COBIT® 5 Frequently Asked Questions (FAQs)
1. What is the purpose of COBIT 5?
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives
for the governance and management of enterprise information and technology assets (IT). Simply
stated, it helps enterprises create optimal value from IT by maintaining a balance between realising
benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and
managed in a holistic manner for the entire enterprise, taking in the full end‐to‐end business and IT
functional areas of responsibility, considering the IT‐related interests of internal and external
stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not‐for‐profit
or in the public sector.
2. Who is using COBIT 5?
COBIT 5 is used globally by those who have the primary responsibility for business processes and
technology, depend on technology for relevant and reliable information, and provide quality,
reliability and control of information and related technology.
3. Where are the control objectives in COBIT 5?
Based on five principles and seven enablers, COBIT 5 uses governance and management practices to
describe actions that are examples of good practices to effect governance and management over
enterprise IT. Many of these practices and the supporting activities exert ‘control’ over the process
to deliver the required outcome.
The move from the ‘control objectives’ term was explained in an ISACA® Journal article (volume 4,
2011) written by one of COBIT’s first contributors, Erik Guldentops. The article can be found at this
link ‘Where Have All The Control Objectives Gone?’ (www.isaca.org/Journal/Past-Issues/2011/volume-4/pages/Where-Have-All-the-Control-Objectives-Gone.aspx).
4. Are there other major differences between COBIT 4.1 and COBIT 5?
Yes, the framework design for COBIT 5 was revisited and restructured to ensure complete coverage
for all major aspects related to the governance and management of enterprise IT. ISACA has
prepared a presentation that outlines the main changes introduced. The presentation can be found
at this link ‘Compare COBIT versions 4.1 to 5’.
5. What is the overall quality of COBIT 5, and were any industry professionals part of the expert
review?
To assure the high quality of COBIT 5, several measures were taken. The most important measures
are:
• The entire research process was overseen by both ISACA’s Knowledge Board and Framework
Committee, which are responsible for overseeing all ISACA framework research development.
• The detailed research results and deliverables were quality‐controlled throughout the
development process by a dedicated task force of experienced volunteer professionals.
• A draft design document was issued for public exposure, and the feedback was integrated into
the development work to produce the final COBIT 5 products. Before being issued, the draft
development products were distributed to more than 100 subject matter experts around the
world to obtain their professional review.
• Once ready, draft versions of COBIT 5 and COBIT® 5: Enabling Processes were made available to
the public for review. Many good comments were received, suggesting further improvements
for consideration. Survey questions concerning the level of satisfaction of the work at the draft
stage were included in the public exposure activity, with 79 percent of the responses being
positive. Based on the review comments, the development team made changes as appropriate.
• The final product was reviewed by COBIT 5 Task Force members, the Framework Committee and
the Knowledge Board.
6. Can I use COBIT 5 as a statement of criteria for specific audit conclusions?
There are additional professional guides planned that will extend COBIT 5. Amongst these is COBIT 5
for Assurance. This will serve as the guide for assurance professionals wanting to use COBIT 5 in
their work. Once complete, COBIT 5 for Assurance will provide comprehensive guidance on using
COBIT 5 to support assurance activities. The completion of this guide is planned for 2013.
7. What training is available for the use of COBIT 5?
ISACA is developing an education and training portfolio to support COBIT 5. As training is developed,
ISACA will communicate news via appropriate media, including the Education & Training page in the
COBIT 5 area of the ISACA web site.
8. In what way can I suggest to executive management that it use COBIT 5?
Because COBIT is business‐oriented, using it to deliver value and govern and manage IT‐related
business risk is straightforward. The COBIT 5 two‐page executive summary and supporting short
presentation can be used in the discussion with management. The goals cascade in the framework
can be used to:
• Determine stakeholder needs and governance objectives (value creation)
• Identify enterprise goals that can support stakeholder needs. If the balanced scorecard (BSC) is
used to develop these goals, then a common set of terms can be used to communicate the
goals. Enterprise goals from the BSC are reproduced in figure 5 on page 19 of COBIT 5.
• Select IT‐related goals (for each enterprise goal) that will facilitate the achievement of the goals.
IT‐related goals can be found in figure 6 on page 19 of COBIT 5.
• Achieve IT‐related goals. This requires the successful application and use of enablers. The
framework describes enablers in detail in chapter 5. One of the enablers, processes, is treated
separately in the COBIT 5: Enabling Processes publication.
• Present the proposed set of needs, goals and enablers to executive management as a means of
delivering effective governance and management of IT‐related technology
9. Is the COBIT 5 framework superior to the other standards and frameworks such as the International
Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 series
and Information Technology Infrastructure Library (ITIL®)?
Most enterprise stakeholders and executive management are aware of the importance of the
general control frameworks with respect to their fiduciary responsibility, such as Committee of
Sponsoring Organizations of the Treadway Commission (COSO), Code of Connection (CoCo), the UK
Corporate Governance Code, King III, etc.; however, enterprise stakeholders and executive
management may not necessarily be aware of the details of each framework. In addition, enterprise
managers are increasingly aware of the more technical security guidance, such as the ISO/IEC 27000
series, and service delivery guidance, such as ITIL. Although the aforementioned standard and
framework emphasise business control and IT security and service management and delivery issues
in specific areas of enterprise IT‐related activity, only COBIT 5 integrates all functions and processes
that establish the governance of enterprise IT (GEIT) into overall enterprise governance and from a
business perspective. It should be noted that ISO/IEC 15504 and ITIL V3 were used to develop the
governance and management practices. COBIT 5 is not meant to replace any of these frameworks or
standards. It is intended to emphasise what governance and management elements and practices
are required to create value from information and technology in support of enterprise business
goals.
10. What is the quickest and best way to convince key executives and other enterprise stakeholders of
the value of using COBIT 5?
The enterprise’s culture is vitally important. A proactive culture will be more receptive than one that
is not proactive; however, consider emphasising COBIT’s focus on stakeholder value creation, its
business‐driven nature, its alignment with other internationally recognised standards and
frameworks, and its simple, but complete, structure. COBIT 5 is based on five principles and seven
enablers. All other governance and management guidance in COBIT 5 cascades from these basic
areas.
11. Has the COBIT 5 framework been accepted by C‐level executives?
Yes, previous versions of COBIT have been accepted in many enterprises globally, and new cases
continue to be documented. However, it should not be a surprise that in those entities where the
chief information officer (CIO) has embraced COBIT as a business framework for information and
technology, this has come as a direct consequence of one or more COBIT champions within the
audit and/or IT function(s). Even more important than acceptance by the CIO is acceptance by the
board of directors and executive management. Successful implementation of governance and
management of enterprise IT using COBIT depends greatly on the commitment of the executive
management team as a whole. The CIO alone cannot implement COBIT 5 effectively throughout the
enterprise because there are implications for many areas of the enterprise outside of the IT
function. The emphasis on value creation and alignment of stakeholder needs, enterprise goals, and
IT‐related goals will ensure that COBIT 5 is seen as a business framework.
12. How is COBIT 5 aligned with the international standard on IT governance, ISO/IEC 38500?
COBIT 5 clearly differentiates between the key areas of governance and management. In alignment
with ISO/IEC 38500, COBIT 5 presents governance in terms of Evaluate, Direct and Monitor. These
terms come directly from the standard’s ‘Model for Corporate Governance of IT’.
13. Do I need to meet an exact level when assessing a process using COBIT's process assessment
models?
The main purpose of the COBIT assessment programme (the programme web site can be found at
this link ‘COBIT Assessment Programme’) is to give management a robust, reliable, repeatable
approach and supporting tools to better understand the current capability of their governance and
management processes, and to help management do benchmarking, gap analysis and process
improvement planning. The assessment objective is to understand the level of capability that is
present and the level that is appropriate for a given process, based on business requirements, and
to understand the nature of any gaps so that any significant weaknesses in the process can be
identified and improved.
14. What does COBIT stand for?
COBIT was originally an acronym for Control Objectives for Information and related Technology.
Now used in short form, COBIT is used to identify the name of the framework.
15. Why is COBIT 5 presented in international English?
Starting with the first COBIT (1996), a conscious effort was made to use international English to
underscore the global nature of the sources that went into its development (the international
standards and frameworks used as references) and the global application of the resulting COBIT.
Over the years, this approach has been questioned and challenged from time to time, but it has
remained in place and all COBIT derivative products follow this rule as well.