Overview
Direct Answer
COBIT is a framework developed by ISACA that provides a comprehensive set of governance and management objectives for information technology and related functions. It bridges the gap between technical IT operations and organisational strategy by establishing process maturity models, control objectives, and performance metrics aligned to business outcomes.
How It Works
The framework organises IT activities into processes grouped across four domains: governance, management, implementation, and monitoring. Each process is mapped to control objectives with specific practices, maturity levels (0–5), and key performance indicators. Organisations assess their current state against these benchmarks and establish improvement roadmaps to achieve desired maturity levels.
Why It Matters
Organisations use COBIT to demonstrate regulatory compliance (Sarbanes-Oxley, GDPR, ISO standards), reduce operational risk, optimise IT investment, and establish accountability between business and IT functions. It helps senior leadership ensure IT delivers value whilst maintaining appropriate controls and risk governance.
Common Applications
Financial institutions employ the framework to satisfy banking regulation requirements; healthcare organisations use it to support HIPAA compliance; manufacturing sectors implement it to manage supply chain and operational resilience. Internal audit departments frequently rely on COBIT as an evaluation standard during compliance assessments.
Key Considerations
Implementing COBIT requires significant organisational commitment, skilled resources, and customisation to industry context; it is a reference model rather than a prescriptive implementation guide. Success depends on executive sponsorship and alignment with existing governance structures rather than standalone adoption.
More in Governance, Risk & Compliance
Know Your Customer (Risk Management): The process of verifying the identity, suitability, and risks of customers in financial transactions.
Regulatory Sandbox (Compliance & Regulation): A controlled environment where businesses can test innovative products and services under regulatory oversight.
Access Control Policy (Security Governance): A set of rules defining who can access specific resources and what actions they can perform.
Risk Management (Risk Management): The process of identifying, assessing, and controlling threats to an organisation's capital and operations.
Compliance as Code (Compliance & Regulation): The practice of expressing regulatory and security compliance requirements as machine-readable policies that can be automatically validated against infrastructure and application configurations.
Compliance (Compliance & Regulation): Adherence to laws, regulations, guidelines, and specifications relevant to an organisation's business.
Regulatory Technology (Compliance & Regulation): Technology solutions designed to help companies comply with regulations efficiently and cost-effectively.
Algorithmic Impact Assessment (Governance): A systematic evaluation of the potential social, economic, and civil rights impacts of an automated decision-making system before and after deployment.