Rolling Meadows, IL, USA (28 April 2005)—COBIT (Control Objectives for Information and related Technology) has been selected by the Commission of the European Communities (EC) as one of the three internationally accepted standards to be used to provide information security and control over its agricultural paying agencies.
The regulation, adopted on 22 March 2005, is aimed at tightening information systems security across the European Union’s 25 member states. Paying agencies associated with the European Agricultural Guidance and Guarantee Fund (EAGGF) are now required to select either COBIT, ISO Standard 17799 or the Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutzhandbuch/IT Baseline Protection Manual (BSI) as the basis for their information systems security.
“This regulation is a strong step toward greatly improved information systems security throughout the EU,” said Georges Ataya, a member of the IT Governance Institute (ITGI) Steering Committee and a professor at the Solvay Business School in Brussels. “All organizations—whether in the public or private sector—should follow international standards to protect their customers, constituents, employees, vendors and other stakeholders. COBIT has been used by the Directorate General of Agriculture since 2001, when we were given the opportunity to train the teams that audit operations related to nearly half of the EU's total budget (approximately EUR 98 billion for 2004).”
The EU regulation directs that one of the three standards must be used retroactively from 16 October 2004. From financial year 2008, starting 16 October 2007, auditors must provide a statement on the security measures in place based on the chosen standard.
During the period 2004-2007, the annual auditors’ reports are required to include a score for each domain of the chosen standard based on a maturity model developed directly from COBIT’s Generic Process Maturity Model. Even if a member state chooses one of the other two standards, the auditor still needs to use the COBIT-based maturity model as part of the reporting mechanism.