C i g COBIT4 1 Comparing COBIT4.1 and COBIT 5m.isaca.org/COBIT/Documents/Comparing-COBIT.pdfComparing COBIT 4.1 and COBIT 5 Abstract COBIT 5 integrates Risk IT, Val IT, BMIS and COBIT

C i g COBIT4 1 Comparing COBIT4.1 and COBIT 5

R O B E R T E S T R O U D C G E I T C R I S CR O B E R T E S T R O U D C G E I T C R I S CI S A C A S T R AT E G I C A D V I S O R Y B O A R D

V I C E P R E S I D E N T S T R AT E GY & I N N O VAT I O N C A T E C H N O L O G I E S

© 2012 ISACA. All Rights Reserved.1

Comparing COBIT 4.1 and COBIT 5AbstractAbstract

COBIT 5 integrates Risk IT, Val IT, BMIS and COBIT 4.1 into a i l b i f k Thi i d h f ili single business framework. This integrated approach facilitates

more effective delivery of value to stakeholders from the more appropriate and effective governance and management of enterprise IT assets. By now you are aware that COBIT 5 distinguishes between governance and management, but did you know that COBIT 5 is now organized around five governance of enterprise IT (GEIT) principles and seven enablers, delivers a new process reference model, covers enterprise activities end-to-end and much more? This session will provide you with information on the differences between COBIT 4.1 and COBIT 5 and provide you information you need to move forward with COBIT 5!

2 © 2012 ISACA. All Rights Reserved.

Robert E Stroud CRISC CGEIT

Vice President Strategy & InnovationEvangelist Service Management, Governance & Cloud ComputingImmediate Past International Vice President ISACA\ITGI\ISACA Strategic Advisory Council 15 years Banking Experience C t ib t COBIT VALIT d RISK IT Contributor COBIT, VALIT and RISK IT Immediate Past Executive Board itSMF Intl.Treasurer and Director Audit Standards & complianceFormer Board Member USA itSMFAuthor Public Speaker & Industry GeeK

3

Author, Public Speaker & Industry GeeK

Where are we…

COBIT 4.1, Val IT and Risk IT users who are already engaged in governance of enterprise IT (GEIT)Implementation activities can transition to COBIT 5 and b fi f h l d i d idbenefit from the latest and improved guidanceCOBIT 5 builds on previous versions ISACA IP

4

Stakeholder Value and Business ObjectivesBusiness Objectives

Enterprises exist to create value for their stakeholdersConsequently, any enterprise, commercial or not—will have value creation as a governance objective

Value creation: Realising benefits at anRealising benefits at an optimal resource cost while optimising risk

Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.

5

Stakeholder Value andBusiness ObjectivesBusiness Objectives

Principle 1. Meeting Stakeholder Needs:

Stakeholder needs transformed into an enterprise’s actionableinto an enterprise s actionable strategyCOBIT 5 goals cascade translatesCOBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals

ithi th t t f thwithin the context of the enterprise, IT-related goals and enabler goals

6

g

Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.

Stakeholder Value and Business ObjectivesObjectives (cont.)

Stakeholder needs can be related to a set of generic enterprise goalsThese enterprise goals have been developed using the Balanced Scorecard (BSC) dimensions (Kaplan Robert S ;Balanced Scorecard (BSC) dimensions. (Kaplan, Robert S.; David P. Norton; The Balanced Scorecard: Translating Strategy into Action, Harvard University Press, USA, 1996)The enterprise goals are a list of commonly used goals that an enterprise has defined for itselfAlth h thi li t i t h ti t t i ifiAlthough this list is not exhaustive, most enterprise-specific goals can be easily mapped onto one or more of the generic enterprise goals

7

Stakeholder Value and Business Objectives (cont )Objectives (cont.)

8 Source: COBIT® 5, figure 5. © 2012 ISACA® All rights reserved.

Stakeholder Value and Business ObjectivesObjectives (cont.)

Goals cascade introduced in COBIT 4.0 in 2005Goals cascade supports the COBIT 5 stakeholder needs principleThe goals cascade has been revisited and updated for the COBIT 5 release

9

COBIT framework evolution

Governance of Enterprise IT

IT Governance

scop

e

V l IT 2 0Management

Controlutio

n of

s Val IT 2.0(2008)

Ri k IT

COBIT 5COBIT4 0/4 1COBIT3COBIT2

Audit

COBIT1

Evo

l Risk IT(2009)

COBIT4.0/4.1COBIT3COBIT2

An business framework from ISACA at www isaca org/cobit

COBIT1

2005/7200019981996 2012

An business framework from ISACA, at www.isaca.org/cobit

10 © 2012 ISACA® All rights reserved.

Governance and Management Defined

Governance ensures that enterprise objectives are p jachieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)and objectives (EDM).Management plans, builds, runs and monitorsactivities in alignment with the direction set by theactivities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

11

( )

Governance and Management Defined


Areas of Change

Major changes in COBIT 5 contentNew GEIT PrinciplesIncreased Focus on EnablersNew Process Reference ModelNew Process Reference ModelNew and Modified ProcessesPractices and ActivitiesGoals and MetricsInputs and OutputsRACI Ch tRACI ChartsProcess Capability Maturity Models and Assessments

13

New GEIT Principles


New GEIT Principles (cont.)

Val IT and Risk IT frameworks are principles-basedFeedback indicated that principles are easy to understand and put into an enterprise context, allowing

l b d i d f h i idvalue to be derived from the supporting guidance more effectively.ISO/IEC 38500 also incorporates principles to underpinISO/IEC 38500 also incorporates principles to underpin its messages to achieve the same market benefit delivery

Principles in ISO/IEC 38500 and COBIT 5 differp

15

Focus on Enablers


Increased Focus on Enablers

Information, infrastructure, applications (services) and l ( l kill d i ) COBITpeople (people, skills and competencies) were COBIT

4.1 resourcesPrinciples policies and frameworks were mentioned inPrinciples, policies and frameworks were mentioned in a few COBIT 4.1 processesProcesses were central to COBIT 4.1Organisational structure was implied through the responsible, accountable, consulted or informed (RACI) roles and their definitionsroles and their definitionsCulture, ethics and behaviour were mentioned in a few COBIT 4.1 processes

17

New Process Reference Model for COBIT 5Model for COBIT 5

Revised process reference model with a new governance domain

Several new and modified processesEnterprise activities end-to-endBusiness and IT function areas

Ali ith t b t ti ITIL TOGAFAligns with current best practices, e.g., ITIL, TOGAF, PmBok, ISO\IEC 27000, etcThe new model can be used as a guide for adjusting asThe new model can be used as a guide for adjusting as necessary the enterprise’s own process model

18

19Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

New and Modified Processes

Five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approachesThi idThis guidance:

Helps enterprises to further refine and strengthen executive management-level GEIT practices and activitiesexecutive management-level GEIT practices and activitiesSupports GEIT integration with existing enterprise governance practices and is aligned with g p gISO/IEC 38500

20


Single process reference model

21


New and modified processes:APO03 M t i hit tAPO03 Manage enterprise architecture.APO04 Manage innovation.APO05 Manage portfolio.g pAPO06 Manage budget and costs.APO08 Manage relationships.A O13 iAPO13 Manage security.BAI05 Manage organisational change enablement.BAI08 Manage knowledgeBAI08 Manage knowledge.BAI09 Manage assets.DSS05 Manage security service.

22

DSS06 Manage business process controls.


COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level viewThis provides for a more holistic and complete coverage

f i fl i h i i idof practices reflecting the pervasive enterprise-wide nature of IT useThe involvement responsibilities and accountabilities ofThe involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent

23

Practices and Activities

The COBIT 5 governance or management practices are i l h COBIT 4 1 l bj i d V lequivalent to the COBIT 4.1 control objectives and Val

IT and Risk IT processeswww.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-g/J / / /V / g /WHave-All-the-Control-Objectives-Gone.aspxThe COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT managementcontrol practices and Val IT and Risk IT management practices COBIT 5 integrates and updates all of the previous g p pcontent into the one new model, making it easier for users to understand and use this material when implementing improvements

24

p g p

Goals and Metrics

COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals reflecting an enterprise level viewreflecting an enterprise level viewCOBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals and thenenterprise goals driving IT related goals and then supported by critical processesCOBIT 5 provides examples of goals and metrics at the enterprise, process and management practice levels. This is a change to COBIT 4.1, Val IT and Risk IT, which went down one level lower

25

which went down one level lower

Inputs and Outputs

COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process levelAddi i l d il d id f d i iAdditional detailed guidance for designing processes to include essential work products and to assist with inter-process integrationprocess integration

26

RACI Charts

COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk ITCOBIT 5 id l d il d dCOBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice,charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and i l tiimplementing processes

27

RACI Charts (cont.)

Source: COBIT® 4.1, page 39. © 2007 IT Governance Institute® All rights reserved.

28 Source: COBIT® 5: Enabling Processes, page 31. © 2012 ISACA® All rights reserved.

Process Capability Maturity Models and AssessmentsModels and Assessments

COBIT 4.1, Val IT and Risk IT CMM-based capability i d lli h i dmaturity modelling approach terminated

New process capability assessment approach based on ISO/IEC 15504 and the COBIT AssessmentISO/IEC 15504, and the COBIT Assessment Programmewww.isaca.org/Knowledge-Center/cobit/Pages/COBIT-A PAssessment-Programme.aspxCOBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IECare not considered compatible with the ISO/IEC 15504 approach because the methods use different attributes and measurement scales.

29

Process Capability Maturity Models and Assessments

COBIT 4.1/5

Models and Assessments

30 © 2012 ISACA® All rights reserved.


The COBIT Assessment Programme approach is id d b ISACA b b li bl d


considered by ISACA to be more robust, reliable and repeatable as a process capability assessment methodThe COBIT Assessment Programme supports:The COBIT Assessment Programme supports:

Formal assessments by accredited assessorsLess rigorous self-assessments for internal gap analysis g g p yand process improvement planning

The COBIT Assessment Programme potentially enable an enterprise to obtain an independent and certifiedan enterprise to obtain an independent and certified assessments aligned to the ISO/IEC standard

31


COBIT Process Assessment Model (PAM): Using COBIT 4 1


COBIT 4.1Serves as a base reference document for the performance of a capability assessment of an organisation’s current IT processes against COBITagainst COBIT

COBIT Assessor Guide: Using COBIT 4.1Provides details on how to undertake a full ISO-compliant passessment

COBIT Self-assessment Guide: Using COBIT 4.1P id id h t f b i lf t fProvides guidance on how to perform a basic self-assessment of an organisation’s current IT process capability levels against COBIT processes

32


COBIT 4.1, Val IT and Risk IT users wishing to move


to the new COBIT Assessment Programme approach will need to:

li th i i tirealign their previous ratingsadopt and learn the new methodinitiate a new set of assessmentsinitiate a new set of assessments

33

Process Capability Maturity Models and AssessmentsModels and Assessments

COBIT 4.1, Val IT and Risk IT users wishing to continue with the CMM-based approach, either as an interim or ongoing approach, can use the COBIT 5 guidance but must use the COBIT 4 1 generic attributeguidance, but must use the COBIT 4.1 generic attribute table without the high-level maturity models.

34

COBIT 5 delivers value!

COBIT 5 helps enterprises create optimal value from IT p p pby maintaining a balance between realising benefits and optimising risk levels and resource use.COBIT 5 enables information and related technology to be governed and managed in a holistic mannerThe COBIT 5 principles and enablers are generic –generally applicable! A series of publications, education and online collaboration will drive COBIT forward!

35

COBIT 5 Product Family


COBIT 5 Future Supporting ProductsProducts

• Professional Guides:• COBIT 5 for Information Security• COBIT 5 for Assurance• COBIT 5 for Risk

• Enabler Guides:COBIT 5 E bli I f ti• COBIT 5: Enabling Information

• COBIT Online Replacement• COBIT Assessment Programme:COBIT Assessment Programme:

• Process Assessment Model (PAM): Using COBIT 5• Assessor Guide: Using COBIT 5

37

g• Self-assessment Guide: Using COBIT 5