
A Comprehensive Manual for the Governance and Management of Enterprise Information and Technology

An in-depth guide to COBIT 2019 framework, covering foundational principles, core model, implementation lifecycle, and practical application for enterprise IT governance.


Abstract

This comprehensive manual provides an authoritative examination of COBIT 2019, the leading framework for enterprise governance of information and technology (EGIT), published by ISACA. The paper systematically analyzes the framework’s evolution from its 1996 inception through its 2019 iteration, documenting the strategic shift from “IT Governance” to enterprise-wide governance that addresses digital transformation imperatives. Drawing from 42 academic and industry sources, this manual examines COBIT 2019’s architectural components: six governance system principles, three framework design principles, seven governance system components, 40 governance and management objectives across five domains, the goals cascade mechanism, 11 design factors for customization, and the capability maturity model based on CMMI. The paper provides detailed implementation guidance through a five-phase lifecycle (Planning, Design, Implementation, Operation, Continual Improvement), integrates Focus Areas for emerging technologies (DevOps, Information Security, Risk Management), demonstrates alignment with complementary standards (ITIL, ISO 27001, NIST CSF), and presents case studies illustrating practical application in enterprise contexts. This manual serves as both a theoretical foundation for understanding modern IT governance frameworks and a practical guide for organizations implementing systematic governance to balance benefits realization, risk optimization, and resource efficiency.

Keywords

COBIT 2019, Enterprise Governance, Information Technology Governance, EGIT, ISACA Framework, Governance Maturity Model, IT Value Delivery, Risk Management, Compliance, Digital Transformation, Goals Cascade, Design Factors, Capability Assessment, CMMI, Governance Implementation, Focus Areas, Framework Integration


Part I: The Foundations of COBIT 2019 for Enterprise Governance

This foundational section establishes the strategic context of COBIT 2019, analyzing its evolution from a set of control objectives to a comprehensive framework for enterprise governance. It details the core principles that define a modern governance system and the components required to build one.

1.1 Executive Foreword: The Mandate for Enterprise Governance of I&T (EGIT)

COBIT, an acronym for Control Objectives for Information and Related Technology, is a comprehensive framework for the governance and management of enterprise information and technology (I&T).¹ Published by the Information Systems Audit and Control Association (ISACA), COBIT provides a reference model and common language for organizations to manage IT processes and align them with business requirements.¹

A significant evolution in the framework is the deliberate shift in terminology from “IT Governance” to “Enterprise Governance of Information and Technology” (EGIT).² This is not a superficial semantic change; it represents a fundamental strategic realignment. “IT Governance” traditionally implied a focus on the IT department as a distinct service provider. EGIT, conversely, establishes that I&T is a pervasive and integral asset, like finance or human capital, that is governed from the enterprise level.⁵ This shift is a direct response to digital transformation, where technology is often inseparable from the business model itself, driving innovation in areas like DevOps, cloud computing, and AI.⁴

COBIT 2019’s primary function is to provide a common language and structured approach for the board of directors and executive management—many of whom are not technology experts—to direct, monitor, and evaluate the I&T assets that are fundamental to achieving enterprise goals.⁴ It successfully bridges the persistent gap between high-level business strategy and detailed technical implementation.⁸

The central purpose of this framework is to create value for stakeholders.⁵ This is achieved by systematically balancing three key objectives:

  1. Benefits Realization: Maximizing the value and benefits gained from IT investments.⁷
  2. Risk Optimization: Balancing IT-related risks with reward by minimizing their impact.⁷
  3. Resource Optimization: Ensuring the efficient and effective use of all I&T resources, including people, processes, and technology.⁷

The framework itself has evolved to maintain this value proposition. First published in 1996¹, COBIT has been instrumental in helping organizations meet compliance standards, such as the Sarbanes-Oxley (SOX) Act.¹ The latest version, COBIT 2019, was released in 2018 to specifically address modern trends in digitization and digital transformation.⁴ This positions COBIT as a living, dynamic framework that adapts to the changing technological and business landscape.⁴

The COBIT framework is designed for a broad audience of stakeholders. Internally, this includes executive management, business managers, IT managers, risk management professionals, and assurance providers.⁹ Externally, it provides a common reference point for regulators, business partners, and IT vendors, enabling clear communication of governance and compliance expectations.⁹

To justify adoption, particularly for enterprises familiar with previous versions, the following table summarizes the critical evolutions from COBIT 5 to COBIT 2019.

Table 1: COBIT 5 vs. COBIT 2019 - Key Evolutions

Feature | COBIT 5 (2012) | COBIT 2019 (2018)
Principles | 5 Principles for governance and management | 6 principles for a Governance System and 3 principles for a Governance Framework
Core Components | 7 “Enablers” | “Enablers” are renamed to 7 “Components”
Core Model | 37 processes grouped into 5 domains | 40 Governance and Management Objectives grouped into 5 domains
Customization | Limited explicit guidance on tailoring | Introduction of 11 “Design Factors” for tailoring a “best-fit” governance system
Performance Mgt. | Based on an ISO/IEC 33000 scale | Adopts a CMMI (Capability Maturity Model Integration) based capability and maturity model
Flexibility | A more monolithic, integrated framework | An “open and flexible” architecture that supports new “Focus Areas” (e.g., DevOps, Security, Risk)
Alignment | Integrated Val IT and Risk IT frameworks | Improved alignment with global standards (e.g., NIST) and best practices

1.2 The Principles of COBIT 2019

COBIT 2019 is built upon two distinct sets of principles: those that define the requirements for an organization’s own governance system, and those that define the design philosophy of the COBIT framework itself.

1.2.1 The Six Principles of a Governance System

These six principles describe the core requirements for an enterprise’s tailored governance system over I&T.⁵

  1. Meet Stakeholder Needs: This is the primary objective. The governance system must be designed to generate value by balancing the realization of benefits, the optimization of risk, and the efficient use of resources.¹¹ This principle is the starting point for the Goals Cascade mechanism.¹⁰

  2. Enable a Holistic Approach: An effective governance system is not merely a collection of processes. It is a multi-faceted system built from several interacting components, including organizational structures, policies, culture, and information, which must work together.⁷ These are detailed in the 7 Components model.

  3. Dynamic Governance System: The governance system cannot be a static, “set it and forget it” implementation. It must be dynamic, meaning it is designed to be re-evaluated and adapted whenever key “design factors”—such as enterprise strategy, technology, or the threat landscape—change.⁵

  4. Distinguish Governance from Management: This is a fundamental concept.

    • Governance is the domain of the governing body (e.g., Board of Directors). It involves evaluating stakeholder needs, directing the enterprise by setting priorities and strategy, and monitoring performance against those objectives. This corresponds to the EDM domain.⁷
    • Management is the domain of executive and operational teams. It involves planning, building, running, and monitoring activities in alignment with the direction set by the governing body to achieve enterprise goals. This corresponds to the APO, BAI, DSS, and MEA domains.¹⁰
  5. Tailored to Enterprise Needs: COBIT is not a one-size-fits-all solution.⁹ The generic framework must be customized into a “best-fit” system by applying the “Design Factors” (e.g., enterprise size, industry, risk profile).¹⁸

  6. End-to-End Governance System: The governance system must cover the entire enterprise, integrating I&T governance seamlessly into overall enterprise governance.⁷ It is not limited to the IT department but encompasses all technology and information processing used to achieve enterprise goals.²

1.2.2 The Three Principles of a Governance Framework

These three principles describe the design philosophy of COBIT 2019 as a framework.¹³

  1. Based on a Conceptual Model: The framework is built on a consistent model that identifies key components and their relationships, which maximizes consistency and allows for automation.¹³

  2. Open and Flexible: COBIT’s architecture is explicitly “open”.⁴ This allows new content, such as specific “Focus Areas” for topics like DevOps, cloud, or cybersecurity, to be added or modified without breaking the core model.⁶

  3. Aligned to Major Standards: COBIT is designed to be an “umbrella” or integrator framework. It aligns with and can be used alongside other major standards like ITIL, NIST, ISO, and CMMI, providing a governance layer on top of their detailed guidance.¹

The separation of these principles is key to understanding COBIT 2019’s design. The System principles are the goals an organization strives to achieve (e.g., “be tailored,” “be dynamic”). The Framework principles are the features of COBIT itself that an organization uses to achieve those goals. For example, an organization uses COBIT’s Framework Principle of being “Open and Flexible”¹³ (by incorporating a DevOps Focus Area) to achieve its System Principle of having a “Dynamic Governance System”¹⁶ that can adapt to new implementation methods. This meta-structure is what makes COBIT 2019 a true framework-builder, not just a static set of controls.¹⁸

1.3 The Seven Components of the Governance System

To achieve the “Holistic Approach” principle¹⁶, COBIT 2019 defines seven categories of components. These were known as “enablers” in COBIT 5.⁴ For any governance objective to be met, all seven components must be considered and addressed.²⁰

Table 2: The 7 Components of the Governance System

Component | Description
1. Processes | An organized set of practices and activities designed to achieve specific objectives and produce a set of outputs.⁷
2. Organizational Structures | The key decision-making entities, roles, and responsibilities within an enterprise (e.g., Board committees, IT steering committee).⁷
3. Principles, Policies, and Frameworks | The vehicle to translate desired behavior into practical, verbalized guidance for day-to-day management.
4. Information | All information produced and used by the enterprise. COBIT focuses on the information required for the governance system to function effectively.
5. Culture, Ethics, and Behavior | The individual and collective behaviors that are “often underestimated as factors in the success” of governance and management activities.
6. People, Skills, and Competencies | The human resources and skills necessary for the execution of all activities and for making correct decisions and taking corrective actions.
7. Services, Infrastructure, and Applications | The technology and service-based resources (e.g., applications, infrastructure, and services) that provide the I&T processing for the enterprise.

This 7-component model is a powerful diagnostic tool. A common failure in governance implementation is an over-focus on “Processes” (Component 1) and “Policies” (Component 3). For example, if an organization is failing at business continuity (Objective DSS04)²⁵, a superficial analysis might blame the “Process” (Component 1) or “People” (Component 6).

The 7-Component model²⁰ forces a more sophisticated diagnosis. The DSS04 failure might not be the process itself. It could be:

  • An Organizational Structure issue (Component 2): No executive is formally designated as the ā€œownerā€ of the Business Continuity Plan (BCP).
  • A Culture issue (Component 5): The enterprise culture does not take drills seriously because “a disaster has never happened here”.²⁵
  • An Information issue (Component 4): The BCP itself is outdated and does not reflect new cloud-based Services, Infrastructure, and Applications (Component 7).²⁵

This holistic model prevents simplistic, ineffective solutions and guides leadership toward systemic improvements that build true resilience.


Part II: The COBIT 2019 Core Model: Governance and Management Objectives

This section serves as the central reference of the manual, detailing the 40 specific objectives that form the COBIT Core Model.⁴ These objectives are organized into five domains, which are grouped according to the fundamental distinction between governance and management.²

2.1 The Fundamental Distinction: Governance vs. Management

As established in the principles, COBIT 2019 makes a critical separation between governance and management activities and structures.⁵ This separation defines the structure of the Core Model’s five domains.

  • Governance Domain: This domain contains objectives for the governing body (e.g., Board of Directors).

    • EDM (Evaluate, Direct, and Monitor): This is the “strategic layer”.²¹ The governing body evaluates strategic options, directs senior management by setting priorities, and monitors the achievement of the strategy.²³
  • Management Domains: These four domains contain objectives for senior and middle management, who are responsible for executing the board’s strategy.

    • APO (Align, Plan, and Organize): Focuses on the overall organization, strategy, and supporting activities for I&T.²¹
    • BAI (Build, Acquire, and Implement): Addresses the definition, acquisition, and implementation of I&T solutions and their integration into business processes.²¹
    • DSS (Deliver, Service, and Support): Addresses the operational delivery and support of I&T services, including security.²¹
    • MEA (Monitor, Evaluate, and Assess): Focuses on performance monitoring and conformance of I&T with internal performance targets, internal control objectives, and external requirements.²³

These four management domains (APO, BAI, DSS, MEA) are not arbitrary. They represent a strategic-level implementation of the classic “Plan-Do-Check-Act” (PDCA) continuous improvement cycle.

  • APO is the Plan phase.²¹
  • BAI is the Do (or Build) phase.²¹
  • DSS is the Run (or Deliver) phase.²¹
  • MEA is the Check (or Monitor) phase.²³

This structure creates a fully integrated, closed-loop system. The Board (via EDM) sets the strategy (e.g., “We must optimize risk”). Management then uses the continuous PDCA loop (APO-BAI-DSS-MEA) to execute that strategy, with MEA providing the performance feedback loop back to EDM for monitoring and oversight.⁹

2.2 The COBIT 2019 Core Model: 40 Objectives

The following table presents the complete list of 40 Governance and Management Objectives that constitute the COBIT 2019 Core Model.⁴ The COBIT 2019 Framework: Governance and Management Objectives publication contains a detailed description of each objective, its purpose, and its related processes and practices.²

Table 3: The COBIT 2019 Core Model (40 Governance & Management Objectives)

Domain | ID | Objective Name
Governance (EDM) | EDM01 | Ensured Governance Framework Setting and Maintenance
Governance (EDM) | EDM02 | Ensured Benefits Delivery
Governance (EDM) | EDM03 | Ensured Risk Optimization
Governance (EDM) | EDM04 | Ensured Resource Optimization
Governance (EDM) | EDM05 | Ensured Stakeholder Engagement
Management (APO) | APO01 | Managed I&T Management Framework
Management (APO) | APO02 | Managed Strategy
Management (APO) | APO03 | Managed Enterprise Architecture
Management (APO) | APO04 | Managed Innovation
Management (APO) | APO05 | Managed Portfolio
Management (APO) | APO06 | Managed Budget and Costs
Management (APO) | APO07 | Managed Human Resources
Management (APO) | APO08 | Managed Relationships
Management (APO) | APO09 | Managed Service Agreements
Management (APO) | APO10 | Managed Vendors
Management (APO) | APO11 | Managed Quality
Management (APO) | APO12 | Managed Risk
Management (APO) | APO13 | Managed Security
Management (APO) | APO14 | Managed Data
Management (BAI) | BAI01 | Managed Programs
Management (BAI) | BAI02 | Managed Requirements Definition
Management (BAI) | BAI03 | Managed Solutions Identification and Build
Management (BAI) | BAI04 | Managed Availability and Capacity
Management (BAI) | BAI05 | Managed Organizational Change
Management (BAI) | BAI06 | Managed IT Changes
Management (BAI) | BAI07 | Managed IT Change Acceptance and Transitioning
Management (BAI) | BAI08 | Managed Knowledge
Management (BAI) | BAI09 | Managed Assets
Management (BAI) | BAI10 | Managed Configuration
Management (BAI) | BAI11 | Managed Projects
Management (DSS) | DSS01 | Managed Operations
Management (DSS) | DSS02 | Managed Service Requests and Incidents
Management (DSS) | DSS03 | Managed Problems
Management (DSS) | DSS04 | Managed Continuity
Management (DSS) | DSS05 | Managed Security Services
Management (DSS) | DSS06 | Managed Business Process Controls
Management (MEA) | MEA01 | Managed Performance and Conformance Monitoring
Management (MEA) | MEA02 | Managed System of Internal Control
Management (MEA) | MEA03 | Managed Compliance with External Requirements
Management (MEA) | MEA04 | Managed Assurance

Part III: Core Mechanisms for Alignment and Tailoring

This section details the dynamic “engine” of COBIT 2019, explaining the interconnected mechanisms used to align I&T with business strategy and tailor the framework to a specific enterprise context.

3.1 The Goals Cascade: Translating Strategy into Action

The Goals Cascade is the primary alignment mechanism in COBIT.⁹ It provides a clear, top-down approach¹⁰ to translate abstract stakeholder needs into specific, actionable governance and management objectives.

Step 1: Stakeholder Needs to Enterprise Goals (EGs)

The cascade begins with stakeholder needs (e.g., “increase regulatory compliance,” “improve customer service”).²³ These needs are transformed into an actionable strategy²³ and then mapped to a set of 13 generic Enterprise Goals (EGs).²³ Examples of EGs include:

  • EG01: Portfolio of competitive products and services
  • EG05: Customer-oriented service culture
  • EG12: Managed digital transformation programs²³

Step 2: Enterprise Goals to Alignment Goals (AGs)

The 13 Enterprise Goals are then mapped to 13 Alignment Goals (AGs).²⁶ AGs rephrase the high-level EGs in the specific context of I&T. For example, the Enterprise Goal EG05 (“Customer-oriented service culture”) maps directly to the Alignment Goal AG08 (“Enabling and supporting business processes by integrating applications and technology”).²³

Step 3: Alignment Goals to Governance & Management (G&M) Objectives

Finally, the prioritized Alignment Goals are mapped to the 40 G&M Objectives detailed in Part II.¹⁰ This crucial step identifies which of the 40 objectives are the most critical for achieving the desired AGs and, by extension, the EGs.³² For example, achieving AG08 would be primarily supported by objectives such as APO02 (Managed Strategy), BAI03 (Managed Solutions Identification and Build), and DSS01 (Managed Operations).²³

This entire mechanism provides a clear line of sight from a stakeholder driver (e.g., value creation) down to a specific management practice (e.g., managing operations).

Table 4: The COBIT 2019 Goals Cascade

Cascade Level | Description | Example
Level 1: Stakeholder Needs | The drivers and needs of stakeholders (e.g., Board, customers) that shape the enterprise strategy | Need: “Improve customer experience to increase market share”
↓ | Needs are transformed into… |
Level 2: Enterprise Goals (EGs) | A set of 13 generic goals for the enterprise, derived from stakeholder needs | EG05: “Customer-oriented service culture”
↓ | EGs are translated into… |
Level 3: Alignment Goals (AGs) | A set of 13 I&T-related goals that support the achievement of the Enterprise Goals | AG08: “Enabling and supporting business processes by integrating applications and technology”
↓ | AGs are supported by… |
Level 4: G&M Objectives | The 40 specific Governance & Management Objectives from the COBIT Core Model that are prioritized based on their contribution to the AGs | APO02: “Managed Strategy”, BAI03: “Managed Solutions Identification and Build”

3.2 The Design Guide: Tailoring a “Best-Fit” Governance System

A core principle of COBIT 2019 is that governance systems must be “Tailored to Enterprise Needs”.⁵ The framework is not prescriptive; it is designed to be a “best-fit” solution.¹¹ This tailoring is achieved using 11 Design Factors.⁴ These factors are used as parameters to prioritize G&M Objectives, select and customize components, and define target capability levels.¹⁸

Table 5: The 11 COBIT 2019 Design Factors

Design Factor Category | Design Factors
Enterprise Context | 1. Enterprise Strategy
Enterprise Context | 2. Enterprise Goals (derived from Goals Cascade)
Enterprise Context | 3. Risk Profile
Enterprise Context | 4. I&T-Related Issues
Strategic Focus | 5. Threat Landscape
Strategic Focus | 6. Compliance Requirements
Strategic Focus | 7. Role of IT
Strategic Focus | 8. Sourcing Model for IT (e.g., in-house, cloud, outsourced)
Implementation | 9. Implementation Methods (e.g., Agile, DevOps, waterfall)
Implementation | 10. Technology Adoption Strategy (e.g., first-mover, follower)
Implementation | 11. Enterprise Size

The COBIT 2019 Design Guide¹⁸ provides a formal, four-step workflow for applying these factors:

  1. Understand Context and Strategy: Analyze Design Factors 1, 2, 3, and 4 to understand the enterprise and its environment.⁸
  2. Determine Initial Scope: Use the Goals Cascade (Design Factor 2) to create a preliminary prioritization of G&M Objectives.³³
  3. Refine Scope: Use Design Factors 5 through 11 to refine and adjust the prioritization based on specific context (e.g., a high “Threat Landscape” score will increase the priority of security-related objectives).³³
  4. Resolve Conflicts & Conclude Design: Finalize the governance system design, resolve any priority conflicts between objectives, and set target capability levels.³³

The Goals Cascade and Design Factors are not independent mechanisms; they have a symbiotic relationship. The Goals Cascade²⁶ is a top-down strategic tool that defines the direction of travel (e.g., “Because our strategy is ‘digital transformation’ [EG12], ‘Managed Innovation’ [APO04] is critical”). The Design Factors⁷ are a contextual tool that informs the specific path and priorities of the journey (e.g., “Even though innovation [APO04] is critical, our ‘Risk Profile’ and ‘Compliance Requirements’ are extremely high, so ‘Managed Risk’ [APO12] and ‘Managed Security’ [APO13] must have a higher priority and capability level first”).

An implementation using only the Goals Cascade would be strategically aligned but contextually naive. An implementation using only Design Factors would be tactically focused but strategically adrift. The COBIT 2019 Design Guide³⁴ provides the essential process for merging these two, creating a governance system that is both strategically aligned and operationally relevant.³³

3.3 Performance Management: Measuring Capability and Maturity

COBIT 2019 provides a formal system for performance management⁹ based on the CMMI (Capability Maturity Model Integration) Performance Management Scheme.⁴ This replaces the model used in COBIT 5.⁴

Process Capability Levels

Each of the 40 G&M Objectives and their underlying processes can be measured against a 0-5 capability level scale.⁷ This scale defines how well a process is implemented and performing:

  • Level 0: Incomplete
  • Level 1: Initial
  • Level 2: Managed²⁹
  • Level 3: Defined²⁹
  • Level 4: Quantitative²⁹
  • Level 5: Optimizing⁷

Maturity Levels

Maturity levels are a broader concept associated with “Focus Areas” (e.g., “DevOps Maturity” or “Risk Maturity”).¹³ A specific maturity level is achieved when all of its required processes have achieved their target capability levels.¹³

This CMMI-based model provides a clear, structured approach for an organization to:

  1. Assess the current capability of its processes (“Where are we now?”).¹⁹
  2. Define a desired, realistic target capability level for each process (“Where do we want to be?”).¹⁹
  3. Identify and prioritize the gaps that require improvement.¹⁹
  4. Objectively benchmark performance and demonstrate progress over time.³⁵
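As an added, constructed example (not ISACA's Design Toolkit and not code from this page), the following Python works the four-step Design Guide workflow of 3.2 over the Goals Cascade of 3.1 and ends with the capability-gap step of 3.3. The mapping tables are a small subset lifted from the text's own examples (EG05 -> AG08 -> APO02/BAI03/DSS01; high Threat Landscape, Risk Profile and Compliance Requirements raising APO12, APO13, DSS05 and MEA03); the EG12 -> AG13 -> APO04 chain, the point weights and the target-level thresholds are this example's assumptions and must be replaced by the official mapping tables and the enterprise's own scoring.

```python
"""Constructed walk-through of the COBIT 2019 Design Guide workflow.

Step 1: collect context (enterprise-goal importance, design-factor scores,
        current capability levels); steps 2-4 are the functions below.
The tables are an illustrative subset, NOT ISACA's official mapping tables.
"""
from dataclasses import dataclass

# Step 2 inputs: goals cascade (EG -> AG -> G&M objective). EG05/AG08 follow the
# text; EG12 -> AG13 (business innovation) -> APO04 is an assumed mapping.
EG_TO_AG = {
    "EG05": ["AG08"],  # Customer-oriented service culture
    "EG12": ["AG13"],  # Managed digital transformation programs (assumed)
}
AG_TO_OBJECTIVES = {
    "AG08": ["APO02", "BAI03", "DSS01"],  # as in the text's AG08 example
    "AG13": ["APO04"],                    # Managed Innovation (assumed)
}

# Step 3 inputs: design factors 5-11 scored 1-5; a score above neutral raises
# the listed objectives. Factor/objective pairs follow the text's examples,
# the weights are assumptions of this example.
NEUTRAL_SCORE = 3
REFINEMENT_RULES = {
    "threat_landscape": ("APO13", "DSS05"),
    "risk_profile": ("APO12", "APO13"),
    "compliance_requirements": ("APO12", "APO13", "MEA03"),
}
CASCADE_WEIGHT = 10     # priority points per unit of enterprise-goal importance
REFINEMENT_WEIGHT = 15  # priority points per point above neutral on a factor

# Step 4: priority score -> target capability level on the 0-5 CMMI-based scale
# (assumed thresholds; anything below the last band is left out of scope).
TARGET_BANDS = ((75, 4), (50, 3), (20, 2))


@dataclass(frozen=True)
class DesignResult:
    objective: str
    priority: int
    target_level: int
    current_level: int

    @property
    def gap(self) -> int:
        """Capability levels still to climb (never negative)."""
        return max(0, self.target_level - self.current_level)


def initial_scope(eg_importance: dict[str, int]) -> dict[str, int]:
    """Step 2: cascade enterprise-goal importance (1-5) down to G&M objectives."""
    priority: dict[str, int] = {}
    for eg, importance in eg_importance.items():
        if not 1 <= importance <= 5:
            raise ValueError(f"{eg}: importance must be 1-5, got {importance}")
        for ag in EG_TO_AG.get(eg, []):
            for obj in AG_TO_OBJECTIVES.get(ag, []):
                priority[obj] = priority.get(obj, 0) + importance * CASCADE_WEIGHT
    return priority


def refine_scope(priority: dict[str, int], factor_scores: dict[str, int]) -> dict[str, int]:
    """Step 3: raise security, risk and compliance objectives for high factor scores."""
    refined = dict(priority)
    for factor, score in factor_scores.items():
        if factor not in REFINEMENT_RULES:
            raise KeyError(f"unknown design factor: {factor}")
        bonus = (score - NEUTRAL_SCORE) * REFINEMENT_WEIGHT
        if bonus <= 0:
            continue  # neutral or low scores leave the cascade result untouched
        for obj in REFINEMENT_RULES[factor]:
            refined[obj] = refined.get(obj, 0) + bonus
    return refined


def target_level(priority: int) -> int:
    """Map a priority score to a target capability level; 0 means out of scope."""
    for threshold, level in TARGET_BANDS:
        if priority >= threshold:
            return level
    return 0


def conclude_design(priority, current_levels) -> list[DesignResult]:
    """Step 4: rank objectives (ties broken by ID), set targets, compute gaps."""
    results = []
    for obj, score in sorted(priority.items(), key=lambda kv: (-kv[1], kv[0])):
        target = target_level(score)
        if target == 0:
            continue
        results.append(DesignResult(obj, score, target, current_levels.get(obj, 0)))
    return results


def design_governance_system(eg_importance, factor_scores, current_levels):
    """Run steps 2-4 on the step-1 inputs."""
    refined = refine_scope(initial_scope(eg_importance), factor_scores)
    return conclude_design(refined, current_levels)


if __name__ == "__main__":
    # Constructed scenario from the text: digital transformation (EG12) is the
    # critical goal, but risk profile, compliance and threat landscape are extreme.
    for r in design_governance_system(
        eg_importance={"EG12": 5, "EG05": 3},
        factor_scores={"threat_landscape": 5, "risk_profile": 5, "compliance_requirements": 5},
        current_levels={"APO13": 1, "APO12": 2, "APO04": 1},
    ):
        print(f"{r.objective}: priority={r.priority:3d} target=L{r.target_level} "
              f"current=L{r.current_level} gap={r.gap}")
```

With these inputs APO13 (90 points) and APO12 (60) outrank APO04 (50), reproducing the conflict the text resolves in favour of Managed Risk and Managed Security before Managed Innovation.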

Part IV: The COBIT 2019 Implementation and Continuous Improvement Lifecycle

This section provides a practical, “how-to” guide for implementing COBIT 2019. The COBIT 2019 Implementation Guide⁶ advocates for a continuous improvement lifecycle³⁶, adapting the 7-phase model established in COBIT 5.⁶ This approach frames implementation not as a one-time project, but as a continuous program centered on change enablement and program management.³⁶

4.1 The 7-Phase Implementation Lifecycle

The implementation journey is structured around seven key questions, creating a virtuous cycle of continuous improvement.

Table 6: The 7-Phase Implementation Lifecycle: Purpose and Key Questions

Phase | Key Question | Purpose and Key Activities
Phase 1 | What Are the Drivers? | Initiate the Program. Identify stakeholder needs, pain points, and drivers for change (e.g., new strategy, risk exposure, compliance failure). Secure executive buy-in and establish a mandate.
Phase 2 | Where Are We Now? | Define the Current State. Assess the capability of current I&T processes against the COBIT CMMI model. Identify gaps, “I&T-related issues”, and baseline performance.
Phase 3 | Where Do We Want to Be? | Define the Target State. Use the COBIT Design Guide workflow, applying the Goals Cascade and Design Factors, to select and prioritize G&M objectives. Define specific, realistic target capability levels.
Phase 4 | What Needs to Be Done? | Plan the Roadmap. Analyze the gaps between the current (Phase 2) and target (Phase 3) states. Develop a comprehensive, practical roadmap with clear projects, milestones, resource allocations, and risk mitigation strategies.
Phase 5 | How Do We Get There? | Execute the Plan. Implement the defined improvements, often starting with pilot projects. This phase requires managing all 7 “Components” (e.g., process redesign, staff training, new policies, cultural change initiatives).
Phase 6 | Did We Get There? | Measure and Confirm Results. Track key metrics and Key Performance Indicators (KPIs) to assess the effectiveness of the implementation. Monitor outcomes to ensure that business benefits were realized.
Phase 7 | How Do We Keep the Momentum Going? | Embed Continuous Improvement. Review the overall success of the program, identify new requirements and lessons learned, and institutionalize the new practices. This feeds back into Phase 1, restarting the cycle to ensure the governance system remains dynamic.

A common point of confusion is the relationship between this 7-Phase Implementation Lifecycle³⁸ and the 4-Step Governance System Design Workflow.³³ They are not competing models. The Design Workflow is the detailed set of design activities that are performed inside the broader Implementation Lifecycle.

This relationship can be understood as follows:

  • Implementation Phase 2 (“Where are we now?”) uses Design Workflow Step 1 (“Understand Context”).⁸
  • Implementation Phase 3 (“Where do we want to be?”) uses Design Workflow Steps 2 & 3 (“Determine Scope” and “Refine Scope”).³³
  • Implementation Phase 4 (“What needs to be done?”) uses Design Workflow Step 4 (“Conclude Design”)³³ to produce the final implementation roadmap.³⁹

This clarifies how the COBIT 2019 Design Guide³⁴ and the COBIT 2019 Implementation Guide⁶ are intended to be used together to create a practical, tailored, and continuous governance program.


Part V: Practical Application and Governance Artifacts

This final section provides actionable resources, templates, and advanced strategic guidance for integrating COBIT 2019 into the enterprise.

5.1 COBIT 2019 Focus Areas: Tailoring for Specific Topics

Reflecting its “open and flexible” principle¹³, COBIT 2019 uses Focus Areas to provide specific, detailed guidance on particular topics. These are not separate frameworks but overlays that adapt and highlight specific parts of the COBIT Core Model to address a given domain.⁷

Key Focus Areas published by ISACA include:

  • Information Security⁶: Provides guidance on applying COBIT to information security, highlighting security-specific practices, activities, and metrics within the 40 objectives.⁶
  • Information and Technology Risk⁶: Enhances the core guidance with risk-specific practices and activities, aligning with and building upon the ISACA Risk IT framework.¹⁵
  • DevOps⁶: Describes how COBIT concepts apply to a DevOps environment, helping enterprises evaluate and build an effective governance system over their DevOps practices.⁶
  • Other Areas: The open model is designed to accommodate other emerging areas such as cloud computing, data privacy⁷, and artificial intelligence (AI).⁶

5.2 Governance Artifacts: Templates and Examples

To be effective, a governance system must be formally documented. The “Principles, Policies, and Frameworks” component⁷ relies on key artifacts like charters and policies. The following outlines serve as best-practice starting points.⁶

Template 7: IT Governance Charter Outline

A charter grants authority and defines the scope, membership, and responsibilities of a governance body (e.g., an IT Steering Committee).⁴¹

  1. Purpose and Mandate: Defines the committee’s existence, authority, and strategic purpose.⁴¹
  2. Scope of Authority: Outlines the specific decisions the committee is empowered to make (e.g., IT strategy, architecture exceptions, investment prioritization).⁴¹
  3. Expected Results / Value Proposition: Links the committee’s work to the core COBIT objectives (Benefits Realization, Risk Optimization, Resource Optimization).⁷
  4. Membership: Defines roles (e.g., Chair, voting members, non-voting advisors, secretary) and required representation (e.g., CIO, CFO, business unit leads).⁴¹
  5. Roles and Responsibilities: Details the specific duties of the committee and its members.⁴¹
  6. Operating Principles & Decision Making: Defines how the committee functions (e.g., meeting frequency, quorum, voting rules, process for submitting proposals, prioritization framework).⁴¹
  7. Key Inputs & Outputs: Lists the information the committee requires to function (e.g., business strategy, risk assessments) and the artifacts it produces (e.g., approved IT portfolio, strategic roadmap).⁴³
  8. Approval and Review Cycle: Defines the charter’s effective date, owner, approver, and mandatory review interval.⁴¹

Template 8: IT Governance Policy Outline

A policy formally documents high-level rules and communicates required or prohibited behaviors to guide operational processes.⁶

  1. Purpose⁴¹
  2. Applicability / Scope⁴¹
  3. Definitions⁴¹
  4. Policy Statements: The high-level rules, which should be cross-referenced to specific COBIT objectives.
  5. Roles and Responsibilities⁴¹
  6. Standards: Links to related, more detailed mandatory standards.
  7. Exceptions and Exclusions: Defines the formal process for requesting and approving exceptions.⁴¹
  8. Supporting References: (e.g., COBIT 2019 Framework, NIST CSF, ISO 27001).⁴¹
  9. Review Interval and Ownership⁴¹

Process-to-Policy Mapping Examples

Policies should not exist in a vacuum; they are a key component for achieving G&M Objectives.⁴⁴

  • Example 1: A “Data Security Policy”²⁵ directly supports APO13 Managed Security and APO14 Managed Data. Its policy statements (e.g., “All sensitive data must be encrypted at rest and in transit”) are derived from the detailed practices within those objectives.

  • Example 2: A “Business Continuity Policy”²⁵ directly supports DSS04 Managed Continuity. A policy statement such as “All critical business continuity plans (BCPs) must be fully exercised at least annually” is a direct translation of the COBIT practice DSS04.04: Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP).²⁵

5.3 Framework Integration: COBIT as the Integrator

COBIT 2019 is designed to be an “umbrella framework”.⁹ It does not replace other, more detailed technical or service management frameworks but rather provides the governance structure to integrate them and ensure they align with business goals.

  • COBIT and ITIL: This is a classic pairing. COBIT defines what needs to be done from a governance and control perspective (e.g., G&M Objective APO09 Managed Service Agreements), while ITIL describes how to do it in detail (e.g., the ITIL practices for Service Level Management).¹

  • COBIT and NIST/ISO 27001: An organization can adopt the NIST Cybersecurity Framework (CSF) or ISO 27001 to define its detailed security controls. It would then use COBIT—specifically objectives like APO13 (Managed Security), DSS05 (Managed Security Services), and the COBIT Security Focus Area⁶—to govern and manage that implementation. COBIT ensures the security program is aligned with business goals, its risks are optimized, and its performance is monitored (e.g., via MEA03, Managed Compliance).⁶

  • COBIT and SOX: COBIT has long been a preferred framework for demonstrating compliance with the Sarbanes-Oxley (SOX) Act.¹ Objectives MEA02 (Managed System of Internal Control) and MEA03 (Managed Compliance with External Requirements) provide the specific framework for managing, assessing, and reporting on the internal controls required by SOX.

5.4 Concluding Analysis: The Future-Proof Governance System

The primary value of COBIT 2019 is its ability to create a “dynamic governance system”.⁵ The framework is not a static set of controls to be “installed” once. Rather, it is an operating system for governance.⁹

The combination of its core mechanisms creates a continuous loop:

  1. The Goals Cascade³⁰ translates enterprise strategy into I&T priorities.
  2. The Design Factors⁷ tailor those priorities to the organization’s unique operational context and risk profile.
  3. The 7-Phase Lifecycle³⁸ provides the program management engine to implement these priorities.
  4. The Performance Management model⁷ measures the results.
  5. This feeds back into the EDM domain²³, allowing the board to monitor and direct, thus restarting the cycle.

This integrated loop empowers an enterprise to manage not just today’s I&T environment but to continuously sense and respond to the inevitable changes in strategy, risk, and technology. It is this adaptability that moves governance from a compliance burden to a strategic enabler, equipping the enterprise to “survive and thrive in the digital era”.⁹


References

  1. What is COBIT Framework? Goals and Principles of COBIT - Fortinet. https://www.fortinet.com/resources/cyberglossary/what-is-cobit
  2. Governance and Management Objectives. https://netmarket.oss.aliyuncs.com/df5c71cb-f91a-4bf8-85a6-991e1c2c0a3e.pdf
  3. COBIT - Wikipedia. https://en.wikipedia.org/wiki/COBIT
  4. Understanding the COBIT Framework: A Comprehensive Guide - The LastPass Blog. https://blog.lastpass.com/posts/cobit-framework
  5. COBIT 2019 and the IIA 2019 Guiding Principles of Corporate Governance - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2020/cobit-2019-and-the-iia-2019-guiding-principles-of-corporate-governance
  6. COBIT® | Control Objectives for Information Technologies® - ISACA. https://www.isaca.org/resources/cobit
  7. COBIT 2019: IT governance framework - ITLawCo. https://itlawco.com/cobit-2019-it-governance-framework/
  8. Applying COBIT 2019 to Design a Tailored IT Governance System for PT. Telekomunikasi Seluler Manado Branch. https://jidt.org/jidt/article/download/572/368/
  9. Seven Key Features Lessons and Tips from a COBIT Journey of 27 Years - ISACA. https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-46/seven-key-features-lessons-and-tips-from-a-cobit-journey-of-27-years
  10. COBIT: An A – Z Guide for 2019 | Joe The IT Guy. https://www.joetheitguy.com/cobit-a-z/
  11. What is COBIT? COBIT Explained – BMC Software | Blogs. https://www.bmc.com/blogs/cobit/
  12. Industry News 2020 COBIT 2019 and COBIT 5 Comparison - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2020/cobit-2019-and-cobit-5-comparison
  13. COBIT® 2019 Framework: Introduction & Methodology - Temple MIS. https://community.mis.temple.edu/mis5203sec003spring2020/files/2019/01/COBIT-2019-Framework-Introduction-and-Methodology_res_eng_1118.pdf
  14. COBIT 2019 Framework Intended Audience - Testprep Training Tutorials. https://www.testpreptraining.com/tutorial/cobit-audience/
  15. COBIT® 5 Framework Publications - ISACA. https://www.isaca.org/resources/cobit/cobit-5
  16. What Is COBIT? Insights into Its Importance and Benefits - Bilginç IT Academy. https://bilginc.com/en/blog/what-is-cobit-insights-into-its-importance-and-benefits-5931/
  17. Industry News 2019 COBIT Design Factors - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2019/cobit-design-factors
  18. COBIT Guide: Principles, Enablers & IT Governance Explained - AuditBoard. https://auditboard.com/blog/cobit
  19. Governance System Components - Testprep Training Tutorials. http://www.testpreptraining.com/tutorial/governance-system-components/
  20. Understanding the COBIT 2019 Framework: The 5 Core Domains - Multimatics. https://multimatics.co.id/insight/aug/it-governance-professionals-must-know-the-cobit-2019-domains
  21. COBIT 5 Domains - ITSM Docs. https://www.itsm-docs.com/blogs/cobit/cobit-5-domains
  22. Using COBIT 2019 to Plan and Execute an Organization’s Transformation Strategy - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2020/using-cobit-2019-to-plan-and-execute-an-organization-transformation-strategy
  23. COBIT 5 Framework: A Comprehensive Guide to IT Governance - Invensis Learning. https://www.invensislearning.com/blog/cobit-5-framework-tutorial/
  24. A Systematic Approach to Implementing a Governance System Using COBIT 2019 - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2021/a-systematic-approach-to-implementing-a-governance-system-using-cobit-2019
  25. Employing COBIT 2019 for Enterprise Governance Strategy - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2019/employing-cobit-2019-for-enterprise-governance-strategy
  26. ISACA® Publications. https://www.isaca.org/resources/insights-and-expertise/publications
  27. Defining Target Capability Levels in COBIT 2019: A Proposal for Refinement - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2019/defining-target-capability-levels-in-cobit-2019-a-proposal-for-refinement
  28. COBIT 2019 Goals Cascade: A Blueprint for Success - Tech Prognosis Blog. https://blog.techprognosis.com/cobit-2019-goals-cascade-a-blueprint-for-organizational-success/
  29. Exam COBIT 2019 topic 1 question 33 discussion - ExamTopics. https://www.examtopics.com/discussions/isaca/view/120295-exam-cobit-2019-topic-1-question-33-discussion/
  30. Using COBIT 2019 to Proactively Mitigate the Impact of COVID-19 - ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2021/using-cobit-2019-to-proactively-mitigate-the-impact-of-covid-19
  31. Understanding COBIT 2019 Design Factors - Multimatics. https://multimatics.co.id/insight/nov/dive-into-cobit-2019-design-factors
  32. Press Releases 2018 New COBIT 2019 Resources Help Organizations Design and Implement Tailored Governance Systems - ISACA. https://www.isaca.org/about-us/newsroom/press-releases/2018/new-cobit-2019-resources-help-organizations-design-and-implement-tailored-governance-systems
  33. COBIT 2019 Implementation guide pdf - ITSM Docs. https://www.itsm-docs.com/blogs/cobit/cobit-2019-implementation-guide-pdf
  34. COBIT 2019 Implementation: Understanding the 7-Phase Life Cycle - Multimatics. https://multimatics.co.id/insight/apr/cobit-2019-the-7-phases-of-implementation-life-cycle
  35. COBIT® Case Studies - ISACA. https://www.isaca.org/resources/cobit/cobit-case-studies
  36. 7 Phases in COBIT Implementation: COBIT Certification Training - Simplilearn.com. https://www.simplilearn.com/cobit-implementation-seven-phases-article
  37. 7 Phases of COBIT Implementation: Explained - The Knowledge Academy. https://www.theknowledgeacademy.com/blog/cobit-implementation/
  38. COBIT Focus Area: Information and Technology Risk—A Model for Internal Audit Analysis. https://www.isaca.org/resources/news-and-trends/industry-news/2021/cobit-focus-area-information-and-technology-risk-a-model-for-internal-audit-analysis
  39. IT Governance Guide - Oregon.gov. https://www.oregon.gov/eis/Documents/IT_Governance_Guide_EIS.pdf
  40. IT Governance Charter Sample - CIO Index. https://cioindex.com/reference/it-governance-charter-sample/
  41. 13 Digital Governance Committee Charter | PDF - Scribd. https://www.scribd.com/document/676853530/13-Digital-Governance-Committee-Charter
  42. COBIT Process Policy Mapping Template - ITSM Docs. https://www.itsm-docs.com/blogs/cobit-templates/cobit-process-policy-mapping-template

This comprehensive manual provides the foundation for implementing COBIT 2019 as a dynamic governance system that aligns information and technology with enterprise objectives, optimizes risks, and delivers value to stakeholders.
