COBIT (Control Objectives for Information and Related Technologies) is a
framework for developing, implementing, monitoring, and improving IT governance
and management practices. In COBIT 5 and COBIT 2019, the concept of domains
organizes governance and management objectives.
Below is a list of all COBIT control objectives (sometimes called "processes"), categorized under the five domains that COBIT uses. COBIT 5 organizes IT governance and management into one governance domain and four management domains:
Governance Domain (Evaluate, Direct and Monitor - EDM)
Management Domains:
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)
Each domain contains several processes that group related activities. For example:
EDM domain includes processes like EDM01, EDM02, etc.
APO domain includes APO01, APO02, etc.
GOVERNANCE Domain:
1. Evaluate, Direct and Monitor (EDM)
EDM01: Ensure Governance Framework Setting and Maintenance
i. EDM01.01 – Evaluate the Governance System
ii. EDM01.02 – Evaluate the Governance Framework Setting and Maintenance
iii. EDM01.03 – Evaluate the Governance System Components
iv. EDM01.04 – Evaluate the Enterprise’s Strategic Direction
v. EDM01.05 – Evaluate the Performance of the Governance System
EDM02: Ensure Benefits Delivery
i. EDM02.01 – Evaluate Value Optimization
ii. EDM02.02 – Direct Value Optimization
iii. EDM02.03 – Monitor Value Optimization
EDM03: Ensure Risk Optimization
i. EDM03.01 – Evaluate Risk Management
ii. EDM03.02 – Direct Risk Management
iii. EDM03.03 – Monitor Risk Management
EDM04: Ensure Resource Optimization
i. EDM04.01 – Evaluate Resource Management
ii. EDM04.02 – Direct Resource Management
iii. EDM04.03 – Monitor Resource Management
EDM05: Ensure Stakeholder Engagement
i. EDM05.01 – Ensure Governance Framework Setting and Maintenance
ii. EDM05.02 – Ensure Strategic Decision Making
iii. EDM05.03 – Ensure Oversight
iv. EDM05.04 – Ensure Stakeholder Transparency
MANAGEMENT Domains:
1. Align, Plan and Organize (APO)
APO01: Manage the IT Management Framework
i. APO01.01 – Establish the IT Management Framework
ii. APO01.02 – Establish the Required Organizational Structures
iii. APO01.03 – Define Roles and Responsibilities
iv. APO01.04 – Maintain the Enabling Culture
v. APO01.05 – Monitor the IT Management Framework
APO02: Manage Strategy
i. APO02.01 – Define the Strategic Requirements
ii. APO02.02 – Define the Strategic Plan
iii. APO02.03 – Define the IT Tactical Plans
iv. APO02.04 – Communicate the IT Strategy and Direction
v. APO02.05 – Monitor and Evaluate the IT Strategy
APO03: Manage Enterprise Architecture
i. APO03.01 – Define Enterprise Architecture
ii. APO03.02 – Establish a Road Map
iii. APO03.03 – Establish Architecture Governance
iv. APO03.04 – Ensure Compliance With Architecture
APO04: Manage Innovation
i. APO04.01 – Identify and Evaluate Technology and Innovation Opportunities
ii. APO04.02 – Plan for Innovation
iii. APO04.03 – Manage the Innovation Process
iv. APO04.04 – Monitor and Evaluate the Innovation Process
APO05: Manage Portfolio
i. APO05.01 – Identify Portfolio Components
ii. APO05.02 – Prioritize Portfolio Components
iii. APO05.03 – Authorize Portfolio Components
iv. APO05.04 – Manage Portfolio Performance
APO06: Manage Budget and Costs
i. APO06.01 – Establish and Maintain the IT Budget
ii. APO06.02 – Monitor IT Costs and Budget Execution
iii. APO06.03 – Control IT Costs
iv. APO06.04 – Manage IT Financial Risk
APO07: Manage Human Resources
i. APO07.01 – Plan Human Resources
ii. APO07.02 – Acquire and Retain Human Resources
iii. APO07.03 – Develop and Manage Human Resources
iv. APO07.04 – Manage Human Resource Performance
v. APO07.05 – Manage Human Resource Risks
APO08: Manage Relationships
i. APO08.01 – Identify and Understand Stakeholders
ii. APO08.02 – Define Relationship Management Strategy
iii. APO08.03 – Manage Stakeholder Communication
iv. APO08.04 – Monitor and Evaluate Relationship Performance
APO09: Manage Service Agreements
i. APO09.01 – Define Service Requirements
ii. APO09.02 – Establish Service Agreements
iii. APO09.03 – Monitor Service Performance
iv. APO09.04 – Manage Service Agreements Lifecycle
APO10: Manage Suppliers
i. APO10.01 – Develop and Maintain a Supplier Management Framework
ii. APO10.02 – Select Suppliers
iii. APO10.03 – Establish Supplier Agreements
iv. APO10.04 – Monitor Supplier Performance
v. APO10.05 – Manage Supplier Relationships
vi. APO10.06 – Manage Supplier Contract Changes and Termination
APO11: Manage Quality
i. APO11.01 – Define Quality Management Framework
ii. APO11.02 – Plan Quality Management
iii. APO11.03 – Implement Quality Assurance
iv. APO11.04 – Monitor and Improve Quality
APO12: Manage Risk
i. APO12.01 – Establish and Maintain Risk Management Framework
ii. APO12.02 – Identify and Analyze Risks
iii. APO12.03 – Develop Risk Response Plans
iv. APO12.04 – Monitor and Report Risks
APO13: Manage Security
Practice ID | Practice Title | Key Control Focus
APO13.01 | Establish and Maintain Security Management Framework | Policies, roles, standards, awareness training
APO13.02 | Manage Security Risk | Security risk assessments, treatment plans, audits
APO13.03 | Implement Security Controls | Access control, network security, encryption, physical security
APO13.04 | Monitor and Report Security Performance | Security monitoring, incident response, reporting
APO14: Manage Data
Practice ID | Practice Title | Key Control Focus
APO14.01 | Establish and Maintain Data Management Framework | Policies, governance, platforms, alignment with architecture
APO14.02 | Define and Implement Roles and Responsibilities | Data owners/stewards, accountability, training
APO14.03 | Establish and Maintain Data Quality | Data standards, profiling, cleansing, monitoring
APO14.04 | Manage Data Lifecycle | Classification, retention, archival, destruction
APO14.05 | Ensure Regulatory and Policy Compliance | Legal/regulatory compliance, privacy, breach response
2. Build, Acquire and Implement (BAI)
BAI01: Manage Programs and Projects
Practice ID | Practice Title | Key Control Focus
BAI01.01 | Maintain Standard Approach | Methodologies, templates, governance structures
BAI01.02 | Initiate a Programme | Charter, business case, alignment, sponsorship
BAI01.03 | Manage Stakeholder Engagement | Communication, involvement, conflict resolution
BAI01.04 | Develop and Maintain Program Plan | Schedule, budgeting, risk management
BAI01.05 | Launch and Execute the Program | Kickoffs, performance tracking, issue/risk/change management
BAI01.06 | Monitor, Control and Report on Outcomes | Dashboards, KPIs, benefits tracking, status reports
BAI01.07 | Close a Program | Post-implementation review, benefits validation, documentation
BAI02: Manage Requirements Definition
Practice ID | Practice Title | Key Control Focus
BAI02.01 | Identify and Evaluate Opportunities | Business need assessments, feasibility studies, cost-benefit analysis
BAI02.02 | Research and Analyze Requirements | Elicitation techniques, traceability, validation
BAI02.03 | Manage Requirements Traceability and Changes | Repository, change control, impact analysis
BAI02.04 | Maintain Requirements | Review and update, version control, stakeholder communication
BAI03: Manage Solutions Identification and Build
Practice ID | Practice Title | Key Control Focus
BAI03.01 | Design High-Level Solutions | Solution design, architecture alignment, integration planning
BAI03.02 | Develop Solution Components | Development standards, configuration, source control
BAI03.03 | Develop Solution Test Scenarios and Plans | Test strategy, cases, peer review, preparation
BAI03.04 | Perform Tests | Functional and non-functional testing, defect tracking
BAI03.05 | Manage Reuse of Components | Reusable asset repository, reuse policy, component lifecycle management
BAI04: Manage Availability and Capacity
Practice ID | Practice Title | Key Control Focus
BAI04.01 | Assess Current Availability and Capacity | Monitoring tools, performance baselines, bottleneck identification
BAI04.02 | Forecast Future Availability and Capacity | Demand prediction, trend analysis, forecasting tools
BAI04.03 | Identify and Implement Improvements | Gap analysis, upgrades, redundancy, root cause analysis
BAI04.04 | Monitor Availability and Report | Dashboards, SLA tracking, availability reports, stakeholder communication
BAI05: Manage Organizational Change Enablement
Practice ID | Practice Title | Key Control Focus
BAI05.01 | Create Readiness for Change | Readiness assessments, change agents, early communications
BAI05.02 | Formulate Stakeholder Engagement Plan | Stakeholder mapping, tailored engagement strategies
BAI05.03 | Plan and Execute Communication Activities | Communication plans, feedback loops, multi-channel strategies
BAI05.04 | Enable Operation and Use | Training, support materials, job aids, knowledge transfer
BAI05.05 | Reinforce and Sustain Change | Monitoring adoption, success reinforcement, behavioral incentives
BAI06: Manage Changes
Practice ID | Practice Title | Key Control Focus
BAI06.01 | Evaluate, Prioritize and Authorize Changes | Risk/impact analysis, prioritization, CAB approvals
BAI06.02 | Manage Emergency Changes | Fast-tracked approvals, audit trail, post-change review
BAI06.03 | Track and Report Change Status | Change log, real-time dashboards, exception reports
BAI06.04 | Close and Document Changes | Post-implementation reviews, documentation updates, lessons learned
BAI07: Manage Change Acceptance and Transitioning
Practice ID | Practice Title | Key Control Focus
BAI07.01 | Plan Transition | Transition strategy, acceptance criteria, scheduling
BAI07.02 | Maintain Business Process Continuity | Risk assessments, fallback plans, monitoring
BAI07.03 | Validate Readiness for Transition | Readiness checklists, final testing, training verification
BAI07.04 | Execute Actual Transition | Cutover execution, communication, deployment confirmation
BAI07.05 | Provide Early Life Support | Hypercare, prioritized issue tracking, support effectiveness monitoring
BAI07.06 | Review and Close the Transition | Lessons learned, outcome review, formal sign-off
BAI08: Manage Knowledge
Practice ID | Practice Title | Key Control Focus
BAI08.01 | Identify and Collect Knowledge | SME engagement, documentation standards, capture of key learnings
BAI08.02 | Organize and Contextualize Knowledge | Taxonomy, metadata, templates, role-based categorization
BAI08.03 | Use and Share Knowledge | Knowledge portal access, knowledge integration into tools and workflows
BAI08.04 | Evaluate and Improve Knowledge Assets | Content reviews, user feedback, lifecycle governance
BAI09: Manage Assets
Practice ID | Practice Title | Key Control Focus
BAI09.01 | Identify and Classify Assets | Inventory tools, asset register, classification by criticality and ownership
BAI09.02 | Manage Asset Life Cycle | Procurement, deployment, maintenance, and disposal practices
BAI09.03 | Optimize Asset Costs | TCO tracking, license management, cost optimization
BAI09.04 | Manage Asset Protection | Physical/logical security, access restrictions, asset tracking
BAI10: Manage Configuration
Practice ID | Practice Title | Key Control Focus
BAI10.01 | Identify and Record Configuration Items | CI identification, documentation, and relationship mapping
BAI10.02 | Control Configuration Changes | Change approval, version control, audit trails
BAI10.03 | Verify Configuration Data Integrity | Audits, automated validation, corrective action
BAI10.04 | Report Configuration Status and Changes | Status reporting, impact analysis, stakeholder notifications
3. Deliver, Service and Support (DSS)
DSS01: Manage Operations
Practice ID | Practice Title | Key Control Focus
DSS01.01 | Manage Operations | Routine operations scheduling, incident response, performance monitoring
DSS01.02 | Manage IT Infrastructure | Maintenance, patching, capacity monitoring
DSS01.03 | Manage Job Scheduling | Automated scheduling, monitoring, exception handling
DSS01.04 | Manage Data | Data integrity, secure processing, backups
DSS02: Manage Service Requests and Incidents
Practice ID | Practice Title | Key Control Focus
DSS02.01 | Record Service Requests and Incidents | Accurate logging, ticket system usage, mandatory data fields
DSS02.02 | Classify and Prioritize | Impact/urgency criteria, priority assignment, escalation triggers
DSS02.03 | Diagnose and Resolve | Root cause analysis, resolution workflows, knowledge base use
DSS02.04 | Communicate and Escalate | Notifications, escalation procedures, stakeholder communication
DSS02.05 | Close Incidents and Service Requests | Closure verification, user feedback, documentation updates
DSS03: Manage Problems
Practice ID | Practice Title | Key Control Focus
DSS03.01 | Detect and Log Problems | Problem detection, logging, categorization
DSS03.02 | Diagnose and Analyze Root Causes | Root cause analysis techniques, collaboration, documentation
DSS03.03 | Develop and Implement Solutions | Change control, workaround implementation, solution testing
DSS03.04 | Monitor Problem Resolution and Closure | Tracking, verification, formal closure, lessons learned
DSS04: Manage Continuity
Practice ID | Practice Title | Key Control Focus
DSS04.01 | Develop and Maintain Continuity Plans | Continuity plan documentation, recovery objectives, plan updates
DSS04.02 | Conduct Continuity Risk Assessments | BIA, threat assessments, risk prioritization
DSS04.03 | Implement Continuity Controls | Redundancy, backups, security, alternative sites
DSS04.04 | Test Continuity Plans | Drills, simulations, training, plan updates
DSS04.05 | Manage Continuity Incidents | Plan activation, stakeholder communication, incident coordination
DSS05: Manage Security Services
Practice ID | Practice Title | Key Control Focus
DSS05.01 | Manage Security Operations | Security monitoring, IDS/IPS, event correlation
DSS05.02 | Manage Access and Identity | Access controls, RBAC, MFA, access reviews
DSS05.03 | Manage Security Incidents | Incident response, classification, forensic analysis
DSS05.04 | Manage Security Awareness | Training programs, phishing simulations, policy communication
DSS05.05 | Manage Security Tools and Technologies | Security tool deployment, patching, integration
DSS06: Manage Business Process Controls
Practice ID | Practice Title | Key Control Focus
DSS06.01 | Define Business Process Control Requirements | Risk and compliance requirements identification
DSS06.02 | Design and Implement Controls | SoD, authorization, automated/manual controls
DSS06.03 | Monitor Control Effectiveness | Self-assessments, audits, exception reports
DSS06.04 | Respond to Control Deficiencies | Remediation plans, root cause analysis, management reporting
4. Monitor, Evaluate and Assess (MEA)
MEA01: Monitor, Evaluate and Assess Performance and Conformance
Practice ID | Practice Title | Key Control Focus
MEA01.01 | Monitor IT Performance | KPI definition, data collection, performance analysis
MEA01.02 | Evaluate Compliance | Compliance audits, gap analysis, documentation
MEA01.03 | Assess Control Effectiveness | Control testing, audit coordination, deficiency management
MEA01.04 | Report Performance and Conformance | Dashboards, reporting cycles, communication, action plans
MEA02: Monitor, Evaluate and Assess the System of Internal Control
Practice ID | Practice Title | Key Control Focus
MEA02.01 | Establish Internal Control Framework | Control framework adoption, documentation, roles
MEA02.02 | Monitor Internal Control Environment | Ongoing assessments, monitoring, impact analysis
MEA02.03 | Evaluate Internal Control Effectiveness | Audits, control testing, gap identification
MEA02.04 | Report on Internal Control Status | Dashboards, executive reporting, deficiency communication
MEA03: Monitor, Evaluate and Assess Compliance with External Requirements
Practice ID | Practice Title | Key Control Focus
MEA03.01 | Identify Applicable External Requirements | Inventory maintenance, communication
MEA03.02 | Monitor Compliance Status | Monitoring tools, audits, exception tracking
MEA03.03 | Evaluate Compliance Effectiveness | Audits, gap analysis, root cause analysis
MEA03.04 | Report Compliance Results | Dashboards, audit reports, communication, follow-up
Domain | Abbreviation | Number of Controls
Evaluate, Direct and Monitor | EDM | 5
Align, Plan and Organize | APO | 14
Build, Acquire and Implement | BAI | 10
Deliver, Service and Support | DSS | 6
Monitor, Evaluate and Assess | MEA | 3
Total | | 38 Controls
EDM01
EDM01.01 – Evaluate the Governance System
EDM01.02 – Direct the Governance System
EDM01.03 – Monitor the Governance System
EDM01.04 – Ensure Continuous Improvement
EDM02: Ensure Benefits Delivery
EDM02.01 – Evaluate Value Optimization
EDM02.02 – Direct Value Management
EDM02.03 – Monitor Value Achievement
EDM03: Ensure Risk Optimization
EDM03.01 – Evaluate Risk Management
EDM03.02 – Direct Risk Management
EDM03.03 – Monitor Risk Management
EDM04: Ensure Resource Optimization
EDM04.01 – Evaluate Resource Management
EDM04.02 – Direct Resource Management
EDM04.03 – Monitor Resource Management
EDM05: Ensure Stakeholder Engagement
EDM05.01 – Evaluate Stakeholder Engagement
EDM05.02 – Direct Stakeholder Engagement
EDM05.03 – Monitor Stakeholder Engagement
APO01: Manage the IT Management Framework