Itg-253 2.00 Eng Newhorizons Cobit5 Fo Is

CobiT 5 Foundation with Case Study
[ITG-253 v2.00]
T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -1- New Horizons

CobiT 5 Foundation with Case Study (ITG-253 v2.00)
1
Introduction
APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries
Module
Introduction
1 CobiT 5 Foundation with Case Study (ITG-253 v2.00)
Overview modules
Module 1 - Introduction
Module 2 - Overview
Module 3 - Principles
Module 4 - Enablers
Module 5 - Implementation
Module 6 - Process capability
APMG 2012; 2012 ISACA. All Rights Reserved. Slide 2

Module
Introduction
Course schedule
Day 1 Introduction, Principles, Enablers

Day 2 Enablers, Implementation
Day 3 Process capability, exam

Module
Introduction
Facilities

Module
Introduction
Introduce yourself in 1 minute
What is your name?

What is your role?
What are your expectations of
this training?
Tell me something about YOU

Module
Introduction
Purpose of the Cobit 5 Foundation course
Basic knowledge of Cobit 5

Pass the foundation exam
How to use Cobit5 in real life
Share experiences
Have some fun!

Module
Introduction
High level learning outcomes
IT management issues and challenges

The drivers for the development of Cobit 5 framework
The Cobit 5 framework & product family
Cobit 5 key principles
How Cobit 5 enables IT to be governed and managed
Cobit 5 processes and Process Reference Model (PRM)

Module
Introduction
Exam requirements
Exam requirements:
50 questions
40 minutes
50% pass rate
Closed book
Exam preparation:
Approximately hrs
Test questions
Self study

Module
Introduction
Questions?

2
Overview
Module
Overview
Top 10 challenges of the CIO 2013
Business challenges Technology challenges

1. Increasing enterprise growth 1. Analytics and business intelligence
2. Delivering operational results 2. Mobile technologies
3. Reducing enterprise costs
3. Cloud computing (SaaS, IaaS,
4. Attracting and retaining new
PaaS)
customers
5. Improving IT applications 4. Collaboration technologies
and infrastructure (workflow)
6. Creating new products and services 5. Legacy modernization
(innovation) 6. IT management
7. Improving efficiency
7. CRM
8. Attracting and retaining
the workforce 8. Virtualization
9. Implementing analytics and big data 9. Security
10. Expanding into new markets 10. ERP Applications
and geographies
Top 10 challenges of the CIO 2013
Information is the business currency of the 21st century

Information has a life cycle: it is created, used, retained, disclosed and destroyed
Technology plays a key role in these actions
Technology is becoming pervasive in all aspects of business and personal life
Every form of enterprise needs to be able to rely on quality information to support quality
executive decisions.

Module
Overview
Sample: make or making the news?
Source: http://edition.cnn.com/2013/08/14/tech/web/new-york-times
Sample: make or making the news?
IT Management remains an issue for many organizations. Outages still occur. Some examples of
major IT disruptions (with considerable impact on the organization):
ING internet banking failure (feb 2013): ING customers are unable to withdraw money
from ATMs, account balance inquiries show wrong amounts. Big headlines on the TV news,
newspaper, trending topic on Twitter etc. -> Serious loss of business reputation for ING
NYSE Euronext trading impossible. Trading opening postponed for an hour due to technical
errors (6 june 2013)
Failures at Baggage handling systems at opening day of Heathrows T5 terminal (mar 2008):
flights cancelled, serious delays of departures and arrivals, thousands of customers unable to
collect their luggage for days. -> Special report by House of Commons Transport Committee
13 August 2013, the website of the New York Times was down for 3 hours following
scheduled maintenance. Rather then reporting the news (at the time breaking news about the
Egyptian police and army trying to break up protests resulting in reportedly- hundreds of
casualties) the NY Times made the news itself, e.g. on CNN.

Module
Overview
Sample: websites tracking your outages
Source:http://downdetector.com/status/att/archive
Sample: websites tracking your outages
Even if you do not monitor your own performance as a company, your (disgruntled) customers will
do it for you. For instance this website keeps track of the outages of the all problems and outages
of AT&T services in the US.
And do not think its a typically American phenomenon:

allestoringen.be
allestoringen.nl
allestrungen.de
aussieoutages.com
caiutudo.com
canadianoutages.com
detectordefallos.es
detectordefallos.mx
downdetector.co.kr
downdetector.co.uk
downdetector.co.za
downdetector.com

Module
Overview
Governance
Enterprise
Governance
Corporate Business
Governance Governance
(conformance) (performance)
Value creation
Accountability
Resource
Assurance
Utilization
Governance
Definition of enterprise governance: a set of responsibilities and practices exercised by the board
and executive management with the goals of providing strategic direction, ensuring that objectives
are achieved, ascertaining that risks are managed appropriately and verifying that the enterprises
resources are used responsibly.
Conformance is also called corporate governance and covers issues such as board structure, roles
and executive remuneration. Codes and/or standards can generally address this dimension with
compliance being subject to assurance / audit. The conformance view takes a historical view (what
has happened?).
Performance, also called business governance, focuses on strategy and value creation, and on
helping the board make strategic decisions , understand its appetite for risk and its key drivers
of performance and identify its key points of decision making. This is not easy to encorporate in a
business code or standard and subsequently audited. Here typically instruments such as best
practices are widely used. The performance view looks forward (what do we want to happen?).

Module
Overview
Six key assets to govern
1. Human assets
2. Financial assets
3. Physical assets
4. IP assets Governance
5. Information and IT assets of Enterprise
6. Relationship assets IT (GEIT)
Six key assets to govern
Weill and Ross (IT Governance How top performers manage IT decision rights for superior results)

Module
Overview
Governance of enterprise IT
IT Governance (Ross & Weil, 2004): IT Governance is about

specifying the decision rights and accountability framework to
encourage desirable behavior in the use of IT
GEIT (ISACA, 2012): A governance view that ensures
that information and related technology support and enable
the enterprise strategy and the achievement of enterprise
objectives. It also includes the functional governance of
IT, i.e., ensuring that IT capabilities are provided efficiently
and effectively.

Module
Overview
Enterprise IT objectives
Maintain high-quality information to support

business decisions
Generate business value from IT-enabled investments
Achieve operational excellence through the reliable and
efficient application of technology
Maintain IT-related risk at an acceptable level
Optimise the cost of IT services and technology
Comply with ever-increasing relevant laws, regulations,
contractual agreements and policies
Enterprise IT objectives'
Cobit 5 recognises 17 enterprise goals, all contributing to the enterprise objectives. These enterprise
goals will return in the goals cascade in module 2, principle 1 Meeting stakeholder needs.
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity

Module
Overview
Cobit 5
Cobit 5 is a business framework for the governance and

management of enterprise IT
Cobit 5 objective: to support enterprise executives and
management in their definition and achievement of business
goals and related IT goals.
Cobit 5
Requirements to create stakeholder value:

Good governance and management of information and technology (IT) assets.
Enterprise boards, executives and management have to embrace IT like any other significant
part of the business.
External legal, regulatory and contractual compliance requirements related to enterprise use of
information and technology are increasing, threatening value if breached.
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and
deliver value through effective governance and management of enterprise IT.

Module
Overview
Drivers for developing a framework
Provide guidance in areas with high interest

Provide guidance in innovation and emerging technologies
Cover the full end-to-end business and IT functional
responsibilities
Increase control over increasing user-initiated and user-
controlled IT solutions
Drivers for developing a framework
Provide guidance in areas with high interest, such as:

enterprise architecture
Provide guidance in asset and service management
Provide guidance in emerging sourcing and organisation models
A need to provide further guidance in the area of innovation and emerging technologies
this is about creativity, inventiveness
developing new products
making the existing products more compelling to customers and reaching new types
of customers
Innovation also implies streamlining product development, manufacturing and supply
chain processes to deliver products to market with increasing levels of efficiency, speed
and quality.
A need to cover the full end-to-end business and IT functional responsibilities, and a need to
cover all aspects that lead to effective governance and management of enterprise IT, such as
organizational structures, policies, culture, etc., over and above processes.
A need to get better control over increasing user-initiated and user-controlled IT solutions.

Module
Overview
Additional drivers
Improved relationship between business needs and IT objectives;
Better value creation through effective and innovative use of
enterprise IT;
Increased financial return from the governance over enterprise IT by
obtaining the greatest value from investments in technology;
Increased business user satisfaction with IT engagement
and services;
Increased compliance with relevant laws, regulations and policies ;
Connection to, and, where relevant , alignment with, other major
frameworks and standards in the marketplace.
Additional drivers
Connection to, and, where relevant , alignment with, other major frameworks and standards in the
marketplace, such as:
Information Technology Infrastructure Library (ITIL)
The Open Group Architecture Forum (TOGAF)
Project Management Body of Knowledge (PMBOK)
Projects IN Controlled Environments 2 (PRINCE2)
Committee of Sponsoring Organisations (COSO)
International Organization for Standardisation (ISO) standards

Module
Overview
Reasons for developing Cobit 5
Tie together and reinforce all ISACA knowledge assets

with COBIT;
Provide a renewed and authoritative governance and
management framework;
Integrate all other major ISACA frameworks and guidance;
Align with other major frameworks and standards in
the marketplace.
Reasons for developing Cobit 5
Integrate all other major ISACA frameworks and guidance such as:
Val IT
Risk IT
BMIS
ITAF
Board Briefing on IT Governance
Taking Governance Forward

Module
Overview
Benefits of using Cobit 5
Starting point of governance and management activities

Consistency with corporate governance standards
Providing a holistic, integrated and complete view of
governance and management of IT
Focus on stakeholder needs
Coverage of the enterprise from end to end
Encouragement of a common language
Benefits of using Cobit 5
COBIT 5 defines the starting point of governance and management activities with the
stakeholder needs related to enterprise IT.
COBIT 5 is consistent with generally accepted corporate governance standards, and thus
helps to meet regulatory requirements.
COBIT 5 focuses initially on the needs of the stakeholder. One of the key benefits of COBIT
5 is that it is first and foremost a business framework. Business management have something
to enable them to have that business conversation with IT management.
COBIT 5 is a top- down view of business needs that create a goals cascade. This goal
cascade drives the need to meet the expectations of the stakeholder right through the
enterprise.
COBIT 5 also encourages a common language throughout the enterprise so that
stakeholders understand IT and IT meets their business need.

Module
Overview
The evolution of Cobit
Governance of Enterprise IT
IT Governance
BMIS
Evolution
(2010)
Management
Val IT 2.0
(2008)
Control
Risk IT
(2009)
Audit
COBIT1 COBIT2 COBIT3 COBIT4.0/4.1 COBIT5
1996 1998 2000 2005/7 2012
The evolution of Cobit
Control objectives for IT (COBIT)
Inital focus on audit, control and security (remember that ISACA has it roots in assurance ITAF,
CISA and security BMIS , CISM), evolving to management and governance. However Cobit
4.1 was not complete for governance, one also had to include other ISACA models, especially
RiskIT and ValIT.

3
Principles
Module
Principles
5 principles
1. Meeting
Stakeholder
Needs
5. Separating
Governance 2. Covering the
From Enterprise
Management End-to-end
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework

Module
Principles
Principle 1
Meeting stakeholder needs
1. Meeting
Stakeholder
Needs
5. Separating
From Enterprise
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework

Module
Principles
1. Meeting
Stakeholder
Needs
Goals cascade 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Stakeholder Drivers
Step 1
Stakeholder Needs
Benefits Risk Resource
Realisation Optimisation Optimisation
Step 2
Enterprise Goals
Step 3
IT Related Goals
Step 4
Enabler Goals
Goals cascade
Translating the stakeholder needs into enterprise goals requires an actionable strategy.

Module
Principles
1. Meeting
Stakeholder
Needs
Stakeholder needs 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Stakeholder
Needs
Drive
Governance Objective: Value Creation

Stakeholder needs
Enterprises exist to create value for their stakeholders. Consequently, any enterprise commercial
or not-for-profit will have value creation as a governance objective. Value creation means realsing
benefits at an optimal resource cost while optimising risk. Benefits do not necessarily have to be
financial (e.g. revenue or profit). They can also be public service (for government organisations).
An organisation has multiple stakeholders, the most important value for one stakeholder does not
necessarily have to be the most important value for another stakeholder. So many stakeholders, so
many needs. These needs may even be conflicting. Governance has to balance between stakeholder
needs; negotiating and deciding amongst different stakeholders value interests. The governance
system therefore must consider all stakeholders and their respective needs.

Module
Principles
Governance and management questions on IT
Questions of Questions of
internal stakeholders external stakeholders
How do I get value from the use How do I know the enterprises
of IT? operations are secure and reliable?
How do I manage performance How do I know the enterprise is
of IT? compliant with applicable rules
How can I best exploit and regulations?
new technology for new How do I know the enterprise is
strategic opportunities? maintaining an effective system of
How do I best build and structure internal control?
my IT department? etc.
etc.

Module
Principles
1. Meeting
Stakeholder
Needs
Stakeholder needs and enterprise goals 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework

Module
Principles
1. Meeting
Stakeholder
Needs
Cobit 5 enterprise goals structured 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
according to Balanced Score 4. Enabling a

Holistic
Approach
3. Applying a
Single
Integrated
Framework
Card dimensions
Financial Customer
1. Stakeholder value of business investments 6. Customer oriented service culture
2. Portfolio of competitive products and services 7. Business service continuity and availability
3. Managed business risk (safeguarding of assets) 8. Agile responses to a changing business environment
4. Compliance with external laws and regulations 9. Information based strategic decision making
5. Financial transparency 10. Optimisation of service delivery costs
Internal Learning and growth

11. Optimisation of business process functionality 16. Skilled and motivated people
12. Optimisation of business process costs 17. Product and business innovation culture
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies

Module
Principles
1. Meeting
Stakeholder
Needs
Enterprise goals cascade to 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
IT-related goals 4. Enabling a

Holistic
Approach
3. Applying a
Single
Integrated
Framework
Enterprise Goal
Compliance with external
Optimisation of business
Optimisation of business
Compliance with internal

continuity and availability
(safeguarding of assets)
Optimisation of service
Portfolio of competitive
Managed business risk
Financial transparency
products and services
Product and business

business investments
Skilled and motivated

Operational and staff
process functionality
change programmes
laws and regulations
a changing business
Stakeholder value of
Managed business
Customer oriented
Agile responses to
strategic decision
innovation culture
Business service
Information-base
service culture
process costs
delivery costs
environment
productivity
policies
making
people
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Learning and
IT-related Goal Financial Customer Internal
Growth
01 Alignment of IT and business strategy P P S P S P P S P S P S S
IT compliance and support for business compliance with external
02 S P P
Financial
03 Commitment of executive management for making IT-related decisions P S S S S S P S S

04 Managed IT-related business risk P S P S P S S S
05 Realised benefits from IT-enabled investments and services portfolio P P S S S S P S S
06 Transparancy of IT costs, benefits and risk S S P S P P
Customer
07 Delivery of IT services in line with business requirements P P S S P S P S P S S S S
08 Adequate use of applications, information and technology solutions S S S S S S S P S P S S

Internal
09 IT agility S P S S P P S S S P
10 Security of information, processing infrustructure and applications P P P P
Excerpt; for the complete table refer to Appendix B (p. 50) of the
Cobit 5 Framework

Module
Principles
1. Meeting
Stakeholder
Needs
Cobit 5 IT-related goals structured 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
according to BSC dimensions 4. Enabling a

Holistic
Approach
3. Applying a
Single
Integrated
Framework
Financial Customer
1. Alignment of IT and business strategy 7. Delivery of IT services in line with
2. IT compliance and support for business business requirements
compliance with external rules and regulations 8. Adequate use of applications, information and
3. Commitment of executive management for making technology solutions
IT-related decisions
4. Managed IT-related business risk
5. Realised benefits from IT-enabled investments and
services portfolio
6. Transparency of IT costs, benefits and risks
Internal Learning and growth

9. IT agility 16. Competent and motivated business and
10. Security of information, processing infrastructure IT personnel
and applications 17. Knowledge, expertise and initiatives for
11. Optimisation of IT assets, resources and capabilities business innovation
12. Enablement and support of business processes
by integrating applications and technology into
business processes
13. Delivery of programmes delivering benefits, on time, on
budget and meeting requirements and quality standards
14. Availability of reliable and useful information for
decision making
15. IT compliance with internal policies

Module
Principles
1. Meeting
Stakeholder
Needs
IT-related goals mapped to 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
IT-related processes 4. Enabling a

Holistic
Approach
3. Applying a
Single
Integrated
Framework
IT-related Goal
useful information for decision

Adequate use of applications,
processing infrastructure and

for business compliance with
Alignment of IT and business
external laws and regulations
Managed IT-related business
Delivery of IT services in line
deliveriing benefits, on time,

integrating applications and
with business requirements
IT-enabled investments and
information and technology

IT compliance and support
IT compliance with Internal
business and IT personnel

resources and capabilities
Competent and motivated
Knowledge, expertise and

of business processes by
Optimisation of IT assets,
Commitment of executive
Availability of reliable and

Transparency of IT costs,
technology into business

Enablement and support
requirements and quality

management for making
on budget, and meeting

Delivery of programmes
Security of information,
Realised benefits from
initiatives for business

services portfolio
benefits and risk
applications
processes
innovation
standards
solutions
IT agility
strategy
policies
making
risk
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
IT-related Goal Financial Customer Internal Learning and

Growth
Alignment of IT and
EDM01 P S P S S S P S S S S S S S S S
business strategy
IT compliance and
support for business
Evaluate, Direct and Monitor
EDM02 P S P P P S S S S S S P
compliance with external
Commitment of executive
EDM03 management for making S S S P P S S P S S P S S
Managed IT-related
EDM04 S S S S S S S P P S P S
business risk
Realised benefits from

EDM05 IT-enabled investments S S P P P S S S S
and services portfolio
IT-related goals mappedto IT-related processes
Achieving IT-related goals requires the successful application and use of a number of enablers.
The enabler concept is explained in detail in Module 4. Enablers include processes, organisational
structures and information, and for each enabler a set of specific relevant goals can be defined in
support of the IT-related goals.
Processes are one of the enablers, and Cobit 5, a business framework for the governance and
management of enterprise IT (appendix C) contains a mapping between IT-related goals and the
relevant COBIT 5 processes, which then contain related process goals. Similarly goals must be
defined for the other enablers.
[examples, e.g. for organisation structure]

Module
Principles
Exercise 1
Refer to case Paper Inc

Create the goals cascade: from enterprise goals to IT goals
Use the tables in ISACA Cobit 5 Framework
Present your groups findings (10 min.):

Identify relevant stakeholders and their needs
Present the top 3 enterprise goals
Present the most relevant IT goals (max. 5)

Module
Principles
Principle 2
Covering the enterprise end-to-end
1. Meeting
Stakeholder
Needs
5. Separating
From Enterprise
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Principle 2
End-to-end:
Cobit 5 integrates GEIT into enterprise governance
Cobit 5 covers all functions and processes required to govern and manage enterprise
information and related technology wherever the information is processed
Cobit 5 addresses all relevant internal and external IT services as well as internal and external
business processes

Module
Principles
1. Meeting
Stakeholder
Needs
Governance system:key components 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Governance Objective: Value Creation

Governance Governance
Enablers Scope
Roles, Activities and Relationships

Module
Principles
1. Meeting
Stakeholder
Needs
Roles, activities and relationships 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Governance
Instruct and
Delegate Set Direction
Align
Owners and Governing Operations
Management
Stakeholders Body and Execution
Accountable Monitor Report
Management
Roles, activities and relationships
The roles, activities and relationships define

Who is involved in governance?
How are they involved?
What do they do?
How do they interact?
You can see here that principle 5, separating governance from management, is reflected in the roles,
activities and relationships. Governance (the governing body) deals with owners and stakeholders,
management deals with operations and execution.

Module
Principles
Principle 3
Applying a single integrated framework
1. Meeting
Stakeholder
Needs
5. Separating
From Enterprise
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework

Module
Principles
1. Meeting
Stakeholder
Needs
A single integrated framework 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Aligns with other latest relevant standards

and frameworks
Is complete in enterprise coverage
Provides a simple (framework) architecture
Integrates all knowledge previously dispersed over different
ISACA frameworks

Module
Principles
1. Meeting
Stakeholder
Needs
Other standards and frameworks 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
ISO/IEC 38500
ISO/IEC 31000
Align, Plan and Organize TOGAF
ISO/IEC 27000
Prince2/PMBOK
CMMI
Build, Acquire and Implement
ITIL V3 2011 AND ISO/IEC 20000 Monitor,

Evaluate and
Deliver, Service and Support Assess
Other standards and frameworks
ISO/IEC 38500 is the standard for corporate governance of information technology. It is based on
6 principles:
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human behaviour
Comparison with other standards: typically these standards cover parts of one or more of the five
COBIT 5 (process) domains. These domains will be explained in detail in Module 4 Enablers.
ITIL v3 2011 and ISO/IEC 20000

A subset of processes in the Decision, Service and Support (DSS) domain
A subset of processes in the Build, Acquire and Implement (BAI) domain
Some processes in the Align, Plan and Organise (APO) domain
ISO/IEC 27000 series Information security
Security and risk related processes in the Evaluate, Direct and Monitor (EDM) domain

Module
Principles
1. Meeting
Stakeholder
Needs
Cobit 5 product family 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
COBIT 5 (General Documents)
COBIT 5 COBIT 5:
(framework) Assessment program
COBIT 5 Enabler Guides
COBIT 5: COBIT 5: Other

Enabling Processes Enabling Information Guides TBD
COBIT 5 Professional Guides
COBIT 5 COBIT 5 COBIT 5: Other

COBIT 5 for Information for
COBIT 5 Assessment
Implementation
Security Assurance
for Risk
program Guides TBD
Cobit 5 product family
Translations of the COBIT 5 framework are available in Spanish, Chinese, Japanese, German,
Romanian, Russian, Arabic, French, Lithuanian, Hebrew, Thai, Turkish and Italian.

Module
Principles
Principle 4
Enabling a holistic approach
1. Meeting
Stakeholder
Needs
5. Separating
From Enterprise
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework

Module
Principles
1. Meeting
Stakeholder
Needs
COBIT 5 Enablers 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
7 categories of enablers
3. Organizational 4. Culture, Ethics

2. Processes
Structure and Behaviour
1. Principles, Policies and Frameworks
6. Services, 7. People, Skills and

5. Information Infrastructure and Competencies
Applications
Resources
COBIT 5 Enablers
Enablers are factors that, individually and collectively, influence whether something will workin this
case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e.
the enabler goals are based on the IT-related goals (which are based on the enterprise goals refer
to Principle 1: meeting stakeholder needs).
Principles, policies and frameworks are the vehicle to translate the desired behavior into
practical guidance for day-to-day management.
Processes describe an organized set of practices and activities to achieve certain objectives
and produce a set of outputs in support of achieving overall IT-related goals.
Organizational structures are the key decision-making entities in an enterprise.
Culture, ethics and behavior of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
Information is pervasive throughout any organization and includes all information produced
and used by the enterprise. Information is required for keeping the organization running and
well governed, but at the operational level, information is very often the key product of the
enterprise itself.
Services, infrastructure and applications include the infrastructure, technology and
applications that provide the enterprise with information technology processing and services.

Module
Principles
Principle 5
Separating governance from management
1. Meeting
Stakeholder
Needs
5. Separating
From Enterprise
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework

Module
Principles
1. Meeting
Stakeholder
Needs
Governance and management 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Governance
Ensure that stakeholder needs, conditions and options are
evaluated to determine balanced, agreed-on enterprise objectives to
be achieved
setting direction through prioritisation and decision making
Monitoring performance and compliance against agreed-on direction
and objectives
Management:
Plans, builds, runs and monitors activities in alignment with
the direction set by the governance body to achieve the
enterprise objectives

Module
Principles
1. Meeting
Stakeholder
Needs
Governance - Management interaction 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Use the enablers to define governance

management interfaces
Use all enablers to facilitate governance
management interaction
Governance - Management interaction
1. Principles, policies and frameworks: the vehicles to institutionalise governance decisions

2. Process: process interfaces, RACI charts
3. Organisational structures: organisational structures can be in governance or management
space, depending on their composition and scope of decisions
4. Culture, ethics and behavior: Behaviour is set at the top of the organisation, so leading by
example is an important instrument for interaction
5. Information: information exchange between governance and management processes
6. Services, infrastructure and applications: Services are required (supported by applications
and infrastructure) to provide the governance body members with adequate information to
support Evaluate, Direct and Monitor
7. People, skills and competencies: Both governance body members and management have to
understand governance tasks and management tasks (and the difference between these two)

Module
Principles
1. Meeting
Stakeholder
Needs
Governance and management key areas 5. Separating

Governance
From
Management
COBIT 5
Principles
2. Covering the
Enterprise
End-to-end
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Business Needs
Governance Domain
Evaluate
Direct Management Monitor

Feedback
Management
Domain
Plan Build Run Monitor

(APO) (BAI) (DSS) (MEA)
Governance and management key areas
An enterprise can organise its processes as it sees fit, as long as all necessary governance and
management objectives are covered. Smaller enterprises may have fewer processes; larger and
more complex enterprises may have many processes, all to cover the same objectives.
COBIT 5 includes a process reference model. This reference model clearly distinguishes governance
processes and management processes. The processes are grouped in 5 domains.
All governance processes are in the EDM (Evaluate, Direct and Monitor) domain
The management processes are distributed over the 4 PBRM domains: Plan (APO), Build (BAO),
Run (DSS) and Monitor (MEA).
Each domain contains a number of processes.
This will be elaborated in Module 4 Enablers

4
Enablers
Module
Enablers
What is an enabler?
Enablers are factors that, individually and collectively,

influence whether something will work

Module
Enablers
Generic enabler dimensions
Stakeholders
Goals
Life cycle
Good practices
Generic enabler dimensions
Generic enabler dimensions help to:

Provide a common, simple and structured way to deal with enablers
Allow an entity to manage the complex interactions between enablers
Facilitate successful outcomes of the enablers
There a 4 (generic) enabler dimensions:

Stakeholders - Each enabler has stakeholders (parties who play an active role and/or have
an interest in the enabler). For example, processes have different parties who execute process
activities and/or who have an interest in the process outcomes; organisational structures
have stakeholders, each with his/her own roles and interests, that are part of the structures.
Stakeholders can be internal or external to the enterprise, all having their own, sometimes
conflicting, interests and needs. Stakeholders needs translate to enterprise goals, which in
turn translate to IT-related goals for the enterprise.
Goals - Each enabler has a number of goals, and enablers provide value by the achievement
of these goals. Goals can be defined in terms of:
Expected outcomes of the enabler
Application or operation of the enabler itself

Module
Enablers
Enabler performance management
}
Are stakeholder needs addressed? Lag
Are enabler goals achieved? indicators
Is the enabler life cycle managed?

Are good practices applied? } Lead
indicators
Enabler performance management
Enterprises expect positive outcomes from the application and use of enablers. To manage
performance of the enablers, the
following questions will have to be monitored and thereby subsequently answeredbased on

metricson a regular basis:
Are stakeholder needs addressed?
Are enabler goals achieved?
Is the enabler life cycle managed?
Are good practices applied?
The first two bullets deal with the actual outcome of the enabler. They are also called outcome
measures and represent the consequences of actions previously taken. Outcome measures
frequently focus on results at the end of a time period and characterize historical performance. They
are also referred to as key goal indicators (KGIs) and are used to indicate whether goals have been
met. These can be measured only after the fact and, therefore, are called lag indicators.
The last two bullets deal with the actual functioning of the enabler itself. They are also called
performance drivers and are measures that are considered the drivers of the lag indicators. They
can be measured before the outcome is clear and, therefore, are called lead indicators. There is
an assumed relationship between the two that suggests that improved performance in a leading

Module
Enablers
Enablers overview
Enabler Dimension
Stakeholder Goals ,IFE#YCLE Good Practices

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0RACTICES
Stakeholders s#ONTEXTUAL1UALITY s$ESIGN s7ORK0RODUCTS
s%XTERNAL (Relevance, s"UILD!CQUIRE )NPUTS/UTPUTS
Stakeholders %FFECTIVENESS #REATE)MPLEMENT
s!CCESSIBILITYAND s5SE/PERATE
3ECURITY s%VALUATE-ONITOR
s5PDATE$ISPOSE
Enabler Performance
Are Stakeholders
Are Enabler Goals )S,IFE#YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
Metrics for Application of Goals Metrics for Application of Practice

,AG)NDICATORS ,EAD)NDICATORS

Module
Enablers
7 categories of enterprise enablers

2. Processes

Applications
Resources
7 categories of enterprise enablers
Enablers are factors that, individually and collectively, influence whether something will workin this
case, governance and management over enterprise IT. Enablers are driven by the goals cascade,
i.e., higher-level IT-related goals define what the different enablers should achieve.
Principles, policies and frameworks are the vehicle to translate the desired behavior into
practical guidance for day-to-day management.
Processes describe an organized set of practices and activities to achieve certain objectives
and produce a set of outputs in support of achieving overall IT-related goals.
Organizational structures are the key decision-making entities in an enterprise.
Culture, ethics and behavior of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
Information is pervasive throughout any organization and includes all information produced
and used by the enterprise. Information is required for keeping the organization running and
well governed, but at the operational level, information is very often the key product of the
enterprise itself.
Services, infrastructure and applications include the infrastructure, technology and
applications that provide the enterprise with information technology processing and services.
People, skills and competencies are linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective actions.

Module
Enablers

2. Processes
Enabler 1: Principles, policies & 5. Information

6. Services,
Infrastructure and
7. People, Skills and
Competencies
frameworks
Applications
Resources
Enabler Dimension

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0RACTICES #ONTROL
Stakeholders s#ONTEXTUAL1UALITY s$ESIGN Framework,
s%XTERNAL (Relevance, s"UILD!CQUIRE 0RINCEIPLES0OLICY
#REATE)MPLEMENT
Stakeholders %FFECTIVENESS s5SE/PERATE Framework,
s!CCESSIBILITYAND s%VALUATE-ONITOR 3COPE6ALIDITY
3ECURITY s5PDATE$ISPOSE s7ORK0RODUCTS
)NPUTS/UTPUTS
0OLICY3TATEMENTS
Enabler Performance
Are Stakeholders
Management
Needs
Addressed?

Enabler 1:Principles, policies & frameworks
Links and relationships between principles, policies and frameworks and other enablers:
Principles, policies and frameworks reflect the culture, ethics and values of the enterprise.
They influence and direct behavior.
Processes are the most important vehicle for executing policiesExamples: architectural
policies (defined in
Organizational structures can define and implement policies
Policies are part of information

Module
Enablers

2. Processes
Stakeholders 5. Information
6. Services,
Infrastructure and
Competencies
Applications
Resources
Internal stakeholders
Board
Executive management
Compliance officers
Risk managers
External stakeholders
Regulatory agencies
Shareholders
Service providers and customers
External auditors
Stakeholders
Stakeholders for principles and policies can be internal and external to the enterprise.
The stakes are twofold: Some stakeholders define and set policies, others have to align to, and
comply with, policies.

Module
Enablers

2. Processes
Goals 5. Information
6. Services,
Infrastructure and
Competencies
Applications
Resources
Communicate the rules of the enterprise
Policies &RAMEWORKS
Principles s#OMPREHENSIVE
s%FFECTIVE
s,IMITEDINNUMBER s/PENFLEXIBLE
s%FFICIENT
s3IMPLE s#URRENT
s.ON INTRUSIVE
s!VAILABLEACCESSIBLE
$ECISIONMAKING
Goals
Principles, policies and frameworks are instruments to communicate the rules of the enterprise,
in support of the governance objectives and enterprise values, as defined by the board and
executive management.
Principles need to be:

Limited in number
Put in simple language, expressing as clearly as possible the core values of the enterprise
Policies provide more detailed guidance on how to put principles into practice and they influence
how decision making aligns with the principles. Good policies are:
EffectiveThey achieve the stated purpose.
EfficientThey ensure that principles are implemented in the most efficient way.
Non-intrusiveThey appear logical for those who have to comply with them, i.e., they do not
create unnecessary resistance.
Example:
Principle: We want to be an independent company, avoiding interdependence on other companies

such as suppliers
Policy (sourcing policy): We pursue a deliberate multi-vendor policy to prevent vendor lock-in.

Module
Enablers

2. Processes
Life cycle 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Agenda setting
Monitoring Analysis
Implementation Policy creation
Life cycle
Policies have a life cycle that has to support the achievement of the defined goals. Frameworks are
key because they provide a structure to define consistent guidance. For example, a policy framework
provides the structure in which a consistent set of policies can be created and maintained, and it
also provides an easy point of navigation within and between individual policies.
Depending on the external environment in which the enterprise operates, there can be varying
degrees of regulatory requirements for strong internal control and, as a consequence, a strong policy
framework. A key attention point to be taken into account regarding frameworks and policies is the
currency of policiesIf and when policies are reviewed and updated, are there strong mechanisms in
place to ensure that people are aware of these updates, that the newest version is easily accessible
(see previous point), and that obsolete information is properly archived or disposed?
Agenda setting: there may be a need to consult on issues that for the engagement purposes
are still at an 'open-ended' stage, in that the consultation owners do not want the dialogue to
be shaped by specific policy statements.
Analysis: Define the agenda, state a position relating to the items on that agenda, and seek
evidence and knowledge from others.
Creating the policy: There is a draft document for formal consultation, potentially greater
need to target and identify specific stakeholders/participants, and possibly with options to be
assessed in more detail e.g. through simulation of decision-making, or risk analysis.

Module
Enablers

2. Processes
Good practices 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Well-defined scope of policies and frameworks

Consequences of failing to comply with the policy
How to handle exceptions?
Monitor, review, revalidate and revise policies
Good practices
Policies should be part of an overall governance and management framework, providing a

(hierarchical) structure into which all policies fit and clearly make the link to the underlying principles.
As part of the policy framework, the following items need to be described:

Scope and validity
The consequences of failing to comply with the policy
The means for handling exceptions
The manner in which compliance with the policy will be checked and measured
Generally recognized governance and management frameworks can provide valuable guidance on
the actual statements to be included in policies.
Policies should be aligned with the enterprises risk appetite. Policies are a key component of an
enterprises system of internal control, whose purpose it is to manage and contain risk. As part of
risk governance activities, the enterprises risk appetite is defined, and this risk appetite should be
reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise.
Policies need to be revalidated and/or updated at regular intervals.

Module
Enablers

2. Processes
Relationships with other enablers 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources

2. Processes

Applications
Resources
Relationships with other enablers
The links with other enablers include:

Principles, policies and frameworks should reflect the culture and ethical values of the
enterprise, and they should encourage the desired behaviour; hence, there is a strong link with
the culture, ethics and behaviour enabler.
Process practices and activities are the most important vehicle for executing policies.
Organisational structures can define and implement policies within their span of control, and
their activities are also defined by policies.
Policies are also information, so all good practices applying to information apply to policies
as well.

Module
Enablers

2. Processes
Enabler 2: Processes 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Enabler Dimension

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0ROCESS0RACTICES
Stakeholders s#ONTEXTUAL1UALITY s$ESIGN Activities,
s%XTERNAL (Relevance, s"UILD!CQUIRE Detailed Activities
#REATE)MPLEMENT
Stakeholders %FFECTIVENESS s5SE/PERATE s7ORK0RODUCTS
s!CCESSIBILITYAND s%VALUATE-ONITOR )NPUTS/UTPUTS
3ECURITY s5PDATE$ISPOSE
Generic Practices for
Processes
Enabler Performance
Are Stakeholders
Management
Needs
Addressed?


Module
Enablers

2. Processes
Cobit 5 definition of process 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
A process is defined as a collection of practices influenced by

the enterprises policies and procedures that takes inputs from a
number of sources (including other processes), manipulates the
inputs and produces outputs (e.g., products, services).
Inputs Activities Outputs
Feedback

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Board
Management (all levels)
Staff
Customers
Business partners
Service providers
Stakeholders
Processes have internal and external stakeholders, with their own roles; stakeholders and their
responsibility levels are documented in RACI charts.
External stakeholders may include customers, business partners (especially when producing goods
and/or services in a value chain e.g. companies such as Nike, car manufacturers etc.), service
providers (especially when IT and/or business process are outsourced) and regulators.
Internal stakeholders may include the board, management, staff and volunteers.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Process goals describe the desired outcome of a process

SMART metrics are defined to measure the extent to which
goals are achieved
Goals
Process goals are defined as a statement describing the desired outcome of a process. An outcome
can be an artefact, a significant change of a state or a significant capability improvement of other
processes. They are part of the goals cascade, i.e., process goals support IT-related goals, which in
turn support enterprise goals.
At each level of the goals cascade, hence also for processes, metrics are defined to measure the
extent to which goals are achieved. Metrics can be defined as a quantifiable entity that allows
the measurement of the achievement of a process goal. Metrics should be SMARTspecific,
measurable, actionable, relevant and timely.
To manage the enabler effectively and efficiently, metrics need to be defined to measure the
extent to which the expected outcomes are achieved. In addition, a second aspect of performance
management of the enabler describes the extent to which good practice is applied. Here also,
associated metrics can be defined to help with the management of the enabler.

Module
Enablers

2. Processes
Process goal categories 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Intrinsic goals
Contextual goals
Accessibility and security goals
Process goal categories
Intrinsic goals Does the process have intrinsic quality? Is it accurate and in line with good
practice? Is it compliant with internal and external rules?
Contextual goals Is the process customised and adapted to the enterprises specific situation?
Is the process relevant, understandable, easy to apply?
Accessibility and security goals The process remains confidential, when required, and is
known and accessible to those who need it.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Defined Created Operated Monitored Retired
Adjusted
Life cycle
Life cycle Each process has a life cycle. It is defined, created, operated, monitored, and adjusted/
updated or retired. Generic process practices such as those defined in the COBIT process
assessment model based on ISO/IEC 15504 can assist with defining, running, monitoring and
optimising processes.
In this case, the process managers would need to design and define the process first. They can
use several elements from COBIT 5: Enabling Processes to design processes, i.e., to define
responsibilities and to break the process down into practices and activities, and define process
work products (inputs and outputs). In a later stage, the process needs to be made more robust and
efficient, and for that purpose the process managers can raise the capability level of the process. The
ISO/IEC 15504-inspired COBIT 5 Process Capability Model and the process capability attributes
can be used for that purpose such as:
Process capability level 2 requires the achievement of two attributes: Performance
Management and Work Product Management. The first attribute requires a number of
planning-phase-related activities:
Objectives for the performance of the process are defined.
Performance of the process is planned.
Responsibilities for performing the process are defined.
Resources are identified.
Etc.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
For each process a complete set of high-level requirements

is available
For each process the activities are defined as key governance
practices or key management practices
Detailed activities can be obtained from good practices such
as ITIL, ISO/IEC 27000, PRINCE2 etc.
Good practices
Practices:
For each COBIT 5 process, the governance/management practices provide a complete set of
high-level requirements for effective and practical governance and management of enterprise
IT. They are:
Statements of actions to deliver benefits, optimise the level of risk and optimise the use
of resources
Aligned with relevant generally accepted standards and good practices
Generic and therefore needing to be adapted for each enterprise
Covering business and IT role players in the process (end-to-end)
The enterprise governance body and management need to make choices relative to these
governance and management practices by:
Selecting those that are applicable and deciding on those that will be implemented
Adding and/or adapting practices where required
Defining and adding non-IT-related practices for integration in business processes
Choosing how to implement them (frequency, span, automation, etc.)
Accepting the risk of not implementing those that may apply

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Good practices
How to use the RACI chart?

R (Responsible) who is getting the tasks done? This can be one or a number of roles
A (Accountable) who accounts for the success of the tasks? There can only be one
role responsible
C (Consulted) who must be consulted prior to decision making and/or performing a task?
I (Informed) who must be informed after the decision has been made and/or the tasks
were performed?

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources

Module
Enablers

2. Processes
The COBIT 5 Process Reference Model 5. Information

6. Services,
Infrastructure and
Competencies
(PRM)
Applications
Resources
Business Needs
Governance Domain
Evaluate
Direct Management Monitor

Feedback
Management
Domain
Plan Build Run Monitor

(APO) (BAI) (DSS) (MEA)
The COBIT 5 Process Reference Model (PRM)
One of the guiding principles in COBIT is the distinction made between governance and management.
In line with this principle, every enterprise would be expected to implement a number of governance
processes and a number of management processes to provide comprehensive governance and
management of enterprise IT.
When considering processes for governance and management in the context of the enterprise, the
difference between types of processes lies within the objectives of the processes:
Governance processes Governance processes deal with the stakeholder governance
objectivesvalue delivery, risk optimisation and resource optimisationand include practices
and activities aimed at evaluating strategic options, providing direction to IT and monitoring
the outcome (EDMin line with the ISO/IEC 38500 standard concepts).
Management processes In line with the definition of management, practices and activities
in management processes cover the responsibility areas of PBRM (an evolution of the COBIT
4.1 domains) enterprise IT, and they have to provide end-to-end coverage of IT.
Although the outcome of both types of processes is different and intended for a different audience,
internally, from the context of the process itself, all processes require planning, building or
implementation, execution and monitoring activities within the process.

Module
Enablers

2. Processes
The COBIT 5 Process Reference Model 5. Information

6. Services,
Infrastructure and
Competencies
(PRM)
Applications
Resources
Process for Governance of Enterprise IT

EDM01 EDM02 EDM05
Ensure Governance Ensure Benefits EDM03 EDM04 Ensure Stakeholder
Framework Setting Delivery Ensure Risk Ensure Resource
Transparency
and Maintenancce Optimisation Optimisation
Align, Plan and Organize Monitor, Evaluate and

APO01 APO03 Assess
Manage the IT
APO02 Manage Enterprise
APO04 APO05 APO06 APO07
Manage Strategy Manage Innovation Manage Portfolio Manage Budget Manage Human
Management Architecture MEA01
and Costs Resources
Framework Monitor, Evaluate and
Assess Performance and
APO08 APO09 APO10 APO11 APO12 APO13 Conformance
Manage Manage Service Manage Suppliers
Manage Quality Manage Risk Manage Security
Relationships Agreements
Build, Acquire and Implement

BAI01 BAI02 BAI03 BAI04 BAI05 BAI07
Manage Manage Manage Solutions Manage Availability Manage Organizational BAI06 Manage
Programmes and Requirements Identification and Build and Capacity Change Enablement Manage Change Acceptance and MEA02
Projects Definitions Transitioning Monitor, Evaluate and
BAI09 Assess the System of
BAI08 Manage
BAI10 Internal Control
Manage Manage
Requirements
Knowledge Configuration
Definition
Deliver, Service and Support MEA03

DSS01 DSS02 DSS04 DSS06 Monitor, Evaluate and
Manage Service DSS03 DSS05 Manage Business Assess Compliance With
Manage Operations Manage Continuity Manage Security
Requests and Manage Problems Process Control External Requirements
Services
Incidents
Processes for Management of Enterprise IT

Module
Enablers

2. Processes
Relationships with other enablers 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources

2. Processes

Applications
Resources
Relationships with other enablers
Links between processes and the other enabler categories exist through the following relationships:
Processes need information (as one of the types of inputs) and can produce information (as a
work product)
Processes need organisational structures and roles to operate, as expressed through RACI
charts (e.g. IT steering committee, enterprise risk committee, board, audit, CIO, CEO)
Processes produce, and also require, service capabilities (infrastructure, applications, etc.)
Processes can, and will, depend on other processes
Processes produce, or need, policies and procedures to ensure consistent implementation
and execution
Cultural and behavioural aspects determine how well processes are executed

Module
Enablers

2. Processes
Enabler 3: Organisational structures 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Enabler Dimension

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0RACTICES /PERATING
Stakeholders s#ONTEXTUAL1UALITY s$ESIGN Principles, Span of
s%XTERNAL (Relevance, s"UILD!CQUIRE #ONTROL3COPE ,EVEL
#REATE)MPLEMENT OF!UTHORITY$ELEGATION
Stakeholders %FFECTIVENESS s5SE/PERATE OF!UTHORITY%SCALATION
s!CCESSIBILITYAND s%VALUATE-ONITOR 0ROCEDURES
3ECURITY s5PDATE$ISPOSE s7ORK0RODUCTS
)NPUTS/UTPUTS
Decisions
Enabler Performance
Are Stakeholders
Management
Needs
Addressed?


Module
Enablers

2. Processes
Roles/structures 5. Information
6. Services,
Infrastructure and
Competencies
Applications
Resources
Roles/structures
The organisation structure includes more than the org chart.
In addition organisational sub-entities (such as business units, departments or teams), decision

making bodies such as Boards and Committees are also part of the organisation structure.
According to Mintzberg the organisation structure is the sum total of the ways in which the
organisation divides its labour into distinct tasks and then achieves coordination among them.
The organisation then has 5 coordination mechanisms to form the organisation structure:
Mutual adjustment
Direct supervision
Standardisation of processes
Standardisation of output
Standardisation of skills
Some of these mechanisms are more suited to a certain stage in the organisation (structure)
life cycle.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Individual members of the structure
Organisational entities (e.g. departments, business units etc.)
Staff
Customers
Business partners
Service providers
Stakeholders
Stakeholders Organisational structures stakeholders can be internal and external to the

enterprise, and they include the individual members of the structure, other structures, organisational
entities, clients, suppliers and regulators.
Their roles vary, and include decision making, influencing and advising. The stakes of each of the
stakeholders also vary, i.e., what interest do they have in the decisions made by the structure?

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Proper mandate
Well-defined operating principles
(application of good practices)

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Organisation life cycle

Entrepreneurial stage -> Crisis: Need for leadership
Collectivity stage -> Crisis: Need for delegation
Formalization stage -> Crisis: Too much red tape
Elaboration stage -> Crisis: Need for revitalization
Different stages in the organisational life require different
organisation structures
Source: R.L. Daft, Organizational theory and design, 2006
Life cycle
Daft (2007) distinguishes four stages in the organisational life cycle:

1. Entrepreneurial stage
2. Collectivity stage
3. Formalization stage
4. Elaboration stage
Different structures are typically used during each stage in the organisational life cycle:
Entrepreneurial stage: organization is informal and non-bureaucratic. Control is based on the
owners personal supervision. Creativity causes growth. Crisis: Need for leadership. As the
organization starts to grow, the larger number of employees causes problems. Entrepreneurs
must either adjust the structure of the organization to accommodate continued growth or else
bring in strong managers.
Collectivity stage: the provision of clear direction causes growth. Crisis: the need for
delegation with control. Lower-level employees find themselves restricted by the strong
top-down control. The organization needs to find mechanisms to control and coordinate
departments without direct supervision from the top.
Formalisation stage: he addition of internal systems (rules, procedures and control systems)
causes growth. Crisis: Too much red tape. The organization seems bureaucratized. Middle

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Operating principles
Composition
Span of control
Level of authority / decision rights
Delegation of authority
Escalation procedures
Good practices
A number of good practices for organisational structures can be distinguished such as:
Operating principlesThe practical arrangements regarding how the structure will operate,
such as frequency of meetings, documentation and housekeeping rules
CompositionStructures have members, who are internal or external stakeholders.
Span of controlThe boundaries of the organisational structures decision rights
Level of authority/decision rightsThe decisions that the structure is authorised to take
Delegation of authorityThe structure can delegate (a subset of) its decision rights to other
structures reporting to it.
Escalation proceduresThe escalation path for a structure describes the required actions in
case of problems in making decisions.

Module
Enablers

2. Processes
Relationship withother enablers 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources

2. Processes

Applications
Resources
Relationship withother enablers

RACI charts link process activities to organisational structures and/or individual roles in the
enterprise. They describe the level of involvement of each role for each process practice.
Culture, ethics and behaviour determine the efficiency and effectiveness of organisational
structures and their decisions. Organisations with an extensive, multi layered hierarchy will fail
when the culture of the organisation is entrepreneurial and rather informal.
People, skills and competencies: composition of organisational structures should take into
account and require the appropriate skill set of its members, e.g. an organization with highly
skilled, relatively autonomous professionals requires a different organisation structure than a
blue collar factory-like set-up with strict and standardised processes, procedures.
The mandate and operating principles of organisational structures are guided by the policy
framework in place (Principles, policies and frameworks)
A structure, especially the decision making bodies there-in, requires inputs (typically
information) before it can make decisions, and it produces outputs, e.g., decisions, other
information, or requests for additional inputs.

Module
Enablers

2. Processes
Enabler 4: Culture, ethics and behaviour 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Enabler Dimension

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0RACTICES
Stakeholders s#ONTEXTUAL1UALITY s$ESIGN #OMMUNICATION
s%XTERNAL (Relevance, s"UILD!CQUIRE - Enforcement
#REATE)MPLEMENT )NCENTIVESAND2EWARDS
Stakeholders %FFECTIVENESS s5SE/PERATE !WARENESS
s!CCESSIBILITYAND s%VALUATE-ONITOR 2ULESAND.ORMS
3ECURITY s5PDATE$ISPOSE #HAMPIONS
s7ORK0RODUCTS
)NPUTS/UTPUTS
Enabler Performance
Are Stakeholders
Management
Needs
Addressed?


Module
Enablers

2. Processes
Culture drives behaviour 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Visible organisational
structures and processes (hard Artefacts
to decipher)
Strategies, goals, philosophies Espoused beliefs

(espoused justifications) and values
Unconscious, taken-for-granted
beliefs, perceptions, thoughts Underlying
and feelings (ultimate source of assumptions
values and actions)
Source: E.H. Schein, Organizational culture and leadership, 2004
Culture drives behaviour
The culture of a group can be defined as a pattern of shared basic assumptions that was learned
by a group as it solved its problems of external adaptation and internal integration, that has worked
well enough to be considered valid and, therefore, to be taught to new members as the correct
way to perceive, think, and feel in relation to those problems. (Schein, Organizational culture and
leadership, 2004).
Behaviour is derivative, not central. The above definition of culture emphasises that (overt)
behaviour is always determined both by the he cultural predisposition (the perceptions, thoughts,
and feelings that are patterned) and by the situational contingencies that arise from the immediate
external environment.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Executive and non-executive board members
HR Managers
Remuneration board
All organisation members

External auditors
Regulatory agencies
Stakeholders
As with Principles, policies and frameworks the stakes are twofold: some stakeholders, e.g.,
legal officers, risk managers, HR managers, remuneration boards and officers, deal with defining,
implementing and enforcing desired behaviours, and others have to align with the defined rules
and norms.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Behaviour drives culture
Behaviour towards
taking risk
Behaviour towards Individual

following policy behaviours
Behaviour towards Organisational

Individual ethics
negative outcomes culture
Organisational
ethics
Goals
Goals for the culture, ethics and behaviour enabler relate to:
Organisational ethics, determined by the values by which the enterprise wants to live
Individual ethics, determined by the personal values of each individual in the enterprise and
depending to an important extent on external factors such as religion, ethnicity, socioeconomic
background, geography and personal experiences
Individual behaviours, which collectively determine the culture of an enterprise. Many
factors, such as the external factors mentioned above, but also interpersonal relationships in
enterprises, personal objectives and ambitions, drive behaviours. Some types of behaviours
that can be relevant in this context include:
Behaviour towards taking risk - How much risk does the enterprise feel it can absorb and
which risk is it willing to take?
Behaviour towards following policy - To what extent will people embrace and/or comply
with policy?
Behaviour towards negative outcomes - How does the enterprise deal with negative
outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to
adjust, or will blame be assigned without treating the root cause?

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
As an organisation progresses through the organisation life

cycle, the culture needs to change accordingly
Therefore plan, design, implement, evaluate and adapt the
culture constantly.
Life cycle
An organisational culture, ethical stance and individual behaviours, etc., all have their life cycles.
Starting from an existing culture, an enterprise can identify required changes and work towards their
implementation. Several toolsdescribed in the good practicescan be used.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Communicate the desired behaviour

Create awareness of the desired behaviour
Incentivise the desired behaviour
Instate rules and norms to guide the desired behaviour
Good practices
Good practices for creating, encouraging and maintaining desired behaviour throughout the
enterprise include:
Communication throughout the enterprise of desired behaviours and the underlying
corporate values
Awareness of desired behaviour, strengthened by the example behaviour exercised by senior
management and other champions
Incentives to encourage and deterrents to enforce desired behaviour. There is a clear link
between individual behaviour and the HR reward scheme that an enterprise puts in place.
Rules and norms, which provide more guidance on desired organisational behaviour. This links
very clearly to the principles and policies that an enterprise puts in place.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources

2. Processes

Applications
Resources
Relationship withother enablers

Processes can be designed to a level of perfection, but if the stakeholders of the process do
not wish to execute the process activities as intendedi.e., if their behaviour is one of non-
complianceprocess outcomes will not be achieved.
Likewise, organisational structures can be designed and built according to the textbook,
but if their decisions are not implementedfor reasons of different personal agendas, lack of
incentives, etc.they will not result in decent governance and management of enterprise IT.
Principles and policies are a very important communication mechanism for corporate values
and the desired behaviour.

Module
Enablers

2. Processes
Exercise 2 5. Information
6. Services,
Infrastructure and
Competencies
Applications
Resources
Based on the defined IT-related goals (exercise 1):

Define the enabler goals for the 4 enablers covered so far
Describe the how you can use these enablers to reinforce
one another

Module
Enablers

2. Processes
Enabler 5: Information 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Enabler Dimension

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0RACTICES $EFINE)NFORMATION!TTRIBUTES
Stakeholders s#ONTEXTUAL1UALITY s$ESIGN 0HYSICAL#ARRIER-EDIA
s%XTERNAL (Relevance, s"UILD!CQUIRE %MPIRICAL5SER)NTERFACE
Stakeholders %FFECTIVENESS #REATE)MPLEMENT 3YNTACTIC,ANGUAGE&ORMAT
s!CCESSIBILITYAND s5SE/PERATE 3EMANTIC-EANING 4YPE#URRENCY
3ECURITY s%VALUATE-ONITOR ,EVEL
s5PDATE$ISPOSE 0RAGMATIC5SE )NCLUDES2ETENTION
3TATUS#ONTINGENCY.OVELTY
3OCIAL#ONTEXT
Enabler Performance
Are Stakeholders
Management
Needs
Addressed?


Module
Enablers

2. Processes
The information cycle 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources
Generate and Business Process

Process Drive
IT Processes
Data Value
Information Knowledge
Transform Transform Create
The information cycle
Information can be considered as being one stage in the information cycle of an enterprise. In
the information cycle business processes generate and process data, transforming them into
information and knowledge, and ultimately generating value for the enterprise. The scope of the
information enabler mainly concerns the information phase in the information cycle, but the aspects
of data and knowledge are also covered in COBIT 5.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Categories of roles:
Specific data or information roles
Generic roles (meta level)
Stakeholders
Can be internal or external to the enterprise. The generic model also suggests that, apart from
identifying the stakeholders, their stakes need to be identified, i.e., why they care or are interested
in the information. With respect to which information stakeholders exist, different categories of roles
in dealing with information are possible, ranging from detailed proposalse.g., suggesting specific
data or information roles such as architect, owner, steward, trustee, supplier, beneficiary, modeller,
quality manager, security managerto more general proposalsfor instance, distinguishing amongst
information producers, information custodians and information consumers:
Information producer, responsible for creating the information
Information custodian, responsible for storing and maintaining the information
Information consumer, responsible for using the information
These categories refer to specific activities with regard to the information resource. Activities
depend on the life cycle phase of the information; therefore, to find a category of roles that has
an appropriate level of granularity for the IM, the information life cycle dimension of the IM can be
used. This means that information stakeholder roles can be defined in terms of information life cycle
phases, e.g., information planners, information obtainers, information users.
At the same time, this means that the information stakeholder dimension is not an independent
dimension; different life cycle phases have different stakeholders.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Intrinsic quality
accuracy, objectivity, believability, reputation
Contextual and representational quality:
relevancy, completeness, currency, appropriate amount
of information, concise, consistent, interpretability,
understandability, ease of manipulation
Security / accessibility quality:
availability / timeliness, restricted access
Goals
The goals of information are divided into three subdimensions of quality:

Intrinsic quality The extent to which data values are in conformance with the actual or true
values. It includes:
Accuracy The extent to which information is correct and reliable
Objectivity The extent to which information is unbiased, unprejudiced and impartial
Believability The extent to which information is regarded as true and credible
Reputation The extent to which information is highly regarded in terms of its source
or content
Contextual and representational quality The extent to which information is applicable
to the task of the information user and is presented in an intelligible and clear manner,
recognising that information quality depends on the context of use. It includes:
Relevancy The extent to which information is applicable and helpful for the task at hand
Completeness The extent to which information is not missing and is of sufficient depth
and breadth for the task at hand
Currency The extent to which information is sufficiently up to date for the task at hand
Appropriate amount of information The extent to which the volume of information is
appropriate for the task at hand

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Plan
Design
Build / acquire / create / implement
Use / operate
Store
Share
Use
Evaluate / monitor
Update / dispose
Life cycle
The full life cycle of information needs to be considered, and different approaches may be required
for information in different phases of the life cycle. The COBIT 5 information enabler distinguishes
the following phases:
Plan The phase in which the creation and use of the information resource is prepared.
Activities in this phase may refer to the identification of objectives, the planning of the
information architecture, and the development of standards and definitions, e.g., data
definitions, data collection procedures.
Design
Build/acquire/Create/Implement The phase in which the information resource is
acquired. Activities in this phase may refer to the creation of data records, the purchase of
data and the loading of external files.
Use/operate, which includes:
Store The phase in which information is held electronically or in hard copy (or even
just in human memory). Activities in this phase may refer to the storage of information in
electronic form (e.g., electronic files, databases, data warehouses) or as hard copy (e.g.,
paper documents).
Share The phase in which information is made available for use through a distribution
method. Activities in this phase may refer to the processes involved in getting the

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Define properties of information (on 6 layers)

1. Physical world layer
2. Empiric layer
3. Syntactic layer
4. Semantic layer
5. Pragmatic layer
6. Social world layer
Investments in information and related technology are based

on business cases
Good practices
Cobit 5 distinguishes six levels or layers to define and describe properties of information. These
six levels present a continuum of attributes, ranging from the physical world of information, where
attributes are linked to information technologies and media for information capturing, storing,
processing, distribution and presentation, to the social world of information use, comprehension
and action.
Physical world layer: The world where all phenomena that can be empirically observed
take place
Information carrier/media The attribute that identifies the physical carrier of the
information, e.g., paper, electric signals, sound waves
Empiric layer: The empirical observation of the signs used to encode information and their
distinction from each other and from background noise
Information access channel The attribute that identifies the access channel of the
information, e.g., user interfaces
Syntactic layer The rules and principles for constructing sentences in natural or artificial
languages. Syntax refers to the form of information.
Code/language Attribute that identifies the representational language/format used for
encoding the information and the rules for combining the symbols of the language to form
syntactic structures.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources

2. Processes

Applications
Resources

Module
Enablers

2. Processes
Enabler 6: Services, infrastructure 5. Information

6. Services,
Infrastructure and
Competencies
and applications
Applications
Resources
Enabler Dimension

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0RACTICES Definition of
Stakeholders s#ONTEXTUAL1UALITY s$ESIGN !RCHITECTURE0RINCIPLES
s%XTERNAL (Relevance, s"UILD!CQUIRE !RCHITECTURE6IEWPOINTS
Stakeholders %FFECTIVENESS #REATE)MPLEMENT 3ERVICE,EVELS
Applications, s5SE/PERATE s7ORK0RODUCTS
)NFRASTRUCTURE s%VALUATE-ONITOR )NPUTS/UTPUTS
4ECHNOLOGY3ERVICE s5PDATE$ISPOSE 2EFERENCE2EPOSITORY
,EVELS !RCHITECTURE4ARGET
s!CCESSIBILITYAND3ECURITY 4RANSITION"ASELINE
Enabler Performance
Are Stakeholders
Management
Needs
Addressed?


Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
The Service Provider can be internal or external

Users of services can also be internal or external
Stakeholders
Service capabilities (the combined term for services, infrastructure and applications) stakeholders
can be internal and external. The service owner is an important internal stakeholder. Important
external stakeholders may be compliancy and regulatory overseers.
Services can be delivered by internal or external partiesinternal IT departments, operations

managers, outsourcing providers.
Users of services can also be internal business usersand external to the enterprisepartners,
clients, suppliers.
The stakes of each of the stakeholders need to be identified and will either be focussed on delivering
adequate services or on receiving requested services from providers.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Express goals in terms of:

Services
Service levels
Goals
Goals of the service level capability will be expressed in terms of servicesapplications, infrastructure,
technologyand service levels, considering which services and service levels are most economical
for the enterprise. Again, goals will relate to the services and how they are provided, as well as their
outcomes, i.e., contribution towards successfully supported business processes.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Plan
Design
Build / acquire / create / implement
Use / operate
Evaluate / monitor
Update / dispose
Life cycle
Service capabilities have a life cycle. The future or planned service capabilities are typically
described in a target architecture. It covers the building blocks, such as future applications and
the target infrastructure model, and also describes the linkages and relationships amongst these
building blocks.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Define the architecture principles

Define enterprise specific architecture viewpoints
Have an architecture repository
Define the service requirements
Define the service levels
Good practices
Good practice for service capabilities includes:

Definition of architecture principles Architecture principles are overall guidelines that govern
the implementation and use of IT-related resources within the enterprise. Examples of potential
architecture principles are:
Reuse Common components of the architecture should be used when designing and
implementing solutions as part of the target or transition architectures.
Buy vs. build Solutions should be purchased unless there is an approved rationale for
developing them internally.
Simplicity The enterprise architecture should be designed and maintained to be as
simple as possible while still meeting enterprise requirements.
Agility The enterprise architecture should incorporate agility to meet changing
business needs in an effective and efficient manner.
Openness The enterprise architecture should leverage open industry standards.
The enterprises definition of the most appropriate architecture viewpoints to meet the needs
of different stakeholders. These are the models, catalogues and matrices used to describe the
baseline, target or transition architectures; for example, an application architecture could be
described through an application interface diagram, which shows the applications in use (or
planned) and the interfaces amongst them.

Module
Enablers

2. Processes
Relationship with other enablers 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources

2. Processes

Applications
Resources
Relationship with other enablers

Information is one of the service capabilities, and service capabilities are leveraged through
processes to deliver internal and external services.
Cultural and behavioural aspects are also relevant when a service-oriented culture needs to
be built.
Within COBIT 5, the inputs and outputs of the management practices and activities could
include service capabilities, which are required as inputs or delivered as outputs.

Module
Enablers

2. Processes
Enabler 7: People, skills 5. Information

6. Services,
Infrastructure and
Competencies
and competencies
Applications
Resources
Enabler Dimension

s)NTERNAL s)NTRINSIC1UALITY s0LAN s0RACTICES Define Role
Stakeholders %DUCATIONAND1UALIFICATIONS s$ESIGN 3KILL2EQUIREMENTS3KILL
s%XTERNAL Technical Skills s"UILD!CQUIRE ,EVELS3KILL#ATEGORIES
Stakeholders s#ONTEXTUAL1UALITY #REATE)MPLEMENT s7ORK0RODUCTS
2ELEVANCE%FFECTIVENESS s5SE/PERATE )NPUTS/UTPUTS
%XPERIENCE+NOWLEDGE s%VALUATE-ONITOR Skill Definitions
"EHAVIOURAL3KILL!VAILABILITY s5PDATE$ISPOSE
4URNOVER
s!CCESSIBILITYAND3ECURITY
Enabler Performance
Are Stakeholders
Management
Needs
Addressed?


Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Business managers
Project managers
Recruiters
Staff (systems developers, technical IT specialists, etc.)
Partners
Competitors
Trainers
Stakeholders
Skills and competencies stakeholders are internal and external to the enterprise. Different
stakeholders assume different rolesbusiness managers, project managers, partners, competitors,
recruiters, trainers, developers, technical IT specialists, etc.and each role requires a distinct skill set.

Module
Enablers

2. Processes
6. Services,
Infrastructure and
Competencies
Applications
Resources
Goals related to skills and competencies:

Education and qualification levels
Technical skills
Experience levels
Knowledge and behavioral skills
Goals related to people:

Correct level of staff availability
Correct level of staff skills and competencies
Turnover rate
Absenteeism
Goals
Goals for skills and competencies relate to education and qualification levels, technical skills,
experience levels, knowledge and behavioural skills required to provide and perform successfully
process activities, organisational roles, etc. Goals for people include correct levels of staff availability
and turnover rate.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Assess the current skill base

Current skills
Required skills
Develop or acquire skills and competencies

Deploy skills and competencies within the
organisational structure
Dispose of obsolete skills
Periodically reassess the skill base
Life cycle
Skills and competencies have a life cycle. An enterprise has to know what its current skill base
is, and plan what it needs to be. This is influenced by (amongst other issues) the strategy and
goals of the enterprise. Skills need to be developed (e.g., through training) or acquired (e.g.,
through recruitment) and deployed in the various roles within the organisational structure.
Skills may need to be disposed of, e.g., if an activity is automated or outsourced.
Periodically, such as on an annual basis, the enterprise needs to assess the skill base to
understand the evolution that has occurred, which will feed into the planning process for the
next period.
This assessment can also feed into the reward and recognition process for human resources.

Module
Enablers

2. Processes

6. Services,
Infrastructure and
Competencies
Applications
Resources
Differentiate skill requirements to activities and categories

Use external sources such as Skills Framework for the
Information Age (SFIA)
Examples of potential skill categories mapped to Cobit5
process domains:
%$-
'OVERNANCEOF%NTERPRISE)4
APO "!) $33 -%!

s)4POLICYFORMATION s"USINESSANALYSIS s!VAILABILITY s#OMPLIANCEREVIEW
s)4STRATEGY s0ROJECTMANAGEMENT MANAGEMENT s0ERFORMANCE
s%NTERPRISEARCHITECTURE s5SABILITYEVALUATION s0ROBLEMMANAGEMENT MONITORING
s)NNOVATION s2EQUIREMENTS s3ERVICEDESKAND s#ONTROLSAUDIT
s&INANCIALMANAGEMENT DEFINITIONAND INCIDENTMANAGEMENT
s0ORTFOLIOMANAGEMENT MANAGEMENT s3ECURITYADMINISTRATION
s0ROGRAMMING s)4OPERATIONS
s3OFTWARE s$ATABASE
DECOMMISSIONING ADMINISTRATION
Good practices
Define the need for objective skill requirements for each role played by the various
stakeholders. This can be described through different skill levels in different skill categories.
For each appropriate skill level in each skill category, a skill definition should be available.
The skill categories correspond with the IT-related activities undertaken, e.g., information
management, business analysis.
Use external sources of good practice, such as the Skills Framework for the Information Age
(SFIA),17 which provides comprehensive skill definitions.
Examples of potential skill categories, mapped to COBIT 5 process domains can be found in
the Cobit Framework, figure 39 (p. 88).
Note: the skill categories and competencies mentioned here are primarily based on content skills.
Bear in mind that behavioral skills are at least as important as these content skills.

Module
Enablers

2. Processes
Relationship with other enablers 5. Information

6. Services,
Infrastructure and
Competencies
Applications
Resources

2. Processes

Applications
Resources
Relationship with other enablers

Skills and competence are required to perform process activities and take decisions in
organisational structures. Conversely, some processes are aimed at supporting the life cycle
of skills and competencies.
There is also a link to culture, ethics and behaviour through behavioural skills, which drive
individual behaviour and are influenced by individual ethics and organisational ethics.
Skills definitions are also information, for which best practices of the information enabler need
to be considered.

5
Implementation
Module
Implementation
Implementing change succesfully
Each implementation approach will need to address the

specific challenges of an organization
Succes depends on adaptation to the context
The context changes continuously
Succesfull implementation of enterprise governance requires
an approach of continual improvement.

Module
Implementation
Considering the enterprise context

Design the implementation plan depending on internal and external
factors such as:
Ethics and culture
Applicable laws, regulations and policies
Mission, vision and values
Governance policies and practices
Business plan and strategic intentions
Operating model and level of maturity
Management style
Risk appetite
Capabilities and available resources
Industry practices
etc.

Module
Implementation
Key success factors for successful implementation
Top management commitment

All relevant parties supporting the governance and
management processes
Effective communication
Enablement of necessary changes
Tailoring COBIT (and other good practices / standards)
Realise quick wins
Prioritise the low hanging fruit
Key success factors for successful implementation
Key success factors for successful implementation include:

Top management providing the direction and mandate for the initiative, as well as visible
ongoing commitment and support
All parties supporting the governance and management processes to understand the
business and IT objectives
Ensuring effective communication and enablement of the necessary changes
Tailoring COBIT and other supporting good practices and standards to fit the unique context
of the enterprise
Focusing on quick wins and prioritising the most beneficial improvements that are easiest
to implement

Module
Implementation
Creating the appropriate environment
Ensure support and direction from key stakeholders

Address real business needs and issues
Initiate a change programme
Establish and maintain structures and processes for oversight
and direction
Visible support from key stakeholders
Creating the appropriate environment
To ensure that real business needs and issues are addressed, it helps to create a business case
outline. Presenting a business case (outline) to the responsible business managers ensures the
focus on actual solutions for the business.
Key actions when initiating a change programme are:

Define and assign key programme roles and responsibilities
Allocate adequate resources
Maintain stakeholder commitment on an ongoing basis

Module
Implementation
Examples of pain points (1):

Business frustration with failed initiatives, raising IT costs and a
perception of low business value
Significant incidents related to IT risk
Outsourced service delivery problems
Failure to meet regulatory or contractual requirements
IT limiting the enterprises innovation capabilities and business agility
Regular audit findings about poor IT performance
In addition to pain points it is possible to use trigger events to create the appropriate environment
for implementation and change. The pain points refer to the content (why should we start
the implementation) whereas the trigger events refer to the timing (when should we start the
implementation).
Trigger events will covered later in this module.

Module
Implementation
Examples of pain points (2):

Hidden and rogue IT spending
Duplication or overlap between initiatives or wasting resources
Insufficient IT resources, staff with inadequate skills or staff burnout/
dissatisfaction
IT-enabled changes failing to meet business needs, delivered late or
over budget
Reluctant, non-committal board members, managers and
business sponsors

Module
Implementation
Business case
A business case evolves through time

Start with a high level (strategic) outline
Add details later
A business case must be updated and managed through time
Business case
The business case is not a one-time static document, but a dynamic operational tool that must be
continually updated to
reflect the current view of the future so that a view of the viability of the programme can be maintained.
It can be difficult to quantify the benefits of implementation or improvement initiatives, and care
should be taken to commit only to benefits that are realistic and achievable.

Module
Implementation
Business case content
Targeted business benefits

Required business changes
Required investments
Ongoing IT and business costs
Expected benefits
Risks, constraints and dependencies
Roles, responsibilities and accountabilities
How the investment and value creation will be measured
and monitored
Business case content
The business case is a valuable tool available to management in guiding the creation of business
value. At a minimum, the business case should include the following:
The business benefits targeted, their alignment with business strategy and the associated
business owner (who in the business will be responsible for securing them). This could be
based on pain points and trigger events.
The business changes needed to create the envisioned value. This could be based on health
checks and capability gap analyses and should clearly state both what is in scope and what is
out of scope.
The investments needed (one-off costs) to make the governance and management of
enterprise IT changes (based on estimates of projects required)
The ongoing IT and business costs
The expected benefits of operating in the changed way. Note that these benefits must
contribute substantially to the targeted business benefits but do not have to be identical
necessarily. You may not be able to realise all targeted business changes on the one hand,
and there may be collateral benefits (i.e. additional benefits) on the other hand.
The risk inherent in the previous bullets, including any constraints and dependencies (based
on challenges and success factors)

Module
Implementation
Initiating the implementation
Use (business recognisable) trigger events

Trigger events can occur in the internal and external
environment of the enterprise

Module
Implementation
Examples of trigger events
Merger, acquisition or divesture

A shift in the market, economy or competitive position
Change in business operating model or
sourcing arrangements
New regulatory or compliance requirements
An enterprise wide governance focus or project
A new CEO, CFO, CIO, etc.
External audit or consultant assessments
A new business strategy or priority
Desire to significantly improve the value to be gained from IT

Module
Implementation
Enabling change
Successful implementation
implementing the appropriate change
in the appropriate way
Ensure stakeholder commitment

Enforce compliance
Enabling change
Successful implementation depends on implementing the appropriate change in the appropriate

way. Typically focus is on the appropriate change, e.g. by designing the enablers such as structures
and processes. Much less attention goes to managing the human, behavioural and cultural aspects
of change and to (continuously) motivating all stakeholders to buy into the change.
It should not be assumed that the various stakeholders involved in, or impacted by, new or revised
enablers will readily accept and adopt the change. The possibility of ignorance and/or resistance
to change needs to be addressed through a structured and proactive approach. Also, optimal
awareness of the implementation programme should be achieved through a communication plan
that defines what will be communicated, in what way and by whom, throughout the various phases
of the programme.
Sustainable improvement can be achieved either by gaining the commitment of the stakeholders
(investment in winning hearts and minds, the leaders time, and in communicating and responding
to the workforce) or, where still required, by enforcing compliance (investment in processes to
administer, monitor and enforce). In other words, human, behavioural and cultural barriers need
to be overcome so that there is a common interest to properly adopt change, instil a will to adopt
change, and to ensure the ability to adopt change.

Module
Implementation
Implementation life cycle
Core components of the Implementation life cycle:

Core continual improvement
Enablement of change
Management of the programme
The implementation life cycle provides a way for enterprises to use COBIT to address the complexity
and challenges
typically encountered during implementations. The three interrelated components of the life cycle
are the:
1. Core continual improvement life cycleThis is not a one-off project.
2. Enablement of changeAddressing the behavioural and cultural aspects
3. Management of the programme

Module
Implementation
Phases of the Implementation life cycle:

1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?

Module
Implementation
The
eep 1. Wha
W e K Going? t Are
Th
Do ntum Initia eD
ow e iew te P riv
H om Rev veness rog er
s
M cti ra
7.
fe m
?
Ef Establ
is
To C h D
in
sta ha es
ng ir
Su
2.
?
De Oppo
ere
Wh Problems and
e
its
fin
Reco
itor
t Th
ere
on Nee gnis
nef
e
M Andate d
Act To e
Im Team
Approac ew
alu
hes
6. Did We Ge
Are W
Realise Be
ple
Ev Program Management
Embed N
Form
rtunities
menta n
(Outer Ring)
And e
Assrrent
re
Cu tate
Operat
Measu
e Now?
ess
tio
Change Enablement
(Middle Ring)
I m en
ta g e t e
I m men
m ro
pl
e
r in
t -
e
p
m e te
ef
te
D a Continual Improvement Life Cycle
B e?
v
ts -
co ica
T
Op Re
B u il d
An
S
5. H
p
I m pr o v- (Inner Ring)
ut u n
Ma
er u
d
Ex
t To
te e m e nts
a
m
ow
ec
se m
ad
Co O an
ut
Do
Ro
W
I d e n tif y R ol d
e
la
W
e
e
n fi n
W
P lay ers
e
et
De
G
Th D
e re
re
?
Pla n
Program me he
W
4. W 3.
hat N ne?
eeds To B e Do

Module
Implementation
What are the drivers?
1. Programme management
Initiate a programme
2. Change management
Establish desire to change
3. Continual improvement
Recognize the need to act
What are the drivers?
If a person does not see the necessity of change, there will be no change. This goes beyond
(rationally) understanding the need for change, it has to be felt. And change must be effected soon:
there must be a sense of urgency. Change Management guru Kotter suggests that for change to be
successful, 75% of a company's management needs to "buy into" the change. In other words, you
have to work really hard on Phase 1, and spend significant time and energy building urgency, before
moving onto the next steps. Don't panic and jump in too fast because you don't want to risk further
short-term losses if you act without proper preparation, you could be in for a very bumpy ride.
This isn't simply a matter of showing people poor performance statistics or talking about audit
findings. Open an honest and convincing dialogue about what's happening in the enterprise and
the environment. If many people start talking about the change you propose, the urgency can build
and feed on itself.
What you can do:

Identify potential threats, and develop scenarios showing what could happen in the future
(pain points).
Examine opportunities that should be, or could be, exploited (trigger events).
Start honest discussions, and give dynamic and convincing reasons to get people talking
and thinking.
Request support from customers, outside stakeholders and industry people to strengthen
your argument.

Module
Implementation
Where are we now?
Define problems and opportunities
Form implementation team
Assess current state

Module
Implementation
Where do we want to be?
Define road map
Communicate outcome
Define target state

Module
Implementation
What needs to be done?
Plan programme
Identify role players
Build improvements

Module
Implementation
How do we get there?
Execute plan
Operate and use
Implement improvements

Module
Implementation
Did we get there?
Realise benefits
Embed new approaches
Operate and measure

Module
Implementation
How do we keep themomentum going?
Review effectiveness
Sustain
Monitor and evaluate

6
Process Capability
Module
Process Capability
Assessment approach (overview)
Process Reference Measurement

Model Framework
(COBIT5) (ISO 15504)
Process Assessment
Model
What: Foundation
How: Assessor
Initial Input Assessment Process Output
Roles and
Responsibilities
Assessment approach (overview)
Process Reference Model provides the:

Domain and scope
Process purpose
Process outcome
Measurement framework provides the

Capability levels
Process attributes
Rating scale
Initial input of the assessment:

Purpose
Scope
Constraints
Identities
Approach
Assessor competence criteria
Additional information

Module
Process Capability
Based on ISO15504
What is ISO 15504?

The reference model for Process Maturity
Originates from SPICE
Based on ISO15504
Cobit5 Process Capability Assessment is based on the ISO 15504 (standard reference model for
process maturity).
SPICE: Software Improvement and Capability Determination

Module
Process Capability
ISO 15504 - Glossary
Process assessment model (PAM)

Process purpose
Process outcome
Process capability
Process capability level
Process capability level rating
Process attribute
ISO 15504 - Glossary
Process assessment model (PAM) A model suitable for the purpose of determining
process capability, based on one or more process reference model (PRM)
Process purpose The high-level measurable objectives of performing the process and the
likely outcomes of effective implementation of the process
Process outcome An observable result of a process (Note: an outcome is an artefact, a
significant change of state or the meeting of specified constraints)
Process capability A characterization of the ability of a process to meet current or
projected business goals
Process capability level A point on the six-point ordinal scale (of process capability)
that represents the capability of the process; each level builds on the capability of the
level below
Process capability level rating A representation of the achieved process capability
level derived from the process attribute ratings for an assessed process
Process attribute A measurable characteristic of capability applicable to any process

Module
Process Capability
ISO 15504- Glossary (ctd)
Performance indicator (process specific)

Base practices (BP)
Work products (WP)
Capability indicator
Generic practices (GP)
Generic work products (GWP)
ISO 15504- Glossary (ctd)
Process attributes measured by / based on:

Performance indicators A set of metrics designed to measure the extent to which
performance objectives are being achieved on an on-going basis (Note: performance
indicators are process specific)
Base practice An activity that, when consistently performed, contributes to achieving a
specific process purpose
Work product (WP)An artefact associated with the execution of a process
Capability indicatorAssessment indicator that supports the judgement of the process
capability of a specific process (Note: the capability indicators based on generic practices
and generic work products)
Generic practice (GP)An activity that, when consistently performed, contributes to the
achievement of specific process attributes
Generic work product (GWP)An artefact associated with the execution of a process
that is commonly stated, or general in nature

Module
Process Capability
Capability levels
5 Capability Level based on 9 process attributes
PA 5.1 Process innovation

Level 5: Optimizing process
PA 5.2 Process optimization
PA 4.1 Process measurement

Level 4: Predictable process
PA 4.2 Process control
PA 3.1 Process definition

Level 3: Established process
PA 3.2 Process deployment
PA 2.1Performance management
Level 2: Managed process
PA 2.2 Work product management
Level 1 Performed process PA 1.1 Process performance
Level 0: Incomplete process
Capability levels
Optimizing: the process is continuously improved to meet relevant current and projected
business goals
Predictable: the process is enacted consistently within defined limits
Established: a defined process is used based on a standard process
Managed: the process is managed and work products are established, controlled
and maintained
Performed: the processes is implemented and achieves its process purpose
Incomplete: the process is not implemented or fails to achieve its purpose

Module
Process Capability
Capability level rating

Abbreviation Description Percentage achieved
N Not achieved 0 to 15% achieved
P Partially achieved 16 to 50% achieved
L Largely achieved 51 to 85% achieved
F Fully achieved 86 to 100% achieved
To achieve a capability level, a process must:

Largely or fully achieve the current level
Fully achieve the underlying level(s)
Capability level rating
Each capability level can be achieved only when the level below has been fully achieved. For
example, a process capability level 3 (established process) requires the process definition and
process deployment attributes to be largely achieved, on top of full achievement of the attributes for
a process capability level 2 (managed process).
N Not achieved (0 to 15% achievement) - There is little or no evidence of achievement of the
defined attribute in the assessed process.
P Partially achieved (>15% to 50% achievement) - There is evidence of an approach to
and some achievement of the defined attribute in the assessment approach. Some aspects of
achievement of the attribute may be unpredictable.
L Largely achieved (>50% to 85% achievement) - There is evidence of a systematic
approach to, and significant achievement of, the defined attribute in the assessed process.
Some weakness related to this attribute may exist in the assessed process.
F Fully achieved (>85% to 100% achievement) - There is evidence of a complete and
systematic approach to and full achievement of the defined attribute in the assessed process.
No significant weakness related to this attribute exist in the assessed process.

Module
Process Capability
PAM ISO 15504
CAPABILITY
Dimension
Level 5: Optimizing
Level 4: Predictable
Level 3: Established
Level 2: Managed
Level 1: Performed
Level 0: Incomplete
PROCESS
Dimension
(depe Proc
nding
on Pro esses A
cess R Z
eferen
ce Mo
del us
ed)
PAM ISO 15504
Note on the Process Reference Model (PRM):
Remember that ISO15504 is generic, so you may use any PRM. For Cobit it can be either Cobit 5
PRM or Cobit 4.1 PRM. However it does not have to be restricted to Cobit!
It was actually developed in Software Development / Software Improvement area -> PRM used
ISO12207 (for Software Development) or ISO15288 (Systems Engineering)

Module
Process Capability
PAM Cobit 5
CAPABILITY
Dimension
Level 5: Optimizing PA 5.1 + PA 5.2
Level 4: Predictable PA 4.1 + PA 4.2
Level 3: Established PA 3.1 + PA 3.2
Level 2: Managed PA 2.1 + PA 2.2
Level 1: Performed PA 1.1 + Process performance indicators
Level 0: Incomplete
PROCESS
EDM Dimension
APO
BAI
DSS
Cobit
5 PR M
MEA
PAM Cobit 5
There is a significant distinction between process capability level 1 and the higher capability levels.
Process capability level 1 achievement requires the process performance attribute to be largely
achieved, which actually means that the process is being successfully performed and the required
outcomes obtained by the enterprise. The higher capability levels then add different attributes to
it. In this assessment scheme, achieving a capability level 1, even on a scale to 5, is already an
important achievement for an enterprise. Note that each individual enterprise shall choose (based
on cost-benefit and feasibility reasons) its target or desired level, which very seldom will happen to
be one of the highest.

Module
Process Capability
Process capability model (summarised)
Generic Process Capability
PA 2.1 PA 2.2 PA 3.1 PA 3.2 PA 4.1 PA 4.2 PA 5.1 PA 5.2

Performance Attribute (PA)
Performance Work Product Process Process Process Process Process Process
1.1 Process Performance
Management Management $ElNITION Deployment Management Control Innovation Optimisation
Incomplete Performed Managed Established Predictable Optimizing

Process Process Process Process Process Process
0 1 2 3 4 5
COBIT5 Process
COBIT5 Process Assessment Model -
Assessment Model -
Capability Indicators
Performance Indicators
Process Outcomes
Base Practices Generic Practices Generic Resources Generic Work Products

Work Products
(Management/
(Inputs/Outputs)
Governance Practices)

Module
Process Capability
Performing capability assessments
Capability assessments can be performed

For various purposes
With various degrees of rigor
Potential assessment objectives:

Benchmark process capability
Enable as is and to be health checks
Provide gap analysis and improvement planning information
Provide ratings to measure and monitor current capabilities
Performing capability assessments
The ISO/IEC 15504 standard specifies that process capability assessments can be performed
for various purposes and with varying degrees of rigour. Purposes can be internal, with a focus on
comparisons between enterprise areas and/or process improvement for internal benefit, or they can
be external, with a focus on formal assessment, reporting and certification.
The COBIT 5 ISO/IEC 15504-based assessment approach continues to facilitate the following
objectives that have been a key COBIT approach since 2000 to:
Enable the governance body and management to benchmark process capability
Enable high-level as is and to be health checks to support the governance body and
management investment decision making with regard to process improvement
Provide gap analysis and improvement planning information to support definition of justifiable
improvement projects
Provide the governance body and management with assessment ratings to measure and
monitor current capabilities

Module
Process Capability
Steps to assess capability level 1
1. Review the process outcomes and rate to which degree each

process objective is achieved
2. Assess the (governance or management) practices
3. Consider the work products
Steps to assess capability level 1
Assessing whether the process achieves its goalsor, in other words, achieves capability level 1
can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed
process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what
degree each objective is achieved. This scale consists of the following ratings:
N (Not achieved)There is little or no evidence of achievement of the defined attribute in
the assessed process. (0 to 15 percent achievement)
P (Partially achieved)There is some evidence of an approach to, and some achievement
of, the defined attribute in the assessed process. Some aspects of achievement of the
attribute may be unpredictable. (15 to 50 percent achievement)
L (Largely achieved)There is evidence of a systematic approach to, and significant
achievement of, the defined attribute in the assessed process. Some weakness related to
this attribute may exist in the assessed process. (50 to 85 percent achievement)
F (Fully achieved)There is evidence of a complete and systematic approach to, and full
achievement of, the defined attribute in the assessed process. No significant weaknesses
related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the
same rating scale, expressing the extent to which the base practices are applied.

Module
Process Capability
Example: BAI06 Manage changes
Step 1: Review the process outcomes

Module
Process Capability
Example: BAI06 Manage changes (ctd)
Step 2: assess the base practices

Module
Process Capability
Example: BAI06 Manage changes (ctd)
Step 3: consider the work products

Module
Process Capability
Assessing capability levels 2 5
Use the generic practices and generic work products

GP 2.1.1 Identify the objectives
GP 2.1.2 Plan and monitor the performance
GP 2.1.3 Adjust the performance
GP 2.1.1 Identify the objectives Level 5: Optimizing Process GWP 6.0 Performance
Improvement Plan
GP 2.1.4 Define responsibilities GP 2.1.2 Plan and monitor the performance
GP 2.1.3 Adjust the performance
The process is continuously improved to meet
relevant current and projected business goals
GWP 9.0 Process Performance
Records
'0n$ElNERESPONSIBILITIESAND
and authorities authorities
Level 4: Predictable Process
GWP 1.0 Process Documentation
GP 2.1.5 Identify and make available GWP 6.0 Performance Improvement Plan
resources The process is executed consistently GWP 7.0 Process Measurement Plan
WITHINDElNEDLIMITS GWP 8.0 Process Control Plan
GP 2.1.5 Identify and make GP 2.1.6 Manage the interfaces GWP 9.0 Process Performance Records
Example of generic GWP 1.0 Process Documentation
available resources practices
(for Process Attribute
Level 3: Established Process
!DElNEDPROCESSISUSEDBASEDONA
GWP 2.0 Process Plan
GWP 4.0 Quality Records
2.1 Performance standard process GWP 5.0 Policies and Standards
Management) GWP 9.0 Process Performance Records
GP 2.1.6 Manage the interfaces GWP 1.0 Process Documentation
Level 2: Managed Process
GWP 2.0 Process Plan
The process is managed and word products GWP 3.0 Quality Plan
are established, controlled and maintained
Example of generic practices GWP 4.0 Quality Records
Level 1: Performed Process Overview of

(for Process Attribute 2.1 The process is implemented and
achieves its process purpose
generic work
products
Performance Management)
Overview of generic work products

Itg-253 2.00 Eng Newhorizons Cobit5 Fo Is

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Itg-253 2.00 Eng Newhorizons Cobit5 Fo Is

Uploaded by

Copyright:

Available Formats

CobiT 5 Foundation with Case Study

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -1- New Horizons

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 2

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -29- New Horizons

Day 1 Introduction, Principles, Enablers

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 3

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -30- New Horizons

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 4

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -31- New Horizons

Introduce yourself in 1 minute

What is your name?

Tell me something about YOU

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 5

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -32- New Horizons

Purpose of the Cobit 5 Foundation course

Basic knowledge of Cobit 5

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 6

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -33- New Horizons

High level learning outcomes

IT management issues and challenges

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 7

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -34- New Horizons

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 8

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -35- New Horizons

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 9

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -36- New Horizons

Top 10 challenges of the CIO 2013

Business challenges Technology challenges

Top 10 challenges of the CIO 2013

Information is the business currency of the 21st century

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -39- New Horizons

Sample: make or making the news?

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 3

Sample: make or making the news?

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -40- New Horizons

Sample: websites tracking your outages

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 4

Sample: websites tracking your outages

And do not think its a typically American phenomenon:

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -41- New Horizons

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 5

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -43- New Horizons

Six key assets to govern

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 6

Six key assets to govern

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -44- New Horizons

IT Governance (Ross & Weil, 2004): IT Governance is about

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 7

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -45- New Horizons

Maintain high-quality information to support

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 8

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -46- New Horizons

Cobit 5 is a business framework for the governance and

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 9

Requirements to create stakeholder value:

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -48- New Horizons

Drivers for developing a framework

Provide guidance in areas with high interest

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 10

Drivers for developing a framework

Provide guidance in areas with high interest, such as:

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -49- New Horizons

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 11

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -50- New Horizons