COBIT 5 Framework
Patrick Soenen
Presentation based on the COBIT 5 Exposure Draft, 2011, ISACA.
ISACA has designed COBIT 5: The Framework as an educational resource for control professionals. Reproduction only for academic, non-commercial use.
COBIT 5 is a governance and management framework for information and related technology that starts from stakeholder needs with regard to information and technology. The framework is intended for all enterprises, including non-profit and public sector organisations. Today enterprises need to achieve increased:
- value creation through enterprise IT;
- business user satisfaction with IT engagement and services;
- compliance with relevant laws, regulations and policies.
COBIT evolution
Evolution chart (scope of successive versions): Audit, Control, Management, Enterprise Governance of IT.
COBIT 5 ties together all ISACA knowledge assets, i.e. COBIT 4.1, Val IT, Risk IT, the Business Model for Information Security (BMIS), the IT Assurance Framework (ITAF), Taking Governance Forward (TGF) and the Board Briefing on IT Governance, 2nd Edition.
Timeline: COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4 (2005), COBIT 5 (2011).
ISACA Frameworks Included
COBIT 5 Principles
The COBIT 5 Framework is based on 5 principles.
COBIT 5 Principles
1. Integrator Framework
COBIT 5 is complete in enterprise coverage, providing a basis to integrate effectively the other frameworks, standards and practices used.
COBIT 5 Principles
2. The Governance Objective: Stakeholder Value
Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation. Value creation means realising benefits at an optimal resource cost whilst optimising risk.
COBIT 5 Principles
3. Business and Context Focus
Focusing on enterprise goals and objectives, by covering all of the critical business elements. Every organisation has its own context, determined by external and internal factors. A goals cascade translates enterprise goals into specific IT goals.
COBIT 5 Principles
4. Enabler Based Approach
Main elements of the governance approach:
- Enablers are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, toward which or through which action is directed and objectives can be attained.
- Scope: governance can be applied to the whole enterprise, an entity, a tangible or intangible asset, etc.
- Roles, activities and relationships: these define who is involved in governance, how they are involved, what they do and how they interact.
COBIT 5 Principles
5. Governance and Management Structured
A clear distinction is made between governance and management. These two disciplines include different types of activities, require different organisational structures and serve different purposes.
COBIT 5 Architecture
Stakeholder value is based on stakeholder needs, and the governance objectives take those needs into account. ISACA guidance and other standards are structured around enablers, building a consistent knowledge base for all the guidance. A content filter is applied to the knowledge base to build the product family: Framework, Process reference guide, Implementation guide and Practice guide.
Value creation
The governance objective is value creation, i.e. realising benefits at optimal resource cost whilst optimising risk.
The stakeholders for enterprise IT can be internal (board, CEO, CFO, business executives, process owners, risk managers, IT users, IT managers, etc.) and external (business partners, suppliers, shareholders, customers, regulators). They can have different and even conflicting needs.
Governance Objectives
Governance objectives are based on the stakeholders' needs and on value creation, i.e. benefits, resources and risks.
The existing ISACA guidance is used: COBIT, Val IT, Risk IT, BMIS, ITAF, TGF and Board Briefing. Other relevant frameworks: ITIL, TOGAF.
Goals Cascade
Governance objectives translate into enterprise goals. Realising enterprise goals requires IT related goals. For IT related goals to be achieved, enablers are required. Each step of the cascade is a mapping: governance objectives -> enterprise goals -> IT related goals -> enablers.
Goals cascade: enterprise goals mapped to governance objectives
(P = primary relationship, S = secondary relationship; BSC = balanced scorecard dimension)

No.  BSC dimension        Enterprise goal                                   Benefits  Risk  Resource
1    Financial            Stakeholder value of business investments         P         -     -
2    Financial            Portfolio of competitive products/services        P         -     S
3    Financial            Managed business risks                            -         P     S
4    Financial            Compliance with external laws and regulations     -         P     -
5    Financial            Financial transparency                            P         S     S
6    Customer             Customer oriented service culture                 P         -     S
7    Customer             Business service continuity & availability        -         P     -
8    Customer             Agile responses to a changing environment         P         -     S
9    Customer             Information based strategic decision making       P         P     P
10   Internal             Optimisation of service delivery costs            P         -     S
11   Internal             Optimisation of business process functionality    P         -     P
12   Internal             Optimisation of business process costs            P         -     P
13   Internal             Managed business process changes                  P         P     S
14   Internal             Operational and staff productivity                P         -     P
15   Internal             Compliance with internal policies                 -         P     -
16   Learning & Growth    Skilled and motivated people                      S         S     P
17   Learning & Growth    Product and business innovation culture           P         -     -
Goals cascade: IT related goals
(BSC = balanced scorecard dimension)

No.  BSC dimension        IT related goal
1    Financial            Alignment of IT and business strategy
2    Financial            IT compliance and support for business compliance with external laws & regulations
3    Financial            Commitment of executive management for making IT related decisions
4    Financial            Managed IT related business risks
5    Financial            Realised benefits from IT-enabled investments and services portfolio
6    Financial            Transparency of IT costs, benefits and risks
7    Customer             Delivery of IT services in line with business requirements
8    Customer             Adequate use of applications, information and technology structure
9    Internal             IT agility
10   Internal             Security of information, processing infrastructure and applications
11   Internal             Optimisation of IT assets, resources and capabilities
12   Internal             Enablement and support of business processes by integration
13   Internal             Delivery of programmes on time, on budget and on business requirements
14   Internal             Availability of reliable and useful information
15   Internal             IT compliance with internal policies
16   Internal             Competent and motivated IT personnel
17   Learning & Growth    Knowledge, expertise and initiatives of business motivation
Enablers
Enablers are tangible and intangible elements that make governance and management over enterprise IT work. The enablers are driven by the goals cascade. The seven COBIT 5 enablers are: Principles & Policies; Processes; Organisational Structures; Culture, Ethics & Behaviour; Information; Service Capabilities; Skills & Competencies.
Enablers (continued)
- Principles & Policies: to translate desired behaviour into guidance for day-to-day management.
- Processes: to achieve objectives and to produce output.
- Organisational Structures: the key decision making entities.
- Culture, Ethics & Behaviour: of individuals and of the organisation.
- Information: required for keeping the organisation running and well governed.
- Service Capabilities: include infrastructure, technology and applications.
- Skills & Competencies: required for successful completion of activities and for taking correct decisions.
CobiT is a trademark of the ISACA.
Generic enabler model
The generic enabler model applies to all COBIT enablers. The generic model has been applied to the Process enabler.
Enabler capability levels
The process maturity model of COBIT 4.1 has been replaced with a capability model based on ISO/IEC 15504.

COBIT 4.1 Maturity Model level   COBIT 5 ISO/IEC 15504 based capability level   Meaning of the COBIT 5 capability level
5. Optimised                     5. Optimised                                   Continuously improved to meet relevant current and projected enterprise goals.
4. Managed and Measurable        4. Predictable                                 Operates within defined limits to achieve its process outcomes.
3. Defined                       3. Established                                 Implemented using a defined process that is capable of achieving its process outcomes.
N/A                              2. Managed                                     Implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
N/A                              1. Performed                                   Process achieves its process purpose.
2. Repeatable                    -                                              -
1. Ad Hoc                        -                                              -
0. Non-existent                  0. Incomplete                                  Not implemented, or little or no evidence of any systematic achievement of the process purpose.

Context of the levels: enterprise view / corporate knowledge versus instance view / individual knowledge.
Knowledge base & products
The knowledge base contains all guidance and content. A series of products is built from the knowledge base.
Governance & management processes
COBIT 5 advocates that organisations implement governance and management processes such that the key areas below are covered: 1 governance domain and 4 management domains.
Process reference model
The process reference model is divided into 5 domains:
- 1 governance domain: EDM
- 4 management domains: APO, BAI, DSS & MEA
Processes for Governance of Enterprise IT:
- Evaluate, Direct & Monitor (EDM)
Processes for Management of Enterprise IT:
- Align, Plan & Organise (APO)
- Build, Acquire & Implement (BAI)
- Deliver, Service & Support (DSS)
- Monitor, Evaluate & Assess (MEA)
Process reference model
The complete set of 36 processes: 5 governance and 31 management processes.
Implementation
The 7 phases of the implementation life cycle.