Questions & Answers
What is COBIT 2019?
COBIT 2019 is the current version of ISACA's framework for Enterprise Governance of Information and Technology (EGIT). A core tenet of the framework is the distinction between governance and management. Governance is a board-level responsibility: it evaluates stakeholder needs to set enterprise objectives, directs the enterprise toward them, and monitors progress (the Evaluate, Direct and Monitor, or EDM, domain). Management, led by the executive team, plans, builds, runs and monitors the activities that achieve those objectives (the APO, BAI, DSS and MEA domains). The framework defines 40 governance and management objectives: 5 governance objectives (EDM01 to EDM05) and 35 management objectives. It provides mappings to standards such as ISO/IEC 27001 (information security) and the NIST Cybersecurity Framework. For risk management, COBIT 2019 supplies a high-level structure that integrates I&T risk into the enterprise-wide risk landscape with a focus on value creation, whereas ISO/IEC 27001 is scoped specifically to the Information Security Management System (ISMS).
How is COBIT 2019 applied in enterprise risk management?
Enterprises apply COBIT 2019 to risk management through a structured, three-stage approach:

1. **Scoping and objective setting:** Using COBIT's Design Factors, the organization analyzes its industry, risk profile and strategic goals to prioritize the most relevant of the 40 objectives. A financial services firm, for example, might prioritize APO12 (Managed Risk) and DSS05 (Managed Security Services).
2. **Implementation and capability assessment:** The processes and practices for the selected objectives are implemented. The COBIT Performance Management (CPM) model is then used to assess each process's current capability level (0 to 5) and identify gaps for improvement.
3. **Monitoring and continuous improvement:** Goal and performance metrics (commonly still referred to as Key Goal Indicators, KGIs, and Key Performance Indicators, KPIs) are defined to track effectiveness, for example 'number of critical security incidents'.

A global manufacturing firm used this approach to govern its IT/OT convergence, reducing critical vulnerabilities by 25% and passing key supplier security audits.
What challenges do Taiwanese enterprises face when implementing COBIT 2019?
Taiwanese enterprises face several key challenges when implementing COBIT 2019:

1. **Resource constraints and lack of executive buy-in:** Many SMEs lack dedicated IT governance staff and budget, and leadership often treats governance as a technical IT issue rather than a strategic, enterprise-level concern.
2. **Framework complexity:** With 40 objectives and numerous practices, the framework can be overwhelming, and tailoring it effectively is difficult without expert guidance.
3. **Local regulatory alignment:** Significant effort is required to map COBIT's practices to Taiwan-specific requirements, such as the Cyber Security Management Act and the rules that apply to publicly listed companies.

**Solutions:**
* Adopt a phased implementation that starts with high-risk areas such as cybersecurity, so that early results demonstrate value.
* Use the COBIT Design Factors toolkit to narrow the scope systematically to a manageable number of objectives.
* Build a compliance matrix that maps each local legal requirement to the specific COBIT practices that satisfy it, so governance and regulatory needs are met with a single set of controls.
Why choose Winners Consulting for COBIT 2019?
Winners Consulting specializes in COBIT 2019 for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact