
COBIT 5

All together now!


Geoff Harmer
PhD, CEng, FBCS, CITP, CGEIT

Maat Consulting
Reading, UK
www.maatconsulting.com

Copyright Notice
COBIT is © 1996, 1998, 2000, 2005, 2012 ISACA and IT Governance Institute.
COBIT, Val IT, Risk IT, BMIS, ITAF, TGF are the registered trade marks of ISACA and the IT Governance Institute.
ISO is a registered trademark of the International Organization for Standardization.
BS is a registered trademark of British Standards Institute.
ITIL, PRINCE2 and MSP are registered trademarks of the Cabinet Office, UK.
IT-CMF is a registered trademark of Innovation Value Institute.
CMM and CMMI-DEV are US registered trademarks of Software Engineering Institute, Carnegie Mellon University.
PMBOK is a registered trademark of Project Management Institute.
TOGAF is a registered trademark of The Open Group.
Course design and content: © 2012 Maat Consulting Ltd. All rights reserved.
Neither ISACA nor ITGI endorse, sponsor or are otherwise affiliated with this COBIT 5 presentation content and they do not warrant or guarantee its accuracy.
Maat Consulting Ltd is always seeking improvements and welcomes comments on these materials to: feedback@maatconsulting.com

Agenda
- Introduction to COBIT 5
- Dive deeper
  - Framework
  - 5 Principles
  - 7 Enablers
  - Domains and processes
  - Management practices
  - Process capability assessment
- Current and future ISACA resources for COBIT 5
- Summary

Based on COBIT 5 (2012)

Introduction to COBIT 5

A business framework for the governance and management of enterprise IT (ISACA)

COBIT: Audit to GEIT in 16 years

The scope of COBIT has widened with each release, from Audit through Control, Management and IT Governance to Governance of Enterprise IT:
- COBIT 1 (1996): Audit
- COBIT 2 (1998): Control
- COBIT 3 (2000): Management
- COBIT 4.0/4.1 (2005/7): IT Governance
- Val IT 2.0 (2008) and Risk IT (2009): IT Governance
- COBIT 5 (2012): Governance of Enterprise IT

Approach to the design of COBIT 5
- Aims to be the only business framework for the governance and management of enterprise IT
- Integrates ISACA's frameworks and knowledge resources ("All together now"):
  - COBIT 4.1 (IT governance and management)
  - Val IT (Value delivery)
  - Risk IT (Risk management)
  - BMIS (Business Model for Information Security)
  - ITAF (IT Audit Framework)
  - TGF (Taking Governance Forward)
  - Board Briefing on IT Governance, 2nd Edition
- Integrates other major frameworks and standards
  - Particularly ISO 38500:2008 Corporate Governance of IT
  - Plus latest enterprise governance and management techniques

COBIT documents: 10 April 2012
- COBIT 5: A Business Framework for Governance & Management of Enterprise IT
  - Main guidance document
- COBIT 5: Enabling Processes
  - 5 domains, 37 processes & 208 governance/management practices
- COBIT 5: Implementation
  - Includes a toolkit: PowerPoint slide sets and PDF docs
  - No equivalent of the COBIT 4.1 Assessment Excel tool

COBIT 5: A Business Framework
- The main guidance document
- Contents:
  - Executive summary
  - Description of framework components
    - 5 principles
    - 7 enablers
  - Overview of implementation guidance
  - Overview of COBIT Process Capability Model (PCM)

COBIT 5: Governance v. Management
- Governance (EDM)
  - Evaluates stakeholder needs, conditions and options
  - Sets direction by prioritisation and decision making
  - Monitors performance, compliance and progress against agreed direction
  - Responsibility: Board; Leader: Chairperson
- Management (PBRM)
  - Plans, builds, runs and monitors activities
  - Aligned with the governance body's direction
  - With the goal of achieving enterprise objectives
  - Responsibility: Executive management; Leader: CEO

Management & Governance Practices

COBIT 5 consolidates the practices of its predecessors:
- COBIT 4.1: 210 Control Objectives
- Val IT: 22 Management Practices
- Risk IT: 9 Management Practices
into:
- COBIT 5: 15 Governance Practices
- COBIT 5: 193 Management Practices

COBIT 5: 5 Principles
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Single integrated framework
4. Holistic approach of 7 enterprise enablers
5. Separating governance from management

COBIT 5: 7 Enterprise Enablers
- Principles, Policies and Frameworks
- Processes
- Organisational Structures
- Culture, Ethics and Behaviour
- Information (Resource)
- Service Infrastructure & Applications (Resource)
- People, Skills & Competencies (Resource)

Summary of COBIT 5

The 5 Principles allow the building of a governance and management framework, based on 7 enablers, that optimises information and technology investment and its use to benefit stakeholders.

Dive deeper into COBIT 5

A business framework for the governance and management of enterprise IT (ISACA)

COBIT 5: The 5 Principles
1. Meeting stakeholders' needs
2. Covering the enterprise end-to-end
3. Single integrated framework
4. Holistic approach of 7 enterprise enablers
5. Separating governance from management

What are Stakeholders' needs?
- Internal Stakeholders
  - Board
  - CxOs
  - Business process owners & managers
  - Risk and security managers
  - HR managers
  - IT managers and IT audit
  - IT users
- Their needs
  - Value from IT
  - Performance of IT
  - Strategic use of new technology
  - Compliance with regulations
  - IT-related risk control
  - Control IT costs (+ sourcing options)
  - IT skills
  - IT programme/project control
- External Stakeholders
  - Shareholders
  - Business partners and suppliers
  - Regulators/government
  - Customers
  - External users
  - External auditors
- Their needs
  - Security/reliability of partners?
  - Is enterprise compliant?
  - Effective enterprise internal controls?

Stakeholders' Needs

Governance Objective: Value Creation, made up of
- Benefits Realisation
- Risk Optimisation
- Resource Optimisation

Meeting Stakeholders' Needs

Stakeholder Drivers (PESTLE) influence Stakeholder Needs, which are expressed as the Governance Requirements: Benefits Realisation, Risk Optimisation and Resource Optimisation. These then flow down the Goals Cascade:
- Stakeholder Needs cascade to Enterprise Goals
- Enterprise Goals cascade to IT-related Goals
- IT-related Goals cascade to Enabler Goals (Processes +++)

Covering the Enterprise End-to-End
- COBIT 5 covers governance & management of IT (GEIT)
- Integrates GEIT into Enterprise Governance
  - Seamless integration since aligned with latest views
- Not focused ONLY on the IT function
  - Covers all functions and processes within the enterprise
  - IT is like all other assets in an enterprise

Single Integrated Framework

COBIT 5 sits alongside and aligns with, among others: COSO, COSO ERM, Kotter, ISO 31000, OECD CG, UK CCCG, ISO 9001, King III, BS 25999, MSP, ITIL 2011, ISO 38500, TOGAF, CEAF, FEA, PRINCE2, PMBOK, ISO 27000, ISO 20000 and CMMI-DEV.

Enabling a Holistic Approach - 1

The Enablers:
- Principles, Policies and Frameworks
- Processes
- Organisational Structures
- Culture, Ethics and Behaviour
- Information (Resource)
- Service Infrastructure & Applications (Resource)
- People, Skills & Competencies (Resource)

Enabling a Holistic Approach - 2
- Enablers must be interconnected
  - Inputs from other enablers
  - Outputs to benefit other enablers

For example, Processes exchange inputs and outputs with Information, People, Skills and Competencies, and Organisational Structures.

Enabler Performance Management
- Metrics for Achievement of Goals (LAG indicators)
  - Stakeholders' needs addressed?
  - Enabler Goals achieved?
- Metrics for Application of Practice (LEAD indicators)
  - Lifecycle managed?
  - Good practices applied?

Separating Governance from Management

Business Needs feed Governance, which Evaluates, Directs and Monitors (based on ISO 38500 (2008)). Governance directs Management and receives Feedback from it. Management, as structured in COBIT 5, consists of:
- Plan (APO)
- Build (BAI)
- Run (DSS)
- Monitor (MEA)

Domains & Processes

COBIT 5: Processes (37)

Processes for Governance of Enterprise IT:
- Evaluate, Direct and Monitor (EDM): EDM01 to EDM05 (5 processes)

Processes for Management of Enterprise IT:
- Align, Plan and Organise (APO): APO01 to APO13 (13 processes)
- Build, Acquire and Implement (BAI): BAI01 to BAI10 (10 processes)
- Deliver, Service and Support (DSS): DSS01 to DSS06 (6 processes)
- Monitor, Evaluate and Assess (MEA): MEA01 to MEA03 (3 processes)

Evaluate, Direct and Monitor (EDM)
- EDM01 Ensure Governance Framework Setting and Maintenance
- EDM02 Ensure Benefits Delivery
- EDM03 Ensure Risk Optimisation
- EDM04 Ensure Resource Optimisation
- EDM05 Ensure Stakeholder Transparency

Align, Plan and Organise (APO)
- APO01 Manage the IT Management Framework
- APO02 Manage Strategy
- APO03 Manage Enterprise Architecture
- APO04 Manage Innovation
- APO05 Manage Portfolio
- APO06 Manage Budget and Costs
- APO07 Manage Human Resources
- APO08 Manage Relationships
- APO09 Manage Service Agreements
- APO10 Manage Suppliers
- APO11 Manage Quality
- APO12 Manage Risk
- APO13 Manage Security

Build, Acquire and Implement (BAI)
- BAI01 Manage Programmes and Projects
- BAI02 Manage Requirements Definition
- BAI03 Manage Solutions Identification and Build
- BAI04 Manage Availability and Capacity
- BAI05 Manage Organisational Change Enablement
- BAI06 Manage Changes
- BAI07 Manage Change Acceptance and Transitioning
- BAI08 Manage Knowledge
- BAI09 Manage Assets
- BAI10 Manage Configuration

Deliver, Service and Support (DSS)
- DSS01 Manage Operations
- DSS02 Manage Service Requests and Incidents
- DSS03 Manage Problems
- DSS04 Manage Continuity
- DSS05 Manage Security Services
- DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
- MEA01 Monitor, Evaluate and Assess Performance and Conformance
- MEA02 Monitor, Evaluate and Assess the System of Internal Controls
- MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

Processes new to COBIT 5

Adopted from other frameworks and standards:
- EDM01 to EDM05: the 5 Governance processes
- APO03 Manage Enterprise Architecture
- APO04 Manage Innovation
- APO05 Manage Portfolio
- APO06 Manage Budget and Costs
- APO08 Manage Relationships
- APO10 Manage Suppliers
- APO13 Manage Security
- BAI05 Manage Organisational Change Enablement
- BAI08 Manage Knowledge
- BAI09 Manage Assets
- DSS05 Manage Security Services
- DSS06 Manage Business Process Controls

What's in each COBIT 5 process?
- Process Name, Area (Gov. or Mgt.) and Domain
- Process Description (a paragraph)
- Process Purpose Statement (a paragraph)
- Process Goals and Metrics
- RACI chart
  - For each governance/management practice
  - 26 roles used
- Practices, Inputs, Outputs and Activities
- Related guidance
  - Other frameworks and standards

Note: no maturity model.

Governance Practices
E.g. Ensure Benefits Delivery (EDM02)
- EDM02.01 Evaluate value optimisation
- EDM02.02 Direct value optimisation
- EDM02.03 Monitor value optimisation

- Each Governance process has 3 Governance practices
  - Evaluate, Direct and Monitor
- Each Governance practice has between 3 & 8 activities
- Each Governance practice has inputs and outputs

Management Practices
E.g. Manage Service Requests and Incidents (DSS02)
- DSS02.01 Define incident & service request classification schemes
- DSS02.02 Record, classify and prioritise requests and incidents
- DSS02.03 Verify, approve and fulfil service requests
- DSS02.04 Investigate, diagnose and allocate incidents
- DSS02.05 Resolve and recover from incidents
- DSS02.06 Close service requests and incidents
- DSS02.07 Track status and produce reports

- Each Management practice has between 2 & 13 activities
- Each Management practice has inputs and outputs

COBIT 5 Process Capability Model
- Replacement for the Maturity Models of COBIT, Val IT and Risk IT
- Based on the COBIT 4.1 Process Assessment Model (PAM)
  - Which itself is based on ISO/IEC 15504-2: Process Assessment: Performing an assessment

NB: Processes are only 1 of 7 Enablers, so process assessment alone won't assess IT Governance maturity.

How COBIT 5 PCM works 1

Process Capability Levels:
- 0 Incomplete Process (1 attribute): process not implemented or fails to achieve its purpose
- 1 Performed Process (1 attribute): implemented process achieves its purpose
- 2 Managed Process (2 attributes): performed process is managed (planned, monitored, adjusted); its Work Products are established, controlled and maintained
- 3 Established Process (2 attributes): managed process uses a defined process that can achieve its outcomes
- 4 Predictable Process (2 attributes): established process operates within defined limits to meet its outcomes
- 5 Optimising Process (2 attributes): predictable process is continually improved to meet current/projected business goals

How COBIT 5 PCM works 2
1. The lower level must be achieved, else the process can't go to the next level
2. There is a significant distinction between Capability Level 1 and Capability Levels 2 to 5
   - Capability Level 1 requires:
     - the process performance attribute to be largely achieved
     - i.e. the process works and its outcomes are achieved
   - Whereas Capability Levels 2 to 5 add further attributes on top of it
   - So Capability Level 1 is a significant achievement!
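The two PCM slides above describe a rating procedure: a process reaches a level only when that level's attributes are achieved and every lower level is already achieved. The following is an added Python example, not code from the slides or from ISACA; the attribute identifiers and names (PA 1.1 to PA 5.2), the N/P/L/F rating scale and the rule "at least Largely at the target level, Fully at every lower level" are taken from ISO/IEC 15504-2, which the slides reference but do not spell out, and the DSS02 sample ratings are constructed.

```python
# Added example (not ISACA's or the slides' code). Attribute ids/names and the
# N/P/L/F rating scale are taken from ISO/IEC 15504-2, which the PCM is based on;
# the slide itself only gives the attribute counts per level (1, 1, 2, 2, 2, 2).
LEVEL_ATTRIBUTES = {
    1: ["PA 1.1 Process performance"],
    2: ["PA 2.1 Performance management", "PA 2.2 Work product management"],
    3: ["PA 3.1 Process definition", "PA 3.2 Process deployment"],
    4: ["PA 4.1 Process measurement", "PA 4.2 Process control"],
    5: ["PA 5.1 Process innovation", "PA 5.2 Process optimisation"],
}
# N = not achieved, P = partially, L = largely, F = fully achieved.
RANK = {"N": 0, "P": 1, "L": 2, "F": 3}

def capability_level(ratings):
    """Return the capability level (0-5) reached by a process.

    ratings maps attribute name -> rating letter; missing attributes count as N.
    A level is achieved when its own attributes are all at least L and all
    attributes of lower levels are F; levels cannot be skipped, so the first
    level not achieved ends the climb (slide: lower level must be achieved).
    """
    achieved = 0
    for level in range(1, 6):
        own_ok = all(RANK[ratings.get(a, "N")] >= RANK["L"]
                     for a in LEVEL_ATTRIBUTES[level])
        lower_ok = all(RANK[ratings.get(a, "N")] == RANK["F"]
                       for lower in range(1, level)
                       for a in LEVEL_ATTRIBUTES[lower])
        if not (own_ok and lower_ok):
            break
        achieved = level
    return achieved

def gap_report(ratings, target):
    """List (attribute, current, required) for everything blocking ``target``."""
    gaps = []
    for level in range(1, target + 1):
        need = "L" if level == target else "F"
        for a in LEVEL_ATTRIBUTES[level]:
            if RANK[ratings.get(a, "N")] < RANK[need]:
                gaps.append((a, ratings.get(a, "N"), need))
    return gaps

# Constructed sample assessment of DSS02: purpose met, level 2 only partly managed.
SAMPLE_DSS02 = {
    "PA 1.1 Process performance": "F",
    "PA 2.1 Performance management": "L",
    "PA 2.2 Work product management": "P",
}
```

`capability_level(SAMPLE_DSS02)` returns 1 and `gap_report(SAMPLE_DSS02, 2)` names PA 2.2 as the attribute that blocks level 2; the function also shows why Level 1 is the hurdle the slide describes, since nothing above it counts until PA 1.1 is fully achieved.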

Current & future COBIT 5 resources

Guide type   | Title                                  | Publication Date | Pages
Framework    | COBIT 5: A Business Framework          | 10 April 2012    | 94
Enabler      | COBIT 5: Enabling Processes            | 10 April 2012    | 230
Enabler      | COBIT 5: Enabling Information          | In development   |
Professional | COBIT 5 Implementation                 | 10 April 2012    | 78
Professional | COBIT 5 for Information Security       | July 2012        |
Professional | COBIT 5 for Assurance                  | In development   |
Professional | COBIT 5 for Risk                       | In development   |
Professional | COBIT Assessment Programme?            | C4.1 PAM upgrade? |
Professional | COBIT 5 Online                         | In planning      |

Summary

5 key facts about COBIT 5
1. Leads to more value from information and technology
   - Improved risk management
   - Improved business-IT communication
   - Improved delivery of business objectives
   - Improved business competitiveness and lower costs
2. Is a business framework for GEIT
   - Meets needs of business execs. and IT leaders
3. Provides effective decision making
   - Systematic approach that clarifies goals
4. Addresses needs of stakeholders
   - An end-to-end framework integrating 80+ other approaches
5. Based on collective wisdom of 95 global experts.

COBIT integrates
- ITIL (ITSM)
- ISO 20000 (ITSM)
- PRINCE2, PMBOK (ProjMan)
- ISO 27000 (InfoSec)
- TOGAF (Enterprise Architecture)
- Basel III (Banking compliance)
- PCI DSS (Payment card data security standard)
- COSO (Internal and financial controls)
- Sarbanes-Oxley (Financial practice & corporate governance)

COBIT 5: Training Roadmap
- Foundation: 6/2012
- Implementation: 9/2012
- Assessor: 12/2012

All have certificates. IT Process Level.

Is there a COBIT 5 competitor?
- Maybe, but not at the level of COBIT's user-base
- Nearest that includes governance and management is:
  - IT Capability Maturity Framework (IT-CMF) V1.0: 2010
    - From Innovation Value Institute (IVI), a consortium of blue-chips
    - 4 macro-capabilities (= domains), with 33 critical capabilities (= processes) in total:
      - Managing IT like a business (13 critical capabilities)
      - Managing the IT Budget (4)
      - Managing the IT Capability (13)
      - Managing IT for Business Value (3)
    - Based on a maturity assessment approach to improvement
    - Qualifications: 5 tiers up to MSc in IT Management available
    - http://ivi.nuim.ie/itcmf.shtml
    - Uses 80+ frameworks and standards!

Based on IT-CMF (2010)

References
- COBIT 4.1 (2007), COBIT 4.1 Framework, Rolling Meadows, Illinois, USA: ISACA
- COBIT 5 (2012), A Business Framework for the Governance and Management of Enterprise IT, Rolling Meadows, Illinois, USA: ISACA
- ISO 15504-2 (2003), Process assessment: Performing an assessment, Geneva: ISO
- ISO 38500 (2008), Corporate governance of information technology, Geneva: ISO
- IT-CMF (2010), IT Capability Maturity Framework, Maynooth, Irish Republic: Innovation Value Institute
- Risk IT (2009), Risk IT Framework, Rolling Meadows, Illinois, USA: ISACA
- Val IT 2.0 (2008), Val IT V2.0 Framework, Rolling Meadows, Illinois, USA: ISACA

Any Further Questions?

Education and Consultancy for IT Best Practices
www.maatconsulting.com
