Preview of COBIT ® 5 (Differences between v4.0/4.1 and v5) December 8, 2011

Preview of COBIT 5 - isacantx.orgisacantx.org/Presentations/2011-12 Pre - COBIT 5.pdf · Page 5 Preview of COBIT5 COBIT® history COBIT® has evolved from an auditor„s tool to an


Preview of COBIT® 5

(Differences between v4.0/4.1 and v5) December 8, 2011


AGENDA

► Introductions

► Quick COBIT® Overview

► Drivers of COBIT®5 – Increased focus on Enterprise Governance

► Benefits of COBIT®5

► Updated Process Model

► Details of the Change

► New - COBIT® 5 Process Capability Model

► Wrap Up


COBIT® - An Overview


COBIT® 4.1 – The IT governance framework

• Internationally accepted good practices

• Management-oriented

• Supported by tools and training

• Freely available

• Sharing knowledge and leveraging expert volunteers

• Continually evolving

• Maintained by reputable not-for-profit organization

• Maps strongly to all major related standards

• Is a reference, set of best practices, not an “off-the-shelf” cure

The only IT management and control framework that covers the end-to-end IT life cycle

COBIT best practices repository for IT Processes, IT Management Processes and IT Governance Processes


COBIT® history

COBIT® has evolved from an auditor's tool to an IT governance framework, used increasingly by IT management

Figure labels: Governance, Management, Control, Audit

Versions: COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4 (2005)


Introduction to COBIT®


Waterfall model

The control of IT Processes that satisfy Business Requirements is enabled by Control Statements considering Control Practices

4 Domains - 34 Processes - 210 Control Objectives


Processes: A series of joined activities with natural control breaks

Activities or tasks: Actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete

Domains: Natural grouping of processes, often matching an organizational domain of responsibility

Process orientation


IT Domains

Natural grouping of processes, often matching an organisational domain of responsibility

• Plan and Organize

• Acquire and Implement

• Deliver and Support

• Monitor and Evaluate

IT Processes

A series of joined activities with natural (control) breaks

• IT strategy

• Computer operations

• Incident handling

• Acceptance testing

• Change management

• Contingency planning

• Problem management

Activities

Actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete

• Record new problem.

• Analyse.

• Propose solution.

• Monitor solution.

• Record known problem.

Process Orientation


COBIT® processes

Planning and Organizing

PO1 Define a Strategic IT Plan

PO2 Define the Information Architecture

PO3 Determine Technological Direction

PO4 Define the IT Processes, Organisation and Relationships

PO5 Manage the IT Investment

PO6 Communicate Management Aims and Direction

PO7 Manage IT Human Resources

PO8 Manage Quality

PO9 Assess and Manage IT Risks

PO10 Manage Projects

Acquire and Implement

AI1 Identify Automated Solutions

AI2 Acquire and Maintain Application Software

AI3 Acquire and Maintain Technology Infrastructure

AI4 Enable Operation and Use

AI5 Procure IT Resources

AI6 Manage Changes

AI7 Install and Accredit Solutions and Changes


COBIT® processes

Deliver and Support

DS1 Define and Manage Service Levels

DS2 Manage Third-party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Allocate Costs

DS7 Educate and Train Users

DS8 Manage Service Desk and Incidents

DS9 Manage the Configuration

DS10 Manage Problems

DS11 Manage Data

DS12 Manage the Physical Environment

DS13 Manage Operations

Monitor and Evaluate

ME1 Monitor and Evaluate IT Performance

ME2 Monitor and Evaluate Internal Control

ME3 Ensure Regulatory Compliance

ME4 Provide IT Governance


Figure labels:

Business Objectives

Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT Resources: Data, Application Systems, Technology, Facilities, People

Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

COBIT® framework


COBIT® IT processes

Figure labels: Information; Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate

PO1 Define a strategic IT plan.

PO2 Define the information architecture.

PO3 Determine technological direction.

PO4 Define the IT processes, organisation and relationships.

PO5 Manage the IT investment.

PO6 Communicate management aims and direction.

PO7 Manage IT human resources.

PO8 Manage quality.

PO9 Assess and manage IT risks.

PO10 Manage projects.

AI1 Identify automated solutions.

AI2 Acquire and maintain application software.

AI3 Acquire and maintain technology infrastructure.

AI4 Enable operation and use.

AI5 Procure IT resources.

AI6 Manage changes.

AI7 Install and accredit solutions and changes.

DS1 Define and manage service levels.

DS2 Manage third-party services.

DS3 Manage performance and capacity.

DS4 Ensure continuous service.

DS5 Ensure systems security.

DS6 Identify and allocate costs.

DS7 Educate and train users.

DS8 Manage service desk and incidents.

DS9 Manage the configuration.

DS10 Manage problems.

DS11 Manage data.

DS12 Manage the physical environment.

DS13 Manage operations.

ME1 Monitor and evaluate IT performance.

ME2 Monitor and evaluate internal control.

ME3 Ensure regulatory compliance.

ME4 Provide IT governance.


Linking business goals to IT goals


Linking IT goals to IT processes


For 34 IT processes you have …

• Process description

• IT domain & Information indicators

• IT goals

• Process goals

• Key practices

• Key metrics

• IT governance & IT resource


Figure: IT Governance Domains (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement)

1. Strategic Alignment aligning with the business and providing collaborative solutions

2. Value Delivery focus on IT costs and proof of value

3. Risk Management safeguarding assets, business continuity and compliance

4. Resource Management IT assets, knowledge, infrastructure and partners.

5. Performance Measurement metrics, IT Scorecards and dashboards

FOCUS AREAS

Are we doing the right things?

Are we getting the benefits?

Are we getting them done well?

Are we doing them the right way?

Five focus areas of IT governance


Governance lifecycle


COBIT®5 Update


► The initiative charge from the Board of Directors:

► “tie together and reinforce all ISACA knowledge assets with COBIT.”

► The COBIT 5 Task Force:

► experts from ISACA constituency groups

► reports to the Framework Committee and then the Knowledge Board

COBIT ®5 initiative


► Increased Focus on Enterprise Governance

► Link and reinforce all ISACA's Guidance

► Primary - VAL IT, Risk IT

► Considering BMIS, ITAF, TGF, Board Briefing

► Need to connect to other frameworks and standards (such as, ITIL, PMBOK, Prince2, TOGAF, ISO)

► Further guidance in high interest areas

► Improve ease of use, consistency in concepts, terminology, & level of detail

► Scope covers full end-to-end business and IT functional responsibilities

News Major Drivers for COBIT® 5


► Concepts and Objectives

► Enterprises exist to deliver value to their Stakeholders

► Achieved within value and risk parameters and use of resources responsibly

► Governance system “steers” via means and mechanisms within an effective structure

► Incident caused and legislative driven need

► Governance at the top of the agenda for most enterprises

News Increased Focus on Enterprise Governance


Governance Objective


► Practical guidance with consideration of all, unique stakeholders

► Non-technical overarching framework

► Clear distinction between governance and management

► Scope addressing management and governance of information

► Clear migration guidance from prior versions

► Process model updates addressing innovation and emerging technologies

► Addressing governance enablers such as behavior, skills and decision making

News Responding Features from COBIT®5


Distinction between Governance and Management Processes


COBIT ®5 Governance Enablers

• Service Capabilities

• Processes

• Culture, Ethics, Behaviour

• Organisational Structures

• Information

• Principles & Policies

• Skills & Competencies


► Enterprise wide benefits:

► Increased value creation through effective governance and management of enterprise information and technology assets

► Increased business user satisfaction with IT engagement and services – IT seen as a key enabler.

► Increased compliance with relevant laws, regulations and policies

► IT function becomes more business focused

► Increases the COBIT ® 5 users' contribution to the enterprise

Benefits of Using COBIT® 5


► Represents all the processes normally found in an enterprise relating to IT

► Provides a common reference model understandable to IT and business managers.

► Provides a common language

► Provides a framework for measuring, monitoring IT performance, communicating with service providers, and integrating best mgmt. practices

► Subdivides governance (1) and management (4) domains.

► 36 Processes

► VAL IT and Risk IT integrated

News Process Reference Model


Process Reference Model


► 4 Domains to 5 Domains (1 Governance & 4 Management)

► Domains have 3-character acronyms vs. 2-character acronyms:

► EDM (Evaluate, Direct & Monitor)

► APO (Align, Plan & Organization)

► BAI (Build, Acquire & Implement)

► DSS (Deliver, Service & Support)

► MEA (Monitor, Evaluate & Assess)

► 34 COBIT4.1 processes to 5 Governance processes and 31 Management processes in COBIT 5 = 36 processes

News Review of Process Changes


► New and modified processes

► APO3 – Manage Enterprise Architecture (combo of PO2 and PO3)

► APO4 – Management Innovation (new)

► APO5 – Manage Portfolio (previous PO5 Manage IT Investments)

► APO6 – Manage Budget and Costs (previous PO5 IT Investments)

► APO8 – Manage Relationships (new)

► BAI5 – Enable Organizational Change (new)

► BAI8 – Knowledge Management (new)

► DSS2 – Manage Assets (new)

► DSS8 – Manage Business Process Controls (new)

News Review of Process Changes


Process Enabler Model


► A separate publication that expands on the process-enabler model

► Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1

► Process description and purpose

► Goals cascade (enterprise and IT)

► Process goals and metrics

► Process practices, activities and inputs/Outputs at practice level

► RACI Chart

► Integrates contents of 4.1, VAL IT and RISK IT

► Mapping between COBIT 5 and Legacy ISACA Frameworks

News Process Reference Guide


► Architecture changes emphasizing systemic nature of a governance and management system

► Process Model changes

► Integration of COBIT, VAL IT, Risk IT with explicit structural differentiation between governance and management processes

► Framework components reviewed and simplified

News Most important differences between COBIT ®5 and earlier versions.


► Alignment with the most up-to-date views on Governance as expressed in the Taking Governance Forward initiative and ISO/IEC 38500, resulting in an overarching architecture with

o Stakeholder driven governance and management of enterprise IT.

o Governance Objectives being defined in terms of Value, Risk and Resource Use optimization.

► Systemic nature of enterprise governance, demonstrated by

o A set of interconnected and interrelated enablers to support governance of enterprise IT and ensure objectives are achieved

o Note: ISO/IEC 38500 Corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT.

News Architecture Change Principles


News COBIT ®5 Architecture

Figure labels:

• Stakeholder Needs

• Governance Objectives: Value (Benefits, Risk, Resource)

• COBIT 5 Enablers: Service Capabilities; Processes; Culture, Ethics, Behaviour; Organisational Structures; Information; Principles and Policies; Skills and Competencies

• COBIT 5 Knowledge Base: Current guidance and contents; Structure for future contents

• Inputs to the Knowledge Base: Existing ISACA Guidance (COBIT, Val IT, Risk IT, BMIS, …); Other Standards and Frameworks

• Knowledge Base Content Filter

• COBIT 5 Product Family:

o COBIT 5: The Framework

o COBIT 5 Enabler Guides: COBIT 5 : Process Reference Guide; Other Enabler Guidance

o COBIT 5 Practice Guides: COBIT 5 : Framework Implementation Guide; COBIT 5 for Security; Other Practice Guides

o COBIT 5 Online Collaborative Environment


► Addition of a separate 'Governance' domain, which contains five separate governance processes for enterprise IT (5 Domains)

► Continuation of the 'Management' domains concept, where 31 processes are included, spread over four domains. The domains now have 3-character acronyms compared to 2-character acronyms in COBIT 4.1 (PO, AI, DS, ME to EDM, APO, BAI, DSS, MEA).

► Some of the processes are very similar to their predecessors, some are a consolidation of processes in earlier frameworks, and some new processes have been added.

News Process Model Change Principles


► The names have been changed from Business Goals to Enterprise Goals, and from IT Goals to IT Related Goals in order to better reflect that COBIT ® 5 is intended for all sorts of enterprises, not only commercial environments, and the fact that COBIT ® 5 is not only about making sure the IT function is performing, but also that the business functions assume their responsibility in providing the right direction, making good use of IT, and following up on IT investments and use.

► There are now 17 Enterprise Goals and also 17 IT Related goals. The goals are now also written more as outcome statements.

► The stakeholders for IT are now explicitly named, and there are also some illustrative stakeholder issues included in the guidance to show how the framework addresses them.

News Framework Component Changes


News Enterprise Goals


News IT Related Goals


News Internal Stakeholder Needs


News External Stakeholder Needs


► Process Capability Model

► Based on ISO/IEC 15504 “Software Engineering – Process Assessment Std.”

► Different from the COBIT ® 4.1 Maturity Model in design and use.

► Focus on capability

News The NEW COBIT ® 5 Process Capability Model


► Six levels of capability including “incomplete”

► Each level can be achieved only when the level below is fully achieved

► Level 1 is “largely achieved” and benefits realized by the organization

► Higher capabilities add differing attributes and benefits

News Process Capability Model Characteristics


► Naming and meaning of levels are different

► Process is described in terms of its purpose and outcomes

► Maturity level in COBIT ®4 and capability level in COBIT ®5 are not directly comparable and cannot be used interchangeably or mixed.

► Scores in COBIT ®5 will be lower due to completion of all process capabilities at lower level

► Nine Process Capability Attributes (v5) vs. six maturity Attributes (v4)

News Differences - COBIT ®5 PCM and COBIT ®4.1 MM


COBIT 4.1 Maturity Model Comparison to COBIT 5 Process Capability Levels


Comparison of v4 Maturity Attributes vs. v5 Process Capability Attributes


► COBIT ®5 Major changes

► Consolidation of frameworks

► Adjustment of domains and processes

► 4 to 5 domains

► 34 to 36 IT Processes

► Assessment process changed to focus on Capability using ISO 15504

News COBIT ®5 Preview Summary


► An enterprise wide, “end-to-end” framework addressing governance and management of information and related technology

► The framework structure will include familiar components such as a domain/process model and other components such as governance/management practices, RACI charts and inputs/outputs.

► An initial publication introduces, defines and describes the components that make up the COBIT®5 Framework

► Principles

► Architecture

► Enablers

► Introduction to implementation guidance and the COBIT process assessment approach

The COBIT® 5 Framework – What will be delivered?


• As the initiative progresses throughout 2011 and 2012 there will be periodic updates provided:

On the ISACA web site, www.isaca.org/COBIT5

In the COBIT Focus newsletter

In other ISACA membership communications, events, marketing materials and PR activities

• Watch these spaces for more news!

COBIT® 5 news


Thank you

Contact details:

Ernst & Young’s

IT Risk Management Center of Excellence

Josh Turcotte, CISA

Email: [email protected]

Phone: (214) 969 0678 (Dallas)

Stacey Hamaker, CISA CIA

Email: [email protected]

Phone: (214) 969 8832 (Dallas)

This presentation contains materials that are property of ISACA and Ernst & Young. All rights reserved.