The IT Governance Institute is about to launch its first update in five years to a technology management standard with a greater focus on business regulations and compliance issues.
Aimed at all levels of management, Control Objectives for Information and related Technology (CobIT) 4.0 offers guidance and best practices to manage 34 different processes, including planning, acquisition, delivery and monitoring. The first edition was published in 1994. This version offers research in eight industries in an attempt to provide a clearer insight into how CobIT processes support the achievement of specific IT goals and, by extension, business goals. CobIT 4.0 is published by the Information Systems Audit and Control Association (ISACA).
CobIT enjoys considerable support in Canada, particularly among public sector organizations such as Public Works and Government Services Canada, Canada Housing and Mortgage Corp. and a number of auditor general offices. Deloitte & Touche, KPMG and PricewaterhouseCoopers all offer CobIT expertise, as do a number of smaller firms.
“There’s a need to prove you have repeatable processes and controls . . . people want to have something more turnkey that they’re able to implement,” said Ivan Milam, president of ISACA’s Ottawa-Valley Chapter, who praised the enhancements. “It was comprehensive to start with, but the additional content will help practitioners.”
“In version 4, part of the process is to identify the business plans and ensure there’s a correlation with the IT at the other end, instead of the IT department going off and developing some fantastic program that doesn’t get used,” he said. “People like it because the structure is what we think it should be.”
Unlike the IT Infrastructure Library (ITIL), which tends to outline more detailed steps for handling technology-based processes, CobIT is more high-level, Milam said. That doesn’t mean the two standards need to compete with each other, however.
“What you’ll see oftentimes is people combine the two and that gives them a complete framework for managing information and technology,” he said.
Though CobIT predates compliance mechanisms such as the U.S. Sarbanes-Oxley regulations, accounting scandals and the consequent scrutiny over business processes have raised CobIT’s profile among CIOs, said Saunders.
“When we go in and talk about CobIT now, they at least know what we’re talking about,” he said. “That wouldn’t have been true a few years ago.”
CobIT 4.0 will also attempt to harmonize with and map to other standards such as ISO 17799, according to the ITGI. It also tries to clarify key goal indicator (KGI) and key performance indicator (KPI) relationships and identify how one can drive the achievement of the other.