

How CMMI models compare and map to the COBIT framework

Following ISACA's recent acquisition of the CMMI Institute, expert Judith Myerson takes a closer look at COBIT and CMMI models and how they compare to one another.

ISACA, the association for IT governance, assurance and cybersecurity professionals, recently announced it has acquired CMMI Institute, which helps organizations elevate their performance across people, process and technology. The CMMI Institute is built on Capability Maturity Model Integration (CMMI), which evolved from the original Capability Maturity Model (CMM) a few decades ago.

This acquisition expands ISACA's reach to more than 12,000 organizations globally seeking to improve their capability and achieve a higher maturity level in their operations. Many organizations have already applied CMMI models or have a CMMI certification -- required in many U.S. Department of Defense and federal contracts. Some already have used ISACA's COBIT 5 framework to cover governance and management of technology, people and process areas not addressed by CMMI models.

How will ISACA's acquisition affect COBIT and CMMI? Let's take a look at two representations of a CMMI model before discussing COBIT's advantages over CMMI, as well as how the two map to one another.

CMMI model representations

A CMMI model can be presented in one of two representations: staged or continuous. An organization's choice between the two depends on its culture and business needs.

The staged representation focuses on organizational maturity. It uses five maturity levels to measure how mature the organization's processes are as a whole. Level one is assigned to the lowest maturity, where processes are ad hoc and chaotic. At level three, processes become proactive: the organization defines standard processes and guidelines for tailoring them to individual projects. At level five, the focus is on continuously optimizing process improvement.

The continuous representation uses six capability levels, zero through five, to measure how capable each individual process area is. Different process areas can improve at different rates. The organization assigns level zero when a process is not performed or cannot achieve its purpose, and level five when the process is being continuously improved to meet the business goals.

COBIT advantages

COBIT has two advantages over CMMI models. First, COBIT provides self-assessment, gap analysis and improvement planning tools. Second, it has three dimensions: capability, coverage and control. The organization using COBIT decides how these dimensions should be applied.

Capability is a measure of how capable a process is. Each process is rated on a scale of capability levels from 0 to 5: Incomplete, Performed, Managed, Established, Predictable and Optimizing. This scale was adopted in 2013 with the COBIT 5 Process Assessment Model, which is based on ISO/IEC 15504. It replaced the earlier COBIT maturity model, based on the original CMM, that had been introduced in 2000.

Coverage is a measure of how and where the process should be deployed, that is, which parts of the organization it must apply to. For example, a high capability level for security processes may be required only for the organization's sensitive systems. Control is a measure of how well the process is actually controlled and executed, and how well it manages risk. A process that appears to be at the right capability level may still fail to deliver its intended outcome if its controls are poorly designed.

Using COBIT for risk assessment management

Organizations that are not culturally process-based or experienced in process improvement can use COBIT 5 to guide them in determining how capable their risk assessment and management process is.

A case study shows how an organization used COBIT to close gaps in risk assessment management. First, the organization conducted a simple self-assessment against the management practices of EDM03 (Ensure Risk Optimization) and APO12 (Manage Risk), from the Evaluate, Direct and Monitor (EDM) and Align, Plan and Organize (APO) domains of COBIT.

When the organization discovered it had no IT risk management processes in place, it assigned level zero (incomplete) to its process capability. To move up to level 2 (managed), the organization set risk management program goals and put program manuals, standard operating procedures, assessment tools, project request forms and policy templates in place.

COBIT-CMMI mapping

While COBIT and CMMI are different, they share enough similarities to enable mappings between the two. Two months before the CMMI Institute acquisition, ISACA published an article on how CMMI for Development (CMMI-DEV) can be integrated into COBIT-based IT governance. CMMI-DEV focuses on improving an organization's capability to develop quality products while lowering the number of defects.

Industries that frequently use CMMI-DEV include aerospace, banking, computer hardware, software, defense and telecommunications. Some organizations in these industries already use COBIT. They would find that CMMI-DEV maps closely to the following COBIT domains and can use the mapping for self-assessment and gap analysis:

•          APO (Align, Plan and Organize)

•          BAI (Build, Acquire and Implement)

•          DSS (Deliver, Service and Support)

•          MEA (Monitor, Evaluate and Assess)

A COBIT process can be mapped to one or more CMMI-DEV process areas. For example:

•          Manage the IT Management Framework (APO01) maps to Organizational Process Focus and Organizational Process Definition, both at maturity level 3.

•          Manage Risk (APO12) maps to Risk Management at maturity level 3.

•          Manage Requirements Definition (BAI02) maps to Requirements Management and Requirements Development, at maturity levels 2 and 3 respectively.

A mapping gap occurs when a COBIT process cannot be mapped to any CMMI-DEV process area. For example, Manage Security (APO13) and Manage Security Services (DSS05) have no CMMI-DEV counterpart, so an organization relying on CMMI-DEV alone would have no coverage of security management. Organizations should keep these gaps in mind as they consider COBIT and CMMI models.


COBIT is one of the best-known and most widely used business frameworks for governance and management of enterprise IT. CMMI is a process improvement model with an associated appraisal program that is required by the U.S. Department of Defense and many federal contracts. It is less well known than COBIT and more narrowly applied. ISACA's acquisition of the CMMI Institute should bring further benefits by complementing CMMI models with the COBIT framework, including coverage of areas such as security management that CMMI models do not address.
