Domain 2

IT Governance & Management Frameworks: COBIT, ITIL & Enterprise Architecture

CISA Domain 2 examines your ability to evaluate IT governance structures that align technology with business strategy. Accounting for 17% of the exam (approximately 26 questions), this domain tests whether you can assess organizational structures, governance frameworks like COBIT and ITIL, strategic planning processes, and risk management practices that ensure effective IT oversight.

Understanding Domain 2's Role in the CISA Exam

IT governance represents the strategic component of information technology management—the decision-making framework that determines how organizations use technology to achieve business objectives. While management focuses on day-to-day operations and tactical execution, governance provides direction, oversight, and accountability at the board and executive level.

Domain 2 validates your ability to evaluate whether organizations have implemented appropriate governance structures, policies, and procedures. You must demonstrate knowledge of industry-standard frameworks, understand how to assess organizational maturity, and recognize the distinction between governance activities (strategic) and management activities (operational).

The Governance vs. Management Distinction

This is one of the most critical concepts for CISA success. Governance involves evaluating strategic options, directing management on priorities, and monitoring achievement of objectives—typically performed by the board of directors and executive leadership. Management involves planning, building, running, and monitoring activities according to the direction set by governance—performed by IT leadership and operational teams.

Governance

  • Board/Executive Level
  • Strategic Direction
  • Policy Approval
  • Risk Appetite Setting
  • Performance Oversight

Management

  • CIO/IT Leadership
  • Tactical Implementation
  • Policy Execution
  • Risk Mitigation
  • Day-to-Day Operations

COBIT 2019: The Foundation of IT Governance

COBIT (Control Objectives for Information and Related Technologies) serves as the premier framework for IT governance and management. Developed by ISACA, COBIT 2019 represents the current iteration—note that ISACA now uses year-based versioning rather than version numbers to reflect the dynamic nature of technology governance.

COBIT's Core Purpose and Structure

COBIT 2019 provides a comprehensive framework for enterprise governance of information and technology (EGIT). It helps organizations create value from IT initiatives, optimize risk, optimize resource utilization, and align IT with business objectives. The framework addresses critical governance challenges: benefits realization, risk optimization, resource optimization, and business-IT alignment.

COBIT 2019: Five Domains and 40 Objectives

EDM (Evaluate, Direct, Monitor) - Governance Domain

The governance domain contains 5 objectives focused on board and executive-level activities:

  • EDM01 - Ensured Governance Framework Setting and Maintenance
  • EDM02 - Ensured Benefits Delivery
  • EDM03 - Ensured Risk Optimization
  • EDM04 - Ensured Resource Optimization
  • EDM05 - Ensured Stakeholder Engagement

Management Domains (35 Objectives)

APO (Align, Plan, and Organize) - 14 objectives covering strategy, architecture, innovation, portfolios, budget, human resources, relationships, agreements, suppliers, quality, risk, and security. This domain addresses overall organization strategy and supporting activities.

BAI (Build, Acquire, and Implement) - 11 objectives covering programs, requirements, solutions, availability, organizational change, IT changes, change acceptance, knowledge, assets, and configuration. This domain handles solution identification through implementation.

DSS (Deliver, Service, and Support) - 6 objectives covering operations, service requests, problems, continuity, security services, and business process controls. This domain covers operational delivery and support.

MEA (Monitor, Evaluate, and Assess) - 4 objectives covering performance, system of internal control, compliance, and assurance. This domain addresses performance monitoring and compliance assessment.

COBIT 2019's Key Innovations

COBIT 2019 introduced several significant improvements over COBIT 5:

Design Factors: Organizations can now customize COBIT implementation based on contextual factors including enterprise strategy, enterprise goals, risk profile, IT issues, compliance requirements, role of IT, sourcing model, implementation methods, technology adoption, enterprise size, and culture. These factors allow tailoring the framework to specific organizational needs.

Focus Areas: COBIT 2019 introduced modular focus areas that address specific governance topics like cybersecurity, cloud computing, DevOps, small and medium enterprises, and digital transformation. Focus areas combine generic governance components with variants customized for specific contexts.

Goals Cascade: COBIT maps stakeholder needs to enterprise goals, then to alignment goals (IT-related goals), and finally to specific governance and management objectives. This cascade ensures that all IT activities trace back to business value.

COBIT Goals Cascade Example

Stakeholder Need: Business service continuity
Enterprise Goal: EG06 - Business service continuity and availability
Alignment Goal: AG07 - Managed IT services
Governance/Management Objectives: APO12, BAI10, DSS01-04, MEA01

This cascade ensures audit work connects technical controls to business value delivery.

Using COBIT in CISA Audit Context

As a CISA candidate, you must understand how to apply COBIT principles during audits. Key applications include:

Maturity Assessment: COBIT provides capability levels (0-5) for each process, allowing auditors to assess organizational maturity. Level 0 represents incomplete processes, while Level 5 represents optimizing processes with continuous improvement.

Control Evaluation: COBIT's 40 objectives contain detailed guidance on key management practices, work products, and activities. Auditors use these as benchmarks when evaluating whether organizations have implemented appropriate controls.

Risk Assessment: COBIT helps auditors identify IT-related risks by providing a structured view of all IT processes and their interconnections. Gaps in governance objectives indicate potential risk areas.

Compliance Mapping: COBIT serves as an umbrella framework that maps to other standards (ISO 27001, ITIL, NIST, regulatory requirements). Auditors can use COBIT to assess compliance across multiple frameworks simultaneously.


ITIL 4: IT Service Management Best Practices

While COBIT provides governance oversight, ITIL (Information Technology Infrastructure Library) focuses specifically on IT service management (ITSM)—the practical delivery of IT services to meet business needs. ITIL 4, released in 2019, represents the current version with emphasis on value co-creation and integration with modern approaches like Agile, DevOps, and Lean.

ITIL 4 Service Value System

ITIL 4 centers on the Service Value System (SVS)—a holistic model showing how components and activities work together to facilitate value creation through IT services. The SVS includes guiding principles, governance, service value chain, practices, and continual improvement.

ITIL 4: Seven Guiding Principles

  • Focus on Value: Everything relates back to value for stakeholders—customers, users, and the organization
  • Start Where You Are: Don't build from scratch; assess the current state and preserve what works
  • Progress Iteratively with Feedback: Work in timeboxed iterations with regular feedback rather than attempting large changes at once
  • Collaborate and Promote Visibility: Work across boundaries with appropriate transparency
  • Think and Work Holistically: No service or element stands alone; consider the entire value stream
  • Keep It Simple and Practical: Eliminate non-value-adding activities; use the minimum number of steps
  • Optimize and Automate: Maximize the value of human work by automating routine tasks

ITIL 4 Service Value Chain

The service value chain represents the operating model for service delivery with six interconnected activities:

Plan: Understanding organizational context, shared direction, and improvement opportunities

Improve: Continual improvement of products, services, and practices across all value chain activities

Engage: Continuous interaction with stakeholders to understand needs and ensure transparency

Design & Transition: Ensuring products and services meet stakeholder expectations for quality, cost, and time-to-market

Obtain/Build: Ensuring service components are available when needed, whether building, buying, or reusing

Deliver & Support: Ensuring services are delivered and supported according to specifications and stakeholder expectations

ITIL 4's 34 Management Practices

ITIL 4 defines 34 practices (replacing the concept of "processes" from earlier versions) organized into three categories:

General Management Practices (14): Adapted from general business management domains including architecture management, continual improvement, information security management, knowledge management, measurement and reporting, portfolio management, project management, relationship management, risk management, service financial management, strategy management, supplier management, workforce and talent management.

Service Management Practices (17): ITSM-specific practices including availability management, business analysis, capacity and performance management, change enablement, incident management, IT asset management, monitoring and event management, problem management, release management, service catalog management, service configuration management, service continuity management, service design, service desk, service level management, service request management, service validation and testing.

Technical Management Practices (3): Technology-focused practices including deployment management, infrastructure and platform management, software development and management.

ITIL in CISA Questions

CISA exam questions test whether you understand ITIL's role in operational service delivery rather than memorizing all 34 practices. Focus on understanding the service value system concept, how practices interact, and recognizing appropriate ITIL practices for specific scenarios. Common question patterns include identifying which practice handles specific issues (incident vs. problem management), understanding service level agreement principles, and recognizing when ITIL practices support governance objectives.

Four Dimensions of Service Management

ITIL 4 emphasizes that successful service management requires attention to four dimensions:

Organizations and People: Organizational structure, roles, responsibilities, culture, required competencies, and communication

Information and Technology: Information management, technologies supporting service delivery, and relationships between components

Partners and Suppliers: The organization's relationships with external parties that co-create value

Value Streams and Processes: How activities and workflows are organized to create value

Auditors should verify that organizations address all four dimensions rather than over-focusing on technology alone.


Enterprise Architecture Frameworks

Enterprise architecture provides the blueprint for how an organization's business strategy translates into IT systems and processes. Several frameworks guide enterprise architecture development and documentation.

TOGAF (The Open Group Architecture Framework)

TOGAF represents the most widely adopted enterprise architecture framework, used by 60% of Fortune 500 companies. It provides a comprehensive approach to designing, planning, implementing, and governing enterprise information architecture.

TOGAF Architecture Development Method (ADM)

TOGAF's centerpiece is the Architecture Development Method—an iterative process for developing enterprise architecture:

  • Preliminary Phase: Prepare organization for architecture projects
  • Phase A - Architecture Vision: Define scope, stakeholders, and create high-level vision
  • Phase B - Business Architecture: Develop business architecture supporting vision
  • Phase C - Information Systems Architecture: Develop data and application architectures
  • Phase D - Technology Architecture: Develop technology architecture
  • Phase E - Opportunities & Solutions: Identify delivery vehicles and plan implementation
  • Phase F - Migration Planning: Develop detailed implementation and migration plan
  • Phase G - Implementation Governance: Provide architectural oversight during implementation
  • Phase H - Architecture Change Management: Manage changes to architecture
  • Requirements Management: Central process managing requirements throughout ADM

TOGAF's Four Architecture Domains:

  • Business Architecture: Business strategy, governance, organization, and key business processes
  • Data Architecture: Structure of logical and physical data assets and data management resources
  • Application Architecture: Blueprint for individual applications, their interactions, and relationships to core business processes
  • Technology Architecture: Software and hardware capabilities required to support business, data, and application services

Zachman Framework

The Zachman Framework represents a fundamental taxonomy for organizing enterprise architecture artifacts. Created by John Zachman in 1987, it uses a two-dimensional matrix approach.

Matrix Structure: The framework organizes architecture descriptions using:

Six Columns (Interrogatives): What (data), How (function), Where (network), Who (people), When (time), Why (motivation)

Six Rows (Perspectives): Executive (planner), Business Management (owner), Architect (designer), Engineer (builder), Technician (implementer), Enterprise (functioning system)

Each of the 36 cells describes the enterprise from a specific viewpoint answering a specific question. Unlike TOGAF, Zachman doesn't provide implementation methodology—it's a classification scheme for organizing architectural artifacts rather than a process for creating them.

TOGAF vs. Zachman

Type: TOGAF is a methodology and framework; Zachman is an ontology and taxonomy.
Focus: TOGAF is a process for developing architecture; Zachman is a classification of architectural artifacts.
Guidance: TOGAF provides detailed implementation steps (the ADM); Zachman is an organizing framework without a methodology.
Best For: TOGAF suits organizations building an EA practice; Zachman suits organizing existing architectural work.
Compatibility: TOGAF can incorporate Zachman for documentation; Zachman is often used with TOGAF for categorization.

Other Enterprise Architecture Frameworks

Federal Enterprise Architecture Framework (FEAF): Developed for U.S. federal agencies, FEAF provides a common methodology for IT acquisition and use across government. It emphasizes common reference models and segment architecture for agency-specific needs.

Department of Defense Architecture Framework (DoDAF): Created for military and defense applications, DoDAF addresses integration challenges across long-lasting systems and diverse organizations. It provides viewpoints optimized for defense mission requirements.

ISO/IEC 38500: International standard for corporate governance of IT (a governance standard rather than an architecture framework), providing principles, definitions, and a model for governing body decisions about IT use within organizations.


IT Strategic Planning and Alignment

A critical component of Domain 2 involves evaluating how organizations develop IT strategy and ensure alignment with business objectives.

IT Strategy Development Process

Effective IT strategy follows a structured development process:

Environmental Analysis: Assess current state including existing capabilities, constraints, organizational culture, market position, technology trends, regulatory environment, and competitive landscape. Tools like SWOT analysis identify internal strengths/weaknesses and external opportunities/threats.

Business Strategy Alignment: Understand the organizational mission, vision, strategic objectives, and critical success factors. IT strategy must directly support business strategy rather than existing as an independent plan.

IT Strategic Goals Definition: Translate business objectives into IT-specific strategic goals. These might include improving operational efficiency, enabling new business capabilities, enhancing customer experience, reducing technology costs, or managing IT risks.

Strategic Initiatives Identification: Define specific programs and projects that achieve strategic goals. Initiatives should be prioritized based on business value, feasibility, resource requirements, and dependencies.

Resource Planning: Determine budget, staffing, technology investments, and partnerships required to execute strategy.

Performance Metrics: Establish Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to measure strategic success.

IT Governance Structure Components

Effective governance requires appropriate organizational structure:

Key Governance Committees

IT Strategy Committee

Composition: Board members and C-level executives
Responsibilities: Set overall IT direction, approve major IT investments, oversee IT risk management, ensure IT delivers business value
Frequency: Typically quarterly

IT Steering Committee

Composition: Senior IT leadership and business unit leaders
Responsibilities: Prioritize IT projects, allocate IT resources, resolve cross-functional IT issues, monitor project portfolios
Frequency: Typically monthly

Architecture Review Board

Composition: Enterprise architects and technical leads
Responsibilities: Review and approve architectural changes, ensure compliance with enterprise architecture standards, evaluate technology choices
Frequency: As needed for project approvals

Change Advisory Board (CAB)

Composition: IT operations, application owners, business representatives
Responsibilities: Review and authorize changes to production systems, assess change risk and impact, coordinate change scheduling
Frequency: Weekly or as change volume requires

Common Exam Trap: Committee Confusion

CISA questions often test whether you can distinguish between IT Strategy Committee (strategic, board-level, quarterly) and IT Steering Committee (tactical, management-level, more frequent). Remember: Strategy Committee sets direction; Steering Committee executes direction. Questions about who approves major IT investments → Strategy Committee. Questions about project prioritization → Steering Committee.

Organizational Structures for IT

How organizations structure IT functions significantly impacts governance effectiveness. CISA tests your understanding of different organizational models:

Centralized IT Structure: Single IT department provides services to entire organization. Advantages include standardization, economies of scale, consistent policies, and efficient resource utilization. Disadvantages include potential disconnect from business unit needs and slower response to local requirements.

Decentralized IT Structure: Individual business units manage their own IT resources. Advantages include better alignment with business unit needs and faster local response. Disadvantages include duplication of effort, inconsistent standards, and difficulty achieving enterprise-wide initiatives.

Hybrid IT Structure: Combines centralized and decentralized elements—typically with central governance, infrastructure, and security while allowing business units to manage applications and local support. Most large organizations use hybrid models to balance standardization with flexibility.

Federated IT Structure: Business units have IT autonomy but follow enterprise architecture standards and governance processes. Central IT provides strategic direction, standards, and shared services while business units maintain operational control.

Maturity Models and Capability Assessment

Maturity models provide structured approaches for assessing organizational capability and improvement opportunities.

Capability Maturity Model Integration (CMMI)

CMMI measures process maturity on a scale from Level 0 to Level 5:

Level 0 - Incomplete: Process not performed or fails to achieve objectives

Level 1 - Initial: Process achieves objectives but is unpredictable, poorly controlled, and reactive

Level 2 - Managed: Process is planned, performed, monitored, and controlled at project level

Level 3 - Defined: Process is well characterized, understood, and described in standards, procedures, and tools

Level 4 - Quantitatively Managed: Process is controlled using statistical and quantitative techniques

Level 5 - Optimizing: Process is continuously improved based on quantitative understanding of common causes of variation

Auditors use maturity assessments to identify improvement opportunities and benchmark organizations against industry standards.

Balanced Scorecard

The Balanced Scorecard measures organizational performance across four perspectives:

Financial: ROI, cost reduction, revenue generation from IT investments

Customer: User satisfaction, service quality, business value delivered

Internal Processes: Process efficiency, quality metrics, cycle times

Learning & Growth: Staff capabilities, innovation, technology adaptation

IT organizations adapt the balanced scorecard to measure how technology contributes to business objectives across all four dimensions rather than focusing solely on technical metrics.


Domain 2 Study Strategy

High-Priority Topics

  • Governance vs. Management distinction (appears in multiple questions)
  • COBIT 2019 structure: 5 domains (EDM + 4 management domains), 40 objectives
  • COBIT goals cascade: stakeholder needs → enterprise goals → alignment goals → objectives
  • ITIL 4 Service Value System and 7 guiding principles
  • ITIL key practices: incident management, problem management, change enablement, service level management
  • TOGAF ADM phases and when to use them
  • Zachman Framework structure (6x6 matrix)
  • IT Strategy Committee vs. IT Steering Committee roles
  • Centralized vs. decentralized organizational structures
  • CMMI maturity levels and characteristics
  • Balanced Scorecard four perspectives
  • Enterprise architecture domains (business, data, application, technology)

Common Question Patterns

Framework Selection: "Which framework would BEST help an organization..." Questions test when to apply COBIT (governance), ITIL (service management), TOGAF (enterprise architecture), or other frameworks based on organizational needs.

Committee Authority: "Who should approve..." Questions test understanding of which governance body handles which decisions. Remember: strategy approves investments; steering prioritizes projects; architecture reviews designs; CAB authorizes changes.

Maturity Assessment: "An organization that uses documented procedures but no quantitative metrics operates at which maturity level?" Questions test CMMI level understanding.

Structural Impact: "What is the PRIMARY advantage/disadvantage of centralized IT?" Questions test understanding of how organizational structure affects service delivery, standardization, and responsiveness.

Study Tips

Create comparison charts for similar concepts (COBIT vs. ITIL vs. TOGAF; governance vs. management; Strategy Committee vs. Steering Committee; centralized vs. decentralized structures). Visual organization helps distinguish easily confused elements.

Memorize the COBIT 2019 structure: 1 governance domain (EDM), 4 management domains (APO, BAI, DSS, MEA), 40 total objectives. Know representative objectives from each domain but don't memorize all 40.

Understand ITIL principles conceptually rather than memorizing all 34 practices. Focus on common practices (incident, problem, change) and the service value system concept.

Practice identifying governance-level activities (evaluating options, directing management, monitoring performance) versus management activities (planning, building, running, monitoring operations). This distinction appears throughout Domain 2 questions.

The Best Answer Technique for Domain 2

Domain 2 questions frequently present scenarios where multiple governance actions seem appropriate. Choose answers that demonstrate systematic methodology, involve appropriate stakeholders, follow established frameworks, and address root causes rather than symptoms. When in doubt, select the answer that elevates the issue to the appropriate governance level rather than keeping it at the operational level.

Final Thoughts on Domain 2 Mastery

Success in Domain 2 requires understanding that IT governance isn't merely about technology—it's about ensuring technology investments deliver business value under appropriate oversight. The frameworks discussed (COBIT, ITIL, TOGAF, Zachman) provide proven methodologies that organizations adapt to their specific contexts.

When studying Domain 2, focus on understanding the strategic purpose behind each framework rather than memorizing every detail. CISA questions test whether you can apply governance principles to realistic scenarios, recognize appropriate frameworks for specific situations, and distinguish between governance and management activities.

Remember that governance frameworks complement each other: COBIT provides overarching governance structure, ITIL handles operational service delivery, TOGAF guides enterprise architecture development, and maturity models measure organizational capability. Strong CISA candidates understand how these frameworks integrate to create comprehensive IT governance systems.
