COBIT 5 ISACA

COBIT 5 ISACAs new framework for IT Governance, Risk,

Security and Auditing
An overview

M. Garsoux
COBIT 5 Licensed Training Provider

COBIT 5 ISACA

Introduction
Principles
Processes
Implementation
Supporting Products
Questions

COBIT 5 ISACA

COBIT 5 ISACA

Evolution of scope

Governance of Enterprise IT
IT Governance
Val IT 2.0

Management

(2008)

Control
Risk IT
(2009)

Audit
COBIT1

1996

COBIT2

1998

COBIT3

2000

COBIT4.0/4.1

2005/7

COBIT 5

2012

A business framework from ISACA, at www.isaca.org/cobit

COBIT 5 ISACA

What is CobiT?
Control Objectives for Information and Related Technology (CobiT)
is a set of best practices for Information Technology management
developed by ISACA (Information Systems Audit & Control Association)
and IT Governance Institute
in 1996.
ISACA develops and maintains the internationally recognized COBIT
framework, helping IT professionals and enterprise leaders fulfil their IT
Governance responsibilities while delivering value to the business.
The latest ISACAs globally accepted framework
COBIT 5 is aimed to provide an end-to-end business
view of the governance of enterprise IT that reflects
the central role of IT in creating value for enterprises
5

COBIT 5 ISACA

Information is a key resource for all enterprises.

Information is created, used, retained, disclosed
and destroyed.
Technology plays a key role in these actions.
Technology is becoming pervasive in all aspects of
business and personal life.
What benefits does information and technology
bring to enterprises?
6

COBIT 5 ISACA

Helps enterprises:
Bring Order to Complex
Standards and Frameworks
Extract Value from Information
Chaos
Address all Stakeholders Needs
and Maximize Value of
Corporate Information
Protect and Drive Enterprise
Value

COBIT 5 ISACA

Enterprises and their executives strive to :

Maintain quality information to support business decisions.
Generate business value from IT-enabled investments, i.e.,
achieve strategic goals and realise business benefits through
effective and innovative use of IT.
Achieve operational excellence through reliable and efficient
application of technology.
Maintain IT-related risk at an acceptable level.
Optimise the cost of IT services and technology.

How can these benefits be realized to create

enterprise stakeholder value?
8

COBIT 5 ISACA

COBIT 5 is a comprehensive framework that helps

enterprises to create optimal value from IT by maintaining a
balance between realising benefits and optimising risk levels
and resource use.
COBIT 5 enables information and related technology to be
governed and managed in a holistic manner for the whole
enterprise, taking in the full end-to-end business and
functional areas of responsibility, considering the IT-related
interests of internal and external stakeholders.
The COBIT 5 principles and enablers are generic and useful
for enterprises of all sizes, whether commercial, not-for profit or in the public sector.
9

COBIT 5 ISACA

10

COBIT 5 ISACA

11

COBIT 5 ISACA

Enterprises exist to create value for their stakeholders

12

COBIT 5 ISACA

Stakeholder Value
Delivering enterprise stakeholder value requires good governance
and management of information and technology (IT) assets.
Enterprise boards, executives and management have to embrace
IT like any other significant part of the business.
External legal, regulatory and contractual compliance
requirements related to enterprise use of information and
technology are increasing, threatening value if breached.
COBIT 5 provides a comprehensive framework that assists
enterprises to achieve their goals and deliver value through
effective governance and management of enterprise IT.

13

COBIT 5 ISACA

Goals cascade
Stakeholder needs have to be
transformed into an enterprises
actionable strategy.
The COBIT 5 goals cascade
translates stakeholder needs into
specific, actionable and customised
goals within the context of the
enterprise, IT-related goals and
enabler goals.

14

COBIT 5 ISACA

COBIT 5 entreprise goals

Governance objectives
BSC

Description
F
1.Stakeholder value of business investments
I
N
2.Portfolio of competitive products and services
A
N
3.Managed business risks (safeguarding of assets)
C
I
4.Compliance with external laws and regulations
A
5.Financial transparency
L
6.Customer oriented service culture
C
U
7.Business service continuity and availability
S
T
8.Agile responses to a changing business environment
O
M
9.Information based strategic decision making
E
10.Optimisation of service delivery costs
R
11.Optimisation of business process functionality
I
N
12.Optimisation of business process costs
T
E
13.Managed business change programmes
R
N
14.Operational and staff productivity
A
15.Compliance with internal policies
L
Learning 16.Skilled and motivated people
&Growth 17.Product and business innovation culture

Benefits
P
P

P
P

Risk
P
P
P
S

Resource
S
S
S
S
S

P
P
P
P
P
P
P
P
S
P

P
P
P

S
P
P
P
P
S
P
P

15

COBIT 5 ISACA

COBIT 5 IT-related goals

BSC Description
F 1. Alignment of IT and business strategy
I
N 2. IT compliance and support for business compliance with external laws & regulations
A 3. Commitment of executive management for making IT related decisions
N
C 4. Managed IT related business risks
I
A 5. Realised benefits form IT-enabled investments and services portfolio
L
6. Transparency of IT costs, benefits and risk
C 7. Delivery of IT services in line with business requirements
U
S 8. Adequate use of applications, information and technology structure
T
I
N
T
E
R
N
A
L
L
&G

9. IT agility
10. Security of information, processing infrastructure and applications
11. Optimisation of IT assets, resources and capabilities
12. Enablement and support of business processes by integrating applications and technology
13. Delivery of programme on time, on budget, and meeting requirements and quality standards
14. Availability of reliable and useful information for decision making
15. IT compliance with internal policies
16. Competent and motivated business and IT personnel
17. Knowledge, expertise and initiatives for business innovation

16

COBIT 5 ISACA

Mapping of Enterprise goals into IT-goals

Enterprise Goal

IT -Related Goal
Alignment of IT and
business strategy
Delivery of IT services
Customer 7 in line with business
requirements
Financial 1

Internal

9 IT agility
Competent and
Learning
16 motivated business
and Growth
and IT personnel

Stakeholder Value of Customer - oriented Optimisation of business

Skilled and
Business investments service culture
process functionality
motivated peole
1
6
11
16
Financial
Customer
Internal
Learning and Growth
P

17

COBIT 5 ISACA

Mapping IT goals to processes

IT - Related Goal
Delivery of IT services
Alignment of IT and in line with business
business strategy
requirements
COBIT 5 Process

EDM01

EDM02
Evaluate,
Direct and
Monitor EDM03
EDM0
4

EDM05

Ensure
Governance
Framework
Setting and
Maintenance
Ensure
Benefits
Delivery
Ensure Risk
Optimisation
Ensure
Ressource
Optimisation
Ensure
Stakeholder
Transparency

IT agility

Knowledge, expertise
and initiatives for
business innovation

17

Financial

Customer

Internal

S
S

18

COBIT 5 ISACA

Key components of a
governance system

19

COBIT 5 ISACA

COBIT 5 aligns with the latest relevant other standards and

frameworks used by enterprises:
Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
IT-related: ISO 38500, ITIL, ISO27000 series, TOGAF, PMBOK/PRINCE2,
CMMI
Etc.

This allows the enterprise to use COBIT 5 as the overarching

governance and management framework integrator.
ISACA plans a capability to facilitate COBIT user mapping of
practices and activities to third-party references.
20

COBIT 5 ISACA

COBIT 5 defines a set of enablers to support the

implementation of a comprehensive governance and
management system for enterprise IT.
COBIT 5 enablers are:
Factors that, individually and collectively, influence
whether something will work
Driven by the goals cascade
Described by the COBIT 5 framework in seven
categories
21

COBIT 5 ISACA

22

COBIT 5 ISACA

1. Principles, policies and frameworksAre the vehicle to translate the desired behaviour
into practical guidance for day-to-day management
2. ProcessesDescribe an organised set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT related goals
3. Organisational structuresAre the key decision-making entities in an organisation
4. Culture, ethics and behaviourOf individuals and of the organisation; very often
underestimated as a success factor in governance and management activities
5. InformationIs pervasive throughout any organisation, i.e., deals with all information
produced and used by the enterprise. Information is required for keeping the
organisation running and well governed, but at the operational level, information is very
often the key product of the enterprise itself.
6. Services, infrastructure and applicationsInclude the infrastructure, technology and
applications that provide the enterprise with information technology processing and
services
7. People, skills and competenciesAre linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective
actions

23

COBIT 5 ISACA

Governance ensures that enterprise objectives are

achieved by evaluating stakeholder needs, conditions
and options; setting direction through prioritisation and
decision making; and monitoring performance,
compliance and progress against agreed direction and
objectives (EDM)
Management plans, builds, runs and monitors activities
in alignment with the direction set by the governance
body to achieve the enterprise objectives (PBRM)

24

COBIT 5 ISACA

COBIT 5 is not prescriptive, but it advocates that

organisations implement governance and management
processes such that the key areas are covered, as shown.

25

COBIT 5 ISACA

COBIT 5 brings together the five principles that

allow the enterprise to build an effective
governance and management framework based on
a holistic set of seven enablers that optimises
information and technology investment and use for
the benefit of stakeholders.

26

COBIT 5 ISACA

27

COBIT 5 ISACA

28

COBIT 5 ISACA

29

COBIT 5 ISACA

30

COBIT 5 ISACA

31

COBIT 5 ISACA

32

COBIT 5 ISACA

33

COBIT 5 ISACA

Failed IT initiatives
Rising costs
Perception of low business value
for IT investments
Significant incidents related to IT
risk (e.g. data loss)
Service delivery problems
Failure to meet regulatory or
contractual requirements
Audit findings for poor IT
performance or low service levels
Hidden and/or rogue IT spending

Resource waste through duplication

or overlap in IT initiatives
Insufficient IT resources
IT staff burnout / dissatisfaction
IT enabled changes frequently
failing to meet business needs (late
deliveries or budget overruns)
Multiple and complex IT assurance
efforts
Board members or senior managers
that are reluctant to engage with IT

34

COBIT 5 ISACA

Merger, acquisition or divestiture

Shift in the market, economy or
competitive position
Change in business operating
model or sourcing arrangements
New regulatory or compliance
requirements
Significant technology change or
paradigm shift

An enterprise-wide governance focus

or project
A new CIO, CFO, COO or CEO
External audit or consultant
assessments
A new business strategy or priority

By using pain points or trigger events as the

launching point for IT governance initiatives,
the business case for GEIT improvement can
be related to issues being experienced,
which will improve buy-in to the business
case.

35

COBIT 5 ISACA

36

COBIT 5 ISACA

37

COBIT 5 ISACA

38

COBIT 5 ISACA

39