COBIT


What is IT Governance?

IT governance is a component of corporate governance focused on enhancing overall IT management and maximizing the value of information and technology investments. IT governance frameworks assist organizations in successfully managing their IT risks and ensure that their IT activities are coherent with their organizational objectives.
The Importance of IT Governance
IT governance is helpful for organizations in various ways, such as:

 It helps them show measurable results against their goals and objectives.

 It helps them show compliance with relevant legal and regulatory obligations, such as the Companies Act 2016 and GDPR.

 It makes stakeholders confident in their IT services.

 It enhances the ROI on IT investment.

 Lastly, organizations can fulfill requirements from corporate governance and public listings.

Introduction to Corporate Governance


Corporate governance enables an organization's management and the board to face the challenges
of effectively running their business. It also ensures the adequacy of the decision-making capabilities
of the organizations to ensure the fulfillment of the stakeholders' interests. Furthermore, it also
enables organizations to fulfill their commitment to various legal and regulatory frameworks, such as
the GDPR and the DPA (Data Protection Act) 2018.
How Does Corporate Governance Help With Fulfilling GDPR Requirements?
How are GDPR and corporate governance connected? GDPR requires data processors and
controllers to show their compliance with its requirements using specific documentation, such as
procedures, logs, and policies. Organizations can easily maintain their data privacy policies and
procedures by incorporating the elements of corporate governance and IT governance.

What Are Some of the Best Models of IT Governance?
Following are some of the most well-known IT governance models and frameworks used globally.
ITIL - Information Technology Information Library
ITIL is one of the most well-recognized ITSM (Information Technology Service Management) frameworks. The latest version of ITIL, i.e., ITIL 4, was introduced in 2019. ITIL is also supported by ISO/IEC 20000-1:2018. Mainly, the ITIL framework emphasizes service management.

COBIT - Control Objectives for Information and Related Technology


COBIT is another well-recognized IT governance control framework that assists organizations with
risk management, regulatory compliance, and connecting an organization's IT strategy with its
overall goals. The most recent version of COBIT is COBIT 2019, launched in 2018. COBIT 2019
extends COBIT 5, and it provides the most recent advancements in enterprise IT, along with its new
principles. The primary focus of the COBIT framework is process management.

ISO/IEC 38500:2015
ISO/IEC 38500 sets forth concepts, definitions, and a high-level framework that organizations of all sizes may use to better align their use of information technology with organizational decisions and satisfy their legal, regulatory, and ethical requirements.

Calder-Moir IT Governance Framework


This framework offers a systematic direction for approaching IT governance. It can aid in
benchmarking the balance and efficacy of an organization's IT governance practices.

IT Governance - The Five Domains


There are five domains of IT governance:
Enterprise Governance and IT Governance
Given the importance of technology in today's industry, it is essential to realize that IT is the key
differentiator that gives businesses a competitive advantage, such as agility and speed to market,
compared to their competitors. IT Governance can no longer exist in isolation and must be
integrated into Enterprise Governance. IT governance plays a critical role in achieving
corporate objectives. Its function is to guarantee the responsible and efficient use of IT resources
while controlling any risks an organization may face.
The Foundation of Good Governance Practices in Modern Organizational Practices
There are 3 pillars of good governance practices concerning modern corporate culture, policy-making, and enterprise practices:

 Transparency: It enables trust by making the strategy, processes, and transactions visible to internal
and external stakeholders.

 Accountability: Accountability creates a sense of ownership by making individuals realize their responsibilities.

 Security: It ensures the organization remains protected against IP theft, hacking, ransomware, data breaches, and cyber-attacks. Without proper security measures in place, the organization cannot function effectively and will create a lack of trust in its stakeholders.

Enterprise Governance - Framework
Keeping the picture from the previous page in mind, we can see that Corporate Governance and related operations are more concerned with conformity and assurance and take a "look back/after the fact" perspective. Business Governance includes performance, strategy, strategy implementation, management, and business improvement, and takes a "look ahead/forward" perspective. That said, organizations must balance both these governance models to achieve their business objectives successfully.
Side Effects of Overdone Compliance Monitoring
Compliance monitoring is an integral part of both corporate and business governance. However, overdone compliance monitoring, purposeless assurance monitoring, and associated redundant or duplicative processes can all hinder an organization's progress.
Side Effects of Underdone Compliance Monitoring
If overdoing compliance monitoring is dangerous, then not doing it properly is also detrimental. Lack
of effective risk management, mitigation methods, or an accurate understanding of risk
exposure can all be a barrier to attaining business objectives. Therefore, Corporate
Governance must induce a sense of accountability and offer assurance to the organizations, while
Business Governance should aid in creating value and optimal resource use. Together, both these
frameworks can provide a feedback loop to the organization to change its direction into a correct
course.

How is IT Helping Organizations Reshape?


IT and technology have played a constructive role, especially where organizations have had to alter
and adjust their operations. We can look at several success stories about how IT has shaped
various organizations and their overall operational dynamics.

For example, Zoom was not very popular before the COVID-19 pandemic but has seen exceptional growth ever since. The pandemic has also significantly changed our perceptions of communicating and connecting with each other.

The Work From Home (WFH) model, remote working, and online meetings have largely replaced the onsite presence that organizations previously required.

Another example of IT reshaping organizational functions can be taken from hospitals. Instead of requiring patients to visit their physicians, many of them have introduced the telehealth model. Through telehealth, patients can consult doctors using online video-calling platforms. Innovations like these advocate for robust IT service management systems within enterprises. Organizations, businesses, and enterprises that do not upgrade themselves in this regard cannot keep up with their competitors in the market.

What is COBIT?
As we mentioned in the previous topic, COBIT (Control Objectives for Information and related Technologies) is an IT governance framework, with its latest version being released in 2019. It is used by businesses that aim to implement, monitor, and enhance best practices in IT management. The credit for developing the COBIT framework goes to ISACA. ISACA is a global, independent, non-profit organization dedicated to the development, adoption, and use of globally accepted information systems (IS) knowledge and practices.
Which Organizations can Implement COBIT?
Any organization willing to ensure the quality, control, and reliability of its information
system can implement COBIT. As we mentioned earlier, IT governance frameworks, like ITIL and
COBIT, can help organizations become compliant with different regulators. With COBIT, for
example, we know that US organizations use it to become compliant with the Sarbanes-Oxley Act
(SOX).

COBIT - A Brief History
This is a brief historical timeline of COBIT and the subsequent versions that have been released in recent years:

 1996 - COBIT was first released to help financial auditors handle the growing complexity of IT
settings.

 1998 - ISACA published a complete version that covered topics other than audit controls.

 2000s - Versions 3 and 4 were released. They contained further cybersecurity management
principles.

 2013 - COBIT 5 was released with the goal of offering tools, best practices, and goals that were universally relevant to all enterprise IT operations. COBIT 5 expanded on COBIT 4 by including associated International Organization for Standardization (ISO) standards, such as the IT Infrastructure Library (ITIL).

 2019 - This latest edition is a more generic, comprehensive, and adaptable tool that may be utilized
by any business, regardless of size or immediate goals.
The Basics of the COBIT Framework and Principles
The COBIT framework allows businesses to meet their objectives by combining the use of IT, linked
sources, and processes. The following are the two primary parameters provided through the COBIT
framework:

 Control - It contains practices, procedures, structures, and policies to provide an assurance level to
the businesses to meet their goals.

 IT Control Objectives - They define the level of acceptable results that a business can attain by implementing the control procedures for a specific IT operation.

The Five Principles of the COBIT Framework


Following are the five principles of the COBIT framework:

 Fulfilling the stakeholders' needs.

 End-to-end coverage of enterprise needs.

 Application of a single integrated framework.

 Taking a holistic approach.

 Separating governance and management.

Prerequisites for Implementing COBIT


COBIT 2019 is a tool designed to help businesses support their IT operations. Therefore, to use this
framework to its full potential, it is essential to learn about some of the major prerequisites before
implementing this framework:

 Objectives: COBIT 2019 has around 40 corporate management and governance goals. Based on
the needs of various stakeholders, IT administrators might prioritize or ignore these objectives.

 Domains: All COBIT objectives have been grouped into specific domains which are concerned with
different business processes, such as planning, monitoring, and building.

 Goals cascade: It explains the connections between business needs and goals.
 Components (Enablers): These are generic elements, such as process descriptions, infrastructure,
skills, and IT-influencing infrastructures.

 Designing factors: These are the contextual, tactical, and strategic factors defining the organizational needs and the way to address them. The design factors drive technology choices (e.g., the cloud) and implementation methodologies, such as outsourcing, DevOps, ITIL 4, Agile, etc.

COBIT 5 vs COBIT 2019


Some of the major differences between COBIT 5 and COBIT 2019 are:

 Enhancement in the framework's alignment with global frameworks, standards, and best practices.

 A new mechanism added in the 2019 version allows COBIT users to provide feedback, share applications, and further evolve the framework.

 Newly added guidance and tools also allow tweaking the IT governance system to fulfill specific IT
goals and make the decision-making processes even better.

The Importance of COBIT


In the absence of a standard language, an enterprise being audited must educate each individual
auditor about when, how, and why various IT controls were implemented. The COBIT framework fills
this gap and allows business leaders, compliance auditors, and IT professionals to communicate
about IT controls, goals, objectives, and outcomes.

COBIT and Other Governance Frameworks


This is a brief comparison of COBIT with two IT governance frameworks, i.e. ITIL and TOGAF:
COBIT and ITIL
Both COBIT and ITIL are critical analytical tools for IT governance. The two frameworks,
which have some overlap, can be used efficiently together. While the ITIL framework focuses on
IT service management (ITSM), the COBIT framework focuses on risk management and may
apply to practically any aspect of the business. ITIL uses third-party tools, such as the Tudor IT
Process Assessment (TIPA), when a company needs to document compliance. COBIT audits are
always performed by ISACA Certified Information Systems Auditors.
COBIT and TOGAF

The Open Group Architecture Framework (TOGAF) is a complementary Governance, Risk, and
Compliance (GRC) framework. TOGAF was founded and is maintained by The Open Group, an
independent industry association.

Here, it is essential to know that TOGAF is based on TAFIM, or Technical Architecture Framework
for Information Management, which was developed by the United States Defense Department
(DOD).

The Open Group released TOGAF version 9 in early 2009. The Open Group and others now lead
TOGAF certification and instructional programs, and enterprise architects are typically in charge of
implementing TOGAF within enterprises.

The COBIT Product Architecture


COBIT has developed an end-to-end approach centered on the COBIT Core Model, with the
Governance and Management Objectives as the primary piece, to achieve a customized framework
for each firm willing to implement a strong EGIT (Enterprise Governance for IT).

This core model will receive input not only from external frameworks and laws but also from
company stakeholders. These requirements result in a set of objectives that must be met according
to Design Factors and Focus Areas. The results of this entire strategic design then aid in the
transition to the Tailored Enterprise Governance System, which is then implemented, monitored, and
managed to achieve the required EGIT objectives and performance.
To ensure the best possible acceptance, a number of fundamental COBIT publications, from
Foundation to Governance to Design and Implementation, were created for this new version,
including step-by-step comprehension and training guides.

The COBIT Core Model

The Five Domains of COBIT
 The EDM Domain
 The APO Domain
 The BAI Domain
 The DSS Domain
 The MEA Domain


The COBIT Core Model - Domains
The EDM Domain
In the COBIT Core Model, the governance objectives are grouped in the EDM (Evaluate, Direct,
and Monitor) domain. This domain allows the governing body to:

 Analyze strategic options.

 Direct the senior management on the chosen objectives.

 Monitor the fulfillment of the strategy.

The APO Domain


The APO (Align, Plan, and Organize) domain addresses the following:

 The overall organizational strategy.

 The supporting activities for Information and Technology (I&T).

The BAI Domain


The BAI (Build, Acquire, and Implement) domain addresses the following components:

 Definition of IT solutions and their integration into the business process.

 Acquisition of IT solutions and their integration into the business process.

 Implementation of IT solutions and their integration into the business process.

The DSS Domain


The DSS (Deliver, Service, and Support) domain is related to the operational delivery and support of
IT delivery services and security.
The MEA Domain
The MEA (Monitor, Evaluate, and Assess) domain is concerned with performance monitoring, I&T
conformance with internal performance targets, external objectives, and internal control objectives.
The Objectives of COBIT 2019

One of the essential management objectives is the APO (Align, Plan, and Organize) domain. The main focus of this COBIT objective is to help enterprises build a robust strategy. This objective raises several important questions, such as:

 Is there a viable strategy present within the organization?

 Is the strategy right for the organization?

 Can the organization embark on its strategic journey?

 What parameters can help the organization determine whether its strategy is right?

Cascading the COBIT Goals


COBIT provides information about EGs (Enterprise Goals), AGs (Alignment Goals), and the
metrics used to measure them. In this figure, you can see how the COBIT goals are cascaded.
Firstly, stakeholders' needs must be converted into the actionable strategy of the enterprise. Further
cascading these goals helps with the transformation of EGs into AGs.
COBIT Performance Management
The goal of COBIT Performance Management (CPM) is to assess how well a company's
governance and management system and all of its components work and how they can be improved
to attain desired levels of process and practice competence and maturity.

The CPM assessment results show the current process, focus area capability, and maturity. They
are also used for improving the relevant governance and management components, allowing
businesses to:

 Increase their value.

 Measure their progress in achieving the current and projected business goals.

 Modify their benchmarking.

 Report consistently.

 Adhere to organizational compliance.

You will learn more about COBIT performance management in the next topic.
Grouping the COBIT 2019 Domain
Recalling from the previous topic, all the governance objectives from the COBIT framework are
collected under the EDM Domain. Here, the governing body:

 Assesses all the strategic options.

 Guides the senior management regarding the chosen objectives.

 Monitors the progress of the strategy.

Along with the EDM domain, the management objectives are grouped as under:

 The APO Domain: It addresses the organizational strategy and supports the enterprise's IT activities.

 The BAI Domain: It defines and helps with the acquisition and implementation of IT solutions and
their incorporation into business.

 The DSS Domain: It addresses operational delivery and supports security and IT activities.

 The MEA Domain: It is related to performance monitoring and conformity of IT and internal
performance targets, along with external requirements and internal control objectives.

Applying the COBIT Performance Management
Any organization willing to incorporate CPM can do so by dividing the process into various steps, such as:

1. Conducting the COBIT 2019 awareness sessions with the identified stakeholders.
2. Tailoring a governance system to the applicable governance and management objectives of COBIT 2019.
3. Identification of the respective process owners.
4. Obtaining evidence.
5. Performing the process activity rating.
6. Reporting the identified opportunities and strengths.

Applying the COBIT Framework - Steps 1 & 2


1. Conducting the COBIT Awareness Session

There are a lot of benefits associated with conducting the COBIT 2019 sessions with the identified stakeholders. By conducting these sessions, an organization can ensure that all identified stakeholders actively participate during the assessment. Their participation is essential to complete these assessment activities, make proper decisions, and take corrective actions.

In order to understand the assessment scope properly, it is necessary to assess the context of the business and its IT operations. This will be helpful for both the business and its stakeholders to understand the important priorities and find any defects that might be encountered in their progress.
2. Designing a Governance System
There are various stages involved in the governance system workflow (shown on the next page).
They prioritize governance and management objectives and allow the organization to assign and
achieve the target capability levels.

Pictorial Representation of the Governance System
After concluding the governance system design workflow, the following must be included:
(1) Prioritized governance and management objectives, (2) Target capability for processes, and (3) Recognizing any governance component that must be resolved after a particular issue.
3. Identification of the Respective Process Owners
4. Obtaining Evidence
Here, the organization creates templates for process assessments for all agreed-upon processes.
The primary sources of information and process experience are the process owners, participants,
and users of the process outputs. These groups are also in a good position to spot possible
process capability gaps. Management should express unambiguous support for the evaluation in
order to encourage participants to be constructive throughout.

It should be made clear that process assessments are concerned with the processes themselves
and not with the efficiency of the involved enterprise personnel. The purpose here is to improve
the processes' performance in support of clearly defined corporate goals, not to assign blame for
subpar performance of specific individuals.
Evidence should be gathered methodically using a clearly stated plan and technique that is
simple to demonstrate. All of the data should be sufficient to fulfill the assessment's objectives
and purpose, and it should be simple to connect the data to the relevant governance and
management goals.
While obtaining evidence, it is necessary for the organization to relate each objective with the relevant
processes, practices, and activities. This evidence can either be direct, i.e., documented or in the form of the
outcomes, or indirect, i.e., plans for producing specific outcomes. Here, the primary evidence will be obtained
from interviews, and their results will be confirmed by examining work products and outputs from the
practices whose objectives have been assessed.

Applying the COBIT Performance Management


5. Performing the Process Activity Rating
While assessing each objective, a rating is assigned for each process activity. This rating includes the highest capability level defined within the assessment scope. The rating is based on verified data, and a traceable relationship must be kept between the quantifiable data gathered and the process activity ratings given. This is the rating scale to be used here:

 Fully - The capability level is achieved at 85% or more.

 Largely - Achievement lies between 50% and 85%.

 Partially - Achievement lies between 15% and 50%.

 Not - Achievement is below 5%.
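As an added example, not part of the course material, the following Python models steps 4 and 5: each activity rating carries references to the verified evidence behind it, an activity with no verified evidence is refused (the rating would not be traceable), activities above the highest in-scope capability level are left out, and the rating bands are the ones listed above. Two points are assumptions rather than course content: the scale is treated as contiguous, so anything below the 15% floor of Partially is rated Not; and the rule for attaining a capability level (every activity at that level Largely or Fully, every lower level Fully) is the ISO/IEC 15504-style convention, which the text does not state. The process, activity names and evidence identifiers are constructed sample data; only APO13.02 appears on the page.

```python
"""Process activity rating for a COBIT CPM assessment.

Added example, not part of the course material. Process, activity names
and evidence identifiers below are constructed sample data.
"""
from dataclasses import dataclass, field

# Rating bands from the scale above (percentage of the activity's criteria met).
# Assumption: the scale is contiguous, so everything below the 15% floor of
# "Partially" is rated "Not".
SCALE = (
    ("Fully", 85.0),
    ("Largely", 50.0),
    ("Partially", 15.0),
    ("Not", 0.0),
)


@dataclass(frozen=True)
class Evidence:
    ref: str        # identifier of the work product or interview record
    kind: str       # "direct" (documented outcome) or "indirect" (plan)
    verified: bool  # confirmed against work products / practice outputs


@dataclass
class Activity:
    name: str
    level: int       # capability level the activity belongs to
    achieved: float  # percentage of the activity's criteria that are met
    evidence: list = field(default_factory=list)


def rate(pct):
    """Map an achievement percentage onto the rating scale."""
    if not 0.0 <= pct <= 100.0:
        raise ValueError(f"achievement {pct} is not a percentage")
    for label, floor in SCALE:
        if pct >= floor:
            return label


def rate_activity(act):
    """Rate one activity and keep the trace back to its verified evidence.

    An activity with no verified evidence cannot be rated: the rating would
    have nothing quantifiable to trace back to.
    """
    verified = [e.ref for e in act.evidence if e.verified]
    if not verified:
        raise ValueError(f"{act.name}: no verified evidence, rating is not traceable")
    return {"activity": act.name, "level": act.level,
            "rating": rate(act.achieved), "evidence": verified}


def achieved_level(ratings, max_level):
    """Highest capability level attained within scope.

    Assumption (ISO/IEC 15504-style convention, not stated on the page):
    level N is attained when every in-scope activity at level N is rated
    Largely or Fully and every activity below level N is rated Fully.
    """
    attained = 0
    for lvl in range(1, max_level + 1):
        here = [r["rating"] for r in ratings if r["level"] == lvl]
        below = [r["rating"] for r in ratings if r["level"] < lvl]
        if not here:
            break
        if all(r in ("Largely", "Fully") for r in here) and all(r == "Fully" for r in below):
            attained = lvl
        else:
            break
    return attained


def rate_process(process_id, activities, max_level):
    """Rate every activity up to max_level (the highest level in scope)."""
    in_scope = [a for a in activities if a.level <= max_level]
    ratings = [rate_activity(a) for a in in_scope]
    return {"process": process_id, "max_level": max_level,
            "ratings": ratings, "achieved_level": achieved_level(ratings, max_level)}


# Constructed sample: APO13.02 is referenced on the page; the other activity
# names and all evidence refs are made up for illustration.
SAMPLE_ACTIVITIES = [
    Activity("Define the ISMS scope", 1, 100.0,
             [Evidence("DOC-ISMS-SCOPE", "direct", True)]),
    Activity("Establish and maintain the ISMS", 2, 85.0,  # boundary: 85% is Fully
             [Evidence("DOC-ISMS-POLICY", "direct", True),
              Evidence("INT-CISO-01", "indirect", True)]),
    Activity("APO13.02 Information security risk treatment plan", 2, 60.0,
             [Evidence("DOC-RISK-TREATMENT-PLAN", "direct", True),
              Evidence("INT-RISK-OWNER-01", "indirect", False)]),  # unverified: not cited
    Activity("Monitor and review the ISMS", 3, 50.0,  # boundary: 50% is Largely
             [Evidence("REP-ISMS-REVIEW-Q1", "direct", True)]),
    Activity("Benchmark the ISMS against peers", 4, 10.0,  # above max_level: out of scope
             [Evidence("PLAN-BENCHMARK", "indirect", True)]),
]

if __name__ == "__main__":
    result = rate_process("APO13", SAMPLE_ACTIVITIES, max_level=3)
    for r in result["ratings"]:
        print(f"L{r['level']} {r['rating']:<9} {r['activity']}  <- {', '.join(r['evidence'])}")
    print("achieved capability level:", result["achieved_level"])
```

In the sample the level 3 activity is rated Largely, yet the process only attains level 2, because one level 2 activity is Largely rather than Fully; this is the kind of result the traceability requirement exists for, since the assessor can point at the exact activity and evidence that held the level back.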

6. Reporting the Identified Strengths
The assessment sponsor must get the output document with the assessment results. The report should contain the observed strengths and weaknesses found in the process capabilities and highlight any possibilities for process improvement. The report analyzes and presents the assessment's findings. An assessment's final output is a report that specifies the current competency level.
Through this topic, we have learned how the COBIT CPM incorporates several steps that can help an organization evaluate its governance and management system. COBIT Performance Management is also helpful in evaluating various components of the enterprise framework.

By following these steps correctly, organizations can perform an effective capability assessment of their
governance and management system. Not only that, but this evaluation is also helpful in determining any
improvement required. Furthermore, it is important to mention that:

 Process activities are associated with capability levels that manage the processes' performance.

 Maturity levels are associated with focus and can be achieved after fulfilling all the required capability levels.
Transforming the Organizational IT Structure
An IT department's organizational structuring (or restructuring) often results from a number of adjustments,
trials, experiments, and political maneuvers. It is frequently changed to fit or accommodate different people. In
turn, this makes the organization occasionally inefficient, problematic, and expensive.
To avoid such problems, it is necessary to opt for an efficient, workable method that makes this transformation process smooth and easy. In this regard, the following steps are to be followed:
1. Selecting the standards.
2. Performing the first iteration.
3. Designing the APO, DSS, and BAI sections.
4. Designing the MEA section.
5. Designing the job descriptions.
6. Revising the IT processes.

Step 1: Selecting the Standards


Delivering value to stakeholders via IT-enabled investments is the primary goal of structuring an
organization's IT framework. In order to make the ultimate design non-controversial, the organizational
design should adhere to standards and best practices. Here, the organization can choose any of the following
set of IT governance frameworks:

 COBIT 2019: It covers all the required aspects of IT in terms of processes and tasks. It also enables the
organization to ensure the alignment between the stakeholder requirements, enablers, and the enterprise's IT-
related goals.

 ISO/IEC 38500:2015: It covers all the aspects of governance.

 ISO/IEC 20000: It covers all the aspects of service management.

 ISO/IEC 27001: It covers all aspects of information security.

 Skills Framework for the Information Age (SFIA V6): This framework ensures that the required skills are acquired and reflected in the job descriptions.

Step 2: Performing the First Iteration


After selecting the COBIT 2019 framework to structure the IT infrastructure of the enterprise, the next step
will be to perform the first iteration using the following functional elements:

 EDM (Evaluate, Direct, and Monitor) domain

 APO (Align, Plan, and Organize) domain

 BAI (Build, Acquire, and Implement) domain

 DSS (Deliver, Service, and Support) domain

 MEA (Monitor, Evaluate, and Assess) domain

 BoD (Board of Directors)

 BoD strategy executive committee

 Steering committee (It reports to the CEO)

 CEO

 CIO (Chief Information Officer)

Outputs from the First Iteration (Step 2)


Outputs from the First Iteration - 1
From Key Practice:
- Output Description: APO13.02 Information security risk treatment plan
Destination: All EDM; All APO; All BAI; All DSS; All MEA

From Governance Practice:


- Output Description: EDM01.01 Enterprise governance guiding principles
Destination: All EDM
- Output Description: EDM01.01 Decision-making model
Destination: All EDM
- Output Description: EDM01.02 Enterprise governance communication
Destination: All EDM
- Output Description: EDM01.01 Authority levels
Destination: All EDM
- Output Description: EDM01.03 Feedback on governance effectiveness and performance
Destination: All EDM

Outputs from the First Iteration - 2


Outputs to All Management Processes
From Management Practice:
- Output Description: APO01.01 Management system design
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO01.01 Priority governance and management objectives
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO01.02 Communication on I&T objectives
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO01.02 Communication ground rules
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO01.03 Target model gap analysis
Destination: All APO; All BAI; All DSS; All MEA

Outputs from the First Iteration - 3


- Output Description: APO01.11 Process improvement opportunities
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO02.05 I&T strategy and objectives
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO02.06 Communication package
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO11.03 Quality management standards
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO11.04 Process quality of service goals and metrics
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO11.05 Communications on continual improvement and best practices
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO11.05 Examples of good practice to be shared
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: APO11.05 Quality review benchmark results
Destination: All APO; All BAI; All DSS; All MEA
Outputs from the First Iteration - 4
- Output Description: MEA01.02 Monitoring targets
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA01.04 Performance reports
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA01.05 Remedial actions and assignments
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA02.01 Results of internal control monitoring and reviews
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA02.01 Results of benchmarking and other evaluations
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA02.03 Results of reviews of self-assessments
Destination: All APO; All BAI; All DSS
- Output Description: MEA02.03 Self-assessment plans and criteria
Destination: All APO; All BAI; All DSS; All MEA

Outputs from the First Iteration - 5


- Output Description: MEA02.04 Control deficiencies
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA02.04 Remedial actions
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA03.02 Communications of changed compliance requirements
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA04.02 Assurance plans
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA04.08 Assurance review report
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA04.08 Assurance review results
Destination: All APO; All BAI; All DSS; All MEA
- Output Description: MEA04.09 Remedial actions
Destination: All APO; All BAI; All DSS; All MEA

Step 3: Designing the APO, DSS, and BAI Sections
The APO, DSS, and BAI domains of the COBIT framework comprise subdomains, also known as processes.
They form various sections, as was shown in the third topic.
(Figure: the APO domain of the COBIT framework, as shown in the third topic.)
Now, we will look at how some of these processes can be grouped together:

 APO01 and APO02 can be grouped as IT strategies.

 APO05, APO06, and APO07 can be grouped as IT Project Management.

 APO11 and APO12 can be combined as IT Assurance.

The same can be done for the DSS and BAI sections.

Steps 4 and 5 of Organizational Restructuring


Step 4: Designing the MEA Section

Every medium-sized and large IT setup must have an IT assurance section to ensure IT governance within the
setup. This must be coordinated with the internal audit in terms of planning and technology audits. This
cooperation must also be ensured with the corporate compliance department to plan, implement, and monitor
laws, standards, codes, and good practices.
In contrast to larger organizations, smaller organizations can make their MEA section a part of the internal
audit or split it among internal audit and corporate compliance.
Step 5: Designing the Job Description
Once the organization's structure is designed, it's time to move on to designing the job descriptions. These descriptions can be a combination of the activities and related metrics given in COBIT and the activities in SFIA V6.

Finalizing the Job Descriptions


Any metrics or activities not assigned must be mentioned with their nonassignment being justified.
Step 6: Revising the IT Processes
Job descriptions should be in step with IT procedures. As a result, all IT processes must be evaluated, and roles
redistributed to adhere to the new job definitions. Some of the best tools for IT organization, design, and
maintenance are:

 Process management.

 Risk management.

 Enterprise architecture.

Many governance, risk management, and compliance (GRC) technologies have been evaluated and examined with the goal of applying them to the design of organizations. A GRC tool with strong process management capabilities, combined with risk management and enterprise architecture, is required. It would be excellent if that package of tools also included a maturity evaluation.

The 6-step technique outlined in this topic has been used to restructure an organization's IT framework in
many large and small firms. In large companies, the activity may take weeks, whereas in small ones, it may
take only a week.
