DESIGN GUIDE
Designing an Information and Technology Governance Solution
About ISACA
Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the
positive potential of technology. Technology powers today’s world and ISACA equips professionals with the
knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA
leverages the expertise of its half-million engaged professionals in information and cyber security, governance,
assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance
innovation through technology. ISACA has a presence in more than 188 countries, including more than 217 chapters
and offices in both the United States and China.
Disclaimer
ISACA has designed and created COBIT® 2019 Design Guide: Designing an Information and Technology
Governance Solution (the “Work”) primarily as an educational resource for enterprise governance of information and
technology (EGIT), assurance, risk and security professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, enterprise governance of
information and technology (EGIT), assurance, risk and security professionals should apply their own professional
judgment to the specific circumstances presented by the particular systems or information technology environment.
Copyright
© 2018 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.
ISACA
1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Contact us: https://support.isaca.org
Website: www.isaca.org
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: http://twitter.com/ISACANews
LinkedIn: http://linkd.in/ISACAOfficial
Facebook: www.facebook.com/ISACAHQ
Instagram: www.instagram.com/isacanews/
COBIT® 2019 DESIGN GUIDE
COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution
ISBN 978-1-60420-765-1
In Memoriam: John Lainhart (1946-2018)
Dedicated to John Lainhart, ISACA Board chair 1984-1985. John was instrumental in the creation of the COBIT®
framework and most recently served as chair of the working group for COBIT® 2019, which culminated in the
creation of this work. Over his four decades with ISACA, John was involved in numerous aspects of the association
as well as holding ISACA’s CISA, CRISC, CISM and CGEIT certifications. John leaves behind a remarkable
personal and professional legacy, and his efforts significantly impacted ISACA.
Acknowledgments
ISACA wishes to recognize:
COBIT Working Group (2017-2018)
John Lainhart, Chair, CISA, CRISC, CISM, CGEIT, CIPP/G, CIPP/US, Grant Thornton, USA
Matt Conboy, Cigna, USA
Ron Saull, CGEIT, CSP, Great-West Lifeco & IGM Financial (retired), Canada
Development Team
Steven De Haes, Ph.D., Antwerp Management School, University of Antwerp, Belgium
Matthias Goorden, PwC, Belgium
Stefanie Grijp, PwC, Belgium
Bart Peeters, PwC, Belgium
Geert Poels, Ph.D., Ghent University, Belgium
Dirk Steuperaert, CISA, CRISC, CGEIT, IT In Balance, Belgium
Expert Reviewers
Floris Ampe, CISA, CRISC, CGEIT, CIA, ISO27000, PRINCE2, TOGAF, PwC, Belgium
Graciela Braga, CGEIT, Auditor and Advisor, Argentina
James L. Golden, Golden Consulting Associates, USA
J. Winston Hayden, CISA, CRISC, CISM, CGEIT, South Africa
Abdul Rafeq, CISA, CGEIT, FCA, Managing Director, Wincer Infotech Limited, India
Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, FACS CP, BRM Holdich, Australia
ISACA Board of Directors
Rob Clyde, CISM, Clyde Consulting LLC, USA, Chair
Brennan Baybeck, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA, Vice-Chair
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP,
CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP, Merck & Co., Inc., Singapore
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Ted Wolff, CISA, Vanguard, Inc., USA
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, EGIT | Enterprise Governance
of IT (Pty) Ltd, South Africa
Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, Deloitte & Touche LLP, USA,
ISACA Board Chair, 2017-2018
Chris K. Dimitriadis, Ph.D., CISA, CRISC, CISM, INTRALOT, Greece, ISACA Board Chair, 2015-2017
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA, USA
Robert E Stroud (1965-2018), CRISC, CGEIT, XebiaLabs, Inc., USA, ISACA Board Chair, 2014-2015
ISACA is deeply saddened by the passing of Robert E Stroud in September 2018.