What is COBIT, and how does it differ from security-specific frameworks?
COBIT (Control Objectives for Information and Related Technology) is a framework for IT governance — it governs ALL of IT, with security as one concern among many.
* COBIT governs all of IT; ISO 27001 / NIST CSF are security-specific — often used together. *
Published by ISACA, COBIT answers: "is our IT organization doing the right things, efficiently, and under control?" — covering value delivery, resource and risk management, performance measurement, and compliance.
How it relates to the others:
- Broader scope than ISO 27001 / NIST CSF: those target information security; COBIT targets IT governance overall
- NIST CSF subcategories frequently cite COBIT 5 process IDs (e.g. APO08.04) as informative references
- Often used alongside a security framework: COBIT for the governance layer, ISO 27001 or CSF for the security management layer
- Frequently the lens of IT auditors — ISACA also runs the CISA certification
Tip: Same family as ITIL — ITIL focuses on IT service management (operations, incident, change), COBIT on governance and control. Both touch security but neither is a security standard.
Go deeper:
COBIT — offizielle ISACA-Seite — Primärquelle des Herausgebers ISACA: COBIT als Rahmen für Enterprise Governance of IT (EGIT).
COBIT (Wikipedia) — Ordnet COBIT ins Ökosystem ein (ITIL, ISO 27000, COSO, CMMI).