
COBIT 4.1

© 2007 IT Governance Institute. All rights reserved. www.itgi.org

TABLE OF CONTENTS

Executive Overview  5
COBIT Framework  9
Plan and Organise  29
Acquire and Implement  73
Deliver and Support  103
Monitor and Evaluate  153
Appendix I: Tables Linking Goals and Processes  169
Appendix II: Mapping IT Processes to IT Governance Focus Areas, COSO, COBIT IT Resources and COBIT Information Criteria  173
Appendix III: Maturity Model for Internal Control  175
Appendix IV: COBIT 4.1 Primary Reference Material  177
Appendix V: Cross-references Between COBIT 3rd Edition and COBIT 4.1  179
Appendix VI: Approach to Research and Development  187
Appendix VII: Glossary  189
Appendix VIII: COBIT and Related Products  195

Your feedback on COBIT 4.1 is welcomed. Please visit www.isaca.org/cobitfeedback to submit comments.

EXECUTIVE OVERVIEW
For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT).

The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.

Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise's IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.

Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
• Making a link to the business requirements
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.

In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

But how does the enterprise get IT under control such that it delivers the information the enterprise needs? How does it manage the risks and secure the IT resources on which it is so dependent? How does the enterprise ensure that IT achieves its objectives and supports the business?

First, management needs control objectives that define the ultimate goal of implementing policies, plans and procedures, and organisational structures designed to provide reasonable assurance that:
• Business objectives are achieved
• Undesired events are prevented or detected and corrected


Second, in today's complex environments, management is continuously searching for condensed and timely information to make difficult decisions on value, risk and control quickly and successfully. What should be measured, and how? Enterprises need an objective measure of where they are and where improvement is required, and they need to implement a management tool kit to monitor this improvement. Figure 1 shows some traditional questions and the management information tools used to find the responses, but these dashboards need indicators, scorecards need measures and benchmarking needs a scale for comparison.

An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT's definition of:
• Benchmarking of IT process performance and capability, expressed as maturity models, derived from the Software Engineering Institute's Capability Maturity Model (CMM)
• Goals and metrics of the IT processes to define and measure their outcome and performance, based on the principles of Robert Kaplan and David Norton's balanced business scorecard
• Activity goals for getting these processes under control, based on COBIT's control objectives

The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. After identifying critical IT processes and controls, maturity modelling enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed to bring these processes up to the desired capability target level.

Thus, COBIT supports IT governance (figure 2) by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT risks are managed appropriately

Performance measurement is essential for IT governance. It is supported by COBIT and includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how to deliver it (process capability and performance). Many surveys have identified that the lack of transparency of IT's cost, value and risks is one of the most important drivers for IT governance. While the other focus areas contribute, transparency is primarily achieved through performance measurement.
Figure 1: Management Information
How do responsible managers keep the ship on course? How can the enterprise achieve results that are satisfactory for the largest possible segment of stakeholders? How can the enterprise be adapted in a timely manner to trends and developments in its environment?
Dashboard (indicators?), Scorecards (measures?), Benchmarking (scales?)

Figure 2: IT Governance Focus Areas
Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

These IT governance focus areas describe the topics that executive management needs to address to govern IT within their enterprises. Operational management uses processes to organise and manage ongoing IT activities. COBIT provides a generic process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. The COBIT process model has been mapped to the IT governance focus areas (see appendix II, Mapping IT Processes to IT Governance Focus Areas, COSO, COBIT IT Resources and COBIT Information Criteria), providing a bridge between what operational managers need to execute and what executives wish to govern.

To achieve effective governance, executives require that controls be implemented by operational managers within a defined control framework for all IT processes. COBIT's IT control objectives are organised by IT process; therefore, the framework provides a clear link among IT governance requirements, IT processes and IT controls.

COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed, IT standards and good practices (see appendix IV, COBIT 4.1 Primary Reference Material). COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements. COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.

The COBIT products have been organised into three levels (figure 3) designed to support:
• Executive management and boards
• Business and IT management
• Governance, assurance, control and security professionals

Briefly, the COBIT products include:
• Board Briefing on IT Governance, 2nd Edition. Helps executives understand why IT governance is important, what its issues are and what their responsibility is for managing it
• Management guidelines/maturity models. Help assign responsibility, measure performance, and benchmark and address gaps in capability
• Frameworks. Organise IT governance objectives and good practices by IT domains and processes, and link them to business requirements
• Control objectives. Provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition. Provides a generic road map for implementing IT governance using the COBIT and Val IT™ resources
• COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition. Provides guidance on why controls are worth implementing and how to implement them
• IT Assurance Guide: Using COBIT®. Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives

The COBIT content diagram depicted in figure 3 presents the primary audiences, their questions on IT governance and the generally applicable products that provide responses. There are also derived products for specific purposes, for domains such as security or for specific enterprises.
Figure 3: COBIT Content Diagram
Executives and Boards: How does the board exercise its responsibilities? (Board Briefing on IT Governance, 2nd Edition)
Business and Technology Management: How do we measure performance? How do we compare to others? And how do we improve over time? (Management guidelines, maturity models)
Governance, Assurance, Control and Security Professionals: What is the IT governance framework? How do we assess the IT governance framework? How do we implement it in the enterprise? (Frameworks, control objectives and key management practices of COBIT and Val IT; IT Governance Implementation Guide, 2nd Edition; COBIT Control Practices, 2nd Edition; IT Assurance Guide)

This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT Quickstart for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).

information, visit www.isaca.org/cobit and www.isaca.org/valit.
