Extracting More Value from IoT Using COBIT 2019

The time for making predictions about the number of IoT devices in future years and waiting for that time to come is long gone (however, if you really want to know, one source predicts there are going to be 75 billion IoT devices in 2025). If enterprises still have not thought about the ways IoT could bring them new value, now is certainly the right time to get started.

As the title suggests, COBIT 2019 and IoT could be a great combination for adding value to the enterprise. Auditors (including myself) need to follow the enterprises and keep up with IoT, so auditors can give reasonable assurance on topic.

Business Perspective

If an enterprise plans to adopt IoT, the most likely COBIT 2019 governance and management objectives it would have to focus on (in one of the possible scenarios) are:

  • APO03 Managed enterprise architecture
  • APO04 Managed innovation
  • APO07 Managed human resources
  • BAI10 Managed configuration
  • BAI03 Managed solutions identification and build
  • BAI07 Managed IT change acceptance and transitioning

Of course, those are only six of 40 governance and management objectives recognized by the COBIT 2019 framework. The rest of them should not be neglected by default.

To satisfy stated objectives, consider these seven components of the governance system:

  • Processes
  • Organizational structures
  • Principles, policies and frameworks
  • Information
  • Culture, ethics and behavior
  • People, skills and competencies
  • Services, infrastructure and applications

Although the components are thoroughly explained in COBIT 2019, they do not prescribe any IT-related decisions. Every enterprise needs to customize COBIT to its own needs, as there is no “one size fits all” solution.

Audit Perspective

As for auditors, we must agree there are differences when auditing technology that has been previously audited numerous times (database management systems, operating systems, etc.) compared to auditing some of the emerging technologies (such as IoT). Before you get a headache trying to figure out IoT-related risks, audit scope, etc., please continue reading.

In the ISACA Journal article “Auditing the IoT”, you’ll find important steps for conducting IoT audit engagements.

You might be asking yourself: “So, can COBIT 2019 also help?“. The answer is (obviously, if we look at the blog title) yes. Whether the organization harnessed the power of COBIT 2019 to incorporate IoT in its business or did it another way, the auditor has plenty of information in COBIT 2019 to kick-start an effective audit engagement. The rationale behind that is as follows:

  1. COBIT is a framework for the governance and management of enterprise information and technology – all the technology and information processing the enterprise puts in place to achieve its goals.
  2. Let us switch for a second to a definition of internal auditing by the Institute of Internal Auditors. Part of it states: ”It helps an organization accomplish its objectives.”

When we put one and two together, it is clear that:

  • If auditors are not aware of enterprise’s goals, they cannot fulfill their purpose; and
  • COBIT 2019 can help in getting more insight on achieving the following goal – getting value from IoT.

Auditors would be well-served to focus on the same governance and management objectives mentioned in the “Business Perspective” section of this blog, but it’s of great importance to repeat once more ... customize, customize, customize.

Written by Dusan Zikic, CISA, CISM, CRISC, COBIT 5 Foundation, COBIT 2019 Foundation, CSXP, CSXF, Cybersecurity Audit Certificate, ITIL Foundation (Serbia); excerpted from the ISACA Now Blog