
Are the control objectives meant to be a minimum level of control or best practice?


IT control objectives are statements of managerial actions to achieve necessary outcomes or purposes to control risk and add value within a particular IT process. They are written as short, action-oriented management practices and expressed wherever possible in a life cycle sequence. Control objectives are complemented by COBIT Control Practices, Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, which describe a set of management actions designed to attain the outcomes described in the control objective. Management makes choices relative to control objectives:

• Selecting those that are applicable in the enterprise's setting
• Determining the cost-benefit ratio of adopting the control objective, including acceptance of the risk of not implementing a control objective
• Deciding on the actual control practices and implementing them or choosing alternative management actions to achieve the similar outcomes
• Choosing how to implement (frequency, span, reso


They are both minimum levels of control and best practice, because we are still at the level of control objectives, not yet at the control guidelines or control practices level. This will be addressed by further phases of the COBIT project, where the environment of the enterprise, the specific business objectives, the level of security one wants to achieve, the degree of risk one wants to accept, etc., will all determine how the control objectives for a process will be translated into the right level of control. Because all of these choices are not self-evident, and because the control selection process can be onerous and time consuming, standard minimum security and control levels certainly should be developed and promoted.
