New COBIT Resource from ISACA Offers Guidance for Governance and Management of Information Security


COBIT Focus Area: Information Security helps integrate information security throughout the organisation

Effective governance and management of information security is necessary for achieving enterprise objectives. It can help enterprises build resilience and minimise the occurrence and impact of security breaches that can cause reputational damage, legal and regulatory risk, or even threaten their very survival. COBIT Focus Area: Information Security is the highly anticipated first focus area publication to launch under the COBIT 2019 umbrella, fulfilling its promise to make its guidance more flexible and practical to use.

COBIT Focus Area: Information Security serves to extend the COBIT portfolio by building upon best practices shared for the governance and management of information and technology aimed at the whole enterprise through the lens of information security, and details additional metrics and activities that should be considered when implementing or assessing COBIT in the context of information security. The major drivers for the development of this publication include:

  • Clarifying the roles of governance and management and showing how they relate to each other
  • Providing a clear end-to-end view into distinction within the enterprise and during all process steps between information security governance and information security management practices
  • Providing a comprehensive and holistic guidance on information security – not only to processes but to all components in an enterprise, including organisation structure, skills, policies, etc.

Stakeholders throughout the enterprise who interact with information security, whether a board director, CISO or business manager will benefit from guidance on:

  • Reduced complexity and increased cost-effectiveness due to improved and easier integration and alignment of information security standards, good practices and/or sector-specific guidelines
  • Increased stakeholder satisfaction with information security arrangements and outcomes
  • Improved integration of information security in the enterprise
  • Informed risk decisions and risk awareness
  • Improved prevention, detection and recovery
  • Reduced (impact and probability of) information security incidents
  • Enhanced support for innovation and competitiveness
  • Improved management and optimisation of costs related to information security
  • Better understanding of information security by stakeholders

“COBIT is an open-ended and flexible framework, which allows for easy customization to an organisation’s needs,” said Winston Hayden, CISA, CISM, CGEIT, CRISC, Executive Governance and Information Security Advisor, and a developer of the publication. “COBIT Focus Area: Information Security cohesively outlines the benefits of applying good governance techniques in the context of information security, particularly at a time when the significance of information and technology is increasing and the need to mitigate information risk and protect I&T assets is constantly intensifying.”

This focus area publication is comprehensive, providing an overview and description of COBIT roles and organisational structures, COBIT terminology and key concepts including the components of a governance system and COBIT governance and management objectives.

“This new guidance makes COBIT more practical than ever, giving clear guidance on how to govern and manage information security in your organisation,” said Nader Qaimari, chief learning officer at ISACA. “Studies show that bad actors have taken advantage of COVID-19 and ramped up attacks on organisations. This guidance will enhance your readiness and resiliency, while at the same time optimising your budget, in the face of a challenging threat landscape.”

For more on ISACA visit