COBIT Assessment Programme Frequently Asked Questions (FAQs)

ISACA 2012. All rights reserved.


1. Why did ISACA select ISO 15504?
ISO 15504 effectively deals with a capability process assessment. It provides an
understandable, logical, repeatable, reliable and robust methodology for assessing the
capability of IT processes (evidentiary requirements).

2. What is the major value of using the new COBIT Assessment Programme?
a. The value derived from assessments using this approach includes reliable results
that focus the enterprise on the benefits and resource implications arising from the
performance and capability of its IT processes, and provide a sound basis for
benchmarking and improvement, prioritization and planning.
b. There are a number of specific benefits for COBIT users in taking this approach:
- Focus first on confirming that a process is achieving its intended purpose and
delivering its required outcomes as expected.
- Simplification of the content supporting process assessment.
- Improved reliability and repeatability of process capability assessment activities
and evaluations, reduced debates and disagreements between stakeholders on
assessment results.
- Increased usability of process capability assessment results, as the new
approach establishes a basis for more formal, rigorous assessments to be
performed, for both internal and potential external purposes such as
benchmarking.
- Compliance with a generally accepted process assessment standard (ISO 15504)
and therefore strong support for process assessment approach in the market.

3. Is this simply a way to push more certifications to consultants?
No, because ISO 15504 identifies the need for both independent and competent
assessors to perform an assessment. ISACA has identified a number of key competencies
and experience requirements. This necessitates a comprehensive training programme
with an exam that requires a certificate upon the successful completion of the exam.
This type of certification is more a product-based certification than a professional-based
certification program such as CISA or CPA.

4. We know where our strengths and weaknesses lie. Why undertake a COBIT process
assessment?
Many organizations believe they have some idea of their strengths and weaknesses.
However, they can often be surprised when a particular process fails to perform as
expected because it is not robust enough to deal with either organizational change or
different circumstances.

5. Why do I need a more rigorous assessment? Is the self-assessment process not
sufficient?
a. A self-assessment can be used by organizations to perform a less rigorous
assessment of the capability of IT processes. This may be a precursor to undertaking
a more rigorous, evidence-based assessment. It is intended as a stand-alone
process with the minimum of training and not requiring a certified assessor.
b. A self-assessment is based more on judgement of the individual or individuals
making the assessment. It will be subjective without a requirement for evidence. As
a result, the assessment will be indicative of the process capability. Experience has
shown that such assessments are often optimistic, showing a better result than
would be shown in a more formal, evidence-based assessment. They are generally
not repeatable or objective. For a repeatable, objective assessment, a full
assessment using the COBIT PAM and assessor guide (with training) is required.

6. Does the new COBIT Assessment Programme approach replace the existing COBIT 4.1
CMM approach?
a. No, it does not; it is a different approach to assessing process capability that ISACA
has selected to use. COBIT 4.1 CMM remains as published and the option of applying
a COBIT Assessment Programme approach as an alternative has been made
available.
b. However, the CMM approach will not be offered in COBIT 5 because the new ISO
15504 approach is core to performing a capability process assessment using COBIT 5
content.

7. What is the difference between the COBIT 4.1 CMM and the new COBIT Assessment
Programme approach?
a. The capability level scale is the same, i.e., 0 to 5, and some of the level names are
very similar, but that is where the similarities end. The attributes assessed and
measured in each approach are NOT the same, nor is there a clean-cut relationship
between the two sets of attributes.
b. There are no specific requirements to provide evidentiary support for assessment
results in the existing COBIT 4.1 CMM approach, but this is mandatory in the ISO
15504 approach. Providing such evidence in support of the assessment produces
more robust, repeatable and defensible results.
c. The assessment done under the old COBIT 4.1 CMM approach will likely result in
higher scores, due to the subjective averaging approach adopted, and also due to
the more rigorous ISO 15504 requirements for level 1 in the new approach.

8. Will COBIT 5 have the same process capability assessment approach using ISO 15504?
And how will it differ?
a. COBIT 5 has been designed taking into account all of the ISO 15504 process
capability assessment requirements. As a result the consistency of content between
the COBIT 5 process content and the COBIT 5 PAM will be improved over those of
COBIT 4.1.
b. For the purposes of applying the COBIT Assessment Programme approach, the only
difference between COBIT 4.1 and COBIT 5 will be the level 1 content which is
specific and unique to each framework version. Assessment levels 2 to 5 focus on
generic process attributes (as defined in ISO 15504) and are therefore the same for
both frameworks.

9. Why would you want to do a COBIT process capability assessment using COBIT 4.1
when COBIT 5 will be available in early 2012?
Enterprises have invested in using COBIT 4.1 and will continue to use it for a number of
years until a driver is encountered for them to consider a transition to COBIT 5. During
this time a formal process capability assessment against COBIT 4.1 will be of value to
them.

10. What about enterprises not using COBIT 4.1?
Those organizations who have not yet implemented COBIT are encouraged to use the
COBIT 5 PAM because of the added value that the expanded COBIT 5 framework scope
brings to the enterprise.

11. How is assessing cloud different from assessing other services?
There is no difference; cloud services, i.e., Infrastructure as a Service (IaaS),
Platform as a Service (PaaS) and Software as a Service (SaaS), are a subset of IT
services. Regardless of the deployment model (private, public, etc.), cloud computing is
a delivery of a service in the same way as any other IT service delivery. ISACA cloud
publications provide a predefined selection of COBIT processes; the assessment of the
processes itself will be the same for cloud as for any other IT service delivered. For
more information on ISACA's cloud publications visit: www.isaca.org/cloud

12. What other models, frameworks and approaches have been aligned to ISO 15504?
a. ITIL 3 has been mapped to ISO 15504 but only at level 1; i.e., a Process Reference
Model (PRM) has been developed and released via a Tudor publication. However, to
our knowledge no full PAM has been developed.
b. The ISO group responsible for ISO 20000 on IT service management is also in the
process of developing an ISO 15504 PAM.
c. COSO has also developed an ISO 15504 PRM (level 1 only) but not a full PAM.

13. What qualifications and experience will be required to be a certified assessor?
Certification and competency requirements are still being developed but ISACA sees the
following as likely requirements:
a. Experience: Minimum of five years' experience in business management, IT
management or management consultancy. Two years can be substituted by having a
Certified Information Systems Auditor (CISA); or equivalent/relevant auditing or
assessment certification.
b. Training:
- Foundation level training, exam and certificate (to demonstrate core knowledge
of COBIT)
- Process level training, exam and certificate
- Assessor training, exam and certification to become a certified assessor

14. How will training and certification be provided?
ISACA is in the process of developing worldwide training and certification for the
accreditation of training organizations.

15. How long on average does a COBIT Assessment take to execute?
a. There is no specific answer to this as it depends on the scope of the assessment; 3
processes vs. 34/37. It depends on the business need and what processes
management would like to see assessed/improved.
b. ISACA has provided a scoping tool as part of its toolkit to assist organizations in
selecting processes to scope. (See toolkit link on the website.)

16. Will the revised ISO standard ISO 33000, which will be the replacement for ISO 15504,
have an impact on the model just developed for both COBIT 4.1 and COBIT 5?
a. Yes, in that any changes to the process capability assessment approach required by
the new standard when published will need to be considered in the COBIT
Assessment Programme approach and supporting materials at some point.
b. ISACA has studied the draft proposals for the new standard being developed and
concluded that the big improvements proposed for ISO 33000 will affect mainly the
enterprise maturity assessment that is currently based on the ISO 15504-7 guide, which
ISACA has not implemented, preferring instead to concentrate on a process
capability assessment because this activity must be completed first before an
enterprise-level maturity assessment can be undertaken.

17. If all of the work (heavy lifting) is done to achieve level 1, which is deemed to be a
major achievement, what is the incentive to go to further levels of capability? Is it not
a nice-to-have?
a. There is always a cost/benefit trade-off in how high a capability level an organization
wants to achieve and indeed many organizations have focused a lot of their
attention at level 1 because this is a major achievement to show that your processes
are meeting fully their purpose.
b. Level 3 is seen by ISACA as the level that enterprises should aspire to for consistency
in the performance of their processes irrespective of the staff involved.
c. Levels 4 and 5 will depend on the industry and product sector, so for example to
meet a government contract to provide defense technology an organization may be
required to show a level 5 capability, i.e., their processes are optimized.

18. What tools are available to assist assessors in performing these process capability
assessments?
a. ISACA has provided a toolkit for both the assessor and the self-assessment guide.
b. There are also commercial organizations that provide ISO assessment tools both
online and via software download that can be tailored to a specific organization's
needs.