Mapping cyber governance code to ISACA COBIT-19
Published 8 April 2025
Introduction
This mapping document is for boards, directors and Chief Information Security Officers (or equivalent) and will help them understand the Cyber Governance Code of Practice (the Code).
The mapping document illustrates where there are similarities and differences between the Code and the ISACA COBIT-19 framework. It can be used by organisations to understand what actions of the Code they may already be implementing through adherence to the ISACA COBIT-19 framework.
The mapping document is illustrative and should only be used as a point of reference. It is not intended to be authoritative or be taken as legal advice on compliance with the framework mentioned.
If you have any comments or questions on the Cyber Governance mapping, please contact cybergovernance@dsit.gov.uk
Principle A: Risk management
Action A1: Gain assurance that the technology processes, information and services critical to the organisation’s objectives have been identified, prioritised and agreed.
Alignment with ISACA COBIT-19: BAI09.02 Manage critical assets, DSS04.01 Define the business continuity policy, objectives and scope
Action A2: Agree senior ownership of cyber security risks and gain assurance that they are integrated into the organisation’s wider enterprise risk management and internal controls.
Alignment with ISACA COBIT-19: EDM01 Ensured Governance Framework Setting and Maintenance, APO01.05 Establish roles and responsibilities
Action A3: Define and clearly communicate the organisation’s cyber security risk appetite and gain assurance that the organisation has an action plan to meet these risk expectations.
Alignment with ISACA COBIT-19: EDM03.01 Evaluate risk management, APO12.02 Analyse risk, APO13.02 Define and manage an information security and privacy risk treatment plan, BAI02.03 Manage requirements risk
Action A4: Gain assurance that supplier information is routinely assessed, proportionate to their level of risk and that the organisation is resilient to cyber security risks from its supply chain and business partners.
Alignment with ISACA COBIT-19: APO10.05 Monitor vendor performance and compliance
Action A5: Gain assurance that risk assessments are conducted regularly and that risk mitigations account for recent, or expected, changes in the organisation, technology, regulations or wider threat landscape.
Alignment with ISACA COBIT-19: APO01.11 Manage continual improvement of the I&T management system, MEA04.08 Report and follow up on the assurance initiative, MEA04.09 Follow up on recommendations and actions
Principle B: Strategy
Action B1: Gain assurance that the organisation has developed a cyber strategy and this is aligned with, and embedded within, the wider organisational strategy.
Alignment with ISACA COBIT-19: APO02.06 Communicate the I&T strategy and direction, APO02.05 Define the strategic plan and road map
Action B2: Gain assurance that the cyber strategy aligns with the agreed cyber risk appetite (Action A3), meets relevant regulatory obligations, and accounts for current or expected changes (Action A5).
Alignment with ISACA COBIT-19: EDM03.01 Evaluate risk management, EDM03.02 Direct risk management, APO12.02 Analyse risk, APO12.03 Maintain a risk profile, MEA03 Managed Compliance with External Requirements
Action B3: Gain assurance that resources are allocated effectively to manage the agreed cyber risks (Action A3 and A5).
Alignment with ISACA COBIT-19: APO06.02 Prioritise resource allocation, EDM04.02 Direct resource management
Action B4: Gain assurance that the cyber strategy is being delivered effectively and is achieving the intended outcomes.
Alignment with ISACA COBIT-19: EDM02.04 Monitor value optimisation
Principle C: People
Action C1: Promote a cyber security culture that encourages positive behaviours and accountability across all levels. This should be aligned with the organisation’s strategy (Action B1).
Alignment with ISACA COBIT-19: APO01.01 Design the management system for enterprise I&T, APO01.02 Communicate management objectives, direction and decisions made
Action C2: Gain assurance that there are clear policies that support a positive cyber security culture.
Alignment with ISACA COBIT-19: No comparison
Action C3: Undertake training to improve your own cyber literacy and take responsibility for the security of the data and digital assets that you use.
Alignment with ISACA COBIT-19: No comparison
Action C4: Gain assurance using suitable metrics that the organisation has an effective cyber security training, education and awareness programme.
Alignment with ISACA COBIT-19: APO07.03 Maintain the skills and competencies of personnel, DSS04.06 Conduct continuity plan training
Principle D: Incident planning, response and recovery
Action D1: Gain assurance that the organisation has a plan to respond to and recover from a cyber incident impacting business critical technology processes, information and services.
Alignment with ISACA COBIT-19: No comparison
Action D2: Gain assurance that there is at least annual exercising of the plan involving relevant internal and external stakeholders and that lessons from the exercise are reflected in the incident plan (Action D1) and risk assessments (Action A5).
Alignment with ISACA COBIT-19: DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP)
Action D3: In the event of an incident, take responsibility for individual regulatory obligations, such as reporting, and support the organisation in critical decision making and external communications.
Alignment with ISACA COBIT-19: DSS02 Managed Service Requests and Incidents
Action D4: Gain assurance that a post incident review process is in place to incorporate lessons learned into future risk assessments (Action A5), response and recovery plans (Action D1) and exercising (Action D2).
Alignment with ISACA COBIT-19: DSS04.08 Conduct post-resumption review
Principle E: Assurance and oversight
Action E1: Establish a cyber governance structure which is embedded within the wider governance structure of the organisation. This should include clear definition of roles and responsibilities, including ownership of cyber at executive and non-executive director level.
Alignment with ISACA COBIT-19: EDM01.02 Direct the governance system, APO01.04 Define and implement the organizational structures
Action E2: Require formal reporting on at least a quarterly basis, set suitable metrics to track, and agree tolerances for each. These should be aligned to the cyber strategy (Action B1) and based on the agreed cyber risk appetite (Action A3).
Alignment with ISACA COBIT-19: MEA01 Managed Performance and Conformance Monitoring
Action E3: Establish regular two-way dialogue with relevant senior executives, including but not limited to, the chief information security officer (or equivalent).
Alignment with ISACA COBIT-19: EDM05 Ensured Stakeholder Engagement
Action E4: Gain assurance that cyber security considerations (including the actions in this code) are integrated and consistent with existing internal and external audit and assurance mechanisms.
Alignment with ISACA COBIT-19: MEA04 Managed Assurance
Action E5: Gain assurance that senior executives are aware of relevant regulatory obligations, as well as best practice contained within other Codes of Practice.
Alignment with ISACA COBIT-19: MEA03 Managed Compliance with External Requirements