COBIT 5 Framework
Patrick Soenen

Presentation based on COBIT 5 Exposure Draft – ©2011 ISACA. ISACA has designed COBIT 5: The Framework as an educational resource for control professionals. Reproduction only for academic non-commercial use.

CobiT® is a trademark of the ISACA.

A governance and management framework for information and related technology that starts from stakeholder needs with regard to information and technology.

The COBIT 5 framework is intended for all enterprises, including non-profit and public sector.

Today enterprises need to achieve increased:
• Value creation through enterprise IT;
• Business user satisfaction with IT engagement and services;
• Compliance with relevant laws, regulations and policies.

COBIT evolution

[Figure: evolution of the COBIT scope]
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4 (2005): Governance
• COBIT 5 (2011): Enterprise Governance of IT

COBIT 5 ties together all ISACA knowledge assets, i.e.
• COBIT 4.1
• Val IT™
• Risk IT
• Business Model for Information Security™ (BMIS™)
• IT Assurance Framework™ (ITAF™)
• Taking Governance Forward (TGF)
• Board Briefing on IT Governance, 2nd Edition

ISACA Frameworks Included

The COBIT 5 Framework is based on 5 principles

COBIT 5 Principles

COBIT 5 Principles

1. Integrator Framework

COBIT 5 is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used.

[Figure: COBIT 5 architecture. Elements: Stakeholder needs, Value creation, Governance objectives, Enablers, Knowledge base, Content filter, Product family]

COBIT 5 Principles

2. The Governance Objective: Stakeholder Value

Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation.

Value creation means realising benefits at an optimal resource cost whilst optimising risk

COBIT 5 Principles

3. Business and Context Focus

Focussing on enterprise goals and objectives, by covering all of the critical business elements.

Every organisation has its own context determined by external and internal factors

Goals cascade to translate into specific IT goals

COBIT 5 Principles

4. Governance Approach - Enabler Based

Main elements of the governance approach:

Governance enablers are the organisational resources for governance, such as frameworks, principles, structure, processes and practices, toward which or through which action is directed and objectives can be attained

Governance scope: Governance can be applied to the whole enterprise, an entity, a tangible or intangible asset, etc.

Roles, Activities and Relationships: It defines
• who is involved in governance,
• how they are involved,
• what they do and
• how they interact

COBIT 5 Principles

5. Governance- and Management structured

A clear distinction between governance and management.

These two disciplines
• include different types of activities,
• require different organisational structures,
• serve different purposes

COBIT 5 Architecture

Stakeholder value is based on the stakeholder needs

The governance objectives take into account
• ISACA Guidance
• Other standards

By structuring guidance around enablers

Building a consistent knowledge base for all the guidance

Filter to build
• Framework
• Process reference guide
• Implementation guide
• Practice guide

[Figure: CobiT 5 Architecture. Elements: Stakeholder needs, Value creation, Governance objectives, Enablers, Knowledge base, Content filter, Product family]

Value creation

The governance objective is value creation = realising benefits at optimal resource cost whilst optimising risk

The stakeholders for enterprise IT can be
• internal (Board, CEO, CFO, business executives, process owners, risk managers, IT users, IT managers, etc.) and
• external (business partners, suppliers, shareholders, customers, regulators…)

They can have different and even conflicting needs

Governance Objectives

• Governance objectives are based on the stakeholders' needs and the value creation, i.e. benefits, resources and risks

• The existing ISACA guidance is used: CobiT, Val IT, Risk IT, BMIS, ITAF, TGF and Board Briefing

• Other relevant frameworks: ITIL, TOGAF

Goals Cascade

[Figure: goals cascade. Levels: Governance Objectives, Enterprise Goals, IT Goals, linked by mappings]

Governance objectives translate into enterprise goals

Realising enterprise goals requires IT related goals

For IT related goals to be achieved, enablers are required

Goals cascade

Enterprise goals mapped to Governance Objectives

Governance objectives

Columns: BSC, Description, Benefits, Risk, Resource

FINANCIAL
1. Stakeholder value of business investments: P
2. Portfolio of competitive products/services: P S
3. Managed business risks: P S
4. Compliance with ext. laws and regulations: P
5. Financial transparency: P S S

CUSTOMER
6. Customer oriented service culture: P S
7. Business service continuity & availability: P
8. Agile responses to changing environment: P S
9. Information based strategic decision making: P P P
10. Optimisation of service delivery costs: P S

INTERNAL
11. Optimisation of business process functionality: P P
12. Optimisation of business process costs: P P
13. Managed business process changes: P P S
14. Operational and staff productivity: P P
15. Compliance with internal policies: P

L&G
16. Skilled and motivated people: S S P
17. Product and business innovation culture: P

Goals cascade

IT related goals

Columns: BSC, Description

FINANCIAL
1. Alignment of IT and business strategy
2. IT compliance and support for business compliance with ext. laws & reg.
3. Commitment of executive management for making IT related decisions
4. Managed IT related business risks
5. Realised benefits from IT-enabled investments and services portfolio
6. Transparency of IT costs, benefits and risks

CUST
7. Delivery of IT services in line with business requirements
8. Adequate use of applications, information and technology structure

INTERNAL
9. IT agility
10. Security of information, processing infrastructure and applications
11. Optimisation of IT assets, resources and capabilities
12. Enablement and support of business processes by integration
13. Delivery of programme on time, on budget and on business requirements
14. Availability of reliable and useful information
15. IT compliance with internal policies

L&G
16. Competent and motivated IT personnel
17. Knowledge, expertise and initiatives of business motivation

Enablers

• Processes
• Culture, Ethics, Behaviour
• Service Capabilities
• Organisational Structures
• Skills & Competencies
• Principles & Policies
• Information

Enablers are tangible and intangible elements that make governance and management over enterprise IT work. The enablers are driven by the goal cascade

Enablers

To achieve objectives and to produce output

Of individuals and of the organisation

Key decision making entities

Required for keeping the organisation running and well governed

To translate desired behaviour into guidance for day-to-day mgt

Required for successful completion of activities and for taking correct decisions

Include infrastructure, technology and applications

Generic enabler model

The generic enabler model applies to all CobiT enablers. The generic model has been applied to the Process enabler

Enabler capability levels

COBIT 4.1 Maturity Model Levels | COBIT 5 ISO/IEC 15504 Based Capability Levels | Meaning of the COBIT 5 ISO/IEC 15504 Based Capability Levels | Context
5. Optimised | 5. Optimised | Continuously improved to meet relevant current and projected enterprise goals. | Enterprise view/corporate knowledge
4. Managed and Measurable | 4. Predictable | Operates within defined limits to achieve its process outcomes. |
3. Defined | 3. Established | Implemented using a defined process that is capable of achieving its process outcomes. |
N/A | 2. Managed | Implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained. | Instance view/individual knowledge
N/A | 1. Performed | Process achieves its process purpose. |
2. Repeatable | | |
1. Ad Hoc | | |
0. Non-existent | 0. Incomplete | Not implemented or little or no evidence of any systematic achievement of the process purpose. |

The process maturity model of COBIT 4.1 has been replaced with a capability model based on ISO/IEC 15504

Knowledge base & products

The knowledge base contains all guidance and content

Series of products built from the knowledge base

Governance & management processes

COBIT 5 advocates that organisations implement governance and management processes, such that the key areas below are covered

• 1 governance domain
• 4 management domains

Process reference model

Processes for Governance of Enterprise IT
• Evaluate, Direct & Monitor (EDM)

Processes for Management of Enterprise IT
• Align, Plan & Organise (APO)
• Build, Acquire & Implement (BAI)
• Deliver, Service & Support (DSS)
• Monitor, Evaluate & Assess (MEA)

The process reference model is divided into 5 domains:
• 1 governance domain: EDM
• 4 management domains: APO, BAI, DSS & MEA

Process reference model

The complete set of 36 processes: 5 governance and 31 management processes

The 7 phases of the implementation life cycle

Implementation