The short answer to this is: COBIT 2019 is designed to be understood, tailored, and implemented with other frameworks in mind.
As outlined earlier in this series, standards are typically mandated (often without the option of choosing which parts to use), while a framework is generally optional and designed to be adaptable. COBIT 2019 itself identifies ‘Related Guidance’, which includes standards, frameworks, and compliance requirements for each component (processes, organizational structures, principles, policies and procedures, information, culture, ethics and behavior, people, skills and competencies, and services, infrastructure, and applications) in each of the 40 governance and management objectives in the Core Model. [See also the list of standards, frameworks, and guidance used in the development of COBIT 2019 itself]
We mention this because during the development of COBIT 2019 itself many standards and frameworks were taken into account. This, in turn, requires that we consider other frameworks when deciding, understanding, implementing, and integrating a governance and management system based on COBIT 2019.
While COBIT 2019 is a comprehensive framework, it cannot cover all areas in equal depth, and neither is it designed for 100% implementation from the outset. It supports and indeed hints at a more incremental implementation to manage risk and address customization and incremental uptake.
It’s worth remembering that COBIT 2019 is a generally accepted (global) framework for information and technology governance, and that continued efforts are made to improve it by keeping it flexible, open, current, relevant, and prescriptive as regards the requirement for tailoring a management and governance system for information and technology. It also integrates the concepts of maturity and capability for closer linkage to external models, such as those from the CMMI Institute amongst many others.
Most organizations already have frameworks in place, whether these are home-grown or globally accepted for specific areas such as security management, and the same applies to standards. Typically, there is no framework-of-frameworks, and this is where COBIT 2019 can play an important role, as it was designed with an open architecture in mind.
This flexibility provides a common point for deciding how to integrate other frameworks and standards. To understand this, we need only look at the Core Model to see the range of governance and management objectives addressed by COBIT 2019 (in fact, it is possible to use this as the basis to help design an operating model for an information and technology division/department).
The Core Model covers most of the major disciplines (by way of objectives) within a modern information and technology division, so we’ll take a brief look at how other frameworks and standards can (and should be) used in conjunction with it. Looking at Service Management, and at ITIL® 4 in particular, we can see immediately that there are two objectives (DSS02 (Managed Service Requests and Incidents) and BAI06 (Managed IT Changes)) where ITIL and COBIT 2019 overlap. Specifically, DSS02 is well-covered by ITIL 4’s practices for Incident Management, Problem Management, Service Continuity Management, and Service Request Management. Similarly, BAI06 can be extended by ITIL 4’s Change Control.
COBIT 2019 Core Model
A few more examples include APO03 (Managed Enterprise Architecture), which refers to The Open Group’s TOGAF Standard, and APO12 (Managed Risk), in which we see clear references and links to the family of ISO31000 Risk Management standards.
COBIT 2019 was designed to work with other frameworks and standards and provides an approach and method for integrating them. ‘Integrating’ is not the same as consolidating or implementing, however. By ‘integrating’ we mean having a common approach to using not only COBIT 2019 but also other framework standards, be they internal or external to your organization. Specifically, COBIT 2019 requires that an organization’s governance system and its components should align and harmonize with the organization’s (a) policies, strategies, governance and business plans, and audit approaches, (b) risk management framework, and (c) any existing governance organization, structure, and processes.
It’s also no secret that COBIT 2019 has its roots in the audit community from the last century. This makes it useful for improving internal and external audits of information and related technology areas – something that may not be at the forefront of our thinking during implementation but is certainly a relevant factor for modern businesses. Equally, its adoption and customization will also support assurance activities.
If you have no frameworks or standards or are starting from scratch, it may still be worth considering COBIT 2019. It could be used to guide your thinking and approach while at the same time providing hints and support for all necessary governance and management objectives, as well as any necessary supporting components. In this situation, COBIT 2019 would be useful for proactively identifying several best-practice and generally accepted standards and frameworks.
In the COBIT 2019 Implementation Guide, we are reminded that it is a ‘single, overarching framework whose consistent, integrated guidance is expressed in nontechnical and technology-agnostic language’, and that the board should mandate adoption of such a framework as part of the wider remit of enterprise governance. This is likely to bring into focus the linkage and integration of other, more business-focused frameworks and standards, such as the South African King IV Code of Corporate Conduct’s Principle 12, which states: ‘The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives’
More generally, however, we should always bear in mind what COBIT 2019 sets out, such as how the guidance provided by specific standards and good practices can be applied to specific processes, practices, policies, and procedures as an organization tailors its implementation of a governance and management system.
COBIT 2019 includes two objectives that should be read in conjunction with this paper: EDM01 (Ensured governance framework setting and maintenance) and APO01 (Manage I&T management framework).
Lastly, we leave the reader to consider COBIT 2019’s position that ‘working within a framework and leveraging good practices enables development and optimization of appropriate governance processes and other components of the governance system. Tailored appropriately, … [it] will operate effectively as part of an enterprise’s normal business practice, provided there is a supporting culture, demonstrated by top management’.