COBIT 5

PRINCIPLES
PRINCIPLE 1
Meeting Stakeholder Needs
DISCLAIMER

ISACA has designed and created the COBIT 5 Principles teaching materials (the ‘Work’) primarily as an
educational resource for educational professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper
information, procedures and tests or exclusive of other information, procedures and tests that are
reasonably directed to obtaining the same results. In determining the propriety of any specific
information, procedure or test, security governance and assurance professionals should apply their own
professional judgement to the specific circumstances presented by the particular systems or information
technology environment.

The example companies, organisations, products, domain names, email addresses, logos, people,
places and events depicted herein are fictitious. No association with any real company, organisation,
product, domain name, email address, logo, person, place or event is intended or should be inferred.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

3
RESERVATION OF RIGHTS

© 2015 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means
(electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of
ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic,
internal and non-commercial use and for consulting/advisory engagements, and must include full
attribution of the material’s source. No other right or permission is granted with respect to this work.

Provide Feedback: www.isaca.org/cobit-academic-materials

Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

4
ACKNOWLEDGEMENTS
Author
Anna Carlin, CISA, California State Polytechnic University, USA

Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, Vital Interacts, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLc, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Academic Program Subcommittee

Matthew Liotine, Ph.D., CBCP, CHS-III, CSSBB, MBCI, University of Illinois at Chicago, USA, Chairman
Daniel Canoniero, Universidad de Montevideo, Uruguay
Tracey Choulat, CISM, CGEIT, CRISC, University of Florida, USA
Umesh Rao Hodeghatta, Xavier Institute of Management, India
Nabil Messabia, CPA, CGA, Université du Québec en Outaouais, Canada
Mark Lee Salamasick, CISA, CSP, CIA, CRMA, University of Texas, USA
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
S. Vanderloot, CISA, CISM, CRISC, PhD, AST, CCNA, CCNA Security, CCSA, CEH, ECSA, ISO 27001 LA, NCSA, PCIP, UK
Nancy C. Wells, CISA, CRISC, USA

5
AGENDA

 Introduce Principle 1
 Stakeholders
Definition
Internal and external stakeholders
Creating value
Needs and drivers
 Goals Cascade
Stakeholder Needs Cascade to Enterprise Goals
Enterprise Goals Cascade to IT-Related Goals
IT-related Goals Cascade to Enabler Goals
 Group Exercise
 Summary

6
PRINCIPLE 1: MEETING STAKEHOLDER NEEDS

Source: ISACA, COBIT© 5, USA, 2012, figure 2

7
STAKEHOLDERS

TERM: Stakeholders are anyone who has a responsibility

for, and expectation from or some other interest in the
enterprise.

8
INTERNAL AND EXTERNAL STAKEHOLDERS

Internal Stakeholders External Stakeholders

 Board  Third-party business partners
 CEO, CFO, CIO, CRO  Suppliers
 Business executives and  Shareholders
managers  Regulators/government
 Business process owners  External users
 Risk and security managers  Customers
 Service managers  Standardisation organisations
 HR managers (e.g., ISO)
 Internal audit  External auditors
 Privacy officers  Consultants
 IT managers
 IT users

9
CREATING VALUE
Enterprises exist to create value for their
stakeholders which is usually a
governance objective.
Stakeholder needs:
• Creating values may be
different
• May conflict with each other
Governance:
• Negotiates amongst different
stakeholders
• Must consider all when making
benefit, risk and resources
decisions:
• For whom are the benefits?
• Not always financial
• Who bears the risk?
• What resources are required?

Source: ISACA, COBIT© 5, USA, 2012, figure 3

10
STAKEHOLDER DRIVERS INFLUENCE STAKEHOLDER
NEEDS

. Drivers that influence stakeholder needs:

1. Strategy changes (usually internal)
2. Changing business environment (usually external)
3. Changing regulatory environment (usually external)
4. New technologies (usually external)
. Stakeholder needs are transformed into an enterprise’s
actionable strategy
. Stakeholders needs cascade to enterprise goals
 For example, a stakeholder need may be “How do I best build
and structure my IT department?” This would result in numerous
enterprise goals of which one could be employing skilled and
motivated people.

11
COBIT 5 GOALS CASCADE

COBIT 5 translates stakeholder

needs into specific, practical and
customised goals within the
context of the enterprise, IT-
related goals and enabler goals:
 17 generic Enterprise Goals
 17 IT-related Goals 17
 Enabler Goals

Allows setting specific goals at

17
every level and in every area of
the enterprise to support overall
goals.

Source: ISACA, COBIT© 5, USA, 2012, figure 4

12
COBIT 5 GOALS CASCADE

. Identifies priorities for the implementation, improvement

and assurance of governance of enterprise IT based on:
 Strategic objectives
 Related risk
. Defines tangible goals and objectives at various levels of
responsibility
. Identifies and communicates how enablers are important
to achieve enterprise goals

13
STAKEHOLDER NEEDS CASCADE TO ENTERPRISE
GOALS

14
Source: ISACA, COBIT© 5, USA, 2012, figure 24
STAKEHOLDER NEEDS CASCADE TO ENTERPRISE
GOALS

15
Source: ISACA, COBIT© 5, USA, 2012, figure 24 (cont.)
STAKEHOLDER NEEDS AND ENTERPRISE GOALS

.The previous two slides show a list of internal stakeholder

needs that can be linked to enterprise goals.
.Helps set and prioritise specific enterprise goals or IT-related
goals, based on specific stakeholder needs
.Stakeholder needs are listed vertically on the left hand side of
the table (rows).
.Enterprise goals are listed horizontally across the top of the
table (columns).
.The intersection of a stakeholder need and enterprise goal is
filled in if that need should be considered for that goal.
.Suggested generic set of relationships that may or may not
apply to every enterprise

16
GOVERNANCE AND MANAGEMENT QUESTIONS ON IT

17
Source: ISACA, COBIT© 5, USA, 2012, figure 7
STAKEHOLDER NEEDS EXAMPLE

Source: ISACA, COBIT© 5, USA, 2012, example 2

18
ENTERPRISE GOALS

. Can be grouped into four dimensions:

 Financial
 Customer
 Internal
 Learning and Growth
. Each goal has either a (P)rimary, (S)econdary or less
strong relationship to stakeholder needs (i.e., realising
benefits, risk optimisation, and resource optimisation
shown in figure 3 on slide 10)
 Blank intersection means no relationship between the
Enterprise Goal and Governance Objective

19
COBIT 5 ENTERPRISE GOALS

Source: ISACA, COBIT© 5, USA, 2012, figure 5

20
ENTERPRISE GOALS CASCADE TO IT-RELATED GOALS

. Achieving enterprise goals requires a number of IT-related goals with the

same four dimensions of enterprise goals
 i.e., financial, customer, internal, and learning and growth
. Figure 6 on slide 23 defines 17 IT-related goals
. Figure 22 on slide 22 maps COBIT 5 enterprise goals to IT-related goals
 Lists the 17 general enterprise goals (column)
 Lists the 17 IT-related goals (rows)
. At the intersection of the enterprise goal and IT-related goal indicates
how each enterprise goal could be supported by the IT-related goals:
 ‘P’ stands for primary, meaning that it is an important relationship
 ‘S’ stands for secondary, strong but less important relationship
 Blank means no support

21
MAPPING ENTERPRISE GOALS TO IT-RELATED GOALS

22
Source: ISACA, COBIT© 5, USA, 2012, figure 22
IT-RELATED GOALS

Source: ISACA, COBIT© 5, USA, 2012, figure 6

23
MAPPING ENTERPRISE GOALS TO IT-RELATED GOALS
EXAMPLE

Source: ISACA, COBIT© 5, USA, 2012, example 7

24
IT-RELATED GOALS CASCADE TO ENABLER GOALS

. Achieving enterprise goals requires the use and application of enablers

for the governance and management of enterprise IT
 TERM: Enablers are factors that, individually or collectively,
influence whether something will work
 Has 7 categories discussed in more detail in Principle 4: Enabling a
Holistic Approach
. Enablers include:
 Processes (37 total)
 Organisational Structures
 Information
. Each enabler has a set of specific goals to support the IT-related goals

25
IT-RELATED GOALS

. IT-related goals are supported by IT-related processes

37 total processes
. Figure 23 on following slides contains:
17 generic IT-related goals in the columns which are grouped by the
4 dimensions – financial, customer, internal, and learning and growth
37 COBIT 5 processes in the rows grouped by domain
Domains will be discussed in Principle 5: Separating Governance From
Management
At the intersection of the IT-related goal and IT-related process
indicates how each goal is supported by the process:
‘P’ stands for primary, meaning that it is an important relationship
‘S’ stands for secondary, strong but less important relationship
Blank means no support

26
IT-RELATED GOALS MAPPED TO IT-RELATED PROCESSES

27 Source: ISACA, COBIT© 5, USA, 2012, figure 23

IT-RELATED GOALS MAPPED TO IT-RELATED PROCESSES

28 Source: ISACA, COBIT© 5, USA, 2012, figure 23 (cont.)

IT-RELATED GOAL TO COBIT 5 IT-RELATED PROCESS
EXAMPLE

Source: ISACA, COBIT© 5, USA, 2012, example 8

29
GOALS CASCADE EXERCISE

. Assemble (or your professor will assign you) into groups.

 Read the No-Loan University case study.
 Create the goals cascade from enterprise goals to IT-related
goals.
 Use figures on slides 20 and 23.
 Use figure on slide 22 to map enterprise goals to IT-related
goals.
. Your group will present your findings.
 Identify relevant stakeholders and their needs.
 Present the top two enterprise (i.e., university) goals.
 Present the most relevant IT-related goals (maximum of three).

30
SUMMARY

. Introduced Principle 1: Meeting Stakeholder Needs

. Stakeholders
. Goals Cascade
 Stakeholder Needs Cascade to Enterprise Goals
 Enterprise Goals Cascade to IT-related Goals
 IT-related Goals Cascade to Enabler Goals
. Group Exercise
. Next is Principle 2: Covering the Enterprise End-to-end

31