COBIT5 for Information Security

COBIT5 for Information Security

Information security is a business enabler that is strictly bound to stakeholder trust, either by addressing business risk or by creating value for an enterprise, such as competitive advantage. At a time when the significance of information and related technologies is increasing in every aspect of business and public life, the need to mitigate information risk, which includes protecting information and related IT assets from ever-changing threats, is constantly intensifying. Increasing regulation within the business landscape adds to the awareness of the board of directors of the criticality of information security for information and IT-related assets.
ISACA defines information security as something that:

Ensures that within the enterprise, information is protected against disclosure to unauthorised users
(confidentiality), improper modification (integrity) and non-access when required (availability).

COBIT 5 for Information Security, builds on the COBIT 5 framework in that it focuses on information security and provides more detailed and more practical guidance for information security professionals and other interested parties at all levels of the enterprise. In COBIT 5, the processes APO13 Manage security, DSS04 Manage continuity and DSS05 Manage security services provide basic guidance on how to define, operate and monitor a system for general security management. However, it is imperative to understand that information security is pervasive throughout the entire enterprise, with information security aspects in every activity and process performed. COBIT5 for Information Security utililses the same COBIT5 principles, that need to be applied specifically for organisatonal information security needs.

Principle 1. Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders—including stakeholders for information security—by maintaining a balance between the realisation of benefits and the optimisation of risk and use of resources. Optimisation of risk is considered most relevant for information security.

Since every enterprise has different objectives, an enterprise should use the goals cascade to customise COBIT 5 to suit its own context. In the goals cascade, stakeholder needs, which are influenced by a number of drivers, are translated and specified into operational enterprise goals to be satisfied. These enterprise goals in turn require IT-related goals to be achieved, and finally translate into goals for the different enablers. Information security is one major stakeholder need, and this translates into information security-related goals for the enterprise, for IT and ultimately for the supporting enablers.

In COBIT 5 for Information Security, information security-specific goals for processes are defined in support of the information security-related stakeholder needs. Likewise, specific information security-related goals are defined for the other enablers.

Principle 2. Covering the Enterprise End-to-end
COBIT 5 integrates governance of enterprise IT into enterprise governance by:

  • Covering all functions and processes within the enterprise. COBIT 5 does not focus on only the ‘IT function’, but instead treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  • Considering all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that is relevant to governance and management of enterprise information and related IT. Applying this principle to information security, COBIT 5 for Information Security covers all stakeholders, functions and processes within the enterprise that are relevant for information security.

Principle 3. Applying a Single, Integrated Framework
There are many IT-related standards and good practices, each providing guidance on a subset of IT-related activities. COBIT 5 is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used. As a single, integrated framework, it serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language. COBIT 5 aligns with other relevant standards and frameworks, and thus allows the enterprise to use it as the overarching governance and management framework for enterprise IT.

More specifically, COBIT 5 for Information Security brings together knowledge previously dispersed over different ISACA frameworks and models (COBIT, BMIS, Risk IT, Val IT) with guidance from other major information security-related standards such as the ISO/IEC 27000 series, the ISF Standard of Good Practice for Information Security and U.S. National Institute of Standards and Technology (NIST).

Principle 4. Enabling a Holistic Approach
Efficient and effective governance and management of enterprise IT and information require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and information. Enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT and, related to that, information security governance. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.

Principle 5. Separating Governance From Management
The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson, while in most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).

In practice, the different roles of information security governance and management are made visible by the COBIT 5 process reference model, which includes governance processes and management processes, each set with its own responsibilities.


Information security is essential in the day-to-day operations of enterprises. Breaches in information security can lead to a substantial impact within the enterprise through, for example, financial or operational damages. In addition, the enterprise can be exposed to external impacts such as reputational or legal risk, which can jeopardise customer or employee relations or even endanger the survival of the enterprise. Using COBIT 5 for Information Security brings a number of information security-related capabilities to the enterprise, which can result in a number of enterprise benefits such as: increased user satisfaction, informed risk decision, reduced impact of security incidents, better understanding of information security, to name a few.