In 1996, the Information Systems Audit and Control Foundation (ISACF) published Control Objectives for Information and Related Technology (COBIT)1. COBIT provides a framework of generally applicable and accepted IT security and control practices that can be used to evaluate an organization’s current and planned IT environment. As of August 1997 more than 5,000 copies of COBIT had been sold, and many organizations had begun to adopt it. In August of 1997 a survey was sent to COBIT purchasers to determine their characteristics and how they intended to use COBIT. For those who had gone forward and had begun to use COBIT, the survey was intended to determine if their actions were consistent with their intentions. The survey also captures the characteristics of those who had not adopted COBIT and their reasons for not adopting it. This chapter reports the results of that survey.