Integrated IT Governance Series - COBIT 5

Date post: 04-Jun-2018
Upload: agus-sevtiana

Transcript
  • 8/13/2019 Integrated IT Governance Series - COBIT 5

    Integrated IT Governance Series COBIT 5

    Overview

    COBIT 5 is the latest version of ISACA's (www.isaca.org) guidance of the enterprise governance and management of IT, published in 2012. COBIT 5 provides a framework for optimising the value that organisations obtain from their investments in IT by balancing the three elements of realising benefits, managing risk and consuming resources.

    Whilst COBIT 5 builds upon previous versions, it does represent a significant restructure of the guidance. This may mean some effort for organisations already using COBIT 4.1, but we believe that it offers significant opportunities to organisations already using or considering incorporating COBIT principles and concepts into an integrated governance approach to the provision of IT services.

    There are multiple sources of good practice guidance and supporting frameworks to assist IT service providers to design and deliver end-to-end services that are aligned to the needs of their customer, whether they are internal, external or a mixture of both. The different sources cover various aspects and stages of the service lifecycle from architecture, through programme/project and risk management, IT service management, corporate governance of IT to skills definition and management.

    This brief is one of a series that describes the key concepts of some of the major sources of good practice and how they can be applied by service providers to improve service design and delivery. It is ProActive's view that organisations should avoid an either/or approach when considering frameworks. Each has its areas of focus and strengths, but no one source would claim to have all the answers. In fact, each organisation has to operate within its own context and with its own unique set of capabilities. Good practice should not be seen as dogma that should be rigorously adhered to without an appreciation of the context within which activity occurs. We find that the different frameworks usually provide complementary guidance and organisations can and should be aware of what is available, how relevant the guidance is to them and to incorporate elements from multiple frameworks as necessary to achieve their objectives.

    Commercial in Confidence Page 3 of 15

    The Evolution of COBIT

    With earlier versions there was a focus on defining what needed to be achieved to provide effective governance and management of the information assets of an organisation. For each described process, a set of control objectives documented this "what to achieve", along with management guidelines with skeletal RACI charts and suggested metrics. While this was very useful to adopters, ISACA also started to produce complementary guidance on how the objectives might be achieved and on assurance guidance on measuring the effectiveness of controls.

    ISACA also developed the ValIT and RiskIT frameworks to look at realising value and managing risk. There was also a growing recognition that many organisations were still struggling with the concept that governance and management are different activities and that they should be separated.

    COBIT 5 Principles

    The development of COBIT 5 was based on five key principles:

    1. Meeting stakeholder needs
       Organisations need to optimise value for their stakeholders by achieving an appropriate balance between realising benefits, managing risk effectively and using resources efficiently and effectively. COBIT 5 describes a set of processes and enablers that support this objective.

    2. Covering the enterprise end-to-end
       COBIT 5 is designed to integrate IT governance into overall enterprise governance. Its scope covers all information and related technology assets, wherever they may be in an organisation, and includes internal and external providers.

    3. Single integrated framework
       COBIT is aligned to other relevant standards and good practice frameworks. It also incorporates the guidance of ValIT and RiskIT.

    4. Holistic approach
       COBIT defines a set of seven enablers to support the implementation of governance and management of an organisation's IT. These are covered in the next section.

    5. Separation of governance from management
       COBIT 5 introduces an additional process domain for governance process as distinct from management ones and this domain aligns to the Evaluate, Direct and Monitor concepts of ISO/IEC 38500: Corporate governance of IT [1]


    COBIT 5 Enablers

    One of the COBIT 5 principles is the adoption of a holistic approach to the establishment of effective governance and management of IT. Seven enablers are identified as depicted in Figure 2 [2].

    1. Principles, Policies and Frameworks
       These provide the means of ensuring that the desired behaviour is articulated through practical guidance for use by management and staff. People are more likely to comply if they understand why such behaviour is necessary.

    2. Processes
       COBIT describes 37 processes within five domains that each incorporate a structured set of governance or management practices to achieve objectives that support IT and enterprise goals.

    3. Organisational Structures
       These provide stability to an organisation and support the delegation of responsibilities and decision-making. There is no one organisational structure that will suit every situation. Structures are influenced by the enterprise culture, previous experience and the skills and capabilities of staff.

    4. Culture, Ethics and Behaviour
       These are key influencers on the success of governance and management activities at both the organisational and individual level.


    of IT. Conversely, neglecting any of them during an implementation programme could have a significant adverse impact on success. The last three enablers are also referred to as resources and this is a concept carried forward from COBIT 4.1.

    The COBIT 5 Process Reference Model

    Processes form one of the seven COBIT enablers and the reference model defines 37 processes in the five domains of:

    o Evaluate, Direct and Monitor (EDM)
    o Align, Plan and Organise (APO)
    o Build, Acquire and Implement (BAI)
    o Deliver, Service and Support (DSS)
    o Monitor, Evaluate and Assess (MEA)

    The first of these is a new domain created to hold the specific governance (as distinct from management) processes. The other four are very similar to the process domains of COBIT 4.1 and are based on the stages of plan, build, run and monitor, although there has been some reallocation of processes between domains. This structure aligns quite well with the service lifecycle approach adopted by ITIL since the 2007 edition of the guidance.

    The COBIT 5 process reference model is shown in Figure 3 on the next page. The model is described in detail in COBIT 5 Enabling Processes [3]. The key information provided by COBIT for each process will be summarised in a later section.

    Each process has a unique five-character identifier comprised of: the three character domain identifier (EDM, APO, BAI, DSS, or MEA) followed by a two digit number to distinguish it from other processes in the same domain. The five-character process identifier is also used in the governance or management practices that are documented for each process, so that each practice is both uniquely identified and easily locatable. Governance and management practices are a further development of the control objectives and control practices from COBIT 4.1.

    The COBIT 5 process reference model incorporates the ValIT and RiskIT frameworks into a single unified framework.


    Figure 1 The COBIT 5 Process Reference Model


    The COBIT Goals Cascade

    One of the strengths of COBIT 5 is the linkage of stakeholder needs through enterprise and IT-related goals to enabler goals. A set of generic enterprise and IT-related goals is supplied in the COBIT 5 Framework publication [4] with the reminder that organisations will need to adapt them to meet their specific requirements. Each set of goals is arranged in a balanced scorecard format with the enterprise goals also having an indication of the contribution that they make to the three governance drivers of benefits realisation, risk optimisation and resource optimisation.

    The same document also provides mapping of:

    o a generic set of stakeholder needs onto the enterprise goals
    o enterprise goals to IT related goals and
    o IT-related goals to the 37 processes in the process reference model.

    Finally, the process reference model suggests metrics that might be useful to judge how well each process is supporting the relevant IT-related goals. The goals cascade provides traceability between stakeholder drivers and the ICT processes that act as a key enabler. This provides a means to identify, where a specific stakeholder need or enterprise goal is not being fulfilled, the underlying ICT processes that may be underperforming and target improvement activity where it will realise the greatest value for the enterprise and its stakeholders.

    The goals cascade is shown in Figure 4 on the following page. The references to the right of the figure refer to parts of the COBIT 5 Framework document.


    Figure 2 The COBIT 5 Goals Cascade


    COBIT 5 Process Information

    In a similar manner to earlier versions, COBIT 5 provides information on each process in its reference model. This is contained in Chapter 5 of the Enabling Processes document [5]. The information for each process is structured in the same way and, at first glance, there appear to be significant differences to the structure used in COBIT 4.1 [6]. In reality, many of the concepts and useful information are carried forward from the earlier version and enhanced.

    COBIT 5 process information is structured as follows:

    | Item | Description | COBIT 4.1 Equivalent |
    | --- | --- | --- |
    | Process identification | Process label (domain prefix and two-digit number); Process name; Area: governance or management; Domain: EDM, APO, BAI, DSS or MEA | The Process Description page provides similar information |
    | Process description | An overview of what the process does | |
    | Process purpose statement | The overall purpose of the process | |
    | Goals cascade information | The IT-related goals that the process primarily supports and suggested metrics to measure how well those goals are achieved | Provided at the IT level in the Goals and Metrics section on the Management Guidelines page |
    | Process goals and metrics | A set of process goals and a limited set of example metrics | Provided at the process level in the Goals and Metrics section on the Management Guidelines page |
    | RACI chart | A suggested set of assignment of process practices to different roles and structures. The chart distinguishes enterprise roles from those in IT. | Management Guidelines include a RACI chart with key activities that do not map clearly onto control objectives. |
    | Detailed descriptions of process practices | A set of governance or management practices that are required to establish effective process control. Each practice includes: Practice label: The five-character process label followed by a two-digit number to uniquely identify the practice. Practice title and description: The practice name and a description of what needs to be done to establish it. Practice inputs and outputs: These include details of input sources and output destinations. Process activities: Further guidance on the activities that are required to establish and maintain the practice. | Process practices represent further development of the Control Objectives listed for each process and the supporting Control Practices that were documented in a separate document [7]. In COBIT 4.1, inputs and outputs are documented at the overall process level, rather than the objective/practice level. |
    | Related guidance | References to other standards and sources of guidance | Provided at an overall level in Appendix IV of the COBIT 4.1 document and expanded in a number of mapping documents published by ISACA. |


    There are other obvious differences between COBIT 5 and 4.1

    o Information criteria are now generally incorporated into goals for the COBIT 5 Information enabler and
    o Maturity models are no longer included in the reference model but covered in a separate process assessment model that conforms with the requirements of the IT process assessment standard ISO-IEC 15504-2 [8]

    The Value of COBIT 5

    We believe that COBIT 5 can provide significant value to organisations wishing to adopt an integrated governance approach to the provision of IT services. In particular, COBIT provides:

    o Clear linkage of ICT processes to enterprise goals and stakeholder needs through the goals cascade
    o Separation of governance and management processes
    o A broad scope that can link other frameworks such as ITIL, P3O, PRINCE 2, TOGAF and relevant international standards
    o A well-defined set of governance and management practices that provide a control framework to optimise value by delivering the required benefits to stakeholders while managing risks and resources effectively and
    o A set of suggested goals and supporting metrics that organisations should adapt to meet their specific needs

    Each best practice framework comes with its own set of strengths and a judicious combination of frameworks can enable effective governance while optimising alignment, effectiveness and efficiency of IT services to meet the needs of the organisation and its customers. COBIT can make an important contribution to governance and version 5 is a significant update that should make it more attractive and easier to use in organisations that seek greater levels of governance and control in IT service provision. We see COBIT as very complementary with ITIL, with the former focusing on the practices required to establish effective governance and management and the latter providing more information on how to establish the processes within each stage of the service lifecycle.


    Appendix A: IT Governance

    The diagram below shows at the high level the governance questions that most IT leaders are faced with. ProActive can help IT leaders answer those questions, using an IT service driven approach as embodied in frameworks that include ITIL, CobiT, P3M3 (Portfolio, Programme and Project Management), ISO/IEC 20000, Software Asset Management, TOGAF and ISO 27001. Each solution proposed takes into account these key questions and as such, ensures that consideration is taken for the bigger picture.

    Figure: Key IT governance questions

    Figure 12 - based on "The Information Paradox - Realizing the Business Benefits of Information Technology", John Thorp written jointly with Fujitsu, 1998 and revised 2003, McGraw-Hill, Canada.

    Are we doing the right things?

    To answer this question the correct strategies are required, so that we can deliver ICT services that meet the needs of the business as regards:-

    o Functionality
    o Capability
    o Ongoing investment


    This means that you need to have:-

    o A measure of the customers' quality of experience with existing ICT services and an understanding of IT Service Value Management
    o Understand gaps in IT - Business alignment
    o Relevant IT strategies to deliver the right IT services including an overall ICT strategy, IT Service Strategy, ITSM strategy, Technology roadmaps, Sourcing strategy etc
    o Portfolio Management capability underpinned by a Business Service Catalogue
    o A benchmark of the capability of your IT organisation
    o An understanding of the frameworks we should be using, eg ITIL, CobiT, TOGAF, P3M3

    Are we doing them the right way?

    To answer this question required are:-

    o A lifecycle approach to the delivery of ICT services that is integrated
    o An Enterprise Architecture
    o A Portfolio, Programme and Project Framework
    o A Risk and Security methodology

    This means you need to have:-

    o Governance Lifecycle Framework
    o Understand the gaps in the quality of key ICT services and IT capability shortfalls
    o Tactical Plans for People, Process, Partners, Products
    o Management of Organisational Change capability
    o The ability to put the above into effect through a Capability Improvement Journey

    Are we getting them done well?

    This means you have to have:-

    o Effective and disciplined management of the whole lifecycle
    o Effective processes
    o Competent resources available to provide:-
        o the required capabilities
        o the organisational changes required to leverage the capabilities

    To put this into effect you need to effect:-

    o A Capability Improvement Journey
    o To have converted the key requirements into an operational Context
    o To implement the likes of Knowledge Centred Support (KCS) for Knowledge to improve efficiency and effectiveness
    o To be using Skills Framework for the Information Age (SFIA) and SFIAplus to properly define Roles and to be able to identify and address skills gaps
    o Integration of process and capabilities covering People, Products, Processes and Partners


    Appendix B: About ProActive

    Established in Australasia in 1987, ProActive has a comprehensive suite of services that includes integrating all IT Governance that underpins the IT Service lifecycle. In 1995, ProActive introduced the ITIL best practice guidance to Australia and New Zealand, and has provided thought leadership in Service Management ever since.

    ProActive are Australia and New Zealand's longest Service Management education provider, and have trained in excess of 38,000 students. In addition to our extensive consultancy services and web based capability assessment/survey tools, ProActive is a BCS accredited training organisation for ITIL training, an accredited provider of Knowledge Centred Support (KCS℠) training, a SFIA accredited partner.

    ITIL® is a registered Trade Mark of the UK Cabinet Office in the UK and other countries. KCS℠ is a servicemark of the Consortium for Service Innovation℠. SFIA® is a registered trademark of the SFIA Foundation.

    Our People

    ProActive consultants are highly skilled business process analysts with extensive practical experience combined with in-depth knowledge of a number of governance frameworks. All consultants have many years' practical, hands-on experience of ITIL implementation in organisations throughout Australia, New Zealand and internationally.

    They all hold the highest level of accreditation in their fields, including ITIL V3 (Expert level), CobiT, Prince2, ISO/IEC 20000, Software Asset Management, and KCS.

    More specifically they have:

    o a thorough knowledge of Service Management processes
    o extensive knowledge and experience of industry standards and practices in these processes
    o considerable knowledge and understanding of a range of the leading IT software solutions for these processes
    o extensive knowledge of how the processes ultimately translate into IT system work practices
    o the skills and maturity to play a facilitating and influencing role at all levels.

    What we do

    ProActive can assist organisations via our consulting and education services in all aspects of service and process improvement based on our flexible ProActive Services Capability Improvement Journey methodology. We can also help to sustain this change and ensure continual service improvement.

    Organisations we work with

    We have worked extensively with Australian and New Zealand IT organisations of all sizes across the private, state and federal government sectors. A sample of the organisations we work with includes:

    o ANZ Bank
    o Aurora Energy
    o Aurecon Pty Ltd
    o IAG
    o Ministry of Economic Development
    o University of Melbourne
    o NAB
    o NSW Businesslink
    o NSW Communities
    o Optus Communications
    o Origin Energy
    o Queensland Department of the CIO
    o Tabcorp
    o otor Corporation Australia
    o Victoria University of Wellington
    o Westpac Banking Corporation

    Certification and Accreditation

    ProActive achieved and have maintained ISO 9001 certification for over 10 years, with our most recent audit taking place in October 2010. Certification covers the delivery of Service Management consultancy and education services.

    ProActive are also accredited by the following organisations to deliver education services:

    o Information Systems Examination Board: ITIL training.
    o APMG: COBIT
    o Consortium for Service Innovation: KCS


    [1] ISO (2008), ISO/IEC 38

