
Help for you to decide

Conclusions first

Business is complex. COBIT 5 is different to its predecessors.  It covers the entire enterprise, so no wonder it, too, is complex. That suggests I, and others, should take the time to understand COBIT 5 from its fundamental principles through to application in the workplace. Employers may not voice requirements but they hold expectations that the reviews and assessments will cope with the complexity.  This blog follows my thought process to get to these conclusions.

The road to Damascus

This is a ‘dither blog’.  There are three dithers affecting me.

My first dither was whether to vote ‘leave’ or ‘remain’ in the UK’s European Union membership referendum of the 23rd June. The perceived benefits of either option were unclear. The complexity prevented simple and succinct explanations.

The second dither is about India.  At ‘the India Seminar’ a couple of weeks ago, hosted by Lalcap, the Expert Panel shared views on India’s business performance.  My conclusion: India dithers on how best to embrace opportunity.  The need to modernise is understood but complexity prevents India going for the benefits modernisation can bring.

The third dither is whether I should do the COBIT 5 Implementer qualification. Should I ‘modernise’ or rely, instead, on my past experience? After all, I am an old hand at assurance over governance, risk, security and controls.

Looking at my three dithers, the common theme is clarifying the benefits. Let’s concentrate on the third dither:

  1. What are the upsides of the qualifications?
  2. How much guidance is on offer?
  3. Does anyone care if I have them?

Finding the upsides

COBIT 5’s content and purpose is to provide valuable insights into organisations’ effectiveness.

The training has four tracks, ‘Implementer’, ‘Assessor’, ‘NIST Cybersecurity Framework’ and ‘COBIT 5 Assessor for Security’, all based on a shared ‘Foundation’ level course and exam.  The choice of ‘which track?’ is then down to the individual. For me, it is whether I go down the ‘Assessor’ or ‘Implementer’ track.

Having looked at both, the ‘Implementer’ certification would best suit my career development. I am expert at reviewing and assessing but where firms need more help is in obtaining practical advice to address what the reviews revealed. I need to understand each COBIT 5 component and when to use them. That is why I believe the Implementer track is the right choice.  ISACA states that I will “get a practical appreciation of how to apply COBIT 5 to specific business problems”.

The Foundation level provides insight into the components.  We should make COBIT 5 fit the organisation, not the other way around.  COBIT 5 has been designed that way and the Practitioner level, the second part of the Implementer track, shows how to extract and apply the appropriate bits of COBIT 5 to the organisation.

Summarising the upsides: the Implementer track seems an excellent approach to establishing solid governance and control across business and IT.  This qualification is something for people of all experiences as it prepares us to deal with the issues facing a 21st century business.  In fact, I would say it is more important for the more experienced, who tend to rely on their past experience.


There are a lot of advice and training options available, but navigating through them takes time. Here are three examples, each helpful in describing what is on offer, but none has instantly helped me decide on what to do:

  • ISACA’s website has information on qualifications. Training is carried out by ISACA-approved trainers, all charging their own fees.
  • APMG offers self-study for all levels and their website lists over 350 global training organisations.
  • There are firms that try to address COBIT 5’s complexity. One such example is from IT Governance at, not to be confused with ISACA’s own IT Governance Institute. On offer is a toolkit for purchase that allows you to “simplify your COBIT® 5 implementation project”.

Will employers value my qualification?

I feel this is a key issue. I want employers to value the qualification I have. In research I did a few months back for an ISACA blog, I found a mixed response to COBIT: it was assumed IT auditors would have COBIT experience but there was no mention of needing COBIT 5 qualifications.

Looping back to my three dithers, the benefits must be clear. If we do not understand them, we will miss the opportunities COBIT 5 brings.

Last conclusions

  • COBIT 5 qualifications will bring benefits to the holders of those qualifications and the organisations they work for but ….
  • …. The benefits need to be stated more clearly and that, I hope, will make employers value them.
  • My journey to this last and to my opening conclusions has made me recognise I must, in my own way, modernise.



Author - Sue Milton

Originally published - 30 June 2016

