
Understanding COBIT 2019: A Practical Guide for CISA and CRISC Candidates

TK · March 10, 2026 · certification, exam-prep, audit

COBIT (Control Objectives for Information and Related Technologies) is ISACA's flagship framework — and it shows up frequently on both the CISA and CRISC exams. Here's what you need to know.

What is COBIT 2019?

COBIT 2019 is a comprehensive framework for the governance and management of enterprise information and technology (I&T). It helps organizations:

Align IT with business objectives
Optimize IT risk management
Deliver value from IT investments
Ensure regulatory compliance

COBIT's Core Principles

COBIT 2019 is built on 6 principles for a governance system:

Provide Stakeholder Value — Every I&T decision should create value for stakeholders
Holistic Approach — Governance requires considering multiple components working together
Dynamic Governance System — The system adapts as enterprise design factors change
Governance Distinct from Management — Governance (evaluate, direct, monitor) vs. Management (plan, build, run, monitor)
Tailored to Enterprise Needs — One size does not fit all
End-to-End Governance System — Covers the entire enterprise, not just the IT function

COBIT's Structure: 40 Objectives

COBIT organizes IT processes into 5 domains with 40 governance and management objectives:

Governance Domain (EDM)

Evaluate, Direct and Monitor — 5 objectives
Examples: EDM01 (Ensure Governance Framework), EDM02 (Ensure Benefits Delivery), EDM03 (Ensure Risk Optimization)

Management Domains

APO (Align, Plan and Organize) — 14 objectives
BAI (Build, Acquire and Implement) — 11 objectives
DSS (Deliver, Service and Support) — 6 objectives
MEA (Monitor, Evaluate and Assess) — 4 objectives

How COBIT Appears on the CISA Exam

COBIT is most heavily tested in Domain 2 (Governance and Management of IT), but it appears across all domains:

Domain 1: Audit planning using COBIT as a control framework
Domain 2: IT governance structure based on COBIT principles
Domain 3: BAI processes for system acquisition and development
Domain 4: DSS processes for operations management
Domain 5: MEA processes for monitoring security controls

Exam tip: You won't be asked to memorize all 40 objectives. Focus on understanding the governance vs. management distinction and the key processes in each domain.

How COBIT Appears on the CRISC Exam

CRISC focuses on COBIT's risk-related objectives:

EDM03: Ensure Risk Optimization
APO12: Manage Risk
APO13: Manage Security
MEA03: Manage Compliance with External Requirements

COBIT vs. Other Frameworks

COBIT is the umbrella framework that ties the others together. ISACA exams expect you to know where COBIT fits relative to other frameworks.

Study Tips

Memorize the 5 domain acronyms: EDM, APO, BAI, DSS, MEA
Understand the cascade: stakeholder needs → enterprise goals → alignment goals → governance/management objectives
Know the key difference: Governance = EDM (board-level), Management = APO/BAI/DSS/MEA (execution-level)

Deepen your COBIT knowledge with our CISA and CRISC prep courses.
