
ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance

By Christopher Oparaugo, CISM, CGEIT, CRISC

COBIT Focus | 14 December 2015

The balanced scorecard (BSC), initially developed by Kaplan and Norton [1, 2, 3, 4], is a performance management system that allows enterprises to drive their strategies through measurement and follow-up. In recent years, the BSC has been applied to IT and, currently, the first real-life IT security governance application has been developed based on mapping International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 control objectives to COBIT® 4.1 process areas and IT governance focus areas. As a further exercise, the relationships and similarities of COBIT 4.1 and COBIT 5 can be explored to create a mapping for COBIT 5 in future publications.

This article explains how an exercise in instituting controls can be used to establish the IT BSC, which can be linked to the business BSC and, in so doing, can support the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls.

Balanced Scorecard Introduction

Kaplan and Norton introduced the BSC at the enterprise level. Their basic idea is that the evaluation of an organization should not be restricted to a traditional financial evaluation, but should be supplemented with measures concerning customer satisfaction, internal processes and the ability to innovate. These additional measures should assure future financial results and drive the organization toward its strategic goals while keeping all 4 perspectives in balance. Kaplan and Norton proposed a triple-layered structure for the 4 perspectives: mission (e.g., to become the customers' most preferred supplier), objectives (e.g., to provide the customers with new products) and measures (e.g., percentage of turnover generated by new products).

The BSC can be applied to the IT function and its processes [5, 6, 7, 8]. This article translates those earlier visions into actions that can be used to correct lapses that reduce value in the BSC results. The BSC can also be applied to IT risk management [9].

IT Governance Through Controls

This article illustrates how a cascade of scorecards can be instrumental in the development of IT/business governance processes and how this hierarchy of scorecards can support the alignment of business and IT strategy. The IT development BSC and the IT controls/operational BSC are introduced as enablers for the strategic BSC, which, in turn, is the enabler of the business BSC (figure 1).

Governance is established through compliance with standards and control objectives.

Figure 1—IT Balanced Scorecard as a Business Enabler

Source: Christopher Oparaugo. Reprinted with permission.

Controls Through Compliance to Standards

IT governance is part of corporate governance and has to provide the organizational structures to enable the creation of business value through IT, the assurance that there are no IT investments in bad projects and that there are adequate IT control mechanisms established through compliance with the control objectives of COBIT® and ISO/IEC 27001.

The methodology of the BSC is a measurement and management system that is suitable for supporting the IT governance process and the IT-business alignment process. Figure 2 shows sample cumulative average scores for the ISO/IEC 27001 control objectives and questions, showing inputs for the security policy domain used in the exercise for mapping ISO/IEC 27001 to COBIT 4.1.

Figure 2—Sample Cumulative Average Scores for the ISO/IEC 27001 Control Objectives and Questions Showing Inputs for Security Policy Domain

Columns: Reference (Checklist, Standard) | ISO/IEC 27001 Control Objective and Question (Section, Control, Question) | Results, Status (%)

Security Policy
1.1    5.1    Information Security Policy
1.1.1  5.1.1  Information security policy document
              Whether there exists an information security policy, which is approved by the management, published and communicated as appropriate to all employees?   93.33
              Whether the policy states management commitment and sets out the organizational approach to managing information security?   83.33
1.1.2  5.1.2  Review of information security policy
              Whether the information security policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness?   68.33
              Whether the information security policy has an owner who has approved management responsibility for development, review and evaluation of the security policy?   100.00
              Whether any defined information security policy review procedures exist and whether they include requirements for the management review?   93.33
              Whether the results of the management review are taken into account?   80.00
              Whether management approval is obtained for the revised policy?   96.67

Source: Christopher Oparaugo. Reprinted with permission.

Figure 3 shows sample cumulative domain scores for the ISO/IEC 27001 control objectives. These results are computed by domain as used in the exercise for mapping ISO/IEC 27001 to COBIT 4.1. The future state results are arbitrary figures that are being aspired to as targets for the exercise.

Figure 3—Resulting ISO/IEC 27001 Compliance Data by Domain

Domain                                        Objectives                                                                  Status (%)
Security Policy                               Information security policy                                                 88%
Organization of Information Security          Internal organization                                                       72%
                                              External parties                                                            40%
Asset Management                              Responsibilities for assets                                                 74%
                                              Information classification                                                  37%
Human Resources Security                      Prior to employment                                                         74%
                                              During employment                                                           70%
                                              Termination or change of employment                                         77%
Physical and Environmental Security           Secure areas                                                                42%
                                              Equipment security                                                          66%
Communication and Operations Management       Operational procedures and responsibilities                                 69%
                                              Third-party service delivery management                                     57%
                                              System planning and acceptance                                              58%
                                              Protection against malicious and mobile code                                73%
                                              Backup                                                                      57%
                                              Network security management                                                 64%
                                              Media handling                                                              57%
                                              Exchange of information                                                     65%
                                              Electronic commerce services                                                71%
                                              Monitoring                                                                  54%
Access Control                                Business control for access control                                         78%
                                              User access management                                                      68%
                                              User responsibilities                                                       59%
                                              Network access control                                                      60%
                                              Operating system access control                                             78%
                                              Application and information access control                                  57%
                                              Mobile computing and telecommuting                                          65%
Information System Acquisition,               Security requirements of information systems                                58%
Development and Maintenance                   Correct processing in applications                                          71%
                                              Cryptographic controls                                                      78%
                                              Security of system files                                                    72%
                                              Security in development and support services                                70%
                                              Technical vulnerability management                                          74%
Information Security Incident Management      Reporting information security events and weaknesses                        63%
                                              Management of information security incidents and improvements               73%
Business Continuity Management                Information security aspects of business continuity management              53%
Compliance                                    Compliance with legal requirements                                          58%
                                              Compliance with technical policies and standards and technical compliance   60%
                                              Information system audit considerations                                     63%

Source: Christopher Oparaugo. Reprinted with permission.

Figure 4 is the bar chart representation of the ISO/IEC 27001 results.

Figure 4—ISO/IEC 27001 Compliance Data by Domain Result in Bar Chart Format
[Bar chart; y-axis "% Compliance By Domain" from 0.00 to 100.00; series "Domain Status (%)", one bar per domain in the order of figure 3: 87.86, 56.20, 55.28, 73.61, 56.49, 62.31, 64.66, 70.50, 67.74, 52.67, 60.10]

Source: Christopher Oparaugo. Reprinted with permission.

The generic maturity model score was derived from the data of the assessment based on the values that are mapped to the COBIT 4.1 domains (figure 5). These scores are used to create the charts in figures 6 and 7 for maturity benchmark results by domain.


Figure 5—Compliance Output Data to Generic Future Desired State With Generic Maturity Model

Source: Christopher Oparaugo. Reprinted with permission.

Figure 6—ISO/IEC 27001 Compliance Data Results to Generic Future Desired State


Source: Christopher Oparaugo. Reprinted with permission.

Figure 7—COBIT Compliance to Generic Future Desired State

Source: Christopher Oparaugo. Reprinted with permission.

The value inputs of 0% to 100% from the ISO control objectives, sections and control questions are mapped to COBIT 4.1 domains and processes. These are linked to the IT governance focus areas as shown in figure 8.

Figure 8—Sample Results Showing Mapping of ISO/IEC 27001 Data to COBIT Processes

Figure 8—Sample Results Showing Mapping of ISO/IEC 27001 Data to COBIT Processes

Columns: COBIT 4.1 domain and process | Resource risk rank (H/M/L) | IT governance focus areas (Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Management; P = primary, S = secondary, marks listed in row order) | Mapped COBIT 4.1 process cumulative average score from the ISO/IEC 27001 assessment results | ISO/IEC 27001 status (%)

1 Plan and Organize
PO1   Define a strategic IT plan                               H   P S S        -       0%
PO2   Define the information architecture                     L   P S P S      69.85   70%
PO3   Determine technological direction                       M   S S P S      66.78   67%
PO4   Define the IT processes, organization and relationships L   S P P        64.09   64%
PO5   Manage the IT investment                                M   S P S S      86.67   87%
PO6   Communicate management aims and direction               M   P P          66.78   67%
PO7   Manage IT human resources                               L   P P S S      73.75   74%
PO8   Manage quality                                          M   P S S        61.67   62%
PO9   Assess and manage IT risk                               H   P P          64.58   65%
PO10  Manage projects                                         H   P S S S S    -       0%
      Domain average                                                                   55%

2 Acquire and Implement
AI1   Identify automated solutions                            M   P P S S      53.33   53%
AI2   Acquire and maintain application software               M   P P S        64.29   64%
AI3   Acquire and maintain technology infrastructure          L   P            66.90   67%
AI4   Enable operation and use                                L   S P S S      56.19   56%
AI5   Procure IT resources                                    M   S P          65.00   65%
AI6   Manage changes                                          H   P S          73.47   73%
AI7   Install and accredit solutions and changes              M   S P S S S    70.36   70%
      Domain average                                                                   64%

3 Deliver and Support
DS1   Define and manage service levels                        M   P P P P      47.50   48%
DS2   Manage third-party services                             L   P S P S      62.69   63%
DS3   Manage performance and capacity                         L   S S P S S    60.00   60%
DS4   Ensure continuous service                               M   S P S P S    55.83   56%
DS5   Ensure systems security                                 H   P            66.29   66%
DS6   Identify and allocate costs                             L   S P S        -       0%
DS7   Educate and train users                                 M   S P S        43.33   43%
DS8   Manage service desk and incidents                       M   S P S        63.82   64%
DS9   Manage the configuration                                M   P S          65.44   65%
DS10  Manage problems                                         M   P S          75.00   75%
DS11  Manage data                                             H   P P P        56.44   56%
DS12  Manage the physical environment                         L   S P          66.85   67%
DS13  Manage operations                                       L   P            73.33   73%
      Domain average                                                                   55%

4 Monitor and Evaluate
ME1   Monitor and evaluate IT performance                     H   P            56.22   56%
ME2   Monitor and evaluate internal control                   M   P P          69.00   69%
ME3   Ensure regulatory compliance                            H   P P          62.58   63%
ME4   Provide IT governance                                   H   P P P P P    69.37   69%
      Domain average                                                                   64%

Source: ISACA, Mapping COBIT 4.1 to ISO/IEC 27001, USA, 2005

The resulting data from the exercise are further employed as COBIT information criteria for primary and secondary grouping. The resulting values of the ISO/IEC 27001 mapping into COBIT processes are linked with the defined IT goals. Exercise results showing the values from the data mapping outputs are shown in figure 9.

Figure 9—Linking COBIT Processes Data Results to IT Goals Showing the Information Criteria for Governance Activities

Columns: COBIT's domains and processes | Resource risk rank | IT governance focus areas (Strategic Alignment, Value Delivery, Resource Mgt, Risk Mgt, Performance Management) | ISO 27001 status (%) | Mapping. The process rows (PO1 through ME4), risk ranks, focus-area marks, mapped scores and domain averages (55%, 64%, 55%, 64%) are the same as in figure 8.

Source: Christopher Oparaugo. Reprinted with permission.

Based on the data values from the COBIT process linking to IT goals, the IT goals to business goals are derived and

the elements of the BSC are developed. Figure 10 shows the results of these links.

Figure 10—Data Linking IT Goals to Business Goals

Legend: Linking IT Goals To Business Goals. COBIT Information Criteria: ✔ = Used; Blank = Not Used.
Columns: Business goals (by BSC perspective) | IT goals (COBIT 4.1 IT goal numbers) | COBIT information criteria used (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability; check marks listed in row order) | Cumulative average score % | Status result %

Financial Perspective
1   Expand market share                                                      25 28                    ✔ ✔     41.10   41.1
2   Increase revenue                                                         25 28                    ✔ ✔     41.10   41.1
3   Return on investment                                                     24                       ✔       50.56   50.6
4   Optimize asset utilization                                               14                       ✔ ✔     66.43   66.4
5   Manage business risk                                                     2 14 17 18 19 20 21 22   ✔ ✔ ✔   62.71   62.7
    Perspective average                                                                                       52.38   52

Customer Perspective
6   Improve customer orientation and service                                 3 23                     ✔       61.84   61.8
7   Offer competitive products and services                                  5 24                     ✔ ✔     59.60   59.6
8   Service availability                                                     10 16 22 23              ✔ ✔     64.75   64.8
9   Agility in responding to changing business requirements (time to market) 1 5 25                   ✔ ✔     49.65   49.7
10  Cost optimization of service delivery                                    7 8 10 24                ✔       61.14   61.1
    Perspective average                                                                                       59.40   59

Internal Business Perspective
11  Automate and integrate the enterprise value chain                        6 7 8 11                 ✔ ✔     64.86   64.9
12  Improve and maintain business process functionality                      6 7 11                   ✔ ✔     64.49   64.5
13  Lower process costs                                                      7 8 13 15 24             ✔       60.49   60.5
14  Compliance with external laws and regulations                            2 19 20 21 22 26 27      ✔ ✔     62.19   62.2
15  Transparency                                                             2 18                     ✔       64.58   64.6
16  Compliance with internal policies                                        2 13                     ✔ ✔     48.34   48.3
17  Improve and maintain operational and staff productivity                  7 8 11 13                ✔ ✔     64.22   64.2
    Perspective average                                                                                       61.31   61

Learning and Growth Perspective
18  Product/business innovation                                              5 25 28                  ✔ ✔     50.28   50.3
19  Obtain reliable and useful information for strategic decision making     2 4 12 20 26             ✔ ✔ ✔   58.59   58.6
20  Increase in value delivery per employee                                  9 15 24                  ✔ ✔     57.25   57.3
21  Acquire and maintain skilled and motivated personnel                     9 28                     ✔ ✔     56.03   56
    Perspective average                                                                                       55.54   56

Source: ISACA®, COBIT® 4.1: Framework for IT Governance and Control, IT Governance Institute

Information Security Governance Balanced Scorecard

The BSC is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy and translate those into action. It provides feedback on both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the BSC transforms strategic planning from an academic exercise into the nerve center of an enterprise.

The BSC uses 4 perspectives, develops metrics, collects data and analyzes the data relative to each of these perspectives (the percentages are the perspective averages from figure 10):

1. Financial—To succeed financially, how should we appear to our shareholders? 52.38%
2. Customer—To achieve our vision, how should we appear to our customers? 59.40%
3. Internal business—To satisfy our shareholders and customers, at what business processes must we excel? 61.31%
4. Learning and growth—To achieve our vision, how will we sustain our ability to change and improve? 55.54%

Conclusion

The vision and strategy driver scores are obtained from the mapping exercise of ISO/IEC 27001 to COBIT 4.1, and these can be used in determining key performance indicator (KPI) scores for a department and drilled down to an individual's contribution to the overall department success. The results from linking IT goals to business goals and reviewing them against the COBIT information criteria help form a better perspective of the BSC. The assessment results can be drilled into, and a backward review of the mapping values can be used to determine the root cause of low values in a set of mapped ISO/IEC 27001 control objectives and questions; this forms the basis for developing an action plan as needed by the business.
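The cascade described in this article (question scores averaged into control objectives, mapped into COBIT 4.1 processes, linked to IT goals and business goals, rolled up into the four BSC perspectives, and then reviewed backwards to find the root cause of a low value) is small enough to implement directly. The following Python is an added example, not code from the article or from ISACA. The 5.1.1 and 5.1.2 question scores are the security-policy rows of figure 2 and the five financial-perspective goal scores used in the usage check are from figure 10; the other three controls, the control-to-process and process-to-IT-goal links, and the subset of IT goals listed under each business goal are constructed for illustration and are not the article's mapping.

```python
"""Cascade ISO/IEC 27001 question scores up to COBIT 4.1 processes, IT goals,
business goals and BSC perspectives, then trace a weak perspective back down
to the control whose questions need an action plan.

Added example: only the 5.1.1/5.1.2 scores come from the article (figure 2);
every other control, link and score below is CONSTRUCTED for illustration.
"""
from statistics import mean
from typing import Dict, List, Optional, Sequence

Scores = Dict[str, float]
Mapping = Dict[str, Sequence[str]]

# Level 0: ISO/IEC 27001 control -> per-question scores (0-100).
QUESTIONS: Dict[str, List[float]] = {
    "5.1.1": [93.33, 83.33],                          # figure 2
    "5.1.2": [68.33, 100.00, 93.33, 80.00, 96.67],    # figure 2
    "6.2.1": [40.0, 35.0],   # constructed: external parties
    "7.2.1": [37.0],         # constructed: information classification
    "10.5.1": [57.0],        # constructed: backup
}

# Levels 1-4: each parent lists the children whose scores it averages.
# Links are CONSTRUCTED; the IT goal numbers are a subset of figure 10.
PROCESS_TO_CONTROLS: Mapping = {
    "PO6 Communicate management aims and direction": ["5.1.1", "5.1.2"],
    "DS2 Manage third-party services": ["6.2.1"],
    "DS11 Manage data": ["7.2.1", "10.5.1"],
    "PO1 Define a strategic IT plan": [],  # nothing maps here: '-' in figure 8
}
ITGOAL_TO_PROCESSES: Mapping = {
    "IT goal 2": ["PO1 Define a strategic IT plan",
                  "PO6 Communicate management aims and direction"],
    "IT goal 14": ["DS11 Manage data"],
    "IT goal 24": ["DS2 Manage third-party services"],
}
BGOAL_TO_ITGOALS: Mapping = {
    "3 Return on investment": ["IT goal 24"],
    "4 Optimize asset utilization": ["IT goal 14"],
    "5 Manage business risk": ["IT goal 2", "IT goal 14"],
}
PERSPECTIVE_TO_BGOALS: Mapping = {
    "Financial": ["3 Return on investment", "4 Optimize asset utilization",
                  "5 Manage business risk"],
}
LEVEL_MAPPINGS = (PROCESS_TO_CONTROLS, ITGOAL_TO_PROCESSES,
                  BGOAL_TO_ITGOALS, PERSPECTIVE_TO_BGOALS)


def rollup(mapping: Mapping, child_scores: Scores,
           missing: Optional[float] = 0.0) -> Scores:
    """Score each parent as the cumulative average of its scored children.

    A parent with no scored children gets `missing`: 0.0 reproduces the
    article's '-' = 0% rows (PO1, PO10, DS6), which pull the domain average
    down; None leaves such parents out so they cannot distort higher levels.
    """
    out: Scores = {}
    for parent, children in mapping.items():
        vals = [child_scores[c] for c in children if c in child_scores]
        if vals:
            out[parent] = round(mean(vals), 2)
        elif missing is not None:
            out[parent] = missing
    return out


def domain_score(questions: Dict[str, List[float]],
                 controls: Sequence[str]) -> float:
    """Cumulative average over every question of the listed controls
    (the per-domain value plotted in figure 4)."""
    return round(mean(s for c in controls for s in questions[c]), 2)


def build_scorecard(questions: Dict[str, List[float]],
                    missing: Optional[float] = 0.0) -> List[Scores]:
    """Return one score dict per level: controls, processes, IT goals,
    business goals, perspectives."""
    levels: List[Scores] = [{c: round(mean(v), 2) for c, v in questions.items()}]
    for mapping in LEVEL_MAPPINGS:
        levels.append(rollup(mapping, levels[-1], missing))
    return levels


def trace_weakest(levels: List[Scores], node: str) -> List[str]:
    """Backward review: from a perspective, business goal or IT goal, follow
    the lowest-scoring child at each level down to the ISO/IEC 27001 control."""
    path = [node]
    # Pair each mapping with its children's scores, top level first, and
    # skip the levels above the one that contains `node`.
    steps = list(zip(reversed(LEVEL_MAPPINGS), reversed(levels[:-1])))
    while steps and node not in steps[0][0]:
        steps.pop(0)
    for mapping, scores in steps:
        children = [c for c in mapping.get(node, ()) if c in scores]
        if not children:
            break  # no scored evidence below this node
        node = min(children, key=lambda c: scores[c])
        path.append(node)
    return path


if __name__ == "__main__":
    sc = build_scorecard(QUESTIONS)
    for name, scores in zip(("controls", "processes", "IT goals",
                             "business goals", "perspectives"), sc):
        print(f"{name}: {scores}")
    print("weakest path:", " -> ".join(trace_weakest(sc, "Financial")))
```

With the defaults, `rollup` reproduces the article's arithmetic: the seven security-policy questions average to 87.86 (figure 4) and the five financial-perspective goal scores of figure 10 average to 52.38. The `missing` parameter is the caveat worth keeping in mind: with `missing=0.0`, tracing "5 Manage business risk" ends at PO1, a process with no ISO/IEC 27001 evidence at all, rather than at a weak control, because the unmapped process was scored 0% and then averaged in. Those rows are coverage gaps in the mapping, not assessed findings, and `missing=None` keeps them from steering the action plan.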

Successful enterprises understand the risk and exploit the benefits of IT, and find ways to align IT strategy with the business strategy, cascade IT strategy and goals down into the enterprise, and insist that an IT control framework be adopted and implemented. IT governance is not an isolated discipline. It is an integral part of overall enterprise governance that drives the business in these days of the Internet of Things. The need to integrate IT governance with overall business governance is similar to the need for IT to be an integral part of the enterprise business.

Christopher Oparaugo, CISM, CGEIT, CRISC, is the chief technology officer of KATEC Consulting Ltd. He has worked for IBM Global Business Services as an information security consultant. He has also worked in the telecommunication and banking industries in West Africa. Oparaugo has contributed to the ISACA® CISM®, CGEIT® and CRISC™ Certification Project and Test Enhancement Committee since 2005, setting exam questions and reviewing the manuals.

Endnotes

1 Kaplan, R.; D. Norton; "The Balanced Scorecard—Measures That Drive Performance," Harvard Business Review, January-February 1992, p. 71-79
2 Kaplan, R.; D. Norton; "Putting the Balanced Scorecard to Work," Harvard Business Review, September-October 1993, p. 134-142
3 Kaplan, R.; D. Norton; "Using the Balanced Scorecard as a Strategic Management System," Harvard Business Review, January-February 1996, p. 75-85
4 Kaplan, R.; D. Norton; The Balanced Scorecard: Translating Vision Into Action, Harvard Business School Press, Boston, 1996
5 Gold, C.; "Total Quality Management in Information Services—IS Measures: A Balancing Act," research note, Ernst & Young Center for Information Technology and Strategy, USA, 1992
6 Gold, C.; "US Measures—A Balancing Act," Ernst & Young Center for Business Innovation, USA, 1994
7 Willcocks, L.; Information Management, The Evaluation of Information Systems Investments, Chapman & Hall, UK, 1995
8 Van Grembergen, W.; D. Timmerman; "Monitoring the IT Process Through the Balanced Scorecard," Proceedings of the 9th Information Resources Management (IRMA) International Conference, USA, May 1998, p. 105-116
9 Van Grembergen, W.; "The Balanced Scorecard and IT Governance," Information Systems Control Journal, vol. 2, 2000