IT governance in the enterprise is the set of rules, roles and decision bodies that ensure information technology genuinely serves the business strategy, keeps risk under control and uses resources well. It answers a boardroom question, not a help-desk one: is IT aligned with the business, and is it under control?
Quick answer: IT governance answers "does IT serve the business and is it under control?", while IT management answers "how do we run services day to day?". COBIT is the governance framework (strategic), ITIL is the service-management framework (operational); they are complementary, and ISO/IEC 38500 acts as the board-level compass. In Morocco the stakes are now concrete: the CNDP moved to active enforcement in February 2025, Law 05-20 and the DNSSI impose a security baseline, and Maroc Digital 2030 is pushing firms toward greater maturity.
This article explains, without jargon, what IT governance is, why mid-to-large Moroccan firms need it now, how ITIL and COBIT relate to each other, and which roles, processes and controls to put in place to begin.
What is IT governance, and how is it different from day-to-day IT management?
The most common mistake is to blur governance and management. They are two different layers. Governance sets direction: it evaluates needs, directs investments and monitors outcomes. That is the job of executive leadership and the board. Management executes: it designs, delivers and improves IT services day to day, under the responsibility of the CIO and operational teams.
A simple image: governance decides we drive on the right and sets the speed limit; management drives the car. In practice, governance answers questions like "are we investing in the right ERP given our strategy?" or "is our cyber risk exposure acceptable?". Management answers "how do we resolve this incident in under four hours?". Many Moroccan companies have decent IT management (teams that fix things) but no governance at all (nobody who arbitrates and controls at the strategic level). That imbalance is exactly what frameworks are designed to correct.
Why do mid-to-large Moroccan firms need an IT governance framework in 2025-2026?
Because the context has shifted on three fronts at once. First, regulation. The CNDP closed its fifteen-year awareness phase in February 2025 and moved to active enforcement, with sectoral campaigns and compliance orders issued to several companies as early as May 2025. Data compliance is no longer optional. Second, cybersecurity: Law 05-20 (with its 2021 implementing decree 2-21-406) and the National Directive on Information System Security (DNSSI) impose a minimum baseline on government bodies, public institutions and critical infrastructure (IIV), whether public or private.
Third, the macro environment. Maroc Digital 2030 mobilizes 11 billion MAD for 2024-2026, targets a sovereign cloud and is rolling out digital-maturity tools for firms. In an economy that is roughly 95% SMEs (HCP, 2024), few companies have a full-fledged CIO. IT governance becomes the way to structure technology decisions before a crisis (a CNDP audit, a cyber incident, an ERP project going off the rails) forces a reaction.
ITIL vs COBIT in the enterprise: what is each one actually for?
Treating them as competitors is the costliest error. ITIL and COBIT do not cover the same ground. Most mature organizations use both: COBIT to align IT with business objectives, ITIL to run efficient services. Industry data confirms it: around 95% of companies use one of the major governance frameworks, and more than 65% use more than one (Invensis Learning).
The table below captures the distinction a leader actually needs.
| Criterion | COBIT | ITIL |
|---|---|---|
| Nature | Governance framework | Service-management framework |
| Question it answers | Does IT serve the business and is it controlled? | How do we deliver good services day to day? |
| Scope | The whole enterprise (not just IT) | IT services and operations |
| Owner | Executive leadership, the board | CIO, operational teams |
| Time to results | 12 to 18 months for a full rollout | 3 to 6 months on a given service |
So the real question is not "which one to choose" but "in what order to deploy them". To frame that choice calmly, our digital consulting practice always starts from strategy before tooling.
What does COBIT cover, and who owns it?
COBIT is ISACA's framework for the governance and management of enterprise information and technology. The key point: it addresses the whole enterprise, not just the IT department. It covers "enterprise I&T", meaning all the information and technology the organization uses to reach its goals.
COBIT 2019 defines 40 governance and management objectives across 5 domains. The EDM domain (Evaluate, Direct, Monitor) holds the 5 governance objectives owned by the governing body: this is the strategic core. The other four domains are management domains: APO (Align, Plan, Organize), BAI (Build, Acquire, Implement), DSS (Deliver, Service, Support) and MEA (Monitor, Evaluate, Assess).
In practice, COBIT answers boardroom questions: are our IT investments creating value? Are our risks identified and treated? Are we compliant? ISACA even published guidance in 2025 on leveraging COBIT to govern AI systems, a sign the framework is extending to the new use cases that Maroc Digital 2030 encourages.
What does ITIL 4 cover, and when should you adopt it first?
ITIL 4 is the IT service-management framework. It is built around the Service Value System (SVS) and 34 management practices (which replace the older ITIL v3 processes), plus four dimensions of service management: organizations and people, information and technology, partners and suppliers, value streams and processes.
For a leader, the essentials sit in a handful of very concrete operational practices: incident management (restore an interrupted service fast), problem management (address root causes to stop recurrence) and service request management (handle routine requests cleanly). ITIL 4 also rests on seven guiding principles anyone can read: focus on value, start where you are, progress iteratively with feedback, collaborate and promote visibility, think and work holistically, keep it simple and practical, and optimize and automate.
When should you start with ITIL? When the pain is operational: repeated outages, disorganized support, frustrated users. ITIL can show visible results within 3 to 6 months on a targeted service, which makes it an excellent entry point.
Should you use ITIL and COBIT together, and where does ISO/IEC 38500 fit for the board?
Yes, together, and ISO/IEC 38500 sits one level above COBIT. It is a principle-based standard for boards and executives, resting on six principles: responsibility, strategy, acquisition, performance, conformance and human behavior. Its role is to set direction at the top, not to describe detailed processes.
The right arrangement is therefore a three-level pyramid. ISO/IEC 38500 is the board's compass: what do we want from IT, which principles guide our decisions? COBIT translates those principles into measurable governance and management objectives. ITIL executes at the service level. The three are complementary, not competing.
For a Moroccan company, this picture has a practical benefit: it avoids the "all-in COBIT" trap that is disproportionate for many firms. An SME or mid-cap can adopt the spirit of ISO/IEC 38500 at the executive committee, select a few priority COBIT objectives (risk, compliance, investment value), and deploy ITIL wherever the operational pain is sharpest.
What roles, processes and controls should you put in place to start?
Governance only exists if someone owns it. Four building blocks are enough to begin.
On roles: an IT governance committee (executive leadership, CIO, finance, a business lead) that meets quarterly to arbitrate investments and review risks; a data-compliance lead (direct line to the CNDP); and a security lead (a CISO or equivalent, even a shared one).
On processes: an IT project arbitration committee, a risk register kept up to date, and an incident-management process inspired by ITIL.
On controls: a data map (who holds what, where, for what purpose), access monitoring, and a few simple indicators (uptime, incident resolution time, status of CNDP filings).
The whole thing must stay proportionate. An initial maturity audit, of the kind ClaroDigi runs through its digital consulting, lets you calibrate the effort to your actual size. To pick the partner who will drive this structuring, our guide to choosing an IT consulting firm in Morocco lays out the criteria to check.
How does IT governance connect to the CNDP, Law 05-20 and the DNSSI?
IT governance is precisely the frame that turns these legal obligations into workable controls. On data, Law 09-08, supervised by the CNDP, requires any organization that collects, processes or stores personal data (websites, apps, CRMs, HR databases) to declare its processing or obtain prior authorization. The sanctions are concrete: article 52 sets a fine of 10,000 to 100,000 MAD for running a personal-data file without declaration or authorization, up to 300,000 MAD for violations involving sensitive data, with prison terms (three months to roughly one or two years).
On cybersecurity, Law 05-20 sets organizational and technical security measures and designates the DGSSI as the national authority. The DNSSI imposes a minimum baseline on administrations, public institutions, local authorities and critical infrastructure, public or private. Well-designed IT governance ties both requirements back to your data map and your risk register. For a deeper dive on this dimension, see our dedicated guide to enterprise data security and compliance in Morocco.
Where do you start: a pragmatic roadmap?
The sequence that works has four steps, spread over six to twelve months. Step one (months 1-2): a maturity audit and a data map. You cannot govern what you do not know. Step two (months 2-4): quick ITIL wins on the most painful service (often incident management and support), to prove value fast. Step three (in parallel): lay the governance layer by selecting a few priority COBIT objectives (investment value, risk, compliance) rather than attempting a full deployment.
Step four: anchor it all in living bodies (a quarterly committee, a risk register, indicators). A complete COBIT rollout typically takes 12 to 18 months; there is no need to do everything at once. The golden rule for a Moroccan enterprise: start small, measure, expand. A proportionate governance that actually sticks beats an ambitious framework abandoned after six months every time.
Want to structure your company's IT governance without overloading it? Let's talk: a first maturity audit is often all it takes to draw the right roadmap.
FAQ
What is the difference between ITIL and COBIT in one sentence? COBIT is a governance framework that checks IT serves the business and stays under control (strategic level), while ITIL is a service-management framework that organizes day-to-day operational delivery (incidents, problems, requests). They are complementary: COBIT decides and controls, ITIL executes.
Do you have to choose between ITIL and COBIT? No. Most mature organizations use both: around 95% of companies use a major framework and more than 65% combine several (Invensis Learning). The real question is sequencing: often quick ITIL wins first, then the COBIT governance layer in parallel rather than one instead of the other.
Does a Moroccan SME need full COBIT? Rarely. In an economy that is 95% SMEs, few firms have a full-fledged CIO. It is better to adopt the spirit of ISO/IEC 38500 at the executive committee, select a few priority COBIT objectives (risk, compliance, value), and deploy ITIL wherever the operational pain is sharpest.
How does IT governance relate to the CNDP? IT governance is the frame that makes CNDP compliance workable. Law 09-08 requires you to declare or have authorized any processing of personal data, with fines of 10,000 to 100,000 MAD (up to 300,000 MAD for sensitive data) and prison terms. The data map, a core governance building block, feeds your filings directly.
How long does it take to set up IT governance? First ITIL wins appear within 3 to 6 months on a targeted service. A full COBIT deployment typically takes 12 to 18 months. The right approach is to sequence: audit and data map first, quick wins next, then a proportionate governance layer installed gradually rather than all at once.
Sources
- ISACA, COBIT (governance and management of enterprise I&T): https://www.isaca.org/resources/cobit
- ManageEngine, COBIT 2019 (40 objectives, EDM/APO/BAI/DSS/MEA domains): https://www.manageengine.com/products/service-desk/itsm/what-is-cobit-2019.html
- Atlassian, ITIL 4 (Service Value System, 34 practices, four dimensions): https://www.atlassian.com/itsm/itil
- Freshworks, ITIL 4 seven guiding principles: https://www.freshworks.com/itil/itil-4/
- Standarity, ISO/IEC 38500 (six principles, board level): https://standarity.com/blog/iso-iec-38500-it-governance-board
- Invensis Learning, framework adoption (~95% / 65%+): https://www.invensislearning.com/blog/cobit-vs-itil/
- PDCA Consulting, ITIL/COBIT deployment horizons: https://pdcaconsulting.com/cobit-vs-itil-key-differences/
- CNDP, Law 09-08: https://www.cndp.ma/loi-09-08/
- Lafrouji Avocats, end of the CNDP awareness phase (February 2025): https://lafroujiavocats.com/protection-donnees-maroc-cndp-maroc/
- Medias24, Law 09-08 sanctions (articles 52 and 56): https://medias24.com/2023/07/01/donnees-personnelles-ce-que-prevoit-la-loi-en-cas-de-violations/
- DGSSI, Law 05-20 on cybersecurity: https://www.dgssi.gov.ma/fr/textes-legislatifs-et-reglementaires/loi-ndeg-05-20-relative-la-cybersecurite/
- DGSSI, DNSSI (national directive): https://www.dgssi.gov.ma/en/publications/national-directive-information-system-security-ndiss/
- Le Desk, Maroc Digital 2030 (11 billion MAD, 2024-2026): https://ledesk.ma/2024/09/25/transition-numerique-les-details-de-la-strategie-maroc-digital-2030/
- ISACA, COBIT for AI system governance (2025): https://www.isaca.org/resources/white-papers/2025/leveraging-cobit-for-effective-ai-system-governance
Last verified: 17 June 2026.
