COBIT 2019
enterprise IT governance and management for cybersecurity
COBIT 2019 is the ISACA enterprise framework for the governance and management of information and technology. The 2018 to 2019 update replaced COBIT 5 with a modular, tailored model built around 40 governance and management objectives, eleven design factors, and a performance management scheme based on capability and maturity levels. This page covers the five domains (EDM, APO, BAI, DSS, MEA), the 40 objectives with the security-specific objectives called out, the design factor analysis used to tailor the governance system, the performance management scheme, the audit evidence the framework produces, and how COBIT 2019 sits alongside NIST CSF 2.0, ISO 27001, COSO ERM, ITIL 4, and SOC 2 in an enterprise governance stack.
COBIT 2019 explained for cybersecurity programmes
COBIT 2019 is the ISACA enterprise framework for the governance and management of information and technology. Published as an updated edition between 2018 and 2019, COBIT 2019 replaced COBIT 5 with a modular, tailored model built around 40 governance and management objectives across five domains, eleven design factors used to tailor the governance system to the enterprise, and a performance management scheme that separates per-objective process capability from cross-objective focus area maturity. The framework is intentionally cross-functional: it covers the entire IT governance and management estate rather than only information security, and it expects the cyber programme to read against the same objective, practice, and capability vocabulary the wider IT programme operates against.
For CISOs, GRC owners, internal auditors, and IT governance leaders, COBIT 2019 is the framework that gives the cyber programme a defensible home inside the broader IT governance story. Programmes already operating against NIST CSF 2.0, ISO 27001, COSO ERM, or SOC 2 do not need to migrate; COBIT 2019 sits as the governance and management spine the other frameworks read against from the same underlying operating record.
The five domains of COBIT 2019
COBIT 2019 organises the 40 objectives across five domains. The Evaluate, Direct, and Monitor (EDM) domain carries the governance layer; the Align, Plan, and Organise (APO), Build, Acquire, and Implement (BAI), Deliver, Service, and Support (DSS), and Monitor, Evaluate, and Assess (MEA) domains carry the management layers. The governance-management split is what makes COBIT a governance framework rather than a process catalogue, and the cyber programme reads across multiple domains rather than against one isolated objective.
EDM: Evaluate, Direct, and Monitor (5 governance objectives)
The governance layer the board and the C-suite read against. EDM01 to EDM05 cover the governance framework setting, benefits delivery, risk optimisation, resource optimisation, and stakeholder engagement. EDM is what makes COBIT a governance framework rather than a process catalogue: it expects the board, the audit committee, and the executive team to evaluate, direct, and monitor the IT governance system rather than to delegate the work entirely and read a summary.
APO: Align, Plan, and Organise (14 management objectives)
The strategic management layer. APO01 to APO14 cover the management framework, strategy, enterprise architecture, innovation, portfolio, budget, human resources, relationships, service agreements, vendors, quality, risk, security, and data. APO13 (Managed Security) is the cybersecurity-specific management objective; APO12 (Managed Risk) is the enterprise risk management objective the cyber risk programme feeds. The APO objectives align the IT and cyber programmes to the enterprise direction so the operational work in BAI and DSS reads against an explicit plan.
BAI: Build, Acquire, and Implement (11 management objectives)
The build and change management layer. BAI01 to BAI11 cover programmes, requirements, solution identification, availability and capacity, organisational change, IT changes, change acceptance and transition, knowledge, assets, configuration, and projects. BAI06 (Managed IT Changes) and BAI10 (Managed Configuration) are the operating layer that keeps the production estate auditable and that the cyber programme reads against for change-driven incident analysis and configuration baseline scanning.
DSS: Deliver, Service, and Support (6 management objectives)
The day-to-day operating discipline. DSS01 to DSS06 cover operations, service requests and incidents, problems, continuity, security services, and business process controls. DSS05 (Managed Security Services) is the cybersecurity operating objective and the place day-to-day security work surfaces in the COBIT vocabulary. DSS04 (Managed Continuity) covers the business continuity and disaster recovery posture; DSS02 (Managed Service Requests and Incidents) covers the incident operating record cyber incidents read into.
MEA: Monitor, Evaluate, and Assess (4 management objectives)
The assurance layer. MEA01 (Managed Performance and Conformance Monitoring), MEA02 (Managed System of Internal Control), MEA03 (Managed Compliance With External Requirements), and MEA04 (Managed Assurance) carry the per-cycle examination work internal audit, external audit, and the regulator read against. The MEA evidence is what makes the rest of the COBIT operating record defensible at examination time.
The 40 objectives, organised by domain
The 40 objectives are the operating units of COBIT 2019. Each objective ships with described practices, activities, work products (inputs and outputs), suggested capability level descriptions, and informative references to ISO, ITIL, NIST, TOGAF, PMBOK, and other standards. The framework is modular: a programme tailors the in-scope objectives and the capability targets per objective during the design factor analysis rather than adopting all 40 objectives at full capability at once.
- EDM (5): EDM01 Ensured Governance Framework Setting and Maintenance, EDM02 Ensured Benefits Delivery, EDM03 Ensured Risk Optimisation, EDM04 Ensured Resource Optimisation, EDM05 Ensured Stakeholder Engagement.
- APO (14): APO01 Managed I&T Management Framework, APO02 Managed Strategy, APO03 Managed Enterprise Architecture, APO04 Managed Innovation, APO05 Managed Portfolio, APO06 Managed Budget and Costs, APO07 Managed Human Resources, APO08 Managed Relationships, APO09 Managed Service Agreements, APO10 Managed Vendors, APO11 Managed Quality, APO12 Managed Risk, APO13 Managed Security, APO14 Managed Data.
- BAI (11): BAI01 Managed Programs, BAI02 Managed Requirements Definition, BAI03 Managed Solutions Identification and Build, BAI04 Managed Availability and Capacity, BAI05 Managed Organisational Change, BAI06 Managed IT Changes, BAI07 Managed IT Change Acceptance and Transitioning, BAI08 Managed Knowledge, BAI09 Managed Assets, BAI10 Managed Configuration, BAI11 Managed Projects.
- DSS (6): DSS01 Managed Operations, DSS02 Managed Service Requests and Incidents, DSS03 Managed Problems, DSS04 Managed Continuity, DSS05 Managed Security Services, DSS06 Managed Business Process Controls.
- MEA (4): MEA01 Managed Performance and Conformance Monitoring, MEA02 Managed System of Internal Control, MEA03 Managed Compliance With External Requirements, MEA04 Managed Assurance.
How cyber work maps into the objectives
APO13 (Managed Security) and DSS05 (Managed Security Services) are the cybersecurity anchor objectives, but the cyber programme touches a broader objective set. The mapping below names the cyber-side artefact each relevant objective expects to see, written so an information security programme can produce the evidence as a side effect of operational work rather than as a separate audit deliverable.
- EDM03 (Ensured Risk Optimisation) carries the enterprise risk appetite and the cyber risk tolerance the board has approved. The cyber programme reads its prioritisation queue, its exception thresholds, and its third-party risk tolerance against this objective; the evidence is the appetite statement, the board approval record, and the periodic review minutes rather than narrative assertion.
- EDM05 (Ensured Stakeholder Engagement) carries the leadership-side communication discipline the cyber programme operates against, including the board cyber-risk briefing cadence, the audit committee briefings, the regulator engagement schedule, and the cross-functional cyber communication record.
- APO12 (Managed Risk) carries the enterprise risk register. Cyber findings raised through external scanning, authenticated DAST, code scanning, penetration testing, vendor reviews, incident response, and intelligence feeds aggregate against the cyber risk slice of this register.
- APO13 (Managed Security) carries the information security management system definition, the information security plan, the information security culture, and the security incident management plan. APO13 is the security strategy and management objective the CISO owns end to end.
- APO14 (Managed Data) covers data governance and data protection. The cyber programme reads its data classification, data handling, and data-protection control evidence against this objective.
- BAI06 (Managed IT Changes) carries the secure change discipline. Each patch deploy, each configuration change, each infrastructure-as-code commit reads through BAI06 evidence and pairs to the BAI10 baseline record.
- BAI10 (Managed Configuration) carries the configuration baseline against which scans, audits, and incident analysis read. The baseline evidence is the input every scanner output reads against to surface drift and unauthorised change.
- DSS04 (Managed Continuity) carries the business continuity and disaster recovery posture, including the recovery objectives per tier, the exercise cadence, the recovery validation evidence, and the after-action records.
- DSS05 (Managed Security Services) is the cybersecurity operating objective: endpoint security, network security, identity and access management, physical security, security configuration, vulnerability management, and threat detection and response. DSS05 is the place the day-to-day security work lands in the COBIT vocabulary.
- MEA02 (Managed System of Internal Control) carries the internal audit read across the cyber programme. Internal audit examines cyber controls against this objective, and the audit work produces the evidence MEA02 expects to see.
- MEA03 (Managed Compliance With External Requirements) carries the regulator and external auditor read across the cyber programme. The regulatory compliance evidence (HIPAA, PCI DSS, SOC 2, ISO 27001 certification, SEC cybersecurity disclosure rules, NIS2, DORA, sector-specific overlays) lands under this objective.
The eleven design factors used to tailor the governance system
Design factor analysis is what makes COBIT 2019 a tailored framework rather than a copy-paste catalogue. The eleven design factors produce the tailored governance system per cycle: the in-scope objectives, the priority objectives, the capability targets per objective, and the focus areas the programme reads against. The design factor outputs are themselves evidence the framework expects to see, and the leadership review under MEA01 reads against the tailoring decisions rather than against a generic objective set.
- Enterprise strategy. The strategic posture the enterprise has chosen (growth and acquisition, stability, cost leadership, innovation, client service) shapes which COBIT objectives are priority and which capability targets are realistic per cycle.
- Enterprise goals. The goals the enterprise is operating against (financial, customer, internal process, learning and growth) drive the alignment goals the IT and cyber programme contribute to.
- Risk profile. The enterprise risk profile drives the per-objective priority and the capability target. Cyber risk weight in the risk profile lifts APO13, DSS05, EDM03, APO12, and MEA02 in the priority list.
- IT-related issues. The current IT issues the enterprise carries (cost overruns, system outages, security incidents, audit findings, regulatory penalties) inform which objectives need attention now rather than later.
- Threat landscape. The threat landscape the enterprise operates against (sector-specific threats, regulatory exposure, supply chain exposure) lifts cyber-relevant objectives in the priority list.
- Compliance requirements. The regulations the enterprise reads against (SOX, HIPAA, GDPR, PCI DSS, SEC, NIS2, DORA, sector-specific) lift MEA03 and the cyber operating objectives the regulations call out.
- Role of IT. Whether IT is a support function, a factory, a turnaround, or a strategic function changes the priority across the objective set, and the cyber programme reads its priority against the broader IT posture.
- Sourcing model for IT. In-house, outsourced, hybrid, or cloud-first models change the priority weights across APO10 (Managed Vendors), BAI03 (Managed Solutions), and DSS05 (Managed Security Services).
- IT implementation methods. The implementation methods (agile, DevOps, traditional, hybrid) change the priority weights across BAI and the cyber-side practice expectations under APO13 and DSS05.
- Technology adoption strategy. First-mover, fast follower, or late adopter postures change the priority weights across APO04 (Managed Innovation) and the cyber-side practice expectations for emerging technology risk.
- Enterprise size. Small, medium, and large enterprises tailor the breadth and depth differently. ISACA publishes the SME focus area to support smaller enterprises that need a tailored subset rather than the full 40 objectives at high capability.
Performance management: capability and maturity
COBIT 2019 carries two complementary performance views. Process capability levels (0 through 5) describe per-objective capability with explicit capability indicators per level. Focus area maturity levels describe the aggregate maturity of a tailored focus area (Information Security, DevOps, Risk Management, Small and Medium Enterprises, Cloud) constructed from the underlying process capability scores. The two views compose into the leadership and audit committee reads.
- Process capability levels run 0 through 5: 0 (Incomplete Process, the process is not implemented or fails to achieve its purpose), 1 (Performed Process), 2 (Managed Process), 3 (Established Process), 4 (Predictable Process), 5 (Innovative Process). The capability indicators per level are explicit and derived from ISO/IEC 33000 conventions, so the assessment is reproducible rather than subjective.
- Focus area maturity levels apply to the aggregate maturity of a tailored focus area (Information Security, DevOps, Risk Management, Small and Medium Enterprise, Cloud), constructed from the underlying process capability scores per objective in the focus area scope.
- The two views compose. Process capability is the per-objective signal the working teams act on. Focus area maturity is the cross-objective signal leadership reads. Programmes report capability for the priority objectives and maturity for the focus areas the strategy and the design factors prioritise.
- The performance management evidence pack includes the per-objective capability assessment record, the named assessor, the assessment date, the capability indicator evidence per level, the target capability per priority objective, and the focus area maturity rollup per cycle.
Operating cadence across the cycle
A COBIT 2019 cyber programme runs as a continuous cycle rather than an annual report. The cadence below is the practical ordering most programmes follow when COBIT is treated as the operating framework rather than a reporting wrapper. The cycle compounds: each re-baseline starts from the prior tailored governance system, the capability scores improve, and the focus area maturity rollup gains continuity year over year.
1. Run the design factor analysis. Document the enterprise strategy, enterprise goals, risk profile, IT issues, threat landscape, compliance requirements, role of IT, sourcing model, implementation methods, technology adoption strategy, and enterprise size. The design factor analysis output is the tailored governance system: the in-scope objectives, the priority objectives, the capability targets per objective, and the focus area selection.
2. Assign the governance system roles. Name the board cyber-oversight role under EDM, the executive sponsor under APO13, the CISO accountability across APO13 and DSS05, the change manager under BAI06, the operations leader under DSS05, the internal audit liaison under MEA02, and the compliance owner under MEA03. The RACI per objective is the evidence MEA02 reads against at examination.
3. Build the cyber operating record against APO13 and DSS05. The information security management system documentation (APO13), the operating record of security services (DSS05), the change and configuration evidence (BAI06 and BAI10), the continuity evidence (DSS04), and the risk register slice (APO12) all read consistently from the same workspace.
4. Run the per-cycle capability assessment. Score each in-scope objective against the capability indicators, capture the evidence per level, and update the target capability based on the assessment. Roll the scores into focus area maturity for leadership reporting.
5. Run the MEA cycle. MEA01 examines performance and conformance against the documented objectives. MEA02 examines the internal control system. MEA03 examines compliance with external requirements. MEA04 examines broader assurance. Each MEA examination reads against the underlying operating record rather than against a reconstructed audit deliverable.
6. Report against the design factor outputs. The board pack, the audit committee report, and the cross-functional dashboards all read against the design factor analysis (priority objectives, capability targets, focus area maturity). Reporting that maps directly to the tailored governance system is what makes COBIT durable across leadership turnover.
Failure modes the framework is designed to surface
COBIT 2019 is intentionally flexible on the practices and activities programmes choose. It is unforgiving about a small number of patterns that make the framework cosmetic rather than operational. The patterns below recur across cyber adoptions and erode the year-over-year continuity the framework expects.
- Treating COBIT 2019 as a process catalogue rather than a governance framework. The framework deliberately separates EDM (governance) from APO, BAI, DSS, and MEA (management). Programmes that operate only the management objectives and ignore the EDM governance objectives lose the board oversight thread COBIT expects to see, and the leadership-side audit read against EDM01, EDM03, and EDM05 then has no evidence to examine.
- Adopting all 40 objectives at full capability in one cycle. The design factor model exists because not every objective is priority for every enterprise. Programmes that try to adopt the entire framework at capability level 3 or above on the first cycle exhaust the assessment capacity and produce thin evidence across the objective set rather than strong evidence in the priority objectives.
- Skipping the design factor analysis. The design factor outputs (priority objectives, capability targets, focus area selection) are the tailoring evidence the framework expects to see. Programmes that copy the COBIT toolkit without running the design factor analysis cannot defend why specific objectives are priority and others are not, and the leadership review under MEA01 has no anchor to read against.
- Confusing capability with maturity. Process capability is assessed per objective and grounded in ISO/IEC 33000-derived indicators. Focus area maturity is the aggregate rollup across the objectives in the focus area scope. Programmes that report a single capability number for the entire programme misuse both views and lose the per-objective signal the working teams need to act on.
- Separating cyber objectives from the rest of the COBIT operating record. APO13 and DSS05 are anchors, but cyber-related work extends into APO12 (Managed Risk), APO14 (Managed Data), BAI06 (Managed IT Changes), BAI10 (Managed Configuration), DSS04 (Managed Continuity), MEA02 (Managed System of Internal Control), and MEA03 (Managed Compliance With External Requirements). Programmes that operate the cyber programme as a parallel discipline outside the rest of the COBIT record lose the cross-objective audit read internal audit and the regulator both perform.
- Treating MEA as a year-end compilation. The MEA domain expects continuous internal audit (MEA02), continuous compliance monitoring (MEA03), and continuous performance and conformance monitoring (MEA01). Programmes that rebuild the MEA evidence from scratch at the audit deadline cannot demonstrate the continuous monitoring expectation, and the per-cycle improvement plan has no continuity from cycle to cycle.
Evidence the framework expects to see
The COBIT 2019 evidence pack reads well when it is built as a side effect of the operating work rather than reconstructed at year end. The minimum set below maps to the objectives internal audit, external audit, and the regulator most often read against, and the same artefacts feed parallel reads under NIST CSF 2.0, ISO 27001, COSO ERM, SOC 2, and the wider compliance regime when the underlying record is structured.
- Design factor analysis record: documented enterprise strategy, enterprise goals, risk profile, IT issues, threat landscape, compliance requirements, role of IT, sourcing model, implementation methods, technology adoption strategy, and enterprise size, with the tailored governance system output (priority objectives, capability targets, focus area selection).
- Governance system documentation: the per-objective scope statement, the assigned roles per objective (RACI), the in-place practices and activities, the inputs and outputs (work products) per practice, the policies and procedures the objective expects, and the per-objective capability target.
- Per-objective performance evidence: the practice and activity execution record, the work product inputs and outputs (configuration baselines, change records, scan output, finding records, incident records, training records, supplier records, audit records), the capability indicator evidence per level, and the per-cycle assessment record.
- Cyber operating evidence under APO13 and DSS05: the information security plan, the documented information security culture initiatives, the security incident management plan, the endpoint security configuration evidence, the identity and access management record, the network security baseline, the vulnerability management cycle output, the threat detection and response record, the security event log evidence.
- Change and configuration evidence under BAI06 and BAI10: the change record per production change, the change acceptance evidence, the configuration baseline per production system, the configuration drift record, and the per-change post-implementation review.
- Continuity evidence under DSS04: the business impact analysis, the recovery objectives per tier, the recovery procedures, the exercise cadence record, the recovery validation evidence, and the after-action review.
- Risk register evidence under APO12 and EDM03: the cyber risk register, the per-risk severity assessment, the disposition decision per risk, the named risk owner, the periodic review record, and the appetite statement the register operates against.
- MEA cycle evidence: the MEA01 performance conformance report, the MEA02 internal control assessment record, the MEA03 compliance evidence per regulation, and the MEA04 broader assurance pack.
- Leadership reporting evidence: the board pack covering the in-scope objectives, the capability scores against targets, the focus area maturity rollup, the substantial-change reviews, the open improvement actions, and the regulatory and audit posture.
- Improvement plan: the documented improvement priorities for the next cycle, the named owners, the deadlines, and the dependencies on resource allocation or strategic decisions.
How COBIT 2019 relates to adjacent frameworks
COBIT 2019 is the IT governance and management framework. The frameworks below cover related ground at different layers, and most enterprise programmes read against several of them at once. The relationships matter because programmes that try to operate each framework in isolation rebuild the same evidence multiple times.
COBIT 2019 vs NIST CSF 2.0
NIST CSF 2.0 is the cybersecurity outcome framework. COBIT 2019 is the enterprise IT governance and management framework. The CSF 2.0 GOVERN function (added in the 2024 update) overlaps the COBIT EDM domain at the cyber slice. The CSF 2.0 IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER functions overlap COBIT APO13 and DSS05 at the operating slice. Programmes operate NIST CSF 2.0 as the cybersecurity outcome layer and COBIT 2019 as the broader IT governance and management spine, with the cyber operating evidence under APO13 and DSS05 reading across both frameworks from one record.
COBIT 2019 vs ISO 27001
ISO 27001 is the certifiable information security management system standard. COBIT 2019 is the IT governance and management framework. APO13 (Managed Security) in COBIT explicitly expects the management of an information security management system, and ISO 27001 is the most common ISMS standard the practice runs against. Programmes operate ISO 27001 as the ISMS standard the cyber programme is certified against and COBIT 2019 as the enterprise governance spine the wider IT programme reads against. The ISO 27001 Annex A control evidence reads through APO13 and DSS05 in the COBIT vocabulary.
COBIT 2019 vs COSO ERM
COSO ERM is the enterprise risk management framework boards and audit committees read against for cross-organisation risk. COBIT 2019 is the IT governance and management framework. EDM03 (Ensured Risk Optimisation) in COBIT reads against COSO ERM at the cyber slice; APO12 (Managed Risk) in COBIT operates the cyber risk register that feeds the enterprise risk register COSO ERM consolidates. Programmes operate COSO ERM at the enterprise risk layer and COBIT 2019 at the IT governance and management layer with the cyber risk evidence reading across both from one operating record.
COBIT 2019 vs ITIL 4
ITIL 4 is the IT service management framework. COBIT 2019 is the IT governance and management framework. The BAI and DSS domains in COBIT overlap the ITIL 4 service value chain and service value system. Programmes operate ITIL 4 as the service management practice the operations team works against day to day and COBIT 2019 as the broader governance and management spine the audit committee reads against. The service operating evidence under DSS01, DSS02, DSS03, and DSS05 reads consistently with the ITIL 4 service management practices.
COBIT 2019 vs SOC 2
SOC 2 is the AICPA service organisation assurance report under the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). COBIT 2019 is the IT governance and management framework. The SOC 2 Common Criteria map across multiple COBIT objectives, with CC1 to CC5 reading against EDM and APO, CC6 to CC8 reading against DSS05 and BAI06, and CC9 reading against APO12 and DSS04. Programmes operate SOC 2 as the assurance report sold to customers and COBIT 2019 as the enterprise governance and management spine the internal audit reads against, with the same underlying control evidence reading across both.
COBIT 2019 vs the wider standards corpus
COBIT 2019 informative references explicitly cross-walk to ISO 27001 and 27002, ISO 38500, ISO 31000, NIST SP 800-53, ITIL 4, PMBOK, TOGAF, and other standards per objective. The cross-walks are the property that lets a programme operating against COBIT 2019 read its evidence across the parallel regimes without rebuilding the underlying record. The cross-walks are also what make COBIT 2019 a viable governance spine for enterprises operating in multiple regulatory and standards environments at once.
Where SecPortal fits in a COBIT 2019 cyber programme
SecPortal is the operating layer for the cyber slice of the COBIT 2019 governance system, not a replacement for the framework or for the wider IT governance record. The platform handles the cyber-side workstreams (engagement structure, finding intake, severity scoring, retest evidence, exception register, leadership reporting) so the APO13 and DSS05 evidence is produced as structured records rather than reconstructed when the MEA cycle is due. The same workspace that hosts the engagement record hosts the external scanning, authenticated DAST, code scanning, and pentest evidence the operating signal depends on, so the line from artefact to APO13 strategy and to the EDM03 risk register stays traceable across cycles.
- Engagement management dedicated to the per-cycle COBIT operating record, with the design factor analysis, the per-objective priority list, the capability targets, and the focus area selections tracked as a structured workstream rather than as one document stitched together at year end
- Findings management with CVSS 3.1 severity, structured fields, and named owners so the cyber findings raised through external scanning, authenticated DAST, code scanning, and penetration testing feed the APO13 and DSS05 evidence the framework expects to see
- Compliance tracking that maps the same evidence pack across COBIT 2019 objectives, NIST CSF 2.0 functions, ISO 27001 Annex A, SOC 2 trust services criteria, and the wider regulatory regime, so the cross-framework footprint reads from one source rather than a manually reconciled spreadsheet stack
- AI report generation that turns the operating record into a structured leadership report covering the priority objectives, the capability scores against targets, the focus area maturity rollup, and the per-cycle improvement plan, without manual rewriting at each cycle
- Activity log with CSV export capturing every state change to a finding, a configuration baseline, an exception decision, a change record, or an incident, with timestamp and named user, so the trail is reproducible at audit time without a multi-team excavation
- Document management for the design factor analysis, the governance system documentation, the information security plan (APO13), the security incident management plan (DSS05), the configuration baselines (BAI10), and the audit deliverables (MEA02, MEA03, MEA04)
- Team management with role-based access so the named EDM oversight roles, the APO13 owner, the DSS05 operator, the BAI06 change manager, the BAI10 configuration owner, the MEA02 audit liaison, and the MEA03 compliance owner each have the right permissions, and the access decisions read into the activity log
- Continuous monitoring across external scanning, authenticated scanning, and code scanning so the DSS05 vulnerability management evidence is current rather than reconstructed when the MEA01 conformance read is due
- Authenticated scanning, external scanning, and code scanning landing into the same finding record so the operational signal feeding APO13 and DSS05 reads consistently across surfaces rather than as parallel data silos
- MFA, encrypted credential storage, and activity-log evidence that backs the DSS05 access control and audit control practices and the BAI06 change discipline the audit committee reads against
The day-to-day cyber operating work is where DSS05 (Managed Security Services) reads against the structured workspace. The security leadership reporting workflow carries the cadence EDM05 and MEA01 expect across the audit committee and the board. The vulnerability prioritisation workflow translates the cyber risk appetite the board approved under EDM03 into the per-finding queue DSS05 acts on. The vulnerability acceptance and exception workflow records the documented exceptions APO12 and EDM03 expect to see. The control mapping crosswalks workflow keeps the COBIT 2019 evidence pack readable under NIST CSF 2.0, ISO 27001, COSO ERM, SOC 2, and the wider regulatory regime from one underlying record. The audit fieldwork evidence request workflow operates the MEA02 internal control fieldwork and the MEA03 external compliance fieldwork against the live operating record rather than against a reconstructed audit binder.
For CISOs and security leaders carrying the EDM oversight cadence, the CISOs and security leaders workspace bundles the platform with the engagement structure the audit committee reads against under EDM03 and EDM05. For the GRC function that owns the cross-framework evidence pack, the GRC and compliance teams workspace covers the MEA02 and MEA03 audit-side discipline. For the vulnerability management function feeding the DSS05 vulnerability management practice, the vulnerability management teams workspace covers the lifecycle work that produces the operational signal the APO13 plan and the DSS05 operating evidence both read against.
For deeper reading on the leadership-side disciplines this framework supports, the board-level security reporting guide covers the structure, narrative, and cadence EDM05, MEA01, and the audit committee read against. The NIST CSF 2.0 framework page covers the cybersecurity outcome layer that overlaps the COBIT EDM and cyber-management objectives. The ISO 27001 framework page covers the certifiable ISMS standard the APO13 (Managed Security) practice operates against, and the COSO ERM framework page covers the enterprise risk framework EDM03 reads against at the cyber slice. The CISO security metrics dashboard guide covers the dashboard structure the MEA01 conformance read and the EDM05 stakeholder reporting consume. The security program KPIs and metrics framework covers the operating metrics the per-cycle capability and maturity assessment reads against, and the enterprise security program maturity guide covers the broader programme-maturity discipline that pairs with the focus area maturity rollup COBIT 2019 expects to see.
Key control areas
SecPortal helps you track and manage compliance across these domains.
Domain 1: Evaluate, Direct, and Monitor (EDM, 5 governance objectives)
The EDM domain is the governance layer the board and the C-suite read against. The five governance objectives (EDM01 Ensured Governance Framework Setting and Maintenance, EDM02 Ensured Benefits Delivery, EDM03 Ensured Risk Optimisation, EDM04 Ensured Resource Optimisation, EDM05 Ensured Stakeholder Engagement) cover the governance system, the value the IT investment is expected to return, the risk appetite the programme operates inside, the resource portfolio the programme draws on, and the stakeholder communication discipline leadership commits to. EDM03 (Ensured Risk Optimisation) is where the cyber risk appetite and the cyber risk tolerance read against the governance objective the board reviews.
Domain 2: Align, Plan, and Organise (APO, 14 management objectives)
The APO domain covers the I&T management framework, strategy, enterprise architecture, innovation, portfolio, budget and costs, human resources, relationships, service agreements, vendors, quality, risk, security, and data. APO13 (Managed Security) is the cybersecurity-specific objective. APO12 (Managed Risk) carries the enterprise risk register the cyber risk programme feeds. APO14 (Managed Data) covers the data governance the security programme operates inside. The APO objectives align the cyber programme to the enterprise direction so the operational work in BAI and DSS executes against an explicit plan rather than against undocumented assumptions.
Domain 3: Build, Acquire, and Implement (BAI, 11 management objectives)
The BAI domain covers programmes, requirements, solution identification, availability and capacity, organisational change, IT changes, change acceptance and transition, knowledge, assets, configuration, and projects. BAI06 (Managed IT Changes) and BAI10 (Managed Configuration) are the operating layer that keeps the production estate auditable, and they read directly against the cyber programme: every patch deploy, every configuration change, every infrastructure-as-code commit reads through BAI06 evidence and BAI10 baseline records. Programmes that operate without BAI discipline lose the change trail security incident response and audit both depend on.
Domain 4: Deliver, Service, and Support (DSS, 6 management objectives)
The DSS domain is where the day-to-day operating discipline lives. DSS01 (Managed Operations), DSS02 (Managed Service Requests and Incidents), DSS03 (Managed Problems), DSS04 (Managed Continuity), DSS05 (Managed Security Services), and DSS06 (Managed Business Process Controls) carry the operational evidence the audit committee, the CISO, and the regulator all read against. DSS05 (Managed Security Services) is the cybersecurity operating objective and the place the day-to-day security work surfaces in the COBIT vocabulary: endpoint and network security, identity, vulnerability management, threat detection, and the security event response cycle all read against DSS05 practices.
Domain 5: Monitor, Evaluate, and Assess (MEA, 4 management objectives)
The MEA domain is the assurance layer. MEA01 (Managed Performance and Conformance Monitoring) is the cross-objective performance read leadership consumes. MEA02 (Managed System of Internal Control) is the internal control evaluation internal audit reads against. MEA03 (Managed Compliance With External Requirements) is the external compliance evaluation external auditors and regulators examine. MEA04 (Managed Assurance) is the broader assurance over the governance system. The MEA domain is where the COBIT operating record is examined; programmes that build the MEA evidence as a side effect of operating work rather than as a separate audit deliverable carry a defensible posture into examinations.
The forty objectives at a glance
COBIT 2019 ships 40 objectives across the five domains: 5 governance objectives in EDM, 14 management objectives in APO, 11 management objectives in BAI, 6 management objectives in DSS, and 4 management objectives in MEA. Each objective ships with its governance or management practices, the activities under each practice tagged with the capability level at which they are expected, work products (inputs and outputs), a responsibility chart across enterprise roles, and informative references to ISO/IEC 27001, ITIL, TOGAF, NIST CSF, PMBOK, and other standards. The framework is intentionally modular: a programme tailors the in-scope objectives, the priority objectives, and the capability targets per objective during the design factor analysis rather than adopting all 40 objectives at full capability at once.
The eleven design factors used to tailor the governance system
COBIT 2019 introduced the explicit design factor model: enterprise strategy, enterprise goals, risk profile, IT-related issues, threat landscape, compliance requirements, role of IT, sourcing model for IT, IT implementation methods, technology adoption strategy, and enterprise size. The design factor analysis produces the tailored governance system: the priority objectives, the capability targets per objective, the alignment goals, and the specific variants per objective. The design factor outputs are the evidence the framework expects to see backing the tailoring decisions, and they explain why one enterprise places APO13 at capability level 4 and DSS05 at level 5 while another sets BAI06 at level 5 and APO13 at level 3.
Performance management: process capability and focus area maturity
COBIT 2019 carries two performance management views. Process capability levels (0 through 5, on the CMMI-based scheme COBIT 2019 adopted in place of the ISO/IEC 15504 model COBIT 5 used) describe per-objective capability, with the activities under each objective tagged with the level at which they are expected. Focus area maturity levels describe the aggregate maturity of a focus area (Information Security, DevOps, I&T Risk, Small and Medium Enterprises, Cloud) built from the capability scores of the objectives in that focus area: a focus area reaches maturity level N only when every process in it has reached capability level N, so the weakest in-scope objective caps the rollup. Programmes report per-objective capability for the in-scope objectives and roll the scores up into focus area maturity for leadership and audit committee reads. The two views are complementary: capability is the per-objective signal the working teams use; maturity is the cross-objective signal leadership reads.
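The rollup described above, as an added worked example (not code from this page or from ISACA): it scores a focus area from its per-objective capability levels using COBIT 2019's all-processes rule, reports the maturity the design factor targets would produce, and lists which objectives hold the rollup down. The focus area membership, the assessed scores and the targets are constructed sample data; the choice of objectives follows this page's cyber adjacency list and is an assumption, not an ISACA-defined scope.

```python
"""Roll COBIT 2019 per-objective process capability scores up into a focus
area maturity level and list the gaps against the capability targets set in
the design factor analysis.

Added example, not an ISACA publication. The rollup rule is the one COBIT
2019 states for focus areas: maturity level N is reached only when every
process in the focus area is at capability level N or above, so the focus
area maturity is the minimum capability across its in-scope objectives.
The focus area membership, scores and targets below are constructed sample
data (assumption), not an ISACA-defined scope.
"""
from dataclasses import dataclass

CAPABILITY_LEVELS = range(0, 6)  # 0 (incomplete) through 5 (optimizing)


@dataclass(frozen=True)
class ObjectiveScore:
    objective: str   # COBIT objective identifier, e.g. "DSS05"
    capability: int  # assessed process capability level, 0..5
    target: int      # capability target from the design factor analysis, 0..5

    def __post_init__(self):
        # Reject values outside the 0..5 scale before they reach the rollup,
        # so a data-entry slip cannot silently move the focus area maturity.
        for name, value in (("capability", self.capability), ("target", self.target)):
            if value not in CAPABILITY_LEVELS:
                raise ValueError(f"{self.objective}: {name} {value} is outside 0..5")


def focus_area_maturity(scores):
    """Maturity of a focus area = the minimum capability across its objectives
    (every process must reach level N for the focus area to be at N)."""
    if not scores:
        raise ValueError("a focus area needs at least one in-scope objective")
    return min(s.capability for s in scores)


def target_maturity(scores):
    """Maturity the focus area reaches if every objective hits its target,
    computed with the same all-processes rule."""
    if not scores:
        raise ValueError("a focus area needs at least one in-scope objective")
    return min(s.target for s in scores)


def capability_gaps(scores):
    """Objectives below their capability target, with the shortfall in levels."""
    return {s.objective: s.target - s.capability
            for s in scores if s.capability < s.target}


def limiting_objectives(scores):
    """Objectives sitting at the current focus area maturity: raising the
    rollup by one level requires lifting every one of these."""
    floor = focus_area_maturity(scores)
    return sorted(s.objective for s in scores if s.capability == floor)


def maturity_report(scores):
    """Leadership-facing summary: one maturity number plus what caps it."""
    return {
        "maturity": focus_area_maturity(scores),
        "target_maturity": target_maturity(scores),
        "limiting_objectives": limiting_objectives(scores),
        "gaps": capability_gaps(scores),
    }


# Constructed sample (assumption): an Information Security focus area scoped
# to the cyber-adjacent objectives this page discusses, with made-up scores.
INFORMATION_SECURITY = (
    ObjectiveScore("APO12", capability=3, target=4),
    ObjectiveScore("APO13", capability=3, target=4),
    ObjectiveScore("BAI06", capability=4, target=4),
    ObjectiveScore("BAI10", capability=2, target=3),
    ObjectiveScore("DSS04", capability=3, target=3),
    ObjectiveScore("DSS05", capability=4, target=5),
)

if __name__ == "__main__":
    report = maturity_report(INFORMATION_SECURITY)
    print(f"focus area maturity: {report['maturity']} (target {report['target_maturity']})")
    print(f"held at this level by: {', '.join(report['limiting_objectives'])}")
    for objective, shortfall in sorted(report["gaps"].items()):
        print(f"  {objective}: {shortfall} level(s) below target")
```

With the sample scores the focus area reports maturity 2 even though DSS05 and BAI06 sit at level 4, because BAI10 is at level 2; that is the point of the all-processes rule, and it is why a weak configuration baseline drags the whole cyber story down in the leadership read regardless of how well the operating objectives score on their own.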
COBIT 2019 cybersecurity mapping (APO13 and DSS05 as the anchors)
APO13 (Managed Security) is the security planning objective: establishing and maintaining the information security management system (ISMS), defining and managing the information security risk treatment plan, and monitoring and reviewing the ISMS. DSS05 (Managed Security Services) is the security operating objective: protection against malicious software, network and connectivity security, endpoint security, user identity and logical access, physical access to I&T assets, sensitive documents and output devices, and vulnerability management with monitoring of the infrastructure for security-related events. The two objectives read together: APO13 carries the strategy and management discipline, DSS05 carries the day-to-day operating evidence, and the line between them is the cyber programme story COBIT expects to see.
Cybersecurity adjacencies across the wider objective set
Cyber-related work touches more than APO13 and DSS05. APO12 (Managed Risk) carries the cyber risk register. APO14 (Managed Data) covers data governance and protection. BAI06 (Managed IT Changes) covers the secure change discipline that change-driven incidents read against. BAI10 (Managed Configuration) covers the configuration baseline scans test against. DSS04 (Managed Continuity) covers the incident recovery and BCDR programme. MEA02 (Managed System of Internal Control) reads cyber controls under internal audit. MEA03 (Managed Compliance With External Requirements) reads cyber compliance against external regulators. A defensible cyber programme produces evidence across this objective set, not just under APO13 and DSS05.
COBIT 2019 audit evidence the framework expects to see
A COBIT 2019 evidence pack covers the documented governance system design with the design factor analysis backing it, the per-objective priority list and capability targets, the assigned roles and responsibilities (RACI per objective), the work product inputs and outputs per objective, the performance management dashboard with capability scores per in-scope objective and focus area maturity for the relevant focus areas, the management review minutes documenting the per-cycle assessment, and the improvement plan with named owners and review cadence. The pack reads consistently across internal audit (MEA02), external auditors and regulators (MEA03), and the broader assurance function (MEA04).
COBIT 2019 vs NIST CSF 2.0, ISO 27001, COSO ERM, ITIL 4, and SOC 2
COBIT 2019 is the IT governance and management framework. NIST CSF 2.0 is the cybersecurity outcome framework whose new GOVERN function overlaps the COBIT EDM domain at the cyber slice. ISO 27001 is the certifiable information security management system standard the APO13 (Managed Security) practice operates against. COSO ERM is the enterprise risk framework boards read against, and COBIT EDM03 (Ensured Risk Optimisation) reads against COSO ERM at the cyber slice. ITIL 4 is the service management framework BAI and DSS operating practices read against. SOC 2 is the AICPA attestation report whose Trust Services Criteria align with multiple COBIT objectives. COBIT 2019 sits as the governance and management spine; the others are the outcome, control, risk, service, and assurance layers a defensible enterprise programme reads across.
Related features
Compliance tracking without a full GRC platform
Vulnerability management software that tracks every finding
Orchestrate every security engagement from start to finish
AI-powered reports in seconds, not days
Every action recorded across the workspace
Document management for every security engagement
Collaborate across your entire team
Monitor continuously, catch regressions early
Test web apps behind the login
Vulnerability scanning tools that map your attack surface
Find vulnerabilities before they ship
Multi-factor authentication on every workspace
Run a defensible COBIT 2019 cyber programme on one operating record
Hold the governance system design, the per-objective capability scores, the cyber findings under APO13 and DSS05, the configuration baseline under BAI10, the change discipline under BAI06, the security event record under DSS05, and the MEA assurance pack on one workspace. Carry the same record into NIST CSF 2.0, ISO 27001, COSO ERM, and SOC 2 without rebuilding the evidence pack. Start free.
No credit card required. Free plan available forever.