Embed Size (px)
Citation preview
COBIT 5 Product Family
Source: COBIT 5, figure 11
COBIT® 5
COBIT 5 Online Collaborative Environment
COBIT 5 Enabler Guides
COBIT 5 Professional Guides
COBIT® 5 Implementation
COBIT® 5:Enabling Information
COBIT® 5:Enabling Processes
Other EnablerGuides
COBIT® 5for Assurance
COBIT® 5for Information
Security
COBIT® 5for Risk
Other ProfessionalGuides
COBIT 5 Principles
Source: COBIT 5, figure 2
1. MeetingStakeholder
Needs
5. SeparatingGovernance
FromManagement
4. Enabling aHolistic
Approach
3. Applying aSingle
IntegratedFramework
2. Covering theEnterpriseEnd-to-end
COBIT 5Principles
3701 Algonquin Road, Suite 1010 • Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545 • Fax: +1.847.253.1443 • Email: [email protected]
Web site: www.isaca.org
© 2 0 1 2 I S A C A . A l l r I g h t S r e S e r v e d . F o r u S A g e g u I d e l I n e S , S e e w w w . i s a c a . o r g / c o B i T u s e .
Governance and Management in COBIT 5
Source: COBIT 5, figure 8
Key Roles, Activities and Relationships
Source: COBIT 5, figure 9
Roles, Activities and Relationships
Owners andStakeholders
GoverningBody Management
Operationsand
Execution
Instruct andAlign
Report
Set Direction
Monitor
Delegate
Accountable
BenefitsRealisation
GovernanceEnablers
Roles, Activities and Relationships
GovernanceScope
ResourceOptimisation
RiskOptimisation
Governance Objective: Value Creation
COBIT 5 Governance and Management Key Areas
Source: COBIT 5, figure 15
Governance
Management
Evaluate
Direct Monitor
Plan(APO)
Build(BAI)
Run(DSS)
Monitor(MEA)
Management Feedback
Business Needs
© 2 0 1 2 I S A C A . A l l r I g h t S r e S e r v e d . F o r u S A g e g u I d e l I n e S , S e e w w w . i s a c a . o r g / c o B i T u s e .
The Seven Phases of the Implementation Life Cycle
Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6
7 H
ow do
we keep
the momentum going?
6 Di
d we
get
ther
e?
5 How do we get there?
4 What needs to be done?
3 Where
do w
e wan
t to
be?
2 Where are we now?
1 What are the drivers?
• Programme management (outer ring)
• Change enablement (middle ring)
• Continual improvement life cycle (inner ring)
Initiate programme
Define problems and
opportunities
Define r
oad
map
Plan programme
Execute plan
Real
ise
bene
fits
Review
effectiveness
Operate
Identify roleCommun
icat
e
team
to change
and use
players
outcom
e
Form im
plementation
Establish desire
Embe
d ne
w
Sustain
appr
oach
es
Implem
ent
improvements
state
Assess
RecogniseMonitor
Oper
ate
improvements Build
target
current
need toand
and
Defin
e
state
acteva
luate
mea
sure
Summary of the COBIT 5 Process Capability Model
Source: COBIT 5, figure 19
Generic Process Capability Attributes
COBIT 5 Process AssessmentModel–Capability Indicators
COBIT 5 Process AssessmentModel—Performance Indicators
Base Practices(Management/
GovernancePractices)
Process Outcomes
WorkProducts(Inputs/Outputs)
Generic Practices Generic Resources Generic Work Products
IncompleteProcess
PerformedProcess
ManagedProcess
EstablishedProcess
PredictableProcess
OptimisingProcess
PerformanceAttribute (PA) 1.1
ProcessPerformance
PA 2.1PerformanceManagement
PA 2.2Work
ProductManagement
PA 3.1Process
Definition
PA 3.2Process
Deployment
PA 4.1Process
Management
PA 4.2ProcessControl
PA 5.1Process
Innovation
PA 5.2Process
Optimisation
0 1 2 3 4 5
© 2 0 1 2 I S A C A . A l l r I g h t S r e S e r v e d . F o r u S A g e g u I d e l I n e S , S e e w w w . i s a c a . o r g / c o B i T u s e .
COBIT 5 Enterprise Enablers
Source: COBIT 5, figure 12
2. Processes3. Organisational
Structures
1. Principles, Policies and Frameworks
6. Services,Infrastructure
and Applications
7. People,Skills and
Competencies
Resources
5. Information
4. Culture, Ethicsand Behaviour
COBIT 5 Enablers: Generic
Source: COBIT 5, figure 13
Enab
ler D
imen
sion Stakeholders Goals Life Cycle Good Practices
• Internal Stakeholders• External Stakeholders
• Practices• Work Products (Inputs/Outputs)
• Intrinsic Quality• Contextual Quality (Relevance, Effectiveness)• Accessibility and Security
• Plan• Design• Build/Acquire/ Create/Implement• Use/Operate• Evaluate/Monitor• Update/Dispose
Enab
ler P
erfo
rman
ceM
anag
emen
t Are StakeholdersNeeds Addressed?
Are EnablerGoals Achieved?
Metrics for Achievement of Goals(Lag Indicators)
Metrics for Application of Practice(Lead Indicators)
Is Life CycleManaged?
Are Good PracticesApplied?
© 2 0 1 2 I S A C A . A l l r I g h t S r e S e r v e d . F o r u S A g e g u I d e l I n e S , S e e w w w . i s a c a . o r g / c o B i T u s e .
COBIT 5 Goals Cascade Overview
Source: COBIT 5, figure 4
BenefitsRealisation
Stakeholder Drivers(Environment, Technology Evolution, …)
Enterprise Goals
IT-related Goals
Enabler Goals
Influence
Cascade to
Cascade to
Appendix B
Appendix C
Figure 5
Figure 6
ResourceOptimisation
RiskOptimisation
Stakeholder Needs
Cascade to Appendix D
© 2 0 1 2 I S A C A . A l l r I g h t S r e S e r v e d . F o r u S A g e g u I d e l I n e S , S e e w w w . i s a c a . o r g / c o B i T u s e .
Figure 7—Governance and Management Questions on IT Internal Stakeholders Internal Stakeholder Questions
Board Chief Executive Officer (CEO) Chief financial Officer (CFO) Chier Information Officer (CIO) Chief Risk Officer (CRO) Business Executives Business process owners Business Managers Risk Managers Security Managers Service Managers Human Resource (HR)
Managers Internal audit Privacy officers IT Users IT Managers etc.
How do I get value from the use of IT? Are end users satisfied with the quality of the IT Service? How do I manage performance of IT? How can I best exploit new technology for new strategic opportunities? How do I best build and structure my IT department? How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance of external providers? What are the (control) requirements of information? Did I address all IT-related risks? Am I running an efficient and resilient IT operation? How do I control the cost of IT? How do I use IT resources in the most effective and efficient manner? What are the most effective and efficient sourcing options? Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance? How do I get assurance over IT? Is the information I am processing well secured? How do I improve business agility through a more flexible IT environment? Do IT projects fail to deliver what they promised – and if so, why? Is IT standing in the way of executing the business
strategy? How critical is IT to sustaining the enterprise? What do I do if IT is not available? What critical business processes are dependent on IT, and what are the requirements of business processes? What has been the average overrun on the IT operational budget? How often and how much do IT projects go over
budget? How much of the IT effort goes to fighting fires than to enabling business improvements? Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives? How long does it takes to make major IT decisions? Are the total IT effort and investments transparent? Does IT support the enterprise in complying with regulators and service levels? How do I know whether I am compliant with
all the applicable regulations?
External Stakeholders External Stakeholder Questions
Business Partners Suppliers Shareholders Regulators/government External users Customers Standardisation organisations External auditors Consultans etc.
How do I know my business partner’s operations are secure and reliable? How do I know the enterprise is compliant with applicable rules and regulations? How do I know the enterprise is maintaining an effective system of internal control? Do business partners have the information chain between them under control?
APPENDIX D STAKEHOLDER NEEDS AND ENTERPRISE GOALS
55
APPENDIX DSTAKEHOLDER NEEDS AND ENTERPRISE GOALS
Chapter 4 showed the individual steps of the goals cascade, starting from stakeholder needs down to enabler goals. Chapter 2 included a table with typical governance and management questions on IT. From a stakeholder point of view it is interesting to know how these questions relate to the enterprise goals. For that reason, figure 24 is included; it shows how a list of internal stakeholder needs can be linked to the enterprise goals.
This table can be used to help setting and prioritising specific enterprise goals or IT-related goals, based on specific stakeholder needs. The same precautions should be used when using these tables as with the other goals cascade tables, i.e., every enterprise’s individual situation differs, and these tables should not be used in a mechanical way, but only as a suggested generic set of relationships. In figure 24, the intersection of a stakeholder need and enterprise goal is filled in if that need should be considered for that goal.
Figure 24—Mapping COBIT 5 Enterprise Goals to Governance and Management Questions
STAKEHOLDER NEEDS
Stak
ehol
der v
alue
of b
usin
ess
inve
stm
ents
Portf
olio
of c
ompe
titiv
e pr
oduc
ts
and
serv
ices
Man
aged
bus
ines
s ris
k (s
afeg
uard
ing
of a
sset
s)
Com
plia
nce
with
ext
erna
l law
s an
d re
gula
tions
Fina
ncia
l tra
nspa
renc
y
Cust
omer
-orie
nted
ser
vice
cu
lture
Busi
ness
ser
vice
con
tinui
ty a
nd
avai
labi
lity
Agile
resp
onse
s to
a c
hang
ing
busi
ness
env
ironm
ent
Info
rmat
ion-
base
d st
rate
gic
deci
sion
mak
ing
Optim
isat
ion
of s
ervi
ce d
eliv
ery
cost
s
Optim
isat
ion
of b
usin
ess
proc
ess
func
tiona
lity
Optim
isat
ion
of b
usin
ess
proc
ess
cost
s
Man
aged
bus
ines
s ch
ange
pr
ogra
mm
es
Oper
atio
nal a
nd s
taff
prod
uctiv
ity
Com
plia
nce
with
inte
rnal
pol
icie
s
Skill
ed a
nd m
otiv
ated
peo
ple
Prod
uct a
nd b
usin
ess
inno
vatio
n cu
lture
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
with the quality of the IT
technology for new strategic
are IT outsourcing agreements
obtain assurance over external
What are the (control)
Am I running an efficient and
the most effective and efficient
effective and efficient sourcing
their skills, and how do I
56
Figure 24—Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (cont.)
STAKEHOLDER NEEDS
Stak
ehol
der v
alue
of b
usin
ess
inve
stm
ents
Portf
olio
of c
ompe
titiv
e pr
oduc
ts
and
serv
ices
Man
aged
bus
ines
s ris
k (s
afeg
uard
ing
of a
sset
s)
Com
plia
nce
with
ext
erna
l law
s an
d re
gula
tions
Fina
ncia
l tra
nspa
renc
y
Cust
omer
-orie
nted
ser
vice
cu
lture
Busi
ness
ser
vice
con
tinui
ty a
nd
avai
labi
lity
Agile
resp
onse
s to
a c
hang
ing
busi
ness
env
ironm
ent
Info
rmat
ion-
base
d st
rate
gic
deci
sion
mak
ing
Optim
isat
ion
of s
ervi
ce d
eliv
ery
cost
s
Optim
isat
ion
of b
usin
ess
proc
ess
func
tiona
lity
Optim
isat
ion
of b
usin
ess
proc
ess
cost
s
Man
aged
bus
ines
s ch
ange
pr
ogra
mm
es
Oper
atio
nal a
nd s
taff
prod
uctiv
ity
Com
plia
nce
with
inte
rnal
pol
icie
s
Skill
ed a
nd m
otiv
ated
peo
ple
Prod
uct a
nd b
usin
ess
inno
vatio
n cu
lture
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
Is the information I am
agility through a more flexible IT
Do IT projects fail to deliver
way of executing the business
What concrete vital primary business processes are dependent on IT, and what are the requirements of business
What has been the average overrun of the IT operational
much do IT projects go over
goes to fighting fires rather than to enabling business
Are sufficient IT resources and infrastructure available to meet required enterprise strategic
Are the total IT effort and
Does IT support the enterprise in complying with regulations
know whether I am compliant
CHAPTER 2
P RINCIPLE 1: M EETING STAKEHOLDER NEEDS
19
Figure 5—COBIT 5 Enterprise Goals
BSC Dimension Enterprise Goal
Relation to Governance Objectives
Benefits Realisation
Risk Optimisation
Resource Optimisation
Financial 1. Stakeholder value of business investments P S
2. Portfolio of competitive products and services P P S
3. Managed business risk (safeguarding of assets) P S
4. Compliance with external laws and regulations P
5. Financial transparency P S S
Customer 6. Customer-oriented service culture P S
7. Business service continuity and availability P
8. Agile responses to a changing business environment P S
9. Information-based strategic decision making P P P
10. Optimisation of service delivery costs P P
Internal 11. Optimisation of business process functionality P P
12. Optimisation of business process costs P P
13. Managed business change programmes P P S
14. Operational and staff productivity P P
15. Compliance with internal policies P
Learning and Growth 16. Skilled and motivated people S P P
17. Product and business innovation culture P
Figure 6—IT-related Goals
IT BSC Dimension Information and Related Technology Goal
Financial 01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realised benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk
Customer 07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions
Internal 09 IT agility
10 Security of information, processing infrastructure and applications
11 Optimisation of IT assets, resources and capabilities
12 Enablement and support of business processes by integrating applications and technology into business processes
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14 Availability of reliable and useful information for decision making
15 IT compliance with internal policies
Learning and Growth 16 Competent and motivated business and IT personnel
17 Knowledge, expertise and initiatives for business innovation
50
When using the table in figure 22, please consider the remarks made in chapter 2 on how to use the COBIT 5 goals cascade.
Figure 22—Mapping COBIT 5 Enterprise Goals to IT-related Goals
Enterprise Goal
Stak
ehol
der v
alue
of b
usin
ess
inve
stm
ents
Portf
olio
of c
ompe
titiv
e pr
oduc
ts a
nd s
ervi
ces
Man
aged
bus
ines
s ris
k (s
afeg
uard
ing
of a
sset
s)
Com
plia
nce
with
ext
erna
l law
s an
d re
gula
tions
Fina
ncia
l tra
nspa
renc
y
Cust
omer
-orie
nted
ser
vice
cul
ture
Busi
ness
ser
vice
con
tinui
ty a
nd a
vaila
bilit
y
Agile
resp
onse
s to
a c
hang
ing
busi
ness
env
ironm
ent
Info
rmat
ion-
base
d st
rate
gic
deci
sion
mak
ing
Optim
isat
ion
of s
ervi
ce d
eliv
ery
cost
s
Optim
isat
ion
of b
usin
ess
proc
ess
func
tiona
lity
Optim
isat
ion
of b
usin
ess
proc
ess
cost
s
Man
aged
bus
ines
s ch
ange
pro
gram
mes
Oper
atio
nal a
nd s
taff
prod
uctiv
ity
Com
plia
nce
with
inte
rnal
pol
icie
s
Skill
ed a
nd m
otiv
ated
peo
ple
Prod
uct a
nd b
usin
ess
inno
vatio
n cu
lture
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
IT-related Goal Financial Customer Internal
Learning and
Growth
Fina
ncia
l
01 Alignment of IT and business strategy P P S P S P P S P S P S S
02 IT compliance and support for business compliance with external laws and regulations
S P P
03 Commitment of executive management for making IT-related decisions P S S S S S P S S
04 Managed IT-related business risk P S P S P S S S
05 Realised benefits from IT-enabled investments and services portfolio P P S S S S P S S
06 Transparency of IT costs, benefits and risk S S P S P P
Cust
omer
07 Delivery of IT services in line with business requirements P P S S P S P S P S S S S
08 Adequate use of applications, information and technology solutions S S S S S S S P S P S S
Inte
rnal
09 IT agility S P S S P P S S S P
10 Security of information, processing infrastructure and applications P P P P
11 Optimisation of IT assets, resources and capabilities P S S P S P S S S
12 Enablement and support of business processes by integrating applications and technology into business processes
S P S S S S P S S S S
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
P S S S S S P S
14 Availability of reliable and useful information for decision making S S S S P P S
15 IT compliance with internal policies S S P
Lear
ning
an
d Gr
owth
16 Competent and motivated business and IT personnel S S P S S P P S
17 Knowledge, expertise and initiatives for business innovation S P S P S S S S P
52
When using the table in figure 23, please consider the remarks made in chapter 2 on how to use the COBIT 5 goals cascade.
Figure 23—Mapping COBIT 5 IT-related Goals to Processes
IT-related Goal
Alig
nmen
t of I
T an
d bu
sine
ss s
trate
gy
IT c
ompl
ianc
e an
d su
ppor
t for
bus
ines
s co
mpl
ianc
e w
ith
exte
rnal
law
s an
d re
gula
tions
Com
mitm
ent o
f exe
cutiv
e m
anag
emen
t for
mak
ing
IT-r
elat
ed d
ecis
ions
Man
aged
IT-r
elat
ed b
usin
ess
risk
Real
ised
ben
efits
from
IT-e
nabl
ed in
vest
men
ts a
nd
serv
ices
por
tfolio
Tran
spar
ency
of I
T co
sts,
ben
efits
and
risk
Deliv
ery
of IT
ser
vice
s in
line
with
bus
ines
s re
quire
men
ts
Adeq
uate
use
of a
pplic
atio
ns, i
nfor
mat
ion
and
tech
nolo
gy
solu
tions
IT a
gilit
y
Secu
rity
of in
form
atio
n, p
roce
ssin
g in
frast
ruct
ure
and
appl
icat
ions
Optim
isat
ion
of IT
ass
ets,
reso
urce
s an
d ca
pabi
litie
s
Enab
lem
ent a
nd s
uppo
rt of
bus
ines
s pr
oces
ses
by
inte
grat
ing
appl
icat
ions
and
tech
nolo
gy in
to
busi
ness
pro
cess
es
Deliv
ery
of p
rogr
amm
es d
eliv
erin
g be
nefit
s, o
n tim
e, o
n bu
dget
, and
mee
ting
requ
irem
ents
and
qua
lity
stan
dard
s
Avai
labi
lity
of re
liabl
e an
d us
eful
info
rmat
ion
for d
ecis
ion
mak
ing
IT c
ompl
ianc
e w
ith in
tern
al p
olic
ies
Com
pete
nt a
nd m
otiv
ated
bus
ines
s an
d IT
per
sonn
el
Know
ledg
e, e
xper
tise
and
initi
ativ
es fo
r bus
ines
s in
nova
tion
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17
COBIT 5 Process Financial Customer Internal
Learning and
Growth
Eval
uate
, Dire
ct a
nd M
onito
r EDM01 Ensure Governance Framework Setting and Maintenance
P S P S S S P S S S S S S S S S
EDM02 Ensure Benefits Delivery P S P P P S S S S S S P
EDM03 Ensure Risk Optimisation S S S P P S S P S S P S S
EDM04 Ensure Resource Optimisation S S S S S S S P P S P S
EDM05 Ensure Stakeholder Transparency S S P P P S S S S
Alig
n, P
lan
and
Orga
nise
APO01 Manage the IT Management Framework P P S S S P S P S S S P P P
APO02 Manage Strategy P S S S P S S S S S S S S P
APO03 Manage Enterprise Architecture P S S S S S S P S P S S S
APO04 Manage Innovation S S P P P P S S P
APO05 Manage Portfolio P S S P S S S S S P S
APO06 Manage Budget and Costs S S S P P S S S S
APO07 P S S S S S S P P S P P
APO08 Manage Relationships P S S S S P S S P S S S P
APO09 Manage Service Agreements S S S S P S S S S S P S
APO10 Manage Suppliers S P S S P S P S S S S S S
APO11 Manage Quality S S S P P S S S P S S S S
APO12 Manage Risk P P P S S S P P S S S S
APO13 Manage Security P P P S S P P
APPENDIX C DETAILED MAPPING IT-RELATED GOALS—IT-RELATED PROCESSES
53
Figure 23—Mapping COBIT 5 IT-related Goals to Processes (cont.)
IT-related Goal
Alig
nmen
t of I
T an
d bu
sine
ss s
trate
gy
IT c
ompl
ianc
e an
d su
ppor
t for
bus
ines
s co
mpl
ianc
e w
ith
exte
rnal
law
s an
d re
gula
tions
Com
mitm
ent o
f exe
cutiv
e m
anag
emen
t for
mak
ing
IT-
rela
ted
deci
sion
s
Man
aged
IT-r
elat
ed b
usin
ess
risk
Real
ised
ben
efits
from
IT-e
nabl
ed in
vest
men
ts a
nd
serv
ices
por
tfolio
Tran
spar
ency
of I
T co
sts,
ben
efits
and
risk
Deliv
ery
of IT
ser
vice
s in
line
with
bus
ines
s re
quire
men
ts
Adeq
uate
use
of a
pplic
atio
ns, i
nfor
mat
ion
and
tech
nolo
gy
solu
tions
IT a
gilit
y
Secu
rity
of in
form
atio
n, p
roce
ssin
g in
frast
ruct
ure
and
appl
icat
ions
Optim
isat
ion
of IT
ass
ets,
reso
urce
s an
d ca
pabi
litie
s
Enab
lem
ent a
nd s
uppo
rt of
bus
ines
s pr
oces
ses
by
inte
grat
ing
appl
icat
ions
and
tech
nolo
gy in
to
busi
ness
pro
cess
es
Deliv
ery
of p
rogr
amm
es d
eliv
erin
g be
nefit
s, o
n tim
e, o
n bu
dget
, and
mee
ting
requ
irem
ents
and
qua
lity
stan
dard
s
Avai
labi
lity
of re
liabl
e an
d us
eful
info
rmat
ion
for d
ecis
ion
mak
ing
IT c
ompl
ianc
e w
ith in
tern
al p
olic
ies
Com
pete
nt a
nd m
otiv
ated
bus
ines
s an
d IT
per
sonn
el
Know
ledg
e, e
xper
tise
and
initi
ativ
es fo
r bus
ines
s in
nova
tion
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17
COBIT 5 Process Financial Customer Internal
Learning and
Growth
Build
, Acq
uire
and
Impl
emen
t
BAI01 Manage Programmes and Projects P S P P S S S S P S S
BAI02 Manage Requirements Definition P S S S S P S S S S P S S S
BAI03 Manage Solutions Identification and Build S S S P S S S S S S
BAI04 Manage Availability and Capacity S S P S S P S P S
BAI05 Manage Organisational Change Enablement S S S S P S S S P S P
BAI06 Manage Changes S P S P S S P S S S S S S
BAI07 Manage Change Acceptance and Transitioning S S S P S P S S S S
BAI08 Manage Knowledge S S S S P S S S S P
BAI09 Manage Assets S S P S S S P S S
BAI10 Manage Configuration P S S S S S P P S
Deliv
er, S
ervi
ce a
nd S
uppo
rt DSS01 Manage Operations S P S P S S S P S S S S
DSS02 Manage Service Requests and Incidents P P S S S S S
DSS03 Manage Problems S P S P S S P S P S S
DSS04 Manage Continuity S S P S P S S S S S P S S S
DSS05 Manage Security Services S P P S S P S S S S
DSS06 Manage Business Process Controls S P P S S S S S S S S
Mon
itor,
Eval
uate
and
Ass
ess MEA01 Monitor, Evaluate and
Assess Performance and Conformance
S S S P S S P S S S P S S P S S
MEA02 Monitor, Evaluate and Assess the System of Internal Control
P P S S S S S P S
MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
P P S S S S S
© 2012 ISACA ‐ Glenfis AG
Domain ID CO5 Processes Governance / Management PracticeEDM01.01 Evaluate the governance system.EDM01.02 Direct the governance system.EDM01.03 Monitor the governance system.EDM02.01 Evaluate value optimisation.EDM02.02 Direct value optimisation.EDM02.03 Monitor value optimisation.EDM03.01 Evaluate risk management.EDM03.02 Direct risk management.EDM03.03 Monitor risk management.EDM04.01 Evaluate resource management.EDM04.02 Direct resource management.EDM04.03 Monitor resource management.EDM05.01 Evaluate stakeholder reporting requirements.EDM05.02 Direct stakeholder communication and reporting.EDM05.03 Monitor stakeholder communication.APO01.01 Define the organisational structure.APO01.02 Establish roles and responsibilities.APO01.03 Maintain the enablers of the management system.APO01.04 Communicate management objectives and direction.APO01.05 Optimise the placement of the IT function.APO01.06 Define information (data) and system ownership.APO01.07 Manage continual improvement of processes.APO01.08 Maintain compliance with policies and procedures.APO02.01 Understand enterprise direction.APO02.02 Assess the current environment, capabilities and performance.APO02.03 Define the target IT capabilities.APO02.04 Conduct a gap analysis.APO02.05 Define the strategic plan and road map.APO02.06 Communicate the IT strategy and direction.APO03.01 Develop the enterprise architecture vision.APO03.02 Define reference architecture.APO03.03 Select opportunties and solutions.APO03.04 Define architecture implementation.APO03.05 Provide enterprise architecture services.APO04.01 Create an environment conducive to innovation.APO04.02 Maintain an understanding of the enterprise environment.APO04.03 Monitor and scan the technology environment.APO04.04 Assess the potential of emerging technologies and innovation ideas.APO04.05 Recommend appropriate further initiatives.APO04.06 Monitor the implementation and use of innovation.APO05.01 Establish the target investment mix.APO05.02 Determien the availability and sources of funds.APO05.03 Evaluate and select programmes to fund.APO05.04 Monitor, optimise and report on investment portfolio performance.APO05.05 Maintain portfolios.APO05.06 Manage benefits achievement.APO06.01 Manage finance and accounting.APO06.02 Prioritise resource allocation.APO06.03 Create and maintain budgets.APO06.04 Model and allocate costs.APO06.05 Manage costs.APO07.01 Maintain adequate and appropriate staffing.APO07.02 Identify key IT personnel.APO07.03 Maintain the skills and competencies of personnel.APO07.04 Evaluate employee job performance.APO07.05 Plan and track the usage of IT and business human resources.APO07.06 Manage contract staff.APO08.01 Understand business exepctations.APO08.02 Identify opportunities, risk and constraints for IT to enhance the business.APO08.03 Manage the business relationship.APO08.04 Co-ordinate and communicate.APO08.05 Provide input to the continual improvement of services.APO09.01 Identify IT services.APO09.02 Catalogue IT-enabled services.APO09.03 Define and prepare service agreements.APO09.04 Monitor and report service levels.APO09.05 Review service agreements and contracts.APO10.01 Identify and evaluate supplier relationships and contracts.APO10.02 Select suppliers.APO10.03 Manage supplier relationships and contracts.APO10.04 Manage supplier risk.APO10.05 Monitor supplier performance and compliance.APO11.01 Establish a quality management system (QMS).APO11.02 Define and manage quality standards, practices and procedures.APO11.03 Focus quality management on customers.APO11.04 Perform quality monitoring, control and reviews.APO11.05 Integrate quality management into solutions for development and service delivery.APO11.06 Maintain continuous improvement.APO12.01 Collect data.APO12.02 Analyse risk.APO12.03 Maintain a risk profile.APO12.04 Articulate risk.APO12.05 Define a risk management action portfolio.APO12.06 Respond to risk.APO13.01 Establish and maintain an ISMS.APO13.02 Define and manage an information security risk treatment plan.APO13.03 Monitor and review the ISMS.BAI01.01 Maintain a standard approach for programme and project management.BAI01.02 Initiate a programme.BAI01.03 Manage stakeholder engagement.BAI01.04 Develop and maintain the programme plan.BAI01.05 Launch and execute the programme.BAI01.06 Monitor, control and report on the programme outcomes.BAI01.07 Start up and initiate projects within a programme.BAI01.08 Plan projects.BAI01.09 Manage programme and project quality.BAI01.10 Manage programme and project risk.BAI01.11 Monitor and control projects.BAI01.12 Manage project resources and work packages.BAI01.13 Close a project or iteration.BAI01.14 Close a programme.BAI02.01 Define and maintain business functional and technical requirements.BAI02.02 Perform a feasibility study and formulate alternative solutions.BAI02.03 Manage requirements risk.BAI02.04 Obtain approval of requirements and solutions.BAI03.01 Design high-level solutions.BAI03.02 Design detailed solution components.BAI03.03 Develop solution components.BAI03.04 Procure solution components.BAI03.05 Build solutions.BAI03.06 Perform quality assurance.BAI03.07 Prepare for solution testing.BAI03.08 Execute solution testing.BAI03.09 Manage changes to requirements.BAI03.10 Maintain solutions.BAI03.11 Define IT services and maintain the service portfolio.BAI04.01 Assess current availability, performance and capacity and create a baseline.
Manage Programmes and Projects
Manage Requirements Definition
Manage SolutionsIdentification and Build
BAI02
BAI03
Manage Relationships
Manage Service Agreements
Manage Suppliers
Manage Quality
Manage Risk
Manage Security
APO11
APO12
APO13
Manage the IT Management Framework
Manage Strategy
Manage Enterprise Architecture
Manage Innovation
Manage Portfolio
Manage Budget and Costs
Manage Human Resources
APO05
APO06
APO07
APO08
APO09
APO10
Man
agem
ent
Ensure Risk Optimisation
Ensure Resource Optimisation
Ensure Stakeholder Transparency
Alig
n, P
lan
and
Org
anis
em
ent
APO01
APO02
APO03
APO04
BAI01
Activities associated with each of the governance and management practices in COBIT 5.G
over
nanc
e
Eval
uate
, Dire
ct a
nd M
onito
r
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02
EDM03
EDM04
EDM05
Ensure Benefits Delivery
© 2012 ISACA ‐ Glenfis AG
Domain ID CO5 Processes Governance / Management Practice
Activities associated with each of the governance and management practices in COBIT 5.
BAI04.02 Assess business impact.BAI04.03 Plan for new or changed service requirements.BAI04.04 Monitor and review availability and capacity.BAI04.05 Investigate and address availability, performance and capacity issues.BAI05.01 Establish the desire to change.BAI05.02 Form an effective implementation team.BAI05.03 Communicate desired vision.BAI05.04 Empower role players and identify short-term wins.BAI05.05 Enable operation and use.BAI05.06 Embed new approaches.BAI05.07 Sustain changes.BAI06.01 Evaluate, prioritise and authorise change requests.BAI06.02 Manage emergency changes.BAI06.03 Track and report change status.BAI06.04 Close and document the changes.BAI07.01 Establish an implementation plan.BAI07.02 Plan business process, system and data conversion.BAI07.03 Plan acceptance tests.BAI07.04 Establish a test environment.BAI07.05 Perform acceptance tests.BAI07.06 Promote to production and manage releases.BAI07.07 Provide early production support.BAI07.08 Perform a post-implementation review.BAI08.01 Nurture and facilitate a knowledge-sharing culture.BAI08.02 Identify and classify sources of information.BAI08.03 Organise and contextualise information into knowledge.BAI08.04 Use and share knowledge.BAI08.05 Evaluate and retire information.BAI09.01 Identify and record current assets.BAI09.02 Manage critical assets.BAI09.03 Manage the asset life cycle.BAI09.04 Optimise asset costs.BAI09.05 Manage licences.BAI10.01 Establish and maintain a configuration model.BAI10.02 Establish and maintain a configuration repository and baseline.BAI10.03 Maintain and control configuration items.BAI10.04 Produce status and configuration reports.BAI10.05 Verify and review integrity of the configuration repository.DSS01.01 Perform operational procedures.DSS01.02 Manage outsourced IT services.DSS01.03 Monitor IT infrastructure.DSS01.04 Manage the environment.DSS01.05 Manage facilities.DSS02.01 Define incident and service request classification schemes.DSS02.02 Record, classify and prioritise requests and incidents.DSS02.03 Verify, approve and fulfil service requests.DSS02.04 Investigate, diagnose and allocate incidents.DSS02.05 Resolve and recover from incidents.DSS02.06 Close service requests and incidents.DSS02.07 Track status and produce reports.DSS03.01 Identify and classify problems.DSS03.02 Investigate and diagnose problems.DSS03.03 Raise known errors.DSS03.04 Resolve and close problems.DSS03.05 Perform proactive problem management.DSS04.01 Define the business continuity policy, objectives and scope.DSS04.02 Maintain a continuity strategy.DSS04.03 Develop and implement a business continuity response.DSS04.04 Exercise, test and review the BCP.DSS04.05 Review, maintain and improve the continuity plan.DSS04.06 Conduct continuity plan training.DSS04.07 Manage backup arrangements.DSS04.08 Conduct post-resumption review.DSS05.01 Protect against malware.DSS05.02 Manage network and connectivity security.DSS05.03 Manage endpoint security.DSS05.04 Manage user identity and logical access.DSS05.05 Manage physical access to IT assets.DSS05.06 Manage sensitive documents and output devices.DSS05.07 Monitor the infrastructure for security-related events.DSS06.01 Align control activities embedded in business processes with enterprise objectives.DSS06.02 Control the processing of information.DSS06.03 Manage roles, responsibilities, access privileges and levels of authority.DSS06.04 Manage errors and exceptions.DSS06.05 Ensure traceability of information events and accountabilities.DSS06.06 Secure information assets.MEA01.01 Establish a monitoring approach.MEA01.02 Set performance and conformance targets.MEA01.03 Collect and process performance and conformance data.MEA01.04 Analyse and report performance.MEA01.05 Ensure the implementation of corrective actions.MEA02.01 Monitor internal controls.MEA02.02 Review business process controls effectiveness.MEA02.03 Perform control self-assessments.MEA02.04 Identify and report control deficiencies.MEA02.05 Ensure that assurance providers are independent and qualified.MEA02.06 Plan assurance initiatives.MEA02.07 Scope assurance initiatives.MEA02.08 Execute assurance initiatives.MEA03.01 Identify external compliance requirements.MEA03.02 Optimise response to external requirements.MEA03.03 Confirm external compliance.MEA03.04 Obtain assurance of external compliance.
MEA01
MEA02
MEA03
Monitor, Evaluate and Assess Performance and Conformance
Monitor, Evaluate and Assess the System of Internal Control
Monitor, Evaluate and Assess Compliance with External Requirements
DSS04
DSS05
DSS06
Manage Operations
Manage Service Requests and Incidents
Manage Problems
Manage Continuity
Manage Security Services
Manage Business Process Controls
Manage Knowledge
Manage Assets
Manage Configuration
DSS01
DSS02
DSS03
BAI08
BAI09
BAI10
Manage Availability and Capacity
Manage Organisational Change Enablement
Manage Changes
Manage Change Acceptance and Transitioning
BAI04
BAI05
BAI06
BAI07
Del
iver
, Ser
vice
and
Sup
port
Mon
itor,
Eval
uate
and
Ass
ess
Man
agem
ent
Man
agem
ent
Man
agem
ent
Bui
ld, A
cqui
re a
nd Im
plem
Glenfis AG Seite 1 von 1
ITIL© Edition 2011 - COBIT© 5 Mapping
Stra
tegy
man
agem
ent f
or IT
ser
vice
s
Serv
ice
port
folio
man
agem
ent
Fina
ncia
l man
agem
ent f
or IT
ser
vice
s
Dem
and
man
agem
ent
Bus
ines
s re
latio
nshi
p m
anag
emen
t
Des
ign
coor
dina
tion
Serv
ice
cata
logu
e m
anag
emen
t
Serv
ice
Leve
l Mgm
t
Ava
ilabi
lity
man
agem
ent
Cap
acity
man
agem
ent
IT s
ervi
ce c
ontin
uity
man
agem
ent
Info
rmat
ion
secu
rity
man
agem
ent
Supp
lier m
anag
emen
t
Tran
sitio
n pl
anni
ng a
nd s
uppo
rt
Cha
nge
man
agem
ent
Rel
ease
and
dep
loym
ent m
anag
emen
t
Serv
ice
valid
atio
n an
d te
stin
g
Cha
nge
eval
uatio
n
Kno
wle
dge
man
agem
ent
Even
t man
agem
ent
Inci
dent
man
agem
ent
Req
uest
fulfi
lmen
t
Prob
lem
man
agem
ent
Acc
ess
man
agem
ent
Serv
ice
Rep
ortin
g
The
seve
n-st
ep im
prov
emen
t pro
cess
EDM Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery x
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation x
EDM05 Ensure Stakeholder Transparency x
APO Align, Plan and Organise
APO01 Manage the IT Management Framework x
APO02 Manage Strategy x
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio x x
APO06 Manage Budget and Costs x
APO07 Manage Human Resources x
APO08 Manage Relationships x x
APO09 Manage Service Agreements x x x x x
APO10 Manage Suppliers x
APO11 Manage Quality x
APO12 Manage Risk x
APO13 Manage Security x
BAI Build, Acquire and Implement
BAI01 Manage Programmes and Projects x
BAI02 Manage Requirements Definition x
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity x x
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes x
BAI07 Manage Change Acceptance and Transitioning x x x x x
BAI08 Manage Knowledge x
BAI09 Manage Assets x
BAI10 Manage Configuration x
DSS Deliver, Service and Support
DSS01 Manage Operations x
DSS02 Manage Service Requests and Incidents x x
DSS03 Manage Problems x
DSS04 Manage Continuity x
DSS05 Manage Security Services x
DSS06 Manage Business Process Controls x
MEA Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance x
MEA02 Monitor, Evaluate and Assess the System of Internal Control x
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements x
ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Cabinet Office, and is Registered in the U.S. Patent and Trademark Office, and is used hereby GLENFIS AG
under licence from and with the permission of OC.
COBIT® is a trademark of ISACA registered in the U.S. and other countries. COBIT 5 is an ISACA publication (www.isaca.org) and portions of COBIT 5 appear in this document with permission
from ISACA
Service Operation CSIService
DesignService
TransitionServiceStrategy
Serv
ice
asse
t and
con
figur
atio
n m
anag
emen
t
ITIL© Edition 2011 - COBIT® 5 Mapping
COBIT
Evaluate
Direct Monitor
Plan (APO)
Build (BAI)
Run (DSS)
Monitor (MEA)
Governance of Enterprise IT
(c) Glenfis AG
www.glenfis.ch
www.itil.org
www.ISO20000.chV 2.0
Proc
esse
s fo
r Man
agem
ent o
f Ent
erpr
ise
IT
Eval
uate
, Dire
ct a
nd M
onito
r
Proc
esse
s fo
r Gov
erna
nce
of E
nter
pris
e IT
Alig
n, P
lan
and
Orga
nise
Mon
itor,
Eval
uate
and
Asse
ss
Build
, Acq
uire
and
Impl
emen
t
Deliv
er, S
ervi
ce a
nd S
uppo
rt
EDM
01 E
nsur
eGo
vern
ance
Fram
ewor
k Se
tting
and
Mai
nten
ance
APO0
1 M
anag
eth
e IT
Man
agem
ent
Fram
ewor
k
APO0
8 M
anag
eRe
latio
nshi
ps
APO0
2 M
anag
eSt
rate
gy
APO0
9 M
anag
eSe
rvic
eAg
reem
ents
APO0
3 M
anag
eEn
terp
rise
Arch
itect
ure
APO1
0 M
anag
eSu
pplie
rs
APO0
4 M
anag
eIn
nova
tion
APO1
1 M
anag
eQu
ality
APO0
5 M
anag
ePo
rtfol
io
APO1
2 M
anag
eRi
sk
APO0
6 M
anag
eBu
dget
and
Cos
tsAP
O07
Man
age
Hum
an R
esou
rces
MEA
01 M
onito
r,Ev
alua
te a
nd A
sses
sPe
rform
ance
and
Conf
orm
ance
MEA
02 M
onito
r,Ev
alua
te a
nd A
sses
sth
e Sy
stem
of I
nter
nal
Cont
rol
MEA
03 M
onito
r,Ev
alua
te a
nd A
sses
sCo
mpl
ianc
e W
ithEx
tern
al R
equi
rem
ents
APO1
3 M
anag
eSe
curit
y
DSS0
1 M
anag
eOp
erat
ions
DSS0
2 M
anag
eSe
rvic
e Re
ques
tsan
d In
cide
nts
DSS0
3 M
anag
ePr
oble
ms
DSS0
4 M
anag
eCo
ntin
uity
DSS0
5 M
anag
eSe
curit
ySe
rvic
es
DSS0
6 M
anag
eBu
sine
ssPr
oces
s Co
ntro
ls
BAI0
1 M
anag
ePr
ogra
mm
es a
ndPr
ojec
ts
BAI0
8 M
anag
eKn
owle
dge
BAI0
2 M
anag
eRe
quire
men
tsDe
finiti
on
BAI0
9 M
anag
eAs
sets
BAI0
3 M
anag
eSo
lutio
nsId
entif
icat
ion
and
Build
BAI0
10 M
anag
eCo
nfig
urat
ion
BAI0
4 M
anag
eAv
aila
bilit
y an
d Ca
paci
ty
BAI0
5 M
anag
eOr
gani
satio
nal
Chan
geEn
able
men
t
BAI0
6 M
anag
eCh
ange
s
BAI0
7 M
anag
eCh
ange
Acce
ptan
ce a
ndTr
ansi
tioni
ng
EDM
02 E
nsur
eBe
nefit
s De
liver
yED
M03
Ens
ure
Risk
Opt
imis
atio
n
EDM
04 E
nsur
eRe
sour
ceOp
timis
atio
n
EDM
05 E
nsur
eSt
akeh
olde
rTr
ansp
aren
cy
CO
BIT
5 Pr
oces
s Re
fere
nce
Mod
el
Sour
ce:
COBI
T 5,
figu
re 1
6
© 2 0 1 2 I S A C A . A l l r I g h t S r e S e r v e d . F o r u S A g e g u I d e l I n e S , S e e w w w . i s a c a . o r g / c o B i T u s e .
