
COBIT 2019 and IT Management

- Introduction

Christian F. Nissen, CFN Consult

RESILIA™, ITIL®, PRINCE2®, MSP®, MoP® and MoV® are Registered Trade Marks of AXELOS in the United Kingdom and other countries
COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
TOGAF™ and IT4IT™ are trademarks of The Open Group
SIAM® is a registered trademark of EXIN

© 2019 of CFN Consult unless otherwise stated


Agenda

1. Governance of IT
2. COBIT Background
3. COBIT Other frameworks
4. COBIT Principles
5. COBIT Goals
6. COBIT Objectives
7. COBIT Components
8. COBIT Design factors
9. COBIT Focus areas
10. COBIT Performance management
11. Designing and implementing a governance system
Assignment

• What is the difference between “IT Governance” and “IT Management”?
• What are the differences and similarities between “Corporate governance”, “IT Governance”, “Project governance”, “Process governance”, “Service governance”, “Information governance” and “Application governance”?
• Time: 10 minutes
Governance – an introduction

Definition? MANAGEMENT of MANAGEMENT

Object?
• Value
• Asset
• System Lifecycle (Architecture/configuration of resources)
Governance – an introduction

Who? (figure: the governance chain)
  Owner / Accountable body → Governance: Evaluate & direct, Monitor
  Governance → Management: Delegate, Report
  Management → Operation: Plan-do-check-act, execution

Why? (figure, centred on the asset)
• Maximize return on investment
• Optimize resources
• Optimize risk
• Meet preference
Governance – an introduction

How? (figure: the governance cycle Evaluate → Direct → Monitor)

What?
❍ Principles, policies and plans (Boundaries, principles, policies, decision models, strategies, plans, etc.)
❍ Goals (Performance and outcome goals)
❍ Controls (Control objectives, requirements, agreements, etc.)
❍ Maturity (Capability maturity, benchmarks, etc.)
❍ Resources (Money, etc. etc.)
Governance – an introduction

When? (figure: the need for governance grows with the asset value and with the complexity of the asset (system/lifecycle))
A delicate balance

IT governance balances:
• Conformance: adhering to legislation, internal policies, audit requirements, etc.
• Performance: improving profitability, efficiency, effectiveness, growth, etc.
COBIT

• Originally: The Control Objectives for Information and related Technology (COBIT)
• COBIT consists of a number of general goals, practices (controls), processes, organizational structures, information flows, and other components for governance and management of enterprise IT
• Are references, sets of best practices, not an ‘off-the-shelf’ cure (descriptive – not prescriptive)
• COBIT is produced and owned by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

www.isaca.org/cobit
Why COBIT 2019?

Value creation:
• Benefits realization
• Risk optimization
• Resource optimization

(figure: Enterprise Governance of IT → Business/IT Alignment → Value Creation)
COBIT 2019 – Governance framework principles

1. Based on a conceptual model
2. Open and flexible
3. Aligned to major standards
COBIT History

(figure: timeline of COBIT's evolving emphasis: Audit → Control → Practices → Management → Governance → Capabilities)

For latest updates on COBIT, visit www.isaca.org/cobit.
COBIT 2019 – Scope

Governance ensures that:
• Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
• Direction is set through prioritization and decision making.
• Performance and compliance are monitored against agreed-on direction and objectives.

Management:
• Plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.
COBIT 2019 – Scope

• COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.
• COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
• COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.
COBIT 2019 – Target audience

Stakeholder | Benefit of COBIT

Internal Stakeholders
Boards | Provides insights on how to get value from the use of IT and explains relevant board responsibilities
Executive Management | Helps to understand how to obtain the IT solutions enterprises require and how best to exploit new technology for new strategic opportunities
Business Managers | Provides guidance on how to organize and monitor performance of IT across the enterprise
IT Managers | Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy to business priorities, etc.
Assurance Providers | Helps to manage dependency on external service providers, get assurance over IT, and ensure the existence of an effective and efficient system of internal controls
Risk Management | Helps to ensure the identification and management of all IT-related risk

External Stakeholders
Regulators | Helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance
Business Partners | Helps to ensure that a business partner’s operations are secure, reliable and compliant with applicable rules and regulations
IT Vendors | Helps to ensure that an IT vendor’s operations are secure, reliable and compliant with applicable rules and regulations
COBIT 2019 – Overview (figure)
COBIT 2019 – Product family

Products
• COBIT 2019 Framework: Introduction and Methodology
• COBIT 2019 Framework: Governance and Management Objectives
• COBIT 2019 Design Guide
• COBIT 2019 Implementation Guide
COBIT and related frameworks
Some relevant best practices and standards

Area | Best practices | Standards | Regulations
Corporate Governance | God Selskabsledelse, COSO | | Sarbanes-Oxley (SoX)
IT Governance | COBIT, MoV, MoP | ISO/IEC 38500 |
IT Management | COBIT / MoR | |
Enterprise Architecture | TOGAF | ISO/IEC 42016 |
IT Service Management | ITIL, eTOM, VeriSM, SAFe | ISO/IEC 20000, IT4IT |
Information Security & privacy | ISF | ISO/IEC 27000 | Data protection acts, GDPR
Quality Management | LEAN, EFQM, Six Sigma, Test | ISO 9000 |
Process Maturity | CMMi, TIPA | ISO/IEC 33000 |
Project & Program Management | PRINCE2, MSP, PMBOK | |
Industry specific | GAMP, Basel II, Solvency II | | FDA requirements
COBIT and related frameworks
(figure: COBIT and related frameworks, COBIT 5, Appendix E)
COBIT and related frameworks
Governance related best practices and standards

• IT Governance Institute (ISACA)
    • Board Briefing on IT Governance
    • COBIT
• Peter Weill and Jeanne W. Ross
    • IT Governance
• Cabinet Office
    • ITIL
    • PRINCE2
    • MoR
    • MSP
    • MoV, MoP, P3O, P3M3
• ISO/IEC
    • ISO/IEC 38500 Corporate governance of IT
COBIT and related frameworks
ISO/IEC 38500

• Formal standard for IT Governance
• ISO/IEC 38500 is produced and owned by the International Organization for Standardization (ISO)
• ISO/IEC 38500 covers six principles for IT Governance:
    • Responsibility
    • Strategy
    • Acquisition
    • Performance
    • Conformance
    • Human behavior
• www.iso.org
COBIT and related frameworks
ISO/IEC 38500 History and ownership

• ISO/IEC 38500 was originally developed by the Australian standardization organization and was named AS8015:2005.
• In 2009 it was fast tracked through ISO and officially re-named to ISO/IEC 38500:2008 in April 2008.
• In 2016 it was revised to ISO/IEC 38500:2016
COBIT and related frameworks
ISO/IEC 38500 The six principles

• Principle 1: Responsibility
  Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
• Principle 2: Strategy
  The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
• Principle 3: Acquisition
  IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
• Principle 4: Performance
  IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
• Principle 5: Conformance
  The use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
• Principle 6: Human Behavior
  IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the ‘people in the process’.
COBIT and related frameworks
Governance activities according to ISO/IEC 38500

• Evaluate (Current and future use of IT)
• Direct (Preparation and implementation)
• Monitor (Conformance and performance)
COBIT 2019 – Six governance system principles

1. Provide Stakeholder Value
2. Holistic Approach
3. Dynamic Governance System
4. Governance Distinct From Management
5. Tailored to Enterprise Needs
6. End-to-End Governance System
COBIT 2019 – Goals cascade

Stakeholder Drivers and Needs
  cascade to
Enterprise Goals
  cascade to
Alignment Goals
  cascade to
Governance and Management Objectives
COBIT 2019 – Enterprise Goals

BSC dimension | Ref. | Enterprise Goal
Financial | EG01 | Portfolio of competitive products and services
Financial | EG02 | Managed business risk
Financial | EG03 | Compliance with external laws and regulations
Financial | EG04 | Quality of financial information
Customer | EG05 | Customer-oriented service culture
Customer | EG06 | Business-service continuity and availability
Customer | EG07 | Quality of management information
Internal | EG08 | Optimization of internal business process functionality
Internal | EG09 | Optimization of business process costs
Internal | EG10 | Staff skills, motivation and productivity
Internal | EG11 | Compliance with internal policies
Learning and Growth | EG12 | Managed digital transformation programs
Learning and Growth | EG13 | Product and business innovation
COBIT 2019 – Alignment Goals

BSC dimension | Ref. | Alignment Goal
Financial | AG01 | IT compliance and support for business compliance with external laws and regulations
Financial | AG02 | Managed IT-related risk
Financial | AG03 | Realized benefits from IT enabled investments and services portfolio
Financial | AG04 | Quality of technology-related financial information
Customer | AG05 | Delivery of I&T services in line with business requirements
Customer | AG06 | Agility to turn business requirements into operational solutions
Internal | AG07 | Security of information, processing infrastructure and applications, and privacy
Internal | AG08 | Enabling and supporting business processes by integrating applications and technology
Internal | AG09 | Delivery of programs on time, on budget and meeting requirements and quality standards
Internal | AG10 | Quality of IT management information
Internal | AG11 | IT compliance with internal policies
Learning and Growth | AG12 | Competent and motivated staff with mutual understanding of technology and business
Learning and Growth | AG13 | Knowledge, expertise and initiatives for business innovation
COBIT 2019 – Mapping Enterprise and Alignment Goals (figure)

COBIT 2019 – Mapping Alignment Goals and Objectives (figure)
COBIT 2019 – Objectives

• For information and technology to contribute to enterprise goals, a number of governance and management objectives (i.e. capabilities) should be achieved.
• A governance or management objective always relates to one process and a series of related components of other types to help achieve the objective.
COBIT 2019 – Objectives

• COBIT 2019 includes 5 governance objectives and 35 management objectives, covering 231 governance and management practices (controls) in five domains:
    • Evaluate, Direct and Monitor (Governance)
    • Align, Plan and Organize (Management)
    • Build, Acquire and Implement (Management)
    • Deliver, Service and Support (Management)
    • Monitor, Evaluate and Assess (Management)
COBIT 2019 – Core model (40 objectives) (figure)
COBIT 2019 – Core model

EDM01 Ensured Governance Framework Setting & Maintenance
EDM02 Ensured Benefits Delivery
EDM03 Ensured Risk Optimization
EDM04 Ensured Resource Optimization
EDM05 Ensured Stakeholder Engagement
APO01 Managed I&T Management Framework
APO02 Managed Strategy
APO03 Managed Enterprise Architecture
APO04 Managed Innovation
APO05 Managed Portfolio
APO06 Managed Budget & Costs
APO07 Managed Human Resources
APO08 Managed Relationships
APO09 Managed Service Agreements
APO10 Managed Vendors
APO11 Managed Quality
APO12 Managed Risk
APO13 Managed Security
APO14 Managed Data

COBIT 2019 – Core model

BAI01 Managed Programs
BAI02 Managed Requirements Definition
BAI03 Managed Solutions Identification & Build
BAI04 Managed Availability & Capacity
BAI05 Managed Organizational Change
BAI06 Managed IT Changes
BAI07 Managed IT Change Acceptance and Transitioning
BAI08 Managed Knowledge
BAI09 Managed Assets
BAI10 Managed Configuration
BAI11 Managed Projects
DSS01 Managed Operations
DSS02 Managed Service Requests & Incidents
DSS03 Managed Problems
DSS04 Managed Continuity
DSS05 Managed Security Services
DSS06 Managed Business Process Controls
MEA01 Managed Performance and Conformance Monitoring
MEA02 Managed System of Internal Control
MEA03 Managed Compliance with External Requirements
MEA04 Managed Assurance
COBIT 2019 – Objective – Example (figure)
COBIT 2019 – Components

To satisfy the objectives, each enterprise needs to establish, tailor and sustain a governance system built from a number of components.

• Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over IT.
• Components interact with each other, resulting in a holistic governance system for IT.
• Components can be of different types.
COBIT 2019 – Components

(figure: the seven component types surrounding the Governance System)
• Processes
• Organizational Structures
• Principles, Policies, and Procedures
• Information
• Culture, Ethics and Behavior
• People, Skills and Competences
• Services, Infrastructure and Applications
COBIT 2019 – Processes – Example (figure)
COBIT 2019 – Processes – Controls

• Controls are statements of managerial actions to increase value or reduce risk
• Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
• In COBIT, called “Governance Practices” and “Management Practices”
COBIT 2019 – Processes – Control types

• Directive controls
• Preventive controls
• Compensating controls
• Detective controls
• Corrective controls
COBIT 2019 – Processes – Process specific controls

Example: Managed IT Changes (BAI06)

BAI06.01 Evaluate, prioritize and authorize change requests.
• Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.
BAI06.02 Manage emergency changes.
• Carefully manage emergency changes to minimize further incidents. Ensure the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.
BAI06.03 Track and report change status.
• Maintain a tracking and reporting system to document rejected changes and communicate the status of approved, in-process and complete changes. Make certain that approved changes are implemented as planned.
BAI06.04 Close and document the changes.
• Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.
ISO/IEC 20000-1:2011 – Requirements

9.2 Change management

A change management policy shall be established that defines:
a) CIs which are under the control of change management;
b) criteria to determine changes with potential to have a major impact on services or the customer.
Removal of a service shall be classified as a change to a service with the potential to have a major impact. Transfer of a service from the service provider to the customer or a different party shall be classified as a change with potential to have a major impact.
There shall be a documented procedure to record, classify, assess and approve requests for change.
The service provider shall document and agree with the customer the definition of an emergency change. There shall be a documented procedure for managing emergency changes.
All changes to a service or service component shall be raised using a request for change. Requests for change shall have a defined scope.
...
ISO/IEC 27002:2013 – Requirements

12.1.2 Change Management

Control
Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.

Implementation guidance
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident.

Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.
Compliance requirements

• Security standards
• Privacy legislation
• Spam legislation
• Trade practices legislation
• Intellectual property rights, including software licensing agreements
• Record keeping requirements
• Environmental legislation and regulations
• Health and safety legislation
• Accessibility legislation
• Social responsibility standards
• ...
Mapping compliance requirements

(figure: external requirements on the left are mapped to the enterprise’s own governance artefacts on the right)

Requirements:
• COBIT BAI10.03: Maintain an up-to-date repository of configuration items (CIs) by populating any configuration changes. . . .
• ISO/IEC 20000, 9.1: Configuration management shall provide information to the change management process on the impact of a requested change on the service and infrastructure configurations . . .
• ISO/IEC 27000, 7.1: Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned . . .

Enterprise artefacts the requirements map to: Policy, Process, Control Objective, Procedure, Database, Work instructions, Roles
COBIT 2019 – Organizational Structures – Example (figure)

COBIT 2019 – Information – Example (figure)

COBIT 2019 – People, Skills, Competences – Example

The people, skills and competencies governance component identifies human resources and skills required to achieve the governance or management objective. COBIT® 2019 based this guidance on the Skills Framework for the Information Age (SFIA®) V6 (version 6). All listed skills are described in detail in the SFIA framework. The Detailed Reference provides a unique code that correlates to SFIA guidance on the skill.

COBIT 2019 – Policies, Procedures – Example (figure)

COBIT 2019 – Culture, Ethics, Behavior – Example (figure)

COBIT 2019 – Services, Infrastructure, Applications – Example (figure)
COBIT 2019 – Design factors

Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of IT. Design factors include any combination of the following:

1. Enterprise Strategy
2. Enterprise Goals
3. Risk Profile
4. IT-Related Issues
5. Threat Landscape
6. Compliance Requirements
7. Role of IT
8. Sourcing Model for IT
9. IT Implementation Methods
10. Technology Adoption Strategy
11. Enterprise Size
COBIT 2019 – Design factors

1. Enterprise strategy. Organizations typically have a primary strategy and, at most, one secondary strategy. Enterprises can have different strategies, which can be expressed as one or more of the following archetypes:

Strategy Archetype | Explanation
Growth/Acquisition | The enterprise has a focus on growing (revenues)
Innovation/Differentiation | The enterprise has a focus on offering different and/or innovative products and services to their clients
Cost leadership | The enterprise has a focus on short-term cost minimization
Client service/Stability | The enterprise has a focus on providing stable and client-oriented service
COBIT 2019 – Design factors

2. Enterprise goals supporting the enterprise strategy:

BSC dimension | Ref. | Enterprise goal
Financial | EG01 | Portfolio of competitive products and services
Financial | EG02 | Managed business risk
Financial | EG03 | Compliance with external laws and regulations
Financial | EG04 | Quality of financial information
Customer | EG05 | Customer-oriented service culture
Customer | EG06 | Business-service continuity and availability
Customer | EG07 | Quality of management information
Internal | EG08 | Optimization of internal business process functionality
Internal | EG09 | Optimization of business process costs
Internal | EG10 | Staff skills, motivation and productivity
Internal | EG11 | Compliance with internal policies
Learning and Growth | EG12 | Managed digital transformation programs
Learning and Growth | EG13 | Product and business innovation
COBIT 2019 – Design factors

3. Risk profile of the enterprise (risk categories):

1 IT investment decision making, portfolio definition & maintenance
2 Program & projects life cycle management
3 IT cost & oversight
4 IT expertise, skills & behavior
5 Enterprise/IT architecture
6 IT operational infrastructure incidents
7 Unauthorized actions
8 Software adoption/usage problems
9 Hardware incidents
10 Software failures
11 Logical attacks (hacking, malware, etc.)
12 Third-party/supplier incidents
13 Noncompliance
14 Geopolitical issues
15 Industrial action
16 Acts of nature
17 Technology-based innovation
18 Environmental
19 Data & information management
COBIT 2019 – Design factors

4. IT-related issues. The most common issues include:

A Frustration between different IT entities across the organization because of a perception of low contribution to business value
B Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
C Significant I&T-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
D Service delivery problems by the IT outsourcer(s)
E Failures to meet IT-related regulatory or contractual requirements
F Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
G Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets
H Duplications or overlaps between various initiatives, or other forms of wasted resources
I Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
J IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
K Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
L Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
M Excessively high cost of IT
N Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
O Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
P Regular issues with data quality and integration of data across various sources
Q High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
R Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services)
S Ignorance of and/or noncompliance with privacy regulations
T Inability to exploit new technologies or innovate using I&T
COBIT 2019 – Design factors

5. Threat landscape under which the enterprise operates:

Threat Landscape | Explanation
Normal | The enterprise is operating under what are considered normal threat levels.
High | Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
COBIT 2019 – Design factors

6. Compliance requirements to which the enterprise is subject:

Regulatory Environment | Explanation
Low compliance requirements | The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
Normal compliance requirements | The enterprise is subject to a set of regular compliance requirements that are common across different industries.
High compliance requirements | The enterprise is subject to higher-than-average compliance requirements, most often related to industry sector or geopolitical conditions.
COBIT 2019 – Design factors

7. Role of IT for the enterprise:

Role of IT | Explanation
Support | IT is not crucial for the running and continuity of the business process and services, nor for their innovation.
Factory | When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
Turnaround | IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency on IT for the current running and continuity of the business processes and services.
Strategic | IT is critical for both running and innovating the organization’s business processes and services.
COBIT 2019 – Design factors

8. Sourcing model for IT that the enterprise adopts:

Sourcing Model | Explanation
Outsourcing | The enterprise calls upon the services of a third party to provide IT services.
Cloud | The enterprise maximizes the use of the cloud for providing IT services to its users.
Insourced | The enterprise provides for its own IT staff and services.
Hybrid | A mixed model is applied, combining the other three models in varying degrees.
COBIT 2019 – Design factors

9. IT implementation methods that the enterprise adopts:

Implementation Method | Explanation
Agile | The enterprise uses Agile development working methods for its software development.
DevOps | The enterprise uses DevOps working methods for software building, deployment and operations.
Traditional | The enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
Hybrid | The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”
COBIT 2019 – Design factors

10. Technology adoption strategy:

Technology Adoption Strategy | Explanation
First mover | The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
Follower | The enterprise typically waits for new technologies to become mainstream and proven before adopting them.
Slow adopter | The enterprise is very late with adoption of new technologies.
COBIT 2019 – Design factors

11. Enterprise size:

Enterprise Size | Explanation
Large enterprise (Default) | Enterprise with more than 250 full-time employees (FTEs)
Small and medium enterprise | Enterprise with 50 to 250 FTEs
COBIT 2019 – Design factors

COBIT 2019 Governance System Design Workbook – Canvas (figure)
COBIT 2019 – Focus areas
COBIT Focus areas

 A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.

 Examples of focus areas include: small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy, and DevOps.

 Focus areas may contain a combination of generic governance components and variants.

 The number of focus areas is virtually unlimited. That is what makes COBIT open-ended.

78 © 2019
COBIT Performance management
COBIT 2019 – Performance management

The COBIT Performance Management (CPM) model largely aligns to the CMMI® Development concepts:

 Process activities are associated to capability levels included in the Governance and Management Objectives guide.

 Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance.

 Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved.

80 © 2019
COBIT Performance management
COBIT 2019 – Performance management

Capability and maturity levels (figure: maturity is assessed for a focus area and rests on the capability levels of its components):

Maturity (focus area)
  Capability: Processes
  Capability: Other types of governance and management components

81 © 2019
COBIT Performance management
COBIT 2019 – Performance management

Capability levels for processes:

5  The process achieves its purpose, is well defined, its performance is measured to improve performance and continuous improvement is pursued.

4  The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.

3  The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.

2  The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.

1  The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive—not very organized.

0  • Lack of any basic capability
   • Incomplete approach to address governance and management purpose
   • May or may not be meeting the intent of any process practices

82 © 2019
COBIT Performance management
COBIT 2019 – Performance management

The COBIT core model assigns capability levels to all process activities, enabling clear definition of the processes and required activities for achieving the different capability levels.

83 © 2019
COBIT Performance management
COBIT 2019 – Performance management

COBIT also provides guidance for how to assign capability levels for the other governance and management component types such as:

 Organizational structures,
 Information, and
 Culture and behavior

84 © 2019
COBIT Performance management
COBIT 2019 – Performance management

Maturity levels for focus areas:

5  Optimizing—The enterprise is focused on continuous improvement.

4  Quantitative—The enterprise is data driven, with quantitative performance improvement.

3  Defined—Enterprise wide standards provide guidance across the enterprise.

2  Managed—Planning and performance measurement take place, although not yet in a standardized way.

1  Initial—Work is completed, but the full goal and intent of the focus area are not yet achieved.

0  Incomplete—Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area.

85 © 2019
Design and implement governance
COBIT 2019 – Governance System Design Workflow

87 © 2019
Design and implement governance
COBIT 2019 – Implementation Road Map

There are seven phases that comprise the COBIT implementation approach:

1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?

88 © 2019
Design and implement governance
COBIT 2019 – Design vs. Implementation

Connection Points Between COBIT Design Guide and COBIT Implementation Guide:

COBIT Implementation Guide                          COBIT Design Guide

Phase 1—What are the drivers?                       Step 1—Understand the enterprise context and strategy.
(Continuous improvement [CI] tasks)

Phase 2—Where are we now? (CI tasks)                Step 2—Determine the initial scope of the governance system.
                                                    Step 3—Refine the scope of the governance system.
                                                    Step 4—Conclude the governance system design.

Phase 3—Where do we want to be? (CI tasks)          Step 4—Conclude the governance system design.

89 © 2019
COBIT 2019 – Overview
Conclusion

90 © 2019
Questions and comments
Conclusion

91 © 2019
Christian F. Nissen
Contact

cfn@cfnconsult.dk
+45 40 19 41 45

CFN Consult ApS


Nysoevang 15A
DK-2750 Ballerup
CVR: 39 36 47 86

92 © 2019