COBIT 5 for information security: The underlying principles

COBIT 5, a governance model for enterprise IT, introduces a framework that is better focused on information security.

COBIT’s presence in the enterprise

Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ITIL, to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security (InfoSec), it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.


With COBIT 5,

Controls Matrix

One method of ensuring optimum use of controls is creation and management of a controls matrix, as shown in Figure A. (A working matrix Excel template is available for download at A matrix should include areas of interest and critical controls, either developed during risk assessments or by using standards of best practice: