Mapping of PMBOK With COBIT 4.0




COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0

IT Governance Institute

The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer

The IT Governance Institute (the "Owner") and the author have designed and created this publication, titled COBIT Mapping: Mapping of PMBOK With COBIT 4.0 (the "Work"), primarily as an educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests, or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, control professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.

Disclosure

2006 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ITGI. Reproduction of selections of this publication for internal and noncommercial or academic use only is permitted and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition, Project Management Institute Inc., 2004. Copyright and all rights reserved. Material from this publication has been reproduced with the permission of PMI.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@itgi.org
Web site: www.itgi.org

ISBN 1-933284-48-X
COBIT Mapping: Mapping of PMBOK With COBIT 4.0
Printed in the United States of America

ACKNOWLEDGEMENTS

From the Publisher

IT Governance Institute wishes to recognise:

The Researcher
Maxwell J. Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia

ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche (retired), USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General's Office, Singapore, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, FHKIoD, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, Trustee
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium, Advisor to the Board

The ITGI Committee
William C. Boni, CISM, Motorola, USA, Chair
Jean-Louis Leignel, MAGE Conseil, France, Vice Chair
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Tony Hayes, FCPA, Queensland Government, Australia
Anil Jogani, CISA, FCA, Tally Solutions Limited, UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Michael Schirmbrand, CISA, CISM, CPA, KPMG LLP, Austria
Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada

Expert Reviewers
Mark Adler, CISA, CISM, CIA, CFSA, CISSP, Allstate Insurance Company, USA
Kelvin J. Arcelay, CISM, CISSP, PMP, Citas Group LLC, USA
Max Blecher, Virtual Alliance, South Africa
Dirk Bruyndonckx, CISA, CISM, KPMG Advisory, Belgium
Peter De Bruyne, CISA, BANKSYS, Belgium
Monique Garsoux, Dexia Bank, Belgium
Jimmy Heschl, CISA, CISM, KPMG, Austria
Linda Kostic, CISA, CPA, E*TRADE Financial, USA
Mario Micaleff, CPAA, FIA, National Australia Bank Group, Australia
Peter Van Mol, CISA, Helios-IT NV, Belgium
Greet Volders, Voquals NV, Belgium

Members of the ISACA Atlanta (Georgia, USA) COBIT Development Group Expert Reviewers
Kelvin Arcelay, CISM, CISSP, PMP, Citas Group LLC, USA
Keith Braddock, Knowledge Institute, USA
Ngy Ea, Citas Group LLC, USA
Reid Eastburn, Eastburn Associates Inc., USA
Kevin Morgan, CISA, CFE, MSIS, Arris Group, USA
Barry Sievers, Citas Group LLC, USA
Donnie Sievers, Citas Group LLC, USA
Phyllis St. John, PMP, Affinia Group Inc., USA

The ITGI Affiliates and Sponsors
ISACA chapters
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance Inc.
Information Security Forum
The Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants
ISACA
Solvay Business School
University of Antwerp Management School
CA
Hewlett-Packard
IBM
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Symantec Corporation
Wolcott Systems Group
World Pass IT Solutions

TABLE OF CONTENTS
1. Purpose of the Document
2. Methodology for the Mapping
3. COBIT Overview
4. PMBOK Overview
5. High-level Mapping
6. Detailed Mapping
7. References

1. PURPOSE OF THE DOCUMENT

In 1996, the Information Systems Audit and Control Foundation (ISACF) created Control Objectives for Information and related Technology (COBIT). The second edition, containing enhancements and additional content, followed in 1998. In 1998, ITGI was founded for the purpose of conducting research into the increasingly important area of IT governance, with a special focus on the COBIT framework, processes, control objectives and maturity models. In time, ISACF and ITGI became one entity, and that organisation issued a third edition of COBIT in 2000, followed by COBIT 4.0 in 2005.

The COBIT framework enables CIOs to help stakeholders better understand IT processes and services and easily integrate different standards. For their part, stakeholders can use COBIT as an instrument to govern the information provided by IT to support business processes.

COBIT does not operate in a vacuum. Today, several other standards and collections of best practices are available that prescribe how to manage specific facets of the IT function within organisations. Guidance has been published by international standards organisations as well as several private or partially private organisations. However, no common framework has been available for comparing these various guidance documents. This publication provides a framework to make those comparisons and, as a result, coherently drive process compliance and improvement. When detailed comparisons can be made, management of the IT function can be enhanced and, consequently, better decisions can be made.

Given the importance of IT within enterprises and the plethora of guidance on its governance, management and control, it is clear that there is a need for a reference that can answer questions such as:
- What should be defined?
- What is an appropriate level of detail?
- What should be measured?
- What should be automated?
- What is good practice?
- Is there a certification available?

Although many of these questions can be addressed using the openly available COBIT guidance, several have remained unresolved, until now. This project addresses the gaps by undertaking to map the most important and commonly used standards[1] and guidance to the COBIT processes and control objectives. The project consists of two components:

1. A high-level overview of a variety of international standards and guidance. COBIT Mapping: Overview of International IT Guidance, 2nd Edition is posted on the ISACA web site at www.isaca.org/downloads.

2. A series of more detailed mapping documents focusing on individual standards or guidance. The following mapping documents are posted for ISACA members at www.isaca.org/downloads:
- COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, 2nd Edition
- COBIT Mapping: Mapping of SEI's CMM for Software With COBIT 4.0

Other planned detailed mappings for ISACA members include:
- COBIT Mapping: Mapping ISO 17799:2005 With COBIT 4.0
- COBIT Mapping: Mapping PRINCE2 With COBIT 4.0
- COBIT Mapping: Mapping ITIL With COBIT 4.0
- COBIT Mapping: Mapping NIST FISMA With COBIT 4.0
- COBIT Mapping: Mapping IT Baseline Protection Manual With COBIT 4.0
- COBIT Mapping: Mapping TOGAF With COBIT 4.0

This publication contains a detailed mapping of A Guide to the Project Management Body of Knowledge (PMBOK Guide) Third Edition (2004) with COBIT 4.0, as well as the classification of the standards discussed in this paper as presented in COBIT Mapping: Overview of International IT Guidance, 2nd Edition.

A brief overview of the standards mapped against each other in this document is as follows:

COBIT
Originally released as an IT process and control framework linking IT to business requirements, COBIT was initially used mainly by the assurance community in conjunction with business and IT process owners. With the addition of management guidelines in 1998, COBIT is now used increasingly as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework. In 2005, ITGI published COBIT 4.0.

[1] The term "standard" is used in this document to encompass guidance publications.

PMBOK Guide
Described as the sum of knowledge within the profession of project management, and published by the Project Management Institute (PMI), it is an American National Standard, ANSI/PMI 99-001-2004. The processes and techniques described in PMBOK are applicable to all projects. However, while they are applicable to projects involving IT, they do not specifically address IT technical, IT management and IT governance issues. PMBOK is aimed at providing a foundational reference for anyone interested in the profession of project management.

This document does not contain all of the details of PMBOK. It was agreed with PMI to include references as they are provided in its publication, but it is recommended that a copy of the original document be obtained from PMI to implement project management in a sound manner. The document is available from the PMI web site, www.pmi.org.

OVERVIEW

COBIT identifies the IT processes that should exist to ensure that IT is aligned with and supports the business in an effective manner. COBIT and its supporting publications identify the control objectives, techniques and practices commonly required for each process. An overview of COBIT is provided in section 3, COBIT Overview.

PMBOK identifies the best practice processes for project management, together with the knowledge and techniques required for those processes to be effective. PMBOK is designed to be applied to any industry, including IT. An overview of PMBOK is provided in section 4, PMBOK Overview.

While the two frameworks are at different levels of focus and detail, they overlap and can be used to support each other, as shown in figure 1.

Figure 1 Overlap of COBIT and PMBOK (COBIT: Controls Required for IT Projects; PMBOK: Project Management Best Practice)

COBIT identifies project management as a process of IT but does not deal with project management in the same detail as PMBOK. Thus, when implementing process improvements using COBIT, IT process owners can make use of PMBOK as a source of best practice. COBIT highlights specific IT practices that should be considered when applying PMBOK to projects involving IT.

The primary purpose of this mapping is to provide guidance to IT process owners by identifying the COBIT processes for which PMBOK provides more detailed guidance and to highlight the areas of PMBOK that should be considered for each process. Therefore, the mapping highlights how the processes in PMBOK can support COBIT. A secondary objective of the mapping is to provide guidance to those using PMBOK as the basis for project management practices as to the areas of COBIT they should be considering when applying the practices to projects involving IT. The mapping also identifies the COBIT control objectives that should be applied during various PMBOK processes.

The methodology of the mapping is provided in section 2, a high-level mapping in section 5 and the detailed mapping in section 6.

2. METHODOLOGY FOR THE MAPPING

The broad approach adopted for the mapping between the two frameworks involved identifying the normative statements in each and mapping those statements to determine areas of alignment and areas in which there were gaps. The normative parts of any standard or framework are those that specify to what best practices should conform. Non-normative parts consist of examples, extended explanations and other matters not dealing directly with the specifications.

COBIT's normative statements are expressed as high-level control objectives within IT process areas. PMBOK's normative statements, outlined in the core of the document, chapters 4 through 12, describe the best practice for managing a project, unless there are reasons otherwise. PMBOK chapters 1 to 3 are of a descriptive nature and set the context for chapters 4 to 12.

The steps taken in the detailed mapping process are specified in figure 2.

Figure 2 Detailed Mapping Process
Step 1: The processes in chapters 4 to 12 of the PMBOK Guide were mapped to one or more COBIT control objectives and documented in the detailed mapping in figure 10. PMBOK's chapters 1 to 3 were also mapped to COBIT when they provided guidance for the implementation of the COBIT processes. They were labelled as informative.
Step 2: COBIT processes in the Acquire and Implement (AI) domain and some aspects of the Deliver and Support (DS) domain represent components of the project life cycle. The control practices in AI2 should be considered when planning projects involving IT. These were identified and mapped as a COBIT-to-PMBOK mapping.
Step 3: A high-level mapping, or summary of the COBIT-to-PMBOK mapping, was prepared and included in section 5, High-level Mapping.

The coverage of the mapped information requirements is noted at four different levels:
E: The requirements stated in PMBOK exceed the requirements of COBIT; therefore, PMBOK should be seen as a primary source for further information and guidance to improve the process or control objective.
C: The requirements of the control objective are covered by the mapped requirements of the guidance in PMBOK.
A: Some aspects of the control objective are addressed by PMBOK, but the requirements of the control objective are not covered completely.
NA: There is no match between the requirements of COBIT and PMBOK.

The following example depicts the process of the detailed mapping. PMBOK requires in chapter 8 that quality management processes include Quality Planning. This involves identifying which quality standards are relevant to the project and determining how to satisfy them. This requirement was mapped to COBIT control objective PO10.10 Project quality plan and classified as C, since the requirements of the control objective are covered by the mapped requirements of the guidance in PMBOK. The requirement was more generally mapped to PO10.12 Project planning of assurance methods, PO8.1 Quality management system, PO8.2 IT standards and quality practices, PO8.4 Customer focus and PO8.5 Continuous improvement. These were classified as A, since some aspects of the control objectives are addressed by PMBOK, but the control objectives' specific IT requirements are not covered completely.

3. COBIT OVERVIEW

DOCUMENT TAXONOMY
COBIT represents a collection of documents that can be classified as generally accepted best practice for IT governance, control and assurance.

ISSUER
The first edition of COBIT was issued by ISACF in 1996. In 1998, the second edition was published with additional control objectives and the Implementation Tool Set. The third edition was issued by ITGI in 2000, and included the management guidelines and several other detailed control objectives. In 2005, ITGI finalised a complete rework of the COBIT content and published the current version, COBIT 4.0.

GOAL OF THE PUBLICATION
The COBIT mission is: "To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals."[2]

BUSINESS DRIVERS FOR IMPLEMENTING THE GUIDANCE, INCLUDING TYPICAL SITUATIONS
COBIT is usually implemented subject to one or more of the following business cases:
- There is a need for IT governance.
- Services delivered by IT are to be aligned with business goals.
- IT processes are to be standardised/automated.
- A framework for overall IT processes is needed.
- IT processes are to be unified.
- A framework is needed for a quality management system for IT.
- A structured IT audit approach is to be defined.
- Mergers and acquisitions are occurring with an IT impact.
- IT cost-control initiatives are desired.
- Part or all of the IT function is to be outsourced.
- Compliance with external requirements (e.g., regulators, organisations or third parties) is of concern.

RELATED RISKS OF NON-COMPLIANCE
Risks of not implementing COBIT include:
- Misaligned IT services, divergence
- Weak support of business goals due to misalignment
- Wasted opportunities due to misalignment
- Persistence of the perception of IT as a black box
- Shortfall between management's measurements and expectations
- Know-how tied to key individuals, not to the organisation
- Excessive IT cost and overhead
- Erroneous investment decisions and projections
- Dissatisfaction of business users with IT services supplied
- Regulatory breaches with potentially significant financial penalties on organisations, restrictions on operating licences, and fiduciary liability on directors and officers if deemed not to have exercised due care and responsibility

[2] IT Governance Institute, COBIT 4.1, USA, 2006 (in development)

TARGET AUDIENCE
All types of organisations, public and private companies, and external assurance and advisory professionals form the relevant target group. Within organisations, three levels are addressed: management, IT users and professionals, and assurance professionals. Primary and secondary audiences are identified in figure 3.

Figure 4 Chart of COBIT Audiences: functions are rated Primary (P) or Secondary (S) according to the pertinence of COBIT to that particular audience. Audiences charted: Chief Executive Officer (CEO), Chief Financial Officer (CFO), Business Executive, Chief Information Officer (CIO), Business Process Owner, Head Operations, Chief Architect, Head Development, Head IT Administration, Project Management Office (PMO), and Compliance, Audit, Risk and Security.

TIMELINESS
The core content of COBIT was updated in November 2005, resulting in COBIT 4.0. The research conducted for the update addressed components of the control objectives and management guidelines. Some specific areas that were addressed:
- COBIT IT governance bottom-up and top-down alignment
- COBIT and other detailed standards: detailed mapping between COBIT and ITIL, CMM, COSO, PMBOK, ISF and ISO 17799 to enable harmonisation with those standards in language, definitions and concepts
- Key goal indicator (KGI) and key performance indicator (KPI) causal relationships analysis: review of the quality of the KGIs/KPIs/critical success factors (CSFs); based on the KPI/KGI causal relationship analysis, splitting CSFs into what you need from others and what you need to do yourself. CSFs were replaced by process inputs (success factors needed from others) and activity goals that the process owner must address.
- Detailed analysis of metrics concepts: detailed development with metrics experts to enhance the metrics concepts, building up a cascade of process-IT-business metrics and defining quality criteria for metrics
- Linking of business goals, IT goals and IT processes: detailed research in eight different industries resulting in a more detailed insight into how COBIT processes support the achievement of specific IT goals and, by extension, business goals
- Review of maturity model contents: ensured consistency and quality of maturity levels amongst and within processes, including better definitions of maturity model attributes

Enhancements to COBIT at the time of this publication include:
- COBIT Quickstart
- COBIT Online
- IT Governance Implementation Guide
- Control practices
- COBIT Foundation Course
- IT Control Objectives for Sarbanes-Oxley
- COBIT Security Baseline
- Aligning COBIT, ITIL and ISO 17799 for Business Benefit
- COBIT Mapping: Overview of International IT Guidance, 2nd Edition
- COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT, 2nd Edition
- COBIT Mapping: Mapping SEI's CMM for Software With COBIT

CERTIFICATION OPPORTUNITIES
The audit guidelines from COBIT 3rd Edition contain information for auditing and self-assessment against the control objectives, but there is no certification for organisations. However, the COBIT framework is used frequently by Certified Public Accountants (CPAs) and Chartered Accountants (CAs) when performing a Statement on Auditing Standards (SAS) No. 70 service organisation review, SysTrust certification or Sarbanes-Oxley compliance. At the time of this writing, the IT Assurance Guide aligned with COBIT 4.0 is in development to update the information for auditing and self-assessment against the control objectives; it will replace the third edition's audit guidelines.

For certification of individuals, the COBIT Foundation Course is offered. Non-COBIT certification is available through ISACA, ITGI's affiliated association, in the form of the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications.

CIRCULATION
COBIT is used worldwide. In addition to the English version, it has been translated into French, German, Hungarian, Italian, Japanese, Korean, Portuguese and Spanish.

COMPLETENESS
COBIT addresses a broad spectrum of duties in IT management. It includes the most significant parts of IT management, including those covered by other standards. Although no technical details have been included, the necessary tasks for complying with the control objectives are self-explanatory. Therefore, it is classified as relatively high level, aiming to be generically complete but not specific.

AVAILABILITY
COBIT is open and readily accessible for complimentary electronic download on the ITGI or ISACA web sites, www.itgi.org or www.isaca.org/cobit. COBIT Online can be purchased at www.isaca.org/cobitonline. COBIT Online allows users to customise a version of COBIT just right for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys and benchmarking. COBIT 3rd Edition's audit guidelines are posted for complimentary download for ISACA members. The print version of COBIT 4.0 can be purchased from the ISACA Bookstore, www.isaca.org/bookstore.

COBIT PROCESSES ADDRESSED
Chart of the COBIT processes addressed by COBIT: Plan and Organise (PO1 to PO10), Acquire and Implement (AI1 to AI7), Deliver and Support (DS1 to DS13) and Monitor and Evaluate (ME1 to ME4). Note: The chart is not a comparison; this is COBIT itself.

INFORMATION CRITERIA ADDRESSED
Information Criteria:
+ Effectiveness
+ Efficiency
+ Confidentiality
+ Integrity
+ Availability
+ Compliance
+ Reliability
Legend: (+) Frequently addressed, (o) Moderately addressed, (-) Not or rarely addressed. Note: The chart is not a comparison; this is COBIT itself.

IT RESOURCES CONCERNED
IT Resources:
+ Applications
+ Information
+ Infrastructure
+ People
Legend: (+) Frequently addressed, (o) Moderately addressed, (-) Not or rarely addressed. Note: The chart is not a comparison; this is COBIT itself.

DESCRIPTION OF THE GUIDANCE AND ITS CONTENT
Enterprise governance (the system by which organisations are governed and controlled) and IT governance (the system by which the organisation's IT is governed and controlled) are, from a COBIT point of view, highly interdependent. Enterprise governance is inadequate without IT governance and vice versa. IT can extend and influence the performance of the organisation, but it has to be subject to adequate governance. On the other hand, business processes require information from the IT processes, and this interrelationship has to be governed as well.

In this subject matter, the plan-do-check-act (PDCA) cycle becomes evident. The concept of the PDCA cycle is usually used in structured problem-solving and continuous improvement processes. The PDCA cycle is also known as the Deming cycle or the Deming wheel of a continuous improvement process. Both the information need (corporate governance) and the information offer (IT governance) have to be planned with measurable and constructive indicators (plan). The information and, possibly, information systems have to be implemented, delivered and used (do). The outcome of the information delivered and used is measured against the indicators defined in the planning phase (check). Deviation is investigated and corrective action is taken (act).

Considering these interdependencies, it is apparent that the IT processes are not an end in themselves; instead, they are a means to an end that is highly integrated with the management of business processes. ITGI has defined IT governance as follows: "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."[3]

COBIT Framework
Organisations must satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management must also optimise the use of available IT resources, including information, applications, infrastructure and people. To discharge these responsibilities and achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide. COBIT defines IT activities in a generic process model within four domains:
- Plan and Organise (PO)
- Acquire and Implement (AI)
- Deliver and Support (DS)
- Monitor and Evaluate (ME)

The framework provides a reference process model and common language to view and manage IT activities. COBIT's good practices represent the consensus of experts. They are focused strongly on control and less on execution. They help optimise IT-enabled investments and provide a measure against which to judge when things do go wrong.

[3] ITGI, Board Briefing on IT Governance, 2nd Edition, 2003, p. 10

3. COBIT OVERVIEW

Control Objectives

COBIT provides a set of 34 high-level control objectives, one for each of the IT processes, grouped into the four domains. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment. Each high-level control objective has a number of detailed control objectives. As a whole, they are the characteristics of a well-managed process. In addition to the detailed control objectives, each COBIT process has generic control requirements that are identified by a process control number (PCn). They should be considered together with the detailed process control objectives to obtain a complete view of control requirements.

Management Guidelines

COBIT 4.0 contains updated management guidelines. A basic need for every enterprise is to understand the status of its own IT systems and decide what level of management and control the enterprise should provide. Obtaining an objective view of an enterprise's own performance level is not easy. What should be measured, and how? Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement. To determine the right level, management should ask itself: How far should we go in controlling IT? Is the cost justified by the benefit?

COBIT deals with these issues by providing:
Maturity models to enable benchmarking and identification of necessary capability improvements
Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles
Activity goals for enabling effective process performance

Maturity Models

Maturity modelling for management and control over IT processes is based on a method of self-evaluation by the organisation.
A maturity model has been defined for each of the 34 COBIT IT processes, providing an incremental measurement scale from 0, non-existent, through 5, optimised. Using the maturity models developed for each IT process, management can identify:
The actual performance of the enterprise (where the enterprise is today)
The current status of the industry (the comparison)
The enterprise's target for improvement (where the enterprise wants to be)

Control Practices

Control practices were developed for COBIT 3rd Edition to expand the capabilities of COBIT by providing the practitioner with an additional level of detail. The COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure. The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks. At the time of this writing, they are in the process of being updated to align with COBIT 4.0 and will be available in the upcoming publication IT Governance Implementation Guide Using COBIT and Val IT™, 2nd Edition.

Audit Guidelines

To achieve the desired goals and objectives, the enterprise must constantly and consistently audit its procedures. The audit guidelines in COBIT 3rd Edition outline and suggest actual assessment activities to be performed, corresponding to each of the 34 high-level IT control objectives, to evaluate control processes, assess compliance and substantiate the risk of control objectives not being met. At the time of this writing, the IT Assurance Guide is in development to update the information for auditing and self-assessment against the control objectives in COBIT 4.0.

COBIT Quickstart

This special version of COBIT is a baseline for use by many small to medium enterprises and other entities where IT is not mission-critical or essential for survival. It can also serve as a starting point for other enterprises in their move toward an appropriate level of control and governance of IT. For purposes of the publication, small to medium enterprises have not been defined according to any financial or staffing measurement. Instead, the strategic nature of IT to the business is evaluated, a self-assessment form has been developed, and exceptions are reviewed. Those enterprises for which the strategic nature of IT is relatively low, that fall within certain ranges on the self-assessment and that do not have any of the exceptions that might indicate a higher level of dependence on IT are considered small to medium enterprises.

This publication was developed in response to comments that COBIT, in its complete form, can be a bit overwhelming. Those who operate with a small IT staff often do not have the resources to implement all of COBIT. This version of COBIT constitutes a subset of the entire COBIT volume. Only the control objectives considered the most critical are included, so that implementation of COBIT's fundamental principles can take place easily, effectively and relatively quickly.

COBIT Online

This online version of COBIT allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys, benchmarking and a discussion facility for sharing experiences and questions.

IT Governance Implementation Guide

The objective of the IT Governance Implementation Guide is to provide readers with a methodology for implementing and improving IT governance, using COBIT.
The guide is focused on a generic methodology for implementing IT governance, covering the following subjects:
Why IT governance is important and why organisations should implement it
The IT governance life cycle
The COBIT framework
How COBIT is linked to IT governance and enables its implementation
The stakeholders who have an interest in IT governance
A road map for implementing IT governance using COBIT

A second edition is in development at the time of this writing.

THE COBIT IT PROCESSES

The processes are grouped into four domains, as indicated in figure 4. Any service delivered by IT and all services provided to the core processes must be integrated into the IT service life cycle, as indicated in figure 4. Plans and organisational structures already developed could be adopted, depending on the significance of each service, rather than developing a new plan for the IT service. Services are subsequently implemented, and all necessary precautions for ongoing service, delivery and monitoring are to be considered. From the IT governance point of view, single services are merely in the background. The focus must be on the PDCA cycle discussed previously for the sum of services delivered by and with IT. The strict top-down approach of COBIT is depicted in figure 5.

Figure 4 COBIT IT Processes Defined Within the Four Domains

Business objectives and governance objectives drive COBIT. Information (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) is delivered by the IT resources (applications, information, infrastructure, people) through the following processes:

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure regulatory compliance.
ME4 Provide IT governance.

Each process is described by using the following information:
High-level control objective
Detailed control objectives
Information criteria affected by the process
IT resources used by the process
IT governance focus areas
Inputs and outputs
Responsible, Accountable, Consulted and Informed (RACI) chart
Goals and metrics, including KPIs and KGIs

Figure 5 Top-down Approach: Domains, then Processes, then Activities/Tasks

INFORMATION CRITERIA

Information delivered to the core business processes has to fulfill certain criteria, which are summarily characterised as follows:

Quality requirements:
Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources

Security requirements:
Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Fiduciary requirements:
Compliance: Deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria, as well as internal policies
Reliability: Relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities

IT RESOURCES

Following the COBIT definition, the resources used by IT are identified as follows:
Applications are automated user systems and manual procedures that process the information.
Information is the data, in all their forms (input, processed and output by the information systems), in whatever form is used by the business.
Infrastructure is the technology and facilities (hardware, operating systems, database management systems, networking, multimedia, etc., and the environment that houses and supports them) that enable the processing of the applications.
People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

COBIT CUBE

The previously mentioned components (IT processes, business requirements of information and resources) are three-dimensional, thus illustrating the IT function. These dimensions, as shown in figure 6, represent the COBIT cube.

Figure 6 COBIT Cube: Business Requirements (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) by IT Processes (Domains, Processes, Activities) by IT Resources (Applications, Information, Infrastructure, People)

IT GOVERNANCE USING COBIT

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives. COBIT supports IT governance by providing a framework to ensure that:
IT is aligned with the business
IT enables the business and maximises benefits
IT resources are used responsibly
IT risks are managed appropriately

Performance measurement is essential for IT governance. It is supported by COBIT and includes setting and monitoring measurable objectives of what IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).

FURTHER REFERENCES

Internet
ISACA www.isaca.org/cobit
ITGI www.itgi.org

4. PMBOK OVERVIEW

The PMBOK Guide is described as the sum of knowledge within the profession of project management. PMBOK is an American National Standard, ANSI/PMI 99-001-2004.

DOCUMENT TAXONOMY

ISSUER
PMBOK Guide, published by PMI, is a basic reference for anyone interested in project management.

GOAL OF THE GUIDANCE
The primary purpose of PMBOK Guide is to identify that subset of the Project Management Body of Knowledge that is generally recognised as good practice. The PMBOK Guide also provides and promotes a common lexicon for discussing, writing and applying project management.

BUSINESS DRIVER FOR IMPLEMENTING THE GUIDANCE
The main business driver for implementing PMBOK in an organisation is the achievement of consistent project success through the implementation of a common framework for all enterprise projects. PMBOK is usually selected as the basis for that framework because it is considered a worldwide standard for project management that identifies the processes required for project management, based on industry best practice.

RELATED RISKS OF NON-COMPLIANCE
Inconsistent or inadequate project management practices will increase the risk of project failure. Symptoms of project failure include:
Different project management approaches within the organisation
Inconsistent reporting within the organisation's reporting structure
Scope creep
Reduced quality of deliverables
Late projects and unachieved milestones
Unexpected issues that impact delivery
Budget overruns
Projects failing to meet objectives

TARGET AUDIENCE
PMBOK is aimed at providing a foundational reference for anyone interested in managing projects, as shown in figure 7.
Figure 7 Chart of PMBOK Audiences

Pertinence of PMBOK to the particular audience: Primary (P), Secondary (S)

Chief Executive Officer (CEO)            S
Chief Financial Officer (CFO)            S
Business Executive                       P
Chief Information Officer (CIO)          P
Business Process Owner                   S
Head Operations                          S
Chief Architect                          S
Head Development                         S
Head IT Administration                   S
Project Management Office (PMO)          P
Compliance, Audit, Risk and Security     S

TIMELINESS
PMBOK has been subject to periodic review and update by PMI since it was initially developed and published in 1983. The current edition is A Guide to the Project Management Body of Knowledge, Third Edition, published in 2004.

CERTIFICATION OPPORTUNITIES
PMI offers the Project Management Professional (PMP) certification program for project managers. This is based on a PMP Examination Specification for the examination, describing the tasks (competencies) that PMPs perform, and the project management knowledge and skill that PMPs use to complete each task. PMI also offers the Certified Associate in Project Management (CAPM) certification, which is designed for project team members and entry-level project managers, as well as qualified undergraduate and graduate students who want a credential to recognise their value to project team performance.

CIRCULATION
PMBOK Guide is used internationally and is available in Arabic, Chinese, English, French, German, Italian, Japanese, Korean, Portuguese, Russian and Spanish.

COMPLETENESS
PMBOK Guide provides more detail about the practices and techniques required to address the requirements of sound project management. It describes aspects of programme and portfolio management but is not a standard for such activities. This is dealt with in a separate document, Organisational Project Management Maturity Model (OPM3).

AVAILABILITY
PMBOK Guide is available for purchase in paperback and on CD-ROM from PMI.

COBIT PROCESSES ADDRESSED
(Figure: grid of the COBIT 4.0 processes, Plan and Organise 1-10, Acquire and Implement 1-7, Deliver and Support 1-13 and Monitor and Evaluate 1-4, highlighting the COBIT processes addressed by PMBOK; the detailed results are given in figure 12.)

INFORMATION CRITERIA ADDRESSED

Information Criteria
+ Effectiveness
+ Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability

(+) Frequently addressed  (o) Moderately addressed  (-) Not or rarely addressed

IT RESOURCES CONCERNED

IT Resources
- Applications
- Information
- Infrastructure
+ People

(+) Frequently addressed  (o) Moderately addressed  (-) Not or rarely addressed

DESCRIPTION OF THE GUIDANCE AND ITS CONTENT

Project Management Framework

Chapters 1 and 2 of PMBOK Guide provide a description of the project management framework and the context in which it operates. This includes:
1. Introduction
1.1 Purpose of the PMBOK Guide
1.2 What Is a Project?
1.3 What Is Project Management?
1.4 The PMBOK Guide Structure
1.5 Areas of Expertise
1.6 Project Management Context
2. Project Lifecycle and Organisation
2.1 The Project Lifecycle
2.2 Project Stakeholders
2.3 Organisational Influences

The Standard for Project Management

Chapter 3 of the guide identifies the project management processes, segmented into five process groups with 44 processes. The high-level process group interactions are illustrated in figure 8. The five process groups are:
1. Initiating process group: Defines and authorises the project or a project phase
2. Planning process group: Defines and refines objectives, and plans the courses of action required to attain the objectives and scope that the project was undertaken to address
3. Executing process group: Integrates people and other resources to carry out the project management plan for the project
4. Controlling process group: Regularly measures and monitors progress to identify variances from the project management plan so that corrective action can be taken when necessary to meet project objectives
5. Closing process group: Formalises acceptance of the product, service or result and brings the project or project phase to an orderly end

Figure 8 High-level Summary of Process Groups Interactions

Inputs to the project:
Enterprise Environmental Factors: organisation's culture; project management information system; human resource pool
Organisational Process Assets: policies, procedures, standards, guidelines; defined processes; historical information; lessons learned
Project Initiator or Sponsor: statement of work; contract

Initiating Process Group produces: Project Charter; Preliminary Project Scope Statement
Planning Process Group produces: Project Management Plan
Executing Process Group produces: Deliverables; Requested Changes; Implemented Change Requests; Implemented Corrective Actions; Implemented Preventive Actions; Implemented Defect Repair; Work Performance Information
Monitoring and Controlling Process Group produces: Approved Change Requests; Rejected Change Requests; Approved Corrective Actions; Approved Preventive Actions; Approved Defect Repair; Project Management Plan (updates); Project Scope Statement (updates); Recommended Corrective Actions; Recommended Preventive Actions; Performance Reports; Recommended Defect Repair; Forecasts; Validated Defect Repair; Approved Deliverables; Organizational process assets (updates)
Closing Process Group produces: Administrative Closure Procedure; Contract Closure Procedure
Customer receives: Final product, service, result

Source: Project Management Institute Inc., A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition, 2004. All rights reserved.

The Project Management Knowledge Areas

Nine knowledge areas and 44 processes that represent best practice in project management are identified in chapters 4 through 12 of the PMBOK Guide, as shown in figure 9. Each process is further described in terms of its inputs, outputs, and tools and techniques.

Figure 9 Overview of Project Management Knowledge Areas and Project Management Processes

PROJECT MANAGEMENT

4. Project Integration Management
4.1 Develop Project Charter
4.2 Develop Preliminary Project Scope Statement
4.3 Develop Project Management Plan
4.4 Direct and Manage Project Execution
4.5 Monitor and Control Project Work
4.6 Integrated Change Control
4.7 Close Project

5. Project Scope Management
5.1 Scope Planning
5.2 Scope Definition
5.3 Create WBS
5.4 Scope Verification
5.5 Scope Control

6. Project Time Management
6.1 Activity Definition
6.2 Activity Sequencing
6.3 Activity Resource Estimating
6.4 Activity Duration Estimating
6.5 Schedule Development
6.6 Schedule Control

7. Project Cost Management
7.1 Cost Estimating
7.2 Cost Budgeting
7.3 Cost Control

8. Project Quality Management
8.1 Quality Planning
8.2 Perform Quality Assurance
8.3 Perform Quality Control

9. Project Human Resource Management
9.1 Human Resource Planning
9.2 Acquire Project Team
9.3 Develop Project Team
9.4 Manage Project Team

10. Project Communications Management
10.1 Communications Planning
10.2 Information Distribution
10.3 Performance Reporting
10.4 Manage Stakeholders

11. Project Risk Management
11.1 Risk Management Planning
11.2 Risk Identification
11.3 Qualitative Risk Analysis
11.4 Quantitative Risk Analysis
11.5 Risk Response Planning
11.6 Risk Monitoring and Control

12. Project Procurement Resource Management
12.1 Plan Purchases and Acquisitions
12.2 Plan Contracting
12.3 Request Seller Responses
12.4 Select Sellers
12.5 Contract Administration
12.6 Contract Closure

Source: PMI, A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition, 2004. All rights reserved.

The knowledge areas as presented in chapters 4 to 12 of PMBOK are:

4. Project Integration Management
The processes and activities that integrate the various elements of project management, which are identified, defined, combined, unified and co-ordinated within the project management process groups. It consists of:
4.1 Develop Project Charter
4.2 Develop Preliminary Project Scope Statement
4.3 Develop Project Management Plan
4.4 Direct and Manage Project Execution
4.5 Monitor and Control Project Work
4.6 Integrated Change Control
4.7 Close Project

5. Project Scope Management
The processes involved in ascertaining that the project includes all the work required, and only the work required, to complete the project successfully. It consists of:
5.1 Scope Planning
5.2 Scope Definition
5.3 Create WBS
5.4 Scope Verification
5.5 Scope Control

6. Project Time Management
The processes concerning the timely completion of the project. It consists of:
6.1 Activity Definition
6.2 Activity Sequencing
6.3 Activity Resource Estimating
6.4 Activity Duration Estimating
6.5 Schedule Development
6.6 Schedule Control

7. Project Cost Management
The processes involved in planning, estimating, budgeting and controlling costs so that the project is completed within the approved budget. It consists of:
7.1 Cost Estimating
7.2 Cost Budgeting
7.3 Cost Control

8. Project Quality Management
The processes involved in assuring that the project will satisfy the needs for which it was undertaken. It consists of:
8.1 Quality Planning
8.2 Perform Quality Assurance
8.3 Perform Quality Control

9. Project Human Resource Management
The processes that organise and manage the project team. It consists of:
9.1 Human Resource Planning
9.2 Acquire Project Team
9.3 Develop Project Team
9.4 Manage Project Team

10. Project Communications Management
The processes concerning the timely and appropriate generation, collection, dissemination, storage and ultimate disposition of project information. It consists of:
10.1 Communications Planning
10.2 Information Distribution
10.3 Performance Reporting
10.4 Manage Stakeholders

11. Project Risk Management
The processes concerned with conducting risk management on a project. It consists of:
11.1 Risk Management Planning
11.2 Risk Identification
11.3 Qualitative Risk Analysis
11.4 Quantitative Risk Analysis
11.5 Risk Response Planning
11.6 Risk Monitoring and Control

12. Project Procurement Resource Management
The processes that purchase or acquire products, services or results, as well as contract management processes. It consists of:
12.1 Plan Purchases and Acquisitions
12.2 Plan Contracting
12.3 Request Seller Responses
12.4 Select Sellers
12.5 Contract Administration
12.6 Contract Closure

The relationships amongst the project management processes and knowledge areas as described in PMBOK Guide are shown in figure 10.

Figure 10 Mapping of the Project Management Processes to the Process Groups and Knowledge Areas
(Each process is listed with its PMBOK Guide chapter 3 section number, followed by its knowledge area process number in parentheses.)

Project integration management
Initiating: Develop Project Charter 3.2.1.1 (4.1); Develop Preliminary Project Scope Statement 3.2.1.2 (4.2)
Planning: Develop Project Management Plan 3.2.2.1 (4.3)
Executing: Direct and Manage Project Execution 3.2.3.1 (4.4)
Monitoring and Controlling: Monitor and Control Project Work 3.2.4.1 (4.5); Integrated Change Control 3.2.4.2 (4.6)
Closing: Close Project 3.2.5.1 (4.7)

Project scope management
Planning: Scope Planning 3.2.2.2 (5.1); Scope Definition 3.2.2.3 (5.2); Create WBS 3.2.2.4 (5.3)
Monitoring and Controlling: Scope Verification 3.2.4.3 (5.4); Scope Control 3.2.4.4 (5.5)

Project time management
Planning: Activity Definition 3.2.2.5 (6.1); Activity Sequencing 3.2.2.6 (6.2); Activity Resource Estimating 3.2.2.7 (6.3); Activity Duration Estimating 3.2.2.8 (6.4); Schedule Development 3.2.2.9 (6.5)
Monitoring and Controlling: Schedule Control 3.2.4.5 (6.6)

Project cost management
Planning: Cost Estimating 3.2.2.10 (7.1); Cost Budgeting 3.2.2.11 (7.2)
Monitoring and Controlling: Cost Control 3.2.4.6 (7.3)

Project quality management
Planning: Quality Planning 3.2.2.12 (8.1)
Executing: Perform Quality Assurance 3.2.3.2 (8.2)
Monitoring and Controlling: Perform Quality Control 3.2.4.7 (8.3)

Project human resource management
Planning: Human Resource Planning 3.2.2.13 (9.1)
Executing: Acquire Project Team 3.2.3.3 (9.2); Develop Project Team 3.2.3.4 (9.3)
Monitoring and Controlling: Manage Project Team 3.2.4.8 (9.4)

Project communications management
Planning: Communications Planning 3.2.2.14 (10.1)
Executing: Information Distribution 3.2.3.5 (10.2)
Monitoring and Controlling: Performance Reporting 3.2.4.9 (10.3); Manage Stakeholders 3.2.4.10 (10.4)

Project risk management
Planning: Risk Management Planning 3.2.2.15 (11.1); Risk Identification 3.2.2.16 (11.2); Qualitative Risk Analysis 3.2.2.17 (11.3); Quantitative Risk Analysis 3.2.2.18 (11.4); Risk Response Planning 3.2.2.19 (11.5)
Monitoring and Controlling: Risk Monitoring and Control 3.2.4.11 (11.6)

Project procurement resource management
Planning: Plan Purchases and Acquisitions 3.2.2.20 (12.1); Plan Contracting 3.2.2.21 (12.2)
Executing: Request Seller Responses 3.2.3.6 (12.3); Select Sellers 3.2.3.7 (12.4)
Monitoring and Controlling: Contract Administration 3.2.4.12 (12.5)
Closing: Contract Closure 3.2.5.2 (12.6)

Source: PMI, A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition, 2004, table 3-45. All rights reserved.

FURTHER REFERENCES

Internet
PMI www.pmi.org

5. HIGH-LEVEL MAPPING

This section holds a summary of the objectives found in PMBOK that were mapped to the high-level control objectives/processes of COBIT; an overview of the results is in figure 12. The objectives and the following explanatory information are taken from the original standard and are copyright-protected by PMI and reprinted here with its permission. A copy of the standard can be obtained from PMI at www.pmi.org.

(+) Significant match (more than one process was fully mapped to a COBIT process)
(o) Minor match (more than five processes were partially mapped to a COBIT process)
(-) Unrelated focus (less than five processes were partially mapped to a COBIT process)
(\) COBIT control process does not exist

Figure 12 PMBOK Processes Mapped to High-level COBIT Processes

COBIT 4.0 Processes and Domains   1  2  3  4  5  6  7  8  9  10 11 12 13
Plan and Organise                 -  -  -  -  -  -  -  -  o  +
Acquire and Implement             -  o  -  -  o  -  o
Deliver and Support               -  -  -  -  -  -  -  -  -  -  -  -  -
Monitor and Evaluate              o  -  -  -

PLAN AND ORGANISE

PO1 Define a Strategic IT Plan
One section of PMBOK guidance is mapped to PO1 as an informative mapping. While PMBOK does not specifically address the processes for portfolio management, it provides some limited guidance on portfolio management practices and identifies the need for a project charter, which is developed externally to the projects as part of programme or portfolio management. Programme and portfolio management practices are addressed in more detail in a separate publication, the Organisational Project Management Maturity Model (OPM3).

PO2 Define the Information Architecture
No PO2 control objectives are covered by PMBOK. Whilst the availability of an information architecture as a basis for system development can be critical to ensuring that developed or acquired IT systems or services integrate with other systems or business processes, there is no direct mapping between PMBOK and COBIT.
PO3 Determine Technological Direction
No PO3 control objectives are covered by PMBOK. Whilst the existence of a technology plan can be critical to ensuring that the organisation obtains the most cost-effective, long-term solution to its needs, there is no direct mapping between PMBOK and COBIT.

PO4 Define the IT Processes, Organisation and Relationships
Three PMBOK processes are partially mapped to PO4, including one partial mapping and two informative mappings. The PMBOK process Human Resource Planning provides guidance and tools for specifying project structures and responsibilities, including project management offices. In addition, PMBOK guidance areas (chapters 1 and 2) were mapped to PO4.1 IT process framework and PO4.5 IT organisational structure, as informative mappings, since PMBOK as a whole enunciates the requirements of a project management framework and the structures required.

PO5 Manage the IT Investment
Four PMBOK processes are partially mapped to PO5, including one informative mapping. PMBOK's Project Cost Management process provides guidance and tools for establishing a financial management framework for project management. These tools and guidance can be considered when establishing the financial management framework, the IT budgeting processes and cost management. PMBOK chapter 1 also provides some discussion on the prioritisation of IT projects as part of the context for project management.

PO6 Communicate Management Aims and Direction
Two PMBOK processes are partially mapped to PO6, including one informative mapping. PMBOK's Project Communications Management process provides guidance on the establishment of the performance reporting information that should feed into an IT risk and internal control framework. Overall, PMBOK also provides a framework for project management that can be used in the development of policies for IT management.

PO7 Manage IT Human Resources
Five PMBOK processes are partially mapped to PO7, including one informative mapping. PMBOK's Project Resource Management process provides guidance and tools for establishing roles and teams for projects. Whilst it does not address the IT-specific knowledge requirements appropriate for managing IT-related projects, the identified practices are applicable to IT-related projects and can be used when considering personal competencies, staffing of roles, training and job performance evaluation processes. In addition, PMBOK chapter 1 (section 1.5) outlines the project-specific knowledge and competencies required for project management and is mapped to PO7 as an informative mapping.

PO8 Manage Quality
Three PMBOK processes are partially mapped to PO8, in that PMBOK's Project Quality Management process provides guidance on tools and techniques for quality management and assurance in a project environment. Whilst they are not IT-specific, the requirements should be considered when establishing an organisational quality assurance system and practices.

PO9 Assess and Manage IT Risk
Seven PMBOK processes are partially mapped to PO9. PMBOK's Project Risk Management process provides guidance on tools and techniques for risk assessment, management and assurance. Whilst generic for projects, such practices are applicable to IT-related risk management.
In addition, risk identified in the PMBOK risk management group should be reported as part of project communications if they have an impact on the organisation, and should be assessed as part of the IT risk assessment. PO10 Manage Projects Thirty-one PMBOK processes are fully mapped and six are partially mapped to PO10. PMBOK provides a model for project management that, whilst not IT-specific, addresses the requirements of PO10. COBIT complements PMBOK by providing IT-specific control requirements that address PMBOK process requirements at a more detailed level. In addition, seven sections of PMBOK s guidance area were mapped to PO10 as informative mappings. ACQUIRE AND IMPLEMENT AI1 Identify Automated Solutions Four PMBOK processes are partially mapped to AI1. AI1 to AI7 may represent components of the project life cycle, and the control practices in AI1 should be considered when planning projects involving IT. The requirement for AI1 processes and control objectives should be considered during the Develop Project Management Plan processes of PMBOK. In addition, relevant COBIT processes should be considered during scope and quality planning. AI2 Acquire and Maintain Application Software Eight PMBOK processes are partially mapped to AI2. AI1 to AI7 may represent components of the project life cycle, and the control practices in AI2 should be considered when planning projects involving IT. COBIT also provides specific guidance on the requirement for software quality assurance and application requirements management that are IT-specific requirements of PMBOK s quality and scope management processes. AI3 Acquire and Maintain Technology Infrastructure One PMBOK process is partially mapped to AI3. The control practices in AI3 should be considered when planning projects involving IT. AI4 Enable Operation and Use One PMBOK process is partially mapped to AI4. The AI4 control objectives represent deliverables that should be considered during PMBOK planning processes. 26

5. HIGH-LEVEL MAPPING

AI5 Procure IT Resources

All AI5 control objectives are mapped to PMBOK. Six PMBOK processes are partially mapped to AI5. PMBOK provides guidance on tools and techniques for procurement. Whilst these do not address any specific requirements for the acquisition of software, development resources and infrastructure, the practices are generally applicable.

AI6 Manage Changes

One PMBOK process is partially mapped to AI6. The requirement to set up formal change management procedures to manage changes should be considered during the Develop Project Management Plan process of PMBOK.

AI7 Install and Accredit Solutions and Changes

Seven PMBOK processes are partially mapped to AI7. PMBOK requires quality assurance and acceptance of all products. COBIT's AI7.7 Final acceptance test for IT products is one element of that process. A number of the AI7 control objectives represent deliverables that should be considered during PMBOK planning processes.

DELIVER AND SUPPORT

DS1 Define and Manage Service Levels

One PMBOK process is partially mapped to DS1. The requirements for service and operational agreements should be recognised and planned for during PMBOK planning processes.

DS2 Manage Third-party Services

Four PMBOK processes are partially mapped to DS2. PMBOK's procurement processes provide generic guidance on how to establish and manage procurement in a project environment.

DS3 Manage Performance and Capacity

Whilst performance and capacity planning will be initiated by the development of service level agreements prepared as a planned part of a project (DS1), DS3 relates to ongoing operations, and there is no direct mapping between PMBOK and COBIT.

DS4 Ensure Continuous Service

One PMBOK process is partially mapped to DS4. The requirement for a new or revised IT continuity plan should be recognised and planned for during PMBOK planning processes.

DS5 Ensure Systems Security

One PMBOK process is partially mapped to DS5. The requirement for a new or revised IT security plan should be recognised and planned for during PMBOK planning processes.

DS6 Identify and Allocate Costs

One PMBOK process is partially mapped to DS5. The need to identify the costs associated with the ongoing operation of a new or changed system should be recognised, and the development of a new cost model should be planned for during PMBOK planning processes.

DS7 Educate and Train Users

One PMBOK process is partially mapped to DS7. The requirement for a new or revised training strategy or plan should be recognised and planned for during the PMBOK planning processes.

DS8 Manage Service Desk and Incidents

Whilst the knowledge required to provide service desk help and incident handling for any new IT will have to be transferred to the service desk as a planned part of a project (AI4.4), DS8 relates to ongoing operations and there is no direct mapping between PMBOK and COBIT.

DS9 Manage the Configuration

Two PMBOK processes are partially mapped to DS9. The requirement to establish or update a configuration repository should be recognised and planned for during PMBOK planning and scope control processes.

DS10 Manage Problems

One PMBOK process is partially mapped to DS10. The requirement for identification of problems consistent with existing organisation policies, during the project and after implementation, should be recognised and planned for as part of the PMBOK planning processes.

DS11 Manage Data

One PMBOK process is partially mapped to DS11. The requirement for data management consistent with business requirements and organisation policies should be recognised and planned for as part of the PMBOK planning processes.

DS12 Manage the Physical Environment

One PMBOK process is partially mapped to DS12. The requirement for new sites or changes to sites should be recognised and planned for as part of the PMBOK planning processes.

DS13 Manage Operations

Whilst the knowledge required to provide ongoing operations has to be transferred (AI4.4), this process relates to ongoing operations and there is no direct mapping between PMBOK and COBIT.

MONITOR AND EVALUATE

ME1 Monitor and Evaluate IT Performance

Eight PMBOK processes are partially mapped to ME1. PMBOK processes require the establishment of clear processes for monitoring and evaluating individual performance. These include planning communications requirements as part of project planning, the collection of information through project control processes, and the assessment and reporting of project performance together with remedial actions.

ME2 Monitor and Evaluate Internal Control

There is no mapping between PMBOK and COBIT.

ME3 Ensure Regulatory Compliance

There is no mapping between PMBOK and COBIT.

ME4 Provide IT Governance

There is no mapping between PMBOK and COBIT.

6. DETAILED MAPPING 6. DETAILED MAPPING As stated previously, the detailed mapping consists of the processes in PMBOK that were mapped to each COBIT control objective. The structure follows the domains, processes and control objectives of COBIT. The title of the COBIT control objective is provided to give an overview of the aim of the specific part of COBIT. An abstract of the information requirement mapped to the control objective is provided in the section PMBOK Requirements/References. The abstract is focused on the requirement of the specific COBIT control objective and does not contain all requirements of the clause referenced. There is also a reference to the PMBOK clause provided in brackets. Note that mapping cannot always be one on one because in some aspects COBIT control objectives operate at a higher level than PMBOK, addressing in one objective more issues than PMBOK. In other areas COBIT operates at a lower level than PMBOK, addressing the application of PMBOK process requirements to IT. Due to copyright and usability restriction, it is not possible to reproduce the whole original text of the mapped section of PMBOK, so the relevant requirement of the standard is mentioned in the explanation of the mapping result. If there were two independent matches in the same section, they are provided separately. Figure 13 contains the detailed mapping of PMBOK to COBIT. The coverage legend is: E Exceeded C Complete coverage A Some aspects addressed NA Not addressed Figure 13 Detailed Mapping of PMBOK With COBIT COBIT Control Objective Coverage PMBOK Requirements/References Plan and Organise PO1 Define a strategic plan. 
1.1 IT value management NA 1.2 Business-IT alignment NA 1.3 Assessment of current performance NA 1.4 IT strategic plan NA 1.5 IT tactical plans NA 1.6 IT portfolio management A Informative PMBOK has a limited discussion of the relationship of project management to the broader context that includes program management, portfolio management and project management office. Frequently, there is a hierarchy of strategic plan, portfolio, program, project and subproject, in which a program consisting of several associated projects will contribute to the achievement of a strategic plan. (1.6) PO2 Define the information architecture. 2.1 Enterprise information architecture model NA 2.2 Enterprise data dictionary and data syntax rules NA 2.3 Data classification scheme NA 2.4 Integrity management NA PO3 Determine technological directions. 3.1 Technological direction planning NA 3.2 Technological infrastructure plan NA 3.3 Monitoring of future trends and regulations NA 3.4 Technology standards NA 3.5 IT architecture board NA 29

COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 Figure 13 Detailed Mapping of PMBOK With COBIT cont. COBIT Control Objective Coverage PMBOK Requirements/References PO4 Define the IT processes, organisation and relationships. 4.1 IT process framework A Informative PMBOK enunciates the requirements of a project management framework, which should be implemented as part of the IT process framework. This includes 44 project management processes and nine knowledge areas. (1.3) 4.2 IT strategy committee NA 4.3 IT steering committee NA 4.4 Organisational placement of the IT function NA 4.5 IT organisational structure A Informative The role and functions of a PMO are identified as part of the project management context. (1.6) The relationship of project management with organisational structures, including project-based organisations, is also identified. (2.3) 4.6 Roles and responsibilities A Tools for human resource planning for projects are identified. These include organisation charts and matrix-based charts. (9.1) 4.7 Responsibility for IT quality assurance NA 4.8 Responsibility for risk, security and compliance NA 4.9 Data and system ownership NA 4.10 Supervision NA 4.11 Segregation of duties NA 4.12 IT staffing NA 4.13 Key IT personnel NA 4.14 Contracts staff policies and procedures NA 4.15 Relationship NA PO5 Manage the IT investment. 5.1 Financial management framework A Tools and techniques that can be used for cost estimation, cost budgeting and cost control in a project environment are identified. (7.1, 7.2, 7.3) 5.2 Prioritisation within IT budget A Informative The role of the project management project prioritisation is mentioned as part of the project management context. (1.6) 5.3 IT budgeting process A Tools and techniques that can be used for cost estimation, cost budgeting and cost control in a project environment are identified. (7.2) 5.4 Cost management A Tools and techniques that can be used for cost control in a project environment are identified. 
(7.3) 5.5 Benefit management A While PMBOK does not specifically address benefits management, the project charter and scope statements are recognised as key controlling documents. (4.1) PO6 Communicate management aims and direction. 6.1 IT policy and control environment NA 6.2 Enterprise IT risk and internal A The requirements for information to flow from the performance reports as control framework required in PMBOK performance reporting processes should be considered in the development of the enterprise IT risk and internal control framework. (10.3) 6.3 IT policies management A Informative PMBOK describes a framework for project management that can be used in the development of policies for IT management. (1.3) 6.4 Policy rollout NA 6.5 Communication of IT objectives and direction NA PO7 Manage IT human resources. 7.1 Personnel recruitment and retention NA 7.2 Personnel competencies A Informative PMBOK provides details of the project-specific knowledge required for project management. This includes the project management body of knowledge, application area knowledge, standards and regulations, understanding of the project environment, general management knowledge and skills, and interpersonal skills. (1.5) 7.3 Staffing of roles A The processes, tools and techniques for planning human resource requirements in a project environment are identified. (9.1) The processes, tools and techniques for acquiring project teams are addressed. (9.2) 7.4 Personnel training A The processes, tools and techniques for developing project teams are addressed. This includes training, team building, and recognition and awards. (9.3) 30

6. DETAILED MAPPING Figure 13 Detailed Mapping of PMBOK With COBIT cont. COBIT Control Objective Coverage PMBOK Requirements/References PO7 Manage IT human resources. (cont.) 7.5 Dependence upon individuals A The processes, tools and techniques for managing project teams are addressed. This includes awards, assignments and staff management plans. (9.4) 7.6 Personnel clearance procedures NA 7.7 Employee job performance evaluation A The processes, tools and techniques for managing project teams are addressed. This includes performance assessment and reporting. (9.4) 7.8 Job change and termination NA PO8 Manage quality. 8.1 Quality management system A Processes, tools and techniques that can be used for quality planning, assurance and quality control in a project environment are identified. (8.1, 8.2, 8.3) 8.2 IT standards and quality practices A Tools and techniques that can be used for quality management in a project environment are identified. They are not IT specific. (8.1, 8.2, 8.3) 8.3 Development and acquisition standards NA 8.4 Customer focus A Tools and techniques that can be used for quality planning in a project environment are identified. They are not IT specific but include mechanisms such as scope statement, project plan and quality management planning for determining customers requirements and aligning them to the IT standards and practices. (8.1) 8.5 Continuous improvement A Tools and techniques for quality planning in a project environment are addressed. They are not IT specific but include a PDCA approach that is the basis for continuous improvement. (8.1, 8.2, 8.3) 8.6 Quality measurement, monitoring and review A The tools and techniques for measuring quality as well as the requirements for quality control measurement in a project environment are identified. (8.3) PO9 Assess and manage IT risks. 
9.1 IT and business risk management alignment A If the risk identified in the PMBOK risk management group has an impact on the organisation and assessment as part of the IT risks, it should be reported as part of the project communications. This requires that the planning of project reporting should consider the approach to risk reporting. (10.1) PMBOK provides guidance on tools and techniques for risk assessment, management and assurance that are applicable when establishing IT-related risk management. Risk management planning involves consideration of an enterprise s environmental factors as well as its approach to risk management. (11.1) 9.2 Establishment of risk context A Tools and techniques for risk management planning in projects are addressed including such things as definitions of probability and impact to be used in project risk management. (11.1) 9.3 Event identification A Tools and techniques for risk identification in projects are addressed, including such things as information gathering techniques, checklists, assumption analysis and risk registers. (11.2) 9.4 Risk assessment A Tools and techniques for both qualitative and quantitative risk analysis in projects are addressed. (11.3, 11.4) 9.5 Risk response A Tools and techniques for risk response planning in projects are addressed. This includes such things as risk management plan and risk response planning. (11.5) 9.6 Maintenance and monitoring of a risk A Tools and techniques for risk monitoring and control in projects are addressed. action plan This includes such things as risk reassessments, risk audits and status meetings. (11.6) PO10 Manage projects. 10.1 Programme management framework A Informative Portfolio and programme management are identified in PMBOK as part of the context for project management. 
(1.6) 10.2 Project management framework A Informative PMBOK provides a framework for project management, describing relevant groups of processes together with the activities within those process groups and deliverables. (3.2, 3.3, 3.4) 10.3 Project management approach A While PMBOK does not provide guidance on governance structures, including steering committees, the role of project sponsors is defined within PMBOK with emphasis on their role in issuing charters, providing statements of work, defining key events as part of schedule development, accepting changes as part of Integrated Change Control through involvement in a change control board, accepting deliverables as part of Scope Verification, and project closure. (2.2, 4.1, 4.6, 4.7, 5.4) 31

COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 Figure 13 Detailed Mapping of PMBOK With COBIT cont. COBIT Control Objective Coverage PMBOK Requirements/References 10.3 Project management approach A Informative PMBOK defines the role of a project manager as the person cont. responsible for accomplishing the project objectives. The assigned project manager and authority level are documented in the project charter. (1.3, 4.1) Informative Phases are a key element within PMBOK. Project managers can divide projects into phases to provide better management control Collectively, these phases are known as the project life cycle; completion and approval of one or more deliverables characterises a project phase. (2.1) Informative Phases also provide project control, with authorisation required to close a phase and initiate the subsequent one. Phase-end reviews are also called phase exits, phase gates or kill points. (2.2) 10.4 Stakeholder commitment C The PMBOK initiating process group identifies the processes that facilitate the formal authorisation to start a new project or project phase. This includes the Develop Project Charter process, which outlines the mechanisms concerned with authorising the project or, in a multiphase project, a project phase. A business case is an input into this process. (4.1, 4.2) Project Communications Management involves communications planning and information distribution to appropriate stakeholders as well as managing stakeholders expectations and addressing any issues raised. (10.1, 10.4) 10.5 Project scope statement C The processes involved in determining the scope of the project are addressed in Project Scope Management. It includes Scope Planning, Scope Definition, and Creation of Work Breakdown Structures, Scope Verification, and Scope Control processes. (5.1, 5.2, 5.3, 5.4, 5.5) 10.6 Project phase initiation C PMBOK advocates the use of phases as key approval points. 
There is also a formal process for review and acceptance of deliverables as part of Scope Verification. (5.4) PMBOK has clearly defined initiation processes with the development of a project charter as a basis for authorisation and the development of a preliminary project scope statement as a basis for more detailed planning. The charter should link to the programme or portfolio management.(4.1, 4.2) 10.7 Integrated project plan C A project management plan is developed to state how work will be performed. (4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7 ) Project Integration Management has, as inputs, information derived in other processes such as: Work breakdown structures and scope baselines out of Scope Control Project schedules from Schedule Control (6.6) Cost estimates and forecast completions from Cost Control (5.5, 6.6, 7.3) 10.8. Project resources C Project Human Resource Management includes the processes required to organise and manage a project team. (9.1, 9.2, 9.3, 9.4) Project Procurement Management includes the processes required to purchase or acquire the products, services or results needed from outside the project team. (12.1, 12.2, 12.3, 12.4, 12.5, 12.6) 10.9 Project risk management C Project Risk Management includes the processes concerned with conducting risk management. A risk register is a component of the project plan to document identified risks and identify risk management action. (11.1, 11.2, 11.3, 11.4, 11.5, 11.6) 10.10 Project quality plan C Project Quality Management includes the activities required to determine quality policies, objectives and responsibilities, so that the project satisfies the needs for which it is undertaken. An output from Quality Planning is a quality management plan. (8.1, 8.2, 8.3) 32

6. DETAILED MAPPING Figure 13 Detailed Mapping of PMBOK With COBIT cont. COBIT Control Objective Coverage PMBOK Requirements/References 10.11 Project change control C Change management is an integral part of PMBOK processes. Integrated Change Control processes are to be performed from project inception through completion. (4.6) A configuration management system is a subsystem of the overall project management system and includes the process for submitting proposed changes, tracking systems for reviewing and approving proposed changes, defining approval levels for authorising changes, and providing a method to validate changes. It is noted that in most application areas change control is part of configuration management. (4.3, 5.4, 5.5) 10.12 Project planning of assurance methods A Enterprise environment factors, such as regulations, rules, standards and guidelines specific to the application areas, should be an input to the Quality Planning process. (8.1) PMBOK is not IT specific and does not specifically mention the accreditation of new systems. However, the requirement for the accreditation of new systems would be identified either as part of Project Risk Management processes or during Quality Planning (8.1) 10.13 Project performance measurement, reporting C Monitoring is an aspect of Project Integration Management performed and monitoring throughout the project. Monitoring includes collecting, measuring and disseminating performance information, and assessing measurements and trends to effect process improvement. Control aspects are addressed in most processes: Scope Control as an element of Project Scope Management (5.5) Schedule Control as an element of Project Time Management (6.6) Cost Control as an element of Project Cost Management (7.3) Perform Quality Control as an element of Project Quality Management (8.3) Project Communications Management involves communications planning and information distribution. 
(10.1, 10.2, 10.3, 10.4) 10.14 Project closure C The Close Project process is part of Project Integration Management. It involves the procedures to verify, document and accept the project s deliverables both for phases in a multiphase project and a project as a whole. This includes administrative closure and contract closure procedures. (4.7) Acquire and Implement AI1 Identify automated solutions. 1.1 Definition and maintenance of business A COBIT to PMBOK mapping AI1 to AI7 processes may represent components functional and technical requirements of the project life cycle for IT projects, and the control practices in AI1 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) The methods for requirement management should be defined as part of Scope Planning and how formal verification and acceptance will be obtained should be included in a project scope management plan as part of Scope Planning. (5.1) 1.2 Risk analysis report A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI1 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) 1.3 Feasibility study and formulation of alternative A COBIT to PMBOK mapping AI1 to AI7 processes may represent components courses of action of the project life cycle for IT projects, and the control practices in AI1 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) A feasibility study may be undertaken as part of the process of developing a project charter. 
(4.1) 1.4 Requirements and feasibility decision A COBIT to PMBOK mapping AI1 to AI7 processes may represent components and approval of the project life cycle for IT projects, and the control practices in AI1 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The requirement for approval for key products should be part of the project plan. (4.3) 33

COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 34 Figure 13 Detailed Mapping of PMBOK With COBIT cont. COBIT Control Objective Coverage PMBOK Requirements/References AI2 Acquire and maintain application software. 2.1 High-level design A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) 2.2 Detailed design A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) 2.3 Application control and auditability A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) 2.4 Application security and availability A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. 
(8.1) 2.5 Configuration and implementation of acquired A COBIT to PMBOK mapping AI1 to AI7 processes may represent components application software of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) 2.6 Major upgrades to existing systems A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) 2.7 Development of application software A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) 2.8 Software quality assurance A COBIT to PMBOK mapping Project quality management requires a planned, systematic approach to quality assurance as well as the monitoring of specific results as part of project control. Whilst not addressed specifically in PMBOK, software quality assurance is a subset of that process required for software development activities. (8.3) 2.9 Applications requirements management A COBIT to PMBOK mapping Whilst not addressed specifically in PMBOK, applications requirement management should be addressed as part of Integrated Change Control, which requires the maintenance of project plan, project scope and other deliverables. 
Changes must be reviewed and, if accepted, incorporated into a revised baseline. (4.6) Application requirements management should also be addressed with PMBOK s Project Scope Management so that the scope of the project is defined, and the project is broken into manageable deliverables based on verified and controlled requirements. (5.2, 5.3, 5.4, 5.5)

6. DETAILED MAPPING Figure 13 Detailed Mapping of PMBOK With COBIT cont. COBIT Control Objective Coverage PMBOK Requirements/References 2.10 Application software maintenance A COBIT to PMBOK mapping For IT projects, the strategy for maintaining the software after implementation should be a project deliverable and identified as part of project planning. AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) AI3 Acquire and maintain technology infrastructure. 3.1 Technological infrastructure acquisition plan A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI3 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) 3.2 Infrastructure resource protection A COBIT to PMBOK mapping AI1 to AI7 processes may represent components of and availability the project life cycle for IT projects, and the control practices in AI3 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) 3.3 Infrastructure maintenance A COBIT to PMBOK mapping For IT projects, the strategy for maintaining the infrastructure after implementation should be a project deliverable and identified as part of project planning. AI1 to AI7 processes may represent components of the project life cycle for IT projects, and the control practices in AI2 should be considered during the Develop Project Management Plan process of PMBOK. (4.3) 3.4 Feasibility test environment A COBIT to PMBOK mapping The requirement for a test environment should be considered and, if necessary, planned for during the Develop Project Management Plan process of PMBOK. (4.3) AI4 Enable operation and use. 
  4.1 Planning for operational solutions | A | COBIT to PMBOK mapping: The need to transfer knowledge to the business, end users, and operational and support staff should be considered and planned for during the Develop Project Management Plan process of PMBOK. (4.3)
  4.2 Knowledge transfer to business management | A | COBIT to PMBOK mapping: The need to transfer knowledge to the business should be considered and planned for during the Develop Project Management Plan process of PMBOK. (4.3) This includes planning and developing guidance and training to allow business management to take ownership of the system.
  4.3 Knowledge transfer to end users | A | COBIT to PMBOK mapping: The need to transfer knowledge to end users should be considered and planned for during the Develop Project Management Plan process of PMBOK. (4.3) This includes planning for training to address initial and ongoing training as well as support material, service desk, etc.
  4.4 Knowledge transfer to operations and support staff | A | COBIT to PMBOK mapping: The need to transfer knowledge to operational and support staff should be considered and planned for during the Develop Project Management Plan process of PMBOK. (4.3) This includes planning for training to address initial and ongoing training as well as support materials, etc.

AI5 Procure IT resources.
  5.1 Procurement control | A | Project Procurement Management identifies the processes to procure the products, services or results needed from outside the project team to perform the work. These are generic rather than IT specific. (12.1, 12.2, 12.3, 12.4, 12.5, 12.6)
  5.2 Supplier contract management | A | Project Procurement Management specifies, at a generic level, inputs, outputs and techniques that can be used for supplier contract management. (12.2, 12.5, 12.6)
  5.3 Supplier selection | A | Project Procurement Management specifies, at a generic level, inputs, outputs and techniques that can be used for supplier selection. However, the broad principles and approach do apply. (12.3, 12.4)
  5.4 Software acquisition | A | Because PMBOK is not IT specific, the specific requirements for software acquisition are not addressed. However, the broad principles for procurement are specified and do apply. (12.1, 12.2, 12.3, 12.4, 12.5, 12.6)
  5.5 Acquisition of development resources | A | Because PMBOK is not IT specific, the specific requirements for the acquisition of development resources are not addressed. However, the broad principles are specified and do apply. (12.1, 12.2, 12.3, 12.4, 12.5, 12.6)
  5.6 Acquisition of infrastructure, facilities and related services | A | Because PMBOK is not IT specific, the specific requirements for the acquisition of infrastructure, facilities and related services are not addressed. However, the broad principles and approach do apply. (12.1, 12.2, 12.3, 12.4, 12.5, 12.6)

COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0

AI6 Manage changes.
  6.1 Change standards and procedures | A | COBIT to PMBOK mapping: The requirement to set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms should be considered during the Develop Project Management Plan process of PMBOK. (4.3)
  6.2 Impact assessment, prioritisation and authorisation | N/A
  6.3 Emergency changes | N/A
  6.4 Change status tracking and reporting | N/A
  6.5 Change closure and documentation | N/A

AI7 Install and accredit solutions and changes.
  7.1 Training | A | COBIT to PMBOK mapping: The requirement for end-user training should be considered during the Develop Project Management Plan process of PMBOK. (4.3)
  7.2 Test plan | A | COBIT to PMBOK mapping: The quality criteria and processes for verification and validation of various interim phases should be addressed as part of Quality Planning. (8.1) The timing and resourcing of testing should be considered during the Develop Project Management Plan process of PMBOK. (4.3)
  7.3 Implementation plan | A | COBIT to PMBOK mapping: The planning for implementation should be considered during the Develop Project Management Plan process of PMBOK. (4.3)
  7.4 Test environment | A | COBIT to PMBOK mapping: The establishment of a test environment should be considered during the Develop Project Management Plan process of PMBOK. (4.3)
  7.5 System and data conversion | A | COBIT to PMBOK mapping: The requirement for system and data conversion should be considered during the Develop Project Management Plan process of PMBOK. (4.3)
  7.6 Testing of changes | A | COBIT to PMBOK mapping: The establishment of a change and release management strategy that ensures all changes are tested before going into production should be considered during the Develop Project Management Plan process of PMBOK. (4.3) This should take into account the organisation's policies and practices for change management.
  7.7 Final acceptance test | A | COBIT to PMBOK mapping: Project Quality Management requires a planned, systematic approach to quality assurance. While not addressed specifically in PMBOK, a final acceptance test should be a component of all quality assurance activities required for IT solutions, with the results reported as part of project control. (8.3) Scope Verification processes include a final acceptance test. This should also take into account any agreed-upon changes to scope. (5.4, 5.5) The Close Project process should consider the results of the final acceptance test when determining what is required for contracts to be closed. (4.7, 12.6)
  7.8 Promotion to production | A | COBIT to PMBOK mapping: The establishment of formal procedures for handover of the system from development to testing to operations should be considered during the Develop Project Management Plan process of PMBOK. (4.3) This should take into account the organisation's policies and practices for change and release management.
  7.9 Software release | A | COBIT to PMBOK mapping: The establishment of formal procedures for handover of the system from development to testing to operations should be considered during the Develop Project Management Plan process of PMBOK. (4.3) This should take into account the organisation's policies and practices for change and release management.
  7.10 System distribution | A | COBIT to PMBOK mapping: The establishment of formal procedures for the distribution of any configuration items should be considered during the Develop Project Management Plan process of PMBOK. (4.3) This should take into account the organisation's policies and practices for change and release management.

  7.11 Recording and tracking of changes | N/A
  7.12 Post-implementation review | N/A

Deliver and Support

DS1 Define and manage service levels.
  1.1 Service level management framework | N/A
  1.2 Definition of services | N/A
  1.3 Service level agreements | A | COBIT to PMBOK mapping: The requirement for service level agreements based on a business requirement to be developed as a project deliverable should be recognised and planned for in the Develop Project Management Plan process of PMBOK. (4.3)
  1.4 Operating level agreements | A | COBIT to PMBOK mapping: The requirement for operational agreements to be developed as a project deliverable should be recognised and planned for in the Develop Project Management Plan process of PMBOK. (4.3)
  1.5 Monitoring and reporting of service level achievements | N/A
  1.6 Review of service level agreements and contracts | N/A

DS2 Manage third-party services.
  2.1 Identification of all supplier relationships | A | Project Procurement Management identifies which project needs can be met by purchasing or acquiring products, goods and services. This includes consideration of contract types. (12.1)
  2.2 Supplier relationship management | A | Project Procurement Management specifies, at a generic level, inputs, outputs and techniques that can be used for supplier relationship management. (12.2, 12.5, 12.6)
  2.3 Supplier risk management | A | Project Procurement Management specifies, at a generic level, techniques that can be used for supplier risk management, including risk registers and risk-related contracts as well as change management, inspection, audit and payment systems. (12.2, 12.5)
  2.4 Supplier performance monitoring | A | The Project Procurement Management process specifies, at a generic level, techniques that can be used for supplier performance monitoring, including contract statements of work and work performance reviews. (12.2, 12.5)

DS3 Manage performance and capacity.
  3.1 Performance and capacity planning | N/A
  3.2 Current capacity and performance | N/A
  3.3 Future capacity and performance | N/A
  3.4 IT resources availability | N/A
  3.5 Monitoring and reporting | N/A

DS4 Ensure continuous service.
  4.1 IT continuity framework | N/A
  4.2 IT continuity plans | A | COBIT to PMBOK mapping: The requirement for IT continuity plans based on a business requirement to be developed or amended as a project deliverable should be recognised and planned for in the Develop Project Management Plan process of PMBOK. (4.3)
  4.3 Critical IT resources | N/A
  4.4 Maintenance of the IT continuity plan | N/A
  4.5 Testing of the IT continuity plan | N/A
  4.6 IT continuity plan training | N/A
  4.7 Distribution of the IT continuity plan | N/A
  4.8 IT services recovery and resumption | N/A
  4.9 Offsite backup storage | N/A
  4.10 Post-resumption review | N/A

DS5 Ensure systems security.
  5.1 Management of IT security | N/A
  5.2 IT security plan | A | COBIT to PMBOK mapping: The requirement for an IT security plan based on a business requirement to be developed or amended as a project deliverable should be recognised and planned for in the Develop Project Management Plan process of PMBOK. (4.3)
  5.3 Identity management | N/A
  5.4 User account management | N/A
  5.5 Security testing, surveillance and monitoring | N/A
  5.6 Security incident definition | N/A
  5.7 Protection of security technology | N/A
  5.8 Cryptographic key management | N/A
  5.9 Malicious software prevention, detection and correction | N/A
  5.10 Network security | N/A
  5.11 Exchange of sensitive data | N/A

DS6 Identify and allocate costs.
  6.1 Definition of services | A | COBIT to PMBOK mapping: The need to identify the costs associated with the ongoing operation of a new or changed service should be recognised, and the development of a new cost model should be planned for as part of the Develop Project Management Plan process of PMBOK. (4.3)
  6.2 IT accounting | N/A
  6.3 Cost modelling and charging | N/A
  6.4 Cost model maintenance | N/A

DS7 Educate and train users.
  7.1 Identification of education and training needs | A | COBIT to PMBOK mapping: The requirement for a training strategy and plans based on a business requirement to be developed or amended as a project deliverable should be recognised and planned for in the Develop Project Management Plan process of PMBOK. (4.3) (See also AI4.)
  7.2 Delivery of training and education | N/A
  7.3 Evaluation of training received | N/A

DS8 Manage service desk and incidents.
  8.1 Service desk | N/A
  8.2 Registration of customer queries | N/A
  8.3 Incident escalation | N/A
  8.4 Incident closure | N/A
  8.5 Trend analysis | N/A

DS9 Manage the configuration.
  9.1 Configuration repository and baseline | A | COBIT to PMBOK mapping: The need to establish or update a configuration repository should be considered when setting up Scope Planning (5.1) and should be part of defined Scope Control processes. (5.5)
  9.2 Identification and maintenance of configuration items | N/A
  9.3 Configuration integrity review | N/A

DS10 Manage problems.
  10.1 Identification and classification of problems | A | PMBOK identifies an issue log as part of the Manage Stakeholders process. (10.4) COBIT to PMBOK mapping: The requirement for identification of problems consistent with existing organisational practices during the project and after implementation should be recognised and planned for as part of the Develop Project Management Plan process of PMBOK. (4.3)
  10.2 Problem tracking and resolution | A | COBIT to PMBOK mapping: The requirement for problem tracking and resolution during the project life cycle, consistent with existing organisational practices during the project and after implementation, should be recognised and planned for as part of the Develop Project Management Plan process of PMBOK. (4.3)

  10.3 Problem closure | A | COBIT to PMBOK mapping: The requirement for problem closure consistent with existing organisational practices during the project and after implementation should be recognised and planned for as part of the Develop Project Management Plan process of PMBOK. (4.3)
  10.4 Integration of change, configuration and problem management | A | COBIT to PMBOK mapping: The requirement for identification of problems consistent with existing organisational practices during the project and after implementation should be recognised and planned for as part of the Develop Project Management Plan process of PMBOK. (4.3)

DS11 Manage data.
  11.1 Business requirements for data management | A | COBIT to PMBOK mapping: The requirement for data management consistent with business requirements and organisational policies should be recognised and planned for as part of the Develop Project Management Plan process of PMBOK. (4.3)
  11.2 Storage and retention arrangements | N/A
  11.3 Media library management system | N/A
  11.4 Disposal | N/A
  11.5 Backup and restoration | N/A
  11.6 Security requirements for data management | N/A

DS12 Manage the physical environment.
  12.1 Site selection and layout | A | COBIT to PMBOK mapping: Any requirement for a new or changed site consistent with business requirements and organisational policies should be recognised and planned for as part of the Develop Project Management Plan process of PMBOK. (4.3)
  12.2 Physical security measures | N/A
  12.3 Physical access | N/A
  12.4 Protection against environmental factors | N/A
  12.5 Physical facilities management | N/A

DS13 Manage operations.
  13.1 Operations procedures and instructions | N/A
  13.2 Job scheduling | N/A
  13.3 IT infrastructure monitoring | N/A
  13.4 Sensitive documents and output devices | N/A
  13.5 Preventive maintenance for hardware | N/A

Monitor and Evaluate

ME1 Monitor and evaluate IT performance.
  1.1 Monitoring approach | A | The Communications Planning process involves determining the information needs of stakeholders and developing a communication plan that describes how a project will be monitored. (10.1)
  1.2 Definition and collection of monitoring data | A | The Monitor and Control Project Work process advocates techniques, including the use of a project management methodology, project management information systems and earned value, to assist project teams to monitor and control work. (4.5) Information to support monitoring should be collected from the various processes:
      Scope Control as an element of Project Scope Management (5.5)
      Schedule Control as an element of Project Time Management (6.6)
      Cost Control as an element of Project Cost Management (7.3)
      Perform Quality Control as an element of Project Quality Management (8.3)
    The approach to monitoring and reporting quality for each project is determined as part of Quality Planning, and the results are reported as an output of Perform Quality Control. (8.1, 8.3) The Performance Reporting process involves the collection of all baseline data and the distribution of performance information to stakeholders. (10.3)

  1.3 Monitoring method | A | Tools and techniques that can be used for monitoring projects are identified in Project Communications Management. They are not IT specific. (10.3)
  1.4 Performance assessment | A | The PMBOK Monitor and Control Project Work process is performed to monitor project processes associated with initiation, planning, executing and closing of individual projects. This process includes assessment of performance against plans and provision of performance information to support status reporting, progress reporting and forecasting. (4.5)
  1.5 Board and executive reporting | A | The information required for board and executive reporting should be defined as part of Communications Planning. (10.1) The Information Distribution process makes information available to project stakeholders, according to an information management plan. (10.2)
  1.6 Remedial actions | A | The PMBOK Direct and Manage Project Execution process includes the identification of remedial and preventive actions in respect to project performance. (4.4)

ME2 Monitor and evaluate internal control.
  2.1 Monitoring of internal control framework | N/A
  2.2 Supervisory review | N/A
  2.3 Control exceptions | N/A
  2.4 Control self-assessment | N/A
  2.5 Assurance of internal control | N/A
  2.6 Internal control at third parties | N/A
  2.7 Remedial actions | N/A

ME3 Ensure regulatory compliance.
  3.1 Identification of laws and regulations having potential impact on IT | N/A
  3.2 Optimisation of response to regulatory requirements | N/A
  3.3 Evaluation of compliance with regulatory requirements | N/A
  3.4 Positive assurance of compliance | N/A
  3.5 Integrated reporting | N/A

ME4 Provide IT governance.
  4.1 Establishment of an IT governance framework | N/A
  4.2 Strategic alignment | N/A
  4.3 Value delivery | N/A
  4.4 Resource management | N/A
  4.5 Risk management | N/A
  4.6 Performance measurement | N/A
  4.7 Independent assurance | N/A

7. REFERENCES

IT Governance Institute, COBIT 4.0, USA, 2005
Project Management Institute Inc., A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition, 2004
Project Management Institute Inc., Organisational Project Management Maturity Model (OPM3), 2003

OTHER COBIT MATERIALS

COBIT Online 4.0 (2006)
COBIT Online is, as its name suggests, an online offering of COBIT, including full browsing and searching capabilities, benchmarking functions, downloads, a discussion area, and the capacity to customise and create the user's own version of COBIT.

COBIT 4.0 (2005)
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps organisations to increase the value attained from IT, and enables alignment.

COBIT Mapping: Overview of International IT Guidance, 2nd Edition (2006)
This publication focuses on the business drivers for implementing, as well as the risks of non-compliance with, the COBIT guidance. It contains a classification, short overview of the content, and an explanation of how the following guidance aligns or maps to COBIT:
- COSO
- ITIL
- ISO/IEC 17799:2005
- FIPS PUB 200
- ISO/IEC TR 13335
- ISO/IEC 15408:2005/Common Criteria/ITSEC
- PRINCE2
- PMBOK
- TickIT
- CMMI
- TOGAF 8.1
- IT Baseline Protection Manual
- NIST 800-14

COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, 2nd Edition (2006)
This publication contains a detailed mapping of ISO/IEC 17799:2000 to COBIT, as well as the classification of the standard as presented in COBIT Mapping: Overview of International IT Guidance, 2nd Edition.

COBIT Mapping: Mapping of SEI's CMM for Software With COBIT 4.0 (2006)
This publication contains a detailed mapping of the Capability Maturity Model (CMM) to COBIT, as well as the classification of the standards as presented in COBIT Mapping: Overview of International IT Guidance, 2nd Edition.

Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition (2006)
This book discusses why information security governance is increasingly important and outlines questions to ask and steps to take to ensure an effective information security governance programme within an enterprise.

Aligning COBIT, ITIL and ISO 17799 for Business Benefit (2005)
This management briefing is the result of a joint study initiated by the ITGI and UK Office of Government Commerce (OGC), in response to the growing significance of best practices to the IT industry and the need for senior business and IT managers to better understand the value of IT best practices and how to implement them. The briefing suggests how implementation should be tailored, prioritised and planned to achieve effective use. To achieve alignment of best practices to business requirements, it is recommended that COBIT be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every organisation. Specific practices and standards, such as ITIL and ISO 17799, cover discrete areas and can be mapped to the COBIT framework, thus providing a hierarchy of guidance materials.

COBIT Security Baseline (2004)
COBIT covers security in addition to all the other risks that can occur with the use of IT. Using the COBIT framework, this guide focusses on the specific risk of IT security in a way that is simple to follow and implement for the home user or the user in small to medium enterprises, as well as for the executives and board members of larger organisations. It provides the following elements:
- Useful background reading
- COBIT-based security baseline of key controls
- Information security survival kits, providing essential awareness messages for six categories of users
- An appendix containing a summary of technical security risks
A second edition is expected in the fourth quarter of 2006.

Board Briefing on IT Governance, 2nd Edition (2003)
The Board Briefing on IT Governance is based on COBIT. It is addressed to boards of directors, supervisory boards, audit committees, CEOs, CIOs and other executive management, and is designed to help these individuals understand why IT governance is important, what its issues are and what their responsibility is for managing it. The document covers:
- A summarised background on governance
- Where IT governance fits in the larger context of enterprise governance
- A simple framework with which to think about IT governance
- Questions board members should ask
- Good practices and CSFs
- Performance measures board members can track
- A maturity model against which to benchmark one's own organisation

IT Governance Implementation Guide (2003)
This guide provides readers with a methodology for implementing and improving IT governance, using COBIT. The guide is focussed on a generic methodology for implementing IT governance, covering the following subjects:
- Why IT governance is important and why organisations should implement it
- The IT governance life cycle
- The COBIT framework
- How COBIT is linked to IT governance and how COBIT enables the implementation of IT governance
- The stakeholders who have an interest in IT governance
- A road map for implementing IT governance using COBIT
A second edition is expected in the fourth quarter of 2006.

COBIT Quickstart (2003)
COBIT Quickstart is based on a selection of COBIT's control objectives from the majority of COBIT's IT processes, together with the major CSFs and the most important metrics that can be used to monitor performance and the achievement of goals. Quickstart provides a baseline for control over IT in small to medium enterprises (SMEs) and other entities where IT is less strategic and not as critical for survival. Because it is a baseline, Quickstart generally is viewed as common sense and a powerful reminder and checklist of those things that ought to be directed and controlled in IT as a minimum. From a top management perspective, it helps organisations first to focus scarce resources on the basics, potentially the easier-to-tackle areas, providing a starting point and efficient tool for initiating IT governance, without committing large amounts of resources or significant investments. A second edition is expected in the fourth quarter of 2006.

3701 ALGONQUIN ROAD, SUITE 1010
ROLLING MEADOWS, IL 60008 USA
PHONE: +1.847.590.7491
FAX: +1.847.253.1443
E-MAIL: info@itgi.org
WEB SITE: www.itgi.org