ISACA Releases COBIT 5 for Public Comment - This Is Important Folks

COBIT has been, without doubt, the dominant resource for IT audit professionals and others when it comes to IT controls and security. In addition, the guidance on IT governance from the IT Governance Institute (an arm of ISACA) has been excellent, as has been the RiskIT framework from ISACA. 

ISACA is now combining these, together with its ValIT framework, which is all about optimizing the value obtained from IT, in a new and very important product: COBIT 5.

You can download the draft documents (Framework and Process Reference Guide) from the ISACA site, which is also where you can submit comments.

I will be reviewing the drafts myself, but am curious about opinions on a few points:

  1. Should the guidance be about "information" (as it says in the opening section) or about "technology?" The former implies it's about the bits and bytes and how they are processed/stored. The latter is more about how technology is used to run the business.
  2. Should the guidance be about the IT function or about the use of technology in the business? More and more, technology is not the sole province of the IT department.
  3. Wouldn't it be better to scrap the COBIT name and replace it with "Technology Governance and Use," or something similar? At least they might consider a descriptive subtitle for COBIT 5.

I welcome your views.

Posted on Jul 1, 2011 by Norman Marks


Q1: I think it should be about how technology is used.

Q2: I think, in line with Q1, that it should be about the use of technology.

Q3: I like "Technology Governance and Use".

Another way of seeing it: it should provide guidance on how to preserve the Confidentiality, Integrity and Availability of the Information through its life cycle AND the life cycle of the underlying technology.


1. With the guidance of COBIT 5 expanding to include controls, risks and values, why should the scope be restricted to either information or technology? Why not address both? To ignore one or the other would seem to open the door to all kinds of issues.

2. Again, why be restrictive? IT auditors currently audit both the IT folks and the business folks -- and if not, they should be. Again, to ignore either side is to invite problems.

3. I don't agree with your suggestion because it's not just about the technology -- it's about the data and the business uses of that data as well. Besides, they modified the name a few versions ago when it changed from "Control Objectives for Information Technology" to "Control Objectives for Information and Related Technology." (Notice that it addresses both information AND technology now.) But maybe they could change it to "External and Internal Evaluations of Information and Oversight" -- giving us E-I-E-I-O.

