COBIT 5 for information security: The underlying principles

COBIT 5, a governance model for enterprise IT, introduces a framework that is better focused on information security.

COBIT's presence in the enterprise

Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ITIL, to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security (InfoSec), it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.


With COBIT 5,

Principle 2: Covering the enterprise end-to-end

Information security is often applied as a series of point solutions, as described in more detail in Principle 3. However, general application of security and assurance best practices requires security reviews as part of all business processes and of all IT development and implementation activities. This isn't just a horizontal integration. Rather, all levels of management must include InfoSec in every strategic and operational business planning activity.

For example, a department vice president might implement a new business process without consulting audit or security. If the organization has a solid

Principle 3: Applying a single integrated framework

Application of security controls is often a point-and-shoot activity. Many organizations tend to fix specific issues without stepping back and applying policies and controls that impact multiple vulnerabilities in network or system

Controls Matrix

One method of ensuring optimum use of controls is creation and management of a controls matrix, as shown in Figure A. (A working matrix Excel template is available for download at A matrix should include areas of interest and critical controls, either developed during risk assessments or by using standards of best practice:

About Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
