COBIT as a foundation for POPI Compliance Management

Information security is now highly dependent on business decision-making and user activities that involve the entire enterprise population. Most organisations have a large number of inter-enterprise connections and a wide range of internally integrated technology and operations across multiple processing environments. The ITGN uses COBIT 5 as the foundation on which to establish and build a capability in information security management.

The integrated nature of the COBIT 5 process model enables accountability and responsibility to be identified and assigned. The selection, testing and deployment of appropriate mechanisms to supply security functions is complex, and few organisations have established the processes necessary for effective information security. COBIT 5 therefore provides an excellent reference and foundation on which to establish information security across the enterprise in an effective, lean and sustainable manner.

A well-structured approach is required for building information security around confidentiality (stressing "need to know" as the guiding principle for implementing a security programme), managing integrity (by focusing on the "control of privilege to create, modify, store, copy or delete information or information resources") and ensuring the availability of information (based on the business' need and regulatory obligations to have systems, resources and data available).

Through the use of an integrated, process-based approach, directed from the governance layer and with a management system to coordinate improvements, the aim is to:

  • Identify the IT activities necessary for effective information security, using the 37 COBIT 5 processes as a guide
  • Build capability in information security processes and related activities
  • Focus on delivering the outcomes that the business expects from information security (and avoid unnecessary concepts of 'best practice')

Two points underpin this approach:

  • A large number of IT processes have an impact on the effectiveness of information security
  • The outcome expected from information security should be based on what the business actually needs (e.g. security in a hostile environment, regulatory compliance, etc.)

CPIO Certification

The CPIO exam is for individuals knowledgeable about the requirements for lawfully processing personal information and promoting access to information. CPIO certification demonstrates knowledge and capability to manage and protect personal information in accordance with the Protection of Personal Information Act.

Candidates Guide

Fulfilling the Requirements, Building Capability and Being Prepared!

CPIO Management System

Improve your 


CPIO Expertise

IT governance experts are available to assist in establishing, implementing and improving the governance of IT based on the ISO 38500 standard and COBIT 5 good practices.
