Is a management framework, not a technology framework. That is to say, it provides control objectives as opposed to the controls themselves. It gives a high-level framework that can be used to evaluate an enterprise’s existing or planned controls: be they policies, processes or technologies. Also note that COBIT is not specific to information security, but is rather a general IT-oriented standard.

In COBIT, an organization gets ranked on a scale of 0-5 with 5 being the best. Case in point, compare levels 0, 3 and 5 from COBIT 4.1 for PO9:

0 Non-existent: When a risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and development project uncertainties. Risk management is not identified as relevant to acquiring IT solutions and delivering IT services.

3 Defined: When an organization-wide risk management policy defines when and how to conduct risk assessments. Risk management follows a defined process that is documented. Risk management training is available to all staff members. Decisions to follow the risk management process and receive training are left to the individual’s discretion. The methodology for the assessment of risk is convincing and sound, and ensures key risks to the business are identified. A process to mitigate key risks is usually instituted once the risks are identified. Job descriptions consider risk management responsibilities.

5 Optimized: When risk management develops to the stage where a structured, organization-wide process is enforced and well managed. Good practices are applied across the entire organization. The capture, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field, and the IT organization takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services. Management detects and acts when major IT operational and investment decisions are made without consideration of the risk management plan. Management continually assesses risk mitigation strategies.

If you are looking for a framework on which to base your security program, COBIT is a great choice, particularly if you are going to pair it with ISO 27001 or another security standard. COBIT can provide the necessary context to ensure your program is properly addressing the business needs, while an accompanying standard, such as ISO 27001, will ensure the security program has the necessary maturity and the appropriate controls to actually secure the business.

1. Align with business

Recognize that an enterprise exists to create value for stakeholders. This means IT teams must apply governance to balance risks, benefits and resource requirements to deliver goals that meet stakeholders’ needs.

2. Adopt the framework at any size

Cover in the entire enterprise end to end. IT resources and actions are taken into account just like any other business assets.

3. Standardize on Standards

Applies a single integrated framework that can oversee other standards and frameworks an enterprise uses. ISO/IEC 9000, ITIL, CMMI

4. The seven factors to improve IT

Framework defines the factors that influence governance and management of enterprise IT. These seven factors include process descriptions; organizational structures; the culture and behaviours of individuals and organization; policies and principles that guide management; reporting (information); the underlying services, technologies and applications used by IT; and the people and skills required to accomplish necessary activities.

5. Divide responsibilities to conquer

Separating governance from management