What is the primary objective of COBIT?

COBIT's primary objective is to create value from I&T, manage risk, and optimize resources by translating stakeholder needs into actionable governance and management objectives. COBIT 2019 defines a core model of 40 governance and management objectives across five domains (EDM, APO, BAI, DSS, MEA), supported by six governance system principles and seven components (processes, organizational structures, etc.). It separates governance (EDMevaluate, direct, monitor) from management execution, using a goals cascade (13 enterprise goals, 13 alignment goals) and CMMI-based performance management** (levels 0-5) for tailored, measurable EGIT.

Who is legally or professionally required to comply with COBIT?

No organizations are legally required to comply with COBIT, as it is a voluntary framework maintained by ISACA, not a regulation. Professionally, it is adopted by enterprises needing structured EGIT, particularly in regulated sectors like finance and utilities, where boards and executives use its 40 objectives and design factors (e.g., risk profile, compliance requirements) to demonstrate accountability. ISACA recommends it for CGEIT/CISA holders and organizations aligning I&T with stakeholder needs.

Does COBIT require an external audit or third-party certification?

COBIT does not require external audit or third-party certification, as it is a framework, not a certifiable standard. Organizations may conduct internal capability assessments using COBIT Performance Management (levels 0-5) or engage ISACA-accredited assessors for voluntary assurance via MEA04 Managed Assurance. ISACA offers individual certificates (COBIT 2019 Foundation, Design & Implementation) but no organizational certification.

How often should an assessment for COBIT be performed?

COBIT assessments should be performed annually or when significant changes occur in design factors, using the CMMI-based capability model (levels 0-5). ISACA guidance via MEA domain recommends regular capability/maturity appraisals tied to the governance system design workflow, with ongoing monitoring through process practices and metrics in objectives like APO02 Managed Strategy.

What are the consequences of non-compliance with COBIT?

There are no direct legal consequences for non-compliance with COBIT, as it is a non-mandatory framework. Indirect risks include weak EGIT leading to unaddressed I&T risks, audit deficiencies, or failure to meet external regulations, potentially resulting in operational disruptions or regulatory penalties where COBIT alignment is expected for evidence (e.g., via MEA conformance monitoring).

Can COBIT be mapped to other international frameworks?

Yes, COBIT 2019 explicitly supports mapping to other international frameworks through its governance framework principles of alignment and openness. Its 40 objectives and components integrate with standards via published ISACA resources, enabling tailored governance systems that reference external models without replacement.

What is the first step to begin implementing COBIT?

The first step to implement COBIT is to evaluate enterprise context using the six governance system principles and 11 design factors to define a tailored governance system scope. Per the COBIT 2019 Design Guide, initiate the design workflow: assess stakeholder needs via the goals cascade, conduct a current-state capability assessment (levels 0-5), and prioritize 40 core objectives into initial/refined scopes.

What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 for conformity (Factory Production Control, FPC, and Declaration of Performance, DoP), EN 1090-2 for steel technical requirements (welding, tolerances, inspection), and EN 1090-3 for aluminium. Risk scales via Execution Classes (EXC1–EXC4) based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU/EEA construction works must comply with EN 1090. This includes fabricators, welding shops, and suppliers needing CE marking via certified FPC. Applies to buildings, bridges, stadia; defaults to EXC2 if unspecified. Non-structural or non-metallic elements are excluded.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates third-party certification of Factory Production Control (FPC) by a Notified Body under AVCP systems. Process includes initial inspection, ITT/ITC review, certificate issuance, and continuous surveillance audits. Responsible Welding Coordinator (rWC) competence and ISO 3834 alignment are verified.

How often should an assessment for EN 1090 be performed?

EN 1090 requires initial Notified Body certification followed by continuous surveillance audits, typically annually. Frequency per EN 1090-1 Table B.3, scaled by Execution Class (higher EXC4 demands more rigor). Internal audits maintain FPC; changes (e.g., processes, rWC) trigger re-assessments.

What are the consequences of non-compliance with EN 1090?

Non-compliance prevents lawful CE marking, risking market exclusion, product recalls, and certificate suspension/withdrawal by Notified Bodies. CPR enforcement includes fines, liability for failures, and public reporting. Major non-conformities (e.g., traceability gaps) lead to additional audits and halted production.

Can EN 1090 be mapped to other international frameworks?

Yes, EN 1090 is intrinsically mapped to other international frameworks, specifically relying on normative references to ISO standards. It requires alignment with ISO 3834 for welding quality requirements, ISO 9606 for welder qualification, and ISO 9712 for NDT personnel. Furthermore, the Factory Production Control (FPC) system is often integrated with ISO 9001 quality management principles.

What is the first step to begin implementing EN 1090?

Conduct a product scope assessment to confirm EN 1090 applicability and determine Execution Class (EXC) via CC/SC/PC matrix. Follow with gap analysis of FPC against EN 1090-1, appoint rWC, and engage a Notified Body early for certification roadmap.

Standards Comparison

COBIT vs EN 1090

COBIT

Voluntary

2019

IT governance framework aligning strategy, risk, and value

EN 1090

Mandatory

2009

EU standard for steel and aluminium structural execution.

Quick Verdict

COBIT provides voluntary IT governance frameworks for enterprises worldwide, while EN 1090 mandates CE marking for structural steel/aluminium in EU construction. Companies adopt COBIT for risk-optimized IT value; EN 1090 for legal market access and compliance.

IT Governance

COBIT

COBIT 2019 Governance and Management Objectives

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Tailorable via 11 design factors and workflow
40 objectives across 5 domains (EDM-APO-BAI-DSS-MEA)
CMMI-based capability levels 0-5 for performance
Clear separation of governance from management
Goals cascade links stakeholders to metrics

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Factory Production Control (FPC) certification
Execution Classes (EXC1-4) risk scaling
CE marking and Declaration of Performance
Welding quality via ISO 3834 alignment
Material traceability and NDT requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

COBIT Details

What It Is

COBIT 2019 is ISACA's comprehensive framework for enterprise IT governance and management. It translates stakeholder needs into actionable objectives via a tailored governance system approach, emphasizing value creation, risk optimization, and resource use across the enterprise.

Key Components

40 governance/management objectives in 5 domains: EDM (governance), APO (strategy), BAI (delivery), DSS (operations), MEA (assurance).
6 governance principles and 7 components (processes, structures, culture, etc.).
11 design factors for tailoring; CMMI-based capability levels 0-5; no formal certification, but ISACA training (Foundation, Design & Implementation).

Why Organizations Use It

Supports compliance (SOX, GDPR alignments), risk reduction, digital transformation ROI, and board oversight. Builds stakeholder trust through measurable EGIT outcomes and interoperability with ITIL, ISO 27001, NIST.

Implementation Overview

Phased: assess gaps, design via toolkit, pilot objectives, build capabilities, monitor via MEA. Suited for large/regulated enterprises; voluntary, executive-sponsored programs with training essential. (178 words)

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) under the Construction Products Regulation (CPR). It governs conformity assessment and execution of structural steel and aluminium components for construction works. Primary purpose: ensure safe fabrication, assembly, and market placement via CE marking. Key approach: risk-based scaling through Execution Classes (EXC1–EXC4) linked to consequence, service, and production categories.

Key Components

EN 1090-1: Conformity assessment, Factory Production Control (FPC) certification, Declaration of Performance (DoP).
EN 1090-2/-3: Technical rules for steel/aluminium (materials, welding, tolerances, corrosion protection, inspection/NDT).
Core principles: traceability, welding quality (ISO 3834), risk-proportional controls.
Certification model: Notified Body audits FPC with ongoing surveillance.

Why Organizations Use It

Mandatory CE marking for EEA market access; non-compliance risks exclusion, fines.
Reduces liability via documented processes; enables high-risk projects.
Builds trust, competitive edge in tenders; operational efficiencies lower rework.

Implementation Overview

Phased: gap analysis, FPC design, personnel quals, NB certification (3–12 months). Applies to fabricators in construction; requires welding coordinators, audits. (178 words)

Key Differences

Aspect	COBIT	EN 1090
Scope	Enterprise IT governance and management	Structural steel/aluminium fabrication execution
Industry	All industries worldwide	Construction/metal fabrication in EU/EEA
Nature	Voluntary governance framework	Mandatory harmonized standard for CE marking
Testing	Capability/maturity assessments	FPC certification and surveillance audits
Penalties	Loss of certification/credibility	Market exclusion, fines, legal liability

Scope

COBIT

Enterprise IT governance and management

EN 1090

Structural steel/aluminium fabrication execution

Industry

COBIT

All industries worldwide

EN 1090

Construction/metal fabrication in EU/EEA

Nature

COBIT

Voluntary governance framework

EN 1090

Mandatory harmonized standard for CE marking

Testing

COBIT

Capability/maturity assessments

EN 1090

FPC certification and surveillance audits

Penalties

COBIT

Loss of certification/credibility

EN 1090

Market exclusion, fines, legal liability

Frequently Asked Questions

Common questions about COBIT and EN 1090

COBIT FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

Measuring NIST CSF 2.0 Success: KPIs, Dashboards, and Continuous Improvement Using Tiers & Profiles

Transform NIST CSF 2.0 into quantifiable success: Define board-ready KPIs for Functions, build Profile dashboards, track Tier progression. Prove ROI amid cyber

What if the EU would not have made GDPR mandatory...

Explore a world without mandatory GDPR: How would organizations manage data? What data privacy regs would emerge? Uncover impacts on businesses and privacy laws

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

Discover why the SEC's 2023 cybersecurity rules treat cyber risks as material financial threats. Explore the 'stick and carrot' approach for standardized disclo

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how COBIT and EN 1090 compare against other standards

Other COBIT Comparisons

Other EN 1090 Comparisons

Key Components

40 governance/management objectives in 5 domains: EDM (governance), APO (strategy), BAI (delivery), DSS (operations), MEA (assurance).

6 governance principles and 7 components (processes, structures, culture, etc.).

11 design factors for tailoring; CMMI-based capability levels 0-5; no formal certification, but ISACA training (Foundation, Design & Implementation).

What It Is

Key Components

EN 1090-1: Conformity assessment, Factory Production Control (FPC) certification, Declaration of Performance (DoP).

EN 1090-2/-3: Technical rules for steel/aluminium (materials, welding, tolerances, corrosion protection, inspection/NDT).

Core principles: traceability, welding quality (ISO 3834), risk-proportional controls.

Certification model: Notified Body audits FPC with ongoing surveillance.

Aspect

COBIT

EN 1090

Scope

Enterprise IT governance and management

Structural steel/aluminium fabrication execution

Industry

All industries worldwide

Construction/metal fabrication in EU/EEA

Nature

Voluntary governance framework

Mandatory harmonized standard for CE marking

Testing

Capability/maturity assessments

FPC certification and surveillance audits

Penalties

Loss of certification/credibility

Market exclusion, fines, legal liability