
What to expect with the upcoming release of COBIT 4.1

Johannesburg, 13 Mar 2007

Later this month, COBIT 4.1 will be released along with a number of new and revised Control Objectives for Information and related Technology (COBIT) publications, thereby aligning all of the COBIT products within the COBIT 4 series.

The first quarter releases will include COBIT 4.1; COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition; IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition; and IT Assurance Guide: Using COBIT. Shortly after those releases, COBIT Online will be updated to reflect the changes in these publications, and in the near future the IT Governance Institute (ITGI) will release the second editions of COBIT Security Baseline and COBIT Quickstart.

COBIT 4.1

The 4.1 updates can be seen as a fine-tuning of the COBIT framework, without any fundamental changes to COBIT 4.0.

COBIT 4.1 features an enhanced executive overview and a better explanation of performance measurement, putting the metrics in the context of the cascade of IT, process and activity goals, and expanding on the difference between performance drivers and outcome measures. The point is made that an outcome measure is also a performance driver for a higher-level goal.

It also includes improved control objectives resulting from updated control practices and Val IT development activity. At the level of the control objectives, the definition of a control objective has changed, shifting more toward management practices statements. Also, some control objectives have been regrouped and/or reworded to avoid overlaps and make the list of control objectives within a process more consistent. In this context, AI5.4, AI5.5 and AI5.6 were combined, as were AI7.9, AI7.10 and AI7.11.

Changes were also made to ME3 to include compliance with internal policies and contractual requirements, in addition to legal and regulatory requirements. These changes resulted in the renumbering of the remaining control objectives. Some other control objectives were reworded to make them more action-oriented and consistent.

The section on application controls has been expanded, with fewer but enhanced application controls, without loss of any of the generally applicable control requirements. Specifically:

* They have been consolidated and enhanced, moving from 18 to six control objectives, with the detail now provided in the new COBIT Control Practices, 2nd Edition.
* Manual controls have been removed.
* Security controls have either been moved to the security process or removed if already covered there.
* The responsibilities for business, general and application controls are explained.

The list of business goals and IT goals in appendix I was improved as well, based on new insights obtained during validation research executed by the University of Antwerp Management School (UAMS), located in Belgium.

COBIT Control Practices, 2nd Edition

The new material in this publication consists of control practice statements that have been derived from the first edition, released in 2004, but improved and aligned with COBIT 4.1. The control practices are expressed as action-oriented implementation practices with value and risk statements that provide "why do it?" arguments in the form of value to be obtained and risks to be avoided by implementing practices to meet control objectives.

The newly updated publication will replace the current volume. It extends the capabilities of the COBIT framework and will support the IT Assurance Guide and the IT Governance Implementation Guide, 2nd Edition, with an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure.

IT Governance Implementation Guide, 2nd Edition

IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition, provides a detailed road map for establishing effective IT governance in an organisation and offers guidance on how COBIT and Val IT can be used to support these activities. This second edition of the guide reflects updates to align with the release of COBIT 4.1 and Val IT, enhanced understanding of governance project scoping, and general improvements based on feedback from COBIT users.

The guide assists various stakeholders with a detailed road map that can help the enterprise implement its IT governance needs. It identifies the COBIT and Val IT components to be leveraged, from initial needs identification, through the envisioning and planning stages, all the way to the implementation of a solution.

IT Assurance Guide: Using COBIT

The new IT Assurance Guide: Using COBIT provides detailed guidance on how COBIT can be used to support a variety of assurance activities, such as planning, scoping and risk assessment, as well as how an assurance review can be performed for each of the IT processes. It will replace the current COBIT Audit Guidelines.

Compared to the current audit guidelines, which provide guidance only at the IT process level, the IT Assurance Guide contains much more detailed testing guidance, now at the IT process and control objective levels and based on control practices. The assurance steps test the operational effectiveness of the control design, control existence and process outcome. Generic assurance steps cover the existence and design effectiveness of the proposed control design, as well as associated responsibilities.

COBIT Security Baseline and COBIT Quickstart

COBIT Security Baseline and COBIT Quickstart will be updated to align with COBIT 4.1, but they will essentially remain the same guidance.

COBIT Online

COBIT Online content has already been updated for COBIT 4.0, and will be updated to reflect the COBIT 4.1 changes and incorporate the additional content developed.
