
EDPACS

The EDP Audit, Control, and Security Newsletter

ISSN: 0736-6981 (Print) 1936-1009 (Online) Journal homepage: https://www.tandfonline.com/loi/uedp20

COBIT 2019: A SIGNIFICANT UPDATE

Dirk Steuperaert

To cite this article: Dirk Steuperaert (2019): COBIT 2019: A SIGNIFICANT UPDATE, EDPACS, DOI: 10.1080/07366981.2019.1578474

To link to this article: https://doi.org/10.1080/07366981.2019.1578474

Published online: 28 Mar 2019.

2019 VOL. 59, NO. 01

COBIT 2019: A SIGNIFICANT UPDATE
DIRK STEUPERAERT

ABSTRACT. The new framework for governance and management of enterprise information & technology – COBIT 2019 – has been released. The updated framework provides a timely refresh of its structure and contents, and adds exciting new features such as design factors that make it possible to tailor governance systems, and many more. This article describes the major changes in COBIT and the impact they bring to governing bodies, management and practitioners.

The Information Systems Audit and Control Association recently released a new version of its Control OBjectives for Information and related Technology (COBIT) Framework: COBIT 2019. In this article we briefly describe the major changes compared to its predecessor COBIT 5 and why this new version deserves attention from various groups of managers and practitioners. For those considering adoption of or migration to COBIT 2019, we offer some guidance on how to approach this and which considerations to make.

Editor: Dan Swanson. Editor Emeritus: Belden Menkus, CISA.

MAJOR CHANGES
First of all, some things have not changed, most notably the overall purpose of governance of enterprise Information Technology (IT), the definitions of governance and management, and the distinction we make between both. Hence, the essence of our views on governance over enterprise IT has remained.
However, after almost seven years of COBIT 5, it was normal to update and refresh a number of things; technology, its role, and the way it is used in many organizations have dramatically changed. Sourcing models for IT services have changed and digital transformation is changing many organizations’ business models. The regulatory landscape is in constant evolution, imposing stricter rules for many commercial and public enterprises. And the landscape of IT governance and management standards and frameworks has evolved as well. All these changes require adjustments to the governance system an enterprise puts in place over enterprise IT, and by consequence made a review and update of the core of COBIT—its processes and the related governance components—highly relevant and timely.
User feedback and research have also led to some changes and new concepts in COBIT 2019. We have changed the names of some concepts or introduced new ones, such as:
● Design factors: In COBIT 5, it was mainly the goals cascade from enterprise goals down to process enabler goals that determined priorities for processes; in COBIT 2019, we have introduced many more design factors that can drive the design of the governance system of the enterprise (e.g., enterprise strategy, risk profile, role of IT, IT deployment methods, threat landscape).
● Governance components: The governance system of an enterprise consists of different components of different types that must work together holistically. Processes, organizational structures, information flows, culture and behaviors, and skills are all governance component types, and they can be compared to the COBIT 5 enablers but are much simplified.
● Governance and management objectives: This is the new name of what was known as enabling processes in COBIT 5. The governance and management objectives are the last stage in the new goals cascade and describe what IT should achieve in order to generate value for the enterprise. A governance and management objective naturally requires the related process, as well as various other governance component types.
● Focus areas: Next to the generic governance and management objectives, described in the COBIT 2019 Governance and Management Objectives publication, the new, flexible, and open architecture of COBIT helps to create and integrate more detailed and specific guidance on virtually any topic, using the governance and management objective structure. In a first phase, the focus area guidance will be available for information security, information and technology risk, small and medium enterprises, and DevOps. Many more are possible, feasible, and planned.
A detailed description of these changes can be found in the COBIT 2019 Framework publication. Figure 1 summarizes the overall COBIT 2019 architecture and approach.

If you have information of interest to EDPACS, contact Dan Swanson (dswanson_2008@yahoo.ca). EDPACS (Print ISSN
0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC., 530 Walnut Street, Suite 850,
Philadelphia, PA 19106. Subscription rates: US$427/£259/€343. Printed in USA. Copyright 2016. EDPACS is a registered
trademark owned by Taylor & Francis Group, LLC. All rights reserved. No part of this newsletter may be reproduced in any
form — by microfilm, xerography, or otherwise — or incorporated into any information retrieval system without the
written permission of the copyright owner. Requests to publish material or to incorporate material into computerized
databases or any other electronic form, or for other than individual or internal distribution, should be addressed to
Editorial Services, 530 Walnut Street, Suite 850, Philadelphia, PA 19106. All rights, including translation into other
languages, reserved by the publisher in the U.S., Great Britain, Mexico, and all countries participating in the
International Copyright Convention and the Pan American Copyright Convention. Authorization to photocopy items for
internal or personal use, or the personal or internal use of specific clients may be granted by Taylor & Francis, provided
that $20.00 per article photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA
01923 USA. The fee code for users of the Transactional Reporting Service is ISSN 0736-6981/06/$20.00 + $0.00. The fee is
subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate
system of payment has been arranged. Product or corporate names may be trademarks or registered trademarks, and are
only used for identification and explanation, without intent to infringe. POSTMASTER: Send address change to EDPACS,
Taylor & Francis Group, LLC., 530 Walnut Street, Suite 850, Philadelphia, PA 19106.

© Copyright 2019 Taylor & Francis—All rights reserved.



Figure 1. COBIT 2019 provides comprehensive and practical guidance to help enterprises better govern and manage their information and technology in customizable fashion.

COBIT 2019 allows enterprises to design, operate, and improve a governance system tailored to their needs. This design of a lean, effective, and efficient governance system is based on a number of design factors, and the governance system is built from the core COBIT 2019 contents—the 40 governance and management objectives and the underlying processes and other governance components—as well as from an open number of specific focus areas. Figure 1 illustrates how each of the four main COBIT 2019 publications guides users through these different steps.
Also based on user feedback, COBIT 2019 has been greatly simplified at the framework level: the enabler models, which were quite abstract, have been removed, as well as the name “enabler.” However, COBIT 2019 is still built around the concept that a good governance system requires a set of different governance components (processes, structures, skills, behaviors, etc.) cooperating in a holistic manner.
A last significant change is the replacement of the COBIT 5 Process Assessment Model (PAM), based on ISO/IEC 15504, by a Capability Maturity Model Integration (CMMI)-inspired process capability model. The governance and management objectives guidance, at the process activity level, associates each practice with a process capability level. The new system is more user-friendly and requires less complex processes for the lower capability levels compared to the previous model. However, enterprises using the COBIT 5 PAM can continue to use that model should they wish, because the process-related guidance contains all required information to do so.

IMPACT FOR MANAGEMENT AND PRACTITIONERS

So, why would managers and practitioners embrace COBIT 2019 and what would be the impact of this adoption? The benefits brought by COBIT 2019 include (but are not limited to):
● An up-to-date and flexible framework for governance of enterprise IT, incorporating the latest technology evolutions and methods, and including new guidance on data management;
● A framework that is open and that will continuously be updated with specific focused topics in a coherent way, such as security, risk, DevOps, small and medium enterprises, and many more planned;
● A framework that has been reviewed for simplicity, where all unnecessary content has been removed;
● A more intuitive process capability model, based on CMMI, which is more encouraging for process improvement initiatives and easier to communicate to senior management;
● A new governance design guide, allowing enterprises to tailor a governance system to their specific context, defining the right priorities and providing a leaner, much more effective and efficient governance system;
● An updated set of generic risk scenarios to help guide risk management efforts;
● A framework usable by internal stakeholders such as boards, senior management, business and IT management and practitioners, audit and risk professionals, and by external stakeholders, like regulators and external auditors. They find in COBIT 2019 an authoritative reference framework for governing information and technology, including design tools for their governance system, implementation guidance, and reporting and performance management tools.
The impact of migrating from earlier versions of COBIT, in most cases COBIT 5, to this new version is very similar to that of any migration, meaning that potential users need to take the following steps:
1. Understand the new version and assess to what extent the new or changed features constitute a benefit for the enterprise. Questions that should be asked here could include:
(a) Are the updated governance and management objectives (controls) a sufficiently important update compared to the current governance system of the enterprise?
(b) Can the new COBIT 2019 Design Guide assist in developing a leaner and more effective and efficient governance system?
(c) Is the new performance management approach, most notably the new process capability model (based on CMMI), likely to be an acceptable replacement for whatever process assessment system is in place today?
(d) Do the new focus areas and their specific contents bring value to the enterprise’s governance system?
(e) Are there or will there be any regulations that require us to adopt the newest version of COBIT?
2. Understand the changes and related effort that would be required for a migration. In this context, enterprises should at least consider the following:
(a) Adapting all systems (automated or not) used for their governance efforts—typically this will include Governance, Risk & Compliance (GRC) systems that need to be aligned to the new contents and performance management methods;
(b) Adapting the risk and audit universes based on the new design guide and using the updated reference framework, such as the new 40 governance and management objectives;
(c) Adapting reporting schemes based on the COBIT framework;
(d) Updating risk analyses based on the updated risk scenarios;
(e) Adapting policies and procedures based on the COBIT framework;
(f) Training and awareness on the new COBIT 2019 framework, which could include updating or obtaining the relevant COBIT 2019 certifications.
3. Complete the business case, weighing the potential benefits against the effort required, and in case of a positive outcome, look into the COBIT 2019 implementation guidance to set up a governance improvement initiative, including proper organizational change management and program management.

Dirk Steuperaert, IT & Risk Governance Consultant, Trainer, Researcher. Experienced consultant, coach and well-appreciated trainer in IT Risk Management, IT Governance and all COBIT 5 and, as of now, COBIT 2019 related matters. Dirk’s mission is to use his experience as consultant and his insights as researcher in his role as project leader and one of the key authors of all main COBIT 5 and COBIT 2019 publications by ISACA to teach all those that can benefit from COBIT and to help them apply it in practice in a very pragmatic way. Based in Belgium but travels around the world to teach, consult and coach.
