8/17/2019 1 Cobit-5-Principles Whp Eng 0714
1/12
COBIT 5 PRINCIPLES: WHERE DID THEY COME FROM?
AN ISACA COBIT SERIES WHITE PAPER

Governance and management of enterprise information and related technology (GEIT) is ultimately the board of directors’ (or other governing entity’s) responsibility. The board sets the direction for management to achieve the enterprise objectives and is accountable to the enterprise stakeholders. COBIT 5 is an internationally accepted business GEIT framework from ISACA that was developed by, and for, practitioners and includes insights from IT and general management literature. This white paper helps practitioners to better understand the COBIT 5 principles and, therefore, be more efficient and effective in the application of the COBIT 5 GEIT framework to their enterprises. This paper clearly explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.
ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
DISCLAIMER
ISACA has designed and created COBIT® 5 Principles: Where Did They Come From? white paper (the “Work”) primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Provide feedback:
www.isaca.org/COBIT5-Principles
Participate in the ISACA
Knowledge Center:
www.isaca.org/knowledge-center
Follow ISACA on Twitter:
https://twitter.com/ISACANews
Join ISACA on LinkedIn:
ISACA (Official),
http://linkd.in/ISACAOfficial
Like ISACA on Facebook:
www.facebook.com/ISACAHQ
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse
COBIT ® 5 Principles: Where Did They Come From?
ACKNOWLEDGMENTS

Development Team
Steven De Haes, Ph.D., University of Antwerp—Antwerp Management School, Belgium
Roger Debreceny, Ph.D., CGEIT, FCPA, University of Hawaii at Manoa, USA
Wim Van Grembergen, Ph.D., University of Antwerp—Antwerp Management School, Belgium

Expert Reviewers
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA

Framework Committee
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore, Chairman
David Cau, GRCP, ITIL V3, MSP, Deloitte, Luxembourg
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Katherine McIntosh, CISA, CIA, Central Hudson Gas & Electric Corp., USA
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
Sylvia Tosar, CGEIT, PMP, Uruguay
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance of IT (PTY) LTD., South Africa
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK (2013-2014)
Frank J. Cindrich, CGEIT, CIPP, CIPP/G, Deloitte & Touche LLP, USA (2013-2014)
INTRODUCTION

COBIT 5 is an internationally accepted governance and management of enterprise information and related technology (GEIT) framework from ISACA that was developed by, and for, practitioners and includes insights from IT and general management literature. This white paper helps practitioners to better understand the COBIT 5 principles (figure 1) and, therefore, be more efficient and effective in the application of the COBIT 5 GEIT framework to their enterprises. This paper clearly explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.

Figure 1—The Five COBIT 5 Principles
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 2
PRINCIPLE 1
MEETING STAKEHOLDER NEEDS

The first principle addresses the need to align individual and departmental objectives and priorities with enterprise and stakeholder needs. The main purpose of GEIT is to achieve strategic alignment of information and related technology with the goals of the enterprise. However, a continuing challenge for enterprises is how to achieve and maintain this alignment as stakeholder needs and enterprise goals change.

To assist enterprises with establishing and maintaining strategic alignment, ISACA undertook research to provide guidance for understanding how enterprise goals drive IT-related goals and vice versa. From this research, developers recorded generic enterprise goals and IT-related goals and represented their interrelationships in the COBIT 5 goals cascade (figure 2).

This cascade constitutes the “top-down” entry point to COBIT 5 for enterprises that are considering the alignment of their information and related technology assets and resources. The goals cascade indicates that the first step that enterprises should take to analyze their business/IT strategic alignment is to define and link enterprise goals and IT-related goals in support of stakeholder needs.

To facilitate a comprehensive approach to governing and managing the alignment of IT performance with enterprise goals, ISACA built on the balanced scorecard (BSC) concepts.[1,2,3] The BSC is an approach to strategic planning and management that is accepted by many enterprises. The COBIT 5 enterprise goals and IT-related goals are grouped into the following BSC business perspectives:
• Financial
• Customer
• Internal
• Learning and Growth

COBIT 5 provides detailed mappings of enterprise goals to IT-related goals and detailed mappings of IT-related goals to IT-related processes, in addition to general outcome metrics to measure each of those goals and to build a scorecard for IT-related activities.

Figure 2—COBIT 5 Goals Cascade
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 4

[1] Kaplan, R.; D. Norton; “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review, USA, 1992
[2] Van Grembergen, W.; R. Saul; S. De Haes; “Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group,” Journal for Information Technology Cases and Applications, USA, 2003
[3] Balanced Scorecard Institute, a Strategy Management Group company, USA, 1998-2014, https://balancedscorecard.org
PRINCIPLE 2
COVERING THE ENTERPRISE END-TO-END

The governance system for enterprise IT (GEIT) proposed by COBIT 5 integrates seamlessly in any enterprise governance system. COBIT 5 aligns with the latest views on enterprise governance.

COBIT 5 covers all functions and processes within the enterprise, not only the IT function, as was sometimes perceived to be the case with earlier COBIT versions. COBIT 5 considers information and related technologies to be assets and resources and treats them the same as other assets within the enterprise—an approach termed “IT savvy” by Weill and Ross.[4] Business managers are required to take on the accountability for governing and managing the IT-related assets within their own organizational units and functions—in the same way that they take on the accountability for other assets such as physical plant, financial and human resource assets. Business managers must take ownership of, and be accountable for, governing the use of IT while creating value from IT-enabled business investments—business managers must become more IT savvy.[5] COBIT provides a common, nontechnical business language framework of guidance for business managers to use when engaging with their IT professional colleagues and advisors to make IT-related business decisions—supporting IT savviness.

The second principle recognizes that the need for business managers to assume accountability for effectively governing and managing their use of IT is increasingly critical to enable the enterprise to achieve the goal of satisfying stakeholder needs. Decisions on IT asset and resource use (e.g., outsourced service selection and acquisition via cloud solution providers and bring your own device [BYOD]) are being made increasingly by business managers. These decisions must be made within the overall GEIT arrangements of the enterprise, to create optimum value for stakeholders.

This principle implies a crucial shift in the minds of business and IT management; it comprises a move from managing IT as a cost to managing IT as an asset. This shift is an essential element of business value creation. “If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on the organizational capabilities. IT becomes a liability instead of a strategic asset.”[6]

COBIT 5 covers both IT and IT-related business accountabilities and responsibilities. Specifically, charts that show who is responsible, accountable, consulted and informed (RACI) for both business and IT function roles are provided in the COBIT® 5: Enabling Processes guide (figure 3). RACI charts indicate that, for every COBIT 5 process, both business and IT function roles have accountabilities and responsibilities.

[4] Weill, P.; J. Ross; IT Savvy: What Top Executives Must Know to Go From Pain to Gain, Harvard Business Press, USA, 2009
[5] Ibid.
[6] Ibid.
Figure 3—COBIT 5 RACI Chart Example: APO01 RACI Chart
Source: COBIT® 5: Enabling Processes, ISACA, USA, 2012, page 52

Business roles (columns, left to right): Board; Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Business Executives; Business Process Owners; Strategy Executive Committee; Steering (Programmes/Projects) Committee; Project Management Office; Value Management Office; Chief Risk Officer; Chief Information Security Officer; Architecture Board; Enterprise Risk Committee; Head Human Resources; Compliance; Audit
IT function roles (columns, continued): Chief Information Officer; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Information Security Manager; Business Continuity Manager; Privacy Officer

Key Management Practice (non-blank R/A/C/I cells, in column order):
APO01.01 Define the organisational structure. — C C C C I C R I I A C C C R C C C
APO01.02 Establish roles and responsibilities. — I C C C C C A C C C R C C C C
APO01.03 Maintain the enablers of the management system. — C A C R C C I C C C C C C R R
APO01.04 Communicate management objectives and direction. — A R R R I R I I I R R I I I I I R I I I I I I I I
APO01.05 Optimise the placement of the IT function. — C C C C A C C C C R C C C R C C C
APO01.06 Define information (data) and system ownership. — I I C A R C C C C C C C
APO01.07 Manage continual improvement of processes. — A R R C I C C R R R R R R R R
APO01.08 Maintain compliance with policies and procedures. — A R R R R C I R R R R R R R R
PRINCIPLE 3
APPLYING A SINGLE INTEGRATED FRAMEWORK

The third principle highlights the need to use an overall single, integrated GEIT framework to deliver the optimum value from the IT assets and resources used.

COBIT 5 aligns with other relevant standards and frameworks at a high level and, thus, can serve as the overarching framework for GEIT (figure 4). ISACA made a major investment over the years to align COBIT with other standards and frameworks, including:
• ISO/IEC 38500:2008[7]
• ISO/IEC 27001:2013[8]
• ISO/IEC 20000[9]
• ISO 31000 series[10]
• ISO 9001:2008[11]
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework[12]
• IT Infrastructure Library® (ITIL® V3)[13]
• Project Management Body of Knowledge (PMBOK®)[14]
• Data Management Body of Knowledge (DMBOK)[15]
• The Open Group Architecture Framework (TOGAF® 9)[16]
• Projects in Controlled Environments (PRINCE2®)[17]

Many of the processes in COBIT 5 are inspired by the guidance in these standards and frameworks, which are used by IT professionals worldwide. As such, many of the processes and practices in COBIT 5 relate to, and align with, one or more detailed standards or frameworks that are used by enterprises to govern and manage their IT assets and resources. To help enterprises to work effectively with COBIT 5 and other standards and frameworks, COBIT® 5: Enabling Processes and the COBIT 5 professional guides contain high-level mappings of COBIT 5 processes to the major related standards and frameworks.

COBIT 5 also integrates and harmonizes the Risk IT and Val IT framework guidance, which ISACA published previously, into a single framework, making COBIT 5 a “one-stop shop” for overall GEIT guidance. COBIT 5 includes in its scope previous guidance from ISACA and guidance from other standards and frameworks in the field.

Further, COBIT 5 provides a single overarching framework that serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language. This source can be effectively used as the basis for more detailed guidance on addressing specific GEIT aspects, including information security/cybersecurity, risk, assurance, vendor management, configuration management, cloud controls, etc.

[7] ISO, “ISO/IEC 38500:2008 Corporate governance of information technology,” Switzerland, 2008, www.iso.org
[8] ISO, “ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems – Requirements,” Switzerland, 2013, www.iso.org
[9] ISO, “ISO/IEC 20000-1:2011 Information technology—Service management—Part 1: Service management system requirements,” Switzerland, 2011, www.iso.org
[10] ISO, “ISO 31000:2009 Risk management – Principles and guidelines,” Switzerland, 2009, www.iso.org
[11] ISO, “ISO 9001:2008 Quality management systems—Requirements,” Switzerland, 2008, www.iso.org
[12] Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control—Integrated Framework (2013),” USA, 2013, www.coso.org/IC.htm
[13] ITIL® Home, “Welcome to the Official ITIL® Website,” UK, www.itil-officialsite.com
[14] Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK®), USA, 2008
[15] Data Management Association International (DAMA), The DAMA Guide to the Data Management Body of Knowledge (DMBOK), USA, 2009
[16] The Open Group, TOGAF® 9, UK, 2009, www.opengroup.org/togaf
[17] PRINCE2—Projects In Controlled Environments Home, “Welcome to the Official PRINCE2® Website,” UK, www.prince-officialsite.com
Figure 4—COBIT 5 Coverage of Other Standards and Frameworks
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 25
PRINCIPLE 4
ENABLING A HOLISTIC APPROACH

The fourth principle emphasizes that efficient and effective implementation of GEIT requires a holistic approach that takes into account several interacting components or mechanisms—termed “enablers” in COBIT—because they interact to support governance and management of enterprise activities and are interdependent.

The challenge of implementing a holistic approach is related to the need for an organizational system, which is described in strategic management literature as the way a firm gets its people to work together to carry out the business.[18] Such organizational systems require the definition and application, in a holistic manner, of structures (e.g., organizational units and functions) and processes (to ensure that tasks are coordinated and integrated), and attention to people and relational aspects (e.g., culture, values, joint beliefs). Enterprises are applying this organizational system theory to GEIT implementation by using a holistic mixture of structures, processes and other components or mechanisms.[19,20]

COBIT 5 builds on these systemic insights with the concept of enablers. Enablers are defined as factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. The COBIT 5 framework describes seven categories of enablers (figure 5)—of which Processes; Organisational Structures; and Culture, Ethics and Behaviour are most closely related to the organizational systems concept. COBIT 5 complements these organizational systems enablers with other important enablers: Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; and People, Skills and Competencies.

Figure 5—COBIT 5 Enablers
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 12

[18] De Wit, B.; R. Meyer; Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage, Cengage Learning EMEA, USA, 2005
[19] Peterson, R.; “Crafting Information Technology Governance,” Information Systems Management, USA, 2004
[20] De Haes, S.; W. Van Grembergen; “An Exploratory Study Into IT Governance Implementations and Its Impact on Business/IT Alignment,” Information Systems Management, USA, 2009
PRINCIPLE 5
SEPARATING GOVERNANCE FROM MANAGEMENT

Finally, COBIT 5 makes a distinction between governance and management. This distinction aligns with the following guidance in ISO/IEC 38500:2008:

Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.[21]

In COBIT 5, ISACA states for the first time that GEIT processes encompass different types of activities. The governance processes are organized following the evaluate, direct and monitor (EDM) model, as proposed by ISO/IEC 38500. IT governance processes ensure that enterprise goals are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. Based on the results, guidance and output from these governance activities, business and IT management plans, builds, runs and monitors activities (PBRM) to ensure alignment with the direction that was set by the governance body and, thus, achieve the enterprise objectives (figure 6).

Figure 6—COBIT 5 Governance and Management Key Areas
Figure labels: Business Needs; Governance: Evaluate, Direct, Monitor; Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA); Management Feedback
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 30

[21] ISO, “ISO/IEC 38500:2008 Corporate governance of information technology,” Switzerland, 2008, www.iso.org
CONCLUSION

GEIT is the board’s accountability and responsibility, and the execution of the set direction is management’s accountability and responsibility.[22] COBIT 5 is primarily a business GEIT framework made by, and for, practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, balanced scorecard, IT savviness and organizational systems.

The core elements of COBIT 5 are built on these IT and general management insights. Practitioners can use the insights in this white paper and its references to apply COBIT 5 principles and guidance in their enterprises.

[22] Van Grembergen, W.; S. De Haes; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009