The COBIT 5® First Aid Kit
Essential information for professionals and enterprises using COBIT 5®
The COBIT 5® First Aid Kit
The COBIT 5® First Aid Kit is an essential toolkit for the effective utilization of COBIT 5® in any enterprise. The kit provides essential COBIT 5® components to support you when you need them the most. In any IT governance emergency, think of this kit before looking elsewhere.
COBIT is a registered trademark of ISACA and the IT Governance Institute. © 2012 ISACA. All rights reserved.
IT Governance
FaK_coB_060309_en
Typical IT Challenges
Aligning IT with Business
Enforcing Security
Keeping IT Up and Running
Managing Complexity
Achieving Regulatory Compliance
Balancing Value and Cost
Enterprises require a structured approach to manage these and other challenges.
IT Governance ensures that there are agreed objectives for IT, good management controls are in place, and performance is monitored to avoid unexpected outcomes.
IT Governance?
Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Management, in turn, executes the direction set by the board by planning, building, delivering, and monitoring operational activities to achieve enterprise objectives.
Optimizing risks
Realizing benefits
Optimizing resources
IT governance is an integral part of enterprise governance.
Enterprise Governance
PERFORMANCE: Improving profitability, efficiency, effectiveness, growth, and so on.
CONFORMANCE: Adhering to legislation, internal policies, audit requirements, and so on.
Internal Stakeholders of IT Governance
Internal stakeholders and their interests:
IT Manager: How do I manage IT performance?
Board and Executives: How do I get value from IT?
IT Auditor: How do I provide independent assurance?
Business Executive and Process Owner: How do I exploit IT for strategic advantages?
Risk and Compliance Manager: How do I ensure compliance with policies, regulations, and laws?
External Stakeholders of IT Governance
External stakeholders and their interests:
Regulators: Do you comply with regulations?
Suppliers: Is my business partner secure and reliable?
External Auditor: Are there adequate financial controls?
Customers: Is my personal information secure and private?
COBIT 5® Principles
Meeting Stakeholder Needs
Separating Governance from Management
Enabling a Holistic Approach
Applying a Single Integrated Framework
Covering the Enterprise End to End
COBIT Provides a Framework for IT Governance
Effective governance and management can only be achieved by adopting and implementing a suitable framework that:
Considers all stakeholders.
Addresses all the necessary enablers.
Is based on best practices and standards.
Controls the use of information and IT enterprise-wide.
Clarifies the scope of governance and management.
Benefits of IT Governance
Increased efficiencies and optimized costs
Better returns on IT-related investments
Confidence and trust of senior management
Transparent and meaningful management information about IT performance
Solutions and services that are reliable, secure, and aligned with business needs and priorities
Nimble enterprise that can respond quickly to changing IT-related requirements
(Figure labels: Risks, Costs, Failures, Incidents; Benefits, Trust, ROI, Transparency.)
Implementation of Effective IT Governance using COBIT 5®
Enables the mapping of enterprise goals to IT-related goals and of IT-related goals to process goals.
Allows for better alignment based on a business focus.
Provides a management view of IT performance that is understandable.
Defines clear ownership and responsibilities based on process orientation.
Establishes general acceptability with third parties and regulators.
Creates shared understanding among all stakeholders based on a common language.
COBIT 5® Overview

Covering the Enterprise End-to-End
COBIT 5® addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective. This means:
• COBIT 5® integrates governance of enterprise IT into enterprise governance.
• COBIT 5® covers all functions and processes within the enterprise.

COBIT 5® is a single and integrated framework because it:
Aligns with the latest relevant standards and frameworks.
Is complete in enterprise coverage.
Provides a simple architecture.
Also integrates all knowledge.

COBIT 5® Enablers
COBIT 5® focuses on the following IT governance enablers:
Processes
Information
Organizational structures
Culture, ethics, and behavior
People, skills, and competencies
Services, infrastructure, and applications
Frameworks, principles, and policies
COBIT and Other Frameworks (figure)
Drivers: CONFORMANCE (legal and contractual requirements) and PERFORMANCE (enterprise goals).
Enterprise governance: COSO/OECD/King III; Balanced Scorecard.
IT governance: COBIT 5®.
Best practice standards: ISO/IEC 27000:2009; ISO/IEC 9001:2008; ITIL 2011 & ISO/IEC 20000:2008.
Process and procedures: Security principles; QA procedures; IT service management principles.
Processes for Governance of Enterprise IT
Evaluate, Direct, and Monitor
The COBIT 5® Process Components: Practices
Each COBIT 5® process has Activities and Practices.
For each COBIT 5® process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT.
The COBIT 5® Process Components: Activities
Activities provide guidance to achieve key practices and provide the how, why, and what to implement and improve IT performance and address risks.
(Figure: COBIT 5® Activities; governance or management practice; how, what, why; implementing; improving IT performance.)
Inputs and Outputs
Each COBIT 5® process also has inputs and outputs that are defined for each management practice. Process linkages are shown for each input and output. Some outputs are only internal to the process.
(Figure: Inputs and Outputs for a process.)
Process Goals and Metrics
Goals and metrics describe how processes should be measured. These are defined at three levels:
Enterprise goals and metrics: Define the strategic objectives of the enterprise and how these goals will be measured by executive management.
IT-related goals and metrics: Define what the enterprise expects from its use of IT, and what the business will use to measure use of IT.
Process goals and metrics: Define what the governance and management of IT processes must deliver to support the IT-related goals, that is, how the IT process owner will be measured.

COBIT and Process Roles and Ownership
RACI charts indicate roles and responsibilities in relation to processes and activities, for a variety of roles, for example:
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Business executives
• Chief information officer (CIO)
• Business process owner
• Head operations
• Chief architect
• Head development
• Head IT administration
• The project management office (PMO) or function
• Compliance, audit, risk, and security
Who is:
R Responsible
A Accountable
C Consulted
I Informed

COBIT at a Glance
The New ISO/IEC 15504 Process Capability Assessment Approach
The COBIT 5® product set includes a new process assessment model, based on the internationally recognized ISO/IEC 15504 Software Engineering—Process Assessment standard.

Process Assessment Model (based on ISO/IEC 15504-2)
Capability dimension:
Level 5 Optimizing Process (2 attributes)
Level 4 Predictable Process (2 attributes)
Level 3 Established Process (2 attributes)
Level 2 Managed Process (2 attributes)
Level 1 Performed Process (1 attribute)
Level 0 Incomplete Process
Process dimension:
EDM Evaluate, Direct and Monitor
APO Align, Plan and Organise
BAI Build, Acquire and Implement
DSS Deliver, Service and Support
MEA Monitor, Evaluate and Assess

Process Assessment
The assessment distinguishes between assessing capability level 1 and the higher levels. Capability level 1 can be assessed by:
Reviewing the process outcomes.
Assessing the process (governance or management) practices.
Considering the work products.
Higher Process Capability Levels
For higher process capability levels, the standard generic practices and work products taken from ISO/IEC 15504-2 are used. An example for PA 2.1, Performance Management, is:

Result of full achievement of the attribute: a. Objectives for the performance of the process are identified.
Generic Practice (GP): GP 2.1.1 Identify the objectives for the performance of the process. The performance objectives, scoped together with assumptions and constraints, are defined and communicated.
Generic Work Products (GWPs): GWP 1.0 Process documentation should outline the process scope. GWP 2.0 Process plan should provide details of the process performance outcomes.

Result of full achievement of the attribute: b. Performance of the process is planned and monitored.
Generic Practice (GP): GP 2.1.2 Plan and monitor the performance of the process to fulfill the identified objectives. Basic measures of process performance linked to business objectives are established and monitored. They include key milestones, required activities, estimates and schedules.
Generic Work Products (GWPs): GWP 2.0 Process plan should provide details of the process performance outcomes. GWP 9.0 Process performance records should provide details of the outcomes.

Note: At this level, the record of process performance may be in the form of reports, issues registers and informal records.
Application of the COBIT 4 Maturity Model Approach with COBIT 5®
The most important differences between an ISO/IEC 15504-based process capability assessment and the current COBIT 4.1 maturity model are:
The naming style and meaning of the capability levels.
Different types of attributes.
The requirement for an ISO/IEC 15504-2 compliant process reference model.
Maturity Profile of an Enterprise
The difference between the COBIT 4.1 maturity model and the COBIT 5® assessment model is:
In COBIT 4.1, the maturity model produced a maturity profile of an enterprise primarily for benchmarking purposes, not for formal assessments.
In COBIT 5®, the assessment model provides a measurement scale for each capability attribute; each level must be achieved completely before reaching the next level.
Using the COBIT 4.1 CMM Method for COBIT 5®
The maturity attributes are: Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement. Each attribute is described below at maturity levels 1 to 5.

Awareness and Communication
Level 1: Recognition of the need for the process is emerging. There is sporadic communication about issues.
Level 2: There is an awareness of the need to act. The management communicates the overall issues.
Level 3: There is an understanding of the need to act. The management is more formal and structured in its communication.
Level 4: There is an understanding of the total requirements. Mature communication techniques are applied and standard communication tools are in use.
Level 5: There is an advanced, forward-looking understanding of requirements. There is proactive communication of issues based on trends, mature communication techniques are applied, and integrated communication tools are in use.

Policies, Standards and Procedures
Level 1: There are ad-hoc approaches to processes and practices, and the processes and policies are undefined.
Level 2: Similar and common processes emerge but are largely intuitive because of individual expertise. Some aspects of the process are repeatable because of individual expertise and the existence of some documentation and an informal understanding of policy and procedures.
Level 3: Usage of good practices emerges. Processes, policies, and procedures are defined and documented for all key activities.
Level 4: The process is sound and complete and internal best practices are applied. All aspects of the process are documented and repeatable. Policies have been approved and signed off by the management. Standards for developing and maintaining the processes and procedures are adopted and followed.
Level 5: External best practices and standards are applied. Process documentation has evolved to automated workflows. Processes, policies, and procedures are standardized and integrated to enable end-to-end management and improvement.

Tools and Automation
Level 1: Some tools may exist and usage is based on standard desktop tools. There is no planned approach to tool usage.
Level 2: Common approaches to the use of tools exist but are based on solutions developed by key individuals. Vendor tools may have been acquired but are probably not applied correctly and may even be shelfware.
Level 3: A plan has been defined for the use and standardization of tools to automate the process. Tools are being used for their basic purposes but may not all be in accordance with the agreed plan and may not be integrated with one another.
Level 4: Tools are implemented according to a standardized plan and some have been integrated with other related tools. Tools are being used in main areas to automate the management of the process and monitor critical activities and controls.
Level 5: Standardized toolsets are used across the enterprise. Tools are fully integrated with other related tools to enable end-to-end support for the processes. Tools are being used to support the improvement of the process and automatically detect control exceptions.

Skills and Expertise
Level 1: Skills required for the process are not identified. A training plan does not exist and no formal training takes place.
Level 2: Minimum skill requirements are identified for critical areas. Training is provided in response to needs, rather than based on an agreed plan, and informal on-the-job training occurs.
Level 3: Skill requirements are defined and documented for all areas. A formal training plan has been developed, but formal training is still based on individual initiatives.
Level 4: Skill requirements and proficiency are updated and ensured for all areas. Mature training techniques are applied according to the training plan and knowledge sharing is encouraged. All internal domain experts are involved and the effectiveness of the training plan is assessed.
Level 5: The organization encourages continuous improvement of skills based on defined personal and organizational goals. Training and education support external best practices, the use of leading-edge concepts and techniques, deployment of knowledge-based systems, and the advice of experts and leaders.

Responsibility and Accountability
Level 1: There is no definition of accountability and responsibility. People take ownership of issues based on their own initiative and on a reactive basis.
Level 2: An individual assumes responsibility and is usually held accountable, even if this is not formally agreed. There is confusion about responsibility when problems occur and a tendency toward a culture of blame.
Level 3: Process responsibility and accountability are defined and process owners have been identified. The process owner is unlikely to have full authority to exercise the responsibilities.
Level 4: Process responsibility and accountability are accepted and working in a way that enables a process owner to fully discharge responsibilities. A reward culture that motivates positive action is in place.
Level 5: Process owners are empowered to make decisions and take action. Acceptance of responsibility has been cascaded down throughout the organization in a consistent fashion.

Goal Setting and Measurement
Level 1: Goals are not clear and no measurement takes place.
Level 2: Some goal setting occurs and a few financial measures are established but are known only by senior management. There is inconsistent monitoring in isolated areas.
Level 3: Some effectiveness goals and measures are set but not communicated, and there is a clear link to business goals. Measurement processes emerge but are not consistently applied. IT balanced-scorecard concepts are being adopted, as is occasional intuitive application of root cause analysis.
Level 4: Efficiency and effectiveness are measured, communicated, and linked to business goals and the IT strategic plan. The IT balanced scorecard is implemented in some areas with some exceptions, and root cause analysis is being standardized. Continuous improvement is emerging.
Level 5: There is an integrated performance measurement system linking IT performance to business goals by the global application of the IT balanced scorecard. Exceptions are globally and consistently noted by the management and a root cause analysis is applied.
COBIT Education
Training solutions that help professionals and organizations understand and implement COBIT in a better manner.
“A best practice is only as good as the person using it.”
Mastering COBIT Using Effective Learning Solutions
Enterprises using or planning to use COBIT to improve IT governance and management
Suitable for business, IT and assurance professionals
From awareness-level understanding to expert practitioner or advisor
Please go to www.itpreneurs.com/cobit to learn more about the ITpreneurs COBIT 5® course offerings.
Your Opinion Counts!
We would like to hear from you if you have any suggestions or ideas or if you have been involved in an IT governance crisis for which you did not find an answer in the kit.
Forward your comments and suggestions to
ITpreneurs’ IT Best Practice Domains
ITIL® COBIT® TOGAF® TIPA® XBRL® Cloud Computing® PRINCE2® Kepner-Tregoe® PMBOK® ISO/IEC 27001®
ITpreneurs is a global provider of training solutions in the IT management and IT governance best practice domains.
For more information visit www.ITpreneurs.com