
Toolkit

This document provides instructions for using a COBIT 2019 Governance System Design Workbook. It explains key terms like relative importance, which indicates how much a design factor influences governance objectives. The instructions describe sheets in the workbook for inputting values about enterprise strategies and design factors, which calculate relative importance scores for 40 governance objectives. Users are directed to observe the results and use output graphics to report on the governance system design process.

02/22/2024

COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions

Terms & Definitions

Relative importance: Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the baseline and the current situation, as determined by the values given to the design factor at hand.

Instructions

Sheet: Canvas

In this sheet all results of the impact assessment of the design factors are summarized. This is done in line with the governance system design flow explained in the COBIT Design Guide.

The user can provide input in columns R/S to adjust the results of the automated calculations, taking into account the enterprise's specific context. When making adjustments in column R, the spreadsheet expects an explanation in column S.

Sheet: DF1

Description, Input Section: In this sheet, the importance of different enterprise strategies can be described. The importance is expressed as an integer value between 1 (Not Important) and 5 (Critical) and can be entered in cells C8-C11. The chosen values are represented graphically in the two diagrams in the input section. The diagrams depict the same information, one in a bar chart, the other in a spider chart.

Description, Output Section: The output section of this sheet contains the calculated relative importance of each of the 40 COBIT 2019 Governance and Management Objectives.

User Action Required, Input Section: [Optional] Enter values between 1 and 5 expressing the importance or relevance of each of the given generic enterprise strategies for the user enterprise.

User Action Required, Output Section:
a) Observe the resulting importance scores for each of the 40 governance/management objectives.
b) [Optional] Use the graphic(s) for reporting the outcome of this step in the governance system design process. Both diagrams contain the same information but in a different representation. Use the one that suits you best.

Copyright ISACA 2018 729206698.xlsx Instructions—Page 1



COBIT® 2019 Governance System Design Workbook—Canvas

Step 2: Determine the initial scope of the Governance System
Design Factors: Enterprise Strategy, Enterprise Goals, Risk Profile, IT-Related Issues
Initial Scope: Governance/Management Objectives Score

Step 3: Refine the scope of the Governance System
Design Factors: Threat Landscape, Compliance Req's, Role of IT, Sourcing Model for IT, IT Implementation Methods, Technology Adoption Strategy
Refined Scope: Governance/Management Objectives Score

Step 4: Conclude the Scope of the Governance System
Adjustment (between -100 and +100), Reason
Concluded Scope: Governance/Management Objectives Priority
Suggested Target Capability Level, Agreed Target Capability Level, Reason

Weight 1 1 1 1 1 1 1 1 1 1

EDM01—Ensured Governance Framework Setting & Maintenance 10 -25 5 0 ### -10 -15 -30 0 5 10 -10 -35 30 -5 1 3
Reason (adjustment): I consider that the organization does have most of the regulatory and contractual compliance requirements and the regulations dictated by the government in place.
Reason (target capability level): ok

EDM02—Ensured Benefits Delivery 25 -15 5 0 ### 15 10 -35 0 0 5 15 5 5 1 1

EDM03—Ensured Risk Optimization 5 -10 0 0 ### -5 -25 -35 0 0 0 -20 -55 -55 1 1

EDM04—Ensured Resource Optimization 15 -10 10 0 ### 15 -5 -30 0 0 10 0 -5 0 -5 1 1
Reason (adjustment): No improvement is seen with respect to good optimization of resources at UNAS.

EDM05—Ensured Stakeholder Engagement 15 -65 10 0 ### -45 0 -25 0 0 5 15 -30 30 0 1 1
Reason (adjustment): Ensuring stakeholder engagement should be relevant; however, at UNAS it is currently seen that it is not given due attention (election of authorities); even so, different faculties handle it in different ways and briefly satisfy the need.
Reason (target capability level): Nothing to add

APO01—Managed I&T Management Framework -10 -35 10 0 ### -40 10 -30 0 5 10 0 -25 -25 1 1

APO02—Managed Strategy 5 -35 5 0 ### -25 -5 -30 0 0 5 -5 -40 -40 1 1

APO03—Managed Enterprise Architecture 10 -45 15 0 ### -20 10 -30 0 0 5 5 -20 -20 1 1

APO04—Managed Innovation 25 -15 0 0 ### 10 5 -30 0 0 -5 -25 -30 -30 1 1

APO05—Managed Portfolio -15 -10 5 0 ### -20 -10 -35 0 0 10 55 0 0 1 1

APO06—Managed Budget & Costs 5 -10 -5 0 ### -10 0 -30 0 0 0 -5 -30 -30 1 1

APO07—Managed Human Resources 30 10 -35 0 ### 5 -15 -30 0 0 0 0 -25 -25 1 1

APO08—Managed Relationships 10 -5 0 0 ### 5 0 -30 0 0 0 -20 -30 -30 1 1

APO09—Managed Service Agreements 5 -35 30 0 ### 0 -15 -30 0 0 0 -10 -35 -35 1 1

APO10—Managed Vendors 0 15 -5 0 ### 10 -10 -30 0 0 10 -10 -20 -20 1 1

APO11—Managed Quality 5 -10 5 0 ### 0 -10 -20 0 5 10 0 -10 -10 1 1

APO12—Managed Risk 0 -100 10 0 ### -100 -15 -35 0 0 5 -15 -100 -100 1 1

APO13—Managed Security 10 -50 15 0 ### -25 0 -30 0 5 5 5 -25 -25 1 1

APO14—Managed Data 20 -45 5 0 ### -20 15 -30 0 5 0 -20 -35 -35 1 1

BAI01—Managed Programs 40 -10 -5 0 ### 25 5 -30 0 5 5 20 20 30 50 3 3
Reason (adjustment): I consider that good project management is indispensable, since it helps reduce the risk of delays and costs. It also guarantees the value and quality of the deliverables and allows the projects to be tracked.

BAI02—Managed Requirements Definition 5 -5 0 0 ### 0 10 -30 0 0 5 -5 -15 -15 1 1

BAI03—Managed Solutions Identification & Build 30 -5 5 0 ### 35 15 -25 0 5 5 -25 5 5 1 1

BAI04—Managed Availability & Capacity 5 0 5 0 ### 10 5 -30 0 5 10 0 0 0 1 1

BAI05—Managed Organizational Change -10 -20 15 0 ### -15 5 -30 0 5 0 0 -25 -25 1 1

BAI06—Managed IT Changes 5 -35 15 0 ### -15 10 -30 0 5 5 -10 -25 -25 1 1

BAI07—Managed IT Change Acceptance and Transitioning 0 0 0 0 ### 0 10 -25 0 0 10 15 5 0 5 1 0
Reason (adjustment): There are no reasons to add.
Reason (target capability level): There are no reasons to add.

BAI08—Managed Knowledge -10 -10 0 0 ### -20 0 -35 0 0 5 5 -30 -30 1 1

BAI09—Managed Assets 20 -55 5 0 ### -35 -15 -30 0 0 5 25 -30 -30 1 1

BAI10—Managed Configuration 20 -50 5 0 ### -25 15 -25 0 0 10 10 -10 -10 1 1

BAI11—Managed Projects -5 15 -25 0 ### -15 -10 -30 0 0 10 10 -25 -25 1 1

DSS01—Managed Operations 40 10 15 0 ### 70 15 -30 0 0 0 20 45 45 2 2

DSS02—Managed Service Requests & Incidents 40 25 15 0 ### 90 15 -30 0 5 10 20 65 65 3 3

DSS03—Managed Problems 40 25 20 0 ### 95 15 -30 0 5 10 -5 55 55 3 3


DSS04—Managed Continuity 20 30 10 0 ### 65 20 -30 0 0 5 60 75 75 4 4

DSS05—Managed Security Services 5 45 10 0 ### 65 15 -30 0 0 -5 45 55 55 3 3

DSS06—Managed Business Process Controls 10 -80 5 0 ### -70 -20 -30 0 0 5 0 -75 -75 1 1

MEA01—Managed Performance and Conformance Monitoring 25 -5 0 0 ### 20 5 -25 0 5 5 30 25 25 2 2

MEA02—Managed System of Internal Control 20 -35 15 0 ### 0 -15 -30 0 0 0 0 -30 -30 1 1

MEA03—Managed Compliance with External Requirements -10 15 -10 0 ### -5 -20 -35 0 0 0 0 -40 -40 1 1

MEA04—Managed Assurance -5 -50 -5 0 ### -65 -10 -35 0 0 5 -20 -80 10 -70 1 1


Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy

Input Section—Importance of Each Enterprise Strategy Archetype

Value                       Importance (1-5)  Baseline
Growth/Acquisition          1                 3
Innovation/Differentiation  3                 3
Cost Leadership             1                 3
Client Service/Stability    5                 3

Average            2.50
Stdev              1.66
Correction Factor  1.20

[Charts: Design Factor 1 Enterprise Strategy, Importance of different strategies (Input); axis from 0 to 5]

Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Objective  Score  Baseline Score  Relative Importance
EDM01      25     27              10
EDM02      26.5   25.5            25
EDM03      26     30              5
EDM04      33.5   34.5            15
EDM05      29     30              15
APO01      32     42              -10
APO02      36     42              5
APO03      39.5   43.5            10
APO04      38     36              25
APO05      23     33              -15
APO06      36     42              5
APO07      32     30              30
APO08      35     39              10
APO09      26     30              5
APO10      26.5   31.5            0
APO11      30.5   34.5            5
APO12      22     27              0
APO13      25     27              10
APO14      21     21              20
BAI01      31     27              40
BAI02      29     33              5
BAI03      23     21              30
BAI04      27.5   31.5            5
BAI05      25     33              -10
BAI06      13     15              5
BAI07      13.5   16.5            0
BAI08      26.5   34.5            -10
BAI09      27     27              20
BAI10      18     18              20
BAI11      24     30              -5
DSS01      28     24              40
DSS02      28     24              40
DSS03      28     24              40
DSS04      27     27              20
DSS05      16     18              5
DSS06      12.5   13.5            10
MEA01      32.5   31.5            25
MEA02      30     30              20
MEA03      16.5   22.5            -10
MEA04      28     36              -5

[Charts: Design Factor 1 Enterprise Strategy, Resulting Governance/Management Objectives Importance (Output); axis from -100 to 100]


DF1map

DF1    Growth/Acquisition  Innovation/Differentiation  Cost Leadership  Client Service/Stability
EDM01  3.0                 2.0                         1.0              3.0
EDM02  1.5                 2.0                         1.5              3.5
EDM03  3.0                 4.0                         1.0              2.0
EDM04  2.0                 4.0                         2.0              3.5
EDM05  1.5                 3.5                         2.0              3.0
APO01  4.0                 3.0                         4.0              3.0
APO02  4.0                 3.0                         3.0              4.0
APO03  3.0                 4.5                         3.0              4.0
APO04  1.0                 5.0                         2.0              4.0
APO05  3.5                 4.0                         2.5              1.0
APO06  2.0                 3.0                         5.0              4.0
APO07  1.0                 3.0                         2.0              4.0
APO08  4.0                 3.0                         2.0              4.0
APO09  2.5                 3.0                         2.0              2.5
APO10  3.0                 3.0                         2.0              2.5
APO11  2.5                 3.5                         2.5              3.0
APO12  3.0                 1.5                         2.0              2.5
APO13  2.0                 2.0                         2.0              3.0
APO14  1.0                 1.0                         2.0              3.0
BAI01  1.0                 3.0                         1.0              4.0
BAI02  3.0                 3.0                         2.0              3.0
BAI03  1.0                 2.0                         1.0              3.0
BAI04  3.0                 2.5                         2.0              3.0
BAI05  5.0                 3.0                         1.0              2.0
BAI06  1.0                 1.0                         1.5              1.5
BAI07  2.0                 1.0                         1.0              1.5
BAI08  4.0                 1.5                         3.0              3.0
BAI09  2.0                 3.0                         1.0              3.0
BAI10  1.0                 2.0                         1.0              2.0
BAI11  3.5                 3.0                         1.5              2.0
DSS01  1.0                 2.0                         1.0              4.0
DSS02  1.0                 2.0                         1.0              4.0
DSS03  1.0                 2.0                         1.0              4.0
DSS04  3.0                 1.0                         1.0              4.0
DSS05  2.0                 1.0                         1.0              2.0
DSS06  1.0                 1.0                         1.0              1.5
MEA01  2.5                 3.0                         1.0              4.0
MEA02  3.0                 2.0                         1.0              4.0
MEA03  3.0                 2.5                         1.0              1.0
MEA04  4.0                 2.0                         3.0              3.0


Information & Technology Governance System Design
Design Factor 2 Enterprise Goals

Input Section—Importance of Each Enterprise Goal

Value  Importance (1-5)  Baseline
EG01—Portfolio of competitive products and services  4  3
EG02—Managed business risk  5  3
EG03—Compliance with external laws and regulations  5  3
EG04—Quality of financial information  1  3
EG05—Customer-oriented service culture  4  3
EG06—Business-service continuity and availability  5  3
EG07—Quality of management information  1  3
EG08—Optimization of internal business process functionality  1  3
EG09—Optimization of business process costs  3  3
EG10—Staff skills, motivation and productivity  2  3
EG11—Compliance with internal policies  5  3
EG12—Managed digital transformation programs  5  3
EG13—Product and business innovation  3  3

Average            3.38
Stdev              1.60
Correction Factor  0.89

[Charts: Design Factor 2 Enterprise Goals (Input); axis from 0 to 5]
Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Objective  Score  Baseline Score  Relative Importance
EDM01      94     111             -25
EDM02      112    117             -15
EDM03      70     69              -10
EDM04      142    138             -10
EDM05      24     63              -65
APO01      133    183             -35
APO02      98     135             -35
APO03      87     138             -45
APO04      120    126             -15
APO05      145    141             -10
APO06      117    117             -10
APO07      143    114             10
APO08      208    195             -5
APO09      46     63              -35
APO10      101    78              15
APO11      137    132             -10
APO12      0      42              -100
APO13      25     45              -50
APO14      49     81              -45
BAI01      133    129             -10
BAI02      186    174             -5
BAI03      178    165             -5
BAI04      80     72              0
BAI05      164    183             -20
BAI06      65     90              -35
BAI07      76     69              0
BAI08      141    141             -10
BAI09      27     51              -55
BAI10      23     42              -50
BAI11      177    138             15
DSS01      78     63              10
DSS02      81     57              25
DSS03      81     57              25
DSS04      101    69              30
DSS05      143    87              45
DSS06      23     108             -80
MEA01      141    135             -5
MEA02      99     138             -35
MEA03      50     39              15
MEA04      65     114             -50

[Charts: Design Factor 2 Enterprise Goals, Resulting Governance/Management Objectives Importance; axis from -100 to 100]


DF2map

Enterprise goal  Priority  Baseline
EG01 Agile portfolio of competitive products and services  4  3
EG02 Managed business risks  5  3
EG03 Compliance with external laws and regulations  5  3
EG04 Transparency and accuracy of financial information  1  3
EG05 Customer-oriented service culture  4  3
EG06 Business service continuity and availability  5  3
EG07 Quality of management information  1  3
EG08 Optimization of internal business process functionality  1  3
EG09 Optimization of business process costs  3  3
EG10 Staff skills, motivation and productivity  2  3
EG11 Compliance with internal policies  5  3
EG12 Managed business transformation programs  5  3
EG13 Product and business innovation  3  3

Mapping table EG-AG

Columns:
AG01 IT compliance and support for business compliance with external laws and regulations
AG02 Managed Technology & Information related risks
AG03 Realized benefits from IT-enabled investments and services portfolio
AG04 Quality of technology related financial information
AG05 Delivery of IT services in line with business requirements
AG06 Agility to turn business requirements into operational solutions
AG07 Security of information, processing infrastructure and applications
AG08 Enablement and support of business processes by Integrating applications and technology
AG09 Delivery of programs on time, on budget, and meeting requirements and quality standards
AG10 Quality of IT Management Information
AG11 IT compliance with internal policies
AG12 Competent and motivated staff with mutual understanding of technology and business.
AG13 Knowledge, expertise and initiatives for business innovation

Enterprise goal, followed by the values for AG01 to AG13:
EG01 Portfolio of agile and competitive products and services 0 0 1 0 2 2 0 2 2 0 0 0 2
EG02 Managed business risks 1 2 0 0 0 0 2 0 1 0 1 0 0
EG03 Compliance with external laws and regulations 2 0 0 0 0 0 0 0 0 0 2 0 1
EG04 Transparency and accuracy of financial information 0 0 0 2 0 0 0 0 0 2 0 0 0
EG05 Customer-oriented service culture 0 0 1 0 1 1 0 2 1 0 0 1 0
EG06 Business service continuity and availability 0 1 0 0 1 0 2 0 0 0 0 0 0
EG07 Accuracy (Quality?) of Management Information 0 0 0 2 0 0 0 0 0 2 0 0 0
EG08 Optimization of business process functionality 0 0 1 0 1 1 0 1 1 0 0 0 0
EG09 Optimization of business process costs 0 0 1 2 0 0 0 0 1 1 0 0 0
EG10 Staff skills, motivation and productivity 0 0 0 0 0 0 0 1 0 0 0 2 0
EG11 Compliance with internal policies 2 0 0 0 0 0 0 0 0 0 2 0 0
EG12 Managed business transformation programs 0 0 2 0 1 1 0 2 2 0 0 0 1
EG13 Product and business innovation 0 0 0 0 0 1 0 1 1 0 0 0 2

Result Priority 25 15 22 10 23 21 20 32 34 7 25 8 24
Result Baseline 15 9 18 18 18 18 12 27 27 15 15 9 18

Mapping Table AG-GMO

Columns:
EDM01 Ensured Governance Framework Setting & Maintenance
EDM02 Ensured Benefits Delivery
EDM03 Ensured Risk Optimization
EDM04 Ensured Resource Optimization
EDM05 Ensured Stakeholder Transparency
APO01 Managed IT Management Framework
APO02 Managed Strategy
APO03 Managed Architecture
APO04 Managed Innovation
APO05 Managed Portfolio
APO06 Managed Budget & Costs
APO07 Managed Human Resources
APO08 Managed Relationships
APO09 Managed Service Agreements
APO10 Managed Suppliers
APO11 Managed Quality
APO12 Managed Risk
APO13 Managed Information Security
APO14 Managed Data
BAI01 Managed Programs
BAI02 Managed Requirements Definition
BAI03 Managed Solutions Identification & Build
BAI04 Managed Availability & Capacity
BAI05 Managed Organizational Change
BAI06 Managed IT Changes
BAI07 Managed IT Change Acceptance & Transitioning
BAI08 Managed Knowledge
BAI09 Managed Assets
BAI10 Managed Configuration
BAI11 Managed Projects
DSS01 Managed Operations
DSS02 Managed Service Requests & Incidents
DSS03 Managed Problems
DSS04 Managed Continuity
DSS05 Managed Security Services
DSS06 Managed Business Process Controls
MEA01 Managed Performance & Conformance Monitoring
MEA02 Managed System of Internal Control
MEA03 Managed Compliance with External Requirements
MEA04 Managed Internal Audit

Rows:
AG01 IT compliance and support for business compliance with external laws and regulations
AG02 Managed Technology & Information related risks
AG03 Realized benefits from IT-enabled investments and services portfolio
AG04 Quality of technology related financial information
AG05 Delivery of IT services in line with business requirements
AG06 Agility to turn business requirements into operational solutions
AG07 Security of information, processing infrastructure and applications
AG08 Enablement and support of business processes by Integrating applications and technology
AG09 Delivery of programs on time, on budget, and meeting requirements and quality standards
AG10 Quality of IT Management Information
AG11 IT compliance with internal policies
AG12 Competent and motivated staff with mutual understanding of technology and business.
AG13 Knowledge, expertise and initiatives for business innovation

EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04
AG01 2.00 0.00 1.00 0.00 0.00 1.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 1.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 0.00 1.00 1.00 2.00 1.00
AG02 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 1.00 1.00 2.00 0.00 0.00 0.00 0.00 0.00
AG03 2.00 2.00 0.00 1.00 0.00 2.00 1.00 1.00 1.00 2.00 1.00 1.00 1.00 0.00 0.00 1.00 0.00 0.00 0.00 2.00 1.00 1.00 0.00 2.00 0.00 0.00 1.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 0.00 0.00 0.00
AG04 0.00 0.00 2.00 0.00 1.00 0.00 0.00 0.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 1.00 0.00 0.00 1.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 0.00 1.00
AG05 0.00 1.00 0.00 1.00 0.00 1.00 1.00 1.00 0.00 2.00 0.00 1.00 2.00 2.00 2.00 1.00 0.00 0.00 0.00 0.00 2.00 2.00 2.00 1.00 1.00 0.00 0.00 0.00 1.00 1.00 2.00 2.00 2.00 2.00 1.00 1.00 2.00 1.00 0.00 1.00
AG06 0.00 1.00 0.00 1.00 0.00 0.00 1.00 2.00 2.00 1.00 0.00 0.00 2.00 0.00 1.00 0.00 0.00 0.00 0.00 1.00 2.00 2.00 0.00 1.00 2.00 2.00 1.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
AG07 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 1.00 2.00 2.00 0.00 0.00 0.00 0.00 0.00
AG08 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
AG09 0.00 0.00 0.00 2.00 0.00 1.00 0.00 0.00 0.00 1.00 2.00 1.00 1.00 0.00 1.00 2.00 0.00 0.00 0.00 2.00 2.00 2.00 1.00 2.00 0.00 1.00 1.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 1.00 0.00 0.00
AG10 0.00 0.00 0.00 0.00 2.00 1.00 0.00 0.00 0.00 0.00 1.00 0.00 0.00 0.00 0.00 2.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 2.00 1.00 0.00 1.00
AG11 0.00 0.00 1.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 0.00 0.00 0.00 0.00 0.00
AG12 0.00 0.00 0.00 1.00 0.00 0.00 1.00 0.00 1.00 0.00 0.00 2.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 1.00 0.00 0.00 1.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
AG13 0.00 1.00 0.00 0.00 0.00 0.00 1.00 0.00 2.00 0.00 0.00 2.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 2.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

Importance 94 112 70 142 24 133 98 87 120 145 117 143 208 46 101 137 0 25 49 133 186 178 80 164 65 76 141 27 23 177 78 81 81 101 143 23 141 99 50 65
Baseline 111 117 69 138 63 183 135 138 126 141 117 114 195 63 78 132 42 45 81 129 174 165 72 183 90 69 141 51 42 138 63 57 57 69 87 108 135 138 39 114
Imp® -16 -5 1 2 -62 -28 -28 -37 -5 2 0 25 6 -27 29 3 -100 -45 -40 3 6 7 11 -11 -28 10 0 -48 -46 28 458 42 42 46 64 -79 4 -29 28 -43


Information & Technology Governance System Design
Design Factor 3 Risk Profile

Input Section—Importance of Each Generic IT Risk Category

Risk Rating (legend): Very High Risk, High Risk, Normal Risk, Low Risk

Risk Scenario Category  Impact (1-5)  Likelihood (1-5)  Baseline
IT investment decision making, portfolio definition & maintenance  4  2  9
Program & projects life cycle management  3  2  9
IT cost & oversight  4  3  9
IT expertise, skills & behavior  2  2  9
Enterprise/IT architecture  3  3  9
IT operational infrastructure incidents  4  2  9
Unauthorized actions  4  2  9
Software adoption/usage problems  4  3  9
Hardware incidents  2  2  9
Software failures  3  5  9
Logical attacks (hacking, malware, etc.)  2  4  9
Third-party/supplier incidents  2  3  9
Noncompliance  3  2  9
Geopolitical issues  1  1  9
Industrial action  2  1  9
Acts of nature  4  2  9
Technology-based innovation  2  2  9
Environmental  4  2  9
Data & information management  4  3  9

Average            7.42
Stdev              3.53
Correction Factor  1.21

[Chart: Design Factor 3 IT Risk Profile, Risk Rating of IT Risk Scenario Categories (Input); axis from 0 to 16]
Output Section—Resulting relative importance of each governance/management objective

[Chart: Design Factor 3 IT Risk Profile, Resulting Governance/Management Objectives Importance; axis -100 to 100]

Columns: Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 277 315 5
EDM02 514.5 607.5 5
EDM03 132 162 0
EDM04 327 360 10
EDM05 417 468 10
APO01 225 252 10
APO02 417 486 5
APO03 257 274.5 15
APO04 499.5 594 0
APO05 340.5 400.5 5
APO06 120 153 -5
APO07 78 144 -35
APO08 483 571.5 0
APO09 125 117 30
APO10 204 256.5 -5
APO11 369 418.5 5
APO12 280 310.5 10
APO13 257 274.5 15
APO14 292 342 5
BAI01 322 405 -5
BAI02 235 288 0
BAI03 393 459 5
BAI04 389 450 5
BAI05 68 72 15
BAI06 176 189 15
BAI07 186 225 0
BAI08 234 279 0
BAI09 110 126 5
BAI10 133 153 5
BAI11 54 90 -25
DSS01 177 189 15
DSS02 248 261 15
DSS03 211 216 20
DSS04 196 216 10
DSS05 245 270 10
DSS06 257 297 5
MEA01 335.5 414 0
MEA02 224 234 15
MEA03 116 153 -10
MEA04 194 252 -5

RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19

DF3 column headings:
RISKCAT01 IT Investment Decision Making, Portfolio Definition & Maintenance
RISKCAT02 Program & Projects Life Cycle Management
RISKCAT03 IT Cost & Oversight
RISKCAT04 IT Expertise, Skills & Behavior
RISKCAT05 Enterprise/IT Architecture
RISKCAT06 IT Operational Infrastructure Incidents
RISKCAT07 Unauthorized Actions
RISKCAT08 Software Adoption/Usage Problems
RISKCAT09 Hardware Incidents
RISKCAT10 Software Failures
RISKCAT11 Logical Attacks (Hacking, Malware, etc.)
RISKCAT12 Third-Party/Supplier Incidents
RISKCAT13 Noncompliance
RISKCAT14 Geopolitical Issues
RISKCAT15 Industrial Action
RISKCAT16 Acts of Nature
RISKCAT17 Technology-Based Innovation
RISKCAT18 Environmental
RISKCAT19 Data & Information Management
EDM01 0.0 1.0 3.0 0.0 0.0 1.0 3.0 3.0 3.0 3.0 2.0 1.0 4.0 4.0 0.0 2.0 2.0 0.0 3.0
EDM02 4.5 4.0 4.0 3.5 4.5 3.0 3.5 4.0 3.0 3.5 4.5 3.5 4.0 2.5 3.0 2.0 4.5 2.0 4.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 4.0 2.0 4.0 2.0 3.0 1.0 1.0 2.0 3.0 3.0 1.0 1.0 1.0 1.0 1.0 1.0 4.0 1.0 4.0
EDM05 3.0 3.0 4.0 2.0 3.0 4.0 2.0 3.0 4.0 4.0 2.0 2.0 3.0 2.0 2.0 1.0 2.0 2.0 4.0
APO01 2.0 2.0 2.0 4.0 2.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0 0.0 0.0 1.0 2.0 1.0 4.0
APO02 4.0 4.0 2.0 2.0 3.0 4.0 2.0 4.0 3.0 4.0 3.0 2.0 4.0 4.0 1.0 2.0 2.0 1.0 3.0
APO03 2.0 0.5 1.0 1.0 4.0 2.0 1.0 3.0 0.5 2.0 2.0 1.0 0.5 1.0 0.0 0.0 4.0 2.0 3.0
APO04 4.0 4.5 3.5 3.0 4.5 3.0 3.5 4.0 3.0 3.5 4.5 3.5 4.0 2.5 3.0 1.0 5.0 2.0 4.0
APO05 3.5 3.0 3.5 2.5 3.0 1.5 1.5 3.0 3.0 2.0 2.0 2.0 2.5 1.5 1.5 1.5 3.0 1.5 2.5
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 1.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 2.0 0.0 0.0
APO08 4.0 3.0 4.0 4.0 4.0 3.5 3.5 3.5 4.0 4.0 3.5 2.0 3.0 3.0 3.0 2.0 4.0 1.5 4.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 2.0 1.0 2.5 1.0 3.0 2.0 2.0 0.0 1.0 1.0 0.0 2.0 1.0 2.0 1.0 0.0 4.0 1.0 2.0
APO11 2.5 4.0 2.0 3.0 3.0 4.0 2.0 3.0 3.0 4.0 3.0 1.0 2.0 2.0 1.0 1.0 2.0 1.0 3.0
APO12 2.0 2.0 2.5 0.5 2.0 3.0 2.0 2.0 2.0 2.0 2.0 1.0 0.5 1.0 1.0 3.0 2.0 2.0 2.0
APO13 0.0 0.0 2.5 1.0 1.0 2.0 2.0 2.0 3.0 3.0 2.0 2.0 1.0 1.0 1.0 2.0 1.0 1.0 3.0
APO14 1.0 1.0 2.0 2.0 2.0 1.0 2.0 2.0 2.0 2.0 2.0 2.0 2.0 2.0 2.0 3.0 2.0 2.0 4.0
BAI01 3.0 4.0 1.0 3.0 2.0 1.0 2.0 3.0 2.0 3.0 3.0 2.0 2.0 3.0 2.0 3.0 3.0 2.0 1.0
BAI02 4.0 3.0 2.0 1.0 2.0 2.0 1.0 1.0 1.0 0.0 0.0 1.0 3.0 1.0 1.0 1.0 3.0 2.0 3.0
BAI03 2.0 4.0 2.0 4.0 3.0 3.0 2.0 2.0 2.0 3.0 4.0 1.0 3.0 1.0 2.0 4.0 3.0 2.0 4.0
BAI04 3.0 3.0 3.0 2.0 4.0 3.0 4.0 2.0 2.0 2.0 4.0 4.0 3.0 1.0 1.0 1.0 3.0 2.0 3.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 0.0 1.0 0.0 0.0 2.0 2.0 3.0 1.0 3.0 2.0 1.0 2.0 1.0 0.0 0.0 1.0 0.0 0.0 2.0
BAI07 2.0 1.0 0.0 1.0 0.0 0.0 1.0 3.0 1.0 1.0 2.0 1.0 1.0 1.0 2.0 1.0 3.0 1.0 3.0
BAI08 2.0 1.0 1.0 2.0 1.0 3.0 1.0 2.0 1.0 2.0 2.0 1.0 3.0 1.0 2.0 1.0 2.0 1.0 2.0
BAI09 1.0 1.0 2.0 1.0 0.0 1.0 1.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 1.0 0.0 2.0 0.0 3.0
BAI10 1.0 0.0 0.0 2.0 0.0 2.0 0.0 2.0 2.0 1.0 1.0 0.0 0.0 0.0 1.0 0.0 2.0 0.0 3.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 2.0
DSS01 0.0 0.0 1.0 0.0 0.0 4.0 3.0 0.0 4.0 4.0 2.0 0.0 0.0 1.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 4.0 0.0 4.0 4.0 4.0 3.0 3.0 3.0 0.0 0.0 4.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 4.0 0.0 4.0 3.0 3.0 3.0 3.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 4.0 4.0 4.0 4.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0
DSS05 1.0 1.0 2.0 2.0 1.0 2.0 1.0 1.0 2.0 3.0 2.0 2.0 1.0 1.0 1.0 2.0 1.0 1.0 3.0
DSS06 2.0 3.0 2.0 2.0 1.5 2.5 2.0 2.0 1.0 1.5 2.0 1.0 2.0 1.0 1.0 1.0 2.0 1.0 2.5
MEA01 2.0 2.5 1.5 2.0 2.5 3.5 3.0 1.0 3.0 3.5 3.0 2.0 4.0 3.5 2.0 2.0 1.0 2.0 2.0
MEA02 1.0 2.0 2.0 2.0 2.0 3.0 3.0 0.0 0.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0 0.0 0.0 2.0

MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 1.0 2.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0


Information & Technology Governance System Design
Design Factor 4 IT-Related Issues

Input Section—Importance of Each Generic IT-Related Issue

Columns: IT-Related Issue, Importance (1-3), Baseline
Importance scale: No Issue, Issue, Serious Issue

Frustration between different IT entities across the organization because of a perception of low contribution to business value 2
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value 2
Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT 2
Service delivery problems by the IT outsourcer(s) 2
Failures to meet IT-related regulatory or contractual requirements 2
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems 2
Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets 2
Duplications or overlaps between various initiatives, or other forms of wasted resources 2
Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction 2
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget 2
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT 2
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions 2
Excessively high cost of IT 2
Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems 2
Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages 2
Regular issues with data quality and integration of data across various sources 2
High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation 2
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services) 2
Ignorance of and/or noncompliance with privacy regulations 2
Inability to exploit new technologies or innovate using I&T 2

Average f
Stdev 0.77
Correction Factor #VALUE!

[Chart: Design Factor 4 IT-Related Issues, Importance of IT-Related Issues (Input); axis 0 to 3]

Output Section—Resulting relative importance of each governance/management objective

[Chart: Design Factor 4 IT-Related Issues, Resulting Governance/Management Objectives Importance; axis -100 to 100]

Columns: Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 60.5 60 0
EDM02 173 153 0
EDM03 56 47 0
EDM04 127.5 110 0
EDM05 116 104 0
APO01 98.5 90 0
APO02 103.5 91 0
APO03 83 74 0
APO04 172.5 153 0
APO05 104.5 94 0
APO06 70.5 62 0
APO07 39 36 0
APO08 160 137.5 0
APO09 51.5 43 0
APO10 53 44 0
APO11 83.5 74 0
APO12 70 63 0
APO13 47 42 0
APO14 93.5 78 0
BAI01 86 73 0
BAI02 78 68 0
BAI03 105.5 99 0
BAI04 98.5 86 0
BAI05 32.5 28 0
BAI06 30.5 29 0
BAI07 34.5 34 0
BAI08 60.5 53 0
BAI09 49.5 43 0
BAI10 31 25 0
BAI11 60.5 52 0
DSS01 46 41 0
DSS02 25 18 0
DSS03 19 14 0
DSS04 9 6 0
DSS05 71 60 0
DSS06 57.5 52 0
MEA01 137 121 0
MEA02 64.5 52 0
MEA03 39 29 0
MEA04 67 58 0


Step 2 Initial Design
Governance and Management Objectives Importance

Chart values (axis -100 to 100):
EDM01 -10
EDM02 15
EDM03 -5
EDM04 15
EDM05 -45
APO01 -40
APO02 -25
APO03 -20
APO04 10
APO05 -20
APO06 -10
APO07 5
APO08 5
APO09 0
APO10 10
APO11 0
APO12 -100
APO13 -25
APO14 -20
BAI01 25
BAI02 0
BAI03 35
BAI04 10
BAI05 -15
BAI06 -15
BAI07 0
BAI08 -20
BAI09 -35
BAI10 -25
BAI11 -15
DSS01 70
DSS02 90
DSS03 95
DSS04 65
DSS05 65
DSS06 -70
MEA01 20
MEA02 0
MEA03 -5
MEA04 -65

DF4 column headings:
1. Frustration between different IT entities across the organization because of a perception of low contribution to business value
2. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
3. Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
4. Service delivery problems by the IT outsourcer(s)
5. Failures to meet IT-related regulatory or contractual requirements
6. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
7. Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets
8. Duplications or overlaps between various initiatives or other forms of wasted resources
9. Insufficient IT resources, staff with inadequate skills or staff burnout / dissatisfaction
10. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
11. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
12. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
13. Excessively high cost of IT
14. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
15. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
16. Regular issues with data quality and integration of data across various sources
17. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
18. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department
19. Ignorance of and/or noncompliance with privacy regulations
20. Inability to exploit new technologies or innovate using I&T

Each row lists the 20 column values followed by the row total.

EDM01 3.5 2.0 1.5 3.0 1.0 3.0 0.0 0.0 4.0 1.0 0.0 0.0 1.0 0.0 1.0 0.0 1.0 4.0 1.0 3.0 30
EDM02 3.0 4.0 4.5 3.5 4.0 3.5 3.0 3.5 4.0 4.5 3.5 4.0 3.5 4.5 4.0 4.0 3.5 3.0 4.0 5.0 77
EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24
EDM04 1.0 2.0 3.0 3.0 3.0 3.5 4.0 3.5 4.0 3.5 2.0 0.0 4.0 2.0 2.0 3.5 2.5 2.5 2.5 3.5 55
EDM05 2.5 3.0 2.5 2.5 2.5 2.0 2.5 2.5 3.0 3.0 2.5 3.0 2.5 2.0 3.0 2.5 2.5 2.5 2.5 3.0 52
APO01 1.0 2.5 1.0 1.0 2.5 2.5 2.5 1.0 3.5 1.0 4.0 3.0 2.0 1.0 3.5 3.5 2.0 3.5 2.0 2.0 45
APO02 2.0 2.5 2.5 2.0 2.5 2.5 2.0 2.0 2.5 2.0 2.5 2.5 2.5 2.5 2.0 2.5 2.0 2.0 2.5 2.0 46
APO03 1.5 1.5 2.0 1.0 1.0 1.5 1.0 1.5 1.5 3.5 1.0 1.0 2.0 4.0 1.0 3.0 2.0 3.0 1.0 3.0 37
APO04 3.0 4.5 4.0 3.5 4.0 3.5 3.0 3.5 4.5 4.5 3.0 4.0 3.5 4.5 4.0 4.0 3.5 3.0 4.0 5.0 77
APO05 2.5 2.5 2.0 2.5 2.5 2.5 2.5 3.0 2.0 3.0 2.5 2.0 2.5 2.0 1.5 1.5 3.0 3.0 1.5 2.5 47
APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31
APO07 1.5 1.0 1.0 1.0 1.0 1.0 0.0 0.0 4.0 1.0 0.0 0.0 0.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 18
APO08 4.5 3.0 4.5 4.5 3.0 3.0 4.5 4.5 3.0 4.5 4.5 3.0 3.0 3.0 3.0 2.5 2.5 3.0 2.3 3.0 69
APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22
APO10 1.0 2.0 1.0 3.0 1.0 1.0 2.0 2.0 1.0 0.0 2.0 1.0 0.0 1.0 0.0 1.0 0.0 2.0 0.0 1.0 22
APO11 2.0 2.0 3.0 1.0 1.0 3.5 1.0 1.5 2.5 2.0 1.0 1.0 2.0 2.0 1.0 3.5 2.0 2.0 1.0 2.0 37
APO12 1.5 0.5 3.0 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.5 2.0 1.0 3.0 2.0 1.0 2.5 2.5 1.0 32
APO13 0.0 1.0 2.0 1.0 0.0 1.0 1.0 0.0 1.0 1.0 1.0 0.0 2.0 0.0 1.0 2.0 2.0 1.0 3.0 1.0 21
APO14 3.0 2.0 3.0 2.0 2.0 2.0 1.0 1.5 2.5 1.5 3.0 1.0 0.5 2.0 2.0 4.0 1.0 1.0 2.0 2.0 39
BAI01 2.0 2.0 3.0 2.0 1.0 2.0 2.0 1.0 3.0 3.0 2.0 1.0 1.5 2.0 2.0 1.0 1.0 2.0 2.0 1.0 37
BAI02 2.0 3.0 1.0 2.0 2.0 1.0 0.0 1.0 2.0 3.0 2.0 1.0 2.0 2.0 2.0 1.0 1.0 2.0 2.0 2.0 34
BAI03 2.0 2.0 4.0 3.0 1.0 3.0 2.0 3.0 4.0 3.0 1.0 1.5 2.0 1.0 3.0 1.0 3.0 4.0 3.0 3.0 50
BAI04 1.0 1.0 3.0 1.0 4.0 2.0 2.0 3.0 3.0 3.0 3.0 2.0 1.5 2.0 1.0 2.0 1.0 3.0 2.0 2.5 43
BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14
BAI06 1.0 2.0 1.0 1.0 0.0 0.0 0.5 0.0 1.0 1.0 0.0 1.0 0.5 0.0 0.5 0.0 0.0 2.0 2.0 1.0 15
BAI07 0.5 0.5 1.0 0.0 0.5 0.0 0.0 0.0 2.0 2.0 1.5 1.0 3.0 0.0 0.0 0.0 0.0 1.0 1.0 3.0 17
BAI08 1.0 1.0 1.5 2.0 1.0 1.0 2.0 1.0 2.0 0.5 1.0 0.5 1.0 1.0 3.0 2.0 1.0 1.5 1.0 1.5 27
BAI09 2.0 1.0 1.0 2.0 2.0 0.0 2.0 2.0 0.0 0.0 1.0 0.0 2.0 1.0 1.0 0.0 1.0 1.5 1.0 1.0 22
BAI10 0.0 0.0 1.0 2.0 1.0 0.0 0.0 0.0 1.0 0.0 2.0 0.5 0.0 2.0 0.5 0.0 0.5 0.0 1.0 1.0 13
BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 2.0 2.0 3.0 0.5 0.0 1.0 1.5 0.0 0.5 26


Information & Technology Governance System Design
Design Factor 5 Threat Landscape

Input Section—Importance of Threat Landscape

Columns: Value, Importance (100%), Baseline
High 15% 33%
Normal 85% 67%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 5 input; High, Normal]

Output Section—Resulting relative importance of each governance/management objective

[Chart: Design Factor 5 Threat Landscape, Resulting Governance/Management Objectives Importance; axis -100 to 100]

Columns: Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 1.15 1.33 -15
EDM02 3.28 3.01 10
EDM03 1.45 1.99 -25
EDM04 3.15 3.33 -5
EDM05 4.00 4.00 0
APO01 1.85 1.67 10
APO02 3.15 3.33 -5
APO03 3.70 3.34 10
APO04 2.85 2.67 5
APO05 2.15 2.33 -10
APO06 1.00 1.00 0
APO07 1.15 1.33 -15
APO08 1.00 1.00 0
APO09 1.15 1.33 -15
APO10 2.15 2.33 -10
APO11 2.15 2.33 -10
APO12 2.30 2.66 -15
APO13 2.00 2.00 0
APO14 2.70 2.34 15
BAI01 2.85 2.67 5
BAI02 1.85 1.67 10
BAI03 2.70 2.34 15
BAI04 2.85 2.67 5
BAI05 1.92 1.84 5
BAI06 1.85 1.67 10
BAI07 1.85 1.67 10
BAI08 1.00 1.00 0
BAI09 1.15 1.33 -15
BAI10 2.70 2.34 15
BAI11 2.15 2.33 -10
DSS01 2.70 2.34 15
DSS02 2.70 2.34 15
DSS03 2.70 2.34 15
DSS04 3.55 3.01 20
DSS05 2.70 2.34 15
DSS06 1.30 1.66 -20
MEA01 2.43 2.34 5
MEA02 1.15 1.33 -15
MEA03 1.30 1.66 -20
MEA04 2.15 2.33 -10

DF5 High Normal


EDM01 2.0 1.0
EDM02 2.0 3.5
EDM03 4.0 1.0
EDM04 4.0 3.0
EDM05 4.0 4.0
APO01 1.0 2.0
APO02 4.0 3.0
APO03 2.0 4.0
APO04 2.0 3.0
APO05 3.0 2.0
APO06 1.0 1.0
APO07 2.0 1.0
APO08 1.0 1.0
APO09 2.0 1.0
APO10 3.0 2.0
APO11 3.0 2.0
APO12 4.0 2.0
APO13 2.0 2.0
APO14 1.0 3.0
BAI01 2.0 3.0
BAI02 1.0 2.0
BAI03 1.0 3.0
BAI04 2.0 3.0
BAI05 1.5 2.0
BAI06 1.0 2.0
BAI07 1.0 2.0
BAI08 1.0 1.0
BAI09 2.0 1.0
BAI10 1.0 3.0
BAI11 3.0 2.0
DSS01 1.0 3.0
DSS02 1.0 3.0
DSS03 1.0 3.0



DSS04 1.0 4.0
DSS05 1.0 3.0
DSS06 3.0 1.0
MEA01 2.0 2.5
MEA02 2.0 1.0
MEA03 3.0 1.0
MEA04 3.0 2.0


Information & Technology Governance System Design
Design Factor 6 Compliance Requirements

Input Section—Importance of Compliance Requirements

Columns: Value, Importance (100%), Baseline
High 20% 40%
Normal 70% 100%
Low 10% 0%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 6 Compliance Requirements; High 20%, Normal 70%, Low 10%]

Output Section—Resulting relative importance of each governance/management objective

[Chart: Design Factor 6 Compliance Requirements, Resulting Governance/Management Objectives Importance; axis -100 to 100]

Columns: Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 2.80 4.00 -30
EDM02 2.10 3.20 -35
EDM03 2.30 3.60 -35
EDM04 3.60 5.20 -30
EDM05 3.25 4.30 -25
APO01 2.35 3.40 -30
APO02 2.60 3.80 -30
APO03 2.60 3.80 -30
APO04 3.50 5.00 -30
APO05 3.10 4.60 -35
APO06 1.00 1.40 -30
APO07 1.00 1.40 -30
APO08 1.70 2.40 -30
APO09 1.00 1.40 -30
APO10 2.30 3.40 -30
APO11 1.90 2.40 -20
APO12 3.00 4.60 -35
APO13 2.30 3.40 -30
APO14 2.30 3.40 -30
BAI01 2.70 3.80 -30
BAI02 2.40 3.40 -30
BAI03 2.50 3.40 -25
BAI04 2.50 3.60 -30
BAI05 2.75 3.90 -30
BAI06 2.70 3.80 -30
BAI07 1.75 2.40 -25
BAI08 1.20 1.80 -35
BAI09 1.70 2.40 -30
BAI10 2.50 3.40 -25
BAI11 2.80 3.90 -30
DSS01 2.30 3.40 -30
DSS02 2.30 3.40 -30
DSS03 2.10 3.00 -30
DSS04 2.80 4.00 -30
DSS05 2.30 3.40 -30
DSS06 1.00 1.40 -30
MEA01 2.10 2.80 -25
MEA02 1.00 1.40 -30
MEA03 2.30 3.60 -35
MEA04 2.10 3.20 -35

DF6 High Normal Low


EDM01 0.0 4.0 0.0
EDM02 3.0 2.0 1.0
EDM03 4.0 2.0 1.0
EDM04 3.0 4.0 2.0
EDM05 2.0 3.5 4.0
APO01 1.0 3.0 0.5
APO02 2.0 3.0 1.0
APO03 2.0 3.0 1.0
APO04 2.5 4.0 2.0
APO05 4.0 3.0 2.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 2.0 1.0
APO09 1.0 1.0 1.0
APO10 1.0 3.0 0.0
APO11 1.0 2.0 3.0
APO12 4.0 3.0 1.0
APO13 1.0 3.0 0.0
APO14 1.0 3.0 0.0
BAI01 2.0 3.0 2.0
BAI02 1.0 3.0 1.0
BAI03 1.0 3.0 2.0
BAI04 1.5 3.0 1.0
BAI05 1.0 3.5 1.0
BAI06 2.0 3.0 2.0
BAI07 1.0 2.0 1.5
BAI08 2.0 1.0 1.0
BAI09 1.0 2.0 1.0
BAI10 1.0 3.0 2.0
BAI11 1.0 3.5 1.5
DSS01 1.0 3.0 0.0
DSS02 1.0 3.0 0.0
DSS03 0.0 3.0 0.0



DSS04 0.0 4.0 0.0
DSS05 1.0 3.0 0.0
DSS06 1.0 1.0 1.0
MEA01 2.0 2.0 3.0
MEA02 1.0 1.0 1.0
MEA03 4.0 2.0 1.0
MEA04 3.0 2.0 1.0


Information & Technology Governance System Design
Design Factor 7 Role of IT

Input Section—Importance of Role of IT

Columns: Value, Importance (1-5), Baseline
Support 5 3
Factory 2 3
Turnaround 0 3
Strategic 4 3

Average 2.75
Stdev 1.92
Correction Factor 1.09

[Chart: Design Factor 7 Role of IT (Input); axis 0 to 5]

Output Section—Resulting relative importance of each governance/management objective

[Chart: Design Factor 7 Role of IT, Resulting Governance/Management Objectives Importance; axis -100 to 100]

Columns: Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 ### #VALUE! 0
EDM02 ### #VALUE! 0
EDM03 ### #VALUE! 0
EDM04 ### #VALUE! 0
EDM05 ### #VALUE! 0
APO01 ### #VALUE! 0
APO02 ### #VALUE! 0
APO03 ### #VALUE! 0
APO04 ### #VALUE! 0
APO05 ### #VALUE! 0
APO06 ### #VALUE! 0
APO07 ### #VALUE! 0
APO08 ### #VALUE! 0
APO09 ### #VALUE! 0
APO10 ### #VALUE! 0
APO11 ### #VALUE! 0
APO12 ### #VALUE! 0
APO13 ### #VALUE! 0
APO14 ### #VALUE! 0
BAI01 ### #VALUE! 0
BAI02 ### #VALUE! 0
BAI03 ### #VALUE! 0
BAI04 ### #VALUE! 0
BAI05 ### #VALUE! 0
BAI06 ### #VALUE! 0
BAI07 ### #VALUE! 0
BAI08 ### #VALUE! 0
BAI09 ### #VALUE! 0
BAI10 ### #VALUE! 0
BAI11 ### #VALUE! 0
DSS01 ### #VALUE! 0
DSS02 ### #VALUE! 0
DSS03 ### #VALUE! 0
DSS04 ### #VALUE! 0
DSS05 ### #VALUE! 0
DSS06 ### #VALUE! 0
MEA01 ### #VALUE! 0
MEA02 ### #VALUE! 0
MEA03 ### #VALUE! 0
MEA04 ### #VALUE! 0

DF7 Support Factory Turnaround Strategic


EDM01 2.5 2.0 1.0 0.0
EDM02 2.5 1.0 2.5 1.5
EDM03 1.0 3.0 1.0 3.0
EDM04 4.0 3.0 1.0 0.0
EDM05 4.0 1.0 3.0 2.0
APO01 3.0 1.0 0.0 0.5
APO02 2.0 1.0 0.0 0.0
APO03 3.0 1.5 2.0 0.5
APO04 0.5 1.0 3.5 4.0
APO05 3.5 2.0 1.0 1.0
APO06 1.0 1.0 1.0 2.0
APO07 1.0 1.0 1.0 1.5
APO08 1.0 1.0 2.0 2.5
APO09 1.0 2.0 1.5 2.0
APO10 3.0 0.0 0.0 0.0
APO11 3.0 1.0 2.0 1.0
APO12 3.0 1.5 1.5 4.0
APO13 3.0 0.0 0.0 0.0
APO14 4.0 0.0 0.0 0.0
BAI01 2.0 1.0 0.0 0.0
BAI02 3.0 1.0 0.0 0.0
BAI03 4.0 1.0 0.0 1.0
BAI04 3.0 1.0 0.5 0.5
BAI05 2.0 1.5 1.0 3.0
BAI06 3.0 1.0 1.0 1.0
BAI07 3.0 2.0 1.5 2.5
BAI08 2.0 1.0 1.5 2.0
BAI09 2.0 0.0 1.0 1.0
BAI10 3.0 1.0 3.0 2.5
BAI11 3.5 2.5 2.0 1.0
DSS01 1.0 1.0 3.0 2.0
DSS02 4.0 3.0 0.0 0.0
DSS03 3.0 1.0 0.0 0.0



DSS04 0.0 4.0 3.0 0.0
DSS05 3.0 1.0 2.0 2.0
DSS06 1.0 1.0 1.0 2.5
MEA01 5.0 2.0 2.0 1.0
MEA02 1.0 1.0 1.0 2.0
MEA03 1.0 1.0 1.0 1.5
MEA04 1.0 1.0 1.0 2.0


Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT

Input Section—Importance of Sourcing Model for IT

Value Importance (100%) Baseline
Outsourcing 30% 33%
Cloud 35% 33%
Insourced 35% 34%

Average
Stdev
Correction Fact 1.00

[Figure: Design Factor 8 IT Sourcing Model (Input); segments: Outsourcing, Cloud, Insourced]

Output Section—Resulting relative importance of each governance/management objective

Design Factor 8 Sourcing Model for IT

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 1.05 1.00 5
EDM02 2.05 2.02 0
EDM03 1.35 1.33 0
EDM04 2.40 2.35 0
EDM05 1.65 1.67 0
APO01 1.40 1.35 5
APO02 2.20 2.19 0
APO03 1.87 1.85 0
APO04 1.35 1.33 0
APO05 2.20 2.18 0
APO06 1.00 1.00 0
APO07 1.35 1.34 0
APO08 1.00 1.00 0
APO09 2.95 2.98 0
APO10 2.40 2.35 0
APO11 1.40 1.35 5
APO12 1.65 1.66 0
APO13 1.05 1.02 5
APO14 1.40 1.36 5
BAI01 0.70 0.68 5
BAI02 1.70 1.68 0
BAI03 2.10 2.02 5
BAI04 1.05 1.01 5
BAI05 1.40 1.35 5
BAI06 1.75 1.68 5
BAI07 2.40 2.35 0
BAI08 1.65 1.67 0
BAI09 1.35 1.34 0
BAI10 2.40 2.35 0
BAI11 2.40 2.35 0
DSS01 2.70 2.68 0
DSS02 1.75 1.69 5
DSS03 1.75 1.69 5
DSS04 2.70 2.68 0
DSS05 1.70 1.67 0
DSS06 1.00 1.00 0
MEA01 2.05 2.00 0
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.35 1.32 0

[Figure: Design Factor 8 Sourcing Model for IT, Resulting Governance/Management Objectives Importance; axis from -100 to 100]


DF8 Outsourcing Cloud Insourcing


EDM01 0.0 2.0 1.0
EDM02 1.0 1.0 4.0
EDM03 1.0 2.0 1.0
EDM04 1.0 2.0 4.0
EDM05 2.0 1.0 2.0
APO01 0.0 1.0 3.0
APO02 1.5 1.0 4.0
APO03 1.0 1.5 3.0
APO04 1.0 2.0 1.0
APO05 1.5 1.5 3.5
APO06 1.0 1.0 1.0
APO07 1.0 1.0 2.0
APO08 1.0 1.0 1.0
APO09 4.0 4.0 1.0
APO10 1.0 2.0 4.0
APO11 0.0 1.0 3.0
APO12 2.0 2.0 1.0
APO13 0.0 0.0 3.0
APO14 0.0 0.0 4.0
BAI01 0.0 0.0 2.0
BAI02 1.0 1.0 3.0
BAI03 0.0 2.0 4.0
BAI04 0.0 1.0 2.0
BAI05 0.0 1.0 3.0
BAI06 0.0 2.0 3.0
BAI07 1.0 2.0 4.0
BAI08 2.0 1.0 2.0
BAI09 1.0 1.0 2.0
BAI10 1.0 2.0 4.0
BAI11 1.0 2.0 4.0
DSS01 2.0 2.0 4.0
DSS02 0.0 1.0 4.0
DSS03 0.0 1.0 4.0

DSS04 2.0 2.0 4.0
DSS05 1.0 2.0 2.0
DSS06 1.0 1.0 1.0
MEA01 1.0 3.0 2.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 3.0 0.0


Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods

Input Section—Importance of IT Implementation Methods

Value Importance (100%) Baseline
Agile 20% 15%
DevOps 0% 10%
Traditional 80% 75%

[Figure: Design Factor 9 IT Implementation Methods; segments: Agile, DevOps, Traditional]


Output Section—Resulting relative importance of each governance/management objective

Design Factor 9 IT Implementation Methods

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 3.40 3.15 10
EDM02 2.80 2.63 5
EDM03 1.00 1.00 0
EDM04 3.60 3.30 10
EDM05 1.60 1.53 5
APO01 3.40 3.15 10
APO02 3.80 3.55 5
APO03 3.70 3.48 5
APO04 1.90 1.95 -5
APO05 1.50 1.38 10
APO06 1.00 1.00 0
APO07 1.00 1.00 0
APO08 1.00 1.00 0
APO09 1.00 1.00 0
APO10 2.60 2.40 10
APO11 3.40 3.15 10
APO12 3.40 3.30 5
APO13 1.60 1.50 5
APO14 2.40 2.35 0
BAI01 2.60 2.50 5
BAI02 2.60 2.50 5
BAI03 3.60 3.40 5
BAI04 2.50 2.33 10
BAI05 1.30 1.28 0
BAI06 3.20 3.00 5
BAI07 1.00 0.90 10
BAI08 2.60 2.50 5
BAI09 2.60 2.50 5
BAI10 3.10 2.85 10
BAI11 3.50 3.23 10
DSS01 2.40 2.35 0
DSS02 2.60 2.40 10
DSS03 2.60 2.40 10
DSS04 1.60 1.50 5
DSS05 1.80 1.85 -5
DSS06 1.80 1.75 5
MEA01 3.50 3.38 5
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 2.20 2.05 5

[Figure: Design Factor 9 IT Implementation Methods, Resulting Governance/Management Objectives Importance; axis from -100 to 100]


DF9 Agile DevOps Traditional


EDM01 1.0 0.0 4.0
EDM02 4.0 1.5 2.5
EDM03 1.0 1.0 1.0
EDM04 2.0 0.0 4.0
EDM05 2.0 1.0 1.5
APO01 1.0 0.0 4.0
APO02 3.0 1.0 4.0
APO03 2.5 1.0 4.0
APO04 3.5 3.0 1.5
APO05 3.5 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.0 0.0 3.0
APO11 1.0 0.0 4.0
APO12 1.0 1.5 4.0
APO13 0.0 0.0 2.0
APO14 0.0 1.0 3.0
BAI01 1.0 1.0 3.0
BAI02 1.0 1.0 3.0
BAI03 2.0 1.0 4.0
BAI04 0.5 0.0 3.0
BAI05 2.5 1.5 1.0
BAI06 0.0 0.0 4.0
BAI07 1.0 0.0 1.0
BAI08 1.0 1.0 3.0
BAI09 1.0 1.0 3.0
BAI10 1.5 0.0 3.5
BAI11 1.5 0.0 4.0
DSS01 0.0 1.0 3.0
DSS02 1.0 0.0 3.0
DSS03 1.0 0.0 3.0

DSS04 0.0 0.0 2.0
DSS05 1.0 2.0 2.0
DSS06 1.0 1.0 2.0
MEA01 1.5 1.5 4.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 3.0 1.0 2.0


Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy

Input Section—Importance of Technology Adoption Strategy

Value Importance (100%) Baseline
First mover 1% 15%
Follower 54% 70%
Slow adopter 45% 15%

[Figure: Design Factor 10 Technology Adoption Strategy; segments: First mover, Follower, Slow adopter]


Output Section—Resulting relative importance of each governance/management objective

Design Factor 10 Technology Adoption Strategy

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 2.07 2.25 -10
EDM02 2.95 2.58 15
EDM03 2.63 3.25 -20
EDM04 3.06 3.10 0
EDM05 3.96 3.40 15
APO01 2.53 2.55 0
APO02 3.07 3.25 -5
APO03 3.25 3.05 5
APO04 2.11 2.85 -25
APO05 2.13 1.38 55
APO06 1.27 1.35 -5
APO07 1.00 1.00 0
APO08 1.29 1.65 -20
APO09 1.28 1.42 -10
APO10 2.07 2.25 -10
APO11 2.53 2.55 0
APO12 1.55 1.85 -15
APO13 2.52 2.40 5
APO14 2.09 2.55 -20
BAI01 2.44 2.00 20
BAI02 2.27 2.35 -5
BAI03 1.84 2.50 -25
BAI04 1.53 1.55 0
BAI05 3.06 3.10 0
BAI06 2.07 2.25 -10
BAI07 1.72 1.50 15
BAI08 1.23 1.15 5
BAI09 1.45 1.15 25
BAI10 2.98 2.70 10
BAI11 2.75 2.55 10
DSS01 2.44 2.00 20
DSS02 2.44 2.00 20
DSS03 2.31 2.47 -5
DSS04 2.35 1.45 60
DSS05 1.90 1.30 45
DSS06 1.00 1.00 0
MEA01 3.36 2.60 30
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 2.09 2.55 -20

[Figure: Design Factor 10 Technology Adoption Strategy, Resulting Governance/Management Objectives Importance; axis from -100 to 100]


DF10 First Mover Follower Slow Adopter


EDM01 0.0 3.0 1.0
EDM02 2.0 2.5 3.5
EDM03 2.0 4.0 1.0
EDM04 0.0 4.0 2.0
EDM05 0.0 4.0 4.0
APO01 1.0 3.0 2.0
APO02 1.0 4.0 2.0
APO03 1.0 3.5 3.0
APO04 4.0 3.0 1.0
APO05 1.0 1.0 3.5
APO06 1.0 1.5 1.0
APO07 1.0 1.0 1.0
APO08 3.0 1.5 1.0
APO09 1.5 1.5 1.0
APO10 0.0 3.0 1.0
APO11 1.0 3.0 2.0
APO12 2.0 2.0 1.0
APO13 0.0 3.0 2.0
APO14 2.0 3.0 1.0
BAI01 1.0 2.0 3.0
BAI02 2.0 2.5 2.0
BAI03 4.0 2.5 1.0
BAI04 0.0 2.0 1.0
BAI05 0.0 4.0 2.0
BAI06 0.0 3.0 1.0
BAI07 1.0 1.5 2.0
BAI08 1.5 1.0 1.5
BAI09 1.0 1.0 2.0
BAI10 1.0 3.0 3.0
BAI11 0.5 3.0 2.5
DSS01 1.0 2.0 3.0
DSS02 1.0 2.0 3.0
DSS03 1.0 3.0 1.5

DSS04 1.0 1.0 4.0
DSS05 1.0 1.0 3.0
DSS06 1.0 1.0 1.0
MEA01 3.0 2.0 5.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 2.0 3.0 1.0



Step 2 Initial Design
Governance and Management Objectives Importance

[Figure: Governance and Management Objectives Importance; axis from -100 to 100]

[Figures: Resulting Governance/Management Objectives Importance, one panel each for Design Factor 1 Enterprise Strategy, Design Factor 2 Enterprise Goals, Design Factor 3 Risk Profile and Design Factor 4 IT-Related Issues; axis from -100 to 100]

Initial Summary—Governance and Management Objectives

EDM01—Ensured Governance Framework Setting & Maintenance -10
EDM02—Ensured Benefits Delivery 15
EDM03—Ensured Risk Optimization -5
EDM04—Ensured Resource Optimization 15
EDM05—Ensured Stakeholder Engagement -45
APO01—Managed I&T Management Framework -40
APO02—Managed Strategy -25
APO03—Managed Enterprise Architecture -20
APO04—Managed Innovation 10
APO05—Managed Portfolio -20
APO06—Managed Budget & Costs -10
APO07—Managed Human Resources 5
APO08—Managed Relationships 5
APO09—Managed Service Agreements 0
APO10—Managed Vendors 10
APO11—Managed Quality 0
APO12—Managed Risk -100
APO13—Managed Security -25
APO14—Managed Data -20
BAI01—Managed Programs 25
BAI02—Managed Requirements Definition 0
BAI03—Managed Solutions Identification & Build 35
BAI04—Managed Availability & Capacity 10
BAI05—Managed Organizational Change -15
BAI06—Managed IT Changes -15
BAI07—Managed IT Change Acceptance and Transitioning 0
BAI08—Managed Knowledge -20
BAI09—Managed Assets -35
BAI10—Managed Configuration -25
BAI11—Managed Projects -15
DSS01—Managed Operations 70
DSS02—Managed Service Requests & Incidents 90
DSS03—Managed Problems 95
DSS04—Managed Continuity 65
DSS05—Managed Security Services 65
DSS06—Managed Business Process Controls -70
MEA01—Managed Performance and Conformance Monitoring 20
MEA02—Managed System of Internal Control 0
MEA03—Managed Compliance with External Requirements -5
MEA04—Managed Assurance -65


[Figures: Resulting Governance/Management Objectives Importance, one panel each for Design Factor 5 Threat Landscape, Design Factor 6 Compliance Requirements, Design Factor 7 Role of IT and Design Factor 8 Sourcing Model for IT; axis from -100 to 100]


[Figures: Resulting Governance/Management Objectives Importance, one panel each for Design Factor 9 IT Implementation Methods and Design Factor 10 Technology Adoption Strategy; axis from -100 to 100]

Governance and Management Objectives Importance (All Design Fac

EDM01—Ensured Governance Framework Setting & Maintenance -35
EDM02—Ensured Benefits Delivery 5
EDM03—Ensured Risk Optimization -55
EDM04—Ensured Resource Optimization -5
EDM05—Ensured Stakeholder Engagement -30
APO01—Managed I&T Management Framework -25
APO02—Managed Strategy -40
APO03—Managed Enterprise Architecture -20
APO04—Managed Innovation -30
APO05—Managed Portfolio 0
APO06—Managed Budget & Costs -30
APO07—Managed Human Resources -25
APO08—Managed Relationships -30
APO09—Managed Service Agreements -35
APO10—Managed Vendors -20
APO11—Managed Quality -10
APO12—Managed Risk -100
APO13—Managed Security -25
APO14—Managed Data -35
BAI01—Managed Programs 20
BAI02—Managed Requirements Definition -15
BAI03—Managed Solutions Identification & Build 5
BAI04—Managed Availability & Capacity 0
