8/13/2019 Integrated IT Governance Series - COBIT 5
Integrated IT Governance Series COBIT 5
Overview
COBIT 5 is the latest version of ISACA's (www.isaca.org) guidance of the enterprise governance and management of IT, published in 2012. COBIT 5 provides a framework for optimising the value that organisations obtain from their investments in IT by balancing the three elements of realising benefits, managing risk and consuming resources.
Whilst COBIT 5 builds upon previous versions, it does represent a significant restructure of the guidance. This may mean some effort for organisations already using COBIT 4.1, but we believe that it offers significant opportunities to organisations already using or considering incorporating COBIT principles and concepts into an integrated governance approach to the provision of IT services.
There are multiple sources of good practice guidance and supporting frameworks to assist IT service providers to design and deliver end-to-end services that are aligned to the needs of their customer, whether they are internal, external or a mixture of both. The different sources cover various aspects and stages of the service lifecycle from architecture, through programme/project and risk management, IT service management, corporate governance of IT to skills definition and management.
This brief is one of a series that describes the key concepts of some of the major sources of good practice and
how they can be applied by service providers to improve service design and delivery. It is ProActive's view that organisations should avoid an either/or approach when considering frameworks. Each has its areas of focus and strengths, but no one source would claim to have all the answers. In fact, each organisation has to operate within its own context and with its own unique set of capabilities. Good practice should not be seen as dogma that should be rigorously adhered to without an appreciation of the context within which activity occurs. We find that the different frameworks usually provide complementary guidance and organisations can and should be aware of what is available, how relevant the guidance is to them and to incorporate elements from multiple frameworks as necessary to achieve their objectives.
Commercial in Confidence
The Evolution of COBIT
With earlier versions there was a focus on defining what needed to be achieved to provide effective governance and management of the information assets of an organisation. For each described process, a set of control objectives documented this "what to achieve", along with management guidelines with skeletal RACI charts and suggested metrics. While this was very useful to adopters, ISACA also started to produce complementary guidance on how the objectives might be achieved and on assurance guidance on measuring the effectiveness of controls.
ISACA also developed the Val IT and Risk IT frameworks to look at realising value and managing risk. There was also a growing recognition that many organisations were still struggling with the concept that governance and management are different activities and that they should be separated.
COBIT 5 Principles
The development of COBIT 5 was based on five key principles:
1. Meeting stakeholder needs
Organisations need to optimise value for their stakeholders by achieving an appropriate balance between realising benefits, managing risk effectively and using resources efficiently and effectively. COBIT 5 describes a set of processes and enablers that support this objective.
2. Covering the enterprise end-to-end
COBIT 5 is designed to integrate IT governance into overall enterprise governance. Its scope covers all information and related technology assets, wherever they may be in an organisation, and includes internal and external providers.
3. Single integrated framework
COBIT is aligned to other relevant standards and good practice frameworks. It also incorporates the guidance of Val IT and Risk IT.
4. Holistic approach
COBIT defines a set of seven enablers to support the implementation of governance and management of an organisation's IT. These are covered in the next section.
5. Separation of governance from management
COBIT 5 introduces an additional process domain for governance processes as distinct from management ones and this domain aligns to the Evaluate, Direct and Monitor concepts of ISO/IEC 38500 : Corporate governance of IT¹.
COBIT 5 Enablers
One of the COBIT 5 principles is the adoption of a holistic approach to the establishment of effective governance and management of IT. Seven enablers are identified as depicted in Figure 2².
1. Principles, Policies and Frameworks
These provide the means of ensuring that the desired behaviour is articulated through practical guidance for use by management and staff. People are more likely to comply if they understand why such behaviour is necessary.
2. Processes
COBIT describes 37 processes within five domains that each incorporate a structured set of governance or management practices to achieve objectives that support IT and enterprise goals.
3. Organisational Structures
These provide stability to an organisation and support the delegation of responsibilities and decision-making. There is no one organisational structure that will suit every situation. Structures are influenced by the enterprise culture, previous experience and the skills and capabilities of staff.
4. Culture, Ethics and Behaviour
These are key influencers on the success of governance and management activities at both the organisational and individual level.
of IT. Conversely, neglecting any of them during an implementation programme could have a significant adverse impact on success. The last three enablers are also referred to as resources and this is a concept carried forward from COBIT 4.1.
The COBIT 5 Process Reference Model
Processes form one of the seven COBIT enablers and the reference model defines 37 processes in the five domains of:
- Evaluate, Direct and Monitor (EDM)
- Align, Plan and Organise (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
The first of these is a new domain created to hold the specific governance (as distinct from management) processes. The other four are very similar to the process domains of COBIT 4.1 and are based on the stages of plan, build, run and monitor, although there has been some reallocation of processes between domains. This structure aligns quite well with the service lifecycle approach adopted by ITIL since the 2007 edition of the guidance.
The COBIT 5 process reference model is shown in Figure 3 on the next page. The model is described in detail in COBIT 5 Enabling Processes³. The key information provided by COBIT for each process will be summarised in a later section.
Each process has a unique five-character identifier comprised of: the three character domain identifier (EDM, APO, BAI, DSS, or MEA) followed by a two digit number to distinguish it from other processes in the same domain. The five-character process identifier is also used in the governance or management practices that are documented for each process, so that each practice is both uniquely identified and easily locatable. Governance and management practices are a further development of the control objectives and control practices from COBIT 4.1.
The COBIT 5 process reference model incorporates the Val IT and Risk IT frameworks into a single unified framework.
Figure 1 The COBIT 5 Process Reference Model
The COBIT Goals Cascade
One of the strengths of COBIT 5 is the linkage of stakeholder needs through enterprise and IT-related goals to enabler goals. A set of generic enterprise and IT-related goals is supplied in the COBIT 5 Framework publication⁴ with the reminder that organisations will need to adapt them to meet their specific requirements. Each set of goals is arranged in a balanced scorecard format with the enterprise goals also having an indication of the contribution that they make to the three governance drivers of benefits realisation, risk optimisation and resource optimisation.
The same document also provides mapping of:
- a generic set of stakeholder needs onto the enterprise goals
- enterprise goals to IT-related goals and
- IT-related goals to the 37 processes in the process reference model.
Finally, the process reference model suggests metrics that might be useful to judge how well each process is supporting the relevant IT-related goals. The goals cascade provides traceability between stakeholder drivers and the ICT processes that act as a key enabler. This provides a means to identify, where a specific stakeholder need or enterprise goal is not being fulfilled, the underlying ICT processes that may be underperforming and target improvement activity where it will realise the greatest value for the enterprise and its stakeholders.
The goals cascade is shown in Figure 4 on the following page. The references to the right of the figure refer to parts of the COBIT 5 Framework document.
Figure 2 The COBIT 5 Goals Cascade
COBIT 5 Process Information
In a similar manner to earlier versions, COBIT 5 provides information on each process in its reference model. This is contained in Chapter 5 of the Enabling Processes document⁵. The information for each process is structured in the same way and, at first glance, there appear to be significant differences to the structure used in COBIT 4.1⁶. In reality, many of the concepts and useful information are carried forward from the earlier version and enhanced.
COBIT 5 process information is structured as follows:
| Item | Description | COBIT 4.1 Equivalent |
| --- | --- | --- |
| Process identification | Process label (domain prefix and two-digit number); Process name; Area: governance or management; Domain: EDM, APO, BAI, DSS or MEA | The Process Description page provides similar information |
| Process description | An overview of what the process does | |
| Process purpose statement | The overall purpose of the process | |
| Goals cascade information | The IT-related goals that the process primarily supports and suggested metrics to measure how well those goals are achieved | Provided at the IT level in the Goals and Metrics section on the Management Guidelines page |
| Process goals and metrics | A set of process goals and a limited set of example metrics | Provided at the process level in the Goals and Metrics section on the Management Guidelines page |
| RACI chart | A suggested set of assignment of process practices to different roles and structures. The chart distinguishes enterprise roles from those in IT. | Management Guidelines include a RACI chart with key activities that do not map clearly onto control objectives. |
| Detailed descriptions of process practices | A set of governance or management practices that are required to establish effective process control. Each practice includes: Practice label: the five-character process label followed by a two-digit number to uniquely identify the practice; Practice title and description: the practice name and a description of what needs to be done to establish it; Practice inputs and outputs: these include details of input sources and output destinations; Process activities: further guidance on the activities that are required to establish and maintain the practice | Process practices represent further development of the Control Objectives listed for each process and the supporting Control Practices that were documented in a separate document⁷. In COBIT 4.1, inputs and outputs are documented at the overall process level, rather than the objective/practice level. |
| Related guidance | References to other standards and sources of guidance | Provided at an overall level in Appendix IV of the COBIT 4.1 document and expanded in a number of mapping documents published by ISACA. |
There are other obvious differences between COBIT 5 and 4.1:
- Information criteria are now generally incorporated into goals for the COBIT 5 Information enabler and
- Maturity models are no longer included in the reference model but covered in a separate process assessment model that conforms with the requirements of the IT process assessment standard ISO/IEC 15504-2⁸
The Value of COBIT 5
We believe that COBIT 5 can provide significant value to organisations wishing to adopt an integrated governance approach to the provision of IT services. In particular, COBIT provides:
- Clear linkage of ICT processes to enterprise goals and stakeholder needs through the goals cascade
- Separation of governance and management processes
- A broad scope that can link other frameworks such as ITIL, P3O, PRINCE2, TOGAF and relevant international standards
- A well-defined set of governance and management practices that provide a control framework to optimise value by delivering the required benefits to stakeholders while managing risks and resources effectively and
- A set of suggested goals and supporting metrics that organisations should adapt to meet their specific needs
Each best practice framework comes with its own set of strengths and a judicious combination of frameworks can enable effective governance while optimising alignment, effectiveness and efficiency of IT services to meet the needs of the organisation and its customers. COBIT can make an important contribution to governance and version 5 is a significant update that should make it more attractive and easier to use in organisations that seek greater levels of governance and control in IT service provision. We see COBIT as very complementary with ITIL, with the former focusing on the practices required to establish effective governance and management and the latter providing more information on how to establish the processes within each stage of the service lifecycle.
Appendix A: IT Governance
The diagram below shows at the high level the governance questions that most IT leaders are faced with. ProActive can help IT leaders answer those questions, using an IT service driven approach as embodied in frameworks that include ITIL, CobiT, P3M3 (Portfolio, Programme and Project Management), ISO/IEC 20000, Software Asset Management, TOGAF and ISO 27001. Each solution proposed takes into account these key questions and as such, ensures that consideration is taken for the bigger picture.
Figure 3 Key IT governance questions
Figure 12 - based on "The Information Paradox - Realizing the Business Benefits of Information Technology", John Thorp written jointly with Fujitsu, 1998 and revised 2003, McGraw-Hill, Canada.
Are we doing the right things?
To answer this question the correct strategies are required, so that we can deliver ICT services that meet the needs of the business as regards:
o Functionality
o Capability
o Ongoing investment
This means that you need to have:
o A measure of the customer's quality of experience with existing ICT services and an understanding of IT Service Value Management
o Understand gaps in IT - Business alignment
o Relevant IT strategies to deliver the right IT services including an overall ICT strategy, IT Service Strategy, ITSM strategy, Technology roadmaps, Sourcing strategy etc
o Portfolio Management capability underpinned by a Business Service Catalogue
o A benchmark of the capability of our IT organisation
o An understanding of the frameworks we should be using, eg ITIL, CobiT, TOGAF, P3M3
Are we doing them the right way?
To answer this question required are:
o A lifecycle approach to the delivery of ICT services that is integrated
o An Enterprise Architecture
o A Portfolio, Programme and Project Framework
o A Risk and Security methodology
This means you need to have:
o Governance Lifecycle Framework
o Understand the gaps in the quality of key ICT services and IT capability shortfalls
o Tactical Plans for People, Process, Partners, Products
o Management of Organisational Change capability
o The ability to put the above into effect through a Capability Improvement Journey
Are we getting them done well?
This means you have to have:
o Effective and disciplined management of the whole lifecycle
o Effective processes
o Competent resources available to provide:
  o the required capabilities
  o the organisational changes required to leverage the capabilities
To put this into effect you need to effect:
o A Capability Improvement Journey
o To have converted the key requirements into an operational Context
o To implement the likes of Knowledge Centred Support (KCS) for Knowledge to improve efficiency and effectiveness
o To be using Skills Framework for the Information Age (SFIA) and SFIAplus to properly define Roles and to be able to identify and address skills gaps
o Integration of process and capabilities covering People, Products, Processes and Partners
Appendix B: About ProActive
Established in Australasia in 1987, ProActive has a comprehensive suite of services that includes integrating all IT Governance that underpins the IT Service lifecycle. In 1995, ProActive introduced the ITIL best practice guidance to Australia and New Zealand, and has provided thought leadership in Service Management ever since.
ProActive are Australia and New Zealand's longest Service Management education provider, and have trained in excess of 38,000 students. In addition to our extensive consultancy services and web based capability assessment/survey tools, ProActive is a BCS accredited training organisation for ITIL training, an accredited provider of Knowledge Centred Support (KCS℠) training, a SFIA accredited partner.
ITIL® is a registered Trade Mark of the UK Cabinet Office in the UK and other countries. KCS℠ is a servicemark of the Consortium for Service Innovation℠. SFIA® is a registered trademark of the SFIA Foundation.
Our People
ProActive consultants are highly skilled business process analysts with extensive practical experience combined with in-depth knowledge of a number of governance frameworks. All consultants have many years practical, hands-on experience of ITIL implementation in organisations throughout Australia, New Zealand and internationally.
They all hold the highest level of accreditation in their fields, including ITIL V3 (Expert level), CobiT, Prince2, ISO/IEC 20000, Software Asset Management, and KCS.
More specifically they have:
- a thorough knowledge of Service Management processes
- extensive knowledge and experience of industry standards and practices in these processes
- considerable knowledge and understanding of a range of the leading IT software solutions for these processes
- extensive knowledge of how the processes ultimately translate into IT system work practices
- the skills and maturity to play a facilitating and influencing role at all levels.
What we do
ProActive can assist organisations via our consulting and education services in all aspects of service and process improvement based on our flexible ProActive Services Capability Improvement Journey methodology. We can also help to sustain this change and ensure continual service improvement.
Organisations we work with
We have worked extensively with Australian and New Zealand IT organisations of all sizes across the private, state and federal government sectors. A sample of the organisations we work with includes:
ANZ Bank
Aurora Energy
Aurecon Pty Ltd
IAG
Ministry of Economic Development
University of Melbourne
NAB
NSW Businesslink
NSW Communities
Optus Communications
Origin Energy
Queensland Department of the CIO
Tabcorp otor Corporation Australia
Victoria University of Wellington
Westpac Banking Corporation
Certification and Accreditation
ProActive achieved and have maintained ISO 9001 certification for over 10 years, with our most recent audit taking place in October 2010. Certification covers the delivery of Service Management consultancy and education services.
ProActive are also accredited by the following organisations to deliver education services:
- Information Systems Examination Board: ITIL training.
- APMG: COBIT
- Consortium for Service Innovation: KCS
1 ISO (2008), ISO/IEC 38