ISACA® is a registered trademark of Information Systems Audit and Control Association. COBIT® is a trademark of ISACA® registered in the United States and other countries. CISA®, Certified Information Systems Auditor®, CISM®, CGEIT®, Certified in the Governance of Enterprise IT/CGEIT® (and design)®, COBIT® are registered trademarks of ISACA®. CRISC™, Certified in Risk and Information Systems Control™, Certified Information Security Manager™, Risk IT™, Val IT™ are trademarks of ISACA®. Trademarks are properties of their holders, who are not affiliated with the mind map author.
COBIT® 5: Enabling Processes, http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx
COBIT® 5: Enabling Information, http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Information-product-page.aspx
COBIT® 5: Implementation, http://www.isaca.org/COBIT/Pages/COBIT-5-Implementation-product-page.aspx
COBIT® 5: for Information Security, http://www.isaca.org/COBIT/Pages/Information-Security-Product-Page.aspx
COBIT® 5: for Assurance, http://www.isaca.org/COBIT/Pages/Assurance-product-page.aspx
COBIT® 5: for Risk, http://www.isaca.org/COBIT/Pages/Risk-product-page.aspx
COBIT® 5 Process Assessment Programme, http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
COBIT® 5 Process Assessment Model (PAM): serves as the base reference document for performing a capability assessment of an organisation's current IT processes against COBIT®, http://www.isaca.org/COBIT/Pages/COBIT-5-PAM.aspx
COBIT® 5 Self-assessment Guide: provides guidance on how to perform a basic self-assessment of an organisation's current IT process capability levels against COBIT® processes, http://www.isaca.org/COBIT/Pages/Self-Assessment-Guide.aspx
COBIT® 5 Assessor Guide: provides details on how to undertake a full ISO-compliant assessment, http://www.isaca.org/COBIT/Pages/Assessor-Guide.aspx
Watch: COBIT® 5 - Principle One (by Orbus Software), https://www.youtube.com/watch?v=MOPGlbqAngU
Enterprises have many stakeholders
Governance is about negotiating; deciding amongst different stakeholders' value interests; and considering all stakeholders when making benefit, resource and risk assessment decisions.
Enterprises exist to create value for their stakeholders. Value creation means realising benefits at an optimal resource cost while optimising risk.
The COBIT® 5 goals cascade allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT. In practice, the goals cascade defines relevant and tangible goals and objectives at various levels of responsibility; filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects; and clearly identifies and communicates how enablers are used to achieve enterprise goals.
Cascade Step #1 - Identify the influence of key stakeholder drivers on stakeholder needs, e.g. strategy changes, a changing business environment, a changing regulatory environment, new technologies.
Cascade Step #2 - Stakeholder needs cascade to enterprise goals. There are 17 generic enterprise goals, as shown in the figure of the Framework guide, which have been translated into Balanced Scorecard (BSC) dimensions and related to the three main governance objectives of benefits realisation, risk optimisation and resource optimisation.
Cascade Step #3 - Enterprise goals cascade to IT-related goals. There are also 17 generic IT-related goals, as shown in Figure 6, which are likewise categorised into the Balanced Scorecard (BSC) dimensions.
Cascade Step #4 - IT-related goals cascade to enabler goals. Processes are one of the key enablers and are expanded on in the Enabler learning area module, but it is important to know that enabler goals are represented in the Process Reference module for all 37 processes.
Internal stakeholder concerns include:, How do I get value from the use of IT?, How do I manage performance of IT?, How can I best exploit new technology for new strategic opportunities?, How do I know whether I’m compliant with all applicable laws and regulations?, Am I running an efficient and resilient IT operation?, How do I control cost of IT?, Is the information I am processing adequately and appropriately secured?, How critical is IT to sustaining the enterprise?, What do I do if IT is not available?
COBIT® 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
External stakeholders: business partners, suppliers, shareholders, regulators/government, external users, customers, standardisation organisations, external auditors, consultants, etc. External stakeholder needs: How do I know my business partner's operations are secure and reliable? How do I know the organisation is compliant with applicable rules and regulations? How do I know the enterprise is maintaining an effective system of internal control?
Internal stakeholder needs: How do I get value from the use of IT? How do I manage performance of IT? How can I best exploit new technology for new strategic opportunities? How do I know whether I'm compliant with all applicable laws and regulations? Am I running an efficient and resilient IT operation? How do I control cost of IT? Is the information I am processing adequately and appropriately secured? How critical is IT to sustaining the enterprise? What do I do if IT is not available? What are the (control) requirements for information? Did I address major IT-related risks? Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance?
Watch: COBIT® 5 - Principle Two (by Orbus Software), https://www.youtube.com/watch?v=aAY5r2NqTxc
Integrates the governance of enterprise IT into enterprise governance and covers all functions and processes required to govern and manage enterprise information and related technologies wherever that information is processed.
COBIT® 5 addresses all relevant internal and external IT services as well as external and internal business processes.
Main elements of the governance approach. Governance enablers comprise the organisational resources for governance and the enterprise's resources; a lack of resources or enablers may affect the ability of the enterprise to create value. Governance scope comprises the whole enterprise, an entity, a tangible or intangible asset, etc.
Governance roles, activities and relationships define who is involved in governance, how they are involved, what they do and how they interact.
COBIT® 5 defines the difference between governance and management activities in principle 5.
Watch: COBIT® 5 - Principle Three (by Orbus Software), https://www.youtube.com/watch?v=DiEDYII5sDo
COBIT® 5 and Legacy ISACA Frameworks
COBIT® 5 Product Family
Aligns with the latest relevant standards and frameworks.
Is complete in enterprise coverage.
Provides a basis to integrate effectively other frameworks, standards and practices used.
Integrates all knowledge previously dispersed over different ISACA frameworks.
Provides a simple architecture for structuring guidance materials and producing a consistent product set.
The COBIT® 5 product family is the connection: COBIT 5: A Business Framework for the Governance and Management of Enterprise IT; COBIT 5: Enabling Processes; COBIT 5 Implementation Guide; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; COBIT 5 Online. A series of other products is planned; they will be tailored for specific audiences or topics.
Watch: COBIT® 5 - Principle Four (by Orbus Software), https://www.youtube.com/watch?v=uxWPx_uuFrk
COBIT® 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.
COBIT® 5 enablers are factors that, individually and collectively, influence whether something will work; they are driven by the goals cascade and are described by the COBIT® 5 framework in seven categories.
Enablers:, 1. Principles, policies and frameworks, 2. Processes, 3. Organizational structures, 4. Culture, ethics and behaviour, 5. Information, 6. Services, infrastructure and applications, 7. People, skills and competencies
Watch: COBIT® 5 - Principle Five (by Orbus Software), https://www.youtube.com/watch?v=accatUbftxg
The COBIT® 5 framework makes a clear distinction between governance and management.
Governance system: a governance system refers to all the methods and techniques that enable multiple stakeholders in an enterprise to have an organised say in evaluating conditions and options; setting direction; and monitoring compliance, performance and progress against plans, to satisfy specific enterprise objectives. Methods and techniques include frameworks, principles, policies, sponsorship, structures and decision tools, roles and responsibilities, processes and practices, to set direction and monitor compliance and performance aligned with the overall objectives.
Management: entails the considered use of means (resources, people, processes, practices, etc.) to achieve an identified end. It is through management that the governance body achieves a result or objective. Management is responsible for the execution of the direction set by the guiding body or unit. Management is about planning, building, organising and controlling operational activities to align with the direction set by the governance body.
Governance and management encompass different types of activities, require different organisational structures and serve different purposes.
COBIT® 5: Enabling Processes differentiates the activities associated with each.
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance, compliance and progress against the agreed direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM); see the Process Reference Model (PRM).
Enablers are driven by the goals cascade: the higher-level IT-related goals define what the different enablers should achieve.
Provide a common, simple and structured way to deal with enablers
Allow an entity to manage its complex interactions
Facilitate successful outcomes of the enablers
Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
The purpose of this enabler is to convey the governing body's and management's direction and instructions.
They are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values as defined by the board and executive management. Differences between principles and policies: principles need to be limited in number and put in simple language, expressing as clearly as possible the core values of the enterprise; policies are more detailed guidance on how to put principles into practice.
The characteristics of good policies; they should: be effective (achieve their purpose); be efficient (especially when implementing them); and be non-intrusive (make sense and be logical to those who have to comply with them).
Policies should have a mechanism (framework) in place through which they can be effectively managed and users know where to go. Specifically, they should be comprehensive, covering all required areas; open and flexible, allowing for easy adaptation and change; and current and up to date.
Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
COBIT 5 Enablers: Processes complements COBIT 5 and contains a detailed reference guide to the processes defined in the COBIT 5 Process Reference Model (PRM). The COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals; the COBIT 5 process model is explained and its components defined; and the enabler process guide referenced in this module contains the detailed process information for all 37 COBIT 5 processes shown in the Process Reference Model (PRM).
The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas - governance and management - with management further divided into domains of processes. The one GOVERNANCE domain contains 5 governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. The 4 MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
Each process is divided into: a process description; a process purpose statement; IT-related goals (from the goals cascade; see the example in the Appendix), each associated with a set of generic related metrics; process goals (also from the goals cascade mechanism and referred to as enabler goals), each associated with a set of generic metrics; and a set of management practices, associated with a generic RACI. Each management practice contains a set of inputs and outputs (called work products in module PC) and is associated with a set of activities.
Key characteristics of process goals: process goals are defined as a statement describing the desired outcome of a process. An outcome can be an artefact, a significant change of state or a significant capability improvement of other processes (see learning area PC). They are part of the goals cascade, in which process goals link to IT-related goals, which link to enterprise goals (see PR). There are also three categories: intrinsic goals, contextual goals, and accessibility and security goals.
Relationship between processes and other enablers: processes need information as one form of input; processes need organisational structures; processes produce and require services, infrastructure and applications; processes are dependent on other processes; and processes need policies and procedures to ensure consistent implementation.
Organisational structures are the key decision-making entities in an enterprise.
A number of good practices of organisational structure can be distinguished, such as: operating principles (the practical arrangements regarding how the structure will operate, such as meeting frequency, documentation and other rules); span of control (the boundaries of the organisational structure's decision rights); level of authority (the decisions that the structure is authorised to take); delegation of responsibility (the structure can delegate a subset of its decision rights to other structures reporting to it); and escalation procedures (the escalation path for a structure describes the required actions in case of problems in making decisions).
Culture, ethics and behaviour of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include: communication throughout the enterprise of desired behaviours and corporate values (this can be done via a code of ethics); awareness of desired behaviour, strengthened by senior management example (this is one of the keys to a good governance environment, when senior management and the executives 'walk the talk', so to speak; it is sometimes a difficult area and one that causes many enterprises to fail because it leads to poor governance; typically this will be part of training and awareness sessions based around a code of ethics); incentives to encourage and deterrents to enforce desired behaviour (there is a clear link to HR payment and reward schemes); and rules and norms, which provide more guidance and will typically be found in a code of ethics.
Relationship of goals for culture, ethics and behaviour: organisational ethics determine the values by which the enterprise wants to live (its code); individual ethics are determined by each person's personal values and depend to some extent on external factors not always under the enterprise's control; individual behaviours collectively determine the culture of the enterprise and depend on both organisational and individual ethics.
The relationship of this enabler to other enablers: it links to processes for executing process activities, to organisational structures for the implementation of decisions, and to principles and policies to be able to communicate the corporate values.
Information is pervasive throughout any organisation and includes all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
COBIT 4.1 introduced the concept of 7 key information criteria to meet business requirements. This concept has been retained but is translated differently in Figure 9 (see also Figure 26, Appendix F).
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information
Based on broader quality, fiduciary and security requirements, seven distinct information criteria are defined. These are: Effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. Efficiency - concerns the provision of information through the optimal (most productive and economical) use of resources. Confidentiality - concerns the protection of sensitive information from unauthorised disclosure. Integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. Availability - relates to information being available when required by the business process, at present and in the future; it also concerns the safeguarding of necessary resources and associated capabilities. Compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies. Reliability - relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
Meta Data Information Cycle
Information attributes applied to the following layers: Physical world layer - the world where all phenomena that can be empirically observed take place (where will information be stored?). Empirical layer - the empirical observation of the signs used to encode information and their distinction from each other (how can the information be accessed? what are the access channels to the information?). Syntactical layer - the rules and principles for constructing sentences in natural or artificial languages; syntax refers to the form of information (how will the information be structured and coded?). Semantic layer - the rules and principles for constructing meaning out of the syntax structures (what sort of information is it? what is the information level? what type of information is it? is the information current, or does it relate to the past or the future?). Pragmatic layer - the rules and structures for constructing larger language structures that fulfil specific purposes in human communication; pragmatics refers to the use of information (what are the retention requirements? what other information is required for this information to be useful and usable? is the information historic or operational?). Social world layer - the world that is socially constructed through the use of language structures at the pragmatic level of semiotics, e.g. contracts, laws, culture.
The contextual and representational quality requirements of information to the user include: relevancy (the extent to which information is applicable and helpful for the task at hand); completeness (the extent to which information is not missing and is of sufficient depth and breadth for the task at hand); appropriateness (the extent to which the volume of information is appropriate for the task at hand); conciseness (the extent to which the information is compactly represented); consistency (the extent to which the information is presented in the same format); understandability (the extent to which the information is easily understandable); and ease of manipulation (the extent to which information is easy to manipulate and apply to different tasks).
Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
The 5 architecture principles that govern the implementation and use of IT-related resources are part of the good practices of this enabler. Architecture principles are overall guidelines that govern the implementation and use of IT-related resources within the enterprise. Examples of such principles: Reuse - common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures. Buy vs. build - solutions should be purchased unless there is an approved rationale for developing them internally. Simplicity - the enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements. Agility - the enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner. Openness - the enterprise architecture should leverage open industry standards.
Relationship to other enablers: information is a service capability that is leveraged through processes to deliver internal and external services; cultural and behavioural aspects are relevant when a service-oriented culture needs to be built.
People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
Identify the good practices of people, skills and competencies, specifically: described by different skill levels for different roles; defining skill requirements for each role; mapping skill categories to COBIT 5 process domains (APO, BAI, etc.), which correspond to the IT-related activities undertaken, e.g. business analysis, information management, etc.; using external sources for good practices such as:
1 Governance domain: EDM (Evaluate, Direct and Monitor), 5 processes.
4 Management domains (a.k.a. PBRM: Plan, Build, Run, Monitor): APO (Align, Plan and Organise), strategic, 13 processes; BAI (Build, Acquire and Implement), tactical, 10 processes; DSS (Deliver, Service and Support), operational, 6 processes; MEA (Monitor, Evaluate and Assess), 3 processes.
This makes a total of 37 processes, 32 for Management and 5 for Governance.
Initiate the Programme
Establish desire to change
This phase starts with recognizing and agreeing to the need for an implementation. It identifies the current pain points and triggers and creates a desire to change at executive management levels.
Define the problems and opportunities [Programme Management]
Form a powerful guiding team [Change Enablement]
Assess the current state [Continual Improvement Life cycle attribute]
This phase is focused on defining the scope of the implementation using COBIT’s mapping of enterprise goals to IT-related goals to the associated IT processes, and considering how risk scenarios could also highlight key processes on which to focus.
Define the roadmap
Communicate desired vision
Define target state and perform gap analysis
In this phase, an improvement target is set, followed by a more detailed analysis using COBIT’s guidance to identify gaps and potential solutions. Some solutions may offer quick wins and others might be more challenging.
Develop program plan
Empower role players and identify quick wins
Design and build improvements
This plans practical solutions by defining projects supported by justifiable business cases. A change plan for implementation is also developed.
Execute the plan
Enable operation and use
The proposed solutions are implemented into day-to-day practices in this phase. Measures can be defined and established using COBIT’s goals and metrics to ensure that business alignment is achieved and maintained and performance can be measured.
Embed new approaches
Operate and measure
This phase focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits.
Review the program benefits
Monitor and evaluate
In this phase, the overall success of the initiative is reviewed, further requirements for the governance or management of enterprise are identified and the need for continual improvement is reinforced.
Advantages of the ISO 15504 approach: a robust assessment process based on ISO 15504; an alignment of COBIT's maturity model scale with the international standard; a new capability-based assessment model which includes assessor qualifications and experiential requirements; results in a more robust, objective and repeatable assessment.
The naming and meaning of the ISO/IEC 15504-defined capability levels are quite different from the current COBIT 4.1 maturity levels for processes.
In ISO/IEC 15504, capability levels are defined by a set of nine process attributes.
Maturity assessment: done at an enterprise or organisational level, using a different measurement scale than a capability assessment and different criteria and attributes.
Capability assessment: done at a process level, for purposes of process improvement.
Level 0 - Incomplete (no attributes): the process is not implemented or fails to achieve its process purpose. Little or no evidence of any systematic achievement of the process purpose.
Level 1 - Performed (one attribute): the implemented process achieves its process purpose. PA1.1 Process Performance.
Level 2 - Managed (two attributes): the process is implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained. PA2.1 Performance Management; PA2.2 Work Product Management.
Level 3 - Established (two attributes): the process is implemented using a defined process that is capable of achieving its process outcomes. PA3.1 Process Definition; PA3.2 Process Deployment.
Level 4 - Predictable (two attributes): the process operates within defined limits to achieve its process outcomes. PA4.1 Process Measurement; PA4.2 Process Control.
Level 5 - Optimising (two attributes): the process is continuously improved to meet relevant current and projected business goals. PA5.1 Process Innovation; PA5.2 Continuous Optimisation.
1. Initiation: identify the sponsor and define the purpose of the assessment; define the scope of the assessment; identify any additional information that needs to be gathered; select the assessment participants and the assessment team, and define the roles of team members; define assessment inputs and outputs.
2. Planning the assessment: an assessment plan describing all activities performed in conducting the assessment is; identify the project scope; secure the necessary resources to perform the assessment; determine the method of collating, reviewing, validating and documenting the information required for the assessment; co-ordinate assessment activities with the organisational unit being assessed.
3. Briefing: the assessment team leader ensures that the assessment team understands the assessment; brief the organisational unit on the performance of the assessment.
4. Data collection: the assessor obtains (and documents) an understanding of the process(es), including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment; data required for evaluating the processes within the scope of the assessment is collected in a systematic manner; the strategy and techniques for the selection, collection and analysis of data and justification of the ratings are explicitly identified and demonstrable; each process identified in the assessment scope is assessed on the basis of objective evidence.
5. Data validation: actions are taken to ensure that the data is accurate and sufficiently covers the assessment scope; some data validation may occur as the data is being collected.
6. Process attribute rating: for each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope; the rating is based on data validated in the previous activity; traceability shall be maintained between the objective evidence collected and the process attribute ratings assigned; for each process attribute rated, the relationship between the indicators and the objective evidence is recorded.
7. Reporting the results: the results of the assessment are analysed and presented in a report; the report also covers any key issues raised during the assessment.
COBIT Process Assessment Model (PAM) - Using COBIT 4.1
COBIT Process Assessment Model (PAM) - Using COBIT 5
COBIT Assessor’s Guide - Using COBIT 4.1
COBIT Assessor’s Guide - Using COBIT 5.0
COBIT Self Assessment Guide - Using COBIT 4.1
COBIT Self Assessment Guide - Using COBIT 5.0
Is done at an enterprise or organisational level and uses a different measurement scale than a capability assessment, and different criteria and attributes.
Is done at a process level and is done for purposes of process improvement.
A ‘competent’ assessor responsible for overseeing the assessment activities.
An individual, developing assessor competencies, who performs the assessment activities.