Evaluation of Information Technology Governance Maturity Using COBIT 2019: A Case Study on the IT Security Industry

Abstract

This study aims to evaluate the maturity of IT governance in the IT security industry using COBIT 2019. The assessment covered 13 COBIT 2019 domains, namely APO03—Managed Enterprise Architecture, APO07—Managed Human Resources, APO12—Managed Risk, APO13—Managed Security, APO14—Managed Data, BAI02—Managed Requirements Definition, BAI03—Managed Solutions Identification & Build, BAI05—Managed Organizational Change, BAI06—Managed IT Changes, BAI07—Managed IT Change Acceptance and Transitioning, BAI09—Managed Assets, BAI10—Managed Configuration, and BAI11—Managed Projects. The research methodology included observation, domain-based question formulation, RACI interviews, data collection, and question validation testing, with maturity calculation performed using appropriate formulas. Results indicate that most domains are at Level 2 (Managed), with significant contributions to maturity at Levels 3 and 4. Significant gaps were found between the current state and the desired maturity targets for many domains, such as APO03 and BAI03. The percentage contribution from Level 2 is the highest, while contributions from Levels 3 and 4 vary, with very low contributions from Level 5. The total maturity score is 2.49, with percentage contributions from Levels 2, 3, 4, and 5 being 74%, 26%, 11%, and 3%, respectively. Recommendations include improving processes to achieve Levels 3 and 4 across more domains and investing in training and development for relevant teams.