Cob It 5 in Nutshell

1
COBIT 5 Foundation Training

Vanilla Material – Learning Area Module
OV – Overview
Prof. Richardus Eko Indrajit

President of IASA Indonesia
indrajit@post.harvard.edu
Topics 2
 1 – The Reasons for the Development of COBIT 5

 2 – The History of COBIT
 3 – The Drivers for developing a Framework
 4 – The Benefits of using COBIT 5
 5 – The COBIT 5 Format & product Architecture
 6 – COBIT 5 and Other Frameworks
 Estimated Time – Approximately 45 minutes to 1 Hour,
 ***NOTE This area is no longer part of the
syllabus.
Learning Outcomes 3
Understand the concepts relating to the

structure and format of the framework, the
drivers and business benefits of using the
COBIT 5 framework, Specifically to identify:
o The drivers for the development of COBIT 5, specifically
the needs for the next generation of ISACA’s guidance on
the enterprise governance and management of IT.
o The benefits to the enterprise stakeholders by using the
COBIT 5 framework
Why Develop COBIT 5? 4
COBIT 5:
• ISACA Board of Directors directive: “Tie together and reinforce
all ISACA knowledge assets with COBIT.”
• Provide a renewed and authoritative governance and

management framework for enterprise information and related
technology
• Integrate all other major ISACA frameworks and guidance
• Align with other major frameworks and standards
© 2012 ISACA. All Rights Reserved.

The Evolution of COBIT 5 5
Governance of Enterprise IT
IT Governance
BMIS
(2010)
Evolution
Management
Val IT 2.0
(2008)
Control
Audit Risk IT
(2009)
COBIT1 COBIT2 COBIT3 COBIT4.0/4.1 COBIT 5
1996 1998 2000 2005/7 2012

Drivers for the development of a Framework….1 6
• Provide guidance in:

– Enterprise architecture
– Asset and service management
– Emerging sourcing and organization models
– Innovation and emerging technologies
• End to end business and IT responsibilities
• Controls for user-initiated and user-controlled
IT solutions

Drivers for the development of a Framework….2 7
• A need for the enterprise to:

– Achieve increased value creation
– Obtain business user satisfaction
– Achieve compliance with relevant laws, regulations
and policies
– Improve the relation between business and IT
– Increase the return of governance over enterprise IT
– Connect and align with other major frameworks and
standards

COBIT 5 Scope 8
• Not simply IT; not only for big business!

– COBIT 5 is about governing and managing
information
• Whatever medium is used
• End to end throughout the enterprise
– Information is equally important to:
• Global, multinational business
• National and local government
• Charities and not for profit enterprises
• Small to medium enterprises and
• Clubs and associations

Benefits 9
• Information is the business currency of the 21st

Century
– Information has a life cycle: it is created, used, retained,
disclosed and destroyed
– Technology plays a key role in these actions.
– Technology is becoming pervasive in all aspects of business
and personal life
– Every form of enterprise needs to be able to rely on quality
information to support quality executive decisions!

Enterprise Benefits 10
Enterprises and their executives strive to:

• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e.,
achieve strategic goals and realise business benefits through
effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient
application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology.
How can these benefits be realised to create

enterprise stakeholder value?
© 2012 ISACA. All rights reserved.

11
Stakeholder Value
• Delivering enterprise stakeholder value requires good
governance and management of information and technology
(IT) assets.
• Enterprise boards, executives and management have to
embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance
requirements related to enterprise use of information and
technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists
enterprises to achieve their goals and deliver value through
effective governance and management of enterprise IT.

Benefits . . . 12
 COBIT 5 :
• Defines the starting point of governance and management
activities with the stakeholder needs related to enterprise IT
• Creates a more holistic, integrated and complete view of
enterprise governance and management of IT that is consistent,
provides an end-to-end view on all IT-related matters and
provides a holistic view
• Creates a common language between IT and business for the
enterprise governance and management of IT
• Is consistent with generally accepted corporate governance
standards, and thus helps to meet regulatory requirements

Business Needs 13
• Enterprises are under constant pressure to:

– Increase benefits realization through effective and innovative use of
enterprise IT
• Generate business value from new enterprise investments with a
supporting IT investment
• Achieve operational excellence through application of technology
– Maintain IT related risk at an acceptable level
– Contain cost of IT services and technology
– Ensure business and IT collaboration, leading to business user
satisfaction with IT engagement and services
– Comply with ever increasing relevant laws, regulations and policies

The COBIT 5 Format 14
• Simplified
– COBIT 5 directly addresses the needs of the viewer from different
perspectives
– Development continues with specific practitioner guides
• COBIT 5 is initially in 3 volumes:
1. The Framework
2. Process Reference Guide
3. Implementation Guide
• COBIT 5 is based on:

– 5 principles and
– 7 enablers

COBIT 5 Product Family 15

COBIT 5 Mapping Summary 16

COBIT and Other IT Governance Frameworks 17
COSO
COBIT
ISO 27002
ISO 9000
WHAT ITIL HOW
SCOPE OF COVERAGE

Source ISACA 2007
Where Does COBIT Fit?
18
CONFORMANCE
Drivers PERFORMANCE: Basel II, Sarbanes-
Business Goals Oxley Act, etc.
Balanced
Enterprise Governance COSO
Scorecard
IT Governance
COBIT
ISO ISO ISO

Best Practice Standards 9001:2000 27002 20000
Processes and Procedures QA Security ITIL

Procedures Principles

COBIT 5 Mapping Specifics ..1 19
 ISO/IEC 38500
o ISO’s 6 principles map to COBIT 5 (appendix E)
 ITIL v3The following 5 areas and domains are covered by ITIL
v3:
o A subset of process in the DSS domain
o A sunset of processes in the BAI domain
o Some process in the APO domain
 ISO/IEC 27000
o Security and IT-related processes in domains EDM, APO and DSS
o Some monitoring of security monitoring activities in MEA
 ISO/IEC 31000
o Risk management related activities in EDM and APO

COBIT 5 Mapping Specifics ..2 20
 TOGAF (The Open Group Architecture Framework)

o Resource-related processes in EDM
o TOGAF components of the architecture board and governance areas
o Enterprise architecture processes of APO
 PRINCE2
o Programme and project management processes in the BAI domain
o Portfolio related processes in the APO domain
 CMMI
o Some organisational and quality-related processes in the APO domain
o Application –building and acquisition related processes in BAI

21
22

PR – Principles
Trainer
APM Group Limited
Topics 23
Introducing the 5 Principles

Principle 1 Meeting Stakeholder Needs
Principle 2 Covering the Enterprise End-to-End
Principle 3 Applying a Single Integrated
Framework
Principle 4 Enabling a Holistic Approach
Principle 5 Separating Governance from
management
Appendix – Additional Tables B,C & D COBIT 5
Learning Outcomes…1 24
• Know facts and terms relating to the five Principles of COBIT 5;

Specifically to recall:
 The names and Key aspects of the five key Principles for governance and
management of IT
 The names and descriptions of the seven categories of Enablers that influence
how the governance and management of IT works.
 The Process Reference Model Governance Domain, specifically, the names of the
five process in the Governance Domain.
 The process Reference Model Management Domain, specifically:
 The four questions to ask when establishing how to manage the enabler
performance.
• Understand the concepts relating to the structure and format of the

framework, the drivers and business benefits of using the COBIT 5
framework. Specifically to identify:
 How the Governance Objective of Value Creation meets stakeholder needs
 The types of Stakeholder drivers and where they fit into the COBIT 5 goals
cascade mechanism.
 The importance of Stakeholder needs and where they fit in the COBIT 5 goals
cascade mechanism
 The relationships of the enterprise goals to the 3 main governance objectives
 How Enterprise Goals cascade to IT-related Goals within the COBIT 5 goals
cascade mechanism
 How IT-related Goals cascade to Enabler Goals within the COBIT 5 goals cascade
mechanism
 The purpose of the Goals Cascade mechanism
• Understand the concepts relating to the structure and format of the

framework, the drivers and business benefits of using the COBIT 5
framework. Specifically to identify:
 The key components of a Governance System
 How Key roles and activities interrelate
 The purpose of the COBIT 5 Integrator model and how it integrates and aligns
with existing ISACA guidance, new guidance and other standards and
frameworks.
 The reasons why COBIT 5 is an integrated Framework
 The importance of the key components of the enabler dimension
 The purpose of measurement indicators in the achievement of Goals
 The definition and responsibilities of Governance and Management
 The interactions between governance and management
COBIT 5 Principles 27
© 2012 ISACA All rights reserved.

Principle 1:
28
Meeting Stakeholder Needs
 Enterprises have many stakeholders

 Governance is about
 Negotiating
 Deciding amongst different stakeholders’ value interests
 Considering all stakeholders when making benefit, resource and risk
assessment decisions
 For each decision, ask:
 For whom are the benefits?
– Who bears the risk?
– What resources are required?

Principle 1:
29
• Enterprises exist to create value for their stakeholders
• Value creation: realizing benefits at an optimal resource cost

while optimizing risk.

Principle 1: Meeting Stakeholder Needs 30

Principle 1:
31
• The COBIT 5 goals cascade allows the definition of priorities for
– Implementation
– Improvement
– Assurance of enterprise governance of IT
• In practice, the goals cascade:

– Defines relevant and tangible goals and objectives at various levels of responsibility
– Filters the knowledge base of COBIT 5, based on enterprise goals to extract relevant
guidance for inclusion in specific implementation, improvement or assurance projects
– Clearly identifies and communicates how enablers are used to achieve enterprise goals

Principle 1: 32
EXTERNAL STAKEHOLDERS EXTERNAL STAKEHOLDER NEEDS

Business partners, suppliers,  How do I know my business partner’s operations are secure and
shareholders, regulators/ reliable?
government, external users,  How do I know the organisation is compliant with applicable rules
customers, standardisation and regulations?
organisations, external auditors,
consultants, etc.  How do I know the enterprise is maintaining an effective system of
internal control?

Principle 1:
33
• Internal stakeholder concerns include:
– How do I get value from the use of IT?
– How do I manage performance of IT?
– How can I best exploit new technology for new strategic opportunities?
– How do I know whether I’m compliant with all applicable laws and regulations?
– Am I running an efficient and resilient IT operation?
– How do I control cost of IT?
– Is the information I am processing adequately and appropriately secured?
– How critical is IT to sustaining the enterprise?
– What do I do if IT is not available?

Principle 1:
34
• COBIT 5 addresses the governance and management of
information and related technology from an enterprise-wide,
end-to-end perspective
• COBIT 5:
– Integrates governance of enterprise IT into enterprise governance
– Covers all functions and processes within the enterprise
– Does not focus only on the ‘IT function’

Principle 1 – Cascade Steps 35
Step 1 Identify the influence of Key stakeholder drivers on stakeholder needs; examples
 Strategy changes
 Changing business environment
 Changing regulatory environment
 New technologies
Step 2 Stakeholders needs cascade to Enterprise Goals. See appendix D Stakeholder needs
mapped to Enterprise Goals.
There are 17 generic enterprise goals as shown in figure 5 (shown below) of the Framework guide,
which have been translated into Balance Score Card dimensions (BSC) and the relationship to the 3
main governance objectives of benefits realisation, risk and resource optimisation.
Also included is an important categorisation based on:
P – Primary business relationship
S- Secondary business relationship
This means that the enterprise goal being considered have a stronger relationship to one of the 3
governance objectives if primary or a less of an impact so secondary. A blank does not mean there is
no relationship between a particular enterprise goal and the 3 objectives. It means that if there is one,
it is very small or insignificant.
Principle 1 – Cascade steps Figure 5 36
Step 3 - Enterprise Goals cascade to IT related Goals
There are also 17 generic IT related goals as shown in Figure 6 (shown below) that are also categorised into
the Balanced Score Card (BSC) categories. The relationship of enterprise goals to IT related Goals are shown
in Appendix B Figure 22 page 50
Step 4 IT related Goals Cascade to Enabler Goals
Processes are one of the key enablers which is expanded on in the Enabler Learning Area
module, but it is important to know that Enabler Goals are represented in the Process
Reference module in all 37 processes. A mapping is shown in Appendix C Figure 23
Principle 2: 39
Covering the Enterprise End–to–End
This means that COBIT 5:

o integrates the governance of enterprise IT into enterprise governance and
o covers all functions and processes required to govern and manage
enterprise information and related technologies wherever that
information is processed.
o COBIT 5 addresses all relevant internal and external IT services as well as
external and internal business processes.

Principle 2: 40

Principle 2: 41
Main elements of the governance approach:
• Governance Enablers comprising
– The organizational resources for governance
– The enterprise’s resources
– A lack of resources or enablers may affect the ability of the
enterprise to create value
• Governance Scope comprising
– The whole enterprise
– An entity, a tangible or intangible asset, etc.

Principle 2:
42
• Governance roles, activities and relationships
– Define Who is involved in governance
– How they are involved
– What they do and
– How they interact
• COBIT 5 defines the difference between governance and
management activities in principle 5

Principle 3: 43
Applying a Single Integrated Framework
• COBIT 5:
– Aligns with the latest relevant standards and frameworks
– Is complete in enterprise coverage
– Provides a basis to integrate effectively other frameworks,
standards and practices used
– Integrates all knowledge previously dispersed over different
ISACA frameworks
– Provides a simple architecture for structuring guidance
materials and producing a consistent product set

Principle 3:
44

COBIT 5 and Legacy ISACA Frameworks 45

Principle 3:
46
• The COBIT 5 product family is the connection:
– COBIT 5: A Business Framework for the Governance and Management of
Enterprise IT
– COBIT 5: Enabling Processes
– COBIT 5 Implementation Guide
– COBIT 5 for Information Security
– COBIT 5 for Assurance
– COBIT 5 for Risk
– A series of other products is planned; they will be tailored for specific
audiences or topics
– COBIT 5 Online
• The perspective concept links the above to external sources for
standards

COBIT 5 Product Family 47

Principle 4:
48
Enabling a Holistic Approach
COBIT 5 defines a set of enablers to support the implementation
of a comprehensive governance and management system for
enterprise IT.
COBIT 5 enablers are:

• Factors that, individually and collectively, influence whether
something will work
• Driven by the goals cascade
• Described by the COBIT 5 framework in seven categories

Principle 4:
49

Principle 4:
50
Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Principle 4: 51
COBIT 5 enabler dimensions:
• All enablers have a set of common dimensions that:
– Provide a common, simple and structured way to deal with enablers
– Allow an entity to manage its complex interactions
– Facilitate successful outcomes of the enablers

Principle 5 - Governance and Management Defined 52
© 2012 ISACA® All rights reserved.

Principle 5:
53
Separating Governance from Management
• The COBIT 5 framework makes a clear distinction between
governance and management
• Governance and management

– Encompass different types of activities
– Require different organizational structures
– Serve different purposes
• COBIT 5: Enabling Processes differentiates the activities

associated with each

Principle 5: 54
Separating Governance from Management
• Governance ensures that stakeholder needs, conditions and options
are:
– Evaluated to determine balanced, agreed-on enterprise objectives to be
achieved
– Setting direction through prioritization and decision making
– Monitoring performance, compliance and progress against agreed
direction and objectives (EDM)
• Management plans, builds, runs and monitors activities in

alignment with the direction set by the governance body to achieve
the enterprise objectives (PBRM)

COBIT 5 Process Reference Model
55
55

Governance Management Interaction – Figure 14 56
57
APPENDIX –
Additional tables from Appendix B, C, D
Figure 22—Mapping COBIT 5 Enterprise Goals to IT-related Goals
58
Figure 23—Mapping COBIT 5 IT-related Goals to Processes
59
Figure 23—Mapping COBIT 5 IT-related Goals to Processes (cont.)
60
Figure 24—Mapping COBIT 5 Enterprise Goals to Governance and Management Questions
61
Figure 24—Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (cont.)
62
63
64

Vanilla Material – Area EN – Enablers
Trainer
APM Group Limited
Topics – Contents of Section 3 65
 3.0 Recap and Overview of Principle 4 – Enabling holistic View

 3.1 Enabler 1 – Principles, Policies and frameworks
 3.2 Enabler 2 – Processes
 3.3 Enabler 3 – Organisational Structures
 3.4 Enabler 4 Culture, Ethics, and Behaviour
 3.5 Information
 3.6 Services, Infrastructure and Applications
 3.7 People, Skills and Competencies
 Appendix – Walk Through on using Goals cascade to scope Processes
Learning Outcomes …1 66
 Know facts and terms relating to the COBIT 5 Enablers.

Specifically to recall:
o The definition of a Process.
 Understand that COBIT enables IT to be governed and
managed in a holistic manner for the entire enterprise.
Specifically to identify:
o Enabler 1
o The purpose of principles, policies and frameworks in the enabling
model.
o The differences between Policies and Principles
o The characteristics of good policies.
o The purpose of the Policy life cycle.
o The good practice requirements for policies, principles and frameworks.

o The links and relationships between the Principles, policies and
frameworks Enabler and other enablers
o Enabler 2 Processes - Examples of Internal and External stakeholders
o The key characteristics of the process goal categories
o The activities in the process life cycle.
o The differences in the Process Reference Model between Process
Practices, Process Activities, Inputs and Outputs (Work products).
o The Relationships between the Processes enabler and other enablers

o Enabler 3 Organizational Structures - The Good Practices of an
organizational structure
o The responsibilities and characteristics of the roles in an organization
specified at appendix G figure 33
o Enabler 4 Culture, Ethics Behaviour -The good practices for creating,
encouraging and maintaining desired behaviour throughout the
enterprise.
o The relationship of Goals for culture, ethics and behaviour
o The links and relationships of the Culture, ethics and behaviour enabler
and to the other enablers
o Enabler 5 Information - The importance of the information quality
categories and dimensions of the COBIT 5 Information enablers.

o Enabler 5 Information - The five steps of the Information Cycle, and how
they interrelate and apply to the Information enablers
o The information attributes that are applied to the information layers
o The possible uses of the Information Model.
o The attributes that are required to assess context and quality of
information to the user

o Enabler 6 Services, Infrastructure and Applications - The five
architecture principles that govern the implementation and use of IT-
related resources
o The relationship of the Services, Infrastructure and Applications Enabler
to the other enablers
o Enabler 7 People, Skills and Competencies - The good practices of skills
and competencies
o The skill categories, related to the COBIT Process Domains
The COBIT 5 Enterprise Enablers 71

Recap Principle 4 :
72
Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Recap Principle 4:
73
COBIT 5 enabler dimensions:
• All enablers have a set of common dimensions that:
– Provide a common, simple and structured way to deal with enablers
– Allow an entity to manage its complex interactions
– Facilitate successful outcomes of the enablers

Enabler 1 Principles, Policies & Frameworks…1 74
 The purpose of this enabler is to convey the governing body’s and

management’s direction and instructions. They are instruments to
communicate the rules of the enterprise, in support of the governance
objectives and enterprise values as defined by the board and executive
management.
o Differences between principles and policies –
o Principles need to be limited in number
o Put in simple language, expressing as clearly as possible the core values of the
enterprise
o Policies are more detailed guidance on how to put principles into practice

 The characteristics of good policies; they should

o Be effective – achieve their purpose
o Be efficient – especially when implementing them
o Non-intrusive – Should make sense and be logical to those who have to comply with them.
 Policies should have a mechanism (framework) in place where they can be
effectively managed and users know where to go. Specifically they should be:
o Comprehensive, covering all required areas
o Open and flexible allowing for easy adaptation and change.
o Current and up to date
 The purpose of a policy life cycle is that it must support a policy framework in
order to achieve defined goals.

 The Good Practice Requirements for policies and frameworks, are

important, specifically:
o Their Scope
o Consequences of failing to comply with the policy
o The means of handling exceptions
o How they will be monitored.
 The links and relationships between principles, policies and frameworks and
other enablers:
o Principles, policies and frameworks reflect the cultures, ethics and values of the enterprise
o Processes are the most important vehicle for executing policies
o Organisational structures can define and implement policies
o Policies are part of information.

Enabler 2: Processes 77
• COBIT 5 Enablers: Processes complements COBIT 5 and contains

a detailed reference guide to the processes that are defined in
the COBIT 5 process reference model:
– The COBIT 5 goals cascade is recapitulated and complemented with a set
of example metrics for the enterprise goals and the IT-related goals. An
example is given in the appendix
– The COBIT 5 process model is explained and its components defined.
– The Enabler process guide which is referenced in this module contains
the detailed process information for all 37 COBIT 5 processes shown in
the process reference model.

Enabler 2: Processes (Cont.) 78

78
Enabler 2: Processes 79
COBIT 5: Enabling Processes

• The COBIT 5 process reference model subdivides the IT-
related practices and activities of the enterprise into two main
areas—governance and management— with management
further divided into domains of processes:
• The GOVERNANCE domain contains five governance processes;
within each process, evaluate, direct and monitor (EDM) practices are
defined.
• The four MANAGEMENT domains are in line with the responsibility
areas of plan, build, run and monitor (PBRM)

79
80
80

80
Enabler 2 – Process continued – PRM Structure 81
 Structure of the PRM Template (based on the ISO 15504 process

definitions and structure)
o The PRM is divided into a Governance Domain with 5 Processes titled
EDM (Evaluate, Direct, and Monitor)
o Four management domains titled APO (Align, Plan and Organise; BAI
(Build, Acquire and Implement) DSS (deliver, service and Support) and
MEA (Monitor, Evaluate and Assess)
o APO contains 13 processes, BAI 10 processes, DSS 6 processes and MEA 3
processes
o This makes a total of 37 processes, 32 for management and 5 for
Governance

81
Enabler 2 – Process continued – PRM Structure…2 82
 Each process is divided into :

o Process Description
o Process Purpose statement
o IT-related Goals (from the Goals cascade see example in the Appendix)
o Each IT-related goal is associated with a set of generic related metrics
o Process Goals (Also from the Goals cascade mechanism and is referred to as
Enabler Goals.
o Each Process Goal is associated or related with a set of generic metrics.
o Each Process contains a set of Management Practices
o These are associated with a generic RACI chart (Responsible, Accountable,
Consulted, Informed)
o Each management practices contains a set of inputs and outputs (called work
products in module PC)
o Each management Practice is associated with a set of activities

82
Enabler 2 Process - Definitions 83
 A process is defined as ‘a collection of practices influenced by the enterprises

policies, and procedures that takes inputs from a number of sources
(including other processes) manipulates the inputs and produces outputs
(e.g. products and services)
 Process Practices are defined as the ‘guidance’ necessary to achieve process
goals.
 Process Activities are defined as the ‘guidance’ to achieve management
practices for successful governance and management of enterprise IT.
 Inputs and Outputs are the process work products/artefacts considered
necessary to support operation of the process.

83
84
Process Example Walk Through

EDM01 – Ensure Governance Framework Setting and Maintenance
85

EDM01 – Ensure Governance Framework Setting and Maintenance
86

BAI04 RACI Example Manage Availability & Capacity
87

Enabler 2 Process cont. 88
Figure 6- EDM01.01 Management Practice, inputs/outputs and activities
EDM01 Process Practices , inputs/outputs and activities Inputs Outputs

MEA03.02. Communications changed compliance Enterprise governance guiding principles - To all
requirements EDM, APO01.01, APO01.03
From outside of COBIT . Decision-making model - To all EDM, APO01.01

Business environment trends
EDM01.01 EVALUATE The Governance System. Continually identify Regulations
and engage with the enterprise's stakeholders, document an Governance/decisionmaking model
understanding of the requireme Constitution/bylaws/
statutes of organisation
Authority Levels - To all EDM , APO01.02

EDM01.01 Activities 89

Enabler 2 process cont. 90
 Examples of Internal & external Stakeholders

o External Stakeholders would be customers, business partners, shareholders,
regulators
o Internal stakeholders would include the board, management, staff, volunteers
• TIP: Use the RACI chart for the different management practices to
identify more examples of stakeholders.

Enabler 2 Process continued 91
 Key Characteristics of Process Goals:

o Process Goals are defined as a statement describing the desired outcome of a process. An
outcome can be an artefact , a significant change of state or a significant capability
improvement of other processes. (SEE learning area PC) They are part of the goals cascade
in which process goals link to IT-related goals which link to Enterprise goals. (See PR) There
are also 3 categories:
a) Intrinsic Goals
b) Contextual Goals
c) Accessibility and Security goals
 Relationship between Process and other enablers:
o Processes need information as one form of input
o Processes need Organizational structure
o Processes produce and require services, infrastructure and applications
o Processes are dependent on other processes
o Processes need policies and procedures to ensure consistent implementation.

Enabler 3 Organisational Structures 92
 A number of Good Practices of organisational structure can be

distinguished such as:
o Operating principles – The practical arrangements regarding how the
structure will operate, such as meeting frequency documentation and
other rules
o Span of control – The boundaries of the organisation structure’s decision
rights.
o Level of authority – The decisions that the structure is authorised to take.
o Delegation of responsibility – The structure can delegate a subset of its
decision rights to other structures reporting to it.
o Escalation procedures – The escalation path for a structure describes the
required actions in case of problems in making decisions.

Figure 33 - COBIT 5 Roles and Organisational Structures

Role /Structure Defeinition/Description
Board The group of the most senior executives and/or non-executive directors of the enterprise
who are accountable for the governance of the enterprise and have overall control of its
resources
CEO The highest-ranking officer who is in charge of the total management of the enterprise
CFO The most senior official of the enterprise who is accountable for all aspects of financial
management, including financial risk and controls and reliable and accurate accounts
Chief Operating officer (COO) The most senior official of the enterprise who is accountable for the operation of the
enterprise
CRO The most senior official of the enterprise who is accountable for all aspects of risk
management across the enterprise. An IT risk officer function may be established to oversee
IT-related risk.
CIO The most senior official of the enterprise who is responsible for aligning IT and business
strategies and accountable for planning, resourcing and managing the delivery of IT services
and solutions to support enterprise objectives
Chief Information security Officer The most senior official of the enterprise who is accountable for the security of enterprise
(CISO) information in all its forms
Business executive A senior management individual accountable for the operation of a specific business unit or
subsidiary
Business Process Owner An individual accountable for the performance of a process in realising its objectives, driving
process improvement and approving process changes
Strategy Committee (IT Executive) A group of senior executives appointed by the board to ensure that the board is involved in,
and kept informed of, major IT-related matters and decisions. The committee is accountable
for managing the portfolios of IT-enabled investments, IT services and IT assets, ensuring
that value is delivered and risk is managed. The committee is normally chaired by a board
member, not by the CIO.

Project and Programme Steering A group of stakeholders and experts who are accountable for guidance of programmes and
Committees projects, including management and monitoring of plans, allocation of resources, delivery of
benefits and value, and management of programme and project risk
Architecture Board A group of stakeholders and experts who are accountable for guidance on enterprise
architecture-related matters and decisions, and for setting architectural policies and
standards
Enterprise Risk Committee The group of executives of the enterprise who are accountable for the enterprise-level
collaboration and consensus required to support enterprise risk management (ERM)
activities and decisions. An IT risk council may be established to consider IT risk in more
detail and advise the enterprise risk committee.
Head of HR The most senior official of an enterprise who is accountable for planning and policies with
respect to all human resources in that enterprise
Compliance The function in the enterprise responsible for guidance on legal, regulatory and contractual
compliance.
Audit The function in the enterprise responsible for provision of internal audits
Head of Architecture A senior individual accountable for the enterprise architecture process

Head of Development A senior individual accountable for IT-related solution development processes
Head of It Operations Operations A senior individual accountable for the IT operational environments and
infrastructure
Head of IT Administration Administration A senior individual accountable for IT-related records and responsible for
supporting IT-related administrative matters
Programme and Project The function responsible for supporting programme and project managers, and gathering,
Management Office (PMO) assessing and reporting information about the conduct of their programmes and constituent
projects
Value Management Office (VMO) The function that acts as the secretariat for managing investment and service portfolios,
including assessing and advising on investment opportunities and business cases,
recommending value governance/management methods and controls, and reporting on
progress on sustaining and creating value from investments and services
Service Manager An individual who manages the development, implementation, evaluation and ongoing
management of new and existing products and services for a specific customer (user) or
group of customers (users)
Enabler 4 Culture, Ethics and Behaviour 96
 Good practices for creating, encouraging and maintaining desired behaviour

throughout the enterprise include:
o Communication throughout the enterprise of desired behaviours and corporate
values. (This can be done via a code of ethics)
o Awareness of desired behaviour, strengthened by senior management example.
This is one of the keys to a good governance environment when senior
management and the executives ‘walk the talk’ so to speak. It is sometimes a
difficult area and one that causes many enterprises to fail because it leads to poor
governance. (Typically this will be part of a training and awareness sessions
based around a code of ethics)
o Incentives to encourage and deterrents to enforce desired behaviour. There is a
clear link to HR payment and reward schemes.
o Rules and norms which provide more guidance and will typically be found in a
Code of Ethics

96
 Relationship of Goals for culture, ethics and behaviour

o Organisational Ethics determine the values by which the enterprise want to live
(its code)
o Individual ethics determined by each person’s personal values and dependent to
some extent on external factors not always under the enterprise’s control.
o Individual behaviours which collectively determine the culture of the enterprise
and is dependent on both organisational and individual ethics. Some examples
are:
o Behaviour towards risk taking
o Behaviour towards the enterprise’s principles and policies
o Behaviour towards negative outcomes, e.g. loss events

The relationship of this enabler to other

enablers
o Links to processes for execution process activities
o Links to organisational structures for the
implementation of decisions and
o Links to principles and policies to be able to
communicate the corporate values. (many
organisations include their code of ethics with their
policies)

Enabler 5 Information 99
 Importance of the Information Quality categories and

dimensions;
o The concept of information criteria was introduced in COBIT 3rd edition in
2000 and played a key role in COBIT 4.1; these were very important to be
able show how to meet business requirements.
 Importance of Information Criteria
o COBIT 4.1 introduced us to the concept of 7 Key Information criteria to
meet Business requirements. This concept has been retained but
translated differently in Figure 9 below: Figure 26 Appendix F.

Enabler 5 - The COBIT 4.1 Information Criteria Cube: Business Requirements
100
► To satisfy business objectives, information needs to conform to certain control criteria, which
COBIT refers to as business requirements for information. Based on broader quality, fiduciary, and
security requirements, seven distinct information criteria are defined. These are:
 Effectiveness
 Efficiency
 Confidentiality Effectiveness
 Integrity
Efficiency
 Availability
Confidentiality
 Compliance
Integrity
 Reliability
Availability
Compliance
Business Requirements
Reliability
IT Resources
IT Processes

The Enabler 5 Information : Business Requirements)..
101
From COBIT 4.1.
Deals with information being relevant and pertinent to the business process as
Effectiveness well as being delivered in a timely, correct, consistent, and usable manner.
Concerns the provision of information through the optimal ─ most

Efficiency productive and economical ─ use of resources.
Information Criteria
Concerns the protection of sensitive information from

Confidentiality unauthorized disclosure. IT Resources
IT Processes
Relates to the accuracy and completeness of information as well as
Integrity to its validity in accordance with business values and expectations.
Relates to information being available ,when required by the business process, at present and in the
Availability future. It also concerns the safeguarding of necessary resources and associated capabilities.
Deals with complying with those laws, regulations, and contractual arrangements to which the business
Compliance process is subject, that is, externally imposed business criteria as well as internal policies.
Relates to the provision of appropriate information for the management to operate the entity and to exercise its
Reliability fiduciary and governance responsibilities.

Enabler 5 - Information 102
COBIT 4.1
INFORMATION CRITERIA COBIT 5 EQUIVALENT
Information is effective if it meets the needs of the information consumer who uses the
information for a specific task. If the information consumer can perform the task with the
Effectiveness information, then the information is effective. This corresponds to the following
information quality goals: appropriate amount, relevance, understandability,
interpretability, objectivity.
Whereas effectiveness considers the information as a product, efficiency relates more to
the process of obtaining and using information, so it aligns to the ‘information as a service’
view. If information that meets the needs of the information consumer is obtained and
Efficiency used in an easy way (i.e., it takes few resources—physical effort, cognitive effort, time,
money), then the use of information is efficient. This corresponds to the following
information quality goals: believability, accessibility, ease of operation, reputation.
Integrity If information has integrity, then it is free of error and complete. It corresponds to
Integrity the following information quality goals: completeness, accuracy.
Reliability is often seen as a synonym of accuracy; however, it can also be said that
information is reliable if it is regarded as true and credible. Compared to integrity,
Reliability reliability is more subjective, more related to perception, and not just factual. It
corresponds to the following information quality goals: believability, reputation,
objectivity.
Availability is one of the information quality goals under the accessibility and security
Availability heading.
Confidentiality corresponds to the restricted access information quality goal.

Confidentiality
Compliance in the sense that information must conform to specifications is covered by any
of the information quality goals, depending on the requirements. Compliance to
Compliance regulations is most often a goal or requirement of the use of the information, not so much
an inherent quality of information.

COBIT 5 Enabler 5 Information – Meta Data 103
Information Cycle
Generate and Process Business Process Drive
IT Processes
Data Value
Information Knowledge
Transform Transform Create

Enabler 5 – Information cont. 104
 Information Attributes Applied to the following layers:

o Physical World Layer – The world where all phenomena that can be empirically
observed takes place.
o Empirical layer – the empirical observation of the signs used to encode
information and their distinction from each other.
o Syntactical Layer – the rules and principles for constructing sentences in natural
or artificial languages. Syntax refers to the form of information

Enabler 5 Information cont. 105
 Semantic layer – The rules and principles for constructing meaning out of the
syntax structures.
 Pragmatic Layer – The rules and structures for constructing larger language
structures that fulfil specific purposes in human communication. Pragmatics
refers to the use of information.
 Social World Layer – The world that is socially constructed through the use of
language structures at the pragmatic level of semiotics, e.g. contracts, laws.
Culture.
 The Possible uses of the information Model
o Used for Information Specifications
o Used to determine required protection
o Used to determine Ease of data Use

Enabler 5 Information Example 13 106
EXAMPLE 13—INFORMATION MODEL USED FOR INFORMATION SPECIFICATIONS

When developing a new application, the IM can be used to assist with the specifications of
the application and the associated information or data models.
The information attributes of the IM can be used to define specifications for the application
and the business processes that will use the information.
For example, the design and specifications of the new system need to specify:
• Physical layer—Where will information be stored?
• Empirical layer—How can the information be accessed?
• Syntactical layer—How will the information be structured and coded?
• Semantic layer—What sort of information is it? What is the information level?
• Pragmatic layer—What are the retention requirements? What other information is required
for this information to be useful and usable?
Looking at the stakeholder dimension combined with the information life cycle, one can
define who will need what type of access to the data during
which phase of the information life cycle.
When the application is tested, testers can look at the information quality criteria to develop
a comprehensive set of test cases.

EXAMPLE 14—INFORMATION MODEL USED TO DETERMINE REQUIRED PROTECTION

Security groups within the enterprise can benefit from the attributes dimension of the IM.
Indeed, when charged with protection of information, they need to look at:
• Physical layer—How and where is information physically stored?
• Empirical layer—What are the access channels to the information?
• Semantic layer—What type of information is it? Is the information current or relating to the
past or to the future?
• Pragmatic layer—What are the retention requirements? Is information historic or
operational?
Using these attributes will allow the user to determine the level of protection and the
protection mechanisms required.
Looking at another dimension of the IM, security professionals can also consider the
information life cycle stages, because information needs to be
protected during all phases of the life cycle. Indeed, security starts at the information planning
phase, and implies different protection mechanisms for
storing, sharing and disposition of information. The IM ensures that information is protected
during the full life cycle of the information

EXAMPLE 15—INFORMATION MODEL USED TO DETERMINE EASE OF DATA USE
When performing a review of a business process (or an application), the IM can be used to
assist with a general review of the information processed
delivered by the process, and of the underlying information systems. The quality criteria can
be used to assess the extent to which information is
available—whether the information is complete, available on a timely basis, factually correct,
relevant, available in the appropriate amount. One can also
consider the accessibility criteria—whether the information is accessible when required and
adequately protected.
Review can be even further extended to include representation criteria, e.g., the ease with
which the information can be understood, interpreted,
used and manipulated.
Review that uses the information quality criteria of the IM provides an enterprise with a
comprehensive and complete view on the current information
quality within a business process.

Enabler 5 Information 109
 The contextual and representational quality of information

requirements to the user which includes:
o Relevancy – The extent to which information is applicable and helpful for the
task at hand
o Completeness – The extent to which information is not missing and is of
sufficient depth and breath for the task at hand
o Appropriateness – The extent to which the volume of information is appropriate
for the task at hand.
o Conciseness – The extent to which the information is compactly represented.
o Consistency – the extent to which the information is presented in the same
format.
o Understandability – The extent to which the information is easily understandable
o Ease of Manipulation – The extent to which information is easy to manipulate
and apply to different tasks.

Enabler 6 –Services, Infrastructure and Applications 110
 The five architecture principles that govern the implementation and use of
IT-Related resources
o This is part of the Good Practices of this enabler.
o Architecture Principles are overall guidelines that govern the implementation and use of
IT-related resources within the enterprise. Examples of such principles:
o Reuse – Common components of the architecture should be used when designing and
implementing solutions as part of the target or transition architectures.
o Buy vs. build – Solutions should be purchased unless there is an approved rationale for
developing them internally.
o Simplicity – The enterprise architecture should be designed and maintained to be simple as
possible while still meeting enterprise requirements.
o Agility – The enterprise architecture should incorporate agility to meet changing business
needs in an effective and efficient manner.
o Openness - The enterprise architecture should leverage open industry standards.

Enabler 6 –Services, Infrastructure and Applications
Cont. 111
 Relationship To other Enablers

o Information – is a service capability that is leveraged through processes to deliver internal
and external services.
o Cultural and behavioural aspects – relevant when a service-oriented culture needs to be built
o Process inputs and outputs – Most of the inputs and outputs (work products) of the process
management practices and activities in the PRM include service capabilities.
 Consider other frameworks such as:
o ITIL 3
o TOGAF (www.opengroup.org/togaf ) which provides an integrated information
infrastructure reference model.

Enabler 7 – People, Skills and Competencies 112
 Identify the good practices of people, Skills and Competencies, specifically:

o Described by different skill levels for different roles.
o Defining Skill requirements for each role
o Mapping skill categories to COBIT 5 process domains (APO; BAI etc.)
o These correspond to the IT-related activities undertaken, e.g. business analysis,
information management etc.
o Using external sources for good practices such as:
 The Skills Framework for the information age (SFIA)

Enabler 7 – People, Skills and Competencies 113
FIGURE 39 - COBIT 5 SKILL CATEGORIES EN 02 25

PROCESS DOMAIN EXAMPLES OF SKILL CATEGORIES
Evaluate, Direct and Monitor (EDM) Governance of enterprise IT
IT Policy formulation
IT strategy
Enterprise architecture
Align, Plan and Organise (APO) Innovation
Financial management
Portfolio management
Business analysis
Project management
Usability evaluation
Requirements definition and
management
Build, Acquire and Implement (BAI)
Programming
System ergonomics
Software decommissioning
Capacity management
Availability management
Problem management
Service desk and incident management
Deliver, Service and Support (DSS) Security administration
IT operations
Database administration
Compliance review
Performance monitoring
Monitor, Evaluate and Assess (MEA)
Controls audit
114
APPENDIX 115
Use the Goals Cascade to scope which processes

to focus on
EXAMPLE

Start with BSC category step 1 116
Balanced Enterprise IT Related Goal

Scorecard Goals (ITRG) COBIT Process
Financial
Customer
Internal
Learning
Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs

Step 2 – Select Enterprise Goal, IT related Goal, and
117
Processes
Customer
6. Customer-oriented service culture
7. Business service continuity and availability
ITRG 07 Delivery of IT services in line with business requirements
ITRG 08 Adequate use of applications, information and technology solutions
ITRG 01 Alignment of IT and business strategy
ITRG 04 Managed IT-related business risk
ITRG 10 Security of information, processing infrastructure and applications
ITRG 14 Availability of reliable and useful information for decision making
PROCESSES PRIMARY IMPORTANCE OR

IMPACT
APO09 Manage Service Agreements P
APO13 Manage Security P
BAI04 Manage Availability and Capacity P
BAI08 Manage Knowledge P
BAI10 Manage Configuration P
DSS03 Manage Problems P
DSS04 Manage Continuity P

118
Step .3
Example APO09 – Examine Metrics
Process ID APO09
Process Name Manage Service Agreements
Process Align IT-enabled services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of IT services,
Description service levels and performance indicators.
Process Purpose Ensure that IT services and service levels meet current and future enterprise needs.
Outcomes (OS)
Number Description RELATED METRICS

The number of business processes with unidentified service
APO09-O1 IT services are identified, defined and catalogued according to enterprise needs. agreements
% of live IT services covered by service Agreements
APO09-O2 Service agreements reflect enterprise needs and the capabilities of IT.
% of Customers satisfied that service delivery meets agreed-on
APO09-O3 IT services perform as stipulated in service agreements. levels
Number & severity of service breaches
% of services being monitored to service levels
% of service targets being met

119

Vanilla Material – Area IM –
Implementation Introduced
Trainer
APM Group Limited
Topics 120
 The Life cycle Approach

 Inter related components of the life cycle
 Understanding the enterprise internal and external factors
 Key success factors for implementation
 The seven phases of the Life Cycle model explained
 The seven Change Enablement characteristics used in the life cycle.
 Change Enablement relationships to the Continual Improvement Life Cycle
 Making the Business case
 Appendix – SUMMARY OF THE DIFFERENCES BETWEEN COBIT 4.1 AND
COBIT 5. Not Tested
 To know facts, terms and concepts relating to the Implementation of

COBIT 5, specifically to recall:
o The three interrelated components of the life cycle model.
 Management of the programme
 Change enablement specifically addressing behaviour and cultural aspects and
 Core continual improvement life cycle.
 Understand the guidance that ISACA offers on implementing COBIT 5,
the use of the continual improvement life cycle’ in enabling change in an
enterprise. Specifically to identify:
o The enterprise specific internal and external environment factors as they apply to
change management.
o The Importance of Pain Points and Trigger events that require improved
governance and management of enterprise IT.
 Understand the guidance that ISACA offers on implementing COBIT 5,

the use of the continual improvement life cycle’ in enabling change in an
enterprise. Specifically to identify:
o The seven phases of Programme management used in the life cycle model.
o The seven Change enablement characteristics used in the life cycle model
o The seven Continual Improvement life cycle characteristics used in the life cycle
model.
o The importance of the business case to a programme initiative leveraging COBIT
5.
o The characteristics of a good business case and what it should typically include
COBIT 5 Implementation 123
 ISACA has developed the COBIT5 framework to help enterprises

implement sound governance enablers. Indeed, implementing good
GEIT is almost impossible without engaging an effective governance
framework. Best practices and standards are also available to
underpin COBIT5.
 However, frameworks, best practices and standards are useful only if
they are adopted and adapted effectively. There are challenges that
need to be overcome and issues that need to be addressed if GEIT is
to be implemented successfully.
 COBIT 5 Implementation provides guidance on how to do this.

COBIT 5 Implementation cont. 124
 The COBIT 5 Implementation Guide was released at the same

time as the COBIT 5 Framework and COBIT 5 Enabling Processes
 Information and information technology are increasingly part of
every aspect of business.
 The need to drive more value from IT investments and manage
an increasing array of IT-related risk has never been greater
 Increasing regulation and legislation is also raising awareness of
the importance of good governance

Challenges to Success 125
What are the drivers?

Where are we now and where do we want to be?
What needs to be done?
How do we get there?
Did we get there and how do we keep the
momentum going?

COBIT 5 Implementation 126

Enterprise Internal and External factors 127
 Understanding the Enterprise Internal and external factors as they apply to

change management such as:
o Ethics and culture
o Applicable laws, regulations and policies
o Mission, vision and values
o Governance policies and practices
o Business plans and strategic intentions
o Operating Model
o Management style
o Risk appetite
o Capabilities and available resources
o Industry practices

Key Success Factors 128
 Top Management providing the direction and mandate for the initiative as
well as on-going commitment
 All parties supporting the governance and management processes to
understand the business and IT objectives.
 Ensuring effective communication and enablement of the necessary changes
 Tailoring COBIT and other supporting good practices and standards to fit the
unique context of the enterprise and
 Focusing on quick wins and prioritising the most beneficial improvements
that are easiest to implement.

The purpose of each of the three interrelated components of 129
the life cycle. (0205)
Core Continual improvement – this is not a one-

off project
Enablement of change – Addressing the
behavioural and cultural aspects
Management of the programme.
COBIT 5 Implementation Phase 1 130

Phase 1 – What Are the Drivers? 131
Initiate the Programme

 Establish desire to change:
 Recognise need to act

Phase 1 – What Are the Drivers? 132
Need for new or improved IT governance

organization is usually recognized by pain
points and/or trigger events
Board and executive management should:
 Analyze pain points to identify root cause
 Look for opportunities during trigger events
The goal of this phase of the lifecycle includes:

 Outlining the business case
 Identification of stakeholders and roles & responsibilities
 IT governance program “wake-up call” and kick-off communications

Phase 1 - Typical Pain Points (0202) 133
13
3
 Resource waste through duplication or

 Failed IT initiatives
overlap in IT initiatives
 Rising costs  Insufficient IT resources
 Perception of low business value for IT IT staff burnout / dissatisfaction
investments  IT enabled changes frequently failing
 Significant incidents related to IT risk to meet business needs (late deliveries
(e.g. data loss) or budget overruns)
 Multiple and complex IT assurance
 Service delivery problems
efforts
 Failure to meet regulatory or  Board members or senior managers
contractual requirements that are reluctant to engage with IT
 Audit findings for poor IT performance
or low service levels
 Hidden and/or rogue IT spending

Phase 1 - Relevant Trigger Events (0202) 134
13
4
 Merger, acquisition or divestiture  An enterprise-wide governance focus or

 Shift in the market, economy or project
competitive position  A new CIO, CFO, COO or CEO
 Change in business operating  External audit or consultant
model or sourcing arrangements assessments
 A new business strategy or priority
 New regulatory or compliance
requirements
 Significant technology change or By using pain points or trigger events as the
launching point for IT governance initiatives, the
paradigm shift
business case for GEIT improvement can be
related to issues being experienced, which will
improve buy-in to the business case.


Phase 2 – Where are We Now? 136
 Define the problems and opportunities [Programme

Management]
o Understand the pain points that have been identified as governance
problems
o Take advantage of trigger events that provide opportunity for
improvement
• Form a powerful guiding team [Change Enablement]
o Knowledge of the business environment
o Insight into influencing factors
• Assess the current state [Continual Improvement Life cycle
attribute]
o Identify the IT goals in respect to enterprise goals
o Identify the most important processes
o Understand management risk appetite
o Understand the maturity of existing governance
o Related processes © 2012 ISACA. All Rights Reserved.

Phase 3 – Where Do We Want to Be? 138
Define the roadmap

o Describe the high level change enablement plan and objectives
Communicate desired vision

o Develop a communication strategy
o Communicate the vision
o Articulate the rationale and benefits of the change
o Set the tone at the top
Define target state and perform gap analysis
o Define the target for improvement
o Analyze the gaps
o Identify potential improvements

13
8

Phase 4 – What Needs to Be Done? 140
Develop program plan

 Prioritize potential initiatives
 Develop formal and justifiable projects
 Use plans that include contribution and program objectives
Empower role players and identify quick wins

 High benefit, easy implementations should come first
 Obtain buy-in by key stakeholders affected by the change
 Identify strengths in existing processes and leverage accordingly
Design and build improvements

 Plot improvements onto a grid to assist with prioritization
 Consider approach, deliverables, resources needed, costs, estimated time scales, project
dependencies and risks


Phase 5 – How Do We Get There? 142
Execute the plan

 Execute projects according to an integrated program plan
 Provide regular update reports to stakeholders
 Document and monitor the contribution of projects while managing risks
identified
Enable operation and use

 Build on the momentum and credibility of quick wins
 Plan cultural and behavioral aspects of the broader transition
 Define measures of success
Implement improvements
 Adopt and adapt best practices to suit the enterprise’s approach to policies and
process changes


Phase 6 – Did We Get There? 144
Realize benefits
o Monitor the overall performance of the program against business case objectives
o Monitor and measure the investment performance
Embed new approaches

o Provide transition from project mode to business as usual mode
o Monitor whether new roles and responsibilities have been taken on
o Track and assess objectives of the change response plans
o Maintain communication and ensure communication between appropriate
stakeholders continues
Operate and measure

o Set targets for each metric
o Measure metrics against targets
o Communicate results and adjust targets as necessary


Phase 7 – How Do We Keep Momentum? 146
 Continual improvements – keeping the momentum is critical to

sustainment of the lifecycle
 Review the program benefits
o Review program effectiveness through a program review gate
 Sustain
o Conscious reinforcement (reward achievers)
o Ongoing communication campaign (feedback on performance)
o Continuous top management commitment
 Monitor and evaluate
o Identify new governance objectives based on program
experience
o Communicate lessons learned and further improvement
requirements for the next iteration of the cycle

Change Enablement relationships to Programme 147
management Steps
 We have already outlined the seven phases and shown which of the
programme management steps they relate to; this section outlines the seven
enablers ( the second or red circle) and their relationship to the seven
program management steps (the outer ring or dark blue ring).:
PHASE & PROGRAMME STEP ENABLER REALTED TO THAT STEP

1. Initiate Programme Establish desire to change
2. Define Problems & Opportunities Form Implementation team
3. Define Road Map Communicate outcome
4. Plan Programme Identify role players
5. Execute Plan Operate and use
6. Realise Benefits Embed new approaches
7. Review Effectiveness Sustain

Change Enablement relationships to the Continual 148
Improvement Life Cycle
 Now let us at look at the core or central ring (Light blue). These are the tasks
associated with each change enabler.
CHANGE ENABLER CONTINUAL IMPROVEMENT LIFE CYCLE

1. Establish desire to change Recognise need to act
1. Form Implementation team Assess current state
1. Communicate outcome Define target state
1. Identify role players Build Improvement
1. Operate and use Implement improvements
1. Embed new approaches Operate and Measure
1. Sustain Monitor and Evaluate

Making the Business Case 149
 The characteristics of a good business case:

o The importance of a business case cannot be over stated. An appropriate level of
urgency needs to be instilled and the key stakeholders should be aware of the risk
of not taking action. An initiative should be owned by a sponsor (senior), involve
all key stakeholders, and be based on a business case.
o Initially this can be a high-level business case dealing with the strategic benefits
and costs and then progress to a more detailed business case. It is a valuable tool
available to management in guiding the creation of business value.

Characteristics of Good Business Case 150
 At a minimum a Business case should include:

o The business benefits that will be realized
o The business changes required
o The investments needed
o The on-going IT operating costs
o Constraints and dependencies derived from the risk assessment
o Roles, responsibilities and accountabilities relative to other initiative
o How the investment will be monitored

151
COBIT 4.1Differences to
COBIT 5

Transition Message 152
COBIT 4.1, Val IT and Risk IT users who are already

engaged in governance of enterprise IT (GEIT)
implementation activities can transition to COBIT 5
and benefit from the latest and improved guidance
that it provides during the next iterations of their
enterprise’s improvement life cycle.
COBIT 5 builds on previous versions of COBIT (and Val
IT and Risk IT) and so enterprises can also build on
what they have developed using earlier versions.

Areas of Change 153
 The following slides summarise the major changes in COBIT 5

content and how they may impact GEIT
implementation/improvement:
1. New GEIT Principles
2. Increased Focus on Enablers
3. New Process Reference Model
4. New and Modified Processes separating governance from Management
5. Practices and Activities
6. Revised and expanded Goals and Metrics
7. Inputs and Outputs provided at Management practice level verses process
level in COBIT4.1
8. Expanded RACI Charts at management practice level
9. New Process Capability Maturity Model

Stakeholder Value and Business Objectives 154
(cont.)
 The goals cascade is not ‘new’ to COBIT.

 It was introduced in COBIT 4.0 in 2005.
 Those COBIT users who have applied the thinking to their
enterprises have found value.
 BUT not everyone has recognized this value.
 The goals cascade supports the COBIT 5 stakeholder needs
principle that is fundamental to COBIT and has therefore been
made prominent early in the COBIT 5 guidance.
 The goals cascade has been revisited and updated for the COBIT
5 release.

Governance and Management Defined 155
 What sort of framework is COBIT?

o An IT audit and control framework?
 COBIT (1996) and COBIT 2nd Edition (1998)
 Focus on Control Objectives
o An IT management framework?
 COBIT 3rd Edition (2000)
 Management Guidelines added
o An IT governance framework?
 COBIT 4.0 (2005) and COBIT 4.1 (2007)
 Governance and compliance processes added
 Assurance processes removed
 BUT what is the difference between governance and management?
© 2012ISACA. All rights reserved.

Governance and Management Defined (cont.) 156
The COBIT 5 process reference model subdivides the IT-related practices and
activities of the enterprise into two main areas—governance and management—
with management further divided into domains of processes:
 The GOVERNANCE domain
o contains five governance
o processes; within each process,
o evaluate, direct and monitor
o (EDM) practices are defined.
 The four MANAGEMENT
domains are in line with the
responsibility areas of plan,
build, run and monitor (PBRM)

1. New GEIT Principles 157
COBIT 5 Principles

158
1. New GEIT Principles (cont.)
Val IT and Risk IT frameworks are principles-

based.
Feedback indicated that principles are easy to
understand and put into an enterprise context,
allowing value to be derived from the supporting
guidance more effectively.
ISO/IEC 38500 also incorporates principles to
underpin its messages to achieve the same market
benefit delivery, although the principles in this
standard and COBIT 5 are not the same.

2. Increased Focus on Enablers
159
COBIT 4.1 did not have enablers! Yes it did—they were

not called enablers, but they were there, explicitly or
implicitly!

2. Increased Focus on Enablers (cont.)
160
 Information, infrastructure, applications (services) and people

(people, skills and competencies) were COBIT 4.1 resources.
 Principles, policies and frameworks were mentioned in a few
COBIT 4.1 processes.
 Processes were central to COBIT 4.1 use.
 Organisational structure was implied through the responsible,
accountable, consulted or informed (RACI) roles and their
definitions.
 Culture, ethics and behaviour were mentioned in a few COBIT
4.1 processes.

3. New Process Reference Model
161
COBIT 5 is based on a revised process reference model

with a new governance domain and several new and
modified processes that now cover enterprise activities
end-to-end—i.e., business and IT function areas.
COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into
one framework, and has been updated to align with
current best practices—e.g., ITIL, TOGAF.
The new model can be used as a guide for adjusting as
necessary the enterprise’s own process model (just like
COBIT 4.1).

162
162

4. New and Modified Processes
163
COBIT 5 introduces five new governance processes that

have leveraged and improved COBIT 4.1, Val IT and
Risk IT governance approaches.
This guidance:
o Helps enterprises to further refine and strengthen executive
management-level GEIT practices and activities
o Supports GEIT integration with existing enterprise
governance practices and is aligned with
ISO/IEC 38500

4. New and Modified Processes (cont.)
164
COBIT 5 has clarified management level processes and

integrated COBIT 4.1, Val IT and Risk IT content into one
process reference model

165
There are several new and modified processes that

reflect current thinking, in particular:
o APO03 Manage enterprise architecture.
o APO04 Manage innovation.
o APO05 Manage portfolio.
o APO06 Manage budget and costs.
o APO08 Manage relationships.
o APO13 Manage security.
o BAI05 Manage organisational change enablement.
o BAI08 Manage knowledge.
o BAI09 Manage assets.
o DSS05 Manage security service.
o DSS06 Manage business process controls.

166
COBIT 5 processes now cover end-to-end business and

IT activities—i.e., a full enterprise-level view.
This provides for a more holistic and complete
coverage of practices reflecting the pervasive
enterprisewide nature of IT use.
It makes the involvement, responsibilities and
accountabilities of business stakeholders in the use of
IT more explicit and transparent.

5. Practices and Activities
167
The COBIT 5 governance or management practices are

equivalent to the COBIT 4.1 control objectives and Val
IT and Risk IT processes.
 www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-
Control-Objectives-Gone.aspx
The COBIT 5 activities are equivalent to the COBIT 4.1

control practices and Val IT and Risk IT management
practices.
COBIT 5 integrates and updates all of the previous
content into the one new model, making it easier for
users to understand and use this material when
implementing improvements.
6. Enhanced Goals and Metrics
168
 COBIT 5 follows the same goal and metric concepts as

COBIT 4.1, Val IT and Risk IT, but these are renamed
enterprise goals, IT-related goals and process goals
reflecting an enterprise level view.
 COBIT 5 provides a revised goals cascade based on
enterprise goals driving IT-related goals and then
supported by critical processes.
 COBIT 5 provides examples of goals and metrics at the
enterprise, process and management practice levels. This
is a change to COBIT 4.1, Val IT and Risk IT, which went
down one level lower.

169
7. Revised and Enhanced Inputs and Outputs
COBIT 5 provides inputs and outputs for every

management practice, whereas COBIT 4.1 only
provided these at the process level.
This provides additional detailed guidance for
designing processes to include essential work products
and to assist with interprocess integration.

8. Expanded RACI Charts
170
COBIT 5 provides RACI charts describing roles and

responsibilities in a similar way to COBIT4.1, Val IT and
Risk IT.
COBIT 5 provides a more complete, detailed and
clearer range of generic business and IT role players
and charts than COBIT 4.1 for each management
practice, enabling better definition of role player
responsibilities or level of involvement when designing
and implementing processes.

8. RACI Charts (cont.)
171

9. New Process Capability Assessment Model 172
 COBIT 5 discontinues the COBIT4.1, Val IT and Risk IT CMM-based

capability maturity modelling approach.
 COBIT 5 will be supported by a new process capability assessment
approach based on ISO/IEC 15504, and the COBIT Assessment
Programme has already been established for COBIT 4.1 as an
alternative to the CMM approach. COBIT 5 will be launched soon;
a supplementary guide has been provided for ATO’s
 www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-
Assessment-Programme.aspx
 The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not
considered compatible with the ISO/IEC 15504 approach
because the methods use different attributes and measurement
scales.

9. Process Capability Maturity Models 173
and Assessments (cont.)
COBIT 4.1/5

 The COBIT Assessment Programme approach is considered by
ISACA to be more robust, reliable and repeatable as a process
capability assessment method.
 The COBIT Assessment Programme supports:
o Formal assessments by accredited assessors
(assessor training is being developed)
o Less rigorous self-assessments for internal gap
analysis and process improvement planning
 The COBIT Assessment Programme, in the future, will also
potentially enable an enterprise to obtain an independent and
certified assessments aligned to the ISO/IEC standard.

COBIT 4.1, Val IT and Risk IT users wishing to move to

the new COBIT Assessment Programme approach will
need to realign their previous ratings, adopt and learn
the new method, and initiate a new set of assessments
in order to gain the benefits of the new approach.
Although some of the information gathered from
previous assessments may be reusable, care will be
needed in migrating this information forward because
there are significant differences in requirements.

176
177

PC – Process Capability
Trainer
APM Group Limited
Topics 178
 Introduction and Purpose of the Guide

 Syllabus Learning Areas & Topics
 Process Assessment Explained
 What is a process assessment
 What is the COBIT Assessment Programme
 The differences between a capability and maturity assessment
 Differences to the COBIT 4.1 CMM (Not being tested)
 Overview of the COBIT Capability Model & Assessments
 The Process Reference Model (PRM)
 The Process Assessment Model (PAM)
 The Measurement Framework
 Introduction to the Assessor Training Steps (Not being tested)
Learning Outcomes….1 179
 To know facts, terms and concepts relating to the Process

Capability Model. Specifically to recall:
 The six Capability Levels based on ISO 15504
 The nine Attributes based on ISO 15504
 The Rating Scale based on ISO 15504
 The definition of Key ISO 15504 terms
 To understand the Process Capability Model and the basic
ISO 15504 concepts. Specifically to identify:
 The Reasons for carrying out a Process Assessment.
 The Scope of the COBIT assessment programme, specifically the purpose
of the 3 guides:
 The differences between a Maturity and a Capability Assessment
Learning Outcomes….2 180
 To understand the Process Capability Model and the basic ISO 15504
concepts. Specifically to identify:
 The purpose of a Process Reference Model.
 How a Process Reference Model is used in the COBIT 5 PAM (Process Assessment
Model).
 The characteristics of the COBIT 5 Process Reference Model which meet ISO
15504 standards .
 The Differences between the two dimensions outlined in the ISO 15504
approach.
 The differences between the Generic and Specific attributes outlined in the COBIT
PAM
 The benefits of the COBIT Capability Assessment approach
 How the rating scales are used in an assessment
What is a Process Assessment 181
 ISO/IEC 15504-4 identifies process assessment as an activity that can be

performed either as part of a process improvement initiative or as part of a
capability determination approach
 The purpose of process improvement is to continually improve the
enterprise’s effectiveness and efficiency
 The purpose of process capability determination is to identify the strengths,
weaknesses and risk of selected processes with respect to a particular
specified requirement through the processes used and their alignment with
the business need
 It provides an understandable, logical, repeatable, reliable and robust
methodology for assessing the capability of IT processes.
Process Capability Assessments 182
• The COBIT Assessment Programme approach is

considered by ISACA to be more robust, reliable and
repeatable as a process capability assessment
method
• The COBIT Assessment Programme supports:
– Formal assessments by accredited assessors
– Less rigorous self-assessments for internal gap analysis and
process improvement planning
• The COBIT Assessment Programme potentially
enables an enterprise to obtain an independent and
certified assessments aligned to the ISO/IEC
standard

What is the COBIT Assessment Program? 183
 The COBIT Assessment Program includes:

 COBIT Process Assessment Model (PAM) – Using COBIT 4.1
 COBIT Process Assessment Model (PAM) Using COBIT 5
 COBIT Assessor’s Guide – using COBIT 4.1
 COBIT Assessor’s Guide – using COBIT 5.0
 COBIT Self Assessment Guide – Using COBIT 4.1
 COBIT Self Assessment Guide – Using COBIT 5.0
 The COBIT Process Assessment Model (PAM) brings together
two proven heavyweights in the IT arena, ISO and ISACA.
 The new Process Capability Model based on ISO 15504
replaces the Process Capability Maturity Model used in earlier
COBIT versions.

• COBIT Process Assessment Model (PAM): Using COBIT

4.1 & COBIT 5.0
– Serves as a base reference document for the performance of a
capability assessment of an organisation’s current IT processes
against COBIT
• COBIT Assessor Guide: Using COBIT 4.1 &COBIT 5.0
– Provides details on how to undertake a full ISO-compliant
assessment
• COBIT Self-assessment Guide: Using COBIT 4.1&COBIT
5.0
– Provides guidance on how to perform a basic self-assessment of
an organisation’s current IT process capability levels against
COBIT processes

Differences Between a Capability & Maturity 185
Assessment
 Historically most frame works from COBIT, ITIL to PRINCE 2 have adopted
the SEI (Software Engineering Institute) CMMI approach which combines a
Capability and a Maturity Assessment into a single assessment.
 ISO 15504 argues that they are two separate assessments:
 A Maturity Assessment is done at an Enterprise or organizational level and

uses a different measurement scale than a capability assessment and different
criteria and attributes.
 A Capability Assessment is done at a process Level and is done for purposes of
process Improvement. You cannot ‘role up’ an assessment of many different
processes mathematically to an enterprise level. It works for SEI’s CMMI because
they are assessing a single process, ‘software engineering development or
application development. Most frameworks like COBIT contain 34 and 37
processes respectively for COBIT 4.1 and COBIT 5.
 So the concept of a Maturity Assessment has been redeveloped in COBIT 5 to the
ISO 15504 Process Capability Assessment.
Differences to a CMM Model ? 186
 But don’t we already have maturity models for COBIT4.1 processes?

 The new COBIT Assessment Program
o A robust assessment process based on ISO15504
o Aligns COBIT’s maturity model scale with ISO15504 standard
o New capability based assessment model includes:
 Specific process requirements derived from COBIT 4.1
 Ability of process to achieve process attributes based on
15504
 Evidence requirements
 Assessor qualifications and experiential requirements
 Results in a more robust, objective and repeatable assessment
 Assessment results will likely vary from existing COBIT maturity models
 COBIT 5 only adopts the ISO 15504 approach

COBIT 4.1 MM Attributes vs. ISO 15504 187
COBIT 4.1 Process ISO/IEC 15504 Process

Maturity Level
Capability Level Attribute
5 Optimised 5 Optimizing PA 5.1 Process innovation

PA 5.2 Process optimization
4 Managed and 4 Predictable PA 4.1 Process measurement

measurable PA 4.2 Process control
3 Defined 3 Established PA 3.1 Process definition

PA 3.2 Process deployment
2 Repeatable but 2 Managed PA 2.1Performance management

intuitive PA 2.2 Work product management
1 Initial/ad hoc 1 Performed PA 1.1 Process performance
0 Non-existent 0 Incomplete
188
Process Capability Assessment Differences COBIT 4.1 & COBIT 5.0
 The key difference to note from the above

definitions:
o A Maturity Assessment is done at an Enterprise or
organizational level and uses a different
measurement scale than a capability assessment and
different criteria and attributes.
o A Capability Assessment is done at a process Level
and is done for purposes of process Improvement

Advantages of the ISO 15504 Approach 189
 A robust assessment process based on ISO 15504

 An alignment of COBIT’s maturity model scale with the international
standard
 A new capability-based assessment model which includes:
o Specific process requirements derived from COBIT 4.1& COBIT 5
o Ability to achieve process attributes based on ISO 15504
o Evidence requirements
 Assessor qualifications and experiential requirements
 Results in a more robust, objective and repeatable assessment
Benefits of the Approach 190
 Improved focus on the process being performed, to confirm that it is actually

achieving its purpose.
 Simplified content through elimination of duplication especially with COBIT
4.1 which required duplicating control objectives, RACI activities to be
converted.
 Improved reliability and repeatability of process capability activities and
evaluations, reducing debates and disagreements between stakeholders of
the assessed results. (evidence-based)
 Increased usability of process capability assessment results as the approach
is more rigorous for both internal and external purposes.
 Compliance with a generally accepted process assessment standard and
therefore a strong support for the approach in the market place.
Purposes of Carrying out a process assessment 191
To Enable the Governance body and management
to benchmark process capability.
To Enable high-level ‚as is‘ and ‚to be‘ health checks
to support the governance body and management
investment decision making with regards to
process improvement.
Provide gap analysis and improvement planning
information to support definition of justifiable
improvement projects.
Provid the governance body and management with
assessment ratings to measure and monitor current
capabilities.
Assessment Approach Overview 192
COBIT 4.1 & 5.0
Process Assessment Model
Assessment Process

192
Key ISO 15504 definitions 193
• ISO 15504 defines the following key terms:

• Process purpose – The high-level measurable objectives of
performing the process and the likely outcomes of effective
implementation of the process.
• Process outcomes - An observable result of a process (Note:
An outcome is an artefact, a significant change of state or the
meeting of specified constraints.)
• Base practices – The activities that, when consistently
performed, contribute to achieving the process purpose
• Work product - An artefact associated with the execution of a
process – defined in terms of process ‘inputs’ and process
‘outputs’.

194
Process Reference Model Walkthrough

UNDERSTANDING THE ISO
STRUCTURE

195
COBIT 5 PRM
COBIT 5 Process Reference Model 196

Process ID APO13
Process Name Manage Security 197
Process define operate and monitor a system for information security management
Description
Process Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels.
Purpose
Outcomes (OS)
Number Description
APO13-O1 A system is in place that considers and effectively addresses enterprise information security requirements.
APO13-O2 A security plan has been established, accepted and communicated throughout the enterprise.
APO13-O3 Information security solutions are implemented and operated consistently throughout the enterprise.
Base Practices (BP)
Number Description Supports
APO13-BP01 APO13.01 Establish and maintain an information security Outcome APO13.O1
management system (ISMS).
Establish and maintain an ISMS that provides a standard, formal and
continuous approach to security management for information, enabling
APO13-BP02 APO13.02 Define and manage an information security risk Outcome APO13.O2
treatment plan.
Maintain an information security plan that describes how information
security risk is to be managed and aligned with the enterprise strategy and
enterprise architecture. Ensure that recommendations for implementing
security improvements are based on approved business cases and
APO13-BP03 APO13.03 Monitor and review the ISMS. Outcome

Maintain and regularly communicate the need for, and benefits of, APO13.O1/O3
continuous information security improvement. Collect and analyse data
about the ISMS, and improve the effectiveness of the ISMS. Correct non-
conformities to prevent recurrence. Promote a culture of security and
Work Products (WPs) 198
Inputs
Number Description Supports
DSS02-WP5 Classified and prioritised incidents and service requests Base practice APO13.BP03 and outcomes
APO13.O1/O3
Outside COBIT Enterprise security approach Base practice APO13.BP01 and outcome
APO13.O1
APO02-WP8 Gaps and changes required to realise target capability Base practice APO13.BP02 and outcome
APO13.O2
APO03-WP4 APO03.02 - Baseline domain descriptions and architecture definition Base practice APO13.BP02 and outcome
APO13.O2
APO12-WP13 APO12.05 - Project proposals for reducing risk Base practice APO13.BP02 and outcome
APO13.O2
Outputs
Number Description Input to Supports
APO13-WP1 ISMS policy Internal from base practice APO13.BPO1 and

outcome APO13.O1
APO13-WP2 ISMS scope statement APO01.02; DSS06.03 from base practice APO13.BPO1 and
outcome APO13.O1
APO13-WP3 Information security risk treatment plan All EDM; All APO; All BAI; All from base practice APO13.BPO2 and
DSS; All MEA outcome APO13.O2
APO13-WP4 Information security business cases APO02.05 from base practice APO13.BPO2 and
outcome APO13.O2
APO13-WP5 ISMS audit reports MEA02.01 from base practice APO13.BPO3 and
outcome APO13.O1/O3
APO13-WP6 Recommendations for improving the ISMS Internal from base practice APO13.BPO3 and
outcome APO13.O1/O3
199
COBIT 4.1 PRM

COBIT 4.1 Process Reference Model 200
BUSINESS OBJECTIVES AND

GOVERNANCE OBJECTIVES
C O B I T
ME1 Monitor and evaluate IT FRAMEWORK
PO1 Define a strategic IT plan.
performance. INFORMATION
PO2 Define the information architecture.
ME2 Monitor and evaluate internal
PO3 Determine technological direction.
control.
Efficiency Integrity PO4 Define the IT processes, organisation
ME3 Ensure compliance with external
Effectiveness Availability and relationships.
requirements.
Compliance PO5 Manage the IT investment.
ME4 Provide IT governance. Confidentiality
PO6 Communicate management aims and
Reliability direction.
MONITOR PLAN PO7 Manage IT human resources.
AND AND PO8 Manage quality.
EVALUATE ORGANISE PO9 Assess and manage IT risks.
IT PO10 Manage projects.
DS1 Define and manage service levels. RESOURCES
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs. Applications
Information
DS7 Educate and train users. AI1 Identify automated solutions.
Infrastructure
DS8 Manage service desk and incidents. People AI2 Acquire and maintain application
DS9 Manage the configuration. software.
DELIVER ACQUIRE
DS10 Manage problems. AND AI3 Acquire and maintain technology
AND
DS11 Manage data. SUPPORT IMPLEMENT infrastructure.
DS12 Manage the physical environment. AI4 Enable operation and use.
DS13 Manage operations. AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and
changes.

Process Reference Model 201
The high-level measurable objectives of performing the process and the likely
outcomes of effective implementation of the process
An observable result of a process - an object, a significant change of state or
the meeting of specified constraints
The activities that, when consistently performed, contribute to achieving the
process purpose
The objects associated with the execution

of a process – defined in terms of process
“inputs” and process “outputs”

201
PRM Based on COBIT 4.1 202

202
• COBIT 4.1, Val IT and Risk IT users wishing to

move to the new COBIT Assessment Programme
approach will need to:
– realign their previous ratings
– adopt and learn the new method
– initiate a new set of assessments

204
The process Assessment Model

(PAM) Explained
 Scope
 Indicators
 Mapping

PAM Scope 205
 A Process Assessment Model is related to one or more Process Reference

Models. It forms the basis for the collection of evidence and rating of process
capability. A Process Assessment Model shall relate to at least one process
from the specified Process Reference Model(s).
 A Process Assessment Model shall address, for a given process, all, or a
continuous subset, of
 the levels (starting at level 1) of the measurement framework for process
capability for each of the processes within its scope.
 NOTE It would be permissible for a model, for example, to address solely level
1, or to address levels 1, 2 and 3, but it would not be permissible to address
levels 2 and 3 without level 1.

Differences between the Capability & Process 206
Dimension
 ISO 15504 defines two levels:
o A Capability Dimension which focuses on the process capability
dimension (levels 1 to 5) based on process attribute indicators (PAI) that
are solely deals with Generic attributes
o A Process dimension that contains additional indicators for process for
process performance assessment based on very specific performance
indicators.
o ** Note that the PRM or process reference model is used only for this
dimension at LEVEL 1. Levels 2 to 5 focuses only on the Capability
dimension based on generic attributes. The ISO model shown at Figure 7
in the next slide demonstrates this concept.
Indicators 207

Indicators with COBIT 5 PRM 208

Assessing Process Capability 209
PA 2.1 Performance Management

Result of Full Generic Practices (GPs) Generic Work Products (GWPs)
Achievement of the
Attribute
a. Objectives for the GP 2.1.1 Identify the objectives for the GWP 1.0 Process documentation should
performance of the performance of the process. The performance outline the process scope.
process are identified. objectives, scoped together with assumptions GWP 2.0 Process plan should provide details
and constraints, are defined and of the process performance objectives.
communicated.
b. Performance of the GP 2.1.2 Plan and monitor the performance GWP 2.0 Process plan should provide details
process is planned and of the process to fulfil the identified objectives. of the process performance objectives.
monitored. Basic measures of process performance linked GWP 9.0 Process performance records
to business objectives are established and should provide details of the outcomes.
monitored. They include key milestones, Note: At this level, the record of process
required activities, estimates and schedules. performance may be in the form of reports,
issues registers and informal records.
c. Performance of the GP 2.1.3 Adjust the performance of the GWP 4.0 Quality record should provide
process is adjusted to process. Action is taken when planned details of action taken when performance is
meet plans. performance is not achieved. Actions include not achieved.
identification of process performance issues
and adjustment of plans and schedules as
appropriate.

Mapping to PRM’s 210
 A Process Assessment Model shall provide an explicit mapping from the

relevant elements of the model to the processes of the selected Process
Reference Model and to the relevant process attributes of the measurement
framework.
 The mapping shall be complete, clear and unambiguous. The mapping of the
indicators within the Process Assessment Model shall be:
 a) the purposes and outcomes of the processes in the specified Process
Reference Model;
 b) the process attributes (including all of the results of achievements listed
for each process attribute) in the measurement framework. This enables
Process Assessment Models that are structurally different to be related to the
same Process Reference Model.

Process capability levels 211
Optimizing
Level 5 Optimizing process
The process is continuously improved to meet relevant current PA.5.1 Process Innovation attribute
and projected business goals PA.5.2 Process Optimization attribute
Predictable Level 4 Predictable Process

The process is enacted consistently within PA.4.1 Process Measurement attribute
defined limits
PA.4.2 Process Control attribute
Established
A defined process is used based on a Level 3 Established Process
standard process. PA.3.1 Process Definition attribute
PA.3.2 Process Deployment attribute
Level 2 Managed Process Managed

The process is managed and work
PA.2.1 Performance Management attribute
products are established, controlled
PA.2.2 Work Product Management attribute
and maintained.
Level 1 Performed process Performed
PA.1.1 Process Performance attribute The process is implemented and
achieves its process purpose
Incomplete
Level 0 Incomplete process The process is not implemented or fails to
achieve its purpose
211
Measurement Framework 212
 COBIT Assessment Process measures the extent to which a given process

achieves specific attributes relative to that process – “Process Attributes”
 COBIT Assessment Process defines 9 Process Attributes (based on ISO/IEC
15504-2)
 PA1.1 – process performance
 PA2.1 – work product management
 PA2.2 – performance management
 PA3.1 – process definition
 PA3.2 – process deployment
 PA4.1 – process measurement
 PA4.2 – process control
 PA5.1 – process innovation
 PA5.2 – continuous optimization

Process Attributes (example) 213
PA 1.1 Process performance

– The process performance attribute is a measure of
the extent to which the process purpose is achieved.
– As a result of full achievement of this attribute the
process achieves its defined outcomes.

Process Attributes (example) 214
 PA 2.1 Performance Management

–A measure of the extent to which the performance of the process is managed. As a result of full
achievement of this attribute:
a. Objectives for the performance of the process are identified
b. Performance of the process is planned and monitored
c. Performance of the process is adjusted to meet plans
d. Responsibilities and authorities for performing the process are defined, assigned and communicated
e. Resources and information necessary for performing the process are identified, made available, allocated
and used
f. Interfaces between the involved parties are managed to ensure effective communication and clear
assignment of responsibility
 PA 2.2 Work Product Management
–A measure of the extent to which the work products produced by the process are
appropriately managed. As a result of full achievement of this attribute:
a. Requirements for the work products of the process are defined.
b. Requirements for documentation and control of the work products are defined.
c. Work products are appropriately identified, documented and controlled.
d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to
meet requirements.

Process Attribute Rating Scale 215
 COBIT Assessment Process measures the extent to which a given process achieves
the “Process Attributes”
N Not achieved 0 to 15 % achievement
There is little or no evidence of achievement of the defined attribute in the assessed process
P Partially achieved > 15 % to 50 % achievement
There is some evidence of an approach to, and some achievement of, the defined attribute in the
assessed process. Some aspects of achievement of the attribute may be unpredictable
L Largely achieved > 50 % to 85% achievement
There is evidence of a systematic approach to, and significant achievement of, the defined
attribute in the assessed process. Some weakness related to this attribute may exist in the assessed
process
F Fully achieved > 85 % to 100 % achievement
There is evidence of a complete and systematic approach to, and full achievement of, the defined
attribute in the assessed process. No significant weaknesses related to this attribute exist in the
assessed process
© 2012 ISACA® All rights reserved. 215

Process Attribute Ratings and Capability Levels 216
1 2 3 4 5
PA5.2 Optimization L
Level 5 - Optimizing /
PA5.1 Innovation F
PA4.2 Control L F
Level 4 - Predictable /
PA4.1 Measurement F
PA3.2 Deployment L F F
Level 3 - Established /
PA3.1 Definition F
PA2.2 Work Product Management L F F F

Level 2 - Managed /
PA2.1 Performance Management F
L F F F F
Level 1 - Performed PA1.1 Process Performance /
F
Level 0 - Incomplete L/F = Largely or Fully F= Fully
Target Process Capabilities (example) 217
Level 1 Level 2 Level 3
PA 1.1 PA 2.1 PA 2.2 PA 3.1 PA 3.2
Process A Target Capability L
Assessed
Process B Target Capability F L L
Assessed
Process C Target Capability F F F L L
Assessed

Consequence of Capability Gaps 218
Table A.3 — Consequence of gaps at various capability levels

Capability Gaps and Risk 219
Table A.4 — Risk associated with each capability level

220
Summary of Assessor Assessment

steps
FACILITATOR’S GUIDE REFERENCE
3.9 (NOT TESTED

Overview 221

221
Assessment Process Activities 222
1 – Initiation
2 – Planning the Assessment
3 – Briefing
4 – Data Collection
5 – Data Validation
6 – Process Attribute Rating
7 – Reporting the Results

222
1. Initiation 223
• Identify the sponsor and define the purpose of the assessment

– why it is being carried out
• Define the scope of the assessment
– which processes are being assessed
– what constraints, if any, apply to the assessment
• Identify any additional information that needs to be gathered,
• Select the assessment participants, the assessment team and
define the roles of team members,
• Define assessment inputs and outputs
– Have them approved by the sponsor

2. Planning the Assessment 224
• An assessment plan describing all activities performed in

conducting the assessment is
– developed and
– documented together with
– an assessment schedule
• Identify the project scope,
• Secure the necessary resources to perform the assessment
• Determine the method of collating, reviewing, validating and
documenting the information required for the assessment
• Co-ordinate assessment activities with the Organizational Unit
being assessed

3. Briefing 225
• The Assessment Team Leader ensures that the assessment

team understands the assessment
– input,
– process and
– output
• Brief the Organizational Unit on the performance of the
assessment
– PAM, assessment scope, scheduling, constraints, roles and
responsibilities, resource requirements, etc.

4. Data Collection 226
• The assessor obtains (and documents) an understanding of the process(es)

including process purpose, inputs, outputs and work products, sufficient to
enable and support the assessment
• Data required for evaluating the processes within the scope of the
assessment is collected in a systematic manner
• The strategy and techniques for the selection, collection, analysis of
data and justification of the ratings are explicitly identified and
demonstrable
• Each process identified in the assessment scope is assessed on the basis of
objective evidence
 The objective evidence gathered for each attribute of each process assessed must be
sufficient to meet the assessment purpose and scope
 Objective evidence that supports the assessors’ judgement of process attribute ratings is
recorded and maintained in the Assessment Record.
 This Record provides evidence to substantiate the ratings and to verify compliance with the
requirements.

5. Data Validation 227
• Actions are taken to ensure that the data is accurate and

sufficiently covers the assessment scope, including
– seeking information from first hand, independent sources;
– using past assessment results; and
– holding feedback sessions to validate the information
collected.
• Some data validation may occur as the data is being collected

6. Process Attribute Rating 228
• For each process assessed, a rating is assigned for each process

attribute up to and including the highest capability level defined
in the assessment scope
• The rating is based on data validated in the previous activity
• Traceability shall be maintained between the objective
evidence collected and the process attribute ratings
assigned
• For each process attribute rated, the relationship between the
indicators and the objective evidence is recorded

7. Reporting the Results 229
• The results of the assessment are analysed

and presented in a report
• The report also covers any key issues raised

during the assessment such as:
• observed areas of strength and weakness
• findings of high risk
• i.e. magnitude of gap between assessed capability and
desired/required capability

Assessor Certification 230
• COBIT Process Assessment roles:

– Lead Assessor – a “competent” assessor responsible for overseeing the
assessment activities
– Assessor – an individual, developing assessor competencies, that
performs the assessment activities
• Assessor Competencies:
– Knowledge, Skills and Experience
• With the Process Reference Model; Process Assessment Model,
methods and tools; and rating processes
• With the processes/domains being assessed
• Personal attributes which contribute to effective performance
• An Assessor’s training and certification course for assessors is being
developed for COBIT 4.1 and COBIT 5.0. Availability Q1 2013

231
232
Thank You

Cob It 5 in Nutshell

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cob It 5 in Nutshell

Uploaded by

Copyright:

Available Formats

1

COBIT 5 Foundation Training

Prof. Richardus Eko Indrajit

 1 – The Reasons for the Development of COBIT 5

Understand the concepts relating to the

• Provide a renewed and authoritative governance and

• Integrate all other major ISACA frameworks and guidance

• Align with other major frameworks and standards

© 2012 ISACA. All Rights Reserved.

COBIT1 COBIT2 COBIT3 COBIT4.0/4.1 COBIT 5

1996 1998 2000 2005/7 2012

© 2012 ISACA. All Rights Reserved.

• Provide guidance in:

© 2012 ISACA. All Rights Reserved.

• A need for the enterprise to:

© 2012 ISACA. All Rights Reserved.

• Not simply IT; not only for big business!

© 2012 ISACA. All Rights Reserved.

• Information is the business currency of the 21st

© 2012 ISACA. All Rights Reserved.

Enterprises and their executives strive to:

How can these benefits be realised to create

© 2012 ISACA. All rights reserved.

© 2012 ISACA. All rights reserved.

© 2012 ISACA. All Rights Reserved.

• Enterprises are under constant pressure to:

© 2012 ISACA. All Rights Reserved.

• COBIT 5 is based on:

© 2012 ISACA. All Rights Reserved.

© 2012 ISACA. All Rights Reserved.

© 2012 ISACA. All rights reserved.

WHAT ITIL HOW

© 2012 ISACA. All rights reserved.

ISO ISO ISO

Processes and Procedures QA Security ITIL

© 2012 ISACA. All rights reserved.

© 2012 ISACA. All rights reserved.

 TOGAF (The Open Group Architecture Framework)

© 2012 ISACA. All rights reserved.

COBIT 5 Foundation Training

Introducing the 5 Principles

• Know facts and terms relating to the five Principles of COBIT 5;

• Understand the concepts relating to the structure and format of the

• Understand the concepts relating to the structure and format of the

© 2012 ISACA All rights reserved.

 Enterprises have many stakeholders

© 2012 ISACA. All Rights Reserved.

• Enterprises exist to create value for their stakeholders

• Value creation: realizing benefits at an optimal resource cost

© 2012 ISACA. All Rights Reserved.

© 2012 ISACA. All Rights Reserved.

• In practice, the goals cascade:

© 2012 ISACA. All Rights Reserved.

EXTERNAL STAKEHOLDERS EXTERNAL STAKEHOLDER NEEDS

© 2012 ISACA. All Rights Reserved.

© 2012 ISACA. All Rights Reserved.

© 2012 ISACA. All Rights Reserved.

Also included is an important categorisation based on:

P – Primary business relationship

S- Secondary business relationship

Step 3 - Enterprise Goals cascade to IT related Goals

Step 4 IT related Goals Cascade to Enabler Goals

This means that COBIT 5:

© 2012 ISACA. All Rights Reserved.