COSO, COBIT, service management, and major external compliance regimes.
This chapter explains the governance and compliance frameworks that shape how organizations manage technology risk. ISC questions in this area usually turn on knowing which framework or regulatory lens best fits the situation: COSO emphasizes internal control and governance objectives, COSO ERM broadens the discussion to enterprise risk, COBIT focuses on governance of information and technology, ITIL addresses service-management discipline, and external rules impose compliance obligations for particular data types or industries.
| Framework or rule set | Best exam use | Common ISC trap |
|---|---|---|
| COSO Internal Control | Evaluate control environment, risk assessment, activities, information, and monitoring. | Using it as if it were an IT operations framework. |
| COSO ERM | Connect technology risk to enterprise strategy, risk appetite, and performance. | Treating every control weakness as only a process-level issue. |
| COBIT | Govern and manage enterprise information and technology. | Reducing COBIT to a cybersecurity checklist instead of a governance system. |
| ITIL | Manage IT services, incidents, changes, and service quality. | Confusing service management with regulatory compliance. |
| PCI DSS, HIPAA, GDPR, and similar regimes | Identify external obligations tied to payment data, health data, personal data, or jurisdiction. | Applying a regulation because it sounds security-related rather than because the facts trigger it. |

| Step | What to do | Why it matters on ISC |
|---|---|---|
| 1. Identify the problem type | Decide whether the issue is internal control, enterprise risk, IT governance, service management, or external compliance. | Framework choice depends on the kind of problem being solved. |
| 2. Match the framework purpose | Use COSO for control, COSO ERM for enterprise risk, COBIT for IT governance, ITIL for service management, and regulations for legal obligations. | Framework names are not interchangeable. |
| 3. Define responsible ownership | Identify board, management, IT, compliance, process owner, or third-party responsibility. | Governance questions often turn on who owns the control or risk response. |
| 4. Apply criteria to the facts | Connect principles, control objectives, service processes, or regulatory requirements to the scenario. | The exam rewards application, not framework-name recall. |
| 5. Identify evidence and monitoring | Determine what documentation, metrics, reporting, or monitoring shows the framework is operating. | Governance is incomplete without evidence of oversight and follow-through. |