One of the popular maturity models derived from CMMI is the Control OBjectives for Information and related Technology (COBIT) maturity model. COBIT is an international recognized framework for IT Governance. It was originally developed in 1993 by the Information Systems Audit and Control Association (ISACA) and is now developed further by the IT Governance Institute [ISA09]. The rules defined in this maturity model are slightly different compared to CMMI. For this description COBIT version 4.1 is used.  

 

The application as defined by COBIT is to measure the state where the enterprise currently is, decide where it needs to go, and to measure the progress against that goal. Additionally, it can be used as a benchmark in order to compare the own attributes to other companies within a specific industry. The specific domain COBIT uses its maturity model for is IT Governance. More concrete the COBIT maturity model is measuring how well IT processes are managed. Therefore, COBIT defines a generic maturity model scale. Subsequently, out of this generic scale there is a specific maturity model derived for each of the 34 IT management processes defined in COBIT. The specific models consist of a textual description of the target state for each level.  

In contrast to other application domains COBIT stresses that the model should not be used to assess a level of adherence to its control objectives but should be used to identify issues and set priorities for improvements [COB07]. Unlike the CMMI approach the COBIT maturity model is not designed as a threshold model. Hence, it is quite common to move to a level of maturity without having fulfilled all criteria for the maturity levels below. 

[1] shows a feasible fulfillment of the maturity levels of an IT process. As aforementioned the criteria for level one and level two are barely fulfilled although the overall process is at maturity level three which does fulfill the criteria in large part. Levels four and five comply with about 35% and 15% to the defined criteria, respectively. Depending on the domain of application, this modification of the way how to use a maturity model is feasible. Nevertheless, if a maturity level heavily depends on the fulfillment of the maturity levels below, the abovementioned approach is not adoptable. 

Although in [1] only five levels of maturity (level one to five) are shown, the generic maturity model defined by COBIT consists of six maturity levels (level zero to five) [COB07]: 

 

The dimensions of maturity across these five levels are the capability, the coverage and the control of a process. COBIT also defines a graphical representation of its maturity model to facilitate the use of the model as a means to support communication during management briefings. As shown in [2] the graphical representation allows mapping the current status of the enterprise (circle) as well as the target state (star) on the six levels of maturity. If information about the industry average position (arrow) is available, it can also be illustrated in the same graphical representation to allow comparisons. 

In [COB07] the IT Governance Institute also recommends users of the COBIT maturity model not to necessarily strive for the highest maturity level in each of the 34 processes. The right level of maturity is in many cases not the highest level of maturity since the right level of maturity is influenced by cost-benefit decisions as well as the overall strategy, the environment, and the type of enterprise. The highest maturity level for security management could for example be necessary for the most critical systems but maybe oversized for other systems.