COBIT 5 Update Research - Isaca Malta Chapter
COBIT 5
ISACA Malta Chapter
Steven Babb
Dirk Steuperaert
Steven Babb
• Education – 1st Class BSc (Hons) Computing (1996)
– BS7799 Lead Auditor, ITIL Service Manager
– Prince 2 Certified Practitioner
– CGEIT, CRISC
• Professional Career – International Brewer, various roles (1991-1996)
– KPMG, Head of IT Risk (1996-2012)
– Betfair, Head of Governance, Risk & Assurance (2012-…)
• Professional Organisations – RiskIT Task Force, COBIT 5 Task Force, Cloud Computing Task
Force
– Framework Committee Chair, COBIT for Risk Chair
• Contact – [email protected]
Dirk Steuperaert
• Education – Master Engineering (Ugent, 1986)
– Master Computer Auditing (UAMS, 1995)
– CISA (1995), CGEIT (2009), CRISC (2011)
• Professional Career – Software Engineer (SWIFT) (1988-1992)
– IT Auditor (SWIFT, BBL, Cedel) (1992-1997)
– Consultant (PwC, 1997-2008)
– Independent Consultant (IT In Balance, 2008 - …)
• Professional Organisations – ISACA (COBIT Steering Committee, Lead Developer of Risk IT,
Project Manager of COBIT 5 Development, Project Manager for COBIT 5 for Risk, COBIT 5 for Assurance)
• Contact – [email protected]
• To provide you with:
– An overview of the development approach behind
COBIT 5 and a brief history of COBIT
– An understanding of the key principles underpinning
the COBIT 5 framework
– Key considerations on how to implement COBIT 5
– Additional COBIT 5 publications – what is here now
and what is coming next
– Thoughts on migration from legacy to COBIT 5
Objectives for this session
1. COBIT 5 Drivers (Steven)
2. COBIT 5 Framework – COBIT 5 Principles (Steven)
3. COBIT 5 Framework – Enablers (Steven)
4. COBIT 5 Framework – Process Capability Model (Dirk)
5. COBIT 5 Enabling Processes – Introduction (Dirk)
6. COBIT 5 Enabling Processes – Structure (Dirk)
7. COBIT 5 Enabling Processes – Overview of COBIT 5 Process Domains and Processes (Dirk)
8. COBIT 5 Implementation Guide (Dirk)
9. Additional Pubs: COBIT 5 for Security, COBIT 5 PAM (Steven)
10. Upcoming Pubs: COBIT 5 for Assurance, COBIT 5 for Risk (Steven)
11. Migrating to COBIT 5 – some more things to consider (Dirk)
12. Q&A
Agenda
1. Introduction & COBIT 5 Drivers
• A Framework – definition:
– Framework ≠ Standard
– Framework ≠ Complete Solution
– Framework ≠ Ready-to-use Solution
– Framework ⊂ Structures and components
– Framework ⊂ Way of thinking
– Framework ⇒ Basis that needs customisation
Introduction – The Basic Equation
• The original acronym COBIT stood for ‘Control Objectives for Information and Related Technology’
• The control objectives are gone now… well, at least the name has…
• But Information and Related Technology stand!
• Information
– is a key resource for all enterprises
– is created, used, retained, disclosed and destroyed
• Technology
– plays a key role in these actions
– is becoming pervasive in all aspects of business and personal life
COBIT – ‘The’ Word
• Today, enterprises and their executives have to:
– Maintain high-quality information
– Generate business value from IT-enabled investments
– Achieve operational excellence
– Maintain IT-related risk at an acceptable level
– Optimise the cost of IT services and technology
– Comply with ever-increasing relevant laws, regulations,
contractual agreements and policies
• COBIT 5 provides the framework to fulfill these
requirements
COBIT – Enterprise Context and Benefits
• The world has moved on since COBIT 4.1 and related
ISACA Guidance were published:
– Importance of information
– Role of technology
– Technology landscape
– Views on governance and standards landscape
– Economic context
– Regulatory context
– Need for rationalisation of various ISACA guidance
Drivers for COBIT 5: Changing World
• Delivering enterprise stakeholder value requires good
governance and management of information and
technology (IT) assets
• Enterprise boards, executives and management have to
embrace IT like any other significant part of the business
• COBIT 5 provides the comprehensive framework for
enterprises to:
– achieve their goals
– deliver value through effective governance and management of
enterprise IT
Drivers for COBIT 5: Stakeholder Value
• Simply stated: COBIT 5 helps enterprises create optimal
value from IT by maintaining a balance between realising
benefits and optimising risk levels and resource use
– COBIT 5 enables information and related technology to be
governed and managed in a holistic manner for the entire
enterprise
– The COBIT 5 principles and enablers are generic and useful for
enterprises of all sizes, whether commercial, not-for-profit or in
the public sector
The COBIT 5 Framework
COBIT: Its development history (diagram – evolution of scope)
– COBIT 1 (1996): Audit
– COBIT 2 (1998): Control
– COBIT 3 (2000): Management
– COBIT 4.0/4.1 (2005/7): IT Governance
– COBIT 5 (2012): Governance of Enterprise IT
– Also integrated along the way: Val IT 2.0 (2008), Risk IT (2009)
A business framework from ISACA, at www.isaca.org/cobit
COBIT 5: Timeline (3/09/2009 – 10/04/2012)
– Sep 2009: Joint FC-C5TF Kick-Off Meeting
– Nov 2009: Start of Design
– Feb 2010: Dev Team Meeting
– 20/03/2010: Public Exposure COBIT 5 Architecture Blueprint
– Apr 2010: C5TF Meeting
– May 2010: First SME Development Workshop
– Aug 2010: Second SME Development Workshop
– Oct 2010: Dev Team Meeting
– Dec 2010: C5TF Meeting
– Jan 2011: End of Design
– 29/03/2011: SME Exposure COBIT 5
– May 2011: C5TF Meeting
– 1/07/2011: Public Exposure COBIT 5 Framework and Process Guide
– Nov 2011: Final C5TF Meeting
– Jan 2012: End of Development
– 10/04/2012: Publication COBIT 5
2. COBIT 5 Framework (1)
COBIT 5 Principles
• The main, overarching COBIT 5 product
• Contains the executive summary and the full description of all of the COBIT 5 framework components:
– The COBIT 5 principles – there are 5 of them!
– The seven COBIT 5 enablers
– An introduction to the implementation guidance (COBIT 5 Implementation)
– An introduction to the COBIT Assessment Programme (not specific to COBIT 5)
The COBIT 5 Framework
The COBIT 5 Principles
• Enterprises exist to create value for their stakeholders. Therefore:
– Governance Objective = Value Creation
– Governance objectives are driven by stakeholder needs
– Value is the interaction and combination of three components: benefits realisation, risk optimisation and resource optimisation
1. Meeting Stakeholder Needs
• Enterprises exist to create value
for their stakeholders
• Therefore:
– Governance objectives need to be
translated into manageable goals
– This is the COBIT 5 goals cascade
– This translates stakeholder needs
into specific, actionable and
customised goals
The COBIT 5 Principles
2. Covering the Enterprise End-to-End
• COBIT 5:
– Integrates governance of
enterprise IT into enterprise
governance
– Covers all functions and
processes within the enterprise
• Key components of a
governance system:
– Governance Enablers – the
organisational resources for
governance
– Governance Scope – the entity
to which governance is applied
• Third component: the governance roles, activities
and relationships.
– defines who is involved in governance, how they are
involved, what they do and how they interact, within the
scope of any governance system
The COBIT 5 Principles
3. Integrated Framework
• COBIT 5 aligns with the current versions of other relevant standards and frameworks:
– Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
– IT-related: ISO 38500, ITIL, ISO27000 series, TOGAF,
PMBOK/PRINCE2, CMMI, …
• This allows COBIT 5 to be used as the overarching
governance and management framework integrator
• COBIT 5 also integrates all major ISACA guidance:
COBIT 4.1, Risk IT, Val IT, BMIS, ITAF
• One consistent knowledge-base to build the COBIT 5
Product Family on
The COBIT 5 Principles
4. Enabling a Holistic Approach
• Enablers are factors that, individually and collectively,
influence whether something will work
• Enablers are driven by the goals cascade
• The COBIT 5 framework describes seven categories of
enablers
• Governance: Governance ensures that enterprise
objectives are achieved by evaluating stakeholder
needs, conditions and options; setting direction through
prioritisation and decision making; and monitoring
performance, compliance and progress against agreed
direction and objectives [EDM]
• Management: Management plans, builds, runs and
monitors activities in alignment with the direction set by
the governance body to achieve the enterprise
objectives [PBRM]
The COBIT 5 Principles
5. Separating Governance from Management
3. COBIT 5 Framework (2)
COBIT 5 Enablers and the Enabler Model
The COBIT 5 Enablers (diagram)
The COBIT 5 Enabler Model (diagram)
• This generic enabler model is repeated for each of the seven enablers, adding more specific details, guidance and some simple examples
The COBIT 5 Enabler Model – Performance Management (diagram)
4. COBIT 5 Framework (3)
COBIT 5 Process Capability Model
• COBIT 5 is supported by a new process capability assessment approach based on ISO/IEC 15504: the COBIT Assessment Programme.
• The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IEC 15504 approach, as the methods use different attributes and measurement scales
• In practice:
– In general, ‘ratings’ of a process will be lower with the new capability assessment approach (but they are not comparable anyway)
– COBIT 5 does not include a specific maturity model per process
The COBIT 5 Framework – Process Capability Model
Recap of Process Evaluation Methods: COBIT 4.1 (diagram)
Recap of Process Evaluation Methods: Risk IT (diagram)
The COBIT 5 Framework – Process Capability Model (diagram)
• The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method
• The COBIT Assessment Programme supports:
– formal assessments by accredited assessors (assessor training is being developed)
– less rigorous self-assessments for internal gap analysis and process improvement planning
• The COBIT Assessment Programme, in the future, will also potentially enable an enterprise to obtain an independent, certified assessment aligned to the ISO standard
Recap of Process Evaluation Methods – Rationale for change
• COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach must:
– realign their previous ratings,
– adopt and learn the new method, and
– initiate a new set of assessments in order to gain the benefits of the new approach
• Information gathered from previous assessments may be reusable, but care is needed, as there are significant differences in requirements
• COBIT 4.1, Val IT and Risk IT users wishing to continue with the CMM-based approach, either as an interim or an ongoing approach, can use the COBIT 5 guidance, but must use the COBIT 4.1 generic attribute table without the high-level maturity models
Recap of Process Evaluation Methods – Rationale for change
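The rating rule behind the ISO/IEC 15504-based approach, shown as an added Python example (not code from these slides or from ISACA): it applies the ISO/IEC 15504-2 rating scale (N/P/L/F for Not, Partially, Largely and Fully achieved, with bands 0–15 %, >15–50 %, >50–85 % and >85–100 %) and the rule that a process sits at capability level n only when every process attribute below n is Fully achieved and the attributes of level n are at least Largely achieved. The attribute names are the ISO/IEC 15504-2 ones adopted by the COBIT 5 PAM; the sample self-assessment ratings are constructed, and the process name is only a label. The example also lists which attributes block the next level, which is the output a self-assessment for gap analysis and improvement planning actually needs, and it makes visible why a single attribute that is only Largely achieved caps the whole level.

```python
# Added example: capability-level determination using the ISO/IEC 15504-2
# rating rules that the COBIT 5 Process Assessment Model (PAM) adopts.
# Attribute names follow ISO/IEC 15504-2; the sample ratings are constructed.
from __future__ import annotations

RATING_SCALE = ("N", "P", "L", "F")  # Not / Partially / Largely / Fully achieved

# Process attributes (PAs) per capability level. Level 0 (Incomplete) has no
# attributes; level 1 (Performed) has one; levels 2-5 have two each.
ATTRIBUTES = {
    1: ("PA1.1 Process performance",),
    2: ("PA2.1 Performance management", "PA2.2 Work product management"),
    3: ("PA3.1 Process definition", "PA3.2 Process deployment"),
    4: ("PA4.1 Process measurement", "PA4.2 Process control"),
    5: ("PA5.1 Process innovation", "PA5.2 Process optimisation"),
}


def rating(percent: float) -> str:
    """Map an achievement percentage to the N/P/L/F scale (ISO/IEC 15504-2 bands)."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be within 0..100")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(ratings: dict[str, str]) -> int:
    """Return the highest capability level achieved by a process.

    Rule: level n is achieved when every attribute below n is Fully achieved
    and every attribute of level n is Largely or Fully achieved. An attribute
    that was not rated counts as Not achieved (the conservative reading).
    """
    for r in ratings.values():
        if r not in RATING_SCALE:
            raise ValueError(f"unknown rating {r!r}")
    achieved = 0
    for level, attrs in ATTRIBUTES.items():
        lower_fully = all(
            ratings.get(a, "N") == "F"
            for lower in range(1, level)
            for a in ATTRIBUTES[lower]
        )
        this_level_ok = all(ratings.get(a, "N") in ("L", "F") for a in attrs)
        if lower_fully and this_level_ok:
            achieved = level
        else:
            break  # levels are cumulative: nothing above can be achieved
    return achieved


def gaps_to_next_level(ratings: dict[str, str]) -> list[str]:
    """Attributes that must improve for the process to reach the next level.

    Everything at or below the current level must become F, and the attributes
    of the next level must become at least L.
    """
    current = capability_level(ratings)
    if current == 5:
        return []
    gaps = []
    for level in range(1, current + 1):
        gaps += [a for a in ATTRIBUTES[level] if ratings.get(a, "N") != "F"]
    gaps += [a for a in ATTRIBUTES[current + 1] if ratings.get(a, "N") not in ("L", "F")]
    return gaps


# Constructed self-assessment of one process (labelled here as APO13 Manage
# Security): base practices fully performed, level-2 attributes only largely
# achieved, a process definition that exists but is barely deployed.
SAMPLE_RATINGS = {
    "PA1.1 Process performance": rating(92),
    "PA2.1 Performance management": rating(70),
    "PA2.2 Work product management": rating(60),
    "PA3.1 Process definition": rating(55),
    "PA3.2 Process deployment": rating(10),
}

if __name__ == "__main__":
    print("capability level:", capability_level(SAMPLE_RATINGS))
    print("to reach the next level, improve:", gaps_to_next_level(SAMPLE_RATINGS))
```

With the constructed ratings the process reaches level 2, not 3, even though a process definition is largely in place: the two level-2 attributes are only Largely achieved, and the rule requires them to be Fully achieved before level 3 can count. That cumulative rule is the mechanical reason the slides warn that ratings come out lower under the new approach and are not comparable with the old maturity numbers.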
Recap of Enabler Performance Management
• The ISO/IEC 15504-based approach is a process assessment scheme
• The generic enabler performance model aligns quite well with the 15504 approach – the same basic questions are asked…
• So the performance of other enablers can be assessed in a similar manner
• BUT: COBIT 5 as it stands does not elaborate this explicitly, as it does for processes
Assessing Other Enablers
5. COBIT 5 Enabling Processes
Introduction
• COBIT 5 goals cascade complemented with example metrics for the enterprise goals and the IT-related goals
• COBIT 5 process model is explained and its components defined
• Process reference model of 37 processes with detailed information for all processes
COBIT 5 Enabling Processes – Detailed Process Guidance
COBIT 5 Enabling Processes – COBIT 5 Process Model (diagram)
COBIT 5 Enabling Processes – Process Reference Model (diagram)
6. COBIT 5 Enabling Processes
Structure
COBIT 5 Enabling Processes – Detailed Process Guidance
• COBIT 5 provides a revised goals cascade based on enterprise goals (previously: business goals) driving IT-related goals (previously: IT goals), which are in turn supported by the enablers (previously: processes)
• COBIT 5 provides examples of goals and metrics at the enterprise, IT-related and process levels
– This is a change from COBIT 4.1, Val IT and Risk IT, which went one level lower (activity level) but did not have the higher, enterprise level
• Each process is documented with:
– Header information
– Process description
– Process purpose statement
– Goals cascade information: IT-related goals supported by this process plus related metrics, and process goals plus related metrics
– Process practices, with inputs & outputs and process activities
– RACI chart
– Related guidance
7. COBIT 5 Enabling Processes
Process Domains and Processes
The COBIT 5 Process Reference Guide – Process Reference Model (diagram)
Evaluate, Direct & Monitor – Processes for Governance of Enterprise IT
Process – Process Purpose
EDM01 Ensure Governance Framework Setting and Maintenance – Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met
EDM02 Ensure Benefits Delivery – Secure optimal value from IT-enabled initiatives, services and assets, cost-efficient delivery of solutions and services, and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently
EDM03 Ensure Risk Optimisation – Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised
EDM04 Ensure Resource Optimisation – Ensure that the resource needs of the enterprise are met in the most optimal manner, IT costs are optimised, and there is an increased likelihood of benefit realisation and readiness for future change
EDM05 Ensure Stakeholder Transparency – Make sure that the communication to stakeholders is effective and timely and the basis for reporting is established to increase performance, identify areas for improvement, and confirm that IT-related objectives and strategies are in line with the enterprise’s strategy
The COBIT 5 Process Reference Guide – Process Reference Model – EDM
Align, Plan & Organise – Processes for Management of Enterprise IT
Process – Process Purpose
APO01 Manage the IT Management Framework – Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies
APO02 Manage Strategy – Align strategic IT plans with business objectives, clearly communicate the objectives and associated accountabilities so they are understood by all, with the IT strategic options identified, structured and integrated with the business plans
APO03 Manage Enterprise Architecture – Represent the different building blocks that make up the enterprise and their inter-relationships, as well as the principles guiding their design and evolution over time, enabling a standard, responsive and efficient delivery of operational and strategic objectives
APO04 Manage Innovation – Achieve competitive advantage, business innovation, and improved operational effectiveness and efficiency by exploiting information technology developments
APO05 Manage Portfolio – Optimise the performance of the overall portfolio of programmes in response to programme and service performance and changing enterprise priorities and demands
APO06 Manage Budget and Costs – Enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services
APO07 Manage Human Resources – Optimise human resources capabilities to meet enterprise objectives
APO08 Manage Relationships – Create improved outcomes, increased confidence, and trust in IT and effective use of resources
APO09 Manage Service Agreements – IT services and service levels meet current and future enterprise needs
APO10 Manage Suppliers – Minimise the risk associated with non-performing suppliers and ensure competitive pricing
APO11 Manage Quality – Consistent delivery of solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs
APO12 Manage Risk – Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk
APO13 Manage Security – Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels
The COBIT 5 Process Reference Guide – Process Reference Model – APO
Build, Acquire & Implement – Processes for Management of Enterprise IT
Process – Process Purpose
BAI01 Manage Programmes and Projects – Realise business benefits and reduce the risk of unexpected delays, costs and value erosion, ensuring the value and quality of project deliverables, and maximising their contribution to the investment and services portfolio
BAI02 Manage Requirements Definition – Create feasible optimal solutions that meet enterprise needs while minimising risk
BAI03 Manage Solutions Identification and Build – Establish timely and cost-effective solutions capable of supporting enterprise strategic and operational objectives
BAI04 Manage Availability and Capacity – Maintain service availability, efficient management of resources and optimisation of system performance through prediction of future performance and capacity requirements
BAI05 Manage Organisational Change Enablement – Prepare and commit stakeholders for business change and reduce the risk of failure
BAI06 Manage Changes – Enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment
BAI07 Manage Change Acceptance and Transitioning – Implement solutions safely and in line with the agreed-on expectations and outcomes
BAI08 Manage Knowledge – Provide the knowledge required to support all staff in their work activities and for informed decision making and enhanced productivity
BAI09 Manage Assets – Account for all IT assets and optimise the value provided by these assets
BAI10 Manage Configuration – Provide sufficient information about service assets to enable the service to be effectively managed, to assess the impact of changes and to deal with service incidents
The COBIT 5 Process Reference Guide – Process Reference Model – BAI
Deliver, Service & Support – Processes for Management of Enterprise IT
Process – Process Purpose
DSS01 Manage Operations – Deliver IT operational service outcomes as planned
DSS02 Manage Service Requests and Incidents – Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents
DSS03 Manage Problems – Increase availability, improve service levels, reduce costs, and improve customer convenience and satisfaction by reducing the number of operational problems
DSS04 Manage Continuity – Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption
DSS05 Manage Security Services – Minimise the business impact of operational information security vulnerabilities and incidents
DSS06 Manage Business Process Controls – Maintain information integrity and the security of information assets handled within business processes in the enterprise or outsourced
The COBIT 5 Process Reference Guide – Process Reference Model – DSS
Monitor, Evaluate & Assess – Processes for Management of Enterprise IT
Process – Process Purpose
MEA01 Monitor, Evaluate and Assess Performance and Conformance – Provide transparency of performance and conformance and drive achievement of goals
MEA02 Monitor, Evaluate and Assess the System of Internal Control – Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements – The enterprise is compliant with all applicable external requirements
The COBIT 5 Process Reference Guide – Process Reference Model – MEA
8. COBIT 5 Implementation Guide
• COBIT 5: Implementation covers the following
subjects:
– Positioning GEIT within an enterprise
– Taking the first steps towards improving GEIT
– Implementation challenges and success factors
– Enabling GEIT-related organisational and behavioural
change
– Implementing continual improvement that includes
change enablement and programme management
– Using COBIT 5 and its components
COBIT 5 Implementation
Migrate to COBIT 5 or stay with COBIT 4? Some considerations…
• COBIT 5 because we have to do it…
• COBIT 5 because we want to do it…
• Recap: it’s the enablers that make governance work. So:
• ‘Roadmap to COBIT 5’ implies working on all these enablers:
– Defining and implementing processes
– Putting in place effective organisational structures
– Defining the right information streams
– Developing the right culture and associated behaviours
– Having the right skills, competences and (number of) people
Roadmap to COBIT 5 – If you adopt COBIT 5: It’s the enablers…
COBIT 5 Implementation Roadmap (diagram)
• What are the drivers for a COBIT 5 implementation?
• Are there any existing ‘pains’?
– Lack of control?
– Growing number of ‘loose ends’?
– Uncertain ROI of investments?
• Any important trigger events?
– Major new project?
– External pressure? Regulatory pressure?
• Questions: Are these issues real? If not, in theory there is no need to act urgently. If real issues exist, is the Board convinced that something needs to be done?
Roadmap to COBIT 5 – Step 1: Why would we do it?
• Assess the current situation:
– Determine, based on existing ‘pains’, the relevant areas for you in COBIT 5
– A diagnosis/high-level review of the selected governance enablers should be made, resulting in:
• Capability scores of processes
• Evaluations of other enablers
Roadmap to COBIT 5 – Step 2: Where are we now?
• Express target levels for capability of enablers
• This applies to processes, but also to other enablers
• Remember: raising your level of governance capability:
– Requires resources, including time
– Has to be subject to a business case!
Roadmap to COBIT 5 – Step 3: Where do we want to be?
• Some key success factors, without which failure is guaranteed:
– Continuous top management support and commitment
– Resources
– Regular success stories & quick wins
– Understanding key objectives (see next slide)
Success Factors
[Bar charts, scale 0–5, of Benefits, Risk and Resources, before and after]
Governance often perceived as this…
[Bar charts, scale 0–5, of Benefits, Risk and Resources, before and after]
Governance could also (preferably) result in this
Some quotes recorded during COBIT 5 development…
• Quote 1: “COBIT 5 is not a framework for the IT people…”
• Quote 2: “Organisations have the IT they deserve…”
9. Additional COBIT 5 Publications
- COBIT 5 for Information Security
- COBIT Assessment Programme
• This is an extended view of COBIT 5
• It explains each component of COBIT 5
from an information security perspective
• It provides security professionals detailed
guidance for using COBIT 5 as they
establish, implement and maintain
information security in the business
policies, processes and structures of an
enterprise
Additional Publications – COBIT 5 for Information Security
• This enables the evaluation of selected IT
processes – a view on process capability
• Process improvement, delivering business
value, measuring the achievement of business
goals, benchmarking, consistent reporting, etc
• Processes can be assessed individually or
alternatively in groups. Scoping areas include:
– Capability of processes to support cloud services
– Capability of processes to support achievement of
IT and business goals
– Capability of processes to support SOX compliance
– Capability of processes to support the enterprise
governance of IT
Additional Publications – COBIT Assessment Programme
10. Upcoming COBIT 5 Publications
- COBIT 5 for Assurance
- COBIT 5 for Risk
• This creates an information assurance view
of COBIT 5
• It provides guidance for ISACA’s
information assurance constituents
• It should be considered as the assurance
equivalent of COBIT 5 for Information
Security
• It is scheduled to be available in the second
quarter of 2013 – currently proposed to be
launched at Insights 2013
COBIT 5 for Assurance
• In COBIT 5, governance/management practices are the
replacements for
– the COBIT 4.1 control objectives
– The Val IT and Risk IT practices
• In COBIT 5, the focus is on enabler goals
• Achievement of enabler goals can be assessed:
– Are goals achieved – associated metrics at various levels in the
cascade
– Is appropriate good practice applied (design question)
– Are process activities (which include control activities)
adequately performed?
– Is the process capability level adequate or fit for purpose?
COBIT 5 for Assurance
• This creates an information risk view of
COBIT 5
• It will serve as the information risk specific
guidance for ISACA’s information risk
constituents
• It should be considered as the risk focused
equivalent of COBIT 5 for Information
Security
• It is scheduled to be available in the second
quarter of 2013 – currently proposed to be
launched at Insights 2013
COBIT 5 for Risk
11. Some more migration and implementation considerations. How to put COBIT 5 to use in practice?
• Example stakeholder question: How do I get value from IT? Do I get value from IT?
– COBIT 5: Value is the key driver for all enablers; COBIT 5 describes the organisational structures, processes, behaviours, information flows etc. that are needed to have IT deliver value to the enterprise; COBIT 5 also describes the mechanisms to analyse performance of all enablers, and includes a roadmap for a governance improvement project
– COBIT 5 contains specific processes and other enablers for value management, e.g. EDM02, APO05 and the linked organisational structures, information flows etc.
COBIT 5 Has Arrived – Now What?
Meeting Stakeholder Needs – Are they?
• Example stakeholder question: How do I manage performance of IT? Am I running an efficient and resilient IT operation? How do I best build and structure my IT department?
– COBIT 5 defines a set of interacting enablers that, when working and interacting well, provide a performing IT for the enterprise
– COBIT 5 includes a generic enabler model with a performance management module. Using this model to assess all enablers systematically will provide accurate and useful performance data
– COBIT 5 contains metrics associated with goals at various levels; these metrics can be included in a performance management system
– The ‘efficiency’ and ‘resilience’ questions can be dealt with by putting appropriate emphasis and priority on specific processes and other enablers
COBIT 5 Has Arrived – Now What?
Meeting Stakeholder Needs – Are they?
• Example stakeholder question: How do I know if I’m compliant with all applicable regulations? Am I?
– COBIT 5 includes a number of processes that specifically deal with compliance, from identifying compliance requirements, through implementing appropriate controls, to (independent) evaluation of compliance; the goals cascade includes several compliance-related goals at various levels
– COBIT 5 extends towards business processes, ensuring that compliance requirements are taken care of consistently throughout the enterprise
– The mechanisms to assess performance of these processes and other enablers can be used to manage performance of the compliance system
COBIT 5 Has Arrived – Now What?
Meeting Stakeholder Needs – Are they?
• Example stakeholder question: Did I address all IT-related risks?
– COBIT 5 includes several IT risk-related goals at various levels, which, when prioritised correctly, will identify the relevant processes and other enablers to manage risk
– Specific processes at governance and management level deal with risk management, e.g. EDM03, APO12, APO13 and the MEA domain
– The same holds for organisational structures, specific skills etc.
– Again, the built-in performance system allows monitoring of the performance and outcome of all enablers, providing an accurate view of current status
– In case improvements are needed, the Implementation Guide provides a roadmap towards enhanced governance practices
COBIT 5 Has Arrived – Now What?
Meeting Stakeholder Needs – Are they?
• More than 32 definitions of ‘complexity’ exist
• Is COBIT 5 complex? YES, because:
– It covers a complex matter and provides a model to deal with this complexity!
– Models are a simplification of reality to the level where the model is still relevant: simplification, but not simplistic!
• Is COBIT 5 complex? NO, because:
– If complex is defined as ‘time needed to understand’ (for a normal person), then we could argue that it is not very complex… 5 principles, seven enablers, each with four dimensions…
Finally – one word on ‘complexity’…
• The basic equation… A framework is a framework
• COBIT 5 is comprehensive in its vision on governance
• BUT: a lot remains to be done by yourselves, based on individual circumstances
• We already possess the most important tool required for that (shown in the image at the right)…
Some final advice...
Q & A