COBIT 5. ISACA Malta Chapter Steven Babb Dirk Steuperaert


Steven Babb
Education: 1st Class BSc (Hons) Computing (1996); BS7799 Lead Auditor; ITIL Service Manager; PRINCE2 Certified Practitioner; CGEIT, CRISC
Professional career: International Brewer, various roles (1991-1996); KPMG, Head of IT Risk (1996-2012); Betfair, Head of Governance, Risk & Assurance (2012- )
Professional organisations: Risk IT Task Force, COBIT 5 Task Force, Cloud Computing Task Force; Framework Committee Chair; COBIT for Risk Chair
Contact: steven.babb@betfair.com

Dirk Steuperaert
Education: Master Engineering (UGent, 1986); Master Computer Auditing (UAMS, 1995); CISA (1995), CGEIT (2009), CRISC (2011)
Professional career: Software Engineer, SWIFT (1988-1992); IT Auditor at SWIFT, BBL, Cedel (1992-1997); Consultant, PwC (1997-2008); Independent Consultant, IT In Balance (2008- )
Professional organisations: ISACA (COBIT Steering Committee; Lead Developer of Risk IT; Project Manager of COBIT 5 Development; Project Manager for COBIT 5 for Risk and COBIT 5 for Assurance)
Contact: dirk.steuperaert@it-in-balance.be

Objectives for this session. To provide you with:
- An overview of the development approach behind COBIT 5 and a brief history of COBIT
- An understanding of the key principles underpinning the COBIT 5 framework
- Key considerations on how to implement COBIT 5
- Additional COBIT 5 publications: what is here now and what is coming next
- Thoughts on migration from legacy to COBIT 5

Agenda (presenter in brackets)
1. COBIT 5 Drivers (Steven)
2. COBIT 5 Framework: COBIT 5 Principles (Steven)
3. COBIT 5 Framework: Enablers (Steven)
4. COBIT 5 Framework: Process Capability Model (Dirk)
5. COBIT 5 Enabling Processes: Introduction (Dirk)
6. COBIT 5 Enabling Processes: Structure (Dirk)
7. COBIT 5 Enabling Processes: Overview of COBIT 5 Process Domains and Processes (Dirk)
8. COBIT 5 Implementation Guide (Dirk)
9. Additional Pubs: COBIT 5 for Security, COBIT 5 PAM (Steven)
10. Upcoming Pubs: COBIT 5 for Assurance, COBIT 5 for Risk (Steven)
11. Migrating to COBIT 5: some more things to consider (Dirk)
12. Q&A

1. Introduction & COBIT 5 Drivers

Introduction: The Basic Equation 1
A framework definition. A framework is not a standard, not a complete solution and not a ready-to-use solution. A framework is a set of structures and components, a way of thinking, and a basis that needs customisation.

COBIT: The Word 1
The very original acronym COBIT stood for Control Objectives for Information and Related Technology. The control objectives are gone now (well, at least the name has), but Information and Related Technology stand!
- Information is a key resource for all enterprises
- Information is created, used, retained, disclosed and destroyed
- Technology plays a key role in these actions
- Technology is becoming pervasive in all aspects of business and personal life

COBIT: Enterprise Context and Benefits 1
Today, enterprises and their executives have to:
- Maintain high-quality information
- Generate business value from IT-enabled investments
- Achieve operational excellence
- Maintain IT-related risk at an acceptable level
- Optimise the cost of IT services and technology
- Comply with ever-increasing relevant laws, regulations, contractual agreements and policies
COBIT 5 provides the framework to fulfil these requirements.

Drivers for COBIT 5: Changing World 1
The world has moved on since COBIT 4.1 and related ISACA guidance were published:
- Importance of information
- Role of technology
- Technology landscape
- Views on governance and the standards landscape
- Economic context
- Regulatory context
- Need for rationalisation of various ISACA guidance

Drivers for COBIT 5: Stakeholder Value 1
Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. Enterprise boards, executives and management have to embrace IT like any other significant part of the business. COBIT 5 provides the comprehensive framework for enterprises to:
- achieve their goals
- deliver value through effective governance and management of enterprise IT

The COBIT 5 Framework 1
Simply stated:
- COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use
- COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise
- The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector

Evolution of scope. COBIT: Its development history 1
(Figure: the scope grows from Audit and Control, through Management and IT Governance, to Governance of Enterprise IT.) COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), COBIT 5 (2012); Val IT 2.0 (2008) and Risk IT (2009) are folded in. A business framework from ISACA, at www.isaca.org/cobit

COBIT 5: Timeline 1
- 3/09/2009: Joint FC-C5TF Kick-Off Meeting
- Nov 2009: Start of Design
- Feb 2010: Dev Team Meeting
- 20/03/2010: Public Exposure, COBIT 5 Architecture Blueprint
- Apr 2010: C5TF Meeting
- May 2010: First SME Development Workshop
- Aug 2010: Second SME Development Workshop
- Oct 2010: Dev Team Meeting
- Dec 2010: C5TF Meeting
- Jan 2011: End of Design
- 29/03/2011: SME Exposure, COBIT 5
- May 2011: C5TF Meeting
- 1/07/2011: Public Exposure, COBIT 5 Framework and Process Guide
- Nov 2011: Final C5TF Meeting
- Jan 2012: End of Development
- 10/04/2012: Publication of COBIT 5

2. COBIT 5 Framework (1): COBIT 5 Principles

The COBIT 5 Framework 2
The main, overarching COBIT 5 product. Contains the executive summary and the full description of all of the COBIT 5 framework components:
- The COBIT 5 principles (there are 5 of them!)
- The seven COBIT 5 enablers
- An introduction to the implementation guidance (COBIT 5 Implementation)
- An introduction to the COBIT Assessment Programme (not specific to COBIT 5)

The COBIT 5 Principles 2

The COBIT 5 Principles. 1. Meeting Stakeholder Needs 2
Enterprises exist to create value for their stakeholders. Therefore:
- Governance Objective = Value Creation
- Governance objectives are driven by stakeholder needs
- Value is the interaction and combination of three components

The COBIT 5 Principles. 1. Meeting Stakeholder Needs 2
Enterprises exist to create value for their stakeholders. Therefore:
- Governance objectives need to be translated into manageable goals
- This is the COBIT 5 goals cascade
- It translates stakeholder needs into specific, actionable and customised goals

The COBIT 5 Principles. 2. Covering the Enterprise End-to-End 2
COBIT 5:
- Integrates governance of enterprise IT into enterprise governance
- Covers all functions and processes within the enterprise
Key components of a governance system:
- Governance Enablers: the organisational resources for governance
- Governance Scope: the entity to which governance is applied

The COBIT 5 Principles. 2. Covering the Enterprise End-to-End 2
Third component: the governance roles, activities and relationships. This defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system.

The COBIT 5 Principles. 3. Integrated Framework 2
COBIT 5 aligns with the latest relevant other standards and frameworks:
- Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
- IT-related: ISO 38500, ITIL, ISO 27000 series, TOGAF, PMBOK/PRINCE2, CMMI, ...
This allows COBIT 5 to be used as the overarching governance and management framework integrator. COBIT 5 also integrates all major ISACA guidance: COBIT 4.1, Risk IT, Val IT, BMIS, ITAF. One consistent knowledge base to build the COBIT 5 Product Family on.

The COBIT 5 Principles 3. Integrated Framework 2

The COBIT 5 Principles. 4. Enabling a Holistic Approach 2
- Enablers are factors that, individually and collectively, influence whether something will work
- Enablers are driven by the goals cascade
- The COBIT 5 framework describes seven categories of enablers

The COBIT 5 Principles. 5. Separating Governance from Management 2
Governance: Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives. [EDM]
Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. [PBRM]

The COBIT 5 Principles 5. Separating Governance from Management 2

3. COBIT 5 Framework (2): COBIT 5 Enablers and the Enabler Model

The COBIT 5 Enablers 3

The COBIT 5 Enabler Model 3

The COBIT 5 Enabler Model 3
This generic enabler model is repeated for each of the seven enablers, adding more specific details, guidance and some simple examples.

The COBIT 5 Enabler Model Performance Management 3

4. COBIT 5 Framework (3): COBIT 5 Process Capability Model

The COBIT 5 Framework: Process Capability Model 4
- COBIT 5 is supported by a new process capability assessment approach based on ISO/IEC 15504: the COBIT Assessment Programme.
- The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IEC 15504 approach, as the methods use different attributes and measurement scales.
In practice:
- In general, ratings of a process will be lower with the new capability assessment approach (but they are not comparable anyway)
- COBIT 5 does not include a specific maturity model per process

Recap of Process Evaluation Methods: COBIT 4.1 4

Recap of Process Evaluation Methods: Risk IT 4

The COBIT 5 Framework Process Capability Model 4

Recap of Process Evaluation Methods: Rationale for change 4
- The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method
- The COBIT Assessment Programme supports formal assessments by accredited assessors (assessor training is being developed) and less rigorous self-assessments for internal gap analysis and process improvement planning
- The COBIT Assessment Programme, in the future, will also potentially enable an enterprise to obtain independent and certified assessments aligned to the ISO standard

Recap of Process Evaluation Methods: Rationale for change 4
- COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach
- Information gathered from previous assessments may be reusable, but care is needed, as there are significant differences in requirements
- COBIT 4.1, Val IT and Risk IT users wishing to continue with the CMM-based approach, either as an interim or an ongoing approach, can use the COBIT 5 guidance but must use the COBIT 4.1 generic attribute table without the high-level maturity models

Recap of Enabler Performance Management

Assessing Other Enablers 4
- The ISO 15504 based approach is a process assessment scheme
- The generic enabler performance model aligns quite well with the 15504 approach: the same basic questions are asked
- So performance of other enablers can be assessed in a similar manner
- BUT: COBIT 5 as it stands does not elaborate this explicitly as it does for processes

5. COBIT 5 Enabling Processes: Introduction

COBIT 5 Enabling Processes: Detailed Process Guidance 5
- COBIT 5 goals cascade, complemented with example metrics for the enterprise goals and the IT-related goals
- COBIT 5 process model is explained and its components defined
- Process reference model of 37 processes, with detailed information for all processes

COBIT 5 Enabling Processes COBIT 5 Process Model 5

COBIT 5 Enabling Processes Process Reference Model 5

6. COBIT 5 Enabling Processes: Structure

COBIT 5 Enabling Processes Detailed Process Guidance 6

COBIT 5 Enabling Processes: Detailed Process Guidance 6
- COBIT 5 provides a revised goals cascade based on enterprise goals (previously: business goals) driving IT-related goals (previously: IT goals), which are in turn supported by critical enablers (previously: processes)
- COBIT 5 provides examples of goals and metrics at the enterprise, IT-related and process levels
- This is a change from COBIT 4.1, Val IT and Risk IT, which went one level lower but did not have the higher (enterprise) level

COBIT 5 Enabling Processes: Detailed Process Guidance 6
Each process starts with:
- Header information
- Process description
- Process purpose statement

COBIT 5 Enabling Processes: Detailed Process Guidance 6
Goals cascade information:
- IT-related goals supported by this process, plus related metrics
- Process goals, plus related metrics

COBIT 5 Enabling Processes Detailed Process Guidance 6

COBIT 5 Enabling Processes: Detailed Process Guidance 6
Process practices, with:
- Inputs and outputs
- Process activities
- RACI chart

COBIT 5 Enabling Processes Detailed Process Guidance 6

COBIT 5 Enabling Processes Detailed Process Guidance 6

COBIT 5 Enabling Processes: Detailed Process Guidance 6
Related guidance

7. COBIT 5 Enabling Processes: Process Domains and Processes

The COBIT 5 Process Reference Guide Process Reference Model 7

The COBIT 5 Process Reference Guide: Process Reference Model, EDM 7
Evaluate, Direct & Monitor: processes for governance of enterprise IT. EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency.
Process and process purpose:
- EDM01 Ensure Governance Framework Setting and Maintenance: Provide a consistent approach, integrated and aligned with the enterprise governance approach, to ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.
- EDM02 Ensure Benefits Delivery: Secure optimal value from IT-enabled initiatives, services and assets, cost-efficient delivery of solutions and services, and a reliable and accurate picture of costs and likely benefits, so that business needs are supported effectively and efficiently.

The COBIT 5 Process Reference Guide: Process Reference Model, EDM 7
Evaluate, Direct & Monitor: processes for governance of enterprise IT (continued).
Process and process purpose:
- EDM03 Ensure Risk Optimisation: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
- EDM04 Ensure Resource Optimisation: Ensure that the resource needs of the enterprise are met in the most optimal manner, IT costs are optimised, and there is an increased likelihood of benefit realisation and readiness for future change.
- EDM05 Ensure Stakeholder Transparency: Make sure that communication to stakeholders is effective and timely and that the basis for reporting is established, to increase performance, identify areas for improvement, and confirm that IT-related objectives and strategies are in line with the enterprise's strategy.

The COBIT 5 Process Reference Guide: Process Reference Model, APO 7
Align, Plan & Organise: processes for management of enterprise IT. APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget & Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security.
Process and process purpose:
- APO01 Manage the IT Management Framework: Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies.
- APO02 Manage Strategy: Align strategic IT plans with business objectives; clearly communicate the objectives and associated accountabilities so they are understood by all, with the IT strategic options identified, structured and integrated with the business plans.
- APO03 Manage Enterprise Architecture: Represent the different building blocks that make up the enterprise and their interrelationships, as well as the principles guiding their design and evolution over time, enabling a standard, responsive and efficient delivery of operational and strategic objectives.

The COBIT 5 Process Reference Guide: Process Reference Model, APO 7
Align, Plan & Organise: processes for management of enterprise IT (continued).
Process and process purpose:
- APO04 Manage Innovation: Achieve competitive advantage, business innovation, and improved operational effectiveness and efficiency by exploiting information technology developments.
- APO05 Manage Portfolio: Optimise the performance of the overall portfolio of programmes in response to programme and service performance and changing enterprise priorities and demands.
- APO06 Manage Budget and Costs: Enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services.

The COBIT 5 Process Reference Guide: Process Reference Model, APO 7
Align, Plan & Organise: processes for management of enterprise IT (continued).
Process and process purpose:
- APO07 Manage Human Resources: Optimise human resources capabilities to meet enterprise objectives.
- APO08 Manage Relationships: Create improved outcomes, increased confidence and trust in IT, and effective use of resources.
- APO09 Manage Service Agreements: IT services and service levels meet current and future enterprise needs.

The COBIT 5 Process Reference Guide: Process Reference Model, APO 7
Align, Plan & Organise: processes for management of enterprise IT (continued).
Process and process purpose:
- APO10 Manage Suppliers: Minimise the risk associated with non-performing suppliers and ensure competitive pricing.
- APO11 Manage Quality: Consistent delivery of solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.
- APO12 Manage Risk: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
- APO13 Manage Security: Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels.

The COBIT 5 Process Reference Guide: Process Reference Model, BAI 7
Build, Acquire & Implement: processes for management of enterprise IT. BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification & Build; BAI04 Manage Availability & Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration.
Process and process purpose:
- BAI01 Manage Programmes and Projects: Realise business benefits and reduce the risk of unexpected delays, costs and value erosion, ensuring the value and quality of project deliverables and maximising their contribution to the investment and services portfolio.
- BAI02 Manage Requirements Definition: Create feasible optimal solutions that meet enterprise needs while minimising risk.
- BAI03 Manage Solutions Identification and Build: Establish timely and cost-effective solutions capable of supporting enterprise strategic and operational objectives.

The COBIT 5 Process Reference Guide: Process Reference Model, BAI 7
Build, Acquire & Implement: processes for management of enterprise IT (continued).
Process and process purpose:
- BAI04 Manage Availability and Capacity: Maintain service availability, efficient management of resources and optimisation of system performance through prediction of future performance and capacity requirements.
- BAI05 Manage Organisational Change Enablement: Prepare and commit stakeholders for business change and reduce the risk of failure.
- BAI06 Manage Changes: Enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment.

The COBIT 5 Process Reference Guide: Process Reference Model, BAI 7
Build, Acquire & Implement: processes for management of enterprise IT (continued).
Process and process purpose:
- BAI07 Manage Change Acceptance and Transitioning: Implement solutions safely and in line with the agreed-on expectations and outcomes.
- BAI08 Manage Knowledge: Provide the knowledge required to support all staff in their work activities and for informed decision making and enhanced productivity.
- BAI09 Manage Assets: Account for all IT assets and optimise the value provided by these assets.
- BAI10 Manage Configuration: Provide sufficient information about service assets to enable the service to be effectively managed, to assess the impact of changes and to deal with service incidents.

The COBIT 5 Process Reference Guide: Process Reference Model, DSS 7
Deliver, Service & Support: processes for management of enterprise IT. DSS01 Manage Operations; DSS02 Manage Service Requests & Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls.
Process and process purpose:
- DSS01 Manage Operations: Deliver IT operational service outcomes as planned.
- DSS02 Manage Service Requests and Incidents: Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents.
- DSS03 Manage Problems: Increase availability, improve service levels, reduce costs, and improve customer convenience and satisfaction by reducing the number of operational problems.

The COBIT 5 Process Reference Guide: Process Reference Model, DSS 7
Deliver, Service & Support: processes for management of enterprise IT (continued).
Process and process purpose:
- DSS04 Manage Continuity: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.
- DSS05 Manage Security Services
- DSS06 Manage Business Process Controls: Maintain information integrity and the security of information assets handled within business processes in the enterprise or outsourced.

The COBIT 5 Process Reference Guide: Process Reference Model, MEA 7
Monitor, Evaluate & Assess: processes for management of enterprise IT. MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance with External Requirements.
Process and process purpose:
- MEA01 Monitor, Evaluate and Assess Performance and Conformance: Provide transparency of performance and conformance and drive achievement of goals.
- MEA02 Monitor, Evaluate and Assess the System of Internal Control: Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.
- MEA03 Monitor, Evaluate and Assess Compliance with External Requirements: The enterprise is compliant with all applicable external requirements.

1. 8. COBIT 5 Implementation Guide

COBIT 5 Implementation
COBIT 5: Implementation covers the following subjects:
- Positioning GEIT within an enterprise
- Taking the first steps towards improving GEIT
- Implementation challenges and success factors
- Enabling GEIT-related organisational and behavioural change
- Implementing continual improvement that includes change enablement and programme management
- Using COBIT 5 and its components

Migrate to COBIT 5 or stay with COBIT 4? Some considerations... (slide compares COBIT 4.1 with COBIT 5 side by side)

Migrate to COBIT 5 or stay with COBIT 4? Some considerations
- COBIT 5 because we have to do it
- COBIT 5 because we want to do it

Roadmap to COBIT 5: If you adopt COBIT 5, it's the enablers
Recap: it's the enablers that make governance work. So a roadmap to COBIT 5 implies working on all of these enablers:
- Defining and implementing processes
- Putting in place effective organisational structures
- Defining the right information streams
- Developing the right culture and associated behaviours
- Having the right skills, competences and (number of) people

COBIT 5 Implementation Roadmap (diagram)

Roadmap to COBIT 5, Step 1: Why would we do it?
What are the drivers for a COBIT 5 implementation?
- Are there any existing pains? Lack of control? Growing number of loose ends? Uncertain ROI of investments?
- Any important trigger events? Major new project? External pressure? Regulatory pressure?
Questions:
- Are these issues real? If not, in theory there is no need to act urgently.
- If real issues exist, is the Board convinced that something needs to be done here?

Roadmap to COBIT 5, Step 2: Where are we now?
Assess the current situation:
- Determine, based on existing pains, the areas of COBIT 5 that are relevant for you
- Make a diagnosis / high-level review of the selected governance enablers, resulting in:
  - a capability score of processes
  - evaluations of the other enablers

Roadmap to COBIT 5, Step 3: Where do we want to be?
- Express target levels for the capability of enablers
- This applies to processes, but also to the other enablers
Remember: raising your level of governance capability
- requires resources, including time
- has to be subject to a business case!

Success Factors
Some key success factors, without which failure is guaranteed:
- Continuous top management support and commitment
- Resources
- Regular success stories & quick wins
- Understanding key objectives (see next slide)

Governance often perceived as this... (bar charts "Before" and "After", scale 0 to 5, bars for Benefits, Risk and Resources)

Governance could also (preferably) result in this (bar charts "Before" and "After", scale 0 to 5, bars for Benefits, Risk and Resources)

Some quotes recorded during COBIT 5 development
- Quote 1: "COBIT 5 is not a framework for the IT people"
- Quote 2: "Organisations have the IT they deserve"

1. 9. Additional COBIT 5 Publications - COBIT 5 for Information Security - COBIT Assessment Programme

Additional Publications: COBIT 5 for Information Security
- This is an extended view of COBIT 5
- It explains each component of COBIT 5 from an information security perspective
- It provides security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise

Additional Publications: COBIT Assessment Programme
- This enables the evaluation of selected IT processes, giving a view on process capability
- Uses: process improvement, delivering business value, measuring the achievement of business goals, benchmarking, consistent reporting, etc.
- Processes can be assessed individually or alternatively in groups. Scoping areas include:
  - Capability of processes to support cloud services
  - Capability of processes to support achievement of IT and business goals
  - Capability of processes to support SOX compliance
  - Capability of processes to support the enterprise governance of IT

1. 10. Upcoming COBIT 5 Publications - COBIT 5 for Assurance - COBIT 5 for Risk

COBIT 5 for Assurance
- This creates an information assurance view of COBIT 5
- It provides guidance for ISACA's information assurance constituents
- It should be considered as the assurance equivalent of COBIT 5 for Information Security
- It is scheduled to be available in the second quarter of 2013; currently proposed to be launched at Insights 2013

COBIT 5 for Assurance (continued)
- In COBIT 5, governance/management practices are the replacements for the COBIT 4.1 control objectives and the Val IT and Risk IT practices
- In COBIT 5, the focus is on enabler goals
- Achievement of enabler goals can be assessed:
  - Are goals achieved? (associated metrics at various levels in the cascade)
  - Is appropriate good practice applied? (design question)
  - Are process activities (which include control activities) adequately performed?
  - Is the process capability level adequate or fit for purpose?

COBIT 5 for Risk
- This creates an information risk view of COBIT 5
- It will serve as the information risk specific guidance for ISACA's information risk constituents
- It should be considered as the risk focused equivalent of COBIT 5 for Information Security
- It is scheduled to be available in the second quarter of 2013; currently proposed to be launched at Insights 2013

1. 11. Some more migrating implementation considerations. How to put COBIT 5 to use in practice?

COBIT 5 Has Arrived, Now What? Meeting Stakeholder Needs. Are they?
Example stakeholder question: How do I get value from IT? Do I get value from IT?
- COBIT 5: Value is the key driver for all enablers; COBIT 5 describes the organisational structures, processes, behaviours, information flows etc. that are needed to have IT deliver value to the enterprise
- COBIT 5 also describes the mechanisms to analyse performance of all enablers, and includes a roadmap for a governance improvement project
- COBIT 5 contains specific processes and other enablers for value management, e.g. EDM02, APO05 and the linked organisational structures, information flows etc.

COBIT 5 Has Arrived, Now What? Meeting Stakeholder Needs. Are they?
Example stakeholder question: How do I manage performance of IT? Am I running an efficient and resilient IT operation? How do I best build and structure my IT department?
- COBIT 5 defines a set of interacting enablers that, when working and interacting well, provide a performing IT for the enterprise
- COBIT 5 includes a generic enabler model with a performance management module. Using this model to assess all enablers systematically will provide accurate and useful performance data
- COBIT 5 contains metrics associated with goals at various levels; these metrics can be included in a performance management system
- Dealing with the efficiency and resilience questions can be done by putting appropriate emphasis and priority on specific processes and other enablers

COBIT 5 Has Arrived, Now What? Meeting Stakeholder Needs. Are they?
Example stakeholder question: How do I know if I'm compliant with all applicable regulations? Am I?
- COBIT 5 includes a number of processes that specifically deal with compliance, from identifying compliance requirements, over implementing appropriate controls, to (independent) evaluation of compliance; the goals cascade includes several compliance related goals at various levels
- COBIT 5 extends towards business processes, ensuring that compliance requirements are taken care of consistently throughout the enterprise
- The mechanisms to assess performance of these processes and other enablers can be used to manage performance of the compliance system

COBIT 5 Has Arrived, Now What? Meeting Stakeholder Needs. Are they?
Example stakeholder question: Did I address all IT related risks?
- COBIT 5 includes several IT risk related goals at various levels, which, when prioritised correctly, will identify relevant processes and other enablers to manage risk
- Specific processes at governance and management level deal with risk management, e.g. EDM03, APO12, APO13, MEA domain
- The same holds for organisational structures, specific skills etc.
- Again, the built-in performance system allows monitoring the performance and outcome of all enablers, providing an accurate view on current status
- In case improvements are needed, the Implementation Guide provides a roadmap towards enhanced governance practices

Finally, one word on complexity
More than 32 definitions of complexity exist.
Is COBIT 5 complex? YES, because:
- It covers a complex matter and provides a model to deal with this complexity!
- Models are a simplification of reality to the level where the model is still relevant: simplification, but not simplistic!
Is COBIT 5 complex? NO, because:
- If complex is defined as the time needed to understand (for a normal person), then we could argue that it is not very complex: 5 principles, seven enablers with four dimensions each

Some final advice...
The basic equation: a framework is a framework.
- COBIT 5 is comprehensive in its vision on governance
- BUT: a lot remains to be done by yourselves, based on individual circumstances
- We already possess the most important tool required for that (shown at the right)

Q & A