INTRODUCING

OVERVIEW
November 2018

© 2018 ISACA. All rights reserved.

COBIT® 2019

The globally recognized COBIT Framework, which helps ensure effective

enterprise governance of information and technology, has been updated with new
information and guidance, facilitating easier, tailored implementation—
strengthening COBIT’s continuing role as an important driver of innovation and
business transformation. This document sets the scene for the upcoming release
of COBIT® 2019 guidance.

© 2018 ISACA. All rights reserved.

Remembering John Lainhart

• In dedication to John Lainhart, who was

there from COBIT day -1 in 1995 until his
passing in September 2018.
• John was the relentless support behind
many COBIT related projects, including
COBIT 2019 .
• ISACA is extremely grateful for John and
his vision, and COBIT 2019 (and its
progeny) are his legacy.

Picture provided courtesy of Dirk Steuperaert

© 2018 ISACA. All rights reserved.

OVERVIEW
PRODUCT FAMILY ARCHITECHTURE

© 2018 ISACA. All rights reserved.

OVERVIEW
PRODUCT FAMILY

The COBIT 2019 product family is open-ended. The following publications will
be available in Q4 2018.

© 2018 ISACA. All rights reserved.

COBIT OVERVIEW
COBIT 2019 PRODUCT ARCHITECTURE

© 2018 ISACA. All rights reserved.

OVERVIEW Provides insights on how to get value from the
use of I&T and explains relevant board
INTERNAL STAKEHOLDERS
responsibilities
Boards

Helps to ensure the identification

and management of all IT-related Provides guidance on how to organize
Risk Executive
risk Management management and monitor performance of I&T across
the enterprise

Internal
Stakeholders
Helps manage dependencies on
external service providers, provides
assurance over IT, and ensures the
existence of an effective and efficient Assurance Business
Providers Managers Helps to understand how to obtain the
system of internal controls I&T solutions enterprises require and
how best to exploit new technology for
strategic opportunities
IT Managers

Provides guidance on how best to build and structure

the IT department, manage performance of IT, run an
efficient and effective IT operation, control IT costs,
align IT strategy to business priorities, etc.
© 2018 ISACA. All rights reserved.
OVERVIEW Determines whether the enterprise is compliant with
EXTERNAL STAKEHOLDERS applicable rules and regulations and advises that
the enterprise has the right governance system in
place to manage and sustain compliance

Regulators

External
Stakeholders
IT vendor’s operations must establish
Confirm that a business partner’s
that they are secure, reliable and
operations are secure, reliable and
compliant with applicable rules and
compliant with applicable rules and
regulations Business
IT Vendors regulations
Partners

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
KEY CONCEPTS & CONCEPTUAL MODEL

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
OVERVIEW

PRINCIPLES

GOVERNANCE
DESIGN AND
FACTORS MANAGEMENT
OBJECTIVES

COBIT 2019
CONCEPTS

FOCUS GOALS
AREAS CASCADE

COMPONENTS
OF A
GOVERNANCE
SYSTEM

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
PRINCIPLES

PRINCIPLES PRINCIPLES
Governance System Governance Framework

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
GOVERNANCE SYSTEM PRINCIPLES

The six (6) principles are the core requirements for

a governance system for enterprise information and
technology.
1. Each enterprise needs a governance system to satisfy
stakeholder needs and to generate value from the use of
I&T.
2. A governance system for enterprise I&T is built from a
number of components that can be of different types and
that work together in a holistic way.
3. A governance system should be dynamic. This means that
each time one or more of the design factors are changed
the impact of these changes on the EGIT system must be
considered.
4. A governance system should clearly distinguish between
governance and management activities and structures. Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter
3 COBIT Principles, Figure 3.1
5. A governance system should be tailored to the enterprise’s
needs, using a set of design factors as parameters to
customize and prioritize the governance system
components.
6. A governance system should cover the enterprise end to
end, focusing not only on the IT function but on all
technology and information processing the enterprise puts
in place to achieve its goals.

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
GOVERNANCE FRAMEWORK PRINCIPLES

The three (3) principles identify the underlying

principles for a governance framework that can be
used to build a governance system for the
enterprise.

1. A governance framework should be based on a

conceptual model, identifying the key components and
relationships among components, to maximize
consistency and allow automation.
2. A governance framework should be open and flexible. It
should allow the addition of new content and the ability to
address new issues in the most flexible way, while
maintaining integrity and consistency.
3. A governance framework should align to relevant major Reference: COBIT® 2019 Framework: Introduction and Methodology,
Chapter 3 COBIT Principles, Figure 3.2
related standards, frameworks and regulations

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
GOVERNANCE AND MANAGEMENT OBJECTIVES

For information and technology to contribute to enterprise goals, a

number of governance and management objectives should be
achieved.

• A governance or management objective always relates to one process

and a series of related components of other types to help achieve the
objective
• A governance objective relates to a governance process, while a
management objective relates to a management process.

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
GOVERNANCE AND MANAGEMENT OBJECTIVES

Similar to COBIT 5, The governance and management objectives in COBIT® 2019 are grouped
into five domains. The domains have names that express the key purpose and areas of activity of
the objectives contained in them.

Governance
Management objectives
objectives

EDM APO BAI DSS MEA

Evaluate, Direct Align, Plan and Build, Acquire and Deliver, Service and Monitor, Evaluate
and Monitor Organize Implement Support and Assess

© 2018 ISACA. All rights reserved.

 Known as the
Process Reference
Model, or PRM in
COBIT 5, COBIT®
2019 identifies this
as the COBIT Core
Model.

Reference:COBIT®
Reference: COBIT®2019
2019Framework:
Framework:Introduction
Introductionand
andMethodology,
Methodology,Chapter
Chapter4 4Basic
BasicConcepts:
Concepts:Governance
GovernanceSystems
Systems andComponents,
and Components,Figure
Figure4.2
4.2
 KEY CONCEPTS
GOVERNANCE AND MANAGEMENT OBJECTIVES

HIGH LEVEL INFORMATION GOALS CASCADE RELATED COMPONENTS RELATED GUIDANCE

• Domain name • Applicable Alignment goals • Processes, practices and
• Focus area • Applicable Enterprise goals activities
• Governance or • Example metrics • Organizational structures
management objective • Information flows and items
name
• People, skills and
• Description competencies
• Purpose statement • Policies and frameworks
• Culture, ethics and
behavior
• Services, infrastructure and
applications
• Where applicable links
and cross references are
provided to other
standards and
frameworks for each of
the governance
components within each
governance and
management objective

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
GOALS CASCADE

• Enterprise goals have been consolidated,

reduced, updated and clarified.
• Alignment goals emphasize the alignment of
all IT efforts with business objectives
 These were IT-related goals in COBIT 5
 The update seeks to avoid the frequent
misunderstanding that these goals indicate purely
internal objectives of the IT department within an
enterprise
 Alignment goals have also been consolidated,
reduced, updated and clarified where necessary

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 4

Basic Concepts: Governance Systems and Components, Figure 4.16

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
COMPONENTS OF A GOVERNANCE SYSTEM

• Each enterprise’s governance system is

built from a number of components
• Components can be of different types
• Components interact with each other,
resulting in a holistic governance system for
I&T
• These were known as enablers in COBIT 5

Reference: COBIT® 2019 Framework: Basic Concepts: Governance Systems and

Components, Figure 4.3

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
COMPONENTS OF A GOVERNANCE SYSTEM

Components can be generic or variants of

generic components: GENERIC
COMPONENTS

• Generic components are described in the

COBIT core model
 Apply in principle to any situation
 However, they are generic in nature and
generally need customization before being
practically implemented
VARIANT
• Variants are based on generic components COMPONENTS

but
 Tailored for a specific purpose or context
within a focus area (e.g., for information
security, DevOps, a particular regulation)

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
FOCUS AREAS

• A Focus Area describes a certain governance topic, EXAMPLES OF FOCUS AREAS

domain or issue that can be addressed by a collection of
• Small and medium
governance and management objectives and their
enterprises
components.
• Information Security
• Focus Areas can contain a combination of generic
governance components and variants • Risk

• The number of focus areas is virtually unlimited. That is • DevOps

what makes COBIT open-ended. New focus areas can be
added as required or as subject matter experts and
practitioners contribute.

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
DESIGN FACTORS

COBIT 2019 Design Factors

Design factors are factors that:

• Influence the design of an enterprise’s
governance system
• Position it for success in the use of I&T
• More information and detailed guidance on
how to use the design factors for designing a
governance system can be found in the
COBIT Design Guide publication
Reference: COBIT® 2019 Framework: Basic Concepts: Design Factors, Figure 4.4

© 2018 ISACA. All rights reserved.

KEY CONCEPTS
DESIGN FACTORS: EXAMPLES

• Growth / Acquisition
Enterprise • Innovation / Differentiation
Strategy • Cost Leadership
• Client Service / Stability

Threat • Normal
Landscape • High

• Support
• Factory
Role of IT • Turnaround
• Strategic

© 2018 ISACA. All rights reserved.

DESIGNING AND
IMPLEMENTING A TAILORED
GOVERNANCE SYSTEM
USING COBIT 2019

© 2018 ISACA. All rights reserved.

DESIGNING A TAILORED GOVERNANCE SYSTEM
IMPACT OF DESIGN FACTORS
Management
Objective
Priority &
Target
Capability
Levels

Design factors influence in different ways the

tailoring of the governance system of an
enterprise.
Design
Factor
Impact

Specific Component
Focus Areas Variations

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 7 Designing

a Tailored Governance System, Figure 7.1

© 2018 ISACA. All rights reserved.

DESIGNING A TAILORED GOVERNANCE SYSTEM
IMPACT OF DESIGN FACTORS
Management
Objective
Priority &
Target
Capability
Management Objective Priority and Target Capability Levels
Levels
• Design factor influence can make some governance
and management objectives more important than
others, sometimes to the extent that they become
negligible Design
• In practice, this higher importance translates into Factor
Impact
setting higher target capability levels

Specific Component
Focus Areas Variations

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 7 Designing

a Tailored Governance System, Figure 7.1

© 2018 ISACA. All rights reserved.

DESIGNING A TAILORED GOVERNANCE SYSTEM
IMPACT OF DESIGN FACTORS
Management
Objective
Priority &
Target
Capability
Levels
Component Variations
• Components are required to achieve governance
and management objectives. Some design factors
can influence the importance of one or more
components or can require specific variations Design
Factor
Impact

Specific Component
Focus Areas Variations

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 7 Designing

a Tailored Governance System, Figure 7.1

© 2018 ISACA. All rights reserved.

DESIGNING A TAILORED GOVERNANCE SYSTEM
IMPACT OF DESIGN FACTORS
Management
Objective
Priority &
Target
Capability
Levels
Specific Focus Areas
• Some design factors, such as threat landscape,
specific risk, target development methods and
infrastructure set-up, will drive the need for
variation of the core COBIT model content to a Design
specific context Factor
Impact

Specific Component
Focus Areas Variations

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 7 Designing

a Tailored Governance System, Figure 7.1

© 2018 ISACA. All rights reserved.

DESIGNING A TAILORED GOVERNANCE SYSTEM
GOVERNANCE SYSTEM DESIGN WORKFLOW

The different stages and steps

in the design process will
result in recommendations for
prioritizing governance and
management objectives or
related governance system
components, for target
capability levels, or for
adopting specific variants of a
governance system
component.

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 7 Designing a

Tailored Governance System, Figure 7.2

© 2018 ISACA. All rights reserved.

IMPLEMENTING A TAILORED GOVERNANCE SYSTEM

The implementation approach is based on empowering business and IT stakeholders

and role players to take ownership of IT-related governance and management
decisions and activities by facilitating and enabling change.

• Implementation guide is a phased approach with three perspectives

 Continual Improvement
 Program Management
 Change Enablement

© 2018 ISACA. All rights reserved.

IMPLEMENTING A TAILORED GOVERNANCE SYSTEM
IMPLEMENTATION

The COBIT® 2019 Implementation Guide

emphasizes an enterprise-wide view of
governance of I&T.

It recognizes that I&T are pervasive in

enterprises and that it is neither possible
nor good practice to separate business
and IT-related activities.

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 8 Implementing

Enterprise Governance of IT, Figure 8.1

© 2018 ISACA. All rights reserved.

PERFORMANCE
MANAGEMENT
CAPABILITY & MATURITY

© 2018 ISACA. All rights reserved.

PERFORMANCE MANAGEMENT
OVERVIEW

COBIT Performance Management (CPM) refers to how well the

governance and management system and all the components of an
enterprise work, and how they can be improved up to the required The term “COBIT
level. It includes concepts and methods such as capability levels Performance
and maturity levels. Management” (CPM) is
used to describe these
COBIT 2019 is based on the following principles: activities, and the
concept is an integral
• Simple to understand and use
part of the COBIT
• Consistent with, and support the COBIT conceptual model framework.
• Provide reliable, repeatable and relevant results
• Must be flexible
• Should support different types of assessments

© 2018 ISACA. All rights reserved.

PERFORMANCE MANAGEMENT
CAPABILITY AND MATURITY

• COBIT 2019 supports a CMMI-based process

capability scheme
• The process within each governance and
management objective can operate at capability
levels, between 0 to 5
• The capability level is a measure for how well a
process is implemented and performing
• Each process activity is associated with a capability
level

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 6 Performance

Management in COBIT, Figure 6.2

© 2018 ISACA. All rights reserved.

PERFORMANCE MANAGEMENT
CAPABILITY AND MATURITY

• Each process activity is associated with a capability level

 Helps users implement processes at a foundational
level
 Identifies future activities to achieve a higher capability
level

© 2018 ISACA. All rights reserved.

PERFORMANCE MANAGEMENT
CAPABILITY AND MATURITY

• Sometimes a more high-level for expressing

performance is required, less granular than individual
process capability ratings: Maturity Levels
• We define maturity levels in COBIT 2019 update as a
performance measure at the Focus Area level

Reference: COBIT® 2019 Framework: Introduction and Methodology, Chapter 6 Performance

Management in COBIT, Figure 6.3

© 2018 ISACA. All rights reserved.

 APPENDIX

© 2018 ISACA. All rights reserved.

ABOUT ISACA

Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals
and enterprises achieve the positive potential of technology. Today’s world is
powered by technology, and ISACA equips professionals with the knowledge,
credentials, education and community to advance their careers and transform their
organizations.

ISACA leverages the expertise of its 450,000 engaged professionals in information

and cyber security, governance, assurance, risk and innovation, as well as its
enterprise performance subsidiary, CMMI® Institute, to help advance innovation
through technology. ISACA has a presence in 188 countries, including 217 chapters
worldwide and offices in both the United States and China.

© 2018 ISACA. All rights reserved.