Control Objectives (PO1 - PO2 - PO4)
PO1.1 : IT Value Management
1. Ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases.
2. Recognise that mandatory investments differ in complexity and degree of freedom in allocating funds.
3. Recognise that sustaining investments differ in complexity and degree of freedom in allocating funds.
4. Recognise that discretionary investments differ in complexity and degree of freedom in allocating funds.
5. IT processes provide effective delivery of the IT components of programmes that might impact the expected outcomes of the programmes.
6. IT processes provide efficient delivery of the IT components of programmes that might impact the expected outcomes of the programmes.
7. IT processes provide early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the programmes.
8. IT services are executed against equitable service level agreements (SLAs).
9. IT services are executed against enforceable service level agreements (SLAs).
10. Accountability for achieving the benefits is clearly assigned and monitored.
11. Accountability for controlling the costs is clearly assigned and monitored.
12. Establish fair evaluation of business cases.
13. Establish transparent evaluation of business cases.
14. Establish repeatable evaluation of business cases.
15. Establish comparable evaluation of business cases.
PO1.2 : Business-IT Alignment
1. Establish processes of education in strategic planning to achieve business and IT alignment.
2. Establish processes of education in strategic planning to achieve integration.
3. Establish processes of reciprocal involvement in strategic planning to achieve business and IT alignment.
4. Establish processes of reciprocal involvement in strategic planning to achieve integration.
5. Mediate between business and IT imperatives so priorities can be mutually agreed.
PO1.3 : Assessment of Current Capability and Performance
1. Compare the current capability and performance of solution and service delivery to establish a baseline against which future requirements.
2. Define performance in terms of IT's contribution to business objectives.
3. Define performance in terms of IT's contribution to business functionality.
4. Define performance in terms of IT's contribution to business stability.
5. Define performance in terms of IT's contribution to business complexity.
6. Define performance in terms of IT's contribution to business costs.
7. Define performance in terms of IT's contribution to business strengths.
8. Define performance in terms of IT's contribution to business weaknesses.
PO1.4 : IT Strategic Plan
1. Create a strategic plan in co-operation with relevant stakeholders.
2. Create a strategic plan that defines how IT goals will contribute to the enterprise's strategic objectives and related costs and risks.
3. Create a strategic plan that includes how IT will support IT-enabled investment programmes, IT services and IT assets.
4. Create a strategic plan that includes how IT will support IT-enabled investment programmes.
5. Create a strategic plan that includes how IT will support IT services.
6. Create a strategic plan that includes how IT will support IT assets.
7. IT defines how the objectives will be met and the measurements to be used.
8. IT defines how the objectives will be met and the procedures to obtain formal sign-off from the stakeholders.

PO1.5 : IT Tactical Plans
1. Create a portfolio of tactical IT plans that are derived from the IT strategic plan.
2. The tactical plans address IT-enabled programme investments.
3. The tactical plans address IT services.
4. The tactical plans address IT assets.
5. The tactical plans describe required IT initiatives.
6. The tactical plans describe resource requirements.
7. The tactical plans describe how the use of resources and achievement of benefits will be monitored.
8. The tactical plans describe how the use of resources and achievement of benefits will be managed.
9. The tactical plans are sufficiently detailed to allow the definition of project plans.
10. Actively manage the set of tactical IT plans.
11. Actively manage initiatives through analysis of project and service portfolios.

PO1.6 : IT Portfolio Management
1. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by identifying programmes.
2. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by defining programmes.
3. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by evaluating programmes.
4. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by prioritising programmes.
5. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by selecting programmes.
6. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by initiating programmes.
7. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by managing programmes.
8. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by controlling programmes.
9. The IT portfolio includes clarifying desired business outcomes at programme launch.
10. The IT portfolio includes ensuring that programme objectives support achievement of the outcomes at programme launch.
11. The IT portfolio includes understanding the full scope of effort required to achieve the outcomes at programme launch.
12. The IT portfolio includes assigning clear accountability with supporting measures at programme launch.
13. The IT portfolio includes defining projects within the programme at programme launch.
14. The IT portfolio includes allocating resources and funding at programme launch.
15. The IT portfolio includes delegating authority at programme launch.
This scheme includes a brief description of data retention and destruction requirements, criticality and sensitivity.
This scheme is used as the basis for applying controls such as access controls, archiving or encryption.

PO2.4 : Integrity Management
1. Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
2. Implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
1. Establish an IT steering committee (or equivalent) composed of executive, business and IT management to determine prioritisation of IT-enabled investment programmes in line with the enterprise's business strategy and priorities.
2. Establish an IT steering committee (or equivalent) composed of executive, business and IT management to track the status of projects and resolve resource conflicts.
3. Establish an IT steering committee (or equivalent) composed of executive, business and IT management to monitor service levels and service improvements.

PO4.4 : Organisational Placement of the IT Function
1. Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the enterprise.
2. The reporting line of the CIO is commensurate with the importance of IT within the enterprise.

PO4.5 : IT Organisational Structure
1. Establish an internal and external IT organisational structure that reflects business needs.
2. Put a process in place for periodically reviewing the IT organisational structure to adjust staffing requirements.
3. Adjust sourcing strategies to meet expected business objectives and changing circumstances.

PO4.6 : Establishment of Roles and Responsibilities
1. Establish roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs.
2. Communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs.

PO4.7 : Responsibility for IT Quality Assurance
1. Assign responsibility for the performance of the quality assurance (QA) function.
2. Provide the QA group with appropriate QA systems, controls and communications expertise.
3. Ensure that the organisational placement and the responsibilities and size of the QA group satisfy the requirements of the organisation.
PO4.8 : Responsibility for Risk, Security and Compliance
1. Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level.
2. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance.
3. Establish risk and security management responsibility at the enterprise level to deal with organisation-wide issues.
4. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues.
5. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
PO4.9 : Data and System Ownership
1. Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems.
2. Owners make decisions about classifying information and systems and protecting them in line with this classification.

PO4.10 : Supervision
1. Implement adequate supervisory practices in the IT function to ensure that roles are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review KPIs.
2. Implement adequate supervisory practices in the IT function to ensure that responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review KPIs.

PO4.11 : Segregation of Duties
1. Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process.
2. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions.

PO4.12 : IT Staffing
1. Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives.

PO4.13 : Key IT Personnel
1. Define and identify key IT personnel (e.g., replacements/backup personnel), and minimise reliance on a single individual performing a critical job function.

PO4.14 : Contracted Staff Policies and Procedures
1. Ensure that consultants and contract personnel who support the IT function know the organisation's policies for the protection of the organisation's information assets such that they meet agreed-upon contractual requirements.
2. Ensure that consultants and contract personnel who support the IT function comply with the organisation's policies for the protection of the organisation's information assets such that they meet agreed-upon contractual requirements.

PO4.15 : Relationships
1. Establish an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.
2. Maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.