EDDYMENS

Published 2 days ago

What Is COBIT 2019?

Besides it sounding like the name of the pandemic from recent history, what exactly is COBIT?

The first time I tried to grasp the idea of what it is from the ISACA website [↗], the body that drafted it, I ended up more confused than informed.

So, like most things I write about on here, I am documenting it for you and me :).

Business and IT harmony

Unlike businesses such as e-commerce stores, which exist purely because of the internet, many industries such as banking existed long before IT.

IT has now become a core part of banks, from internal business processes to customer-facing services.

That said, the integration of IT into businesses is not always smooth.

For example, the introduction of IT in banking changed the meaning of financial audits. It's no longer just about verifying the records, but also the systems those records are processed with and stored on, because those systems contribute directly to the integrity of the financial information.

With all these changes, businesses have always needed frameworks and processes that can be followed to ensure IT and business operations exist in harmony.

And this is where a framework like COBIT comes in.

Annnnnnd now what is COBIT?

Let's first expand the acronym.

COBIT stands for Control Objectives for Information and Related Technologies.

And again, I don't expect that definition alone to make it clearer.

Now, as I explained in the last section, frameworks exist to help teams establish harmony between their IT and business processes. Some examples include:

  • ITIL [↗]: This focuses more on the customer-facing side of a company's IT
  • ISO/IEC 27001 [↗]: This framework focuses on protecting information
  • TOGAF [↗]: This focuses more on IT system architectures and design

COBIT focuses on the governance of IT processes from the business's viewpoint.

This means it is about structuring IT so that its inputs, outputs, risks, and costs align with the broader goals of the business.

For example, if the business is looking to cut costs that year, the IT department might end up using Let's Encrypt [↗] instead of paying for SSL certificates. It may look like a small change in theory, but when COBIT is implemented properly, even such small alignments become deliberate rather than random choices.

By the way, when I say "framework" I just mean a well-documented approach for achieving something. You can also loosely refer to them as standards.

Let's walk through an example

Now let's see which part of the COBIT framework would influence the IT department's choice between using Let's Encrypt versus paying for SSL certificates.

Assume management sets a business objective for the year: reduce operational costs.

In COBIT terms, that direction starts at the governance level (with managers) under what COBIT calls EDM (Evaluate, Direct and Monitor). This is just a fancy label for management planning, i.e. the point at which they decide they will be cutting costs.

That direction then flows into management activities.

Under another fancy label, APO (Align, Plan and Organize), IT would:

  1. Review current IT expenses
  2. Identify areas where savings are possible
  3. Assess risks before making changes

If the company is paying annually for SSL certificates, IT may evaluate whether using Let's Encrypt can reduce recurring costs.

But COBIT doesn't allow the decision to stop at "it's free."

There must be structure.

Risk Assessment

Under risk and security-related objectives, IT would assess:

  • Does Let's Encrypt meet required encryption standards?
  • Does it comply with industry or regulatory requirements?
  • Is there any operational risk (for example, certificate expiration or automation failure)?

If risk remains within acceptable limits, the option stays viable.

Cost Justification

Under cost management objectives:

  • Compare long-term SSL expenses with the free alternative
  • Evaluate implementation effort
  • Consider automation and renewal management

Change Implementation

Under BAI (Build, Acquire and Implement):

  • Test the configuration
  • Ensure no service disruption
  • Document the change

Ongoing Monitoring

Under MEA (Monitor, Evaluate and Assess):

  • Monitor certificate renewals
  • Ensure continued compliance
  • Track performance or incidents
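Two of the items above, the operational risk of certificate expiration from the Risk Assessment step and "Monitor certificate renewals" / "Ensure continued compliance" from the MEA step, are the kind of thing that turns into a small recurring check once the decision is made. The script below is an added example written for this article, not something from the COBIT material or from ISACA: it takes certificate records in the dictionary shape Python's `ssl` module returns from `getpeercert()`, works out how many days each has left, flags the ones inside the renewal window (a sign that the automation has not fired), and records whether the issuer is one the governance decision actually approved. The hostnames, dates and the approved-issuer list are constructed for the example; `fetch_peer_cert` is included so the same report can be run against live hosts, but the sample data runs offline.

```python
"""Certificate renewal monitor: a small MEA-style check.

Added example for the Risk Assessment and Ongoing Monitoring steps.
Uses only the Python standard library. Certificate records use the
dict shape that ssl.SSLSocket.getpeercert() returns; every sample
record below is constructed for this example, not a real host.
"""
import socket
import ssl
from datetime import datetime, timezone

# Thresholds (assumed policy values): Let's Encrypt certificates are valid
# for 90 days and are normally renewed about 30 days before expiry, so a
# certificate still inside that window suggests the renewal job failed.
WARN_DAYS = 30
CRITICAL_DAYS = 7

# Issuers the (hypothetical) governance decision approved.
APPROVED_ISSUERS = {"Let's Encrypt"}


def flatten_name(rdn_sequence):
    """Turn getpeercert()'s nested issuer/subject tuples into a flat dict."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def days_until_expiry(not_after, now):
    """Days left on a certificate, given its 'notAfter' string (always GMT)."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    return (expiry_ts - now.timestamp()) / 86400


def classify(days_left, warn_days=WARN_DAYS, critical_days=CRITICAL_DAYS):
    """Map remaining days onto a status the MEA report can track."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < critical_days:
        return "CRITICAL"
    if days_left < warn_days:
        return "WARN"
    return "OK"


def assess(hostname, cert, now, approved_issuers=APPROVED_ISSUERS):
    """Produce one monitoring record for a host's certificate."""
    issuer = flatten_name(cert["issuer"]).get("organizationName", "?")
    days_left = days_until_expiry(cert["notAfter"], now)
    return {
        "host": hostname,
        "issuer": issuer,
        "issuer_approved": issuer in approved_issuers,   # compliance check
        "days_left": round(days_left, 1),
        "status": classify(days_left),                   # renewal check
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live retrieval (needs network); returns the same dict shape as the samples."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample inventory. 'now' is pinned so the report is reproducible.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
_LE = ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),))
_PAID = ((("organizationName", "Example Paid CA"),), (("commonName", "Example CA 1"),))
SAMPLE_CERTS = {
    "shop.example":   {"issuer": _LE,   "notAfter": "Aug 25 12:00:00 2025 GMT"},  # fresh
    "api.example":    {"issuer": _LE,   "notAfter": "Jun 15 12:00:00 2025 GMT"},  # renewal missed
    "mail.example":   {"issuer": _LE,   "notAfter": "Jun 03 00:00:00 2025 GMT"},  # about to expire
    "legacy.example": {"issuer": _PAID, "notAfter": "May 20 00:00:00 2025 GMT"},  # expired, old CA
}


def run_report(certs=SAMPLE_CERTS, now=SAMPLE_NOW):
    """Assess every host in the inventory; the list is what MEA would track."""
    return [assess(host, cert, now) for host, cert in certs.items()]


if __name__ == "__main__":
    for rec in run_report():
        flag = "" if rec["issuer_approved"] else "  (issuer not on approved list)"
        print(f"{rec['status']:<8} {rec['host']:<16} {rec['days_left']:>6} days  "
              f"issuer={rec['issuer']}{flag}")
```

Running it as-is prints one line per sample host; swapping `SAMPLE_CERTS` for `{h: fetch_peer_cert(h) for h in hosts}` and `SAMPLE_NOW` for `datetime.now(timezone.utc)` turns it into the scheduled check. The point is less the script than what it records: a WARN on a Let's Encrypt host is the "automation failure" risk from the assessment showing up in practice, and an unapproved issuer is a drift from the governance decision, both of which MEA is supposed to surface.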

Notice something important:

COBIT does not tell you to use Let's Encrypt.

It ensures that whatever decision is made is aligned with governance direction.

Even a small technical decision becomes connected to business strategy.

That's the practical meaning of alignment.

How does one learn the framework?

Simplest answer: a certification [↗] exists for that.

Although honestly, sometimes it feels more about attaining a cert than actually understanding COBIT deeply.

If you want a proper deep dive, you will likely need to go through the official material sold on the ISACA website [↗].

That documentation breaks down the domains (EDM, APO, BAI, DSS, MEA), the governance components, and the detailed objectives properly.

Et voilà. That's COBIT, minus the big speak.
