Readme With Copyright Disclaimer


IT Governance Implementation Guide—Supplemental Tools and Materials

IT Governance Institute
The IT Governance Institute (ITGI™) (www.itgi.org) was established in 1998 to advance international thinking and
standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure
that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and
opportunities. ITGI offers electronic resources, original research and case studies to assist enterprise leaders and
boards of directors in their IT governance responsibilities.

Disclaimer
ITGI (the “Owner”) and the author have designed and created this publication, titled IT Governance Implementation
Guide—Supplemental Tools and Materials (the “Work”), primarily as an educational resource for control
professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work
should not be considered inclusive of all proper information procedures and tests or exclusive of other information,
procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, controls professionals should apply their own professional judgement to the
specific control circumstances presented by the particular systems or information technology environment.

Disclosure
© 2007 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic,
mechanical, photocopying, recording or otherwise) without the prior written authorisation of ITGI. Reproduction of
selections of this publication for internal and non-commercial or academic use only is permitted and must include
full attribution of the material’s source. No other right or permission is granted with respect to this work.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@itgi.org
Web site: www.itgi.org

ISBN 1-933284-88-9
IT Governance Implementation Guide—Supplemental Tools and Materials
Published in the United States of America

Table of Contents
The IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition, is supported by this
implementation tool kit (CD-ROM), containing a variety of resources. The tools are in Microsoft Office, Word,
PowerPoint or Excel. A short description for each tool available on the CD-ROM follows:
• Self-assessment, measurement and diagnostic tools:
- Management Awareness Diagnostic 1—This tool is useful for getting management’s attention and raising
awareness, by analysing, understanding and communicating an organisation’s IT control environment for
each of the IT processes. This diagnostic ranks process importance and performance, and records whether
the process is audited, formalised and accountable as well as who performs it.
- Management Awareness Diagnostic 2—This diagnostic assesses process importance and checks some key
issues about the way the process is being managed.
- Maturity Measurement Tool—This pragmatic tool will help in setting up a maturity measurement for an IT
process. It provides a template to decompose the maturity descriptions into a number of
statements/attributes per maturity level. Additionally, a weight factor can be assigned to each maturity
attribute and maturity level (depending on the organisation). The maturity measurement article in related
articles and further explanations provides more context regarding this tool.
- MyCOBIT Control Objective Assessment Forms—This example illustrates how a filter has been applied in
COBIT Online® to DS8.
- Themes Mapped to Risk Factors Diagnostic—This tool maps a number of risk factors commonly found in
IT environments with two sets of themes. The first set is the facets of IT governance, and the second set is
examples of current management concerns. This tool helps in understanding how risks and themes
interrelate.
- Themes to Control Objectives Diagnostic—This tool maps the themes described previously to the COBIT
IT processes and detailed control objectives. It helps in selecting the processes and controls that are likely
to be relevant to a particular theme. Note that the selection is subjective and intended only to be a guide.
• PowerPoint presentations:
- Introductory COBIT Presentation—This presentation can be used selectively to support individual COBIT
presentations and should be tailored where necessary to reflect each organisation’s specific circumstances
and requirements.
- IT Balanced Scorecard Example—The IT balanced scorecard is a very important mechanism for managing
and aligning IT. Therefore, step 12 of the implementation road map refers to the establishment of an IT
balanced scorecard. In the tool kit, an example IT balanced scorecard is provided, along with a high-level
implementation process to create it.
- IT Governance Implementation Templates—These are examples of all the templates needed to support the
IT governance activities identified in the implementation road map. The templates are listed in this
document in the order in which they are referred to in the implementation action plan within the guide. They
are intended to be generic and simple to use and can be tailored to suit a particular organisation. Within
some of the templates are Excel objects; these can be modified by double-clicking on the object.
- Reporting Techniques—The communication of results from Control Objectives for Information and
related Technology (COBIT®) implementation projects can be greatly enhanced through the use of graphics
and colours. They help to convey key messages to management and other audiences, thus raising awareness
and enabling a focus on important topics that are otherwise often lost in lengthy written reports. These
slides provide some simple examples of how graphics can enhance COBIT reports and presentations.
- Risk Analysis Approach—A generally accepted approach toward risk analysis is described in this
document, which can be applied in step 3 of phase 1 of the implementation road map (Define Risks). It
starts with combining the probability of a threat, the degree of vulnerability and the severity of an impact,
to conclude on a risk assessment. This is followed by the selection of countermeasures (controls) and an
evaluation of their effectiveness, which also identifies residual risk.
• Related articles and further explanations:
- COBIT Frequently Asked Questions—This Word document contains a list of common questions and
corresponding answers regarding the use of COBIT, its goals, its structure, etc. These questions and answers
can help professionals better understand the framework and its objectives. A continuously updated list of
FAQs can be found in COBIT Online.

- “Maturity Measurement”—This Information Systems Control Journal® article briefly describes the purpose
of, ‘health warnings’ about, and some approaches to, maturity measurement.

Additional material available on the ISACA web site (www.isaca.org) includes:


• Board Briefing on IT Governance, 2nd Edition, www.isaca.org/boardbriefing
• COBIT mapping publications, www.isaca.org/cobitmapping
• COBIT case studies, www.isaca.org/cobitcasestudies
