The Business of IT Blog

COBIT 2019 vs COBIT 5: What’s The Difference?

Muhammad Raza

COBIT is an IT management framework designed to help organizations yield significant value from their IT initiatives while managing the underlying risks. Unlike most IT frameworks, COBIT offers a specific perspective—how to better secure and govern your assets to reduce risk.

In the years since 2012, when COBIT 5 debuted, the enterprise IT landscape has changed dramatically. A greater emphasis on security, risk management, and governance is mandatory in today’s multi-cloud environments that scale rapidly in response to market changes. Released last year, COBIT 2019 aims to reshape this changed landscape. Let’s take a look at the differences between COBIT 5 and the new COBIT 2019.

COBIT 5: The basics

Released in 2012, the COBIT 5 framework offered guidelines for improving enterprise governance and management as more organizations migrated mission-critical workloads to the cloud. COBIT 5 provided a narrow and unique set of guidelines applicable to organizations across all industries and remained a standard for many years.

What’s new in COBIT 2019?

According to ISACA, the governing body of COBIT, the 2019 version of the framework offers the following updates:

  • Focus areas and design factors enable organizations to establish risk management and governance protocols based on their unique requirements.
  • COBIT 2019 aligns with global risk management and security standards, frameworks, and protocols.
  • Periodic updates ensure that the framework guidelines work effectively with next-generation technologies rapidly adopted at scale across all industry verticals.
  • Guidelines follow a more prescriptive approach, especially by supporting more tooling and technology available for governance and risk management.
  • An enriched open-source model ensures that feedback from the global governance community is incorporated into future framework updates. The community suggestions will be evaluated by an expert Steering Committee to ensure high-quality and consistent update releases.
  • Strong focus on new technologies and SDLC methodologies, including DevOps and Agile concepts and operational practices in IT-enabled organizations such as off-premise operations, outsourcing, connectivity, and cloud-based systems.

Major changes in COBIT 2019

The following sections outline the biggest changes in the latest COBIT framework:

The COBIT Core Model

Updated coverage areas now include new processes applicable to projects, business information, and global regulatory or compliance frameworks. While the Governance Objectives and Management Objectives follow the same classifications as before, new processes have been introduced (or updated from COBIT 5). Specifically, the Manage Programs and Project component is split into Managed Programs and Managed Projects. Additionally, Monitor, Evaluate and Assess the System of Internal Control is now Managed System of Internal Control and Managed Assurance. This brings the total number of COBIT processes from 37 to 40.

Focus Areas

With this concept of Focus Areas, COBIT aims to keep pace with the changing tech-business risk landscape. Certain governance topics now constitute the Focus Areas, which can be updated and modified based on end-user feedback, market trends, and research.

There’s no limitation as to how many Focus Areas can be incorporated into the COBIT framework. With this flexibility, organizations following the COBIT framework can manage risk provisions as they pursue disruptive digital transformation projects.

Design Factors

Every business organization faces a unique set of governance challenges. In COBIT 2019, the Design Factor concept aims to address this issue by allowing organizations of all verticals and sizes to establish their own custom governance mechanism. The new Design Factors can be categorized as:

  • Contextual: Beyond the control of the organizations, especially with use cases associated with cloud computing, connectivity, and outsourcing IT services.
  • Strategic: Focus on internal decision choices of the organization. These may include long-term objectives for business growth enabled by adopting new technology trends or migrating from traditional IT service delivery and management approaches.
  • Tactical: The implementation choices adopted by the organization as per its strategic objectives. These may include the technologies adopted and processes followed under various ITSM and SDLC frameworks.

COBIT Performance Management and Capability Assessment

This model is designed and updated to evaluate various risk management and governance mechanisms, objectives, and strategies. COBIT Performance Management (CPM) was originally introduced to evaluate how the various components of the governance and risk management systems work collectively and align with the expected target levels of the organization. As a result, organizations can identify the changes necessary to enhance their governance capability maturity levels. ISACA recommends the following high-level activities to achieve this goal:

  1. Involve stakeholders in the CPM awareness and training sessions.
  2. Design a tailored governance system as per COBIT 2019 Governance and Management Objectives (figure not reproduced; source: ISACA).
  3. Bring onboard the respective process owners and conduct briefing sessions on all agreed processes. Obtaining stakeholder support early during strategy building and systems implementation prevents the blame-game that may affect business progress and organizational culture in the future.
  4. Follow a systematic approach to obtain evidence on the governance mechanisms and practices followed within the COBIT 2019 framework. The choices should be validated with evidence, aligned with the agreed purpose, and understood in enough detail.
  5. Identify and report on strengths and opportunities achieved with various activities. The current capability level should be evaluated and understood extensively, as future changes to the governance and risk management systems are proposed and adopted.

Things removed, changed, and updated in COBIT 2019

The COBIT 2019 framework offers an elaborated conceptual model that uses both concepts and relationships within the framework as a Unified Modeling Language (UML) model. This allows organizations to maintain a governance framework design and use automation capabilities as available.

COBIT 2019 includes additional changes, updates, and removals. For instance:

  • The generic enabler model, Enabler Guidance and Process Goals, have been removed in the new, simplified framework.
  • The CPM and Process Capability Assessment now follow a CMMI-inspired capability model.
  • Enablers have been renamed to Components of the Governance Systems.

Learning COBIT

Users may follow COBIT certification programs to obtain extensive knowledge, including COBIT Bridge, COBIT 2019 Foundation, or the COBIT 2019 Design and Implementation certification program. Finally, the COBIT 2019 Design Guide has been published to discuss the updates and new framework guidelines in detail.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

About the author

Muhammad Raza

Muhammad Raza is a Stockholm-based technology consultant working with leading startups and Fortune 500 firms on thought leadership branding projects across DevOps, Cloud, Security and IoT.