
CobiT 5 Foundation with Case Study

[ITG-253 v2.00]

The World's Largest IT Training Company - New Horizons


Module 1: Introduction (ITG-253 v2.00)

APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries

Overview modules

Module 1 - Introduction
Module 2 - Overview
Module 3 - Principles
Module 4 - Enablers
Module 5 - Implementation
Module 6 - Process capability

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 2


Course schedule

Day 1: Introduction, Principles, Enablers
Day 2: Enablers, Implementation
Day 3: Process capability, exam


Facilities


Introduce yourself in 1 minute

What is your name?
What is your role?
What are your expectations of this training?

Tell me something about YOU


Purpose of the Cobit 5 Foundation course

Basic knowledge of Cobit 5
Pass the foundation exam
How to use Cobit 5 in real life
Share experiences
Have some fun!


High level learning outcomes

IT management issues and challenges
The drivers for the development of Cobit 5 framework
The Cobit 5 framework & product family
Cobit 5 key principles
How Cobit 5 enables IT to be governed and managed
Cobit 5 processes and Process Reference Model (PRM)


Exam requirements

Exam requirements:
50 questions
40 minutes
50% pass rate
Closed book

Exam preparation:
Approximately hrs
Test questions
Self study


Questions?



Module 2: Overview (ITG-253 v1.20)


Top 10 challenges of the CIO 2013

Business challenges
1. Increasing enterprise growth
2. Delivering operational results
3. Reducing enterprise costs
4. Attracting and retaining new customers
5. Improving IT applications and infrastructure
6. Creating new products and services (innovation)
7. Improving efficiency
8. Attracting and retaining the workforce
9. Implementing analytics and big data
10. Expanding into new markets and geographies

Technology challenges
1. Analytics and business intelligence
2. Mobile technologies
3. Cloud computing (SaaS, IaaS, PaaS)
4. Collaboration technologies (workflow)
5. Legacy modernization
6. IT management
7. CRM
8. Virtualization
9. Security
10. ERP Applications

Information is the business currency of the 21st century
Information has a life cycle: it is created, used, retained, disclosed and destroyed
Technology plays a key role in these actions
Technology is becoming pervasive in all aspects of business and personal life
Every form of enterprise needs to be able to rely on quality information to support quality executive decisions.


Sample: make or making the news?

Source: http://edition.cnn.com/2013/08/14/tech/web/new-york-times


IT Management remains an issue for many organizations. Outages still occur. Some examples of major IT disruptions (with considerable impact on the organization):
ING internet banking failure (Feb 2013): ING customers are unable to withdraw money from ATMs, account balance inquiries show wrong amounts. Big headlines on the TV news, newspaper, trending topic on Twitter etc. -> Serious loss of business reputation for ING
NYSE Euronext trading impossible. Trading opening postponed for an hour due to technical errors (6 June 2013)
Failures at baggage handling systems on the opening day of Heathrow's T5 terminal (Mar 2008): flights cancelled, serious delays of departures and arrivals, thousands of customers unable to collect their luggage for days. -> Special report by House of Commons Transport Committee
13 August 2013: the website of the New York Times was down for 3 hours following scheduled maintenance. Rather than reporting the news (at the time breaking news about the Egyptian police and army trying to break up protests, resulting in, reportedly, hundreds of casualties) the NY Times made the news itself, e.g. on CNN.


Sample: websites tracking your outages

Source: http://downdetector.com/status/att/archive


Even if you do not monitor your own performance as a company, your (disgruntled) customers will do it for you. For instance, this website keeps track of all problems and outages of AT&T services in the US.

And do not think it's a typically American phenomenon:

allestoringen.be
allestoringen.nl
allestörungen.de
aussieoutages.com
caiutudo.com
canadianoutages.com
detectordefallos.es
detectordefallos.mx
downdetector.co.kr
downdetector.co.uk
downdetector.co.za
downdetector.com


Governance

Enterprise Governance
  Corporate Governance (conformance): Accountability, Assurance
  Business Governance (performance): Value creation, Resource Utilization


Definition of enterprise governance: a set of responsibilities and practices exercised by the board and executive management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Conformance is also called corporate governance and covers issues such as board structure, roles and executive remuneration. Codes and/or standards can generally address this dimension, with compliance being subject to assurance / audit. The conformance view takes a historical view (what has happened?).

Performance, also called business governance, focuses on strategy and value creation, and on helping the board make strategic decisions, understand its appetite for risk and its key drivers of performance, and identify its key points of decision making. This is not easy to incorporate in a business code or standard and subsequently audit. Here, instruments such as best practices are typically widely used. The performance view looks forward (what do we want to happen?).


Six key assets to govern

1. Human assets
2. Financial assets
3. Physical assets
4. IP assets
5. Information and IT assets (Governance of Enterprise IT, GEIT)
6. Relationship assets


Weill and Ross (IT Governance: How top performers manage IT decision rights for superior results)


Governance of enterprise IT

IT Governance (Ross & Weill, 2004): IT Governance is about specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT
GEIT (ISACA, 2012): A governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives. It also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.


Enterprise IT objectives

Maintain high-quality information to support business decisions
Generate business value from IT-enabled investments
Achieve operational excellence through the reliable and efficient application of technology
Maintain IT-related risk at an acceptable level
Optimise the cost of IT services and technology
Comply with ever-increasing relevant laws, regulations, contractual agreements and policies


Cobit 5 recognises 17 enterprise goals, all contributing to the enterprise objectives. These enterprise goals will return in the goals cascade in module 2, principle 1, Meeting stakeholder needs.
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity


Cobit 5

Cobit 5 is a business framework for the governance and management of enterprise IT
Cobit 5 objective: to support enterprise executives and management in their definition and achievement of business goals and related IT goals.


Requirements to create stakeholder value:
Good governance and management of information and technology (IT) assets.
Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.

COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.


Drivers for developing a framework

Provide guidance in areas with high interest
Provide guidance in innovation and emerging technologies
Cover the full end-to-end business and IT functional responsibilities
Increase control over increasing user-initiated and user-controlled IT solutions


Provide guidance in areas with high interest, such as:
  enterprise architecture
Provide guidance in asset and service management
Provide guidance in emerging sourcing and organisation models
A need to provide further guidance in the area of innovation and emerging technologies
  this is about creativity, inventiveness
  developing new products
  making the existing products more compelling to customers and reaching new types of customers
  Innovation also implies streamlining product development, manufacturing and supply chain processes to deliver products to market with increasing levels of efficiency, speed and quality.
A need to cover the full end-to-end business and IT functional responsibilities, and a need to cover all aspects that lead to effective governance and management of enterprise IT, such as organizational structures, policies, culture, etc., over and above processes.
A need to get better control over increasing user-initiated and user-controlled IT solutions.


Additional drivers
Improved relationship between business needs and IT objectives;
Better value creation through effective and innovative use of enterprise IT;
Increased financial return from the governance over enterprise IT by obtaining the greatest value from investments in technology;
Increased business user satisfaction with IT engagement and services;
Increased compliance with relevant laws, regulations and policies;
Connection to, and, where relevant, alignment with, other major frameworks and standards in the marketplace.


Connection to, and, where relevant, alignment with, other major frameworks and standards in the marketplace, such as:
Information Technology Infrastructure Library (ITIL)
The Open Group Architecture Forum (TOGAF)
Project Management Body of Knowledge (PMBOK)
Projects IN Controlled Environments 2 (PRINCE2)
Committee of Sponsoring Organisations (COSO)
International Organization for Standardisation (ISO) standards


Reasons for developing Cobit 5

Tie together and reinforce all ISACA knowledge assets with COBIT;
Provide a renewed and authoritative governance and management framework;
Integrate all other major ISACA frameworks and guidance;
Align with other major frameworks and standards in the marketplace.


Integrate all other major ISACA frameworks and guidance such as:
Val IT
Risk IT
BMIS
ITAF
Board Briefing on IT Governance
Taking Governance Forward


Benefits of using Cobit 5

Starting point of governance and management activities
Consistency with corporate governance standards
Providing a holistic, integrated and complete view of governance and management of IT
Focus on stakeholder needs
Coverage of the enterprise from end to end
Encouragement of a common language


COBIT 5 defines the starting point of governance and management activities with the stakeholder needs related to enterprise IT.
COBIT 5 is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements.
COBIT 5 focuses initially on the needs of the stakeholder. One of the key benefits of COBIT 5 is that it is first and foremost a business framework. Business management have something to enable them to have that business conversation with IT management.
COBIT 5 is a top-down view of business needs that creates a goals cascade. This goals cascade drives the need to meet the expectations of the stakeholder right through the enterprise.
COBIT 5 also encourages a common language throughout the enterprise so that stakeholders understand IT and IT meets their business need.


The evolution of Cobit

[Figure: evolution of scope across COBIT versions]
COBIT1 (1996): Audit
COBIT2 (1998): Control
COBIT3 (2000): Management
COBIT4.0/4.1 (2005/7): IT Governance
COBIT5 (2012): Governance of Enterprise IT
Also shown: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)


Control objectives for IT (COBIT)

Initial focus on audit, control and security (remember that ISACA has its roots in assurance (ITAF, CISA) and security (BMIS, CISM)), evolving to management and governance. However, Cobit 4.1 was not complete for governance; one also had to include other ISACA models, especially Risk IT and Val IT.



Module 3: Principles (ITG-253 v2.00)


5 principles

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management


Principle 1

Meeting stakeholder needs


Goals cascade

Stakeholder Drivers
  Step 1
Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation)
  Step 2
Enterprise Goals
  Step 3
IT Related Goals
  Step 4
Enabler Goals


Translating the stakeholder needs into enterprise goals requires an actionable strategy.


Stakeholder needs

Stakeholder Needs drive the Governance Objective: Value Creation
  Benefits Realisation
  Risk Optimisation
  Resource Optimisation


Enterprises exist to create value for their stakeholders. Consequently, any enterprise, commercial or not-for-profit, will have value creation as a governance objective. Value creation means realising benefits at an optimal resource cost while optimising risk. Benefits do not necessarily have to be financial (e.g. revenue or profit). They can also be public service (for government organisations).

An organisation has multiple stakeholders; the most important value for one stakeholder does not necessarily have to be the most important value for another stakeholder. So many stakeholders, so many needs. These needs may even be conflicting. Governance has to balance between stakeholder needs, negotiating and deciding amongst different stakeholders' value interests. The governance system therefore must consider all stakeholders and their respective needs.


Governance and management questions on IT

Questions of internal stakeholders
How do I get value from the use of IT?
How do I manage performance of IT?
How can I best exploit new technology for new strategic opportunities?
How do I best build and structure my IT department?
etc.

Questions of external stakeholders
How do I know the enterprise's operations are secure and reliable?
How do I know the enterprise is compliant with applicable rules and regulations?
How do I know the enterprise is maintaining an effective system of internal control?
etc.


Stakeholder needs and enterprise goals


Cobit 5 enterprise goals structured according to Balanced Score Card dimensions

Financial
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency

Customer
6. Customer oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information based strategic decision making
10. Optimisation of service delivery costs

Internal
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies

Learning and growth
16. Skilled and motivated people
17. Product and business innovation culture


Enterprise goals cascade to IT-related goals

[Table: enterprise goals 1-17 (columns, grouped by the dimensions Financial, Customer, Internal, Learning and Growth) mapped against IT-related goals (rows), each cell marked P or S. Rows shown:]

Financial
01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realised benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk

Customer
07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions

Internal
09 IT agility
10 Security of information, processing infrastructure and applications

Excerpt; for the complete table refer to Appendix B (p. 50) of the Cobit 5 Framework

Cobit 5 IT-related goals structured according to BSC dimensions

Financial
1. Alignment of IT and business strategy
2. IT compliance and support for business compliance with external rules and regulations
3. Commitment of executive management for making IT-related decisions
4. Managed IT-related business risk
5. Realised benefits from IT-enabled investments and services portfolio
6. Transparency of IT costs, benefits and risks

Customer
7. Delivery of IT services in line with business requirements
8. Adequate use of applications, information and technology solutions

Internal
9. IT agility
10. Security of information, processing infrastructure and applications
11. Optimisation of IT assets, resources and capabilities
12. Enablement and support of business processes by integrating applications and technology into business processes
13. Delivery of programmes delivering benefits, on time, on budget and meeting requirements and quality standards
14. Availability of reliable and useful information for decision making
15. IT compliance with internal policies

Learning and growth
16. Competent and motivated business and IT personnel
17. Knowledge, expertise and initiatives for business innovation


IT-related goals mapped to IT-related processes

[Table: IT-related goals 1-17 (columns, grouped by the dimensions Financial, Customer, Internal, Learning and Growth) mapped against the Evaluate, Direct and Monitor rows EDM01 to EDM05, each cell marked P or S. Row labels as shown on the slide:]

EDM01 Alignment of IT and business strategy
EDM02 IT compliance and support for business compliance with external laws and regulations
EDM03 Commitment of executive management for making IT-related decisions
EDM04 Managed IT-related business risk
EDM05 Realised benefits from IT-enabled investments and services portfolio


Achieving IT-related goals requires the successful application and use of a number of enablers.
The enabler concept is explained in detail in Module 4. Enablers include processes, organisational
structures and information, and for each enabler a set of specific relevant goals can be defined in
support of the IT-related goals.

Processes are one of the enablers, and COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (appendix C) contains a mapping between IT-related goals and the relevant COBIT 5 processes, which then contain related process goals. Similarly, goals must be defined for the other enablers.

[examples, e.g. for organisation structure]


Exercise 1

Refer to case Paper Inc
Create the goals cascade: from enterprise goals to IT goals
Use the tables in ISACA Cobit 5 Framework

Present your group's findings (10 min.):
Identify relevant stakeholders and their needs
Present the top 3 enterprise goals
Present the most relevant IT goals (max. 5)


Principle 2

Covering the enterprise end-to-end


End-to-end:
Cobit 5 integrates GEIT into enterprise governance
Cobit 5 covers all functions and processes required to govern and manage enterprise information and related technology wherever the information is processed
Cobit 5 addresses all relevant internal and external IT services as well as internal and external business processes


Governance system: key components

Governance Objective: Value Creation (Benefits Realisation, Risk Optimisation, Resource Optimisation)
Governance Enablers
Governance Scope
Roles, Activities and Relationships

Roles, activities and relationships

[Figure: Owners and Stakeholders, Governing Body, Management, Operations and Execution, linked by Delegate/Accountable, Set Direction/Monitor, Instruct and Align/Report]

The roles, activities and relationships define:

- Who is involved in governance?
- How are they involved?
- What do they do?
- How do they interact?

You can see here that principle 5, separating governance from management, is reflected in the roles,
activities and relationships. Governance (the governing body) deals with owners and stakeholders;
management deals with operations and execution.


Principle 3

Applying a single integrated framework

A single integrated framework

- Aligns with other latest relevant standards and frameworks
- Is complete in enterprise coverage
- Provides a simple (framework) architecture
- Integrates all knowledge previously dispersed over different ISACA frameworks

Other standards and frameworks

[Figure: coverage of other standards and frameworks across the five COBIT 5 domains (Evaluate, Direct and Monitor; Align, Plan and Organize; Build, Acquire and Implement; Deliver, Service and Support; Monitor, Evaluate and Assess). Standards shown: ISO/IEC 38500, ISO/IEC 31000, ISO/IEC 27000, TOGAF, Prince2/PMBOK, CMMI, ITIL V3 2011 and ISO/IEC 20000]

ISO/IEC 38500 is the standard for corporate governance of information technology. It is based on
6 principles:
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human behaviour

Comparison with other standards: typically these standards cover parts of one or more of the five
COBIT 5 (process) domains. These domains will be explained in detail in Module 4 Enablers.

ITIL v3 2011 and ISO/IEC 20000
- A subset of processes in the Deliver, Service and Support (DSS) domain
- A subset of processes in the Build, Acquire and Implement (BAI) domain
- Some processes in the Align, Plan and Organise (APO) domain

ISO/IEC 27000 series: Information security
- Security and risk related processes in the Evaluate, Direct and Monitor (EDM) domain

Cobit 5 product family

[Figure: COBIT 5 product family. General documents: COBIT 5 (framework); COBIT 5: Assessment program. Enabler Guides: COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Guides TBD. Professional Guides: COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; COBIT 5: Assessment program; Other Guides TBD]

Translations of the COBIT 5 framework are available in Spanish, Chinese, Japanese, German,
Romanian, Russian, Arabic, French, Lithuanian, Hebrew, Thai, Turkish and Italian.


Principle 4

Enabling a holistic approach

COBIT 5 Enablers

[Figure: 7 categories of enablers: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organizational Structure; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies (5 to 7 labelled Resources)]

Enablers are factors that, individually and collectively, influence whether something will work, in this
case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e.
the enabler goals are based on the IT-related goals (which are based on the enterprise goals; refer
to Principle 1: meeting stakeholder needs).

- Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
- Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
- Organizational structures are the key decision-making entities in an enterprise.
- Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
- Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
- Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.


Principle 5

Separating governance from management

Governance and management

Governance:
- Ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved
- Set direction through prioritisation and decision making
- Monitor performance and compliance against agreed-on direction and objectives

Management:
- Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives

Governance - Management interaction

- Use the enablers to define governance-management interfaces
- Use all enablers to facilitate governance-management interaction

1. Principles, policies and frameworks: the vehicles to institutionalise governance decisions
2. Process: process interfaces, RACI charts
3. Organisational structures: organisational structures can be in governance or management
space, depending on their composition and scope of decisions
4. Culture, ethics and behavior: Behaviour is set at the top of the organisation, so leading by
example is an important instrument for interaction
5. Information: information exchange between governance and management processes
6. Services, infrastructure and applications: Services are required (supported by applications
and infrastructure) to provide the governance body members with adequate information to
support Evaluate, Direct and Monitor
7. People, skills and competencies: Both governance body members and management have to
understand governance tasks and management tasks (and the difference between these two)

Governance and management key areas

[Figure: Business Needs; Governance Domain (Evaluate, Direct, Monitor); Management Feedback; Management Domain: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)]

An enterprise can organise its processes as it sees fit, as long as all necessary governance and
management objectives are covered. Smaller enterprises may have fewer processes; larger and
more complex enterprises may have many processes, all to cover the same objectives.

COBIT 5 includes a process reference model. This reference model clearly distinguishes governance
processes and management processes. The processes are grouped in 5 domains.

All governance processes are in the EDM (Evaluate, Direct and Monitor) domain.

The management processes are distributed over the 4 PBRM domains: Plan (APO), Build (BAI),
Run (DSS) and Monitor (MEA).

Each domain contains a number of processes.

This will be elaborated in Module 4 Enablers.


CobiT 5 Foundation with Case Study (ITG-253 v1.20)

4
Enablers


What is an enabler?

Enablers are factors that, individually and collectively, influence whether something will work


Generic enabler dimensions

Stakeholders
Goals
Life cycle
Good practices


Generic enabler dimensions help to:

- Provide a common, simple and structured way to deal with enablers
- Allow an entity to manage the complex interactions between enablers
- Facilitate successful outcomes of the enablers

There are 4 (generic) enabler dimensions:

- Stakeholders - Each enabler has stakeholders (parties who play an active role and/or have an interest in the enabler). For example, processes have different parties who execute process activities and/or who have an interest in the process outcomes; organisational structures have stakeholders, each with his/her own roles and interests, that are part of the structures. Stakeholders can be internal or external to the enterprise, all having their own, sometimes conflicting, interests and needs. Stakeholders' needs translate to enterprise goals, which in turn translate to IT-related goals for the enterprise.
- Goals - Each enabler has a number of goals, and enablers provide value by the achievement of these goals. Goals can be defined in terms of:
  - Expected outcomes of the enabler
  - Application or operation of the enabler itself


Enabler performance management

Lag indicators:
- Are stakeholder needs addressed?
- Are enabler goals achieved?

Lead indicators:
- Is the enabler life cycle managed?
- Are good practices applied?

Enterprises expect positive outcomes from the application and use of enablers. To manage
performance of the enablers, the following questions will have to be monitored, and thereby
subsequently answered, based on metrics, on a regular basis:

- Are stakeholder needs addressed?
- Are enabler goals achieved?
- Is the enabler life cycle managed?
- Are good practices applied?

The first two bullets deal with the actual outcome of the enabler. They are also called outcome
measures and represent the consequences of actions previously taken. Outcome measures
frequently focus on results at the end of a time period and characterize historical performance. They
are also referred to as key goal indicators (KGIs) and are used to indicate whether goals have been
met. These can be measured only after the fact and, therefore, are called lag indicators.

The last two bullets deal with the actual functioning of the enabler itself. They are also called
performance drivers and are measures that are considered the drivers of the lag indicators. They
can be measured before the outcome is clear and, therefore, are called lead indicators. There is
an assumed relationship between the two that suggests that improved performance in a leading


Enablers overview

Enabler Dimension
- Stakeholders: Internal Stakeholders; External Stakeholders
- Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
- Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
- Good Practices: Practices; Work Products (Inputs/Outputs)

Enabler Performance Management
- Are Stakeholders Needs Addressed? Are Enabler Goals Achieved? Metrics for Application of Goals (Lag Indicators)
- Is Life Cycle Managed? Are Good Practices Applied? Metrics for Application of Practice (Lead Indicators)


7 categories of enterprise enablers

[Figure: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organizational Structure; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies (5 to 7 labelled Resources)]

Enablers are factors that, individually and collectively, influence whether something will work, in this
case, governance and management over enterprise IT. Enablers are driven by the goals cascade,
i.e., higher-level IT-related goals define what the different enablers should achieve.

- Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
- Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
- Organizational structures are the key decision-making entities in an enterprise.
- Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
- Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
- Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
- People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

Enabler 1: Principles, policies & frameworks

Enabler Dimension
- Stakeholders: Internal Stakeholders; External Stakeholders
- Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
- Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
- Good Practices: Practices (Control Framework, Principles, Policy Framework, Scope, Validity); Work Products (Inputs/Outputs): Policy Statements

Enabler Performance Management
- Are Stakeholders Needs Addressed? Are Enabler Goals Achieved? Metrics for Application of Goals (Lag Indicators)
- Is Life Cycle Managed? Are Good Practices Applied? Metrics for Application of Practice (Lead Indicators)

Links and relationships between principles, policies and frameworks and other enablers:
- Principles, policies and frameworks reflect the culture, ethics and values of the enterprise. They influence and direct behavior.
- Processes are the most important vehicle for executing policies. Examples: architectural policies (defined in
- Organizational structures can define and implement policies
- Policies are part of information

Stakeholders

Internal stakeholders
Board
Executive management
Compliance officers
Risk managers

External stakeholders
Regulatory agencies
Shareholders
Service providers and customers
External auditors


Stakeholders for principles and policies can be internal and external to the enterprise.

The stakes are twofold: Some stakeholders define and set policies, others have to align to, and
comply with, policies.

Goals

Communicate the rules of the enterprise

- Principles: Limited in number; Simple
- Policies: Effective; Efficient; Non-intrusive
- Frameworks: Comprehensive; Open and flexible; Current; Available and accessible

[Figure label: Decision making]

Principles, policies and frameworks are instruments to communicate the rules of the enterprise,
in support of the governance objectives and enterprise values, as defined by the board and
executive management.

Principles need to be:

- Limited in number
- Put in simple language, expressing as clearly as possible the core values of the enterprise

Policies provide more detailed guidance on how to put principles into practice and they influence
how decision making aligns with the principles. Good policies are:

- Effective: They achieve the stated purpose.
- Efficient: They ensure that principles are implemented in the most efficient way.
- Non-intrusive: They appear logical for those who have to comply with them, i.e., they do not create unnecessary resistance.

Example:

- Principle: We want to be an independent company, avoiding interdependence on other companies such as suppliers
- Policy (sourcing policy): We pursue a deliberate multi-vendor policy to prevent vendor lock-in.

Life cycle

[Figure: policy life cycle: Agenda setting, Analysis, Policy creation, Implementation, Monitoring]

Policies have a life cycle that has to support the achievement of the defined goals. Frameworks are
key because they provide a structure to define consistent guidance. For example, a policy framework
provides the structure in which a consistent set of policies can be created and maintained, and it
also provides an easy point of navigation within and between individual policies.

Depending on the external environment in which the enterprise operates, there can be varying
degrees of regulatory requirements for strong internal control and, as a consequence, a strong policy
framework. A key attention point to be taken into account regarding frameworks and policies is the
currency of policies: if and when policies are reviewed and updated, are there strong mechanisms in
place to ensure that people are aware of these updates, that the newest version is easily accessible
(see previous point), and that obsolete information is properly archived or disposed of?

- Agenda setting: there may be a need to consult on issues that for the engagement purposes are still at an 'open-ended' stage, in that the consultation owners do not want the dialogue to be shaped by specific policy statements.
- Analysis: Define the agenda, state a position relating to the items on that agenda, and seek evidence and knowledge from others.
- Creating the policy: There is a draft document for formal consultation, potentially greater need to target and identify specific stakeholders/participants, and possibly with options to be assessed in more detail e.g. through simulation of decision-making, or risk analysis.

Good practices

- Well-defined scope of policies and frameworks
- Consequences of failing to comply with the policy
- How to handle exceptions?
- Monitor, review, revalidate and revise policies

Policies should be part of an overall governance and management framework, providing a
(hierarchical) structure into which all policies fit and clearly make the link to the underlying principles.

As part of the policy framework, the following items need to be described:

- Scope and validity
- The consequences of failing to comply with the policy
- The means for handling exceptions
- The manner in which compliance with the policy will be checked and measured

Generally recognized governance and management frameworks can provide valuable guidance on
the actual statements to be included in policies.

Policies should be aligned with the enterprise's risk appetite. Policies are a key component of an
enterprise's system of internal control, whose purpose it is to manage and contain risk. As part of
risk governance activities, the enterprise's risk appetite is defined, and this risk appetite should be
reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise.

Policies need to be revalidated and/or updated at regular intervals.

Relationships with other enablers

The links with other enablers include:

- Principles, policies and frameworks should reflect the culture and ethical values of the enterprise, and they should encourage the desired behaviour; hence, there is a strong link with the culture, ethics and behaviour enabler.
- Process practices and activities are the most important vehicle for executing policies.
- Organisational structures can define and implement policies within their span of control, and their activities are also defined by policies.
- Policies are also information, so all good practices applying to information apply to policies as well.

Enabler 2: Processes

Enabler Dimension
- Stakeholders: Internal Stakeholders; External Stakeholders
- Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
- Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
- Good Practices: Process Practices, Activities, Detailed Activities; Work Products (Inputs/Outputs)

Generic Practices for Processes

Enabler Performance Management
- Are Stakeholders Needs Addressed? Are Enabler Goals Achieved? Metrics for Application of Goals (Lag Indicators)
- Is Life Cycle Managed? Are Good Practices Applied? Metrics for Application of Practice (Lead Indicators)

Cobit 5 definition of process

A process is defined as a collection of practices influenced by
the enterprise's policies and procedures that takes inputs from a
number of sources (including other processes), manipulates the
inputs and produces outputs (e.g., products, services).

[Figure: Inputs, Activities, Outputs, with a Feedback loop]

Stakeholders

Internal stakeholders
Board
Management (all levels)
Staff

External stakeholders
Customers
Business partners
Service providers


Processes have internal and external stakeholders, with their own roles; stakeholders and their
responsibility levels are documented in RACI charts.

External stakeholders may include customers, business partners (especially when producing goods
and/or services in a value chain, e.g. companies such as Nike, car manufacturers etc.), service
providers (especially when IT and/or business processes are outsourced) and regulators.

Internal stakeholders may include the board, management, staff and volunteers.

Goals

- Process goals describe the desired outcome of a process
- SMART metrics are defined to measure the extent to which goals are achieved

Process goals are defined as a statement describing the desired outcome of a process. An outcome
can be an artefact, a significant change of a state or a significant capability improvement of other
processes. They are part of the goals cascade, i.e., process goals support IT-related goals, which in
turn support enterprise goals.

At each level of the goals cascade, hence also for processes, metrics are defined to measure the
extent to which goals are achieved. Metrics can be defined as a quantifiable entity that allows
the measurement of the achievement of a process goal. Metrics should be SMART: specific,
measurable, actionable, relevant and timely.

To manage the enabler effectively and efficiently, metrics need to be defined to measure the
extent to which the expected outcomes are achieved. In addition, a second aspect of performance
management of the enabler describes the extent to which good practice is applied. Here also,
associated metrics can be defined to help with the management of the enabler.

Process goal categories

Intrinsic goals
Contextual goals
Accessibility and security goals

APMG 2012; 2012 ISACA. All Rights Reserved. Slide 17

Process goal categories

Intrinsic goals: Does the process have intrinsic quality? Is it accurate and in line with good
practice? Is it compliant with internal and external rules?

Contextual goals: Is the process customised and adapted to the enterprise's specific situation?
Is the process relevant, understandable, easy to apply?

Accessibility and security goals: The process remains confidential, when required, and is
known and accessible to those who need it.

Life cycle

Process life cycle stages: Defined, Created, Operated, Monitored, Adjusted, Retired

Life cycle: Each process has a life cycle. It is defined, created, operated, monitored, and
adjusted/updated or retired. Generic process practices such as those defined in the COBIT process
assessment model based on ISO/IEC 15504 can assist with defining, running, monitoring and
optimising processes.

In this case, the process managers would need to design and define the process first. They can
use several elements from COBIT 5: Enabling Processes to design processes, i.e., to define
responsibilities and to break the process down into practices and activities, and define process
work products (inputs and outputs). In a later stage, the process needs to be made more robust and
efficient, and for that purpose the process managers can raise the capability level of the process. The
ISO/IEC 15504-inspired COBIT 5 Process Capability Model and the process capability attributes
can be used for that purpose, for example:
Process capability level 2 requires the achievement of two attributes: Performance
Management and Work Product Management. The first attribute requires a number of
planning-phase-related activities:
Objectives for the performance of the process are defined.
Performance of the process is planned.
Responsibilities for performing the process are defined.
Resources are identified.
Etc.

Good practices

For each process a complete set of high-level requirements is available
For each process the activities are defined as key governance practices or key management practices
Detailed activities can be obtained from good practices such as ITIL, ISO/IEC 27000, PRINCE2 etc.

Practices:
For each COBIT 5 process, the governance/management practices provide a complete set of
high-level requirements for effective and practical governance and management of enterprise
IT. They are:
Statements of actions to deliver benefits, optimise the level of risk and optimise the use
of resources
Aligned with relevant generally accepted standards and good practices
Generic and therefore needing to be adapted for each enterprise
Covering business and IT role players in the process (end-to-end)
The enterprise governance body and management need to make choices relative to these
governance and management practices by:
Selecting those that are applicable and deciding on those that will be implemented
Adding and/or adapting practices where required
Defining and adding non-IT-related practices for integration in business processes
Choosing how to implement them (frequency, span, automation, etc.)
Accepting the risk of not implementing those that may apply


How to use the RACI chart?


R (Responsible): who is getting the tasks done? This can be one or a number of roles
A (Accountable): who accounts for the success of the tasks? There can only be one
role responsible
C (Consulted): who must be consulted prior to decision making and/or performing a task?
I (Informed): who must be informed after the decision has been made and/or the tasks
were performed?

The COBIT 5 Process Reference Model (PRM)

[Figure: governance and management key areas. Business needs; Governance domain: Evaluate, Direct, Monitor; Management feedback; Management domain: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)]

One of the guiding principles in COBIT is the distinction made between governance and management.
In line with this principle, every enterprise would be expected to implement a number of governance
processes and a number of management processes to provide comprehensive governance and
management of enterprise IT.

When considering processes for governance and management in the context of the enterprise, the
difference between types of processes lies within the objectives of the processes:
Governance processes: Governance processes deal with the stakeholder governance
objectives (value delivery, risk optimisation and resource optimisation) and include practices
and activities aimed at evaluating strategic options, providing direction to IT and monitoring
the outcome (EDM, in line with the ISO/IEC 38500 standard concepts).
Management processes: In line with the definition of management, practices and activities
in management processes cover the responsibility areas of PBRM (an evolution of the COBIT
4.1 domains) enterprise IT, and they have to provide end-to-end coverage of IT.

Although the outcome of both types of processes is different and intended for a different audience,
internally, from the context of the process itself, all processes require planning, building or
implementation, execution and monitoring activities within the process.

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organize
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definitions
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Change
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Requirements Definition
BAI10 Manage Configuration

Deliver, Service and Support
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Control

Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance With External Requirements


Relationships with other enablers

Links between processes and the other enabler categories exist through the following relationships:
Processes need information (as one of the types of inputs) and can produce information (as a
work product)
Processes need organisational structures and roles to operate, as expressed through RACI
charts (e.g. IT steering committee, enterprise risk committee, board, audit, CIO, CEO)
Processes produce, and also require, service capabilities (infrastructure, applications, etc.)
Processes can, and will, depend on other processes
Processes produce, or need, policies and procedures to ensure consistent implementation
and execution
Cultural and behavioural aspects determine how well processes are executed

Enabler 3: Organisational structures

[Figure: COBIT 5 enabler model applied to organisational structures. Enabler dimensions: Stakeholders (internal, external); Goals (intrinsic quality; contextual quality: relevance, effectiveness; accessibility and security); Life cycle (plan; design; build/acquire/create/implement; use/operate; evaluate/monitor; update/dispose); Good practices (practices: operating principles, span of control (scope), level of authority, delegation of authority, escalation procedures; work products (inputs/outputs): decisions). Enabler performance management: Are stakeholders' needs addressed? Are enabler goals achieved? Is life cycle managed? Are good practices applied? Metrics for application of goals (lag indicators); metrics for application of practice (lead indicators).]

Roles/structures

The organisation structure includes more than the org chart.

In addition to organisational sub-entities (such as business units, departments or teams),
decision-making bodies such as Boards and Committees are also part of the organisation structure.

According to Mintzberg the organisation structure is the sum total of the ways in which the
organisation divides its labour into distinct tasks and then achieves coordination among them.

The organisation then has 5 coordination mechanisms to form the organisation structure:
Mutual adjustment
Direct supervision
Standardisation of processes
Standardisation of output
Standardisation of skills

Some of these mechanisms are more suited to a certain stage in the organisation (structure)
life cycle.

Stakeholders

Internal stakeholders
Individual members of the structure
Organisational entities (e.g. departments, business units etc.)
Staff

External stakeholders
Customers
Business partners
Service providers

Stakeholders: Organisational structures' stakeholders can be internal and external to the
enterprise, and they include the individual members of the structure, other structures, organisational
entities, clients, suppliers and regulators.

Their roles vary, and include decision making, influencing and advising. The stakes of each of the
stakeholders also vary, i.e., what interest do they have in the decisions made by the structure?

Goals

Proper mandate
Well-defined operating principles
(application of good practices)

Life cycle

Organisation life cycle

Entrepreneurial stage -> Crisis: Need for leadership
Collectivity stage -> Crisis: Need for delegation
Formalization stage -> Crisis: Too much red tape
Elaboration stage -> Crisis: Need for revitalization
Different stages in the organisational life require different organisation structures

Source: R.L. Daft, Organizational theory and design, 2006

Daft (2007) distinguishes four stages in the organisational life cycle:


1. Entrepreneurial stage
2. Collectivity stage
3. Formalization stage
4. Elaboration stage

Different structures are typically used during each stage in the organisational life cycle:
Entrepreneurial stage: organization is informal and non-bureaucratic. Control is based on the
owners' personal supervision. Creativity causes growth. Crisis: Need for leadership. As the
organization starts to grow, the larger number of employees causes problems. Entrepreneurs
must either adjust the structure of the organization to accommodate continued growth or else
bring in strong managers.
Collectivity stage: the provision of clear direction causes growth. Crisis: the need for
delegation with control. Lower-level employees find themselves restricted by the strong
top-down control. The organization needs to find mechanisms to control and coordinate
departments without direct supervision from the top.
Formalisation stage: the addition of internal systems (rules, procedures and control systems)
causes growth. Crisis: Too much red tape. The organization seems bureaucratized. Middle

Good practices

Operating principles
Composition
Span of control
Level of authority / decision rights
Delegation of authority
Escalation procedures

A number of good practices for organisational structures can be distinguished, such as:
Operating principles: The practical arrangements regarding how the structure will operate,
such as frequency of meetings, documentation and housekeeping rules
Composition: Structures have members, who are internal or external stakeholders.
Span of control: The boundaries of the organisational structure's decision rights
Level of authority/decision rights: The decisions that the structure is authorised to take
Delegation of authority: The structure can delegate (a subset of) its decision rights to other
structures reporting to it.
Escalation procedures: The escalation path for a structure describes the required actions in
case of problems in making decisions.

Relationship with other enablers

The links with other enablers include:


RACI charts link process activities to organisational structures and/or individual roles in the
enterprise. They describe the level of involvement of each role for each process practice.
Culture, ethics and behaviour determine the efficiency and effectiveness of organisational
structures and their decisions. Organisations with an extensive, multi-layered hierarchy will fail
when the culture of the organisation is entrepreneurial and rather informal.
People, skills and competencies: composition of organisational structures should take into
account and require the appropriate skill set of its members, e.g. an organization with highly
skilled, relatively autonomous professionals requires a different organisation structure than a
blue-collar, factory-like set-up with strict and standardised processes and procedures.
The mandate and operating principles of organisational structures are guided by the policy
framework in place (Principles, policies and frameworks)
A structure, especially the decision-making bodies therein, requires inputs (typically
information) before it can make decisions, and it produces outputs, e.g., decisions, other
information, or requests for additional inputs.

Enabler 4: Culture, ethics and behaviour

[Figure: COBIT 5 enabler model applied to culture, ethics and behaviour. Enabler dimensions: Stakeholders (internal, external); Goals (intrinsic quality; contextual quality: relevance, effectiveness; accessibility and security); Life cycle (plan; design; build/acquire/create/implement; use/operate; evaluate/monitor; update/dispose); Good practices (practices: communication, enforcement, incentives and rewards, awareness, rules and norms, champions; work products (inputs/outputs)). Enabler performance management: Are stakeholders' needs addressed? Are enabler goals achieved? Is life cycle managed? Are good practices applied? Metrics for application of goals (lag indicators); metrics for application of practice (lead indicators).]

Culture drives behaviour

Artefacts: visible organisational structures and processes (hard to decipher)
Espoused beliefs and values: strategies, goals, philosophies (espoused justifications)
Underlying assumptions: unconscious, taken-for-granted beliefs, perceptions, thoughts and feelings (ultimate source of values and actions)

Source: E.H. Schein, Organizational culture and leadership, 2004

The culture of a group can be defined as a pattern of shared basic assumptions that was learned
by a group as it solved its problems of external adaptation and internal integration, that has worked
well enough to be considered valid and, therefore, to be taught to new members as the correct
way to perceive, think, and feel in relation to those problems. (Schein, Organizational culture and
leadership, 2004).

Behaviour is derivative, not central. The above definition of culture emphasises that (overt)
behaviour is always determined both by the cultural predisposition (the perceptions, thoughts,
and feelings that are patterned) and by the situational contingencies that arise from the immediate
external environment.

Stakeholders

Internal stakeholders
Executive and non-executive board members
HR Managers
Remuneration board
All organisation members

External stakeholders
External auditors
Regulatory agencies

As with Principles, policies and frameworks the stakes are twofold: some stakeholders, e.g.,
legal officers, risk managers, HR managers, remuneration boards and officers, deal with defining,
implementing and enforcing desired behaviours, and others have to align with the defined rules
and norms.

Goals

[Figure: Behaviour drives culture. Organisational ethics; individual ethics; individual behaviours (behaviour towards taking risk, behaviour towards following policy, behaviour towards negative outcomes); organisational culture]

Goals for the culture, ethics and behaviour enabler relate to:
Organisational ethics, determined by the values by which the enterprise wants to live
Individual ethics, determined by the personal values of each individual in the enterprise and
depending to an important extent on external factors such as religion, ethnicity, socioeconomic
background, geography and personal experiences
Individual behaviours, which collectively determine the culture of an enterprise. Many
factors, such as the external factors mentioned above, but also interpersonal relationships in
enterprises, personal objectives and ambitions, drive behaviours. Some types of behaviours
that can be relevant in this context include:
Behaviour towards taking risk - How much risk does the enterprise feel it can absorb and
which risk is it willing to take?
Behaviour towards following policy - To what extent will people embrace and/or comply
with policy?
Behaviour towards negative outcomes - How does the enterprise deal with negative
outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to
adjust, or will blame be assigned without treating the root cause?

Life cycle

As an organisation progresses through the organisation life cycle, the culture needs to change accordingly
Therefore plan, design, implement, evaluate and adapt the culture constantly.

An organisational culture, ethical stance and individual behaviours, etc., all have their life cycles.
Starting from an existing culture, an enterprise can identify required changes and work towards their
implementation. Several tools, described in the good practices, can be used.

Good practices

Communicate the desired behaviour
Create awareness of the desired behaviour
Incentivise the desired behaviour
Instate rules and norms to guide the desired behaviour

Good practices for creating, encouraging and maintaining desired behaviour throughout the
enterprise include:
Communication throughout the enterprise of desired behaviours and the underlying
corporate values
Awareness of desired behaviour, strengthened by the example behaviour exercised by senior
management and other champions
Incentives to encourage and deterrents to enforce desired behaviour. There is a clear link
between individual behaviour and the HR reward scheme that an enterprise puts in place.
Rules and norms, which provide more guidance on desired organisational behaviour. This links
very clearly to the principles and policies that an enterprise puts in place.

Relationship with other enablers

The links with other enablers include:


Processes can be designed to a level of perfection, but if the stakeholders of the process do
not wish to execute the process activities as intended (i.e., if their behaviour is one of
non-compliance), process outcomes will not be achieved.
Likewise, organisational structures can be designed and built according to the textbook,
but if their decisions are not implemented (for reasons of different personal agendas, lack of
incentives, etc.), they will not result in decent governance and management of enterprise IT.
Principles and policies are a very important communication mechanism for corporate values
and the desired behaviour.

Exercise 2

Based on the defined IT-related goals (exercise 1):
Define the enabler goals for the 4 enablers covered so far
Describe how you can use these enablers to reinforce one another

T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -133- New Horizons


Module
Enablers
4 CobiT 5 Foundation with Case Study (ITG-253 v1.20)

3. Organizational 4. Culture, Ethics


2. Processes
Structure and Behaviour

Enabler 5: Information 5. Information


1. Principles, Policies and Frameworks

6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications

Resources
[Figure: COBIT 5 enabler model applied to information]
Enabler Dimension
Stakeholders: Internal Stakeholders; External Stakeholders
Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
Good Practices: Practices: Define Information Attributes: Physical (Carrier, Media); Empirical (User Interface); Syntactic (Language, Format); Semantic (Meaning, Type, Currency, Level); Pragmatic (Use), Includes Retention, Status, Contingency, Novelty; Social (Context)
Enabler Performance Management
Are Stakeholders' Needs Addressed? Are Enabler Goals Achieved? Is Life Cycle Managed? Are Good Practices Applied?
Metrics for Application of Goals (Lag Indicators)
Metrics for Application of Practice (Lead Indicators)

The information cycle

[Figure: the information cycle. Labels: Business Process, IT Processes, Data, Information, Knowledge, Value. Arrows: Generate and Process, Transform, Transform, Create, Drive.]

Information can be considered as being one stage in the information cycle of an enterprise. In
the information cycle business processes generate and process data, transforming them into
information and knowledge, and ultimately generating value for the enterprise. The scope of the
information enabler mainly concerns the information phase in the information cycle, but the aspects
of data and knowledge are also covered in COBIT 5.

Stakeholders

Internal stakeholders
External stakeholders
Categories of roles:
Specific data or information roles
Generic roles (meta level)


Stakeholders

Stakeholders can be internal or external to the enterprise. The generic model also suggests that, apart from
identifying the stakeholders, their stakes need to be identified, i.e., why they care or are interested
in the information. With respect to which information stakeholders exist, different categories of roles
in dealing with information are possible, ranging from detailed proposals (e.g., suggesting specific
data or information roles such as architect, owner, steward, trustee, supplier, beneficiary, modeller,
quality manager, security manager) to more general proposals (for instance, distinguishing amongst
information producers, information custodians and information consumers):
Information producer, responsible for creating the information
Information custodian, responsible for storing and maintaining the information
Information consumer, responsible for using the information

These categories refer to specific activities with regard to the information resource. Activities
depend on the life cycle phase of the information; therefore, to find a category of roles that has
an appropriate level of granularity for the IM, the information life cycle dimension of the IM can be
used. This means that information stakeholder roles can be defined in terms of information life cycle
phases, e.g., information planners, information obtainers, information users.

At the same time, this means that the information stakeholder dimension is not an independent
dimension; different life cycle phases have different stakeholders.

Goals

Intrinsic quality
accuracy, objectivity, believability, reputation
Contextual and representational quality:
relevancy, completeness, currency, appropriate amount
of information, concise, consistent, interpretability,
understandability, ease of manipulation
Security / accessibility quality:
availability / timeliness, restricted access


Goals

The goals of information are divided into three subdimensions of quality:


Intrinsic quality: The extent to which data values are in conformance with the actual or true values. It includes:
  Accuracy: The extent to which information is correct and reliable
  Objectivity: The extent to which information is unbiased, unprejudiced and impartial
  Believability: The extent to which information is regarded as true and credible
  Reputation: The extent to which information is highly regarded in terms of its source or content
Contextual and representational quality: The extent to which information is applicable to the task of the information user and is presented in an intelligible and clear manner, recognising that information quality depends on the context of use. It includes:
  Relevancy: The extent to which information is applicable and helpful for the task at hand
  Completeness: The extent to which information is not missing and is of sufficient depth and breadth for the task at hand
  Currency: The extent to which information is sufficiently up to date for the task at hand
  Appropriate amount of information: The extent to which the volume of information is appropriate for the task at hand

Life cycle

Plan
Design
Build / acquire / create / implement
Use / operate
  Store
  Share
  Use
Evaluate / monitor
Update / dispose


Life cycle

The full life cycle of information needs to be considered, and different approaches may be required
for information in different phases of the life cycle. The COBIT 5 information enabler distinguishes
the following phases:
Plan: The phase in which the creation and use of the information resource is prepared. Activities in this phase may refer to the identification of objectives, the planning of the information architecture, and the development of standards and definitions, e.g., data definitions, data collection procedures.
Design
Build/acquire/create/implement: The phase in which the information resource is acquired. Activities in this phase may refer to the creation of data records, the purchase of data and the loading of external files.
Use/operate, which includes:
  Store: The phase in which information is held electronically or in hard copy (or even just in human memory). Activities in this phase may refer to the storage of information in electronic form (e.g., electronic files, databases, data warehouses) or as hard copy (e.g., paper documents).
  Share: The phase in which information is made available for use through a distribution method. Activities in this phase may refer to the processes involved in getting the

Good practices

Define properties of information (on 6 layers)


1. Physical world layer
2. Empiric layer
3. Syntactic layer
4. Semantic layer
5. Pragmatic layer
6. Social world layer

Investments in information and related technology are based on business cases

Good practices

Cobit 5 distinguishes six levels or layers to define and describe properties of information. These
six levels present a continuum of attributes, ranging from the physical world of information, where
attributes are linked to information technologies and media for information capturing, storing,
processing, distribution and presentation, to the social world of information use, comprehension
and action.
Physical world layer: The world where all phenomena that can be empirically observed take place
  Information carrier/media: The attribute that identifies the physical carrier of the information, e.g., paper, electric signals, sound waves
Empiric layer: The empirical observation of the signs used to encode information and their distinction from each other and from background noise
  Information access channel: The attribute that identifies the access channel of the information, e.g., user interfaces
Syntactic layer: The rules and principles for constructing sentences in natural or artificial languages. Syntax refers to the form of information.
  Code/language: Attribute that identifies the representational language/format used for encoding the information and the rules for combining the symbols of the language to form syntactic structures.

Relationship with other enablers

[Figure: the seven COBIT 5 enablers: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organizational Structure; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies; Resources]

Enabler 6: Services, infrastructure and applications
[Figure: COBIT 5 enabler model applied to services, infrastructure and applications]
Enabler Dimension
Stakeholders: Internal Stakeholders; External Stakeholders
Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness): Applications, Infrastructure, Technology, Service Levels; Accessibility and Security
Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
Good Practices: Practices: Definition of Architecture Principles, Architecture Viewpoints, Service Levels; Work Products (Inputs/Outputs): Reference Repository, Architecture (Target, Transition, Baseline)
Enabler Performance Management
Are Stakeholders' Needs Addressed? Are Enabler Goals Achieved? Is Life Cycle Managed? Are Good Practices Applied?
Metrics for Application of Goals (Lag Indicators)
Metrics for Application of Practice (Lead Indicators)

Stakeholders

The Service Provider can be internal or external


Users of services can also be internal or external


Stakeholders

Service capabilities (the combined term for services, infrastructure and applications) stakeholders
can be internal and external. The service owner is an important internal stakeholder. Important
external stakeholders may be compliancy and regulatory overseers.

Services can be delivered by internal or external parties (internal IT departments, operations
managers, outsourcing providers).

Users of services can also be internal (business users) and external to the enterprise (partners,
clients, suppliers).

The stakes of each of the stakeholders need to be identified and will either be focussed on delivering
adequate services or on receiving requested services from providers.

Goals

Express goals in terms of:


Services
Service levels


Goals

Goals of the service level capability will be expressed in terms of services (applications, infrastructure,
technology) and service levels, considering which services and service levels are most economical
for the enterprise. Again, goals will relate to the services and how they are provided, as well as their
outcomes, i.e., contribution towards successfully supported business processes.

Life cycle

Plan
Design
Build / acquire / create / implement
Use / operate
Evaluate / monitor
Update / dispose


Life cycle

Service capabilities have a life cycle. The future or planned service capabilities are typically
described in a target architecture. It covers the building blocks, such as future applications and
the target infrastructure model, and also describes the linkages and relationships amongst these
building blocks.

Good practices

Define the architecture principles


Define enterprise specific architecture viewpoints
Have an architecture repository
Define the service requirements
Define the service levels


Good practices

Good practice for service capabilities includes:


Definition of architecture principles: Architecture principles are overall guidelines that govern the implementation and use of IT-related resources within the enterprise. Examples of potential architecture principles are:
  Reuse: Common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures.
  Buy vs. build: Solutions should be purchased unless there is an approved rationale for developing them internally.
  Simplicity: The enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements.
  Agility: The enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner.
  Openness: The enterprise architecture should leverage open industry standards.
The enterprise's definition of the most appropriate architecture viewpoints to meet the needs of different stakeholders. These are the models, catalogues and matrices used to describe the baseline, target or transition architectures; for example, an application architecture could be described through an application interface diagram, which shows the applications in use (or planned) and the interfaces amongst them.

Relationship with other enablers

[Figure: the seven COBIT 5 enablers]

The links with other enablers include:


Information is one of the service capabilities, and service capabilities are leveraged through
processes to deliver internal and external services.
Cultural and behavioural aspects are also relevant when a service-oriented culture needs to
be built.
Within COBIT 5, the inputs and outputs of the management practices and activities could
include service capabilities, which are required as inputs or delivered as outputs.

Enabler 7: People, skills and competencies
[Figure: COBIT 5 enabler model applied to people, skills and competencies]
Enabler Dimension
Stakeholders: Internal Stakeholders; External Stakeholders
Goals: Intrinsic Quality: Education and Qualifications, Technical Skills; Contextual Quality (Relevance, Effectiveness): Experience, Knowledge, Behavioural Skill, Availability, Turnover; Accessibility and Security
Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
Good Practices: Practices: Define Role Skill Requirements, Skill Levels, Skill Categories; Work Products (Inputs/Outputs): Skill Definitions
Enabler Performance Management
Are Stakeholders' Needs Addressed? Are Enabler Goals Achieved? Is Life Cycle Managed? Are Good Practices Applied?
Metrics for Application of Goals (Lag Indicators)
Metrics for Application of Practice (Lead Indicators)

Stakeholders

Internal stakeholders
Business managers
Project managers
Recruiters
Staff (systems developers, technical IT specialists, etc.)

External stakeholders
Partners
Competitors
Trainers


Stakeholders

Skills and competencies stakeholders are internal and external to the enterprise. Different
stakeholders assume different roles (business managers, project managers, partners, competitors,
recruiters, trainers, developers, technical IT specialists, etc.) and each role requires a distinct skill set.

Goals

Goals related to skills and competencies:


Education and qualification levels
Technical skills
Experience levels
Knowledge and behavioral skills

Goals related to people:


Correct level of staff availability
Correct level of staff skills and competencies
Turnover rate
Absenteeism


Goals

Goals for skills and competencies relate to education and qualification levels, technical skills,
experience levels, knowledge and behavioural skills required to provide and successfully perform
process activities, organisational roles, etc. Goals for people include correct levels of staff availability
and turnover rate.

Life cycle

Assess the current skill base


Current skills
Required skills

Develop or acquire skills and competencies


Deploy skills and competencies within the
organisational structure
Dispose of obsolete skills
Periodically reassess the skill base


Life cycle

Skills and competencies have a life cycle. An enterprise has to know what its current skill base
is, and plan what it needs to be. This is influenced by (amongst other issues) the strategy and
goals of the enterprise. Skills need to be developed (e.g., through training) or acquired (e.g.,
through recruitment) and deployed in the various roles within the organisational structure.
Skills may need to be disposed of, e.g., if an activity is automated or outsourced.
Periodically, such as on an annual basis, the enterprise needs to assess the skill base to
understand the evolution that has occurred, which will feed into the planning process for the
next period.
This assessment can also feed into the reward and recognition process for human resources.

Good practices

Differentiate skill requirements to activities and categories


Use external sources such as Skills Framework for the
Information Age (SFIA)
Examples of potential skill categories mapped to COBIT 5 process domains:
EDM: Governance of Enterprise IT
APO: IT policy formation; IT strategy; Enterprise architecture; Innovation; Financial management; Portfolio management
BAI: Business analysis; Project management; Usability evaluation; Requirements definition and management; Programming; Software decommissioning
DSS: Availability management; Problem management; Service desk and incident management; Security administration; IT operations; Database administration
MEA: Compliance review; Performance monitoring; Controls audit

Good practices

Define the need for objective skill requirements for each role played by the various
stakeholders. This can be described through different skill levels in different skill categories.
For each appropriate skill level in each skill category, a skill definition should be available.
The skill categories correspond with the IT-related activities undertaken, e.g., information
management, business analysis.
Use external sources of good practice, such as the Skills Framework for the Information Age
(SFIA), which provides comprehensive skill definitions.
Examples of potential skill categories, mapped to COBIT 5 process domains, can be found in
the Cobit Framework, figure 39 (p. 88).

Note: the skill categories and competencies mentioned here are primarily based on content skills.
Bear in mind that behavioral skills are at least as important as these content skills.

Relationship with other enablers

[Figure: the seven COBIT 5 enablers]

The links with other enablers include:


Skills and competence are required to perform process activities and take decisions in
organisational structures. Conversely, some processes are aimed at supporting the life cycle
of skills and competencies.
There is also a link to culture, ethics and behaviour through behavioural skills, which drive
individual behaviour and are influenced by individual ethics and organisational ethics.
Skills definitions are also information, for which best practices of the information enabler need
to be considered.

Module 5 - Implementation

Implementing change successfully

Each implementation approach will need to address the specific challenges of an organization
Success depends on adaptation to the context
The context changes continuously
Successful implementation of enterprise governance requires
an approach of continual improvement.


Considering the enterprise context


Design the implementation plan depending on internal and external
factors such as:
Ethics and culture
Applicable laws, regulations and policies
Mission, vision and values
Governance policies and practices
Business plan and strategic intentions
Operating model and level of maturity
Management style
Risk appetite
Capabilities and available resources
Industry practices
etc.


Key success factors for successful implementation

Top management commitment


All relevant parties supporting the governance and
management processes
Effective communication
Enablement of necessary changes
Tailoring COBIT (and other good practices / standards)
Realise quick wins
Prioritise the low hanging fruit


Key success factors for successful implementation

Key success factors for successful implementation include:


Top management providing the direction and mandate for the initiative, as well as visible
ongoing commitment and support
All parties supporting the governance and management processes to understand the
business and IT objectives
Ensuring effective communication and enablement of the necessary changes
Tailoring COBIT and other supporting good practices and standards to fit the unique context
of the enterprise
Focusing on quick wins and prioritising the most beneficial improvements that are easiest
to implement


Creating the appropriate environment

Ensure support and direction from key stakeholders


Address real business needs and issues
Initiate a change programme
Establish and maintain structures and processes for oversight
and direction
Visible support from key stakeholders


Creating the appropriate environment

To ensure that real business needs and issues are addressed, it helps to create a business case
outline. Presenting a business case (outline) to the responsible business managers ensures the
focus on actual solutions for the business.

Key actions when initiating a change programme are:


Define and assign key programme roles and responsibilities
Allocate adequate resources
Maintain stakeholder commitment on an ongoing basis


Address real business needs and issues

Examples of pain points (1):


Business frustration with failed initiatives, rising IT costs and a
perception of low business value
Significant incidents related to IT risk
Outsourced service delivery problems
Failure to meet regulatory or contractual requirements
IT limiting the enterprise's innovation capabilities and business agility
Regular audit findings about poor IT performance


Address real business needs and issues

In addition to pain points it is possible to use trigger events to create the appropriate environment
for implementation and change. The pain points refer to the content (why should we start
the implementation) whereas the trigger events refer to the timing (when should we start the
implementation).

Trigger events will be covered later in this module.


Address real business needs and issues

Examples of pain points (2):


Hidden and rogue IT spending
Duplication or overlap between initiatives or wasting resources
Insufficient IT resources, staff with inadequate skills or staff burnout/
dissatisfaction
IT-enabled changes failing to meet business needs, delivered late or
over budget
Reluctant, non-committal board members, managers and
business sponsors


Business case

A business case evolves through time


Start with a high level (strategic) outline
Add details later

A business case must be updated and managed through time


Business case

The business case is not a one-time static document, but a dynamic operational tool that must be
continually updated to reflect the current view of the future so that a view of the viability of the
programme can be maintained.

It can be difficult to quantify the benefits of implementation or improvement initiatives, and care
should be taken to commit only to benefits that are realistic and achievable.


Business case content

Targeted business benefits


Required business changes
Required investments
Ongoing IT and business costs
Expected benefits
Risks, constraints and dependencies
Roles, responsibilities and accountabilities
How the investment and value creation will be measured
and monitored


Business case content

The business case is a valuable tool available to management in guiding the creation of business
value. At a minimum, the business case should include the following:

The business benefits targeted, their alignment with business strategy and the associated
business owner (who in the business will be responsible for securing them). This could be
based on pain points and trigger events.
The business changes needed to create the envisioned value. This could be based on health
checks and capability gap analyses and should clearly state both what is in scope and what is
out of scope.
The investments needed (one-off costs) to make the governance and management of
enterprise IT changes (based on estimates of projects required)
The ongoing IT and business costs
The expected benefits of operating in the changed way. Note that these benefits must
contribute substantially to the targeted business benefits but do not have to be identical
necessarily. You may not be able to realise all targeted business changes on the one hand,
and there may be collateral benefits (i.e. additional benefits) on the other hand.
The risk inherent in the previous bullets, including any constraints and dependencies (based
on challenges and success factors)


Initiating the implementation

Use (business recognisable) trigger events


Trigger events can occur in the internal and external
environment of the enterprise


Examples of trigger events

Merger, acquisition or divestiture
A shift in the market, economy or competitive position
Change in business operating model or sourcing arrangements
New regulatory or compliance requirements
An enterprise-wide governance focus or project
A new CEO, CFO, CIO, etc.
External audit or consultant assessments
A new business strategy or priority
Desire to significantly improve the value to be gained from IT

Enabling change

Successful implementation: implementing the appropriate change in the appropriate way

Ensure stakeholder commitment


Enforce compliance


Successful implementation depends on implementing the appropriate change in the appropriate
way. Typically, the focus is on the appropriate change, e.g. by designing the enablers such as
structures and processes. Much less attention goes to managing the human, behavioural and cultural
aspects of change and to (continuously) motivating all stakeholders to buy into the change.

It should not be assumed that the various stakeholders involved in, or impacted by, new or revised
enablers will readily accept and adopt the change. The possibility of ignorance and/or resistance
to change needs to be addressed through a structured and proactive approach. Also, optimal
awareness of the implementation programme should be achieved through a communication plan
that defines what will be communicated, in what way and by whom, throughout the various phases
of the programme.

Sustainable improvement can be achieved either by gaining the commitment of the stakeholders
(investment in winning hearts and minds, the leaders' time, and in communicating and responding
to the workforce) or, where still required, by enforcing compliance (investment in processes to
administer, monitor and enforce). In other words, human, behavioural and cultural barriers need
to be overcome so that there is a common interest to properly adopt change, instil a will to adopt
change, and to ensure the ability to adopt change.


Implementation life cycle

Core components of the Implementation life cycle:


Core continual improvement
Enablement of change
Management of the programme


The implementation life cycle provides a way for enterprises to use COBIT to address the complexity
and challenges typically encountered during implementations. The three interrelated components of
the life cycle are the:
1. Core continual improvement life cycle: This is not a one-off project.
2. Enablement of change: Addressing the behavioural and cultural aspects
3. Management of the programme


Implementation life cycle

Phases of the Implementation life cycle:


1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?


Implementation life cycle

[Figure: the implementation life cycle drawn as three concentric rings around the seven phase questions (1. What are the drivers? to 7. How do we keep the momentum going?): Programme Management (outer ring), Change Enablement (middle ring), Continual Improvement Life Cycle (inner ring).]


What are the drivers?

1. Programme management
Initiate a programme

2. Change management
Establish desire to change

3. Continual improvement
Recognize the need to act


If a person does not see the necessity of change, there will be no change. This goes beyond
(rationally) understanding the need for change: it has to be felt. And change must be effected soon:
there must be a sense of urgency. Change Management guru Kotter suggests that for change to be
successful, 75% of a company's management needs to "buy into" the change. In other words, you
have to work really hard on Phase 1, and spend significant time and energy building urgency, before
moving onto the next steps. Don't panic and jump in too fast because you don't want to risk further
short-term losses; if you act without proper preparation, you could be in for a very bumpy ride.

This isn't simply a matter of showing people poor performance statistics or talking about audit
findings. Open an honest and convincing dialogue about what's happening in the enterprise and
the environment. If many people start talking about the change you propose, the urgency can build
and feed on itself.

What you can do:


Identify potential threats, and develop scenarios showing what could happen in the future
(pain points).
Examine opportunities that should be, or could be, exploited (trigger events).
Start honest discussions, and give dynamic and convincing reasons to get people talking
and thinking.
Request support from customers, outside stakeholders and industry people to strengthen
your argument.


Where are we now?

1. Programme management
Define problems and opportunities

2. Change management
Form implementation team

3. Continual improvement
Assess current state


Where do we want to be?

1. Programme management
Define road map

2. Change management
Communicate outcome

3. Continual improvement
Define target state


What needs to be done?

1. Programme management
Plan programme

2. Change management
Identify role players

3. Continual improvement
Build improvements


How do we get there?

1. Programme management
Execute plan

2. Change management
Operate and use

3. Continual improvement
Implement improvements


Did we get there?

1. Programme management
Realise benefits

2. Change management
Embed new approaches

3. Continual improvement
Operate and measure


How do we keep the momentum going?

1. Programme management
Review effectiveness

2. Change management
Sustain

3. Continual improvement
Monitor and evaluate



CobiT 5 Foundation with Case Study (ITG-253 v2.00)

6
Process Capability


Assessment approach (overview)

[Diagram elements: Process Reference Model (COBIT5); Measurement Framework (ISO 15504); Process Assessment Model; Initial Input; Assessment Process; Output; Roles and Responsibilities. What: Foundation. How: Assessor.]


Process Reference Model provides the:


Domain and scope
Process purpose
Process outcome

Measurement framework provides the


Capability levels
Process attributes
Rating scale

Initial input of the assessment:


Purpose
Scope
Constraints
Identities
Approach
Assessor competence criteria
Additional information


Based on ISO15504

What is ISO 15504?


The reference model for Process Maturity
Originates from SPICE


Cobit5 Process Capability Assessment is based on the ISO 15504 (standard reference model for
process maturity).

SPICE: Software Improvement and Capability Determination


ISO 15504 - Glossary

Process assessment model (PAM)


Process purpose
Process outcome
Process capability
Process capability level
Process capability level rating

Process attribute


Process assessment model (PAM): A model suitable for the purpose of determining
process capability, based on one or more process reference models (PRM)

Process purpose: The high-level measurable objectives of performing the process and the
likely outcomes of effective implementation of the process

Process outcome: An observable result of a process (Note: an outcome is an artefact, a
significant change of state or the meeting of specified constraints)

Process capability: A characterization of the ability of a process to meet current or
projected business goals

Process capability level: A point on the six-point ordinal scale (of process capability)
that represents the capability of the process; each level builds on the capability of the
level below

Process capability level rating: A representation of the achieved process capability
level derived from the process attribute ratings for an assessed process

Process attribute: A measurable characteristic of capability applicable to any process


ISO 15504- Glossary (ctd)

Performance indicator (process specific)


Base practices (BP)
Work products (WP)

Capability indicator
Generic practices (GP)
Generic work products (GWP)


Process attributes measured by / based on:

Performance indicators: A set of metrics designed to measure the extent to which
performance objectives are being achieved on an on-going basis (Note: performance
indicators are process specific)

Base practice: An activity that, when consistently performed, contributes to achieving a
specific process purpose

Work product (WP): An artefact associated with the execution of a process

Capability indicator: Assessment indicator that supports the judgement of the process
capability of a specific process (Note: the capability indicators are based on generic practices
and generic work products)

Generic practice (GP): An activity that, when consistently performed, contributes to the
achievement of specific process attributes

Generic work product (GWP): An artefact associated with the execution of a process
that is commonly stated, or general in nature


Capability levels
5 capability levels based on 9 process attributes:

Level 5: Optimizing process     PA 5.1 Process innovation; PA 5.2 Process optimization
Level 4: Predictable process    PA 4.1 Process measurement; PA 4.2 Process control
Level 3: Established process    PA 3.1 Process definition; PA 3.2 Process deployment
Level 2: Managed process        PA 2.1 Performance management; PA 2.2 Work product management
Level 1: Performed process      PA 1.1 Process performance
Level 0: Incomplete process


Optimizing: the process is continuously improved to meet relevant current and projected
business goals
Predictable: the process is enacted consistently within defined limits
Established: a defined process is used based on a standard process
Managed: the process is managed and work products are established, controlled
and maintained
Performed: the process is implemented and achieves its process purpose
Incomplete: the process is not implemented or fails to achieve its purpose


Capability level rating


Abbreviation   Description          Percentage achieved
N              Not achieved         0 to 15% achieved
P              Partially achieved   16 to 50% achieved
L              Largely achieved     51 to 85% achieved
F              Fully achieved       86 to 100% achieved

To achieve a capability level, a process must:


Largely or fully achieve the current level
Fully achieve the underlying level(s)


Each capability level can be achieved only when the level below has been fully achieved. For
example, a process capability level 3 (established process) requires the process definition and
process deployment attributes to be largely achieved, on top of full achievement of the attributes for
a process capability level 2 (managed process).

N Not achieved (0 to 15% achievement) - There is little or no evidence of achievement of the
defined attribute in the assessed process.

P Partially achieved (>15% to 50% achievement) - There is evidence of an approach to,
and some achievement of, the defined attribute in the assessed process. Some aspects of
achievement of the attribute may be unpredictable.

L Largely achieved (>50% to 85% achievement) - There is evidence of a systematic
approach to, and significant achievement of, the defined attribute in the assessed process.
Some weakness related to this attribute may exist in the assessed process.

F Fully achieved (>85% to 100% achievement) - There is evidence of a complete and
systematic approach to, and full achievement of, the defined attribute in the assessed process.
No significant weakness related to this attribute exists in the assessed process.
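
The rating scale and the level rule above, worked through as an added Python example (it is not part of the course material). The percentages for BAI06 are constructed sample values, the function names are hypothetical, and treating an unassessed attribute as N is an assumption.

```python
from typing import Dict, List, Tuple

# Process attributes per capability level, as listed on the "Capability levels" slide.
LEVEL_ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}
ORDER = "NPLF"  # rating scale, weakest to strongest


def rate(percent: float) -> str:
    """Map a percentage of achievement to N/P/L/F using the >15 / >50 / >85 bands."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be between 0 and 100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def _rating(ratings: Dict[str, str], attribute: str) -> str:
    """Look up one attribute; an unassessed attribute counts as N (assumption)."""
    value = ratings.get(attribute, "N")
    if value not in ORDER:
        raise ValueError(f"{attribute}: unknown rating {value!r}")
    return value


def capability_level(ratings: Dict[str, str]) -> int:
    """Highest level whose attributes are L or F while every lower level is F."""
    achieved = 0
    for level in sorted(LEVEL_ATTRIBUTES):
        current = [_rating(ratings, pa) for pa in LEVEL_ATTRIBUTES[level]]
        if any(r not in ("L", "F") for r in current):
            break  # this level is not even largely achieved
        achieved = level
        if any(r != "F" for r in current):
            break  # a higher level needs this one fully achieved
    return achieved


def gaps_to_target(ratings: Dict[str, str], target: int) -> List[Tuple[str, str, str]]:
    """List (attribute, current rating, required rating) blocking a target level."""
    if target not in LEVEL_ATTRIBUTES:
        raise ValueError(f"target level must be 1..5, got {target}")
    gaps = []
    for level in range(1, target + 1):
        required = "L" if level == target else "F"
        for pa in LEVEL_ATTRIBUTES[level]:
            have = _rating(ratings, pa)
            if ORDER.index(have) < ORDER.index(required):
                gaps.append((pa, have, required))
    return gaps


# Constructed sample: percentage achievement per attribute for BAI06.
# PA 4.2 and the level 5 attributes were not assessed.
SAMPLE_PERCENT = {
    "PA 1.1": 92, "PA 2.1": 90, "PA 2.2": 88,
    "PA 3.1": 70, "PA 3.2": 55, "PA 4.1": 40,
}
SAMPLE_RATINGS = {pa: rate(pct) for pa, pct in SAMPLE_PERCENT.items()}

if __name__ == "__main__":
    print("BAI06 ratings:", SAMPLE_RATINGS)
    print("Capability level:", capability_level(SAMPLE_RATINGS))
    for pa, have, need in gaps_to_target(SAMPLE_RATINGS, 4):
        print(f"Gap to level 4: {pa} is {have}, needs at least {need}")
```

The second break is the part that is easy to miss: a process whose PA 1.1 is only largely achieved stays at level 1 even when PA 2.1 and PA 2.2 are both rated F.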


PAM ISO 15504

[Figure: the two dimensions of the process assessment model. CAPABILITY dimension: Level 0: Incomplete, Level 1: Performed, Level 2: Managed, Level 3: Established, Level 4: Predictable, Level 5: Optimizing. PROCESS dimension: Processes A - Z (depending on Process Reference Model used).]


Note on the Process Reference Model (PRM):

Remember that ISO15504 is generic, so you may use any PRM. For Cobit it can be either Cobit 5
PRM or Cobit 4.1 PRM. However, it does not have to be restricted to Cobit!

It was actually developed in the Software Development / Software Improvement area, where the PRM
used was ISO12207 (for Software Development) or ISO15288 (Systems Engineering).


PAM Cobit 5

CAPABILITY dimension:

Level 5: Optimizing     PA 5.1 + PA 5.2
Level 4: Predictable    PA 4.1 + PA 4.2
Level 3: Established    PA 3.1 + PA 3.2
Level 2: Managed        PA 2.1 + PA 2.2
Level 1: Performed      PA 1.1 + Process performance indicators
Level 0: Incomplete

PROCESS dimension (Cobit 5 PRM): EDM, APO, BAI, DSS, MEA


There is a significant distinction between process capability level 1 and the higher capability levels.
Process capability level 1 achievement requires the process performance attribute to be largely
achieved, which actually means that the process is being successfully performed and the required
outcomes obtained by the enterprise. The higher capability levels then add different attributes to
it. In this assessment scheme, achieving a capability level 1, even on a scale to 5, is already an
important achievement for an enterprise. Note that each individual enterprise shall choose (based
on cost-benefit and feasibility reasons) its target or desired level, which very seldom will happen to
be one of the highest.


Process capability model (summarised)

Generic Process Capability

Process attributes (PA) by capability level:

0 Incomplete Process
1 Performed Process      PA 1.1 Process Performance
2 Managed Process        PA 2.1 Performance Management; PA 2.2 Work Product Management
3 Established Process    PA 3.1 Process Definition; PA 3.2 Process Deployment
4 Predictable Process    PA 4.1 Process Management; PA 4.2 Process Control
5 Optimizing Process     PA 5.1 Process Innovation; PA 5.2 Process Optimisation

COBIT5 Process Assessment Model - Performance Indicators: Process Outcomes; Base Practices (Management/Governance Practices); Work Products (Inputs/Outputs)

COBIT5 Process Assessment Model - Capability Indicators: Generic Practices; Generic Resources; Generic Work Products


Performing capability assessments

Capability assessments can be performed


For various purposes
With various degrees of rigor

Potential assessment objectives:


Benchmark process capability
Enable "as is" and "to be" health checks
Provide gap analysis and improvement planning information
Provide ratings to measure and monitor current capabilities


The ISO/IEC 15504 standard specifies that process capability assessments can be performed
for various purposes and with varying degrees of rigour. Purposes can be internal, with a focus on
comparisons between enterprise areas and/or process improvement for internal benefit, or they can
be external, with a focus on formal assessment, reporting and certification.

The COBIT 5 ISO/IEC 15504-based assessment approach continues to facilitate the following
objectives that have been a key COBIT approach since 2000 to:
Enable the governance body and management to benchmark process capability
Enable high-level "as is" and "to be" health checks to support the governance body and
management investment decision making with regard to process improvement
Provide gap analysis and improvement planning information to support definition of justifiable
improvement projects
Provide the governance body and management with assessment ratings to measure and
monitor current capabilities


Steps to assess capability level 1

1. Review the process outcomes and rate to which degree each process objective is achieved
2. Assess the (governance or management) practices
3. Consider the work products


Assessing whether the process achieves its goals (or, in other words, achieves capability level 1)
can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed
process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what
degree each objective is achieved. This scale consists of the following ratings:
   N (Not achieved): There is little or no evidence of achievement of the defined attribute in
   the assessed process. (0 to 15 percent achievement)
   P (Partially achieved): There is some evidence of an approach to, and some achievement
   of, the defined attribute in the assessed process. Some aspects of achievement of the
   attribute may be unpredictable. (15 to 50 percent achievement)
   L (Largely achieved): There is evidence of a systematic approach to, and significant
   achievement of, the defined attribute in the assessed process. Some weakness related to
   this attribute may exist in the assessed process. (50 to 85 percent achievement)
   F (Fully achieved): There is evidence of a complete and systematic approach to, and full
   achievement of, the defined attribute in the assessed process. No significant weaknesses
   related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the
same rating scale, expressing the extent to which the base practices are applied.


Example: BAI06 Manage changes

Step 1: Review the process outcomes


Example: BAI06 Manage changes (ctd)

Step 2: assess the base practices


Example: BAI06 Manage changes (ctd)

Step 3: consider the work products


Assessing capability levels 2 - 5

Use the generic practices and generic work products

Example of generic practices (for Process Attribute 2.1 Performance Management):

GP 2.1.1 Identify the objectives
GP 2.1.2 Plan and monitor the performance
GP 2.1.3 Adjust the performance
GP 2.1.4 Define responsibilities and authorities
GP 2.1.5 Identify and make available resources
GP 2.1.6 Manage the interfaces

Overview of generic work products:

GWP 1.0 Process Documentation
GWP 2.0 Process Plan
GWP 3.0 Quality Plan
GWP 4.0 Quality Records
GWP 5.0 Policies and Standards
GWP 6.0 Performance Improvement Plan
GWP 7.0 Process Measurement Plan
GWP 8.0 Process Control Plan
GWP 9.0 Process Performance Records

[Figure: the generic work products shown against the capability levels. Level 5: Optimizing Process (the process is continuously improved to meet relevant current and projected business goals); Level 4: Predictable Process (the process is executed consistently within defined limits); Level 3: Established Process (a defined process is used based on a standard process); Level 2: Managed Process (the process is managed and work products are established, controlled and maintained); Level 1: Performed Process (the process is implemented and achieves its process purpose).]
