Qualys Solutions for IT Security & Compliance

Qualys' continuous security approach to IT security and compliance enables organizations of all sizes to successfully achieve both vulnerability management and policy compliance initiatives cohesively, while reducing costs and streamlining operations. Using an innovative Software as a Service (SaaS) approach, the Qualys® Security and Compliance Suite combines Qualys' industry leading vulnerability management service with a comprehensive IT compliance solution.

COBIT is an acronym for the IT governance and control framework called Control Objectives for Information and related Technology. COBIT provides a management and operational framework for compliance, whereas laws mandating information security usually say little to nothing about how to achieve the compliance they require. COBIT therefore acts as an "intermediary standard": its accepted best practices are what an organization's auditors check against when verifying IT security compliance with laws such as Sarbanes-Oxley and Gramm-Leach-Bliley. This page provides background information about COBIT and describes how solutions from Qualys help organizations use this framework for compliance.


The first version of COBIT was published in 1996. Its sponsors were the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). According to ISACA, "COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework." COBIT has undergone several iterations; the current version is 5.

Why COBIT Matters to Your Organization

COBIT is important because it provides organizations with an actionable framework that covers all aspects of governance and management of information and technology assets. In addition, auditors rely on COBIT for verification of compliance with security mandates in public laws. Typically, legislators focus on setting policy and leave implementation details to standards set by accredited organizations. For example, a major driver for IT security in public corporations is the Sarbanes-Oxley Act of 2002. The Act requires improving and safeguarding the reliability and transparency of accounting statements and regulatory filings, but its key section (Section 404) contains fewer than 75 words about internal controls and procedures, and does not even mention information technology or IT security. COBIT fills in the blanks by specifying a comprehensive framework of best practices with actionable measures, indicators and processes for compliance.

Considerations for Using COBIT

The adoption and implementation of COBIT entails understanding and using its key concepts, principles, enablers, domains, processes and practices. COBIT 5 starts with two main areas: governance and management. These are further separated into five process domains: one governance domain (Evaluate, Direct and Monitor, EDM) and four management domains (Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; Monitor, Evaluate and Assess).

The five domains together contain 37 high-level IT processes: 5 in the governance domain and the 32 management processes listed below. Achieving these requires appropriate governance and implementation of business processes and information systems. See the COBIT framework for details.

COBIT 5 Management Processes
Align, Plan and Organise

APO01 Manage the IT Management Framework

APO02 Manage Strategy

APO03 Manage Enterprise Architecture

APO04 Manage Innovation

APO05 Manage Portfolio

APO06 Manage Budget and Costs

APO07 Manage Human Resources

APO08 Manage Relationships

APO09 Manage Service Agreements

APO10 Manage Suppliers

APO11 Manage Quality

APO12 Manage Risk

APO13 Manage Security

Build, Acquire and Implement

BAI01 Manage Programmes and Projects

BAI02 Manage Requirements Definition

BAI03 Manage Solutions Identification and Build

BAI04 Manage Availability and Capacity

BAI05 Manage Organisational Change Enablement

BAI06 Manage Changes

BAI07 Manage Change Acceptance and Transitioning

BAI08 Manage Knowledge

BAI09 Manage Assets

BAI10 Manage Configuration

Deliver, Service and Support

DSS01 Manage Operations

DSS02 Manage Service Requests and Incidents

DSS03 Manage Problems

DSS04 Manage Continuity

DSS05 Manage Security Services

DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess

MEA01 Monitor, Evaluate and Assess Performance and Conformance

MEA02 Monitor, Evaluate and Assess the System of Internal Control

MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
