This website uses cookies. View our cookie policy
Select regional store:

COBIT® (Control Objectives for Information and Related Technology)

COBIT 5 is the latest iteration of ISACA's globally accepted framework for the governance and management of enterprise IT. It provides globally accepted principles, analytical tools and models to increase trust in—and the value derived from—information systems.

This page introduces COBIT 5, explains the benefits it can bring your organization, and contains links to a wealth of resources.

On this page:

COBIT 5: an introduction

Control Objectives for Information and Related Technology (COBIT) is a governance control framework that helps organizations meet today’s business challenges in the areas of regulatory compliance and risk management, and in aligning IT strategy with organizational goals.

With a focus on managing processes, COBIT has helped organizations bridge the gap between control requirements, regulatory compliance and business risk, and significantly to increase the value of their IT investment.

This latest iteration of COBIT, COBIT 5, was published in 2012 and takes into account the latest thinking on the governance of information technology. COBIT 5 expands on COBIT 4.1 by incorporating the governance activities of ISO38500 and the complementary ISACA frameworks Val IT, Risk IT, BMIS, and ITAF, as well as other areas of IT governance.

The structure of COBIT 5

COBIT 5 is built around five principles:

There are also seven "enablers":

The COBIT 5 Process Reference Model identifies five sets of processes:

In all there are 37 processes: five for governance and 32 for management. Unlike COBIT 4.1, which used a process maturity model, COBIT 5 uses a Process Assessment Model (or PAM) designed in accordance with ISO15504.

The COBIT framework is documented fully in the COBIT 5 Manual, for more details please see below.

The benefits of adopting COBIT 5

Adopting the COBIT framework will enable organizations to:


COBIT is closely related to the COSO control framework, which was developed by The Committee of Sponsoring Organizations of the Treadaway Commission. COSO deals with the control of financial processes, whereas COBIT deals with IT processes.

COBIT and Sarbane–-Oxley compliance

The Sarbanes–Oxley Act (SOX) was introduced in 2002 to improve the accountability and reliability of corporate disclosures for all US public companies. It aims to ensure that every publicly traded company has an internal system of control in place to ensure the disclosure of accurate financial information and mandates that organizations must produce an internal control report, which must be included in their annual Exchange Act report.

COBIT is the most widely-recognized internal control framework used to achieve IT SOX compliance. Please see our dedicated Sarbanes–Oxley webpage for further information on this subject.

COBIT, ISO27002, and ITIL®

ISO/IEC 27002 is the international standard that provides best practice advice and guidance on Information Security. ITIL® is the source of best practice information and processes relating to the delivery of IT as a service. COBIT, ISO27002, and ITIL can be used together to achieve process improvement.

COBIT does not supply an explanatory route map for the implementation of IT or Information Security best-practices, but it provides a framework of controls that allow you to use the processes contained in ISO27002 and ITIL.

COBIT 5 resources

IT Governance offers a range of COBIT 5 resources, including books and toolkits.

We recommend:

  • COBIT 5: an introduction
  • The structure of COBIT 5
  • The benefits of adopting COBIT 5
  • COBIT and COSO
  • COBIT and Sarbanes–Oxley compliance
  • COBIT, ISO27002 & ITIL®
  • COBIT 5 resources
    • Principle 1: Meeting Stakeholder Needs
    • Principle 2: Covering the Enterprise End-to-End
    • Principle 3: Applying a Single Integrated Framework
    • Principle 4: Enabling a Holistic Approach
    • Principle 5: Separating Governance from Management
    • Principles, policies, and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
    • Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
    • Organizational structures are the key decision-making entities in an enterprise.
    • Culture, ethics, and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
    • Information is required for keeping the organization running and well-governed, but at the operational level, information is very often the key product of the enterprise itself.
    • Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services.
    • People, skills, and competencies are required for successful completion of all activities and for making correct decisions and taking corrective actions.
    1. Evaluate, Direct, and Monitor
    2. Align, Plan, and Organize
    3. Build, Acquire, and Implement
    4. Deliver, Service, and Support
    5. Monitor, Evaluate, and Assess
    • maintain high-quality information to support business decisions
    • achieve strategic goals and realize business benefits through the effective and innovative use of IT
    • achieve operational excellence through reliable, efficient application of technology
    • maintain IT-related risk at an acceptable level
    • optimize the cost of IT services and technology
    • support compliance with relevant laws, regulations, contractual agreements and policies.
    • Governance and Internal Controls for Cutting Edge IT, which explains strategies and techniques to guide IT managers as they implement cutting edge solutions for their business needs. Based on practical experience and real-life models, she covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control, particularly in the context of the COBIT 5 framework and affiliated standards.
    • IT Governance Control Framework Implementation Toolkit, which provides customizable documentation templates for all 37 of COBIT 5’s processes, including charters, standing agendas, policies, and procedures, to simplify your COBIT 5 implementation project.
    • The COBIT Manual is the official COBIT guide from ISACA and provides you all the details of the COBIT framework.
    • COBIT Quickstart Guide, a scaled-down version of COBIT for small- to medium-sized organizations. Only those control objectives that are considered the most critical are included so that implementation of COBIT's fundamental principles can take place easily, effectively, and relatively quickly.