This document provides an overview of key concepts from COBIT 2019, an enterprise governance of IT framework. It begins with an introduction to IT management and governance, explaining that IT management involves planning, building, running and monitoring IT activities in alignment with governance. Effective enterprise governance of IT (EGIT) helps realize benefits, optimize risks and resources, and improve business/IT alignment. Frameworks like COBIT provide best practices to assist with understanding, designing and implementing EGIT. COBIT 2019 builds on over 25 years of development and aligns with major standards. It defines six principles for effective governance systems and three principles for governance frameworks. The document concludes with an introduction to COBIT 2019 concepts.
2. Agenda
• Introduction
• IT Management and IT Governance
• The role of frameworks in EGIT
• COBIT 2019 Basics
• COBIT 2019 Principles
• COBIT 2019 Concepts
• COBIT 2019 Core Structure
10. Can we buy Everything?
“There are some things money can't buy /…/”
11. A company can’t buy …
Capabilities
Capabilities need to be established and evolved.
12. Are people resources or capabilities?
Both: we can hire a person, but a person has to be trained and educated.
13. Are resources and capabilities related?
Capabilities coordinate, control and deploy resources.
14. Capabilities and Resources are Assets
• Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
15. B. Orand, Foundations of IT Service Management: The ITIL Foundations Course in a Book, 3rd ed. CreateSpace Independent Publishing Platform, 2011.
16. IT Management and Governance
An introduction to IT Management with COBIT 2019
17. What is IT Management?
• Planning, building, running and monitoring of IT activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
(Figure: governance body, enterprise goals)
18. Business – IT relationship
• Traditionally, business and economy were separated from information technology.
• Governing boards (boards of directors) and senior management could delegate, ignore or avoid I&T-related decisions.
• In most sectors and industries, such attitudes are now ill-advised.
• In the light of digital transformation, information and technology (I&T) have become crucial in the support, sustainability and growth of enterprises.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
(Figure: business and IT joined as an integral part of a modern enterprise)
19. The Role of IT in Business and Economics
• Support (efficiency): provide support for basic enterprise services and stabilize operations.
• Improve (effectiveness): enable business and partnership, consolidate management information and integrate process orientation.
• Innovate (transformation): provide inter-enterprise solutions, assure business growth, flexibility and business intelligence.
20. The impact of IT on Business and Economics
• Stakeholder value creation is often driven by a high degree of digitization in new business models, efficient processes, successful innovation, etc.
• Modern organizations (i.e., digitized enterprises) are increasingly dependent on I&T for survival and growth.
(Figure: IT performance, business/IT alignment, enterprise performance)
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
22. What is IT Governance?
• The responsibility of executives and the board of directors.
• Consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise's strategies and objectives.
(Figure: governance body, CIO, CxO, enterprise goals)
23. Enterprise Governance of Information and Technology - EGIT
• EGIT is an integral part of corporate governance.
• EGIT consists of governance and management activities.
• EGIT is complex and multifaceted.
• There is no silver bullet (i.e., ideal way) to design, implement and maintain effective EGIT within an organization.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
24. Benefits of Effective EGIT
• Benefits realization assures the creation of value for the enterprise through I&T.
• Risk optimization entails addressing the business risk associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise.
• Resource optimization ensures that the appropriate capabilities are in place to execute the strategic plan and that sufficient, appropriate and effective resources are provided.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
Source: Information Systems Audit and Control Association, Ed., COBIT 5: A Business Framework for the Governance and Management of Enterprise IT: An ISACA® Framework. Rolling Meadows, Ill.: ISACA, 2012.
25. The role of EGIT frameworks
An introduction to IT Management with COBIT 2019
29. How to manage and govern IT?
“No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organized in such a way as to be able to get along under a leadership composed of average human beings.” [Peter F. Drucker]
(Figure: Superman versus a trained and educated CxO)
30. Modern management approaches are based on best-practice-based EGIT frameworks.
“IT is complex, IT management doesn’t need to be!”
(Figure: solution for IT management and governance)
31. What is the role of IT frameworks?
(Figure: checklists, best practices)
32. Benefits of IT Management frameworks
• They are time effective.
• They provide structure.
• They follow best practices.
• Knowledge can be shared.
• They are auditable.
35. COBIT – a framework for EGIT
• Over the years, best-practice frameworks have been developed and promoted to assist in the process of understanding, designing and implementing EGIT.
• COBIT 2019 builds on and integrates more than 25 years of development in this field, not only incorporating new insights from science, but also operationalizing these insights as practices.
• From its foundation in the IT audit community, COBIT has developed into a broader and more comprehensive I&T governance and management framework and continues to establish itself as a generally accepted framework for I&T governance.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
37. ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.
38. Facts about COBIT 2019
What IS COBIT
• COBIT is a framework for the GEIT, aimed at the whole enterprise.
• COBIT defines the components to build and sustain a governance system.
• COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.
What IS NOT COBIT
• COBIT is not a full description of the whole IT environment of an enterprise.
• COBIT is not a framework to organize business processes.
• COBIT is not an IT/technical framework to manage all technology.
• COBIT does not make or prescribe any IT-related decisions.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
39. COBIT Audience – Internal stakeholders
• Boards: Provides insights on how to get value from the use of I&T and explains relevant board responsibilities.
• Executive Management: Provides guidance on how to organize and monitor performance of I&T across the enterprise.
• Business Managers: Helps to understand how to obtain the I&T solutions enterprises require and how best to exploit new technology for new strategic opportunities.
• IT Managers: Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy to business priorities, etc.
• Assurance Providers: Helps to manage dependency on external service providers, get assurance over IT, and ensure the existence of an effective and efficient system of internal controls.
• Risk Management: Helps to ensure the identification and management of all IT-related risk.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
40. COBIT Audience – External stakeholders
• Regulators: Helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance.
• Business Partners: Helps to ensure that a business partner’s operations are secure, reliable and compliant with applicable rules and regulations.
• IT Vendors: Helps to ensure that an IT vendor’s operations are secure, reliable and compliant with applicable rules and regulations.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
41. Sample COBIT adoptions in Europe
• The benefits of COBIT implementation have been achieved by public sector and governmental agencies across Europe. The table below lists where COBIT is used within the regulatory bodies throughout Europe.
• Greece: The COBIT framework was recognized and standards based on COBIT were adopted by the banking industry.
• Lithuania: COBIT is being used by the National Audit Office of the Lithuanian Republic for auditing the IT activities in the government sector. COBIT was translated into Lithuanian, as only material in the state language can be used in state-approved methodologies. COBIT is used as the official material for governmental organizations and for private audit and consulting companies, especially if they have business relations with government institutions.
• Poland: COBIT is recognized by the Inspector General of Poland.
• Romania: COBIT has been adopted for internal use within the public sector and government agencies.
Source: https://www.itgovernance.eu/sv-se/cobit-adoption-in-europe-se
43. “A principle is a fundamental truth or proposition that serves as the foundation for a system of belief or behavior or for a chain of reasoning.” [lexico.com]
44. Overview of COBIT 2019 Principles
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
46. Provide Stakeholder Value
• Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T.
• Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realize this value.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
47. Holistic Approach
• A governance system for enterprise I&T is built from several components that can be of different types and that work together in a holistic way.
Source: https://www.businessbeam.com/blog/cobit-2019/
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
48. Dynamic Governance System
• A governance system should be dynamic.
• This means that each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered.
• A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.
The dynamic principle is evident from the COBIT 2019 logo.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
49. Governance Distinct from Management
• A governance system should clearly distinguish between governance and management activities and structures.
Source: White, Barbara. (2008). IT Governance, IT Service Management and the Organizing Role of the Information Technology Infrastructure Library (ITIL). Issues in Information Systems, 9.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
50. Tailored to Enterprise Needs
• A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customize and prioritize the governance system components.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
51. End-to-End Governance System
• A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless of where the processing is located in the enterprise.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
(Figure: enterprise end-to-end governance)
53. Based on Conceptual Model
• A governance framework should be based on a conceptual model, identifying the key components and relationships among components, to maximize consistency and allow automation.
(Figure: COBIT 2019 conceptual model, obtained by reverse engineering)
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
54. Open and Flexible
• A governance framework should be open and flexible. It should allow the addition of new content and the ability to address new issues in the most flexible way, while maintaining integrity and consistency.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
55. Aligned to Major Standards
• A governance framework should align to relevant major related standards, frameworks and regulations.
Source: https://grcmusings.com/a-beginners-guide-to-information-security-frameworks/
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
56. Referenced standards in COBIT 2019
• International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) standards
  • ISO/IEC 20000-1:2011(E)
  • ISO/IEC 27001:2013/Cor.2:2015(E)
  • ISO/IEC 27002:2013/Cor.2:2015(E)
  • ISO/IEC 27004:2016(E)
  • ISO/IEC 27005:2011(E)
  • ISO/IEC 38500:2015(E)
  • ISO/IEC 38502:2017(E)
• Information Technology Infrastructure Library (ITIL®) v3, 2011
• Institute of Internal Auditors® (IIA®), “Core Principles for the Professional Practice of Internal Auditing”
• King IV Report on Corporate Governance™, 2016
• CIS® Center for Internet Security®, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.1, August 2016
• CMMI® Cybermaturity Platform, 2018
• CMMI® Data Management Maturity (DMM)SM model, 2014
• Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) Framework, June 2017
• European Committee for Standardization (CEN), e-Competence Framework (e-CF) - A common European Framework for ICT Professionals in all industry sectors - Part 1: Framework, EN 16234-1:2016
• HITRUST® Common Security Framework, version 9, September 2017
• Information Security Forum (ISF), The Standard of Good Practice for Information Security 2016
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
57. Referenced standards in COBIT 2019
• US National Institute of Standards and Technology (NIST) standards
  • Framework for Improving Critical Infrastructure Cybersecurity V1.1, April 2018
  • Special Publication 800-37, Revision 2 (Draft), May 2018
  • Special Publication 800-53, Revision 5 (Draft), August 2017
• A Guide to the Project Management Body of Knowledge: PMBOK® Guide Sixth Edition, 2017
• PROSCI® 3-Phase Change Management Process
• Scaled Agile Framework for Lean Enterprises (SAFe®)
• Skills Framework for the Information Age (SFIA®) V6, 2015
• The Open Group IT4IT® Reference Architecture, version 2.0
• The Open Group Standard TOGAF® version 9.2, 2018
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
59. “/…/ concepts are entities that exist in the mind (mental objects)” [Wikipedia]
(Figure: tangible entities versus mental entities)
60. COBIT 2019 – Products family / Publications
• COBIT® 2019 Framework: Introduction and Methodology
  • Presentation of basic COBIT concepts.
• COBIT® 2019 Framework: Governance and Management Objectives
  • 40 basic management and governance goals and associated processes.
• COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution
  • Design factors, including the process of designing a customized management system for a specific organization.
• COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution
  • IT management system implementation guidelines, based on COBIT 5.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
61. Comparing COBIT 2019 with COBIT5
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
62. ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.
63. Management and Governance Objectives
• If we want IT to contribute to the goals of the company, it is necessary to meet several goals of their management and leadership.
• A management or governance objective always refers to:
  • one process (with an identical or similar name);
  • several related components that help achieve the objective.
• There are 40 management and governance objectives of EGIT.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
64. Governance and Management Domains
• Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain.
• Management objectives are grouped into four domains:
  • Align, Plan and Organize (APO) addresses the overall organization, strategy and supporting activities for I&T.
  • Build, Acquire and Implement (BAI) treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.
  • Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T services, including security.
  • Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
66. 7 Components of the Governance System
• Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T.
• Components interact with each other, resulting in a holistic governance system for I&T.
• Components can be of different types. The most familiar are processes.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
67. 1. Processes
• Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs that support achievement of overall IT-related goals.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
(Figure: management objective, process objective)
68. 2. Organizational structures
• Organizational structures are the key decision-making entities in an enterprise.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
69. 3. Principles, policies and frameworks
• Principles, policies and frameworks translate desired behavior into practical guidance for day-to-day management.
• E.g., “governance knowledge use policy”
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
70. 4. Information
• Information is pervasive throughout any organization and includes all information produced and used by the enterprise.
• COBIT focuses on the information required for the effective functioning of the governance system of the enterprise.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
71. 5. Culture, ethics and behavior
• Culture, ethics and behavior of individuals and of the enterprise are often underestimated as factors in the success of governance and management activities.
• Examples:
  • “Embed a knowledge-sharing culture in the enterprise.”
  • “Proactively communicate the value of knowledge to encourage knowledge creation, use, reuse and sharing.”
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
72. 6. People, skills and competencies
• People, skills and competencies are required for good decisions, execution of corrective action and successful completion of all activities.
Source: https://www.wikijob.co.uk/content/interview-advice/competencies/key-competencies
73. 7. Services, infrastructure and applications
• Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with the governance system for I&T processing.
Source: https://talks.navixy.com/reviews/infrastructure-as-a-service-and-telematics/
74. Focus Areas
• A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
• Examples of focus areas include:
  • small and medium enterprises,
  • cybersecurity,
  • digital transformation,
  • cloud computing,
  • privacy,
  • DevOps.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
75. 11 Design factors
Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.
1. The strategy of the company.
2. Company goals that support the company strategy.
3. The IT risk profile to which the company is exposed.
4. I&T risks or matters that have already materialized.
5. The landscape of threats in which the company operates.
6. Compliance requirements to be met by the company.
7. The role of IT in the company.
8. Company acquisition model (outsource, cloud, insource, hybrid, …).
9. IT implementation method (agile, DevOps, traditional, hybrid).
10. Technology adoption strategy.
11. Company size.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
76. Goals cascade
• Stakeholder drivers and needs
• 13 enterprise goals
• 13 alignment goals (business – IT alignment)
• 40 governance and management objectives
• Objectives
• BSC dimensions: financial, customer, internal, growth
• Examples of metrics
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
77. Mapping Table: Enterprise Goals—Alignment Goals
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
78. Mapping Table: Alignment Goals—Governance and Management Objectives
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
79. … Mapping Table: Alignment Goals—Governance and Management Objectives
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
80. COBIT 2019 Core Structure
An introduction to IT Management with COBIT 2019
81. COBIT 2019 Core Structure
The core structure specifies how COBIT 2019 concepts are interrelated and presented.
82. COBIT 2019 – Metamodel
• The metamodel specifies the main concepts of COBIT 2019 and their interrelationships.
• The metamodel is specified in Unified Modeling Language (UML) class diagram notation.
J. Rumbaugh, I. Jacobson, and G. Booch, The Unified Modeling Language Reference Manual, 2nd ed. Pearson Higher Education, 2004.
85. Organization of objectives
• 40 governance and management objectives
  • Evaluate, Direct and Monitor (EDM)
  • Align, Plan and Organize (APO)
  • Build, Acquire and Implement (BAI)
  • Deliver, Service and Support (DSS)
  • Monitor, Evaluate and Assess (MEA)
• Information about a specific objective
  • Generic information
  • Domain
  • Focus area
  • Name of objective
  • Description
  • Purpose
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
86. High-level information detailed for each objective
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
87. Goals Cascade
• Each governance or management objective supports the achievement of alignment goals that are related to larger enterprise goals.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
88. Alignment goals
• AG01: I&T compliance and support for business compliance with external laws and regulations
• AG02: Managed I&T-related risk
• AG03: Realized benefits from I&T-enabled investments and services portfolio
• AG04: Quality of technology-related financial information
• AG05: Delivery of I&T services in line with business requirements
• AG06: Agility to turn business requirements into operational solutions
• AG07: Security of information, processing infrastructure and applications, and privacy
• AG08: Enabling and supporting business processes by integrating applications and technology
• AG09: Delivering programs on time, on budget and meeting requirements and quality standards
• AG10: Quality of I&T management information
• AG11: I&T compliance with internal policies
• AG12: Competent and motivated staff with mutual understanding of technology and business
• AG13: Knowledge, expertise and initiatives for business innovation
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
90. Component: A. Process
• Each governance and management objective includes several process practices.
• Each process practice has one or more activities.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
91. Component: A. Process
• A capability level is assigned to all process activities, enabling clear definition of processes at different capability levels.
• A process reaches a certain capability level as soon as all activities of that level are performed successfully.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
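The capability rule above can be applied mechanically to an assessment record. The following is an added example, not code from the slides or from ISACA: it models each activity with its assigned level and whether it was performed, derives the process capability level under the rule that every activity of a level must be performed, and lists the activities that block a target level. It assumes levels are cumulative (level 3 requires level 2 to be complete) and uses DSS01 practice ids from the page with constructed, illustrative level numbers.

```python
"""Process capability assessment (added example, not ISACA's tooling).

Rule from the slide: a process reaches a capability level as soon as all
activities of that level are performed successfully.  Assumption of this
example: levels are cumulative, so a level only counts if every lower
level that has activities is complete as well.
"""
from dataclasses import dataclass, field


@dataclass
class Activity:
    practice: str      # practice id, e.g. "DSS01.03"
    text: str          # short description of the activity
    level: int         # capability level the activity is assigned to
    performed: bool = False  # outcome of the assessment for this activity


@dataclass
class ProcessAssessment:
    objective: str
    activities: list[Activity] = field(default_factory=list)

    def levels(self) -> list[int]:
        """Distinct capability levels that have at least one activity."""
        return sorted({a.level for a in self.activities})

    def level_complete(self, level: int) -> bool:
        """True when every activity assigned to `level` was performed."""
        at_level = [a for a in self.activities if a.level == level]
        return bool(at_level) and all(a.performed for a in at_level)

    def capability_level(self) -> int:
        """Highest level reached, walking upward and stopping at the first
        incomplete level (cumulative reading of the slide's rule)."""
        reached = 0
        for lvl in self.levels():
            if not self.level_complete(lvl):
                break
            reached = lvl
        return reached

    def gaps(self, target: int) -> list[Activity]:
        """Unperformed activities at or below `target` that block it."""
        return [a for a in self.activities
                if a.level <= target and not a.performed]

    def summary(self) -> dict[int, tuple[int, int]]:
        """Per level: (activities performed, activities assigned)."""
        out: dict[int, tuple[int, int]] = {}
        for lvl in self.levels():
            at_level = [a for a in self.activities if a.level == lvl]
            out[lvl] = (sum(a.performed for a in at_level), len(at_level))
        return out


def sample_dss01() -> ProcessAssessment:
    """Constructed assessment record for DSS01 Managed Operations.
    The level numbers are illustrative assumptions, not the levels
    published in the COBIT 2019 guide."""
    return ProcessAssessment("DSS01 Managed Operations", [
        Activity("DSS01.01", "Perform operational procedures reliably", 2, True),
        Activity("DSS01.02", "Manage outsourced I&T services", 2, True),
        Activity("DSS01.03", "Keep operations logs that reconstruct time sequences", 3, True),
        Activity("DSS01.04", "Monitor and control the environment", 3, False),
        Activity("DSS01.05", "Manage facilities in line with regulations", 4, True),
    ])


if __name__ == "__main__":
    p = sample_dss01()
    print(p.objective, "-> capability level", p.capability_level())
    for lvl, (done, total) in p.summary().items():
        print(f"  level {lvl}: {done}/{total} activities performed")
    for a in p.gaps(3):
        print("  blocking level 3:", a.practice, a.text)
```

Note that level 4 being fully performed does not raise the result: the first incomplete level caps the process, which is what an assessor should report rather than the highest level with any activity done.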
92. Component: B. Organizational Structures
• RACI matrix
  • Responsible (R): Who is getting the task done? Who drives the task?
  • Accountable (A): Who accounts for the success and achievement of the task?
  • Consulted (C): Who is providing input?
  • Informed (I): Who is receiving information?
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
93. Component: C. Information Flows and Items
• Each practice includes inputs and outputs, with indications of origin and destination.
• In general, each output is sent to one or a limited number of destinations, typically another COBIT process practice.
• That output then becomes an input to its destination.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
94. Component: C. Information Flows and Items
• A number of outputs have many destinations.
• A complete list of such outputs is included in figure 3.8.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
95. Component: D. People, Skills and Competencies
• The people, skills and competencies governance component identifies human resources and skills required to achieve the governance or management objective.
• COBIT® 2019 based this guidance on the Skills Framework for the Information Age (SFIA®) V6 (version 6).
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
96. Component: E. Policies and Procedures
• This component provides detailed guidance on policies and procedures that are relevant for the governance or management objective.
• The names of relevant policies and procedures are included, with a description of the purpose and content of each policy.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
97. Component: F. Culture, Ethics and Behavior
• The governance component on culture, ethics and behavior provides detailed guidance on desired cultural elements within the organization that support the achievement of a governance or management objective.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
98. Component: G. Services, Infrastructure and Applications
• The services, infrastructure and applications governance component provides detailed guidance on third-party services, types of infrastructure and categories of applications that can be applied to support the achievement of a governance or management objective.
• Guidance is generic (to avoid naming specific vendors or products).
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
103. What is Enterprise Architecture
• Enterprise architecture (EA) is concerned with the structures and behaviors of a business, especially business roles and processes that create and use business data.
• The term architecture refers to fundamental concepts or properties of a system in its environment, embodied in its elements, relationships, and in the principles of its design and evolution.
Source: https://www.modeliosoft.com/en/technologies/enterprise-architecture.html
104. APO03 — Managed Enterprise Architecture
• Establish a common architecture consisting of business process, information, data, application and technology architecture layers.
• Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy.
• Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components.
• Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components.
105. APO03 – Key Management Practices
• APO03.01 Develop the enterprise architecture vision: a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains.
• APO03.02 Define reference architecture: describes the current and target architectures for the business, information, data, application and technology domains.
• APO03.03 Select opportunities and solutions: rationalize the gaps between baseline and target architectures, accounting for both business and technical perspectives, and logically group them into project work packages.
• APO03.04 Define architecture implementation: create a viable implementation and migration plan in alignment with the program and project portfolios.
• APO03.05 Provide enterprise architecture services: including guidance to and monitoring of implementation projects.
Source: https://www.opengroup.org/togaf
107. Knowledge management
• Knowledge management (KM) is the process of creating, sharing, using and managing the knowledge and information of an organization.
• It refers to a multidisciplinary approach to achieve organizational objectives by making the best use of knowledge.
Source: https://www.theifactory.com/news/gaining-wisdom-from-data/
108. BAI08—Managed Knowledge
• Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise I&T.
• Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.
109. BAI08 - Key Management Practices
• BAI08.01 Identify and classify sources of information for governance and management of I&T.
  • Identify, validate and classify diverse sources of internal and external information required to enable governance and management of I&T, including strategy documents, incident reports and configuration information that progresses from development to operations before going live.
• BAI08.02 Organize and contextualize information into knowledge.
  • Organize information into knowledge based on classification criteria. Identify owners, and leverage and implement enterprise-defined levels of access to management information and knowledge resources.
• BAI08.03 Use and share knowledge.
  • Propagate available knowledge resources to relevant stakeholders and communicate how these resources can be used to address different needs (e.g., problem solving, learning, strategic planning and decision making).
• BAI08.04 Evaluate and update or retire information.
  • Measure the use and evaluate the currency and relevance of information. Update information or retire obsolete information.
111. Operations Management
• Operations management (OPM) is an area of management concerned with designing and controlling the process of production and redesigning business operations in the production of goods or services.
• Operations management is mainly concerned with managing the physical and technical function of an organization, particularly those relating to production and manufacturing.
• OPM is generally concerned with controlling an existing process without necessarily changing it.
• Business process management (BPM) is a form of operations management that analyzes, models, executes, and monitors improvements.
112. DSS01—Managed Operations
• Coordinate and execute the
activities and operational
procedures required to deliver
internal and outsourced I&T
services.
• Include the execution of
predefined standard operating
procedures and the required
monitoring activities.
113. DSS01 – Key Management Practices
• DSS01.01 Perform operational procedures.
• Maintain and perform operational procedures and operational tasks reliably and consistently.
• DSS01.02 Manage outsourced I&T services.
• Manage the operation of outsourced I&T services to maintain the protection of enterprise
information and reliability of service delivery.
• DSS01.03 Monitor I&T infrastructure.
• Store sufficient chronological information in operations logs to reconstruct and review time
sequences of operations and other activities surrounding or supporting operations.
• DSS01.04 Manage the environment.
• Install specialized equipment and devices to monitor and control the environment.
• DSS01.05 Manage facilities.
• Manage facilities, including power and communications equipment, in line with laws and
regulations, technical and business requirements, vendor specifications, and health and
safety guidelines.
115. Performance and Conformance Management
• Performance management (PM) is the process
of ensuring that a set of activities and outputs
meets an organization's goals in an effective
and efficient manner.
• Performance management can focus on the
performance of an organization, a
department, an employee, or the processes in
place to manage particular tasks.
• Performance aims at improving profitability,
efficiency, effectiveness, growth, etc.
• Conformance aims at adhering to legislation,
internal policies, audit requirements, etc.
Source: http://www.maternatorre.it/?p=85742
116. MEA01—Managed Performance and
Conformance Monitoring
• Managed Performance and Conformance
Monitoring aims to collect, validate and evaluate
enterprise and alignment goals and metrics.
• It monitors that processes and practices are
performing against agreed performance and
conformance goals and metrics.
• It provides reporting that is systematic and
timely.
• The purpose is to provide transparency of
performance and conformance and drive
achievement of goals.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
117. MEA01 – Key Management Practices
• MEA01.01 Establish a monitoring approach.
• Establish and maintain a monitoring approach to define the objectives, scope and method for
measuring business solution and service delivery and contribution to enterprise objectives.
• MEA01.02 Set performance and conformance targets.
• Periodically review, update and approve performance and conformance targets within the
performance measurement system.
• MEA01.03 Collect and process performance and conformance data.
• Collect and process timely and accurate data aligned with enterprise approaches.
• MEA01.04 Analyze and report performance.
• Periodically review and report performance against targets.
• MEA01.05 Ensure the implementation of corrective actions.
• Assist stakeholders in identifying, initiating and tracking corrective actions to address
anomalies.
119. Resource Optimization
• Resource optimization is a set of
processes and methods to match the
available resources (human,
machinery, financial) with the needs
of the organization in order to achieve
established goals.
Source: https://doc-archives.microstrategy.com/
120. EDM04—Ensured Resource Optimization
• Ensure that adequate and sufficient
business and I&T-related resources
(people, process and technology) are
available to support enterprise objectives
effectively and at optimal cost.
• The purpose is to ensure that the
resource needs of the enterprise are met
in the optimal manner, I&T costs are
optimized, and there is an increased
likelihood of benefit realization and
readiness for future change.
121. EDM04 - Key Governance Practices
• EDM04.01 Evaluate resource management.
• Continually examine and evaluate the current and future need for business and I&T resources
(financial and human), options for resourcing (including sourcing strategies), and allocation
and management principles to meet the needs of the enterprise in the optimal manner.
• EDM04.02 Direct resource management.
• Ensure the adoption of resource management principles to enable optimal use of business
and I&T resources throughout their full economic life cycle.
• EDM04.03 Monitor resource management.
• Monitor the key goals and metrics of the resource management processes. Determine how
deviations or problems will be identified, tracked and reported for remediation.
122. Independent work
• Review COBIT 2019 Governance and Management objectives.
• Get familiar with the objective (i.e., process area) that is most
familiar to you.
• Independently of COBIT 2019, study and gain insight into the
selected process area:
• Identify the main concepts and try to understand them.
• Identify potential software that supports the process area.
• Identify potential reference standards and best practices that
may be applied to the process area.
• Apply relevant COBIT 2019 Governance and Management
objectives to the process area.
Figure: three steps
1. Get familiar with the process area, relevant concepts, software, standards, best practices, etc.
2.
3. Apply COBIT
124. Literature and sources
• K. Brand, IT Governance based on Cobit 4.1 - A Management Guide, 3rd ed. Van Haren Publishing, 2007.
• G. Hardy, "Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges", Information Security Technical Report, vol. 11, no. 1, pp. 55–61, 2006, doi: 10.1016/j.istr.2005.12.004.
• Information Systems Audit and Control Association (ISACA), COBIT 2019 Framework: Introduction and Methodology. ISACA, 2018.
• D. Steuperaert, "COBIT 2019: A significant update", EDPACS, vol. 59, no. 1, pp. 14–18, 2019.
• S. De Haes, W. Van Grembergen, A. Joshi, T. Huygh, "COBIT as a Framework for Enterprise Governance of IT", in Enterprise Governance of Information Technology, Springer, Cham, 2020, pp. 125–162.
• V. Svatá, "COBIT 2019: Should We Care?", in 2019 9th International Conference on Advanced Computer Information Technologies (ACIT), IEEE, 2019, pp. 329–332.
• A. Fernandes, R. Almeida, M. Mira da Silva, "A Flexible Method for COBIT 2019 Process Selection".
• M. Yasin, A. A. Arman, I. J. Edward, W. Shalannanda, "Designing Information Security Governance Recommendations and Roadmap Using COBIT 2019 Framework and ISO 27001:2013 (Case Study Ditreskrimsus Polda XYZ)", in 2020 14th International Conference on Telecommunication Systems, Services, and Applications (TSSA), IEEE, 2020, pp. 1–5.
• A. Gerl, M. von der Heyde, R. Groß, R. Seck, L. Watkowski, "Applying COBIT 2019 to IT Governance in Higher Education", INFORMATIK 2020, 2021.
• ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. ISACA, 2018, ISBN 1604207612.
• E. Nachrowi, Y. Nurhadryani, H. Sukoco, "Evaluation of Governance and Management of Information Technology Services Using Cobit 2019 and ITIL 4", Jurnal RESTI (Rekayasa Sistem Dan Teknologi Informasi), vol. 4, no. 4, pp. 764–774, 2020.
125. Thank you for your attention!
gregor.polancic@um.si
www.polancic.com