1 Cobit-5-Principles Whp Eng 0714

Jul 06, 2018

Download

Documents

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
8/17/2019 1 Cobit-5-Principles Whp Eng 0714

COBIT 5 PRINCIPLES: WHERE DID THEY COME FROM?

AN ISACA COBIT SERIES WHITE PAPER

Governance and management of enterprise information and related technology (GEIT) is ultimately the board of directors’ (or other governing entity’s) responsibility. The board sets the direction for management to achieve the enterprise objectives and is accountable to the enterprise stakeholders. COBIT 5 is an internationally accepted business GEIT framework from ISACA that was developed by, and for, practitioners and includes insights from IT and general management literature.

This white paper helps practitioners to better understand the COBIT 5 principles and, therefore, be more efficient and effective in the application of the COBIT 5 GEIT framework to their enterprises. This paper clearly explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.

ISACA®

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

DISCLAIMER

ISACA has designed and created COBIT® 5 Principles: Where Did They Come From? white paper (the “Work”) primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Provide feedback: www.isaca.org/COBIT5-Principles
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse

ACKNOWLEDGMENTS

Development Team
Steven De Haes, Ph.D., University of Antwerp—Antwerp Management School, Belgium
Roger Debreceny, Ph.D., CGEIT, FCPA, University of Hawaii at Manoa, USA
Wim Van Grembergen, Ph.D., University of Antwerp—Antwerp Management School, Belgium

Expert Reviewers
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Framework Committee
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore, Chairman
David Cau, GRCP, ITIL V3, MSP, Deloitte, Luxembourg
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Katherine McIntosh, CISA, CIA, Central Hudson Gas & Electric Corp., USA
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
Sylvia Tosar, CGEIT, PMP, Uruguay
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance of IT (PTY) LTD., South Africa
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK (2013-2014)
Frank J. Cindrich, CGEIT, CIPP, CIPP/G, Deloitte & Touche LLP, USA (2013-2014)

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA

INTRODUCTION

COBIT 5 is an internationally accepted governance and management of enterprise information and related technology (GEIT) framework from ISACA that was developed by, and for, practitioners and includes insights from IT and general management literature. This white paper helps practitioners to better understand the COBIT 5 principles (figure 1) and, therefore, be more efficient and effective in the application of the COBIT 5 GEIT framework to their enterprises. This paper clearly explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.

Figure 1—The Five COBIT 5 Principles
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 2

PRINCIPLE 1
MEETING STAKEHOLDER NEEDS

The first principle addresses the need to align individual and departmental objectives and priorities with enterprise and stakeholder needs. The main purpose of GEIT is to achieve strategic alignment of information and related technology with the goals of the enterprise. However, a continuing challenge for enterprises is how to achieve and maintain this alignment as stakeholder needs and enterprise goals change.

To assist enterprises with establishing and maintaining strategic alignment, ISACA undertook research to provide guidance for understanding how enterprise goals drive IT-related goals and vice versa. From this research, developers recorded generic enterprise goals and IT-related goals and represented their interrelationships in the COBIT 5 goals cascade (figure 2).

This cascade constitutes the “top-down” entry point to COBIT 5 for enterprises that are considering the alignment of their information and related technology assets and resources. The goals cascade indicates that the first step that enterprises should take to analyze their business/IT strategic alignment is to define and link enterprise goals and IT-related goals in support of stakeholder needs.

To facilitate a comprehensive approach to governing and managing the alignment of IT performance with enterprise goals, ISACA built on the balanced scorecard (BSC) concepts.¹,²,³ The BSC is an approach to strategic planning and management that is accepted by many enterprises. The COBIT 5 enterprise goals and IT-related goals are grouped into the following BSC business perspectives:

  • Financial
  • Customer
  • Internal
  • Learning and Growth

COBIT 5 provides detailed mappings of enterprise goals to IT-related goals and detailed mappings of IT-related goals to IT-related processes, in addition to general outcome metrics to measure each of those goals and to build a scorecard for IT-related activities.

Figure 2—COBIT 5 Goals Cascade
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 4

1 Kaplan, R.; D. Norton; “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review, USA, 1992
2 Van Grembergen, W.; R. Saul; S. De Haes; “Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group,” Journal for Information Technology Cases and Applications, USA, 2003
3 Balanced Scorecard Institute, a Strategy Management Group company, USA, 1998-2014, https://balancedscorecard.org

PRINCIPLE 2
COVERING THE ENTERPRISE END-TO-END

The governance system for enterprise IT (GEIT) proposed by COBIT 5 integrates seamlessly in any enterprise governance system. COBIT 5 aligns with the latest views on enterprise governance.

COBIT 5 covers all functions and processes within the enterprise, not only the IT function, as was sometimes perceived to be the case with earlier COBIT versions. COBIT 5 considers information and related technologies to be assets and resources and treats them the same as other assets within the enterprise—an approach termed “IT savvy” by Weill and Ross.⁴ Business managers are required to take on the accountability for governing and managing the IT-related assets within their own organizational units and functions—in the same way that they take on the accountability for other assets such as physical plant, financial and human resource assets. Business managers must take ownership of, and be accountable for, governing the use of IT while creating value from IT-enabled business investments—business managers must become more IT savvy.⁵ COBIT provides a common, nontechnical business language framework of guidance for business managers to use when engaging with their IT professional colleagues and advisors to make IT-related business decisions—supporting IT savviness.

The second principle recognizes that the need for business managers to assume accountability for effectively governing and managing their use of IT is increasingly critical to enable the enterprise to achieve the goal of satisfying stakeholder needs. Decisions on IT asset and resource use (e.g., outsourced service selection and acquisition via cloud solution providers and bring your own device [BYOD]) are being made increasingly by business managers. These decisions must be made within the overall GEIT arrangements of the enterprise, to create optimum value for stakeholders.

This principle implies a crucial shift in the minds of business and IT management; it comprises a move from managing IT as a cost to managing IT as an asset. This shift is an essential element of business value creation. “If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on the organizational capabilities. IT becomes a liability instead of a strategic asset.”⁶

COBIT 5 covers both IT and IT-related business accountabilities and responsibilities. Specifically, charts that show who is responsible, accountable, consulted and informed (RACI) for both business and IT function roles are provided in the COBIT® 5: Enabling Processes guide (figure 3). RACI charts indicate that, for every COBIT 5 process, both business and IT function roles have accountabilities and responsibilities.

4 Weill, P.; J. Ross; IT Savvy: What Top Executives Must Know to Go From Pain to Gain, Harvard Business Press, USA, 2009
5 Ibid.
6 Ibid.

PRINCIPLE 2
COVERING THE ENTERPRISE END-TO-END (CONT.)

Figure 3—COBIT 5 RACI Chart Example
Source: COBIT® 5: Enabling Processes, ISACA, USA, 2012, page 52

APO01 RACI Chart

Business roles (chart columns, left to right): Board; Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Business Executives; Business Process Owners; Strategy Executive Committee; Steering (Programmes/Projects) Committee; Project Management Office; Value Management Office; Chief Risk Officer; Chief Information Security Officer; Architecture Board; Enterprise Risk Committee; Head Human Resources; Compliance; Audit

IT function roles (chart columns, continued): Chief Information Officer; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Information Security Manager; Business Continuity Manager; Privacy Officer

Key Management Practice, followed by the non-blank RACI entries of its row (blank cells were not preserved in this transcript, so the letters cannot be assigned to individual columns):

APO01.01 Define the organisational structure: C C C C I C R I I A C C C R C C C
APO01.02 Establish roles and responsibilities: I C C C C C A C C C R C C C C
APO01.03 Maintain the enablers of the management system: C A C R C C I C C C C C C R R
APO01.04 Communicate management objectives and direction: A R R R I R I I I R R I I I I I R I I I I I I I I
APO01.05 Optimise the placement of the IT function: C C C C A C C C C R C C C R C C C
APO01.06 Define information (data) and system ownership: I I C A R C C C C C C C
APO01.07 Manage continual improvement of processes: A R R C I C C R R R R R R R R
APO01.08 Maintain compliance with policies and procedures: A R R R R C I R R R R R R R R

PRINCIPLE 3
APPLYING A SINGLE INTEGRATED FRAMEWORK

The third principle highlights the need to use an overall single, integrated GEIT framework to deliver the optimum value from the IT assets and resources used.

COBIT 5 aligns with other relevant standards and frameworks at a high level and, thus, can serve as the overarching framework for GEIT (figure 4). ISACA made a major investment over the years to align COBIT with other standards and frameworks, including:

  • ISO/IEC 38500:2008⁷
  • ISO/IEC 27001:2013⁸
  • ISO/IEC 20000⁹
  • ISO 31000 series¹⁰
  • ISO 9001:2008¹¹
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework¹²
  • IT Infrastructure Library® (ITIL® V3)¹³
  • Project Management Body of Knowledge (PMBOK®)¹⁴
  • Data Management Body of Knowledge (DMBOK)¹⁵
  • The Open Group Architecture Framework (TOGAF® 9)¹⁶
  • Projects in Controlled Environments (PRINCE2®)¹⁷

Many of the processes in COBIT 5 are inspired by the guidance in these standards and frameworks, which are used by IT professionals worldwide. As such, many of the processes and practices in COBIT 5 relate to, and align with, one or more detailed standards or frameworks that are used by enterprises to govern and manage their IT assets and resources. To help enterprises to work effectively with COBIT 5 and other standards and frameworks, COBIT® 5: Enabling Processes and the COBIT 5 professional guides contain high-level mappings of COBIT 5 processes to the major related standards and frameworks.

COBIT 5 also integrates and harmonizes the Risk IT and Val IT framework guidance, which ISACA published previously, into a single framework, making COBIT 5 a “one-stop shop” for overall GEIT guidance. COBIT 5 includes in its scope previous guidance from ISACA and guidance from other standards and frameworks in the field.

Further, COBIT 5 provides a single overarching framework that serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language. This source can be effectively used as the basis for more detailed guidance on addressing specific GEIT aspects including information security/cybersecurity, risk, assurance, vendor management, configuration management, cloud controls, etc., in an effective way.

7 ISO, “ISO/IEC 38500:2008 Corporate governance of information technology,” Switzerland, 2008, www.iso.org
8 ISO, “ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements,” Switzerland, 2013, www.iso.org
9 ISO, “ISO/IEC 20000-1:2011 Information technology—Service management—Part 1: Service management system requirements,” Switzerland, 2011, www.iso.org
10 ISO, “ISO 31000:2009 Risk management—Principles and guidelines,” Switzerland, 2009, www.iso.org
11 ISO, “ISO 9001:2008 Quality management systems—Requirements,” Switzerland, 2008, www.iso.org
12 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control—Integrated Framework (2013),” USA, 2013, www.coso.org/IC.htm
13 ITIL® Home, “Welcome to the Official ITIL® Website,” UK, www.itil-officialsite.com
14 Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK®), USA, 2008
15 Data Management Association International (DAMA), The DAMA Guide to the Data Management Body of Knowledge (DMBOK), USA, 2009
16 The Open Group, TOGAF® 9, UK, 2009, www.opengroup.org/togaf
17 PRINCE2—Projects In Controlled Environments Home, “Welcome to the Official PRINCE2® Website,” UK, www.prince-officialsite.com

PRINCIPLE 3
APPLYING A SINGLE INTEGRATED FRAMEWORK (CONT.)

Figure 4—COBIT 5 Coverage of Other Standards and Frameworks
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 25

PRINCIPLE 4
ENABLING A HOLISTIC APPROACH

The fourth principle emphasizes that efficient and effective implementation of GEIT requires a holistic approach that takes into account several interacting components or mechanisms—termed “enablers” in COBIT—because they interact to support governance and management of enterprise activities and are interdependent.

The challenge of implementing a holistic approach is related to the need for an organizational system, which is described in strategic management literature as the way a firm gets its people to work together to carry out the business.¹⁸ Such organizational systems require the definition and application, in a holistic manner, of structures (e.g., organizational units and functions) and processes (to ensure that tasks are coordinated and integrated), and attention to people and relational aspects (e.g., culture, values, joint beliefs). Enterprises are applying this organizational system theory to GEIT implementation by using a holistic mixture of structures, processes and other components or mechanisms.¹⁹,²⁰

COBIT 5 builds on these systemic insights with the concept of enablers. Enablers are defined as factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. The COBIT 5 framework describes seven categories of enablers (figure 5)—of which Processes; Organisational Structures; and Culture, Ethics and Behaviour are most closely related to the organizational systems concept. COBIT 5 complements these organizational systems enablers with other important enablers: Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; and People, Skills and Competencies.

Figure 5—COBIT 5 Enablers
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 12

18 De Wit, B.; R. Meyer; Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage, Cengage Learning EMEA, USA, 2005
19 Peterson, R.; “Crafting Information Technology Governance,” Information Systems Management, USA, 2004
20 De Haes, S.; W. Van Grembergen; “An Exploratory Study Into IT Governance Implementations and Its Impact on Business/IT Alignment,” Information Systems Management, USA, 2009

PRINCIPLE 5
SEPARATING GOVERNANCE FROM MANAGEMENT

Finally, COBIT 5 makes a distinction between governance and management. This distinction aligns with the following guidance in ISO/IEC 38500:2008:

  Directors should govern IT through three main tasks:
  a) Evaluate the current and future use of IT.
  b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
  c) Monitor conformance to policies, and performance against the plans.²¹

In COBIT 5, ISACA states for the first time that GEIT processes encompass different types of activities. The governance processes are organized following the evaluate, direct and monitor (EDM) model, as proposed by ISO/IEC 38500. IT governance processes ensure that enterprise goals are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. Based on the results, guidance and output from these governance activities, business and IT management plans, builds, runs and monitors activities (PBRM) to ensure alignment with the direction that was set by the governance body and, thus, achieve the enterprise objectives (figure 6).

Figure 6—COBIT 5 Governance and Management Key Areas (diagram labels: Business Needs; Governance: Evaluate, Direct, Monitor; Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA); Management Feedback)
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 30

21 ISO, “ISO/IEC 38500:2008 Corporate governance of information technology,” Switzerland, 2008, www.iso.org

CONCLUSION

GEIT is the board’s accountability and responsibility, and the execution of the set direction is management’s accountability and responsibility.²² COBIT 5 is primarily a business GEIT framework made by, and for, practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, balanced scorecard, IT savviness and organizational systems.

The core elements of COBIT 5 are built on these IT and general management insights. Practitioners can use the insights in this white paper and its references to apply COBIT 5 principles and guidance in their enterprises.

22 Van Grembergen, W.; S. De Haes; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009