What is COBIT?
COBIT stands for Control Objectives for Information and Related Technologies. It is a framework for IT governance and management developed by ISACA. COBIT helps organisations align IT with business objectives, with a focus on control, risk and performance.
Although COBIT was developed primarily for IT, it also applies to OT environments, particularly where OT is integrated with IT, enterprise risk management and regulatory compliance.
🧠 How does COBIT work?
COBIT 2019 (the current version) defines a governance system with seven components and 40 governance and management objectives. At a high level it can be summarised in four areas:
- Governance system and components
- Includes processes, organisational structures, policies and procedures, information, culture and behaviour, people and skills, and the supporting services, infrastructure and applications
- Governance and management objectives
- E.g. EDM03 “Ensured Risk Optimisation” or APO13 “Managed Security”
- Performance management
- Measures how well the objectives are met, using capability levels (0 to 5) for processes and maturity levels for focus areas
- Alignment with business goals
- Through the goals cascade, enterprise goals are translated into alignment goals and then into governance and management objectives, so that IT and OT support strategic business goals with measurable outcomes
COBIT does not prescribe technical controls; it emphasises policy, accountability and management structure.
🏭 Use of COBIT in OT environments
- Direction and control of access management, patch management and asset inventory
- Aligning OT security objectives with business risks (e.g. production continuity)
- Acting as the governance layer above NIST CSF, IEC 62443 and ISO 27001, which supply the control-level detail
- Use in lifecycle management of SCADA systems or MES
- Governance of OT outsourcing and supplier management
COBIT is particularly useful for large or regulated organisations with maturity targets.
🔍 COBIT vs. NIST CSF vs. IEC 62443
| Aspect | COBIT | NIST CSF | IEC 62443 |
|---|---|---|---|
| Type | Governance and management framework | Cybersecurity framework | OT security standard |
| Application | IT and OT management and direction | Risk management and cybersecurity | Technical and organisational, OT-specific |
| Technical depth | Limited | Moderate | High |
| OT focus | Indirect | Indirect (sector-agnostic; OT profiles exist) | Yes — specifically |
🔐 Security considerations
- Supports risk management, compliance and audit-trail management
- Includes objectives covering access control (DSS05 “Managed Security Services”), change management (BAI06 “Managed IT Changes”) and incident response (DSS02 “Managed Service Requests and Incidents”)
- Improves communication between IT, OT, business and security
- Fits well within defence-in-depth strategies at the governance level
- Can link capability and maturity levels to OT processes for continuous improvement
COBIT helps to integrate cybersecurity with broader business goals and risk strategies.
📌 In summary
COBIT is a framework for managing and governing information and technology processes, also applicable to OT. It provides a structured way to align risks, controls and performance with business objectives.
