1. 1 Framework Introduction
1.1. Enterprise Governance of Information and Technology (EGIT)
1.1.1. Information and technology (I&T) is not limited to IT departments
1.1.2. Focus: I&T for enterprise risk management and value generation
1.1.3. EGIT is an integral part of corporate governance.
1.1.4. It is exercised by the board
1.2. Benefits of Information and Technology Governance
1.2.1. Three main outcomes can be expected after successful adoption of EGIT:
1.2.1.1. Benefits realization
1.2.1.1.1. This consists of creating value for the enterprise through I&T, maintaining and increasing value derived from existing I&T investments, and eliminating IT initiatives and assets that are not creating sufficient value.
1.2.1.2. Risk optimization
1.2.1.2.1. This entails addressing the business risk associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise.
1.2.1.3. Resource optimization
1.2.1.3.1. This ensures that the appropriate capabilities are in place to execute the strategic plan and sufficient, appropriate and effective resources are provided.
1.3. COBIT as an I&T Governance Framework
1.3.1. COBIT® has developed into a broader and more comprehensive I&T governance and management framework and continues to establish itself as a generally accepted framework for I&T governance.
1.4. What Is COBIT and What Is It Not?
1.4.1. What COBIT is:
1.4.1.1. COBIT is a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise.
1.4.1.2. COBIT framework makes a clear distinction between governance and management.
1.4.1.2.1. Governance ensures that:
1.4.1.2.2. Management
1.4.1.3. COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.
1.4.1.4. COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.
1.4.1.5. COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
1.4.2. What COBIT is not:
1.4.2.1. COBIT is not a full description of the whole IT environment of an enterprise.
1.4.2.2. COBIT is not a framework to organize business processes.
1.4.2.3. COBIT is not an (IT-)technical framework to manage all technology.
1.4.2.4. COBIT does not make or prescribe any IT-related decisions.
1.5. Intended Audience for COBIT
1.5.1. Internal Stakeholders
1.5.1.1. Boards
1.5.1.2. Executive Management
1.5.1.3. Business Managers
1.5.1.4. IT Managers
1.5.1.5. Assurance Providers
1.5.1.6. Risk Management
1.5.2. External Stakeholders
1.5.2.1. Regulators
1.5.2.2. Business Partners
1.5.2.3. IT Vendors
2. 2 Principles
2.1. Six Principles for a Governance System
2.1.1. 1. Provide Stakeholder Value
2.1.1.1. Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T. Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realize this value.
2.1.2. 2. Holistic Approach
2.1.2.1. A governance system for enterprise I&T is built from a number of components that can be of different types and that work together in a holistic way.
2.1.3. 3. Dynamic Governance System
2.1.3.1. A governance system should be dynamic. This means that each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.
2.1.4. 4. Governance Distinct From Management
2.1.4.1. A governance system should clearly distinguish between governance and management activities and structures.
2.1.5. 5. Tailored to Enterprise Needs
2.1.5.1. A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customize and prioritize the governance system components.
2.1.6. 6. End-to-End Governance System
2.1.6.1. A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless where the processing is located in the enterprise.
2.2. Three Principles for a Governance Framework
2.2.1. 1. Based on Conceptual Model
2.2.1.1. A governance framework should be based on a conceptual model, identifying the 1. key components and relationships among components, to maximize consistency and allow automation.
2.2.2. 2. Open and Flexible
2.2.2.1. A governance framework should be open and flexible. It should allow the addition of new content and the ability to address new issues in the most flexible way, while maintaining integrity and consistency.
2.2.3. 3. Aligned to Major Standards
2.2.3.1. A governance framework should align to relevant major related standards, frameworks and regulations.
3. 3 Governance System and Components
3.1. Governance and Management Objectives
3.1.1. Governance or management objective
3.1.1.1. Always relates to one process (with an identical or similar name) and a series of related components of other types to help achieve the objective.
3.1.1.2. are the domain of senior and middle management.
3.1.2. Governance objective
3.1.2.1. Relates to a governance process, while a management objective relates to a management process .
3.1.2.2. Boards and executive management are typically accountable
3.1.3. The governance and management objectives in COBIT are grouped into five domains.
3.1.3.1. Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain.
3.1.3.2. Management objectives are grouped in four domains:
3.1.3.2.1. A lign, Plan and Organize (APO)
3.1.3.2.2. Build, Acquire and Implement (BAI)
3.1.3.2.3. Deliver, Service and Support (DSS)
3.1.3.2.4. Monitor, Evaluate and Assess (MEA)
3.2. Components of the Governance System
3.2.1. Processes
3.2.1.1. Describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs that support achievement of overall IT-related goals.
3.2.2. Organizational structures
3.2.2.1. Are the key decision-making entities in an enterprise.
3.2.3. Principles, policies and frameworks
3.2.3.1. Translate desired behavior into practical guidance for day-to-day management.
3.2.4. Information
3.2.4.1. Is pervasive throughout any organization and includes all information produced and used by the enterprise.
3.2.5. Culture, ethics and behavior
3.2.5.1. Of individuals and of the enterprise are often underestimated as factors in the success of governance and management activities.
3.2.6. People, skills and competencies
3.2.6.1. Are required for good decisions, execution of corrective action and successful completion of all activities.
3.2.7. Services, infrastructure and applications
3.2.7.1. Include the infrastructure, technology and applications that provide the enterprise with the governance system for I&T processing.
3.3. Focus Areas
3.3.1. describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
3.3.2. Examples include: small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy, and DevOps.
3.4. Design Factors
3.4.1. are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.
3.4.2. Design factors include any combination of the following
3.5. Goals Cascade
3.5.1. IT Supports enterprise goals, which is one of the key design factors for a governance system
3.5.2. It supports prioritization of management objectives based on prioritization of enterprise goals.
3.5.3. COBIT Goals Cascade
4. 4 Governance and Management Objectives
4.1. Purpose of each 40 governance and management objectives.
4.1.1. Evaluate, Direct and Monitor (EDM)
4.1.1.1. EDM01 Ensured governance framework setting and maintenance
4.1.1.1.1. Provide a consistent approach, integrated and aligned with the enterprise governance approach. I&T-related decisions must be made in line with the enterprise’s strategies and objectives and desired value is realized.
4.1.1.2. EDM02 Ensured benefits delivery
4.1.1.2.1. Secure optimal value from I&T-enabled initiatives, services and assets; cost-effective delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.
4.1.1.3. EDM03 Ensured risk optimization
4.1.1.3.1. Ensure that I&T-related enterprise risk does not exceed the enterprise’s risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.
4.1.1.4. EDM04 Ensured resource optimization
4.1.1.4.1. Ensure that the resource needs of the enterprise are met in the optimal manner, I&T costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change.
4.1.1.5. EDM05 Ensured stakeholder engagement
4.1.1.5.1. Ensure that stakeholders are supportive of the I&T strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that I&T-related objectives and strategies are in line with the enterprise’s strategy.
4.1.2. Align, Plan and Organize (APO)
4.1.2.1. APO01 Managed I&T management framework
4.1.2.1.1. Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications.
4.1.2.2. APO02 Managed strategy
4.1.2.2.1. Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes.
4.1.2.3. APO03 Managed enterprise architecture
4.1.2.3.1. Represent the different building blocks that make up the enterprise and its interrelationships, as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives.
4.1.2.4. APO04 Managed innovation
4.1.2.4.1. Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies.
4.1.2.5. APO05 Managed portfolio
4.1.2.5.1. Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand.
4.1.2.6. APO06 Managed budget and costs
4.1.2.6.1. Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services.
4.1.2.7. APO07 Managed human resources
4.1.2.7.1. Optimize human-resources capabilities to meet enterprise objectives.
4.1.2.8. APO08 Managed relationships
4.1.2.8.1. Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders.
4.1.2.9. APO09 Managed service agreements
4.1.2.9.1. Ensure that I&T products, services and service levels meet current and future enterprise needs.
4.1.2.10. APO10 Managed vendors
4.1.2.10.1. Optimize available I&T capabilities to support the I&T strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing.
4.1.2.11. APO11 Managed quality
4.1.2.11.1. Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.
4.1.2.12. APO12 Managed risk
4.1.2.12.1. Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk.
4.1.2.13. APO13 Managed security
4.1.2.13.1. Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.
4.1.2.14. APO14 Managed data
4.1.2.14.1. Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives.
4.1.3. Build, Acquire and Implement (BAI)
4.1.3.1. BAI01 Managed programs
4.1.3.1.1. Realize desired business value and reduce the risk of unexpected delays, costs and value erosion.
4.1.3.2. BAI02 Managed requirements definition
4.1.3.2.1. Create optimal solutions that meet enterprise needs while minimizing risk.
4.1.3.3. BAI03 Managed solutions identification and build
4.1.3.3.1. Ensure agile and scalable delivery of digital products and services.
4.1.3.4. BAI04 Managed availability and capacity
4.1.3.4.1. Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.
4.1.3.5. BAI05 Managed organizational change
4.1.3.5.1. Prepare and commit stakeholders for business change and reduce the risk of failure.
4.1.3.6. BAI06 Managed IT changes
4.1.3.6.1. Enable fast and reliable delivery of change to the business.
4.1.3.7. BAI07 Managed IT change acceptance and transitioning
4.1.3.7.1. Implement solutions safely and in line with the agreed expectations and outcomes.
4.1.3.8. BAI08 Managed knowledge
4.1.3.8.1. Provide the knowledge and management information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.
4.1.3.9. BAI09 Managed assets
4.1.3.9.1. Account for all I&T assets and optimize the value provided by their use.
4.1.3.10. BAI10 Managed configuration
4.1.3.10.1. Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.
4.1.3.11. BAI11 Managed projects
4.1.3.11.1. Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users.
4.1.4. Deliver, Service and Support (DSS)
4.1.4.1. DSS01 Managed operations
4.1.4.1.1. Deliver I&T operational product and service outcomes as planned.
4.1.4.2. DSS02 Managed service requests and incidents
4.1.4.2.1. Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents.
4.1.4.3. DSS03 Managed problems
4.1.4.3.1. Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.
4.1.4.4. DSS04 Managed continuity
4.1.4.4.1. Adapt rapidly, continue business operations, and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).
4.1.4.5. DSS05 Managed security services
4.1.4.5.1. Minimize the business impact of operational information security vulnerabilities and incidents.
4.1.4.6. DSS06 Managed business process controls
4.1.4.6.1. Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.
4.1.5. Deliver, Service and Support (DSS)
4.1.5.1. DSS01 Managed operations
4.1.5.1.1. Deliver I&T operational product and service outcomes as planned.
4.1.5.2. DSS02 Managed service requests and incidents
4.1.5.2.1. Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents.
4.1.5.3. DSS03 Managed problems
4.1.5.3.1. Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.
4.1.5.4. DSS04 Managed continuity
4.1.5.4.1. Adapt rapidly, continue business operations, and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).
4.1.5.5. DSS05 Managed security services
4.1.5.5.1. Minimize the business impact of operational information security vulnerabilities and incidents.
4.1.5.6. DSS06 Managed business process controls
4.1.5.6.1. Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.
4.1.6. Monitor, Evaluate and Assess (MEA)
4.1.6.1. MEA01 Managed performance and conformance monitoring
4.1.6.1.1. Provide transparency of performance and conformance and drive achievement of goals.
4.1.6.2. MEA02 Managed system of internal control
4.1.6.2.1. Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.
4.1.6.3. MEA03 Managed compliance with external requirements
4.1.6.3.1. Ensure that the enterprise is compliant with all applicable external requirements.
4.1.6.4. MEA04 Managed assurance
4.1.6.4.1. Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches.
5. 5 Performance Management
5.1. Definition of Performance management
5.1.1. represents a general term for all activities and methods.
5.1.2. expresses how well the governance and management system and all the components of an enterprise work, and how they can be improved to achieve the required level.
5.1.3. It includes concepts and methods such as capability levels and maturity levels.
5.1.4. COBIT uses the term COBIT performance management (CPM) to describe these activities, and the concept is an integral part of the COBIT framework.
5.2. COBIT Performance Management Principles
5.2.1. 1. The CPM should be simple to understand and use.
5.2.2. 2. The CPM should be consistent with, and support, the COBIT conceptual model.
5.2.3. 3. The CPM should provide reliable, repeatable and relevant results.
5.2.4. 4. The CPM must be flexible.
5.2.5. 5. The CPM should support different types of assessment,
5.3. COBIT Performance Management Overview
5.3.1. The CPM model (figure 6.1) largely aligns to and extends CMMI® Development V2.0 concepts:
5.3.1.1. Process activities are associated to capability levels.
5.3.1.2. Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance.
5.3.1.3. Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved.
5.4. Process Capability Levels
5.4.1. COBIT® 2019 supports a CMMI-based process capability scheme.
5.4.2. Ranging from 0 to 5.
5.5. Rating Process Activities
5.5.1. Fully
5.5.1.1. The capability level is achieved for more than 85 percent.
5.5.2. Largely
5.5.2.1. The capability level is achieved between 50 percent and 85 percent.
5.5.3. Partially
5.5.3.1. The capability level is achieved between 15 percent and 50 percent.
5.5.4. Not
5.5.4.1. The capability level is achieved less than 15 percent.
5.6. Focus Area Maturity Levels
5.6.1. Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and a certain maturity level is achieved if all the processes contained in the focus area achieve that particular capability level.
5.7. Performance Management of Information Items
5.7.1. Information Quality Criteria
5.7.1.1. Intrinsic
5.7.1.1.1. Accuracy
5.7.1.1.2. Objectivity
5.7.1.1.3. Believability
5.7.1.1.4. Reputation
5.7.1.2. Contextual
5.7.1.2.1. Relevancy
5.7.1.2.2. Completeness
5.7.1.2.3. Currency
5.7.1.2.4. Appropriate Amount
5.7.1.2.5. Concise Representation
5.7.1.2.6. Consistent Representation
5.7.1.2.7. Interpretability
5.7.1.2.8. Understandability
5.7.1.2.9. Ease of Manipulation
5.7.1.3. Security/ Privacy/ Accessibility
5.7.1.3.1. Availability
5.7.1.3.2. Restricted Access
6. 6 Designing a Tailored Governance System
6.1. Impact of Design Factors
6.1.1. 1. Management Objective Priority and Target Capability Levels
6.1.1.1. The COBIT core model contains 40 governance and management objectives, each consisting of the process and a number of related components.
6.1.2. 2. Component Variations
6.1.2.1. Components are required to achieve governance and management objectives. Some design factors can influence the importance of one or more components or can require specific variations
6.1.3. 3. Need for Specific Focus Areas
6.1.3.1. Some design factors, such as threat landscape, specific risk, target development methods and infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context.
6.2. Stages and Steps in the Design Process
6.2.1. Figure 7.2 illustrates the proposed flow for designing a tailored governance system.
7. 7 Business Case
7.1. Business Case
7.1.1. Common business practice dictates preparing a business case to analyze and justify the initiation of a large project and/or financial investment.
7.2. Structure recommended
7.2.1. Executive Summary
7.2.2. Background
7.2.3. Business Challenges
7.2.4. Gap Analysis and Goal
7.2.5. Alternatives Considered
7.2.6. Proposed Solution
7.2.6.1. Phase 1. Pre-planning
7.2.6.2. Phase 2. Program Implementation
7.2.6.3. Program Scope
7.2.6.4. Program Methodology and Alignment
7.2.6.5. Program Deliverables
7.2.6.6. Program Risk
7.2.6.7. Stakeholders
7.2.6.8. Cost-Benefit Analysis
7.2.6.9. Challenges and Success Factors