What‘s new in COBIT 5?

// IT Processes and Organisation, IT-Strategy

For several years now, COBIT has been received and accepted as the framework for IT governance, both in an international context and in Germany. And like every framework, COBIT, too, is regularly being revised and adjusted to changing needs. In April 2012, now, COBIT 5 was published and is replacing version 4.1. Here, this article introduces you to the innovations in COBIT 5.

COBIT (Control Objectives for Information and Related Technology) is an internationally accepted framework for IT governance that provides generally accepted practices that help executives and managers to increase the value of IT itself and to reduce IT risks. COBIT focuses on the essential requirements for implementing an appropriate IT control and is located at a strategic level. The framework was adjusted to and harmonised with other, detailed IT standards and best practices, such as COSO, ITIL, ISO 27001, etc. It does, however, have the claim to be applicable independent of both the industry and the size of the enterprise.

COBIT was developed in 1993 by the Information Systems Audit and Control Association (ISACA), an international association of IT auditors. Since 2000, its further development was handled by the IT Governance Institute (ITGI), a sister organisation of the ISACA. Over the years, COBIT has developed from a tool for IT auditors to a tool for controlling and managing IT from the business point of view. As such, the user group for COBIT is no longer primarily focussed on IT auditors but specifically on business management.

The new version, COBIT 5, was published in April 2012. There have been some changes from the previous version, COBIT 4.1. Here, we will cover the essential innovations. 

Integration with other frameworks

The frameworks COBIT 4.1, Val IT 2.0 and Risk IT were brought together under COBIT 5. As such, Risk IT and Val IT are no longer maintained as separate frameworks but were integrated into COBIT 5.

Separation of governance and management

COBIT 5 now clearly distinguishes between governance and management. For this, five governance and 32 management processes are contained in COBIT 5. The governance processes establish the framework and the rules that are followed by the management processes. The governance processes were modelled after the international standard ISO/IEC 38500 (Corporate Governance in Information Technology).

Adjusted cascade of goals

The starting point for the goals cascade are no longer the Business Goals as in COBIT 4.1, but rather the Stakeholder Needs. These were introduced to illustrated that the primary goal of any organisation is to generate value for the stakeholders. Derived from the Stakeholder Needs are the Enterprise Goals. Derived from these are, in return, the IT-related Goals, and derived from those are the Enabler Goals. But COBIT 5 only contains a mapping between the IT-related Goals and the COBIT processes for the processes, one of the seven Enabler categories.

Migrating Control Objectives into Practices

In their current form, the Control Objectives previously known in COBIT are no longer contained in COBIT 5. This was in response to previous criticism that the Control Objectives did not harmoniously fit into the COBIT 4 structure and thereby resulted in feelings of not consistently conclusive design of the framework. In COBIT 5, the Control Objectives were migrated into the so-called Practices. The Practices, in turn, are put in concrete form through individual activities and are unambiguously assigned to the individual COBIT processes.

Maturity Model adjusted to ISO/IEC 15504 The model for assessing the degree of process maturity, which in COBIT 4.1 was modelled after the Capability Maturity Model (CMM), was completely redesigned in COBIT 5 and modelled after the process maturity model of the international standard ISO/IEC 15504 (SPICE) to allow for a SPICE-compliant COBIT certification in the future.


In summary, it can be said that COBIT 5 made another big step away from being a framework for IT auditors to being a framework for controlling and managing IT. Through the integration of additional frameworks, COBIT 5, at present, is the most comprehensive framework for controlling and managing IT and by far the one with the most direct focus on aligning business and IT. More than ever, it provides executive management and IT management with practices for controlling their IT more effectively, while at the same time also adhering to constantly increasing statutory, regulatory and contractual obligations.



Michael Niehenke


Go back