COBIT® 5
A globally accepted business framework for the governance and management of enterprise IT

Denver ISACA AGM Chapter Meeting
April 25, 2013
Debbie Lew ([email protected] 805-778-7049)
Agenda

► What is COBIT and background?
► Why COBIT – drivers?
► Review of the framework: key features
► COBIT 5 Principles
► COBIT Enablers
► COBIT 4.1 and COBIT 5 Differences
► Process Capability Model and Assessment
► Implementing COBIT – the basics
► COBIT Benefits
COBIT 5: The Business Framework for the governance and management of enterprise IT

COBIT is a repository for:
► IT Processes
► IT Management Processes
► IT Governance Processes
The only framework that covers the end-to-end IT life cycle.

COBIT 5:
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by a reputable not-for-profit organization
• Maps strongly to all major related standards
• Is a reference, a set of best practices, not an “off-the-shelf” cure
The Evolution of COBIT 5

Release timeline and the scope each release addressed:
COBIT 1 (1996) – Audit
COBIT 2 (1998) – Control
COBIT 3 (2000) – Management
COBIT 4.0/4.1 (2005/7) – IT Governance
COBIT 5 (2012) – Governance of Enterprise IT

Frameworks folded into COBIT 5: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)

A business framework from ISACA, at www.isaca.org/cobit

© 2012 ISACA. All Rights Reserved.
Why Develop COBIT 5?

• ISACA Board of Directors directive: “Tie together and reinforce all ISACA knowledge assets with COBIT.”
• Provide a renewed and authoritative governance and management framework for enterprise information and related technology.
• Integrate all other major ISACA frameworks and guidance.
• Align with other major frameworks and standards.
Drivers for COBIT 5

► Provide guidance in:
  ► Enterprise architecture
  ► Asset and service management
  ► Emerging sourcing and organization models
  ► Innovation and emerging technologies (including streamlining product development, manufacturing and supply chain processes to deliver products to market with increasing levels of efficiency, speed and quality)
  ► End-to-end business and IT responsibilities
  ► Controls for user-initiated and user-controlled IT solutions
Business Needs

Enterprises are under constant pressure to:
► Increase benefits realization through effective and innovative use of enterprise IT:
  ► Generate business value from new enterprise investments with supporting IT investment
  ► Achieve operational excellence through application of technology
► Maintain IT-related risk at an acceptable level
► Contain the cost of IT services and technology
► Ensure business and IT collaboration, leading to business user satisfaction with IT engagement and services
► Comply with ever-increasing relevant laws, regulations and policies.
COBIT 5 Scope

Not simply IT: not only for big business!

► COBIT 5 is about governing and managing information
  ► Whatever medium is used
  ► End to end throughout the enterprise
► Information is equally important to:
  ► Global, multinational business
  ► National and local government
  ► Charities and not-for-profit enterprises
  ► Small to medium enterprises and
  ► Clubs and associations
COBIT 5 Format

► Simplified
► COBIT 5 directly addresses the needs of the viewer from different perspectives
► Development continues with specific practitioner guides (COBIT 5 for Security was issued June 2012)
► COBIT 5 is initially in 3 volumes:
  ► The Framework – free download
  ► The Process Reference Guide – free to members
  ► Implementation Guide – free to members
► COBIT 5 is based on:
  ► 5 principles and
  ► 7 enablers
COBIT 5 Product Family

Review of COBIT 5 Framework

COBIT 5 Principles
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
Principle 1: Meeting Stakeholder Needs

► Enterprises exist to create value for their stakeholders
► Value creation: realizing benefits at an optimal resource cost while optimizing risk.
Principle 1: Meeting Stakeholder Needs

► Enterprises exist to create value for their stakeholders (governance objective: value creation)
► Stakeholder needs have to be transformed into an enterprise’s actionable strategy.
► The COBIT 5 goals cascade allows the definition of priorities for:
  ► Implementation
  ► Improvement
  ► Assurance of enterprise governance of IT

Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
Principle 1: Meeting Stakeholder Needs

► Enterprises have many stakeholders
► Governance is about
  ► Negotiating
  ► Deciding amongst different stakeholders’ value interests
  ► Considering all stakeholders when making benefit, resource and risk assessment decisions
► For each decision, ask:
  ► For whom are the benefits?
  ► Who bears the risk?
  ► What resources are required?
Principle 1: Meeting Stakeholder Needs

External stakeholders: business partners, suppliers, shareholders, regulators/government, external users, customers, standardisation organisations, external auditors, consultants, etc.

External stakeholder needs:
· How do I know my business partner’s operations are secure and reliable?
· How do I know the organisation is compliant with applicable rules and regulations?
· How do I know the enterprise is maintaining an effective system of internal control?
Principle 1: Meeting Stakeholder Needs

► Internal stakeholder concerns include:
  ► How do I get value from the use of IT?
  ► How do I manage performance of IT?
  ► How can I best exploit new technology for new strategic opportunities?
  ► How do I know whether I’m compliant with all applicable laws and regulations?
  ► Am I running an efficient and resilient IT operation?
  ► How do I control the cost of IT?
  ► Is the information I am processing adequately and appropriately secured?
  ► How critical is IT to sustaining the enterprise?
  ► What do I do if IT is not available?
Enterprise Goals
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

IT-Related Goals
Source: COBIT® 5, © 2012 ISACA® All rights reserved.
Principle 2: Covering the Enterprise End-to-End

► Governance roles, activities and relationships define:
  ► Who is involved in governance
  ► How they are involved
  ► What they do and
  ► How they interact
► COBIT 5 defines the difference between governance and management activities in principle 5

Principle 2: Covering the Enterprise End-to-End

Key components of a governance system
Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.
Principle 3: Applying a Single Integrated Framework

COBIT 5:
► Is complete in enterprise coverage
► Provides a basis to integrate effectively other frameworks, standards and practices used
► Aligns with the latest relevant standards and frameworks (COSO, ITIL, ISO, PMBOK, NIST etc.)
► Integrates all knowledge previously dispersed over different ISACA frameworks (Risk IT, Val IT, BMIS)

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

Principle 3: Applying a Single Integrated Framework

Enablers provide structure to the COBIT 5 knowledge base

Mapping of COBIT 5
Principle 4: Enabling a Holistic Approach

COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.

COBIT 5 enablers are:
► Factors that, individually and collectively, influence whether something will work
► Driven by the goals cascade
► Described by the COBIT 5 framework in seven categories

Principle 4: Enabling a Holistic Approach
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
Principle 5: Separating Governance from Management

The COBIT 5 framework makes a clear distinction between governance and management.
► These two disciplines:
  ► Encompass different types of activities
  ► Require different organisational structures
  ► Serve different purposes
► Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
► Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Principle 5: Separating Governance from Management

COBIT 5 is not prescriptive, but it advocates that organizations implement governance and management processes such that the key areas are covered, as shown.
Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.
COBIT 5 Enabling Processes

COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.

Process Reference Model

► Represents all the processes normally found in an enterprise relating to IT
► Provides a common reference model understandable to IT and business managers
► Provides a common language
► Provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices
► Subdivides processes into governance (1 domain) and management (4 domains)
► 37 processes (5 governance, 32 management)
► Harmonized with other frameworks and standards

COBIT 5 Process Reference Model
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Exercise – Enabling a holistic approach

Developing enablers for the APO12 process – Manage Risk

APO12 Manage Risk
Area: Management
Domain: Align, Plan and Organise
Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
Process Purpose Statement: Integrate the management of IT-related risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

Challenges to Success?
COBIT 4.1 and COBIT 5 Differences

COBIT 4.1 to COBIT 5 – The Differences

► The major changes in COBIT 5 content and how they may impact GEIT* implementation/improvement are:
1. New GEIT principles
2. Increased focus on enablers
3. New and modified processes
4. Separated governance and management practices and activities
5. Revised and expanded goals and metrics
6. Defined inputs and outputs
7. More detailed RACI charts
8. Process Capability Assessment Model

(* Governance of Enterprise Information Technology)

Source © 2012 ISACA® All rights reserved.

The COBIT 5 Enterprise Enablers
New and Modified Processes

► There are several new and modified processes that reflect current thinking, in particular:
  ► APO03 Manage enterprise architecture
  ► APO04 Manage innovation
  ► APO05 Manage portfolio
  ► APO06 Manage budget and costs
  ► APO08 Manage relationships
  ► APO13 Manage security
  ► BAI05 Manage organisational change enablement
  ► BAI08 Manage knowledge
  ► BAI09 Manage assets
  ► DSS05 Manage security services
  ► DSS06 Manage business process controls

COBIT 5 Process Reference Model

Separating governance from management

► COBIT 5 introduces five new governance processes
► This guidance:
  ► Helps enterprises to further refine and strengthen executive management-level GEIT practices and activities
  ► Supports GEIT integration with existing enterprise governance practices and is aligned with ISO/IEC 38500

COBIT 5 and Legacy ISACA Frameworks
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

Mapping COBIT 4.1 to COBIT 5
Source: COBIT® 5, © 2012 ISACA® All rights reserved.
COBIT 5 Processes

► Cover end-to-end business and IT activities
► Provide a more holistic and complete coverage of practices
► Make the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent.

Practices and Activities

► The COBIT 5 governance and management practices can be related to:
  ► COBIT 4.1 control objectives
  ► Val IT and Risk IT processes
► The COBIT 5 activities are related to:
  ► COBIT 4.1 control practices
  ► Val IT and Risk IT management practices
Goals and Metrics; Inputs and Outputs

COBIT 5:
► Follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, renamed as:
  ► Enterprise goals
  ► IT-related goals
  ► Process goals
► Provides a revised goals cascade
► Provides inputs and outputs for every management practice
  ► COBIT 4.1 only provided these at the process level

Inputs and Outputs
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

Metrics: IT-related sample goal metrics
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

Metrics: Process goals and related metrics, BAI06 – Manage Changes
Source: COBIT® 5, © 2012 ISACA® All rights reserved.
COBIT 5 RACI Charts

► Provides RACI* charts describing roles and responsibilities
  ► *Responsible, Accountable, Consulted, Informed
► Provides a more complete, detailed and clearer range of generic business and IT role players and charts, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.
► For example…

RACI Charts
Process Capability Maturity Models and Assessments

What is the new COBIT Assessment Programme?

► COBIT 5 will be supported by a new process capability assessment approach based on ISO/IEC 15504
► The COBIT Assessment Programme includes:
  ► COBIT Process Assessment Model (PAM): Using COBIT 5
  ► COBIT Assessor Guide: Using COBIT 5
  ► COBIT Self-Assessment Guide: Using COBIT 5
► Identical COBIT 4.1 versions are also available
► The COBIT 5 PAM is based on the ISO/IEC 15504-compliant process assessment model
What is a process assessment?

► ISO/IEC 15504-4 identifies process assessment as an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach
► The purpose of process improvement is to continually improve the enterprise’s effectiveness and efficiency
► The purpose of process capability determination is to identify the strengths, weaknesses and risk of selected processes with respect to a particular specified requirement through the processes used and their alignment with the business need
► It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes
What’s different?

► But don’t we already have maturity models for COBIT 4.1 processes?
► The new COBIT assessment programme is:
  ► A robust assessment process based on ISO/IEC 15504
  ► An alignment of COBIT’s maturity model scale with the international standard
  ► A new capability-based assessment model which includes:
    ► Specific process requirements derived from COBIT 4.1
    ► Ability to achieve process attributes based on ISO/IEC 15504
    ► Evidence requirements
    ► Assessor qualifications and experiential requirements
  ► Results in a more robust, objective and repeatable assessment
► Assessment results will likely vary from existing COBIT maturity models!
COBIT 4.1 Capability Maturity Model

Differences to the COBIT Maturity Model

► The COBIT 4.1 PAM uses a measurement framework that is similar in terminology to the existing maturity models in COBIT 4.1
► While the words are similar, the scales are NOT the same:
  ► The COBIT PAM uses the capability scale from ISO/IEC 15504, whereas the existing COBIT maturity models use a scale derived from the SEI CMM
  ► A PAM level 3 is NOT the same as a CMM level 3
  ► Assessments done under the PAM are likely to result in ‘lower’ scores
  ► PAM assessments are based on more fully defined and defensible attributes

COBIT 4.1 Process Maturity Level | ISO/IEC 15504 Process Capability Level | Process Attribute
5 Optimised | 5 Optimizing | PA 5.1 Process innovation; PA 5.2 Process optimization
4 Managed and measurable | 4 Predictable | PA 4.1 Process measurement; PA 4.2 Process control
3 Defined | 3 Established | PA 3.1 Process definition; PA 3.2 Process deployment
2 Repeatable but intuitive | 2 Managed | PA 2.1 Performance management; PA 2.2 Work product management
1 Initial/ad hoc | 1 Performed | PA 1.1 Process performance
0 Non-existent | 0 Incomplete | –
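The reason PAM scores come out lower than a CMM-style self-rating is the attribute rule behind the capability scale: a level is only reached when every attribute of the lower levels is fully achieved and the attributes of that level are at least largely achieved. The following is an added illustration of that determination, not ISACA's code or part of the PAM tooling. It assumes the ISO/IEC 15504-2 rating scale (N/P/L/F: not, partially, largely, fully achieved) and its level rule, neither of which is stated on the slide, and the process ratings it scores are constructed for the example.

```python
"""Capability level determination under the ISO/IEC 15504 attribute rule
that the COBIT 5 PAM uses.  Added illustration, not ISACA's code.

Assumption (ISO/IEC 15504-2, not stated on the slide): each process attribute
(PA) is rated N, P, L or F.  A process reaches capability level n when every
attribute of levels 1..n-1 is rated F and every attribute of level n is L or F.
"""

from typing import Dict

# Process attributes per capability level, as listed in the slide's table.
PROCESS_ATTRIBUTES = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}

# Ordinal rank of the four achievement ratings.
RATING_RANK = {"N": 0, "P": 1, "L": 2, "F": 3}


def capability_level(ratings: Dict[str, str]) -> int:
    """Return the ISO/IEC 15504 capability level (0..5) for one process.

    `ratings` maps an attribute id to its rating letter; an attribute that was
    not rated counts as N (not achieved).
    """
    level = 0
    for n in range(1, 6):
        attrs = PROCESS_ATTRIBUTES[n]
        # Level n is reached only if all of its attributes are L or F.
        if not all(RATING_RANK[ratings.get(a, "N")] >= RATING_RANK["L"] for a in attrs):
            break
        level = n
        # Moving on to level n+1 additionally needs every level-n attribute at F.
        if not all(ratings.get(a, "N") == "F" for a in attrs):
            break
    return level


# Constructed sample (hypothetical ratings): two processes a team had rated
# "level 3, defined" on the old maturity scale, now rated attribute by attribute.
SAMPLE_RATINGS = {
    "APO12 Manage risk": {"PA 1.1": "F", "PA 2.1": "F", "PA 2.2": "L",
                          "PA 3.1": "L", "PA 3.2": "L"},
    "BAI06 Manage changes": {"PA 1.1": "F", "PA 2.1": "F", "PA 2.2": "F",
                             "PA 3.1": "L", "PA 3.2": "P"},
}


def assess(sample: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Score every process in `sample`; both examples above land on level 2."""
    return {name: capability_level(r) for name, r in sample.items()}


if __name__ == "__main__":
    for name, lvl in assess(SAMPLE_RATINGS).items():
        print(f"{name}: capability level {lvl}")
```

APO12 stalls at level 2 because PA 2.2 is only largely achieved, so level 3 is never evaluated, however well its level-3 attributes were rated; BAI06 has a fully achieved level 2 but a partially achieved PA 3.2, so it too stays at level 2. That is the mechanism behind the slide's warning that a PAM level 3 is not a CMM level 3 and that PAM results will generally be lower.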
Process Capability Model and Assessments

► The COBIT Assessment Programme approach is more robust, reliable and repeatable as a process capability assessment method
► The COBIT Assessment Programme supports:
  ► Formal assessments by accredited assessors
  ► Less rigorous self-assessments for internal gap analysis and process improvement planning
► The COBIT Assessment Programme, in the future, will also potentially enable an enterprise to obtain independent and certified assessments aligned to the ISO/IEC standard

Process Capability Model and Assessments
Source: COBIT® 5, © 2012 ISACA® All rights reserved.
Implementing COBIT 5

The COBIT 5 Implementation Guide was released at the same time as the COBIT 5 Framework and COBIT 5 Enabling Processes.

Continual life cycle approach
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

Challenges to Success?
Benefits of Using COBIT® 5

► Enterprise-wide benefits:
  ► Increased value creation through effective governance and management of enterprise information and technology assets
  ► Increased business user satisfaction with IT engagement and services – IT seen as a key enabler
  ► Increased compliance with relevant laws, regulations and policies
  ► IT function becomes more business-focused
  ► Increases IT’s contribution to the enterprise and the management of information
► “Companies with effective IT governance have profits that are 20% higher than other companies pursuing similar strategies”
Source: “IT Governance: How Top Performers Manage IT Decision Rights for Superior Results,” Weill & Ross; Harvard Business Press

COBIT 5: Verticals

In Summary…

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
Ernst & Young
Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 130,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential.

For more information, please visit www.ey.com.

© 2008 EYGM Limited. All Rights Reserved.
Proprietary and confidential. Do not distribute without written permission.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.