COBIT5 Assessor Participant Handbook


Page 1: COBIT5 Assessor Participant Handbook

COBIT® 5 Assessor | Participant Handbook

1 | Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.



© APMG 2013

COBIT is a registered trademark of ISACA and COBIT content is used under licence.

© Copyright 2012 by ITpreneurs Nederland B.V. All rights reserved.


COBIT 5 Assessor Course

release 1.0.0


This product includes COBIT® 5, used by permission of ISACA®. ©2012 ISACA®. All rights reserved


1.0 Introduction

“The Assessor Guide: Using COBIT 5” provides the main guidance on performing a process capability assessment, the roles, responsibilities and competences required, and the key steps required, from assessment initiation to reporting of the assessment results. “The Process Assessment Model (PAM): Using COBIT 5”, which is the model used by the assessor to perform an assessment, is used by the candidate to reference the process content to be used in the assessment.

The Syllabus is based on these two guides. Note that foundation questions based on the COBIT PAM will not be retested.

The Assessor training and certification is a ‘Practitioner-Level training and certification course’ that focuses on ‘how’ to apply the PAM and ‘how’ to analyse the results.

It is a mandatory requirement for all candidates to have passed the Foundation Exam before applying for and attending this training and certification exam.


Target Audience

The target audience for this training certificate is:

Internal & external Auditors who want to add process capability assessments to the scope of their audits.

IT auditors who want to add process capability assessments to the scope of their audits.

Consultants who want to be allowed to perform independent process assessments on behalf of their clients.


High Level Performance Definition of a successful COBIT 5 Assessor certification candidate.

Upon the successful completion of this training course, candidates will know:

How to perform a process capability assessment using the Assessor Guide: using COBIT 5

How to apply the Process Assessment Model (the PAM) in performing a process capability assessment. Specifically:

• To use the Process Reference Model, in particular to be able to apply the 37 processes outlined in the PRM
• To apply and analyse the measurement model in assessing process capability levels
• To apply and analyse the capability dimension using generic criteria outlined in the PAM

Be able to identify and assess the roles and responsibilities in the process capability assessment process

Be able to perform and assess the 7 steps outlined in the Assessor Guide, specifically how to:

• Initiate a process assessment
• Scope an assessment, using the tools provided and the PAM for the selection of the appropriate processes
• Plan & Brief the teams
• Collect & Validate the data
• Do a process attribute rating
• Report the findings of the assessment


Assessor Certification

Upon the successful completion of the exam, APMG will be setting up a ‘registration process’ for those candidates who feel they have the necessary competences and experience to apply for full certification from ISACA. (See introduction statement above)

Proof of taking the training course and the results of the exam will be sent to ISACA.


Plan Day 1


Plan Day 2


COBIT 5 Repeat – Remind – Reinforce


How we look at things determines what we see!

Uncertainty! Risks! Opportunities!


“There are few things as useless, if not as dangerous, as the right answer to the wrong question.”

“There are no such things as the one right organization. There are only organisations, each of which has distinct strengths, distinct limitations and specific applications.

A given organisation structure fits certain tasks, in certain conditions and at certain times.”

Peter Drucker


Models – Frameworks – Good Practices help us make sense of the context and the challenges we face … they provide Roadmaps

Route maps or plans reflect the choices we make to guide our organisations to our selected and defined destination

The Challenges of Complexity, Detail and Time

One generation’s Good Practice soon becomes the baseline for the next!


COBIT 5: Governance of Enterprise IT

COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End to End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Evolution of COBIT (figure: timeline)
• 1996: COBIT 1 (Audit)
• 1998: COBIT 2 (Control)
• 2000: COBIT 3 (Management)
• 2005/7: COBIT 4.0/4.1 (IT Governance)
• 2012: COBIT 5 (Governance of Enterprise IT)

Also on the timeline: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010), and the Five Focus Areas (2001/3, 2003): Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement.


The People and the Process (figure)

• Owners and Stakeholders ↔ Governing Body: Delegate / Accountable
• Governing Body ↔ Management: Set Direction / Monitor
• Management ↔ Operations and Execution: Instruct and Align / Report

Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) → Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) → Enterprise Goals → IT-related Goals → Enabler Goals

References: COBIT 4.1 Mapping (Appendix A); Roles & Descriptions for RACIs (pages 76-77); RACI


COBIT 5 Enterprise Goals (table: each goal is related to the governance objectives Benefits Realisation, Risk Optimisation and Resource Optimisation as P = primary or S = secondary)

BSC Dimension: Financial
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency

BSC Dimension: Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs

BSC Dimension: Internal
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies

BSC Dimension: Learning and Growth
16. Skilled and motivated people
17. Product and business innovation culture

COBIT 5 IT-related Goals (table: Information and Related Technology Goal by IT BSC Dimension)

IT BSC Dimension: Financial
01. Alignment of IT and business strategy
02. IT compliance and support for business compliance with external laws and regulations
03. Commitment of executive management for making IT-related decisions
04. Managed IT-related business risk
05. Realised benefits from IT-enabled investments and services portfolio
06. Transparency of IT costs, benefits and risk

IT BSC Dimension: Customer
07. Delivery of IT services in line with business requirements
08. Adequate use of applications, information and technology solutions

IT BSC Dimension: Internal
09. IT agility
10. Security of information, processing infrastructure and applications
11. Optimisation of IT assets, resources and capabilities
12. Enablement and support of business processes by integrating applications and technology into business processes
13. Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14. Availability of reliable and useful information for decision making
15. IT compliance with internal policies

IT BSC Dimension: Learning and Growth
16. Competent and motivated business and IT personnel
17. Knowledge, expertise and initiatives for business innovation


COBIT 5 Process Reference Model

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organise
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire and Implement
• BAI01 Manage Programmes and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organisational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Deliver, Service and Support
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements


Layout of a COBIT 5 process description (figure: the template used for each process)

• Process Name; Area; Domain
• Process Description
• Process Purpose Statement
• IT-related Goals with Related Metrics ("The process supports the achievement of a set of primary IT-related goals")
• Process Goals and Metrics: Process Goal with Related Metrics
• Management Practices, each with a RACI Chart, Inputs (From, Description), Outputs (Description, destination) and Activities
• Related Guidance: Related Standard and Detailed Reference

Delegate Activity 1 – 45 mins


The template applied to one process (Process Name, Process Purpose Statement, Process Description, IT-related Goal, Process Goals and Metrics, Management Practices with RACI Chart and Activities, Related Guidance with Related Standard & Reference):

Process Name: DSS04 Manage Continuity

Process Description: Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.

Process Purpose Statement: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.

Management Practices (with the Inputs/Outputs figure shown on the slide):
• DSS04.01 Define the business continuity policy, objectives and scope. 4
• DSS04.02 Maintain a continuity strategy. 9
• DSS04.03 Develop and implement a business continuity response. 8
• DSS04.04 Exercise, test and review the BCP. 6
• DSS04.05 Review, maintain and improve the continuity plan. 4
• DSS04.06 Conduct continuity plan training. 3
• DSS04.07 Manage backup arrangements. 5
• DSS04.08 Conduct post-resumption review. 4


COBIT 5 Outputs

Outputs to all Processes (Destination: All EDM; All APO; All BAI; All DSS; All MEA)
• APO13.02: Information security risk treatment plan

Outputs to all Governance Processes (Destination: All EDM)
• EDM01.01: Enterprise governance guiding principles
• EDM01.01: Decision-making model
• EDM01.01: Authority levels
• EDM01.02: Enterprise governance communications
• EDM01.03: Feedback on governance effectiveness and performance

Outputs to all Management Processes (Destination: All APO; All BAI; All DSS; All MEA)
• APO01.01: Communication ground rules
• APO01.03: IT-related policies
• APO01.04: Communications on IT objectives
• APO01.07: Process improvement opportunities
• APO02.06: Communications package


The People and the Process (figure, as on the earlier slide: Owners and Stakeholders ↔ Governing Body (Delegate / Accountable); Governing Body ↔ Management (Set Direction / Monitor); Management ↔ Operations and Execution (Instruct and Align / Report))

Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) → Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) → Enterprise Goals → IT-related Goals → Process and Enabler Goals

References: COBIT 4.1 Mapping (Appendix A); Roles & Descriptions for RACIs (pages 76-77); RACI


Generic Process RACI Chart (figure: one row per Management Practice 1, Management Practice 2, Management Practice 3, ... Management Practice n; one column per role or organisational structure)

Columns: Board; Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Business Executives; Business Process Owners; Strategy Executive Committee; Steering (Programmes/Projects) Committee; Project Management Office; Value Management Office; Chief Risk Officer; Chief Information Security Officer; Architecture Board; Enterprise Risk Committee; Head Human Resources; Compliance; Audit; Chief Information Officer; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Information Security Manager; Business Continuity Manager; Privacy Officer

The Roles and Organisational Structures used in the process RACI charts for each Key Management Practice are defined/described on pages 75-77 of the COBIT 5 Framework.


Delegate Activity 2 – 35 mins

We have just looked at the layout of a COBIT 5 RACI chart. I am sure we have all experienced situations where job titles have proved misleading.

We will give each of you a list of the job role descriptions / definitions for you to reflect upon where responsibility lies within your organisation for these activities.

After 15 mins we will provide each of you with a copy of the COBIT 5 RACI roles and their descriptions / definitions to compare with your input.

After a further 10 mins we will spend 10 mins discussing the exercise and your experience in comparing / contrasting and challenging your organisation and COBIT 5.


COBIT 5 Roles and Organisation Structures (Role/Structure: Definition/Description)

Board: The group of the most senior executives and/or non-executive directors of the enterprise who are accountable for the governance of the enterprise and have overall control of its resources

CEO: The highest-ranking officer who is in charge of the total management of the enterprise

CFO: The most senior official of the enterprise who is accountable for all aspects of financial management, including financial risk and controls and reliable and accurate accounts

Chief Operating Officer (COO): The most senior official of the enterprise who is accountable for the operation of the enterprise

CRO: The most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee IT-related risk.

CIO: The most senior official of the enterprise who is responsible for aligning IT and business strategies and accountable for planning, resourcing and managing the delivery of IT services and solutions to support enterprise objectives

Chief Information Security Officer (CISO): The most senior official of the enterprise who is accountable for the security of enterprise information in all its forms

Business Executive: A senior management individual accountable for the operation of a specific business unit or subsidiary

Business Process Owner: An individual accountable for the performance of a process in realising its objectives, driving process improvement and approving process changes

Strategy (IT Executive) Committee: A group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major IT-related matters and decisions. The committee is accountable for managing the portfolios of IT-enabled investments, IT services and IT assets, ensuring that value is delivered and risk is managed. The committee is normally chaired by a board member, not by the CIO.

(Project and Programme) Steering Committees: A group of stakeholders and experts who are accountable for guidance of programmes and projects, including management and monitoring of plans, allocation of resources, delivery of benefits and value, and management of programme and project risk

Architecture Board: A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards

Enterprise Risk Committee: The group of executives of the enterprise who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee.

Head of HR: The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise

Compliance: The function in the enterprise responsible for guidance on legal, regulatory and contractual compliance

Audit: The function in the enterprise responsible for provision of internal audits

Head of Architecture: A senior individual accountable for the enterprise architecture process


COBIT 5 Roles and Organisation Structures, continued (Role/Structure: Definition/Description)

Programme and Project Management Office (PMO): The function responsible for supporting programme and project managers, and gathering, assessing and reporting information about the conduct of their programmes and constituent projects

Head of Development: A senior individual accountable for IT-related solution development processes

Head of IT Operations: A senior individual accountable for the IT operational environments and infrastructure

Head of IT Administration: A senior individual accountable for IT-related records and responsible for supporting IT-related administrative matters

Value Management Office (VMO): The function that acts as the secretariat for managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, recommending value governance/management methods and controls, and reporting on progress on sustaining and creating value from investments and services

Information Security Manager: An individual who manages, designs, oversees and/or assesses an enterprise’s information security

Service Manager: An individual who manages the development, implementation, evaluation and ongoing management of new and existing products and services for a specific customer (user) or group of customers (users)

Business Continuity Manager: An individual who manages, designs, oversees and/or assesses an enterprise’s business continuity capability, to ensure that the enterprise’s critical functions continue to operate following disruptive events

Privacy Officer: An individual who is responsible for monitoring the risk and business impacts of privacy laws and for guiding and co-ordinating the implementation of policies and activities that will ensure that the privacy directives are met. Also called data protection officer.


The People and the Process (figure, as on the earlier slide: Owners and Stakeholders ↔ Governing Body (Delegate / Accountable); Governing Body ↔ Management (Set Direction / Monitor); Management ↔ Operations and Execution (Instruct and Align / Report))

Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) → Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) → Enterprise Goals → IT-related Goals → Process and Enabler Goals

References: COBIT 4.1 Mapping (Appendix A); Roles & Descriptions for RACIs (pages 76-77); RACI; Governance & Management Questions on IT (page 22); Mapping to Goals (Appendix D)


Governance and Management Questions on IT

Internal Stakeholders: Board; Chief executive officer (CEO); Chief financial officer (CFO); Chief information officer (CIO); Chief risk officer (CRO); Business executives; Business process owners; Business managers; Risk managers; Security managers; Service managers; Human resource (HR) managers; Internal audit; Privacy officers; IT users; IT managers; etc.

Internal Stakeholder Questions
• How do I get value from the use of IT? Are end users satisfied with the quality of the IT service?
• How do I manage performance of IT?
• How can I best exploit new technology for new strategic opportunities?
• How do I best build and structure my IT department?
• How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers?
• What are the (control) requirements for information?
• Did I address all IT-related risk?
• Am I running an efficient and resilient IT operation?
• How do I control the cost of IT? How do I use IT resources in the most effective and efficient manner?
• What are the most effective and efficient sourcing options?
• Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance?
• How do I improve business agility through a more flexible IT environment?

External Stakeholders

External Stakeholder Questions


COBIT 5 Generic Enterprise Enablers

1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour

Resources:
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies


The COBIT 5 Generic Enabler Model (figure)

Enabler Dimension
• Stakeholders: Internal Stakeholders; External Stakeholders
• Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
• Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
• Good Practices: Practices; Work products (Inputs/Outputs)

Enabler Performance Management (one question per dimension)
• Are Stakeholder Needs Addressed?
• Are Enabler Goals Achieved?
• Is Life Cycle Managed?
• Are Good Practices Applied?

Metrics for Achievement of Goals (Lag Indicators); Metrics for Application of Practice (Lead Indicators)


The Business Case

“Enterprises should follow existing internal business case and investment justification approaches, if they exist, and use this example and the guidance in the COBIT 5 Implementation Guide to help focus on all of the issues that should be addressed. Further guidance on developing business cases can be found in COBIT 5 process APO05 and in The Business Case Guide: Using Val IT™ 2.0.”


COBIT 5 Assessor


The People and the Process (figure, as on the earlier slide: Owners and Stakeholders ↔ Governing Body (Delegate / Accountable); Governing Body ↔ Management (Set Direction / Monitor); Management ↔ Operations and Execution (Instruct and Align / Report))

Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) → Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) → Enterprise Goals → IT-related Goals → Enabler Goals

References: Governance & Management Questions on IT (page 22); Pain Points & Trigger Events (pages 21-22)


The Process Assessment Model (PAM) comprises the Process Reference Model (PRM), the Measurement Framework and the Assessment Process.

Contents of the PAM
1.0 Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Assessment Domain
  1.4 Normative Reference
  1.5 The COBIT 5 Process Assessment Model
  1.6 Comparison of the COBIT 4.1 PAM to the COBIT 5 PAM
  1.7 Terms and Definitions
2.0 Overview of the COBIT 5 Process Assessment Model (PAM)
3.0 Process Dimension and Process Performance Indicators
4.0 Process Capability Indicators
Appendix A. Conformity of the COBIT 5 Process Assessment Model
Appendix B. Generic and Level 1 Output Work Products


Elements of the assessment framework (figure)

• Process Reference Model: Domain and Scope; Process Purpose; Process Outcomes
• Process Assessment Model: Scope; Indicators; Mapping; Translation
• Measurement Framework: Capability Levels; Process Attributes; Rating Scale
• Initial Input: Purpose; Scope; Constraints; Identities; Approach; Assessor Competence Criteria; Additional Information
• Assessment Process: Planning; Data Collection; Data Validation; Process Attribute Rating; Reporting
• Roles and Responsibilities: Sponsor; Competent Assessor; Assessors
• Output: Date; Assessment Input; Identification of Evidence; Assessment Process Used; Process Profiles; Additional Information


Terms and Definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 15504-1 apply. Key definitions include:

• Attribute indicator: An assessment indicator that supports the judgement of the extent of achievement of a specific process attribute (ISO/IEC 15504:1, 3.16)
• Base practice: An activity that, when consistently performed, contributes to achieving a specific process purpose (ISO/IEC 15504:1, 3.17)
• Capability dimension: The set of elements in a process assessment model explicitly related to the Measurement Framework for Process Capability (ISO/IEC 15504:1, 3.18)
• Capability indicator: An assessment indicator that supports the judgement of the process capability of a specific process (ISO/IEC 15504:1, 3.19)
• Generic practice: An activity that, when consistently performed, contributes to the achievement of a specific process attribute (ISO/IEC 15504:1, 3.22)
• Performance indicator: An assessment indicator that supports the judgement of the process performance of a specific process (ISO/IEC 15504:1, 3.26). Note: A performance indicator is an attribute indicator for Process Attribute 1.1 for a specific process. (ISO/IEC 15504:2)
• Process assessment model: A model suitable for the purpose of assessing process capability, based on one or more process reference models (ISO/IEC 15504:1, 3.33)
• Process attribute: A measurable characteristic of process capability applicable to any process (ISO/IEC 15504:1, 3.31)


Terms and Definitions (continued)

• Process attribute rating—A judgement of the degree of achievement of the process attribute for the assessed process (ISO/IEC 15504:1, 3.32)

• Process capability—A characterisation of the ability of a process to meet current or projected business goals (ISO/IEC 15504:1, 3.33)

• Process capability level—A point on the six-point ordinal scale (of process capability) that represents the capability of the process, each level building on the capability of the level below (ISO/IEC 15504:1, 3.36)

• Process capability level rating—A representation of the achieved process capability level derived from the process attribute ratings for an assessed process (ISO/IEC 15504:1, 3.37)

• Process outcome—An observable result of a process (ISO/IEC 15504:1, 3.44). Note: An outcome is an artefact, a significant change of state or the meeting of specified constraints.

• Process purpose—The high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process (ISO/IEC 15504:1, 3.47)

• Process reference model—A model composed of definitions of processes in a life cycle described in terms of process purpose and outcomes, together with an architecture describing the relationships amongst the processes (ISO/IEC 15504:1, 3.48)

• Work product—An artefact associated with the execution of a process (ISO/IEC 15504:1, 3.55)


The Process Assessment Model (PAM)

Components: Process Reference Model (PRM), Measurement Framework, Assessment Process

Structure of the COBIT 5 PAM document:
• 2.0 Overview of the COBIT 5 Process Assessment Model (PAM): 2.1 Introduction; 2.2 The Process Dimension – COBIT 5 Processes; 2.3 The Capability Dimension; 2.4 Assessment Indicators; 2.5 Rating Scale
• 3.0 Process Dimension and Process Performance Indicators
• 4.0 Process Capability Indicators
• Appendix A. Conformity of the COBIT 5 Process Assessment Model
• Appendix B. Generic and Level 1 Output Work Products


COBIT 5 Process Reference Model

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor (EDM)
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organise (APO)
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire and Implement (BAI)
• BAI01 Manage Programmes and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organisational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Deliver, Service and Support (DSS)
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements


Overview of the Process Assessment Model (PAM)

Capability Dimension (based on ISO/IEC 15504-2):
• Level 5: Optimizing process (2 attributes)
• Level 4: Predictable process (2 attributes)
• Level 3: Established process (2 attributes)
• Level 2: Managed process (2 attributes)
• Level 1: Performed process (1 attribute)
• Level 0: Incomplete process

Process Dimension (37 processes):
• Evaluate, Direct & Monitor (EDM): 5
• Align, Plan & Organise (APO): 13
• Build, Acquire & Implement (BAI): 10
• Deliver, Service & Support (DSS): 6
• Monitor, Evaluate & Assess (MEA): 3


Process Attributes and Assessment Indicators

Capability Dimension: process attributes by level
• Level 5: PA5.1 Process innovation; PA5.2 Continuous optimisation
• Level 4: PA4.1 Process measurement; PA4.2 Process control
• Level 3: PA3.1 Process definition; PA3.2 Process deployment
• Level 2: PA2.1 Performance management; PA2.2 Work product management
• Level 1: PA1.1 Process performance
• Level 0

Assessment indicators:
• Levels 1 to 5 are based on Process Attribute Indicators (PAI): GP (Generic Practice) and GWP (Generic Work Product)
• Level 1 additionally uses performance indicators: BP (Base practices) and WP (Work products)

Process Dimension (37 processes): Evaluate, Direct & Monitor (EDM) 5; Align, Plan & Organise (APO) 13; Build, Acquire & Implement (BAI) 10; Deliver, Service & Support (DSS) 6; Monitor, Evaluate & Assess (MEA) 3


ISO/IEC Measurement Scale

• Level 5: Optimising Process (PA 5.1 Process Innovation; PA 5.2 Process Optimization). Optimizing: The process is continuously improved to meet current and projected business goals.
• Level 4: Predictable Process (PA 4.1 Process Measurement; PA 4.2 Process Control). Predictable: The process is executed consistently within defined limits.
• Level 3: Established Process (PA 3.1 Process Definition; PA 3.2 Process Deployment). Established: A standard process is defined and used throughout the organization.
• Level 2: Managed (PA 2.1 Performance Management; PA 2.2 Work Product Management). Managed: The process is managed and results are specified, controlled and maintained.
• Level 1: Performed (PA 1.1 Process Performance). Performed: The process is performed and achieves its purpose.
• Level 0: Incomplete. Incomplete: The process is not implemented or fails to achieve its purpose.

This figure is reproduced from ISO/IEC 15504-2, with the permission of ISO/IEC at www.iso.org. Copyright remains with ISO/IEC.


ISO/IEC Process Capability Levels and Process Attributes


6 Process Capability Levels, 9 Process Attributes


What is a Process Assessment Model?

Figure: the capability scale (Measurement Framework) plotted against the process entities (Process Reference Model).

• Process Reference Model: Domains and Scope; Processes with Purposes and Outcomes
• Measurement Framework: Capability Levels; Process Attributes; Rating Scale


The Process Assessment Model (PAM)

Components: Process Reference Model (PRM), Measurement Framework, Assessment Process

• 3.0 Process Dimension and Process Performance Indicators
• 4.0 Process Capability Indicators
• Appendix A. Conformity of the COBIT 5 Process Assessment Model
• Appendix B. Generic and Level 1 Output Work Products


COBIT 5 process description (template):

• Process Name (Area:, Domain:)
• Process Description
• Process Purpose Statement
• The process supports the achievement of a set of primary IT-related goals: IT-related Goal / Related Metrics
• Process Goals and Metrics: Process Goal / Related Metrics
• RACI Chart
• Management Practices: Activities; Inputs (From, Description); Outputs (Description, From)
• Related Guidance: Related Standard / Detailed Reference


The COBIT 5 Process and the PAM

COBIT 5 process element → PAM element:
• Process Name → Process ID, Process Name
• Process Description → Process Description
• Process Purpose Statement → Process Purpose Statement
• IT-related Goal (The process supports the ...), Process Goals and Metrics (Process Goal) → Process Goals, Outcomes (Os)
• Management Practices → Base Practices (BPs)
• Inputs / Outputs → Work Products (WPs): Inputs (Number, Description, Supports); Outputs (Number, Description, Supports, Input to)
• RACI Chart → NOT IN PAM
• Related Guidance / Related Standard → NOT IN PAM
• Activities → NOT IN PAM


Assessor question: "Is there a process with this purpose?"

Process ID: BAI02
Process Name: Manage Requirements Definition
Process Description: Identify solutions and analyse requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Co-ordinate with affected stakeholders the review of feasible options including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.
Process Purpose Statement: Create feasible optimal solutions that meet enterprise needs while minimising risk.

Outcomes (Os)

Assessor question: "Are these outcomes being achieved?"

Number / Description:
• BAI02-O1 Business functional and technical requirements reflect enterprise needs and expectations.
• BAI02-O2 The proposed solution satisfies business functional, technical and compliance requirements.
• BAI02-O3 Risk associated with the requirements has been addressed in the proposed solution.
• BAI02-O4 Requirements and proposed solutions meet business case objectives (value expected and likely costs).


Process ID: BAI02
Process Name: Manage Requirements Definition

Base Practices (BPs)

Number / Description / Supports:
• BAI02-BP1 Define and maintain business functional and technical requirements. Based on the business case, identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. Supports: BAI02-O1
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions. Supports: BAI02-O2/O4
• BAI02-BP3 Manage requirements risk. Identify, document, prioritise and mitigate functional, technical and information processing-related risks associated with the enterprise requirements and proposed solution. Supports: BAI02-O3
• BAI02-BP4 Obtain approval of requirements and solutions. Co-ordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions. Supports: BAI02-O1

Assessor question: "Is there evidence that appropriate base practices are being undertaken?"


BAI02 Manage Requirements Definition
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.

Figure: Work Products (WPs) Inputs → Base Practices (BPs) → Work Products (WPs) Outputs → Outcomes (Os). Inputs and outputs: details on PAM page.

Outcomes (Os):
• BAI02-O1 Business functional and technical requirements reflect enterprise needs and expectations.
• BAI02-O2 The proposed solution satisfies business functional, technical and compliance requirements.
• BAI02-O3 Risk associated with the requirements has been addressed in the proposed solution.
• BAI02-O4 Requirements and proposed solutions meet business case objectives (value expected and likely costs).

Base Practices (BPs):
• BAI02-BP1 Define and maintain business functional and technical requirements.
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions.
• BAI02-BP3 Manage requirements risk.
• BAI02-BP4 Obtain approval of requirements and solutions.


BAI02 Manage Requirements Definition
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.

Outcome (O): BAI02-O1 Business functional and technical requirements reflect enterprise needs and expectations

Base Practices (BPs):
• BAI02-BP1 Define and maintain business functional and technical requirements.
• BAI02-BP4 Obtain approval of requirements and solutions.

Work Products (WPs) Inputs:
• APO01-WP14 Data classification guidelines
• APO01-WP15 Data security and control guidelines
• APO01-WP16 Data integrity procedures
• APO03-WP2 Architecture principles
• APO03-WP4 Baseline domain descriptions and architecture definition
• APO03-WP6 Information architecture model
• APO03-WP12 Solution development guidance
• APO10-WP11 Supplier RFIs and RFPs
• APO11-WP6 Acceptance criteria
• BAI01-WP17 Quality management plan

Work Products (WPs) Outputs:
• BAI02-WP1 Requirements definition repository
• BAI02-WP2 Confirmed acceptance of requirements from stakeholders
• BAI02-WP3 Record of requirement change requests
• BAI02-WP8 Sponsor approvals of requirements and proposed solutions
• BAI02-WP9 Approved quality reviews


BAI02 Manage Requirements Definition
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.

Outcomes (Os):
• BAI02-O2 The proposed solution satisfies business functional, technical and compliance requirements
• BAI02-O3 Risk associated with the requirements has been addressed in the proposed solution.

Base Practices (BPs):
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions.
• BAI02-BP3 Manage requirements risk.

Work Products (WPs) Inputs:
• APO03-WP12 Solution development guidance
• APO10-WP2 Supplier catalogue
• APO10-WP12 RFI and RFP evaluations
• APO10-WP13 Decision results of supplier evaluations
• APO11-WP6 Acceptance criteria

Work Products (WPs) Outputs:
• BAI02-WP4 Feasibility study report
• BAI02-WP5 High-level acquisition/development plan
• BAI02-WP6 Requirements risk register
• BAI02-WP7 Risk mitigation actions


BAI02 Manage Requirements Definition
Process Purpose: Create feasible optimal solutions that meet enterprise needs while minimising risk.

Outcome (O): BAI02-O4 Requirements and proposed solutions meet business case objectives (value expected and likely costs).

Base Practices (BPs):
• BAI02-BP2 Perform a feasibility study and formulate alternative solutions.

Work Products (WPs) Inputs:
• APO03-WP12 Solution development guidance
• APO10-WP2 Supplier catalogue
• APO10-WP12 RFI and RFP evaluations
• APO10-WP13 Decision results of supplier evaluations
• APO11-WP6 Acceptance criteria

Work Products (WPs) Outputs:
• BAI02-WP4 Feasibility study report
• BAI02-WP5 High-level acquisition/development plan
