INFORMATION TECHNOLOGY FLASH REPORT

ISACA Releases COBIT 5: Updated Framework for the Governance and Management of IT

May 18, 2012

In April, ISACA released COBIT 5 as a replacement for its current globally accepted business framework, COBIT 4.1. This framework has gained broad acceptance and has been used widely over the last 15 years to provide guidance on the governance and management of IT to users from business, IT, risk, security and assurance functions. COBIT continues to be recognised as a leading framework for providing guidance on the design and evaluation of IT governance processes and controls.

Several business-related events and failures over the last decade, many on a global scale, have heightened the focus on governance as stakeholder expectations have evolved. There has been greater attention to risk and risk-based approaches, increased reliance on new and more complex technologies, the introduction of more complex organisational structures (including outsourcing), constant changes in regulatory requirements, and rising security threats. Successful organisations that have survived the challenges of the last decade have demonstrated the importance of good governance, which has moved it to the top of the agenda at all levels of the enterprise.

Drivers for Change

Organisations operating in today's challenging and dynamic business environment have driven the need for this change. Stakeholders require an increased understanding of how IT investments create value for the organisation. Business users are demanding improved engagement for IT services, and there is an ever-increasing demand for compliance with relevant laws, regulations and policies. Other drivers cited by ISACA in its release of COBIT 5 include:

- The requirement to help stakeholders better understand how various frameworks, good practices and standards are positioned relative to each other, how they can be used together and how they could augment each other.
- A need to ensure that the scope covers the full end-to-end business and IT functional responsibilities, as well as all aspects that lead to effective governance and management of enterprise IT, such as organisational structures, policies and culture, over and above the current processes. This is especially important given the increasing pervasiveness of IT, and it helps increase transparency.
- A need to provide further guidance in areas of high interest, such as enterprise architecture, asset and service management, and the management of IT innovation and emerging technologies.
- A need to link together and reinforce all major ISACA research, frameworks and guidance, with a primary focus on COBIT, Val IT and Risk IT, but also considering, amongst others, the Business Model for Information Security (BMIS), the Information Technology Assurance Framework (ITAF), Board Briefing on IT Governance, and Taking Governance Forward.
- A need to connect to and, where relevant, align with other major frameworks and standards, such as the Information Technology Infrastructure Library (ITIL), The Open Group Architecture Forum (TOGAF), the Project Management Body of Knowledge (PMBOK), PRojects IN Controlled Environments 2 (PRINCE2) and the International Organisation for Standardisation (ISO) standards.
- Recognition that there are many current and potential users who wish to focus on specific topics and who find it difficult to navigate current material and identify content that will satisfy their requirements. There is also a general need to improve ease of use and navigation and to bring consistency to the concepts, terminology and level of detail provided by ISACA.

What has changed for COBIT 5?

ISACA has revisited and restructured the COBIT framework design to ensure complete coverage of all major aspects of the governance and management of enterprise IT. Five new governance processes are introduced in the updated framework, which builds and expands on COBIT 4.1. Other major frameworks, standards and resources are now integrated into COBIT 5, including ISACA's Val IT and Risk IT, the Information Technology Infrastructure Library (ITIL), TOGAF and ISO/IEC 27001. The intention of COBIT 5 is to provide a full enterprise-level view of business practices that actively reflects the current pervasive enterprise-wide nature of IT use.

To achieve this, the process reference model outlined in COBIT 4.1 has been revised, and a new governance domain has been introduced together with several new and amended processes. COBIT 5 also makes the IT involvement, responsibilities and accountability of business stakeholders more explicit and transparent. ISACA believes this new framework will help enterprises achieve strategic goals and operational efficiency by maintaining high-quality and low-risk information technology services.

ISACA has produced a detailed document comparing COBIT 5 with COBIT 4.1 that identifies nine of the major differences. This forms the basis of the following summary. [1]

The new framework is based on five key principles:

1. A focus on meeting stakeholder needs

COBIT 5 includes new guidance on the required processes and enablers to support business value creation through the use of IT. The focus on stakeholder needs emphasises the need to maintain balance between benefits realisation and the optimisation of risk and resources. COBIT 5 provides an approach that can be tailored to suit the needs of an enterprise through a revised goals cascade, which interprets high-level enterprise goals into specified IT-related goals that can be mapped to specific processes and principles for implementation. The revised goals cascade is based on enterprise goals driving IT-related goals and critical processes. Example goals and metrics at the enterprise, process and management practice levels are provided to assist management with assessing whether alignment of goals has been achieved.

2. Covering the enterprise end-to-end

COBIT 5 follows the same goal and metric concepts as COBIT 4.1 but integrates the governance of enterprise IT into enterprise governance. The updated framework integrates and updates the previous content into a new model with an enterprise-level view that makes it easier for users to understand, and hence implement, improvement. Information and related technologies are treated as assets that need to be managed by all users and that cover all functions and processes within an enterprise, not just those specific to an IT function. COBIT 5's revised process reference model subdivides the IT elements of an enterprise into two principal domains, Governance and Management, which now cover enterprise business and IT activities end-to-end. As with the former framework, this model can be used as a guide for adjusting the enterprise's own process model. Additionally, COBIT 5 provides more robust guidance for management on the inputs and outputs required to develop good practice management standards, whereas COBIT 4.1 only provided inputs and outputs at the highest level. This assists with inter-process integration by providing additional detailed guidance for designing processes that include essential work products. As a result, COBIT 5 can be more exhaustive than its predecessor.

3. Applying a single integrated framework

The number of organisations that use or rely on technology has grown substantially since the release of COBIT 4.1, as has the extent to which technology is used across the enterprise. During this time, many IT-related standards and good practice frameworks have been developed that provide guidance on a range of IT activities. The updated framework aligns with other relevant standards and frameworks at a high level and can therefore be used as an overarching framework for the governance and management of IT across the enterprise. COBIT 5 activities are equivalent to the COBIT 4.1 control practices and the Val IT and Risk IT management practices. These practices have been aligned, integrated and updated into a single model that makes it easier for users to understand and use the material when implementing improvements. Additionally, several new and modified processes have been added, including innovation, organisational change enablement, security services and managing assets, to name a few.

4. Enabling a holistic approach

The new framework emphasises an increased focus on enablers, which help to achieve the objectives of the enterprise. Processes that were explicitly or implicitly included in COBIT 4.1 have been brought to the fore with COBIT 5 and rebranded. A set of seven enablers is designed to support the implementation of a more holistic governance and management system for enterprise IT. These are: [2]

a. Processes
b. Principles, Policies and Frameworks
c. Organisational Structures
d. People, Skills and Competencies
e. Culture, Ethics and Behaviour
f. Services, Infrastructure and Applications
g. Information

5. Separating governance from management

The new framework provides an expanded discussion on governance relating to the board of directors, the needs of stakeholders, and the balance with enterprise direction and objectives. It also draws a key distinction between governance and management of IT, clearly separating the responsibility at the board and executive management levels and describing the different types of organisational structures and activities required at each level.

Other changes

The updated framework also details a more complete RACI (Responsible, Accountable, Consulted and/or Informed) chart to help clarify responsibility, and provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1. This enables better definition of role players' responsibilities or level of involvement when designing and implementing processes.

COBIT 5 discontinues the capability maturity modelling (CMM) approach (as used by COBIT 4.1, Val IT and Risk IT). A new process capability assessment approach, based on ISO/IEC and the COBIT Assessment Programme (a COBIT-based approach that enables the evaluation of selected IT processes and can be used to help determine process capability), has already been established for COBIT 5 as an alternative to the CMM approach. This approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method. COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach will need to realign their previous ratings, adopt the new method and initiate a new set of assessments in order to gain the benefits of the new approach.

Summary

Executives reviewing the governance and management of enterprise IT are advised to review the new COBIT framework and consider its application to their organisations. To request your copy of COBIT 5 or obtain additional information, please visit ISACA's website: http://www.isaca.org/cobit.

Notes

[1] To view the full document or request a copy of this comparison document (Comparing COBIT 4.1 with COBIT 5.0), visit the ISACA website: http://www.isaca.org/cobit/documents/cobit5-compare-with-4.1.ppt.
[2] http://www.isaca.org/about-isaca/press-room/news-releases/2012/pages/isaca-issues-cobit-5-governance-Framework.aspx

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

Contacts

David Brand, Managing Director, Chicago, IL
+1.312.476.6401
david.brand@protiviti.com

Jonathan Wyatt, Managing Director, London, UK
+44.207.0247.522
jonathan.wyatt@protiviti.co.uk

Mark Peters, Director, London, UK
+44.207.389.0413
mark.peters@protiviti.co.uk

2012 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.