
The Differences Between

COBIT 4.1 and COBIT 5


Upgrading to the most recent version of COBIT provides
enterprises with numerous benefits unavailable in past releases

Abstract
The release of COBIT 5 developed by ISACA truly represents a next-generation evolution of the well-known
and highly regarded COBIT framework. It is a departure from the previous edition, COBIT 4.1, because COBIT
5 enables information and related technology to be governed and managed in a holistic manner for the entire
enterprise. It takes in the full end-to-end business and functional areas of responsibility, considering the IT-related
interests of all internal and external stakeholders. COBIT 5 can now be the framework for all of the frameworks
and standards employed in the enterprise. Because COBIT 5 considers the full enterprise view, it offers guidance
for both governance and management activities. To explain the sweeping changes and the enhanced benefits
of COBIT 5, this whitepaper will detail the specific differences between 4.1 and 5 as well as the thinking behind
these important changes. Central to COBIT 5 is the governance objective of value creation.
Introduction

Since 1996, the COBIT framework has undergone multiple evolutions, as it adapts to the needs of a changing marketplace. The original COBIT and later its 2nd edition from 1998 were known as IT audit and control frameworks. The focus was placed on control objectives. In 2000, COBIT's 3rd edition debuted as an IT management framework, featuring newly added management guidelines. When COBIT 4.0 and COBIT 4.1 were released in 2005 and 2007, respectively, more adjustments were made. The assurance processes were removed. In return, governance and compliance processes were added, making COBIT 4.1 an IT governance framework.

COBIT 5 represents a culmination of these previous releases, as well as the incorporation of numerous other standards and frameworks, into the ultimate framework for the governance and management of enterprise IT.

COBIT 4.1, Val IT, Risk IT and BMIS users who are already engaged in governance of enterprise IT (GEIT) implementation activities can transition to COBIT 5 and benefit from the latest and improved guidance that it provides during the next iterations of their enterprises' improvement life cycle. Since COBIT 5 builds on previous versions of COBIT (and Val IT, Risk IT and BMIS), enterprises can also build on what they have developed using earlier versions.

Most enterprise stakeholders and executive management are aware of the importance of the general control frameworks with respect to their fiduciary responsibility, such as Committee of Sponsoring Organizations of the Treadway Commission (COSO), Code of Connection (CoCo), the UK Corporate Governance Code, King III, etc.; however, enterprise stakeholders and executive management may not necessarily be aware of the details of each framework. In addition, enterprise managers are increasingly aware of the more technical security guidance, such as the ISO/IEC 27000 series, and service delivery guidance, such as ITIL.

Although the aforementioned standards and frameworks emphasize business control and IT security and service management and delivery issues in specific areas of enterprise IT-related activity, only COBIT 5 integrates all functions and processes that establish the governance of enterprise IT (GEIT) into overall enterprise governance and from a business perspective. COBIT 5 is not meant to replace any of these frameworks or standards. It is intended to emphasize what governance and management elements and practices are required to create value from information and technology in support of enterprise business goals.

To assure the high quality of COBIT 5, several measures were taken, the most important being:

- The entire research process was overseen by both ISACA's Knowledge Board and Framework Committee, which were responsible for overseeing all ISACA framework research development.
- The detailed research results and deliverables were quality-controlled throughout the development process by a dedicated task force of experienced volunteer professionals.
- A draft design document was issued for public exposure, and the feedback was integrated into the development work to produce the final COBIT 5 products. Before being issued, the draft development products were distributed to more than 100 subject matter experts around the world to obtain their professional review.
- Once ready, draft versions of COBIT 5 and COBIT 5: Enabling Processes were made available to the public for review. Workshops were held in London and Washington DC; more than 650 people contributed their feedback. Many good comments were received, suggesting further improvements for consideration. Survey questions concerning the level of satisfaction of the work at the draft stage were included in the public exposure activity, with 79 percent of the responses being positive. Based on the review comments, the development team made changes as appropriate.
- The final product was reviewed by COBIT 5 Task Force members, the Framework Committee and the Knowledge Board.

The Differences Between COBIT 4.1 and COBIT 5 // 2


COBIT 5 Governance Objective: Value Creation

The development of COBIT 5 was driven by this central concept: Enterprises exist to create value for their stakeholders. Consequently, any enterprise, commercial or not, will have value creation as a governance objective. Value creation means: Realizing benefits at an optimal resource cost while optimizing risk.

Information and technology are used to bring benefits to enterprises. In doing so, enterprises and their executives strive to:

- Maintain quality information to support business decisions
- Generate business value from IT-enabled investments (i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT)
- Achieve operational excellence through reliable and efficient application of technology
- Maintain IT-related risk at an acceptable level
- Optimize the cost of IT services and technology

When these benefits are properly realized, enterprises are in a position to create value for their stakeholders.

Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. In addition, enterprise boards, executives and management have to embrace IT like any other significant part of the business. Moreover, external legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.

COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT. Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.

COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

THE GOVERNANCE OBJECTIVE: VALUE CREATION
SOURCE: COBIT 5, figure 3. © 2016 ISACA. All rights reserved.



Meeting Stakeholder Needs through the Goals Cascade

Once stakeholder needs have been recognized, those needs must be transformed into an enterprise's strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals within the context of the enterprise, IT-related goals and enabler goals.

First, stakeholder needs can be related to a set of generic enterprise goals. These generic enterprise goals have been developed using the Balanced Scorecard (BSC) dimensions.1 Although this list is not exhaustive, most enterprise-specific goals can be easily mapped onto one or more of the generic enterprise goals.

The goals cascade is not new to COBIT 5; it was introduced in COBIT 4.0 in 2005. Some COBIT 4.0 users who have applied the thinking to their enterprises have found value. But not everyone was able to recognize this value. So the goals cascade has been given greater importance in the COBIT 5 release, making it prominent early in the COBIT 5 guidance because it supports the COBIT 5 stakeholder needs principle that is fundamental to COBIT 5.

COBIT 5 GOALS CASCADE OVERVIEW
SOURCE: COBIT 5, figure 4. © 2016 ISACA. All rights reserved.

1 Kaplan, Robert S.; Norton, David P.; The Balanced Scorecard: Translating Strategy into Action, Harvard University Press, USA, 1996



SOURCE: COBIT 5, figure 5. © 2016 ISACA. All rights reserved.

COBIT 5: A Framework for the Governance and Management of Enterprise IT

One of the most important changes to the COBIT framework is COBIT 5's separation of governance and management domains:

- Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
- Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

COBIT 5 uses a Process Reference Model that subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes:

- The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. (ISO/IEC 38500)
- The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM). (ISO/IEC 15504)



COBIT 5 GOVERNANCE AND MANAGEMENT KEY AREAS
SOURCE: COBIT 5, figure 15. © 2016 ISACA. All rights reserved.

New Changes Introduced in the COBIT 5 Release

The move from COBIT 4.1 to COBIT 5 saw major changes in the framework's content and how it may impact GEIT implementation/improvement. These changes consist of:

- New GEIT Principles
- Increased Focus on Enablers
- New Process Reference Model
- Control Objectives Updated
- New and Modified Processes
- Practices and Activities
- Goals and Metrics
- Inputs and Outputs at the Practice Level
- Expanded RACI Charts with Business and IT Roles
- Process Capability Model

New GEIT Principles: In preparing the new COBIT 5 release, experts recognized that the Val IT and Risk IT frameworks are principles-based. Furthermore, feedback indicated that principles are easy to understand and put into an enterprise context, allowing value to be derived from the supporting guidance more effectively. (ISO/IEC 38500 also incorporates principles to underpin its messages to achieve the same market benefit delivery, although the principles in this standard and COBIT 5 are not the same.)



So the new foundation of this framework is supported by the COBIT 5 Principles:

COBIT 5 PRINCIPLES
SOURCE: COBIT 5, figure 2. © 2016 ISACA. All rights reserved.

Increased Focus on Enablers: COBIT 5 also introduces enablers, seven in all. COBIT 4.1 did not have enablers, but COBIT 4.1 users might recognize some common elements that evolved into more formal guidance in COBIT 5. COBIT 4.1 discussed three resources, which are now referred to as enablers. COBIT 5 introduced four new enablers for a total of seven in the framework.

COBIT 4.1 resources were known as Services and People; COBIT 5 has further defined and detailed these categories. In addition, Principles, Policies and Frameworks were mentioned in a few COBIT 4.1 processes, and Processes were central to COBIT 4.1 use. COBIT 5's organizational structure was implied through the responsible, accountable, consulted or informed (RACI) roles and their definitions found in COBIT 4.1. Culture, Ethics and Behavior were also mentioned in a few COBIT 4.1 processes.

COBIT 5 ENTERPRISE ENABLERS
SOURCE: COBIT 5, figure 12. © 2016 ISACA. All rights reserved.

New Process Reference Model (PRM): COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end (i.e., business and IT function areas). COBIT 5 consolidates COBIT 4.1, Val IT, Risk IT and BMIS into one framework, and has been updated to align with current best practices (e.g., ITIL V3 2011, TOGAF). The new model can be used as a guide for adjusting as necessary the enterprise's own process model (just like COBIT 4.1).

Control Objectives Updated: The control objectives found in COBIT 4.1 can be found in COBIT 5, but now they are called management practices. The content was expanded, and the COBIT 4.1 control practices were updated and moved into the PRM for user convenience.

New and Modified Processes: COBIT 5 introduces five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches. This guidance helps enterprises to further refine and strengthen executive management-level GEIT practices and activities. In addition, the governance processes support GEIT integration with existing enterprise governance practices and are aligned with ISO/IEC 38500.



COBIT 5 PROCESS REFERENCE MODEL
SOURCE: COBIT 5, figure 16. © 2016 ISACA. All rights reserved.

COBIT 5 also has clarified management level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model. There are several new and modified management processes that reflect current thinking, in particular:

- APO03 Manage enterprise architecture
- APO04 Manage innovation
- APO05 Manage portfolio
- APO06 Manage budget and costs
- APO08 Manage relationships
- APO13 Manage security
- BAI05 Manage organizational change enablement
- BAI08 Manage knowledge
- BAI09 Manage assets
- DSS05 Manage security services
- DSS06 Manage business process controls

COBIT 5 processes now cover end-to-end business and IT activities (i.e., a full enterprise-level view). This provides for a more holistic and complete coverage of practices reflecting the pervasive enterprise-wide nature of IT use. It makes the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent.

Practices and Activities: The COBIT 5 governance or management practices are related to the COBIT 4.1 control objectives and Val IT and Risk IT processes. The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT management practices. COBIT 5 integrates and updates all of the previous content into the one new model, making it easier for users to understand and use this material when implementing improvements.

Goals and Metrics: COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view. For example, COBIT 5 provides a revised Goals Cascade based on enterprise goals driving IT-related goals and then supported by critical processes. COBIT 5 provides examples of goals and metrics at the enterprise, process, and governance and management practice levels. This is a change from COBIT 4.1, Val IT and Risk IT, which went one level lower.

Inputs and Outputs at the Practice Level: COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level. This provides additional detailed guidance for designing processes to include essential work products and to assist with inter-process integration.

Expanded RACI Charts with Business and IT Roles: COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT. COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.

RACI CHART
SOURCE: COBIT 5: Enabling Processes, page 31. © 2016 ISACA. All rights reserved.



DEVELOPING COBIT 5
SOURCE: © 2016 ISACA. All rights reserved.

Process Capability Model: COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modeling approach. COBIT 5 is supported by a new process capability assessment approach based on ISO/IEC 15504.

The COBIT Assessment Program approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method. The assessment objective is to understand the level of capability that is present and the level that is appropriate for a given process, based on business requirements, and to understand the nature of any gaps so that any significant weaknesses in the process can be identified and improved. The COBIT Assessment Program supports:

- Formal assessments by accredited assessors
- Less rigorous self-assessments for internal gap analysis and process improvement planning

In addition, the COBIT Assessment Program approach is supported by these materials:

- COBIT Process Assessment Model: Using COBIT 5
- COBIT Assessor Guide: Using COBIT 5
- COBIT Self-Assessment Guide: Using COBIT 5

COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Program approach will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach. Although some of the information gathered from previous assessments may be reusable, care will be needed in migrating this information forward because there are significant differences in requirements and in what is being measured.



Making the Business Case for COBIT 5 in Your Enterprise

To convince decision-makers in your enterprise to use COBIT 5, you may want to use the COBIT 5 Goals Cascade to bolster your position:

- Determine stakeholder needs and governance objectives (value creation)
- Identify enterprise goals that can support stakeholder needs; if the balanced scorecard (BSC) is used to develop these goals, then a common set of terms can be used to communicate the goals
- Select IT-related goals (for each enterprise goal) that will facilitate the achievement of the goals
- Prioritize enabler-related goals; this requires the successful application and use of enablers (one of the enablers, Processes, is treated separately in the COBIT 5: Enabling Processes publication)
- Present the proposed set of needs, goals and enablers to executive management as a means of delivering effective governance and management of IT-related technology

Another vitally important aspect to consider is the enterprise's culture. A proactive culture will be more receptive than one that is not proactive. Consider emphasizing COBIT's focus on stakeholder value creation; its being business-driven; its alignment with other internationally recognized standards and frameworks; and its simple, but complete, structure. COBIT 5 is based on five principles and seven enablers. All other governance and management guidance in COBIT 5 originates from these basic areas.

Previous versions of COBIT have been accepted in many enterprises globally, and new cases continue to be documented. However, it should not be a surprise that, in those entities where the chief information officer (CIO) has embraced COBIT as a business framework for information and technology, this has come as a direct consequence of one or more COBIT champions within the audit and/or IT function(s).

Even more important than acceptance by the CIO is acceptance by the board of directors and executive management. Successful implementation of governance and management of enterprise IT using COBIT depends greatly on the commitment of the executive management team as a whole. The CIO alone cannot implement COBIT 5 effectively throughout the enterprise because there are implications for many areas of the enterprise outside of the IT function.

The emphasis on value creation and alignment of stakeholder needs, enterprise goals, and IT-related goals will ensure that COBIT 5 is seen as a business framework.

Finally, a variety of training and education opportunities are available for enterprises and individuals seeking to improve their COBIT 5 skills, from basic instruction for executives and non-practitioners to intensive classes for hands-on COBIT champions. For more information, go to www.isaca.org/COBIT/Pages/Education-Training.aspx



ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.

Disclaimer
This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances.

Reservation of Rights
© 2016 ISACA. All rights reserved.

