Robert Stroud, profile picture
Uploaded byRobert Stroud
PPTX, PDF69,759 views

Vendor management using COBIT 5

The document outlines best practices for vendor management using COBIT 5, emphasizing the strategic importance of building and maintaining effective vendor relationships. It highlights objectives such as value creation, risk minimization, and the enhancement of service delivery through well-defined contracts and Service Level Agreements (SLAs). The guidance provided includes risk management strategies and recommendations for establishing a governance model to improve vendor selection, communication, and performance monitoring.

Embed presentation

Downloaded 405 times
Vendor Management: Using COBIT 5
Introduction
New Guidance from ISACA Areas covered • IT • Process owners and stakeholders • Compliance and laws • Risk management • Audit • Contracts • Service monitoring
Vendors • A vendor is a third party that supplies products or services to an enterprise. • Most enterprises seek external vendor support for assistance with operations for one of the following reasons: – Vendor expertise – Vendor capacity – Vendor assuming risk – Vendor leveraging scale
Vendor Management • Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that: – value creation is maximized and – risk to the enterprise is minimized
Vendor Management Objectives Managing vendors has many benefits, including: • Data loss reduction • Decrease in audit findings • Cost optimization • Increased availability • Liability reduction • Increased end-user satisfaction • Value creation
Vendors to include  Play a critical role in daily operations  Can have critical impact on the success of strategic projects  Require long-term contracts  Have potential significant financial implications  Are difficult to change overnight  Require frequent interaction and/or disputes  Access or manage substantial critical or sensitive data
Important Documents
Contract Lifecycle
Contract Contracts accomplishes the following: • Form a common understanding of what needs to be achieved • Define all deliverables, relevant service levels and metrics • Define responsibilities and obligations • Define the terms and conditions • Specify how risk will be allocated between parties • Define legal counsel and jurisdiction stipulations
SLAs • An SLA is an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported. • The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications: – Financial rewards (for exceeding targets) – Financial penalties (for underperformance)
SLA Common Pitfalls • Focus on the wrong objectives • Simplistic metrics • Inappropriate terminology • Room for interpretation • Labor-intensive reporting requirements
SLA Management Benefits • Better alignment with business objectives • Ability to manage services proactively • Greater transparency of service delivery • Lower service level management overhead • Better relationships between the enterprise and vendor
SLA Diagram
Stakeholder Responsibilities
Risk – 5 Threat Categories • T1 – Selection: Wrong vendor • T2 – Contract: Incomplete | Static • T3 – Requirements: Poorly defined • T4 – Governance: Inadequate vendor management • T5 – Strategy: Vendor lock-in
Mitigation Strategy Threat COBIT 5 Guidance 1. Diversify sourcing strategy to avoid overreliance or vendor lock in T5 APO02 Manage strategy, APO10 Manage suppliers 2. Establish policies and procedures for vendor management T4, T5 APO11 Manage quality – Enablers: Principles, Policies and Frameworks; Information 3. Establish a vendor management governance model T4, T5 APO09 Manage service agreements, APO10 Manage suppliers – Enabler: Organisational Structures 4. Set up a vendor management organization within the enterprise (VMO) T4, T5 APO10 Manage suppliers -- Enablers: Organisational Structures; People, Skills and Competencies 5. Forecast requirements regarding the skills and competencies of the vendor employees T2 APO10 Manage suppliers – Enablers: People, Skills and Competencies 6. Use standard documents and templates T2 – Enabler: Information
Mitigation Strategy Threat COBIT 5 Guidance 7. Formulate clear requirements T3, T5 BAI02 Manage requirements definition, BAI03 Manage solutions identification and build – Enabler: Information 8. Perform adequate vendor selection T1, T5 APO10 Manage suppliers, APO12 Manage risk – Enablers: People, Skills and Competencies 9. Cover all relevant life-cycle events during contract drafting T2 APO11 Manage quality, APO12 Manage risk – Enabler: Information 10. Determine the adequate security and controls needed during the relationship T4, T2 APO11 Manage quality; APO12 Manage risk, MEA01 Monitor, evaluate and assess performance and conformance – Enablers: Service, Infrastructure and Applications; Information
Mitigation Strategy Threat COBIT 5 Guidance 11. Set up SLAs T2 APO09 Manage service agreements – Enabler: Information 12. Set up operating level agreements (OLAs) and underpinning contracts T2 APO09 Manage service agreements – Enabler: Information 13. Set up appropriate vendor performance/service level monitoring and reporting T2, T4 APO09 Manage service agreements, APO10 Manage suppliers, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 14. Establish a penalties and reward model with the vendor T2 APO09 Manage service agreements, APO10 Manage suppliers
Mitigation Strategy Threat COBIT 5 Guidance 15. Conduct adequate vendor relationship management during the life cycle T4 APO08 Manage relationships, APO10 Manage suppliers – Enablers: Ethics, Culture and Behaviour 16. Review contracts and SLAs on a periodic basis T4, T5 APO09 Manage service agreements, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 17. Conduct vendor risk management T4, T5 APO10 Manage suppliers, APO12 Manage risk – Enabler: Organisational Structures
Mitigation Strategy Threat COBIT 5 Guidance 18. Perform an evaluation of compliance with enterprise policies T4 APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance; MEA03 Monitor, evaluate and assess compliance with external requirements – Enablers: Principles, Policies and Frameworks; Information 19. Perform an evaluation of vendor internal controls T4 APO10 Manage suppliers; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Organisational Structures; Information
Mitigation Strategy Threat COBIT 5 Guidance 20. Plan and manage the end of the relationship T2, T4, T5 APO09 Manage service agreements; APO10 Manage suppliers; APO12 Manage risk – Enabler: Services, Infrastructure and Applications; People, Skills and Competencies; Information 21. Use a vendor management system T1, T2, T3, T4 APO08 Manage relationships; APO09 Manage service agreements; APO11 Manage quality; APO12 Manage risk – Enabler: Services, Infrastructure and Applications 22. Create data and hardware disposal stipulations T2, T4 APO12 Manage risk – Enablers: Services, Infrastructure and Applications; Information; Principles, Policies and Frameworks
Q&A

More Related Content

PDF
Creating A Business Focussed Information Technology Strategy
byAlan McSweeney
 
PDF
Request to Fulfill Presentation (IT4IT)
byRob Akershoek
 
PDF
ITIL,COBIT and IT4IT Mapping
byRob Akershoek
 
PDF
Using ITIL 4 and IT4IT together
byRob Akershoek
 
PDF
Cobit, itil and cmmi - a tutorial
byseveman
 
PDF
IT4IT - Manage the Digital Enterprise.pdf
byitSMF Belgium
 
PDF
IT4IT™ - Managing the Business of IT
byReal IRM
 
PDF
Real Time Data Strategy and Architecture
byAlan McSweeney
 
Creating A Business Focussed Information Technology Strategy
byAlan McSweeney
 
Request to Fulfill Presentation (IT4IT)
byRob Akershoek
 
ITIL,COBIT and IT4IT Mapping
byRob Akershoek
 
Using ITIL 4 and IT4IT together
byRob Akershoek
 
Cobit, itil and cmmi - a tutorial
byseveman
 
IT4IT - Manage the Digital Enterprise.pdf
byitSMF Belgium
 
IT4IT™ - Managing the Business of IT
byReal IRM
 
Real Time Data Strategy and Architecture
byAlan McSweeney
 

What's hot

PDF
PMBOK 7th Edition What is Changing?
byAbdelrahman Elsheikh PMOC,PMP,CBAP,RMP,ACP,SP,MCITP,ITIL
 
PPTX
Introduction to COBIT 5 and IT management
byChristian F. Nissen
 
PDF
IT4IT™ Reference Architecture in short.
byArchitecture Center Ltd
 
PDF
IT Governance - COBIT 5 Capability Assessment
byEryk Budi Pratama
 
PPTX
IT4IT Overview (A new standard for IT management)
byCharles Betz
 
PDF
ITIL 4 service value chain data flows (input and outputs)
byRob Akershoek
 
PPTX
Business continuity management per ISO 22301 - a certification training cour...
byMart Rovers
 
PPTX
COBIT 5 IT Governance Model: an Introduction
byaqel aqel
 
PDF
CISA DOMAIN 2 Governance & Management of IT
byShivamSharma909
 
PDF
IT Demand and Delivery Management
byDavid Messineo
 
PDF
GRC - Isaca Training 16.9.2014
byPaul Simidi
 
PDF
It governance & cobit 5
byLaddawan Rattanaruang
 
PDF
IT Strategy
byFlevy.com Best Practices
 
PDF
TOGAF 9.2 - the update
byDanny Greefhorst
 
PDF
IT4IT real life examples & myths and rumors dispelled
byTony Price
 
PDF
PMBOK GUIDE 7th Summary
byAmr Miqdadi
 
PDF
IT Governance
byCarlos Chalico
 
PDF
IT Governance - Governing IT: Do or Die?
byEryk Budi Pratama
 
PDF
The New PMP Exam: Changes and Implications (With Annotation)
byCliffordEgbomeade
 
PDF
Pmbok6 to 7 transformation
byZaur Ahmadov, PMP
 
PMBOK 7th Edition What is Changing?
byAbdelrahman Elsheikh PMOC,PMP,CBAP,RMP,ACP,SP,MCITP,ITIL
 
Introduction to COBIT 5 and IT management
byChristian F. Nissen
 
IT4IT™ Reference Architecture in short.
byArchitecture Center Ltd
 
IT Governance - COBIT 5 Capability Assessment
byEryk Budi Pratama
 
IT4IT Overview (A new standard for IT management)
byCharles Betz
 
ITIL 4 service value chain data flows (input and outputs)
byRob Akershoek
 
Business continuity management per ISO 22301 - a certification training cour...
byMart Rovers
 
COBIT 5 IT Governance Model: an Introduction
byaqel aqel
 
CISA DOMAIN 2 Governance & Management of IT
byShivamSharma909
 
IT Demand and Delivery Management
byDavid Messineo
 
GRC - Isaca Training 16.9.2014
byPaul Simidi
 
It governance & cobit 5
byLaddawan Rattanaruang
 
IT Strategy
byFlevy.com Best Practices
 
TOGAF 9.2 - the update
byDanny Greefhorst
 
IT4IT real life examples & myths and rumors dispelled
byTony Price
 
PMBOK GUIDE 7th Summary
byAmr Miqdadi
 
IT Governance
byCarlos Chalico
 
IT Governance - Governing IT: Do or Die?
byEryk Budi Pratama
 
The New PMP Exam: Changes and Implications (With Annotation)
byCliffordEgbomeade
 
Pmbok6 to 7 transformation
byZaur Ahmadov, PMP
 

Viewers also liked

PPTX
Outsourcing and Vendor management
byRaminder Pal Singh
 
PPT
Vendor Management
bymikecarey491
 
PPTX
Governance and Management of Enterprise IT with COBIT 5 Framework
byGoutama Bachtiar
 
PPT
IT Strategic Vendor Management
byBill Whetstone
 
PPTX
Introduction to Val IT
byVaruna Harshana
 
PPT
Vendor Management - Compliance Checklist Manifesto Series
byContinuity Control
 
PPT
Supply Chain Council
bySergio Grisa
 
PPT
Top 10 Procurement KPI\'s
byamberkar
 
PPT
Vendor management kpi
bybichuklejones
 
PDF
Talend Data Preparation Overview
byJean-Michel Franco
 
PPTX
Agility under Control - SCRUM vs COBIT
byPrzemek Wysota
 
PDF
Negotiation
byIra Tobing
 
PPT
Vendor Management Systems Best Practices
byjeffmonaghan
 
PPTX
Procurement Solutions - Paul Turner
byPaul_M_Turner
 
PDF
Equipo Interno de Implementacion ERP
byCorponet
 
PPTX
BravoConnect 2014: Risk Management
byBravoSolution
 
PPTX
Horizon 2013 Zycus Vision
byZycus
 
PDF
Key Challenges Facing Vendor Risk Management Programs
byColleen Beck-Domanico
 
PDF
Tactica advanced sourcing solution
byChee Wee Loke
 
PPTX
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
bycentralohioissa
 
Outsourcing and Vendor management
byRaminder Pal Singh
 
Vendor Management
bymikecarey491
 
Governance and Management of Enterprise IT with COBIT 5 Framework
byGoutama Bachtiar
 
IT Strategic Vendor Management
byBill Whetstone
 
Introduction to Val IT
byVaruna Harshana
 
Vendor Management - Compliance Checklist Manifesto Series
byContinuity Control
 
Supply Chain Council
bySergio Grisa
 
Top 10 Procurement KPI\'s
byamberkar
 
Vendor management kpi
bybichuklejones
 
Talend Data Preparation Overview
byJean-Michel Franco
 
Agility under Control - SCRUM vs COBIT
byPrzemek Wysota
 
Negotiation
byIra Tobing
 
Vendor Management Systems Best Practices
byjeffmonaghan
 
Procurement Solutions - Paul Turner
byPaul_M_Turner
 
Equipo Interno de Implementacion ERP
byCorponet
 
BravoConnect 2014: Risk Management
byBravoSolution
 
Horizon 2013 Zycus Vision
byZycus
 
Key Challenges Facing Vendor Risk Management Programs
byColleen Beck-Domanico
 
Tactica advanced sourcing solution
byChee Wee Loke
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
bycentralohioissa
 

Similar to Vendor management using COBIT 5

PPSX
How to implement a strategic IT vendor management program
byJeff Kubacki
 
PPTX
type of Vendor management in civil engineering
bydeepikas438869
 
PDF
Best-in-class vendor management office
byWGroup
 
PPT
Danforth Intl Presentation
bykendan4th
 
PDF
COBITlaminate_online_RD3 introduction overview
byssusercf2d3e
 
PDF
TrustArc Webinar - How to Build a Vendor Risk Management Program
byTrustArc
 
PPTX
Cobit5
byISACA-Istanbul
 
PDF
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Megan James...
byContinuity and Resilience
 
DOCX
Vendor Management - An Overview (Project File)
byJyoti Kumari
 
PDF
Professional services Sourcing and Vendor
byRamiro Tolosa
 
PPTX
Vendor_Mgmt_101_IIMC_v2
bySteve Markey
 
PPTX
00025-01-vendor-management-powerpoint-template-16x9-1.pptx
byKeithSpencer21
 
PPT
What the Cloud Vendors Don't Want You to Know
byChris Mullins
 
PDF
Aavenir.com mastering it contracts management tips to optimize it vendor mana...
byAavenir
 
PDF
Vendor Risk Management - Find It Before It Finds You
byChad Kreimendahl
 
PPTX
Managed IT Presentation
byTomsmyth1
 
PDF
NCHICA - Contracts with Healthcare Cloud Computing Vendors
byWhitmeyerTuffin
 
PDF
IT Partner Checklist
byShardul (Sam) B
 
PDF
DATAMARK Outsourcing Relationship Checkup
byDATAMARK
 
PPTX
Ivanti Threat Thursday for January 23
byIvanti
 
How to implement a strategic IT vendor management program
byJeff Kubacki
 
type of Vendor management in civil engineering
bydeepikas438869
 
Best-in-class vendor management office
byWGroup
 
Danforth Intl Presentation
bykendan4th
 
COBITlaminate_online_RD3 introduction overview
byssusercf2d3e
 
TrustArc Webinar - How to Build a Vendor Risk Management Program
byTrustArc
 
Cobit5
byISACA-Istanbul
 
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Megan James...
byContinuity and Resilience
 
Vendor Management - An Overview (Project File)
byJyoti Kumari
 
Professional services Sourcing and Vendor
byRamiro Tolosa
 
Vendor_Mgmt_101_IIMC_v2
bySteve Markey
 
00025-01-vendor-management-powerpoint-template-16x9-1.pptx
byKeithSpencer21
 
What the Cloud Vendors Don't Want You to Know
byChris Mullins
 
Aavenir.com mastering it contracts management tips to optimize it vendor mana...
byAavenir
 
Vendor Risk Management - Find It Before It Finds You
byChad Kreimendahl
 
Managed IT Presentation
byTomsmyth1
 
NCHICA - Contracts with Healthcare Cloud Computing Vendors
byWhitmeyerTuffin
 
IT Partner Checklist
byShardul (Sam) B
 
DATAMARK Outsourcing Relationship Checkup
byDATAMARK
 
Ivanti Threat Thursday for January 23
byIvanti
 

Recently uploaded

DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 

Vendor management using COBIT 5

  • 1.
  • 2.
  • 3.
    New Guidance fromISACA Areas covered • IT • Process owners and stakeholders • Compliance and laws • Risk management • Audit • Contracts • Service monitoring
  • 4.
    Vendors • A vendoris a third party that supplies products or services to an enterprise. • Most enterprises seek external vendor support for assistance with operations for one of the following reasons: – Vendor expertise – Vendor capacity – Vendor assuming risk – Vendor leveraging scale
  • 5.
    Vendor Management • Vendormanagement is a strategic process that is dedicated to the sourcing and management of vendor relationships so that: – value creation is maximized and – risk to the enterprise is minimized
  • 6.
    Vendor Management Objectives Managingvendors has many benefits, including: • Data loss reduction • Decrease in audit findings • Cost optimization • Increased availability • Liability reduction • Increased end-user satisfaction • Value creation
  • 7.
    Vendors to include Play a critical role in daily operations  Can have critical impact on the success of strategic projects  Require long-term contracts  Have potential significant financial implications  Are difficult to change overnight  Require frequent interaction and/or disputes  Access or manage substantial critical or sensitive data
  • 8.
  • 9.
  • 10.
    Contract Contracts accomplishes thefollowing: • Form a common understanding of what needs to be achieved • Define all deliverables, relevant service levels and metrics • Define responsibilities and obligations • Define the terms and conditions • Specify how risk will be allocated between parties • Define legal counsel and jurisdiction stipulations
  • 11.
    SLAs • An SLAis an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported. • The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications: – Financial rewards (for exceeding targets) – Financial penalties (for underperformance)
  • 12.
    SLA Common Pitfalls •Focus on the wrong objectives • Simplistic metrics • Inappropriate terminology • Room for interpretation • Labor-intensive reporting requirements
  • 13.
    SLA Management Benefits •Better alignment with business objectives • Ability to manage services proactively • Greater transparency of service delivery • Lower service level management overhead • Better relationships between the enterprise and vendor
  • 14.
  • 15.
  • 16.
    Risk – 5Threat Categories • T1 – Selection: Wrong vendor • T2 – Contract: Incomplete | Static • T3 – Requirements: Poorly defined • T4 – Governance: Inadequate vendor management • T5 – Strategy: Vendor lock-in
  • 17.
    Mitigation Strategy Threat COBIT5 Guidance 1. Diversify sourcing strategy to avoid overreliance or vendor lock in T5 APO02 Manage strategy, APO10 Manage suppliers 2. Establish policies and procedures for vendor management T4, T5 APO11 Manage quality – Enablers: Principles, Policies and Frameworks; Information 3. Establish a vendor management governance model T4, T5 APO09 Manage service agreements, APO10 Manage suppliers – Enabler: Organisational Structures 4. Set up a vendor management organization within the enterprise (VMO) T4, T5 APO10 Manage suppliers -- Enablers: Organisational Structures; People, Skills and Competencies 5. Forecast requirements regarding the skills and competencies of the vendor employees T2 APO10 Manage suppliers – Enablers: People, Skills and Competencies 6. Use standard documents and templates T2 – Enabler: Information
  • 18.
    Mitigation Strategy Threat COBIT5 Guidance 7. Formulate clear requirements T3, T5 BAI02 Manage requirements definition, BAI03 Manage solutions identification and build – Enabler: Information 8. Perform adequate vendor selection T1, T5 APO10 Manage suppliers, APO12 Manage risk – Enablers: People, Skills and Competencies 9. Cover all relevant life-cycle events during contract drafting T2 APO11 Manage quality, APO12 Manage risk – Enabler: Information 10. Determine the adequate security and controls needed during the relationship T4, T2 APO11 Manage quality; APO12 Manage risk, MEA01 Monitor, evaluate and assess performance and conformance – Enablers: Service, Infrastructure and Applications; Information
  • 19.
    Mitigation Strategy Threat COBIT5 Guidance 11. Set up SLAs T2 APO09 Manage service agreements – Enabler: Information 12. Set up operating level agreements (OLAs) and underpinning contracts T2 APO09 Manage service agreements – Enabler: Information 13. Set up appropriate vendor performance/service level monitoring and reporting T2, T4 APO09 Manage service agreements, APO10 Manage suppliers, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 14. Establish a penalties and reward model with the vendor T2 APO09 Manage service agreements, APO10 Manage suppliers
  • 20.
    Mitigation Strategy Threat COBIT5 Guidance 15. Conduct adequate vendor relationship management during the life cycle T4 APO08 Manage relationships, APO10 Manage suppliers – Enablers: Ethics, Culture and Behaviour 16. Review contracts and SLAs on a periodic basis T4, T5 APO09 Manage service agreements, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 17. Conduct vendor risk management T4, T5 APO10 Manage suppliers, APO12 Manage risk – Enabler: Organisational Structures
  • 21.
    Mitigation Strategy Threat COBIT5 Guidance 18. Perform an evaluation of compliance with enterprise policies T4 APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance; MEA03 Monitor, evaluate and assess compliance with external requirements – Enablers: Principles, Policies and Frameworks; Information 19. Perform an evaluation of vendor internal controls T4 APO10 Manage suppliers; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Organisational Structures; Information
  • 22.
    Mitigation Strategy Threat COBIT5 Guidance 20. Plan and manage the end of the relationship T2, T4, T5 APO09 Manage service agreements; APO10 Manage suppliers; APO12 Manage risk – Enabler: Services, Infrastructure and Applications; People, Skills and Competencies; Information 21. Use a vendor management system T1, T2, T3, T4 APO08 Manage relationships; APO09 Manage service agreements; APO11 Manage quality; APO12 Manage risk – Enabler: Services, Infrastructure and Applications 22. Create data and hardware disposal stipulations T2, T4 APO12 Manage risk – Enablers: Services, Infrastructure and Applications; Information; Principles, Policies and Frameworks
  • 23.