Implementing Controls
... to an acceptable level of residual risk.
Control implementation is focused on mitigating risks. Every IT process brings to the business a level of inherent risk that needs to be mitigated so that the level of residual risk is acceptable and aligned to the organisation's risk appetite. The CobiT Control Framework provides guidance on the implementation of controls for each IT process.
These controls are applied to the key practices developed from sources of good practice such as ITIL (IT Infrastructure Library). However, the selection and sequence of control implementation should take into account the level of organisational maturity.
Initial controls address the direct risks associated with a particular process. Subsequent controls are management (or governance) orientated, and thereafter the controls address the process itself: its efficiency, effectiveness, defects (quality) and finally continuous improvement. At all times, the implementation of controls is focused on the business requirement to manage risk, and therefore the actions are aligned with the need to mitigate business-related risk.