A practitioner’s view on COBIT 5
TRANSCRIPT
Vasilijs Mihailovs, MBA, ACMA, CISA, CISM, CISSP, ITIL Expert
ISACA Post President Council Meeting Event – Tel Aviv
March 2013
A practitioner’s view on COBIT 5 Page 2
Agenda
► Goals cascade, Process model, Maturity model; for each topic:
  ► How it worked in COBIT 4.1
  ► How it works in COBIT 5
  ► Summary: compare and contrast
► Conclusions
Origins of COBIT 5
► Need for a master framework
► COBIT factsheet
► COBIT 5 development milestones
► COBIT 5 product family
► Benefits
► Integration framework
► Challenges
► On balance
Origins of COBIT 5 – The need for a master framework
► Businesses are challenged to map IT costs to the value created
  ► Need for a method and a library which would help to:
    ► Create a fully traceable mesh among business goals and IT processes
    ► Identify controls, and the risks introduced by not implementing these controls
► The technology landscape changes rapidly
  ► Technology-based frameworks become obsolete soon after they emerge
  ► Need for a technology-independent IT control framework
► The regulatory landscape becomes increasingly complex
  ► Requirements listed in laws and regulations overlap significantly
  ► Need for a consolidated framework mapped to multiple regulations
Origins of COBIT 5 – COBIT factsheet
► Control Objectives for Information and related Technologies
► Version 5 (2012), 4.1 (2007), 4 (2005), 3 (2000), 2 (1998), 1 (1996)
► Principal library of control objectives in IT
  ► Used for design, implementation, management and audit of IT
► Owned and maintained by ISACA
► Based on the internal control framework defined by COSO
  ► Committee of Sponsoring Organizations of the National Commission on Fraudulent Financial Reporting (COSO), in 1992, revised in 2001
► Mapped to multiple frameworks
  ► Version 4.0/4.1 mapped to SOx 404, ISO 27002, ITIL, TOGAF etc.
  ► Version 5 mapped to version 4.1
Origins of COBIT 5 – COBIT 5 development milestones
[Timeline figure: milestones in 2005, 2006, 2007, 2008, 2009 and 2011, ending in April 2012]
Origins of COBIT 5 – COBIT 5 product family
[Figure] Reproduced from: Figure 1 on Page 11 in COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012
Agenda – Goals cascade (How it worked in COBIT 4.1; How it works in COBIT 5; Summary: compare and contrast)
Goals cascade – How it worked in COBIT 4.1: Goals cascade at a glance
Business Goals
► 17 generic goals
► Defined by the business strategy
IT Goals
► 28 generic goals
► Mapped to Business Goals
IT Processes
► 34 generic processes
► Mapped to IT Goals
IT Control Objectives
► 318 specific practices
► Grouped by IT Processes
Goals cascade – How it worked in COBIT 4.1: Goals cascade at a glance (annotated)
[Figure: the same four-level cascade (Business Goals, IT Goals, IT Processes, IT Control Objectives), annotated with the point of entry, the internal control system for IT, and Goals / Evaluation arrows between the levels]
Goals cascade – How it works in COBIT 5: Overview
Stakeholder Drivers
► 22 generic IT-related points of concern to the businesses
Enterprise Goals
► 17 generic goals
► Mapped to Stakeholder Drivers
IT-related Goals
► 17 generic goals
► Mapped to Enterprise Goals
Enabler Goals
► 37 generic processes
► Mapped to IT-related Goals
Management Practices
► 210 specific practices
► Grouped by Enabler Goals
Goals cascade – How it works in COBIT 5: Comparison to COBIT 4.1
Level by level, COBIT 5 beside COBIT 4.1:
► Stakeholder Drivers (22 generic IT-related points of concern to the businesses) – no corresponding level in COBIT 4.1
► Enterprise Goals (17 generic goals, mapped to Stakeholder Drivers) vs. Business Goals (17 generic goals, defined by the business strategy)
► IT-related Goals (17 generic goals, mapped to Enterprise Goals) vs. IT Goals (28 generic goals, mapped to Business Goals)
► Enabler Goals (37 generic processes, mapped to IT-related Goals) vs. IT Processes (34 generic processes, mapped to IT Goals)
► Management Practices (210 specific practices, grouped by Enabler Goals) vs. IT Control Objectives (318 specific practices, grouped by IT Processes)
Goals cascade – How it works in COBIT 5: Stakeholder drivers
Stakeholder Drivers
► 22 generic IT-related points of concern to the businesses
Examples of stakeholder questions:
► How do I best build and structure my IT department?
► Is the information I am processing well secured?
► How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers?
► What has been the average overrun of the IT operational budgets? How often and how much do IT projects go over budget?
► Does IT support the enterprise in complying with regulations and service levels? How do I know whether I am compliant with all applicable regulations?
► How do I get assurance over IT?
Goals cascade – How it works in COBIT 5: Stakeholder drivers in COBIT 4.1
[Figure: the same stakeholder questions and the Stakeholder Drivers level (22 generic IT-related points of concern to the businesses) as on the previous slide]
Pages 19-21 of this publication contain a list of typical pain points and triggers which may be considered as input to the Stakeholder Drivers in COBIT 5. These items have not been incorporated into the COBIT 4.1 goals cascade.
Goals cascade – How it works in COBIT 5: Enterprise & IT-related Goals
Balanced Scorecard dimensions, applied at both the Enterprise Goals and the IT-related Goals level: Financial, Customer, Internal, Learning and Growth
Enterprise Goals
► 17 generic goals
► Mapped to Stakeholder Drivers
IT-related Goals
► 17 generic goals
► Mapped to Enterprise Goals
Goals cascade – How it works in COBIT 5: Enterprise & IT-related Goals in COBIT 4.1
[Figure: the Balanced Scorecard dimensions (Financial, Customer, Internal, Learning and growth) shown against the Enterprise Goals and IT-related Goals levels]
The Balanced Scorecard approach was not utilised at the goals level in COBIT 4.1; however, the idea of using a Balanced Scorecard for IT performance measurement was implied throughout the framework. In COBIT 5, the goals were rephrased to stress the business focus at the Enterprise Goals level and the IT focus at the IT-related Goals level, and reworked into Critical Success Factor statements.
Goals cascade – How it works in COBIT 5: Enabler goals
Governance domain: EDM01-EDM05 Evaluate, Direct and Monitor (Evaluate, Direct, Monitor; management feedback)
Management domains:
► APO01-APO13 Align, Plan and Organise
► BAI01-BAI10 Build, Acquire and Implement
► DSS01-DSS06 Deliver, Service and Support
► MEA01-MEA03 Monitor, Evaluate and Assess
Enabler Goals
► 37 generic processes
► Mapped to IT-related goals
Goals cascade – How it works in COBIT 5: Enabler goals in COBIT 4.1
COBIT 4.1 domains: PO1-PO10 Plan and Organise; AI1-AI7 Acquire and Implement; DS1-DS13 Deliver and Support; ME1-ME4 Monitor and Evaluate
COBIT 5 domains: EDM01-EDM05 Evaluate, Direct and Monitor (governance); APO01-APO13 Align, Plan and Organise; BAI01-BAI10 Build, Acquire and Implement; DSS01-DSS06 Deliver, Service and Support; MEA01-MEA03 Monitor, Evaluate and Assess (management)
Enabler Goals (COBIT 5)
► 37 generic processes
► Mapped to IT-related goals
IT Processes (COBIT 4.1)
► 34 generic processes
► Mapped to IT goals
Goals cascade – Summary: COBIT 4.1 goals cascade at a glance
[Figure: Business Goals (17 generic goals, defined by the business strategy) → IT Goals (28 generic goals, mapped to Business Goals) → IT Processes (34 generic processes, mapped to IT Goals) → IT Control Objectives (318 specific practices, grouped by IT Processes)]
Goals cascade – Summary: COBIT 4.1 goals cascade at a glance (annotated)
[Figure: the same four-level cascade, annotated with the point of entry, the internal control system for IT, and Goals / Evaluation arrows between the levels]
Goals cascade – Summary: COBIT 5 goals cascade at a glance
[Figure: Stakeholder Drivers (22 generic IT-related points of concern to the businesses) → Enterprise Goals (17 generic goals, mapped to Stakeholder Drivers) → IT-related Goals (17 generic goals, mapped to Enterprise Goals) → Enabler Goals (37 generic processes, mapped to IT-related Goals) → Management Practices (210 specific practices, grouped by Enabler Goals)]
Goals cascade – Summary: COBIT 5 goals cascade at a glance (annotated)
[Figure: the same five-level cascade, annotated with the point of entry, the Balanced Scorecard dimensions (Financial, Customer, Internal, Learning and growth), CSF and KPI labels, and the internal control system for IT]
Goals cascade – Summary: COBIT 5 cascade comparison to COBIT 4.1 cascade
[Figure: the two annotated cascades side by side; COBIT 5 with the point of entry, the Balanced Scorecard dimensions (Financial, Customer, Internal, Learning and growth), CSF and KPI labels and the internal control system for IT; COBIT 4.1 with the point of entry, Goals / Evaluation arrows and the internal control system for IT]
Agenda – Goals cascade: End of section
Agenda – Process model (How it worked in COBIT 4.1; How it works in COBIT 5; Summary: compare and contrast)
Process model – How it worked in COBIT 4.1: General principle
Each IT Control Objective (e.g., DS4 Ensure Continuous Service) includes:
► Process description
  ► Control over ... that satisfies the business requirement for IT of ... by focusing on ... is achieved by ... and is measured by ...
► Control objectives
► Management guidelines
  ► Inputs & Outputs, RACI chart for the process, Goals & Metrics
► Maturity model for the IT process
IT Control Objectives
► 318 specific practices
► Grouped by IT processes
COBIT 4.1 domains: PO1-PO10 Plan and Organise; AI1-AI7 Acquire and Implement; DS1-DS13 Deliver and Support; ME1-ME4 Monitor and Evaluate
Process model – How it works in COBIT 5: Enabler goals
[Figure: COBIT 5 process reference model; governance domain EDM01-EDM05 Evaluate, Direct and Monitor (Evaluate, Direct, Monitor; management feedback); management domains APO01-APO13 Align, Plan and Organise, BAI01-BAI10 Build, Acquire and Implement, DSS01-DSS06 Deliver, Service and Support, MEA01-MEA03 Monitor, Evaluate and Assess]
Enabler Goals
► 37 generic processes
► Mapped to IT-related Goals
Process model – How it works in COBIT 5: Enabler goals in COBIT 4.1
[Figure: the COBIT 5 process reference model (EDM01-EDM05, APO01-APO13, BAI01-BAI10, DSS01-DSS06, MEA01-MEA03) beside the COBIT 4.1 domains PO1-PO10 Plan and Organise, AI1-AI7 Acquire and Implement, DS1-DS13 Deliver and Support, ME1-ME4 Monitor and Evaluate]
Enabler Goals (COBIT 5)
► 37 generic processes
► Mapped to IT-related Goals
IT Processes (COBIT 4.1)
► 34 generic processes
► Mapped to IT Goals
Process model – How it works in COBIT 5: DSS04 Manage Continuity process
Reproduced from: Page 185 in COBIT 5: Enabling Processes, ISACA, 2012
Process model – How it works in COBIT 5: DS4 Ensure Continuous Service process
Reproduced from: Page 185 in COBIT 5: Enabling Processes, ISACA, 2012, and Page 113 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007
Process model – How it works in COBIT 5: DSS04.06 Conducting Continuity Training
Reproduced from: Page 188 in COBIT 5: Enabling Processes, ISACA, 2012
Process model – How it works in COBIT 5: DS4.6 IT Continuity Plan Training
Reproduced from: Page 188 in COBIT 5: Enabling Processes, ISACA, 2012, and Page 114 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007
Process model – How it works in COBIT 5: Goals & Metrics of DSS04 process
[Figure: the COBIT 5 goals cascade (Stakeholder Drivers → Enterprise Goals → IT-related Goals → Enabler Goals → Management Practices), as shown in the goals cascade section]
Process model – How it works in COBIT 5: Goals & Metrics of DSS04 process (IT-related Goals and Enabler Goals levels)
[Figure: the IT-related Goals (17 generic goals, mapped to Enterprise Goals) and Enabler Goals (37 generic processes, mapped to IT-related Goals) levels of the cascade]
Process model – How it works in COBIT 5: Goals & Metrics of DSS04 process
Reproduced from: Page 185 in COBIT 5: Enabling Processes, ISACA, 2012
[Figure: the IT-related Goals (17 generic goals, mapped to Enterprise Goals) and Enabler Goals (37 generic processes, mapped to IT-related Goals) levels of the cascade]
Process model – How it works in COBIT 5: Goals & Metrics of DS4 process
Reproduced from: Page 115 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007
Process model – How it works in COBIT 5: RACI matrix of DSS04 process
Reproduced from: Page 186 in COBIT 5: Enabling Processes, ISACA, 2012
RACI: Responsible, Accountable, Consulted, Informed
Process model – How it works in COBIT 5: RACI matrix of DS4 process
Reproduced from: Page 186 in COBIT 5: Enabling Processes, ISACA, 2012, and Page 115 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007
RACI: Responsible, Accountable, Consulted, Informed
Process model – How it works in COBIT 5: What goes out and what comes in?
In:
► Process purpose statements for each Enabler Goal
► Consistent and enlarged list of stakeholders in the RACI matrix for each Enabler Goal
► Precise mapping of each individual Management Practice to its own RACI matrix
► Inputs and outputs for each Management Practice rather than for each Enabler Goal
► Structured description of activities for each Management Practice
► References to external standards for each Enabler Goal
Out:
► Management Practice level Key Goal Indicators for each Enabler Goal
  ► Incorporated in individual activities for each Management Practice
► Enabler Goal specific Maturity Model
  ► Introduction of an ISO 15504 aligned Process Assessment Model
► Business requirements for information and IT resources
  ► Incorporated in Management Practices, but not defined under individual headings
Process model – Summary: COBIT 5 Enabler goals and COBIT 4.1 IT Processes
[Figure: the COBIT 5 process reference model (EDM01-EDM05 Evaluate, Direct and Monitor; APO01-APO13 Align, Plan and Organise; BAI01-BAI10 Build, Acquire and Implement; DSS01-DSS06 Deliver, Service and Support; MEA01-MEA03 Monitor, Evaluate and Assess) beside the COBIT 4.1 domains (PO1-PO10 Plan and Organise; AI1-AI7 Acquire and Implement; DS1-DS13 Deliver and Support; ME1-ME4 Monitor and Evaluate)]
Enabler Goals (COBIT 5)
► 37 generic processes
► Mapped to IT-related Goals
IT Processes (COBIT 4.1)
► 34 generic processes
► Mapped to IT Goals
Process model – Summary: COBIT 5 structure of Management Practices at a glance
Each Management Practice (e.g., DSS04 Manage Continuity) includes:
► Process Description
► Process Purpose Statement
► IT-related Goals supported by the Management Practice
► Process Goals and Metrics related to the Management Practice
► RACI chart for all activities constituting the Management Practice
► Description of activities constituting the Management Practice
  ► Description of activity, Inputs & Outputs
  ► Steps involved in performing the activity
► Reference to non-COBIT standards related to the Management Practice
Process model – Summary: Structure of Management Practices compared to COBIT 4.1
[Figure: the same list of Management Practice components as on the previous slide, colour-coded according to the legend below]
Legend:
► Significant improvement in content, usability and/or structure compared to the same component in COBIT 4.1
► The component has not been used, or has been used in a different way, in the IT Control Objectives description in COBIT 4.1
Agenda – Process model: End of section
Agenda – Maturity model (How it worked in COBIT 4.1; How it works in COBIT 5; Summary: compare and contrast)
Maturity model – How it worked in COBIT 4.1: Assessing maturity levels
► Maturity levels represent profiles of IT processes
► Useful for the description of current and future states
► No intention to measure the maturity level precisely
► NOT designed as a threshold model
  ► In a threshold model the next maturity level cannot be achieved before all conditions relevant to the lower levels have been met
Maturity model – How it worked in COBIT 4.1: Generic maturity profiles
[Figure: generic maturity profile matrix of attributes against maturity levels]
Attributes: Awareness & Communication; Policies, Plans & Procedures; Tools & Automation; Skills & Expertise; Responsibility & Accountability; Goal Setting & Measurement
Maturity levels: Non-existent (0); Initial / Ad Hoc (1); Repeatable but Intuitive (2); Defined Process (3); Managed and Measurable (4); Optimised (5)
Maturity model – How it worked in COBIT 4.1: Process-specific maturity profiles
DS4: Ensure Continuous Service
1 Initial/Ad Hoc when
Responsibilities for continuous service are informal, and the authority to execute responsibilities is limited. Management is becoming aware of the risks related to and the need for continuous service. The focus of management attention on continuous service is on infrastructure resources, rather than on the IT services. Users implement workarounds in response to disruptions of services. The response of IT to major disruptions is reactive and unprepared. Planned outages are scheduled to meet IT needs but do not consider business requirements.
4 Managed and Measurable when
Responsibilities and standards for continuous service are enforced. The responsibility to maintain the continuous service plan is assigned. Maintenance activities are based on the results of continuous service testing, internal good practices, and the changing IT and business environment. Structured data about continuous service are being gathered, analysed, reported and acted upon. Formal and mandatory training is provided on continuous service processes. System availability good practices are being consistently deployed. Availability practices and continuous service planning influence each other. Discontinuity incidents are classified, and the increasing escalation path for each is well known to all involved. Goals and metrics for continuous service have been developed and agreed upon but may be inconsistently measured.
Maturity model – How it works in COBIT 5: Assessing maturity levels
► Maturity levels are based on the ISO 15504 standard
  ► ISO 15504 Information technology — Process assessment
    ► Part 2: process assessment model definition
    ► Part 3: guidance to fulfil the requirements listed in Part 2
  ► Also known as SPICE
    ► Software Process Improvement and Capability Evaluation
► Provides tools to measure the maturity level precisely
► Designed as a threshold model
  ► The next maturity level cannot be achieved before all conditions relevant to the lower levels have been met
► First introduced for COBIT 4.1 in 2011
► Released for COBIT 5 in February 2013
Maturity model – How it works in COBIT 5: Generic capability profiles
Capability levels and their process attributes (standard generic criteria for each capability level, as outlined in ISO 15504):
► Level 0 Incomplete: process not implemented or fails to achieve its purpose
► Level 1 Performed: Process performance (a list of process outcomes defined for each Enabler Goal)
► Level 2 Managed: Performance management; Work product management
► Level 3 Established: Process definition; Process deployment
► Level 4 Predictable: Process measurement; Process control
► Level 5 Optimizing: Process innovation; Process optimization
Evaluation of each attribute: N (not achieved, 0%-15%), P (partially achieved, 15%-50%), L (largely achieved, 50%-85%), F (fully achieved, 85%-100%)
To achieve a certain capability level, all attributes on the previous levels must be fully achieved and all attributes on the attempted level must be largely or fully achieved.
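To make the threshold rule concrete, here is an added worked example (not from the presentation, ISACA or ISO) that rates each process attribute on the N/P/L/F scale and derives the capability level reached, plus the attributes that block the next level. The DSS04 scores in it are constructed, and the handling of band edges (15%, 50%, 85%) follows the ISO 15504-2 wording rather than anything the slide states.

```python
"""Capability-level determination following the ISO 15504 rules summarised on the slide."""

# Process attributes per capability level, in the order the slide lists them.
# Level 0 (Incomplete) has no attributes: it is the result when level 1 is not reached.
LEVEL_ATTRIBUTES = {
    1: ("Process performance",),
    2: ("Performance management", "Work product management"),
    3: ("Process definition", "Process deployment"),
    4: ("Process measurement", "Process control"),
    5: ("Process innovation", "Process optimization"),
}
LEVEL_NAMES = {
    0: "Incomplete", 1: "Performed", 2: "Managed",
    3: "Established", 4: "Predictable", 5: "Optimizing",
}


def rate(percent: float) -> str:
    """Map a percentage of achievement to the N/P/L/F scale from the slide.

    Band edges follow ISO 15504-2 (N: 0-15%, P: >15-50%, L: >50-85%, F: >85-100%);
    the slide leaves the edges ambiguous, so this boundary choice is an assumption.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(scores: dict) -> int:
    """Return the capability level reached by a process.

    scores maps attribute name -> percent achieved; missing attributes count as 0%.
    Rule from the slide: every attribute on lower levels must be F, and every
    attribute on the attempted level must be L or F.
    """
    reached = 0
    for level in range(1, 6):
        ratings = [rate(scores.get(attr, 0)) for attr in LEVEL_ATTRIBUTES[level]]
        if all(r == "F" for r in ratings):
            reached = level          # fully achieved: may still climb one level higher
            continue
        if all(r in ("L", "F") for r in ratings):
            reached = level          # largely achieved: level reached, but it is the ceiling
        break                        # an N or P on this level stops the climb either way
    return reached


def blocking_attributes(scores: dict) -> list:
    """List (attribute, rating) pairs that prevent the next capability level.

    A process at level n is blocked either by an L on level n (must become F)
    or by an N/P on level n + 1 (must become at least L).
    """
    current = capability_level(scores)
    blockers = []
    if current >= 1:
        for attr in LEVEL_ATTRIBUTES[current]:
            r = rate(scores.get(attr, 0))
            if r != "F":
                blockers.append((attr, r))
    if current < 5:
        for attr in LEVEL_ATTRIBUTES[current + 1]:
            r = rate(scores.get(attr, 0))
            if r not in ("L", "F"):
                blockers.append((attr, r))
    return blockers


# Constructed sample assessment (not real data) for the DSS04 Manage Continuity
# process discussed on the slides: level 1 and 2 attributes strong, level 3 partial.
SAMPLE_DSS04 = {
    "Process performance": 95,
    "Performance management": 90,
    "Work product management": 88,
    "Process definition": 70,
    "Process deployment": 40,
}

if __name__ == "__main__":
    lvl = capability_level(SAMPLE_DSS04)
    print(f"DSS04 capability level: {lvl} ({LEVEL_NAMES[lvl]})")
    for attr, r in blocking_attributes(SAMPLE_DSS04):
        print(f"  blocked by {attr}: {r}")
```

The sample reaches level 2 (Managed): Process definition is largely achieved but Process deployment is only partially achieved, so level 3 is not reached and that attribute is reported as the blocker.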
Maturity model – Summary: Matching maturity levels
[Figure: COBIT 5 / ISO 15504 capability levels matched against COBIT 4.1 maturity levels]
COBIT 5 capability levels: Level 0 Incomplete; Level 1 Performed; Level 2 Managed; Level 3 Established; Level 4 Predictable; Level 5 Optimizing
COBIT 4.1 maturity levels: Level 0 Non-existent; Level 1 Initial / Ad Hoc; Level 2 Repeatable but intuitive; Level 3 Defined process; Level 4 Managed and measurable; Level 5 Optimised
Legend of the matches shown in the figure: Match by design; Expected to match in many cases; Expected to match in some cases
Maturity model – Summary: Benefits of the COBIT 5 approach
► Elimination of duplicate components
  ► The COBIT 4.1 maturity model was based on multi-level components
    ► Generic maturity, process, control objectives, process controls
► Improved reliability and repeatability of maturity assessment
  ► Granular methodology and consistent decision rules
  ► Process assessment training and formal certification for individual assessors
► Compliance with the ISO 15504 standard
  ► CMMI and ISO 15504 are the two most commonly accepted standards
  ► CMMI and ISO 15504 are consistent and compatible with each other
  ► A mapping between CMMI and ISO 15504 has been developed
Agenda – Maturity model: End of section
Conclusions – Benefits
► Formalisation of the Balanced Scorecard approach
  ► More practical entry point to the goals cascade
  ► Better suitability for goal setting, achievement and monitoring
► Higher granularity and clearer connections
  ► Powerful support for structured control framework design
  ► References to connecting standards, frameworks and regulations
► Updated implementation guide: COBIT 5 Implementation
  ► Builds on the COBIT 4.1 implementation guide
  ► Integration with other widely used frameworks
    ► Project management methodologies
    ► ITIL Continual Service Improvement process
Conclusions – Integration framework
[Figure] Reproduced from: Figure 25 on Page 61 in COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012
Conclusions – Challenges
► Steeper learning curve than for COBIT 4.1
  ► Not a big difference for an entry-level user
  ► Maturity model / Process Assessment Model may present an additional challenge
  ► Realisation of the benefits resulting from higher granularity needs experience
► Limited support publications
  ► COBIT5 Quickstart, SOx 404 guide etc.
  ► COBIT5 direct mapping to ISO 27002, ISO 38500, PCI DSS etc.
  ► Online collaboration space / COBIT 5 online
► Substantial switching costs
  ► Major reorganisation of Enterprise, IT-related and Enabler Goals
    ► Business goals, IT goals, IT processes – using COBIT 4.1 terminology
Conclusions – Challenges: Perception
► COBIT 5 is more “human language” than COBIT 4.1
  ► “What do you want to do?” style entry point
  ► A large number of statements are rephrased in a better language style
  ► Many complex diagrams are replaced with intuitive tables and schemes
  ► Ambiguity is significantly reduced by establishing more precise linkages
► However,
  ► It is not easy to find the correct entry point for an unprepared reader
  ► You may consider starting at page 55 (Appendix D) before going to page 1
    ► COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012
“COBIT is not written in a human language!...”
Head of IT in a mid-sized financial services company, about COBIT 4.1
Conclusions – On balance
► Mature IT governance and management tool
  ► Business approach to goal setting, achievement and monitoring
  ► Very granular guidance on all covered practices and models
► Needs to build momentum
  ► It will take a few years before COBIT 5 is fully understood by practitioners
  ► COBIT 4.1 practitioners will need to update their knowledge base
    ► Homo sapiens cobitus typically knows most processes by heart
► Favours complicated implementations
  ► Multinational corporations may benefit significantly even in the short term
  ► Switchover may be time-consuming and resource-intensive
  ► Small and medium-sized enterprises may wait for COBIT5 Quickstart
About this presentation – Contacts and acknowledgements
Vasilijs Mihailovs, MBA, ACMA, CISA, CISM, CISSP, ITIL Expert
Ernst & Young EMEIA FSO, FSO IT Risk & Assurance, Ireland
Email: [email protected]
Acknowledgements
► Jerry O’Sullivan, EY Ireland, Email: [email protected]
► Rob van den Eijnden, EY Netherlands, Email: [email protected]
Contacts in Israel
► Galit Dayan, EY Tel Aviv, Email: [email protected]
Important information
► The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice.
► Accordingly, Ernst & Young accepts no responsibility for loss arising from any action taken or not taken by anyone using this pack.
► The information in this pack will have been supplemented by matters arising from any oral presentation by us, and should be considered in the light of this additional information.
► If you require any further information or explanations, or specific advice, please contact us and we will be happy to discuss matters further.