FAQs about COBIT 5
1. How different is COBIT 5 from COBIT 4.1?
COBIT’s latest version, COBIT 5, focuses on improving its capacity to help create more business value. This is intended to create buy-in from all the stakeholders of a company, including the directors and other executives of the company. COBIT 5 helps to align the company’s business objectives with its IT objectives so that information governance and control are viewed as an asset by the business audience. This principle forms the core tenet of COBIT 5. Its goal is to bridge the gap between business risks, technology and control requirements. COBIT 5, unlike COBIT 4.1, includes the best practices of several other standards including The Open Group Architecture Framework, Basel III, Payment Card Industry Data Security Standard, etc. It also integrates aspects of its previous versions, as well as other frameworks and standards.
Unlike the earlier version, COBIT 5 helps the company achieve an organization-wide information governance perspective by including innovative processes that cover IT and business activities end-to-end. COBIT 5 offers an elaborate explanation of the importance of IT management, governance and control and clearly defines every player’s responsibilities. This makes the stakeholders’ IT responsibilities and accountabilities more transparent.
The seven enablers of COBIT 5 – processes; principles, policies and frameworks; organizational structures; people, skills and competencies; culture, ethics and behaviour; services, infrastructure and applications; and information, are meant for meeting the enterprise’s IT governance goals.
2. How does COBIT 5 help achieve regulatory compliance?
COBIT 5 is used by publicly traded companies to assist them in the Sarbanes-Oxley Act compliance processes. The Sarbanes-Oxley Act requires the company’s chief executives to attest to the accuracy of the information in their financial reports. This necessitates reliable IT processes and controls.
COBIT has been updated in its latest version, and when it was released, the Sarbanes-Oxley Act was ‘about corporate governance’. COBIT 5 helps improve IT processes, and that in itself helps meet the compliance requirements for Sarbanes-Oxley. COBIT 5 works for the stakeholders, and one of the stakeholders is the regulatory body itself.
3. How does COBIT 5 help in risk management?
The COBIT 5 framework and its proponents help in creating a collaborative culture that focuses on the needs, benefits and risks of IT initiatives. Since the framework includes a change enablement approach within the implementation lifecycle, it has the capability to encourage better unity around IT deployments and reduce the chance of failure. COBIT 5 is widely credited for its ability to help minimise the implementation risk of IT processes. IT initiatives typically require agility and quick adaptation, and at the same time they require buy-in from users and other stakeholders. This has been taken care of by COBIT 5.
4. What disadvantages do the critics point out in COBIT 5?
While COBIT 5 has been praised for integrating other ISACA best practices, it has also been criticised for a few shortcomings. Although COBIT 5 shows much improvement when compared to its previous version, COBIT 4.1, its complexity could deter new users. This may hinder its adoption, as new users may be wary of it and have reservations. The research analyst firm Gartner Inc. explains that the COBIT framework “ignores the blurring boundary between operational technology and information technology, which will have an increasing impact on the management of risk and delivery of value, and will require additional controls.” They also argue that the defenders of COBIT 5 counter their criticisms by arguing that Gartner & Co does not understand the framework and has failed to recognize its guidance on how to manage information and technology.
5. How does COBIT 5 address the criticisms of its earlier versions?
The previous versions of COBIT were criticised for producing limited and in some cases adverse results. Earlier it was noted by ‘Compass’, an IT benchmarking firm, that several IT management and control approaches, including COBIT, had the possibility of leading to a “hot potato” environment where the stakeholders passed tasks down the line. This was concluded based on the analysis of Compass’s clients. COBIT was criticised as encouraging a focus on rote rules and paperwork. It was blamed for failing to promote worthwhile IT governance engagement and to fix a stronger accountability for it. Service providers were found to be deploying COBIT, but they did not fully integrate it into their business.
Addressing all these shortcomings, COBIT 5 has been encouraging businesses to manage and govern information and technology in an integrated and holistic way. COBIT 5 has been based on 5 foundational principles – meeting stakeholder needs; covering the enterprise end-to-end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management.
6. Is the COBIT 5 framework superior to the other accepted control models?
Although several other frameworks, including technical security guidance and service delivery guidance frameworks such as ISO 17799 and ITIL, are available, they emphasize only business control and IT security and service issues. Only COBIT 5 makes an attempt to deal with IT-specific control issues from a business perspective. Management is becoming increasingly aware of this fact. It may be noted that COSO was used as source material for the business model and ISO 17799 and ITIL, amongst many others, were used to develop the control objectives. COBIT 5 is not meant to replace any of these control models. It is intended to emphasize what control is required in the IT environment while working with and building on the strengths of these other control models.
7. How are the management guidelines integrated into the COBIT 5 framework?
Control objectives were developed by the application of international standards and guidelines and research into good practices. This was aided by the COBIT 5 framework. Management uses the tools that the management guidelines offer to allow self-assessment and choices to be made for control implementation and improvements over its information and related technology. These tools were developed from a management and performance measurement perspective. They have been developed for each of the 34 IT processes. Management’s decision-making processes are supported by guidelines that provide the requisite maturity models, goals and metrics, and roles and responsibilities (RACI) charts.