COBIT 5 – available today!

Building on more than 15 years of practice in the business, IT, risk, security and assurance communities, COBIT 5 provides the next generation of ISACA's guidance on a critical business issue: the enterprise governance and management of IT.

The COBIT 5 framework will provide the basis for governing and managing enterprise IT. It will include a number of products including:

  • COBIT 5 (the framework)

  • COBIT 5 Enabler Guides, where governance and management enablers are discussed in more detail. These include:

    • COBIT 5: Enabling Processes

    • COBIT 5: Enabling Information (in development)

    • Other enabler guides (more details on the COBIT pages on the ISACA website)

  • COBIT 5 Professional Guides, which include:

    • COBIT 5: Implementation

    • COBIT 5 for Information Security (mid-2012)

    • COBIT 5 for Assurance (2013)

    • COBIT 5 for Risk (2013)

  • A collaborative online environment, which will also be made available to support the use of COBIT 5.

The initial series of publications released include COBIT 5, COBIT 5: Enabling Processes and COBIT 5: Implementation.

Background to the development

COBIT 4.1 had great acceptance across the IT community, but following an extensive review of the stakeholders, a number of drivers were identified leading to the development of the new framework. These included:

  • Determine value from information and related technology (what benefits at what acceptable level of risk and costs) and the priorities in ensuring that expected value is actually being delivered, a big demand from stakeholders.

  • Deliver transparency to stakeholders on how the delivery will occur and the actual results will be achieved.

  • Address the increasing dependency of the enterprise’s success on external business and IT parties such as outsourcers, suppliers, consultants, clients, and cloud and other service providers.

  • Manage the ever-increasing amount of information that is pervasive within the enterprise.

  • Work more effectively with information technology, which has become an integral part of the business and business processes.

  • Deliver guidance for innovation and emerging technologies.

  • Cover the end-to-end business and IT functional responsibilities.

  • Separate the governance and management domains.

Principles-based framework

COBIT 5 is a principles-driven framework based on five fundamental principles:

Principle 1:  Meeting stakeholder needs

COBIT 5 provides all the required processes and other enablers to support business value creation through the use of IT.

Principle 2:  Covering the enterprise end to end

COBIT 5 integrates the governance of enterprise IT into enterprise governance, covering all functions and processes within the enterprise, not just IT.

Principle 3:  Applying a single, integrated framework

COBIT 5 aligns with other relevant standards and frameworks at a high level to serve as the overarching framework for governance and management of enterprise IT.

Principle 4:  Enabling a holistic approach

Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components or ‘enablers’. COBIT 5 defines seven categories of enablers:

  • Processes

  • Principles, policies and frameworks

  • Organizational structures

  • People, skills and competencies

  • Culture, ethics and behaviour

  • Services, infrastructure and applications

  • Information

Principle 5:  Separating governance from management

The COBIT 5 framework makes a clear distinction between governance and management, identified as governance and management domains.

The COBIT 5 Process Reference Model

COBIT 5 is not delivered as a prescriptive model; rather, it advocates the implementation of governance and management processes within enterprises. The COBIT 5 process reference model defines and describes in detail the governance and management processes normally found within an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers.

The COBIT 5 model delivers an operational model with a common language for all parts of the business involved in IT activities and provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices.

COBIT 5 Governance and Management Processes

The COBIT 5 process reference model divides the governance and management processes of enterprise IT into two main process domains:

Governance: Contains five governance processes with ‘evaluate, direct and monitor practices’ defined within each process

Management: Four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM), providing the end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure:

  • Align, Plan and Organize (APO)

  • Build, Acquire and Implement (BAI)

  • Deliver, Service and Support (DSS)

  • Monitor, Evaluate and Assess (MEA)

The COBIT 5 process reference model is the successor of the COBIT 4.1 process model, incorporating both the Risk IT and Val IT frameworks.

The complete COBIT 5 enabler model includes a total of 37 governance and management processes with complete details incorporated within COBIT 5:  Process Reference Guide.

COBIT 5 Illustrative Governance and Management Processes

It’s all about the implementation. You don’t simply take COBIT 5 and implement it out of the box. It is a fully customizable framework relevant to organizations of all sizes, in all industries and in any country. Value can only be realized when COBIT is adopted and adapted to fit a particular environment. The implementation must address the specific business challenges, including managing changes to culture and behavior. To assist the enterprise, ISACA delivers practical and extensive implementation guidance in its publication COBIT 5:  Implementation, which is based on a continual improvement lifecycle. Although not intended to be a prescriptive approach, the guide leverages good practices and assists in the creation of successful outcomes. It’s supported with an implementation toolkit containing the following to assist users in their journey:

  • Self-assessment, measurement and diagnostic tools

  • Presentations aimed at various audiences

  • Related articles and further explanations

More importantly, the implementation lifecycle delivers the processes for enterprises to address the complexity and challenges encountered in implementations using COBIT.  The three interrelated components of the lifecycle are the:

  • Core continual improvement lifecycle (this is not a one-off project)

  • Enablement of change (addressing the behavioural and cultural aspects)

  • Management of the program

As discussed previously, the right environment needs to be created to ensure the success of the implementation or improvement initiative, and a top-down approach is required to ensure success.

Where do I get COBIT 5?

COBIT 5 is available from the ISACA website on the COBIT page, and the Framework, Enabling Processes and Implementation guides are all free to members. ISACA also hosts a community of COBIT users in the ISACA Knowledge Center, where they can discuss implementation, ask questions and learn more about the practical application of COBIT 5.

 This blog also appears on the CA Service Management blog.

Written by

Robert Stroud

Robert Stroud is VP of innovation and strategy for IT Business Management at CA Technologies.…

  • James Holland

    This is great. Hooray for Disney’s imagineers!



  • king lear

    testing comment functionality, please do not publish this

  • Rachel Macik

    Love the personal pic :)

    • CAHighlight

      Thank you!

  • Plutora Inc

    This is a good case study. 2.3 sec’s off a login transaction is big.

  • Michele Hudnall

    While the analysts were hyping DevOps, I posted the oversight of not including security as part of that discussion as you are highlighting here. Instead of just talking DevOps, it should be DOS (what’s old is new again :-) – DevOpsSec. As a previous AppDev person, it’s the app, who’s using it, why and where rather than the device and having the service available.

    As you rightly point out, Security should be baked into the solution.

    Nice Post and Timely!


    • CAHighlight

      Thank you for your feedback Michele. Agreed – security cannot be overlooked. Appreciate your input!

  • Mitesh

    I would love a printed copy

  • Lars Johansson

    I love the idea of BYOID! This makes me choose if I am almost anonymous (with my Hotmail Nickname) or official with identity from an official organisation. My Identity Provider will attach identity with right level of LoA according to the need of the Service provider.

    • CAHighlight

      Thank you for your comment. BYOID has tangible benefits for end users and relying parties but it also has to be weighed in the balance with potential risks and liability concerns. It will be interesting to see how BYOID plays out in the enterprise.