COBIT 5: ISACA's new framework for IT Governance, Risk, Security
COBIT 5© ISACA
COBIT 5: ISACA's new framework for IT Governance, Risk, Security and Auditing
An overview
M. Garsoux, COBIT 5 Licensed Training Provider
• Introduction
• Principles
• Processes
• Implementation
• Supporting Products
• Questions
Evolution of scope, 1996 to 2012 (figure):

| Version | Scope | Year |
|---|---|---|
| COBIT 1 | Audit | 1996 |
| COBIT 2 | Control | 1998 |
| COBIT 3 | Management | 2000 |
| COBIT 4.0/4.1 | IT Governance | 2005/7 |
| COBIT 5 | Governance of Enterprise IT | 2012 |

Also shown in the figure: Val IT 2.0 (2008) and Risk IT (2009).

A business framework from ISACA, at www.isaca.org/cobit
What is COBIT?
• Control Objectives for Information and Related Technology (COBIT)
• is a set of best practices for Information Technology management
• developed by ISACA (Information Systems Audit & Control Association)
• and the IT Governance Institute
• in 1996.

ISACA develops and maintains the internationally recognized COBIT framework, helping IT professionals and enterprise leaders fulfil their IT Governance responsibilities while delivering value to the business.

ISACA's latest globally accepted framework, COBIT 5, aims to provide an end-to-end business view of the governance of enterprise IT that reflects the central role of IT in creating value for enterprises.
• Information is a key resource for all enterprises.
• Information is created, used, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Technology is becoming pervasive in all aspects of business and personal life.

What benefits do information and technology bring to enterprises?
Helps enterprises:
• Bring order to complex standards and frameworks
• Extract value from information chaos
• Address all stakeholders' needs and maximize the value of corporate information
• Protect and drive enterprise value
Enterprises and their executives strive to:
• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology.

How can these benefits be realized to create enterprise stakeholder value?
• COBIT 5 is a comprehensive framework that helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
• Enterprises exist to create value for their stakeholders.
Stakeholder Value
• Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
• Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
Goals cascade
• Stakeholder needs have to be transformed into an enterprise's actionable strategy.
• The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.
COBIT 5 enterprise goals and governance objectives (P = primary relationship, S = secondary relationship)

| BSC dimension | Enterprise goal | Benefits | Risk | Resource |
|---|---|---|---|---|
| Financial | 1. Stakeholder value of business investments | P | | S |
| Financial | 2. Portfolio of competitive products and services | P | P | S |
| Financial | 3. Managed business risks (safeguarding of assets) | | P | S |
| Financial | 4. Compliance with external laws and regulations | | P | |
| Financial | 5. Financial transparency | P | S | S |
| Customer | 6. Customer-oriented service culture | P | | S |
| Customer | 7. Business service continuity and availability | | P | |
| Customer | 8. Agile responses to a changing business environment | P | | S |
| Customer | 9. Information-based strategic decision making | P | P | P |
| Customer | 10. Optimisation of service delivery costs | P | | P |
| Internal | 11. Optimisation of business process functionality | P | | P |
| Internal | 12. Optimisation of business process costs | P | | P |
| Internal | 13. Managed business change programmes | P | P | S |
| Internal | 14. Operational and staff productivity | P | | P |
| Internal | 15. Compliance with internal policies | | P | |
| Learning & Growth | 16. Skilled and motivated people | S | P | P |
| Learning & Growth | 17. Product and business innovation culture | P | | |
COBIT 5 IT-related goals

Financial
1. Alignment of IT and business strategy
2. IT compliance and support for business compliance with external laws & regulations
3. Commitment of executive management for making IT-related decisions
4. Managed IT-related business risks
5. Realised benefits from IT-enabled investments and services portfolio
6. Transparency of IT costs, benefits and risk

Customer
7. Delivery of IT services in line with business requirements
8. Adequate use of applications, information and technology structure

Internal
9. IT agility
10. Security of information, processing infrastructure and applications
11. Optimisation of IT assets, resources and capabilities
12. Enablement and support of business processes by integrating applications and technology
13. Delivery of programmes on time, on budget, and meeting requirements and quality standards
14. Availability of reliable and useful information for decision making
15. IT compliance with internal policies

Learning & Growth
16. Competent and motivated business and IT personnel
17. Knowledge, expertise and initiatives for business innovation
Mapping of enterprise goals into IT-related goals (excerpt)

The columns are enterprise goals 1 (Stakeholder value of business investments, Financial), 6 (Customer-oriented service culture, Customer), 11 (Optimisation of business process functionality, Internal) and 16 (Skilled and motivated people, Learning and Growth). P = primary relationship, S = secondary relationship; a row with fewer than four letters has a blank cell in the slide.

| BSC dimension | IT-related goal | Mapping to enterprise goals 1, 6, 11, 16 |
|---|---|---|
| Financial | 1. Alignment of IT and business strategy | P P P S |
| Customer | 7. Delivery of IT services in line with business requirements | P P P S |
| Internal | 9. IT agility | S S P S |
| Learning and Growth | 16. Competent and motivated business and IT personnel | S S P |
Mapping of IT-related goals to COBIT 5 processes (excerpt: Evaluate, Direct and Monitor domain)

The columns are IT-related goals 1 (Alignment of IT and business strategy, Financial), 7 (Delivery of IT services in line with business requirements, Customer), 9 (IT agility, Internal) and 17 (Knowledge, expertise and initiatives for business innovation, Learning and Growth). P = primary relationship, S = secondary relationship; a row with fewer than four letters has a blank cell in the slide.

| COBIT 5 process | Mapping to IT-related goals 1, 7, 9, 17 |
|---|---|
| EDM01 Ensure Governance Framework Setting and Maintenance | P P S S |
| EDM02 Ensure Benefits Delivery | P P P |
| EDM03 Ensure Risk Optimisation | S S S |
| EDM04 Ensure Resource Optimisation | S S P S |
| EDM05 Ensure Stakeholder Transparency | S P S |
Key components of a governance system
• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
– Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
– IT-related: ISO 38500, ITIL, ISO 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
– Etc.
• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.

COBIT 5 enablers are:
• Factors that, individually and collectively, influence whether something will work
• Driven by the goals cascade
• Described by the COBIT 5 framework in seven categories
1. Principles, policies and frameworks: the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
2. Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organisational structures: the key decision-making entities in an organisation.
4. Culture, ethics and behaviour: of individuals and of the organisation; very often underestimated as a success factor in governance and management activities.
5. Information: pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies: linked to people and required for successful completion of all activities and for making correct decisions and taking corrective actions.
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM: Evaluate, Direct and Monitor).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM: Plan, Build, Run and Monitor).
COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
Pain points
• Failed IT initiatives
• Rising costs
• Perception of low business value for IT investments
• Significant incidents related to IT risk (e.g. data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Hidden and/or rogue IT spending
• Resource waste through duplication or overlap in IT initiatives
• Insufficient IT resources
• IT staff burnout / dissatisfaction
• IT-enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
• Multiple and complex IT assurance efforts
• Board members or senior managers that are reluctant to engage with IT
Trigger events
• Merger, acquisition or divestiture
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy or priority

By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues being experienced, which will improve buy-in to the business case.