COBIT-5 for Information Security


Below is an outline of COBIT-5 for Information Security. If you’re a member, then you can log into the Library and view it in your browser using the email address you signed up with.

P.S. Only Members and Clients can successfully log in.

  • Click HERE to log into the library (Members only).
  • Folder: Books and Guides > Security Docs

If you are having issues logging in, please check the following help guide, HERE.



1. Executive Summary
1.1.1. Introduction
1.1.2. Drivers
1.1.3. Benefits
1.1.4. Target Audience
1.1.5. Conventions Used and Overview

2. Information Security
3. Information Security Defined

4. COBIT 5 Principles
4.1.1. Overview
4.1.2. Principle 1: Meeting Stakeholder Needs
4.1.3. Principle 2: Covering the Enterprise End-to-end
4.1.4. Principle 3: Applying a Single Integrated Framework
4.1.5. Principle 4: Enabling a Holistic Approach
4.1.6. Principle 5: Separating Governance From Management

5. Using COBIT 5 Enablers for Implementing Information Security in Practice
6. Introduction
6.1.1. The Generic Enabler Model
6.1.2. Enabler Performance Management
6.1.3. COBIT 5 for Information Security and Enablers

7. Enabler: Principles, Policies and Frameworks
7.1.1. Principles, Policies and Framework Model
7.1.2. Information Security Principles
7.1.3. Information Security Policies
7.1.4. Adapting Policies to the Enterprise’s Environment
7.1.5. Policy Life Cycle

8. Enabler: Processes
8.1.1. The Process Model
8.1.2. Governance and Management Processes
8.1.3. Information Security Governance and Management Processes
8.1.4. Linking Processes to Other Enablers

9. Enabler: Organisational Structures
9.1.1. Organisational Structures Model
9.1.2. Information Security Roles and Structures
9.1.3. Accountability Over Information Security

10. Enabler: Culture, Ethics and Behaviour
10.1.1. Culture Model
10.1.2. Culture Life Cycle
10.1.3. Leadership and Champions
10.1.4. Desirable Behaviour

11. Enabler: Information
11.1.1. Information Model
11.1.2. Information Types
11.1.3. Information Stakeholders
11.1.4. Information Life Cycle

12. Enabler: Services, Infrastructure and Applications
12.1.1. Services, Infrastructure and Applications Model
12.1.2. Information Security Services, Infrastructure and Applications

13. Enabler: People, Skills and Competencies
13.1.1. People, Skills and Competencies Model
13.1.2. Information Security-related Skills and Competencies

14. Adapting COBIT 5 for Information Security to the Enterprise Environment
15. Introduction

16. Implementing Information Security Initiatives
16.1.1. Considering the Enterprise’s Information Security Context
16.1.2. Creating the Appropriate Environment
16.1.3. Recognising Pain Points and Trigger Events
16.1.4. Enabling Change
16.1.5. A Life Cycle Approach

17. Using COBIT 5 for Information Security to Connect Other Frameworks, Models, Good Practices and Standards
18. Appendices
19. Appendix A Detailed Guidance: Principles, Policies and Frameworks Enabler
19.1.1. Information Security Principles
19.1.2. Information Security Policy
19.1.3. Specific Information Security Policies Driven by the Information Security Function
19.1.4. Specific Information Security Policies Driven by Other Functions Within the Enterprise

20. Appendix B Detailed Guidance: Processes Enabler
20.1.1. Evaluate, Direct and Monitor (EDM)
20.1.2. Align, Plan and Organise (APO)
20.1.3. Build, Acquire and Implement (BAI)
20.1.4. Deliver, Service and Support (DSS)
20.1.5. Monitor, Evaluate and Assess (MEA)

21. Appendix C Detailed Guidance: Organisational Structures Enabler
21.1.1. Chief Information Security Officer
21.1.2. Information Security Steering Committee
21.1.3. Information Security Manager
21.1.4. Enterprise Risk Management Committee
21.1.5. Information Custodians/Business Owners

22. Appendix D Detailed Guidance: Culture, Ethics and Behaviour Enabler
22.1.1. Behaviours
22.1.2. Leadership

23. Appendix E Detailed Guidance: Information Enabler
23.1.1. Information Security Stakeholders Template
23.1.2. Information Security Strategy
23.1.3. Information Security Budget
23.1.4. Information Security Plan
23.1.5. Policies
23.1.6. Information Security Requirements
23.1.7. Awareness Material
23.1.8. Information Security Review Reports
23.1.9. Information Security Dashboard

24. Appendix F Detailed Guidance: Services, Infrastructure and Applications Enabler
24.1.1. Security Architecture
24.1.2. Security Awareness
24.1.3. Secure Development
24.1.4. Security Assessments
24.1.5. Adequately Secured and Configured Systems Aligned With Security Requirements and Security Architecture
24.1.6. User Access and Access Rights in Line With Business Requirements
24.1.7. Adequate Protection Against Malware, External Attacks and Intrusion Attempts
24.1.8. Adequate Incident Response
24.1.9. Security Testing
24.1.10. Monitoring and Alert Services for Security-related Events

25. Appendix G Detailed Guidance: People, Skills and Competencies Enabler
25.1.1. Information Security Governance
25.1.2. Information Security Strategy Formulation
25.1.3. Information Risk Management
25.1.4. Information Security Architecture Development
25.1.5. Information Security Operations
25.1.6. Information Assessment and Testing and Compliance

26. Appendix H Detailed Mappings
27. Acronyms
28. Glossary



This article was contributed by Jason Jacobs from Guyana. Jason is a member of our CCT Professional Community on Discord. CCT means Caribbean Cyber Team.