Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

COBIT 5 IT Governance Model: an Introduction

This lecture provides quick and direct insight about Information technologies governance using COBIT 5 framework. COBIT 5 in its fifth edition released by information systems audit and control association ( in 2012 to supersede the version 4.1 / 2007. It also included ISACA’s VAL-IT model that aimed to manage the financial perspective of IT as well as RISK-IT framework.
The lecture was part of ISACA- Riyadh chapter activities in April 2015 under the sponsorship of Al-Fisal University.

  • Login to see the comments

COBIT 5 IT Governance Model: an Introduction

  1. 1. IT Governance Using COBIT 5: An Introduction BY: AQEL M. AQEL A C C R E D I T E D T R A I N E R B Y A P M G 1 TUESDAY 28-APRIL-2015 E-mail:
  2. 2. 2 P. O. BOX 40496 – 11499 Riyadh - Saudi Arabia +966-502-104-007 Aqel Mohammed Aqel, CISA, MBA, CSSGB, COBIT5 Information Technology & Management Consultant Information Systems Audit & Control Association – Riyadh Chapter CISA Coordinator and Research Director • Certified information System Auditor • Master of Business Administration- UK • Certified as Lean Six Sigma Green Built • Certified COBIT-5 Trainer (Foundation) • Member of Association for Strategic Planning
  3. 3. Topics for tonight session  Overview: COBIT, the past and present  The Five Principles  COBIT Processes  Enablers  Process Assessment Model (PAM)  Implementation Overview  Closure 3
  4. 4. Why Develop COBIT 5?  ISACA want “Tie together and reinforce all ISACA knowledge assets with COBIT.”  Provide a renewed and authoritative governance and management framework for enterprise information and related technology  Integrate all other major ISACA frameworks and guidance  Align with other major frameworks and standards 4
  5. 5. Governance of Enterprise IT COBIT 5 IT Governance COBIT4.0/4.1 Management COBIT3 Control COBIT2 Audit COBIT1 2005/720001998 Evolution 1996 2012 Val IT 2.0 (2008) Risk IT (2009) BMIS (2010) The Evolution of COBIT 5 5
  6. 6. Drivers for the development of a Framework  Provide guidance in: ◦ Enterprise architecture ◦ Asset and service management ◦ Emerging sourcing and organization models ◦ Innovation and emerging technologies  End to end business and IT responsibilities  Controls for user-initiated and user-controlled IT solutions  A need for the enterprise to: ◦ Achieve increased value creation ◦ Obtain business user satisfaction ◦ Achieve compliance with relevant laws, regulations and policies 6
  7. 7. COBIT 5 Product Family 7 S O U R C E : C O B I T 5 , I S A C A
  8. 8. COBIT and Other IT Governance Frameworks COBIT ISO 9000 ISO 27002 ITIL COSO WHAT HOW SCOPE OF COVERAGE 8
  9. 9. COBIT 5 Mapping Specifics ..1  ISO/IEC 38500 o ISO’s 6 principles map to COBIT 5 o ITIL v3 The following 5 areas and domains are covered by ITIL v3: o A subset of process in the DSS domain o A sunset of processes in the BAI domain o Some process in the APO domain  ISO/IEC 27000 o Security and IT-related processes in domains EDM, APO and DSS o Some monitoring of security monitoring activities in MEA  ISO/IEC 31000 o Risk management related activities in EDM and APO 9
  10. 10. COBIT 5 Mapping Specifics ..2  TOGAF (The Open Group Architecture Framework) o Resource-related processes in EDM o TOGAF components of the architecture board and governance areas o Enterprise architecture processes of APO  PRINCE2 o Programme and project management processes in the BAI domain o Portfolio related processes in the APO domain  CMMI  ISO 15504 o Some organisational and quality-related processes in the APO domain o Application –building and acquisition related processes in BAI 10
  11. 11. COBIT Principles 11
  12. 12. COBIT 5 Principles  A Principle general truth, that helps people determine the appropriate decision, given the circumstance at hand. They are guidelines that provide an indication of what to do, but not how to do it. For example: ◦ Team members ensure they are in attendance when they feel responsibility for the success of the team  Policies or Procedures define specifically what and how to do something - they define specific actions or behaviors. For example: ◦ Team Members who attend late, on more than three occasions, will receive a formal warning. 12 S O U R C E : C O B I T 5 , I S A C A
  13. 13. Principle 1: Meeting Stakeholder Needs  Enterprises have many stakeholders  Governance is about Negotiating, & Deciding amongst different stakeholders’ value interests Considering all stakeholders when making benefit, resource and risk assessment decisions  For each decision, ask: ◦ For whom are the benefits? ◦ Who bears the risk? ◦ What resources are required? 13
  14. 14. Principle 1: Meeting Stakeholder Needs  Enterprises exist to create value for their stakeholders  Value creation: realizing benefits at an optimal resource cost while optimizing risk. 14 S O U R C E : C O B I T 5 , I S A C A
  15. 15. Principle 1: Meeting Stakeholder Needs 15 S O U R C E : C O B I T 5 , I S A C A
  16. 16. Principle 1 – Cascade steps Figure 5 16
  17. 17. Principle 1 – Cascade Steps 17
  18. 18. Principle 2: Covering the Enterprise End–to–End 18 S O U R C E : C O B I T 5 , I S A C A
  19. 19. Principle 2: Covering the Enterprise End–to–End Main elements of the governance approach:  Governance Enablers comprising ◦ The organizational resources for governance ◦ The enterprise’s resources ◦ A lack of resources or enablers may affect the ability of the enterprise to create value  Governance Scope comprising ◦ The whole enterprise ◦ An entity, a tangible or intangible asset, etc. 19
  20. 20. Principle 2: Covering the Enterprise End–to–End  Governance roles, activities and relationships ◦ Define Who is involved in governance ◦ How they are involved ◦ What they do and ◦ How they interact  COBIT 5 defines the difference between governance and management activities in principle 5 20
  21. 21. Principle 3: Applying a Single Integrated Framework  COBIT 5: ◦ Aligns with the latest relevant standards and frameworks ◦ Is complete in enterprise coverage ◦ Provides a basis to integrate effectively other frameworks, standards and practices used ◦ Integrates all knowledge previously dispersed over different ISACA frameworks ◦ Provides a simple architecture for structuring guidance materials and producing a consistent product set 21
  22. 22. Principle 4: Enabling a Holistic Approach COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. COBIT 5 enablers are:  Factors that, individually and collectively, influence whether something will work  Driven by the goals cascade  Described by the COBIT 5 framework in seven categories 22
  23. 23. Principle 4: Enabling a Holistic Approach 23 S O U R C E : C O B I T 5 , I S A C A
  24. 24. Principle 4: Enabling a Holistic Approach Enablers: 1. Principles, policies and frameworks 2. Processes 3. Organizational structures 4. Culture, ethics and behaviour 5. Information 6. Services, infrastructure and applications 7. People, skills and competencies 24
  25. 25. Principle 4: Enabling a Holistic Approach COBIT 5 enabler dimensions:  All enablers have a set of common dimensions that: ◦ Provide a common, simple and structured way to deal with enablers ◦ Allow an entity to manage its complex interactions ◦ Facilitate successful outcomes of the enablers 25
  26. 26. Principle 5: Separating Governance from Management 26 S O U R C E : C O B I T 5 , I S A C A
  27. 27. Principle 5: Separating Governance from Management  The COBIT 5 framework makes a clear distinction between governance and management  Governance and management ◦ Encompass different types of activities ◦ Require different organizational structures ◦ Serve different purposes  COBIT 5: Enabling Processes differentiates the activities associated with each 27
  28. 28. Principle 5: Separating Governance from Management  Governance ensures that stakeholder needs, conditions and options are: ◦ Evaluated to determine balanced, agreed-on enterprise objectives to be achieved ◦ Setting direction through prioritization and decision making ◦ Monitoring performance, compliance and progress against agreed direction and objectives (EDM)  Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM) 28
  29. 29. COBIT 5 Processes 29
  30. 30. Concept  Based on PLAN-DO-CHECK-ACT  Integrated 5 sets of processes that which covers Governance and management of Enterprise IT: 1. Evaluate, Plan and Monitor 2. Align, Plan and Organize 3. Build, Acquire and Implement 4. Deliver, Service and Support 5. Monitor, Evaluate and Assess 30
  31. 31. COBIT 5 Process Reference Model © 2012 ISACA. All Rights Reserved. 31 S O U R C E : C O B I T 5 , I S A C A
  32. 32. The COBIT 5 Enterprise Enablers 32 S O U R C E : C O B I T 5 , I S A C A
  33. 33. Recap Principle 4: Enabling a Holistic Approach COBIT 5 enabler dimensions: 33
  34. 34. Enabler 1 Principles, Policies & Frameworks…1  The purpose: to convey the governing body’s and management’s direction and instructions.  They are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise. o Differences between principles and policies – o Principles need to be limited in number o Put in simple language, expressing as clearly as possible the core values of the enterprise o Policies are more detailed guidance on how to put principles into practice 34
  35. 35. Enabler 1 Principles, Policies & Frameworks…2  The characteristics of good policies; they should o Be effective – achieve their purpose o Be efficient – especially when implementing them o Non-intrusive – Should make sense and be logical to those who have to comply with them.  Policies should have a mechanism (framework) in place where they can be effectively managed and users know where to go. Specifically they should be: o Comprehensive, covering all required areas o Open and flexible allowing for easy adaptation and change. o Current and up to date  The purpose of a policy life cycle is that it must support a policy framework in order to achieve defined goals. 35
  36. 36. Enabler 2: Processes  COBIT 5 Enablers: Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model: ◦ The COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals. An example is given in the appendix ◦ The COBIT 5 process model is explained and its components defined. ◦ The Enabler process guide which is referenced in this module contains the detailed process information for all 37 COBIT 5 processes shown in the process reference model. 36
  37. 37. Enabler 2 – Process continued – PRM Structure…2  Each process is divided into : o Process Description o Process Purpose statement o IT-related Goals (from the Goals cascade see example in the Appendix) o Each IT-related goal is associated with a set of generic related metrics o Process Goals (Also from the Goals cascade mechanism and is referred to as Enabler Goals. o Each Process Goal is associated or related with a set of generic metrics. o Each Process contains a set of Management Practices o These are associated with a generic RACI chart (Responsible, Accountable, Consulted, Informed) o Each management practices contains a set of inputs and outputs (called work products in module PC) o Each management Practice is associated with a set of activities 37
  38. 38. Enabler 3 Organisational Structures  A number of Good Practices of organisational structure can be distinguished such as: o Operating principles – The practical arrangements regarding how the structure will operate, such as meeting frequency documentation and other rules o Span of control – The boundaries of the organisation structure’s decision rights. o Level of authority – The decisions that the structure is authorised to take. o Delegation of responsibility – The structure can delegate a subset of its decision rights to other structures reporting to it. o Escalation procedures – The escalation path for a structure describes the required actions in case of problems in making decisions. 38
  39. 39. Enabler 4 Culture, Ethics and Behaviour  Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include: o Communication throughout the enterprise of desired behaviours and corporate values. o Awareness of desired behaviour, strengthened by senior management example. o senior management and the executives ‘walk the talk’ so to speak. o Incentives to encourage and deterrents to enforce desired behaviour. o Rules and norms which provide more guidance and will typically be found in a Code of Ethics 39
  40. 40. Enabler 5 Information  Importance of the Information Quality categories and dimensions; o The concept of information criteria was introduced in COBIT 3rd edition in 2000 and played a key role in COBIT 4.1; these were very important to be able show how to meet business requirements.  Importance of Information Criteria o COBIT 4.1 introduced us to the concept of 7 Key Information criteria to meet Business requirements. This concept has been retained but translated differently in Figure 9 below: Figure 26 Appendix F. 40
  41. 41. Enabler 6 –Services, Infrastructure and Applications  The five architecture principles that govern the implementation and use of IT-Related resources o Architecture Principles are overall guidelines that govern the implementation and use of IT-related resources within the enterprise. Examples of such principles: o Reuse – Common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures. o Buy vs. build – Solutions should be purchased unless there is an approved rationale for developing them internally. o Simplicity – The enterprise architecture should be designed and maintained to be simple as possible while still meeting enterprise requirements. o Agility – The enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner. o Openness - The enterprise architecture should leverage open industry standards. 41
  42. 42. Enabler 6 –Services, Infrastructure and Applications Cont.  Relationship To other Enablers o Information – is a service capability that is leveraged through processes to deliver internal and external services. o Cultural and behavioural aspects – relevant when a service-oriented culture needs to be built o Process inputs and outputs – Most of the inputs and outputs (work products) of the process management practices and activities in the PRM include service capabilities.  Consider other frameworks such as: o ITIL 3 o TOGAF ( ) which provides an integrated information infrastructure reference model. 42
  43. 43. Enabler 7 – People, Skills and Competencies  Identify the good practices of people, Skills and Competencies, specifically: o Described by different skill levels for different roles. o Defining Skill requirements for each role o Mapping skill categories to COBIT 5 process domains (APO; BAI etc.) o These correspond to the IT-related activities undertaken, e.g. business analysis, information management etc. o Using external sources for good practices such as:  The Skills Framework for the information age (SFIA) 43
  44. 44. Process Assessment 44
  45. 45. What is a Process Assessment  Process assessment: an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach  Purpose: to continually improve the enterprise’s effectiveness and efficiency  It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes.  COBIT 5 switched to ISO 15504 Approach rather than CMMI. Source: ISO/IEC 15504-4 45
  46. 46. Advantages of the ISO 15504 Approach  A robust assessment process based on ISO 15504  An alignment of COBIT’s maturity model scale with the international standard  A new capability-based assessment model which includes: o Specific process requirements derived from COBIT 4.1& COBIT 5 o Ability to achieve process attributes based on ISO 15504 o Evidence requirements  Assessor qualifications and experiential requirements  Results in a more robust, objective and repeatable assessment 46
  47. 47. Key ISO 15504 definitions  ISO 15504 defines the following key terms: ◦ Process purpose – The high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process. ◦ Process outcomes - An observable result of a process (Note: An outcome is an artefact, a significant change of state or the meeting of specified constraints.) ◦ Base practices – The activities that, when consistently performed, contribute to achieving the process purpose ◦ Work product - An artefact associated with the execution of a process – defined in terms of process ‘inputs’ and process ‘outputs’. 47
  48. 48. Differences between the Capability & Process Dimension  ISO 15504 defines two levels: o A Capability Dimension which focuses on the process capability dimension (levels 1 to 5) based on process attribute indicators (PAI) that are solely deals with Generic attributes o A Process dimension that contains additional indicators for process for process performance assessment based on very specific performance indicators. o ** Note that the PRM or process reference model is used only for this dimension at LEVEL 1. Levels 2 to 5 focuses only on the Capability dimension based on generic attributes. The next slide demonstrates this concept. 48
  49. 49. Process capability levels Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose Level 1 Performed process PA.1.1 Process Performance attribute Performed The process is implemented and achieves its process purpose Level 2 Managed Process PA.2.1 Performance Management attribute PA.2.2 Work Product Management attribute Managed The process is managed i.e. (planned, monitored and adjusted) work products are appropriately established, controlled & maintained. Level 4 Predictable Process PA.4.1 Process Measurement attribute PA.4.2 Process Control attribute Predictable The process is enacted consistently within defined limits Level 5 Optimizing process PA.5.1 Process Innovation attribute PA.5.2 Process Optimization attribute Optimizing The process is continuously improved to meet relevant current and projected business goals Level 3 Established Process PA.3.1 Process Definition attribute PA.3.2 Process Deployment attribute Established A defined process is used based on a standard process. 49 49
  50. 50. Assessment Process Activities 50 1 – Initiation 2 – Planning the Assessment 3 – Briefing 4 – Data Collection 5 – Data Validation 6 – Process Rating 7 – Reporting 50
  51. 51. Implementation 51
  52. 52. COBIT 5 Implementation 52 S O U R C E : C O B I T 5 , I S A C A
  53. 53. Thank you 53 For Further Questions, Please Communicate With Aqel: +966-502-104-007 For Arabic lectures about IT Governance - ‫المعلومات‬ ‫تقنية‬ ‫حوكمة‬ ‫حول‬ ‫محاضرات‬ ‫الى‬ ‫استمع‬