COBIT Framework
<event name>
<name of presenter>

COBIT: a best practices repository for PO, AI, DS, MO
COBIT Product Set (practices and responsibilities)

• Board Briefing: for executives and boards
• Management Guidelines: performance measures, critical success factors, maturity models
• Control Objectives and Control Practices: for audit, control and security professionals

An open standard at www.isaca.org
© ITGI, ISACA - not for commercial use.
COBIT: An IT Control Framework
Why should an organisation adopt COBIT?
COBIT links three elements: Business Requirements, IT Processes and IT Resources.
Topics: strategy and tactics; vision planned; organisation and infrastructure
Questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Topics: IT solutions; changes and maintenance
Questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

Topics: delivery of required services; setup of support processes; processing by application systems
Questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?

Topics: assessment over time, delivering assurance; management's oversight of the control system; performance measurement
Questions:
• Can IT's performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure that critical areas are operating as intended?
The control of IT Processes which satisfy Business Requirements is enabled by Control Statements considering Control Practices.
Framework
Information criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT resources:
• Data
• Application systems
• Technology
• Facilities
• People

Plan and Organise:
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

Acquire and Implement:
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

Deliver and Support:
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

Monitor and Evaluate:
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit
COBIT Products
Control Objectives
COBIT provides a set of 34 high-level control objectives, one for each of the IT
processes, grouped into four domains: Plan and Organise, Acquire and Implement,
Deliver and Support, and Monitor and Evaluate. This structure covers all aspects of
information and the technology that supports it. By addressing these 34 high-level
control objectives, the business process owner can ensure that an adequate control
system is provided for the IT environment.
Control Practices
IT control practices expand the capabilities of COBIT by providing the practitioner
with an additional level of detail. The COBIT IT processes, business requirements and
detailed control objectives define what needs to be done to implement an effective
control structure. The IT control practices provide the more detailed how and why
needed by management, service providers, end users and control professionals to
implement highly specific controls based on an analysis of operational and IT risks.
Management Guidelines
Provide management direction for:
• Getting the enterprise's information and related processes under control
• Monitoring achievement of organisational goals
• Monitoring and improving performance within each IT process
• Benchmarking organisational achievement
Action-oriented and generic
Provide answers to typical management questions:
• How far should we go in controlling IT, and is the cost justified by the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our objectives?
• What do others do? How do we measure and compare?
COBIT Online
COBIT Online is, as its name suggests, an online offering of COBIT, including full
browsing and searching capabilities, benchmarking functions, downloads, a discussion
area and the capacity to customise and create the user's own version of COBIT.
Implementation Manual

Implementation road map:
• Identify needs: raise awareness & make decision; analyse values and risks; select processes
• Define where you are
• Define where you want to be
• Analyse gaps
• Post-implementation review, with feedback into the cycle
Quickstart
Objective is also to assist management in implementing IT
governance.
Focuses on small and medium-sized enterprises (SMEs), and
other entities where:
• IT is not strategic or absolutely critical for survival.
• Breadth and depth of COBIT is too detailed, too time-consuming to analyse and focus on.
• Provides a selection of the complete COBIT framework
• A baseline and a set of smart things to do
• A starting point for other enterprises in their move towards an appropriate level of control and governance of IT (from "As Is" to "To Be")
PO – Plan and Organise