Professional Documents
Culture Documents
Cob It 5 in Nutshell
Cob It 5 in Nutshell
COBIT 5:
• ISACA Board of Directors directive: “Tie together and reinforce
all ISACA knowledge assets with COBIT.”
Governance of Enterprise IT
IT Governance
BMIS
(2010)
Evolution
Management
Val IT 2.0
(2008)
Control
Audit Risk IT
(2009)
COBIT 5 :
• Defines the starting point of governance and management
activities with the stakeholder needs related to enterprise IT
• Creates a more holistic, integrated and complete view of
enterprise governance and management of IT that is consistent,
provides an end-to-end view on all IT-related matters and
provides a holistic view
• Creates a common language between IT and business for the
enterprise governance and management of IT
• Is consistent with generally accepted corporate governance
standards, and thus helps to meet regulatory requirements
• Simplified
– COBIT 5 directly addresses the needs of the viewer from different
perspectives
– Development continues with specific practitioner guides
• COBIT 5 is initially in 3 volumes:
1. The Framework
2. Process Reference Guide
3. Implementation Guide
COSO
COBIT
ISO 27002
ISO 9000
SCOPE OF COVERAGE
CONFORMANCE
Drivers PERFORMANCE: Basel II, Sarbanes-
Business Goals Oxley Act, etc.
Balanced
Enterprise Governance COSO
Scorecard
IT Governance
COBIT
ISO/IEC 38500
o ISO’s 6 principles map to COBIT 5 (appendix E)
ITIL v3The following 5 areas and domains are covered by ITIL
v3:
o A subset of process in the DSS domain
o A sunset of processes in the BAI domain
o Some process in the APO domain
ISO/IEC 27000
o Security and IT-related processes in domains EDM, APO and DSS
o Some monitoring of security monitoring activities in MEA
ISO/IEC 31000
o Risk management related activities in EDM and APO
Trainer
APM Group Limited
Topics 23
The four questions to ask when establishing how to manage the enabler
performance.
Learning Outcomes…2 25
• COBIT 5:
– Integrates governance of enterprise IT into enterprise governance
– Covers all functions and processes within the enterprise
– Does not focus only on the ‘IT function’
Step 1 Identify the influence of Key stakeholder drivers on stakeholder needs; examples
Strategy changes
Changing business environment
Changing regulatory environment
New technologies
Step 2 Stakeholders needs cascade to Enterprise Goals. See appendix D Stakeholder needs
mapped to Enterprise Goals.
There are 17 generic enterprise goals as shown in figure 5 (shown below) of the Framework guide,
which have been translated into Balance Score Card dimensions (BSC) and the relationship to the 3
main governance objectives of benefits realisation, risk and resource optimisation.
This means that the enterprise goal being considered have a stronger relationship to one of the 3
governance objectives if primary or a less of an impact so secondary. A blank does not mean there is
no relationship between a particular enterprise goal and the 3 objectives. It means that if there is one,
it is very small or insignificant.
Principle 1 – Cascade steps Figure 5 36
Principle 1 – Cascade Steps 37
There are also 17 generic IT related goals as shown in Figure 6 (shown below) that are also categorised into
the Balanced Score Card (BSC) categories. The relationship of enterprise goals to IT related Goals are shown
in Appendix B Figure 22 page 50
Principle 1 – Cascade Steps 38
Processes are one of the key enablers which is expanded on in the Enabler Learning Area
module, but it is important to know that Enabler Goals are represented in the Process
Reference module in all 37 processes. A mapping is shown in Appendix C Figure 23
Principle 2: 39
Covering the Enterprise End–to–End
Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies
55
APPENDIX –
Additional tables from Appendix B, C, D
Figure 22—Mapping COBIT 5 Enterprise Goals to IT-related Goals
58
Figure 23—Mapping COBIT 5 IT-related Goals to Processes
59
Figure 23—Mapping COBIT 5 IT-related Goals to Processes (cont.)
60
Figure 24—Mapping COBIT 5 Enterprise Goals to Governance and Management Questions
61
Figure 24—Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (cont.)
62
63
64
Trainer
APM Group Limited
Topics – Contents of Section 3 65
Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies
80
• TIP: Use the RACI chart for the different management practices to
identify more examples of stakeholders.
► To satisfy business objectives, information needs to conform to certain control criteria, which
COBIT refers to as business requirements for information. Based on broader quality, fiduciary, and
security requirements, seven distinct information criteria are defined. These are:
Effectiveness
Efficiency
Confidentiality Effectiveness
Integrity
Efficiency
Availability
Confidentiality
Compliance
Integrity
Reliability
Availability
Compliance
Business Requirements
Reliability
IT Resources
IT Processes
Relates to information being available ,when required by the business process, at present and in the
Availability future. It also concerns the safeguarding of necessary resources and associated capabilities.
Deals with complying with those laws, regulations, and contractual arrangements to which the business
Compliance process is subject, that is, externally imposed business criteria as well as internal policies.
Relates to the provision of appropriate information for the management to operate the entity and to exercise its
Reliability fiduciary and governance responsibilities.
COBIT 4.1
INFORMATION CRITERIA COBIT 5 EQUIVALENT
Information is effective if it meets the needs of the information consumer who uses the
information for a specific task. If the information consumer can perform the task with the
Effectiveness information, then the information is effective. This corresponds to the following
information quality goals: appropriate amount, relevance, understandability,
interpretability, objectivity.
Whereas effectiveness considers the information as a product, efficiency relates more to
the process of obtaining and using information, so it aligns to the ‘information as a service’
view. If information that meets the needs of the information consumer is obtained and
Efficiency used in an easy way (i.e., it takes few resources—physical effort, cognitive effort, time,
money), then the use of information is efficient. This corresponds to the following
information quality goals: believability, accessibility, ease of operation, reputation.
Integrity If information has integrity, then it is free of error and complete. It corresponds to
Integrity the following information quality goals: completeness, accuracy.
Reliability is often seen as a synonym of accuracy; however, it can also be said that
information is reliable if it is regarded as true and credible. Compared to integrity,
Reliability reliability is more subjective, more related to perception, and not just factual. It
corresponds to the following information quality goals: believability, reputation,
objectivity.
Availability is one of the information quality goals under the accessibility and security
Availability heading.
IT Processes
Data Value
Information Knowledge
Transform Transform Create
Semantic layer – The rules and principles for constructing meaning out of the
syntax structures.
Pragmatic Layer – The rules and structures for constructing larger language
structures that fulfil specific purposes in human communication. Pragmatics
refers to the use of information.
Social World Layer – The world that is socially constructed through the use of
language structures at the pragmatic level of semiotics, e.g. contracts, laws.
Culture.
The Possible uses of the information Model
o Used for Information Specifications
o Used to determine required protection
o Used to determine Ease of data Use
When performing a review of a business process (or an application), the IM can be used to
assist with a general review of the information processed
delivered by the process, and of the underlying information systems. The quality criteria can
be used to assess the extent to which information is
available—whether the information is complete, available on a timely basis, factually correct,
relevant, available in the appropriate amount. One can also
consider the accessibility criteria—whether the information is accessible when required and
adequately protected.
Review can be even further extended to include representation criteria, e.g., the ease with
which the information can be understood, interpreted,
used and manipulated.
Review that uses the information quality criteria of the IM provides an enterprise with a
comprehensive and complete view on the current information
quality within a business process.
The five architecture principles that govern the implementation and use of
IT-Related resources
o This is part of the Good Practices of this enabler.
o Architecture Principles are overall guidelines that govern the implementation and use of
IT-related resources within the enterprise. Examples of such principles:
o Reuse – Common components of the architecture should be used when designing and
implementing solutions as part of the target or transition architectures.
o Buy vs. build – Solutions should be purchased unless there is an approved rationale for
developing them internally.
o Simplicity – The enterprise architecture should be designed and maintained to be simple as
possible while still meeting enterprise requirements.
o Agility – The enterprise architecture should incorporate agility to meet changing business
needs in an effective and efficient manner.
o Openness - The enterprise architecture should leverage open industry standards.
Business analysis
Project management
Usability evaluation
Requirements definition and
management
Build, Acquire and Implement (BAI)
Programming
System ergonomics
Software decommissioning
Capacity management
Availability management
Problem management
Service desk and incident management
Deliver, Service and Support (DSS) Security administration
IT operations
Database administration
Compliance review
Performance monitoring
Monitor, Evaluate and Assess (MEA)
Controls audit
114
APPENDIX 115
EXAMPLE
Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
Process ID APO09
Process Name Manage Service Agreements
Process Align IT-enabled services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of IT services,
Description service levels and performance indicators.
Process Purpose Ensure that IT services and service levels meet current and future enterprise needs.
Outcomes (OS)
Trainer
APM Group Limited
Topics 120
Top Management providing the direction and mandate for the initiative as
well as on-going commitment
All parties supporting the governance and management processes to
understand the business and IT objectives.
Ensuring effective communication and enablement of the necessary changes
Tailoring COBIT and other supporting good practices and standards to fit the
unique context of the enterprise and
Focusing on quick wins and prioritising the most beneficial improvements
that are easiest to implement.
13
3
13
4
Implement improvements
Adopt and adapt best practices to suit the enterprise’s approach to policies and
process changes
Realize benefits
o Monitor the overall performance of the program against business case objectives
o Monitor and measure the investment performance
We have already outlined the seven phases and shown which of the
programme management steps they relate to; this section outlines the seven
enablers ( the second or red circle) and their relationship to the seven
program management steps (the outer ring or dark blue ring).:
Now let us at look at the core or central ring (Light blue). These are the tasks
associated with each change enabler.
o Initially this can be a high-level business case dealing with the strategic benefits
and costs and then progress to a more detailed business case. It is a valuable tool
available to management in guiding the creation of business value.
COBIT 4.1Differences to
COBIT 5
The COBIT 5 process reference model subdivides the IT-related practices and
activities of the enterprise into two main areas—governance and management—
with management further divided into domains of processes:
The GOVERNANCE domain
o contains five governance
o processes; within each process,
o evaluate, direct and monitor
o (EDM) practices are defined.
The four MANAGEMENT
domains are in line with the
responsibility areas of plan,
build, run and monitor (PBRM)
COBIT 5 Principles
162
COBIT 4.1/5
Trainer
APM Group Limited
Topics 178
To understand the Process Capability Model and the basic ISO 15504
concepts. Specifically to identify:
The purpose of a Process Reference Model.
How a Process Reference Model is used in the COBIT 5 PAM (Process Assessment
Model).
The characteristics of the COBIT 5 Process Reference Model which meet ISO
15504 standards .
The Differences between the two dimensions outlined in the ISO 15504
approach.
The differences between the Generic and Specific attributes outlined in the COBIT
PAM
The benefits of the COBIT Capability Assessment approach
How the rating scales are used in an assessment
What is a Process Assessment 181
0 Non-existent 0 Incomplete
188
Process Capability Assessment Differences COBIT 4.1 & COBIT 5.0
Assessment Process
COBIT 5 PRM
COBIT 5 Process Reference Model 196
APO13-BP02 APO13.02 Define and manage an information security risk Outcome APO13.O2
treatment plan.
Maintain an information security plan that describes how information
security risk is to be managed and aligned with the enterprise strategy and
enterprise architecture. Ensure that recommendations for implementing
security improvements are based on approved business cases and
C O B I T
ME1 Monitor and evaluate IT FRAMEWORK
PO1 Define a strategic IT plan.
performance. INFORMATION
PO2 Define the information architecture.
ME2 Monitor and evaluate internal
PO3 Determine technological direction.
control.
Efficiency Integrity PO4 Define the IT processes, organisation
ME3 Ensure compliance with external
Effectiveness Availability and relationships.
requirements.
Compliance PO5 Manage the IT investment.
ME4 Provide IT governance. Confidentiality
PO6 Communicate management aims and
Reliability direction.
MONITOR PLAN PO7 Manage IT human resources.
AND AND PO8 Manage quality.
EVALUATE ORGANISE PO9 Assess and manage IT risks.
IT PO10 Manage projects.
DS1 Define and manage service levels. RESOURCES
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs. Applications
Information
DS7 Educate and train users. AI1 Identify automated solutions.
Infrastructure
DS8 Manage service desk and incidents. People AI2 Acquire and maintain application
DS9 Manage the configuration. software.
DELIVER ACQUIRE
DS10 Manage problems. AND AI3 Acquire and maintain technology
AND
DS11 Manage data. SUPPORT IMPLEMENT infrastructure.
DS12 Manage the physical environment. AI4 Enable operation and use.
DS13 Manage operations. AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and
changes.
The high-level measurable objectives of performing the process and the likely
outcomes of effective implementation of the process
An observable result of a process - an object, a significant change of state or
the meeting of specified constraints
The activities that, when consistently performed, contribute to achieving the
process purpose
Scope
Indicators
Mapping
NOTE It would be permissible for a model, for example, to address solely level
1, or to address levels 1, 2 and 3, but it would not be permissible to address
levels 2 and 3 without level 1.
a. Objectives for the GP 2.1.1 Identify the objectives for the GWP 1.0 Process documentation should
performance of the performance of the process. The performance outline the process scope.
process are identified. objectives, scoped together with assumptions GWP 2.0 Process plan should provide details
and constraints, are defined and of the process performance objectives.
communicated.
b. Performance of the GP 2.1.2 Plan and monitor the performance GWP 2.0 Process plan should provide details
process is planned and of the process to fulfil the identified objectives. of the process performance objectives.
monitored. Basic measures of process performance linked GWP 9.0 Process performance records
to business objectives are established and should provide details of the outcomes.
monitored. They include key milestones, Note: At this level, the record of process
required activities, estimates and schedules. performance may be in the form of reports,
issues registers and informal records.
c. Performance of the GP 2.1.3 Adjust the performance of the GWP 4.0 Quality record should provide
process is adjusted to process. Action is taken when planned details of action taken when performance is
meet plans. performance is not achieved. Actions include not achieved.
identification of process performance issues
and adjustment of plans and schedules as
appropriate.
The mapping shall be complete, clear and unambiguous. The mapping of the
indicators within the Process Assessment Model shall be:
a) the purposes and outcomes of the processes in the specified Process
Reference Model;
b) the process attributes (including all of the results of achievements listed
for each process attribute) in the measurement framework. This enables
Process Assessment Models that are structurally different to be related to the
same Process Reference Model.
Optimizing
Level 5 Optimizing process
The process is continuously improved to meet relevant current PA.5.1 Process Innovation attribute
and projected business goals PA.5.2 Process Optimization attribute
Established
A defined process is used based on a Level 3 Established Process
standard process. PA.3.1 Process Definition attribute
PA.3.2 Process Deployment attribute
Incomplete
Level 0 Incomplete process The process is not implemented or fails to
achieve its purpose
© 2012 ISACA® All rights reserved.
211
Measurement Framework 212
COBIT Assessment Process measures the extent to which a given process achieves
the “Process Attributes”
N Not achieved 0 to 15 % achievement
There is little or no evidence of achievement of the defined attribute in the assessed process
P Partially achieved > 15 % to 50 % achievement
There is some evidence of an approach to, and some achievement of, the defined attribute in the
assessed process. Some aspects of achievement of the attribute may be unpredictable
L Largely achieved > 50 % to 85% achievement
There is evidence of a systematic approach to, and significant achievement of, the defined
attribute in the assessed process. Some weakness related to this attribute may exist in the assessed
process
F Fully achieved > 85 % to 100 % achievement
There is evidence of a complete and systematic approach to, and full achievement of, the defined
attribute in the assessed process. No significant weaknesses related to this attribute exist in the
assessed process
1 2 3 4 5
PA5.2 Optimization L
Level 5 - Optimizing /
PA5.1 Innovation F
PA4.2 Control L F
Level 4 - Predictable /
PA4.1 Measurement F
PA3.2 Deployment L F F
Level 3 - Established /
PA3.1 Definition F
L F F F F
Level 1 - Performed PA1.1 Process Performance /
F
Level 0 - Incomplete L/F = Largely or Fully F= Fully
© 2012 ISACA® All rights reserved. 216
Target Process Capabilities (example) 217
Assessed
Process B Target Capability F L L
Assessed
Assessed
1 – Initiation
3 – Briefing
4 – Data Collection
5 – Data Validation
Thank You