
Effective Capability and Maturity Assessment Using COBIT 2019 https://www.isaca.org/resources/news-and-trends/industry-news/...

INDUSTRY NEWS

Effective Capability and Maturity Assessment Using COBIT 2019

Author: Emeka Elue, CISA, CDPSE
Date Published: 27 July 2020

COBIT® provides guidance to assist enterprises in making key governance system design decisions to successfully achieve enterprise goals and objectives. This is accomplished by focusing on objectives specific to both the governance and management components of a governance system. Organizations vary in how they approach, design and define the parameters for how governance and management operate within an enterprise. COBIT® 2019 provides guidance on how governance and management should be defined within an enterprise.

Governance ensures that:1

Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.

Direction is set through prioritization and decision-making.

Performance and compliance are monitored against agreed-on direction and objectives.


Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve enterprise objectives.2

Each governance and management objective includes a process component, which encompasses several practices. Each of these practices has activities that help ensure the achievement of the associated process. To help measure the achievement of an enterprise program (e.g., privileged access management) and its contribution to the overall enterprise objective, a Capability Maturity Model Integration (CMMI)-based process capability scheme (ranging from 0 to 5) can be used. COBIT measures the same enterprise program achievements through a concept called "COBIT performance management" (CPM). Performance management expresses how well the governance and management system and all the components of an enterprise work, and how they can be improved to achieve the required capability and maturity levels. The CPM model largely aligns with and extends CMMI® Development V2.0 concepts.2

Capability and maturity levels are assigned to all process activities, enabling clear definition of processes at different levels. Assigning them reliably requires a thorough assessment of the enterprise program and its capabilities using performance management. Several techniques can support such an assessment. One notable technique, which has stood the test of time in the field of risk management, is the technology risk assessment (TRA). The definition of a TRA varies from organization to organization, but its function is the same: it examines the key areas of people, process and technology in relation to an enterprise program and measures their effectiveness. The TRA can therefore provide a risk score rating based on the gaps identified in its evaluation. Applying CPM to the assessments and techniques that risk practitioners already perform for their enterprise can seem daunting. However, breaking it down into actionable steps makes the endeavor more achievable and manageable. Those steps are outlined here.

Step 1: Introduce COBIT 2019 to Stakeholders and Establish Assessment Awareness
During the execution of an assessment, it is important to ensure that the stakeholders whose processes and technology are being reviewed and measured fully understand what metrics are being evaluated. For example, a possible metric could be how many privileged accounts are not managed by a privileged access management tool. Explaining the metrics up front also elicits full participation during the assessment process and helps ensure successful completion of the exercise. This is also the time to introduce the COBIT 2019 framework, which will be used to measure the capability and maturity levels of the enterprise program.

Understanding the various processes and technologies managed by these stakeholders helps determine the scope of the assessment and guides the exercise more effectively. This, in turn, helps prioritize key areas relevant to the stakeholders and the enterprise to be assessed.

Step 2: Tailor the Enterprise Program and Process to the Applicable COBIT 2019 Framework
Tailoring the process activities to the appropriate capability and maturity levels is critical to the success of the assessment. The level assigned to each activity is given in COBIT® 2019 Framework: Governance and Management Objectives.

Process activities can operate at capability and maturity levels ranging from 0 to 5. The capability level is a measure of how well a process is implemented and performing (figure 1). The maturity level, which is associated with focus areas, measures how the processes contained in a focus area collectively reach a given capability level, supported by substantial underlying evidence that they contribute to enterprise goals (figure 2).3

Figure 1—Capability Level for Processes


Figure 2—Maturity Level for Focus Area

Step 3: Rate Process Activities


A score rating for capability and maturity levels can be produced using various methods. One method uses the ratings defined in the COBIT 2019 framework, which use the descriptors fully, largely, partially and not, each tied to its own percentage range of achievement.

Another approach is a formal method leading to a binary pass/fail rating. However, a less formal method (often used in performance improvement contexts) works better with a value range from 1 to 5.

For the assessment, based on the maturity of the process, a value of 1 to 5 is assigned to the capability and maturity levels. Those values are:4

1. Initial—Unpredictable process that is poorly controlled and reactive

2. Managed—Process is planned, documented and monitored at the project level, but is often still reactive

3. Defined—Proactive process, standardized across the organization

4. Quantitatively Managed—Measured and controlled process

5. Optimizing—Focus is on continuous process improvement


These values are rated subjectively, based on interviews with stakeholders, reviews of
executed procedure documents, oversight programs and execution of an enterprise’s
goals and objectives.

Step 4: Obtain Assessment Results


Obtaining the results from the assessment is a crucial step in helping the enterprise improve in areas with low score ratings. The areas with low score ratings are documented with recommendations, highlighting the enterprise's strengths and weaknesses. The results are provided to the enterprise's leadership and stakeholders for review and prioritization.

The areas with low score ratings also eventually make their way into a repository as a managed self-identified (MSI) issue or finding. This ensures that the issues or findings are tracked to resolution and helps achieve an improved future-state process.
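The following is an added worked example, written by the editor and not taken from the article or from ISACA's materials, that ties Steps 1, 3 and 4 together for the privileged access management metric mentioned in Step 1. It computes the share of privileged accounts that are not managed by the PAM tool, rates the result with the COBIT 2019 descriptors fully / largely / partially / not, and produces the record a low rating would send to the issue repository. Everything beyond that is an assumption: the inventory and PAM export are plain lists of account names (sample data constructed here), names are compared after lower-casing and dropping a DOMAIN\ prefix, the percentage bands are the ones the COBIT 2019 Introduction and Methodology uses for those descriptors (more than 85% is fully, more than 50% up to 85% largely, more than 15% up to 50% partially, 0 to 15% not; confirm against your copy before relying on them), and the Finding layout is illustrative.

```python
"""Editor-added example: Step 1 metric -> Step 3 COBIT rating -> Step 4 finding.

Assumptions not taken from the article: plain-list inputs, the name
normalisation below, the N/P/L/F percentage bands (COBIT 2019 Introduction
and Methodology rating scale; verify against your edition), and the Finding
record layout.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data: what the directory / CMDB says is privileged ...
INVENTORY = [
    "CORP\\Administrator", "corp\\svc_backup", "CORP\\dba_prod",
    "root@db01", "root@db02", "CORP\\sec_admin", "CORP\\svc_ci",
    "corp\\administrator",          # duplicate that differs only by case
]
# ... and what the PAM tool actually vaults (exported with its own casing).
PAM_MANAGED = ["corp\\administrator", "CORP\\DBA_PROD", "root@db01"]

# (exclusive lower bound in percent, COBIT 2019 descriptor), highest first.
# Anything at or below 15% falls through to "Not".
RATING_BANDS = [(85.0, "Fully"), (50.0, "Largely"), (15.0, "Partially")]


def normalise(account: str) -> str:
    """Fold case and strip a DOMAIN\\ prefix so both exports compare cleanly."""
    acct = account.strip().lower()
    return acct.split("\\", 1)[1] if "\\" in acct else acct


def unmanaged_accounts(inventory, managed) -> list[str]:
    """Privileged accounts in the inventory that the PAM tool does not hold."""
    vaulted = {normalise(a) for a in managed}
    return sorted({normalise(a) for a in inventory} - vaulted)


def coverage_percent(inventory, managed) -> float:
    """Share of distinct privileged accounts under PAM control, 0-100."""
    total = {normalise(a) for a in inventory}
    if not total:
        # An empty inventory is an evidence gap, not 100% coverage; treat it
        # as the lowest achievement so it surfaces as a finding.
        return 0.0
    covered = len(total) - len(unmanaged_accounts(inventory, managed))
    return round(100.0 * covered / len(total), 1)


def cobit_rating(percent: float) -> str:
    """Map an achievement percentage onto the COBIT 2019 descriptor."""
    for lower, label in RATING_BANDS:
        if percent > lower:
            return label
    return "Not"


@dataclass
class Finding:
    """Illustrative record for the managed self-identified issue repository."""
    metric: str
    value: float
    rating: str
    evidence: list[str] = field(default_factory=list)
    status: str = "open"


def assess_pam_coverage(inventory, managed, minimum: str = "Largely"):
    """Rate the metric and return (rating, Finding or None).

    A Finding is raised only when the rating falls below `minimum`; the
    evidence list is the set of unmanaged accounts the stakeholders must
    onboard or justify.
    """
    order = ["Not", "Partially", "Largely", "Fully"]
    pct = coverage_percent(inventory, managed)
    rating = cobit_rating(pct)
    if order.index(rating) >= order.index(minimum):
        return rating, None
    return rating, Finding(
        metric="privileged accounts not managed by PAM tool",
        value=pct,
        rating=rating,
        evidence=unmanaged_accounts(inventory, managed),
    )


if __name__ == "__main__":
    # With the constructed data, 3 of 7 distinct accounts are vaulted (42.9%),
    # which rates "Partially" and therefore opens a finding.
    print(assess_pam_coverage(INVENTORY, PAM_MANAGED))
```

The normalisation step matters more than it looks: directory exports and PAM vault exports rarely agree on casing or on whether the domain prefix is present, and without it the metric overstates the number of unmanaged accounts. The empty-inventory branch is deliberate as well; a missing inventory should lower the rating rather than silently pass as full coverage.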

Conclusion
Following these steps in sequence helps the practitioner perform an effective capability and maturity assessment of an enterprise's governance and management processes and systems.

CPM denotes how well the governance and management processes and systems function and how they can be improved to meet the required level.

Whatever requirement the practitioner intends to achieve, it is imperative to keep in mind that COBIT is a reference model to be used as you see fit, based on your organization's goals and objectives. It is the user's choice to determine how it is utilized.

Emeka Elue, CISA, CDPSE

Is a cyber governance, risk and compliance integration professional in the financial services industry. His experience includes driving identity and access management risk and controls initiatives, cyberrisk management, regulatory compliance and cybersecurity assurance (US Sarbanes-Oxley Act [SOX], Service Organization Controls [SOC] and IT general controls [ITGC] assessment and audit). His expertise is in information security and technology, cloud security and enterprise program development, management and governance. He is attuned to emerging security trends, which enhances his ability to quickly assess challenges, capture the vision of the desired state, and build stakeholder relationships, both internal and external to an organization.

Endnotes
1 ISACA®, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018
2 Ibid.
3 ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018
4 CMMI® Institute, CMMI® V2.0, USA, 2020

