What Is COBIT — Exam Framing
COBIT (Control Objectives for Information and Related Technology) is ISACA's governance and management framework for enterprise IT. Understanding the framing is critical before you memorize a single objective: COBIT is not a security framework — it is a governance framework for all of enterprise IT. Security is one element within that broader governance mandate.
The phrase "enterprise IT governance" tells you the scope: any organization that relies on technology (which is every modern organization) can benefit from COBIT. The framework helps boards and executives govern IT by providing principles, objectives, and design guidance that can be tailored to any enterprise.
If you hold CISM, you already understand governance. You know that governance sets direction and management executes. You know about aligning IT to business objectives, managing risk, and measuring performance. COBIT takes that same governance logic and applies it to all of enterprise IT — not just security. You are not learning a new concept; you are learning a new framework vocabulary for a concept you live every day.
The exam tests whether you understand COBIT 2019's specific structure, terminology, and design approach. You must know the principles, domains, objectives, capability levels, and design factors by name — not just the general concept. COBIT is a framework-specific exam. Precision of terminology matters.
COBIT 2019 Structure — Memorize This
6 Governance System Principles
These are the foundational principles of the entire COBIT 2019 governance system. The exam expects you to name all six and understand what each means.
| # | Principle | What It Means |
|---|---|---|
| 1 | Provide Stakeholder Value | The governance system exists to create value for stakeholders — balancing benefits realization, resource optimization, and risk optimization. Governance is not an end in itself. |
| 2 | Holistic Approach | Governance requires all components to work together: principles, policies, processes, organizational structures, culture, information, services and infrastructure, people, and skills. No single component alone creates effective governance. |
| 3 | Dynamic Governance System | Governance must be adaptable. As the business, environment, regulations, and technology change, the governance system must respond. It is not a one-time design — it is continuously maintained. |
| 4 | Governance Distinct from Management | Governance (Evaluate, Direct, Monitor — EDM) is distinct from management (Plan, Build, Run, Monitor — PBRM). This is a foundational COBIT distinction. The board governs; the executive manages. These are different functions with different actors and different objectives. |
| 5 | Tailored to Enterprise Needs | COBIT provides a comprehensive framework, but it must be tailored to the specific enterprise using design factors. There is no one-size-fits-all implementation. The right scope and focus depend on the enterprise's strategy, size, risk profile, and regulatory context. |
| 6 | End-to-End Governance System | COBIT covers the full enterprise — not just the IT department. All IT-related activities, whether performed by IT staff, business units, or third parties, fall within the scope of enterprise IT governance. It includes all stakeholders with roles in governance and management of IT. |
The exam will test these principles with scenario questions. The most commonly confused pair is #4 (Governance distinct from management) and #6 (End-to-end governance). Remember: #4 is about the nature of the two functions; #6 is about the organizational scope (all of the enterprise, not just IT). They are different dimensions.
3 Governance Objectives
COBIT 2019 identifies three overarching governance objectives, each with five supporting goals (15 goals total). The exam tests awareness of these objectives and what they represent.
| Objective | Description | 5 Supporting Goals (Examples) |
|---|---|---|
| Benefits Realization | Achieving value from IT investments and capabilities — ensuring IT delivers what the business needs. | Portfolio of competitive products, business service continuity, customer service quality, staff productivity, compliance with external laws/regulations |
| Risk Optimization | Managing IT-related risk to an acceptable level — not eliminating risk, but managing it within tolerance. | Managed IT-related business risk, information security maturity, managed regulatory compliance risk, managed fraud risk, managed operational IT risk |
| Resource Optimization | Using IT resources (people, process, technology) optimally — getting maximum value from available resources without over- or under-investment. | IT cost optimization, managed IT assets, optimized sourcing, optimized IT skills, effective IT governance and management practices |
40 Governance and Management Objectives — The 5 Domains
COBIT 2019 has 40 governance and management objectives organized across 5 domains (COBIT 5 had 37; COBIT 2019 has 40 — the exam tests COBIT 2019 numbers). Each domain has a specific focus and type of objective.
| Domain | Name | Type | Objectives |
|---|---|---|---|
| EDM | Evaluate, Direct and Monitor | Governance | 5 objectives — board-level governance |
| APO | Align, Plan and Organize | Management | 14 objectives — strategy and organization |
| BAI | Build, Acquire and Implement | Management | 11 objectives — solutions delivery |
| DSS | Deliver, Service and Support | Management | 6 objectives — IT operations |
| MEA | Monitor, Evaluate and Assess | Management | 4 objectives — monitoring and assurance |
EDM is the only governance domain. APO, BAI, DSS, and MEA are all management domains. This is the COBIT expression of Principle #4: Governance Distinct from Management. The exam will ask which domain performs governance — EDM only. The other four perform management functions even though MEA also includes monitoring activities.
11 Design Factors
COBIT 2019 introduced a design factor concept that replaced the simpler COBIT 5 enabler model. Design factors are the variables that shape how an enterprise should tailor its governance system. There are 11 design factors organized into 4 categories.
| Design Factor | Examples / Description |
|---|---|
| Enterprise Strategy | Growth/acquisition, innovation/differentiation, cost leadership, compliance/stability — the strategy determines where governance emphasis goes |
| Enterprise Goals | Linked to the three governance objectives (benefits, risk, resource); what outcomes matter most to this enterprise right now |
| Risk Profile | Current level of IT-related risk the enterprise faces — high-risk profile requires more intensive governance of risk objectives |
| I&T-Related Issues | Known pain points: compliance issues, security incidents, IT project failures, service quality problems — signals where the governance system needs attention |
| Threat Landscape | Current threat environment — low, normal, high, or very high. Affects how much emphasis to place on risk-related management objectives |
| Compliance Requirements | Regulatory, contractual, and legal obligations that shape governance priorities and required controls |
| IT Role | Is IT a support function, a factory (operational), a strategic asset, or a turnaround engine? Role determines governance depth required |
| Sourcing Model | In-house, outsourced, cloud, hybrid — different sourcing models require different governance approaches for oversight and accountability |
| IT Implementation Methods | Traditional, agile, DevOps, hybrid — affects how build and delivery objectives are implemented and governed |
| Technology Adoption Strategy | First mover, follower, slow adopter — how aggressively the enterprise adopts new technology affects risk profile and required governance |
| Enterprise Size | Large enterprise, medium, small — smaller enterprises apply a simplified subset of COBIT objectives using the SME focus area |
Focus Areas
Focus areas are predefined collections of COBIT guidance for specific topics. They are not separate frameworks — they are lenses that apply COBIT to specific contexts:
- DevOps — applying governance to agile and DevOps delivery models
- Information & Technology Risk — deep dive on risk management across the governance system
- Small & Medium Enterprise (SME) — simplified COBIT subset for smaller organizations
- Cloud Computing — governance considerations for cloud sourcing and services
- Privacy — governance of personal data and privacy compliance
COBIT 2019 vs COBIT 5 — What Changed
The exam will test whether you know the key differences between versions. Do not confuse COBIT 5 terminology with COBIT 2019 terminology — they are close enough to create traps.
| Element | COBIT 5 | COBIT 2019 |
|---|---|---|
| Principles | 5 principles | 6 principles (added "End-to-End Governance") |
| Objectives | 37 governance and management objectives | 40 governance and management objectives (3 added) |
| Enablers | 7 enablers (People, Processes, etc.) | Replaced with components of governance system |
| Capability Model | Process Capability Model (ISO 15504 / SPICE) | CMMI-based capability model (levels 0–5) |
| Design Guidance | Implementation guidance only | Design factors — formal tailoring methodology added |
| Focus Areas | Not defined | Focus areas concept introduced (DevOps, Cloud, SME, etc.) |
| Goals Cascade | Enterprise goals → IT goals → enabler goals (3-level) | Simplified to enterprise goals → alignment goals → governance/management objectives |
Questions about "how many principles" or "how many objectives" are testing which version you know. COBIT 2019 = 6 principles, 40 objectives. COBIT 5 = 5 principles, 37 objectives. The exam is COBIT 2019. Do not confuse these.
Governance vs Management in COBIT
This is the most important conceptual distinction in COBIT — and the one most likely to appear in exam questions. COBIT 2019 makes this distinction structural, not just conceptual.
Governance — Evaluate, Direct, Monitor (EDM)
Governance is the responsibility of the board of directors (or equivalent governing body). Governance answers the questions: What are our objectives? What level of risk is acceptable? Are we on track? Governance is performed through three verbs: Evaluate, Direct, Monitor.
The EDM domain contains 5 governance objectives:
- EDM01 — Ensured Governance Framework Setting and Maintenance (establish and maintain the governance framework itself)
- EDM02 — Ensured Benefits Delivery (governance of value delivery — are IT investments delivering expected benefits?)
- EDM03 — Ensured Risk Optimization (governance of risk — is risk managed within appetite?)
- EDM04 — Ensured Resource Optimization (governance of resources — are people, assets, and capabilities used efficiently?)
- EDM05 — Ensured Stakeholder Engagement (governance of transparency and communication — are stakeholders appropriately informed?)
Management — Plan, Build, Run, Monitor (PBRM)
Management is the responsibility of executive management (CEO, CIO, CISO, and their teams). Management answers: How do we achieve the governance direction? How do we execute? Management operates through four verbs: Plan, Build, Run, Monitor — which map to the four management domains:
- APO (Align, Plan, Organize) = Plan
- BAI (Build, Acquire, Implement) = Build
- DSS (Deliver, Service, Support) = Run
- MEA (Monitor, Evaluate, Assess) = Monitor
The 40 Governance and Management Objectives
EDM — Evaluate, Direct and Monitor (5 Governance Objectives)
| ID | Name | Focus |
|---|---|---|
| EDM01 | Ensured Governance Framework Setting and Maintenance | The governance system itself — structure, principles, accountability |
| EDM02 | Ensured Benefits Delivery | Value realization from IT investments |
| EDM03 | Ensured Risk Optimization | Risk within appetite; risk treatment decisions |
| EDM04 | Ensured Resource Optimization | Efficient use of people, processes, infrastructure |
| EDM05 | Ensured Stakeholder Engagement | Transparency, communication, and stakeholder satisfaction |
APO — Align, Plan and Organize (14 Management Objectives)
| ID | Name | Focus |
|---|---|---|
| APO01 | Managed I&T Management Framework | Operating model for the IT function |
| APO02 | Managed Strategy | IT strategy aligned with enterprise strategy |
| APO03 | Managed Enterprise Architecture | Business, data, application, and technology architecture |
| APO04 | Managed Innovation | Systematic identification and exploitation of technology innovations |
| APO05 | Managed Portfolio | IT investment portfolio management |
| APO06 | Managed Budget and Costs | IT financial management and cost allocation |
| APO07 | Managed Human Resources | IT workforce planning, acquisition, and development |
| APO08 | Managed Relationships | Business-IT relationship management |
| APO09 | Managed Service Agreements | IT service level management |
| APO10 | Managed Vendors | Third-party and supplier management |
| APO11 | Managed Quality | Quality management across IT services and products |
| APO12 | Managed Risk | Enterprise IT risk management processes |
| APO13 | Managed Security | Information security management system |
| APO14 | Managed Data | Data governance — data quality, classification, lifecycle (added in COBIT 2019) |
BAI — Build, Acquire and Implement (11 Management Objectives)
| ID | Name | Focus |
|---|---|---|
| BAI01 | Managed Programs | Program management for significant IT initiatives |
| BAI02 | Managed Requirements Definition | Business requirements for IT solutions |
| BAI03 | Managed Solutions Identification and Build | Solution design and development |
| BAI04 | Managed Availability and Capacity | Availability and performance planning |
| BAI05 | Managed Organizational Change Enablement | Change management for IT-driven organizational change |
| BAI06 | Managed IT Changes | Change control for IT systems and services |
| BAI07 | Managed IT Change Acceptance and Transitioning | Release and deployment management |
| BAI08 | Managed Knowledge | Knowledge management and capture |
| BAI09 | Managed Assets | IT asset lifecycle management |
| BAI10 | Managed Configuration | Configuration management and CMDB |
| BAI11 | Managed Projects | IT project management methodology |
DSS — Deliver, Service and Support (6 Management Objectives)
| ID | Name | Focus |
|---|---|---|
| DSS01 | Managed Operations | Day-to-day IT operations and facilities |
| DSS02 | Managed Service Requests and Incidents | Incident and service request management |
| DSS03 | Managed Problems | Problem management and root cause analysis |
| DSS04 | Managed Continuity | Business continuity and disaster recovery for IT |
| DSS05 | Managed Security Services | Operational information security controls |
| DSS06 | Managed Business Process Controls | Controls within business process operations |
MEA — Monitor, Evaluate and Assess (4 Management Objectives)
| ID | Name | Focus |
|---|---|---|
| MEA01 | Managed Performance and Conformance Monitoring | Monitoring IT performance against targets |
| MEA02 | Managed System of Internal Control | Internal control effectiveness assessment |
| MEA03 | Managed Compliance with External Requirements | Regulatory and contractual compliance monitoring |
| MEA04 | Managed Assurance | Independent assurance and audit coordination (added in COBIT 2019) |
Capability Levels (0–5) — CMMI-Based in COBIT 2019
COBIT 2019 adopted a CMMI-based capability model, replacing the ISO 15504/SPICE model used in COBIT 5. The levels measure how well each management or governance objective is being performed:
| Level | Name | Description |
|---|---|---|
| 0 | Incomplete | Process is not implemented or does not achieve its purpose. No evidence of systematic execution. |
| 1 | Initial | Process is implemented and achieves its purpose. Implementation may be informal, undocumented, and inconsistent. People-dependent. |
| 2 | Managed | Process is planned, monitored, and adjusted. Products conform to requirements. Basic project management applied. |
| 3 | Defined | Process is documented, standardized, and integrated into organization-wide processes. Consistent execution across the enterprise. |
| 4 | Quantitatively Managed | Process is controlled using statistical and quantitative techniques. Performance is predictable within defined boundaries. |
| 5 | Optimizing | Continuous improvement. Process performance continuously improved through incremental and innovative changes. Proactive, benchmarked. |
COBIT 2019 uses capability levels (0–5) assessed per objective, not a single maturity score for the whole organization. Most organizations target Level 3 (Defined) for critical objectives and accept Level 2 for less critical ones. The exam may ask what "target capability level" an organization should aim for — the answer depends on the enterprise's risk profile and objectives, not a single universal target.
How COBIT Maps to CISM Domains
Your CISM background gives you a significant advantage because COBIT and CISM share conceptual foundations rooted in ISACA's governance philosophy. Here is where the overlap is strongest:
| CISM Domain | Most Relevant COBIT Objectives | Overlap Strength |
|---|---|---|
| Domain 1: Information Security Governance | EDM01–EDM05, APO01, APO02, APO12, APO13 | Very High — governance principles are nearly identical |
| Domain 2: Risk Management | EDM03, APO12, APO13, MEA03 | Very High — risk identification, assessment, treatment framework aligns directly |
| Domain 3: Security Program | APO13, DSS05, BAI02, BAI06, MEA01, MEA02 | High — program management and control monitoring overlap well |
| Domain 4: Incident Management | DSS02, DSS04, DSS05, MEA01 | Moderate-High — incident and continuity objectives align with CISM D4 |
The key difference: CISM focuses exclusively on information security management. COBIT applies the same governance logic to all of IT — including IT service management, IT project delivery, IT asset management, and IT financial management. When you see a COBIT question about IT service management or IT project governance, translate it to the same governance mindset you used in CISM.
COBIT Exam Strategy
Unlike CISM — which is scenario-based and tests judgment — COBIT Foundation is more framework-specific. You will see questions that ask you to identify the correct principle, the correct domain, or the correct objective by name. Terminology precision is required.
- Structure questions: "Which domain contains governance objectives?" → EDM only
- Principle questions: "Which principle states that governance must adapt to change?" → Dynamic Governance System
- Objective questions: "Which management objective covers IT risk management?" → APO12
- Design factor questions: "An enterprise is highly regulated with a conservative technology strategy. Which design factors most influence governance system design?" → Compliance requirements, IT role, technology adoption strategy
- Governance vs management: "The board reviews whether IT investments are delivering value. This is an example of which COBIT governance objective?" → EDM02
A 65% passing score means you need to get about 49 of 75 questions right. Focus your energy: (1) all 6 principles — must know cold, (2) governance vs management distinction + EDM domain, (3) which objectives belong to which domain at a high level, (4) capability levels 0–5, (5) key differences from COBIT 5. The full 40-objective list is useful context, but you rarely need to know specific objective numbers — you need to know domains and general purpose.