COBIT 2019 Framework Explained: Domains and Objectives

Standarity Editorial Team·IT Governance and ISACA Framework Specialists

COBIT 2019 is the ISACA governance framework for enterprise information and technology. It gives boards and executives a structured model of 40 governance and management objectives, helping them direct, evaluate and monitor technology investment so that it delivers measurable business value rather than uncontrolled cost.

The COBIT 2019 Governance System and Its Principles

At the heart of COBIT 2019 sits a governance system that turns stakeholder needs into a tailored set of governance and management objectives. ISACA built the framework on six governance system principles, which describe what any effective enterprise governance system for information and technology must do. They keep the model holistic, adaptable and clearly separated from day-to-day management.

  • Provide stakeholder value as the central purpose of the governance system.
  • Take a holistic approach using several interacting components, not isolated controls.
  • Build a dynamic governance system that responds when design factors change.
  • Keep governance distinct from management, with different activities and structures.
  • Tailor the system to enterprise needs rather than applying a fixed template.
  • Cover the enterprise end to end, spanning all functions, not just the IT department.

The 40 Objectives Across Five Domains

COBIT 2019 organises its work into 40 governance and management objectives. Five of these sit in the governance domain, where the board evaluates, directs and monitors. The remaining thirty-five fall under four management domains that mirror a familiar plan, build, run and monitor cycle. Each objective links to processes, organisational structures, information flows, skills and culture, so it is never a checklist item in isolation.

  • EDM, Evaluate, Direct and Monitor, the governance domain with five objectives overseen by the board.
  • APO, Align, Plan and Organise, covering strategy, architecture, risk and resource planning.
  • BAI, Build, Acquire and Implement, covering solution delivery, change and project management.
  • DSS, Deliver, Service and Support, covering operations, incidents, security and continuity.
  • MEA, Monitor, Evaluate and Assess, covering performance, compliance and assurance.

Industry analysis compiled by ManageEngine notes that full COBIT 2019 deployments commonly take 12 to 18 months, reflecting the framework's breadth across all 40 objectives rather than a single service or process.

The split matters in practice. The single EDM domain carries the governance layer, the responsibility of the board and executive committee, while APO, BAI, DSS and MEA carry the management layers run by the chief information officer and their teams. That separation is principle four in action, and it is one of the clearest differences between COBIT and frameworks built only for operational delivery.

Components and Performance Management

Each objective in COBIT 2019 is supported by a set of governance components that, taken together, make the objective work. These components are processes, organisational structures, policies and procedures, information flows, people skills and competencies, and culture, ethics and behaviour. Treating an objective as only a process is the most common adoption mistake; a control rarely succeeds without the matching structure, skills and culture around it. This component view is what lets COBIT describe governance as a system rather than a list of activities.

COBIT 2019 also brought a more rigorous performance management scheme, aligned with the capability and maturity ideas used in CMMI. Individual processes are rated on capability levels from zero to five, showing how reliably an activity is performed, while maturity levels describe how well an entire focus area is governed. This gives leadership a defensible way to set target levels, measure the gap and prioritise improvement rather than chasing a perfect score everywhere, which would waste budget on low-risk areas.

Design Factors: Why No Two COBIT Implementations Match

COBIT 2019 is not meant to be adopted wholesale. Its eleven design factors let an enterprise tailor which objectives matter most and how rigorously to govern them. They include enterprise strategy, enterprise goals, the risk profile, current technology-related issues, the threat landscape, compliance requirements, the role of IT, the sourcing model, IT implementation methods, the technology adoption strategy and enterprise size. Feeding these into the design guide produces a governance system scoped to one organisation rather than a generic ideal.

COBIT 2019 vs ITIL 4

COBIT 2019 and ITIL 4 are often compared, but they answer different questions. COBIT, with its audit heritage, sets the "what" of governance: the outcomes, objectives and controls the board expects. ITIL 4 sets the "how" of service delivery at the operational level. COBIT operates from the board downward, while ITIL works from service management upward, and the two integrate cleanly rather than competing. For a full side-by-side breakdown, see our COBIT 2019 vs ITIL 4 guide, which maps where each framework adds the most value.

Certification Path and Where to Start

ISACA offers two main COBIT 2019 credentials. The COBIT Foundation certificate validates your grasp of the principles, components, objectives and performance management model; its exam is 75 multiple-choice questions over two hours with a 65 percent pass mark, and there are no prerequisites. The COBIT Design and Implementation certificate proves you can tailor a governance system and run improvement programmes; its exam is 60 questions over three hours at a 60 percent pass mark. Most learners start with Foundation, then progress to Design and Implementation as they apply the framework. Pair the theory with practical work from our IT governance implementation resources to make the objectives concrete.

Whether your goal is the certificate or a working governance system, the most reliable starting point is the same: learn the six principles, the five domains and the eleven design factors cold, then practise applying them to scenarios until the objectives feel routine rather than abstract.

How COBIT Fits with Other Frameworks

One of the strengths of COBIT 2019 is that it does not ask an organisation to abandon what already works. It was deliberately designed as an umbrella that aligns with major standards rather than replacing them. An enterprise can keep ITIL 4 for service management, ISO 27001 for information security and NIST guidance for cyber risk, then use COBIT objectives to govern all of them from a single board-level view. In this model COBIT answers the accountability question (who owns the outcome, and how do we know it is working?), while the specialist frameworks supply the detailed operating practices underneath.

This is why audit and assurance teams favour COBIT. Because every objective links back to stakeholder needs and enterprise goals, an auditor can trace a line from a board priority down to a specific control and its capability rating. That traceability is hard to achieve with operational frameworks alone, and it is the practical reason COBIT remains the default reference for IT governance maturity assessments. A common starting project is to select a handful of high-risk objectives, rate their current capability, set a realistic target and build an improvement roadmap, rather than attempting all 40 objectives at once.

Frequently Asked Questions

What is COBIT 2019 used for?

COBIT 2019 is used to govern and manage enterprise information and technology. It gives boards and executives a structured set of 40 objectives to align IT with business goals, manage risk, optimise resources and demonstrate value, often as the basis for assurance and audit work.

What are the five COBIT 2019 domains?

The five domains are EDM (Evaluate, Direct and Monitor), APO (Align, Plan and Organise), BAI (Build, Acquire and Implement), DSS (Deliver, Service and Support) and MEA (Monitor, Evaluate and Assess). EDM is the governance domain and the other four are management domains.

How many objectives are in COBIT 2019?

COBIT 2019 contains 40 governance and management objectives. Five belong to the EDM governance domain and the remaining thirty-five are spread across the APO, BAI, DSS and MEA management domains.

What is the difference between COBIT 2019 and ITIL 4?

COBIT 2019 defines the "what" of IT governance, setting objectives and controls from the board level, while ITIL 4 defines the "how" of service delivery at the operational level. They are complementary, and many enterprises run them together rather than choosing one.

Is there a COBIT 2019 certification?

Yes. ISACA offers the COBIT Foundation certificate as an entry point and the COBIT Design and Implementation certificate for tailoring and running governance programmes. Foundation has no prerequisites, and most learners take it before Design and Implementation.

How hard is the COBIT Foundation exam?

The COBIT Foundation exam is moderate in difficulty. It is a two-hour, 75-question multiple-choice exam with a 65 percent pass mark and no prerequisites. With focused study of the principles, domains and design factors, most candidates pass on the first attempt.
