A well-structured approach is required for building information security around confidentiality (stressing the "need to know" as the guiding principle for implementing a security program), managing integrity (by focusing on the "control of privilege to create, modify, store, copy or delete information or information resources") and ensuring the availability of information (based on the "business' need" and regulatory obligations to have systems, resources and data available).

Through the use of an integrated, process-based approach directed from the governance layer, with a management system to coordinate improvements:

  • Identify the IT activities necessary for effective information security using the 37 COBIT 5 processes as a guide
  • Build capability in information security processes and related activities
  • Focus on delivering the outcomes that business expects from information security (and avoid unnecessary concepts of 'best practice').
  • There are a large number of IT processes that will have an impact on the effectiveness of information security
  • The outcome expected from information security should be based on what the business actually needs (e.g. security in a hostile environment, regulatory compliance, etc.).

Capability Assessment & Improvement

COBIT 5 capability assessments can be highly subjective and depend on the assessor's IT knowledge and experience. The ITGN has the skill, experience and tools needed to ensure reliable results.


COBIT Management System

Improve your IT organisation's efficiency and effectiveness with a management system to coordinate and continuously improve the operational practices.
