COBIT 5. ISACA Malta Chapter Steven Babb Dirk Steuperaert

1 COBIT 5 ISACA Malta Chapter Steven Babb Dirk Steuperaert

2 Steven Babb Education 1 st Class BSc (Hons) Computing (1996) BS7799 Lead Auditor, ITIL Service Manager Prince 2 Certified Practitioner CGEIT, CRISC Professional Career International Brewer, various roles ( ) KPMG, Head of IT Risk ( ) Betfair, Head of Governance, Risk & Assurance (2012- ) Professional Organisations RiskIT Task Force, COBIT 5 Task Force, Cloud Computing Task Force Framework Committee Chair, COBIT for Risk Chair Contact steven.babb@betfair.com

3 Dirk Steuperaert Education Master Engineering (Ugent, 1986) Master Computer Auditing (UAMS, 1995) CISA (1995), CGEIT (2009), CRISC (2011) Professional Career Software Engineer (SWIFT) ( ) IT Auditor (SWIFT, BBL, Cedel) ( ) Consultant (PwC, ) Independent Consultant (IT In Balance, ) Professional Organisations ISACA (COBIT Steering Committee, Lead Developer of Risk IT, Project Manager of COBIT 5 Development, Project Manager for COBIT 5 for Risk, COBIT 5 for Assurance) Contact dirk.steuperaert@it-in-balance.be

4 Objectives for this session To provide you with: An overview of the development approach behind COBIT 5 and a brief history of COBIT An understanding of the key principles underpinning the COBIT 5 framework Key considerations on how to implement COBIT 5 Additional COBIT 5 publications what is here now and what is coming next Thoughts on migration from legacy to COBIT 5

5 Agenda
1. COBIT 5 Drivers (Steven)
2. COBIT 5 Framework: COBIT 5 Principles (Steven)
3. COBIT 5 Framework: Enablers (Steven)
4. COBIT 5 Framework: Process Capability Model (Dirk)
5. COBIT 5 Enabling Processes: Introduction (Dirk)
6. COBIT 5 Enabling Processes: Structure (Dirk)
7. COBIT 5 Enabling Processes: Overview of COBIT 5 Process Domains and Processes (Dirk)
8. COBIT 5 Implementation Guide (Dirk)
9. Additional Pubs: COBIT 5 for Security, COBIT 5 PAM (Steven)
10. Upcoming Pubs: COBIT 5 for Assurance, COBIT 5 for Risk (Steven)
11. Migrating to COBIT 5: some more things to consider (Dirk)
12. Q&A

6 1. 1. Introduction & COBIT 5 Drivers

7 Introduction: The Basic Equation 1
A Framework definition, contrasted with what a framework is not:
Framework vs. Standard
Framework vs. Complete Solution
Framework vs. Ready-to-use Solution
Framework: Structures and components
Framework: Way of thinking
Framework: Basis that needs customisation

8 COBIT The Word 1 The very original acronym COBIT stood for Control Objectives for Information and Related Technology The control objectives are gone now well, at least the name has But Information and Related Technology stand! Information is a key resource for all enterprises Information is created, used, retained, disclosed and destroyed Technology plays a key role in these actions Technology is becoming pervasive in all aspects of business and personal life

9 COBIT Enterprise Context and Benefits 1 Today, enterprises and their executives have to: Maintain high-quality information Generate business value from IT-enabled investments Achieve operational excellence Maintain IT-related risk at an acceptable level Optimise the cost of IT services and technology Comply with ever-increasing relevant laws, regulations, contractual agreements and policies COBIT 5 provides the framework to fulfill these requirements

10 Drivers for COBIT 5: Changing World 1 The world has moved on since COBIT 4.1 and related ISACA Guidance were published: Importance of information Role of technology Technology landscape Views on governance and standards landscape Economic context Regulatory context Need for rationalisation of various ISACA guidance

11 Drivers for COBIT 5: Stakeholder Value 1 Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets Enterprise boards, executives and management have to embrace IT like any other significant part of the business COBIT 5 provides the comprehensive framework for enterprises to: achieve their goals deliver value through effective governance and management of enterprise IT

12 The COBIT 5 Framework 1 Simply stated: COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector

13 Evolution of scope COBIT: Its development history 1 Governance of Enterprise IT IT Governance Management Val IT 2.0 (2008) Control Audit Risk IT (2009) COBIT1 COBIT2 COBIT3 COBIT4.0/4.1 COBIT / A business framework from ISACA, at

14 COBIT 5: Timeline 1
Sep 2009: Joint FC-C5TF Kick-Off Meeting
Nov 2009: Start of Design
Feb 2010: Dev Team Meeting
Apr 2010: C5TF Meeting
May 2010: First SME Development Workshop
Aug 2010: Second SME Development Workshop
Oct 2010: Dev Team Meeting
Dec 2010: C5TF Meeting
Jan 2011: End of Design
29/03/2011: SME Exposure COBIT 5
May 2011: C5TF Meeting
1/07/2011: Public Exposure COBIT 5 Framework and Process Guide
Nov 2011: Final C5TF Meeting
Jan 2012: End of Development
10/04/2012: Publication COBIT 5
3/09/ /04/ /03/2010: Public Exposure COBIT 5 Architecture Blueprint

15 1. 2. COBIT 5 Framework (1) COBIT 5 Principles

16 The COBIT 5 Framework 2 The main, overarching COBIT 5 product Contains the executive summary and the full description of all of the COBIT 5 framework components: The COBIT 5 principles there are 5 of them! The seven COBIT 5 enablers An introduction to the implementation guidance (COBIT 5 Implementation) An introduction to the COBIT Assessment Programme (not specific to COBIT 5)

17 The COBIT 5 Principles 2

18 The COBIT 5 Principles 1. Meeting Stakeholder Needs 2 Enterprises exist to create value for their stakeholders. Therefore: Governance Objective = Value Creation Governance objectives driven by stakeholder needs Value is the interaction and combination of three components

19 The COBIT 5 Principles 1. Meeting Stakeholder Needs 2 Enterprises exist to create value for their stakeholders Therefore: Governance objectives need to be translated into manageable goals This is the COBIT 5 goals cascade This translates stakeholder needs into specific, actionable and customised goals

20 The COBIT 5 Principles 2. Covering the Enterprise End-to-End 2 COBIT 5: Integrates governance of enterprise IT into enterprise governance Covers all functions and processes within the enterprise Key components of a governance system: Governance Enablers the organisational resources for governance Governance Scope the entity to which governance is applied

21 The COBIT 5 Principles 2. Covering the Enterprise End-to-End 2 Third component: the governance roles, activities and relationships. defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system

22 The COBIT 5 Principles 3. Integrated Framework 2 COBIT 5 aligns with the latest relevant other standards and frameworks: Enterprise: COSO, COSO ERM, ISO 9000, ISO IT-related: ISO 38500, ITIL, ISO27000 series, TOGAF, PMBOK/PRINCE2, CMMI, This allows COBIT 5 to be used as the overarching governance and management framework integrator COBIT 5 also integrates all major ISACA guidance: COBIT 4.1, Risk IT, Val IT, BMIS, ITAF One consistent knowledge-base to build the COBIT 5 Product Family on

23 The COBIT 5 Principles 3. Integrated Framework 2

24 The COBIT 5 Principles 4. Enabling a Holistic Approach 2 Enablers are factors that, individually and collectively, influence whether something will work Enablers are driven by the goals cascade The COBIT 5 framework describes seven categories of enablers

25 The COBIT 5 Principles 5. Separating Governance from Management 2 Governance: Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives [EDM] Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives [PBRM]

26 The COBIT 5 Principles 5. Separating Governance from Management 2

27 1. 3. COBIT 5 Framework (2) COBIT 5 Enablers and the Enabler Model

28 The COBIT 5 Enablers 3

29 The COBIT 5 Enabler Model 3

30 The COBIT 5 Enabler Model 3 This generic enabler model is repeated for each of the seven enablers, adding more specific details, guidance and some simple examples

31 The COBIT 5 Enabler Model Performance Management 3

32 1. 4. COBIT 5 Framework (3) COBIT 5 Process Capability Model

33 The COBIT 5 Framework Process Capability Model 4 COBIT 5 is supported by a new process capability assessment approach based on ISO/IEC 15504: the COBIT Assessment Programme. The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IEC approach as the methods use different attributes and measurement scales In Practice In general, ratings of a process will be lower with the new capability assessment approach (but are not comparable anyway) COBIT 5 does not include a specific maturity model per process

34 Recap of Process Evaluation Methods: COBIT 4.1 4

35 Recap of Process Evaluation Methods: Risk IT 4

36 The COBIT 5 Framework Process Capability Model 4

37 Recap of Process Evaluation Methods Rationale for change 4 The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method The COBIT Assessment Programme supports formal assessments by accredited assessors (assessor training is being developed) and less rigorous self-assessments for internal gap analysis and process improvement planning The COBIT Assessment Programme, in the future, will also potentially enable an enterprise to obtain an independent and certified assessment aligned to the ISO standard

38 Recap of Process Evaluation Methods Rationale for change 4 COBIT4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach: realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach Information gathered from previous assessments may be reusable, but needed as there are significant differences in requirements COBIT 4.1, Val IT and Risk IT users wishing to continue with the CMM-based approach, either as an interim or on-going approach, can use the COBIT 5 guidance, but must use the COBIT4.1 generic attribute table without the high-level maturity models

39 Recap of Enabler Performance Management

40 Assessing Other Enablers 4 The ISO15504 based approach is a process assessment scheme The generic enabler performance model aligns quite well with the approach same basic questions asked So performance of other enablers can be assessed in a similar manner BUT: COBIT 5 as it stands does not elaborate this explicitly as it does for processes

41 1. 5. COBIT 5 Enabling Processes Introduction

42 COBIT 5 Enabling Processes Detailed Process Guidance 5 COBIT 5 goals cascade complemented with example metrics for the enterprise goals and the IT-related goals COBIT 5 process model is explained and its components defined Process reference model of 37 processes with detailed information for all processes

43 COBIT 5 Enabling Processes COBIT 5 Process Model 5

44 COBIT 5 Enabling Processes Process Reference Model 5

45 1. 6. COBIT 5 Enabling Processes Structure

46 COBIT 5 Enabling Processes Detailed Process Guidance 6

47 COBIT 5 Enabling Processes Detailed Process Guidance 6 COBIT 5 provides a revised goals cascade based on Enterprise goals (previously: Business Goals) driving IT-related goals (previously: IT Goals) and then supported by critical Enablers (previously: Processes) COBIT 5 provides examples of goals and metrics at the enterprise, IT related and process levels This is a change to COBIT 4.1, Val IT and Risk IT which went down one level lower but did not have the higher level

48 COBIT 5 Enabling Processes Detailed Process Guidance 6 Each process starts with: Header information Process description Process Purpose Statement

49 COBIT 5 Enabling Processes Detailed Process Guidance 6 Goals cascade information: IT Related goals supported by this process + related metrics Process Goals + related metrics

50 COBIT 5 Enabling Processes Detailed Process Guidance 6

51 COBIT 5 Enabling Processes Detailed Process Guidance 6 Process Practices, with Inputs & outputs Process activities RACI chart

52 COBIT 5 Enabling Processes Detailed Process Guidance 6

53 COBIT 5 Enabling Processes Detailed Process Guidance 6

54 COBIT 5 Enabling Processes Detailed Process Guidance 6 Related guidance

55 1. 7. COBIT 5 Enabling Processes Process Domains and Processes

56 The COBIT 5 Process Reference Guide Process Reference Model 7

57 The COBIT 5 Process Reference Guide Process Reference Model EDM 7
Evaluate, Direct & Monitor: Processes for Governance of Enterprise IT: EDM1 Ensure Governance Framework Setting and Maintenance; EDM2 Ensure Benefits Delivery; EDM3 Ensure Risk Optimisation; EDM4 Ensure Resource Optimisation; EDM5 Ensure Stakeholder Transparency
Process / Process Purpose:
EDM01 Ensure Governance Framework Setting and Maintenance: Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met
EDM02 Ensure Benefits Delivery: Secure optimal value from IT-enabled initiatives, services and assets, cost-efficient delivery of solutions and services, and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently

58 The COBIT 5 Process Reference Guide Process Reference Model EDM 7
Process / Process Purpose:
EDM03 Ensure Risk Optimisation: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised
EDM04 Ensure Resource Optimisation: Ensure that the resource needs of the enterprise are met in the most optimal manner, IT costs are optimised, and there is an increased likelihood of benefit realisation and readiness for future change
EDM05 Ensure Stakeholder Transparency: Make sure that the communication to stakeholders is effective and timely and the basis for reporting is established to increase performance, identify areas for improvement, and confirm that IT-related objectives and strategies are in line with the enterprise's strategy

59 The COBIT 5 Process Reference Guide Process Reference Model APO 7
Align, Plan & Organise: Processes for Management of Enterprise IT: APO1 Manage the IT Management Framework; APO2 Manage Strategy; APO3 Manage Enterprise Architecture; APO4 Manage Innovation; APO5 Manage Portfolio; APO6 Manage Budget & Costs; APO7 Manage Human Resources; APO8 Manage Relationships; APO9 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
Process / Process Purpose:
APO01 Manage the IT Management Framework: Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies
APO02 Manage Strategy: Align strategic IT plans with business objectives, clearly communicate the objectives and associated accountabilities so they are understood by all, with the IT strategic options identified, structured and integrated with the business plans
APO03 Manage Enterprise Architecture: Represent the different building blocks that make up the enterprise and their interrelationships as well as the principles guiding their design and evolution over time, enabling a standard, responsive and efficient delivery of operational and strategic objectives

60 The COBIT 5 Process Reference Guide Process Reference Model APO 7
Process / Process Purpose:
APO04 Manage Innovation: Achieve competitive advantage, business innovation, and improved operational effectiveness and efficiency by exploiting information technology developments
APO05 Manage Portfolio: Optimise the performance of the overall portfolio of programmes in response to programme and service performance and changing enterprise priorities and demands
APO06 Manage Budget and Costs: Enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services

61 The COBIT 5 Process Reference Guide Process Reference Model APO 7
Process / Process Purpose:
APO07 Manage Human Resources: Optimise human resources capabilities to meet enterprise objectives
APO08 Manage Relationships: Create improved outcomes, increased confidence, and trust in IT and effective use of resources
APO09 Manage Service Agreements: IT services and service levels meet current and future enterprise needs

62 The COBIT 5 Process Reference Guide Process Reference Model APO 7
Process / Process Purpose:
APO10 Manage Suppliers: Minimise the risk associated with non-performing suppliers and ensure competitive pricing
APO11 Manage Quality: Consistent delivery of solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs
APO12 Manage Risk: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk
APO13 Manage Security: Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels

63 The COBIT 5 Process Reference Guide Process Reference Model BAI 7
Build, Acquire & Implement: Processes for Management of Enterprise IT: BAI1 Manage Programmes and Projects; BAI2 Manage Requirements Definition; BAI3 Manage Solutions Identification & Build; BAI4 Manage Availability & Capacity; BAI5 Manage Organisational Change Enablement; BAI6 Manage Changes; BAI7 Manage Changes Acceptance and Transitioning; BAI8 Manage Knowledge; BAI9 Manage Assets; BAI10 Manage Configuration
Process / Process Purpose:
BAI01 Manage Programmes and Projects: Realise business benefits and reduce the risk of unexpected delays, costs and value erosion, ensuring the value and quality of project deliverables, and maximising their contribution to the investment and services portfolio
BAI02 Manage Requirements Definition: Create feasible optimal solutions that meet enterprise needs while minimising risk
BAI03 Manage Solutions Identification and Build: Establish timely and cost-effective solutions capable of supporting enterprise strategic and operational objectives

64 The COBIT 5 Process Reference Guide Process Reference Model BAI 7
Process / Process Purpose:
BAI04 Manage Availability and Capacity: Maintain service availability, efficient management of resources and optimisation of system performance through prediction of future performance and capacity requirements
BAI05 Manage Organisational Change Enablement: Prepare and commit stakeholders for business change and reduce the risk of failure
BAI06 Manage Changes: Enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment

65 The COBIT 5 Process Reference Guide Process Reference Model BAI 7
Process / Process Purpose:
BAI07 Manage Changes, Acceptance and Transitioning: Implement solutions safely and in line with the agreed-on expectations and outcomes
BAI08 Manage Knowledge: Provide the knowledge required to support all staff in their work activities and for informed decision making and enhanced productivity
BAI09 Manage Assets: Account for all IT assets and optimise the value provided by these assets
BAI10 Manage Configuration: Provide sufficient information about service assets to enable the service to be effectively managed, to assess the impact of changes and to deal with service incidents.

66 The COBIT 5 Process Reference Guide Process Reference Model DSS 7
Deliver, Service & Support: Processes for Management of Enterprise IT: DSS1 Manage Operations; DSS2 Manage Service Requests & Incidents; DSS3 Manage Problems; DSS4 Manage Continuity; DSS5 Manage Security Services; DSS6 Manage Business Process Controls
Process / Process Purpose:
DSS01 Manage Operations: Deliver IT operational service outcomes as planned
DSS02 Manage Service Requests and Incidents: Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents
DSS03 Manage Problems: Increase availability, improve service levels, reduce costs, and improve customer convenience and satisfaction, by reducing the number of operational problems

67 The COBIT 5 Process Reference Guide Process Reference Model DSS 7
Process / Process Purpose:
DSS04 Manage Continuity: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption
DSS05 Manage Security Services
DSS06 Manage Business Process Controls: Maintain information integrity and the security of information assets handled within business processes in the enterprise or outsourced

68 The COBIT 5 Process Reference Guide Process Reference Model MEA 7
Monitor, Evaluate & Assess: Processes for Management of Enterprise IT: MEA1 Monitor, Evaluate and Assess Performance and Conformance; MEA2 Monitor, Evaluate and Assess the System of Internal Control; MEA3 Monitor, Evaluate and Assess Compliance with External Requirements
Process / Process Purpose:
MEA01 Monitor, Evaluate and Assess Performance and Conformance: Provide transparency of performance and conformance and drive achievement of goals
MEA02 Monitor, Evaluate and Assess the System of Internal Control: Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements: The enterprise is compliant with all applicable external requirements

69 1. 8. COBIT 5 Implementation Guide

70 COBIT 5 Implementation 8 COBIT 5: Implementation covers the following subjects: Positioning GEIT within an enterprise Taking the first steps towards improving GEIT Implementation challenges and success factors Enabling GEIT-related organisational and behavioural change Implementing continual improvement that includes change enablement and programme management Using COBIT 5 and its components

71 Migrate to COBIT 5 or stay with COBIT 4? Some considerations... 8 COBIT 4.1 COBIT 5

72 Migrate to COBIT 5 or stay with COBIT 4? Some considerations 8 COBIT 5 because we have to do it COBIT 5 because we want to do it

73 Roadmap to COBIT 5 If you adopt COBIT 5: It's the enablers 8 Recap: it's the enablers that make governance work. So: the roadmap to COBIT implies working on all these enablers: Defining and implementing processes Putting in place effective organisational structures Defining the right information streams Developing the right culture and associated behaviours Having the right skills, competences and (number of) people

74 COBIT 5 Implementation Roadmap 8

75 Roadmap to COBIT 5 Step 1: Why would we do it? 8
What are the drivers for a COBIT 5 implementation?
Are there any existing pains? Lack of control? Growing number of loose ends? Uncertain ROI of investments?
Any important trigger events? Major new project? External pressure? Regulatory pressure?
Questions: Are these issues real? If not, in theory there is no need to act urgently. If real issues exist, is the Board convinced that something needs to be done here?

76 Roadmap to COBIT 5 Step 2: Where are we now? 8 Assess the Current Situation: Determine based on existing pains, the relevant areas for you in COBIT 5 Diagnosis/High-Level Review of selected governance enablers should be made, resulting in Capability score of processes Evaluations of other enablers

77 Roadmap to COBIT 5 Step 3: Where do we want to be? 8 Express target levels for capability of enablers This applies to processes, but also to other enablers Remember: Raising your level of governance capability: Requires resources, including time Has to be subject to a business case!

78 Success Factors 8 Some key success factors, without which failure is guaranteed: Continuous top management support and commitment Resources Regular success stories & quick wins Understanding key objectives (see next slide)

79 Governance often perceived as this (chart: Benefits, Risk and Resources, before and after)

80 Governance could also result (preferably) in this 8 (chart: Benefits, Risk and Resources, before and after)

81 Some quotes recorded during COBIT 5 development 8

82 Some quotes recorded during COBIT 5 development 8 Quote 1 COBIT 5 is not a framework for the IT people Quote 2 Organisations have the IT they deserve

83 1. 9. Additional COBIT 5 Publications - COBIT 5 for Information Security - COBIT Assessment Programme

84 Additional Publications COBIT 5 for Information Security 9 This is an extended view of COBIT 5 It explains each component of COBIT 5 from an information security perspective It provides security professionals with detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise

85 Additional Publications COBIT Assessment Programme 9 This enables the evaluation of selected IT processes a view on process capability Process improvement, delivering business value, measuring the achievement of business goals, benchmarking, consistent reporting, etc Processes can be assessed individually or alternatively in groups. Scoping areas include: Capability of processes to support cloud services Capability of processes to support achievement of IT and business goals Capability of processes to support SOX compliance Capability of processes to support the enterprise governance of IT

86 Upcoming COBIT 5 Publications - COBIT 5 for Assurance - COBIT 5 for Risk

87 COBIT 5 for Assurance 10 This creates an information assurance view of COBIT 5 It provides guidance for ISACA's information assurance constituents It should be considered as the assurance equivalent of COBIT 5 for Information Security It is scheduled to be available in the second quarter of 2013, currently proposed to be launched at Insights 2013

88 COBIT 5 for Assurance 10 In COBIT 5, governance/management practices are the replacements for the COBIT 4.1 control objectives The Val IT and Risk IT practices In COBIT 5, the focus is on enabler goals Achievement of enabler goals can be assessed: Are goals achieved associated metrics at various levels in the cascade Is appropriate good practice applied (design question) Are process activities (which include control activities) adequately performed? Is the process capability level adequate or fit for purpose?

89 COBIT 5 for Risk 10 This creates an information risk view of COBIT 5 It will serve as the information risk specific guidance for ISACA's information risk constituents It should be considered as the risk-focused equivalent of COBIT 5 for Information Security It is scheduled to be available in the second quarter of 2013, currently proposed to be launched at Insights 2013

90 Some more migrating implementation considerations. How to put COBIT 5 to use in practice?

91 COBIT 5 Has Arrived Now What? Meeting Stakeholder Needs Are they? 11 Example Stakeholder question: How do I get value from IT? Do I get value from IT? COBIT 5: Value is the key driver for all enablers; COBIT 5 describes the organisational structures, processes, behaviours, information flows etc. that are needed to have IT deliver value to the enterprise; COBIT 5 also describes the mechanisms to analyse performance of all enablers, and includes a roadmap for a Governance improvement project COBIT 5 contains specific processes and other enablers for value management, e.g. EDM02, APO05 and the linked organisational structures, information flows etc.

92 COBIT 5 Has Arrived Now What? Meeting Stakeholder Needs Are they? 11 Example Stakeholder question: How do I manage performance of IT? Am I running an efficient and resilient IT operation? How do I best build and structure my IT department? COBIT 5 defines a set of interacting enablers that when working and interacting well provide a performing IT for the enterprise; COBIT 5 includes a generic enabler model with a performance management module. Using this model to assess all enablers systematically will provide accurate and useful performance data; COBIT 5 contains metrics associated with goals at various levels these metrics can be included in a performance mgmnt system Dealing with the efficiency and resilience questions can be done by putting appropriate emphasis and priority on specific processes and other enablers

93 COBIT 5 Has Arrived, Now What? Meeting Stakeholder Needs: Are they? (agenda item 11)
Example stakeholder question: How do I know if I'm compliant with all applicable regulations? Am I?
- COBIT 5 includes a number of processes that specifically deal with compliance, from identifying compliance requirements, through implementing appropriate controls, to (independent) evaluation of compliance; the goals cascade includes several compliance-related goals at various levels
- COBIT 5 extends towards business processes, ensuring that compliance requirements are taken care of consistently throughout the enterprise
- The mechanisms to assess the performance of these processes and other enablers can be used to manage the performance of the compliance system

94 COBIT 5 Has Arrived, Now What? Meeting Stakeholder Needs: Are they? (agenda item 11)
Example stakeholder question: Did I address all IT-related risks?
- COBIT 5 includes several IT-risk-related goals at various levels which, when prioritised correctly, will identify the relevant processes and other enablers to manage risk
- Specific processes at governance and management level deal with risk management, e.g. EDM03, APO12, APO13 and the MEA domain
- The same applies to organisational structures, specific skills etc.
- Again, the built-in performance system allows the performance and outcome of all enablers to be monitored, providing an accurate view of the current status
- Where improvements are needed, the Implementation Guide provides a roadmap towards enhanced governance practices

95 Finally, one word on complexity (agenda item 11)
- More than 32 definitions of complexity exist
- Is COBIT 5 complex? YES, because it covers a complex matter and provides a model to deal with this complexity. Models are a simplification of reality to the level where the model is still relevant: simplification, but not simplistic!
- Is COBIT 5 complex? NO, because if "complex" is defined as the time needed to understand it (for a normal person), then we could argue that it is not very complex: 5 principles and seven enablers, each with four dimensions

96 Some final advice
- The basic equation: a framework is a framework
- COBIT 5 is comprehensive in its vision on governance, BUT a lot remains to be done by yourselves, based on individual circumstances
- We already possess the most important tool required for that (shown at the right)

97 Q & A


More information

ISO 27001 Gap Analysis - Case Study

ISO 27001 Gap Analysis - Case Study ISO 27001 Gap Analysis - Case Study Ibrahim Al-Mayahi, Sa ad P. Mansoor School of Computer Science, Bangor University, Bangor, Gwynedd, UK Abstract This work describes the initial steps taken toward the

More information

<Business Case Name> <Responsible Entity> <Date>

<Business Case Name> <Responsible Entity> <Date> (The entity Chief Information Officer, Chief Financial Officer and Business Area programme Lead must sign-off the completed business case) Signed: Date:

More information

How To Transform It Risk Management

How To Transform It Risk Management The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand Integration of Risk Management and Internal Audit Chartered Institute of Management Accountants, New Zealand Contents Understanding the three lines of defense governance model What is Risk? Risk Management

More information

Sound Transit Internal Audit Report - No. 2014-6

Sound Transit Internal Audit Report - No. 2014-6 Sound Transit Internal Audit Report - No. 2014-6 Maturity Assessment: Information Technology Division Disaster Recovery Planning Report Date: June 5, 2015 Table of Contents Page Executive Summary 2 Background

More information

Somewhere Today, A Project is Failing

Somewhere Today, A Project is Failing Aligning CobiT and ITIL - The Business Benefit 2007 ISACA All rights reserved www.isaca.org Page - 1 Somewhere Today, A Project is Failing Chapter 1, Peopleware 2nd edition Tom DeMarco 2007 ISACA All rights

More information

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 Debbie Lew Agenda Review what is IT governance Review what is IT risk management A discussion of key IT risks to be aware of Page 2

More information

Relationship Manager (Banking) Assessment Plan

Relationship Manager (Banking) Assessment Plan Relationship Manager (Banking) Assessment Plan ST0184/AP03 1. Introduction and Overview The Relationship Manager (Banking) is an apprenticeship that takes 3-4 years to complete and is at a Level 6. It

More information

Anatomy of an Enterprise Software Delivery Project

Anatomy of an Enterprise Software Delivery Project Chapter 2 Anatomy of an Enterprise Software Delivery Project Chapter Summary I present an example of a typical enterprise software delivery project. I examine its key characteristics and analyze specific

More information

IT Governance Regulatory. P.K.Patel AGM, MoF

IT Governance Regulatory. P.K.Patel AGM, MoF IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management Agenda Introduction to Enterprise Security framework Overview of security

More information

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface. iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 1.1 Overview 4 1.2 Context 4 1.3 Purpose 8 1.4 Usage 8 2 Management

More information