IT Governance Frameworks: COBIT® 5 Tutorial
1 COBIT® 5 and Other IT Governance Frameworks
This lesson covers the benefits, format and product architecture of COBIT® 5. It also focuses on mapping COBIT® to other IT governance frameworks. Let us begin with the objectives of this lesson in the next screen.
By the end of this lesson, you will be able to:
● Explain the benefits of COBIT® 5
● Discuss the COBIT® 5 format and its volumes
● Describe the COBIT® 5 product family
● Identify the governance and management processes in COBIT® 5
Let us move on to the next screen to discuss the benefits of COBIT® 5.
3 Benefits of COBIT® 5
The benefits of COBIT® 5 are as follows:
● It considers stakeholder needs as the starting point of the governance and management activities related to enterprise IT.
● It acts as a business framework, which enables business management to communicate with IT (read as I-T) management.
● It creates a more consistent, integrated and complete perspective of enterprise governance and IT management, and provides an end-to-end view of all IT-related matters.
● It provides a top-down view of the business needs that creates a goals cascade, which drives the need to meet the expectations of stakeholders throughout the enterprise.
● It encourages a common language throughout the enterprise, so that stakeholders understand IT and IT meets their business needs.
● It is consistent with generally accepted corporate governance standards, which helps to meet regulatory requirements.
In the next screen, let us look at the COBIT® 5 format.
4 The COBIT® 5 Format
The COBIT® 5 framework follows a simple format. It directly addresses the needs of its users from different perspectives. COBIT® 5 comes in three volumes, namely, ‘The Framework’, ‘Process Reference Guide’ and ‘Implementation Guide’. COBIT® 5 is also based on a set of principles and enablers. Let us proceed to discuss the product family of COBIT® 5 in the next screen.
5 COBIT® 5 Product Family
The image on the screen lists the components of the COBIT® 5 product family. It includes:
● COBIT® 5: This publication gives an overview of the complete COBIT® 5 framework as well as a summary for executives and other users.
● COBIT® 5 Enabler Guides: These include COBIT® 5 Enabling Processes, COBIT® 5 Enabling Information and other enabler guides. They are detailed reference guides that support the ‘COBIT® 5 Business Framework for the Governance and Management of Enterprise IT’ and the professional guides. The ‘COBIT® 5 Enabler Guides’ act as the bridge between the COBIT® 5 framework and the COBIT® 5 professional guides.
● COBIT® 5 Professional Guides: These guides are intended to be used by specific professional practitioners; for example, an auditor would use the ‘COBIT® 5 for Assurance’ guide to understand and implement COBIT® 5 from the perspective of an auditor. These guides include the COBIT® 5 Implementation guide, which is used to get a practical appreciation of how to apply COBIT® 5 to specific business problems, pain points, trigger events and risk scenarios within the organisation. The remaining guides mentioned are all still in development and beyond the scope of this course. They are as follows: COBIT® 5 for Information Security, which was available in July 2012; COBIT® 5 for Assurance; COBIT® 5 for Risk; and other professional guides to be defined based on the needs of the market. The currently available professional guides are: Vendor Management using COBIT® 5 and Configuration Management using COBIT® 5.
● COBIT® 5 Online: This will replace COBIT® 4.1 (read as KOBIT four point one) Online. This tool was to be made available in the beginning of 2014. It will enable registered users to implement and maintain COBIT® 5 through an interactive online system.
It is to be noted that the COBIT® Process Assessment Guides are treated as part of a separate product family and are accessed at ISACA through the COBIT® Assessment Programme link on the website.
In the next screen, we will discuss the COBIT® 5 mapping summary.
6 COBIT® 5 Mapping Summary
The image on the screen depicts the various frameworks and standards that have influenced COBIT® 5 and can be mapped to it. The five governance and management process domains of COBIT® 5 are mapped to various standards and frameworks in the following ways:
● The Evaluate, Direct and Monitor or EDM (read as E-D-M) governance processes are mapped to the standard for corporate governance of information technology, ISO/IEC 38500 (read as I-S-O-I-E-C Thirty Eight Thousand Five Hundred), and the standard for risk management, ISO/IEC 31000 (read as I-S-O-I-E-C Thirty One Thousand), which are essential from the governance perspective.
● The Align, Plan and Organise or APO (read as A-P-O) management processes are mapped to PRINCE2® (read as Prince Two) and PMBOK® (read as P-M BOK), which are project management frameworks. These processes are also mapped to The Open Group Architecture Framework or TOGAF (read as TOE-GAFF), which is the de facto global standard for enterprise architecture. They are also mapped to ISO/IEC 31000, the risk management standard, and ISO/IEC 27000 (read as I-S-O-I-E-C Twenty Seven Thousand), the standard for information security. They are aligned to the Capability Maturity Model Integration or CMMI (read as C-M-M-I), the capability and process assessment model, the IT Infrastructure Library Framework or ITIL® (read as I-T-I-L) Version 3 2011 framework and the standard for IT service management, ISO/IEC 20000 (read as I-S-O-I-E-C Twenty Thousand).
● The Build, Acquire and Implement or BAI (read as B-A-I) management processes are aligned with the CMMI model along with the ITIL® Version 3 2011 framework and ISO/IEC 20000, the standard for IT service management. The other frameworks and standards that contribute to the BAI processes are the PRINCE2® and PMBOK® project management frameworks, TOGAF and ISO/IEC 27000, the information security standard.
● The Deliver, Service and Support or DSS (read as D-S-S) management processes are aligned to the ITIL® Version 3 2011 framework and ISO/IEC 20000.
● The Monitor, Evaluate and Assess or MEA (read as M-E-A) management processes are aligned to ISO/IEC 27000, the information security standard.
In the next screen, we will focus on how COBIT® is integrated with other IT governance frameworks, namely, COSO and ITIL®.
7 COBIT®—Integration with Other IT Governance Frameworks
COSO is an internal control integrated framework. It consists of five interrelated components that together provide an effective control framework. The framework describes and analyses the internal control system implemented in an organisation, mainly to cater to financial regulatory requirements. The image on the screen depicts how other IT governance frameworks, namely COSO and ITIL®, are represented in COBIT®. These mainly comprise: the Committee of Sponsoring Organizations of the Treadway Commission or COSO (read as KO-SO); ISO 27002 (read as I-S-O Twenty Seven Thousand and Two), the standard for information security; the IT Infrastructure Library Framework or ITIL® (read as I-T-I-L); and ISO 9000, the standard for quality. As is evident from the image on the screen, COBIT® is integrated with two major frameworks, COSO and ITIL®. These frameworks are further supported by two ISO standards: ISO 27002, the information security standard, and ISO 9000, the standard for quality. The flow of information within COBIT®, including how the framework is integrated, is based on the initial framework of COSO, whose major focus is on internal controls and governance. These are then built upon as processes using the two major industry standards, ISO 27002 and ISO 9000, which cover information security and quality implementation for governance and management. Finally, the ITIL® framework aids by providing an IT service management framework, making COBIT® a very robust governance and management framework for enterprise IT. In the next screen, we will understand where COBIT® fits in.
8 Where Does COBIT® Fit In
COBIT® is the bridge between business and enterprise governance requirements and specific IT governance practices. The image on the screen depicts the following. The key drivers for any enterprise consist mainly of performance business goals and conformance requirements such as Basel II and the Sarbanes-Oxley Act or SOX (read as S-O-X). To help achieve these goals, frameworks such as the Balanced Scorecard mainly monitor, measure and help to achieve performance business goals. This, along with the COSO framework, helps to put in place internal controls in the enterprise to achieve conformance with the various regulations. Overall, this assists in enterprise governance. The COBIT® framework assists by providing the IT governance needed to achieve enterprise governance. COBIT® also adopts best practice standards such as ISO 9000 (read as I-S-O Nine Thousand) for quality, ISO 27002 for information security, and ISO 20000 (read as I-S-O Twenty Thousand) for IT service management. These best practice standards in turn rely on robust processes and procedures, such as QA (read as Q-A) procedures, security principles and ITIL®-defined processes and functions for ISO 9000, ISO 27002 and ISO 20000 respectively. In the next screen, we will discuss the specifics of mapping other IT governance frameworks to COBIT® 5.
9 COBIT® 5 Mapping Specifics
The table on the screen depicts the mapping of other IT governance frameworks to COBIT® 5:
● The standard for corporate governance of information technology, ISO/IEC 38500 (read as I-S-O-I-E-C Thirty Eight Five Hundred), provides its six principles to map them to COBIT® 5. The principles are responsibility, strategy, acquisition, performance, conformance and human behaviour for good corporate governance of IT.
● The Information Technology Infrastructure Library or ITIL® V3 (read as I-T-I-L Version three) provides the subset of processes from its five areas and domains (namely strategy, design, transition, operations and continual service improvement) as inputs to COBIT® 5 in the DSS, BAI and APO domains.
● The information security standard, ISO/IEC 27000 (read as I-S-O-I-E-C Twenty Seven Thousand), provides inputs to the security and IT-related processes in the EDM, APO and DSS domains of COBIT® 5 and also to some security monitoring activities in the MEA domain of COBIT® 5.
● The risk management standard, ISO/IEC 31000 (read as I-S-O-I-E-C Thirty One Thousand), provides inputs to the risk management related activities in the EDM and APO domains.
● The Open Group Architecture Framework or TOGAF (read as one word TOGAF) provides inputs to the resource-related processes in the EDM domain, and the TOGAF components of the architecture board and governance areas and the enterprise architecture processes of the APO domain.
● Projects in Controlled Environments or PRINCE2 (read as one word PRINCE two) provides inputs to the programme and project management processes in the BAI domain and the portfolio-related processes in the APO domain.
● Capability Maturity Model Integration or CMMI (read as C-M-M-I) provides inputs to some organisational and quality related processes in the APO domain and the application building and acquisition related processes in the BAI domain of COBIT® 5.
Let us summarise what we have learnt in this lesson:
● COBIT® 5 defines stakeholder needs as the starting point of the governance and management activities related to enterprise IT.
● COBIT® 5 follows a simplified format and is available in three volumes, namely, the Framework, Process Reference Guide and Implementation Guide.
● The COBIT® 5 product family includes the COBIT® 5 framework, COBIT® 5 Enabler Guides, COBIT® 5 Professional Guides and the COBIT® 5 Online Collaborative Environment.
● The COBIT® 5 governance and management processes are ‘Evaluate, Direct and Monitor governance’, ‘Align, Plan and Organise management’, ‘Build, Acquire and Implement management’ and ‘Monitor, Evaluate and Assess management’ processes.
Next, we will look at a few questions based on the lessons covered so far.