
COBIT 5 for Information Security

COBIT 5 Product Family

COBIT® 5 (the core framework)

COBIT 5 Enabler Guides
• COBIT® 5: Enabling Processes
• COBIT® 5: Enabling Information
• Other Enabler Guides

COBIT 5 Professional Guides
• COBIT® 5 Implementation
• COBIT® 5 for Information Security
• COBIT® 5 for Assurance
• COBIT® 5 for Risk
• Other Professional Guides

COBIT 5 Online Collaborative Environment

Source: COBIT 5 for Information Security, figure 1

COBIT 5 Principles

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Source: COBIT 5, figure 2

3701 Algonquin Road, Suite 1010 • Rolling Meadows, IL 60008 USA


Phone: +1.847.253.1545 • Fax: +1.847.253.1443 • Email: info@isaca.org
Web site: www.isaca.org
©2013 ISACA. All rights reserved.

COBIT 5 Goals Cascade Overview

Stakeholder Drivers (Environment, Technology Evolution, …)
  influence
Stakeholder Needs: Benefits Realisation, Risk Optimisation, Resource Optimisation
  cascade to
Enterprise Goals
  cascade to
IT-related Goals
  cascade to
Enabler Goals

Source: COBIT 5, figure 4

Selected Guidance From the COBIT 5 Family


These charts and figures are elements of COBIT 5 and its supporting guides. This excerpt is available as a complimentary
PDF (www.isaca.org/cobit) and for purchase in hard copy (www.isaca.org/bookstore). It provides an overview of the
COBIT 5 guidance, its five principles and seven enablers. We encourage you to share this document with your enterprise
leaders, team members, clients and/or consultants.

COBIT enables enterprises to maximize the value and minimize the risk related to information, which has become the
currency of the 21st century. COBIT 5 is a comprehensive framework of globally accepted principles, practices, analytical
tools and models that can help any enterprise effectively address critical business issues related to the governance and
management of information and technology. Additional information is available at www.isaca.org/cobit.


Governance and Management in COBIT 5

Governance Objective: Value Creation
• Benefits Realisation
• Risk Optimisation
• Resource Optimisation

Governance Enablers | Governance Scope

Roles, Activities and Relationships

Source: COBIT 5, figure 8

Key Roles, Activities and Relationships

Roles, Activities and Relationships (left to right):
• Owners and Stakeholders delegate to the Governing Body; the Governing Body is accountable to them.
• The Governing Body sets direction for Management and monitors it.
• Management instructs and aligns Operations; Operations report on execution.

Source: COBIT 5, figure 9

COBIT 5 Governance and Management Key Areas

Business Needs
  feed into
Governance: Evaluate, Direct, Monitor
  (Management Feedback flows back to Governance)
Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)

Source: COBIT 5, figure 15


Information Security Skills/Competencies

Skills/Competencies:
• Information security governance
• Information security strategy formulation
• Information risk management
• Information security architecture development
• Information security operations
• Information assessment and testing and compliance

Source: COBIT 5 for Information Security, Figure 20

Example Stakeholders for Information Security-related Information (Small/Medium Enterprise)

[Matrix figure: each cell indicates the relationship of a stakeholder (row) to an information type (column). The cell values did not survive extraction; the row and column labels and the legend are reproduced here.]

Information Types (columns):
• Information Security Service Catalogue
• Information Security Review Reports
• Information Security Requirements
• Information Security Dashboard
• Information Security Strategy
• Information Security Budget
• Information Security Plan
• Information Risk Profile
• Awareness Material
• Policies

Stakeholders (rows):
Internal: Enterprise
• Board
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Chief information security officer (CISO)
• Information security steering committee (ISSC)
• Business process owner
• Head of human resources (HR)
Internal: IT
• Chief information officer (CIO)/IT manager
• Information security manager (ISM)
External
• Investors
• Insurers
• Regulators
• Business Partners
• Vendors/Suppliers
• External Auditors

An indication of the nature of the relationship of the stakeholder for each information type:
A—Approver
O—Originator
I—Informed of information type
U—User of information type

Source: COBIT 5 for Information Security, Figure 17


Advantages and Disadvantages of Potential Paths for Information Security Reporting

Role: Chief executive officer (CEO)
Advantages: Information risk is elevated to the highest level in the enterprise.
Disadvantages: Information risk needs to be presented in a format that is understandable to the CEO. Given the multitude of responsibilities of the CEO, information risk might be monitored and managed at too high a level of abstraction or might not be fully understood in its relevant details.

Role: Chief information officer (CIO)
Advantages: Information security issues and solutions can be aligned with all IT initiatives.
Disadvantages: Information risk may not be addressed due to other IT initiatives and deadlines taking precedence over information security. There is a potential conflict of interest. The work performed by information security professionals may be IT-focussed and not information security-focussed. In other words, there may be an insufficient business focus.

Role: Chief financial officer (CFO)
Advantages: Information security issues can be addressed from a financial business impact point of view.
Disadvantages: Information risk may not be addressed due to financial initiatives and deadlines taking precedence over information security. There is a potential conflict of interest.

Role: Chief risk officer (CRO)
Advantages: Information risk is elevated to a position that can also look at risk from strategic, financial, operational, reputational and compliance perspectives.
Disadvantages: This role does not exist in most enterprises. It is most often found in financial service organisations. In enterprises in which a CRO is not present, organisational risk decisions may be decided by the CEO or board of directors.

Role: Chief technology officer (CTO)
Advantages: Information security can be partnered and included in future technology road maps.
Disadvantages: Information risk may not be addressed due to technology directions taking precedence over information security.

Role: Chief operating officer (COO)
Advantages: Information security issues and solutions can be addressed from the standpoint of impact to the business’ operations.
Disadvantages: Information risk may not be addressed due to operational initiatives and deadlines taking precedence over information security.

Role: Board of directors (indirect report)
Advantages: Information risk is elevated to the highest level in the enterprise.
Disadvantages: Information risk needs to be presented in a format that is understandable to board members, and hence may become too high-level to be relevant.

Source: COBIT 5 for Information Security, Figure 14

Policy Framework

Policy Framework (top to bottom):
• Information Security Principles
• Information Security Policy
• Specific Information Security Policies
• Information Security Procedures
• Information Security Requirements and Documentation

Input to the Policy Framework:
• Mandatory Information Security Standards, Frameworks and Models
• Generic Information Security Standards, Frameworks and Models

Source: COBIT 5 for Information Security, Figure 10

COBIT 5 Process Reference Model

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organise
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire and Implement
• BAI01 Manage Programmes and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organisational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Deliver, Service and Support
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Source: COBIT 5, figure 16



COBIT 5 Enterprise Enablers

1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies

(Enablers 5, 6 and 7 are also Resources.)

Source: COBIT 5, figure 12

COBIT 5 Enablers: Generic

Enabler Dimension
• Stakeholders: Internal Stakeholders; External Stakeholders
• Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
• Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
• Good Practices: Practices; Work Products (Inputs/Outputs)

Enabler Performance Management
• Are Stakeholder Needs Addressed?
• Are Enabler Goals Achieved?
• Is Life Cycle Managed?
• Are Good Practices Applied?

Metrics for Achievement of Goals (Lag Indicators) cover the first two questions; Metrics for Application of Practice (Lead Indicators) cover the last two.

Source: COBIT 5, figure 13


The Seven Phases of the Implementation Life Cycle

[Wheel figure: seven phases, each phrased as a question, with three concentric rings of activities.]

Phases:
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?

Rings (one activity per phase, in order):
• Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness
• Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain
• Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate

Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6

Summary of the COBIT 5 Process Capability Model

Capability levels and their Generic Process Capability Attributes (PA):
• Level 0 Incomplete Process
• Level 1 Performed Process: PA 1.1 Process Performance
• Level 2 Managed Process: PA 2.1 Performance Management; PA 2.2 Work Product Management
• Level 3 Established Process: PA 3.1 Process Definition; PA 3.2 Process Deployment
• Level 4 Predictable Process: PA 4.1 Process Management; PA 4.2 Process Control
• Level 5 Optimising Process: PA 5.1 Process Innovation; PA 5.2 Process Optimisation

COBIT 5 Process Assessment Model—Performance Indicators (used at Level 1):
• Process Outcomes
• Base Practices (Management/Governance Practices)
• Work Products (Inputs/Outputs)

COBIT 5 Process Assessment Model—Capability Indicators (used at Levels 2 to 5):
• Generic Practices
• Generic Resources
• Generic Work Products

Source: COBIT 5, figure 19
