COBIT® 5 study guide mind map

1. Download: COBIT® 5 Reference Cards (PDFs)

2. Official COBIT® 5 - Publications

2.1. COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT

2.2. COBIT® 5 Enabler Guides

2.2.1. COBIT® 5: Enabling Processes

2.2.1.1. http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx

2.2.2. COBIT® 5: Enabling Information

2.2.2.1. http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Information-product-page.aspx

2.2.3. ...

2.3. COBIT® 5 Professional Guides

2.3.1. COBIT® 5: Implementation

2.3.1.1. http://www.isaca.org/COBIT/Pages/COBIT-5-Implementation-product-page.aspx

2.3.2. COBIT® 5: for Information Security

2.3.2.1. http://www.isaca.org/COBIT/Pages/Information-Security-Product-Page.aspx

2.3.3. COBIT® 5: for Assurance

2.3.3.1. http://www.isaca.org/COBIT/Pages/Assurance-product-page.aspx

2.3.4. COBIT® 5: for Risk

2.3.4.1. http://www.isaca.org/COBIT/Pages/Risk-product-page.aspx

2.3.5. ...

2.4. COBIT® 5 Assessment Programme

2.4.1. COBIT® 5 Process Assessment Programme

2.4.1.1. http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx

2.4.2. COBIT® 5 Process Assessment Model (PAM)

2.4.2.1. Serves as a base reference document for the performance of a capability assessment of an organisation’s current IT processes against COBIT®.

2.4.2.2. http://www.isaca.org/COBIT/Pages/COBIT-5-PAM.aspx

2.4.3. COBIT® 5 Self-assessment Guide

2.4.3.1. Provides guidance on how to perform a basic self-assessment of an organisation’s current IT process capability levels against COBIT® processes.

2.4.3.2. http://www.isaca.org/COBIT/Pages/Self-Assessment-Guide.aspx

2.4.4. COBIT® 5 Assessor Guide

2.4.4.1. Provides details on how to undertake a full ISO-compliant assessment.

2.4.4.2. http://www.isaca.org/COBIT/Pages/Assessor-Guide.aspx

3. COBIT® 5 - Principles (5)

3.1. Watch: COBIT® 5 - Principles (by Orbus Software)

3.1.1. https://www.youtube.com/watch?v=1cAslMQu2kE

3.2. 1. Meeting stakeholder needs

3.2.1. Watch: COBIT® 5 - Principle One (by Orbus Software)

3.2.1.1. https://www.youtube.com/watch?v=MOPGlbqAngU

3.2.2. Enterprises have many stakeholders

3.2.3. Governance is about

3.2.3.1. Negotiating.

3.2.3.2. Deciding amongst different stakeholders’ value interests.

3.2.3.3. Considering all stakeholders when making benefit, resource and risk assessment decisions.

3.2.4. Enterprises exist to create value for their stakeholders

3.2.4.1. Value creation: realizing benefits at an optimal resource cost while optimizing risk.

3.2.5. The COBIT® 5 goals cascade allows the definition of priorities for:

3.2.5.1. Implementation.

3.2.5.2. Improvement.

3.2.5.3. Assurance of enterprise governance of IT.

3.2.5.4. In practice, the goals cascade:

3.2.5.4.1. Defines relevant and tangible goals and objectives at various levels of responsibility.

3.2.5.4.2. Filters the knowledge base of COBIT 5, based on enterprise goals to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.

3.2.5.4.3. Clearly identifies and communicates how enablers are used to achieve enterprise goals.

3.2.5.5. Cascade Step #1 - Identify the influence of key stakeholder drivers on stakeholder needs

3.2.5.5.1. e.g.

3.2.5.6. Cascade Step #2 - Stakeholder needs cascade to enterprise goals

3.2.5.6.1. There are 17 generic enterprise goals, as shown in the figure in the Framework guide; they are mapped to Balanced Scorecard (BSC) dimensions and related to the 3 main governance objectives of benefits realisation, risk optimisation and resource optimisation.

3.2.5.7. Cascade Step #3 - Enterprise goals cascade to IT-related goals

3.2.5.7.1. There are also 17 generic IT-related goals, as shown in Figure 6 of the Framework guide, which are likewise categorised into the Balanced Scorecard (BSC) dimensions.

3.2.5.8. Cascade Step #4 - IT-related goals cascade to enabler goals

3.2.5.8.1. Processes are one of the key enablers (expanded on in the Enabler Learning Area module); it is important to know that enabler goals are represented in the Process Reference module for all 37 processes.

3.2.7. COBIT® 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.

3.2.8. External stakeholders

3.2.8.1. Business partners, suppliers, shareholders, regulators/government, external users, customers, standardisation organisations, external auditors, consultants, etc.

3.2.8.2. External stakeholder needs

3.2.8.2.1. How do I know my business partner’s operations are secure and reliable?

3.2.8.2.2. How do I know the organisation is compliant with applicable rules and regulations?

3.2.8.2.3. How do I know the enterprise is maintaining an effective system of internal control?

3.2.9. Internal stakeholders

3.2.9.1. Internal stakeholder needs

3.2.9.1.1. How do I get value from the use of IT?

3.2.9.1.2. How do I manage performance of IT?

3.2.9.1.3. How can I best exploit new technology for new strategic opportunities?

3.2.9.1.4. How do I know whether I’m compliant with all applicable laws and regulations?

3.2.9.1.5. Am I running an efficient and resilient IT operation?

3.2.9.1.6. How do I control cost of IT?

3.2.9.1.7. Is the information I am processing adequately and appropriately secured?

3.2.9.1.8. How critical is IT to sustaining the enterprise?

3.2.9.1.9. What do I do if IT is not available?

3.2.9.1.10. What are (control) requirements for Information?

3.2.9.1.11. Did I address major IT-related risks?

3.2.9.1.12. Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance?

3.3. 2. Covering the enterprise end-to-end

3.3.1. Watch: COBIT® 5 - Principle Two (by Orbus Software)

3.3.1.1. https://www.youtube.com/watch?v=aAY5r2NqTxc

3.3.2. Integrates the governance of enterprise IT into enterprise governance and covers all functions and processes required to govern and manage enterprise information and related technologies wherever that information is processed.

3.3.3. COBIT® 5 addresses all relevant internal and external IT services as well as external and internal business processes.

3.3.4. Main elements of the governance approach:

3.3.4.1. Governance Enablers comprising:

3.3.4.1.1. The organizational resources for governance.

3.3.4.1.2. The enterprise’s resources.

3.3.4.1.3. A lack of resources or enablers may affect the ability of the enterprise to create value.

3.3.4.2. Governance Scope comprising:

3.3.4.2.1. The whole enterprise.

3.3.4.2.2. An entity, a tangible or intangible asset, etc.

3.3.5. Governance roles, activities and relationships:

3.3.5.1. Who is involved in governance.

3.3.5.2. How they are involved.

3.3.5.3. What they do.

3.3.5.4. How they interact.

3.3.6. COBIT® 5 defines the difference between governance and management activities in principle 5.

3.4. 3. Applying a single integrated framework

3.4.1. Watch: COBIT® 5 - Principle Three (by Orbus Software)

3.4.1.1. https://www.youtube.com/watch?v=DiEDYII5sDo

3.4.2. COBIT® 5 and Legacy ISACA Frameworks

3.4.3. COBIT® 5 Product Family

3.4.4. Aligns with the latest relevant standards and frameworks.

3.4.5. Is complete in enterprise coverage.

3.4.6. Provides a basis to integrate effectively other frameworks, standards and practices used.

3.4.7. Integrates all knowledge previously dispersed over different ISACA frameworks.

3.4.8. Provides a simple architecture for structuring guidance materials and producing a consistent product set.

3.4.9. The COBIT® 5 product family is the connection:

3.4.9.1. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.

3.4.9.2. COBIT 5: Enabling Processes.

3.4.9.3. COBIT 5 Implementation Guide.

3.4.9.4. COBIT 5 for Information Security.

3.4.9.5. COBIT 5 for Assurance.

3.4.9.6. COBIT 5 for Risk.

3.4.9.7. A series of other products is planned; they will be tailored for specific audiences or topics.

3.4.9.8. COBIT 5 Online.

3.5. 4. Enabling a holistic approach through 7 enterprise enablers

3.5.1. Watch: COBIT® 5 - Principle Four (by Orbus Software)

3.5.1.1. https://www.youtube.com/watch?v=uxWPx_uuFrk

3.5.2. COBIT® 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.

3.5.3. COBIT® 5 enablers are:

3.5.3.1. Factors that, individually and collectively, influence whether something will work.

3.5.3.2. Driven by the goals cascade.

3.5.3.3. Described by the COBIT® 5 framework in seven categories.

3.5.4. Enablers:

3.5.4.1. 1. Principles, policies and frameworks

3.5.4.2. 2. Processes

3.5.4.3. 3. Organizational structures

3.5.4.4. 4. Culture, ethics and behaviour

3.5.4.5. 5. Information

3.5.4.6. 6. Services, infrastructure and applications

3.5.4.7. 7. People, skills and competencies

3.6. 5. Separate governance from management

3.6.1. Watch: COBIT® 5 - Principle Five (by Orbus Software)

3.6.1.1. https://www.youtube.com/watch?v=accatUbftxg

3.6.2. The COBIT® 5 framework makes a clear distinction between governance and management.

3.6.3. Governance and management:

3.6.3.1. Governance system

3.6.3.1.1. A governance system refers to all the methods and techniques that enable multiple stakeholders in an enterprise to have an organized say in evaluating conditions and options; setting direction; and monitoring compliance, performance, and progress against plans, to satisfy specific enterprise objectives.

3.6.3.1.2. Methods and techniques include frameworks, principles, policies, sponsorship, structures and decision tools, roles and responsibilities, processes and practices, to set direction and monitor compliance and performance aligned with the overall objectives.

3.6.3.2. Management

3.6.3.2.1. Entails the considered use of means (resources, people, processes, practices, etc.) to achieve an identified end.

3.6.3.2.2. It is through management that the governance body achieves a result or objective.

3.6.3.2.3. Management is responsible for the execution of the direction set by the guiding body or unit.

3.6.3.3. Encompass different types of activities.

3.6.3.4. Require different organizational structures.

3.6.3.5. Serve different purposes.

3.6.4. COBIT® 5: Enabling Processes differentiates the activities associated with each.

3.6.5. Governance ensures that stakeholder needs, conditions and options are:

3.6.5.1. Evaluated to determine balanced, agreed-on enterprise objectives to be achieved.

3.6.5.2. Directed: direction is set through prioritisation and decision making.

3.6.5.3. Monitored: performance, compliance and progress are monitored against the agreed direction and objectives (EDM).

3.6.6. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM); see the Process Reference Model (PRM).

4. COBIT® 5 - Enterprise Enablers (7)

4.1. Watch: COBIT® 5 - Enablers (by Orbus Software)

4.1.1. https://www.youtube.com/watch?v=_FtKV4CQ60k

4.2. These are the tangible and intangible elements that make something work - in this case, governance and management of the enterprise over IT.

4.2.1. Enablers are driven by the goals cascade: the higher-level IT-related goals define what the different enablers should achieve.

4.3. All enablers have a set of common dimensions that:

4.3.1. Provide a common, simple and structured way to deal with enablers

4.3.2. Allow an entity to manage its complex interactions

4.3.3. Facilitate successful outcomes of the enablers

4.4. 1. Principles, policies and frameworks

4.4.1. Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.

4.4.2. The purpose of this enabler is to convey the governing body’s and management’s direction and instructions

4.4.3. They are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values as defined by the board and executive management:

4.4.3.1. Differences between principles and policies:

4.4.3.1.1. Principles need to be limited in number

4.4.3.1.2. Put in simple language, expressing as clearly as possible the core values of the enterprise

4.4.3.1.3. Policies are more detailed guidance on how to put principles into practice

4.4.4. Characteristics of good policies; they should:

4.4.4.1. Be effective

4.4.4.1.1. Achieve their purpose

4.4.4.2. Be efficient

4.4.4.2.1. Especially when implementing them

4.4.4.3. Be non-intrusive

4.4.4.3.1. Should make sense and be logical to those who have to comply with them

4.4.5. Policies should have a mechanism (framework) in place where they can be effectively managed and users know where to go

4.4.5.1. Specifically they should be:

4.4.5.1.1. Comprehensive, covering all required areas

4.4.5.1.2. Open and flexible allowing for easy adaptation and change

4.4.5.1.3. Current and up to date

4.5. 2. Processes

4.5.1. Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.

4.5.2. COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 Process Reference Model (PRM):

4.5.2.1. The COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals

4.5.2.2. The COBIT 5 process model is explained and its components defined

4.5.2.3. The Enabler process guide which is referenced in this module contains the detailed process information for all 37 COBIT 5 processes shown in the Process Reference Model (PRM)

4.5.3. The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas - governance and management - with management further divided into domains of processes:

4.5.3.1. The 1 GOVERNANCE domain

4.5.3.1.1. Contains 5 governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined

4.5.3.2. The 4 MANAGEMENT domains

4.5.3.2.1. Are in line with the responsibility areas of plan, build, run and monitor (PBRM)

4.5.4. Each process is divided into:

4.5.4.1. Process Description

4.5.4.2. Process Purpose statement

4.5.4.3. IT-related Goals (from the goals cascade; see the example in the Appendix)

4.5.4.4. Each IT-related goal is associated with a set of generic related metrics

4.5.4.5. Process Goals (also from the goals cascade mechanism; referred to as Enabler Goals)

4.5.4.6. Each Process Goal is associated or related with a set of generic metrics

4.5.4.7. Each Process contains a set of Management Practices

4.5.4.8. These are associated with a generic RACI

4.5.4.9. Each management practice contains a set of inputs and outputs (called work products in module PC)

4.5.4.10. Each management Practice is associated with a set of activities

4.5.5. Key Characteristics of Process Goals:

4.5.5.1. Process goals are defined as a statement describing the desired outcome of a process. An outcome can be an artefact, a significant change of state or a significant capability improvement of other processes (see learning area PC). They are part of the goals cascade, in which process goals link to IT-related goals, which in turn link to enterprise goals (see PR). There are also 3 categories:

4.5.5.1.1. Intrinsic Goals

4.5.5.1.2. Contextual Goals

4.5.5.1.3. Accessibility and Security goals

4.5.6. Relationship between Process and other enablers:

4.5.6.1. Processes need information as one form of input

4.5.6.2. Processes need Organizational structure

4.5.6.3. Processes produce and require services, infrastructure and applications

4.5.6.4. Processes are dependent on other processes

4.5.6.5. Processes need policies and procedures to ensure consistent implementation

4.6. 3. Organizational structures

4.6.1. Organisational structures are the key decision-making entities in an enterprise.

4.6.2. A number of Good Practices of organisational structure can be distinguished such as:

4.6.2.1. Operating principles

4.6.2.1.1. The practical arrangements regarding how the structure will operate, such as meeting frequency, documentation and other rules

4.6.2.2. Span of control

4.6.2.2.1. The boundaries of the organisation structure’s decision rights

4.6.2.3. Level of authority

4.6.2.3.1. The decisions that the structure is authorised to take

4.6.2.4. Delegation of responsibility

4.6.2.4.1. The structure can delegate a subset of its decision rights to other structures reporting to it

4.6.2.5. Escalation procedures

4.6.2.5.1. The escalation path for a structure describes the required actions in case of problems in making decisions

4.7. 4. Culture, ethics and behaviour

4.7.1. Culture, ethics and behaviour of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.

4.7.2. Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include:

4.7.2.1. Communication throughout the enterprise of desired behaviours and corporate values. (This can be done via a code of ethics)

4.7.2.2. Awareness of desired behaviour, strengthened by senior management example:

4.7.2.2.1. This is one of the keys to a good governance environment when senior management and the executives ‘walk the talk’ so to speak.

4.7.2.2.2. It is sometimes a difficult area and one that causes many enterprises to fail, because it leads to poor governance. (Typically this will be part of training and awareness sessions based around a code of ethics.)

4.7.2.3. Incentives to encourage and deterrents to enforce desired behaviour

4.7.2.3.1. There is a clear link to HR payment and reward schemes

4.7.2.4. Rules and norms which provide more guidance and will typically be found in a Code of Ethics

4.7.3. Relationship of Goals for culture, ethics and behaviour:

4.7.3.1. Organisational ethics determine the values by which the enterprise wants to live (its code)

4.7.3.2. Individual ethics are determined by each person's personal values and depend to some extent on external factors not always under the enterprise's control

4.7.3.3. Individual behaviours collectively determine the culture of the enterprise and depend on both organisational and individual ethics

4.7.4. The relationship of this enabler to other enablers:

4.7.4.1. Links to processes for executing process activities

4.7.4.2. Links to organisational structures for the implementation of decisions

4.7.4.3. Links to principles and policies to be able to communicate the corporate values

4.8. 5. Information

4.8.1. Information is pervasive throughout any organisation and includes all information produced and used by the enterprise.

4.8.1.1. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

4.8.2. COBIT 4.1 introduced the concept of 7 key information criteria to meet business requirements. This concept has been retained but translated differently (see Figure 9 of the framework and Figure 26 in Appendix F).

4.8.3. To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information

4.8.4. Based on broader quality, fiduciary, and security requirements, seven distinct information criteria are defined

4.8.4.1. These are:

4.8.4.1.1. Effectiveness

4.8.4.1.2. Efficiency

4.8.4.1.3. Confidentiality

4.8.4.1.4. Integrity

4.8.4.1.5. Availability

4.8.4.1.6. Compliance

4.8.4.1.7. Reliability

4.8.5. Meta Data Information Cycle

4.8.6. Information Attributes Applied to the following layers:

4.8.6.1. Physical World Layer

4.8.6.1.1. The world where all phenomena that can be empirically observed take place.

4.8.6.1.2. Where will information be stored?

4.8.6.2. Empirical layer

4.8.6.2.1. The empirical observation of the signs used to encode information and their distinction from each other.

4.8.6.2.2. How can the information be accessed? What are the access channels to the information?

4.8.6.3. Syntactical Layer

4.8.6.3.1. The rules and principles for constructing sentences in natural or artificial languages. Syntax refers to the form of information.

4.8.6.3.2. How will the information be structured and coded?

4.8.6.4. Semantic Layer

4.8.6.4.1. The rules and principles for constructing meaning out of the syntax structures.

4.8.6.4.2. What sort of information is it? What is the information level? What type of information is it? Is the information current or relating to the past or to the future?

4.8.6.5. Pragmatic Layer

4.8.6.5.1. The rules and structures for constructing larger language structures that fulfil specific purposes in human communication

4.8.6.5.2. What are the retention requirements? What other information is required for this information to be useful and usable? Is the information historic or operational?

4.8.6.6. Social World Layer

4.8.6.6.1. The world that is socially constructed through the use of language structures at the pragmatic level of semiotics, e.g. contracts, laws, culture.

4.8.7. The contextual and representational quality of information, i.e. the requirements from the user's perspective, which include:

4.8.7.1. Relevancy

4.8.7.1.1. The extent to which information is applicable and helpful for the task at hand

4.8.7.2. Completeness

4.8.7.2.1. The extent to which information is not missing and is of sufficient depth and breadth for the task at hand

4.8.7.3. Appropriateness

4.8.7.3.1. The extent to which the volume of information is appropriate for the task at hand

4.8.7.4. Conciseness

4.8.7.4.1. The extent to which the information is compactly represented

4.8.7.5. Consistency

4.8.7.5.1. The extent to which the information is presented in the same format

4.8.7.6. Understandability

4.8.7.6.1. The extent to which the information is easily understandable

4.8.7.7. Ease of Manipulation

4.8.7.7.1. The extent to which information is easy to manipulate and apply to different tasks

4.9. 6. Services, infrastructure and applications

4.9.1. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.

4.9.2. The 5 architecture principles that govern the implementation and use of IT-Related resources:

4.9.2.1. This is part of the Good Practices of this enabler

4.9.2.2. Architecture Principles are overall guidelines that govern the implementation and use of IT-related resources within the enterprise

4.9.2.3. Examples of such principles:

4.9.2.3.1. Reuse

4.9.2.3.2. Buy vs. build

4.9.2.3.3. Simplicity

4.9.2.3.4. Agility

4.9.2.3.5. Openness

4.9.3. Relationship To other Enablers:

4.9.3.1. Information:

4.9.3.1.1. Is a service capability that is leveraged through processes to deliver internal and external services.

4.9.3.2. Cultural and behavioural aspects:

4.9.3.2.1. Relevant when a service-oriented culture needs to be built.

4.10. 7. People, skills and competencies

4.10.1. People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

4.10.2. Good practices for people, skills and competencies, specifically:

4.10.2.1. Described by different skill levels for different roles.

4.10.2.2. Defining Skill requirements for each role.

4.10.2.3. Mapping skill categories to COBIT 5 process domains (APO; BAI etc.).

4.10.2.4. These correspond to the IT-related activities undertaken, e.g. business analysis, information management etc.

4.10.2.5. Using external sources for good practices such as:

5. COBIT® 5 Processes (37) - Process Reference Model (PRM)

5.1. Structure of the PRM Template is based on the ISO 15504 process definitions and structure.

5.2. PRM is divided into 5 domains

5.2.1. 1 Governance Domain

5.2.1.1. EDM (Evaluate, Direct, and Monitor)

5.2.1.1.1. 5 processes

5.2.2. 4 Management domains (a.k.a. PBRM: Plan, Build, Run, Monitor)

5.2.2.1. APO (Align, Plan and Organise) - strategic

5.2.2.1.1. 13 processes

5.2.2.2. BAI (Build, Acquire and Implement) - tactical

5.2.2.2.1. 10 processes

5.2.2.3. DSS (Deliver, Service and Support) - operational

5.2.2.3.1. 6 processes

5.2.2.4. MEA (Monitor, Evaluate and Assess)

5.2.2.4.1. 3 processes

5.2.3. This makes a total of 37 processes, 32 for Management and 5 for Governance.

6. COBIT® 5 Implementation Phases / Lifecycle (7)

6.1. Phase 1 - What Are the Drivers?

6.1.1. Initiate the Programme

6.1.2. Establish desire to change

6.1.3. This phase starts with recognizing and agreeing to the need for an implementation. It identifies the current pain points and triggers and creates a desire to change at executive management levels.

6.2. Phase 2 - Where are We Now?

6.2.1. Define the problems and opportunities [Programme Management]

6.2.2. Form a powerful guiding team [Change Enablement]

6.2.3. Assess the current state [Continual Improvement Life cycle attribute]

6.2.4. This phase is focused on defining the scope of the implementation using COBIT’s mapping of enterprise goals to IT-related goals to the associated IT processes, and considering how risk scenarios could also highlight key processes on which to focus.

6.3. Phase 3 - Where Do We Want to Be?

6.3.1. Define the roadmap

6.3.2. Communicate desired vision

6.3.3. Define target state and perform gap analysis

6.3.4. In this phase, an improvement target is set, followed by a more detailed analysis using COBIT’s guidance to identify gaps and potential solutions. Some solutions may offer quick wins and others might be more challenging.

6.4. Phase 4 - What Needs to Be Done?

6.4.1. Develop program plan

6.4.2. Empower role players and identify quick wins

6.4.3. Design and build improvements

6.4.4. This plans practical solutions by defining projects supported by justifiable business cases. A change plan for implementation is also developed.

6.5. Phase 5 - How Do We Get There?

6.5.1. Execute the plan

6.5.2. Enable operation and use

6.5.3. Implement improvements

6.5.4. The proposed solutions are implemented into day-to-day practices in this phase. Measures can be defined and established using COBIT’s goals and metrics to ensure that business alignment is achieved and maintained and performance can be measured.

6.6. Phase 6 - Did We Get There?

6.6.1. Realize benefits

6.6.2. Embed new approaches

6.6.3. Operate and measure

6.6.4. This phase focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits.

6.7. Phase 7 - How Do We Keep Momentum?

6.7.1. Continual improvements

6.7.2. Review the program benefits

6.7.3. Sustain

6.7.4. Monitor and evaluate

6.7.5. In this phase, the overall success of the initiative is reviewed, further requirements for the governance or management of enterprise are identified and the need for continual improvement is reinforced.

7. COBIT® 5 - Process Capability Assessment Model (PAM)

7.1. Process capability models are used to measure the ‘as-is’ maturity of an enterprise’s IT-related processes, to define a required ‘to-be’ state of maturity, and to determine the gap between them and how to improve the process to achieve the desired maturity level.

7.2. Serves as a base reference document for the performance of a capability assessment of an organisation’s current IT processes against COBIT®.

7.3. The COBIT® Process Assessment Model (PAM) brings together two proven heavyweights in the IT arena, ISO and ISACA®.

7.4. The new Process Capability Model based on ISO 15504 replaces the Process Capability Maturity Model used in earlier COBIT® versions.

7.4.1. Advantages of the ISO 15504 Approach

7.4.1.1. A robust assessment process based on ISO 15504

7.4.1.2. An alignment of COBIT’s maturity model scale with the international standard

7.4.1.3. A new capability-based assessment model which includes

7.4.1.4. Assessor qualifications and experiential requirements

7.4.1.5. Results in a more robust, objective and repeatable assessment

7.5. Process Capability Assessment differences COBIT 4.1 & 5.0

7.5.1. The naming and meaning of the ISO/IEC 15504-defined capability levels are quite different from the current COBIT 4.1 maturity levels for processes.

7.5.2. In ISO/IEC 15504, capability levels are defined by a set of nine process attributes

7.5.3. Maturity Assessment

7.5.3.1. Done at an enterprise or organizational level and uses a different measurement scale than a capability assessment and different criteria and attributes

7.5.4. Capability Assessment

7.5.4.1. Done at a process level and is done for purposes of process Improvement

7.6. 9 Process Attributes (based on ISO/IEC 15504-2)

7.6.1. Level 0

7.6.1.1. Incomplete (no attributes)

7.6.1.1.1. The process is not implemented or fails to achieve its process purpose. Little or no evidence of any systematic achievement of the process purpose.

7.6.2. Level 1

7.6.2.1. Performed (one attribute)

7.6.2.1.1. The implemented process achieves its process purpose.

7.6.2.1.2. PA1.1 Process performance

7.6.3. Level 2

7.6.3.1. Managed (two attributes)

7.6.3.1.1. The process is implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.

7.6.3.1.2. PA2.1 Performance management

7.6.3.1.3. PA2.2 Work product management

7.6.4. Level 3

7.6.4.1. Established (two attributes)

7.6.4.1.1. The process is implemented using a defined process that is capable of achieving its process outcomes.

7.6.4.1.2. PA3.1 Process definition

7.6.4.1.3. PA3.2 Process deployment

7.6.5. Level 4

7.6.5.1. Predictable (two attributes)

7.6.5.1.1. The process operates within defined limits to achieve its process outcomes.

7.6.5.1.2. PA4.1 Process measurement

7.6.5.1.3. PA4.2 Process control

7.6.6. Level 5

7.6.6.1. Optimising (two attributes)

7.6.6.1.1. The process is continuously improved to meet relevant current and projected business goals.

7.6.6.1.2. PA5.1 Process innovation

7.6.6.1.3. PA5.2 Process optimisation

7.7. Assessment Process Activities

7.7.1. 1. Initiation

7.7.1.1. Identify the sponsor and define the purpose of the assessment

7.7.1.2. Define the scope of the assessment

7.7.1.3. Identify any additional information that needs to be gathered.

7.7.1.4. Select the assessment participants, the assessment team and define the roles of team members.

7.7.1.5. Define assessment inputs and outputs

7.7.2. 2. Planning the assessment

7.7.2.1. An assessment plan describing all activities performed in conducting the assessment is

7.7.2.2. Identify the project scope.

7.7.2.3. Secure the necessary resources to perform the assessment

7.7.2.4. Determine the method of collating, reviewing, validating and documenting the information required for the assessment

7.7.2.5. Co-ordinate assessment activities with the Organizational Unit being assessed

7.7.3. 3. Briefing

7.7.3.1. The Assessment Team Leader ensures that the assessment team understands the assessment

7.7.3.2. Brief the Organizational Unit on the performance of the assessment

7.7.4. 4. Data collection

7.7.4.1. The assessor obtains (and documents) an understanding of the process(es) including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment

7.7.4.2. Data required for evaluating the processes within the scope of the assessment is collected in a systematic manner

7.7.4.3. The strategy and techniques for the selection, collection and analysis of data, and for the justification of the ratings, are explicitly identified and demonstrable

7.7.4.4. Each process identified in the assessment scope is assessed on the basis of objective evidence

7.7.5. 5. Data validation

7.7.5.1. Actions are taken to ensure that the data is accurate and sufficiently covers the assessment scope, including

7.7.5.2. Some data validation may occur as the data is being collected

7.7.6. 6. Process attributes rating

7.7.6.1. For each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope

7.7.6.2. The rating is based on data validated in the previous activity

7.7.6.3. Traceability shall be maintained between the objective evidence collected and the process attribute ratings assigned

7.7.6.4. For each process attribute rated, the relationship between the indicators and the objective evidence is recorded

7.7.7. 7. Reporting the results

7.7.7.1. The results of the assessment are analysed and presented in a report

7.7.7.2. The report also covers any key issues raised during the assessment

7.8. The COBIT® Assessment Program includes:

7.8.1. COBIT Process Assessment Model (PAM) - Using COBIT 4.1

7.8.2. COBIT Process Assessment Model (PAM) - Using COBIT 5

7.8.3. COBIT Assessor’s Guide - Using COBIT 4.1

7.8.4. COBIT Assessor’s Guide - Using COBIT 5

7.8.5. COBIT Self Assessment Guide - Using COBIT 4.1

7.8.6. COBIT Self Assessment Guide - Using COBIT 5

8. Basic definitions

8.1. Maturity Assessment

8.1.1. Is done at an enterprise or organisational level and uses a different measurement scale, different criteria and different attributes than a capability assessment.

8.2. Capability Assessment

8.2.1. Is done at a process level, for the purpose of process improvement.

8.3. Lead assessor

8.3.1. A ‘competent’ assessor responsible for overseeing the assessment activities.

8.4. Assessor

8.4.1. An individual, developing assessor competencies, who performs the assessment activities.

9. COBIT®5 Exams

9.1. APMG

9.1.1. http://www.apmg-exams.com/index.aspx?subid=101&

9.2. 3rd party

9.2.1. http://www.glenfis.ch/custom/Demos/COBIT5_FOUND_PRFG_EN/story_html5.html

10. Interactive COBIT® 5 Glossary

10.1. Interactive COBIT® 5 Glossary

11. COBIT5 training road map

12. This freeware, non-commercial mind map (aligned with the newest version of COBIT®) was carefully hand crafted with passion and love for learning and constant improvement, as well as for promoting the standard and framework COBIT®, and as a learning tool for candidates wanting to gain a COBIT® qualification. (Please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

12.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com

12.1.1. http://www.miroslawdabrowski.com

12.1.2. http://www.linkedin.com/in/miroslawdabrowski

12.1.3. https://www.google.com/+MiroslawDabrowski

12.1.4. https://play.spotify.com/user/miroslawdabrowski/

12.1.5. https://twitter.com/mirodabrowski

12.1.6. miroslaw_dabrowski

13. The Evolution of COBIT 5

14. COBIT® 5 has clarified management-level processes and integrated COBIT® 4.1, Val IT and Risk IT content into one process reference model

14.1. Watch: Comparing COBIT® 4.1 to COBIT® 5 (by Orbus Software)

14.1.1. https://www.youtube.com/watch?v=_W8DuJNi-2M

14.2. The framework integrates all knowledge previously dispersed over different ISACA frameworks, such as COBIT, Val IT, Risk IT, the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF).

14.3. COBIT® 5 consolidates COBIT 4.1, Val IT and Risk IT into one framework, and has been updated to align with current best practices

14.4. COBIT® 5 processes now cover end-to-end business and IT activities

14.5. This provides more holistic and complete coverage of practices, reflecting the pervasive, enterprise-wide nature of IT use

14.6. It makes the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent