COBIT - IT Governance Frameworks Tutorial

This lesson is part of the COBIT® 5 Foundation Certification Course and covers the benefits, format and product architecture of COBIT® 5. It also focuses on mapping COBIT® to other IT governance frameworks. Let us begin with the objectives of this lesson.


By the end of this COBIT 5 lesson, you will be able to:

  • Explain the benefits of COBIT® 5

  • Discuss the COBIT® 5 format and its volumes

  • Describe the COBIT® 5 product family 

  • Identify the governance and management processes in COBIT® 5 

Let us move on to the next section to discuss the benefits of COBIT® 5.

Benefits of COBIT® 5

The benefits of COBIT® 5 are as follows:

  • It considers stakeholder needs as the starting point of the governance and management activities related to enterprise IT. 

  • It acts as a business framework, which enables the business management to communicate with the IT management. 

  • It creates a more consistent, integrated and complete perspective of enterprise governance and IT management. It also provides an end-to-end view on all IT-related matters. 

  • It provides a top-down view of the business needs that create a goals cascade, which drives the need to meet the expectations of stakeholders throughout the enterprise. 

  • It encourages a common language throughout the enterprise so that the stakeholders understand IT and IT meets their business needs. 

  • It is consistent with the generally accepted corporate governance standards, which helps to meet regulatory requirements.

Let us look at the COBIT® 5 format in the next section.

The COBIT® 5 Format

The COBIT® 5 framework follows a simple format. It directly addresses the needs of the viewers from different perspectives. COBIT® 5 comes in 3 volumes:

  • ‘The Framework’

  • ‘Process Reference Guide’

  • ‘Implementation Guide’

COBIT® 5 is also based on certain principles and enablers.

Let us proceed to discuss the product family of COBIT® 5 in the next section.

What are the Components of the COBIT® 5 Product Family?

The following image lists the components of the COBIT® 5 product family.

Cobit 5 Product Family

It includes: 

  • COBIT® 5: This publication gives an overview of the complete COBIT® 5 framework as well as a summary for executives and other users. 

  • COBIT® 5 Enabler Guides: These include the COBIT® 5 Enabling Processes, COBIT® 5 Enabling Information and other enabler guides. These are detailed reference guides that support the ‘COBIT® 5 Business Framework for the Governance and Management of Enterprise IT’ and the professional guides. The ‘COBIT® 5 Enabler Guides’ act as the bridge between the COBIT® 5 framework and the COBIT® 5 professional guides. 

  • COBIT® 5 Professional Guides: These guides are intended to be used by specific professional practitioners. For example, an auditor would use the ‘COBIT® 5 for Assurance’ guide to understand and implement COBIT® 5 from the perspective of an auditor. These guides include the COBIT® 5 Implementation guide, which is used to get a practical appreciation of how to apply COBIT® 5 to specific business problems, pain points, trigger events and risk scenarios within the organization. 

The remaining guides are still in development and beyond the scope of this course. They are as follows: 

  • COBIT® 5 for Information Security, which was available in July 2012

  • COBIT® 5 for Assurance 

  • COBIT® 5 for Risk, and Other Professional Guides to be defined based on the needs of the market.

The currently available professional guides are: 

  • Vendor Management using COBIT® 5 

  • Configuration Management using COBIT® 5 

  • COBIT® 5 Online that will replace the COBIT® 4.1 Online. This tool was to be made available at the beginning of 2014. It will enable registered users to implement and maintain COBIT® 5 through an interactive online system.

It is to be noted that the COBIT® Process Assessment Guides are treated as part of a separate product family and are accessed at ISACA through the COBIT® Assessment Programme link on their website. 

In the next section, we will discuss the COBIT® 5 mapping summary.

COBIT® 5 Mapping Summary

The following image depicts the various frameworks and standards that have influenced COBIT® 5 and can be mapped to it. 

Cobit 5 Mapping Summary

The five governance and management processes of COBIT® 5 are mapped to various standards and frameworks in the following ways:

  • The Evaluate, Direct, and Monitor or EDM governance processes are mapped to:

  1. the standard for corporate governance of information technology, ISO/IEC 38500

  2. the standard for risk management, ISO/IEC 31000, which are essential from the governance perspective.

  • The Align, Plan and Organize or APO management processes are mapped to:

  1. PRINCE2® and PMBOK® that are project management frameworks.

  2. The Open Group Architecture Framework or TOGAF that is the de facto global standard for Enterprise Architecture.

  3. ISO/IEC 31000, the risk management standard, and 

  4. ISO/IEC 27000, the standard for Information security.

They are aligned to:

  1. Capability Maturity Model Integration or CMMI, the capability and process assessment model,

  2. IT Infrastructure Library Framework or ITIL® Version 3 2011 framework and

  3. the standard for IT Service Management, which is ISO/IEC 20000. 

  • The Build, Acquire and Implement or BAI management processes are aligned with the:

  1. CMMI model 

  2. the ITIL® Version 3 2011 framework and 

  3. ISO/IEC 20000, the standard for IT Service Management. 

The other frameworks and standards that contribute to the BAI processes are:

  1. PRINCE2® or PMBOK® project management frameworks, 

  2. TOGAF and 

  3. ISO/IEC 27000, the information security standard. 

  • The Deliver, Service and Support or DSS management processes are aligned to:

  1. The ITIL® Version 3 2011 framework and

  2. ISO/IEC 20000. 

  • The Monitor, Evaluate and Assess or MEA management processes are aligned to:

  1. ISO/IEC 27000, the information security standard.

In the next section, we will focus on how COBIT® is integrated with other IT governance frameworks, namely, COSO and ITIL®.

COBIT®—Integration with Other IT Governance Frameworks

COSO is an internal control integrated framework. It consists of five interrelated components that provide an effective framework. The framework describes and analyses the internal control system implemented in an organization, mainly to meet financial regulatory requirements. 
The following image depicts how other IT governance frameworks namely, COSO and ITIL® are represented in COBIT®.

These mainly constitute:

  • Committee of Sponsoring Organizations of the Treadway Commission or COSO

  • ISO 27002, the standard for information security

  • The IT Infrastructure Library Framework or ITIL®

  • ISO 9000, the standard for quality.

As evident from the image, COBIT® is integrated with two major frameworks which are COSO and ITIL®. These frameworks are further supported by the two ISO standards which are ISO 27002, the information security standard and ISO 9000, the standard for quality. The flow of information within COBIT®, including how the framework is integrated, is based on the initial framework of COSO whose major focus is on internal controls and governance.
These are then built upon as processes using the two major industry standards, ISO 27002 and ISO 9000, which cover information security and quality implementation for governance and management. Finally, the ITIL® framework aids by providing an IT Service Management framework to make COBIT® a very robust governance and management framework for enterprise IT.
In the next section, we will understand where COBIT® fits in.

Where Does COBIT Fit in?

COBIT® is the bridge between business and enterprise governance requirements and specific IT governance practices. The image shown below depicts the following.

Where Cobit fits in

The key drivers for any enterprise mainly consist of performance business goals and conformance requirements such as Basel II and Sarbanes-Oxley Act or SOX.
To help achieve the mentioned goals, frameworks such as the Balanced Scorecard mainly monitor, measure and help to achieve performance business goals. This, along with the COSO framework, helps to put in place internal controls in the enterprise to achieve conformance with the various regulations. Overall, this assists in enterprise governance. 
The COBIT® framework assists by providing the IT governance that helps to achieve enterprise governance. COBIT® also adopts best practice standards like ISO 9000 for Quality, ISO 27002 for information security, and ISO 20000 for IT Service Management. 
These best practice standards, in turn, rely on robust processes and procedures such as QA procedures, security principles and ITIL® defined processes and functions for ISO 9000, ISO 27002 and ISO 20000 respectively. 
In the next section, we will discuss the specifics of mapping other IT governance frameworks to COBIT® 5.

COBIT® 5 Mapping Specifics

The table shown below depicts the mapping of other IT governance frameworks to COBIT® 5:

  • The standard for corporate governance of Information Technology, ISO/IEC 38500, provides the six principles of ISO that are mapped to COBIT® 5. The principles are responsibility, strategy, acquisition, performance, conformance and human behavior for good corporate governance of IT.

  • Information Technology Infrastructure Library or ITIL® V3 provides the 5 areas and their subsets of processes, namely strategy, design, transition, operations and continual service improvement, as inputs to COBIT® 5 in the DSS domain, BAI domain and APO domain.

  • The information security standard or ISO/IEC 27000 provides the inputs to the security and IT-related processes in the EDM, APO and DSS domains of COBIT® 5 and also some security monitoring activities in the MEA domain of COBIT® 5.

  • The risk management standard or ISO/IEC 31000 provides inputs to include the risk management related activities in the EDM and APO domains. 

  • The Open Group Architecture Framework or TOGAF provides inputs to the resource-related processes in the EDM domain, TOGAF components of the architecture board and governance areas and Enterprise Architecture processes of the APO domain.

  • Projects in Controlled Environment or PRINCE2 provides inputs to the programme and project management processes in the BAI domain and portfolio-related processes in the APO domain.

  • Capability Maturity Model Integration or CMMI provides inputs to some organizational and quality related processes in the APO domain and application building and acquisition-related processes in the BAI domain of COBIT® 5.

Let us summarise what we have learned in this tutorial: 

  • COBIT® 5 defines the starting point of the governance and management activities related to enterprise IT as stakeholder needs. 

  • COBIT® 5 follows a simplified format and it is available in three volumes, namely, the Framework, Process Reference Guide and Implementation Guide.

  • COBIT® 5 product family includes the COBIT® 5 framework, COBIT® 5 Enabler Guides, COBIT® 5 Professional Guides and COBIT® 5 Online Collaborative Environment.

  • The COBIT® 5 governance and management processes are:

  1. ‘Evaluate, Direct and Monitor governance’
  2. ‘Align, Plan and Organize management’
  3. ‘Build, Acquire and Implement management’ and 
  4. ‘Monitor, Evaluate and Assess management’ processes. 

In the following lesson, you will learn about an overview of the COBIT® 5 principles.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.
