The IT Governance Institute® is pleased to offer you this complimentary download of COBIT®.

COBIT provides good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs and performance measurement requirements. If you believe as we do, that COBIT enables the development of clear policy and good practices for IT control throughout your organisation, we invite you to support ongoing COBIT research and development.

There are two ways in which you may express your support: (1) Purchase COBIT through the association (ISACA) Bookstore (please see the following pages for order form and association membership application. Association members are able to purchase COBIT at a significant discount); (2) Make a generous donation to the IT Governance Institute, which conducts research and authors COBIT.

The complete COBIT package consists of all six publications, an ASCII text diskette, four COBIT implementation/orientation Microsoft® PowerPoint® presentations and a CD-ROM. A brief overview of each component is provided below. Thank you for your interest in and support of COBIT!

For additional information about the IT Governance Institute, visit www.itgi.org.
Management Guidelines
To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines is composed of maturity models, critical success factors, key goal indicators and key performance indicators. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

Executive Summary
Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary explains COBIT's key concepts and principles.

Framework
A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data) are important for the IT processes to fully support the business objective.

Audit Guidelines
Analyze, assess, interpret, react, implement. To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outlines and suggests actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met.

Control Objectives
The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 high-level control objectives.

Implementation Tool Set
The Implementation Tool Set contains management awareness and IT control diagnostics, implementation guide, frequently asked questions, case studies from organizations currently using COBIT and slide presentations that can be used to introduce COBIT into organizations. The tool set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments and assist management in choosing implementation options.

CD-ROM
The CD-ROM, which contains all of COBIT, is published as a Folio infobase. The material is accessed using Folio Views®, which is a high-performance, information retrieval software tool. Access to COBIT's text and graphics is now easier than ever, with flexible keyword searching and built-in index links (optional purchase).

A network version (multi-user) of COBIT 3rd Edition is available. It is compatible with Microsoft Windows NT/2000 and Novell NetWare environments. Contact the ISACA Bookstore for pricing and availability.

See order form, donation information and membership application on the following pages.

We invite your comments and suggestions regarding COBIT. Please visit www.isaca.org/cobitinput.
ITGI Contribution Form

Contributor: ______________________________________________
Address: _________________________________________________
________________________________________________________
City _________________________ State/Province ________________
Zip/Postal Code ________________ Country ____________________
Remitted by: _____________________________________________
Phone: __________________________________________________
E-mail: __________________________________________________

Contribution amount (US $):
$25 (donor)   $100 (Silver)   $250 (Gold)   $500 (Platinum)   Other US $_______
Check enclosed payable in US dollars to ITGI
Charge my: VISA   MasterCard   American Express   Diners Club
Card number ____________________________ Exp. Date _________
Name of cardholder: _______________________________________
Signature of cardholder: ____________________________________
Complete card billing address if different from the contributor address above:
________________________________________________________
________________________________________________________
________________________________________________________

For information on the institute and contribution benefits see www.itgi.org
U.S. Tax ID number: 95-3080691

Fax your credit card contribution to ITGI at +1.847.253.1443, or mail your contribution to:
ITGI, 135 S. LaSalle Street, Department 1055, Chicago, IL 60674-1055 USA
Direct any questions to Scott Artman at +1.847.253.1545, ext. 459, or finance@isaca.org.
Thank you for supporting COBIT!
Recent ITGI Research Projects

Security Provisioning: Managing Access in Extended Enterprises, ISSP
Member - $20   Nonmember - $30

Risks of Customer Relationship Management: A Security, Control and Audit Approach, ISCR
Member - $75   Nonmember - $85

e-Commerce Security: Public Key Infrastructure: Good Practices for Secure Communications, TRS-2
Member - $35   Nonmember - $50

e-Commerce Security: Securing the Network Perimeter, TRS-3
Member - $35   Nonmember - $50

e-Commerce Security: Business Continuity Planning, IBCP
Member - $35   Nonmember - $50

For additional information on these publications and others offered through the Bookstore, please visit www.isaca.org/bookstore.
MEMBERSHIP APPLICATION
Please complete both sides
U.S. Federal I.D. No. 23-7067291
www.isaca.org   membership@isaca.org

□ MR. □ MS. □ MRS. □ MISS □ OTHER _______________   Date ____________________ (MONTH/DAY/YEAR)
Name ______________________________________________________ (FIRST / MIDDLE / LAST/FAMILY)
______________________________________________________ (PRINT NAME AS YOU WANT IT TO APPEAR ON MEMBERSHIP CERTIFICATE)
Residence address ______________________________________________ (STREET)
______________________________________________________ (CITY / STATE/PROVINCE/COUNTRY / POSTAL CODE/ZIP)
Residence phone ___________________________ (AREA/COUNTRY CODE AND NUMBER)   Residence facsimile ___________________________ (AREA/COUNTRY CODE AND NUMBER)
Company name ______________________________________________
Business address ______________________________________________ (STREET)
______________________________________________________ (CITY / STATE/PROVINCE/COUNTRY / POSTAL CODE/ZIP)
Business phone ___________________________ (AREA/COUNTRY CODE AND NUMBER)   Business facsimile ___________________________ (AREA/COUNTRY CODE AND NUMBER)
E-mail ______________________________________________________

Send mail to: □ Home   □ Business

Form of Membership requested:
□ Chapter Number (see reverse) ________________
□ Member at large (no chapter within 50 miles/80 km)
□ Student (must be verified as full-time)
□ Retired (no longer seeking employment)

□ I do not want to be included on a mailing list, other than that for Association mailings.

How did you hear about ISACA?
1 □ Friend/Coworker   2 □ Employer   3 □ Internet Search   4 □ IS Control Journal   5 □ Other Publication   6 □ Local Chapter   7 □ CISA Program   8 □ Direct Mail   9 □ Educational Event

Current field of employment (check one)
1 □ Financial   2 □ Banking   3 □ Insurance   4 □ Transportation   5 □ Retail & Wholesale   6 □ Government/National   7 □ Government/State/Local   8 □ Consulting   9 □ Education/Student   10 □ Education/Instructor   11 □ Public Accounting   12 □ Manufacturing   13 □ Mining/Construction/Petroleum   14 □ Utilities   15 □ Other Service Industry   16 □ Law   17 □ Health Care   99 □ Other ______________

Level of education achieved (indicate degree achieved, or number of years of university education if degree not obtained)
1 □ One year or less   2 □ Two years   3 □ Three years   4 □ Four years   5 □ Five years   6 □ Six years or more   7 □ AS   8 □ BS/BA   9 □ MS/MBA/Masters   10 □ Ph.D.   99 □ Other

Work experience (check the number of years of Information Systems work experience)
1 □ No experience   2 □ 1-3 years   3 □ 4-7 years   4 □ 8-9 years   5 □ 10-13 years   6 □ 14 years or more

Certifications obtained (other than CISA)
1 □ CISM   2 □ CPA   3 □ CA   4 □ CIA   5 □ CBA   6 □ CCP   7 □ CSP   8 □ FCA   9 □ CFE   10 □ MA   11 □ FCPA   12 □ CFSA   13 □ CISSP   99 □ Other __________

Current professional activity (check one)
1 □ CEO   2 □ CFO   3 □ CIO/IS Director   4 □ Audit Director/General Auditor   5 □ IS Security Director   6 □ IS Audit Manager   7 □ IS Security Manager   8 □ IS Manager   9 □ IS Auditor   10 □ External Audit Partner/Manager   11 □ External Auditor   12 □ Internal Auditor   13 □ IS Security Staff   14 □ IS Consultant   15 □ IS Vendor/Supplier   16 □ IS Educator/Student   99 □ Other ____________________________

Date of Birth ________________________ (MONTH/DAY/YEAR)

Payment due
• Association dues ✝ $ 120.00 (US)
• Chapter dues (see following page) $ _____ (US)
• New member processing fee $ 30.00 (US)*
PLEASE PAY THIS TOTAL $ _____ (US)
✝ For student membership information please visit www.isaca.org/student
* Membership dues consist of association dues, chapter dues and new member processing fee.

Method of payment
□ Check payable in US dollars, drawn on US bank
□ Send invoice (Applications cannot be processed until dues payment is received.)
□ MasterCard   □ VISA   □ American Express   □ Diners Club
All payments by credit card will be processed in US dollars
ACCT # ____________________________________________
Print name of cardholder _______________________________
Expiration date _______________________________________ (MONTH/YEAR)
Signature ___________________________________________
Cardholder billing address if different than address provided above:
___________________________________________________
___________________________________________________

By applying for membership in the Information Systems Audit and Control Association, members agree to hold the association and the IT Governance Institute, their officers, directors, agents, trustees, and employees and members, harmless for all acts or failures to act while carrying out the purpose of the association and the institute as set forth in their respective bylaws, and they certify that they will abide by the association's Code of Professional Ethics (www.isaca.org/ethics).

Initial payment entitles new members to membership beginning the first day of the month following the date payment is received by International Headquarters through the end of that year. No rebate of dues is available upon early resignation of membership.

Contributions, dues or gifts to the Information Systems Audit and Control Association are not tax deductible as charitable contributions in the United States. However, they may be tax deductible as ordinary and necessary business expenses.

Membership dues allocated to a 1-year subscription to the IS Control Journal are as follows: $45 for US members, $60 for non-US members. This amount is not deductible from dues.

Make checks payable to: Information Systems Audit and Control Association
Mail your application and check to:
Information Systems Audit and Control Association
135 S. LaSalle, Dept. 1055
Chicago, IL 60674-1055 USA
Phone: +1.847.253.1545 x470
Fax: +1.847.253.1443
U.S. dollar amounts listed below are for local chapter dues. While correct at the time of printing, chapter dues are subject to change without notice. Please include the appropriate chapter dues amount with your remittance. For current chapter dues, or if the amount is not listed below, please visit the web site www.isaca.org/chapdues or contact your local chapter at www.isaca.org/chapters.

Chapter Name / Chapter Number / Chapter Dues

ASIA
Hong Kong 64 $40
Bangalore, India 138 $15
Cochin, India 176 $10
Coimbatore, India 155 $10
Hyderabad, India 164 $17
Kolkata, India 165 ✳
Madras, India (Chennai) 99 $10
Mumbai, India 145 ✳
New Delhi, India 140 $10
Pune, India 159 $17
Indonesia 123 ✳
Nagoya, Japan 118 $130
Osaka, Japan 103 $10
Tokyo, Japan 89 $120
Korea 107 $30
Lebanon 181 $35
Malaysia 93 $10
Muscat, Oman 168 $40
Karachi, Pakistan 148 $15
Manila, Philippines 136 $0
Jeddah, Saudi Arabia 163 $0
Riyadh, Saudi Arabia 154 $0
Singapore 70 $10
Sri Lanka 141 $15
Taiwan 142 $50
Bangkok, Thailand 109 $10
UAE 150 $10

CENTRAL/SOUTH AMERICA
Buenos Aires, Argentina 124 $35
Mendoza, Argentina 144 ✳
São Paulo, Brazil 166 $25
LaPaz, Bolivia 173 $25
Santiago de Chile 135 $40
Bogotá, Colombia 126 $50
San José, Costa Rica 31 $33
Quito, Ecuador 179 $15
Mérida, Yucatán, México 101 $50
Mexico City, México 14 $65
Monterrey, México 80 $65
Panamá 94 $25
Lima, Perú 146 $15
Puerto Rico 86 $30
Montevideo, Uruguay 133 $100
Venezuela 113 $25

EUROPE/AFRICA
Austria 157 $45
Belux (Belgium and Luxembourg) 143 $48
Croatia 170 $50
Czech Republic 153 $110
Denmark 96 ✳
Estonian 162 $10
Finland 115 $70
Paris, France 75 ✳
German 104 $80
Athens, Greece 134 $20
Budapest, Hungary 125 $60
Irish 156 $40
Tel-Aviv, Israel 40 ✳
Milano, Italy 43 $53
Rome, Italy 178 $26
Kenya 158 $40
Latvia 139 $10
Lithuania 180 $20
Netherlands 97 $50
Lagos, Nigeria 149 $20
Oslo, Norway 74 $50
Warsaw, Poland 151 $30
Moscow, Russia 167 $0
Romania 172 $50
Slovenia 137 $50
Slovensko 160 $40
South Africa 130 $35
Barcelona, Spain 171 $110
Valencia, Spain 182 $25
Sweden 88 $45
Switzerland 116 $35
Tanzania 174 $40
London, UK 60 $80
Central UK 132 $55
Northern England 111 $50
Scottish, UK 175 $45

NORTH AMERICA

Canada
Calgary, AB 121 $0
Edmonton, AB 131 $25
Vancouver, BC 25 $20
Victoria, BC 100 $0
Winnipeg, MB 72 $15
Nova Scotia 105 $0
Ottawa Valley, ON 32 $10
Toronto, ON 21 $25
Montreal, PQ 36 $20
Quebec City, PQ 91 $35

Islands
Bermuda 147 $0
Trinidad & Tobago 106 $25

Midwestern United States
Chicago, IL 02 $50
Illini (Springfield, IL) 77 $30
Central Indiana (Indianapolis) 56 $30
Michiana (South Bend, IN) 127 $25
Iowa (Des Moines) 110 $25
Kentuckiana (Louisville, KY) 37 $30
Detroit, MI 08 $35
Western Michigan (Grand Rapids) 38 $25
Minnesota (Minneapolis) 07 $30
Omaha, NE 23 $30
Central Ohio (Columbus) 27 $25
Greater Cincinnati, OH 03 $20
Northeast Ohio (Cleveland) 26 $30
Kettle Moraine, WI (Milwaukee) 57 $25
Quad Cities 169 $0

Northeastern United States
Greater Hartford, CT (Southern New England) 28 $40
Central Maryland (Baltimore) 24 $25
New England (Boston, MA) 18 $30
New Jersey (Newark) 30 $40
Central New York (Syracuse) 29 $0
Hudson Valley, NY (Albany) 120 $0
New York Metropolitan 10 $50
Western New York (Buffalo) 46 $30
Harrisburg, PA 45 $25
Lehigh Valley (Allentown, PA) 122 $35
Philadelphia, PA 06 $40
Pittsburgh, PA 13 $20
National Capital Area, DC 05 $40

Southeastern United States
North Alabama (Birmingham) 65 $30
Jacksonville, FL 58 $30
Central Florida (Orlando) 67 $30
South Florida (Miami) 33 $40
West Florida (Tampa) 41 $35
Atlanta, GA 39 $35
Charlotte, NC 51 $35
Research Triangle (Raleigh, NC) 59 $25
Piedmont/Triad (Winston-Salem, NC) 128 $30
Greenville, SC 54 $30
Memphis, TN 48 $45
Middle Tennessee (Nashville) 102 $45
Virginia (Richmond) 22 $30

Southwestern United States
Central Arkansas (Little Rock) 82 $60
Central Mississippi (Jackson) 161 $0
Denver, CO 16 $40
Greater Kansas City, KS 87 $0
Baton Rouge, LA 85 $25
Greater New Orleans, LA 61 $20
St. Louis, MO 11 $25
New Mexico (Albuquerque) 83 $25
Central Oklahoma (OK City) 49 $30
Tulsa, OK 34 $25
Austin, TX 20 $25
Greater Houston Area, TX 09 $40
North Texas (Dallas) 12 $30
San Antonio/So. Texas 81 $25

Western United States
Anchorage, AK 177 $20
Phoenix, AZ 53 $30
Los Angeles, CA 01 $25
Orange County, CA (Anaheim) 79 $30
Sacramento, CA 76 $20
San Francisco, CA 15 $45
San Diego, CA 19 $25
Silicon Valley, CA (Sunnyvale) 62 $25
Hawaii (Honolulu) 71 $30
Boise, ID 42 $30
Willamette Valley, OR (Portland) 50 $30
Utah (Salt Lake City) 04 $30
Mt. Rainier, WA (Olympia) 129 $20
Puget Sound, WA (Seattle) 35 $25

OCEANIA
Adelaide, Australia 68 $0
Brisbane, Australia 44 $16
Canberra, Australia 92 $15
Melbourne, Australia 47 $25
Perth, Australia 63 $5
Sydney, Australia 17 $30
Auckland, New Zealand 84 $30
Wellington, New Zealand 73 $22
Papua New Guinea 152 $0

✳ Call chapter for information

To receive your copy of the Information Systems Control Journal, please complete the following subscriber information:

Size of organization (at your primary place of business)
➀ □ Fewer than 50 employees   ➁ □ 50-100 employees   ➂ □ 101-500 employees   ➃ □ More than 500 employees

Size of your professional audit staff (local office)
➀ □ 1 individual   ➁ □ 2-5 individuals   ➂ □ 6-10 individuals   ➃ □ 11-25 individuals   ➄ □ More than 25 individuals

Your level of purchasing authority
➀ □ Recommend products/services   ➁ □ Approve purchase   ➂ □ Recommend and approve purchase

Education courses attended annually (check one)
➀ □ None   ➁ □ 1   ➂ □ 2-3   ➃ □ 4-5   ➄ □ More than 5

Conferences attended annually (check one)
➀ □ None   ➁ □ 1   ➂ □ 2-3   ➃ □ 4-5   ➄ □ More than 5

Primary reason for joining the association (check one)
➀ □ Discounts on association products and services   ➁ □ Subscription to IS Control Journal   ➂ □ Professional advancement/certification   ➃ □ Access to research, publications, and education   99 □ Other ___________________
Certification

One of the most important assets of an enterprise is its information. The integrity and reliability of that information and the systems that generate it are crucial to an enterprise's success. Faced with complex and correspondingly ingenious cyberthreats, organizations are looking for individuals who have the proven experience and knowledge to identify, evaluate and recommend solutions to mitigate IT system vulnerabilities. ISACA offers two certifications to meet these needs.

Certified Information Systems Auditor (CISA)
The CISA program is designed to assess and certify individuals in the IS audit, control and security profession who demonstrate exceptional skill and judgment.

The CISA examination content areas include:
• The IS audit process
• Management, planning and organization of IS
• Technical infrastructure and operational practices
• Protection of information assets
• Disaster recovery and business continuity
• Business application system development, acquisition, implementation and maintenance
• Business process evaluation and risk management

To earn the CISA designation, candidates are required to:
• Successfully complete the CISA examination
• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics
• Submit verified evidence of a minimum number of years of professional information systems auditing, control or security work experience
• Comply with the CISA continuing education program (after becoming certified)

Certified Information Security Manager (CISM)
CISM is a newly created credential for security managers that provides executive management with the assurance that those certified have the expertise to provide effective security management and consulting. It is business-oriented and focused on information risk management while addressing management, design and technical security issues at a conceptual level.

The CISM credential measures expertise in the areas of:
• Information security governance
• Risk management
• Information security program(me) development
• Information security management
• Response management

To earn the CISM designation, information security professionals are required to:
• Successfully complete the CISM examination
• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics
• Submit verified evidence of a minimum number of years of information security experience, with a number of those years in the job analysis domains
• Comply with the CISM continuing education program (after becoming certified)

A grandfathering opportunity, available through 31 December 2003, allows information security professionals with the necessary experience to apply for certification without taking the CISM exam.

Being a CISA or a CISM is more than passing an examination. It demonstrates the commitment, dedication and proficiency required to excel in your profession. These certifications identify their holders as consummate professionals who maintain a competitive advantage among their peers. Earning these designations helps assure a positive reputation and distinguishes you among other candidates seeking positions in both the private and public sectors. As a member of ISACA, you have the opportunity to sit for the exams, purchase review materials and attend ISACA conferences to maintain your certifications at a substantially reduced cost.

For more information on becoming a CISA or a CISM, visit the ISACA web site at www.isaca.org/certification.
COBIT® 3rd Edition
Control Objectives
July 2000
Released by the COBIT Steering Committee and the IT Governance Institute™

The COBIT Mission:
To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.
INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION
A Single International Source for Information Technology Controls

The Information Systems Audit and Control Association is a leading global professional organisation representing individuals in more than 100 countries and comprising all levels of IT — executive, management, middle management and practitioner. The Association is uniquely positioned to fulfil the role of a central, harmonising source of IT control practice standards for the world over. Its strategic alliances with other groups in the financial, accounting, auditing and IT professions are ensuring an unparalleled level of integration and commitment by business process owners.

Association Programmes and Services
The Association's services and programmes have earned distinction by establishing the highest levels of excellence in certification, standards, professional education and technical publishing.
• Its certification programme (the Certified Information Systems Auditor™) is the only global designation throughout the IT audit and control community.
• Its standards activities establish the quality baseline by which other IT audit and control activities are measured.
• Its professional education programme offers technical and management conferences on five continents, as well as seminars worldwide to help professionals everywhere receive high-quality continuing education.
• Its technical publishing area provides references and professional development materials to augment its distinguished selection of programmes and services.

The Information Systems Audit and Control Association was formed in 1969 to meet the unique, diverse and high technology needs of the burgeoning IT field. In an industry in which progress is measured in nano-seconds, ISACA has moved with agility and speed to bridge the needs of the international business community and the IT controls profession.

For More Information
To receive additional information, you may telephone (+1.847.253.1545), send an e-mail (research@isaca.org) or visit these web sites:
www.ITgovernance.org
www.isaca.org

AMERICAN SAMOA, ARGENTINA, ARMENIA, AUSTRALIA, AUSTRIA, BAHAMAS, BAHRAIN, BANGLADESH, BARBADOS, BELGIUM, BERMUDA, BOLIVIA, BOTSWANA, BRAZIL, BRITISH VIRGIN ISLANDS, CANADA, CAYMAN ISLANDS, CHILE, CHINA, COLOMBIA, COSTA RICA, CROATIA, CURACAO, CYPRUS, CZECH REPUBLIC, DENMARK, DOMINICAN REPUBLIC, ECUADOR, EGYPT, EL SALVADOR, ESTONIA, FAEROE ISLANDS, FIJI, FINLAND, FRANCE, GERMANY, GHANA, GREECE, GUAM, GUATEMALA, HONDURAS, HONG KONG, HUNGARY, ICELAND, INDIA, INDONESIA, IRAN, IRELAND, ISRAEL, ITALY, IVORY COAST, JAMAICA, JAPAN, JORDAN, KAZAKHSTAN, KENYA, KOREA, KUWAIT, LATVIA, LEBANON, LIECHTENSTEIN, LITHUANIA, LUXEMBURG, MALAYSIA, MALTA, MALAWI, MAURITIUS, MEXICO, NAMIBIA, NEPAL, NETHERLANDS, NEW GUINEA, NEW ZEALAND, NICARAGUA, NIGERIA, NORWAY, OMAN, PAKISTAN, PANAMA, PARAGUAY, PERU, PHILIPPINES, POLAND, PORTUGAL, QATAR, RUSSIA, SAUDI ARABIA, SCOTLAND, SEYCHELLES, SINGAPORE, SLOVAK REPUBLIC, SLOVENIA, SOUTH AFRICA, SPAIN, SRI LANKA, ST. KITTS, ST. LUCIA, SWEDEN, SWITZERLAND, TAIWAN, TANZANIA, TASMANIA, THAILAND, TRINIDAD & TOBAGO, TUNISIA, TURKEY, UGANDA, UNITED ARAB EMIRATES, UNITED KINGDOM, UNITED STATES, URUGUAY, VENEZUELA, VIETNAM, WALES, YUGOSLAVIA, ZAMBIA, ZIMBABWE
ACKNOWLEDGMENTS
COBIT STEERING COMMITTEE
Erik Guldentops, S.W.I.F.T. sc, Belgium
John Lainhart, PricewaterhouseCoopers, USA
Eddy Schuermans, PricewaterhouseCoopers, Belgium
John Beveridge, State Auditor’s Office, Massachusetts, USA
Michael Donahue, PricewaterhouseCoopers, USA
Gary Hardy, Arthur Andersen, United Kingdom
Ronald Saull, Great-West Life Assurance, London Life and Investors Group, Canada
Mark Stanley, Sun America Inc., USA
SPECIAL THANKS to the ISACA Boston and National Capital Area Chapters for
their contributions to the COBIT Control Objectives.
SPECIAL THANKS to the members of the Board of the Information Systems Audit
and Control Association and Trustees of the Information Systems Audit and
Control Foundation, headed by International President Paul Williams, for their
continuing and unwavering support of COBIT.
CONTROL OBJECTIVES
EXECUTIVE OVERVIEW

Critically important to the survival and success of an organisation is effective management of information and related Information Technology (IT). In this global information society—where information travels through cyberspace without the constraints of time, distance and speed—this criticality arises from the:
• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Scale and cost of the current and future investments in information and information systems
• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

For many organisations, information and the technology that supports it represent the organisation's most valuable assets. Moreover, in today's very competitive and rapidly changing business environment, management has heightened expectations regarding IT delivery functions: management requires increased quality, functionality and ease of use; decreased delivery time; and continuously improving service levels—while demanding that this be accomplished at lower costs.

Many organisations recognise the potential benefits that technology can yield. Successful organisations, however, understand and manage the risks associated with implementing new technologies.

There are numerous changes in IT and its operating environment that emphasise the need to better manage IT-related risks. Dependence on electronic information and IT systems is essential to support critical business processes. In addition, the regulatory environment is mandating stricter control over information. This, in turn, is driven by increasing disclosures of information system disasters and increasing electronic fraud. The management of IT-related risks is now being understood as a key part of enterprise governance.

Within enterprise governance, IT governance is becoming more and more prominent, and is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. Furthermore, IT governance integrates and institutionalises good (or best) practices of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise's information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

IT GOVERNANCE
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

Organisations must satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management must also optimise the use of available resources, including data, application systems, technology, facilities and people. To discharge these responsibilities, as well as to achieve its objectives, management must understand the status of its own IT systems and decide what security and control they should provide.

Control Objectives for Information and related Technology (COBIT), now in its 3rd edition, helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's "good practices" means consensus of the experts—they will help optimise information investments and will provide a measure to be judged against when things do go wrong.

Management must ensure that an internal control system or framework is in place which supports the business processes, makes it clear how each individual control activity satisfies the information requirements and impacts the IT resources. Impact on IT resources is highlighted in the COBIT Framework together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information that need to be satisfied. Control, which includes policies, organisational structures, practices and procedures, is management's responsibility. Management, through its enterprise governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance or operation of information systems. An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity.
IT GOVERNANCE INSTITUTE 5
Business orientation is the main theme of COBIT. It is designed to be employed not only by users and auditors, but also, and more importantly, as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls.

The COBIT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise:

In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

IT governance guidance is also provided in the COBIT Framework. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

In addition, corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against COBIT’s 318 recommended detailed control objectives to provide management assurance and/or advice for improvement.

The Management Guidelines, COBIT’s most recent development, further enhances and enables enterprise management to deal more effectively with the needs and requirements of IT governance. The guidelines are action oriented and generic and provide management direction for getting the enterprise’s information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement.

Specifically, COBIT provides Maturity Models for control over IT processes, so that management can map where the organisation is today, where it stands in relation to the best-in-class in its industry and to international standards and where the organisation wants to be; Critical Success Factors, which define the most important management-oriented implementation guidelines to achieve control over and within its IT processes; Key Goal Indicators, which define measures that tell management—after the fact—whether an IT process has achieved its business requirements; and Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached.

COBIT’s Management Guidelines are generic and action oriented for the purpose of answering the following types of management questions: How far should we go, and is the cost justified by the benefit? What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?

COBIT also contains an Implementation Tool Set that provides lessons learned from those organisations that quickly and successfully applied COBIT in their work environments. It has two particularly useful tools—Management Awareness Diagnostic and IT Control Diagnostic—to assist in analysing an organisation’s IT control environment.

Over the next few years, the management of organisations will need to demonstrably attain increased levels of security and control. COBIT is a tool that allows managers to bridge the gap with respect to control requirements, technical issues and business risks and communicate that level of control to stakeholders. COBIT enables the development of clear policy and good practice for IT control throughout organisations, worldwide. Thus, COBIT is designed to be the breakthrough IT governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.
CONTROL OBJECTIVES

COBIT IT PROCESSES DEFINED WITHIN THE FOUR DOMAINS

(Figure: BUSINESS OBJECTIVES drive IT GOVERNANCE; the four domains form a cycle around INFORMATION and IT RESOURCES.)

INFORMATION criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

IT RESOURCES: people, application systems, technology, facilities, data

PLANNING & ORGANISATION
PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technological direction
PO4 define the IT organisation and relationships
PO5 manage the IT investment
PO6 communicate management aims and direction
PO7 manage human resources
PO8 ensure compliance with external requirements
PO9 assess risks
PO10 manage projects
PO11 manage quality

ACQUISITION & IMPLEMENTATION
AI1 identify automated solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology infrastructure
AI4 develop and maintain procedures
AI5 install and accredit systems
AI6 manage changes

DELIVERY & SUPPORT
DS1 define and manage service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and allocate costs
DS7 educate and train users
DS8 assist and advise customers
DS9 manage the configuration
DS10 manage problems and incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations

MONITORING
M1 monitor the processes
M2 assess internal control adequacy
M3 obtain independent assurance
M4 provide for independent audit
THE COBIT FRAMEWORK

THE NEED FOR CONTROL IN INFORMATION TECHNOLOGY

In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT. Successful organisations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls.

MANAGEMENT has to decide what to reasonably invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help manage risks, they do not eliminate them. In addition, the exact level of risk can never be known since there is always some degree of uncertainty. Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision. Therefore, management clearly needs a framework of generally accepted IT security and control practices to benchmark the existing and planned IT environment.

There is an increasing need for USERS of IT services to be assured, through accreditation and audit of IT services provided by internal or third parties, that adequate security and control exists. At present, however, the implementation of good IT controls in information systems, be they commercial, non-profit or governmental, is hampered by confusion. The confusion arises from the different evaluation methods such as ITSEC, TCSEC, ISO 9000 evaluations, emerging COSO internal control evaluations, etc. As a result, users need a general foundation to be established as a first step.

Frequently, AUDITORS have taken the lead in such international standardisation efforts because they are continuously confronted with the need to substantiate their opinion on internal control to management. Without a framework, this is an exceedingly difficult task. Furthermore, auditors are increasingly being called on by management to proactively consult and advise on IT security and control-related matters.

THE BUSINESS ENVIRONMENT: COMPETITION, CHANGE AND COST

Global competition is here. Organisations are restructuring to streamline operations and simultaneously take advantage of the advances in IT to improve their competitive position. Business re-engineering, right-sizing, outsourcing, empowerment, flattened organisations and distributed processing are all changes that impact the way that business and governmental organisations operate. These changes are having, and will continue to have, profound implications for the management and operational control structures within organisations worldwide.

Emphasis on attaining competitive advantage and cost-efficiency implies an ever-increasing reliance on technology as a major component in the strategy of most organisations. Automating organisational functions is, by its very nature, dictating the incorporation of more powerful control mechanisms into computers and networks, both hardware-based and software-based. Furthermore, the fundamental structural characteristics of these controls are evolving at the same rate and in the same “leap frog” manner as the underlying computing and networking technologies are evolving.

Within the framework of accelerated change, if managers, information systems specialists and auditors are indeed going to be able to effectively fulfil their roles, their skills must evolve as rapidly as the technology and the environment. One must understand the technology of controls involved and its changing nature if one is to exercise reasonable and prudent judgments in evaluating control practices found in typical business or governmental organisations.

EMERGENCE OF ENTERPRISE AND IT GOVERNANCE

To achieve success in this information economy, enterprise governance and IT governance can no longer be considered separate and distinct disciplines. Effective enterprise governance focuses individual and group expertise and experience where it can be most productive, monitors and measures performance and provides assurance to critical issues. IT, long considered solely an
enabler of an enterprise’s strategy, must now be regarded as an integral part of that strategy.

IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives. IT governance integrates and institutionalises optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

Looking at the interplay of enterprise and IT governance processes in more detail, enterprise governance, the system by which entities are directed and controlled, drives and sets IT governance. At the same time, IT should provide critical input to, and constitute an important component of, strategic plans. IT may in fact influence strategic opportunities outlined by the enterprise.

(Figure: Enterprise Governance "drives and sets" Information Technology Governance.)

Enterprise activities require information from IT activities in order to meet business objectives. Successful organisations ensure interdependence between their strategic planning and their IT activities. IT must be aligned with and enable the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining a competitive advantage.

(Figure: Enterprise Activities "require information from" Information Technology Activities.)

Enterprises are governed by generally accepted good (or best) practices, to ensure that the enterprise is achieving its goals, the assurance of which is guaranteed by certain controls. From these objectives flows the organisation’s direction, which dictates certain enterprise activities, using the enterprise’s resources. The results of the enterprise activities are measured and reported on, providing input to the constant revision and maintenance of the controls, beginning the cycle again.

(Figure: the enterprise governance cycle. Enterprise Governance DIRECTs the Objectives; Enterprise Activities proceed USING Resources; outcomes are REPORTed; CONTROL closes the loop back to governance.)
IT also is governed by good (or best) practices, to ensure that the enterprise’s information and related technology support its business objectives, its resources are used responsibly and its risks are managed appropriately. These practices form a basis for direction of IT activities, which can be characterised as planning and organising, acquiring and implementing, delivering and supporting, and monitoring, for the dual purposes of managing risks (to gain security, reliability and compliance) and realising benefits (increasing effectiveness and efficiency). Reports are issued on the outcomes of IT activities, which are measured against the various practices and controls, and the cycle begins again.

(Figure: the IT governance cycle.)
IT Governance DIRECTs the Objectives:
• IT is aligned with the business, enables the business and maximises benefits
• IT resources are used responsibly
• IT related risks are managed appropriately
IT Activities: PLAN (Planning and Organisation), DO (Acquisition and Implementation), CHECK (Delivery and Support), CORRECT (Monitoring)
CONTROL: Manage risks (security, reliability, compliance); Realise Benefits (increase automation to be effective, decrease costs to be efficient)
REPORT back to IT Governance
In order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. To accomplish this, management needs to identify the most important activities to be performed, measure progress towards achieving goals and determine how well the IT processes are performing. In addition, it needs the ability to evaluate the organisation’s maturity level against industry best practices and international standards. To support these management needs, the COBIT Management Guidelines have identified specific Critical Success Factors, Key Goal Indicators, Key Performance Indicators and an associated Maturity Model for IT governance, as presented in Appendix I.
RESPONSE TO THE NEED

In view of these ongoing changes, the development of this framework for control objectives for IT, along with continued applied research in IT controls based on this framework, are cornerstones for effective progress in the field of information and related technology controls.

On the one hand, we have witnessed the development and publication of overall business control models like COSO (Committee of Sponsoring Organisations of the Treadway Commission, Internal Control—Integrated Framework, 1992) in the US, Cadbury in the UK, CoCo in Canada and King in South Africa. On the other hand, an important number of more focused control models are in existence at the level of IT. Good examples of the latter category are the Security Code of Conduct from DTI (Department of Trade and Industry, UK), Information Technology Control Guidelines from CICA (Canadian Institute of Chartered Accountants, Canada), and the Security Handbook from NIST (National Institute of Standards and Technology, US). However, these focused control models do not provide a comprehensive and usable control model over IT in support of business processes. The purpose of COBIT is to bridge this gap by providing a foundation that is closely linked to business objectives while focusing on IT.

(Most closely related to COBIT is the recently published AICPA/CICA SysTrust™ Principles and Criteria for Systems Reliability. SysTrust is an authoritative issuance of both the Assurance Services Executive Committee in the United States and the Assurance Services Development Board in Canada, based in part on the COBIT Control Objectives. SysTrust is designed to increase the comfort of management, customers and business partners with the systems that support a business or a particular activity. The SysTrust service entails the public accountant providing an assurance service in which he or she evaluates and tests whether a system is reliable when measured against four essential principles: availability, security, integrity and maintainability.)

A focus on the business requirements for controls in IT and the application of emerging control models and related international standards evolved the original Information Systems Audit and Control Foundation’s Control Objectives from an auditor’s tool to COBIT, a management tool. Further, the development of IT Management Guidelines has taken COBIT to the next level, providing management with Key Goal Indicators (KGIs), Key Performance Indicators (KPIs), Critical Success Factors (CSFs) and Maturity Models so that it can assess its IT environment and make choices for control implementation and control improvements over the organisation’s information and related technology.

Hence, the main objective of the COBIT project is the development of clear policies and good practices for security and control in IT for worldwide endorsement by commercial, governmental and professional organisations. It is the goal of the project to develop these control objectives primarily from the business objectives and needs perspective. (This is compliant with the COSO perspective, which is first and foremost a management framework for internal controls.) Subsequently, control objectives have been developed from the audit objectives (certification of financial information, certification of internal control measures, efficiency and effectiveness, etc.) perspective.

AUDIENCE: MANAGEMENT, USERS AND AUDITORS

COBIT is designed to be used by three distinct audiences.

MANAGEMENT: to help them balance risk and control investment in an often unpredictable IT environment.

USERS: to obtain assurance on the security and controls of IT services provided by internal or third parties.

AUDITORS: to substantiate their opinions and/or provide advice to management on internal controls.
BUSINESS OBJECTIVES ORIENTATION

COBIT is aimed at addressing business objectives. The control objectives make a clear and distinct link to business objectives in order to support significant use outside the audit community. Control objectives are defined in a process-oriented manner following the principle of business re-engineering. At identified domains and processes, a high-level control objective is identified and rationale provided to document the link to the business objectives. In addition, considerations and guidelines are provided to define and implement the IT control objective.

The classification of domains where high-level control objectives apply (domains and processes), an indication of the business requirements for information in that domain, as well as the IT resources primarily impacted by the control objectives, together form the COBIT Framework. The Framework is based on the research activities that have identified 34 high-level control objectives and 318 detailed control objectives. The Framework was exposed to the IT industry and the audit profession to allow an opportunity for review, challenge and comment. The insights gained have been appropriately incorporated.

GENERAL DEFINITIONS

For the purpose of this project, the following definitions are provided. “Control” is adapted from the COSO Report (Internal Control—Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 1992) and “IT Control Objective” is adapted from the SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994).

Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

IT Governance is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.