What is COBIT? A Roadmap for Banks, Payment Institutions, and Brokerage Firms
As the banking and finance sector becomes more digital, its risk exposure grows: data breaches, cyberattacks, and IT service disruptions. Can information technology be managed strategically so that these risks are kept within appetite? It can, with COBIT. COBIT (Control Objectives for Information and Related Technologies) is a governance framework, developed by ISACA and used worldwide, for managing and auditing enterprise IT. In Turkey, it has become a reference point for regulatory compliance at banks, payment institutions, brokerage firms, and savings finance companies.
What is COBIT?
COBIT is an Enterprise Governance Framework for Information
and Technology developed and continuously updated by ISACA. This framework
helps organizations manage their IT resources effectively, securely, and in
compliance with regulations. The COBIT 2019 version focuses on measurable
performance, risk optimization, resource utilization, and value delivery.
- Provides a structured set of control objectives covering the organization's information systems.
- Facilitates regulatory compliance and reduces IT risk.
- Enables effective management of IT resources.
Example: A bank can implement COBIT processes to ensure customer data privacy and compliance with the Information Systems Regulation of the BRSA (Banking Regulation and Supervision Agency of Turkey) by establishing systematic control points.
What is Information Technology Governance?
Information Technology (IT) Governance is the structured set
of processes and frameworks that enables an organization to manage IT in
alignment with strategic goals. This governance aims to reduce risks, improve
performance, and add value through IT. COBIT is a comprehensive framework that
brings this governance model to life.
- Aligns IT investments with corporate goals.
- Ensures accountability and measurability in IT processes.
- Promotes effective, efficient, and secure management of IT resources.
Example: A brokerage firm establishes IT governance using COBIT to identify and close information security gaps and to reduce risk through regular reporting to management.
What Are the COBIT Principles?
COBIT 2019 is built upon 6 governance system principles and 3 governance framework principles. Together they ensure that information technology is managed in a structured, controlled, and strategic way:
- The governance system can be adapted to the organization's needs.
- The framework provides an operating structure aligned with recognized standards.
A) 6 Principles of the COBIT Governance System
| Principle | Description |
|---|---|
| 1. Provide Stakeholder Value | Balance benefits, risk, and resources |
| 2. Holistic Approach | Include all components: processes, information, people, technology |
| 3. Dynamic Governance System | Adapts to changing conditions |
| 4. Governance Distinct from Management | Governance evaluates, directs, and monitors; management plans, builds, runs, and monitors |
| 5. Tailored to Enterprise Needs | Customizable structure for each organization |
| 6. End-to-End Governance System | Covers all information and technology the enterprise relies on, not only the IT function |
B) 3 Principles of the Governance Framework
- Based on a conceptual model
- Open and flexible structure
- Aligned with major standards (e.g., ISO/IEC 27001, ITIL)
What Does the COBIT 2019 Framework Cover?
COBIT 2019 describes a governance system built from seven components (called "enablers" in COBIT 5). Together they:
- Give each governance and management objective a concrete set of processes, roles, information, and tools.
- Align IT operations with recognized standards.
- Provide the evidence base that audits and continuity planning rely on.
| Component | Description |
|---|---|
| Processes | Control points for IT activities |
| Organizational Structures | Decision-making bodies and their mandates (e.g., steering committees, risk committees) |
| Principles, Policies, and Procedures | Rules and guiding documents |
| Information | Reports, data flows, documentation |
| Culture, Ethics, and Behavior | Ethics, security culture, governance mindset |
| People, Skills, and Competencies | Role and responsibility distribution, skill sets |
| Services, Infrastructure, and Applications | Hardware, software, system tools |
Example: In savings finance companies, defining
and testing data backup policies is assessed under COBIT process DSS04
"Managed Continuity."
What Are the COBIT Components?
Beyond the seven governance-system components, COBIT 2019 is organized around three core building blocks that make the governance system applicable and measurable:
- Governance and Management Objectives: 40 objectives, each with a defined purpose (e.g., APO12 Managed Risk, APO13 Managed Security, DSS05 Managed Security Services).
- Domains: 5 domains grouping the objectives. EDM (Evaluate, Direct and Monitor) holds the governance objectives; APO (Align, Plan and Organize), BAI (Build, Acquire and Implement), DSS (Deliver, Service and Support), and MEA (Monitor, Evaluate and Assess) hold the management objectives.
- Performance Measurement: a CMMI-based performance management scheme. Each process is rated at a capability level from 0 (incomplete) to 5 (optimizing); maturity levels, also 0 to 5, are assigned to focus areas rather than to individual processes.
Example: A brokerage firm that must demonstrate system continuity plans, executes, and documents business continuity tests under DSS04 (Managed Continuity), which covers the test plan, its results, and the follow-up actions.
In Which Institutions Can COBIT Be Applied?
COBIT supports transparency, control, and compliance across financial institutions:
- Increases audit readiness and supports operational efficiency.
- Reduces IT and information security risk.
| Institution | Key Benefits |
|---|---|
| Banks | BRSA compliance, risk management, transaction security |
| Payment Institutions | Identity verification, IT infrastructure security |
| Brokerage Firms | Data integrity, reporting compliance |
| Savings Finance Companies | IT asset management, audit requirements |
Example: A payment institution applies COBIT objective APO13 (Managed Security) to structure its controls for compliance with the BRSA's Remote Identity Verification Regulation.
What Is the Key Difference Between COBIT 5 and COBIT 2019?
COBIT 2019 offers a more flexible, customizable, and up-to-date structure than COBIT 5.
- Performance measurement is more consistent and comparable across organizations.
- Alignment with current standards (ISO/IEC 27001, ITIL 4).
| Feature | COBIT 5 | COBIT 2019 |
|---|---|---|
| Governance Principles | 5 principles | 6 governance system + 3 governance framework principles |
| Performance Measurement | Process capability model based on ISO/IEC 15504 | CMMI-based capability levels (0-5) and focus-area maturity levels |
| Flexibility | Limited | Customizable design via design factors and focus areas |
| Components | 7 enablers | 7 governance-system components (processes, organizational structures, information, people, etc.) |
| Standard Alignment | Standards of its time (ITIL v3, ISO/IEC 27001:2005) | Current standards (ITIL 4, ISO/IEC 27001:2013, NIST CSF) |
Conclusion: COBIT 2019 is better aligned with
today’s threat landscape and regulations. It provides a more applicable and
measurable structure for banks and financial institutions.
In the financial sector, COBIT is more than a framework: it is a roadmap that reduces risk, increases customer trust, and supports regulatory compliance. In an era of rapid digitalization, organizations that do not apply a governance framework of this kind risk losing control over their IT estate.
Frequently Asked Questions (FAQ)
1. Does COBIT replace ISO 27001 or ITIL?
No. COBIT is a governance framework that works with and complements standards such as ISO/IEC 27001 and ITIL. COBIT sets the governance and management objectives (what must be achieved and controlled); ISO/IEC 27001 and ITIL supply the detailed requirements and practices for achieving them.
2. Can small-scale financial institutions use COBIT?
Yes. COBIT is scalable and customizable, making it applicable for small organizations. It simplifies compliance and risk management processes.
3. Is COBIT only relevant for the IT department?
No. COBIT involves all units—from top management to audit teams. It focuses on integrating IT strategies into overall business strategies.
4. Is COBIT mandatory to implement?
There is no legal requirement to implement COBIT as such. However, systems structured along COBIT lines are generally considered stronger and more audit-ready in BRSA (banking) and CMB (Capital Markets Board, brokerage) audits.
5. Who should take COBIT training?
COBIT training is ideal for IT managers, auditors, risk managers, and compliance professionals.