COBIT® 5 Assessor | Participant Handbook
1 | Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.
© APMG 2013
COBIT is a registered trademark of ISACA and COBIT content is used under licence.
© Copyright 2012 by ITpreneurs Nederland B.V. All rights reserved.
COBIT 5 Assessor Course
release 1.0.0
This product includes COBIT® 5, used by permission of ISACA®. ©2012 ISACA®. All rights reserved
1.0 Introduction
“The Assessor Guide: Using COBIT 5” provides the main guidance on performing a process capability assessment: the roles, responsibilities and competences required, and the key steps from assessment initiation to reporting of the assessment results. “The Process Assessment Model (PAM): Using COBIT 5”, the model used by the assessor to perform an assessment, is used by the candidate to reference the process content to be used in the assessment.
The Syllabus is based on these two guides. Note that foundation questions based on the COBIT PAM will not be retested.
The Assessor training and certification is a ‘Practitioner-Level training and certification course’ that focuses on ‘how’ to apply the PAM and ‘how’ to analyse the results.
It is a mandatory requirement for all candidates to have passed the Foundation Exam before applying for and attending this training and certification exam.
Target Audience
The target audience for this training certificate is:
• Internal and external auditors who want to add process capability assessments to the scope of their audits.
• IT auditors who want to add process capability assessments to the scope of their audits.
• Consultants who want to be allowed to perform independent process assessments on behalf of their clients.
High Level Performance Definition of a successful COBIT 5 Assessor certification candidate
Upon the successful completion of this training course, candidates will know:
• How to perform a process capability assessment using the Assessor Guide: Using COBIT 5
• How to apply the Process Assessment Model (the PAM) in performing a process capability assessment. Specifically:
  - To use the Process Reference Model, in particular to be able to apply the 37 processes outlined in the PRM
  - To apply and analyse the measurement model in assessing process capability levels
  - To apply and analyse the capability dimension using generic criteria outlined in the PAM
• Be able to identify and assess the roles and responsibilities in the process capability assessment process
• Be able to perform and assess the 7 steps outlined in the Assessor Guide, specifically how to:
  - Initiate a process assessment
  - Scope an assessment, using the tools provided and the PAM for the selection of the appropriate processes
  - Plan and brief the teams
  - Collect and validate the data
  - Do a process attribute rating
  - Report the findings of the assessment
Assessor Certification
Upon the successful completion of the exam, APMG will be setting up a ‘registration process’ for those candidates who feel they have the necessary competences and experience to apply for full certification from ISACA. (See introduction statement above)
Proof of taking the training course and the results of the exam will be sent to ISACA.
Plan Day 1
Plan Day 2
COBIT 5 Repeat – Remind - Reinforce
How we look at things determines what we see!
Uncertainty! Risks! Opportunities!
“There are few things as useless, if not as dangerous, as the right answer to the wrong question.”
“There are no such things as the one right organization. There are only organisations, each of which has distinct strengths, distinct limitations and specific applications. A given organisation structure fits certain tasks, in certain conditions and at certain times.”
Peter Drucker
Models, frameworks and good practices help us make sense of the context and the challenges we face; they provide roadmaps.
Route maps or plans reflect the choices we make to guide our organisations to our selected and defined destination.
The Challenges of Complexity, Detail and Time
One generation’s Good Practice soon becomes the baseline for the next!
Governance of Enterprise IT
COBIT 5 Principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End to End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
Evolution of COBIT over time (figure): COBIT1 (1996, Audit); COBIT2 (1998, Control); COBIT3 (2000, Management); COBIT 4.0/4.1 (2005/7, IT Governance); COBIT 5 (2012, Governance of Enterprise IT). Related ISACA guidance on the timeline: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010). The Five Focus Areas (2001/3 and 2003): Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement.
The People and the Process (figure)
Owners and Stakeholders delegate to the Governing Body and hold it accountable; the Governing Body sets direction for Management and monitors it; Management instructs and aligns Operations and Execution, which report back.
Stakeholder Drivers (environment, technology evolution, ...) shape Stakeholder Needs. The governance objectives are Benefits Realisation, Risk Optimisation and Resource Optimisation, and the goals cascade runs from Stakeholder Needs to Enterprise Goals, IT-related Goals and Enabler Goals.
References: C4.1 Mapping (Appendix A); Roles and Descriptions for RACIs (pages 76-77); RACI.
COBIT 5 Enterprise Goals
The 17 enterprise goals are grouped by balanced scorecard (BSC) dimension (Financial, Customer, Internal, Learning and Growth). Each goal is related to the governance objectives of Benefits Realisation, Risk Optimisation and Resource Optimisation as primary (P) or secondary (S).
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies
16. Skilled and motivated people
17. Product and business innovation culture
COBIT 5 IT-related Goals
The 17 information and related technology goals are grouped by IT balanced scorecard (IT BSC) dimension (Financial, Customer, Internal, Learning and Growth):
• Alignment of IT and business strategy
• Transparency of IT costs, benefits and risk
• Optimisation of IT assets, resources and capabilities
• IT compliance and support for business compliance with external laws and regulations
• IT compliance with internal policies
• Managed IT-related business risk
• Realised benefits from IT-enabled investments and services portfolio
• Delivery of IT services in line with business requirements
• Adequate use of applications, information and technology solutions
• IT agility
• Security of information, processing infrastructure and applications
• Enablement and support of business processes by integrating applications and technology into business processes
• Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
• Availability of reliable and useful information for decision making
• Commitment of executive management for making IT-related decisions
• Competent and motivated business and IT personnel
• Knowledge, expertise and initiatives for business innovation
Processes for Governance of Enterprise IT
Evaluate, Direct and Monitor (EDM): EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency
Processes for Management of Enterprise IT
Align, Plan and Organise (APO): APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
Build, Acquire and Implement (BAI): BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration
Deliver, Service and Support (DSS): DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess (MEA): MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
Process description layout: Process Name (Area, Domain); Process Purpose Statement; Process Description.
Delegate Activity 1 (45 mins)
Management Practices, each with its Activities, Inputs (From, Description) and Outputs (Description, To), and a RACI Chart.
The process supports the achievement of a set of primary IT-related goals: IT-related Goal and Related Metrics.
Process Goals and Metrics: Process Goal and Related Metrics.
Process Name (Area, Domain); Process Purpose Statement; Process Description.
Related Guidance: Related Standard and Detailed Reference.
Process Name: DSS04 Manage Continuity
Process Description: Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.
Process Purpose Statement: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.
Management Practices (Inputs/Outputs):
• DSS04.01 Define the business continuity policy, objectives and scope. 4
• DSS04.02 Maintain a continuity strategy. 9
• DSS04.03 Develop and implement a business continuity response. 8
• DSS04.04 Exercise, test and review the BCP. 6
• DSS04.05 Review, maintain and improve the continuity plan. 4
• DSS04.06 Conduct continuity plan training. 3
• DSS04.07 Manage backup arrangements. 5
• DSS04.08 Conduct post-resumption review. 4
COBIT 5 Outputs (From Key Practice: Output Description, Destination)
Outputs to all processes:
• APO13.02: Information security risk treatment plan, to All EDM; All APO; All BAI; All DSS; All MEA
Outputs to all governance processes:
• EDM01.01: Decision-making model, to All EDM
• EDM01.01: Enterprise governance guiding principles, to All EDM
• EDM01.01: Authority levels, to All EDM
• EDM01.02: Enterprise governance communications, to All EDM
• EDM01.03: Feedback on governance effectiveness and performance, to All EDM
Outputs to all management processes:
• APO01.01: Communication ground rules, to All APO; All BAI; All DSS; All MEA
• APO01.03: IT-related policies, to All APO; All BAI; All DSS; All MEA
• APO01.04: Communications on IT objectives, to All APO; All BAI; All DSS; All MEA
• APO01.07: Process improvement opportunities, to All APO; All BAI; All DSS; All MEA
• APO02.06: Communications package, to All APO; All BAI; All DSS; All MEA
Generic Process RACI Chart:
Roles and organisational structures (chart columns): Chief Executive Officer; Board; Steering (Programmes/Projects) Committee; Value Management Office; Chief Operating Officer; Business Executives; Business Process Owners; Strategy Executive Committee; Project Management Office; Chief Financial Officer; Chief Risk Officer; Chief Information Security Officer; Architecture Board; Enterprise Risk Committee; Head Human Resources; Compliance; Audit; Chief Information Officer; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Information Security Manager; Business Continuity Manager; Privacy Officer.
Key management practices (chart rows): Management Practice 1; Management Practice 2; Management Practice 3; Management Practice ..n.
The Roles and Organisational Structures used in the process RACI charts for each Key Management Practice are defined/described on pages 75-77 of the COBIT 5 Framework.
Delegate Activity 2 (35 mins)
We have just looked at the layout of a COBIT 5 RACI chart. I am sure we have all experienced situations where job titles have proved misleading.
We will give each of you a list of the job role descriptions/definitions for you to reflect on where responsibility lies within your organisation for these activities.
After 15 mins we will provide each of you with a copy of the COBIT 5 RACI roles and their descriptions/definitions to compare with your input.
After a further 10 mins we will spend 10 mins discussing the exercise and your experience in comparing, contrasting and challenging your organisation and COBIT 5.
COBIT 5 Roles and Organisation Structures (Role/Structure: Definition/Description)
Board: The group of the most senior executives and/or non-executive directors of the enterprise who are accountable for the governance of the enterprise and have overall control of its resources
CEO: The highest-ranking officer who is in charge of the total management of the enterprise
CFO: The most senior official of the enterprise who is accountable for all aspects of financial management, including financial risk and controls and reliable and accurate accounts
Chief Operating Officer (COO): The most senior official of the enterprise who is accountable for the operation of the enterprise
CRO: The most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee IT-related risk.
CIO: The most senior official of the enterprise who is responsible for aligning IT and business strategies and accountable for planning, resourcing and managing the delivery of IT services and solutions to support enterprise objectives
Chief Information Security Officer (CISO): The most senior official of the enterprise who is accountable for the security of enterprise information in all its forms
Business Executive: A senior management individual accountable for the operation of a specific business unit or subsidiary
Business Process Owner: An individual accountable for the performance of a process in realising its objectives, driving process improvement and approving process changes
Strategy (IT Executive) Committee: A group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major IT-related matters and decisions. The committee is accountable for managing the portfolios of IT-enabled investments, IT services and IT assets, ensuring that value is delivered and risk is managed. The committee is normally chaired by a board member, not by the CIO.
(Project and Programme) Steering Committees: A group of stakeholders and experts who are accountable for guidance of programmes and projects, including management and monitoring of plans, allocation of resources, delivery of benefits and value, and management of programme and project risk
Architecture Board: A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards
Enterprise Risk Committee: The group of executives of the enterprise who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee.
Head of HR: The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise
Compliance: The function in the enterprise responsible for guidance on legal, regulatory and contractual compliance
Audit: The function in the enterprise responsible for provision of internal audits
Head of Architecture: A senior individual accountable for the enterprise architecture process
Information Security Manager: An individual who manages, designs, oversees and/or assesses an enterprise’s information security
Head of Development: A senior individual accountable for IT-related solution development processes
Head of IT Operations: A senior individual accountable for the IT operational environments and infrastructure
Head of IT Administration: A senior individual accountable for IT-related records and responsible for supporting IT-related administrative matters
Programme and Project Management Office (PMO): The function responsible for supporting programme and project managers, and gathering, assessing and reporting information about the conduct of their programmes and constituent projects
Value Management Office (VMO): The function that acts as the secretariat for managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, recommending value governance/management methods and controls, and reporting on progress on sustaining and creating value from investments and services
Service Manager: An individual who manages the development, implementation, evaluation and ongoing management of new and existing products and services for a specific customer (user) or group of customers (users)
Business Continuity Manager: An individual who manages, designs, oversees and/or assesses an enterprise’s business continuity capability, to ensure that the enterprise’s critical functions continue to operate following disruptive events
Privacy Officer: An individual who is responsible for monitoring the risk and business impacts of privacy laws and for guiding and co-ordinating the implementation of policies and activities that will ensure that the privacy directives are met. Also called data protection officer.
The People and the Process (figure, repeated; here the goals cascade runs from Stakeholder Needs to Enterprise Goals, IT-related Goals and Process and Enabler Goals)
References: C4.1 Mapping (Appendix A); Roles and Descriptions for RACIs (pages 76-77); RACI; Governance and Management Questions on IT (page 22); Mapping to Goals (Appendix D).
Governance and Management Questions on IT
Internal Stakeholders: Board; Chief executive officer (CEO); Chief financial officer (CFO); Chief information officer (CIO); Chief risk officer (CRO); Business executives; Business process owners; Business managers; Risk managers; Security managers; Service managers; Human resource (HR) managers; Internal audit; Privacy officers; IT users; IT managers; etc.
Internal Stakeholder Questions:
• How do I get value from the use of IT? Are end users satisfied with the quality of the IT service?
• How do I manage performance of IT?
• How can I best exploit new technology for new strategic opportunities?
• How do I best build and structure my IT department?
• How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers?
• What are the (control) requirements for information?
• Did I address all IT-related risk?
• Am I running an efficient and resilient IT operation?
• How do I control the cost of IT? How do I use IT resources in the most effective and efficient manner?
• What are the most effective and efficient sourcing options?
• Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance?
• How do I improve business agility through a more flexible IT environment?
External Stakeholders
External Stakeholder Questions
COBIT 5 Generic Enterprise Enablers
1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
Resources:
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
The COBIT 5 Generic Enabler Model (figure)
Enabler Dimension:
• Stakeholders: Internal Stakeholders; External Stakeholders
• Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
• Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
• Good Practices: Practices; Work products (Inputs/Outputs)
Enabler Performance Management:
• Are Stakeholder Needs Addressed?
• Are Enabler Goals Achieved?
• Is Life Cycle Managed?
• Are Good Practices Applied?
Metrics for Achievement of Goals (Lag Indicators); Metrics for Application of Practice (Lead Indicators)
The Business Case
“Enterprises should follow existing internal business case and investment justification approaches, if they exist, and use this example and the guidance in the COBIT 5 Implementation Guide to help focus on all of the issues that should be addressed. Further guidance on developing business cases can be found in COBIT 5 process APO05 and in The Business Case Guide: Using Val IT™ 2.0.”
Governance and Enablers
COBIT 5 Assessor
The People and the Process (figure, repeated)
References: Governance and Management Questions on IT (page 22); Pain Points and Trigger Events (pages 21-22).
The Process Assessment Model (PAM): Process Reference Model (PRM); Measurement Framework; Assessment Process
Contents:
1.0 Introduction: 1.1 Purpose; 1.2 Scope; 1.3 Assessment Domain; 1.4 Normative Reference; 1.5 The COBIT 5 Process Assessment Model; 1.6 Comparison of the COBIT 4.1 PAM to the COBIT 5 PAM; 1.7 Terms and Definitions
2.0 Overview of the COBIT 5 Process Assessment Model (PAM)
3.0 Process Dimension and Process Performance Indicators
4.0 Process Capability Indicators
Appendix A. Conformity of the COBIT 5 Process Assessment Model
Appendix B. Generic and Level 1 Output Work Products
Process Reference Model: Domain and Scope; Process Purpose; Process Outcomes
Process Assessment Model: Scope; Indicators; Mapping; Translation
Measurement Framework: Capability Levels; Process Attributes; Rating Scale
Initial Input: Purpose; Scope; Constraints; Identities; Approach; Assessor Competence Criteria; Additional Information
Assessment Process: Planning; Data Collection; Data Validation; Process Attribute Rating; Reporting
Roles and Responsibilities: Sponsor; Competent Assessor; Assessors
Output: Date; Assessment Input; Identification of Evidence; Assessment Process Used; Process Profiles; Additional Information
Terms and Definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 15504-1 apply. Key definitions include:
• Attribute indicator: An assessment indicator that supports the judgement of the extent of achievement of a specific process attribute (ISO/IEC 15504:1, 3.16)
• Base practice: An activity that, when consistently performed, contributes to achieving a specific process purpose (ISO/IEC 15504:1, 3.17)
• Capability dimension: The set of elements in a process assessment model explicitly related to the Measurement Framework for Process Capability (ISO/IEC 15504:1, 3.18)
• Capability indicator: An assessment indicator that supports the judgement of the process capability of a specific process (ISO/IEC 15504:1, 3.19)
• Generic practice: An activity that, when consistently performed, contributes to the achievement of a specific process attribute (ISO/IEC 15504:1, 3.22)
• Performance indicator: An assessment indicator that supports the judgement of the process performance of a specific process (ISO/IEC 15504:1, 3.26). Note: A performance indicator is an attribute indicator for Process Attribute 1.1 for a specific process. (ISO/IEC 15504:2)
• Process assessment model: A model suitable for the purpose of assessing process capability, based on one or more process reference models (ISO/IEC 15504:1, 3.33)
• Process attribute: A measurable characteristic of process capability applicable to any process (ISO/IEC 15504:1, 3.31)
Terms and Definitions (continued)
• Process attribute rating: A judgement of the degree of achievement of the process attribute for the assessed process (ISO/IEC 15504:1, 3.32)
• Process capability: A characterisation of the ability of a process to meet current or projected business goals (ISO/IEC 15504:1, 3.33)
• Process capability level: A point on the six-point ordinal scale (of process capability) that represents the capability of the process, each level building on the capability of the level below (ISO/IEC 15504:1, 3.36)
• Process capability level rating: A representation of the achieved process capability level derived from the process attribute ratings for an assessed process (ISO/IEC 15504:1, 3.37)
• Process outcome: An observable result of a process (ISO/IEC 15504:1, 3.44). Note: An outcome is an artefact, a significant change of state or the meeting of specified constraints.
• Process purpose: The high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process (ISO/IEC 15504:1, 3.47)
• Process reference model: A model composed of definitions of processes in a life cycle described in terms of process purpose and outcomes, together with an architecture describing the relationships amongst the processes (ISO/IEC 15504:1, 3.48)
• Work product: An artefact associated with the execution of a process (ISO/IEC 15504:1, 3.55)
The Process Assessment Model (PAM): 2.0 Overview of the COBIT 5 Process Assessment Model (PAM)
2.1 Introduction; 2.2 The Process Dimension: COBIT 5 Processes; 2.3 The Capability Dimension; 2.4 Assessment Indicators; 2.5 Rating Scale
Figure: the COBIT 5 process reference model
Processes for Governance of Enterprise IT
• Evaluate, Direct and Monitor (EDM)
  - EDM01 Ensure Governance Framework Setting and Maintenance
  - EDM02 Ensure Benefits Delivery
  - EDM03 Ensure Risk Optimisation
  - EDM04 Ensure Resource Optimisation
  - EDM05 Ensure Stakeholder Transparency
Processes for Management of Enterprise IT
• Align, Plan and Organise (APO)
  - APO01 Manage the IT Management Framework
  - APO02 Manage Strategy
  - APO03 Manage Enterprise Architecture
  - APO04 Manage Innovation
  - APO05 Manage Portfolio
  - APO06 Manage Budget and Costs
  - APO07 Manage Human Resources
  - APO08 Manage Relationships
  - APO09 Manage Service Agreements
  - APO10 Manage Suppliers
  - APO11 Manage Quality
  - APO12 Manage Risk
  - APO13 Manage Security
• Build, Acquire and Implement (BAI)
  - BAI01 Manage Programmes and Projects
  - BAI02 Manage Requirements Definition
  - BAI03 Manage Solutions Identification and Build
  - BAI04 Manage Availability and Capacity
  - BAI05 Manage Organisational Change Enablement
  - BAI06 Manage Changes
  - BAI07 Manage Change Acceptance and Transitioning
  - BAI08 Manage Knowledge
  - BAI09 Manage Assets
  - BAI10 Manage Configuration
• Deliver, Service and Support (DSS)
  - DSS01 Manage Operations
  - DSS02 Manage Service Requests and Incidents
  - DSS03 Manage Problems
  - DSS04 Manage Continuity
  - DSS05 Manage Security Services
  - DSS06 Manage Business Process Controls
• Monitor, Evaluate and Assess (MEA)
  - MEA01 Monitor, Evaluate and Assess Performance and Conformance
  - MEA02 Monitor, Evaluate and Assess the System of Internal Control
  - MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
Overview of the Process Assessment Model (PAM)
Capability dimension (based on ISO/IEC 15504-2):
• Level 5: Optimizing process (2 attributes)
• Level 4: Predictable process (2 attributes)
• Level 3: Established process (2 attributes)
• Level 2: Managed process (2 attributes)
• Level 1: Performed process (1 attribute)
• Level 0: Incomplete process
Process dimension (37 processes):
• Evaluate, Direct & Monitor (EDM): 5
• Align, Plan & Organise (APO): 13
• Build, Acquire & Implement (BAI): 10
• Deliver, Service & Support (DSS): 6
• Monitor, Evaluate & Assess (MEA): 3
Process Attributes and Assessment Indicators
Capability dimension: process attributes (PAs) per level
• Level 5: PA5.1 Process innovation; PA5.2 Continuous optimisation
• Level 4: PA4.1 Process measurement; PA4.2 Process control
• Level 3: PA3.1 Process definition; PA3.2 Process deployment
• Level 2: PA2.1 Performance management; PA2.2 Work product management
• Level 1: PA1.1 Process performance
• Level 0: Incomplete
Assessment indicators:
• Level 1 additional performance indicators are based on BP (Base practices) and WP (Work products).
• Levels 1 to 5 are based on Process Attribute Indicators (PAI): GP (Generic Practice) and GWP (Generic Work Product).
Process dimension (37 processes): Evaluate, Direct & Monitor (EDM) 5; Align, Plan & Organise (APO) 13; Build, Acquire & Implement (BAI) 10; Deliver, Service & Support (DSS) 6; Monitor, Evaluate & Assess (MEA) 3.
ISO/IEC Measurement Scale
• Level 5: Optimising process (PA 5.1 Process Innovation; PA 5.2 Process Optimization). Optimizing: the process is continuously improved to meet current and projected business goals.
• Level 4: Predictable process (PA 4.1 Process Measurement; PA 4.2 Process Control). Predictable: the process is executed consistently within defined limits.
• Level 3: Established process (PA 3.1 Process Definition; PA 3.2 Process Deployment). Established: a standard process is defined and used throughout the organization.
• Level 2: Managed process (PA 2.1 Performance Management; PA 2.2 Work Product Management). Managed: the process is managed and results are specified, controlled and maintained.
• Level 1: Performed process (PA 1.1 Process Performance). Performed: the process is performed and achieves its purpose.
• Level 0: Incomplete process. Incomplete: the process is not implemented or fails to achieve its purpose.
This figure is reproduced from ISO/IEC 15504-2, with the permission of ISO/IEC at www.iso.org. Copyright remains with ISO/IEC.
ISO/IEC Process Capability Levels and Process Attributes
(Same ISO/IEC 15504-2 figure as above.) In total: 6 process capability levels and 9 process attributes.
What is a Process Assessment Model?
A PAM combines two parts:
• Process Reference Model (the process entities): domains and scope; processes with purposes and outcomes.
• Measurement Framework (the capability scale): capability levels; process attributes; rating scale.
Layout of a COBIT 5 process description
• Process Name; Area; Domain
• Process Description
• Process Purpose Statement
• "The process supports the achievement of a set of primary IT-related goals": table of IT-related Goal / Related Metrics
• Process Goals and Metrics: table of Process Goal / Related Metrics
• RACI Chart
• Management Practices, each with its Activities, Inputs (From / Description) and Outputs (Description / To)
• Related Guidance: table of Related Standard / Detailed Reference
From the COBIT 5 process description to the PAM
• Process Name, Process Purpose Statement and Process Description: carried into the PAM
• Process Goals (from Process Goals and Metrics): become Outcomes (Os)
• Management Practices: become Base Practices (BPs)
• Inputs and Outputs: carried into the PAM
• IT-related goals ("The process supports the ..."; IT-related Goal table): no PAM element is indicated in the figure
• RACI Chart: NOT IN PAM
• Activities: NOT IN PAM
• Related Guidance (Related Standard): NOT IN PAM
The COBIT 5 Process and the PAM: layout of a PAM process page
• Process ID
• Process Name
• Process Description
• Process Purpose Statement
• Outcomes (Os), derived from the COBIT 5 Process Goals
• Base Practices (BPs), derived from the COBIT 5 Management Practices
• Work Products (WPs):
  - Inputs: Number / Description / Supports
  - Outputs: Number / Description / Supports / Input to
Example PAM page: BAI02
Process ID: BAI02
Process Name: Manage Requirements Definition
Process Description: Identify solutions and analyse requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Co-ordinate with affected stakeholders the review of feasible options including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.
Process Purpose Statement: Create feasible optimal solutions that meet enterprise needs while minimising risk.
Assessor question: “Is there a process with this purpose?”
Outcomes (Os)
• BAI02-O1 Business functional and technical requirements reflect enterprise needs and expectations.
• BAI02-O2 The proposed solution satisfies business functional, technical and compliance requirements.
• BAI02-O3 Risk associated with the requirements has been addressed in the proposed solution.
• BAI02-O4 Requirements and proposed solutions meet business case objectives (value expected and likely costs).
Assessor question: “Are these outcomes being achieved?”
Process ID: BAI02
Process Name: Manage Requirements Definition
Base Practices (BPs) and the outcomes they support
• BAI02-BP1 Define and maintain business functional and technical requirements. Based on the business case, identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. Supports: BAI02-O1
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions. Supports: BAI02-O2/O4
• BAI02-BP3 Manage requirements risk. Identify, document, prioritise and mitigate functional, technical and information processing-related risks associated with the enterprise requirements and proposed solution. Supports: BAI02-O3
• BAI02-BP4 Obtain approval of requirements and solutions. Co-ordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions. Supports: BAI02-O1
Assessor question: “Is there evidence that appropriate base practices are being undertaken?”
BAI02 Manage Requirements Definition
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.
Level 1 assessment chain: Work Products (WPs) as Inputs → Base Practices (BPs) → Work Products (WPs) as Outputs → Outcomes (Os)
Outcomes (Os) (details on PAM page):
• BAI02-O1 Business functional and technical requirements reflect enterprise needs and expectations.
• BAI02-O2 The proposed solution satisfies business functional, technical and compliance requirements.
• BAI02-O3 Risk associated with the requirements has been addressed in the proposed solution.
• BAI02-O4 Requirements and proposed solutions meet business case objectives (value expected and likely costs).
Base Practices (BPs) (details on PAM page):
• BAI02-BP1 Define and maintain business functional and technical requirements.
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions.
• BAI02-BP3 Manage requirements risk.
• BAI02-BP4 Obtain approval of requirements and solutions.
BAI02 Manage Requirements Definition: outcome BAI02-O1
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.
Outcome (O): BAI02-O1 Business functional and technical requirements reflect enterprise needs and expectations
Base Practices (BPs) supporting this outcome:
• BAI02-BP1 Define and maintain business functional and technical requirements.
• BAI02-BP4 Obtain approval of requirements and solutions.
Work Products (WPs), Inputs:
• APO01-WP14 Data classification guidelines
• APO01-WP15 Data security and control guidelines
• APO01-WP16 Data integrity procedures
• APO03-WP2 Architecture principles
• APO03-WP4 Baseline domain descriptions and architecture definition
• APO03-WP6 Information architecture model
• APO03-WP12 Solution development guidance
• APO10-WP11 Supplier RFIs and RFPs
• APO11-WP6 Acceptance criteria
• BAI01-WP17 Quality management plan
Work Products (WPs), Outputs:
• BAI02-WP1 Requirements definition repository
• BAI02-WP2 Confirmed acceptance of requirements from stakeholders
• BAI02-WP3 Record of requirement change requests
• BAI02-WP8 Sponsor approvals of requirements and proposed solutions
• BAI02-WP9 Approved quality reviews
BAI02 Manage Requirements Definition: outcomes BAI02-O2 and BAI02-O3
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.
Outcomes (Os):
• BAI02-O2 The proposed solution satisfies business functional, technical and compliance requirements
• BAI02-O3 Risk associated with the requirements has been addressed in the proposed solution.
Base Practices (BPs) supporting these outcomes:
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions.
• BAI02-BP3 Manage requirements risk.
Work Products (WPs), Inputs:
• APO03-WP12 Solution development guidance
• APO10-WP2 Supplier catalogue
• APO10-WP12 RFI and RFP evaluations
• APO10-WP13 Decision results of supplier evaluations
• APO11-WP6 Acceptance criteria
Work Products (WPs), Outputs:
• BAI02-WP4 Feasibility study report
• BAI02-WP5 High-level acquisition/development plan
• BAI02-WP6 Requirements risk register
• BAI02-WP7 Risk mitigation actions
BAI02 Manage Requirements Definition: outcome BAI02-O4
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.
Outcome (O): BAI02-O4 Requirements and proposed solutions meet business case objectives (value expected and likely costs).
Base Practice (BP) supporting this outcome:
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions.
Work Products (WPs), Inputs:
• APO03-WP12 Solution development guidance
• APO10-WP2 Supplier catalogue
• APO10-WP12 RFI and RFP evaluations
• APO10-WP13 Decision results of supplier evaluations
• APO11-WP6 Acceptance criteria
Work Products (WPs), Outputs:
• BAI02-WP4 Feasibility study report
• BAI02-WP5 High-level acquisition/development plan