Avoid Framework Overload: Use COBIT5 to Leverage Multiple Best Practices
Mark Thomas, CGEIT, CRISC, ITIL Expert, PRINCE2
Areas of expertise
Governance of Enterprise IT (CGEIT)
Enterprise Risk Management (CRISC)
COBIT
ITIL Expert
PRINCE2 Practitioner
Experience
IT Director
VP, IT Operations
Enterprise Program Manager
Governance frameworks consulting
Agenda
Introduction and Background
Value Creation
The Framework Ecosystem
A Framework to Manage Frameworks
Closing and Questions
Presentation Synopsis
In the IT Governance environment there are multiple frameworks, models and standards to choose from. A challenge for most organizations is simply understanding what all of these are, and which ones are applicable or appropriate for them. Some common questions include: If we’re using ITIL, should we consider COBIT? How do ISO standards fit into my model? Should I be using Project Management models if I already use COBIT?
In this insightful presentation on frameworks and standards integration, explore the many models that are available today: what they are, how they fit, and why choose them. Most importantly, we will use COBIT as the framework integrator to create a more holistic approach to leveraging multiple best practices under a single model.
The purpose of this presentation is to gain an understanding of various applicable frameworks that exist in the GEIT space, and how to understand, position, and integrate multiple frameworks using COBIT5.
Presentation Goals
Recognize the various frameworks in the GEIT ecosystem and how they can be collectively used to align with enterprise needs.
Understand a model to synchronize various frameworks such as COBIT, ITIL, TOGAF, PRINCE2, PMBOK, and many more.
Understand a model to synchronize various standards such as ISO38500, ISO27000, ISO20000, ISO31000, and many more.
Identify approaches to selecting appropriate frameworks for your needs by leveraging COBIT5 as the framework integrator.
Value Creation
Why the enterprise exists
Today’s Challenges
Why Does the Enterprise Exist?
How Do We Provide This Value?
EVALUATE stakeholder needs, conditions and options
DIRECT through prioritization and decision making
MONITOR performance, compliance and progress against agreed-on direction and objectives
PLAN, BUILD, RUN and MONITOR activities
Align with the direction set by the governance body to achieve the enterprise objectives
The Framework Ecosystem
What is out there?
Drivers for Framework Adoption
Rising demand for best practices
More competitive landscape
Cost control
Conformance and performance
Meeting enterprise objectives
Technology investment justification
Standards and Good Practices
Example Framework Categories
Governance
Architecture
IT Service Management
Program and Project Management
Risk Management
Security Management
Quality and Improvement
Lifecycles
Example Standards
ISO38500
ISO42010
ISO20000
ISO21500
ISO31000
NIST
ISO27001
ISO15504
ISO12207
Example Good Practices
COSO
COBIT
TOGAF
ASL/BiSL
ITIL
PMBOK
PRINCE2
COBIT5 for Risk
COBIT5 for Security
SIX SIGMA
PDCA
SDLC
AGILE
DEVOPS
This is not a complete list. It is a representation of the presenter’s experience only.
A Framework to Manage Frameworks
Using COBIT5
Scenario
Company Background
Managed service provider
Mid-market
Multi-tenant environment
Challenges
Regulatory and compliance
Multiple fragmented frameworks
Customer satisfaction
Duplicated efforts
Goals
Adopt an enterprise IT governance framework that supports value creation and alignment.
Leverage applicable standards and industry best practices to balance performance and conformance.
Approach
Analyze Business Needs
Leverage the Goals Cascade from COBIT.
Translate stakeholder needs into specific, practical and customized goals.
Cascade the goals to selected enablers.
Consider external regulations, laws and contractual obligations.
Determine the implications of the overall enterprise control environment with regard to IT.
ISACA – Information Systems Audit and Control Association. ITGI – IT Governance Institute
Modified Goals Cascade
Approach
Understand the Enablers
Principles, Policies and Frameworks
Processes
Organizational Structures
Culture, Ethics and Behaviours
Information
Services, Infrastructure and Applications
People, Skills and Competencies
Approach
Inventory Frameworks
Standards
Best Practices
Inventory Frameworks (by COBIT5 domain: EDM, APO, BAI, DSS, MEA)
EDM: COSO; ISO/IEC 38500; King III; OECD; COSO/ERM; ISO/IEC 31000; TOGAF 9
APO: ISO/IEC 20000; ISO/IEC 27002; ITIL 2011; TOGAF 9; SFIA; ISO/IEC 27002; PMBOK; ISO/IEC 9001-2008; ISO/IEC 27001:2005; ISO/IEC 27002:2011; NIST SP800-53 Rev 1
BAI: PMBOK; PRINCE2; ISO/IEC 20000; ITIL 2011
DSS: ITIL V3 2011; ISO/IEC 20000; ISO/IEC 27002; BS 25999:2007; ISO/IEC 27002:2011; NIST SP800-53 Rev 1
MEA: ISO/IEC 20000; ITIL 2011
COSO = Committee of Sponsoring Organizations of the Treadway Committee
OECD = Organization for Economic Cooperation and Development
TOGAF = The Open Group Architecture Forum
SFIA = Skills Framework for the Information Age
PMBOK = Project Management Body of Knowledge
NIST = National Institute of Standards and Technology
Approach
Link Frameworks to Selected Enablers
Initial focus on the process enabler.
Process selection based on internal assessment.
Cross reference to avoid duplication.
Use the COBIT5 Enabling Process Guide for guidance.
Domains and Processes
COBIT5 Process Reference Model
Process Identification
Process Description
Process Purpose Statement
Goals Cascade Information
Process Goals and Metrics
RACI Chart
Detailed Practice Descriptions
Related Guidance
Link Frameworks to Selected Enablers
Closing and Questions
Consideration and Tips
You don’t have to call it by its name!
Use more than one framework; each has its own unique focus areas.
There is no such thing as a single silver bullet.
Ownership and accountability are key.
Communicate value in business terms.
Use COBIT Online to assist.
Don’t underestimate Culture, Ethics and Behaviors.