Multimatics Insight

Measuring IT Maturity with COBIT® 2019 Framework

Measuring IT Maturity with COBIT® 2019 Framework

Only organizations with a capacity for continual development will be able to maintain competitiveness in the digital era, and this capacity can only be attained by achieving a specific level of IT maturity.

Have you ever measured your organization’s IT maturity?

Before answering that question, let’s define what’s IT Maturity first!

What’s IT Maturity?

IT maturity is an overall set of IT capabilities, or what the IT department can perform for business. Organizations with a good IT maturity level can fulfill the business’ needs, operate efficiently, and have the flexibility to adapt to the changing business environment. On the other hand, low-IT maturity organizations frequently make errors and deliver slowly—and fail to adapt quickly.

Therefore, measuring IT Maturity is indeed crucial for ensuring your organization’s success. The goal is to figure out the effectiveness of your IT capability and identify what is needed to improve in order to meet the organizational goals.

Then, what’s the relationship between IT Maturity and COBIT® 2019?

COBIT® 2019: A Quick Glimpse

COBIT® is a commonly used comprehensive framework that integrates IT governance into enterprise governance and integrates other frameworks such as Val IT and Risk IT. The main purpose of COBIT® is to balance the benefits and risks of IT while putting the significances of all stakeholders into consideration. The latest version of COBIT® framework is COBIT® 2019. It is intended to provide greater adaptability for organizations while customizing an IT governance procedure.

With the help of COBIT® 2019, organizations can make crucial decisions about the architecture of their governance systems and successfully accomplish their goals. This is achieved by concentrating on goals particular to a governance system's management and components. COBIT® 2019 also provides guidance on how governance and management should be defined.

Measuring IT Maturity with COBIT® 2019

COBIT® 2019 Framework: Governance and Management Objectives describes the expected capability levels. With a scale from 0 to 5, the Capability Maturity Model Integration® (CMMI)-based process-capability scheme is supported by COBIT® 2019. From the score obtained, it's possible to determine the maturity level for the 231 practices and 40 objectives organized in five domains in the COBIT® 2019 framework.

The five domains are:

  1. Evaluate, Direct and Monitor (EDM)
  2. Align, Plan and Organize (APO)
  3. Build, Acquire and Implement (BAI)
  4. Deliver, Service and Support (DSS)
  5. Monitor, Evaluate and Assess (MEA)

What’s Inside the COBIT® 2019 Maturity Model: Capability and Maturity Levels

The success of the IT Maturity assessment depends on tailoring the process activities to the appropriate capability and maturity levels. The COBIT® 2019 Framework Governance and Management Objective guide contains information on this. Let’s break down the capability and maturity levels in COBIT® 2019 Maturity Model!

Capability Level

Ranging from 0 to 5, the process activities can function at different levels of capacity and maturity. Cited from ISACA®, capability level is a measure of how well a process is implemented and performing.

Capability Level
  • Lack of any basic capability
  • Incomplete approach to address governance and management purpose
  • May or may not be meeting the intent of any process practices
1 The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive—not very organized.
2 The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
3 The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.
4 The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
5 The process achieves its purpose, is well defined, its performance is measured to improve performance and continuous improvement is pursued.

Source from ISACA®

Maturity Level

Maturity level, which is associated with focus areas, is a measure of how these processes contained in the focus area achieve that particular capability level, through the collections of substantial underlying evidence to support enterprise goals.

The following is the maturity level for focus area based on the COBIT® 2019 Framework.

Maturity Level
0 Incomplete–Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area.
1 Initial–Work is completed, but the full goal and intent of the focus area are not yet achieved.
2 Managed–Planning and performance measurement take place, although not yet in a standardized way.
3 Defined–Enterprisewide standards provide guidance across the enterprise.
4 Quantitative–The enterprise is data-driven, with quantitative performance improvement.
5 Optimizing–The Enterprise is focused on continuous improvement.

Source from ISACA®

The capability and maturity levels will be given a value between 1 to 5:

  1. Initial—Unpredictable process that is poorly controlled and reactive
  2. Managed—Process is planned, documented and monitored at the project level and often are reactive
  3. Defined—Proactive process meant for organizations
  4. Quantitively Managed—Measured and controlled process
  5. Optimizing—Focus is on continuous process and improvement


The COBIT® Maturity Model serves as a roadmap for developing gap analyses and improvement plans. As every organization is unique, many paths may be taken to bring about the desired outcomes. Nevertheless, it is highly important to always remember that higher IT maturity enables organizations to anticipate future issues and take preventative measures. The IT department can then use its data to run scenarios and analyze potential outcomes, offering insight into more intelligent business strategies.


Elue, E. (2020). Effective Capability and Maturity Assessment Using COBIT 2019. ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2020/effective-capability-and-maturity-assessment-using-cobit-2019

ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. ISACA.

Axio Systems. (2018). IT Maturity Matters Because IT Matters. https://www.thinkhdi.com/library/supportworld/2018/it-maturity-matters-because-it-matters.aspx

Björnsdóttir, Svana. H. et.al. (2021). The Importance of Risk Management: What is Missing in ISO Standards? https://doi.org/10.1111/risa.13803

Share this on:

Scroll to Top