
September 17, 2012

Pittsburgh ISACA Chapter

What is COBIT?

Control Objectives for Information and related Technologies


ISACA's guidance on the enterprise governance and management of IT.
Builds on more than 15 years of practical usage and application of COBIT by
many enterprises and users from business, IT, risk, security and assurance
communities.

Connects to, and, where relevant, aligns with, other major frameworks
and standards in the marketplace, such as

Information Technology Infrastructure Library (ITIL)


The Open Group Architecture Framework (TOGAF)
Project Management Body of Knowledge (PMBOK)
PRojects IN Controlled Environments 2 (PRINCE2)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
International Organization for Standardization (ISO) standards.

What is COBIT?
COBIT 5 brings together five principles that allow an
organization to build an effective governance and management
framework based on a holistic set of seven enablers, optimizing
information and technology investment and use for the benefit
of stakeholders.

What you need to remember


"All models are wrong, some models are useful."
George E. P. Box (the line is often attributed to W. Edwards Deming as well)
Thus, when adopting COBIT, a certain degree of
adaptation also needs to occur in order for it to be
of value.
Incorporate an operating model and a common
language for all parts of the enterprise involved in
IT activities.
Leverage the appendices for navigating the model.
Adapt to each unique organization.

Why Version 5?
Provide more stakeholders a say
Address the increasing dependency on external
business and IT parties
Deal with the amount of information, which has
increased significantly
Deal with much more pervasive IT
Provide further guidance in the area of
innovation and emerging technologies
Less about audit and more about governance

Why Version 5?

All previous content from these three models (COBIT 4.1, Val IT 2.0 and Risk IT)
is integrated and updated into COBIT 5.

COBIT begins with Information


Information is a key resource.
Information is created, used, modified,
retained, disclosed and destroyed.
Technology plays a key role in these actions.
Technology is pervasive in all aspects of
business.
What benefits do information and technology
bring to organizations?

Enterprise Benefits
Organizations and their leaders strive to:
Maintain quality information to support business decisions.
Generate business value from IT-enabled investments, i.e.,
achieve strategic goals and realize business benefits through
effective and innovative use of IT.
Achieve operational excellence through reliable and efficient
application of technology.
Maintain IT-related risk at an acceptable level.
Optimize the cost of IT services and technology.

How can these benefits be realized to create enterprise
stakeholder value?

Stakeholder Value
Delivering organizational stakeholder value requires good
governance and management of information and technology
(IT) assets.
Corporate boards, executives and management have to
embrace IT like any other significant part of the business.
External legal, regulatory and contractual compliance
requirements related to enterprise use of information and
technology are increasing, threatening value if breached.
COBIT 5 provides a comprehensive framework that assists
enterprises to achieve their goals and deliver value through
effective governance and management of enterprise IT.

The COBIT 5 Framework


COBIT 5 helps organizations create optimal value from IT
by maintaining a balance between realizing benefits and
optimizing risk levels and resource use.
COBIT 5 enables information and related technology to be
governed and managed in a holistic manner for the entire
organization, taking in the full end-to-end business and
functional areas of responsibility, considering the IT-related
interests of internal and external stakeholders.
The COBIT 5 principles and enablers are generic and
useful for organizations of all sizes, whether commercial,
not-for-profit or in the public sector.

COBIT Structure
COBIT provides cascading guidance to
align the complex relationship between
business and IT goals by depicting a
cascading relationship between the sets of
goals and enablers.
COBIT provides the "what": it defines the practices to be
achieved and the measures that follow from them.

COBIT 5 Principles

Source: COBIT 5, 2012 ISACA

Goals Cascade

The COBIT 5 Goals Cascade is the mechanism to translate
stakeholder needs into specific, actionable and customized
enterprise goals, IT-related goals and enabler goals.

Source: COBIT 5. 2012 ISACA

COBIT Stakeholder
Drivers & Needs

A governance system should consider all stakeholders when making
benefit, risk and resource assessment decisions.
For each decision, the following questions can and should be asked:
For whom are the benefits?
Who bears the risk?
What resources are required?

Stakeholder Needs: these questions point us towards an enterprise goal focus.

Source: COBIT 5. 2012 ISACA


COBIT Enterprise Goals


COBIT provides 17 general enterprise
goals
These goals are categorized into four
domains:
Financial
Customer
Internal
Learning and Growth

COBIT Enterprise Goals

Source: COBIT 5. 2012 ISACA

Primary & Secondary

COBIT 5 Model
P stands for primary: there is an important relationship, and
the item is a primary support for the achievement of the COBIT
object (e.g., a goal).
S stands for secondary: there is still a strong, but less
important, relationship.

COBIT Enterprise Goals Metrics

Source: COBIT 5. 2012 ISACA


COBIT IT Goals
COBIT provides 17 generic IT-related goals.
Enterprise goals translate, with traceability, into these
IT-related goals, and the IT-related goals in turn require the
successful application and use of a number of enablers.

COBIT IT Goals

Source: COBIT 5. 2012 ISACA

COBIT IT Goals - Metrics

Source: COBIT 5. 2012 ISACA


Mapping of Goals
Understanding the alignment of Enterprise Goals with IT Goals
is critical to leveraging COBIT 5.

Source: COBIT 5. 2012 ISACA All rights reserved.

COBIT 5 Enablers

Source: COBIT 5. 2012 ISACA

COBIT Enablers
Enablers are factors that, individually and
collectively, influence whether something
will work; in this case, governance and
management over enterprise IT.
Enablers are driven by the goals cascade,
i.e., higher-level IT-related goals define
what the different enablers should
achieve.

COBIT Enablers
1. Principles, policies and frameworks are the vehicle to translate the desired
behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT-related
goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
5. Information is pervasive throughout any organization and includes all information
produced and used by the enterprise. Information is required for keeping the
organization running and well governed, but at the operational level, information is
very often the key product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure, technology and
applications that provide the enterprise with information technology processing and
services.
7. People, skills and competencies are required for the successful completion of
all activities and for making correct decisions and taking corrective actions.

COBIT Enablers
Some of the enablers defined previously are also
enterprise resources that need to be managed and
governed as well.
This applies to:
Information, which needs to be managed as a
resource. Some information, such as management
reports and business intelligence information, are
important enablers for the governance and
management of the enterprise.
Service, infrastructure and applications
People, skills and competencies

COBIT Enablers Interconnected

Each enabler needs the input of other enablers to be fully effective. For example:
processes need information;
organizational structures need skills and behavior.
Each enabler also delivers output to the benefit of other enablers. For example:
processes deliver information;
skills and behavior make processes efficient.
This means that to deal with any stakeholder need, all interrelated
enablers have to be analyzed for relevance and addressed if
required.

COBIT 5 Enablers

Source: COBIT 5. 2012 ISACA

COBIT Enablers
All enablers have a set of common dimensions. This set
of common dimensions:
Provides a common, simple and structured way to deal
with enablers
Allows an entity to manage its complex interactions
Facilitates successful outcomes of the enablers

COBIT Enabler Dimensions

Source: COBIT 5. 2012 ISACA

COBIT Information Criteria

The COBIT 5 information model allows an additional set of information quality
criteria to be defined, adding value to the seven COBIT 4.1 information criteria
(effectiveness, efficiency, confidentiality, integrity, availability, compliance
and reliability).

COBIT: Enabling Processes

A process is defined as a collection of
practices influenced by the enterprise's
policies and procedures that takes inputs
from a number of sources (including other
processes), manipulates the inputs and
produces outputs (e.g., products,
services).

COBIT: Enabling Processes


The processes model shows:
Stakeholders - Processes have internal and external
stakeholders, with their own roles; stakeholders and their
responsibility levels are documented in RACI charts. External
stakeholders include customers, business partners,
shareholders and regulators. Internal stakeholders include the
board, management, staff and volunteers.
Goals - process goals are defined as a statement describing
the desired outcome of a process. An outcome can be an
artifact, a significant change of a state or a significant
capability improvement of other processes. They are part of
the goals cascade, i.e., process goals support IT-related
goals, which in turn support enterprise goals.

Process Goals
Process goals can be categorized as:
Intrinsic goals: Does the process have intrinsic
quality? Is it accurate and in line with good practice? Is it
compliant with internal and external rules?
Contextual goals: Is the process customized and
adapted to the enterprise's specific situation? Is the
process relevant, understandable, easy to apply?
Accessibility and security goals: The process
remains confidential when required, and is known and
accessible to those who need it.

Process Goal Metrics


At each level of the goals cascade, metrics are defined
to measure the extent to which goals are achieved.
A metric is a quantifiable entity that allows the
measurement of the achievement of a process goal.
Metrics should be SMART: specific, measurable,
actionable, relevant and timely.
To manage the enabler effectively and efficiently,
metrics need to be defined to measure the extent to
which the expected outcomes are achieved.

Process Life cycle


Life cycle: each process has a life cycle. It is
defined, created, operated, monitored, and
adjusted/updated or retired.

Generic process practices, such as those defined
in the COBIT process assessment model (PAM) based
on ISO/IEC 15504, can assist with defining,
running, monitoring and optimizing processes.

Good Practices
Good practices: COBIT 5: Enabling
Processes contains a process reference model,
in which process-internal good practices are
described in growing levels of detail: practices,
activities and detailed activities.

COBIT Enabling Processes


COBIT 5 provides 37 IT processes
segmented into 5 domains:
Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)

COBIT Enabling Processes


Although, as described previously, most of the
processes require planning, implementation,
execution and monitoring activities within the process
or within the specific issue being addressed (e.g.,
quality, security), they are placed in domains in line with
what is generally the most relevant area of activity when
regarding IT at the enterprise level.
In COBIT 5, the processes also cover the full scope of
business and IT activities related to the governance and
management of enterprise IT, thus making the process
model truly enterprise-wide.

Governance and Management


Governance ensures that organizational objectives are
achieved by evaluating stakeholder needs, conditions
and options; setting direction through prioritization and
decision making; and monitoring performance,
compliance and progress against agreed-upon direction
and objectives.
Management plans, builds, runs and monitors
activities in alignment with the direction set by the
governance body to achieve the organizational
objectives.


Source: COBIT 5. 2012 ISACA

Evaluate, Direct and Monitor (EDM)

Governance ensures that enterprise
objectives are achieved by evaluating
stakeholder needs, conditions and options;
setting direction through prioritization and
decision making; and monitoring
performance, compliance and progress
against agreed-on direction and objectives.
These three activities give the domain its name.

Evaluate, Direct and Monitor (EDM)

EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency

Align, Plan and Organize (APO)

The Align, Plan and Organize domain
covers the use of information and technology and
how best it can be used in a company to help
achieve the company's goals and objectives. It
also highlights the organizational and
infrastructural form IT is to take in order to
achieve optimal results and to generate the
most benefit from the use of IT.

Align, Plan and Organize (APO)

APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement (BAI)

The Build, Acquire and Implement domain
covers identifying IT requirements,
acquiring the technology, and
implementing it within the company's
current business processes.

Build, Acquire and Implement (BAI)

BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support (DSS)

The Deliver, Service and Support domain
focuses on the delivery aspects of
information technology. It covers areas
such as the execution of the applications
within the IT system and its results, as well
as the support processes that enable the
effective and efficient execution of these IT
systems.

Deliver, Service and Support (DSS)

DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)

The Monitor, Evaluate and Assess domain deals with a
company's strategy for assessing its needs and whether
the current IT system still meets the objectives for which
it was designed and the controls necessary to comply with
regulatory requirements. Monitoring also covers
independent assessment, by internal and external auditors,
of the effectiveness of the IT system in meeting business
objectives and of the company's control processes.

Monitor, Evaluate and Assess (MEA)

MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Evaluate and Assess Compliance with External Requirements

Governance & Management

Source: COBIT 5. 2012 ISACA

IT Process
to IT Goal
Mapping

Source: COBIT 5. 2012 ISACA


COBIT Enabling Process

Example Walkthrough: APO02 Manage Strategy
Process label: domain prefix and number
Process name
Area of the process: governance or management

APO 02 Manage Strategy

Description: what the process does and accomplishes
Purpose statement: overall purpose description

Source: COBIT 5. 2012 ISACA

APO 02 Manage Strategy

Goals cascade: related IT goals
Generic metrics: measure achievement of the IT goals

Source: COBIT 5. 2012 ISACA

APO 02 Manage Strategy

Process Goals
Process Metrics
Source: COBIT 5. 2012 ISACA

APO 02 Manage Strategy

Source: COBIT 5. 2012 ISACA

APO 02 Manage Strategy


RACI Chart
Responsible: Who is getting the task done?
Accountable: Who accounts for the success of the task?
Consulted: Who is providing input?
Informed: Who is receiving information?

APO 02 Manage Strategy

Detailed description
Activities
Source: COBIT 5. 2012 ISACA


APO 02 Manage Strategy

Related guidance from external sources

Source: COBIT 5. 2012 ISACA

Generic Guidance for Processes

Source: COBIT 5. 2012 ISACA

New & Modified Processes

5 new Governance Processes:
EDM 01 Ensure Governance Framework
Setting and Maintenance
EDM 02 Ensure Benefits Delivery
EDM 03 Ensure Risk Optimization
EDM 04 Ensure Resource Optimization
EDM 05 Ensure Stakeholder Transparency

New & Modified Processes

Summary of changes between COBIT 4.1 and COBIT 5

Processes in COBIT 4.1 that are merged in COBIT 5:
DS7 is merged with PO7 (Education and Human Resources)
PO6 is merged with PO1 (Management Communications and Management)
PO2 is merged with PO3 (Information and Technical Architectures)
AI2 is merged with AI3 (Application Software and Infrastructure Components)
DS12 is merged with DS5 (Physical Environment and Information Security)

New & Modified Processes

Entirely new processes in COBIT 5:
EDM1 Set and Maintain Governance Framework
APO1 Define the Management Framework
APO4 Manage Innovation (partly PO3)
APO8 Manage Relationships
BAI8 Knowledge Management
DSS2 Manage Assets (partly DS9)
DSS8 Manage Business Process Controls
(The labels in this comparison differ from the published process model listed
earlier in this deck, where these processes appear as EDM01, APO01, APO04, APO08,
BAI08, BAI09 Manage Assets and DSS06 Manage Business Process Controls.)

New & Modified Processes

Processes in COBIT 4.1 that are reassigned in COBIT 5:
ME4 to EDM1, 2, 3, 4, 5 (Governance)
Processes in COBIT 4.1 that are relocated in COBIT 5:
PO1 to APO2 (Strategic Planning)
PO4 to APO1 (Organization, Relationships and Processes)

Putting this all together

Enterprise Goals → IT Goals → Enabler Goals → Processes → Activities

COBIT Process Capability Model

Source: COBIT 5. 2012 ISACA


COBIT Process Capability Model

There are six levels of capability that a process can achieve, including an incomplete
process designation if the practices in it do not achieve the intended purpose of the
process:
0 Incomplete process: The process is not implemented or fails to achieve its
process purpose. At this level, there is little or no evidence of any systematic
achievement of the process purpose.
1 Performed process (one attribute): The implemented process achieves its
process purpose.
2 Managed process (two attributes): The previously described performed process is
now implemented in a managed fashion (planned, monitored and adjusted) and its
work products are appropriately established, controlled and maintained.
3 Established process (two attributes): The previously described managed process
is now implemented using a defined process that is capable of achieving its process
outcomes.
4 Predictable process (two attributes): The previously described established
process now operates within defined limits to achieve its process outcomes.
5 Optimizing process (two attributes): The previously described predictable
process is continuously improved to meet relevant current and projected business
goals.

COBIT Process Capability Model

Assessing whether the process achieves its goals, in other words achieves capability level
1, can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed
process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to the
degree to which each objective is achieved. This scale consists of the following ratings:
N (Not achieved): There is little or no evidence of achievement of the defined attribute in
the assessed process. (0 to 15 percent achievement)
P (Partially achieved): There is some evidence of an approach to, and some achievement
of, the defined attribute in the assessed process. Some aspects of achievement of the attribute
may be unpredictable. (15 to 50 percent achievement)
L (Largely achieved): There is evidence of a systematic approach to, and significant
achievement of, the defined attribute in the assessed process. Some weakness related to this
attribute may exist in the assessed process. (50 to 85 percent achievement)
F (Fully achieved): There is evidence of a complete and systematic approach to, and full
achievement of, the defined attribute in the assessed process. No significant weaknesses
related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the
same rating scale, expressing the extent to which the base practices are applied.
3. To further refine the assessment, the work products may also be taken into consideration to
determine the extent to which a specific assessment attribute has been achieved.
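As an added worked example (not part of the original slides or of ISACA's material), the two steps above can be turned into a small assessment helper: achievement percentages are mapped onto the N/P/L/F scale, and the per-attribute ratings are then rolled up into a capability level. The roll-up rule used here is the one from ISO/IEC 15504-2, on which the COBIT process assessment model is based: level n is reached when every attribute of level n is rated L or F and every attribute of the levels below it is rated F. The attribute names are the standard's (the slide only gives their counts per level), treating the lower bound of each percentage band as exclusive (above 15, 50 and 85 percent) is the standard's convention and an assumption here, and the DSS05 scores are constructed for illustration.

```python
"""Roll-up of ISO/IEC 15504 attribute ratings into a COBIT 5 capability level.

Added example: the rule and attribute names come from ISO/IEC 15504-2; the
scores at the bottom are constructed for illustration, not real assessment data.
"""
from typing import Dict, List, Tuple

# Process attributes per capability level (ISO/IEC 15504-2): one attribute at
# level 1 and two at each of levels 2 to 5, matching the counts on the slide.
ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA1.1 Process performance"],
    2: ["PA2.1 Performance management", "PA2.2 Work product management"],
    3: ["PA3.1 Process definition", "PA3.2 Process deployment"],
    4: ["PA4.1 Process measurement", "PA4.2 Process control"],
    5: ["PA5.1 Process innovation", "PA5.2 Process optimization"],
}

# Ordinal value of each rating, so "at least Largely achieved" is a comparison.
RATING_ORDER: Dict[str, int] = {"N": 0, "P": 1, "L": 2, "F": 3}


def rate(percent_achieved: float) -> str:
    """Map an achievement percentage to the N/P/L/F scale.

    Bands: N 0-15, P >15-50, L >50-85, F >85-100. The slide shares the
    endpoints between bands; treating each lower bound as exclusive follows
    ISO/IEC 15504-2 and is the assumption made here.
    """
    if not 0 <= percent_achieved <= 100:
        raise ValueError(f"achievement must be 0..100 percent, got {percent_achieved}")
    if percent_achieved <= 15:
        return "N"
    if percent_achieved <= 50:
        return "P"
    if percent_achieved <= 85:
        return "L"
    return "F"


def capability_level(ratings: Dict[str, str]) -> int:
    """Return the capability level (0-5) supported by a set of attribute ratings.

    Level n is achieved when every attribute of level n is rated L or F and every
    attribute of levels 1..n-1 is rated F. An attribute that was not assessed
    counts as N. Levels are cumulative, so the first level that fails stops the
    roll-up: a weak lower attribute caps the result however strong the higher
    ones are (the rule is "weakest link", not an average).
    """
    known = {a for attrs in ATTRIBUTES.values() for a in attrs}
    unknown = set(ratings) - known
    if unknown:
        raise ValueError(f"unknown attributes: {sorted(unknown)}")
    bad = {r for r in ratings.values() if r not in RATING_ORDER}
    if bad:
        raise ValueError(f"ratings must be one of N/P/L/F, got {sorted(bad)}")

    level = 0
    for n in range(1, 6):
        current_ok = all(
            RATING_ORDER[ratings.get(a, "N")] >= RATING_ORDER["L"] for a in ATTRIBUTES[n]
        )
        lower_fully = all(
            ratings.get(a, "N") == "F" for k in range(1, n) for a in ATTRIBUTES[k]
        )
        if not (current_ok and lower_fully):
            break
        level = n
    return level


def assess(percentages: Dict[str, float]) -> Tuple[int, Dict[str, str]]:
    """Rate each attribute from its achievement percentage, then roll up the level."""
    ratings = {attr: rate(pct) for attr, pct in percentages.items()}
    return capability_level(ratings), ratings


# Constructed scores for DSS05 Manage Security Services (illustration only).
SAMPLE_DSS05: Dict[str, float] = {
    "PA1.1 Process performance": 92,      # F: the process achieves its purpose
    "PA2.1 Performance management": 70,   # L: planned and monitored, with gaps
    "PA2.2 Work product management": 55,  # L: work products controlled, some weaknesses
    "PA3.1 Process definition": 40,       # P: a standard process is only partly defined
    "PA3.2 Process deployment": 10,       # N: no evidence of consistent deployment
}

if __name__ == "__main__":
    level, ratings = assess(SAMPLE_DSS05)
    for attr, rating in ratings.items():
        print(f"{rating}  {attr}")
    print(f"DSS05 capability level: {level}")  # 2: level 3 is blocked by PA3.1 and PA3.2
```

The roll-up deliberately does not average across attributes: a process whose PA1.1 is only Largely achieved stays at level 1 even when both level 2 attributes are Fully achieved, which is the outcome an assessor most often has to explain to the process owner.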

Auditor Tips
Evidence of activities (as well as
inputs/outputs) is critical in assessing the
existence of controls.
Information and metrics/measurements are
key to any critical IT process.

Remaining Thoughts

COBIT has evolved to provide the overarching framework for organizations to
achieve IT governance while leveraging
other industry best practices,
frameworks, and models to provide
prescriptive actions.
COBIT promotes tight alignment with IT
processes and enterprise goals.
COBIT is a useful tool beyond just the
standard audit guidance.

Questions?

Thank you
