Relationship to Other Frameworks and Standards

COBIT 2019 Foundation: Relationship to Other Frameworks and Standards

Understanding the Relationship to Other Frameworks and Standards

Understanding how COBIT 2019 relates to other frameworks and standards is crucial for several reasons:

• Organizations often use multiple frameworks simultaneously (ISO/IEC 27001, ITIL, etc.)
• It helps professionals implement governance holistically across their organization
• It demonstrates how COBIT complements rather than replaces other standards
• It provides clarity on where COBIT fits in the broader ecosystem of governance and management frameworks
• It enables seamless integration of different frameworks without duplication or conflicts
• It's frequently tested in COBIT 2019 Foundation exams

COBIT 2019 is designed as a comprehensive governance and management framework that works alongside other established frameworks rather than independently. The relationship encompasses:

• Complementary Positioning: COBIT provides the governance layer while other frameworks handle specific domains
• Integration Points: Clear mappings showing how COBIT practices align with other frameworks' requirements
• Mutual Support: Using multiple frameworks together creates a more robust, comprehensive control environment
• Standards Alignment: COBIT incorporates elements from ISO/IEC standards, ensuring consistency across frameworks

1. ISO/IEC 27001 and ISO/IEC 27002

• Focus: Information Security Management
• Relationship: COBIT's governance processes align with ISO's security controls
• How They Work Together: ISO provides detailed security controls; COBIT provides governance oversight of these controls
• Key Mapping: COBIT governance processes support ISO security domains

2. ITIL (IT Service Management)

• Focus: Service delivery and operational management
• Relationship: COBIT governance framework encompasses ITIL service management practices
• How They Work Together: ITIL handles day-to-day service operations; COBIT provides strategic governance and oversight
• Key Mapping: COBIT's governance processes incorporate ITIL service management principles

3. ISO/IEC 38500 (IT Governance)

• Focus: Strategic IT governance and board-level oversight
• Relationship: COBIT 2019 is built upon and extends ISO/IEC 38500 principles
• How They Work Together: ISO 38500 provides high-level principles; COBIT provides detailed governance practices
• Key Mapping: COBIT implements the six principles of ISO 38500

4. NIST Cybersecurity Framework

• Focus: Cybersecurity risk management
• Relationship: COBIT's governance aligns with NIST's functions (Identify, Protect, Detect, Respond, Recover)
• How They Work Together: Both provide structured approaches to managing cybersecurity risks
• Key Mapping: COBIT governance processes map to NIST functions

5. ISO/IEC 31000 (Risk Management)

• Focus: Enterprise risk management
• Relationship: COBIT incorporates risk management principles aligned with ISO 31000
• How They Work Together: ISO 31000 provides risk framework; COBIT integrates risk governance
• Key Mapping: COBIT's governance processes embed ISO 31000 risk principles

6. Balanced Scorecard and Strategic Planning Frameworks

• Focus: Strategic performance management
• Relationship: COBIT incorporates balanced scorecard concepts for measuring governance effectiveness
• How They Work Together: COBIT uses balanced scorecard metrics for monitoring and optimization

The Governance Orchestration Model

COBIT acts as an orchestrator that brings together various frameworks:

• Strategic Layer: COBIT governance aligns organizational objectives with IT strategy
• Management Layer: COBIT practices incorporate operational frameworks like ITIL
• Control Layer: COBIT governance oversees specific controls from ISO 27001, NIST, etc.
• Compliance Layer: COBIT ensures alignment with all applicable standards simultaneously

Integration Without Duplication

• COBIT identifies which processes should be governed for each framework requirement
• Organizations select appropriate practices rather than implementing entire frameworks redundantly
• Cross-mapping ensures a single process can address multiple frameworks' requirements
• This approach reduces implementation burden and improves efficiency

• Complementary, Not Competitive: COBIT doesn't replace other frameworks; it coordinates their implementation
• Principle-Based Alignment: Relationships are built on shared principles and objectives
• Flexible Implementation: Organizations choose which frameworks to implement based on their context
• Coherent Governance: Multiple frameworks create a cohesive governance structure
• Risk-Based Selection: Framework choices align with organizational risk profile

Example 1: Information Security Governance

• COBIT Process: APO13 (Manage Security)
• ISO 27001 Controls: Maps to multiple security domains
• NIST Framework: Align with Protect and Detect functions
• Integration: COBIT governance ensures ISO controls are implemented and NIST functions are managed

Example 2: Service Delivery Governance

• COBIT Process: BAI05 (Manage Organizational Change)
• ITIL Concepts: Change management processes
• Integration: COBIT governance oversees ITIL change management practices

Example 3: Risk Management Governance

• COBIT Process: APO12 (Manage Risk)
• ISO 31000: Risk management principles
• Integration: COBIT embeds ISO 31000 framework in governance processes

• Determine which framework or standard the question references (ISO 27001, ITIL, NIST, etc.)
• Recall the primary focus of that framework
• Consider which COBIT domain or process would relate to it

• Governance vs. Operational: COBIT provides governance; other frameworks often provide operational specifics
• Strategic vs. Tactical: COBIT addresses strategic governance; frameworks may focus on tactical implementation
• Principle-Based vs. Control-Based: COBIT's relationship is principle-based, not one-to-one control mapping

• Where in COBIT would this framework's requirements be governed?
• Which COBIT processes address this framework's objectives?
• How does COBIT ensure the framework's requirements are met?

• Explain what each framework brings to the organization
• Clarify that COBIT orchestrates rather than replaces
• Show how their combined implementation is stronger than separate efforts

• COBIT doesn't replace other frameworks
• COBIT integrates and governs other frameworks
• When asked about relationships, think about how COBIT provides governance oversight
• Key phrases to use: "COBIT complements," "COBIT orchestrates," "COBIT governs the implementation of"

• ISO 27001: Information security controls and compliance
• ITIL: IT service delivery and operational management
• ISO 38500: IT governance principles (COBIT is built on this)
• NIST: Cybersecurity risk management framework
• ISO 31000: Enterprise risk management principles

• Questions often test whether you understand governance (COBIT) vs. operational implementation (other frameworks)
• If the question asks about governance, COBIT is primary
• If the question asks about operational controls, COBIT governs while other frameworks implement
• Recognize questions asking about coordination and alignment (COBIT's role)

• Familiarize yourself with how COBIT processes align with key frameworks
• For example: APO13 relates to ISO 27001; BAI processes relate to ITIL concepts
• When answering, reference which COBIT process/domain addresses the framework's concern
• This demonstrates integrated understanding

• COBIT's relationship to other frameworks is based on shared principles, not one-to-one mapping
• When answering, emphasize principles rather than granular control matching
• Explain how COBIT principles support and enable other frameworks
• Show understanding that relationships are holistic, not merely technical

• Wrong Answer Type: "COBIT replaces ITIL," "COBIT makes ISO 27001 unnecessary"
• Correct Approach: COBIT and other frameworks work together for comprehensive governance
• When you see "replaces" or "eliminates," it's likely a wrong answer
• Look for answers indicating complementary relationships

• Real organizations use COBIT alongside other frameworks
• Questions may ask how an organization uses COBIT with other frameworks
• The answer usually involves using COBIT for governance and other frameworks for specific domains
• Think about practical, integrated implementation rather than isolated framework use

• COBIT is broader and strategic (governance focus)
• Other frameworks are often more specific (ISO 27001 = security, ITIL = service management)
• Questions may test whether you understand what each framework covers
• COBIT covers governance of IT, which includes multiple specific domains

Pattern 1: "Which COBIT process governs the implementation of [specific framework]?"

• Answer: Identify the relevant COBIT domain, then the specific process
• Example: "APO13 (Manage Security) provides governance for ISO 27001 implementation"

Pattern 2: "How does COBIT relate to [framework name]?"

• Answer: Explain the complementary relationship and governance role
• Example: "COBIT provides governance oversight; ITIL provides service management practices"

Pattern 3: "An organization uses both COBIT and [another framework]. Which is responsible for [specific activity]?"

• Answer: Consider whether the activity is governance or operational
• If governance-level: COBIT is likely responsible
• If operational: The specific framework is likely responsible, with COBIT providing oversight

Pattern 4: "Which statement best describes COBIT's relationship to ISO 27001?"

• Look for answers indicating complementary roles
• COBIT governs security governance; ISO 27001 provides specific controls
• Together they ensure comprehensive information security

• This is critical: COBIT 2019 is built upon ISO/IEC 38500
• Many exam questions test understanding of this foundational relationship
• COBIT extends and implements the 6 principles of ISO 38500
• When asked about COBIT's basis, reference ISO 38500
• Understand that COBIT is the practical implementation of ISO 38500 principles

• When answering relationship questions, consider all five components: Processes, Organizational Structures, Culture/Ethics/Behavior, Information, and Services/Infrastructure/Applications
• Other frameworks may address only some components
• COBIT's holistic approach to governance encompasses what multiple frameworks address separately

• Questions may present an organizational scenario requiring multiple frameworks
• Approach: Identify which framework addresses which requirement
• Then explain how COBIT coordinates their implementation
• Example: "A company needs security (ISO 27001), service management (ITIL), and governance (COBIT). How do they work together?"
• Answer: COBIT provides overarching governance; ISO 27001 and ITIL address specific operational domains under COBIT oversight

Question 1: "Which statement best describes COBIT's relationship to ITIL?"
Approach: COBIT is governance layer; ITIL is operational layer. COBIT governs ITIL implementation.

Question 2: "An organization implements ISO 27001 controls. Which COBIT process would govern this implementation?"
Approach: APO13 (Manage Security) is the governance process for security, including ISO 27001 controls.

Question 3: "How does COBIT 2019 relate to ISO/IEC 38500?"
Approach: COBIT is built on ISO 38500 principles and provides their practical implementation.

Question 4: "Does implementing COBIT eliminate the need for NIST Cybersecurity Framework?"
Approach: No. COBIT governs governance of cybersecurity; NIST provides the cybersecurity management framework. Both are needed for comprehensive cybersecurity governance and management.

• When unsure, ask: "Is this about governance (COBIT) or operations (other frameworks)?"
• Remember COBIT is the governance orchestrator, not a replacement
• Use the principle of complementarity—frameworks work together, not against each other
• Always emphasize the role of COBIT in governance and oversight
• Connect to real-world scenarios where organizations use multiple frameworks
• Focus on how COBIT provides the governance structure for implementing other frameworks
• Review the specific COBIT processes that relate to each major framework
• Practice distinguishing between strategic/governance (COBIT) and tactical/operational (other frameworks) questions