As of 2026, ISACA continues to present COBIT 2019 as its core framework for the governance and management of enterprise information and technology. COBIT provides a core model of 40 governance and management objectives, supported by design guidance, implementation guidance, performance management and specialist focus areas.
Copyright note
ISACA’s COBIT publications contain licensed material. The checklists and guidance below are original, practical content aligned with COBIT concepts; they do not reproduce ISACA’s licensed COBIT publications.
What COBIT is
COBIT is an enterprise-wide framework for governing and managing information and technology — not merely an IT-department control checklist. Its purpose is to help an organisation deliver value from technology, align technology strategy with business strategy, optimise technology risk and resources, clarify accountabilities, and monitor performance, compliance and internal control.
COBIT is deliberately designed to integrate other frameworks and requirements — ISO 27001, ISO 20000, ITIL, NIST, PCI DSS, TOGAF, COSO and applicable regulations — under one governance system. A defining principle is the separation of governance from management:
| Governance | Management |
|---|---|
| Evaluates stakeholder needs and conditions | Plans and organises activities |
| Sets direction and priorities | Builds or acquires solutions |
| Monitors performance and compliance | Operates services and controls |
| Normally led by the board / governance body | Normally led by executive management |
Governance operates through Evaluate, Direct and Monitor; management Plans, Builds, Runs and Monitors activities according to governance direction.
COBIT 2019 structure
The five domains (40 objectives)
| Domain | Meaning | Objectives |
|---|---|---|
| EDM | Evaluate, Direct and Monitor (governance) | 5 |
| APO | Align, Plan and Organise | 14 |
| BAI | Build, Acquire and Implement | 11 |
| DSS | Deliver, Service and Support | 6 |
| MEA | Monitor, Evaluate and Assess | 4 |
| Total | | 40 |
EDM represents governance; APO, BAI, DSS and MEA mainly represent management.
Six governance-system principles
- Provide stakeholder value.
- Use a holistic approach.
- Maintain a dynamic governance system.
- Keep governance distinct from management.
- Tailor governance to enterprise needs.
- Apply governance end to end across the enterprise.
Three governance-framework principles
- Based on a conceptual model.
- Open and flexible.
- Aligned with major standards, frameworks and regulations.
Seven governance components
Each selected objective should be implemented through all seven components — not policies or process documents alone.
| Component | What must be established |
|---|---|
| Processes | Defined activities, inputs, outputs and controls |
| Organisational structures | Committees, reporting lines, decision rights |
| Principles, policies and procedures | Approved governance documents |
| Information | Reports, records, data and evidence |
| Culture, ethics and behaviour | Expected conduct and accountability |
| People, skills and competencies | Role capability, training and staffing |
| Services, infrastructure and applications | Supporting technology and tooling |
The goals cascade
A COBIT implementation should not begin by implementing all 40 objectives indiscriminately. The correct flow is: Stakeholder drivers & needs → Enterprise goals → Alignment goals → Governance & management objectives → Practices, controls, metrics and evidence. COBIT 2019 defines 13 enterprise goals and 13 alignment goals.
13 enterprise goals
| ID | Enterprise goal |
|---|---|
| EG01 | Portfolio of competitive products and services |
| EG02 | Managed business risk |
| EG03 | Compliance with external laws and regulations |
| EG04 | Quality of financial information |
| EG05 | Customer-oriented service culture |
| EG06 | Business service continuity and availability |
| EG07 | Quality of management information |
| EG08 | Optimisation of internal business-process functionality |
| EG09 | Optimisation of business-process costs |
| EG10 | Staff skills, motivation and productivity |
| EG11 | Compliance with internal policies |
| EG12 | Managed digital-transformation programmes |
| EG13 | Product and business innovation |
13 alignment goals
| ID | Alignment goal |
|---|---|
| AG01 | I&T compliance and support for business compliance with external requirements |
| AG02 | Managed I&T-related risk |
| AG03 | Realised benefits from I&T-enabled investments and service portfolios |
| AG04 | Quality of technology-related financial information |
| AG05 | Delivery of I&T services in line with business requirements |
| AG06 | Agility to translate business requirements into operational solutions |
| AG07 | Security of information, infrastructure, applications and privacy |
| AG08 | Enablement of business processes through integrated technology |
| AG09 | Programmes delivered on time, within budget and meeting requirements |
| AG10 | Quality of I&T management information |
| AG11 | I&T compliance with internal policies |
| AG12 | Competent and motivated staff with business and technology understanding |
| AG13 | Knowledge and initiatives supporting business innovation |
The eleven design factors
Design factors determine which objectives matter most and what capability level to target — creating a tailored governance system instead of one-size-fits-all.
| # | Design factor | Questions to ask |
|---|---|---|
| 1 | Enterprise strategy | Growth, innovation, cost leadership or client service? |
| 2 | Enterprise goals | Which business outcomes matter most? |
| 3 | Enterprise risk profile | What technology scenarios could cause major harm? |
| 4 | I&T-related issues | What incidents, failures, audit findings or weaknesses exist? |
| 5 | Threat landscape | Normal or elevated cyber and operational threat exposure? |
| 6 | Compliance requirements | Low, normal or highly regulated environment? |
| 7 | Role of IT | Support, factory, turnaround or strategic? |
| 8 | Sourcing model | Internal, cloud, outsourced or hybrid? |
| 9 | Implementation methods | Traditional, agile, DevOps or hybrid? |
| 10 | Technology-adoption strategy | First mover, follower or slow adopter? |
| 11 | Enterprise size | Small, medium or large? |
Master checklist — all 40 objectives
EDM — Evaluate, Direct and Monitor
| Objective | Key assessment questions | Typical evidence |
|---|---|---|
| EDM01 Governance Framework Setting & Maintenance | Is an enterprise I&T governance framework approved? Are governance and management accountabilities separated? Are decision rights documented? | Governance charter, committee terms, authority matrix, RACI, board minutes |
| EDM02 Benefits Delivery | Are expected benefits defined and owned for technology investments? Are benefits tracked after deployment? | Business cases, benefit register, portfolio reports, post-implementation reviews |
| EDM03 Risk Optimisation | Has the board approved I&T risk appetite and tolerance? Are major technology risks reported and treated? | Risk appetite, enterprise risk register, KRIs, board risk reports |
| EDM04 Resource Optimisation | Are people, applications, infrastructure, data and budgets optimised? Are capacity and skill shortages addressed? | Resource strategy, workforce plan, capacity reports, asset portfolio |
| EDM05 Stakeholder Engagement | Are stakeholder information needs identified? Are reporting and transparency mechanisms effective? | Stakeholder map, reporting calendar, governance dashboards, survey results |
APO — Align, Plan and Organise
| Objective | Key assessment questions | Typical evidence |
|---|---|---|
| APO01 Managed I&T Management Framework | Are the I&T operating model, policies, processes and roles documented? | IT governance manual, policy hierarchy, process inventory, RACI |
| APO02 Managed Strategy | Is there an approved technology strategy aligned to enterprise strategy, reviewed on change? | IT strategy, roadmap, SWOT, investment plan |
| APO03 Managed Enterprise Architecture | Are business, data, application and technology architectures documented and governed? | Architecture principles, current/target architecture, standards |
| APO04 Managed Innovation | Is innovation systematically identified, evaluated, piloted and measured? | Innovation register, PoC reports, emerging-tech assessments |
| APO05 Managed Portfolio | Are programmes, projects, products and services prioritised as a portfolio? Are low-value initiatives stopped? | Portfolio register, prioritisation criteria, steering minutes |
| APO06 Managed Budget & Costs | Are technology budgets transparent, approved and monitored with variance analysis? | Budgets, forecasts, chargeback model, cost dashboards |
| APO07 Managed Human Resources | Are staffing, skills, succession, training and SoD requirements managed? | Skill matrix, training plan, job descriptions, SoD review |
| APO08 Managed Relationships | Are business–IT relationships formally managed and satisfaction measured? | Relationship plan, service reviews, satisfaction reports |
| APO09 Managed Service Agreements | Are services catalogued with defined, measured SLAs and OLAs? | Service catalogue, SLA/OLA, service reports |
| APO10 Managed Vendors | Are vendors risk-assessed, contracted, monitored and exited securely? | Vendor inventory, due diligence, contracts, scorecards, exit plans |
| APO11 Managed Quality | Is a quality-management system applied to technology processes and deliverables? | Quality policy, quality plans, review records, defect metrics |
| APO12 Managed Risk | Is a structured I&T risk process integrated with enterprise risk management? | Risk methodology, scenarios, risk register, treatment plans |
| APO13 Managed Security | Is an information-security management system established and aligned to risk? | Security strategy, policies, ISMS scope, security metrics |
| APO14 Managed Data | Are data ownership, classification, quality, lifecycle, privacy and retention governed? | Data policy, catalogue, ownership register, retention schedule |
BAI — Build, Acquire and Implement
| Objective | Key assessment questions | Typical evidence |
|---|---|---|
| BAI01 Managed Programmes | Are related projects governed as programmes with outcomes and benefit ownership? | Programme charter, benefits plan, dependency map, minutes |
| BAI02 Managed Requirements Definition | Are functional, security, privacy, compliance and operational requirements documented and approved? | BRD, user stories, traceability matrix, acceptance criteria |
| BAI03 Managed Solutions Build | Are solutions designed, developed, configured and tested through controlled practices? | Designs, source-control records, secure-dev evidence, test reports |
| BAI04 Managed Availability & Capacity | Are capacity, performance and availability forecast and monitored? | Capacity plan, utilisation dashboard, availability reports |
| BAI05 Managed Organisational Change | Are adoption, communication, training and resistance actively managed? | Change-impact assessment, communication plan, training records |
| BAI06 Managed IT Changes | Are normal, standard and emergency changes authorised, tested, scheduled and reviewed? | Change tickets, approvals, CAB minutes, emergency-change review |
| BAI07 Managed Change Acceptance & Transition | Are releases accepted by business owners before production, with rollback and support readiness? | UAT approval, release checklist, rollback plan, readiness assessment |
| BAI08 Managed Knowledge | Is operational, technical and business knowledge captured, protected and maintained? | Knowledge base, operating manuals, runbooks, review logs |
| BAI09 Managed Assets | Are assets inventoried, owned, licensed, protected and securely disposed of? | CMDB/asset register, licence records, disposal certificates |
| BAI10 Managed Configuration | Are configuration items and baselines identified, controlled and verified? | Config-management plan, CMDB, baseline records, reconciliation |
| BAI11 Managed Projects | Are projects governed for scope, time, cost, quality, risk and acceptance? | Project charter, plan, RAID log, status reports, closure review |
DSS — Deliver, Service and Support
| Objective | Key assessment questions | Typical evidence |
|---|---|---|
| DSS01 Managed Operations | Are scheduled jobs, backups, infrastructure, facilities and procedures controlled? | SOPs, job logs, backup reports, monitoring records, handover |
| DSS02 Managed Requests & Incidents | Are requests and incidents logged, prioritised, escalated and closed within targets? | Tickets, SLA reports, major-incident reports, escalation records |
| DSS03 Managed Problems | Are recurring and major incidents subjected to root-cause analysis with tracked corrective actions? | Problem tickets, RCA reports, known-error database, trend reports |
| DSS04 Managed Continuity | Are business impact, recovery strategies, plans and exercises maintained? | BIA, BCP, DR plan, test reports, recovery evidence |
| DSS05 Managed Security Services | Are identity, endpoint, network, vulnerability, logging and security-event controls operated effectively? | IAM reviews, vulnerability scans, SIEM reports, patch reports |
| DSS06 Managed Business Process Controls | Are automated and manual controls embedded into critical business processes? | Control matrix, reconciliations, approval logs, exception reports |
MEA — Monitor, Evaluate and Assess
| Objective | Key assessment questions | Typical evidence |
|---|---|---|
| MEA01 Managed Performance & Conformance | Are KPIs, KRIs, targets and deviations monitored and reported? | Performance framework, dashboards, variance reports, action logs |
| MEA02 Managed System of Internal Control | Is the design and operating effectiveness of controls evaluated and deficiencies remediated? | RCM, control testing, self-assessments, issue register |
| MEA03 Managed Compliance with External Requirements | Are legal, regulatory and contractual obligations identified and monitored? | Compliance register, legal opinions, regulatory submissions |
| MEA04 Managed Assurance | Is an independent, risk-based assurance programme established and coordinated? | Audit universe, audit plan, reports, follow-up records |
Organisation-level readiness checklist
Governance and leadership
- Board has formally accepted accountability for enterprise I&T governance.
- An I&T governance committee (or equivalent) exists.
- Committee includes business, risk, compliance, security, finance and technology.
- Governance and management responsibilities are separated.
- Decision rights and escalation authorities are documented.
- I&T risk appetite and tolerance are approved.
- Technology-investment principles are approved.
- Governance performance is periodically reported to the board.
Strategy and alignment
- Enterprise strategy and IT strategy are formally linked.
- Enterprise goals and alignment goals have been prioritised.
- The 11 design factors have been assessed.
- Strategic initiatives have owners, budgets and measurable outcomes.
- Architecture principles and target architecture are approved.
- Digital-transformation dependencies and risks are documented.
- Benefits are measured after project completion.
Risk, compliance and security
- Technology risks are integrated into enterprise risk management.
- Regulatory obligations are inventoried.
- Risks have owners, ratings, treatments and due dates.
- Information-security governance is approved.
- Privacy and data-governance requirements are addressed.
- Third-party technology risks are managed.
- Cyber incidents are reported through governance channels.
- Exceptions and risk acceptances have expiry dates.
Service delivery
- Service catalogue exists with assigned owners.
- SLAs and OLAs are approved.
- Incidents, problems and requests are measured.
- Availability and capacity are monitored.
- Backup and recovery controls are tested.
- Business continuity and DR exercises are conducted.
- Operational procedures are current and approved.
Change and development
- Business, security, regulatory and privacy requirements are documented.
- A secure development lifecycle is implemented.
- Testing is independent from development where required.
- Production access is restricted.
- Changes are tested and approved; emergency changes get retrospective review.
- UAT and production-readiness approvals are retained.
- Post-implementation reviews are performed.
Monitoring and assurance
- KPIs and KRIs are defined for selected objectives.
- Control owners perform self-assessment.
- Independent assurance follows a risk-based plan.
- Findings are risk-rated with owners and deadlines.
- Overdue actions are escalated.
- Capability levels are periodically reassessed.
- Governance design factors are reviewed after major changes.
Implementation approach — seven phases
COBIT uses a continuous seven-phase implementation lifecycle, repeated as risks, strategy and technology change — not a one-time compliance exercise.
Phase 1 — What are the drivers?
- Activities: identify regulatory, audit, operational and strategic drivers; record pain points and incidents; develop the executive business case; establish sponsorship; agree scope and value.
- Deliverables: business case, driver/pain-point register, stakeholder map, programme charter, initial scope, sponsor approval.
Phase 2 — Where are we now?
- Activities: complete the 11 design factors; prioritise enterprise/alignment goals; identify relevant objectives; assess current capability; review policies, processes, roles and evidence; find quick wins and weaknesses.
- Deliverables: design-factor assessment, goals-cascade matrix, current-state capability scores, gap register, evidence inventory.
Phase 3 — Where do we want to be?
- Activities: set target capability levels; define the target operating model, policies, committees and responsibilities; define KPIs/KRIs; prioritise by risk and value.
- Deliverables: target-state governance design, target capability matrix, target RACI, policy/process roadmap, measurement framework.
Phase 4 — What needs to be done?
- Activities: convert gaps into initiatives; prioritise by risk, dependency, effort and value; assign resources, budgets and owners; define project and change plans.
- Deliverables: remediation plan, prioritised initiative portfolio, resource plan, budget, communication and training plan.
Phase 5 — How do we get there?
- Activities: implement policies, workflows, committees and controls; configure GRC, ITSM, security and reporting systems; train owners; collect operating evidence.
- Deliverables: approved policies, implemented controls, system configurations, training records, performance dashboards.
Phase 6 — Did we get there?
- Activities: test design and operating effectiveness; reassess capability; compare actual vs target; validate benefits; report residual gaps and risks.
- Deliverables: capability reassessment, control-testing report, benefits-realisation report, residual-risk report, management acceptance.
Phase 7 — How do we keep momentum?
- Activities: integrate COBIT into normal governance; schedule periodic self-assessment and assurance; monitor metrics and compliance changes; refresh design factors; launch the next cycle.
- Deliverables: continuous-improvement register, annual assessment calendar, governance review schedule, lessons-learned, updated roadmap.
Capability and maturity assessment
Capability levels (0–5)
| Level | Description | Practical interpretation |
|---|---|---|
| 0 | Incomplete | Process absent or does not achieve its purpose |
| 1 | Performed | Required activities are performed, often informally |
| 2 | Managed | Activities are planned, monitored and controlled |
| 3 | Defined | A standard documented process is implemented consistently |
| 4 | Quantitatively managed | Process is measured and controlled using quantitative data |
| 5 | Optimising | Continuous improvement and innovation are institutionalised |
Activity achievement ratings
| Rating | Achievement |
|---|---|
| N — Not achieved | Less than 15% |
| P — Partially achieved | 15% to 50% |
| L — Largely achieved | More than 50% to 85% |
| F — Fully achieved | More than 85% |
Evidence-based scoring
| Score | Assessment |
|---|---|
| 0 | No evidence |
| 1 | Ad hoc evidence; person-dependent |
| 2 | Documented but inconsistently applied |
| 3 | Defined, approved and consistently operating |
| 4 | Measured with reliable KPIs/KRIs and thresholds |
| 5 | Predictive, automated and continuously improving |
Scoring rule
Do not award a level only because a policy exists. Evaluate design, assigned accountability, actual operating records, coverage, frequency/timeliness, exception handling, measurement and improvement history.
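As an added example (written for this page, not ISACA's material or any COBIT tool's code), the achievement-rating table and scoring rule above applied in code: each activity is rated from operating evidence only, frequency times coverage, with the page's percentage thresholds applied exactly and policy-only activities scoring zero. The Activity fields, the frequency-times-coverage formula and the sample values are this example's assumptions.

```python
from dataclasses import dataclass


# Achievement thresholds exactly as the rating table states:
# N: less than 15%; P: 15% to 50%; L: more than 50% to 85%; F: more than 85%.
def achievement_rating(pct: float) -> str:
    if not 0 <= pct <= 100:
        raise ValueError("percentage must be between 0 and 100")
    if pct < 15:
        return "N"
    if pct <= 50:
        return "P"
    if pct <= 85:
        return "L"
    return "F"


@dataclass
class Activity:
    """One practice activity and the evidence gathered for it (fields are this example's assumptions)."""
    name: str
    expected_runs: int            # how often it should have occurred in the review period (frequency)
    evidenced_runs: int           # occurrences backed by operating records (tickets, logs, minutes)
    in_scope_units: int = 1       # coverage: systems/entities the activity must cover
    covered_units: int = 1        # units for which records actually exist
    documented: bool = False      # an approved policy/procedure exists (design)
    owner_assigned: bool = False  # accountability is assigned


def activity_achievement(act: Activity) -> float:
    """Percentage achievement from operating evidence only: frequency x coverage.

    Applies the scoring rule: a documented policy with no operating records earns
    nothing, because only evidence of operation counts toward achievement.
    """
    if act.expected_runs <= 0 or act.in_scope_units <= 0:
        raise ValueError("expected_runs and in_scope_units must be positive")
    if act.evidenced_runs <= 0:
        return 0.0
    frequency = min(act.evidenced_runs, act.expected_runs) / act.expected_runs
    coverage = min(act.covered_units, act.in_scope_units) / act.in_scope_units
    return round(100.0 * frequency * coverage, 1)


def rate_objective(activities: list[Activity]) -> dict:
    """Rate every activity of one objective and collect the findings an assessor
    would record alongside the ratings (design, accountability and coverage gaps)."""
    ratings = {}
    findings = []
    for act in activities:
        pct = activity_achievement(act)
        ratings[act.name] = (pct, achievement_rating(pct))
        if act.documented and act.evidenced_runs == 0:
            findings.append(f"{act.name}: policy exists but no operating records")
        if not act.owner_assigned:
            findings.append(f"{act.name}: no control owner assigned")
        if act.covered_units < act.in_scope_units:
            findings.append(f"{act.name}: coverage gap, {act.covered_units}/{act.in_scope_units} units evidenced")
    return {"ratings": ratings, "findings": findings}


# Constructed sample: three DSS05-style activities for one quarter (illustrative values only).
SAMPLE = [
    Activity("Quarterly privileged-access review", expected_runs=1, evidenced_runs=1,
             in_scope_units=10, covered_units=8, documented=True, owner_assigned=True),
    Activity("Monthly critical-patch deployment", expected_runs=3, evidenced_runs=1,
             documented=True, owner_assigned=True),
    Activity("Weekly SIEM use-case review", expected_runs=13, evidenced_runs=0,
             documented=True, owner_assigned=False),
]

if __name__ == "__main__":
    result = rate_objective(SAMPLE)
    for name, (pct, rating) in result["ratings"].items():
        print(f"{rating}  {pct:5.1f}%  {name}")
    for finding in result["findings"]:
        print("finding:", finding)
```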
Risk-based target capability
| Criticality | Suggested target |
|---|---|
| Board governance, cybersecurity, risk, compliance, continuity | Level 3–4 |
| Critical banking / payment / customer services | Level 3–4 |
| Change, incident, vendor and data management | Level 3 |
| Stable supporting processes | Level 2–3 |
| Emerging or low-priority processes | Level 1–2 |
| Innovation-heavy strategic areas | Level 3 → 4–5 |
These are practical recommendations, not mandatory COBIT targets. Actual targets should be derived from the 11 design factors and enterprise risk.
COBIT audit approach
- Define audit objectives (e.g., assess governance adequacy, evaluate capability vs target, test design and operating effectiveness, evaluate regulatory alignment).
- Determine scope (enterprise-wide, entity, business unit, technology function, cloud, payment platform, data centre, outsourced service, or selected domains/objectives).
- Select applicable objectives using enterprise/alignment goals, design factors, risk, regulatory obligations, prior findings and incidents — do not audit all 40 with equal depth.
- Build the risk and control matrix (columns below).
- Perform design-effectiveness testing — would the control, as designed, manage the risk?
- Perform operating-effectiveness testing — sample and verify controls operated consistently over the period.
- Rate capability and gaps (current vs target, evidence, root cause, impact).
- Rate findings (Critical / High / Medium / Low / Observation).
- Issue the report.
- Follow up — validate corrective evidence, retest, escalate overdue high/critical, close only after independent validation.
Risk & control matrix columns
- COBIT domain · Objective · Practice/control area · Risk statement · Expected control · Control owner · Frequency · Evidence required · Test procedure · Sample size · Current capability · Target capability · Finding · Risk rating · Corrective action · Due date.
Finding ratings
| Rating | Typical condition |
|---|---|
| Critical | Immediate threat to business viability, regulatory status or critical services |
| High | Material risk, control failure or significant regulatory exposure |
| Medium | Important weakness requiring planned remediation |
| Low | Limited exposure or improvement opportunity |
| Observation | Good-practice enhancement without material control failure |
Audit report contents
- Executive summary · scope and exclusions · methodology · design-factor results · current and target capability · domain-level dashboard · objective-level findings · positive practices · risk-rated recommendations · management responses · remediation roadmap · residual-risk statement.
Evidence request list
Governance & strategy
- Corporate and IT strategy; governance framework; board/committee charters and minutes; delegation-of-authority matrix; risk-appetite statement; organisation chart; RACI; policy inventory.
Portfolio & financial
- Project/programme portfolio; approved business cases; benefits register; technology budget; cost-allocation methodology; forecasts and variance reports; post-implementation reviews.
Risk & compliance
- Enterprise and I&T risk registers; regulatory-obligation register; compliance assessments; risk-treatment plans; exception/risk-acceptance register; audit reports; finding-remediation tracker.
Architecture, data, service, security, continuity, vendor & HR
- Architecture diagrams, application inventory, data-flow diagrams, data catalogue and classification, retention schedule.
- Service catalogue, SLAs/OLAs, incident/problem/change records, availability and capacity reports.
- Security strategy, ISMS policies, IAM and privileged-access reviews, vulnerability/patch reports, monitoring, IR exercises, penetration-test reports.
- BIA, BCP/DR plans, recovery objectives, backup and restoration evidence, DR exercise results.
- Vendor inventory, due diligence, security/privacy assessments, contracts/SLAs, scorecards, exit plans.
- Job descriptions, competency matrix, training plan and completion, background screening, succession plan, joiner-mover-leaver evidence.
Key COBIT roles
| Role | Primary responsibility |
|---|---|
| Board | Accountability for enterprise I&T governance |
| Board risk/audit committee | Oversight of risks, controls and assurance |
| CEO | Executive sponsorship and enterprise alignment |
| CIO / CTO | Technology strategy and management system |
| CISO | Information-security governance and operations |
| CRO | Enterprise and I&T risk integration |
| DPO / Privacy Officer | Privacy and personal-data governance |
| CFO | Budget, investment value and financial transparency |
| Business owners | Benefits, requirements and process controls |
| Enterprise architect | Target architecture and standards |
| Portfolio / programme office | Portfolio, programme and project governance |
| Service owners | Service performance and SLA accountability |
| Control owners | Operation and evidence of assigned controls |
| Internal audit | Independent assurance |
| External assessor | Independent assessment against agreed criteria |
COBIT KPIs and KRIs
Governance & risk
- % of strategic investments with approved business cases; % achieving planned benefits; % of governance decisions completed on time; stakeholder satisfaction; % of critical objectives at target capability.
- Number of technology risks above tolerance; expired risk acceptances; % of high risks without funded treatment; critical vendor risks; regulatory breaches attributable to technology controls.
Service, change & security
- Service availability; MTTA/MTTR; SLA compliance; repeat-incident rate; problem backlog; successful backup/restoration rate.
- Change success rate; emergency-change %; change-related incident rate; projects within budget/schedule; benefits realisation; defect leakage.
- Critical vulnerabilities beyond SLA; privileged accounts reviewed on time; incidents by severity; MTTD/MTTC; patch compliance; security-training completion; third-party review completion.
Compliance & assurance
- Controls tested on schedule; control pass rate; overdue audit actions; repeat findings; high findings past due; regulatory submissions completed on time.
Policy and procedure library
A mature COBIT implementation typically maintains policies including: Enterprise I&T Governance; IT Strategy & Planning; Enterprise Architecture; Portfolio & Investment Governance; IT Financial Management; Technology Risk Management; Information Security; Data Governance; Privacy & Personal Data; Third-Party/Vendor Management; Service Level Management; Change & Release Management; Secure Development Lifecycle; Project & Programme Management; Asset Management; Configuration Management; Incident & Problem Management; Business Continuity & DR; Backup & Restoration; Capacity & Availability; HR & Competency; Compliance Management; Internal Control & Assurance; Performance Measurement & Reporting; Records Retention & Disposal.
COBIT and other frameworks
| Framework | Primary focus | How COBIT is used with it |
|---|---|---|
| ISO/IEC 27001 | Information-security management system | COBIT governs security alignment, accountability and performance |
| ISO/IEC 20000-1 | IT service-management system | COBIT governs service strategy and oversight |
| ITIL | Detailed service-management practices | ITIL supports DSS and service-related APO objectives |
| NIST CSF | Cybersecurity risk outcomes | COBIT provides enterprise governance around NIST implementation |
| PCI DSS | Cardholder-data security | COBIT governs accountability, risk, investment and assurance |
| TOGAF | Enterprise architecture | Supports APO03 |
| COSO | Enterprise internal control and risk | Integrates with EDM03, APO12 and MEA02 |
| PMBOK / PRINCE2 | Project management | Supports BAI01 and BAI11 |
| ISO/IEC 38500 | Governance of IT | Closely aligned with COBIT’s governance concept |
Implementation priorities for a regulated organisation
- Priority 1 — Governance foundation: EDM01, EDM03, EDM05, APO01, APO02, APO12, MEA03, MEA04.
- Priority 2 — Cybersecurity & resilience: APO13, APO14, DSS04, DSS05, BAI04, DSS01.
- Priority 3 — Technology delivery: APO05, BAI01, BAI02, BAI03, BAI06, BAI07, BAI11.
- Priority 4 — Service & vendor governance: APO09, APO10, DSS02, DSS03, BAI09, BAI10.
- Priority 5 — Measurement & optimisation: EDM02, EDM04, APO06, APO11, MEA01, MEA02.
Twelve-month implementation roadmap
| Period | Activities |
|---|---|
| Month 1 | Sponsorship, charter, stakeholders and drivers |
| Month 2 | Design factors, goals cascade and scope |
| Months 3–4 | Current-state assessment and evidence review |
| Month 5 | Target capability and target operating model |
| Month 6 | Policies, RACI, committee structure and metrics |
| Months 7–8 | High-risk control implementation |
| Months 9–10 | Workflow automation, dashboards and evidence collection |
| Month 11 | Internal assessment and remediation |
| Month 12 | Independent validation, management review and next-cycle plan |
For a large financial institution, group company or multi-country enterprise, full institutionalisation may require multiple annual improvement cycles.
Certification note
ISACA offers COBIT credentials for individuals (e.g., COBIT Foundation, COBIT Design & Implementation). For an organisation, COBIT is used for governance-system design, capability assessment and continuous improvement rather than an ISO-style management-system certificate.