
Volume 4, October 2013

In This Issue:
• What Does COBIT 5 Mean for Your Business?
• Using COBIT 5 for Risk Management
• COBIT and the CPA Firm
• COBIT 5: Enabling Information Update
• Information and Communications Technology Study of Public Health Institutions in Mexico
• Gain From Practical Guidance Based on COBIT 5

Call for Articles
How are you using COBIT® at your enterprise? We welcome articles on your experiences with this framework. Deadline to submit copy for volume 1, 2014: 4 December 2013. Submit articles for peer review to: publication@isaca.org

Case Studies
Visit the COBIT Recognition and Case Studies pages to read more COBIT 5 and COBIT 4.1 case studies.

Come join the discussion! Sagar Anisingaraju will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

What Does COBIT 5 Mean for Your Business?
By Sagar Anisingaraju

When it comes to enterprise use of IT assets, executives are looking for answers to three things:
1. Is the organization getting IT right?
2. Is the organization buying or building the right IT capabilities?
3. Are there any gaps in capabilities exposing the business to unwarranted risk?

For most companies, the answers to these questions come from understanding the underlying multiple frameworks used across operations. For example, COBIT®[1, 2] enables companies to improve IT governance by ensuring that appropriate process, governance and management enablers are used to build IT capabilities to achieve stakeholder goals. As a framework that can be used to measure and monitor IT services and implement best practices for those services, ITIL[3] provides an operational level of service management. The ISO/IEC 27000 series[4] comprises the preferred standards used by IT security professionals. For companies that compete in regulated segments such as banking, insurance, utilities or health care, additional industry-specific standards, frameworks and guidelines may be in use.

When an organization leverages multiple standards, frameworks and guidelines, it may end up creating separate controls recommended by each that are managed separately. As a result, it not only creates duplicate work, as controls may be overlapping, but more important, it becomes challenging for executives to get a comprehensive understanding of their organization’s IT risk exposure and governance process. Current tools that enable organizations to create a shared library of common controls across frameworks are cumbersome to use and manage. Control libraries often become huge and complex to use for most companywide governance, risk and compliance (GRC) initiatives.

COBIT® 5, the latest edition of ISACA’s globally accepted framework for governance and management of enterprise IT (GEIT), addresses this issue. It provides an end-to-end business view that integrates other standards, frameworks and guidelines, such as ITIL and ISO/IEC 27001, into an overall enterprise governance and management framework. With a COBIT 5-inspired model, stakeholders such as security professionals, IT operations executives and IT auditors can see how their work relates to the overall scope of governance and management. COBIT 5 does not replace these other sources of reference. Instead, it is an overarching umbrella framework that helps them all fit together. For example, COBIT 5 is the frame on which ITIL can provide additional color for daily management of IT operations. Using this frame embodies the same essential principles of business analysis, helping information and technology teams to achieve strategic business goals.

IT has always had to deal with risk factors such as cyberattacks, external hacking and disgruntled employees. New risk factors are, however, driven by consumerization of IT—ranging from bring your own device (BYOD) to social media and associated big data.

With these new unstructured external threats, the security perimeter is changing. COBIT® 5 for Information Security offers additional, security-specific guidance designed to help your IT department implement an effective framework and reduce risk exposures.

The key changes in COBIT 5 include:
• A clear distinction between governance and management, bringing greater relevance to a wider business audience
• A linkage between specific IT-enabler goals and broader enterprise-level goals. It also includes more explicit guidance to levers of change (enablers) beyond process, such as culture, ethics, behavior, people, skills and competencies.
• Modifications to the process model, including new processes
• A new process capability assessment approach, which replaces the COBIT 4.1 capability maturity model (CMM)-based modeling

COBIT 5 is not a panacea. It is not something to lift and use exactly as-is. Each enterprise needs to map it and mold it to the
business’s requirements, organizational structure and processes. The comprehensive scope of COBIT 5 guidance may
overwhelm new users and inhibit its adoption. Use of all available ISACA guidance and tools, as well as having key staff take
the COBIT 5 training available in the marketplace (COBIT Foundation, COBIT Implementation and COBIT Assessor courses),
is highly recommended.

COBIT 5 should be implemented to ensure that the organization has a road map that will allow it to address all of its IT
governance and risk issues. If the organization is already using some level of COBIT selectively within pockets of the
organization, the changes in COBIT 5 should be reviewed to identify where it can help address specific issues or
organizational changes. In addition, with COBIT 5 as a single enterprisewide IT GRC framework, the organization can
implement a comprehensive analytics solution that enables it to continuously measure and improve its governance status, risk
exposure, and overall compliance with policies and regulations. There will be no further need to reconcile multiple silos
through reports to assess the organization’s overall risk or compliance status.

COBIT 5 is an important milestone. Adopting it will be a very promising journey to simplify the organization’s efforts in
implementing a single organizationwide GRC framework. If the organization already has a mature GRC environment, it will
quickly realize that COBIT 5 gives it a better handle on GEIT. If the organization is just starting, COBIT 5 will give it the formal
road map it needs for a fast-track approach.

Sagar Anisingaraju
Is the chief strategy officer at Saama Technologies Inc. Anisingaraju creates strategic initiatives to lead Saama into emerging
business areas with competitive differentiation. He enjoys his time spent with customers to understand their business
problems specifically related to big data. He was the winner of the 2013 Chief Strategy Officer of the Year award, presented
by Innovation Enterprise.

Endnotes
1. ISACA, COBIT 5, USA, 2012
2. ISACA, COBIT 5 Training and Accreditation FAQs
3. APM Group Ltd., ITIL
4. International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27000, Information Security Management Systems (ISMS) standards



Using COBIT 5 for Risk Management
By Steven Babb, CGEIT, CRISC, ITIL

COBIT® 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT). Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and the requirements of internal and external stakeholders.

COBIT® 5 for Risk builds on the COBIT 5 framework. Focused on risk, it provides more detailed and practical guidance for risk professionals and other interested parties at all levels of the enterprise on how to use COBIT 5 to support a variety of IT risk activities. It also elaborates on using the COBIT 5 enablers for risk management in practice. Finally, it introduces and aligns the elements of COBIT 5 found in COBIT 5 for Risk with relevant IT or ERM standards and practices, including COSO Enterprise Risk Management, ISO 31000, ISO/IEC 27005 and ISO Guide 73.

For an enterprise that is already using COBIT 5 as its framework for GEIT, COBIT 5 for Risk enables the enterprise to
leverage COBIT 5 when planning how to build and sustain a risk function and how to optimize risk and identify, analyze,
respond to and report on risk on a daily basis.

There are multiple drivers for risk management in the enterprise; they contribute to improving business outcomes, decision
making and overall strategy. Improving these areas is accomplished by providing stakeholders with substantiated and
consistent opinions on the current state of risk throughout the enterprise, guidance on how to manage the risk to levels within
the enterprise’s risk appetite, guidance on how to set up the appropriate risk culture for the enterprise, and, wherever
possible, quantitative risk assessments that enable stakeholders to consider the cost of mitigation and the required resources
against the loss exposure.

As it uses COBIT 5 for Risk, the enterprise will gain risk-related capabilities. And, through development of greater risk
capabilities, an enterprise can attain various benefits. These potential benefits include:
• More accurate identification of risk and measurement of success in addressing risk
• Better understanding of the risk impact on the enterprise
• End-to-end guidance on how to manage risk
• Knowledge of how to capitalize on investments related to IT risk management practices
• Understanding of how effective IT risk management optimizes value with business process effectiveness and efficiency,
improved quality, and reduced waste and costs
• Opportunities to integrate IT risk management with enterprise risk and compliance structures
• Improved communication and understanding among all internal and external stakeholders, due to the use of a common
and sustainable globally accepted framework and language for assessing and responding to risk
• Promotion of risk responsibility and acceptance across the enterprise
• A complete risk profile, identifying the full enterprise risk exposure and enabling better utilization of enterprise resources
• Improved risk awareness throughout the enterprise

COBIT 5 for Risk appeals to multiple parties, each finding various benefits. Boards and executive management can gain a better
understanding of their responsibilities and roles with regard to IT risk management and the implications of IT risk on enterprise
strategic objectives. Risk managers responsible for enterprise risk management (ERM) can find assistance with managing IT risk
according to generally accepted ERM principles and incorporating IT risk into enterprise risk. Operational risk managers can link
back to COBIT 5 and gain guidance on identifying operational losses or developing key risk indicators (KRIs).

Steven A. Babb, CGEIT, CRISC, ITIL
Is head of governance, risk and assurance for Betfair, one of the world’s largest online sports betting providers. Babb leads a global team of security, risk, compliance and assurance professionals. Prior to this, he was head of technology risk in the UK practice of KPMG’s risk consulting team and has more than 16 years of consulting and assurance experience covering areas such as IS governance, IT risk and control, service management, and program and project management. Babb chairs ISACA’s Framework Committee and the COBIT for Risk Task Force and was also a member of ISACA’s Risk IT and COBIT 5 development teams.



Come join the discussion! R. Curtis Thompson will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

COBIT and the CPA Firm
R. Curtis Thompson, CISA, CPA.CITP

With the introduction of COBIT® 5, the framework is moving toward a more global application to the enterprise. But, can a smaller organization still take advantage of COBIT 5 to help direct its IT function? This is an account of one organization’s beginning steps toward implementing COBIT 5.

Yount, Hyde & Barbour is a mid-sized regional accounting firm with 21 shareholders and 140 employees. The firm has six
locations, with at least 20 people working remotely or at a client’s location at any given time. Thus, there is a complexity to the
IT function that is greater than the size of the organization would suggest. The loss of the firm’s IT manager and an IT staff
member reduced the IT staff to a single person. While this was a major issue for an accounting firm in the middle of its busiest
season, it was an opportunity to redefine the IT function for the entire firm. Several short-term fixes were initiated (hiring an IT
generalist and relying on an outsourced vendor to fill in gaps in staffing).

The shareholders of the firm had always had an IT steering committee to communicate the firm’s direction and needs to the IT
manager, but the committee had not taken a true governance role. The risk advisory services team was comprised of several
Certified Information Systems Auditors (CISAs), including the principal, who was the chair of the IT steering committee.
Therefore, it was a logical direction for the IT steering committee to look to the newly released COBIT 5 as the framework on
which to develop a better IT function.

COBIT 5 has a diagram that perfectly illustrates the separation of governance and management (figure 1). Defining management’s role as planning, building, running and monitoring appropriately separates it from the role of governance. Defining governance’s role as monitoring, evaluating and giving direction enables the IT steering committee to understand its role and eliminate a tendency for micromanaging the IT function.

Figure 1—COBIT 5 Governance and Management Key Areas
Source: ISACA, COBIT 5, USA, 2012, figure 15

The COBIT 5 process reference model illustrates the various processes (figure 2). It lays out the overall scope of the IT function nicely, but is this excessive for an IT department with only one to three staff members? In an accounting firm with 21 partners, all with different practices, there is a great variety of requirements and opinions. While a full implementation of the framework would likely be overly burdensome, there is a great advantage to using the model to design the processes and roles. Some areas will need to be fully documented and formally put in place; others may be more ad hoc and informal.



Figure 2—COBIT 5 Process Reference Model

Source: ISACA, COBIT 5, USA, 2012, figure 16

The firm is a small organization with a lot of demands on resources. The effort to organize the IT function using a framework
so that it can be efficient and fill the needs and expectations of the stakeholders is ongoing. COBIT 5 is a solution for
organizing and integrating the IT function within the overall organization. One advantage that the firm has is that the
shareholders and staff understand the importance of IT to filling the needs of the firm and its clients effectively and efficiently.

COBIT 5 Implementation lays out seven phases for implementing COBIT 5. Using this guide, the firm began by identifying the
drivers as well as the challenges of the initiative (phase 1, What are the drivers?). There were several drivers for the firm.
There was a general disconnect between IT and the needs of the professionals. With different practices across the firm there
are different needs that were not always understood or addressed. While IT spending was within budget, spending did not
always follow the needs of the firm. And for the IT department, one of the biggest issues was the rarely consistent, individual
demands of 21 individual shareholders.

The firm is currently between phase 2 (Where are we now?) and phase 3 (Where do we want to be?). These phases are logically
being worked on concurrently but are challenging. The busy schedules of the professional staff and the demands on a small IT
department tend to interfere with planning sessions and discussions. Milestones and deadlines are now being put in place to
help keep the project on track. Some departments have completed the process of identifying where they are and where they
want to be. This has been accomplished through planning sessions and discussions. With the input of the IT steering committee,
the remaining departments will get these phases completed so the next phases can begin. Plans are in place to begin phase 4
(What needs to be done?) and phase 5 (How do we get there?) in early November.



COBIT 5 has helped the firm think about its IT processes and how they interrelate with the objectives of the firm. Even in a small organization like Yount, Hyde & Barbour, there is room for a framework to help direct the structure and function.

R. Curtis Thompson, CISA, CPA.CITP
Is a shareholder at Yount, Hyde & Barbour, PC, a regional CPA firm. His practice is focused on technology and internal controls services for various industries with a concentration in financial institutions.

Training Update

COBIT 5 Foundation
The COBIT 5 Foundation course introduces the candidate to COBIT’s five basic principles and includes extensive guidance on enablers for governance and management of enterprise IT (GEIT).

COBIT 5 Implementation
This is a practitioner-level course in which candidates acquire the knowledge to apply the COBIT 5 good-practice, continual-improvement, life-cycle approach to GEIT and tailor it to suit the needs of a specific enterprise.

COBIT 5 Assessor
This practitioner-level course is part of the COBIT Certified Assessor program, which focuses on how to apply the COBIT Process Assessment Model and how to analyze the results. Upon successful completion of the Assessor course, passing the Assessor exam, and attaining five or more years of work experience performing process-based activities, candidates may apply to become a COBIT Certified Assessor.

COBIT 5: Enabling Information Update
By Steven De Haes, Ph.D.

The latest publication in the COBIT® 5 product family, COBIT® 5: Enabling Information, will be published in November 2013. Focusing on the information asset as an enabler, the main advantage COBIT® 5: Enabling Information will provide is the reference guide to assist COBIT 5 users with structured thinking about information and typical information governance and management issues in any type of organization. This structured thinking can be applied throughout the life cycle of information, from conception and design, through building information systems, securing information, using information, providing assurance over information, and disposing of information.

This guide will provide information practitioners with the following three key benefits:
• A comprehensive information model, based on the generic COBIT 5 enabler model, that comprises all aspects of information, e.g., stakeholders, goals (quality), life-cycle stages and good practices (information attributes). The information model allows practitioners to effectively consider and develop relevant, usable information models from a governance and management point of view.
• Guidance on how to use an established governance and management framework (COBIT 5) to address common information governance and management issues (e.g., big data, master data management, information disintermediation and privacy) and how COBIT 5 principles and concepts, especially the enablers, can address these issues
• An understanding of the reasons why information needs to be managed and governed in an appropriate way and the criticality of information that is contained within a given context

The guide will assist enterprises with information issues and challenges such as:
• Demand-side/use of information
• Big data, covering three areas:
  - Marketing situational awareness (variety of information)
  - Fraud detection (volume of information)
  - IT predictive analytics (velocity of information)
• Master and reference data management
• End-user computing
• Disintermediation
• Regulatory compliance
• Privacy

The intent of this guide is to provide readers with a better understanding of information governance and management issues and improve their ability to generate benefits and manage information-related risk. This guide supports readers in their efforts to use information-centric thinking about their enterprise.



The target audience groups for this publication include a broad range of business and IT professionals, since all work with
information as a resource and/or asset, including:
• Board and executive management (i.e., chief executive officers, chief operating officers, chief financial officers)
• Business process owners and business process architects
• Information architects, information solution builders, information managers, IT architects and IT developers
• Chief information officers and IT management, technology service providers (internal and external), and application
managers
• IT operations
• IT security and continuity professionals
• Assurance professionals, including internal and external auditors
• External audit staff
• Records management professionals and knowledge managers
• Data governance and management professionals
• Government and regulators
• Educators
• Privacy professionals
• Compliance and risk professionals
• Data owners

COBIT 5: Enabling Information builds on COBIT 5 (the framework). Relevant key concepts of COBIT 5 are repeated and
elaborated on in this guide, making it a fairly stand-alone guide—not requiring any prerequisite knowledge of COBIT 5.
However, an understanding of COBIT 5 principles, concepts and structure at the foundation level can accelerate and improve
comprehension of the contents of this guide.

Steven De Haes, Ph.D.
Is associate professor at the University of Antwerp and the Antwerp Management School (Belgium) and academic director of the IT Alignment and Governance (ITAG) Research Institute and the Executive Masters in IT Governance & Assurance and Enterprise IT Architecture. He can be contacted at steven.dehaes@ua.ac.be.

Come join the discussion! Carlos Zamora Sotelo and Carlos H. García Orozco will respond to questions in
the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

Information and Communications Technology Study of Public Health Institutions in Mexico
By Carlos Zamora Sotelo, CISA, CISM, CGEIT, and Carlos H. García Orozco
Health services are a crucial activity worldwide and reflect the level of awareness and social development of a country. In Mexico, 44 percent of the people perceive the main problem of health services to be poor quality, with the affecting factors being timely care services, quality of diagnosis and treatment.[1] Another crucial issue is the availability of medical records among public health institutions in which information and communication technologies (ICTs) play a key role. According to the Organisation for Economic Co-operation and Development (OECD), Mexico is among the countries with the lowest expenditure on health.[2] However, it has been increasing steadily over the previous decade.

The ICT Study of Public Health Institutions in Mexico[3] was conducted under the sponsorship of Strategic Consulting Information Technology (ConSETI) and Brio Software Mexico (Brio). ConSETI and Brio are using this study to help evolve health services in Mexico. The study includes a gap/risk analysis of the current ICT situation, proposing recommendations that will lead to the improvement and implementation of better ICT objectives in the public health institutions. For this purpose, the sponsors became convinced of the importance of using COBIT® 5 and recognize it as the best practice framework for the governance and management of enterprise IT (GEIT). It provides a holistic view, and a common language between ICT and business. Thus, for the as-is stage of this study—the understanding and evaluation of the current situation—the goals sought through COBIT® were to:
• Select the main processes
• Identify the current health services’ capacities, gaps and risk factors related to those gaps
• Reach implementation and maturity goals

Development
COBIT 5 utilization in the ICT assessment of public health institutions in Mexico was focused on the following areas:
• Defining the IT substantive processes—According to COBIT 5 and as a first step, ConSETI and Brio selected the business objectives that had higher impact on the citizens. Eight were selected and mapped, as shown in figure 1, resulting in 13 IT-related objectives, highlighted in green in figure 1.

Figure 1—Mapping Business Objectives vs. IT Objectives

Business objectives (columns, with their numbers): 4 Laws and Regulations Compliance; 5 Financial Transparency; 6 Customer Service-oriented Culture; 7 Continuity and Availability of Business Services; 11 Optimization of Organizational Processes Functionality; 13 Change Programs Administration in the Organization; 16 Staff With the Skills and Motivation Required by the Organization; 17 Organizational Product and Services Innovation Culture

No. | IT-related objective | P/S marks (as extracted; column positions were not preserved)
Financial
1 | IT and business strategy alignment | P P S S
2 | IT as a contribution to laws and regulations compliance | P
3 | Commitment of the board for decision making related to ICT | S S S S
4 | IT risk administration | S P S S
5 | IT investments generating value | P S S
6 | Transparency in the management of costs, benefits and risks of IT | P
Citizens/clients
7 | Product and service delivery in adherence to internal/external client business requirements | S P S S S S S
8 | Proper use of applications, information and technology solutions | S S P S S
9 | IT capacity and timely deployment | S P S S S
Internal processes
10 | Processing, infrastructure and application systems, and information security | P S
11 | IT resources, capabilities and asset optimization | S S S
12 | Application integration and technology infrastructure for business processes | S P S S
13 | Time and cost fulfillment, and standard quality of program delivery | S P
14 | Availability of reliable and useful information for decision-making process support | S P
15 | IT management compliance through internal policies and procedures | S
Learning and growth
16 | Competent and motivated IT staff | S P S
17 | Initiatives, knowledge base and experience as enablers of innovation | S S S S P



The second step was to map IT-selected objectives vs. the 37 primary COBIT processes. Figure 2 is an example of the
Align, Plan and Organize (APO) process with seven priority processes. The total number of processes selected was 34.

Figure 2—Mapping IT Objectives to COBIT Processes

IT objectives (columns), grouped by perspective as in figure 1:
Financial: IT and Business Strategy Alignment; IT Risk Administration; IT Investments Generating Value; Transparency in the Management of Costs, Benefits and Risk of IT
Clients: Proper Use of Applications, Information and Technology Solutions; IT Capacity and Timely Deployment
Internal Processes: Processing, Infrastructure and Application Systems, and Information Security; Application Integration and Technology Infrastructure for Business Process; Time and Cost Fulfillment, and Standard Quality of Program Delivery; Availability of Reliable and Useful Information for Decision-making Process Support
Learning/Growth: Competent and Motivated IT Staff; Initiatives, Knowledge Base and Experience as Enablers of Innovation

COBIT process (Align, Plan and Organize) | P/S marks (as extracted; column positions were not preserved)
APO01 Manage IT administration framework | P P P P S S S S S S S
APO02 Manage strategy | P S S S S S S S S S
APO03 Manage enterprise architecture | S S S S S P S S S S
APO04 Manage innovation | S S S P S S S P
APO05 Manage portfolio | P S P S S S P S
APO06 Manage budget and costs | S S P P S S
APO07 Human resources management | S S S S S S S S
APO08 Relationship management | S S S S S S S S S
APO09 SLA’s management | S S S S S S S S S
APO10 Third-party services management | S S S S S S S S S S
APO11 Quality management | S S S S S S S S S S
APO12 Manage risk | S S S S S S S S S S
APO13 Manage security | S S S S P S




• Scoring processes capacities—For this assessment, the COBIT® 4.1 process maturity model was used rather than the newer COBIT Process Assessment Model (PAM) because the PAM framework was released after the conclusion of the assessment.

The COBIT 4.1 process maturity model was used for scoring IT-selected processes, taking into account the following attributes: responsibility and accountability; skills and expertise; policies, plans and procedures; awareness and communication; goal setting and measurement; and tools and automation. Every attribute was evaluated according to the level of maturity defined in COBIT, to obtain the final score for every selected process, as shown in figure 3.

Figure 3—Maturity Scoring Table

Scoring Process Capacities (Align, Plan and Organize)

Process | Responsibility and Accountability | Skills and Expertise | Policies, Plans and Procedures | Awareness and Communication | Goal Setting and Measurement | Tools and Automation
APO01 Manage IT administration framework | 3 | 2 | 2 | 3 | 2 | 2
APO02 Manage strategy | 2 | 2 | 2 | 2 | 2 | 2
APO03 Manage enterprise architecture | 2 | 2 | 2 | 3 | 2 | 2
APO04 Manage innovation | 2 | 2 | 2 | 2 | 2 | 2
APO05 Manage portfolio | 2 | 2 | 2 | 2 | 3 | 2
APO06 Manage budget and costs | 3 | 3 | 3 | 3 | 2 | 2
APO13 Manage security | 2 | 2 | 2 | 2 | 2 | 2
Attribute category | PEOPLE | PEOPLE | PROCESS | PROCESS | PROCESS | TECHNOLOGY

• Gap analysis—To determine gaps, the fourth maturity level of capacity (the process is able to generate the results defined) was defined as the goal to achieve, and it was contrasted against the capacity level evaluated previously. Process capability level 4 (ensure efficient and effective health services, and make predictable processes) was established as the goal and is the basis for further definition of the strategy and action plan.
• Associated risk—To identify the risk factors of each COBIT process selected, the gaps identified in the gap analysis were taken into account, evaluating the potential negative impact that these gaps could have if they were not adequately addressed and materialized. Relevant and inherent risk scenarios for each process were generated. For this, it was necessary to build on the mapping of COBIT risk scenarios. Figure 4 is an example of the mapping performed.

It is important to mention that, in the identification of risk scenarios, ConSETI and Brio did not evaluate the frequency of
occurrence of identified risk.

Figure 4—COBIT Risk Scenario Mapping

Risk scenario: ICT program selection
An inadequate ICT program selection could result in the following risk factors:
1. Incorrect programs are selected for implementation, and these programs are misaligned with the institution strategy and priorities.
2. The communication of the IT strategy to the direction is not effective.
COBIT process: APO02 Manage strategy

Risk scenario: Integration of ICT within business processes
An inadequate integration of ICT within the business could result in the following risk factors:
1. The ICT solutions are separated and not integrated with the support business processes.
2. The ICT solutions do not offer the maximum value to the institute.
COBIT process: EDM01 Ensure governance framework setting and maintenance



Benefits
Integrating the COBIT 5 framework into the ICT Study of Public Health Institutions in Mexico has resulted in the following positive impacts:
• The development of a well-defined, standardized analysis methodology to determine gaps and risk factors associated with the main IT processes selected for health services institutions, related and aligned to major problems such as the availability of health records and the improvement of medical consultation time
• Better alignment among IT and business goals and pain points
• The generation of proposals, projects and IT strategies based on gap and risk analysis, according to the capacity goal defined

At this point, COBIT 5 has been used only in the as-is diagnosis. In the future, the sponsors of this study plan to use the same framework for the to-be state, in order to define a competitive products and services portfolio, within and while implementing governance of enterprise IT assurance.

Carlos Zamora Sotelo, CISA, CISM, CGEIT
Is the chief executive officer at ConSETI and has more than 15 years of experience in IT audit and has trained more than 3,000 people. He can be contacted at czamora@conseti.com.

Carlos H. García Orozco
Is vice president at Brio and has more than 15 years of experience in IT, software development, and business intelligence assessment and implementation. He can be contacted at carlos.garcia@brio.com.mx.

Endnotes
1 The Organisation for Economic Co-operation and Development (OECD), Mexico
2 Ibid.
3 A summary of the study is available at www.tissmexico.net. The complete study is available only for Mexican Public Health Federal Agencies at the Panamerican Public Health Organization Library in the Mexico and Washington DC, USA, offices.

Research Update

Recently Released COBIT 5 Materials
• COBIT® 5 for Risk
• Configuration Management: Using COBIT® 5

Upcoming Fourth Quarter 2013 COBIT 5 Releases
• COBIT® 5: Enabling Information

Additional COBIT 5 Initiatives in Development
• COBIT® 5 Online:
- Access to publications in the COBIT 5 product family (tentative release fourth quarter 2013)
- Access to other non-COBIT ISACA content and current, relevant GEIT material (tentative release first quarter 2014)
- Ability to customize COBIT with multiple-user access (tentative release third quarter 2014)

For more information on COBIT publications, visit the COBIT 5 page of the ISACA web site.

COBIT 5 translations are available on the COBIT Product Family page.

Gain From Practical Guidance Based on COBIT 5
By Rolf von Roessing, CISA, CISM, CGEIT

In addition to the publications in the COBIT® 5 product family, ISACA® supports COBIT® users and ISACA constituents with practical guidance to address specific business and technical issues they encounter in their work. Such products include white papers, which provide a high-level introduction to relevant issues; audit/assurance programs to support effective evaluation of specific aspects of IT use; and survey reports.

This practical guidance also includes a number of larger products to address major topics such as cloud technologies, mobile devices and cybersecurity. These larger products frequently use COBIT as the basis for addressing the issues covered. Two recent examples of such products are:
• Securing Mobile Devices Using COBIT® 5 for Information Security (November 2012)
• Transforming Cybersecurity Using COBIT® 5 (May 2013)


Securing Mobile Devices Using COBIT 5 for Information Security is intended for several audiences who use mobile devices
directly or indirectly, including end users, IT administrators, information security managers, service providers for mobile
devices and IT auditors. The main purpose of applying COBIT 5 to mobile device security is to establish a uniform
management framework and to give guidance on planning, implementing and maintaining comprehensive security for mobile
devices in the context of enterprises. The secondary purpose is to provide guidance on how to embed security for mobile
devices in a corporate governance, risk management and compliance (GRC) strategy, using COBIT 5 as the overarching
framework for GRC.

Transforming Cybersecurity Using COBIT 5 is intended for several audiences who are dealing with cybersecurity directly or
indirectly, including information security managers, corporate security managers, end users, service providers, IT
administrators and IT auditors. The primary purpose of applying COBIT 5 to the transformation of cybersecurity is to enable a
uniform governance, risk management and security management framework for enterprises and other organizations. The
secondary purpose is to provide guidance on detailed concepts and steps in transforming cybersecurity and to align these
concepts and steps with the existing information security strategy and processes. This publication complements the ISACA
publication Responding to Targeted Cyberattacks by integrating cybersecurity and the COBIT 5 product family. Transforming
Cybersecurity Using COBIT 5 provides step-by-step guidance to address detailed cybersecurity issues and apply relevant
parts of COBIT 5 to them.

These practical products as well as other ISACA research products help professionals address specific business and
technical issues effectively and efficiently. Visit the Research page of the ISACA web site for more information on these and
other ISACA research products.

Rolf von Roessing, CISA, CISM, CGEIT
Is the president of Forfa AG, a Swiss consulting network, and a retired partner at KPMG Germany. He has served as a
consultant with large international banks and insurance companies and was responsible for international projects in business
continuity management and information security. Prior to entering the consulting sector, he was head of IT for the EMEA
region in a leading global security firm. Von Roessing is a member of ISACA’s Professional Influence and Advocacy
Committee and is a past international vice president of ISACA.

COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors’ content.
© ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at jfullerton@isaca.org.

Framework Committee
Steven A. Babb, CGEIT, CRISC, ITIL, UK, chair
David Cau, ITIL, MSP, Prince2, France
Sushil Chatterji, CGEIT, Singapore
Frank Cindrich, CGEIT, CIPP, CIPP/G, USA
Joanne De Vito De Palma, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria
Katherine McIntosh, CISA, USA
Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil
Paras Shah, CISA, CGEIT, CRISC, CA, Australia

Editorial Content
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at jhajigeorgiou@isaca.org.

©2013 ISACA. All rights reserved.
