Guide to COBIT Compliance for Business in Canada

In 2021, Canadian businesses must have an internal conversation about compliance. Small and Medium Businesses in Canada are increasingly susceptible to cyberattacks. According to the Canadian Centre for Cyber Security (CCCS), cybercrime is the biggest threat to Canadian businesses with more than 11 cyberattacks on average per day. In a different study published by Hiscox, it was revealed that the cost of a single SMB cyber incident could go as high as $200,000.

And while lack of IT security infrastructure plays a major role, most of these attacks were based on social engineering and phishing – highlighting the need for better general awareness and cybersecurity education.

This is where a global cybersecurity standard like COBIT comes in.

What is COBIT Compliance?

If you search online for the most important IT compliance frameworks for Canadian businesses, you’ll most likely find COBIT to be among the top results. But what is it?

COBIT, short for Control Objectives for Information and Related Technologies, is an IT governance framework utilized by different organizations to implement IT governance strategies. It was launched as a regulatory program by Information Systems Audit and Control Association (ISACA) in 1996.

ISACA is a professional organization guiding and overseeing IT governance. Its goal is to draft methodologies that allow organizations to link IT objectives with overall business goals. Since COBIT’s launch, ISACA has pushed IT teams to look into critical business integrations and operations, and has also educated numerous businesses on cybersecurity policies and best practices.

COBIT has evolved six times to tackle the ever-changing challenges of modern IT security, with the most recent iteration being COBIT 2019. The latest version of the framework brings numerous changes from its predecessor, COBIT 5.

What Does It Mean to Be COBIT Compliant?

COBIT compliance helps Canadian businesses monitor, manage, and implement their different IT processes.

COBIT touches nearly every aspect of a business’s operations, and businesses that are COBIT compliant can be expected to have a certain level of operational efficiency and risk mitigation, especially in how IT resources are utilized and processes carried out. In addition, COBIT compliant businesses meet a series of globally recognized business requirements based on metrics such as integrity, effectiveness, efficiency, compliance, service reliability, and more.

Being COBIT compliant doesn’t, however, guarantee that a business possesses a specific capability or technology. Instead, the entire framework is built around a series of best practices and guidelines developed to improve IT governance and management.

In other words, being COBIT compliant means that a business has the minimum level of operational awareness needed to effectively achieve its IT goals along with its overall organizational goals. This level is determined by ISACA. “Operational awareness” refers to knowledge of the best practices and processes (40 in total) that COBIT-compliant businesses implement.

How is COBIT Structured?

At the core, COBIT 2019 is a framework for governance and management. Unsurprisingly then, the main COBIT 2019 guide is structured around these two domains and discusses various objectives, processes, and approaches that can be implemented to achieve organizational goals.

The Framework guide has two parts:

  1. Introduction and methodology
  2. Governance and management objectives

In addition to the Framework guide, there are two other components:

  • a companion design guide
  • a companion implementation guide.

Objectives of COBIT 2019

A business that wants to become COBIT compliant should incorporate these six principles:

  1. Provide stakeholder value and address stakeholder needs related to SMB security
  2. Follow a holistic business management approach for comprehensive coverage of the whole business
  3. Use a dynamic governance system
  4. Governance should be distinct from management
  5. Build an end-to-end governance system
  6. Tailor it to enterprise needs

How Does COBIT Help with IT Governance?

COBIT encourages and enables businesses to use the EDM approach to better govern their IT practices. EDM stands for:

  • Evaluate
  • Direct
  • Monitor

How Does COBIT Help with IT Process Management?

Similarly, for management purposes, the primary method is called the PBRM method, which stands for Plan, Build, Run, and Monitor.

Other approaches can be used for this as well, namely APO, BAI, DSS, and MEA.

In addition to these approaches and methods, COBIT also outlines:

  • Process descriptions
  • Management guidelines
  • Maturity models
  • Control objectives

Measuring Process Capability Level

Within COBIT 2019, an organization measures and continuously improves its process capability level for each process.

Level 0

Lack of any basic capability. Incomplete approach to addressing the governance and management purpose. May or may not be meeting the intent of any process practices.

Level 1

The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive, not organized.

Level 2

The process achieves its purpose through the application of a basic yet complete set of activities that can be characterized as performed.

Level 3

The process achieves its purpose in a much more organized way using organizational assets. Processes are typically well defined.

Level 4

The process achieves its purpose, is well defined, and its performance is quantitatively measured.

Level 5

The process achieves its purpose, is well defined, its performance is measured, and continuous improvement is pursued.

How Can Canadian Small Businesses Become COBIT Compliant?

At its core, the COBIT framework is a series of comprehensive guidelines that businesses can use to improve their IT governance and management. It is not a rulebook with steps that must be followed to the letter. Instead, it covers a myriad of areas (not all of which will be relevant to your business) that need to be analyzed and then applied to your own business operations.

Becoming COBIT-compliant involves going through the study material and then taking an exam.

Businesses can get access to content and training by purchasing it themselves or by working with a managed service provider who has already bought COBIT’s content and can use it to analyze the business’s compliance level. Most of the “study material” carries forward from the previous iteration, COBIT 5, with slight changes in terminology and structure as well as a larger emphasis on risk management.

The certification itself comes in a few different forms, depending on how you achieve COBIT compliance. The main ways of becoming COBIT compliant include:

  • A one-day COBIT Bridge Workshop
  • COBIT 2019 Foundation exam after a two-day course
  • COBIT 2019 Design and Implementation exam

After completing the COBIT courses, you should be able to:

  • Identify your IT direction and goals.
  • Identify your IT relationships and infrastructure.
  • Make sure that you have a strategic information technology plan.
  • Clarify and define your company’s susceptible information architecture.
  • Evaluate your severity level and risks for every potential outcome.
  • Pinpoint the best route to manage your IT systems.
  • Communicate with your internal and external stakeholders your IT management requirements and goals.
  • Thoroughly map out all controls to your compliance checklist.
  • Closely monitor control efficacies and compliance goals.

As is the case with every other compliance framework, it’s almost always best to get in touch with an expert to ensure a successful and on-time remediation process.

The Cost of COBIT Compliance

The COBIT 2019 Foundation exam fee varies globally, and in Canada, it ranges from $231 to $362 CAD. This fee is non-transferable and non-refundable. If you’re taking the online exam for COBIT compliance, you need to confirm your access to said exam before you register.

There are no specific prerequisites for taking the exam, but you do need to study the COBIT foundation course material to answer the exam questions correctly.

Benefits of Becoming COBIT Compliant

Becoming COBIT compliant has numerous benefits, some of which often go under the radar. To understand its true value, let’s take a closer look at the benefits of becoming compliant with COBIT 2019.

Improved odds of passing vendor screenings: Compliance with the COBIT framework matters for SMBs because it’s the common language businesses speak when they need to talk about risk management goals, business objectives, and IT controls. Without this language, an organization that goes through vendor screenings could have difficulty conveying the specifics of its IT controls and capabilities, making the screening process longer while reducing its odds of passing.

On the other hand, being COBIT 2019 compliant is a welcome green flag for potential clients who not only see your IT system as safe and secure but also respect the lengths you’ve gone to improve IT governance and management.

Compliance also wins the trust of stakeholders, suppliers, customers, and employees.

IT infrastructure and systems alignment: Aside from ensuring that customer and user needs are met, COBIT also helps ensure that your IT goals are consistent with your bigger business goals and strategies. With this, day-to-day operations become smoother, thanks to more efficient use of resources.

Better compliance: Adhering to COBIT guidelines is a great investment if you plan on further strengthening your business with other compliance frameworks. COBIT 2019 can be easily integrated with other compliance and regulatory frameworks including:

  • ITIL
  • ISO 20000
  • ISO 27001

IT optimization and future-proofing: COBIT 2019 enables businesses to identify areas that need to be prioritized, learn the relevant best practices, and acquire tools that make improvements in those areas much easier. In the end, these processes become more cost-effective and efficient.

COBIT 2019 introduces you to advanced tools and models that better equip you for both future growth and threats.

Wrapping up…

Many SMB owners don’t think about investing in cybersecurity because it would take a portion of their operating budget. This short-term mindset is precisely what works for cybercriminals and is one of the reasons why small businesses are easy targets for hackers.

Today, governments around the world, and particularly in Canada, are ramping up data security measures, which means ignoring compliance and data security is no longer feasible.

If you’re a small business in Canada, you need to act now. Don’t wait: invest in your COBIT education and certification today. COBIT is one of the most cost-effective regulatory frameworks that takes into account the specific pain points of small businesses.

It generally costs little in terms of IT infrastructure and security upgrades. But the benefits of an aware team and secure system certainly outweigh the investment cost. And of course, businesses significantly reduce the risk of getting their data and operations compromised.

Already know the importance of IT security and looking for a Toronto Managed IT Services Provider to help you achieve your objectives? Talk to us today. TUCU has been serving small and growing businesses in Toronto with integrity and skill since 2003.