PURPOSE

The templates outlined in the next three worksheets are examples to get you started. Many assessors
prefer to develop their own tools; some will create small questionnaires based on the COBIT Process
Assessment Model (PAM) requirements and some will create checklists. The templates provided here
were used in early pilots and proved very useful to collect data and analyse the assessment levels.
Assessors are encouraged to create their own templates. The following outlines how to use the three
templates.

Summary Results—Use this after you have analysed the evidence collected and rated the assessment
level to include in the assessment report. This example was displayed in appendix D.3 in the assessor
guide. **Note the red comment indicator which gives additional comments on each cell in the
spreadsheet.
Process Ratings and Attributes—Use this template in two ways:
1. To summarise the evidence for all level 1 assessments to enable a rating score to be assigned.

2. To assess against level 2 to 5 for generic practices and generic work products. The level of detail
required decreases, the higher the levels assessed and the questions and evidence required are generic
for all COBIT processes. From levels 2 to 5, the assessor does NOT look at the specifics of the detailed
COBIT process content. ** Note also the red comment indicators and drop-down cells provided for ease
of populating this template.

Example Data Collection Level 1—To be used to collect the detailed and specific evidentiary requirements
for those COBIT processes being assessed. An example for AI1 Identify automated solutions is provided.
For other COBIT processes, consult the COBIT PAM, start with the outcomes, then match the base
practices, then the inputs required to fulfil the base practices. Comments and gaps, recommendations for
improvement are self-explanatory.
 Summary Results
Achieved Capability Level
Process 1 2 3 4 5
PROCESS ID Process Purpose Performed Managed Established Predictable Optimising
Description

Satisfies the business requirement for IT of

Identify
translating business functional and control
AI1 Automated F
requirements into effective and efficient
Solutions
design of automated solutions.

Acquire and Satisfies the business requirement for IT of

Maintain aligning available applications with
AI2 F L
Application business requirements, and doing so in a
Software timely manner and at a reasonable cost.

Satisfies the business requirement for IT of

Manage Third- providing satisfactory third-party services
DS2 L
party Services while being transparent about benefits,
costs and risks.

Satisfies the business requirement for IT of

maintaining the integrity of information
DS5 Ensure Systems and processing infrastructure and F F L
Security minimising the impact of security
vulnerabilities and incidents.

Satisfies the business requirement for IT of

optimising the use of information and
DS11 Manage Data ensuring that information is available as L
required.
 Process Ratings and Attributes
Organisa
tion:

Process ID Process Description Process Purpose

Outcomes

O1

O2
O3

Level 0: Incomplete process

The process is not implemented or fails Capability Rating Notes/ Assessor(s)
to achieve its process purpose. At this Comments
level, there is little or no evidence of /
any achievement of the process Evidenced
purpose. by

Level 1: Performed process

The implemented process achieves its
process purpose.
PA 1.1 Process performance N
1.1.1 Achieve
the
process
outcom
es.
There is
evidenc
e that
the
intent of
base
practice
is being
perform
ed.
 Work
product
s are
produce
d that
provide
evidenc
e of
process
outcom
es.

Level 2: Managed process

The previously described performed
process is now implemented in a
managed fashion (planned, monitored
and adjusted) and its work products are
appropriately established, controlled
and maintained.
PA 2.1 Performance N
management
a
2.1.1 Identify
the
objectiv
es for
the
perform
ance of
the
process.
The
perform
ance
objectiv
es,
scope
together
with
assump
tion and
constrai
nts are
defined
and
commu
nicated.

1.0 Process
docume
ntation
should
outline
the
process
scope.
 2.0 Process
plan
should
provide
details
of the
process
perform
ance
objectiv
es.

2.1.2 Plan and

monitor
the
perform
ance
of the
process
to fulfil
the
identifie
d
objectiv
es.
Basic
measur
2.0 Process
es of
plan
process
should
perform
provide
ance
details
linked
of
to the
process
business
perform
objectiv
ance
es are
objectiv
establis
es.
hed and
monitor
ed. They
include
key
milesto
nes,
required
activitie
s,
estimat
es and
schedul
es.
 9.0 Process
perform
ance
records
should
provide
details
of the
outcom
es. Note
at this
level the
record
of
process
perform
ance
may be
in the
form of
reports,
issues
registers
and
informal
records.

c
 2.1.3 Adjust
the
perform
ance of
the
process.
Action is
taken
when
planned
perform
ance is
not
achieve
d,
includin
g
identific
ation of
process
perform
ance
issues
and
adjustm
ent of
plans
and
schedul
es as
appropri
ate.

4.0 Quality
record
should
provide
details
of
action
taken
when
perform
ance is
not
achieve
d.

d
2.1.4 Define
responsi
bilities
and
authoriti
es for
perform
ing the
process.
The key
responsi
bilities
and
authoriti
es for
perform
ing the
key
activitie
s of the
process
are
defined,
assigned
and
commu
nicated.
The
needs
for
process
perform
ance
experie
1.0 Process
docume
ntation
should
provide
details
of
process
owner
and
RACIs.
 2.0 Process
plan
should
include
details
of the
process
commu
nication
plan as
well as
process
perform
ance
experie
nce,
skills
require
ment.

e
 2.1.5 Identify
and
make
availabl
e
resourc
es to
perform
the
process
accordin
g to
plan.
Resourc
es and
informa
tion
necessa
ry for
perform
ing the
key
activitie
s of the
process
are
identifie
d made
availabl
e,
allocate
d and
used.
2.0 Process
plan
should
provide
details
of the
process
training
plan and
process
resourci
ng plan.

f
2.1.6 Manage
the
interfac
es
betwee
n
involved
parties.
The
individu
als and
groups
involved
with the
process
are
identifie
d,
responsi
bilities
defined
and
effective
commu
nication
mechani
sms are
in place.
 1.0 Process
docume
ntation
should
provide
details
of the
individu
als and
groups
involved
(supplie
rs and
custome
rs as
well as
custome
rs and
RACIs).

2.0 Process
plan
should
provide
details
of the
process
commu
nication
plan.

PA 2.2 Work product N

management
a
 2.2.1 Define
the
require
ments
for the
work
product
s. The
work
product
s
required
from
the
process
es are
defined,
includin
g
content
structur
e and
quality
criteria.

3.0 Quality
plan
should
provide
details
of
quality
criteria
and
work
product
content
and
structur
e.

b
 2.2.2 Define
the
require
ments
for
docume
ntation
and
control
of the
work
product
s. The
require
1.0 Process
ments
docume
for
ntation
docume
should
ntation
provide
and
details
control
of
of work
controls
product
(control
s are
matrix).
defined.
This
should
include
3.0 Quality
identific
plan
ation of
should
depend
provide
encies,
details
approva
of work
ls and
product,
traceabi
c quality
lity of
criteria,
require
docume
ments.
2.2.3 Identify,
ntation
docume
require
nt and
ments
control
and
the
change
work
control.
product
s. Work
product
s are
3.0 Quality
identifie
plan
d,
should
docume
provide
nted
details
and
of work
subject
d
product,
to
quality
change
criteria,
control,
docume
versioni
ntation
ng and
require
configur
ments
ation
and
manage
change
ment as
 2.2.4 Review
and
adjust
work
product
s to
meet
the
defined
require
ments.
Work
product
s are
subject
to
review
against
require
ments in
accorda
nce with
planned
arrange
ments
and any
issues
arising
are
resolved
.

4.0 Quality
records
should
provide
and
audit
trail of
reviews
underta
ken.

Level 3: Established process

The previously described Managed
process is now implemented using a
defined process that is capable of
achieving its outcomes.
PA 3.1 Process definition N
a

3.1.1 Define
the
standar
d
process
that will
support
the
deploy
ment of
the
defined
process.
A
standar
d
process
is
defined
that
identifie
s the
fundam
ental
process
element
s,
provides
guidanc
e and
procedu
res to
support
implem
 5.0 Policies
and
standar
ds
should
provide
details
of the
organisa
tional
objectiv
es for
the
process,
minimu
m
standar
ds of
perform
ance,
standar
d
procedu
res and
reportin
g and
monitori
ng
require
ments.
The
evidenti
al
require
b
3.1.2 Determi
ne the
sequenc
e and
interacti
on
betwee
n
process
es so
that
they
work as
an
integrat
ed
system
of
process
es. The
standar
d
process
sequenc
e and
interacti
on with
other
process
es are
determi
ned and
maintai
ned
 5.0 Policies
and
standar
ds
should
provide
details
of the
organisa
tional
objectiv
es for
the
process,
minimu
m
standar
ds of
perform
ance,
standar
d
procedu
res and
reportin
g and
monitori
ng
require
ments.
The
evidenti
al
require
c
3.1.3 Identify
the
roles
and
compet
encies
for
perform
ing the
standar
d
process.
The
roles
and
compet
encies
required
for
perform
ing the
standar
d
process
es are
identifie
d.
 5.0 Policies
and
standar
ds
should
provide
details
of roles
and
compet
encies
for
perform
ing. The
evidenti
al
require
ment at
this
level is
not just
that
policies
and
standar
ds exist
but that
they are
applied
across
the
organisa
tion.

d
3.1.4 Identify
the
required
infrastru
cture
and
work
environ
ment
for
perform
ing the
standar
d
process.
The
infrastru
cture
(facilitie
s, tools,
method
s, etc.)
and
work
environ
ment
for
perform
ing the
standar
d
process
are
identifie
 5.0 Policies
and
standar
ds
should
provide
details
of roles
and
compet
encies
for
perform
ing. The
evidenti
al
require
ment at
this
level is
not just
that
policies
and
standar
ds exist,
but that
they are
applied
across
the
organisa
tion.

e
3.1.5 Determi
ne
suitable
method
s to
monitor
the
effective
ness
and
suitabilit
y of the
standar
d
process.
Method
s of
monitori
ng the
effective
ness
and
suitabilit
y of the
process
are
determi
ned.
This
includes
ensuring
that
appropri
ate
 5.0 Policies
and
standar
ds
should
provide
details
of the
organisa
tional
objectiv
es for
process,
minimu
m
standar
ds of
perform
ance,
standar
d
procedu
res and
reportin
g and
monitori
ng
require
ments.
The
evidenti
al
require
ment at
4.0 Quality
records
and WP
9.0
Process
perform
PA 3.2 Process deployment
ance N
a records
should
provide
evidenc
e of
reviews
underta
ken.
 3.2.1 Deploy
a
defined
process
that
satisfies
the
context.
When
the
same
process
is used
5.0 within
Policies
differen
and
t areas
standar
of the
ds
organisa
should
tion, it is
define
based
the
on a
standar
standar
ds to be
d
followe
process,
d across
tailored
all
as
implem
appropri
entation
sate
of with
the
conform
process.
ance to
The
the
evidenti
require
al
ments
require
of theat
ment
defined
this
process
level is
verified.
not just
that
policies
and
standar
ds exist,
but that
they are
applied
across
the
b
3.2.2 Assign
and
commu
nicate
roles,
responsi
bilities
and
authoriti
es for
perform
ing the
defined
process.
When
the
same
process
is used
within
differen
t areas
of the
organisa
tion, the
authoriti
es and
roles for
perform
ing the
activitie
s of
process
are
 5.0 Policies
and
standar
ds
should
provide
details
of,
responsi
bilities
and
authoriti
es for
perform
ing the
activitie
s of
process.
The
evidenti
al
require
ment at
this
level is
not just
that
policies
and
standar
ds exist,
but that
they are
applied
c
3.2.3 Ensure
necessa
ry
compet
encies
for
perform
ing the
defined
process.
When
the
same
process
is used
within
differen
t areas
of the
organisa
tion, the
appropri
ate
compet
encies
for
assigned
personn
el are
identifie
d and
suitable
training
is
1.0 Process
docume
ntation
should
provide
details
of
compet
encies
and
training
require
ments.
 2.0 Process
plan
should
include
details
of
process
d commu
nication
plan,
training
plan and
3.2.4 Provide
resourci
resourc
ng plan
es
forand
each
informa
instance
tion to
of the
support
process.
the
perform
ance of
the
defined
process.
When
the
same
process
is used
within
differen
t areas
of the
organisa
tion, the
required
human
resourc
es and
informa
tion to
perform
the
process
are
made
2.0 Process
plan
should
include
e details
of
resourci
ng plan
for each
instance
of the
process.
3.2.5 Provide
adequat
e
process
infrastru
cture to
support
the
perform
ance of
the
defined
process.
When
the
same
process
is used
within
differen
t areas
of the
organisa
tion, the
required
organisa
tional
support,
infrastru
cture
and
work
environ
ment
 2.0 Process
plan
should
include
details
of the
process
infrastru
cture
and
work
environ
ment
for each
instance
of the
process.

f
3.2.8 Collect
and
analyse
data
about
perform
ance of
the
process
to
demons
trate its
suitabilit
y and
effective
ness
Data
required
to
monitor
the
effective
ness
and
suitabilit
y of the
process
across
the
organisa
tion, is
defined,
collecte
d and
 4.0 Quality
records
and WP
9.0
Process
perform
ance
records
should
provide
evidenc
e of
reviews
underta
ken
tools for
each
instance
of the
process

Level 4: Predictable process

The previously described Established
process now operates within defined
limits to achieve its process outcomes.
PA 4.1 Process N
measurement
a

4.1.1 Identify
process
informa
tion
needs,
in
relation
with
business
goals.
The
business
goals
and
process
stakehol
der
informa
tion
needs
have
been
establis
hed as a
basis for
determi
 6.0 Process
improve
ment
plan
should
provide
Process
Improve
ment
Objectiv
es and
propose
d
Improve
ment
actions.

4.1.2 Derive
process
measur
ement
objectiv
es from
process
informa
tion
needs.
Measur
ement
objectiv
es are
based
on the
defined
process
measur
ement
objectiv
es.
 7.0 Process
measur
ement
plan
should
provide
details
of
propose
d
Measur
ement
objectiv
es.

4.1.3 Establis
h
quantita
tive
objectiv
es for
the
perform
ance of
the
defined
process,
accordin
g to the
alignme
nt of the
process
with the
business
goals
Quantit
ative
measur
ement
objectiv
es are
establis
hed that
explicitl
y reflect
business
goals
and
have
 7.0 Process
measur
ement
plan
should
provide
details
of
propose
d
Measur
ement
measur
es and
indicato
rs.

d
4.1.4 Identify
product
and
process
measur
es that
support
the
achieve
ment of
the
quantita
tive
objectiv
es for
process
perform
ance.
Detailed
measur
es for
product
s and
process
are
identifie
d
together
with the
frequen
cy of
data
collectio
n and
 7.0 Process
measur
ement
plan
should
provide
details
of
propose
d
measur
e/indica
tors
together
with
data
collectio
n
procedu
res and
analytic
al
procedu
res.

e
4.1.5 Collect
product
and
process
measur
ement
results
through
perform
ing the
defined
process.
Product
and
process
measur
ement
results
are
collecte
d
analyse
d and
reporte
d
accordin
g to a
defined
plan.

7.0 Process
measur
ement
plan
should
provide
details
of
propose
d
analytic
al
procedu
res.
 9.0 Process
perform
ance
records
should
provide
details
of
measur
ements
collecte
d and
analyse
d.

4.1.6 Use the

results
of the
defined
measur
ement
to
monitor
and
verify
the
achieve
ment of
the
process
perform
ance
objectiv
es. The
results
of the
defined
measur
ement
are
analyse
d, to
verify
the
achieve
ment
against
the
process
perform
ance
objectiv
es.
Appropr
iate
 9.0 Process
perform
ance
records
should
provide
details
of
measur
ements
collecte
d and
analyse
d.

PA 4.2 Process control N

a
4.2.1 Determi
ne
analysis
and
control
techniq
ues,
appropri
ate to
control
the
process
perform
ance.
Method
s of
measuri
ng the
effective
ness of
process
control
are
defined
and
validate
d.

1.0 Process
docume
ntation
should
provide
details
of
controls
(control
matrix).
 8.0 Process
control
plan
should
exist
that
specifies
for each
process
the
measur
ement
approac
h.

4.2.2 Define
paramet
ers
suitable
to
control
the
process
perform
ance.
The
standar
d
process
definitio
n is
modifie
d to
include
method
s for
process
control,
and
control
limits
establis
hed.
 8.0 Process
control
plan
should
exist
that
specifies
control
limits
for
normal
perform
ance.

4.2.3 Analyse
process
and
product
measur
ement
results
to
identify
variatio
ns in
process
perform
ance.
The
results
of
process
control
measur
ements
are
analyse
d to
determi
ne
issues of
concern
and
forward
ed for
action.
 9.0 Process
perform
ance
record
should
provide
details
of
measur
ements
collecte
d and
analyse
d.

4.2.4 Identify
and
implem
ent
correcti
ve
actions
to
address
assignab
le
causes.
Correcti
ve
action is
taken to
address
process
control
concern
s and
results
are
monitor
ed and
evaluate
d.
 9.0 Process
perform
ance
record
should
provide
details
e of
measur
ements
4.2.5 Re-
collecte
establis
d and
h
analyse
control
d, and
limits
correcti
followin
ve
gaction.
correcti
ve
action.
Process
control
limits
are
appropri
ately
modifie
d
after
correcti
ve
action is
taken.
 8.0 Process
control
plan
should
exist
that
specifies
control
limits
for
normal
perform
ance.

Level 5: Optimizing process

The previously described Predictable
process is continuously improved to
meet relevant current and projected
business goals.
PA 5.1 Process innovation N
a
5.1.1 Define
the
process
improve
ment
objectiv
es for
the
process
that
support
the
relevant
business
goals.
Directio
ns to
process
innovati
on are
set.
Quantit
ative
and
qualitati
ve
process
improve
ment
objectiv
es have
been
defined
and
7.0 Process
improve
ment
plan
should
provide
process
improve
ment
objectiv
es and
propose
d
Improve
ment
actions.
b

5.1.2 Analyse
measur
ement
data of
the
process
to
identify
real and
potentia
l
variatio
ns in the
process
perform
ance.
Process
perform
ance
data is
analyse
d to
identify
variatio
ns in
process
perform
ance
together
with the
root
cause of
commo
n
9.0 Process
perform
ance
records
should
provide
details
of
measur
ements
collecte
d and
analyse
d.
c

5.1.3 Identify
improve
ment
opportu
nities of
the
process
based
on
innovati
on and
best
practice
s.
Process
improve
ment
opportu
nities
are
identifie
d based
on
compari
son with
industry
best
practice
s.

6.0 Process
improve
ment
plan
should
provide
details
of
analysis
against
best
practice.
d

5.1.4 Derive
improve
ment
opportu
nities of
the
process
from
new
technol
ogies
and
process
concept
s.
Process
improve
6.0 ment
Process
opportu
improve
nities
ment
are
plan
identifie
should
d based
provide
on
details
review
of
and
analysis
analysis
of
of
technol
emergin
ogy
gimprove
technol
ment
ogical
opportu
and
nities.
process
concept
innovati
ons.
Taking
e into
account
business
environ
ment
changes
includin
g
emergin
g
business
risk.
 5.1.5 Define
an
implem
entation
strategy
based
on long-
term
improve
ment
vision
and
objectiv
es. A
process
improve
6.0 ment
Process
strategy
improve
is
ment
defined
plan
and
should
validate
provide
d based
details
onthe
of long-
term
implem
improve
entation
ment
strategy
goals
for
and
process
objectiv
improve
es.
ment.
Commit
ment to
improve
ment is
demons
trated
PA 5.2 Continuous by N
optimisation organiza
a tional
manage
ment
and
process
owner(s
).
 5.2.1 Assess
the
impact
of each
propose
d
change
against
the
objectiv
es of the
defined
and
standar
d
6.0 Process
process.
improve
The
ment
impact
plan
of
should
propose
provide
d
details
changes
of
is
required
assesse
process
d
improve
against
ment
the
project
objectiv
quality
es of the
approac
process
h
and to
(reviews
determi
,ne
PIR,
the
etc.)
impact
on
product
quality
and
process
perform
ance as
b well as
other
related
process
es.
5.2.2 Manage
the
implem
entation
of
agreed
changes
to
selected
areas of
the
defined
and
standar
d
process
6.0 accordin
Process
g to the
improve
implem
ment
entation
plan
strategy
should
. The
provide
Implem
details
entation
of
of
required
agreed
process
changes
improve
is
ment
manage
project
d in
quality
accorda
approac
nce with
h
defined
(reviews
,change
PIR,
manage
etc.)
ment
and
change
enable
ment
process
es.
 Also
evidenc
e of
changes
in:
• GWP
1.0
Process
docume
ntation
• GWP
3.0
Quality
plan
• GWP
5.0
Policies
and
standar
ds

c
5.2.3 Evaluate
the
effective
ness of
process
change
on the
basis of
actual
perform
ance
against
process
perform
ance
and
capabilit
y
objectiv
es and
business
goals.
The
effective
ness of
the
changes
made to
the
process
is
measur
ed,
evaluate
6.0 Process
improve
ment
plan
should
provide
details
of
required
process
improve
ment
project
quality
approac
h
(reviews
, PIR,
etc.).
 Example Data Collection
Organisation Name
Process Description
AI1 Identify Automated Solutions
Process Outcomes Process Purpose
AI1-O1 Business and technical requirements are defined and maintained. Satisfy the business requirement of identifying automated solutions that translate
AI1-O2 Risk is identified and analysed as part of requirements development. business functional and control requirements into effective and efficient solutions.

AI1-O3 Business requirement feasibility studies are prepared.

AI1-O4 Approved (or rejected) requirements and feasibility study results are prepared.
PAM Work Product Outputs (Evidence) Base Practices (Evidence) Work Product Inputs (Evidence) Observations/Gaps Recommendations
Reference
AI1-BP1 Define business functional and technical PO1-WP1 Strategic IT plan
requirements.
AI1-BP2 Establish processes for integrity/currency PO1-WP2 Tactical IT plan
of requirements.
PO3-WP2 Technology standards
PO3-WP3 Regular ‘state of technology’ updates
PO8-WP1 Acquisition standards
WP1 Business requirements feasibility PO8-WP2 Development standards
PA 1.1
study
PO10-WP3 Project management guidelines
PO10-WP4 Detailed project plans
AI6-WP1 Change process description
AI6-WP2 Change process procedures
DS1-WP4 Service level agreements (SLAs)
DS3-WP2 Performance and capacity plan
(requirements)
WP1 Business requirements feasibility AI1-BP3 Identify, document and analyse business All Inputs
study process risk.
AI1-BP4 Conduct a feasibility study/impact
assessment in respect of implementing proposed
business requirements.
WP1 Business requirements feasibility All Inputs
study AI1-BP5 Assess IT operational benefits of proposed
solutions.
AI1-BP6 Assess business benefits of proposed
solutions.

AI1-BP7 Develop a requirements approval process.

All Inputs
AI1-BP8 Approve and sign off on solutions proposed.