COBIT® 2019 Governance System Design Workbook-Instructions: Terms & Definitions
Relative importance: Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the baseline and the current situation, as determined by the values given to the design factor at hand.
Instructions

Sheet: Canvas
Description: In this sheet all results of the impact assessment of the design factors are summarized. This is done in line with the governance system design flow explained in the COBIT Design Guide. The user can provide input in columns R/S to adjust the results of the automated calculations, taking into account the enterprise's specific context. When making adjustments in column R, the spreadsheet expects an explanation in column S.

Sheet: DF1
Description: The chosen values are represented graphically in the two diagrams in the input section. The diagrams depict the same information, one in a bar chart, the other in a spider chart.
User Action Required: [Optional] Enter values between 1 and 5 expressing the importance or relevance of each of the given generic enterprise strategies for the user enterprise.
a) Observe the resulting importance scores for each of the 40 governance/management objectives.
b) [Optional] Use the graphic(s) for reporting the outcome of this step in the governance system design process. Both diagrams contain the same information but in a different representation. Use the one that suits you best.
DF2, DF3, DF4, DF5, DF6, DF7, DF8, DF9, DF10, Chart 1, Chart 2
Step 2: Determine the initial scope of the Governance System
Step 3: Refine the scope of the Governance System
Step 4: Conclude the Scope of the Governance System
APO06—Managed Budget & Costs -25 -5 -20 -10 ### -40 0 0 25 0 0 -20 -25 -25 1 1
Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy
Input Section—Importance of Each Enterprise Strategy Archetype
Average 2.75
Stdev of different strategies 1.48
Correction Factor 1.09
[Bar chart: Design Factor 1 Enterprise Strategy, Importance (Input), axis 0 to 5; bar values 4, 3, 3, 1]
Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy
Output Section—Resulting relative importance of each governance/management objective
[Bar chart and spider chart: Design Factor 1 Enterprise Strategy, Resulting Governance/Management Objectives Importance (Output); axis from -100 to 100]

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01   12.5   15     -10
EDM02   18.5   24     -15
EDM03   13     15     -5
EDM04   15.5   22.5   -25
EDM05   17     18     5
APO01   11     12     0
APO02   31.5   28.5   20
APO03   25     24     15
APO04   26     21     35
APO05   35     33     15
APO06   15.5   22.5   -25
APO07   14     15     0
APO08   18.5   21     -5
APO09   17.5   22.5   -15
APO10   14.5   21     -25
APO11   17     21     -10
APO12   16.5   18     0
APO13   14     16.5   -5
APO14   11     12     0
BAI01   26.5   27     5
BAI02   11.5   13.5   -5
BAI03   11.5   13.5   -5
BAI04   15     18     -10
BAI05   26     25.5   10
BAI06   20     19.5   10
BAI07   18.5   18     10
BAI08   23.5   19.5   30
BAI09   11     12     0
BAI10   11     12     0
BAI11   29     27     15
DSS01   12     13.5   -5
DSS02   17     21     -10
DSS03   15     18     -10
DSS04   17     21     -10
DSS05   14     16.5   -5
DSS06   12     13.5   -5
MEA01   11     12     0
MEA02   11     12     0
MEA03   11     12     0
MEA04   11     12     0

COBIT® 2019 Governance System Design Toolkit
06/30/2020
Copyright ISACA 2018, 482052441.xlsx
Information & Technology Governance System Design
Design Factor 2 Enterprise Goals
Input Section—Importance of Each Enterprise Goal
Average 2.77
Stdev 1.31
Correction Factor 1.08

Enterprise Goal   Importance (Input)
EG01—Agile portfolio of competitive products and services   4
EG02—Managed business risks   2
EG03—Compliance with external laws and regulations   2
EG04—Transparency and accuracy of financial information   1
EG05—Customer-oriented service culture   2
EG06—Business service continuity and availability   3
EG07—Quality of management information   2
EG08—Optimization of internal business process functionality   3
EG09—Optimization of business process costs   1
EG10—Staff skills, motivation and productivity   4
EG11—Compliance with internal policies   2
EG12—Managed business transformation programs   5
EG13—Product and business innovation   5

Output Section—Resulting relative importance of each governance/management objective

AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
8 7 20 8 21 23 8 34 29 7 10 10 23

Objective   Score   Baseline   Imp.
EDM01   99    99    0
EDM02   141   114   23
EDM03   48    63    -24
EDM04   156   129   20
EDM05   32    63    -50
APO01   174   180   -4
APO02   165   132   25
APO03   163   135   20
APO04   156   120   30
APO05   168   141   19
APO06   101   117   -14
APO07   136   108   25
APO08   237   189   25
APO09   76    63    20
APO10   94    78    20
APO11   121   132   -9
APO12   30    36    -17
APO13   31    39    -21
APO14   45    78    -43
BAI01   155   129   20
BAI02   210   174   20
BAI03   200   165   21
BAI04   79    69    14
BAI05   220   183   20
BAI06   108   90    20
BAI07   82    69    18
BAI08   172   135   27
BAI09   23    51    -55
BAI10   21    18    16
BAI11   165   138   19
DSS01   76    63    20
DSS02   57    54    5
DSS03   57    54    5
DSS04   57    54    5
DSS05   69    81    -15
DSS06   114   105   8
MEA01   123   135   -9
MEA02   108   135   -20
MEA03   26    39    -34
MEA04   79    111   -29
Information & Technology Governance System Design
Design Factor 3 Risk Profile
Input Section—Importance of Each Generic IT Risk Category
Average 8.89
Stdev 5.06
Correction Factor 1.01
[Input chart labels shown: Environmental; Data & information management]
Output Section—Resulting relative importance of each governance/management objective
[Output table columns: Governance/Management Objective, Score, Baseline Score, Relative Importance; charts: Design Factor 3 IT Risk Profile, Resulting Governance/Management Objectives Importance]
RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19
EDM01 3.0 2.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 2.0 2.0
EDM02 3.0 2.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 3.0 1.0 3.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 3.0 0.0 4.0 3.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 2.0 0.0 0.0 2.0 3.0
EDM05 3.0 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 1.0 0.0 1.0 3.0 3.0 0.0 0.0 0.0 2.0 2.0
APO01 2.0 3.0 2.0 0.0 2.0 2.0 4.0 2.0 0.0 2.0 3.0 3.0 3.0 0.0 0.0 0.0 3.0 2.0 3.0
APO02 2.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 1.0 0.0 1.0 2.0 0.0 0.0 0.0 0.0 2.0 2.0 1.0
APO03 2.0 0.0 0.0 0.0 4.0 0.0 0.0 2.0 0.0 2.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 0.0 3.0
APO04 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0
APO05 4.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 2.0 3.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 4.0 0.0 2.0 2.0 0.0
APO08 0.0 0.0 0.0 2.0 2.0 0.0 0.0 4.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 2.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 0.0 2.0 3.0 0.0 0.0 0.0 2.0 2.0 3.0 2.0 2.0 4.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0
APO11 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0
APO12 0.0 0.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0
APO13 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 4.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0
APO14 0.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 0.0 3.0 0.0 2.0 4.0 2.0 0.0 4.0
BAI01 0.0 4.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI02 2.0 2.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI03 0.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI04 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0
BAI07 0.0 0.0 0.0 0.0 0.0 2.0 3.0 2.0 0.0 4.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI08 0.0 0.0 0.0 2.0 0.0 3.0 0.0 3.0 0.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 2.0
BAI09 0.0 0.0 0.0 0.0 0.0 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI10 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS01 0.0 0.0 0.0 0.0 0.0 4.0 3.0 0.0 4.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 3.0 2.0 3.0 2.0 2.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 3.0 1.0 4.0 0.0 3.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 3.0 3.0 0.0 3.0 0.0 4.0 0.0 2.0 0.0 3.0 4.0 0.0 0.0 2.0
DSS05 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 2.0 0.0 4.0 0.0 3.0 0.0 3.0 2.0 0.0 0.0 3.0
DSS06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 2.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0
MEA01 1.0 2.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 2.0 3.0 2.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0
MEA02 1.0 2.0 2.0 0.0 0.0 3.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0
MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0
Information & Technology Governance System Design
Design Factor 4 IT-Related Issues
Input Section—Importance of Each Generic IT-Related Issue
Average 1.85
Stdev 0.79
Correction Factor 1.08

Importance   Issue
2   Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
2   Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
2   Service delivery problems by the IT outsourcer(s)
2   Failures to meet IT-related regulatory or contractual requirements
2   Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
2   Regular issues with data quality and integration of data across various sources
2   Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services)
2   Ignorance of and/or noncompliance with privacy regulations
2   Inability to exploit new technologies or innovate using I&T

Legend entries shown: Issue, Serious Issue

Issues shown as chart labels without a value:
Frustration between different IT entities across the organization because of a perception of low contribution to business value
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
Excessively high cost of IT
Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems

Output Section—Resulting relative importance of each governance/management objective
APO05 61 68 -5
APO06 52 62 -10
APO07 49 47 15
[Bar chart and spider chart of resulting objective importance; axis from -100 to 100]
DF4 table columns, in order (each row below gives the objective, one value per issue, then a final figure that has no column heading on the page):
1. Frustration between different IT entities across the organization because of a perception of low contribution to business value
2. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
3. Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
4. Service delivery problems by the IT outsourcer(s)
5. Failures to meet IT-related regulatory or contractual requirements
6. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
7. Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets
8. Duplications or overlaps between various initiatives or other forms of wasted resources
9. Insufficient IT resources, staff with inadequate skills or staff burnout / dissatisfaction
10. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
11. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
12. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
13. Excessively high cost of IT
14. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
15. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
16. Regular issues with data quality and integration of data across various sources
17. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
18. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department
19. Ignorance of and/or noncompliance with privacy regulations
20. Inability to exploit new technologies or innovate using I&T
EDM01 3.0 3.0 1.0 1.0 2.0 2.0 2.0 1.0 1.0 1.0 3.0 3.5 1.0 1.0 1.0 1.0 2.0 3.0 1.5 1.0 35
EDM02 2.5 3.0 1.0 1.0 1.5 2.5 2.0 1.5 0.5 2.5 1.5 1.0 3.0 2.0 1.0 1.0 2.0 2.0 1.0 2.5 35
EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24
EDM04 1.0 1.0 1.0 1.0 1.0 2.0 3.0 3.5 3.5 1.0 1.5 0.0 4.0 2.0 1.0 1.5 2.0 2.5 0.0 1.0 34
EDM05 1.0 1.0 1.0 1.0 1.5 2.0 1.0 1.0 0.0 1.0 3.0 1.5 1.5 0.5 0.0 0.5 1.0 1.0 1.0 0.0 21
APO01 2.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.5 4.0 1.0 2.0 1.0 1.0 1.5 2.0 0.5 1.0 28
APO02 1.5 1.5 1.5 1.5 1.0 1.5 1.0 1.0 0.0 1.0 2.5 0.5 0.5 1.5 1.5 0.5 2.0 2.0 0.0 2.5 25
APO03 1.0 1.5 1.0 2.0 0.5 1.5 2.0 1.5 1.0 3.5 0.5 0.5 1.0 4.0 1.0 3.5 2.0 3.0 0.0 2.0 33
APO04 1.0 1.0 1.0 1.0 0.5 0.5 0.5 0.5 0.0 0.0 0.5 1.0 0.5 2.0 1.0 0.0 0.5 0.5 0.0 4.0 16
APO05 3.0 3.0 1.0 1.5 2.0 2.0 1.5 3.5 0.5 2.0 2.0 1.5 2.0 1.0 0.5 0.0 2.5 2.5 0.0 2.0 34
APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31
APO07 1.5 1.0 1.0 1.0 1.0 1.5 2.0 2.0 4.0 1.0 0.0 0.0 1.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 24
APO08 2.5 2.0 1.0 2.5 1.5 1.0 2.5 2.0 1.5 1.0 3.0 1.0 0.5 1.0 4.0 1.0 3.0 3.5 0.0 0.5 35
APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22
APO10 1.0 1.0 2.0 4.0 1.5 1.5 1.5 0.0 1.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 0.5 2.0 1.0 0.0 20
APO11 1.0 1.0 3.0 1.5 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.5 0.5 3.0 2.0 2.0 0.0 1.0 22
APO12 1.0 0.5 2.5 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.0 1.0 1.0 1.0 2.0 1.0 1.5 2.5 1.0 26
APO13 0.0 0.0 3.5 1.0 2.0 1.0 0.0 1.0 0.0 0.5 0.0 0.0 0.0 0.0 0.0 1.5 2.0 1.0 2.0 1.0 17
APO14 1.0 1.5 3.0 1.0 2.5 1.5 1.0 1.5 0.0 1.5 0.0 0.0 0.5 2.5 0.5 4.0 2.5 2.0 3.0 0.5 30
BAI01 0.0 1.0 1.5 0.0 0.0 0.0 0.0 3.0 1.0 3.5 0.0 0.0 1.5 0.5 1.0 0.0 1.5 2.0 0.0 1.0 18
BAI02 0.0 3.0 0.0 0.0 0.5 2.0 0.0 2.0 0.0 3.5 0.0 1.0 1.0 2.0 2.0 1.5 2.5 3.0 0.5 1.0 26
BAI03 1.0 2.0 2.0 0.0 0.0 2.0 0.0 1.0 0.0 3.0 0.0 0.5 1.0 1.0 1.0 0.5 2.0 2.0 1.0 0.5 21
BAI04 0.5 0.0 2.0 3.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 0.0 1.0 1.0 1.0 0.0 0.5 12
BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14
BAI06 0.0 0.0 2.5 3.0 0.5 1.5 0.0 1.0 0.0 1.5 0.0 1.0 0.5 1.0 0.5 2.0 2.0 2.0 1.0 1.0 21
BAI07 0.0 1.0 2.0 2.0 0.5 1.5 0.0 0.5 0.0 2.0 0.0 1.0 0.0 1.0 0.5 2.0 2.0 2.0 0.0 1.0 19
BAI08 0.0 0.0 0.0 1.5 0.5 0.5 0.0 1.0 2.0 0.5 0.0 0.5 0.0 1.0 3.0 2.0 1.0 1.5 0.0 0.5 16
BAI09 0.5 0.5 1.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 0.0 1.0 1.5 0.0 0.0 12
BAI10 0.0 0.0 2.5 2.0 0.5 0.0 0.0 0.5 0.0 0.0 0.0 0.0 1.0 1.5 0.0 1.5 1.0 2.0 0.0 0.0 13
BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 0.0 1.5 2.0 0.5 0.0 1.0 1.5 0.0 0.5 23
[Bar chart data labels, objective and value:]
EDM04 -5
EDM05 -50
APO01 10
APO02 40
APO03 45
APO04 100
APO05 15
APO06 -40
APO07 45
APO08 55
APO09 10
APO10 -10
APO11 5
APO12 25
APO13 15
APO14 -10
BAI01 45
BAI02 30
BAI03 35
BAI04 25
BAI05 65
BAI06 60
BAI07 45
BAI08 75
BAI09 -15
BAI10 45
BAI11 65
DSS01 5
DSS02 10
DSS03 10
DSS04 5
DSS05 -5
DSS06 20
MEA01 5
MEA02 -15
MEA03 -25
MEA04 -10
Information & Technology Governance System Design
Design Factor 5 Threat Landscape
Average
Stdev
Correction Factor 1.00
[Pie chart: Design Factor 5 IT Threat Landscape; labels High, Normal; values 25%, 75%]
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 6 Compliance Requirements
Average
Stdev
[Pie chart: Design Factor 6 Compliance Requirements; labels High, Normal, Low; values 25%, 75%]
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 7 Role of IT
Average 2.25
Stdev 1.64
Correction Factor 1.33
Support 1
Factory 1
Turnaround 2
Strategic 5
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT
Input Section—Importance of Sourcing Model for IT
[Pie chart values: 20%, 30%, 50%]
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods
[Pie chart values: 40%, 50%, 10%]
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy
Input Section—Importance of Technology Adoption Strategy
[Pie chart values: 10%, 15%, 75%]
Output Section—Resulting relative importance of each governance/management objective
BAI04—Managed Availability & Capacity 25
BAI05—Managed Organizational Change 65
BAI06—Managed IT Changes 60
BAI07—Managed IT Change Acceptance and Transitioning 45
BAI08—Managed Knowledge 75
BAI09—Managed Assets -15
BAI10—Managed Configuration 45
BAI11—Managed Projects 65
DSS01—Managed Operations 5
DSS02—Managed Service Requests & Incidents 10
DSS03—Managed Problems 10
DSS04—Managed Continuity 5
DSS05—Managed Security Services -5
DSS06—Managed Business Process Controls 20
MEA01—Managed Performance and Conformance Monitoring 5
MEA02—Managed System of Internal Control -15
MEA03—Managed Compliance with External Requirements -25
MEA04—Managed Assurance -10

EDM05—Ensured Stakeholder Engagement 15
APO02—Managed Strategy 50
APO08—Managed Relationships 70
APO09—Managed Service Agreements 30
APO10—Managed Vendors 50
APO11—Managed Quality 20
APO12—Managed Risk 80
APO13—Managed Security 60
BAI08—Managed Knowledge 70
BAI09—Managed Assets 0
BAI10—Managed Configuration 80
BAI11—Managed Projects 85
DSS01—Managed Operations 5
DSS04—Managed Continuity 60
MEA04—Managed Assurance 35

[Spider charts, Resulting Governance/Management Objectives Importance, radial axis from -100 to 100, including: Design Factor 7 Role of IT; Design Factor 8 Sourcing Model for IT; Design Factor 9 IT Implementation Methods; Design Factor 10 Technology Adoption Strategy]