COBIT as a foundation for Information Security Management

Information security is now highly dependent on business decision-making and user activities that involve the entire enterprise population. Most organisations have a large number of inter-enterprise connections and a wide range of internally integrated technology and operations across multiple processing environments. The ITGN uses COBIT 5 as the foundation on which to establish and build a capability in information security management.

The integrated nature of the COBIT 5 process model enables accountability and responsibility to be identified and assigned. Selecting, testing and deploying appropriate mechanisms to supply security functions is complex. Few organisations have established the processes necessary for effective information security, and COBIT 5 therefore provides an excellent reference and foundation on which to establish enterprise information security in an effective, lean and sustainable manner.

A well-structured approach is required for building information security around confidentiality (stressing "need to know" as the guiding principle for implementing a security programme), managing integrity (by focusing on the "control of privilege to create, modify, store, copy or delete information or information resources") and ensuring the availability of information (based on the business's need and regulatory obligations to have systems, resources and data available).

Through the use of an integrated, process-based approach, directed from the governance layer and supported by a management system to coordinate improvements, the organisation can:

  • Identify the IT activities necessary for effective information security using the 37 COBIT 5 processes as a guide
  • Build capability in information security processes and related activities
  • Focus on delivering the outcomes that business expects from information security (and avoid unnecessary concepts of 'best practice').

Two points should be kept in mind:

  • A large number of IT processes will have an impact on the effectiveness of information security.
  • The outcome expected from information security should be based on what the business actually needs (e.g. security in a hostile environment, regulatory compliance, etc.).

POPI Risk Assessment

The COBIT 4 Maturity Model can provide management with an initial, high-level view of the current level of organisational maturity.


POPI Management System

Managing the IT function and continuously improving its capability.


POPI Capability Assessments

COBIT 5 capability assessments are highly subjective and depend entirely on the assessor's IT knowledge and experience.

The ITGN has the skill, experience and tools needed to ensure reliable results.

POPI Management System

Improve your IT organisation's efficiency and effectiveness with a management system to coordinate and continuously improve the operational practices.
POPI Expertise

IT governance experts are available to assist in establishing, implementing and improving the governance of IT based on the ISO 38500 standard and COBIT 5 good practices.