If one or more of the statements below reflects your thoughts on COBIT®, you should investigate the latest ISACA publication, COBIT for Small and Medium Enterprises (SMEs).
- COBIT only applies for large and complex companies, companies in the financial sector or the government.
- COBIT is only useful for auditors and assessors.
- I have heard of COBIT, but do not know exactly what it is.
- COBIT is too complicated for my organization.
In a newly released guide—COBIT for Small and Medium Enterprises—you will find an introduction to enterprise governance of information and technology (EGIT) and will learn how to get started with your own governance initiative.
For small and medium enterprises, information & technology (I&T) has become crucial for support, sustainability and growth. Previously, boards of directors and senior management could delegate, ignore or avoid I&T-related decisions. But today, such attitudes are ill-advised, to put it mildly.
SMEs are, just like large enterprises, increasingly dependent on technology and digitization (and thus, I&T for survival and growth). Therefore, top management needs to be involved in the management of I&T assets.
Some familiar with COBIT have commented that it is an excellent resource for larger enterprises, but it is difficult to implement in a smaller enterprise setting. This publication puts COBIT concepts in a small to medium context, allowing those enterprises to adopt pertinent COBIT concepts tailored to their size, scope and industry, enabling the benefits afforded by implementing COBIT. The publication provides examples of the tools needed to scope a governance program and define priorities.
Once you have defined your program, you can access information about the governance and management objectives, how they are linked to organizational functions, which inputs are used by the related processes, and which outputs they produce.
The target audience for this guide includes different functions in an SME, such as business managers, IT managers, quality or security professionals, internal audit, and others who are looking for detailed guidance on developing and implementing governance practices in their organization. The guide provides some simple tools that can help you to define if it is applicable for your organization.
Practitioners who are less familiar with COBIT should know it is a framework for the governance and management of enterprise information and technology aimed at the whole enterprise. Enterprise I&T means all the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise. In other words, enterprise I&T is not limited to the IT department of an organization but certainly includes it.
COBIT defines the components to build and sustain a governance system as follows: processes, policies and procedures; organizational structures; information flows; skills; infrastructure; and culture and behaviors (figure below).
About the author: Greet Volders, CGEIT, is a managing consultant and chief executive officer of Voquals N.V., which she founded in 1995. Her main activity is providing advice for customers, and she regularly gives training and seminars related to enterprise governance of IT, process improvement and IT/business alignment. In 2004, Volders became an accredited trainer for the COBIT Foundation course and the IT Governance Implementation training, using COBIT, which she has continued for COBIT 5 and COBIT 2019. Since 2002, she has been an active member in several development teams for COBIT and she is regularly asked to serve as an expert reviewer for ISACA publications. She can be reached at gvolders@voquals.be.