ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance
By Christopher Oparaugo, CISM, CGEIT, CRISC
COBIT Focus | 14 December 2015
The balanced scorecard (BSC), initially developed by Kaplan and Norton [1, 2, 3, 4], is a performance management system that should allow enterprises to drive their strategies through measurement and follow-up. In recent years, the BSC has been applied to IT and, currently, the first real-life IT security governance application has been developed based on mapping International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 control objectives to COBIT® 4.1 process areas and IT governance focus areas. As a further exercise, the relationships and similarities of COBIT 4.1 and COBIT 5 can be explored to create a mapping for COBIT 5 in future publications.

This article explains how an exercise in instituting controls can be used to establish the IT BSC, which can be linked to the business BSC and, in so doing, can support the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls.
Balanced Scorecard Introduction

Kaplan and Norton introduced the BSC at the enterprise level. Their basic idea is that the evaluation of an organization should not be restricted to a traditional financial evaluation, but should be supplemented with measures concerning customer satisfaction, internal processes and the ability to innovate. These additional measures should assure future financial results and drive the organization toward its strategic goals while keeping all 4 perspectives in balance. Kaplan and Norton proposed a triple-layered structure for the 4 perspectives: mission (e.g., to become the customers’ most preferred supplier), objectives (e.g., to provide the customers with new products) and measures (e.g., percentage of turnover generated by new products).
The BSC can be applied to the IT function and its processes [5, 6, 7, 8]. This article translates those earlier visions into actions that can be used to correct any lapses that reduce the value of the BSC results. The BSC can also be applied to IT risk management [9].
IT Governance Through Controls

This article illustrates how a cascade of scorecards can be instrumental in the development of IT/business

[Source: COBIT 4.1: Framework for IT Governance and Control, IT Governance Institute]
Information Security Governance Balanced Scorecard

The BSC is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy and translate those into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the BSC transforms strategic planning from an academic exercise into the nerve center of an enterprise.
The BSC uses 4 perspectives, develops metrics, collects data and analyzes the data relative to each of these perspectives (the percentage given with each perspective is the score reported for it):
1. Financial—To succeed financially, how should we appear to our shareholders? (score: 52.38%)
2. Customer—To achieve our vision, how should we appear to our customers? (score: 59.40%)
3. Internal business—To satisfy our shareholders and customers, at what business process must we excel? (score: 61.31%)
4. Learning and growth—To achieve our vision, how will we sustain our ability to change and improve? (score: 55.54%)
Conclusion

The vision and strategy driver scores are obtained from the mapping exercise of ISO/IEC 27001 to COBIT 4.1; these can be used in determining key performance indicator (KPI) scores for a department and drilled down to an individual’s contribution to the department’s overall success. The results from linking IT goals to business goals and reviewing them against the COBIT information criteria help form a better perspective of the BSC. The assessment results can be drilled into, and a backward review of the mapping values used to determine the root cause of low values in a set of mapped ISO/IEC 27001 control objectives and questions; this forms the basis for developing an action plan as the business requires.
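The roll-up and backward review described above can be made mechanical. What follows is an added illustration, not code from the article or from ISACA: it scores a handful of ISO/IEC 27001:2005 Annex A control objectives from constructed assessment answers, rolls those scores up through an assumed control-to-COBIT-4.1-process-to-perspective mapping into the four BSC perspective scores, and then drills back down to the control objectives and questions that pull a perspective below a threshold. The Annex A domain names and COBIT 4.1 process IDs are real identifiers; the assessment questions and answers, the pairing of controls with processes, the assignment of processes to perspectives and the 60% threshold are all assumptions made for the example and are neither the article's mapping tables nor its reported scores.

```python
"""Roll ISO/IEC 27001 control-objective scores up to COBIT 4.1 processes and
BSC perspectives, then drill back down to the weak controls.

Added example; the data and mappings below are constructed for illustration."""
from statistics import mean

MAX_ANSWER = 3  # assessment questions are answered 0 (absent) .. 3 (fully implemented)

# Constructed assessment: ISO/IEC 27001:2005 Annex A domains (real names) with
# made-up questions and answers.
ASSESSMENT = {
    "A.5 Security policy": [
        ("Policy approved and published by management", 3),
        ("Policy reviewed within the last 12 months", 1),
    ],
    "A.6 Organization of information security": [
        ("Security roles and responsibilities defined", 3),
        ("Third-party agreements address security", 2),
    ],
    "A.8 Human resources security": [
        ("Background screening performed", 2),
        ("Awareness training completed by all staff", 1),
        ("Termination process removes all access", 1),
    ],
    "A.10 Communications and operations management": [
        ("Changes pass through change control", 2),
        ("Malware controls deployed", 3),
        ("Backups restored in a test", 1),
    ],
    "A.11 Access control": [
        ("Access rights reviewed at least quarterly", 0),
        ("Privileged access restricted and logged", 2),
    ],
    "A.13 Information security incident management": [
        ("Security events reported through a defined channel", 2),
        ("Lessons learned fed back into controls", 1),
    ],
    "A.14 Business continuity management": [
        ("Continuity plan tested in the last year", 1),
        ("Business impact analysis performed", 2),
    ],
    "A.15 Compliance": [
        ("Applicable legal requirements identified", 3),
        ("Independent reviews of compliance performed", 2),
    ],
}

# Assumed mapping of control objectives to COBIT 4.1 processes (real process
# IDs, illustrative pairing; not the article's mapping table).
CONTROL_TO_PROCESS = {
    "A.5 Security policy": "PO6",
    "A.6 Organization of information security": "PO4",
    "A.8 Human resources security": "PO7",
    "A.10 Communications and operations management": "DS5",
    "A.11 Access control": "DS5",
    "A.13 Information security incident management": "DS8",
    "A.14 Business continuity management": "DS4",
    "A.15 Compliance": "ME3",
}

# Assumed assignment of COBIT 4.1 processes to BSC perspectives.
PROCESS_TO_PERSPECTIVE = {
    "PO4": "Internal business",
    "PO6": "Internal business",
    "DS5": "Internal business",
    "PO7": "Learning and growth",
    "DS8": "Customer",
    "DS4": "Customer",
    "ME3": "Financial",
}


def score_controls(assessment):
    """Score each control objective as a percentage of the maximum attainable."""
    return {ctrl: 100.0 * mean([a for _, a in qs]) / MAX_ANSWER
            for ctrl, qs in assessment.items()}


def roll_up(control_scores, control_to_process, process_to_perspective):
    """Average control scores per COBIT process, then process scores per perspective."""
    by_process = {}
    for ctrl, score in control_scores.items():
        by_process.setdefault(control_to_process[ctrl], []).append(score)
    process_scores = {proc: mean(v) for proc, v in by_process.items()}
    by_persp = {}
    for proc, score in process_scores.items():
        by_persp.setdefault(process_to_perspective[proc], []).append(score)
    perspective_scores = {p: mean(v) for p, v in by_persp.items()}
    return process_scores, perspective_scores


def drill_down(perspective, assessment, control_scores,
               control_to_process, process_to_perspective, threshold=60.0):
    """Backward review: the control objectives feeding `perspective` that score
    below `threshold`, lowest first, each with its weakest question."""
    findings = []
    for ctrl, score in control_scores.items():
        proc = control_to_process[ctrl]
        if process_to_perspective[proc] != perspective or score >= threshold:
            continue
        question, answer = min(assessment[ctrl], key=lambda qa: qa[1])
        findings.append({"control": ctrl, "process": proc,
                         "score": round(score, 2),
                         "weakest_question": question, "answer": answer})
    return sorted(findings, key=lambda f: f["score"])


if __name__ == "__main__":
    controls = score_controls(ASSESSMENT)
    processes, perspectives = roll_up(controls, CONTROL_TO_PROCESS, PROCESS_TO_PERSPECTIVE)
    for persp, score in sorted(perspectives.items()):
        print(f"{persp:20s} {score:6.2f}%")
        for f in drill_down(persp, ASSESSMENT, controls, CONTROL_TO_PROCESS,
                            PROCESS_TO_PERSPECTIVE):
            print(f"  {f['control']} ({f['process']}) {f['score']}% "
                  f"- weakest: {f['weakest_question']} = {f['answer']}")
```

Each level is a plain average, so a single badly answered question (here the quarterly access review in A.11) is visible at every level of the cascade and the drill-down names it directly; a real scorecard would weight controls and processes by the business goals they support, which is the link to the business BSC the article describes.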
Successful enterprises understand the risks and exploit the benefits of IT; they find ways to align IT strategy with business strategy, cascade IT strategy and goals down into the enterprise, and insist that an IT control framework be adopted and implemented. IT governance is not an isolated discipline. It is an integral part of overall enterprise governance that drives the business in these days of the Internet of Things. The need to integrate IT governance with overall business governance is similar to the need for IT to be an integral part of the enterprise business.
Christopher Oparaugo, CISM, CGEIT, CRISC, is the chief technology officer of KATEC Consulting Ltd. He has worked for IBM Global Business Services as an information security consultant. He has also worked in the telecommunication and banking industries in West Africa. Oparaugo has contributed to the ISACA® CISM®, CGEIT® and CRISC™ Certification Project and Test Enhancement Committee since 2005, setting exam questions and reviewing the manuals.
Endnotes

1 Kaplan, R.; D. Norton; "The Balanced Scorecard—Measures That Drive Performance," Harvard Business Review, January-February 1992, p. 71-79
2 Kaplan, R.; D. Norton; "Putting the Balanced Scorecard to Work," Harvard Business Review, September-October 1993, p. 134-142
3 Kaplan, R.; D. Norton; "Using the Balanced Scorecard as a Strategic Management System," Harvard Business Review, January-February 1996, p. 75-85
4 Kaplan, R.; D. Norton; The Balanced Scorecard: Translating Vision Into Action, Harvard Business School Press, Boston, 1996
5 Gold, C.; "Total Quality Management in Information Services—IS Measures: A Balancing Act," research note, Ernst & Young Center for Information Technology and Strategy, USA, 1992
6 Gold, C.; "US Measures—A Balancing Act," Ernst & Young Center for Business Innovation, USA, 1994
7 Willcocks, L.; Information Management, The Evaluation of Information Systems Investments, Chapman & Hall, UK, 1995
8 Van Grembergen, W.; D. Timmerman; "Monitoring the IT Process Through the Balanced Scorecard," Proceedings of the 9th Information Resources Management (IRMA) International Conference, USA, May 1998, p. 105-116
9 Van Grembergen, W.; "The Balanced Scorecard and IT Governance," Information Systems Control Journal, vol. 2, 2000