
COBIT

A governance and management framework for enterprise information and technology.

As of 2026, ISACA continues to present COBIT 2019 as its core framework for the governance and management of enterprise information and technology. COBIT provides a core model of 40 governance and management objectives, supported by design guidance, implementation guidance, performance management and specialist focus areas.

Copyright note
ISACA’s COBIT publications contain licensed material. The checklists and guidance below are original, practical content aligned with COBIT concepts; they do not reproduce ISACA’s licensed COBIT publications.

What COBIT is

COBIT is an enterprise-wide framework for governing and managing information and technology — not merely an IT-department control checklist. Its purpose is to help an organisation deliver value from technology, align technology strategy with business strategy, optimise technology risk and resources, clarify accountabilities, and monitor performance, compliance and internal control.

COBIT is deliberately designed to integrate other frameworks and requirements — ISO 27001, ISO 20000, ITIL, NIST, PCI DSS, TOGAF, COSO and applicable regulations — under one governance system. A defining principle is the separation of governance from management:

| Governance | Management |
| --- | --- |
| Evaluates stakeholder needs and conditions | Plans and organises activities |
| Sets direction and priorities | Builds or acquires solutions |
| Monitors performance and compliance | Operates services and controls |
| Normally led by the board / governance body | Normally led by executive management |

Governance operates through Evaluate, Direct and Monitor; management Plans, Builds, Runs and Monitors activities according to governance direction.

COBIT 2019 structure

The five domains (40 objectives)

| Domain | Meaning | Objectives |
| --- | --- | --- |
| EDM | Evaluate, Direct and Monitor (governance) | 5 |
| APO | Align, Plan and Organise | 14 |
| BAI | Build, Acquire and Implement | 11 |
| DSS | Deliver, Service and Support | 6 |
| MEA | Monitor, Evaluate and Assess | 4 |
| Total | | 40 |

EDM represents governance; APO, BAI, DSS and MEA mainly represent management.

Six governance-system principles

  1. Provide stakeholder value.
  2. Use a holistic approach.
  3. Maintain a dynamic governance system.
  4. Keep governance distinct from management.
  5. Tailor governance to enterprise needs.
  6. Apply governance end to end across the enterprise.

Three governance-framework principles

  • Based on a conceptual model.
  • Open and flexible.
  • Aligned with major standards, frameworks and regulations.

Seven governance components

Each selected objective should be implemented through all seven components — not policies or process documents alone.

| Component | What must be established |
| --- | --- |
| Processes | Defined activities, inputs, outputs and controls |
| Organisational structures | Committees, reporting lines, decision rights |
| Principles, policies and procedures | Approved governance documents |
| Information | Reports, records, data and evidence |
| Culture, ethics and behaviour | Expected conduct and accountability |
| People, skills and competencies | Role capability, training and staffing |
| Services, infrastructure and applications | Supporting technology and tooling |

The goals cascade

A COBIT implementation should not begin by blindly implementing all 40 objectives. The correct flow is: Stakeholder drivers & needs → Enterprise goals → Alignment goals → Governance & management objectives → Practices, controls, metrics and evidence. COBIT 2019 defines 13 enterprise goals and 13 alignment goals.

13 enterprise goals

| ID | Enterprise goal |
| --- | --- |
| EG01 | Portfolio of competitive products and services |
| EG02 | Managed business risk |
| EG03 | Compliance with external laws and regulations |
| EG04 | Quality of financial information |
| EG05 | Customer-oriented service culture |
| EG06 | Business service continuity and availability |
| EG07 | Quality of management information |
| EG08 | Optimisation of internal business-process functionality |
| EG09 | Optimisation of business-process costs |
| EG10 | Staff skills, motivation and productivity |
| EG11 | Compliance with internal policies |
| EG12 | Managed digital-transformation programmes |
| EG13 | Product and business innovation |

13 alignment goals

| ID | Alignment goal |
| --- | --- |
| AG01 | I&T compliance and support for business compliance with external requirements |
| AG02 | Managed I&T-related risk |
| AG03 | Realised benefits from I&T-enabled investments and service portfolios |
| AG04 | Quality of technology-related financial information |
| AG05 | Delivery of I&T services in line with business requirements |
| AG06 | Agility to translate business requirements into operational solutions |
| AG07 | Security of information, infrastructure, applications and privacy |
| AG08 | Enablement of business processes through integrated technology |
| AG09 | Programmes delivered on time, within budget and meeting requirements |
| AG10 | Quality of I&T management information |
| AG11 | I&T compliance with internal policies |
| AG12 | Competent and motivated staff with business and technology understanding |
| AG13 | Knowledge and initiatives supporting business innovation |

The eleven design factors

Design factors determine which objectives matter most and what capability level to target — creating a tailored governance system instead of one-size-fits-all.

| # | Design factor | Questions to ask |
| --- | --- | --- |
| 1 | Enterprise strategy | Growth, innovation, cost leadership or client service? |
| 2 | Enterprise goals | Which business outcomes matter most? |
| 3 | Enterprise risk profile | What technology scenarios could cause major harm? |
| 4 | I&T-related issues | What incidents, failures, audit findings or weaknesses exist? |
| 5 | Threat landscape | Normal or elevated cyber and operational threat exposure? |
| 6 | Compliance requirements | Low, normal or highly regulated environment? |
| 7 | Role of IT | Support, factory, turnaround or strategic? |
| 8 | Sourcing model | Internal, cloud, outsourced or hybrid? |
| 9 | Implementation methods | Traditional, agile, DevOps or hybrid? |
| 10 | Technology-adoption strategy | First mover, follower or slow adopter? |
| 11 | Enterprise size | Small, medium or large? |

Master checklist — all 40 objectives

EDM — Evaluate, Direct and Monitor

| Objective | Key assessment questions | Typical evidence |
| --- | --- | --- |
| EDM01 Governance Framework Setting & Maintenance | Is an enterprise I&T governance framework approved? Are governance and management accountabilities separated? Are decision rights documented? | Governance charter, committee terms, authority matrix, RACI, board minutes |
| EDM02 Benefits Delivery | Are expected benefits defined and owned for technology investments? Are benefits tracked after deployment? | Business cases, benefit register, portfolio reports, post-implementation reviews |
| EDM03 Risk Optimisation | Has the board approved I&T risk appetite and tolerance? Are major technology risks reported and treated? | Risk appetite, enterprise risk register, KRIs, board risk reports |
| EDM04 Resource Optimisation | Are people, applications, infrastructure, data and budgets optimised? Are capacity and skill shortages addressed? | Resource strategy, workforce plan, capacity reports, asset portfolio |
| EDM05 Stakeholder Engagement | Are stakeholder information needs identified? Are reporting and transparency mechanisms effective? | Stakeholder map, reporting calendar, governance dashboards, survey results |

APO — Align, Plan and Organise

| Objective | Key assessment questions | Typical evidence |
| --- | --- | --- |
| APO01 Managed I&T Management Framework | Are the I&T operating model, policies, processes and roles documented? | IT governance manual, policy hierarchy, process inventory, RACI |
| APO02 Managed Strategy | Is there an approved technology strategy aligned to enterprise strategy, reviewed on change? | IT strategy, roadmap, SWOT, investment plan |
| APO03 Managed Enterprise Architecture | Are business, data, application and technology architectures documented and governed? | Architecture principles, current/target architecture, standards |
| APO04 Managed Innovation | Is innovation systematically identified, evaluated, piloted and measured? | Innovation register, PoC reports, emerging-tech assessments |
| APO05 Managed Portfolio | Are programmes, projects, products and services prioritised as a portfolio? Are low-value initiatives stopped? | Portfolio register, prioritisation criteria, steering minutes |
| APO06 Managed Budget & Costs | Are technology budgets transparent, approved and monitored with variance analysis? | Budgets, forecasts, chargeback model, cost dashboards |
| APO07 Managed Human Resources | Are staffing, skills, succession, training and SoD requirements managed? | Skill matrix, training plan, job descriptions, SoD review |
| APO08 Managed Relationships | Are business–IT relationships formally managed and satisfaction measured? | Relationship plan, service reviews, satisfaction reports |
| APO09 Managed Service Agreements | Are services catalogued with defined, measured SLAs and OLAs? | Service catalogue, SLA/OLA, service reports |
| APO10 Managed Vendors | Are vendors risk-assessed, contracted, monitored and exited securely? | Vendor inventory, due diligence, contracts, scorecards, exit plans |
| APO11 Managed Quality | Is a quality-management system applied to technology processes and deliverables? | Quality policy, quality plans, review records, defect metrics |
| APO12 Managed Risk | Is a structured I&T risk process integrated with enterprise risk management? | Risk methodology, scenarios, risk register, treatment plans |
| APO13 Managed Security | Is an information-security management system established and aligned to risk? | Security strategy, policies, ISMS scope, security metrics |
| APO14 Managed Data | Are data ownership, classification, quality, lifecycle, privacy and retention governed? | Data policy, catalogue, ownership register, retention schedule |

BAI — Build, Acquire and Implement

| Objective | Key assessment questions | Typical evidence |
| --- | --- | --- |
| BAI01 Managed Programmes | Are related projects governed as programmes with outcomes and benefit ownership? | Programme charter, benefits plan, dependency map, minutes |
| BAI02 Managed Requirements Definition | Are functional, security, privacy, compliance and operational requirements documented and approved? | BRD, user stories, traceability matrix, acceptance criteria |
| BAI03 Managed Solutions Build | Are solutions designed, developed, configured and tested through controlled practices? | Designs, source-control records, secure-dev evidence, test reports |
| BAI04 Managed Availability & Capacity | Are capacity, performance and availability forecast and monitored? | Capacity plan, utilisation dashboard, availability reports |
| BAI05 Managed Organisational Change | Are adoption, communication, training and resistance actively managed? | Change-impact assessment, communication plan, training records |
| BAI06 Managed IT Changes | Are normal, standard and emergency changes authorised, tested, scheduled and reviewed? | Change tickets, approvals, CAB minutes, emergency-change review |
| BAI07 Managed Change Acceptance & Transition | Are releases accepted by business owners before production, with rollback and support readiness? | UAT approval, release checklist, rollback plan, readiness assessment |
| BAI08 Managed Knowledge | Is operational, technical and business knowledge captured, protected and maintained? | Knowledge base, operating manuals, runbooks, review logs |
| BAI09 Managed Assets | Are assets inventoried, owned, licensed, protected and securely disposed of? | CMDB/asset register, licence records, disposal certificates |
| BAI10 Managed Configuration | Are configuration items and baselines identified, controlled and verified? | Config-management plan, CMDB, baseline records, reconciliation |
| BAI11 Managed Projects | Are projects governed for scope, time, cost, quality, risk and acceptance? | Project charter, plan, RAID log, status reports, closure review |

DSS — Deliver, Service and Support

| Objective | Key assessment questions | Typical evidence |
| --- | --- | --- |
| DSS01 Managed Operations | Are scheduled jobs, backups, infrastructure, facilities and procedures controlled? | SOPs, job logs, backup reports, monitoring records, handover |
| DSS02 Managed Requests & Incidents | Are requests and incidents logged, prioritised, escalated and closed within targets? | Tickets, SLA reports, major-incident reports, escalation records |
| DSS03 Managed Problems | Are recurring and major incidents subjected to root-cause analysis with tracked corrective actions? | Problem tickets, RCA reports, known-error database, trend reports |
| DSS04 Managed Continuity | Are business impact, recovery strategies, plans and exercises maintained? | BIA, BCP, DR plan, test reports, recovery evidence |
| DSS05 Managed Security Services | Are identity, endpoint, network, vulnerability, logging and security-event controls operated effectively? | IAM reviews, vulnerability scans, SIEM reports, patch reports |
| DSS06 Managed Business Process Controls | Are automated and manual controls embedded into critical business processes? | Control matrix, reconciliations, approval logs, exception reports |

MEA — Monitor, Evaluate and Assess

| Objective | Key assessment questions | Typical evidence |
| --- | --- | --- |
| MEA01 Managed Performance & Conformance | Are KPIs, KRIs, targets and deviations monitored and reported? | Performance framework, dashboards, variance reports, action logs |
| MEA02 Managed System of Internal Control | Are the design and operating effectiveness of controls evaluated and deficiencies remediated? | RCM, control testing, self-assessments, issue register |
| MEA03 Managed Compliance with External Requirements | Are legal, regulatory and contractual obligations identified and monitored? | Compliance register, legal opinions, regulatory submissions |
| MEA04 Managed Assurance | Is an independent, risk-based assurance programme established and coordinated? | Audit universe, audit plan, reports, follow-up records |

Organisation-level readiness checklist

Governance and leadership

  • Board has formally accepted accountability for enterprise I&T governance.
  • An I&T governance committee (or equivalent) exists.
  • Committee includes business, risk, compliance, security, finance and technology.
  • Governance and management responsibilities are separated.
  • Decision rights and escalation authorities are documented.
  • I&T risk appetite and tolerance are approved.
  • Technology-investment principles are approved.
  • Governance performance is periodically reported to the board.

Strategy and alignment

  • Enterprise strategy and IT strategy are formally linked.
  • Enterprise goals and alignment goals have been prioritised.
  • The 11 design factors have been assessed.
  • Strategic initiatives have owners, budgets and measurable outcomes.
  • Architecture principles and target architecture are approved.
  • Digital-transformation dependencies and risks are documented.
  • Benefits are measured after project completion.

Risk, compliance and security

  • Technology risks are integrated into enterprise risk management.
  • Regulatory obligations are inventoried.
  • Risks have owners, ratings, treatments and due dates.
  • Information-security governance is approved.
  • Privacy and data-governance requirements are addressed.
  • Third-party technology risks are managed.
  • Cyber incidents are reported through governance channels.
  • Exceptions and risk acceptances have expiry dates.

Service delivery

  • Service catalogue exists with assigned owners.
  • SLAs and OLAs are approved.
  • Incidents, problems and requests are measured.
  • Availability and capacity are monitored.
  • Backup and recovery controls are tested.
  • Business continuity and DR exercises are conducted.
  • Operational procedures are current and approved.

Change and development

  • Business, security, regulatory and privacy requirements are documented.
  • A secure development lifecycle is implemented.
  • Testing is independent from development where required.
  • Production access is restricted.
  • Changes are tested and approved; emergency changes get retrospective review.
  • UAT and production-readiness approvals are retained.
  • Post-implementation reviews are performed.

Monitoring and assurance

  • KPIs and KRIs are defined for selected objectives.
  • Control owners perform self-assessment.
  • Independent assurance follows a risk-based plan.
  • Findings are risk-rated with owners and deadlines.
  • Overdue actions are escalated.
  • Capability levels are periodically reassessed.
  • Governance design factors are reviewed after major changes.

Implementation approach — seven phases

COBIT uses a continuous seven-phase implementation lifecycle, repeated as risks, strategy and technology change — not a one-time compliance exercise.

Phase 1 — What are the drivers?

  • Activities: identify regulatory, audit, operational and strategic drivers; record pain points and incidents; develop the executive business case; establish sponsorship; agree scope and value.
  • Deliverables: business case, driver/pain-point register, stakeholder map, programme charter, initial scope, sponsor approval.

Phase 2 — Where are we now?

  • Activities: complete the 11 design factors; prioritise enterprise/alignment goals; identify relevant objectives; assess current capability; review policies, processes, roles and evidence; find quick wins and weaknesses.
  • Deliverables: design-factor assessment, goals-cascade matrix, current-state capability scores, gap register, evidence inventory.

Phase 3 — Where do we want to be?

  • Activities: set target capability levels; define the target operating model, policies, committees and responsibilities; define KPIs/KRIs; prioritise by risk and value.
  • Deliverables: target-state governance design, target capability matrix, target RACI, policy/process roadmap, measurement framework.

Phase 4 — What needs to be done?

  • Activities: convert gaps into initiatives; prioritise by risk, dependency, effort and value; assign resources, budgets and owners; define project and change plans.
  • Deliverables: remediation plan, prioritised initiative portfolio, resource plan, budget, communication and training plan.

Phase 5 — How do we get there?

  • Activities: implement policies, workflows, committees and controls; configure GRC, ITSM, security and reporting systems; train owners; collect operating evidence.
  • Deliverables: approved policies, implemented controls, system configurations, training records, performance dashboards.

Phase 6 — Did we get there?

  • Activities: test design and operating effectiveness; reassess capability; compare actual vs target; validate benefits; report residual gaps and risks.
  • Deliverables: capability reassessment, control-testing report, benefits-realisation report, residual-risk report, management acceptance.

Phase 7 — How do we keep momentum?

  • Activities: integrate COBIT into normal governance; schedule periodic self-assessment and assurance; monitor metrics and compliance changes; refresh design factors; launch the next cycle.
  • Deliverables: continuous-improvement register, annual assessment calendar, governance review schedule, lessons-learned, updated roadmap.

Capability and maturity assessment

Capability levels (0–5)

| Level | Description | Practical interpretation |
| --- | --- | --- |
| 0 | Incomplete | Process absent or does not achieve its purpose |
| 1 | Performed | Required activities are performed, often informally |
| 2 | Managed | Activities are planned, monitored and controlled |
| 3 | Defined | A standard documented process is implemented consistently |
| 4 | Quantitatively managed | Process is measured and controlled using quantitative data |
| 5 | Optimising | Continuous improvement and innovation are institutionalised |

Activity achievement ratings

| Rating | Achievement |
| --- | --- |
| N — Not achieved | Less than 15% |
| P — Partially achieved | 15% to 50% |
| L — Largely achieved | More than 50% to 85% |
| F — Fully achieved | More than 85% |

Evidence-based scoring

| Score | Assessment |
| --- | --- |
| 0 | No evidence |
| 1 | Ad hoc evidence; person-dependent |
| 2 | Documented but inconsistently applied |
| 3 | Defined, approved and consistently operating |
| 4 | Measured with reliable KPIs/KRIs and thresholds |
| 5 | Predictive, automated and continuously improving |

Scoring rule
Do not award a level only because a policy exists. Evaluate design, assigned accountability, actual operating records, coverage, frequency/timeliness, exception handling, measurement and improvement history.

Risk-based target capability

| Criticality | Suggested target |
| --- | --- |
| Board governance, cybersecurity, risk, compliance, continuity | Level 3–4 |
| Critical banking / payment / customer services | Level 3–4 |
| Change, incident, vendor and data management | Level 3 |
| Stable supporting processes | Level 2–3 |
| Emerging or low-priority processes | Level 1–2 |
| Innovation-heavy strategic areas | Level 3 → 4–5 |

These are practical recommendations, not mandatory COBIT targets. Actual targets should be derived from the 11 design factors and enterprise risk.
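To make the achievement-rating thresholds, the scoring rule and the current-versus-target comparison concrete, here is an added Python example; it is not ISACA material and not code from this page. The N/P/L/F thresholds are the ones in the table above; the roll-up rule (a capability level counts only when every practice at that level and every lower level is rated F), the objective identifiers' sample percentages and the targets are assumptions constructed for the example.

```python
"""Capability gap register built from practice achievement percentages.

Added example. The N/P/L/F thresholds follow the page's achievement-rating
table. The roll-up rule in current_level() is an ASSUMPTION for this example,
not a rule stated on the page: a level is achieved only when every practice at
that level and every lower level is rated F, so a policy that exists on paper
but operates partially cannot lift the level (the page's "scoring rule").
"""
from dataclasses import dataclass, field

RATING_ORDER = "NPLF"  # worst to best


def achievement_rating(pct: float) -> str:
    """Map a practice's achievement percentage to N/P/L/F (page thresholds)."""
    if not 0 <= pct <= 100:
        raise ValueError(f"achievement must be 0-100, got {pct}")
    if pct < 15:
        return "N"   # Not achieved: less than 15%
    if pct <= 50:
        return "P"   # Partially achieved: 15% to 50%
    if pct <= 85:
        return "L"   # Largely achieved: more than 50% to 85%
    return "F"       # Fully achieved: more than 85%


@dataclass
class ObjectiveAssessment:
    objective: str
    target_level: int
    # practices[level] -> achievement % of each practice assessed at that level
    practices: dict[int, list[float]] = field(default_factory=dict)

    def level_ratings(self) -> dict[int, str]:
        """Worst practice rating per level: a level is only as strong as its weakest practice."""
        out = {}
        for lvl, pcts in sorted(self.practices.items()):
            if not pcts:
                raise ValueError(f"{self.objective}: level {lvl} has no practices assessed")
            out[lvl] = min((achievement_rating(p) for p in pcts), key=RATING_ORDER.index)
        return out

    def current_level(self) -> int:
        """ASSUMED roll-up rule: highest level L such that levels 1..L are all rated F.
        A level with no assessed practices blocks, because there is no evidence for it."""
        ratings = self.level_ratings()
        level = 0
        for lvl in range(1, 6):
            if ratings.get(lvl) != "F":
                break
            level = lvl
        return level


def gap_register(assessments: list[ObjectiveAssessment]) -> list[dict]:
    """Objectives below target, largest gap first, naming the level that blocks progress."""
    rows = []
    for a in assessments:
        cur = a.current_level()
        if cur >= a.target_level:
            continue
        blocking = cur + 1
        rows.append({
            "objective": a.objective,
            "current": cur,
            "target": a.target_level,
            "gap": a.target_level - cur,
            "blocking_level": blocking,
            # a level with no assessed practices is treated as N (no evidence)
            "blocking_rating": a.level_ratings().get(blocking, "N"),
        })
    return sorted(rows, key=lambda r: (-r["gap"], r["objective"]))


def sample_register() -> list[dict]:
    """Constructed sample data (not real assessment results); targets are assumed."""
    sample = [
        ObjectiveAssessment("EDM03", 3, {1: [95], 2: [88, 91], 3: [86]}),  # at target
        ObjectiveAssessment("DSS05", 4, {1: [96, 99], 2: [90, 85]}),      # 85% is L, not F
        ObjectiveAssessment("APO12", 3, {1: [14.9]}),                      # just under 15%
        ObjectiveAssessment("BAI06", 3, {1: [100], 2: [100], 3: [50]}),   # 50% is still P
    ]
    return gap_register(sample)


if __name__ == "__main__":
    for row in sample_register():
        print(row)
```

The boundary cases in the sample (exactly 85%, exactly 50%, 14.9%) are where assessors most often disagree, so the thresholds are applied exactly as the table states them.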

COBIT audit approach

  1. Define audit objectives (e.g., assess governance adequacy, evaluate capability vs target, test design and operating effectiveness, evaluate regulatory alignment).
  2. Determine scope (enterprise-wide, entity, business unit, technology function, cloud, payment platform, data centre, outsourced service, or selected domains/objectives).
  3. Select applicable objectives using enterprise/alignment goals, design factors, risk, regulatory obligations, prior findings and incidents — do not audit all 40 with equal depth.
  4. Build the risk and control matrix (columns below).
  5. Perform design-effectiveness testing — would the control, as designed, manage the risk?
  6. Perform operating-effectiveness testing — sample and verify controls operated consistently over the period.
  7. Rate capability and gaps (current vs target, evidence, root cause, impact).
  8. Rate findings (Critical / High / Medium / Low / Observation).
  9. Issue the report.
  10. Follow up — validate corrective evidence, retest, escalate overdue high/critical, close only after independent validation.

Risk & control matrix columns

  • COBIT domain · Objective · Practice/control area · Risk statement · Expected control · Control owner · Frequency · Evidence required · Test procedure · Sample size · Current capability · Target capability · Finding · Risk rating · Corrective action · Due date.

Finding ratings

| Rating | Typical condition |
| --- | --- |
| Critical | Immediate threat to business viability, regulatory status or critical services |
| High | Material risk, control failure or significant regulatory exposure |
| Medium | Important weakness requiring planned remediation |
| Low | Limited exposure or improvement opportunity |
| Observation | Good-practice enhancement without material control failure |

Audit report contents

  • Executive summary · scope and exclusions · methodology · design-factor results · current and target capability · domain-level dashboard · objective-level findings · positive practices · risk-rated recommendations · management responses · remediation roadmap · residual-risk statement.

Evidence request list

Governance & strategy

  • Corporate and IT strategy; governance framework; board/committee charters and minutes; delegation-of-authority matrix; risk-appetite statement; organisation chart; RACI; policy inventory.

Portfolio & financial

  • Project/programme portfolio; approved business cases; benefits register; technology budget; cost-allocation methodology; forecasts and variance reports; post-implementation reviews.

Risk & compliance

  • Enterprise and I&T risk registers; regulatory-obligation register; compliance assessments; risk-treatment plans; exception/risk-acceptance register; audit reports; finding-remediation tracker.

Architecture, data, service, security, continuity, vendor & HR

  • Architecture diagrams, application inventory, data-flow diagrams, data catalogue and classification, retention schedule.
  • Service catalogue, SLAs/OLAs, incident/problem/change records, availability and capacity reports.
  • Security strategy, ISMS policies, IAM and privileged-access reviews, vulnerability/patch reports, monitoring, IR exercises, penetration-test reports.
  • BIA, BCP/DR plans, recovery objectives, backup and restoration evidence, DR exercise results.
  • Vendor inventory, due diligence, security/privacy assessments, contracts/SLAs, scorecards, exit plans.
  • Job descriptions, competency matrix, training plan and completion, background screening, succession plan, joiner-mover-leaver evidence.

Key COBIT roles

| Role | Primary responsibility |
| --- | --- |
| Board | Accountability for enterprise I&T governance |
| Board risk/audit committee | Oversight of risks, controls and assurance |
| CEO | Executive sponsorship and enterprise alignment |
| CIO / CTO | Technology strategy and management system |
| CISO | Information-security governance and operations |
| CRO | Enterprise and I&T risk integration |
| DPO / Privacy Officer | Privacy and personal-data governance |
| CFO | Budget, investment value and financial transparency |
| Business owners | Benefits, requirements and process controls |
| Enterprise architect | Target architecture and standards |
| Portfolio / programme office | Portfolio, programme and project governance |
| Service owners | Service performance and SLA accountability |
| Control owners | Operation and evidence of assigned controls |
| Internal audit | Independent assurance |
| External assessor | Independent assessment against agreed criteria |

COBIT KPIs and KRIs

Governance & risk

  • % of strategic investments with approved business cases; % achieving planned benefits; % of governance decisions completed on time; stakeholder satisfaction; % of critical objectives at target capability.
  • Number of technology risks above tolerance; expired risk acceptances; % of high risks without funded treatment; critical vendor risks; regulatory breaches attributable to technology controls.

Service, change & security

  • Service availability; MTTA/MTTR; SLA compliance; repeat-incident rate; problem backlog; successful backup/restoration rate.
  • Change success rate; emergency-change %; change-related incident rate; projects within budget/schedule; benefits realisation; defect leakage.
  • Critical vulnerabilities beyond SLA; privileged accounts reviewed on time; incidents by severity; MTTD/MTTC; patch compliance; security-training completion; third-party review completion.

Compliance & assurance

  • Controls tested on schedule; control pass rate; overdue audit actions; repeat findings; high findings past due; regulatory submissions completed on time.

Policy and procedure library

A mature COBIT implementation typically maintains policies including: Enterprise I&T Governance; IT Strategy & Planning; Enterprise Architecture; Portfolio & Investment Governance; IT Financial Management; Technology Risk Management; Information Security; Data Governance; Privacy & Personal Data; Third-Party/Vendor Management; Service Level Management; Change & Release Management; Secure Development Lifecycle; Project & Programme Management; Asset Management; Configuration Management; Incident & Problem Management; Business Continuity & DR; Backup & Restoration; Capacity & Availability; HR & Competency; Compliance Management; Internal Control & Assurance; Performance Measurement & Reporting; Records Retention & Disposal.

COBIT and other frameworks

| Framework | Primary focus | How COBIT is used with it |
| --- | --- | --- |
| ISO/IEC 27001 | Information-security management system | COBIT governs security alignment, accountability and performance |
| ISO/IEC 20000-1 | IT service-management system | COBIT governs service strategy and oversight |
| ITIL | Detailed service-management practices | ITIL supports DSS and service-related APO objectives |
| NIST CSF | Cybersecurity risk outcomes | COBIT provides enterprise governance around NIST implementation |
| PCI DSS | Cardholder-data security | COBIT governs accountability, risk, investment and assurance |
| TOGAF | Enterprise architecture | Supports APO03 |
| COSO | Enterprise internal control and risk | Integrates with EDM03, APO12 and MEA02 |
| PMBOK / PRINCE2 | Project management | Supports BAI01 and BAI11 |
| ISO/IEC 38500 | Governance of IT | Closely aligned with COBIT’s governance concept |

Implementation priorities for a regulated organisation

  • Priority 1 — Governance foundation: EDM01, EDM03, EDM05, APO01, APO02, APO12, MEA03, MEA04.
  • Priority 2 — Cybersecurity & resilience: APO13, APO14, DSS04, DSS05, BAI04, DSS01.
  • Priority 3 — Technology delivery: APO05, BAI01, BAI02, BAI03, BAI06, BAI07, BAI11.
  • Priority 4 — Service & vendor governance: APO09, APO10, DSS02, DSS03, BAI09, BAI10.
  • Priority 5 — Measurement & optimisation: EDM02, EDM04, APO06, APO11, MEA01, MEA02.

Twelve-month implementation roadmap

| Period | Activities |
| --- | --- |
| Month 1 | Sponsorship, charter, stakeholders and drivers |
| Month 2 | Design factors, goals cascade and scope |
| Months 3–4 | Current-state assessment and evidence review |
| Month 5 | Target capability and target operating model |
| Month 6 | Policies, RACI, committee structure and metrics |
| Months 7–8 | High-risk control implementation |
| Months 9–10 | Workflow automation, dashboards and evidence collection |
| Month 11 | Internal assessment and remediation |
| Month 12 | Independent validation, management review and next-cycle plan |

For a large financial institution, group company or multi-country enterprise, full institutionalisation may require multiple annual improvement cycles.

Certification note
ISACA offers COBIT credentials for individuals (e.g., COBIT Foundation, COBIT Design & Implementation). For an organisation, COBIT is used for governance-system design, capability assessment and continuous improvement rather than an ISO-style management-system certificate.

Frequently asked questions

Is COBIT the same as ITIL?
No. COBIT is about governance (what must be achieved and controlled); ITIL is about IT service management operations (how services are delivered). They are complementary.
How does COBIT relate to ISO 27001 and NIST?
COBIT governs the overall IT system; ISO 27001 and NIST focus on information security. Organisations often use COBIT for governance and ISO/NIST for the security control layer beneath it.
Is there a COBIT certification?
Individuals can be certified (e.g., COBIT Foundation). Organisations are not "COBIT certified" — they adopt and are audited against it.