COBIT 5 PRINCIPLES: WHERE DID THEY COME FROM?
ISACA®
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: www.isaca.org/COBIT5-Principles
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.
COBIT® 5 Principles: Where Did They Come From?
ACKNOWLEDGMENTS

Development Team
Steven De Haes, Ph.D., University of Antwerp—Antwerp Management School, Belgium
Roger Debreceny, Ph.D., CGEIT, FCPA, University of Hawaii at Manoa, USA
Wim Van Grembergen, Ph.D., University of Antwerp—Antwerp Management School, Belgium

Expert Reviewers
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
Katherine McIntosh, CISA, CIA, Central Hudson Gas & Electric Corp., USA

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Framework Committee
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore, Chairman
David Cau, GRCP, ITIL V3, MSP, Deloitte, Luxembourg
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
Sylvia Tosar, CGEIT, PMP, Uruguay
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance of IT (PTY) LTD., South Africa
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK (2013-2014)
Frank J. Cindrich, CGEIT, CIPP, CIPP/G, Deloitte & Touche LLP, USA (2013-2014)
INTRODUCTION

COBIT 5 is an internationally accepted governance and management of enterprise information and related technology (GEIT) framework from ISACA that was developed by, and for, practitioners and includes insights from IT and general management literature. This white paper helps practitioners to better understand the COBIT 5 principles (figure 1) and, therefore, be more efficient and effective in the application of the COBIT 5 GEIT framework to their enterprises. This paper clearly explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.

[Figure 1—The Five COBIT 5 Principles]
PRINCIPLE 1
MEETING STAKEHOLDER NEEDS

The first principle addresses the need to align individual and departmental objectives and priorities with enterprise and stakeholder needs. The main purpose of GEIT is to achieve strategic alignment of information and related technology with the goals of the enterprise. However, a continuing challenge for enterprises is how to achieve and maintain this alignment as stakeholder needs and enterprise goals change.

To assist enterprises with establishing and maintaining strategic alignment, ISACA undertook research to provide guidance for understanding how enterprise goals drive IT-related goals and vice versa. From this research, developers recorded generic enterprise goals and IT-related goals and represented their interrelationships in the COBIT 5 goals cascade (figure 2).

[Figure 2—COBIT 5 Goals Cascade]

• Financial
• Customer
• Internal
• Learning and Growth

1. Kaplan, R.; D. Norton; "The Balanced Scorecard—Measures That Drive Performance," Harvard Business Review, USA, 1992
2. Van Grembergen, W.; R. Saul; S. De Haes; "Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group," Journal for Information Technology Cases and Applications, USA, 2003
3. Balanced Scorecard Institute, a Strategy Management Group company, USA, 1998-2014, https://balancedscorecard.org
PRINCIPLE 2
COVERING THE ENTERPRISE END-TO-END

The governance system for enterprise IT (GEIT) proposed by COBIT 5 integrates seamlessly in any enterprise governance system. COBIT 5 aligns with the latest views on enterprise governance.

COBIT 5 covers all functions and processes within the enterprise, not only the IT function, as was sometimes perceived to be the case with earlier COBIT versions. COBIT 5 considers information and related technologies to be assets and resources and treats them the same as other assets within the enterprise—an approach termed "IT savvy" by Weill and Ross.[4] Business managers are required to take on the accountability for governing and managing the IT-related assets within their own organizational units and functions—in the same way that they take on the accountability for other assets such as physical plant, financial and human resource assets. Business managers must take ownership of, and be accountable for, governing the use of IT while creating value from IT-enabled business investments—business managers must become more IT savvy.[5] COBIT provides a common, nontechnical business language framework of guidance for business managers to use when engaging with their IT professional colleagues and advisors to make IT-related business decisions—supporting IT savviness.

This principle implies a crucial shift in the minds of business and IT management; it comprises a move from managing IT as a cost to managing IT as an asset. This shift is an essential element of business value creation. "If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on organizational capabilities. IT becomes a liability instead of a strategic asset."[6]

COBIT 5 covers both IT and IT-related business accountabilities and responsibilities. Specifically, charts that show who is responsible, accountable, consulted and informed (RACI) for both business and IT function roles are provided in the COBIT® 5: Enabling Processes guide (figure 3). RACI charts indicate that, for every COBIT 5 process, both business and IT function roles have accountabilities and responsibilities.

4. Weill, P.; J. Ross; IT Savvy: What Top Executives Must Know to Go From Pain to Gain, Harvard Business Press, USA, 2009
5. Ibid.
6. Ibid.
PRINCIPLE 2
COVERING THE ENTERPRISE END-TO-END (CONT.)

[Figure 3—RACI chart from COBIT® 5: Enabling Processes. Roles (columns): Board; Chief Executive Officer; Chief Financial Officer; Business Executives; Chief Risk Officer; Architecture Board; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Privacy Officer; Compliance; Audit. Management practices (rows): APO01.02 Establish roles and responsibilities; APO01.03 Maintain the enablers of the management system; APO01.04 Communicate management objectives and direction; APO01.05 Optimise the placement of the IT function; APO01.06 Define information (data) and system ownership; APO01.07 Manage continual improvement of processes; APO01.08 Maintain compliance with policies and procedures. The R/A/C/I cell values are not reproduced here.]
PRINCIPLE 3
APPLYING A SINGLE INTEGRATED FRAMEWORK

The third principle highlights the need to use an overall single, integrated GEIT framework to deliver the optimum value from the IT assets and resources used.

COBIT 5 aligns with other relevant standards and frameworks at a high level and, thus, can serve as the overarching framework for GEIT (figure 4). ISACA made a major investment over the years to align COBIT with other standards and frameworks, including:

• ISO/IEC 38500:2008[7]
• ISO/IEC 27001:2013[8]
• ISO/IEC 20000[9]
• ISO 31000 series[10]
• ISO 9001:2008[11]
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework[12]
• IT Infrastructure Library® (ITIL® V3)[13]
• Project Management Body of Knowledge (PMBOK®)[14]
• Data Management Body of Knowledge (DMBOK)[15]
• The Open Group Architecture Framework (TOGAF® 9)[16]
• Projects in Controlled Environments (PRINCE2®)[17]

Many of the processes in COBIT 5 are inspired by the guidance in these standards and frameworks, which are used by IT professionals worldwide. As such, many of the processes and practices in COBIT 5 relate to, and align with, one or more detailed standards or frameworks that are used by enterprises to govern and manage their IT assets and resources. To help enterprises to work effectively with COBIT 5 and other standards and frameworks, COBIT® 5: Enabling Processes and the COBIT 5 professional guides contain high-level mappings of COBIT 5 processes to the major related standards and frameworks.

COBIT 5 also integrates and harmonizes the Risk IT and Val IT framework guidance, which ISACA published previously, into a single framework, making COBIT 5 a "one-stop shop" for overall GEIT guidance. COBIT 5 includes in its scope previous guidance from ISACA and guidance from other standards and frameworks in the field.

Further, COBIT 5 provides a single overarching framework that serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language. This source can be effectively used as the basis for more detailed guidance on addressing specific GEIT aspects including information security/cybersecurity, risk, assurance, vendor management, configuration management, cloud controls, etc., in an effective way.

7. ISO, "ISO/IEC 38500:2008 Corporate governance of information technology," Switzerland, 2008, www.iso.org
8. ISO, "ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements," Switzerland, 2013, www.iso.org
9. ISO, "ISO/IEC 20000-1:2011 Information technology—Service management—Part 1: Service management system requirements," Switzerland, 2011, www.iso.org
10. ISO, "ISO 31000:2009 Risk management—Principles and guidelines," Switzerland, 2009, www.iso.org
11. ISO, "ISO 9001:2008 Quality management systems—Requirements," Switzerland, 2008, www.iso.org
12. Committee of Sponsoring Organizations of the Treadway Commission (COSO), "Internal Control—Integrated Framework (2013)," USA, 2013, www.coso.org/IC.htm
13. ITIL® Home, "Welcome to the Official ITIL® Website," UK, www.itil-officialsite.com
14. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK®), USA, 2008
15. Data Management Association International (DAMA), The DAMA Guide to the Data Management Body of Knowledge (DMBOK), USA, 2009
16. The Open Group, TOGAF® 9, UK, 2009, www.opengroup.org/togaf
17. PRINCE2—Projects In Controlled Environments Home, "Welcome to the Official PRINCE2® Website," UK, www.prince-officialsite.com
PRINCIPLE 3
APPLYING A SINGLE INTEGRATED FRAMEWORK (CONT.)

[Figure 4]
PRINCIPLE 4
ENABLING A HOLISTIC APPROACH

The fourth principle emphasizes that efficient and effective implementation of GEIT requires a holistic approach that takes into account several interacting components or mechanisms—termed "enablers" in COBIT—because they interact to support governance and management of enterprise activities and are interdependent.

[Figure 5—COBIT 5 Enablers. Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 12]

COBIT 5 builds on these systemic insights with the concept of enablers. Enablers are defined as factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. The COBIT 5 framework describes seven categories of enablers (figure 5)—of which Processes; Organisational Structures; and Culture, Ethics and Behaviour are most closely related to the organizational systems concept. COBIT 5 complements these organizational systems enablers with other important enablers: Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; and People, Skills and Competencies.

18. De Wit, B.; R. Meyer; Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage, Cengage Learning EMEA, USA, 2005
19. Peterson, R.; "Crafting Information Technology Governance," Information Systems Management, USA, 2004
20. De Haes, S.; W. Van Grembergen; "An Exploratory Study Into IT Governance Implementations and Its Impact on Business/IT Alignment," Information Systems Management, USA, 2009
PRINCIPLE 5
SEPARATING GOVERNANCE FROM MANAGEMENT

Finally, COBIT 5 makes a distinction between governance and management. This distinction aligns with the following guidance in ISO/IEC 38500:2008:

Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.[21]

In COBIT 5, ISACA states for the first time that GEIT processes encompass different types of activities. The governance processes are organized following the evaluate, direct and monitor (EDM) model, as proposed by ISO/IEC 38500. IT governance processes ensure that enterprise goals are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. Based on the results, guidance and output from these governance activities, business and IT management plans, builds, runs and monitors activities (PBRM) to ensure alignment with the direction that was set by the governance body and, thus, achieve the enterprise objectives (figure 6).

[Figure 6—Business Needs; Governance (Evaluate, Direct, Monitor); Management (Plan, Build, Run, Monitor)]

21. ISO, "ISO/IEC 38500:2008 Corporate governance of information technology," Switzerland, 2008, www.iso.org

CONCLUSION

22. Van Grembergen, W.; S. De Haes; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009