Robert N. Phillips
CEO, Lasotell Pty Ltd.

If you are involved in trying to understand the various facets of Information Technology (IT) service delivery or of an IT organisation in general, there are two very useful models/methodologies you can investigate. They take all the mystique out of such tasks—including documenting them:

  • Information Technology Infrastructure Library (ITIL)
  • Control Objectives for Information and related Technology (CobiT)—yes, that is the correct capitalisation.

This, the second article, deals with CobiT. You can read the first article at

CobiT is the most useful tool of its kind for IT that I have seen in the last 15 years. You may not have an immediate need for it, but it is worth keeping in your drawer.

In a nutshell, CobiT defines 34 processes that are needed to manage an IT organisation (and 318 control objectives below them). Each process is described in two pages. The first page contains

  • The objective of the process
  • Critical Success Factors—the most important things to do that contribute to the process achieving its goals (but leaves it to you to determine how to implement them)
  • Key Goal Indicators—to measure (in percentage or numeric terms) what has been accomplished
  • Key Performance Indicators—to measure (in percentage or numeric terms) how well the process is performing

The second page contains

  • a description of the process under five levels of maturity

For more information about CobiT, visit To download the five major documents (all less than 500KB in size), visit

The following are a few paragraphs from the Executive Summary of the downloadable Management Guidelines document.

How do we get Information Technology under control such that it delivers the information the organisation needs? How do we manage the risks and secure the infrastructure we are so dependent on? As with many issues facing management, these broad strategic questions generate the following traditional questions to which we will provide answers:

  • What is the issue/problem?
  • What is the solution?
  • What does it consist of?
  • Will it work?
  • How do I do it?

An approach to addressing these issues has been provided by the CobiT Framework. CobiT stands for Control Objectives for Information and related Technology and is an open standard for control over information technology, developed and promoted by the IT Governance Institute. This framework identifies 34 information technology (IT) processes, a high-level approach to control over these processes, as well as 318 detailed control objectives and audit guidelines to assess the 34 IT processes. It provides a generally applicable and accepted standard for good IT security and control practices to support management’s needs in determining and monitoring the appropriate level of IT security and control for their organisations.

The IT Governance Institute has further built on this with leading-edge research, in cooperation with world-wide industry experts, analysts and academics. This has resulted in the definition of Management Guidelines for CobiT, which consist of Maturity Models, Critical Success Factors (CSFs), Key Goal Indicators (KGIs) and Key Performance Indicators (KPIs). This delivers a significantly improved framework responding to management’s need for control and measurability of IT by providing management with tools to assess and measure their organisation’s IT environment against the 34 IT processes CobiT identifies.

There are numerous changes in IT and in networking that emphasise the need to better manage IT-related risks. Dependence on electronic information and IT systems is essential to support critical business processes. Successful businesses need to better manage the complex technology that is pervasive throughout their organisations in order to respond quickly and safely to business needs. In addition, the regulatory environment is mandating stricter control over information. This, in turn, is driven by increasing disclosures of information system disasters and increasing electronic fraud. The management of IT-related risks is now being understood as a key part of enterprise governance.

Within enterprise governance, IT governance is becoming more and more prominent in achieving the organisation’s goals by adding value while balancing risk versus return over IT and its processes. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. Furthermore, IT governance integrates and institutionalises good (or best) practices for planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise’s information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.