COBIT 2019 is ISACA's IT governance framework — and it's the framework that Federal agencies, state governments, and regulated enterprises use to demonstrate IT accountability to auditors, legislators, and oversight bodies. Here's what COBIT 2019 actually does and who should know it.
-
What COBIT 2019 Is
COBIT 2019 is a framework for governing and managing enterprise IT. It provides a comprehensive set of governance and management objectives — each describing a goal, the components needed to achieve it, and how to measure performance. Unlike NIST CSF (which focuses on cybersecurity) or ITIL (which focuses on service management), COBIT addresses the full scope of IT governance: value delivery, risk optimization, resource management, and accountability.
-
COBIT and Federal IT
Federal agencies use COBIT to satisfy GAO IT governance requirements, structure IT investment decision-making, and demonstrate IT accountability to Inspectors General and congressional oversight. State governments use COBIT to standardize IT governance across agencies and satisfy state IT audit requirements. COBIT's governance objectives map well to FISMA, FedRAMP, and NIST CSF requirements.
-
COBIT and the CISO Role
CISOs and IT governance executives use COBIT to build the governance structure that justifies security investments, defines accountability for IT risk, and communicates IT performance to boards. COBIT provides the language for talking about IT risk and governance at the executive and board level — translating technical security requirements into business governance terms.
-
COBIT and ISACA Credentials
COBIT 2019 Foundation is the entry credential for IT governance professionals. CGEIT (Certified in the Governance of Enterprise IT) is the advanced credential for senior IT governance practitioners. Together, they provide the credential stack for IT governance professionals at all career levels.
-
Who Benefits from COBIT Knowledge
IT governance professionals at Federal and state agencies; CIOs and their direct reports at any regulated organization; Internal auditors who audit IT governance programs; GRC professionals who need to frame security requirements in governance terms; Compliance professionals at DoD contractors who need to demonstrate IT governance for CMMC.