Maximizing the

Combined Effects of
COBIT® 5 and DMMSM:
A Guide to Using the
Practices Pathway Tool
Introduction
When designing or improving a governance program for enterprise IT, you
must be comprehensive in your approach; for example, you will likely need
to consult a number of frameworks and standards to guarantee that all
contingencies have been considered. After all, no one framework or standard
is 100-percent comprehensive for all of an enterprise’s needs. However, the
challenge for practitioners is further complicated by the fact that differing
governance frameworks and standards do not always integrate together—they
are often developed independently and use different definitions, concepts,
idioms, and terminology. They are oftentimes also written for different audiences
and from different perspectives.

“Mapping tools” have often been a helpful way to bridge the “communication
gap” among various frameworks and standards. These tools help establish
which areas in one standard or framework correlate to areas within another.
Usually these tools map only in one direction: translating topical areas from
framework or standard A to framework or standard B. While this can be useful,
it limits the ability to get full insight from – and to harness the combined power
of — both sources of information. What practitioners truly need is a way to tap
the power of multiple resources simultaneously.

To help practitioners develop more comprehensive governance programs,

ISACA and CMMI Institute have developed a Practices Pathway Tool
covering the practices found in the COBIT 5 governance framework and the
Data Maturity Management (DMM) model. As a result, the alignment between
these frameworks will help enterprises and practitioners develop better
governance structures.

Practitioners familiar with either COBIT 5 or DMM can use the Practices
Pathway Tool to learn more about – and gain value from – a framework they
might not already be familiar with. This not only enhances the value they
can derive from the framework they’re already using by providing additional
perspectives and guidance on topics where the other framework excels, but it
allows them to leverage additional guidance, supporting documentation, and
best practices in those areas. COBIT 5 users may find further insights into
data-centric aspects of their governance approach via specific DMM practices,
while DMM users may find COBIT 5 guidance enhances DMM application
by providing additional insights into the risk and assurance areas of the
organization’s data management capability.

Maximizing the Combined Effects of COBIT® 5 and DMMSM // 2

Background
The Data Management Maturity Model (DMM) offers proven best
practices to enable successful enterprise data management
programs. It fosters business engagement in data management
and measures an enterprise’s current capabilities across
twenty-five data management topics (Process Areas). The DMM
embeds successive levels of achievement in each Process Area.
Capability levels encompass both specific functional practices
and the organizational scope of implementation. Practices in a
Process Area describe the path most organizations follow in
building, developing, governing and enhancing their data
management programs.
In contrast to the DMM, COBIT 5 is designed to guide the
implementation of governance rather than to measure current
capabilities. COBIT is a business framework that aligns
stakeholder requirements with available enablers, or resources,
to generate and deliver value to enterprise stakeholders.
Used as a framework of frameworks, COBIT 5 facilitates the
integration of multiple frameworks and standards to create a
cohesive GEIT structure that is compatible with (and correlated
to) the enterprise’s specific operations, regulatory context and
other key business considerations.
Although COBIT 5 and DMM focus on IT governance and data
management respectively, their practices and guidelines are
generally applicable to governance and management across
many domains. The practices pathway tool correlates COBIT 5
and the DMM both in terms of their generic and their specific
content, when applicable. The tool highlights their affinities and
identifies how COBIT 5 and DMM practices reinforce each other
when used together to develop enterprise capabilities.
Scope of Alignment and
Alignment Criteria
Practices are the most relevant connection between the DMM
and COBIT 5. Synergies certainly exist at higher levels, but
the harmonization of practices provides the greatest benefit
for practitioners. Accordingly, the practices pathway tool
identifies practices in one product that clarify or enhance
practices in the other.
When connections between frameworks are not addressed, the
practices pathway tool indicates ‘Not Covered’ as the value for
the assignment of that practice. A practice in one product can
align with multiple practices in the other. To identify one-to-many
relationships clearly, the tool includes a separate line for each
assignment. This approach facilitates easier sorting and/or
grouping of functions within the tool.
When determining the connections between DMM and
COBIT 5, the following questions were asked for each practice:
• Is this practice useful in the other model?
• Can this practice be made better by associating it with a
practice in the other model?
For any practice that suggests an affirmative answer to these
questions, the tool records the appropriate association(s). In
short, COBIT 5 users will find additional guidance in DMM to
enhance their governance structure and vice versa.
Using the COBIT 5/DMM
Practices Pathway Tool
The COBIT 5/DMM Practices Pathway Tool assists in
designing and/or improving an enterprise’s data management
structures and practices by identifying connections between
COBIT 5 and DMM so that practitioners gain mutually
complementary sources of guidance. Their alignment can
also improve understanding of common practices and
touchpoints that logically exist between an enterprise’s
data governance and IT governance, which often share
stakeholders. Since organizations by and large have not
developed robust enterprise programs for data-as-an-asset,
the tool can also enhance capability development in the
context of IT governance.
The COBIT 5/DMM Practices Pathway Tool is available in
Microsoft Excel to serve practitioners who report that they
typically use Excel over enterprise solutions or mobile
applications. The tool takes advantage of Excel features,
such as sorting and filtering, to make it easier to view and find
information. To get started, practitioners can open the tool, sort
practices in the framework they are more familiar with, and
discover corresponding related practices in the other framework.
The tool assumes that the practitioner has a working knowledge
of COBIT 5 and at least a cursory understanding of DMM. The
tool permits identification of guidance in one model based on
input from the other; practitioners can start from DMM or from
COBIT. This feature makes the tool bi-directional, but also
requires some knowledge of the source materials.
Maximizing the Combined Effects of COBIT® 5 and DMMSM // 3
Structure of the tool
The tool consists of a spreadsheet whose rows and columns
correlate guidance from DMM and COBIT. Specific elements
of each practice have separate columns that allow the user
to sort and filter the data. As delivered, the COBIT 5/DMM
Practices Pathway Tool has the Excel filter turned on.
To locate a practice element, click on the filter drop-down icon in
a column heading and select the element from the list of values.
The tool will show the results of the selection(s) made in the filter.
Following is a step-by-step illustration for using the tool. Two
examples are presented.
FIGURE 1
FIGURE 2
Example One – Leverage DMM to find
related COBIT Guidance
This example starts with DMM Data Quality – DQS level 3 and
looks for related COBIT 5 practices. The result should include:
1. APO11.05 (Integrate quality management into solutions for
development and service delivery);
2. APO11.06 (Maintain continuous improvement); and
3. Enabling Information (Figure 21).
ANALYTICAL STEPS:
1. From the drop-down arrow in cell B6 select “Data Quality.”
The tool will display 74 records. A small portion of the result
set is displayed in the following Figure 1.
2. Narrow results by clicking on the drop-down arrow in cell C6.
Select each statement ID beginning with “DQA 3” from the
list of values. The results will narrow to 5 records as shown in
the following Figure 2.
Maximizing the Combined Effects of COBIT® 5 and DMMSM // 4
Example Two – Leverage COBIT to find related ANALYTICAL STEPS:

DMM guidance 1. From the drop-down arrow in cell E6 select “BAI.” The tool
will display 106 records. A small portion of the result set is
Start with COBIT 5 management practice BAI01.10 (Manage
displayed in the following Figure 3.
programme and project risk.) and look for all related DMM
practices. The end result should include: 2. Narrow results by clicking on the drop-down arrow in cell F6.
Select “BAI01.10.” The tool will update and display 3 records
1. DMM COM 1.1 Communications are managed locally. as shown in the following Figure 4.
2. DMM COM 2.1 The communications plan for data
management is defined, documented, approved by
stakeholders, and scheduled.
3. DMM COM 2.2 Data management standards, policies,
and processes are communicated and adjusted based
upon feedback.

FIGURE 3

FIGURE 4

Maximizing the Combined Effects of COBIT® 5 and DMMSM // 5

Acknowledgments
ISACA would like to recognize:
Development Team
Jim Halcomb
CMMI Institute, USA
Peter C. Tessin
CISA, CRISC, CISM, CGEIT, ISACA, USA
SME Reviewer
Melanie Mecca
CMMI Institute, USA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Provide feedback:
www.isaca.org/COBIT-DMM-
Connections
Participate in the ISACA
Knowledge Center:
www.isaca.org/knowledge-center
Follow ISACA on Twitter:
https://twitter.com/ISACANews
Join ISACA on LinkedIn:
ISACA (Official),
http://linkd.in/ISACAOfficial
Like ISACA on Facebook:
www.facebook.com/ISACAHQ
About ISACA
ISACA® (isaca.org) helps professionals around the globe realize the positive potential of
technology in an evolving digital world. By offering industry-leading knowledge, standards,
credentialing and education, ISACA enables professionals to apply technology in ways that
instill confidence, address threats, drive innovation and create positive momentum for their
organizations. Established in 1969, ISACA is a global association serving more than 500,000
engaged professionals in 188 countries. ISACA is the creator of the COBIT® framework, which
helps organizations effectively govern and manage their information and technology. Through its
Cybersecurity Nexus™ (CSX), ISACA helps organizations develop skilled cyber workforces and
enables individuals to grow and advance their cyber careers.
CMMI® Institute
CMMI Institute (CMMIinstitute.com) is the global leader in the advancement of best
practices in people, process, and technology. The Institute provides the tools and support for
organizations to benchmark their capabilities and build maturity by comparing their operations
to best practices and identifying performance gaps. For over 25 years, thousands of high-
performing organizations in a variety of industries, including aerospace, finance, healthcare,
software, defense, transportation, and telecommunications, have earned a CMMI maturity level
rating and proved they are capable business partners and suppliers. CMMI Institute is a part of
the ISACA family, the global non-profit association helping professionals to realize the positive
potential of technology.
Disclaimer
ISACA has designed and created “Maximizing the Combined Effects of COBIT® 5 and DMMSM: A Guide to Using the
Practices Pathway Tool” (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that
use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper
information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed
to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or
information technology environment.
Reservation of Rights
© 2017 ISACA. All rights reserved.
Maximizing the Combined Effects of COBIT® 5 and DMMSM // 6