Which framework is most closely aligned with governance over enterprise IT rather than specific security controls?


Multiple Choice

Which framework is most closely aligned with governance over enterprise IT rather than specific security controls?

Explanation:

CobiT is built around governance and management of IT across the whole organization, not just the security controls themselves. It provides a complete set of process areas, objectives, and performance metrics that help senior leaders oversee value delivery, risk management, resource optimization, and performance across the IT landscape. This framework is designed to bridge business goals with IT activities, clarifying who makes decisions, who is responsible, and how IT performance is measured at the governance level.

Other options focus more on implementing and managing security controls or general risk and internal controls. PCI-DSS specifies security requirements for protecting payment card data, ISO/IEC 27002 is a broad catalog of information security controls, and COSO addresses enterprise risk management and internal controls at a wider organizational level but isn't IT-specific. Because the question emphasizes governance of enterprise IT rather than implementing particular controls, CobiT is the best fit.
