Image: iStockphoto/Drazen Zigic

COBIT‘s presence in the enterprise. Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ITIL to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security (InfoSec), it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.

Controls Matrix

One method of ensuring optimum use of controls is creation and management of a controls matrix. A matrix should include areas of interest and critical controls, either developed during risk assessments or by using standards of best practice:

Enabler Integration

  • Both IT and business teams use processes to get work done with consistent outcomes. Security teams must include how work is done when designing a security framework and program.
  • An organizational structure (a management hierarchy) is designed to monitor and reach strategic and operational objectives. Leaders (decision makers) from each level are typically stakeholders in business processes and expected outcomes.
  • An organization is a living entity, with its own culture, ethics, and behavior as exhibited by its employees. Changing the way employees see their working world is not easy and must be considered when trying to secure the workplace.
  • Information is what we attempt to protect… and it is usually everywhere. In most cases, information is critical for business operations and must be available when and where needed. Further, access to the data should not come with unacceptable response times caused by poorly designed security controls.
  • IT delivers information via services, infrastructure, and applications.  
  • All security control implementations require attention to people, skills, and competencies: both in and out of IT. For example, is it more appropriate to enforce a policy with technical controls, or are the employees able administratively to meet expected risk outcomes?
  • Principles, policies, and frameworks provide the means to integrate all enablers into an overall solution resulting in secure operational success. The enablers help achieve the outcomes expected when developing principles, policies, and frameworks.

Principle 5: Separating governance from management

This principle establishes a line between setting objectives and measuring outcomes. According to COBIT 5 for Information Security:

“Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balances, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives” (p. 23).

While governance and management are separate functions performed by designated teams, they must support each other. Governance defines outcomes and management implements technology and processes to meet those outcomes. Governance then determines if outcomes are met and provides feedback to help management make necessary adjustments.


  1. COBIT 5 for Information Security provides a comprehensive framework for integrating security into business processes.  It also provides a set of enablers that, when applied, help ensure stakeholder acceptance and efficient business operation.
  2. Organizations must integrate security into every facet of management and operations. This begins with identifying all business processes and associated stakeholders, including audit and InfoSec teams.
  3. Point-and-shoot approaches to managing security will not achieve the best overall results. A holistic approach—one that defines a complete framework used to integrate new controls or vulnerability remediation—is necessary for both security and financial efficiency and efficacy.