
CDI2 COBIT Design Implementation Slides+v1.0


Design and Implementation Course
Instructor name

Copyright © 2019 Information Systems Audit and Control Association, Inc. All rights reserved.
MODULE 1
COURSE INTRODUCTION

2
SECTION 1 TOPICS – NOT TESTED / NOT FOR EXAM

Welcome

Housekeeping & Course Materials

Exam Information

See video lectures and Student Guide for Section 1 Topics Content

3
MODULE 2
COBIT 2019 BASIC CONCEPTS

4
MODULE 2 TOPICS AND LEARNING OBJECTIVE

Topics
• COBIT 2019 Architecture and Products
• Governance & Management Objectives
• Components of the Governance System
• Design Factors
• Focus Areas
• Performance Management
• Module Summary

Learning Objectives
(1) Describe the key concepts of COBIT 2019 as taught in the COBIT Foundation course.

5
COBIT 2019 ARCHITECTURE AND PRODUCTS

6
COBIT 2019 ARCHITECTURE

7 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 4: Basic Concepts, page 19
COBIT 2019 PRODUCTS

COBIT® 2019 Framework: Introduction and Methodology

COBIT® 2019 Framework: Governance and Management Objectives

COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution

COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology

8 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 4: Basic Concepts, page 19
GOVERNANCE AND MANAGEMENT OBJECTIVES

9
GOVERNANCE AND MANAGEMENT OBJECTIVES
For I&T to contribute to enterprise goals, several
governance and management objectives should be
achieved.

Basic concepts include:


• A governance or management objective always relates
to one process and a series of related components of
other types to help achieve the objective.
• A governance objective relates to a governance
process, while a management objective relates to a
management process.
• Governance processes typically are under the
accountability of boards and executive management;
management processes are the domain of senior and
middle management.
10 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4, page 20
GOVERNANCE AND MANAGEMENT OBJECTIVES

Governance Objectives
• EDM: Evaluate, Direct and Monitor

Management Objectives
• APO: Align, Plan and Organize
• BAI: Build, Acquire and Implement
• DSS: Deliver, Service and Support
• MEA: Monitor, Evaluate and Assess

11 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4, page 20
COBIT CORE MODEL

12 Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction, pages 10-11
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
COMPONENTS OF THE GOVERNANCE SYSTEM

14
COMPONENTS OF A GOVERNANCE SYSTEM
To satisfy governance and management objectives,
each enterprise needs to establish, tailor and
sustain a governance system built from several
components.
• Components are factors that, individually and
collectively, contribute to the good operations of the
enterprise’s governance system over I&T.
• Components interact with each other, resulting in a
holistic governance system for I&T.
• Components can be of different types; the most familiar
are processes.

15 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4, page 21
COMPONENTS OF A GOVERNANCE SYSTEM

Governance System components:
• Processes
• Organizational Structures
• Information Flows and Items
• People, Skills and Competencies
• Principles, Policies, Procedures
• Culture, Ethics and Behaviour
• Services, Infrastructure and Applications

16 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4, page 21-22
DESIGN FACTORS

17
DESIGN FACTORS

18 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4, page 23
FOCUS AREAS

19
FOCUS AREAS

A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.

Focus areas can contain a combination of generic governance components and variants.

The number of focus areas is virtually unlimited. That is what makes COBIT open-ended: New focus areas can be added as required or as subject matter experts and practitioners contribute.

Examples of focus areas:
• Small and medium enterprises
• Cybersecurity
• Risk
• DevOps

20 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4, page 22-23
PERFORMANCE MANAGEMENT

21
COBIT PERFORMANCE MANAGEMENT DEFINITION AND PRINCIPLES
Performance management is an essential part of a governance and management system.

How an enterprise can be improved up to the required level:
• Capability levels
• Maturity levels

COBIT 2019 is based on the following principles:
• Simple to understand and use
• Consistent with and support the COBIT conceptual model
• Provide reliable, repeatable and relevant results
• Must be flexible
• Should support different types of assessments

The term “COBIT Performance Management” (CPM) is used to describe capability and maturity level assessment activities, and the concept is an integral part of the COBIT framework.

22 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT page 37
COBIT PERFORMANCE MANAGEMENT OVERVIEW

The CPM model largely aligns to and extends CMMI® Development 2.0 concepts:
• Process activities are associated to capability levels. This is included in
COBIT 2019 Framework: Governance and Management Objectives.
• Other governance and management component types (e.g., organizational
structures, information) may also have capability levels defined for them in
future guidance that ISACA may release.
• Maturity levels are associated with focus areas (i.e., a collection of
governance and management objectives and underlying components) and
will be achieved if all required capability levels are achieved.

23 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT, page 37
COBIT PERFORMANCE MANAGEMENT OVERVIEW

24 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT , page 38
PROCESS CAPABILITY LEVELS

25 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT
FOCUS AREA MATURITY LEVELS

26 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT
MODULE 2 SUMMARY

27
SECTION 2 SUMMARY

• COBIT 2019 Architecture and Products
• Governance & Management Objectives
• Components of the Governance System
• Design Factors
• Focus Areas
• Performance Management

28
MODULE 3
DESIGN FACTORS FOR A GOVERNANCE SYSTEM

29
MODULE 3 TOPICS AND LEARNING OBJECTIVES

Topics
• Definition and overview
• Enterprise strategy
• Enterprise goals
• Risk profile
• I&T related issues
• Threat landscape
• Compliance requirements
• Role of IT
• Sourcing model for IT
• Implementation methods
• Technology adoption
• Enterprise size
• Industry dimension
• Case study exercise
• Module Summary

Learning Objectives
(2) Describe the benefits of the COBIT 2019 Design Guide for its target audience.
(3) Describe the current design factors in COBIT 2019.
(4) Apply the design factor concept to identify relevant values.

30
DEFINITION AND OVERVIEW

31
DESIGN FACTORS
Design factors are elements that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.
• The design factors are listed here and the potential impacts they can have on the governance system are noted throughout this module.
• More information and detailed guidance on how to use the design factors for designing a governance system can be found in the COBIT 2019 Design Guide.

Design factors include any combination of the following:
• Enterprise strategy
• Enterprise goals
• Risk profile
• IT-related issues
• Threat landscape
• Compliance requirements
• Role of IT
• Sourcing model for IT
• IT implementation methods
• Technology adoption strategy
• Enterprise size
• Future factors

32 Reference: COBIT 2019 Framework, Chapter 4, page 23


DESIGN FACTORS

33 Reference: COBIT 2019 Framework, Chapter 4, page 23


INTENDED AUDIENCE
The Design Guide explores design factors that can influence governance and includes a workflow for planning a tailored governance system for the enterprise.

Direct Stakeholders
• Board members
• Executive and senior management
• Experience enterprise professionals

Indirect Stakeholders
• Customers
• Users
• Citizens

Responsible Parties
• Those responsible during the whole life cycle of the governance solution, from initial design to execution

34 Reference: COBIT 2019 Design Guide, Chapter 1, page 16


DESIGN FACTORS

35
DESIGN FACTOR 1: ENTERPRISE STRATEGY

Enterprises can have different strategies, which can be expressed as (a combination of)
the archetypes shown below. Organizations typically have a primary strategy and, at
most, one secondary strategy.

Figure 2.5—Enterprise Strategy Design Factor


Strategy Archetype | Explanation
Growth/Acquisition | The enterprise has a focus on growing (revenues).
Innovation/Differentiation | The enterprise has a focus on offering different and/or innovative products and services to their clients.
Cost Leadership | The enterprise has a focus on short-term cost minimization.
Client Service/Stability | The enterprise has a focus on providing stable and client-oriented service.

36 Reference: COBIT 2019 Design Guide, Chapter 2, page 22


DESIGN FACTOR 2: ENTERPRISE GOALS

Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, structured along the balanced scorecard (BSC) dimensions.

Figure 2.6—Enterprise Goals Design Factor

Reference | Balanced Scorecard (BSC) Dimension | Enterprise Goal
EG01 | Financial | Portfolio of competitive products and services
EG02 | Financial | Managed business risk
EG03 | Financial | Compliance with external laws and regulations
EG04 | Financial | Quality of financial information
EG05 | Customer | Customer-oriented service culture
EG06 | Customer | Business-service continuity and availability
EG07 | Customer | Quality of management information
EG08 | Internal | Optimization of internal business process functionality
EG09 | Internal | Optimization of business process costs
EG10 | Internal | Staff skills, motivation and productivity
EG11 | Internal | Compliance with internal policies
EG12 | Growth | Managed digital transformation programs
EG13 | Growth | Product and business innovation

37 Reference: COBIT 2019 Design Guide, Chapter 2, page 22


DESIGN FACTOR 3: RISK PROFILE

The risk profile identifies the sort of I&T-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.

38 Reference: COBIT 2019 Design Guide, Chapter 2, page 23 - 25


DESIGN FACTOR 3: RISK PROFILE

• IT-investment decision making, portfolio definition and maintenance
• Program and projects lifecycle management
• IT cost and oversight
• Enterprise/IT architecture
• IT expertise, skills and behavior
• IT operational infrastructure incidents
• Unauthorized actions
• Software adoption/usage problems
• Hardware incidents
• Software failures
• Logical attacks (hacking, malware, etc.)
• Third-party/supplier incidents
• Noncompliance
• Geopolitical issues
• Industrial action
• Acts of nature
• Technology-based innovation
• Data and information management
• Environmental

39 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.7


DESIGN FACTOR 4: I&T RELATED ISSUES
A related method for an I&T risk assessment is for the enterprise to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized. These are the most common of such issues:

Figure 2.8–I&T Related Issues Design Factor

Reference | Description
A | Frustration between different IT entities across the organization because of a perception of low contribution to business value.
B | Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value.
C | Significant IT related incidents, such as data loss, security breaches, project failure, application errors, etc. linked to IT.
D | Service delivery problems by the IT outsourcer(s).
E | Failures to meet IT related regulatory or contractual requirements.
F | Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems.

40 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.8


DESIGN FACTOR 4: I&T RELATED ISSUES (CONTINUED)
Figure 2.8–I&T Related Issues Design Factor

Reference | Description
G | Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets.
H | Duplications or overlaps between various initiatives or other forms of wasting resources.
I | Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction.
J | IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget.
K | Reluctance by board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT.
L | Complex IT operating model and/or unclear decision mechanisms for IT-related decisions.
M | Excessively high cost of IT.
N | Obstructed or failed implementations of new initiatives or innovations caused by the current IT architecture and system.

41 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.8


DESIGN FACTOR 4: I&T RELATED ISSUES (CONTINUED)
Figure 2.8–I&T Related Issues Design Factor

Reference | Description
O | Gap between business and technical knowledge which leads to business users and IT and/or technology specialists speaking different languages.
P | Regular issues with data quality and integration of data across various sources.
Q | High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation.
R | Business departments implementing their own information solutions with little or no involvement of the enterprise IT department.
S | Ignorance and/or noncompliance with security and privacy regulations.
T | Inability to exploit new technologies or to innovate using I&T.

42 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.8


DESIGN FACTOR 5: THREAT LANDSCAPE

The threat landscape under which the enterprise operates can be classified as shown
below:
Figure 2.9–Threat Landscape Design Factor
Threat Landscape | Explanation
Normal | The enterprise is operating under what are considered normal threat levels.
High | Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.

43 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.9


DESIGN FACTOR 6: COMPLIANCE REQUIREMENTS

The compliance requirements to which the enterprise is subject can be classified according to the categories below.

Figure 2.10—Compliance Requirements Design Factor

Regulatory Environment | Explanation
Low compliance requirements | The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
Normal compliance requirements | The enterprise is subject to a set of regular compliance requirements that are common across different industries.
High compliance requirements | The enterprise is subject to higher-than-average compliance requirements, most often related to industry sector or geopolitical conditions.

44 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.10


DESIGN FACTOR 7: ROLE OF IT

The role of IT for the enterprise can be classified as shown below.

Figure 2.11—Role of IT Design Factor


Role of IT | Explanation
Support | IT is not crucial for the running and continuity of the business process and services, nor for their innovation.
Factory | When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
Turnaround | IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency on IT for the current running and continuity of the business processes and services.
Strategic | IT is critical for both running and innovating the organization’s business processes and services.

45 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.11


DESIGN FACTOR 8: SOURCING MODEL FOR IT

The sourcing model for IT the enterprise adopts can be classified as shown below.

Figure 2.12—Sourcing Model for IT Design Factor


Sourcing Model | Explanation
Outsourcing | The enterprise calls upon the services of a third party to provide IT services.
Cloud | The enterprise maximizes the use of the cloud for providing IT services to its users.
Insourced | The enterprise provides for its own IT staff and services.
Hybrid | A mixed model is applied, combining the other three models in varying degrees.

46 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.12


DESIGN FACTOR 9: IT IMPLEMENTATION METHODS

The IT implementation methods the enterprise adopts can be classified as shown below.

Figure 2.13—IT Implementation Methods Design Factor


IT Implementation | Explanation
Agile | The enterprise uses Agile development working methods for its software development.
DevOps | The enterprise uses DevOps working methods for software building, deployment and operations.
Traditional | The enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
Hybrid | The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”

47 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.13


DESIGN FACTOR 10: TECHNOLOGY ADOPTION STRATEGY

The technology adoption strategy can be classified as shown below.

Figure 2.14—Technology Adoption Strategy Design Factor


Technology Adoption Standards | Explanation
First mover | The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
Follower | The enterprise typically waits for new technologies to become mainstream and proven before adopting them.
Slow adopter | The enterprise is very late with adoption of new technologies.

48 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.14


DESIGN FACTOR 11: ENTERPRISE SIZE

Two categories are identified for the design of an enterprise’s governance system.
Micro-enterprises (i.e., enterprises with fewer than 50 staff members) are not considered
in this view.

Figure 2.15—Enterprise Size Design Factor

Enterprise Size | Explanation
Large enterprise (Default) | Enterprise with more than 250 full-time employees (FTEs)
Small and medium enterprise | Enterprise with 50 to 250 FTEs

49 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.15


INDUSTRY DIMENSION (OPTION 1)

Why is there no industry sector design factor?

Every industry sector has its own unique set of requirements regarding expectations from the use of I&T.

However, it is possible to capture the key characteristics of an industry sector by a combination of the design factors listed in the preceding tables.

For example:
• Financial sector
• Healthcare providers
• Nonprofit enterprises
• Public sector agencies

50 Reference: COBIT 2019 Design Guide, Chapter 2, page 28


MODULE 3 SUMMARY

51
SECTION 3 SUMMARY

Topics
• Definition and overview
• Enterprise strategy
• Enterprise goals
• Risk profile
• I&T related issues
• Threat landscape
• Compliance requirements
• Role of IT
• Sourcing model for IT
• Implementation methods
• Technology adoption
• Enterprise size
• Industry dimension
• Case study exercise
52
MODULE 4
IMPACT OF DESIGN FACTORS

53
MODULE 4 TOPICS AND OBJECTIVES

Topics
• Introduction
• Management Objective Selection
• Component Variations
• Specific Focus Areas
• Module Summary

Objectives
(5) Describe the impact design factors can have on the design of a governance system.

54
INTRODUCTION

55
IMPACT OF DESIGN FACTORS
Design factors influence in different ways the tailoring of the governance system of an enterprise. There are three different types of impacts.

Design Factors impact:
• Management Objective Priority and Target Capability Levels
• Component Variations
• Specific Focus Areas

56 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


MANAGEMENT OBJECTIVE SELECTION

57
IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels

Design factor influence can make some governance and management objectives more important than others. In practice, this higher importance translates into setting higher target capability levels.

[Diagram: Design Factors linked to Management Objective Priority and Target Capability Levels, Specific Focus Areas, and Component Variations]

58 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels – EXAMPLES


Appendix A and B of COBIT 2019 Framework: Governance and Management Objectives show the
mappings from enterprise goals to alignment goals, and then from alignment goals to governance
and management objectives.

1. Identify the most relevant enterprise goal(s) from the enterprise goal list.
2. Apply the goals cascade.
3. Selection of priority management objectives.

Enterprise profile: Risk-avoidant
Goals: Fill in

59 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels - EXAMPLES

Enterprise profile: Diversify offerings increasing profit and growth
Goal:
• EG01 Portfolio of competitive products and services
Objective:
• APO05 Managed portfolio

Enterprise profile: Risk-avoidant
Goals:
• EG02 Managed business risk
Objective:
• EDM03 Ensured risk optimization
• APO12 Managed risk
• APO13 Managed security
• DSS05 Managed security services

60 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels - EXAMPLES

Enterprise profile: Operating in a high-threat landscape
Goal:
• EG02 Managed business risk
• EG06 Business service continuity and availability
Objective:
• APO13 Managed security
• DSS05 Managed security services

Enterprise profile: Role of IT is strategic and crucial to the success of the business
Goals:
• EG01 Portfolio of competitive products and services
• EG05 Customer oriented service culture
Objective:
• APO02 Managed strategy
• APO08 Managed relationships

61 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


COMPONENT VARIATIONS

62
IMPACT OF DESIGN FACTORS

Component Variations

Components are required to achieve governance and management objectives. Some design factors can influence the importance of one or more components or can require specific variations.

[Diagram: Design Factors linked to Management Objective Priority and Target Capability Levels, Specific Focus Areas, and Component Variations]

63 Reference: COBIT 2019 Design Guide, Chapter 3, page 30


IMPACT OF DESIGN FACTORS

Components Variation - EXAMPLES

Small and medium-sized enterprises might not need the full set of roles and organizational structures as laid out in the COBIT core model but may use a reduced set instead.

DevOps in solution development and operations example:
• BAI03 Managed solutions identification
• DSS01 Managed operations

64 Reference: COBIT 2019 Design Guide, Chapter 3, page 30


SPECIFIC FOCUS AREAS

65
IMPACT OF DESIGN FACTORS

Specific Focus Areas

Some design factors, such as threat landscape, specific risk, target development methods and infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context.

[Diagram: Design Factors linked to Management Objective Priority and Target Capability Levels, Specific Focus Areas, and Component Variations]

66 Reference: COBIT 2019 Design Guide, Chapter 3, page 30


IMPACT OF DESIGN FACTORS

Specific Focus Areas - EXAMPLES

Enterprises adopting a DevOps approach will require a governance system that has a variant of several generic COBIT processes, described in the DevOps focus area guidance (in development) for COBIT.

Small and medium enterprises differ from large enterprises in that they:
• Have less staff
• Fewer IT resources
• Shorter and more direct reporting lines
• Many more aspects

67 Reference: COBIT 2019 Design Guide, Chapter 3, page 30


MODULE 4 SUMMARY

68
SECTION 4 SUMMARY

Topics
• Introduction
• Management objective selection
• Component variations
• Specific focus areas

69
MODULE 5
THE GOVERNANCE SYSTEM DESIGN WORKFLOW

70
MODULE 5 TOPICS AND LEARNING OBJECTIVES

Topics
• Introduction
• Step 1: Understand enterprise context and strategy
• Step 2: Determine initial scope
• Step 3: Refine the scope
• Step 4: Resolve conflicts and conclude
• Translating design factors into governance/management objectives (for each step)
• Exercises
• Module Summary

Learning Objectives
(6) Describe design workflow of a governance system.
(7) Use the steps in the design workflow for governance systems.
(8) Apply the design workflow to a concrete situation in order to obtain a governance system design.

71
INTRODUCTION

72
DESIGN PROCESS

The design process describes how an enterprise can design a customized governance solution for enterprise I&T.

An effective and efficient governance system over I&T is the starting point for generating value and applies to all types and sizes of enterprises.

Governance over a complex domain like I&T requires a multitude of components, including processes, organizational structures, information flows and behaviors that must work together in a systemic way.

There is no unique, one-size-fits-all governance system for enterprise I&T; every enterprise has its own distinct character and profile, and will differ from other organizations in several critical respects.

Tailoring means that an enterprise should start from the COBIT core model, and from there, apply changes to the generic framework based on the relevance and importance.
73 Reference: COBIT 2019 Design Guide, Chapter 1, page 15
GOVERNANCE SYSTEM DESIGN WORKFLOW

74 Reference: COBIT 2019 Design Guide, Chapter 4, page 34


STEP 1: UNDERSTAND ENTERPRISE CONTEXT AND STRATEGY

75
UNDERSTAND THE ENTERPRISE CONTEXT AND STRATEGY

1. Understand the enterprise context and strategy.
2. Determine the initial scope of the governance system.
3. Refine the scope of the governance system.
4. Conclude the governance system design.

In the first step, we examine context, strategy and business environment to achieve a
clear understanding across four partially overlapping, interdependent and complementary
domains.

The following subsections outline the critical sub-steps in Step 1:


• Enterprise strategy
• Enterprise goals and alignment goals
• I&T risk profile
• Current I&T-related issues

76 Reference: COBIT 2019 Design Guide, Chapter 4, page 32


ENTERPRISE STRATEGY

• Determine which of the enterprise strategy archetypes best fits the enterprise strategy.
• The translation works best when clear choices are made for enterprise strategy archetypes.
• It is best to identify one primary and one secondary archetype.

Archetypes:
• Growth / Acquisition
• Cost Leadership
• Innovation / Differentiation
• Client Service / Stability

When an enterprise strategy is defined as a mix of equally important strategy archetypes, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.
Stability

77 Reference: COBIT 2019 Design Guide, Chapter 4, page 32


ENTERPRISE GOALS

• The enterprise strategy is realized through the achievement of enterprise goals.
• COBIT defines a set of 13 generic enterprise goals.
• To translate enterprise goals into a relative rating of importance of governance and management objectives (see the goals cascade), make clear choices when selecting enterprise strategy archetypes.
• Identify a few primary enterprise goals and a limited number of secondary enterprise goals: 3-5 with high priority.

When all enterprise goals are assigned equally important priorities, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.

78 Reference: COBIT 2019 Design Guide, Chapter 4, page 32


RISK PROFILE

Understand which risk scenarios may affect the enterprise and how to assess their impact and likelihood of materializing.

To achieve this understanding, a high-level risk analysis should be performed, including:
• Identification: Risk Scenarios
• Assessment: Impact & Likelihood
• Rating: High, Med, Low

When all IT risk is rated as equally important, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.

79 Reference: COBIT 2019 Design Guide, Chapter 4, page 32; Section 2.6, Item 3; see figure 2.7 page 23
CURRENT I&T RELATED ISSUES

These are also called pain points—from which the enterprise is suffering.

• These could be considered risks that have materialized.
• IT issues can be identified or reported through risk management, audit, senior management or external stakeholders.
• Clear differentiation should be made in rating I&T issues, in order to provide the necessary inputs to determine governance design priorities.

When all I&T-related issues are rated as equally serious, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.

80 Reference: COBIT 2019 Design Guide, Chapter 4, page 33


STEP 1 CONCLUSION

At the end of Step 1, the enterprise will have a clear and consistent view of enterprise strategy, enterprise goals, IT-related risk and current I&T issues.

In the next step this information will be translated into prioritized governance/management objectives for an initial scoping of a customized governance system for the enterprise.

81 Reference: COBIT 2019 Design Guide, Chapter 4, page 33


STEP 2: DETERMINE INITIAL SCOPE OF THE GOVERNANCE SYSTEM

82
DETERMINE THE INITIAL SCOPE OF THE GOVERNANCE SYSTEM

To determine the initial scope of the governance system, Step 2 synthesizes information
collected during Step 1. Values derived for enterprise strategy, enterprise goals, risk
profile and I&T-related issues are translated into a set of prioritized governance
components to yield the initial tailored governance system for the enterprise.

1. Understand the enterprise context and strategy
2. Determine the initial scope of the governance system
3. Refine the scope of the governance system
4. Conclude the governance system design

83 Reference: COBIT 2019 Design Guide, Chapter 4, page 34


TRANSLATING DESIGN FACTORS INTO GOVERNANCE AND MANAGEMENT PRIORITIES
Step 2 presents a number of relevant design factors and associated
descriptive values, whose selection will drive prioritization of
governance and management objectives.
• Decide on a qualitative vs. a quantitative approach.
• Mapping tables contain values between zero (0) and four (4) where zero is
no relevance and four is maximum relevance.
• Translating design factor values into governance and management
objective importance involves a matrix calculation, resulting in a score for
each governance and management objective.
• Scores can be further manipulated for presentation purposes.

84 Reference: COBIT 2019 Design Guide, Chapter 4, page 34
ENTERPRISE STRATEGY – DESIGN FACTOR 1
Figure 4.2—Governance and Management Objectives Priority Mapped to Enterprise Strategy Design Factor

Design Factor Value: Growth/acquisition
Governance and Management Objectives Priority: Important* management objectives include:
• APO02, APO03, APO05
• BAI01, BAI05, BAI11
Components: Important components:
• Organizational structures
  - Support the portfolio management role with an investment office
• Enterprise architect
• Services, infrastructure and applications
  - Facilitate automation and growth and realize economies of scale
Focus Area Variants: COBIT core model

Design Factor Value: Innovation/differentiation
Governance and Management Objectives Priority: Important governance and management objectives include:
• APO02, APO04, APO05
• BAI08, BAI05, BAI11
Components: Important components:
• Organizational structures
• Chief digital officer and/or chief innovation officer
• Important influence of culture and behavior component for innovation
Focus Area Variants: COBIT core model

Design Factor Value: Cost leadership
Governance and Management Objectives Priority: Important governance and management objectives include:
• EDM04
• APO06, APO10
Components: Important components:
• Skills and competencies
  - Focus on IT costing and budgeting skills
• Important influence of culture and behavior component
• Services, infrastructure and applications component (e.g., for automation of controls, improving efficiency)
Focus Area Variants: COBIT core model

Design Factor Value: Client service/stability
Governance and Management Objectives Priority: Important governance and management objectives include:
• EDM02
• APO08, APO09, APO11
• BAI04
• DSS02, DSS03, DSS04
Components: Important component:
• Important influence of culture and behavior component (client centricity)
Focus Area Variants: COBIT core model

85 Reference: COBIT 2019 Design Guide, Chapter 4, page 33


ENTERPRISE STRATEGY – DESIGN FACTOR 1
MAPPING TABLES

The mappings express the degree to which design factor values influence the
importance of a governance or management objective.

The mappings use a scale from zero (0) to four (4).
4 indicates the most influence.
0 indicates the absence of any relationship.

86 Reference: COBIT 2019 Design Guide, Appendix A, page 137


ENTERPRISE GOALS – DESIGN FACTOR 2

The enterprise strategy is realized by achieving a set of enterprise goals. COBIT defines
13 generic enterprise goals—each enterprise should prioritize these enterprise goals in
alignment with the enterprise strategy.

Step 1: Start with the generic enterprise goals and determine the most important
enterprise goals for the organization. Select the top three to five most important
enterprise goals.

Step 2: Find the prioritized enterprise goals on the mapping table between enterprise
goals and alignment goals. Use the mapping to determine the most important alignment
goals.

Step 3: Find the prioritized alignment goals on the mapping table between alignment
goals and governance and management objectives. Use the mapping to determine the most
important governance and management objectives.

87 Reference: COBIT 2019 Design Guide, Chapter 4, page 35


ENTERPRISE GOALS – DESIGN FACTOR 2
MAPPING TABLES

88 Reference: COBIT 2019 Design Guide, Appendix B and C, Pages 139-140


RISK PROFILE – DESIGN FACTOR 3

In Step 1, risks exceeding the enterprise’s risk appetite were identified. Here, the
results of the risk analysis are translated into priorities for governance and
management objectives.
• The most common risk response is risk mitigation requiring controls, or
governance and management objectives that need to be achieved. Map the
IT risk categories and the governance and management objectives.
• The mapping table relates the risk profile to governance and management
objectives and their priorities.

89 Reference: COBIT 2019 Design Guide, Chapter 4, page 36
RISK PROFILE – DESIGN FACTOR 3
MAPPING TABLES

The mappings express the degree to which design factor values influence the
importance of a governance or management objective.

The mappings use a scale from zero (0) to four (4).
4 indicates the most influence.
0 indicates the absence of any relationship.

90 Reference: COBIT 2019 Design Guide, Appendix D, page 141


I&T RELATED ISSUES – DESIGN FACTOR 4

In Step 1, a high-level diagnostic on the I&T-related issues was performed. Here, the
results of this diagnostic are translated into priorities for governance and
management objectives.
• Map I&T issues to governance and management objectives.
• Each I&T-related issue is associated to one or more governance
or management objective. Each governance or management objective can
influence the I&T-related issue.

91 Reference: COBIT 2019 Design Guide, Chapter 4, page 36
I&T RELATED ISSUES – DESIGN FACTOR 4
MAPPING TABLES

The mappings express the degree to which design factor values influence the
importance of a governance or management objective.
Figure A.5 Mapping Table – Mapping I&T-Related Issues to Governance and Management Objectives

The mappings use a scale from zero (0) to four (4).
4 indicates the most influence.
0 indicates the absence of any relationship.

92 Reference: COBIT 2019 Design Guide, Appendix E, page 143


STEP 2 CONCLUSION
At the end of Step 2, all elements are available to define the initial scope of a
customized governance system:
• Prioritized governance and management objectives indicate which governance and
management objectives should be the focus.
• Guidance on specific governance components can potentially also be included in the
initial design.

Proceeding Forward:
• Choose to elaborate current initial design and resolve differences.
• Wait until Step 4 and combine different inputs with scope refinements from Step 3.

93 Reference: COBIT 2019 Design Guide, Chapter 4, page 36 - 37


STEP 3: REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

Step 3 identifies refinements to the initial scope of the governance system, based on
the remaining set of design factors.

1. Understand the enterprise context and strategy
2. Determine the initial scope of the governance system
3. Refine the scope of the governance system
4. Conclude the governance system design

95 Reference: COBIT 2019 Design Guide, Chapter 4, page 34


REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

The result of each consideration of a design factor is a ranked list of governance and
management objectives. In this step, the governance system designer will:

Step 1: Walk through each design factor (DF) from DF5 Threat landscape through DF11
Enterprise size.

Step 2: Determine whether each design factor is applicable.

Step 3: For applicable design factors, determine which of the potential values—or
which combination of potential values—is most applicable to the enterprise.

96 Reference: COBIT 2019 Design Guide, Chapter 4, page 37


THREAT LANDSCAPE – DESIGN FACTOR 5

Decide which combination of values best fits the current situation of the enterprise
and consider the listed guidance for governance and management objectives,
components and focus areas. Include the pertinent information on the design canvas
for resolution and conclusion in Step 4.
Figure 4.3—Governance and Management Objectives Priority Mapped to Threat Landscape Design Factor

Design Factor Value: High
Governance and Management Objectives Priority: Important governance and management objectives include:
• EDM01, EDM03
• APO01, APO03, APO10, APO12, APO13, APO14
• BAI06, BAI10
• DSS02, DSS04, DSS05, DSS06
• MEA01, MEA03, MEA04
Components: Important organizational structures include:
• Security strategy committee
• Chief information security officer (CISO)
Important culture and behavior aspects include:
• Security awareness
Information flows include:
• Security policy
• Security strategy
Focus Area Variants: Information security focus area

Design Factor Value: Normal
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

97 Reference: COBIT 2019 Design Guide, Chapter 4, page 37


COMPLIANCE REQUIREMENTS – DESIGN FACTOR 6

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.4—Governance and Management Objectives Priority Mapped to Compliance Requirements Design Factor
Design Factor Value: High
Governance and Management Objectives Priority: Important governance and management objectives include:
• EDM01, EDM03
• APO12
• MEA03, MEA04
Components: Importance of compliance function:
• High relevance of documentation (information items) and policies and procedures
Focus Area Variants: COBIT core model

Design Factor Value: Normal
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

Design Factor Value: Low
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

98 Reference: COBIT 2019 Design Guide, Chapter 4, page 38


THE ROLE OF IT – DESIGN FACTOR 7

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.5—Governance and Management Objectives Priority Mapped to Role of IT Design Factor
Design Factor Value: Support
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

Design Factor Value: Factory
Governance and Management Objectives Priority: Important governance and management objectives include:
• EDM03
• DSS01, DSS02, DSS03, DSS04
Components: N/A
Focus Area Variants: Information security focus area

Design Factor Value: Turnaround
Governance and Management Objectives Priority: Important governance and management objectives include:
• APO02, APO04
• BAI02, BAI03
Components: N/A
Focus Area Variants: DevOps focus area

99 Reference: COBIT 2019 Design Guide, Chapter 4, page 38-39


THE ROLE OF IT – DESIGN FACTOR 7 (CONTINUED)

Figure 4.5—Governance and Management Objectives Priority Mapped to Role of IT Design Factor
Design Factor Value: Strategic
Governance and Management Objectives Priority: Important governance and management objectives include:
• EDM01, EDM02, EDM03
• APO02, APO04, APO05, APO12, APO13
• BAI02, BAI03
• DSS01, DSS02, DSS03, DSS04, DSS05
Components: Typical bimodal components include:
• Organizational structures
  - Chief digital officer
• Skills and competencies
  - Staff who can work in an ambidextrous environment that combines both exploration and exploitation
• Processes
  - A portfolio and innovation process that integrates exploration and exploitation of digital transformation opportunities
Focus Area Variants: Digital transformation focus area

100 Reference: COBIT 2019 Design Guide, Chapter 4, page 38-39


SOURCING MODEL FOR IT – DESIGN FACTOR 8

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.6—Governance and Management Objectives Priority Mapped to Sourcing Model for IT Design Factor
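Design Factor Value: Outsourcing
Governance and Management Objectives Priority: Important management objectives include:
• APO09, APO10
• MEA01
Components: N/A
Focus Area Variants: Vendor management focus area

Design Factor Value: Cloud
Governance and Management Objectives Priority: Important management objectives include:
• APO09, APO10
• MEA01
Components: N/A
Focus Area Variants: Cloud focus area

Design Factor Value: Insourced
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

Design Factor Value: Hybrid
Combination of guidance for the three specific options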

101 Reference: COBIT 2019 Design Guide, Chapter 4, page 39


IT IMPLEMENTATION METHODS – DESIGN FACTOR 9

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.7—Governance and Management Objectives Priority Mapped to IT Implementation Methods Design Factor
Design Factor Value: Agile
Governance and Management Objectives Priority: Important management objectives include:
• BAI02, BAI03, BAI06
Components: Important and specific roles as identified in the Agile focus area guidance
Focus Area Variants: Agile focus area

Design Factor Value: DevOps
Governance and Management Objectives Priority: Important management objectives include:
• BAI03
Components: Important and specific roles as identified in the DevOps focus area guidance
Focus Area Variants: DevOps focus area

Design Factor Value: Traditional
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

Design Factor Value: Hybrid
Combination of guidance for the three specific options

102 Reference: COBIT 2019 Design Guide, Chapter 4, page 39-40


TECHNOLOGY ADOPTION STRATEGY – DESIGN FACTOR 10

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.8—Governance and Management Objectives Priority Mapped to Technology Adoption Strategy Design Factor
Design Factor Value: First Mover
Governance and Management Objectives Priority: Important governance and management objectives include:
• EDM01, EDM02
• APO02, APO04, APO05, APO08
• BAI01, BAI02, BAI03, BAI05, BAI07, BAI11
• MEA01
Components: N/A
Focus Area Variants: DevOps focus area; Digital transformation focus area

Design Factor Value: Follower
Governance and Management Objectives Priority: Important management objectives include:
• APO02, APO04
• BAI01
Components: N/A
Focus Area Variants: COBIT core model

Design Factor Value: Slow Adopter
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

103 Reference: COBIT 2019 Design Guide, Chapter 4, page 40


ENTERPRISE SIZE – DESIGN FACTOR 11

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.9—Governance and Management Objectives Priority Mapped to Enterprise Size Design Factor
Design Factor Value: Large
Governance and Management Objectives Priority: As per the initial scope definition
Components: N/A
Focus Area Variants: COBIT core model

Design Factor Value: Small/Medium
Governance and Management Objectives Priority: As per the initial scope definition
Components: As applicable in the SME focus area description
Focus Area Variants: SME focus area

104 Reference: COBIT 2019 Design Guide, Chapter 4, page 41


STEP 3 CONCLUSION

At the end of Step 3, the enterprise will have identified a series of potential
refinements for the initial governance system and put them all on the canvas for
consolidation during Step 4 of the design workflow.

These refinements are typically expressed in a form similar to the outcome of Step 2:
prioritized governance and management objectives, important components for the
governance system, and specific focus area guidance.

105 Reference: COBIT 2019 Design Guide, Chapter 4, page 41


STEP 4: RESOLVE CONFLICTS AND CONCLUDE GOVERNANCE
SYSTEM DESIGN

RESOLVE CONFLICTS AND CONCLUDE THE GOVERNANCE
SYSTEM DESIGN

As the last step in the design process, Step 4 brings together all inputs from previous
steps to conclude the governance system design, as depicted in the diagram on the
following slide. The resulting governance system must reflect careful consideration of all
inputs—understanding that these inputs may sometimes conflict.

1. Understand the enterprise context and strategy
2. Determine the initial scope of the governance system
3. Refine the scope of the governance system
4. Conclude the governance system design

107 Reference: COBIT 2019 Design Guide, Chapter 4, page 34


RESOLVE CONFLICTS AND CONCLUDE
THE GOVERNANCE SYSTEM DESIGN

Tailored Governance System

Step 1: Understand the enterprise strategy
Step 2: Determine the initial scope of the governance system
• Initial Scope
Step 3: Refine the scope of the governance system
• Scope Refinement
Step 4: Resolve conflicts and conclude the governance system design
Tailored System

108 Reference: COBIT 2019 Design Guide, Chapter 4, page 42


RESOLVE PRIORITY CONFLICTS

The following outputs from previous steps will be considered before any conclusion
is made:
• Initial design of the governance system, as
obtained during Step 2, based on the
enterprise strategy, enterprise goals, risk
profile and I&T-related issues.
• This initial design probably reflects some
diverging sets of prioritized management
objectives.
• Scope refinements obtained in Step 3
through the analysis of remaining design
factors and diverging sets of priorities.

109 Reference: COBIT 2019 Design Guide, Chapter 4, page 42


RESOLUTION STRATEGIES

The workflow can be applied to different situations, requiring different strategies
for conclusion.
• Analyze the data and results after applying design factors in the context of the
enterprise's goals for implementing a governance program.

Governance system design
• Review governance and management objectives and analyze current performance level(s).
• Take the results of these assessments into account when defining the road map toward
the target governance system.
• Look first of all for quick wins (i.e., those initiatives entailing limited effort,
but yielding high benefit).

110 Reference: COBIT 2019 Design Guide, Chapter 4, page 42


RESOLUTION APPROACH

There are no universally applicable guidelines for resolving competing or conflicting
priorities valid across all enterprise contexts. However, a few recommended
approaches include:
• Include all key stakeholders
• Consider the generic nature of COBIT guidance and the
mapping tables
• Specific context of the enterprise may require deviations

111 Reference: COBIT 2019 Design Guide, Chapter 4, page 42


CONCLUDE THE GOVERNANCE SYSTEM DESIGN

The conclusion of this phase must result in one design for the governance system for
enterprise I&T. This includes prioritized governance and management objectives, target
capability levels, governance components requiring attention and focus area guidance.

Conclude Sustain

112 Reference: COBIT 2019 Design Guide, Chapter 4, page 43 - 44


CONCLUDING THE DESIGN

The conclusion of the design phase must result in one design for
the governance system for enterprise I&T. This design will include:
• Prioritized governance and management objectives
• A variety of target capability levels for processes (or equivalent performance
targets for other components)
• A governance component requiring specific attention due to a particular
issue or circumstance
• Focus area guidance complementing the core COBIT guidance (when
available, necessary and appropriate)

113 Reference: COBIT 2019 Design Guide, Chapter 4, page 43


SUSTAINING THE GOVERNANCE
SYSTEM
• The result of the last step in the governance design workflow is a well-designed
governance system.
• A governance system is inherently dynamic.
• Strategies can change, important investment programs are launched, threat landscapes
change, technologies change, etc.
• The governance system should be reviewed on a regular basis and changes should be
made when necessary.
• Use the COBIT 2019 Implementation Guide for continuous improvement.

114 Reference: COBIT 2019 Design Guide, Chapter 4, page 44


MODULE 5 SUMMARY

SECTION 5 SUMMARY

Topics
• Introduction
• Step 1: Understand enterprise context and strategy
• Step 2: Determine initial scope
• Step 3: Refine the scope
• Step 4: Resolve conflicts and conclude
• Exercises

MODULE 6
THE GOVERNANCE DESIGN TOOLKIT

TOOLKIT INTRODUCTION

The COBIT Design Guide companion toolkit is an Excel® spreadsheet-based tool that
facilitates the application of the governance system design workflow explained in
Module 5.

This module offers a basic understanding of the toolkit and an understanding of how
the results are generated.

The toolkit as downloaded shows the values illustrated in this module.

To use the tool, change the values to fit the enterprise context.

A governance or management objective always relates to one process and a series of
related components of other types to help achieve the objective.

118 Reference: COBIT 2019 Design Guide, Chapter 6


STEP 1 AND 2: DETERMINE THE INITIAL SCOPE OF THE
GOVERNANCE SYSTEM

1. Understand the enterprise context and strategy
2. Determine the initial scope of the governance system
3. Refine the scope of the governance system
4. Conclude the governance system design

In these steps of the governance design workflow, the strategy, goals, risk profile and I&T-
related issues of the enterprise are assessed. The steps assess the first four design factors
(as defined in Module 3) to determine their impact on the initial design of a governance
system: 1. Enterprise strategy, 2. Enterprise goals (via the goals cascade), 3. IT risk profile
and 4. I&T-related issues.

119 Reference: COBIT 2019 Design Guide, Chapter 6


ENTERPRISE STRATEGY (DESIGN FACTOR 1)

Input • Each of the four possible values for the enterprise strategy design factor—growth/acquisition,
innovation/differentiation, cost leadership, client services/stability—must be rated between 1 (not
important) and 5 (most important).
• It is recommended to maintain sufficient spread between values.
Calculation • The toolkit performs a matrix calculation of the entered values for Design Factor 1 Enterprise
strategy with the mapping table for design factor 1, resulting in a score for each
governance/management objective.
• The toolkit performs a second matrix calculation of a baseline set of values for design factor 1 with
the mapping table for design factor 1, resulting in a baseline score for each
governance/management objective.
• The toolkit then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT®
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

120 Reference: COBIT 2019 Design Guide, Chapter 6, page 52


ENTERPRISE STRATEGY (DESIGN FACTOR 1)

121 Reference: COBIT 2019 Design Guide, Chapter 6, page 52


ENTERPRISE GOALS (DESIGN FACTOR 2)

Input • Each of the thirteen enterprise goals must be rated between 1 (not important) and 5
(most important).
• Using the generic enterprise goals, determine the most important goals for the enterprise.
It is advisable to select the top three to five most important enterprise goals; too many high-priority
goals will lead to less meaningful goals cascade results.
• It is recommended to maintain sufficient spread between values.
Calculation • The tool performs a double matrix calculation between (1) the rated enterprise goals and the
mapping table between enterprise goals and IT alignment goals, and (2) the result of the first matrix
calculation and the mapping table between IT alignment goals and governance/management
objectives.
• The tool performs a second set of matrix calculations of a baseline set of values for Design Factor 2
Enterprise goals, resulting in a baseline score for each governance/management objective.
• The tool then calculates the relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this sheet contains the calculated relative importance of each of the 40 COBIT
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

122 Reference: COBIT 2019 Design Guide, Chapter 6, page 53


ENTERPRISE GOALS AND APPLYING THE GOALS CASCADE
(DESIGN FACTOR 2)

123 Reference: COBIT 2019 Design Guide, Chapter 6, page 53


RISK PROFILE OF THE ENTERPRISE (DESIGN FACTOR 3)

Input • Each of the 19 risk categories contained in the risk profile design factor must be rated as follows:
  - Impact of the risk should it occur, as a value between 1 (not important) and 5 (critical)
  - Likelihood of the risk to occur, as a value between 1 (very unlikely) and 5 (very likely)
• The tool assigns a risk rating (very high, high, normal, low) to each risk category, based on the
combination of the impact and likelihood ratings.
• It is recommended to maintain sufficient spread between values.
Calculation • The tool performs a matrix calculation of the risk ratings with the mapping table for Design Factor 3
Risk profile, resulting in a score for each governance/management objective.
• The tool performs a second matrix calculation of a baseline set of risk ratings for design factor 3 with
the mapping table for design factor 3, resulting in a baseline score for each
governance/management objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tool contains the calculated relative importance of each of the 40 COBIT
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

124 Reference: COBIT 2019 Design Guide, Chapter 6, page 54


RISK PROFILE OF THE ENTERPRISE (DESIGN FACTOR 3)

125 Reference: COBIT 2019 Design Guide, Chapter 6, page 54


CURRENT I&T RELATED ISSUES OF THE ENTERPRISE
(DESIGN FACTOR 4)
Input • Each of the 20 I&T-related issues for the I&T-related issues design factor must be rated between 1
(no issue) and 3 (serious issue). Numbers 1, 2 or 3 should be keyed into the tool; the tool will then
automatically translate values into a symbol, based on the tool’s key for this rating.
• It is recommended to maintain sufficient spread between values.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 4 I&T-Related Issues
with the mapping table for design factor 4, resulting in a score for each governance/management
objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 4 with the
mapping table for design factor 4, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

126 Reference: COBIT 2019 Design Guide, Chapter 6, page 55


CURRENT I&T RELATED ISSUES OF THE ENTERPRISE
(DESIGN FACTOR 4)

127 Reference: COBIT 2019 Design Guide, Chapter 6, page 55


CONCLUSION

Input • N/A

Calculation • The tool performs a weighted summation of the calculated governance/management objectives
importance scores related to the first four design factors.
• Weights can be entered on the canvas tab and are set to 1 by default. The weighting can be
changed, if, for example, the enterprise strategy is of greater importance than enterprise goals,
risk or I&T-related issues.
• The achieved results are then normalized on a scale of 100 (both positive and negative) and
reflected on the Step 2 summary tab.
  - The highest value (positive or negative) obtains a score of 100.
  - All other values are then prorated against this value.
• The resulting list of scores not only provides a reliable view of the relative importance of all
governance/management objectives against each other, but also gives an indication of the absolute
importance. This output allows an enterprise not only to prioritize governance/management
objectives against each other, but also to define adequate target capability levels.
Output • The Step 2 summary tab contains the calculated relative importance of each of the 40 COBIT 2019
governance and management objectives.
• The results are represented in table format (on the canvas tab), and as a bar chart (Step 2 summary
tab).

128 Reference: COBIT 2019 Design Guide, Chapter 6, page 56
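
The calculation these toolkit slides describe (per-factor matrix calculation, comparison with a baseline, rounding to 5, weighted summation and normalization to 100) is sketched below as an added example; it is not code from the course or from the COBIT toolkit. The mapping cells, baselines, ratings and the `issue_*` labels are constructed, and the relative-difference formula is this example's reading of the slide wording, not the spreadsheet's own formula.

```python
"""Step 2 scoring as the toolkit slides describe it (added example).

All mapping cells, baselines and ratings are CONSTRUCTED sample values; the
real ones are in the COBIT 2019 Design Guide appendices and the toolkit.
"""
import math

OBJECTIVES = ["EDM03", "APO12", "BAI06", "DSS05"]  # small subset of the 40

# Constructed mapping tables: row = design factor value, column = objective,
# cell = 0 (no relevance) .. 4 (maximum relevance).
DF1_MAPPING = {
    "growth/acquisition":         [1, 1, 2, 1],
    "innovation/differentiation": [1, 1, 2, 1],
    "cost leadership":            [2, 1, 1, 1],
    "client service/stability":   [3, 2, 2, 4],
}
DF4_MAPPING = {  # hypothetical issue labels, not the guide's list of 20 issues
    "issue_1": [4, 3, 1, 2],
    "issue_2": [1, 1, 3, 1],
    "issue_3": [0, 2, 0, 4],
}
# Constructed ratings: DF1 is rated 1..5, DF4 is rated 1..3 (per the slides).
DF1_RATINGS = {"growth/acquisition": 1, "innovation/differentiation": 2,
               "cost leadership": 2, "client service/stability": 5}
DF1_BASELINE = {value: 3 for value in DF1_MAPPING}   # constructed baseline
DF4_RATINGS = {"issue_1": 3, "issue_2": 1, "issue_3": 2}
DF4_BASELINE = {value: 2 for value in DF4_MAPPING}   # constructed baseline


def validate(ratings, mapping, low, high):
    """Reject incomplete ratings, out-of-range ratings and malformed rows."""
    if set(ratings) != set(mapping):
        raise ValueError("ratings must cover exactly the mapped values")
    for name, rating in ratings.items():
        if not low <= rating <= high:
            raise ValueError(f"{name}: rating {rating} outside {low}..{high}")
    for name, row in mapping.items():
        if len(row) != len(OBJECTIVES) or any(not 0 <= c <= 4 for c in row):
            raise ValueError(f"{name}: mapping row must hold cells in 0..4")


def score(ratings, mapping):
    """Matrix calculation: ratings vector times mapping table."""
    return [sum(ratings[v] * mapping[v][i] for v in mapping)
            for i in range(len(OBJECTIVES))]


def round_to_5(pct):
    """Round to the nearest multiple of 5 (ties round up)."""
    return 5 * math.floor(pct / 5 + 0.5)


def relative_importance(ratings, baseline, mapping, low, high):
    """Percentage difference from the baseline score, rounded to 5."""
    validate(ratings, mapping, low, high)
    validate(baseline, mapping, low, high)
    actual, base = score(ratings, mapping), score(baseline, mapping)
    # Baseline score 0 means the factor has no relationship to the objective.
    return [round_to_5(100.0 * (a - b) / b) if b else 0
            for a, b in zip(actual, base)]


def combine(per_factor, weights=None):
    """Weighted summation, then prorate so the largest magnitude is 100."""
    weights = weights or {name: 1 for name in per_factor}
    totals = [sum(weights[f] * per_factor[f][i] for f in per_factor)
              for i in range(len(OBJECTIVES))]
    peak = max(abs(t) for t in totals)
    if peak == 0:  # every objective sits exactly on its baseline
        return {o: 0.0 for o in OBJECTIVES}
    # The sign is kept, following "both positive and negative" on the slide.
    return {o: round(100.0 * t / peak, 1) for o, t in zip(OBJECTIVES, totals)}


if __name__ == "__main__":
    results = {
        "DF1": relative_importance(DF1_RATINGS, DF1_BASELINE, DF1_MAPPING, 1, 5),
        "DF4": relative_importance(DF4_RATINGS, DF4_BASELINE, DF4_MAPPING, 1, 3),
    }
    print(results)
    print(combine(results))                        # default weights of 1
    print(combine(results, {"DF1": 2, "DF4": 1}))  # strategy weighted higher
```

With these sample values, doubling the weight of the enterprise strategy factor moves DSS05 ahead of EDM03, which is the effect the canvas weights are meant to have.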


CONCLUSION

129 Reference: COBIT 2019 Design Guide, Chapter 6, page 57


STEP 3: REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

1. Understand the enterprise context and strategy
2. Determine the initial scope of the governance system
3. Refine the scope of the governance system
4. Conclude the governance system design

In this step, the initial scope of the governance system is further refined based on the
assessment of the remaining design factors.

130 Reference: COBIT 2019 Design Guide, Chapter 6


THREAT LANDSCAPE (DESIGN FACTOR 5)

Input • Each of the two possible values (high and normal) for the threat landscape design factor must be
rated between 0% and 100%. The sum of both values must be 100%.
• For many enterprises, 100% will be assigned to one of the categories. The option is available to
assign percentages where a portion of enterprise operations is subject to a high threat landscape,
while others are subject to a more normal threat landscape.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 5 Threat landscape
with the mapping table for design factor 5, resulting in a score for each governance/management
objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 5 with the
mapping table for design factor 5, resulting in a baseline score for each governance/management
objective.
• The tool then calculates the relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

131 Reference: COBIT 2019 Design Guide, Chapter 6, page 59


THREAT LANDSCAPE (DESIGN FACTOR 5)

132 Reference: COBIT 2019 Design Guide, Chapter 6, page 59


COMPLIANCE REQUIREMENTS (DESIGN FACTOR 6)

Input • Each of the three possible values for the compliance requirements design factor must be rated
between 0% and 100%. The sum of all three values must be 100%.
• For many enterprises, 100% will be assigned to one of the categories. However, the option is
available to assign different percentages, if the enterprise’s IT landscape is quite vast, and certain
parts are subject to strict compliance regulation, while other parts are subject to less strict regulation.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 6 Compliance
Requirements with the mapping table for design factor 6, resulting in a score for each
governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 6 with the
mapping table for design factor 6, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

133 Reference: COBIT 2019 Design Guide, Chapter 6, page 60


COMPLIANCE REQUIREMENTS (DESIGN FACTOR 6)

134 Reference: COBIT 2019 Design Guide, Chapter 6, page 60


THE ROLE OF IT (DESIGN FACTOR 7)

Input • Each of the four possible values for the role of IT design factor—support, factory, turnaround and
strategic—must be rated between 1 (not important) and 5 (most important).
• It is recommended to maintain sufficient spread between values.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 7 Role of IT with the
mapping table for design factor 7, resulting in a score for each governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 7 with the
mapping table for design factor 7, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5.
This number can be positive or negative, indicating that a governance/management objective is
more or less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

135 Reference: COBIT 2019 Design Guide, Chapter 6, page 61


THE ROLE OF IT (DESIGN FACTOR 7)

136 Reference: COBIT 2019 Design Guide, Chapter 6, page 61


SOURCING MODEL FOR IT (DESIGN FACTOR 8)

Input • Each of the three possible values for the sourcing model for IT design factor—outsourcing, cloud
and insourcing—must be rated between 0% and 100%. The sum of all three values must be 100%.
• Note that there is a fourth category—the hybrid classification. This is not denoted in the tool,
because, by definition, assigning percentages to more than one of the other three values creates a
hybrid model.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 8 Sourcing Model for
IT with its corresponding mapping table, resulting in a score for each governance/management
objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 8 with the
mapping table for design factor 8, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT®
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

137 Reference: COBIT 2019 Design Guide, Chapter 6, page 62


SOURCING MODEL FOR IT (DESIGN FACTOR 8)

138 Reference: COBIT 2019 Design Guide, Chapter 6, page 62


IT IMPLEMENTATION METHODS (DESIGN FACTOR 9)

Input • Each of the three possible values for the IT implementation methods design factor—Agile, DevOps
and traditional—must be rated between 0% and 100%. The sum of all three values must be 100%.
• Note that there is a fourth category—the hybrid classification. This is not denoted in the tool
because, by definition, assigning percentages to more than one of the other three values creates a
hybrid model.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 9 IT Implementation
Methods with the mapping table for design factor 9, resulting in a score for each
governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 9 with the
mapping table for design factor 9, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT®
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

139 Reference: COBIT 2019 Design Guide, Chapter 6, page 63


IT IMPLEMENTATION METHODS (DESIGN FACTOR 9)

140 Reference: COBIT 2019 Design Guide, Chapter 6, page 63


TECHNOLOGY ADOPTION STRATEGY (DESIGN FACTOR 10)

Input • Each of the three possible values for the technology adoption strategy design factor—first mover,
follower, slow adopter—must be rated between 0% and 100%. The sum of all three values must be
100%.
• For many enterprises, 100% may be assigned to one of the categories. However, the option is
available to assign different percentages, if the enterprise’s IT landscape is quite vast, and different
areas adopt technology at different paces.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 10 Technology
Adoption Strategy with the mapping table for design factor 10, resulting in a score for each
governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 10 with
the mapping table for design factor 10, resulting in a baseline score for each
governance/management objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

141 Reference: COBIT 2019 Design Guide, Chapter 6, page 64


TECHNOLOGY ADOPTION STRATEGY (DESIGN FACTOR 10)

142 Reference: COBIT 2019 Design Guide, Chapter 6, page 64


ENTERPRISE SIZE (DESIGN FACTOR 11)

The enterprise size design factor only indicates whether the small and medium
enterprise focus area guidance should be used, instead of the core COBIT guidance.

The size of an enterprise has no impact on the priority and target capability levels of
governance and management objectives.

Note: This design factor is not part of the COBIT 2019 Design Toolkit.

143 Reference: COBIT 2019 Design Guide, Chapter 6, page 65


CONCLUSION

Input • N/A

Calculation • The tool performs a weighted summation of the calculated governance/management objectives
importance scores related to the design factors 5 through 10 and combines it with the results of Step
2 Initial design of the governance system.
• Weights can be entered on the canvas tab and are set to 1 by default. The weighting can be
changed, if, for example, compliance requirements are of greater importance (because the
enterprise operates in a highly regulated industry).
• The achieved results are then normalized on a scale of 100.
   - The highest value (positive or negative) obtains a score of 100.
   - All other values are then prorated against this value.
• The resulting list of scores not only provides a reliable view of the relative importance of all
governance/management objectives against each other, but also gives an indication of the absolute
importance. This output allows an enterprise not only to prioritize governance/management
objectives against each other, but also to define adequate target capability levels.
Output • The Step 3 summary tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format (on the canvas tab) and as a bar chart (on the Step 3
summary tab).

144 Reference: COBIT 2019 Design Guide, Chapter 6, page 65
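
The calculation steps described for design factors 5 through 10 and the weighted summation on the Conclusion slide, worked through as an added Python example (not code from ISACA or the COBIT 2019 Design Toolkit). The mapping tables, baselines, Step 2 scores and function names are constructed for illustration; the example assumes the relative difference is (score - baseline) / baseline and that Step 2 results are combined by addition, neither of which the slides spell out.

```python
"""Design-factor scoring as the slides describe it, run on constructed data."""
import math

# Constructed mapping tables: objective -> one weight per design-factor value.
# The objective IDs are COBIT 2019 objectives; the numbers are made up here.
# The real tables are in the COBIT 2019 Design Toolkit, not on these slides.
DF7_MAP = {  # columns: support, factory, turnaround, strategic
    "APO10": (1, 2, 1, 2),
    "APO13": (1, 3, 1, 3),
    "BAI01": (1, 1, 3, 4),
    "MEA03": (2, 2, 1, 1),
}
DF8_MAP = {  # columns: outsourcing, cloud, insourcing
    "APO10": (4, 4, 1),
    "APO13": (2, 3, 1),
    "BAI01": (1, 1, 2),
    "MEA03": (2, 2, 1),
}
DF7_BASELINE = (3, 3, 3, 3)   # constructed baseline ratings
DF8_BASELINE = (25, 25, 50)   # constructed baseline percentages
STEP2 = {"APO10": 20, "APO13": 40, "BAI01": -10, "MEA03": 30}  # constructed


def check_percentages(values):
    """Percentage-type factors: each value 0..100 and the total exactly 100."""
    if any(not 0 <= v <= 100 for v in values):
        raise ValueError("each percentage must be between 0 and 100")
    if sum(values) != 100:
        raise ValueError(f"percentages sum to {sum(values)}, expected 100")
    return tuple(values)


def check_ratings(values):
    """Rating-type factor (role of IT): whole numbers from 1 to 5."""
    if any(not isinstance(v, int) or not 1 <= v <= 5 for v in values):
        raise ValueError("each rating must be a whole number from 1 to 5")
    return tuple(values)


def round_to_5(x):
    """Round to the nearest multiple of 5, halves away from zero."""
    return int(math.copysign(5 * math.floor(abs(x) / 5 + 0.5), x))


def relative_importance(mapping, entered, baseline):
    """Score the entered and the baseline values against the mapping table,
    then return the relative difference per objective as a percentage."""
    result = {}
    for objective, row in mapping.items():
        if len(row) != len(entered) or len(row) != len(baseline):
            raise ValueError(f"{objective}: column count mismatch")
        score = sum(w * v for w, v in zip(row, entered))
        base = sum(w * v for w, v in zip(row, baseline))
        if base == 0:
            raise ValueError(f"{objective}: baseline score is zero")
        result[objective] = round_to_5(100 * (score - base) / base)
    return result


def conclude(step2, factor_results, weights=None):
    """Weighted sum over design factors plus the Step 2 result (assumed to be
    added), prorated so the largest absolute value scores 100. The sign is
    kept, so a dominant negative total comes out as -100."""
    weights = weights or {}
    totals = dict(step2)
    for name, scores in factor_results.items():
        weight = weights.get(name, 1)  # weights default to 1, as on the slide
        for objective, value in scores.items():
            totals[objective] = totals.get(objective, 0) + weight * value
    peak = max(abs(v) for v in totals.values())
    if peak == 0:
        return {k: 0 for k in totals}
    return {k: round(100 * v / peak) for k, v in totals.items()}


def run_example(weights=None):
    """Constructed inputs: a strategic role of IT, fully outsourced/cloud."""
    df7 = relative_importance(DF7_MAP, check_ratings((1, 2, 3, 5)), DF7_BASELINE)
    df8 = relative_importance(DF8_MAP, check_percentages((50, 50, 0)), DF8_BASELINE)
    return df7, df8, conclude(STEP2, {"DF7": df7, "DF8": df8}, weights)


if __name__ == "__main__":
    for label, w in (("default weights", None), ("DF8 weighted x2", {"DF8": 2})):
        print(label, run_example(w)[2])
```

With the default weights APO13 ranks highest; doubling the DF8 weight moves APO10 to the top, which is the kind of shift the canvas-tab weights are there to produce.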


CONCLUSION

145 Reference: COBIT 2019 Design Guide, Chapter 6, page 66


MODULE 7
IMPLEMENTING AND OPTIMIZING I&T GOVERNANCE

146
MODULE 7 TOPICS AND LEARNING OBJECTIVES

Topics
• COBIT 2019 Implementation Guide
• Positioning I&T Governance
• Creating the Appropriate Environment
• Governance Implementation Roadmap
• Trigger Events for Governance Improvement
• Stakeholder Stakes and Roles
• Module Summary

Learning Objectives
(11) Describe purpose and scope of the COBIT 2019 Implementation Guide.
(12) Apply the implementation methodology and approach for a governance implementation program.
(13) Combine the concepts from both the COBIT 2019 Implementation Guide and the COBIT 2019
Design Guide together efficiently.

147
COBIT 2019 IMPLEMENTATION GUIDE

148
OBJECTIVES AND SCOPE OF THE
IMPLEMENTATION GUIDE
COBIT 2019 Implementation Guide: Implementing
and Optimizing an Information and Technology
Governance Solution is the fourth publication in the
COBIT 2019 suite of products.

Reflects enhanced understanding of and practical experience with EGIT implementations, lessons
learned while applying and using previous versions of COBIT, and updates made to ISACA’s guidance.

Provides good practices for implementing and optimizing an I&T governance system based on a
continual improvement life cycle approach and tailored to suit the enterprise’s specific needs.

Reference: COBIT 2019 Implementation Guide, Chapter 1, page 12-13


OBJECTIVES AND SCOPE OF THE
IMPLEMENTATION GUIDE
The COBIT 2019 Implementation Guide emphasizes
an enterprise-wide view of governance of I&T.

I&T are pervasive in enterprises; it is neither possible nor good practice to separate business and
IT-related activities.

Implemented as an integral part of enterprise governance, covering the full end-to-end business
and IT functional areas of responsibility.

Reference: COBIT 2019 Implementation Guide, Chapter 1, page 13


OBJECTIVES AND SCOPE OF THE IMPLEMENTATION GUIDE

Why do some governance system implementations fail?


• They are not initiated and then managed properly as programs to ensure benefits are realized.

Governance programs need to be:


• Sponsored by executive management
• Properly scoped
• Defined with attainable objectives
• Program management is addressed as an integral part of the implementation life cycle.

Reference: COBIT 2019 Implementation Guide, Chapter 1, page 13


OBJECTIVES AND SCOPE OF THE IMPLEMENTATION GUIDE

It is assumed that while a program and project approach is recommended to effectively drive
improvement initiatives, the goal is also to establish:
• Normal business practice
• Sustainable approach to governing and managing enterprise I&T

The implementation approach is based on empowering business and IT stakeholders
and role players to take ownership of IT-related governance and management decisions
and activities by facilitating and enabling change.

The implementation program is closed when the process for focusing on IT-related
priorities and governance improvement is generating a measurable benefit, and the
program has become embedded in ongoing business activity.

Reference: COBIT 2019 Implementation Guide, Chapter 1, page 13


TARGET AUDIENCE

A certain level of experience and a thorough understanding of the enterprise are
required to benefit from this guide.

Such experience and understanding allow users to customize the core COBIT guidance,
which is generic in nature, into tailored and focused guidance for the enterprise, taking
context into account.

Target Audience:
• Business Departments
• Audit
• Security
• Privacy
• Risk Management
• IT Professionals
• External Professionals
• Others Involved in EGIT Implementation

Reference: COBIT 2019 Implementation Guide, Chapter 1, page 14


IMPLEMENTATION AND DESIGN GUIDES

The Design Guide workflow has a number of connection points with the
Implementation Guide.

The Design Guide elaborates a set of tasks defined in the Implementation
Guide.

Reference: COBIT 2019 Design Guide, Chapter 5, page 47


DESIGN GUIDE AND IMPLEMENTATION GUIDE RELATIONSHIPS

The workflow explained in the COBIT 2019 Design Guide elaborates a set of tasks defined in the
Implementation Guide and has the following connection points:
COBIT Implementation Guide: Phase 1, What are the drivers? (Continuous improvement [CI] Tasks)
COBIT Design Guide:
• Step 1 – Understand the enterprise context and strategy

COBIT Implementation Guide: Phase 2, Where are we now? (CI Tasks)
COBIT Design Guide:
• Step 2 – Determine the initial scope of the governance system
• Step 3 – Refine the scope of the governance system
• Step 4 – Conclude the governance system design

COBIT Implementation Guide: Phase 3, Where do we want to be? (CI Tasks)
COBIT Design Guide:
• Step 4 – Conclude the governance system design

155 Reference: COBIT 2019 Framework: Design Guide, Chapter 5, page 48-49
POSITIONING I&T GOVERNANCE

156
UNDERSTANDING THE CONTEXT OF A GOVERNANCE SYSTEM

EGIT does not occur in a vacuum. Implementation takes place in different conditions
and circumstances determined by numerous factors in the internal and external
environment, such as:

• The community’s ethics and culture
• Governing laws, regulations and policies
• International standards
• Industry practices
• The economic and competitive environment
• Technology advancements and evolution
• The threat landscape

The enterprise’s:
• Reason for existence, mission, vision, goals and values
• Governance policies and practices
• Culture and management style
• Models for roles and responsibilities
• Business plans and strategic intentions
• Operating model and level of maturity

Reference: COBIT 2019 Implementation Guide, Chapter 2, page 15


IMPORTANCE OF EGIT

Globally, enterprises—whether public or private, large or small—increasingly understand
that information is a key resource and technology is a strategic asset, both critical to
success. Why is EGIT important?
• I&T is critical to enterprise success.
• I&T has the potential for business transformation.
• I&T often represents a very significant investment.
• The networked economy presents a spectrum of IT-related risk.
• EGIT addresses the complex regulatory environment faced by enterprises.

Research has shown that enterprises with poorly designed or adopted approaches to EGIT
perform worse in aligning business and I&T strategies and processes.

Reference: COBIT 2019 Implementation Guide, Chapter 2, page 16-17


EGIT OUTCOMES

Fundamentally, EGIT is concerned with value delivery from digital transformation
and the mitigation of business risk that results from digital transformation.
More specifically, three main outcomes
can be expected after successful adoption
of EGIT:
• Benefits realization
• Risk optimization
• Resource optimization

159 Reference: COBIT 2019 Implementation Guide, Chapter 2, page 17


COBIT AS AN I&T FRAMEWORK

Over the years, best-practice frameworks have been developed and promoted to assist in
understanding, designing and implementing EGIT.

COBIT 2019 builds on and integrates more than 25 years of development in this field.

From its foundation in the IT audit community, COBIT has developed into a broader and more
comprehensive I&T governance and management framework.

COBIT continues to establish itself as a generally accepted framework for I&T governance.

160 Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 1: Introduction, page 12
LEVERAGING COBIT AND INTEGRATING
FRAMEWORKS

COBIT considers an enterprise view and aligns with governance good practices.

COBIT outlines a general approach as well as references other detailed standards.

COBIT is a single, overarching framework.

COBIT can be tailored to meet the needs of the enterprise.

Aligning with COBIT should result in faster and more efficient assurance initiatives.

161 Reference: COBIT 2019 Implementation Guide, Chapter 2, pages 17-18
CREATING THE APPROPRIATE ENVIRONMENT

162
CREATING THE APPROPRIATE ENVIRONMENT

It is important for the appropriate context to exist when implementing EGIT improvements.
This helps ensure that the initiative is governed and adequately guided and supported by
management.

• An appropriate environment should be created and maintained.
• Ensure that EGIT is implemented as an integral part of an overall governance approach
within the enterprise.
• Include direction and oversight of the implementation initiative, including guiding principles.
• Provide sufficient commitment, direction and control of activities.

163 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 21
CREATING THE APPROPRIATE ENVIRONMENT

A common approach to formalize EGIT and provide a mechanism for executive and board oversight
and direction of I&T-related activities is to establish an I&T governance board.

• Acts on behalf of the board of directors
• Responsible for how I&T is used within the enterprise and for making key I&T-related decisions
• Has a clearly defined mandate and is best chaired by a business executive
• Representation includes chief information officer, chief digital officer, chief technology
officer, senior managers, internal audit, security and risk.

164 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 21
ROLES IN CREATING THE APPROPRIATE ENVIRONMENT

165 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 22


ROLES IN CREATING THE APPROPRIATE ENVIRONMENT

166 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 22


GOVERNANCE IMPLEMENTATION ROADMAP

167
IMPLEMENTATION GUIDE PURPOSE AND SCOPE

The continual improvement life cycle approach allows enterprises to address
the complexity and challenges typically encountered during EGIT
implementation. There are three interrelated components to the life cycle.
• The core EGIT continual improvement life
cycle
• Change enablement (addressing
behavioral and cultural aspects of
implementation or improvement)
• Program management

168 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 23


IMPLEMENTATION ROAD MAP

The COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of
governance of I&T. It recognizes that I&T are pervasive in enterprises and that it is
neither possible nor good practice to separate business and IT-related activities.

169 Reference: COBIT 2019 Framework, Chapter 8, page 49


PHASE 1 WHAT ARE THE DRIVERS?

Phase 1 identifies current change drivers and creates a desire to change, which is then
expressed in an outline of a business case.
• A change driver is an internal or external event,
condition or key issue that serves as a stimulus for
change.
• Events, trends (industry, market or technical),
performance shortfalls, software implementations
and even the goals of the enterprise can all act as change drivers.
• Risk associated with implementation of the
program itself is described in the business case
and managed throughout the life cycle.
• Preparing, maintaining and monitoring a business
case are fundamental and important disciplines for
justifying, supporting and then ensuring successful
outcomes for any initiative.

170 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 24


PHASE 2 WHERE ARE WE NOW?

Phase 2 aligns I&T-related objectives with enterprise strategies and risk, and prioritizes
the most important enterprise goals, alignment goals and processes.
• The COBIT 2019 Design Guide provides
several design factors to help with the
selection.
• The enterprise must identify critical
governance and management objectives and
underlying processes that are of sufficient
capability to ensure successful outcomes.
• Management needs to know its current
capability and where deficiencies may exist.
This can be achieved by a process capability
assessment of the current status of the
selected processes.

171 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 24


PHASE 3 WHERE DO WE WANT TO BE?

Phase 3 sets a target for improvement followed by a gap analysis to identify
potential solutions.
• Some solutions will be quick wins and
others more challenging, long-term tasks.
• Priority should be given to projects that
are easier to achieve and likely to give the
greatest benefit.
• Longer-term tasks should be broken down
into manageable pieces.

172 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 25


PHASE 4 WHAT NEEDS TO BE DONE?

Phase 4 describes how to plan feasible and practical solutions by defining
projects supported by justifiable business cases and a change plan for
implementation.
• A well-developed business case can help
ensure the project’s benefits are identified
and continually monitored.

173 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 25


PHASE 5 HOW DO WE GET THERE?

Phase 5 provides for implementing the proposed solutions.
• Day-to-day practices
• Establishing measures
• Monitoring systems to ensure business
alignment is achieved and performance can
be measured.
Success requires engagement, awareness
and communication, understanding and
commitment of top management, and
ownership by the affected business and IT
process owners.

174 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 25


PHASE 6 DID WE GET THERE?

Phase 6 focuses on sustainable transition of the improved governance
and management practices into normal business operations.
• Further focuses on monitoring
achievement of the improvements
• Using the performance metrics and
expected benefits

175 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 25


PHASE 7 HOW DO WE KEEP THE MOMENTUM GOING?

Phase 7 reviews the overall success of the initiative, identifies further governance or
management requirements and reinforces the need for continual improvement. It also
prioritizes further opportunities to improve the governance system.
• Program and project management is based on good practices
• Provides for checkpoints at each of the seven phases to ensure that the program’s
performance is on track
• Business case and risk are updated and planning for the next phase is adjusted as
appropriate. It is assumed that the enterprise’s standard approach would be followed.

176 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 25


PHASE 7 HOW DO WE KEEP THE MOMENTUM GOING?
(CONTINUED)

Further guidance on program and project management can also be found
in COBIT management objectives:
• BAI01 Managed programs
• BAI11 Managed projects
Although reporting is not mentioned
explicitly in any of the phases, it is a
continual thread through all of the
phases and iterations.

177 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 25


TRIGGER EVENTS FOR GOVERNANCE IMPROVEMENT

178
PAIN POINTS AND TRIGGER EVENTS

Many factors can indicate a need for new or revised EGIT practices and can reveal
complex networks of underlying issues. Using pain points or trigger events can:
• Relate the business case for improvement to concrete stakeholder issues within the enterprise
• Assist in buy-in
• Support quick wins

A sense of urgency may be necessary to kick-start implementation.

179 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 26


TYPICAL PAIN POINTS

New or revised EGIT practices can typically help address the following symptoms.
A short list of these includes:

• Frustration between different IT entities across the organization
because of a perception of low contribution to business value.

• Frustration between business departments and the IT department
because of failed initiatives or a perception of low contribution to
business value.

• Significant I&T-related incidents, such as data loss, security
breaches, project failure, application errors, linked to IT.

These are also listed in the Design Guide under Design Factor 4 I&T-related issues
and are illustrated in Module 4 of this training.

• Service delivery problems by the IT outsourcer(s).

• Failure to meet IT-related regulatory or contractual requirements.

180 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 26-28


TRIGGER EVENTS
In addition to pain points, other events in the enterprise’s internal and external
environments can signal or trigger a focus on EGIT and drive it high on the enterprise
agenda.

• Merger, acquisition or divestiture
• Shifts in the market, economy or competitive position
• Changes in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shifts
• Enterprise-wide governance focus or project
• New leadership
• External audit or consultant assessments
• New business strategy or priority
• Desire to significantly improve the value gained from I&T

181 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 28-29


GROUP DISCUSSION TOPICS

What are some typical challenges to creating an appropriate environment and how can
they be overcome?

What are techniques for gaining active executive-level sponsorship and support?

182
STAKEHOLDER STAKES AND ROLES

183
INTERNAL STAKEHOLDERS

Overview of Internal EGIT Stakeholders

Internal Stakeholders: Board and executive management
Important High-Level Accountabilities and Responsibilities: Set the overall direction, context and
objectives for the improvement program and ensure alignment with the enterprise business strategy,
governance and risk management. Provide visible support and commitment for the initiative,
including the roles of sponsoring and promoting the initiative. Approve the outcomes of the program,
and ensure envisioned benefits are attained and corrective measures are taken as appropriate.
Ensure that the required resources (financial, human and other) are available to the initiative.
Set the direction at the top and lead by example.
Interest in the Implementation Program Outcomes: The board and executive management are
interested in obtaining the maximum business benefits from the implementation program. They want
to ensure that all relevant, required issues and areas are addressed; required activities are
undertaken; and expected outcomes are successfully delivered.

Internal Stakeholders: Business management and business process owners
Important High-Level Accountabilities and Responsibilities: Provide applicable business resources
to the core implementation team. Work with IT to ensure that the outcomes of the improvement
program are aligned to and appropriate for the business environment of the enterprise, value is
delivered, and risk is managed. Visibly support the improvement program and work with IT to address
any issues that are experienced. Ensure that the business is adequately involved during
implementation and in the transition to use.
Interest in the Implementation Program Outcomes: These stakeholders would like the program to
result in better alignment of I&T with the overall business environment and their specific areas.

184 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 30-32


INTERNAL STAKEHOLDERS

Overview of Internal EGIT Stakeholders

Internal Stakeholders: Chief information officer (CIO)
Important High-Level Accountabilities and Responsibilities: Provide leadership to the program and
applicable IT resources to the core implementation team. Work with business management and
executives to set the appropriate objectives, direction and approach for the program.
Interest in the Implementation Program Outcomes: The CIO wants to ensure that all EGIT
implementation objectives are attained. For the CIO, the program should result in mechanisms that
will continually improve the relationship with, and alignment to, the business (including having a
shared view on I&T performance); lead to better management of IT supply and demand; and improve
the management of I&T-related business risk.

Internal Stakeholders: IT management and IT process owners (such as the head of operations, chief
architect, IT security manager, privacy officer, business continuity management specialist)
Important High-Level Accountabilities and Responsibilities: Provide leadership for applicable work
streams of the program and resources to the implementation team. Give key input into the
assessment of current performance and setting of improvement targets for process areas within the
respective domains. Provide input on relevant good practices that should be incorporated and
related expert advice. Ensure that the business case and program plan are realistic and achievable.
Interest in the Implementation Program Outcomes: These stakeholders would like the program to
result in better alignment of I&T with the overall business environment and their specific areas.

Internal Stakeholders: Compliance, risk management and legal experts
Important High-Level Accountabilities and Responsibilities: Participate as required throughout the
program and provide compliance, risk management and legal inputs on relevant issues. Ensure
alignment with the overall ERM approach and confirm relevant compliance and risk management
objectives are met, issues are considered and benefits are attained. Provide guidance as required
during implementation.
Interest in the Implementation Program Outcomes: These stakeholders want to ensure that the
initiative establishes or improves the mechanisms for ensuring legal and contract compliance and
effective I&T-related business risk management, and alignment of these mechanisms to any
enterprise-wide approaches that may exist.

185 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 30-32


INTERNAL STAKEHOLDERS

Overview of Internal EGIT Stakeholders

Internal Stakeholders: Internal audit
Important High-Level Accountabilities and Responsibilities: Participate as required throughout the
program and provide audit inputs on relevant issues. Provide advice on current issues being
experienced and input on control practices and approaches. Review the feasibility of business cases
and implementation plans. Provide advice and guidance as required during implementation.
Potentially verify assessment results independently.
Interest in the Implementation Program Outcomes: These stakeholders are interested in the outcomes
of the implementation program related to control practices and approaches, and how the mechanisms
that are established or improved will enable current audit findings to be addressed.

Internal Stakeholders: Implementation team (combined business and IT team, consisting of
individuals from previously listed stakeholder categories)
Important High-Level Accountabilities and Responsibilities: Direct, design, control, drive and
execute the end-to-end program from the identification of objectives and requirements to the
eventual evaluation of the program against business case objectives and the identification of new
triggers and objectives for further implementation or improvement cycles. Ensure skills transfer
during the transition from the implementation environment to the operation, use and maintenance
environments.
Interest in the Implementation Program Outcomes: The team wants to ensure that all envisioned
outcomes of the EGIT initiative are obtained and maximized.

Internal Stakeholders: Users
Important High-Level Accountabilities and Responsibilities: Support EGIT by performing specific
roles and responsibilities as assigned to them.
Interest in the Implementation Program Outcomes: These stakeholders are interested in the
impact(s) the initiative will have on their day-to-day lives—their jobs, roles and
responsibilities, and activities.

Internal Stakeholders: Customers
Customers are part of the extended value chain and have expectations regarding delivery of
services, products, etc.

186 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 30-32


EXTERNAL STAKEHOLDERS

Overview of External EGIT Stakeholders

External Stakeholders: Customers and society
Interest in the Implementation Program Outcomes: Organizations exist to serve customers. Thus,
customers are directly affected by the degree to which an enterprise’s EGIT objectives are met. If
an enterprise is exposed in the security and privacy domain, such as through loss of customer
banking data, the customer will be affected, and thus has an interest in the successful outcomes of
the EGIT implementation program.

External Stakeholders: IT service providers
Interest in the Implementation Program Outcomes: Enterprise management should ensure that there is
alignment and interface between the enterprise’s own overall EGIT and the governance and
management of the services provided by IT service providers.

External Stakeholders: Regulators
Interest in the Implementation Program Outcomes: Regulators are interested in whether the
implementation program outcomes satisfy and/or provide structures and mechanisms to satisfy all
applicable regulatory and compliance requirements.

External Stakeholders: Shareholders (where relevant)
Interest in the Implementation Program Outcomes: Shareholders may partially base investment
decisions on the state of an enterprise’s corporate and EGIT governance and its record of
accomplishment in this area.

External Stakeholders: External auditors
Interest in the Implementation Program Outcomes: External auditors may be able to rely on
I&T-related controls more fully as a result of an effective implementation program, as
substantiated by an audit. They are also interested in regulatory compliance aspects and financial
reporting.

External Stakeholders: Business partners (e.g., suppliers)
Interest in the Implementation Program Outcomes: Business partners that use automated electronic
transactions with the enterprise could have an interest in the outcomes of the implementation
program with respect to improved information security, integrity and timeliness. They may also be
interested in regulatory compliance and international standards certifications that could be
outcomes of the program.

187 Reference: COBIT 2019 Implementation Guide, Chapter 3, page 32-33


INDEPENDENT ASSURANCE AND AUDIT

Increasingly, boards and executive management seek independent
advice and opinions regarding critical I&T functions and services.
There is also a general increase in the need to demonstrate
compliance with national and international regulations.

It is important to take these stakeholders and their interests into
account when defining the EGIT implementation plan:
• Internal auditors
• External auditors
• ISO/IEC standards auditors
• Professionals commissioned to provide an assessment on IT services and
processes.

188 Reference: COBIT 2019 Design Guide, Chapter 3, page 33
MODULE 7 SUMMARY

189
SECTION 7 TOPICS

Topics
• COBIT 2019 Implementation Guide
• Positioning I&T Governance
• Creating the Appropriate Environment
• Governance Implementation Roadmap
• Trigger Events for Governance Improvement
• Stakeholder Stakes and Roles

190
MODULE 8
GOVERNANCE IMPLEMENTATION LIFECYCLE

191
SECTION 8 TOPICS

Topics
• Phase 1: What are the drivers?
• Phase 2: Where are we now?
• Phase 3: Where do we want to be?
• Phase 4: What needs to be done?
• Phase 5: How do we get there?
• Phase 6: Did we get there?
• Phase 7: How do we keep the
momentum going?
• Exercise
• Module Summary

192
PHASE 1: WHAT ARE THE DRIVERS?

193
PHASE 1 WHAT ARE THE DRIVERS?

Phase objective
• Obtain an understanding of the program
background and objectives and current
governance approach.
• Define the initial program concept business
case.
• Obtain the buy-in and commitment of all key
stakeholders.
Phase description
• Articulate the compelling reasons to act.
• Define the program background, objectives,
current governance culture, and initial
business case.
• Obtain buy-in and commitment of all key
stakeholders.

194 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 51


PHASE 1 KEY STAKEHOLDERS

Figure 6.2—Phase 1 Roles

When you are… | Your role in this phase is to…
Board and executive | Provide guidance regarding stakeholder needs (including customer needs), business strategy, priorities, objectives and guiding principles with respect to EGIT. Approve the high-level approach.
Business management | Together with IT, ensure that stakeholder needs and business objectives are stated with sufficient clarity to enable translation into business goals for I&T. Provide input to understanding of risk and priorities.
IT management | Gather requirements and objectives from all stakeholders, gaining consensus on approach and scope. Provide expert advice and guidance regarding IT matters.
Internal Audit | Provide advice and challenge proposed activities and actions, ensuring that objective and balanced decisions are made. Provide input on current issues. Provide advice regarding controls and risk management practices and approaches.
Risk, compliance, and legal | Provide advice and guidance regarding risk, compliance and legal matters. Ensure that the management-proposed approach is likely to meet risk, compliance and legal requirements.

195 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 50


PHASE 1 TASKS

Recognize the need to act:
• Identify the governance context, business and IT pain points and events.
• Identify business and governance drivers.
• Identify compliance requirements.
• Identify priorities and business strategy dependent on IT.
• Define EGIT policy, objectives, guiding principles and high-level improvement targets.

Establish the desire to change:
• Analyze the environment in which the change needs to be enabled.
• Determine ongoing or planned enterprise initiatives.
• Understand the breadth and depth of the change.
• Identify stakeholders involved in the initiative from different areas of the enterprise
• Determine the ability to implement the change.

Initiate the program:
• Provide high-level strategic direction and set high-level program
• Define and assign high-level roles within the program
• Develop an outline business case indicating the success factors
• Obtain executive sponsorship.

196 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 51


PHASE 1 INPUTS AND OUTPUTS
Inputs
• Enterprise policies, strategies, governance and business plans and audit reports
• Major initiatives
• Inputs that indicate current IT pain points
• Useful and relevant industry overviews, case studies and success stories
• Specific customer requirements, marketing and servicing strategy, market position, enterprise vision and mission statements

Outputs
• Business case outline
• High-level roles and responsibilities
• Identified stakeholder map, including support and involvement required, influence and impact, and agreed understanding of the efforts required to manage human change
• Program wake-up call (all stakeholders)
• Program kick-off communication (key stakeholders)

197 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 52


PHASE 1 RACI CHART

198 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 52


PHASE 1 CHALLENGES, ROOT CAUSES AND
SUCCESS FACTORS
This is a list of typical challenges that may be encountered in
Phase 1 of the implementation lifecycle.
• Lack of senior management buy-in, commitment and support
• Difficulty in demonstrating value and benefits
• Difficulty in getting the required business participation
• Difficulty in identifying stakeholders and role players
• Lack of current enterprise policy and direction
• Weak current enterprise governance

For each implementation phase, the Implementation Guide identifies challenges,
root causes and success factors. For these phase one challenges, refer to
Figure 4.1 for a further description of root causes and success factors.

199 Reference: COBIT 2019 Implementation Guide, Chapter 4, page 35-37


PHASE 1 AVAILABLE RESOURCES

• COBIT® 2019 Design Guide (design factors)


• COBIT® 2019 Framework: Governance and Management
Objectives (particularly EDM01, APO01, MEA01) and
COBIT® 2019 Framework: Introduction and Methodology,
Chapter 9, Getting Started With COBIT: Making the Case,
www.isaca.org/cobit
• The example decision matrix in the appendix of this
publication
• ISACA supporting products currently listed at
www.isaca.org

200 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 52


PHASE 2: WHERE ARE WE NOW?

201
PHASE 2 WHERE ARE WE NOW?

Phase objectives
• Ensure the program team knows and understands
the enterprise goals.
• Identify the critical processes or other enablers
addressed in the improvement plan.
• Identify the appropriate management practices for
each selected process.
• Obtain an understanding of the enterprise’s
present and future attitude toward risk.
• Determine the current capability of the selected
processes.
• Understand the enterprise’s capacity and
capability for change.
Phase description
• This phase identifies the enterprise and alignment
goals and illustrates how I&T contributes to
enterprise goals via solutions and services.

202 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 53-54


PHASE 2 KEY STAKEHOLDERS

Figure 6.6—Phase 2 Roles

When you are… | Your role in this phase is to…
Board and executive | Verify and interpret the results/conclusions of assessments.
Business management | Assist IT in determining the reasonableness of current assessments by providing the customer view.
IT management | Ensure open and fair assessment of IT activities. Guide assessment of current practice. Obtain consensus.
Internal Audit | Provide advice, input and assistance to current-state assessments. If required, independently verify assessment results.
Risk, compliance, and legal | Review assessments to ensure that risk, compliance and legal issues have been considered adequately.

203 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 53


PHASE 2 TASKS

Assess the current state:
• Identify key enterprise and supporting alignment goals.
• Identify key governance issues and weaknesses related to the current and required future solutions and services.
• Assess benefit/value enablement risk, program/project delivery and service delivery/IT operations risk.
• Assess performance.

Form a powerful implementation team:
• Assemble a core team from the business and IT with the appropriate knowledge, expertise, profile, experience, credibility and authority.
• Identify and manage any potential vested interests existing within the team to create the required level of trust.
• Identify change agents with whom the core team can work.

Define problems and opportunities:
• Review and evaluate the outline business case, program feasibility and potential ROI.
• Assign roles, responsibilities and process ownership.
• Ensure commitment and support of affected stakeholders in program definition and execution.
• Identify challenges and success factors

204 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 54-55


PHASE 2 SELECTED INPUTS AND OUTPUTS
Inputs
• Outline business case
• Roles and responsibilities
• Identified stakeholder map
• Program wake-up call
• Business and IT plans and strategies
• IT process descriptions, policies, standards, procedures, technical specifications
• Understanding of business and IT contribution

Outputs
• Agreed alignment goals and impact
• Selected governance and management objectives
• Current performance levels of selected governance and management objectives
• Risk acceptance position and profile
• Strengths on which to build
• Evaluated outline business case
• Agreed understanding of the issues and challenges

205 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 55-56


PHASE 2 RACI CHART

206 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 56


PHASE 2 CHALLENGES, ROOT CAUSES AND
SUCCESS FACTORS
This is a list of typical challenges that may be encountered in
Phase 2 of the implementation lifecycle. Refer to Figure 4.2 in
the Implementation Guide for the associated root causes and
success factors. Note that these are the same for both
phases 2 and 3.
• Inability to gain and sustain support for improvement objectives
• Communication gap between IT and the business
• Cost of improvements outweighing perceived benefits
• Lack of trust and good relationships between IT and the enterprise

For each implementation phase, the Implementation Guide identifies challenges,
root causes and success factors. For these phase one challenges, refer to
Figure 4.2 for a further description of root causes and success factors.

207 Reference: COBIT 2019 Implementation Guide, Chapter 4, page 37-38


PHASE 2 AVAILABLE RESOURCES

• COBIT 2019 Framework: Introduction and Methodology
(governance and management objectives, goals
cascade, enterprise goals-alignment goals cascade),
www.isaca.org/cobit
• COBIT 2019 Framework: Governance and
Management Objectives (APO01, APO02, APO05,
APO12, BAI01, BAI11, MEA01, MEA02, MEA03,
MEA04, used for process selection and process
capability assessment, as well as implementation and
program planning)
• Chapter 5, Enabling Change, in this publication
• ISACA supporting products as currently listed at
www.isaca.org

208 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 56


PHASE 3: WHERE DO WE WANT TO BE?

209
PHASE 3 WHERE DO WE WANT TO BE?

Phase objectives
• Determine the targeted capability for processes
within governance and management objectives.
• Determine gaps
• Translate gaps into improvement opportunities.
• Create a detailed business case and high-level
program plan from gathered information.
Phase description
Based on assessed current-state process
capability levels, an appropriate target capability
level should be determined for each process.

210 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 58


PHASE 3 KEY STAKEHOLDERS

Figure 6.10—Phase 3 Roles

When you are… | Your role in this phase is to…
Board and executive | Set priorities, time scales and expectations regarding the future capability required from I&T.
Business management | Assist IT with the setting of capability targets. Ensure that the envisaged solutions are aligned to enterprise goals.
IT management | Apply professional judgment in formulating improvement priority plans and initiatives. Obtain consensus on a required capability target. Ensure that the envisaged solution is aligned to alignment goals.
Internal audit | Provide advice and assist with target-state positioning and gap priorities. If required, independently verify assessment results.
Risk, compliance, and legal | Review plans to ensure that risk, compliance and legal issues have been addressed adequately.

211 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 57


PHASE 3 TASKS

Define target state:
• Define and identify improvement targets
• Based on performance and conformance, decide initial, ideal short- and long-term target capability levels for each process
• Analyze gaps
• Collate gaps into potential improvements
• Identify unmitigated residual risk and ensure its formal acceptance

Describe and communicate desired outcomes:
• Secure participation
• Describe the high-level road map to achieve the vision and involvement required of various stakeholders
• Set the tone at the top by using senior management to deliver key messages
• Use change agents to communicate informally and formally
• Capture communication feedback adapting the strategy accordingly

Define the road map:
• Set program direction, scope, benefits and objectives at a high level
• Ensure alignment of the objectives with business and IT strategies
• Consider risk and adjust the scope accordingly
• Consider change enablement implications
• Obtain necessary budgets
• Define program accountabilities and responsibilities

212 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 58-59


PHASE 3 SELECTED INPUTS AND OUTPUTS
Inputs
• Agreed enterprise goals and impact on alignment goals
• Current capability rating for selected processes
• Risk acceptance position and risk profile
• Change agents in different parts and at different levels in the enterprise
• Evaluated outline business case
• Internal and external capability benchmarks

Outputs
• Target capability rating for selected processes
• Description of improvement opportunities
• Risk response document, including risk not mitigated
• Change enablement plan and objectives
• Detailed business case
• High-level program plan

213 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 59


PHASE 3 RACI CHART

214 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 60


PHASE 3 CHALLENGES, ROOT CAUSES AND
SUCCESS FACTORS
This is a list of typical challenges that may be encountered in
Phase 3 of the implementation lifecycle. Refer to Figure 4.2 in
the Implementation Guide for the associated root causes and
success factors. Note that these are the same for both
phases 2 and 3.
• Inability to gain and sustain support for improvement objectives
• Communication gap between IT and the business
• Cost of improvements outweighing perceived benefits
• Lack of trust and good relationships between IT and the enterprise

For each implementation phase, the Implementation Guide identifies challenges,
root causes and success factors. For these phase one challenges, refer to
Figure 4.2 for a further description of root causes and success factors.

215 Reference: COBIT 2019 Implementation Guide, Chapter 4, page 37-38


PHASE 3 AVAILABLE RESOURCES

• COBIT 2019 Framework: Introduction and
Methodology (enterprise goals),
www.isaca.org/cobit
• COBIT 2019 Framework: Governance and
Management Objectives (management practices
and activities for the target-state definition and
gap analysis, APO01, APO02)
• ISACA supporting products, as currently listed at
www.isaca.org

216 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 59


PHASE 4: WHAT NEEDS TO BE DONE?

217
PHASE 4 WHAT NEEDS TO BE DONE?

Phase objectives
• Translate improvement opportunities into
justifiable contributing projects.
• Prioritize and focus on high-impact projects.
• Integrate the improvement projects into the
overall program plan.
• Execute quick wins.
Phase description
Prioritize potential initiatives into formal and
justifiable projects.

218 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 61


PHASE 4 KEY STAKEHOLDERS

Figure 6.14—Phase 4 Roles

When you are… | Your role in this phase is to…
Board and executive | Consider and challenge proposals, support justified actions, provide budgets, and set priorities as appropriate.
Business management | Together with IT, ensure that the proposed improvement actions are aligned with agreed enterprise and IT-related goals and that any activities requiring business input or action are supported. Ensure that required business resources are allocated and available. Agree with IT on the metrics for measuring the outcomes of the improvement program.
IT management | Ensure viability and reasonableness of the program plan. Ensure that the plan is achievable, and resources are available to execute the plan. Consider the plan together with priorities of the enterprise’s portfolio of I&T-enabled investments to decide a basis for investment funding.
Internal audit | Provide independent assurance that issues identified are valid, business cases are objectively and accurately presented, and plans appear achievable. Provide expert advice and guidance where appropriate.
Risk, compliance, and legal | Ensure that any identified risk, compliance and legal issues are being addressed, and that proposals conform with any relevant policies or regulations.

219 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 61


PHASE 4 TASKS

Design and build:
• Consider potential benefit and ease of implementation for each improvement.
• Plot improvements onto an opportunity grid.
• Focus on alternatives showing high benefit/high ease of implementation.
• Consider alternatives.
• Prioritize, select, and analyze improvements.
• Agree on projects to be included in the business case for approval.
• Record unapproved projects and initiatives in a register for potential future consideration.

Empower role players:
• Obtain buy-in
• Design change response plans
• Identify quick wins
• Build on any existing strengths identified in phase 2 to realize quick wins, where possible.
• Identify strengths in existing enterprise processes that could be leveraged.

Develop the program plan:
• Organize potential projects into the overall program.
• Ensure that the program conforms to strategic goals and that I&T has a balanced set of initiatives
• Develop a change plan.
• Identify and agree on metrics for measuring the outcomes
• Define a portfolio of projects.
• Define required deliverables.
• Nominate project steering committees.
• Establish project plans and reporting.

220 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 62


PHASE 4 SELECTED INPUTS AND OUTPUTS
Inputs
• Target maturity rating for selected processes
• Description of improvement opportunities
• Risk response document
• Change enablement plan and objectives
• Communication strategy and communication of the change vision
• Detailed business case
• Strengths identified in earlier phases

Outputs
• Improvement project definitions
• Defined change response plans
• Identified quick wins
• Record of unapproved projects
• Program plan that sequences individual plans with allocated resources, priorities and deliverables
• Project plans and reporting procedures enabled through committed resources such as skills and investment
• Success metrics

221 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 63


PHASE 4 RACI CHART

222 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 63


PHASE 4 CHALLENGES, ROOT CAUSES AND
SUCCESS FACTORS
This is a list of typical challenges that may be encountered in
Phase 4 of the implementation lifecycle:
• Failure to understand the environment
• Various levels of complexity (technical, organizational, operating model)
• Difficulty in understanding COBIT and associated frameworks, procedures and practices
• Resistance to change
• Failure to adopt improvements
• Difficulty in integrating internal governance approach with the governance models of outsourcing partners

For each implementation phase, the Implementation Guide identifies challenges,
root causes and success factors. For these phase one challenges, refer to
Figure 4.3 for a further description of root causes and success factors.

223 Reference: COBIT 2019 Implementation Guide, Chapter 4, page 38-40
PHASE 4 AVAILABLE RESOURCES

• COBIT 2019 Framework: Introduction and
Methodology (governance and management
objectives, components of the governance
system), www.isaca.org/cobit
• COBIT 2019 Framework: Governance and
Management Objectives (APO05, APO12, BAI01,
BAI11, goals and metrics)
• ISACA supporting products as currently listed at
www.isaca.org

224 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 63


PHASE 5: HOW DO WE GET THERE?

225
PHASE 5 HOW DO WE GET THERE?

Phase objectives
• Implement the detailed improvement projects.
• Leverage enterprise program and project
management capabilities, standards and
practices.
• Monitor, measure and report on project progress.
Phase description
The approved improvement projects are now ready
for implementation. Solutions defined by the
program can now be acquired or developed and
implemented into the enterprise.

226 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 65


PHASE 5 KEY STAKEHOLDERS

Figure 6.18—Phase 5 Roles


When you are… | Your role in this phase is to…
Board and executive | Monitor implementation and provide support and direction as required.
Business management | Take ownership for business participation in the implementation, especially where business processes are affected, and IT processes require user/customer involvement.
IT management | Make sure that the implementation includes the full scope of activities required (e.g., policy and process changes, technology solutions, organizational changes, new roles and responsibilities, other enablers); ensure that implementations are practical, achievable, and likely to be adopted and used. Make sure that process owners are involved, buy into the new approach and own the resulting processes. Resolve issues and manage risk as encountered during the implementation.
Internal audit | Review and provide input during implementation to avoid after-the-fact identification of missing enablers and especially key controls. Provide guidance on implementation of control aspects. If required, provide a project/implementation risk review service, monitoring risk that could jeopardize implementation and providing independent feedback to the program and project teams.
Risk, compliance, and legal | Provide guidance as required on risk, compliance and legal aspects during implementation.

227 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 64


PHASE 5 TASKS

Implement improvements:
• Develop and/or acquire solutions that include the full scope of activities required.
• Adopt and adapt available guidance to suit the enterprise’s approach to policies and procedures.
• Test the practicality and suitability of the solutions in the real working environment.
• Roll out the solutions, considering any existing processes and migration requirements.

Enable operation and use:
• Build on the momentum and credibility.
• Communicate quick-win successes and recognize and reward those involved.
• Implement the change response plans.
• Communicate roles and responsibilities.
• Define measures of success.
• Close the loop and ensure that all change requirements have been addressed.
• Monitor the change enablement effectiveness and take corrective action where necessary.

Execute the plan:
• Ensure that the execution of the program is based on an up-to-date and integrated (business and IT) plan of the projects within the program.
• Direct and monitor the contribution of all the projects in the program.
• Provide regular update reports to stakeholders.
• Document and monitor significant program risk and issues and agree on remediation actions.
• Approve any major changes to the program and project plans.

228 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 65


PHASE 5 SELECTED INPUTS AND OUTPUTS
Inputs
• Improvement project definitions
• Defined change response plans
• Identified quick wins
• Record of unapproved projects
• Program plan with allocated resources, priorities and deliverables
• Project plans and reporting procedures
• Success metrics
• Project definitions, plans, change strategy and response plans
• Integrated program and project plans

Outputs
• Implemented improvements
• Implemented change response plans
• Realized quick wins and visibility of change success
• Success communications
• Defined and communicated roles and responsibilities in the business-as-usual environment
• Project change logs and issue/risk logs
• Defined business and perception success measures
• Benefits tracked to monitor realization

229 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 66


PHASE 5 RACI CHART

230 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 66


PHASE 5 CHALLENGES, ROOT CAUSES AND
SUCCESS FACTORS
This is a list of typical challenges that may be encountered in
Phase 5 of the implementation lifecycle.
• Failure to realize implementation commitments
• Trying to do too much at once; tackling overly complex, overly difficult or simply too many problems
• IT and/or business in fire-fighting mode
• Lack of required skills and competencies, such as understanding governance, management, business, processes, soft skills

For each implementation phase, the Implementation Guide identifies challenges,
root causes and success factors. For these phase one challenges, refer to
Figure 4.4 for a further description of root causes and success factors.

231 Reference: COBIT 2019 Implementation Guide, Chapter 4, page 40-41


PHASE 5 AVAILABLE RESOURCES

• COBIT 2019 Framework: Governance and
Management Objectives (all objectives as good
practice input, BAI01, BAI11), www.isaca.org/cobit
• ISACA supporting products as currently listed at
www.isaca.org

232 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 66


PHASE 6: DID WE GET THERE?

233
PHASE 6 DID WE GET THERE?

Phase objective
• Integrate the metrics for project performance
and benefits realization.

Phase description
Monitor the described program improvements
via alignment goals and process goals using
suitable techniques such as an IT balanced
scorecard (BSC) and benefits register to verify
the change outcomes have been achieved.

234 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 68


PHASE 6 KEY STAKEHOLDERS
Figure 6.22—Phase 6 Roles
When you are… | Your role in this phase is to…
Board and executive | Assess performance in meeting the original objectives and confirm realization of desired outcomes. Consider the need to redirect future activities and take corrective action. Assist in the resolution of significant issues, if required.
Business management | Provide feedback and consider the effectiveness of the business’s contribution to the initiative. Use positive results to improve current business-related activities. Use lessons learned to adapt and improve the business’s approach to future initiatives.
IT management | Provide feedback and consider the effectiveness of IT’s contribution to the initiative. Use positive results to improve current IT-related activities. Monitor projects based on project criticality as they are developing, using both program management and project management techniques. Be prepared to change the plan and/or cancel one or more projects or take other corrective action, if early indications show that a project is off track and may not meet critical milestones. Use lessons learned to adapt and improve IT’s approach to future initiatives.
Internal audit | Provide independent assessment of the overall efficiency and effectiveness of the initiative. Provide feedback and consider the effectiveness of audit’s contribution to the initiative. Use positive results to improve current audit-related activities. Use lessons learned to adapt and improve audit’s approach to future initiatives.
Risk, compliance, and legal | Assess whether the initiative has improved the ability of the enterprise to identify and manage risk and legal, regulatory and contractual requirements. Provide feedback and make any necessary recommendations for improvements.
235 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 67
PHASE 6 TASKS

Operate and measure
• Set targets for each metric
• Obtain and gather measures
• Investigate variances
• Develop and agree on proposed corrective measures
• Adjust long-term targets based on experience
• Communicate results from performance monitoring to all interested stakeholders

Embed new approaches
• New ways of working become part of the enterprise’s culture
• Leverage pockets of excellence to provide a source of inspiration
• Maintain the communication strategy to achieve ongoing awareness and highlight successes
• Ensure open communication among all to resolve issues

Realize benefits
• Monitor performance against objectives
• Monitor investment performance
• Document lessons learned

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 68


PHASE 6 SELECTED INPUTS AND OUTPUTS
Inputs
• Implemented improvements
• Implemented change response plans
• Realized quick wins and success communications
• Defined and communicated roles and responsibilities
• Project change and issue/risk logs
• Defined business and perception success measures
• Alignment goals and IT process goals
• Existing measures and/or scorecards
• Business case benefits
• Change response plans and strategy

Outputs
• Updated project and program scorecards
• Change effectiveness measures (both business and perception measures)
• Report explaining scorecard results
• Improvements entrenched in operations
• Key metrics added into ongoing IT performance measurement approach

237 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 69


PHASE 6 RACI CHART

238 Reference: COBIT 2019 Implementation Guide, Chapter 6, page 69


PHASE 6 CHALLENGES, ROOT CAUSES AND
SUCCESS FACTORS
This is a list of typical challenges that may be encountered in
Phase 6 of the implementation lifecycle. Refer to Figure 4.5 in
the Implementation Guide for the associated root causes and
success factors. Note: the challenges noted here are the
same challenges identified for Phase 7.
• Failure to adopt or apply improvements
• Difficulty in showing or proving benefits
• Lost interest and momentum, change fatigue

For each implementation phase, the Implementation Guide identifies challenges,
root causes and success factors. For these phase one challenges, refer to
Figure 4.5 for a further description of root causes and success factors.

239 Reference: COBIT 2019 Implementation Guide, Chapter 4, page 41-42


PHASE 6 AVAILABLE RESOURCES

• COBIT 2019 Framework: Governance and Management Objectives (as good practice input and EDM05, APO05, BAI01, BAI11, MEA01), www.isaca.org/cobit
• ISACA supporting products as currently listed at www.isaca.org

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 69


PHASE 7: HOW DO WE KEEP THE MOMENTUM GOING?

PHASE 7 HOW DO WE KEEP THE MOMENTUM GOING?

Phase objectives
• Assess the results and experience gained from the
program.
• Record and share any lessons learned.
• Ensure that new, required actions drive further
iterations of the life cycle.
• Continually monitor performance and ensure
results are regularly reported.
• Drive commitment and ownership of all
accountabilities and responsibilities.
Phase description
This phase enables the team to determine whether
the program delivered against expectations.

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 71


PHASE 7 KEY STAKEHOLDERS
Figure 6.26—Phase 7 Roles
When you are… Your role in this phase is to…

Board and executive
Provide direction, set objectives, and allocate roles and responsibilities for the enterprise’s ongoing approach to, and improvement of, EGIT. Continue to set the tone at the top, develop organizational structures, and encourage a culture of good governance and accountability for I&T among business and IT executives. Ensure that IT is aware of and, as appropriate, involved in, new business objectives and requirements in as timely a manner as possible.

Business management
Provide support and commitment by continuing to work positively with IT to improve EGIT and make it business as usual. Verify that new EGIT objectives are aligned with current enterprise objectives.

IT management
Drive and provide strong leadership to sustain the momentum of the improvement program. Engage in governance activities as part of normal business practice. Create policies, standards and processes to ensure that governance becomes business as usual.

Internal audit
Provide objective and constructive input, encourage self-assessment, and provide assurance to management that governance is working effectively, thus building confidence in I&T. Provide ongoing audits based on an integrated governance approach, using criteria shared with IT and the business based on the COBIT 2019 framework.

Risk, compliance, and legal
Work with IT and the business to anticipate legal and regulatory requirements. Identify and respond to I&T-related risk as a normal activity in EGIT.

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 70


PHASE 7 TASKS

Monitor and evaluate:
• Identify new governance objectives and requirements
• Gather feedback
• Measure and report actual results against originally established project measures
• Perform a facilitated project review process
• Look for additional high-impact, low-cost opportunities to further improve EGIT
• Identify lessons learned
• Communicate requirements for further improvements

Sustain:
• Provide conscious reinforcement and ongoing communication
• Confirm conformance to objectives and requirements
• Continually monitor the effectiveness of the change
• Implement corrective action plans where required
• Provide feedback on performance and publicize successes
• Build on lessons learned
• Share knowledge from the initiative to the broader enterprise

Review program effectiveness:
• At program closure, ensure that a program review takes place and approve conclusions
• Review program effectiveness

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 71


PHASE 7 SELECTED INPUTS AND OUTPUTS
Inputs
• Updated project and program scorecards
• Change effectiveness measures (both business and perception measures)
• Report explaining scorecard results
• Postimplementation review report
• Performance reports
• Business and IT strategy
• New triggers such as new regulatory requirements

Outputs
• Recommendations for further EGIT activities after a period of normalization
• Stakeholder satisfaction survey
• Documented success stories and lessons learned
• Ongoing communication plan
• Performance reward scheme

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 71-72


PHASE 7 RACI CHART

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 72


PHASE 7 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 7 of the implementation lifecycle. Refer to Figure 4.5 in the Implementation Guide for the associated root causes and success factors. Note: the challenges noted here are the same challenges identified for Phase 6.

• Failure to adopt or apply improvements
• Difficulty in showing or proving benefits
• Lost interest and momentum, change fatigue

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase one challenges, refer to Figure 4.5 for a further description of root causes and success factors.

Reference: COBIT 2019 Implementation Guide, Chapter 4, page 41 - 42


PHASE 7 AVAILABLE RESOURCES

• COBIT 2019 Framework: Governance and Management Objectives (EDM01, APO01, BAI08, MEA01), www.isaca.org/cobit
• ISACA supporting products as currently listed at www.isaca.org

Reference: COBIT 2019 Implementation Guide, Chapter 6, page 72


MODULE 8 SUMMARY

SECTION 8 TOPICS

Topics
• Phase 1: What are the drivers?
• Phase 2: Where are we now?
• Phase 3: Where do we want to be?
• Phase 4: What needs to be done?
• Phase 5: How do we get there?
• Phase 6: Did we get there?
• Phase 7: How do we keep the momentum going?

MODULE 9
KEY TOPICS DECISION MATRIX

MODULE 9 TOPICS AND OBJECTIVES

Topics
• Decision matrix
• Group discussion

Objectives
(16) Apply the key decision topics and related responsibilities for governance implementation to concrete situations.
DECISION MATRIX


Appendix A of the Implementation Guide outlines key topic areas that require clear decision-making roles and responsibilities.

This is an example of how to identify key topic areas requiring clear decision-making roles and responsibilities.

It is provided as a guide and can be modified and adapted to suit an enterprise’s specific organization and requirements.
EXAMPLE DECISION MATRIX
Responsible, Accountable, Consulted, Informed (RACI)

Roles: Steering (Programs/Projects) Committee; Enterprise Risk Committee; Business Process Owners; I&T Governance Board; Executive Committee; Portfolio Manager; IT Management; Employees

Decision Topic: Governance
RACI: A/R R C C R I
Scope:
• Integrating with enterprise governance
• Establishing principles, structures, objectives

Decision Topic: Enterprise strategy
RACI: A/R R C C R I
Scope:
• Defining enterprise goals and objectives
• Deciding where and how I&T can enable and support enterprise objectives

Decision Topic: I&T policies
RACI: I A C R C C
Scope:
• Providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders
• Developing and rolling out I&T policies
• Ensuring that policies result in beneficial outcomes in accordance with guiding principles
• Enforcing I&T policies

Decision Topic: I&T strategy
RACI: I A C I R C C
Scope:
• Incorporating IT and business management in the translation of business requirements into service offering and developing strategies to deliver these services in a transparent and effective manner
• Engaging with business and senior management in aligning I&T strategic planning with current and future business needs
• Understanding current I&T capabilities
• Providing a prioritization scheme for business objectives that quantifies business requirements
EXAMPLE DECISION MATRIX (CONTINUED)

Decision Topic: I&T direction
RACI: I C C A/R C C
Scope:
• Providing appropriate platforms for the business applications and services in line with the defined I&T architecture and information & technology standards
• Producing an information and technology provisioning plan

Decision Topic: I&T methods and frameworks
RACI: I C C I I A/R I I
Scope:
• Establishing transparent, flexible and responsive IT organizational structures and defining and implementing I&T processes that integrate owners, roles and responsibilities into business and decision processes
• Defining a practical I&T process framework
• Establishing appropriate organizational bodies and structure
• Defining roles and responsibilities

Decision Topic: Enterprise architecture
RACI: A C C I I R R C
Scope:
• Defining and implementing architecture and standards that recognize and leverage technology opportunities
• Establishing a forum to guide architecture and verify compliance
• Establishing the architecture plan balanced against cost, risk and requirements
• Defining the information architecture, including the establishment of an enterprise data model that incorporates a data classification scheme
• Ensuring the accuracy of the information architecture and data model
• Assigning data ownership
• Classifying information using an agreed classification scheme
EXAMPLE DECISION MATRIX (CONTINUED)

Decision Topic: I&T-enabled investment and portfolio prioritization
RACI: I A C C R
Scope:
• Making effective and efficient I&T-enabled investment and portfolio decisions
• Forecasting and allocating budgets
• Defining formal investment criteria
• Measuring and assessing business value against forecast

Decision Topic: I&T-enabled investment and program prioritization
RACI: I A R C C/I C/I C/I
Scope:
• Setting and tracking I&T budgets in line with I&T strategy and investment decisions
• Measuring and assessing business value against forecast
• Defining a program and project management approach that is applied to I&T-enabled business projects and enables stakeholder participation in, and monitoring of, project risk and progress
• Defining and enforcing program and project frameworks and approach
• Issuing project management guidelines
• Performing project planning for each project detailed in the project portfolio
EXAMPLE DECISION MATRIX (CONTINUED)

Decision Topic: Managing, monitoring and evaluating SLAs
RACI: I A R R R I
Scope:
• Identifying service requirements, agreeing on service levels and monitoring the achievement of service levels
• Formalizing internal and external agreements in line with requirements and delivery capabilities
• Reporting on service level achievements (reports and meetings)
• Identifying and communicating new and updated service requirements to strategic planning
• Meeting operational service levels for scheduled data processing, protecting sensitive output, and monitoring and maintaining infrastructure

Decision Topic: IT application management
RACI: I I C A/R C C
Scope:
• Identifying technically feasible and cost-effective solutions
• Defining business and technical requirements
• Undertaking feasibility studies as defined in the development standards
• Approving (or rejecting) requirements and feasibility study results
• Ensuring that there is a timely and cost-effective development or acquisition process
• Translating business requirements into design specifications
• Selecting appropriate development and maintenance standards (waterfall, Agile, DevOps, etc.) and adhering to the standards for all modifications
• Separating development, testing and operational activities
EXAMPLE DECISION MATRIX (CONTINUED)

Decision Topic: IT infrastructure
RACI: I I C A/R C C
Scope:
• Operating the IT environment in line with agreed service levels and defined instructions
• Maintaining the IT infrastructure

Decision Topic: I&T security
RACI: I A R R R C/I
Scope:
• Defining I&T security policies, plans and procedures and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
• Understanding security requirements, including privacy and cybersecurity, vulnerabilities and threats, in line with business requirements and impact
• Managing user identities and authorizations in a standardized manner
• Testing security regularly
EXAMPLE DECISION MATRIX (CONTINUED)

Decision Topic: Procurement and contracts
RACI: I I C A/R C C
Scope:
• Acquiring and maintaining I&T resources that respond to the delivery strategy, establishing an integrated and standardized IT infrastructure, and reducing IT procurement risk
• Obtaining professional legal and contractual advice
• Defining procurement procedures and standards
• Procuring requested hardware, software and services in line with defined procedures

Decision Topic: I&T compliance
RACI: C/I A C A/R C C/I
Scope:
• Identifying all applicable laws, regulations and contracts; defining the corresponding level of I&T compliance; and optimizing IT processes to reduce the risk of noncompliance
• Identifying legal, regulatory and contractual requirements related to I&T
• Assessing the impact of compliance requirements
• Monitoring and reporting on compliance with these requirements
MODULE 9 SUMMARY

SECTION 9 TOPICS

Topics
• Decision matrix

MODULE 10
CLOSING REMARKS

SECTION 10 TOPICS – NOT TESTED

Topics
• Course Wrap-up

See video lectures for Section 10 Topics Content
