
COBIT 5 Update Research - Isaca Malta Chapter

Feb 03, 2022

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5

ISACA Malta Chapter

Steven Babb

Dirk Steuperaert

Page 2: COBIT 5 Update Research - Isaca Malta Chapter

Steven Babb

• Education
– 1st Class BSc (Hons) Computing (1996)
– BS7799 Lead Auditor, ITIL Service Manager
– Prince 2 Certified Practitioner
– CGEIT, CRISC

• Professional Career
– International Brewer, various roles (1991-1996)
– KPMG, Head of IT Risk (1996-2012)
– Betfair, Head of Governance, Risk & Assurance (2012-…)

• Professional Organisations
– RiskIT Task Force, COBIT 5 Task Force, Cloud Computing Task Force
– Framework Committee Chair, COBIT for Risk Chair

• Contact – [email protected]

Page 3: COBIT 5 Update Research - Isaca Malta Chapter

Dirk Steuperaert

• Education
– Master Engineering (UGent, 1986)
– Master Computer Auditing (UAMS, 1995)
– CISA (1995), CGEIT (2009), CRISC (2011)

• Professional Career
– Software Engineer (SWIFT) (1988-1992)
– IT Auditor (SWIFT, BBL, Cedel) (1992-1997)
– Consultant (PwC, 1997-2008)
– Independent Consultant (IT In Balance, 2008 - …)

• Professional Organisations
– ISACA (COBIT Steering Committee, Lead Developer of Risk IT, Project Manager of COBIT 5 Development, Project Manager for COBIT 5 for Risk, COBIT 5 for Assurance)

• Contact – [email protected]

Page 4: COBIT 5 Update Research - Isaca Malta Chapter

Objectives for this session

• To provide you with:
– An overview of the development approach behind COBIT 5 and a brief history of COBIT
– An understanding of the key principles underpinning the COBIT 5 framework
– Key considerations on how to implement COBIT 5
– Additional COBIT 5 publications – what is here now and what is coming next
– Thoughts on migration from legacy to COBIT 5

Page 5: COBIT 5 Update Research - Isaca Malta Chapter

Agenda (presenter in brackets)

1. COBIT 5 Drivers (Steven)
2. COBIT 5 Framework – COBIT 5 Principles (Steven)
3. COBIT 5 Framework – Enablers (Steven)
4. COBIT 5 Framework – Process Capability Model (Dirk)
5. COBIT 5 Enabling Processes – Introduction (Dirk)
6. COBIT 5 Enabling Processes – Structure (Dirk)
7. COBIT 5 Enabling Processes – Overview of COBIT 5 Process Domains and Processes (Dirk)
8. COBIT 5 Implementation Guide (Dirk)
9. Additional Pubs: COBIT 5 for Security, COBIT 5 PAM (Steven)
10. Upcoming Pubs: COBIT 5 for Assurance, COBIT 5 for Risk (Steven)
11. Migrating to COBIT 5 – some more things to consider (Dirk)
12. Q&A

Page 6: COBIT 5 Update Research - Isaca Malta Chapter

1. Introduction & COBIT 5 Drivers

Page 7: COBIT 5 Update Research - Isaca Malta Chapter

Introduction – The Basic Equation

• A Framework – definition:
– Framework ≠ Standard
– Framework ≠ Complete Solution
– Framework ≠ Ready-to-use Solution
– Framework ⊂ Structures and components
– Framework ⊂ Way of thinking
– Framework ⇒ Basis that needs customisation

Page 8: COBIT 5 Update Research - Isaca Malta Chapter

COBIT – ‘The’ Word

• The very original acronym COBIT stood for ‘Control Objectives for Information and Related Technology’
• The control objectives are gone now… well, at least the name has…
• But Information and Related Technology stand!
• Information
– is a key resource for all enterprises
– is created, used, retained, disclosed and destroyed
• Technology
– plays a key role in these actions
– is becoming pervasive in all aspects of business and personal life

Page 9: COBIT 5 Update Research - Isaca Malta Chapter

COBIT – Enterprise Context and Benefits

• Today, enterprises and their executives have to:
– Maintain high-quality information
– Generate business value from IT-enabled investments
– Achieve operational excellence
– Maintain IT-related risk at an acceptable level
– Optimise the cost of IT services and technology
– Comply with ever-increasing relevant laws, regulations, contractual agreements and policies
• COBIT 5 provides the framework to fulfil these requirements

Page 10: COBIT 5 Update Research - Isaca Malta Chapter

Drivers for COBIT 5: Changing World

• The world has moved on since COBIT 4.1 and related ISACA guidance were published:
– Importance of information
– Role of technology
– Technology landscape
– Views on governance and standards landscape
– Economic context
– Regulatory context
– Need for rationalisation of various ISACA guidance

Page 11: COBIT 5 Update Research - Isaca Malta Chapter

Drivers for COBIT 5: Stakeholder Value

• Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets
• Enterprise boards, executives and management have to embrace IT like any other significant part of the business
• COBIT 5 provides the comprehensive framework for enterprises to:
– achieve their goals
– deliver value through effective governance and management of enterprise IT

Page 12: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Framework

• Simply stated: COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use
– COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise
– The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector

Page 13: COBIT 5 Update Research - Isaca Malta Chapter

COBIT: Its development history

A business framework from ISACA, at www.isaca.org/cobit

Evolution of scope across COBIT versions (figure recovered as a list):
– COBIT1 (1996): Audit
– COBIT2 (1998): Control
– COBIT3 (2000): Management
– COBIT4.0/4.1 (2005/7): IT Governance
– COBIT 5 (2012): Governance of Enterprise IT
Related ISACA guidance: Val IT 2.0 (2008), Risk IT (2009)

Page 14: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5: Timeline…

– Sep 2009: Joint FC-C5TF Kick-Off Meeting
– Nov 2009: Start of Design
– Feb 2010: Dev Team Meeting
– 20/03/2010: Public Exposure COBIT 5 Architecture Blueprint
– Apr 2010: C5TF Meeting
– May 2010: First SME Development Workshop
– Aug 2010: Second SME Development Workshop
– Oct 2010: Dev Team Meeting
– Dec 2010: C5TF Meeting
– Jan 2011: End of Design
– 29/03/2011: SME Exposure COBIT 5
– May 2011: C5TF Meeting
– 1/07/2011: Public Exposure COBIT 5 Framework and Process Guide
– Nov 2011: Final C5TF Meeting
– Jan 2012: End of Development
– 10/04/2012: Publication COBIT 5

Page 15: COBIT 5 Update Research - Isaca Malta Chapter

2. COBIT 5 Framework (1)

COBIT 5 Principles

Page 16: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Framework

• The main, overarching COBIT 5 product
• Contains the executive summary and the full description of all of the COBIT 5 framework components:
– The COBIT 5 principles – there are 5 of them!
– The seven COBIT 5 enablers
– An introduction to the implementation guidance (COBIT 5 Implementation)
– An introduction to the COBIT Assessment Programme (not specific to COBIT 5)

Page 17: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles

Page 18: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
1. Meeting Stakeholder Needs

• Enterprises exist to create value for their stakeholders. Therefore:
– Governance Objective = Value Creation
– Governance objectives driven by stakeholder needs
– Value is the interaction and combination of three components

Page 19: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
1. Meeting Stakeholder Needs

• Enterprises exist to create value for their stakeholders
• Therefore:
– Governance objectives need to be translated into manageable goals
– This is the COBIT 5 goals cascade
– This translates stakeholder needs into specific, actionable and customised goals

Page 20: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
2. Covering the Enterprise End-to-End

• COBIT 5:
– Integrates governance of enterprise IT into enterprise governance
– Covers all functions and processes within the enterprise
• Key components of a governance system:
– Governance Enablers – the organisational resources for governance
– Governance Scope – the entity to which governance is applied

Page 21: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
2. Covering the Enterprise End-to-End

• Third component: the governance roles, activities and relationships.
– defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system

Page 22: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
3. Integrated Framework

• COBIT 5 aligns with the latest relevant other standards and frameworks:
– Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
– IT-related: ISO 38500, ITIL, ISO 27000 series, TOGAF, PMBOK/PRINCE2, CMMI, …
• This allows COBIT 5 to be used as the overarching governance and management framework integrator
• COBIT 5 also integrates all major ISACA guidance: COBIT 4.1, Risk IT, Val IT, BMIS, ITAF
• One consistent knowledge-base to build the COBIT 5 Product Family on

Page 23: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
3. Integrated Framework

Page 24: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
4. Enabling a Holistic Approach

• Enablers are factors that, individually and collectively, influence whether something will work
• Enablers are driven by the goals cascade
• The COBIT 5 framework describes seven categories of enablers

Page 25: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
5. Separating Governance from Management

• Governance: Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives [EDM]
• Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives [PBRM]

Page 26: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Principles
5. Separating Governance from Management

Page 27: COBIT 5 Update Research - Isaca Malta Chapter

3. COBIT 5 Framework (2)

COBIT 5 Enablers and the Enabler Model

Page 28: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Enablers

Page 29: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Enabler Model

Page 30: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Enabler Model

• This generic enabler model is repeated for each of the seven enablers, adding more specific details, guidance and some simple examples

Page 31: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Enabler Model – Performance Management

Page 32: COBIT 5 Update Research - Isaca Malta Chapter

4. COBIT 5 Framework (3)

COBIT 5 Process Capability Model

Page 33: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Framework
Process Capability Model

• COBIT 5 is supported by a new process capability assessment approach based on ISO/IEC 15504: the COBIT Assessment Programme.
• The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IEC 15504 approach, as the methods use different attributes and measurement scales
• In Practice
– In general, ‘ratings’ of a process will be lower with the new capability assessment approach (but are not comparable anyway)
– COBIT 5 does not include a specific maturity model per process

Page 34: COBIT 5 Update Research - Isaca Malta Chapter

Recap of Process Evaluation Methods: COBIT 4.1

Page 35: COBIT 5 Update Research - Isaca Malta Chapter

Recap of Process Evaluation Methods: Risk IT

Page 36: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Framework
Process Capability Model

Page 37: COBIT 5 Update Research - Isaca Malta Chapter

Recap of Process Evaluation Methods
Rationale for change

• The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method
• The COBIT Assessment Programme supports
– formal assessments by accredited assessors (assessor training is being developed)
– less rigorous self-assessments for internal gap analysis and process improvement planning
• The COBIT Assessment Programme, in the future, will also potentially enable an enterprise to obtain independent and certified assessments aligned to the ISO standard

Page 38: COBIT 5 Update Research - Isaca Malta Chapter

Recap of Process Evaluation Methods
Rationale for change

• COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach need to:
– realign their previous ratings,
– adopt and learn the new method, and
– initiate a new set of assessments in order to gain the benefits of the new approach
• Information gathered from previous assessments may be reusable, but needed as there are significant differences in requirements
• COBIT 4.1, Val IT and Risk IT users wishing to continue with the CMM-based approach, either as an interim or on-going approach, can use the COBIT 5 guidance, but must use the COBIT 4.1 generic attribute table without the high-level maturity models

Page 39: COBIT 5 Update Research - Isaca Malta Chapter

Recap of Enabler Performance Management

Page 40: COBIT 5 Update Research - Isaca Malta Chapter

Assessing Other Enablers

• The ISO 15504 based approach is a process assessment scheme
• The generic enabler performance model aligns quite well with the 15504 approach – same basic questions asked…
• So performance of other enablers can be assessed in a similar manner
• BUT:
– COBIT 5 as it stands does not elaborate this explicitly as it does for processes

Page 41: COBIT 5 Update Research - Isaca Malta Chapter

5. COBIT 5 Enabling Processes

Introduction

Page 42: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

• COBIT 5 goals cascade complemented with example metrics for the enterprise goals and the IT-related goals
• COBIT 5 process model is explained and its components defined
• Process reference model of 37 processes with detailed information for all processes

Page 43: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – COBIT 5 Process Model

Page 44: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Process Reference Model

Page 45: COBIT 5 Update Research - Isaca Malta Chapter

6. COBIT 5 Enabling Processes

Structure

Page 46: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

Page 47: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

• COBIT 5 provides a revised goals cascade based on Enterprise goals (previously: Business Goals) driving IT-related goals (previously: IT Goals) and then supported by critical Enablers (previously: Processes)
• COBIT 5 provides examples of goals and metrics at the enterprise, IT-related and process levels
– This is a change from COBIT 4.1, Val IT and Risk IT, which went down one level lower but did not have the higher level

Page 48: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

• Each process starts with:
– Header information
– Process description
– Process Purpose Statement

Page 49: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

• Goals cascade information:
– IT-related goals supported by this process + related metrics
– Process Goals + related metrics

Page 50: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

Page 51: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

• Process Practices, with
– Inputs & outputs
– Process activities
• RACI chart

Page 52: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

Page 53: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

Page 54: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Enabling Processes – Detailed Process Guidance

• Related guidance

Page 55: COBIT 5 Update Research - Isaca Malta Chapter

7. COBIT 5 Enabling Processes

Process Domains and Processes

Page 56: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide – Process Reference Model

Page 57: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – EDM

Evaluate, Direct & Monitor Processes for Governance of Enterprise IT:
– EDM1 – Ensure Governance Framework Setting and Maintenance
– EDM2 – Ensure Benefits Delivery
– EDM3 – Ensure Risk Optimisation
– EDM4 – Ensure Resource Optimisation
– EDM5 – Ensure Stakeholder Transparency

Process: EDM01 Ensure Governance Framework Setting and Maintenance
Purpose: Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met

Process: EDM02 Ensure Benefits Delivery
Purpose: Secure optimal value from IT-enabled initiatives, services and assets, cost-efficient delivery of solutions and services, and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently

Page 58: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – EDM

Evaluate, Direct & Monitor Processes for Governance of Enterprise IT (continued)

Process: EDM03 Ensure Risk Optimisation
Purpose: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised

Process: EDM04 Ensure Resource Optimisation
Purpose: Ensure that the resource needs of the enterprise are met in the most optimal manner, IT costs are optimised, and there is an increased likelihood of benefit realisation and readiness for future change

Process: EDM05 Ensure Stakeholder Transparency
Purpose: Make sure that the communication to stakeholders is effective and timely and the basis for reporting is established to increase performance, identify areas for improvement, and confirm that IT-related objectives and strategies are in line with the enterprise’s strategy

Page 59: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – APO

Processes for Management of Enterprise IT – Align, Plan & Organise:
– APO1 – Manage the IT Management Framework
– APO2 – Manage Strategy
– APO3 – Manage Enterprise Architecture
– APO4 – Manage Innovation
– APO5 – Manage Portfolio
– APO6 – Manage Budget & Costs
– APO7 – Manage Human Resources
– APO8 – Manage Relationships
– APO9 – Manage Service Agreements
– APO10 – Manage Suppliers
– APO11 – Manage Quality
– APO12 – Manage Risk
– APO13 – Manage Security

Process: APO01 Manage the IT Management Framework
Purpose: Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies

Process: APO02 Manage Strategy
Purpose: Align strategic IT plans with business objectives, clearly communicate the objectives and associated accountabilities so they are understood by all, with the IT strategic options identified, structured and integrated with the business plans

Process: APO03 Manage Enterprise Architecture
Purpose: Represent the different building blocks that make up the enterprise and their inter-relationships as well as the principles guiding their design and evolution over time, enabling a standard, responsive and efficient delivery of operational and strategic objectives

Page 60: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – APO

Processes for Management of Enterprise IT – Align, Plan & Organise (continued)

Process: APO04 Manage Innovation
Purpose: Achieve competitive advantage, business innovation, and improved operational effectiveness and efficiency by exploiting information technology developments

Process: APO05 Manage Portfolio
Purpose: Optimise the performance of the overall portfolio of programmes in response to programme and service performance and changing enterprise priorities and demands

Process: APO06 Manage Budget and Costs
Purpose: Enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services

Page 61: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – APO

Processes for Management of Enterprise IT – Align, Plan & Organise (continued)

Process: APO07 Manage Human Resources
Purpose: Optimise human resources capabilities to meet enterprise objectives

Process: APO08 Manage Relationships
Purpose: Create improved outcomes, increased confidence, and trust in IT and effective use of resources

Process: APO09 Manage Service Agreements
Purpose: IT services and service levels meet current and future enterprise needs

Page 62: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – APO

Processes for Management of Enterprise IT – Align, Plan & Organise (continued)

Process: APO10 Manage Suppliers
Purpose: Minimise the risk associated with non-performing suppliers and ensure competitive pricing

Process: APO11 Manage Quality
Purpose: Consistent delivery of solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs

Process: APO12 Manage Risk
Purpose: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk

Process: APO13 Manage Security
Purpose: Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels

Page 63: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – BAI

Processes for Management of Enterprise IT – Build, Acquire & Implement:
– BAI1 – Manage Programmes and Projects
– BAI2 – Manage Requirements Definition
– BAI3 – Manage Solutions Identification & Build
– BAI4 – Manage Availability & Capacity
– BAI5 – Manage Organisational Change Enablement
– BAI6 – Manage Changes
– BAI7 – Manage Changes Acceptance and Transitioning
– BAI8 – Manage Knowledge
– BAI9 – Manage Assets
– BAI10 – Manage Configuration

Process: BAI01 Manage Programmes and Projects
Purpose: Realise business benefits and reduce the risk of unexpected delays, costs and value erosion, ensuring the value and quality of project deliverables, and maximising their contribution to the investment and services portfolio

Process: BAI02 Manage Requirements Definition
Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk

Process: BAI03 Manage Solutions Identification and Build
Purpose: Establish timely and cost-effective solutions capable of supporting enterprise strategic and operational objectives

Page 64: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – BAI

Processes for Management of Enterprise IT – Build, Acquire & Implement (continued)

Process: BAI04 Manage Availability and Capacity
Purpose: Maintain service availability, efficient management of resources and optimisation of system performance through prediction of future performance and capacity requirements

Process: BAI05 Manage Organisational Change Enablement
Purpose: Prepare and commit stakeholders for business change and reduce the risk of failure

Process: BAI06 Manage Changes
Purpose: Enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment

Page 65: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – BAI

Processes for Management of Enterprise IT – Build, Acquire & Implement (continued)

Process: BAI07 Manage Changes, Acceptance and Transitioning
Purpose: Implement solutions safely and in line with the agreed-on expectations and outcomes

Process: BAI08 Manage Knowledge
Purpose: Provide the knowledge required to support all staff in their work activities and for informed decision making and enhanced productivity

Process: BAI09 Manage Assets
Purpose: Account for all IT assets and optimise the value provided by these assets

Process: BAI10 Manage Configuration
Purpose: Provide sufficient information about service assets to enable the service to be effectively managed, to assess the impact of changes and to deal with service incidents.

Page 66: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – DSS

Processes for Management of Enterprise IT – Deliver, Service & Support:
– DSS1 – Manage Operations
– DSS2 – Manage Service Requests & Incidents
– DSS3 – Manage Problems
– DSS4 – Manage Continuity
– DSS5 – Manage Security Services
– DSS6 – Manage Business Process Controls

Process: DSS01 Manage Operations
Purpose: Deliver IT operational service outcomes as planned

Process: DSS02 Manage Service Requests and Incidents
Purpose: Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents

Process: DSS03 Manage Problems
Purpose: Increase availability, improve service levels, reduce costs, and improve customer convenience and satisfaction, by reducing the number of operational problems

Page 67: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – DSS

Processes for Management of Enterprise IT – Deliver, Service & Support (continued)

Process: DSS04 Manage Continuity
Purpose: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption

Process: DSS05 Manage Security Services
Purpose: (not given on the slide)

Process: DSS06 Manage Business Process Controls
Purpose: Maintain information integrity and the security of information assets handled within business processes in the enterprise or outsourced

Page 68: COBIT 5 Update Research - Isaca Malta Chapter

The COBIT 5 Process Reference Guide
Process Reference Model – MEA

Processes for Management of Enterprise IT – Monitor, Evaluate & Assess:
– MEA1 – Monitor, Evaluate and Assess Performance and Conformance
– MEA2 – Monitor, Evaluate and Assess the System of Internal Control
– MEA3 – Monitor, Evaluate and Assess Compliance with External Requirements

Process: MEA01 Monitor, Evaluate and Assess Performance and Conformance
Purpose: Provide transparency of performance and conformance and drive achievement of goals

Process: MEA02 Monitor, Evaluate and Assess the System of Internal Control
Purpose: Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk

Process: MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
Purpose: The enterprise is compliant with all applicable external requirements

Page 69: COBIT 5 Update Research - Isaca Malta Chapter

8. COBIT 5 Implementation Guide

Page 70: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Implementation

• COBIT 5: Implementation covers the following subjects:
– Positioning GEIT within an enterprise
– Taking the first steps towards improving GEIT
– Implementation challenges and success factors
– Enabling GEIT-related organisational and behavioural change
– Implementing continual improvement that includes change enablement and programme management
– Using COBIT 5 and its components

Page 71: COBIT 5 Update Research - Isaca Malta Chapter

Migrate to COBIT 5 or stay with COBIT 4?
Some considerations...

(Figure: COBIT 4.1 versus COBIT 5)

Page 72: COBIT 5 Update Research - Isaca Malta Chapter

Migrate to COBIT 5 or stay with COBIT 4?
Some considerations…

• COBIT 5 because we have to do it…
• COBIT 5 because we want to do it…

Page 73: COBIT 5 Update Research - Isaca Malta Chapter

Roadmap to COBIT 5
If you adopt COBIT 5: It’s the enablers…

• Recap: it’s the enablers that make governance work. So:
• ‘Roadmap to COBIT’ implies working on all these enablers:
– Defining and implementing processes
– Putting in place effective organisational structures
– Defining the right information streams
– Developing the right culture and associated behaviours
– Having the right skills, competences and (number of) people

Page 74: COBIT 5 Update Research - Isaca Malta Chapter

COBIT 5 Implementation Roadmap 8

Page 75: COBIT 5 Update Research - Isaca Malta Chapter

• What are the drivers for a COBIT 5 implementation?

• Are there any existing ‘pains’?

– Lack of control?

– Growing number of ‘loose ends’?

– Uncertain ROI of investments?

• Any important trigger events?

– Major new project?

– External pressure? Regulatory pressure?

Questions: Are these issues real? If not, in theory there is no need to act urgently. If real issues exist, is the Board convinced that something needs to be done here?

8 Roadmap to COBIT 5

Step 1: Why would we do it?

Page 76: COBIT 5 Update Research - Isaca Malta Chapter

• Assess the Current Situation:

– Determine, based on existing ‘pains’, the relevant areas for you in COBIT 5

– A diagnosis/high-level review of selected governance enablers should be made, resulting in:

• Capability scores of processes

• Evaluations of other enablers

8 Roadmap to COBIT 5

Step 2: Where are we now?

Page 77: COBIT 5 Update Research - Isaca Malta Chapter

• Express target levels for capability of enablers

• This applies to processes, but also to other enablers

• Remember: raising your level of governance capability:

– Requires resources, including time

– Has to be subject to a business case!

8 Roadmap to COBIT 5

Step 3: Where do we want to be?

Page 78: COBIT 5 Update Research - Isaca Malta Chapter

• Some key success factors, without which failure is guaranteed:

– Continuous top management support and commitment

– Resources

– Regular success stories & quick wins

– Understanding key objectives (see next slide)

8 Success Factors

Page 79: COBIT 5 Update Research - Isaca Malta Chapter

[Chart: Benefits, Risk and Resources rated on a 0–5 scale, Before vs. After]

8 Governance often perceived as this...

Page 80: COBIT 5 Update Research - Isaca Malta Chapter

[Chart: Benefits, Risk and Resources rated on a 0–5 scale, Before vs. After]

8 Governance could also result (preferably) in this

Page 81: COBIT 5 Update Research - Isaca Malta Chapter

8 Some quotes recorded during COBIT 5 development…

Page 82: COBIT 5 Update Research - Isaca Malta Chapter

• Quote 1 – “COBIT 5 is not a framework for the IT people…”

• Quote 2 – “Organisations have the IT they deserve…”

8 Some quotes recorded during COBIT 5 development…

Page 83: COBIT 5 Update Research - Isaca Malta Chapter

9. Additional COBIT 5 Publications

- COBIT 5 for Information Security

- COBIT Assessment Programme

Page 84: COBIT 5 Update Research - Isaca Malta Chapter

• This is an extended view of COBIT 5

• It explains each component of COBIT 5 from an information security perspective

• It provides security professionals with detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise

9 Additional Publications

COBIT 5 for Information Security

Page 85: COBIT 5 Update Research - Isaca Malta Chapter

• This enables the evaluation of selected IT processes – a view on process capability

• Process improvement, delivering business value, measuring the achievement of business goals, benchmarking, consistent reporting, etc.

• Processes can be assessed individually or alternatively in groups. Scoping areas include:

– Capability of processes to support cloud services

– Capability of processes to support achievement of IT and business goals

– Capability of processes to support SOX compliance

– Capability of processes to support the enterprise governance of IT

9 Additional Publications

COBIT Assessment Programme

Page 86: COBIT 5 Update Research - Isaca Malta Chapter

10. Upcoming COBIT 5 Publications

- COBIT 5 for Assurance

- COBIT 5 for Risk

Page 87: COBIT 5 Update Research - Isaca Malta Chapter

• This creates an information assurance view of COBIT 5

• It provides guidance for ISACA’s information assurance constituents

• It should be considered as the assurance equivalent of COBIT 5 for Information Security

• It is scheduled to be available in the second quarter of 2013 – currently proposed to be launched at Insights 2013

10 COBIT 5 for Assurance

Page 88: COBIT 5 Update Research - Isaca Malta Chapter

• In COBIT 5, governance/management practices are the replacements for:

– The COBIT 4.1 control objectives

– The Val IT and Risk IT practices

• In COBIT 5, the focus is on enabler goals

• Achievement of enabler goals can be assessed:

– Are goals achieved? – associated metrics at various levels in the cascade

– Is appropriate good practice applied? (design question)

– Are process activities (which include control activities) adequately performed?

– Is the process capability level adequate or fit for purpose?

10 COBIT 5 for Assurance

Page 89: COBIT 5 Update Research - Isaca Malta Chapter

• This creates an information risk view of COBIT 5

• It will serve as the information risk specific guidance for ISACA’s information risk constituents

• It should be considered as the risk-focused equivalent of COBIT 5 for Information Security

• It is scheduled to be available in the second quarter of 2013 – currently proposed to be launched at Insights 2013

10 COBIT 5 for Risk

Page 90: COBIT 5 Update Research - Isaca Malta Chapter

11. Some more migration and implementation considerations. How to put COBIT 5 to use in practice?

Page 91: COBIT 5 Update Research - Isaca Malta Chapter

• Example stakeholder question: How do I get value from IT? Do I get value from IT?

– COBIT 5: Value is the key driver for all enablers; COBIT 5 describes the organisational structures, processes, behaviours, information flows etc. that are needed to have IT deliver value to the enterprise; COBIT 5 also describes the mechanisms to analyse performance of all enablers, and includes a roadmap for a governance improvement project

– COBIT 5 contains specific processes and other enablers for value management, e.g. EDM02, APO05 and the linked organisational structures, information flows etc.

11 COBIT 5 Has Arrived – Now What?

Meeting Stakeholder Needs – Are they?

Page 92: COBIT 5 Update Research - Isaca Malta Chapter

• Example stakeholder question: How do I manage performance of IT? Am I running an efficient and resilient IT operation? How do I best build and structure my IT department?

– COBIT 5 defines a set of interacting enablers that – when working and interacting well – provide a performing IT for the enterprise

– COBIT 5 includes a generic enabler model with a performance management module. Using this model to assess all enablers systematically will provide accurate and useful performance data

– COBIT 5 contains metrics associated with goals at various levels – these metrics can be included in a performance management system

– Dealing with the ‘efficiency’ and ‘resilience’ questions can be done by putting appropriate emphasis and priority on specific processes and other enablers

11 COBIT 5 Has Arrived – Now What?

Meeting Stakeholder Needs – Are they?

Page 93: COBIT 5 Update Research - Isaca Malta Chapter

• Example stakeholder question: How do I know if I’m compliant with all applicable regulations? Am I?

– COBIT 5 includes a number of processes that specifically deal with compliance – from identifying compliance requirements, through implementing appropriate controls, to (independent) evaluation of compliance; the goals cascade includes several compliance-related goals at various levels

– COBIT 5 extends towards business processes, ensuring that compliance requirements are taken care of consistently throughout the enterprise

– The mechanisms to assess performance of these processes and other enablers can be used to manage performance of the compliance system

11 COBIT 5 Has Arrived – Now What?

Meeting Stakeholder Needs – Are they?

Page 94: COBIT 5 Update Research - Isaca Malta Chapter

• Example stakeholder question: Did I address all IT-related risks?

– COBIT 5 includes several IT risk-related goals at various levels, which – when prioritised correctly – will identify relevant processes and other enablers to manage risk

– Specific processes at governance and management level deal with risk management, e.g. EDM03, APO12, APO13 and the MEA domain

– The same applies to organisational structures, specific skills etc.

– Again, the built-in performance system allows monitoring of the performance and outcome of all enablers, providing an accurate view on current status

– In case improvements are needed, the Implementation Guide provides a roadmap towards enhanced governance practices

11 COBIT 5 Has Arrived – Now What?

Meeting Stakeholder Needs – Are they?

Page 95: COBIT 5 Update Research - Isaca Malta Chapter

• >32 definitions of ‘complexity’ exist

• Is COBIT 5 complex? YES, because:

– It covers a complex matter and provides a model to deal with this complexity!

– Models are a simplification of reality to the level where the model is still relevant – a simplification, but not simplistic!

• Is COBIT 5 complex? NO, because:

– If complex is defined as ‘time needed to understand’ (for a normal person) then we could argue that it is not very complex… 5 principles, seven enablers with each four dimensions…

11 Finally – one word on ‘complexity’…

Page 96: COBIT 5 Update Research - Isaca Malta Chapter

• The basic equation… A Framework is a Framework

• COBIT 5 is comprehensive in its vision on governance

• BUT: a lot remains to be done by yourselves, based on individual circumstances

• We already possess the most important tool required for that – shown at the right…

11 Some final advice...

Page 97: COBIT 5 Update Research - Isaca Malta Chapter

Q & A