CObIT 4

Several people have asked me what’s new and different about the latest release of the Control Objectives for Information and related Technology (CObIT4). I have not read the official release yet from the Information Systems Audit and Control Foundation and IT Governance Institute (the primary backers) but here are some of the things that have stood out so far:

The framework has some basic rewording and reorganization that is intended to be more consistent with other standards, such as ITIL (convergence is good). For example, Plan and Organize 8 (PO8) “Ensure compliance with external requirements” has been completely removed and the text transferred to a new Monitor and Evaluate 4 (ME4) “Ensure regulatory compliance”, which replaces the old ME4 “Provide for independent audit” since that was considered outside the scope of IT. Deliver and Support 8 (DS8) was renamed “Manage service desk and incidents” with Deliver and Support 10 (DS10) being renamed to “Manage problems”, which means problems will be handled separately. You get the idea…

There is also a shift from five resources to four:
– People
– Information (instead of “Data”)
– Applications
– Infrastructure (to replace both “Technology” and “Facilities”)

And the overall structure has been changed to:
– Control over IT processes of…
– to satisfy the business requirement of…
– is achieved by…
– is managed by…
– and is measured by…
