ISACA is an international professional association focused on IT governance, assurance, risk, privacy, and security. It has over 121,000 members globally, including over 55,000 in North America. ISACA offers four certifications (CISA, CISM, CRISC, CGEIT) and publishes various knowledge resources to help members stay up to date. It generates revenue through membership fees, certification exams, educational programs, and publications. ISACA has a global governance structure composed of boards, committees, and volunteers that directs its strategy, operations, and knowledge development activities.
2. ISACA at a glance: Membership
• 121 K as of 30 Nov 2014 (+4%)
– NA 55 K, Europe 32 K, Asia 25 K, LA 5 K, Oceania 4 K
– Europe 32 K
• UK 4.9 K
• Germany 2.4 K
• South Africa 2.3 K
• Nigeria 1.9 K
• Netherlands 1.7 K
• Spain 1.6 K
• Switzerland 1.4 K
• Italy 1.3 K
• Kenya 1.3 K
• Belgium 0.9 K
– France 0.9 K (not in the European top 10)
– More members in Quebec, with a population 10X smaller
– Very strong growth potential
– Professional, Student (1.8 K), Academic (0.8 K), Retired Membership (0.3 K)
Patrick Stachtchenko AFAI: 15 January 2015
3. ISACA at a glance: Certification
Candidates / Total
• CISA 19 K / 107 K
• CISM 5 K / 24 K
• CRISC 2 K / 17 K
• CGEIT 1 K / 6 K
• Since 2013, certificates offered: COBIT 5, Cybersecurity
• CISA offered in 11 languages
• 333 CISAs in France!
• Strong growth potential
4. ISACA at a glance: Education
• Conferences/Workshops in 5 regions
– CACS in each region
– EUROCACS 2014 Madrid
• 3-day conference (5 tracks)
• + 8 workshops (1 or 2 days)
– Others: "COBIT 5" (2 days), "Governance, Risk and Control" (3 days), ...
• Online training
– Webinars (1 h): > 35 webinars in 2014
• E.g.: Data Protection and Privacy: How what you don't know can hurt you
– Virtual Conferences (1 day)
• Evolving Security for a Maturing Cloud
• Training Courses
– Training Weeks
– On-site training
– eLearning Campus
5. ISACA at a glance: Knowledge 2014
• White papers
– Issues that have just begun to impact, or will soon impact, enterprise operations
• Research projects
• Knowledge Center
– Over 100 topics
– Discussions, Documents and Publications, Events and Online Learning, Journal Articles, User Contributed External Links, Wikis, Blog Posts
• Academia
– Model Curricula
– Teaching Material (for Academia advocates)
• eLibrary
– All ISACA publications
– 525 external books
• Career Center
6. ISACA at a glance: Knowledge 2014
• Deliver, Service and Support Audit/Assurance Programs 1-6 (25 p / process)
• A Global Look at IT Audit Best Practices (45 p)
• IT Control Objectives for Sarbanes Oxley using COBIT 5, 3rd Edition (142 p)
• Build, Acquire and Implement Audit/Assurance Programs 1-10 (25 p / process)
• Risk Scenarios Using COBIT 5 for Risk (294 p)
• Align, Plan and Organize Audit/Assurance Programs 1-13 (25 p / process)
• European Cybersecurity Implementation Series
– Overview (26 pages)
– Assurance (24 pages)
– Resilience (25 pages)
– Risk Guidance (24 pages)
– Audit/Assurance Program (47 pages)
7. ISACA at a glance: Knowledge 2014
• Cybersecurity: What the Board of Directors Needs to Ask? (20 p)
• Implementing the NIST Cybersecurity Framework (108 p)
• COBIT 5 Principles: Where did they come from? (12 p)
• Advanced Persistent Threat Awareness Study Results (20 p)
• ITAF 3rd Edition (148 p)
• Controls and Assurance in the Cloud : Using COBIT 5 (266 p)
• Relating the COSO Internal Control Integrated Framework and COBIT (22 p)
• Vendor Management Using COBIT 5 (178 p)
• Evaluate, Direct and Monitor Programs 1-5 (25 p / process)
• Generating Value from Big Data Analytics (12 p)
8. ISACA at a glance: Knowledge 2013
• Security as a Service (18 p)
• COBIT 5 : Enabling Information (90 p)
• Advanced Persistent Threats: How to manage the Risk to Your Business? (132 p)
• COBIT 5 for Risk (244 p)
• Configuration Management Using COBIT 5 (88 p)
• Privacy and Big Data (12 p)
• Transforming Cybersecurity (190 p)
• COBIT 5 for Assurance (318 p)
9. ISACA at a glance: Knowledge 2013
• Responding to Targeted Cyberattacks (88 p)
• Cloud Governance : Questions Boards of Directors Need to Ask? (9 p)
• Big Data : Impacts and Benefits (14 p)
• Software Assurance Audit/Assurance Program (35 p)
• Identity Management Audit/Assurance Program (40 p)
• COBIT Assessment Programme Using COBIT 5 (144 p)
• Outsourced IT Environments Audit/Assurance Program (39 p)
• Personally Identifiable Information Audit/Assurance Program (34 p)
10. ISACA at a glance: Knowledge 2015
• DevOps Series 1st Q
• Getting Started With Governance 1st Q
• Industrial Control Systems (ICS) 2nd Q
• Internal Controls 1st Q
• Operational Risk Management/Basel Using COBIT 5 ?
• PCI DSS (Payment Card Industry Data Security Standard) 1st Q
• Security, Audit and Control Features SAP ERP, 4th Edition 1st Q
• + Work of the committees and task forces (Emerging Business and Technology Committee, Privacy Task Force, Audit/Assurance Programs based on COBIT 5, etc.)
All knowledge is developed in accordance with the COBIT 5 principles
11. ISACA at a glance: Knowledge project organisation
• Board of Directors
• Strategy Advisory Council
• Knowledge Board
• Framework Committee
• Guidance and Practices Committee
• Emerging Business and Technology Committee
• Task Force
• Development Team
• Expert Reviewers
12. ISACA at a glance: Knowledge project organisation
Board of Directors
President Robert E Stroud, CGEIT, CRISC USA
VP Steven Babb, CGEIT, CRISC, ITIL United Kingdom
VP Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD Australia
VP Rob Clyde, CISM USA
VP Ramsés Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt Spain
VP Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA USA
VP R Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, COBIT 5 Foundation Accredited Trainer India
Director Debbie Lew, CISA, CRISC USA
Director Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, FHKITJC Hong Kong
Director Alexander Zapata Lenis, CISA, CGEIT, CRISC, COBIT Certified Assessor, COBIT 5 Implementation, PMP, ISO 22301 Lead Implementer, ITIL, ISO 27001 Foundations Mexico
PP Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA Australia
PP Greg Grocholski, CISA USA
13. ISACA at a glance: Knowledge project organisation
Governance Advisory Council
Chair Marios Damianides, CISA, CISM USA
Member Lynn Lawton, CISA, CRISC Russian Federation
Member Michael Cangemi USA
Member Gregory T. Grocholski, CISA USA
Member Jeff Spivey, CRISC USA
Member Robert E Stroud, CGEIT, CRISC USA
Member Tony Hayes, CGEIT Australia
Member Howard Nicholson, CISA, CGEIT, CRISC Australia
14. ISACA at a glance: Knowledge project organisation
Knowledge Board
Chair Steven Babb, CGEIT, CRISC United Kingdom
Member Sushil Chatterji, CGEIT Singapore
Member Rosemary Amato, CISA Netherlands
Member Neil Barlow, CISA, CISM, CRISC United Kingdom
Member Jamie Pasfield, CGEIT United Kingdom
Member Ivan Lopez, CISA, CISM Germany
Member Charlie Blanchard, CISA, CISM, CRISC USA
Member Phil Lageschulte, CGEIT USA
Member Anthony Noble, CISA USA
15. ISACA at a glance: Knowledge project organisation
Framework Committee
Chair Sushil Chatterji, CGEIT Singapore
Member Andre Pitkowski, CGEIT, CRISC Brasil
Member Sylvia Tosar, CGEIT Uruguay
Member Jimmy Heschl, CISA, CISM, CGEIT Austria
Member David Cau France (Lux)
Member Tichaona Zororo, CISA, CISM, CGEIT, CRISC South Africa
Member Joanne De Vito De Palma USA
Member Katherine McIntosh, CISA USA
Member Paras Shah, CISA, CGEIT, CRISC Australia
16. ISACA at a glance: Knowledge project organisation
Practices and Guidance Committee
Chair Phil James Lageschulte, CGEIT USA
Member Siang Jun Julia Yeo, CISA, CRISC Singapore
Member Aureo Monteiro Tavares da Silva, CISM, CGEIT Brasil
Member M. Yves Marcel Le Roux, CISM France
Member James Seaman, CISM, CRISC United Kingdom
Member Nikolaos Zacharopoulos, CISA Germany
Member John Erick Jasinski, CISA, CGEIT USA
Member Jotham Nyamari, CISA USA
Member Gurvinder P. Singh, CISA, CISM, CRISC Australia
17. ISACA at a glance: Knowledge project organisation
Emerging Business and Technology Committee
Chair Jamie Pasfield, CGEIT United Kingdom
Member William Gee, CISA, CRISC China
Member Victor Chapela, CRISC Mexico
Member Bhavesh Bhagat, CISM, CGEIT USA
Member Daniel Blum USA
Member Norman Marks USA
Member Usha Devarajah Australia
18. ISACA at a glance: Knowledge project organisation
Cybersecurity Task Force
Chair Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP USA
Member Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM Mexico
Member Sanjay Bahl, CISM, CIPP India
Member Neil Patrick Barlow, CISA, CISM, CRISC, CISSP UK
Member Brent Conran, CISA, CISM, CISSP USA
Member Derek Grocke Australia
Member Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP Spain
Member Marc Sachs USA
19. ISACA at a glance: Knowledge project organisation
Development Team
Lead Rolf M. von Roessing, CISA, CISM, CGEIT, CISSP, FBCI Switzerland
Member Vilius Benetis, Ph.D., CISA, CRISC Lithuania
Member Christos K. Dimitriadis Ph.D., CISA, CISM, CRISC Greece
Member Ivo Ivanovs, CISA, CISM, MCSE Latvia
Member Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP Spain
Member Charlie McMurdie UK
Member Andreas Teuscher, CISA, CGEIT, CRISC Germany
20. ISACA at a glance: Knowledge project organisation
Expert Reviewers
Expert Jesper Hansen, CISM, CRISC, CISSP, ESL Denmark
Expert Martins Kalkis, CISM Latvia
Expert Aare Reintam, CISA Estonia
Expert Andrea Rigoni UK
Expert Marc Vael Ph.D., CISA, CISM, CGEIT, CRISC, CISSP Belgium
21. ISACA at a glance: Journal
• Journal: 2014 and 2015 (60 pages per issue and 6 issues per year)
– Data Privacy
– The IS Audit Transformation
– Big Data
– Governance and Management of IT
– Mobile Devices
– Cybersecurity
– Analytics and Risk Intelligence
• In 2015, articles available every two weeks.
22. ISACA at a glance: Financial strength
• Revenues
– $47.0 M in 2013
– $43.5 M in 2012
• Certification 40%
• Membership 29%
• Education 16%
• Publications 9%
• Other 6%
• Results
– $6.9 M in 2013
– $7.7 M in 2012
• Reserves
– $72.0 M in 2013
– $65.1 M in 2012
23. ISACA at a glance
COBIT 5: 2014 Global Study on Governance
24. ISACA 2022 Strategy
"By 2022, ISACA should become the foremost global organization on the topic of trust in and value from information and information systems, providing constituents with distinctive knowledge and services. ISACA must also provide an expanded set of offerings to help constituents and others enhance the governance and management of information and information systems assets in order to enhance trust in and capture optimal value from IS investments."
27. ISACA: Governance structures
Governance
• ISACA Board of Directors and IT Governance Institute Board of Trustees
– Governance Advisory Council
– Strategic Advisory Council
– Finance Committee
– Leadership Development Committee
– Audit Committee
• Board and Committee Volunteers by Geographic Area:
– Area 1: Asia
– Area 2: Central and South America
– Area 3: Europe and Africa
– Area 4: North America
– Area 5: Oceania
28. ISACA: Governance structures
Credentialing: Certification and Career Management Board
• CGEIT Certification Committee
– CGEIT Test Enhancement Subcommittee
• CISA Certification Committee
– CISA Test Enhancement Subcommittee
• CISM Certification Committee
– CISM Test Enhancement Subcommittee
• CRISC Certification Committee
– CRISC Test Enhancement Subcommittee
• Professional Standards and Career Management Committee
– Academic Program Subcommittee
Knowledge: Knowledge Board
• Knowledge Management and Education Committee
– Conference Program Development Subcommittee
– Publications Subcommittee
• Emerging Business and Technology Committee
• Framework Committee
• Guidance & Practices Committee
Relations: Relations Board
• Chapter Support Committee
• Communities Committee
• Young Professionals Subcommittee
• Enterprise Advocacy Committee
• Membership Growth & Retention Committee
• Student and Academic Subcommittee
• Professional Advocacy Committee
• ISO Liaison Subcommittee
• GRA Committee
• GRA Regional Subcommittee Area 1
• GRA Regional Subcommittee Area 2
• GRA Regional Subcommittee Area 3
• GRA Regional Subcommittee Area 4
• GRA Regional Subcommittee Area 5
+ Task Forces
29. ISACA: Governance structures
316 people on the committees (excluding task forces, experts, etc.)
NA: 121, EU: 75, AS: 47, LA: 40, OC: 33
• USA 104
• Australia 28
• UK 20
• Canada 17
• India 12
• Singapore 9
• Mexico 9
• Germany 7
• Japan 7
• Argentina 7
• Brazil 7
• China 5
• South Africa 5
• Kenya 5
• 3 countries: 4 people each
• 5 countries: 3 people each
• 11 countries: 2 people each
• France: 1 or 2 people
31. Illustration: Global view approach
– COBIT 5 Framework
• A Business Framework for the Governance and Management of Enterprise IT (94 p)
– COBIT 5 Enabler Guides
• Processes (37 IT processes) (230 p), Information (Business and IT) (90 p), …
– COBIT 5 Professional Guides
• Implementation (78 p) + Toolkit (17 files), Risk (244 p) and Risk Scenarios (294 p), Assurance (318 p), Security (220 p), ...
– Practices and Guidance using COBIT 5
• Configuration Management (88 p), Vendor Management (178 p), ...
• COBIT Assessment Program : Model (144 p), Self Assessment (24 p), User Guide
– White Papers / Vision Series / Studies / Surveys
• Social Media, Business Benefits and Security, Governance and Assurance Perspectives (10 p)
• Cloud Computing, Business Benefits with Security, Governance and Assurance Perspectives (10 p)
• Big Data Impacts and Benefits (14 p), Top Business / Technology Issues Survey Results (34 p), …
– Professionals Standards and Guidance
• ITAF, A Professional Practices Framework for IS Audit / Assurance, 3rd Edition (148 p)?
– Audit/Assurance Programs
• EDM/APO/DSS/BAI (25p /P), Software Assurance (35 p), Outsourcing IT Environments (39 p), BYOD (39 p), …
– Knowledge Center (Over 100 topics: for each topic discussions, documents and publications, events, journal articles, external links, wikis, blog posts)
• Performance Management, Business Analytics, Casinos and Gambling, Solvency 2, OS/400,…
– COBIT Focus (4 x per year): COBIT case studies, articles, updates, ...
– COBIT 5 Online : Multiphase project. Capabilities for accessing, understanding and applying COBIT 5
32. Illustration: Specific view approach
Information security
– COBIT 5 Professional Guides
• Information Security (220 p)
– Practices and Guidance using COBIT 5
• Securing Mobile Devices (138 p), Transforming Cyber Security (190 p), European Cybersecurity Implementation Series (146 p), ...
– White Papers / Vision Series / Studies / Surveys
• Cybersecurity : What the Board of Directors Needs to Ask? (20 p)
• Security as a Service: Business Benefits with Security, Governance and Assurance Perspectives (18 p)
• Business Continuity Management, Emerging Trends (15 p)
• Web Application Security, Business and Risk Considerations (16 p)
• Security Considerations for Cloud Computing (80 p)
• Advanced Persistent Threat Awareness Study Results (20 p), …
– Audit / Assurance programs
• VPN Security (33 p), Biometrics (47 p), Voice-over Internet Protocol (VoIP) (42 p), …
– Knowledge Center
• Security Tools, Physical Security, Network Security, …
– COBIT 5 Online
• Specific Security View
33. COBIT 5 Deliverables: A Business Framework for the Governance and Management of Enterprise IT (94 pages)
• Executive Summary
• Overview of COBIT 5
• Principle 1 : Meeting Stakeholders Needs
• Principle 2 : Covering the Enterprise from End-to-end
• Principle 3 : Applying a Single Integrated Framework
• Principle 4 : Enabling a Holistic Approach
• Principle 5 : Separating Governance from Management
• Implementation Guidance
• The COBIT 5 Process Capability Model
• Appendices
34. COBIT 5 Deliverables: A Business Framework for the Governance and Management of Enterprise IT
• Appendix A : References
• Appendix B: Detailed Mapping 17 Enterprise Goals – 17 IT-related Goals
• Appendix C : Detailed Mapping 17 IT‐related Goals – 32 IT-related Processes
• Appendix D : 22 Stakeholder Needs and 17 Enterprise Goals
• Appendix E: Mapping of COBIT 5 with most relevant related standards and frameworks (ISO/IEC 38500, ITIL V3 2011 - ISO/IEC 20000, ISO/IEC 27000 Series, ISO/IEC 3100 Series, TOGAF, CMMI, PRINCE2)
• Appendix F: Comparison between COBIT 5 Information Reference Model and the COBIT 4.1 information criteria
• Appendix G : Detailed description of COBIT 5 Enablers
• Appendix H : Glossary
• Appendix G: Detailed description of COBIT 5 Enablers
• Introduction
• COBIT 5 Enabler : Principles, Policies and Frameworks
• COBIT 5 Enabler : Processes
• COBIT 5 Enabler : Organisational Structures
• COBIT 5 Enabler : Culture, Ethics and Behaviour
• COBIT 5 Enabler : Information
• COBIT 5 Enabler : Services, Infrastructures and Applications
• COBIT 5 Enabler : People, Skills and Competencies
35. COBIT 5 Deliverables: Enabling Processes (230 pages)
• Introduction
• The Goals Cascade and Metrics for Enterprise Goals and IT-related Goals
– COBIT 5 Goals Cascade : Stakeholders Drivers, Stakeholders Needs, Enterprise Goals, IT Goals, Enabler Goals
– Using the COBIT 5 Goals Cascade
– Metrics : Enterprise, IT
• The COBIT 5 Process Model
– Enabler Performance Management
• The COBIT 5 Process Reference Model
– Governance and Management Processes (5 governance processes and 32 management processes)
– Reference Model
• COBIT 5 Process Reference Guide Contents
– Generic Guidance for Processes :
• EDM : Evaluate, Direct and Monitor
• APO : Align, Plan and Organize
• BAI : Build, Acquire and Implement
• DSS : Deliver, Service and Support
• MEA : Monitor, Evaluate and Assess
• Appendix A: Mapping between COBIT 5 and legacy ISACA Frameworks (COBIT 4.1, Val IT 2.0, Risk IT Management Practices)
• Appendix B : Detailed Mapping 17 Enterprise Goals and 17 IT-related Goals
• Appendix C : Detailed Mapping 17 IT-related Goals and 37 IT‐related Processes
• 129 IT Process Goals
• 266 IT Process Goal Metrics
• 207 IT Practices
• 26 business and IT roles in IT Practices
• 1108 IT Activities
17 Enterprise Goals, 17 IT-related Goals, 59 IT-related Goals metrics
36. COBIT 5 Deliverables: Enabling Processes
• Process identification : Label, Name, Area, Domain
• Process description
• Process purpose statement
• IT goals and metrics supported
• 17 IT Goals, 59 IT-related Goals Metrics
• Process goals and metrics
• Governance : 15 IT Process Goals and 37 IT Process Goal metrics
• Management : 114 IT Process Goals and 229 IT Process Goal metrics
• RACI chart
• 26 Business and IT Roles concerned with the 207 IT Practices
• Detailed description of the process practices
• Description, inputs and outputs with origin/destination, activities
• Governance : 12 IT Governance Practices and 79 IT Governance Activities
• Management : 195 IT Management Practices and 1029 IT Management Activities
• Related guidance
37. COBIT 5 Deliverables: Enabling Information (90 pages)
• Introduction: Benefits, Target Audience, Prerequisite Knowledge, Overview and Scope
• COBIT 5 Principles applied to Information
– COBIT 5 Principles
• Goals Cascade for the Enterprise (Function Goals)
• Examples of Information Items that support the Enterprise Value Chain Goals (Governance, Management and Operations Items for 8 Functional areas: Human Resources (22 items), Procurement (20 items), ...)
• Examples of Information Items supporting IT-related Goals (Quality Criteria, Related Metrics) (69 items)
• The COBIT 5 Information Model
– COBIT 5 Information Model Overview
• Information Stakeholders: Examples for Customer Data (8), IT Strategy (8), Supply Chain Software Specification Document (6), Hospital Patient Records (9) (Description, Stakes)
• Information Goals : Examples for each of the 15 information quality criteria
• Lifecycle : Examples for Supplier Information, Retention Requirements, IT Change Management Data
• Good Practices : Examples for the 11 information attributes
– Additional Examples of COBIT 5 Information Model Use
• 5 sample use cases : Building IS Specifications, Definition of Information Protection Requirements, etc..
• Comprehensive Information Item Description: Illustration for Risk Profile (Lifecycle and stakeholders, Goals, Good Practices, Link to other enablers)
• Addressing Information Governance and Management Issues Using COBIT 5
– Information Governance and Management Issues Reviewed in this Chapter (9 issues)
• For each Issue: Issue Description and Business Context, Affected Information, Affected Goals, Enablers to Address the Issue
• Appendix A : Reference to other Guidance (DAMA-DMBOK Framework, ISO 15489-1:2001)
• Appendix B : Example Information Items Supporting Functional Area Goals (8 areas, 179 items)
• Appendix C: Example Information Items Supporting IT-related Goals (1 area, 69 items)
38. COBIT 5 Deliverables: Information Security (220 pages)
• Executive Summary: Introduction, Drivers, Benefits, Target Audience, Conventions
• Information Security
• Information Security Defined
• COBIT 5 Principles
• Using COBIT 5 Enablers for Implementing Information Security in Practice
• Introduction
• Enabler : Principles, Policies and Frameworks
• Enabler : Processes
• Enabler : Organizational Structures
• Enabler : Culture, Ethics and Behaviour
• Enabler : Information
• Enabler : Services, Infrastructure and Applications
• Enabler : People, Skills and Competencies
• Adapting COBIT 5 for Information Security to the Enterprise Environment
• Introduction
• Implementing Information Security Initiatives
• Using COBIT 5 to connect to other frameworks, models, good practices and standards
• Appendix A to G : Detailed Guidance for each of the 7 categories of enablers
• Appendix H : Detailed Mappings
• Acronyms, Glossary
39. COBIT 5 Deliverables: Information Security
• Appendix A Detailed Guidance : Principles, Policies and Frameworks
• 3 high level security principles with 12 elements : Objective and description
• 13 types of policies : scope, validity, goals (5 driven by security function, 8 driven by other functions)
• Appendix B Detailed Guidance Processes (see next page)
• Appendix C Detailed Guidance : Organizational Structures
• 5 types of security-related organizational structures: Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
• Appendix D Detailed Guidance : Culture, Ethics and Behaviour
• 8 types of security-related expected behaviours
• Appendix E Detailed Guidance : Information
• 34 types of security-related information stakeholders
• 10 types of security related information : goals, life cycle, good practice
• Appendix F Detailed Guidance : Services, Infrastructure and Applications
• 10 types of security services: 27 security-related service capabilities (supporting technology, benefit, quality goal, metric)
• Appendix G Detailed Guidance : People, Skills and Competencies
• 7 types of security skill and competency sets: description, experience, education, qualifications, knowledge, technical skills, behavioural skills, related role structure
• Appendix H Detailed Mappings (ISO/IEC 27001, ISO/IEC 27002, ISF, NIST)
40. COBIT 5 Deliverables: Information Security
Processes Enabler
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Security-specific Process Goals and Metrics
• Governance : 8 Security Process Goals and 17 Security Process Goals related Metrics
• Management : 71 Security Process Goals and 137 Security Process Goals related Metrics
• Security-specific Process Practices, Inputs/Outputs and Activities
• Description of governance/management practice, security-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, security-specific activities in addition to COBIT 5 activities
• Governance : 12 Security Governance Practices and 31 Security Governance Activities
• Management : 176 Security Management Practices and 347 Security Management Activities
• Related Guidance
41. COBIT 5 Deliverables: Risk (244 pages)
• Executive Summary: Introduction, Terminology, Drivers, Benefits, Target Audience, Overview and Guidance on use of Publication, Prerequisite Knowledge
• Risk and Risk Management
• The Governance Objective : Value Creation
• Risk : Risk Categories, Risk Duality, Interrelationship between Inherent, Current and Residual Risk
• Scope of Publication (Two Perspectives on Risk : Risk Function and Risk Management Perspectives)
• Applying the COBIT 5 Principles to Managing Risks
• The Risk Function Perspective
• Introduction to Enablers
• The 7 Enablers
• The Risk Management Perspective and using COBIT 5 Enablers
• Core Risk Processes
• Risk Scenarios
• Generic Risk Scenarios
• Risk Aggregation
• Risk Response
• How this Publication Aligns with Other Standards
• ISO 31000, ISO/IEC 27005:2011, COSO ERM
• Appendix A : Glossary
• Appendix B : Detailed Risk Governance and Management Enablers
• Appendix C : Core Risk Management Processes
• Appendix D : Using COBIT 5 Enablers to Mitigate IT Risk Scenarios (20 scenarios)
• Appendix E : Comparison of Risk IT with COBIT 5
• Appendix F : Comprehensive Risk Scenario Template
42. COBIT 5 Deliverables: Risk
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
• 7 high level risk principles : Principle and Explanation
• 18 types of risk policies: Scope, Validity, Management Commitment and Accountability, Risk Governance, Risk Management Framework
• Appendix B. Detailed Guidance Processes (see next page)
• 12 key risk function supporting processes
• 2 key risk management supporting processes
• Appendix C. Detailed Guidance : Organizational Structures
• 5 key risk-related organizational structures: Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
• 17 other relevant structures for Risk : Description, Role in risk process
• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
• 8 types of general behavior, 8 types of risk professional behavior, 7 types of management behavior
• Appendix E. Detailed Guidance : Information
• 13 types of risk-related information items: stakeholders, stakes, goals, life cycle, good practices, links to other enablers
• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
• 6 types of risk services (description, goal, benefit, good practice, stakeholders, metric)
• 3 types of risk infrastructure (description), 5 types of risk applications (description)
• Appendix G. Detailed Guidance : People, Skills and Competencies
• 11 types of risk skill and competency sets (description) and 2 risk roles (description, experience, education, qualifications, knowledge, technical skills, behavioral skills, related role structure)
43. COBIT 5 Deliverables: Risk
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Risk-specific Process Goals and Metrics
• Risk Function
• Governance : 5 Risk Process Goals and 12 Risk Process Goals related Metrics
• Management : 14 Risk Process Goals and 24 Risk Process Goals related Metrics
• Risk-specific Process Practices, Inputs/Outputs and Activities
• Description of governance/management practice, risk-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, risk-specific activities in addition to COBIT 5 activities
• Risk Function
• Governance : 9 Risk Governance Practices and 28 Risk Governance Activities
• Management : 50 Risk Management Practices and 80 Risk Management Activities
• Risk Management
• Governance : 2 Risk Governance Practices and 12 Risk Governance Activities (69 actions)
• Management : 6 Risk Management Practices and 26 Risk Management Activities (103 actions)
44. COBIT 5 Deliverables: Assurance (318 pages)
• Executive Summary: Introduction and Objectives, Drivers, Benefits, Target Audience, Document Overview and Guidance on its use, Prerequisite Knowledge
• Assurance
• Assurance defined: 3-party relationship, subject matter, suitable criteria, execution, conclusion
• Scope of Publication: Two Perspectives, Assurance Function and Assessment
• Principles of providing Assurance (Engagement types)
• Assurance Function Perspective: Using COBIT 5 Enablers for Governing and Managing an Assurance Function
• Introduction to Enablers
• The 7 Enablers
• Assessment Perspective : Providing Assurance Over a Subject Matter
• Core Assurance Processes
• Introduction and Overview of the Assessment Approach
• Determine the scope of the Assurance Initiative (Phase A)
• 3 aspects to be taken into account (stakeholders, goals, 7 enablers), 14 steps, an example
• Understand the Enablers, Set Suitable Assessment Criteria and Perform the Assessment (Phase B)
• Achievement of goals (2 steps), 7 enablers (37 steps)
• Generic Approach for Communicating on an Assurance Initiative (Phase C)
• 2 aspects (document and communicate) and 5 steps
• How this publication relates to other Standards
• ITAF, 2nd Edition, International Professional Practices Framework (IPPF) for Internal Auditing Standards 2013, Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
• Appendix A : Glossary
• Appendix B : Detailed Enablers For Assurance Governance and Management
• Appendix C : Core Assurance Processes
• Appendix D: Example Audit / Assurance Programmes (3 examples: Change Management, Risk Management, BYOD)
45. COBIT 5 Deliverables: Assurance
• Appendix A. Detailed Guidance : Principles, Policies and Frameworks
• 4 areas : Covered by ITAF, 2nd Edition (18 sections of ITAF)
• Appendix B. Detailed Guidance Processes (see next page)
• 11 key processes supporting assurance provisioning
• 3 key core assurance processes
• Appendix C. Detailed Guidance : Organizational Structures
• 4 key assurance-related organizational structures: Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
• 12 other relevant structures for Assurance : Description, Stake in Assurance provisioning
• Appendix D. Detailed Guidance : Culture, Ethics and Behavior
• 5 types of enterprise wide behavior, 8 types of assurance professional behavior, 10 types of
management behavior : Behavior, Key Objective/Suitable criteria/outcome,
Communication/Enforcement actions, Incentives and rewards actions, Raising awareness actions
• Appendix E. Detailed Guidance : Information
• 18 types of information items supporting assurance : stakeholders, stakes, goals, life cycle, good
practices, links to other enablers
• 5 types of additional information items input : description
• Appendix F. Detailed Guidance : Services, Infrastructure and Applications
• 8 types of assurance services (description, goal, benefit, good practice, stakeholders)
• 8 types of assurance supporting applications (description, goal, benefit, good practice, stakeholders)
• Appendix G. Detailed Guidance : People, Skills and Competencies
• 16 types of assurance set of skills and competencies : description, experience, education,
qualifications, knowledge, technical skills, behavioral skills 45
Patrick Stachtchenko AFAI : 15 janvier 2015
46. COBIT 5 Deliverables : Assurance
• Process Identification : Label, Name, Area, Domain
• Process Description
• Process Purpose Statement
• Assurance-specific Process Goals and Metrics
– Processes Supporting Assurance Provisioning
  • Governance : 8 Assurance Process Goals and 11 Assurance Process Goals related Metrics
  • Management : 11 Assurance Process Goals and 19 Assurance Process Goals related Metrics
– Core Assurance Processes
  • Management : 11 Assurance Process Goals and 17 Assurance Process Goals related Metrics
• Assurance-specific Process Practices, Inputs/Outputs and Activities
– Description of governance/management practice, assurance-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, assurance-specific activities in addition to COBIT 5 activities
– Processes Supporting Assurance Provisioning
  • Governance : 9 Assurance Governance Practices and 28 Assurance Governance Activities
  • Management : 50 Assurance Management Practices and 80 Assurance Management Activities
– Core Assurance Processes
  • Management : 17 Core Assurance Practices and 88 Core Assurance Activities (124 actions)
47. COBIT 5 Deliverables : Implementation (78 pages)
• Introduction
• Positioning GEIT
• Taking the first steps towards GEIT
• Identifying implementation challenges and success factors
• Enabling change
• Implementation life cycle tasks, roles and responsibilities
• Using the COBIT 5 components
• Appendix A : Mapping Pain Points to COBIT 5 Processes
• Appendix B : Example Decision Matrix
• Appendix C : Mapping Example Risk Scenarios to COBIT 5 Processes
• Appendix D : Example Business Case
• Appendix E : COBIT 4.1 Maturity Attribute Table
48. COBIT 5 Deliverables : Securing Mobile Devices (138 pages)
• Introduction : What is a mobile device? Mobile Device Use – Past, Present, Future
• Mobile Device Impact on Business and Society : Mobility and Flexibility, Patterns of Work, Organizational Perimeter, Other Impacts
• Threats, Vulnerabilities and Associated Risks : Physical, Organizational, Technical
• Security Governance : Business Case, Standardized Enterprise Solutions, BYOD, Combined Scenario, Private Use of Mobile Devices, Defining the Business Case
• Security Management for Mobile Devices : Categories and Classification, Existing Security Controls, 7 Enablers
• Hardening Mobile Devices : Device and SIM card, Permanent Storage, Removable Storage and Devices, Connectivity, Remote Functionality
• Mobile Device Security Assurance : Auditing and Reviewing Mobile Devices, Investigation and Forensics for Mobile Devices
• Guiding Principles for Mobile Device Security : 8 principles
• Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security
• Appendix B. Hardening Mobile Devices
• Appendix C. Sample Audit Steps in Forensics and Investigation
49. COBIT 5 Online
Copyright ISACA
ISACA has begun a project to create a replacement for COBIT Online, which will support COBIT 5.
The new online service will include features such as :
• Access to publications in the COBIT 5 product family
• Access to other, non-COBIT, ISACA content and current, relevant GEIT material
• Ability to customize COBIT to fit the needs of your enterprise, with access for multiple users
• Access to tools : Goals planner, RACI Planner,…
These capabilities will be made available in a phased schedule, providing greater functionality through the course of the year-long rollout.