CobiT 5
Preview of COBIT® 5
(Differences between v4.0/4.1 and v5)
December 8, 2011
AGENDA
► Introductions
► Quick COBIT® Overview
► Drivers of COBIT®5 – Increased focus on Enterprise Governance
► Benefits of COBIT®5
► Updated Process Model
► Details of the Change
► New - COBIT® 5 Process Capability Model
► Wrap Up
Page 2
Preview of COBIT5
COBIT® - An Overview
COBIT® 4.1 – The IT governance framework
COBIT: best practices repository for IT Processes, IT Management Processes and IT Governance Processes.
The only IT management and control framework that covers the end-to-end IT life cycle.
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by reputable not-for-profit organization
• Maps strongly to all major related standards
• Is a reference, set of best practices, not an “off-the-shelf” cure
COBIT® history
COBIT® has evolved from an auditor’s tool to an IT governance framework, used increasingly by IT management.
(Timeline: COBIT 1 in 1996, COBIT 2 in 1998, COBIT 3 in 2000, COBIT 4 in 2005; scope broadening from Audit to Control, Management and Governance.)
Introduction to COBIT®
Waterfall model
The control of IT Processes, that satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 210 Control Objectives
Process orientation
Domains: Natural grouping of processes, often matching an organizational domain of responsibility.
Processes: A series of joined activities with natural control breaks.
Activities or tasks: Actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete.
Process Orientation
IT Domains (natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes (a series of joined activities with natural (control) breaks):
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management
Activities (actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete):
• Record new problem.
• Analyse.
• Propose solution.
• Monitor solution.
• Record known problem.
COBIT® processes
Planning and Organizing
PO1 Define an IT Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
COBIT® framework
(Diagram of the COBIT cube, driven by Business Objectives:)
Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: Data, Application Systems, Technology, Facilities, People
IT Processes (domains): Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
COBIT® IT processes
(Diagram: the four domains, Plan and Organize (PO1–PO10), Acquire and Implement (AI1–AI7), Deliver and Support (DS1–DS13) and Monitor and Evaluate (ME1–ME4), arranged in a cycle around Information; the process names are those listed on the two preceding slides.)
Linking business goals to IT goals
Linking IT goals to IT processes
For 34 IT processes you have …
• Process description
• IT domain & Information indicators
• IT governance & IT resource
• IT goals
• Process goals
• Key practices
• Key metrics
Five focus areas of IT governance
1. Strategic Alignment: aligning with the business and providing collaborative solutions
2. Value Delivery: focus on IT costs and proof of value
3. Risk Management: safeguarding assets, business continuity and compliance
4. Resource Management: IT assets, knowledge, infrastructure and partners.
5. Performance Measurement: metrics, IT Scorecards and dashboards
Governance lifecycle
(Diagram: the five focus areas (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement) shown as governance domains arranged around the governance questions: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?)
COBIT®5 Update
COBIT®5 initiative
► The initiative charge from the Board of Directors:
  ► “tie together and reinforce all ISACA knowledge assets with COBIT.”
► The COBIT 5 Task Force:
  ► experts from ISACA constituency groups
  ► reports to the Framework Committee and then the Knowledge Board
Major Drivers for COBIT® 5
► Increased Focus on Enterprise Governance
► Link and reinforce all ISACA’s Guidance
  ► Primary - VAL IT, Risk IT
  ► Considering BMIS, ITAF, TGF, Board Briefing
► Need to connect to other frameworks and standards (such as, ITIL, PMBOK, Prince2, TOGAF, ISO)
► Further guidance in high interest areas
► Improve ease of use, consistency in concepts, terminology, & level of detail
► Scope covers full end-to-end business and IT functional responsibilities
Increased Focus on Enterprise Governance
► Concepts and Objectives
  ► Enterprises exist to deliver value to their Stakeholders
  ► Achieved within value and risk parameters and use of resources responsibly
  ► Governance system “steers” via means and mechanisms within an effective structure
  ► Incident caused and legislative driven need
  ► Governance at the top of the agenda for most enterprises
Governance Objective
Responding Features from COBIT®5
► Practical guidance with consideration of all, unique stakeholders
► Non-technical overarching framework
► Clear distinction between governance and management
► Scope addressing management and governance of information
► Clear migration guidance from prior versions
► Process model updates addressing innovation and emerging technologies
► Addressing governance enablers such as behavior, skills and decision making
Distinction between Governance and Management Processes
COBIT®5 Governance Enablers
• Processes
• Service Capabilities
• Culture, Ethics, Behaviour
• Skills & Competencies
• Principles & Policies
• Organisational Structures
• Information
Benefits of Using COBIT® 5
► Enterprise wide benefits:
  ► Increased value creation through effective governance and management of enterprise information and technology assets
  ► Increased business user satisfaction with IT engagement and services – IT seen as a key enabler.
  ► Increased compliance with relevant laws, regulations and policies
► IT function becomes more business focused
► Increases the COBIT® 5 users’ contribution to the enterprise
Process Reference Model
► Represents all the processes normally found in an enterprise relating to IT
► Provides a common reference model understandable to IT and business managers.
► Provides a common language
► Provides a framework for measuring, monitoring IT performance, communicating with service providers, and integrating best mgmt. practices
► Subdivides governance (1) and management (4) domains.
► 36 Processes
► VAL IT and Risk IT integrated
Process Reference Model
Review of Process Changes
► 4 Domains to 5 Domains (1 Governance & 4 Management)
► Domains have 3-character acronyms vs. 2-character acronyms:
  ► EDM (Evaluate, Direct & Monitor)
  ► APO (Align, Plan & Organization)
  ► BAI (Build, Acquire & Implement)
  ► DSS (Deliver, Service & Support)
  ► MEA (Monitor, Evaluate & Assess)
► 34 COBIT4.1 processes to 5 Governance processes and 31 Management processes in COBIT 5 = 36 processes
Review of Process Changes
► New and modified processes
  ► APO3 – Manage Enterprise Architecture (combo of PO2 and PO3)
  ► APO4 – Management Innovation (new)
  ► APO5 – Manage Portfolio (previous PO5 Manage IT Investments)
  ► APO6 – Manage Budget and Costs (previous PO5 IT Investments)
  ► APO8 – Manage Relationships (new)
  ► BAI5 – Enable Organizational Change (new)
  ► BAI8 – Knowledge Management (new)
  ► DSS2 – Manage Assets (new)
  ► DSS8 – Manage Business Process Controls (new)
Process Enabler Model
Process Reference Guide
► A separate publication that expands on the process-enabler model
► Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1
  ► Process description and purpose
  ► Goals cascade (enterprise and IT)
  ► Process goals and metrics
  ► Process practices, activities and inputs/outputs at practice level
  ► RACI Chart
► Integrates contents of 4.1, VAL IT and RISK IT
► Mapping between COBIT 5 and Legacy ISACA Frameworks
Most important differences between COBIT®5 and earlier versions.
► Architecture changes emphasizing systemic nature of a governance and management system
► Process Model changes
► Integration of COBIT, VAL IT, Risk IT with explicit structural differentiation between governance and management processes
► Framework components reviewed and simplified
Architecture Change Principles
► Alignment with the most up-to-date views on Governance as expressed in the Taking Governance Forward initiative and ISO/IEC 38500, resulting in an overarching architecture with
  o Stakeholder driven governance and management of enterprise IT.
  o Governance Objectives being defined in terms of Value, Risk and Resource Use optimization.
► Systemic nature of enterprise governance, demonstrated by
  o A set of interconnected and interrelated enablers to support governance of enterprise IT and ensure objectives are achieved
Note: ISO/IEC 38500, the Corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT.
COBIT®5 Architecture
(Diagram:)
Stakeholder Needs drive the Governance Objectives: Value (Benefits, Risk, Resource).
Alongside: Existing ISACA Guidance (COBIT, Val IT, Risk IT, BMIS, …) and Other Standards and Frameworks.
COBIT 5 Enablers: Processes; Culture, Ethics, Behaviour; Service Capabilities; Skills and Competencies; Principles and Policies; Organisational Structures; Information.
COBIT 5 Knowledge Base: current guidance and contents; structure for future contents.
Knowledge Base Content Filter feeds the COBIT 5 Product Family:
• COBIT 5: The Framework
• COBIT 5 Enabler Guides: COBIT 5: Process Reference Guide; Other Enabler Guidance
• COBIT 5 Practice Guides: COBIT 5: Framework Implementation Guide; COBIT 5 for Security; Other Practice Guides
• COBIT 5 Online Collaborative Environment
Process Model Change Principles
► Addition of a separate ‘Governance’ domain, which contains five separate governance processes for enterprise IT (5 Domains)
► Continuation of the ‘Management’ domains concept, where 31 processes are included, spread over four domains, although the domains now have 3-character acronyms compared to the 2-character acronyms in COBIT 4.1 (PO, AI, DS, ME become EDM, APO, BAI, DSS, MEA)
► Some of the processes are very similar to their predecessors, some are a consolidation of processes in earlier frameworks, and some new processes have been added.
Framework Component Changes
► The names have been changed from Business Goals to Enterprise Goals, and from IT Goals to IT Related Goals in order to better reflect that COBIT® 5 is intended for all sorts of enterprises, not only commercial environments, and the fact that COBIT® 5 is not only about making sure the IT function is performing, but also that the business functions assume their responsibility in providing the right direction, making good use of IT, and following up on IT investments and use.
► There are now 17 Enterprise Goals and also 17 IT Related goals. The goals are now also written more as outcome statements.
► The stakeholders for IT are now explicitly named, and there are also some illustrative stakeholder issues included in the guidance to show how the framework addresses them.
Enterprise Goals
IT Related Goals
Internal Stakeholder Needs
External Stakeholder Needs
The NEW COBIT® 5 Process Capability Model
► Process Capability Model
  ► Based on ISO/IEC 15504 “Software Engineering – Process Assessment Std.”
  ► Different from the COBIT® 4.1 Maturity Model in design and use.
  ► Focus on capability
Process Capability Model Characteristics
► Six levels of capability including “incomplete”
► Each level can only be achieved when the level below is fully achieved
► Level 1 is “largely achieved” and benefits realized by the organization
► Higher capabilities add differing attributes and benefits
COBIT®5 PCM and COBIT®4.1 MM Differences
► Naming and meaning of levels are different
► Process is described in terms of its purpose and outcomes
► Maturity level in COBIT®4 and capability level in COBIT®5 are not directly comparable and cannot be used interchangeably or mixed.
► Scores in COBIT®5 will be lower due to completion of all process capabilities at lower level
► Nine Process Capability Attributes (v5) vs. six maturity Attributes (v4)
COBIT 4.1 Maturity Model Comparison to COBIT 5 Process Capability Levels
Comparison of v4 Maturity Attributes vs. v5 Process Capability Attributes
COBIT®5 Preview Summary
► COBIT®5 Major changes
  ► Consolidation of frameworks
  ► Adjustment of domains and processes
    ► 4 to 5 domains
    ► 34 to 36 IT Processes
  ► Assessment process changed to focus on Capability using ISO 15504
The COBIT® 5 Framework – What will be delivered?
► An enterprise wide, “end-to-end” framework addressing governance and management of information and related technology
► The framework structure will include familiar components such as a domain/process model and other components such as governance/management practices, RACI charts and inputs/outputs.
► An initial publication introduces, defines and describes the components that make up the COBIT®5 Framework
  ► Principles
  ► Architecture
  ► Enablers
  ► Introduction to implementation guidance and the COBIT process assessment approach
COBIT® 5 news
• As the initiative progresses throughout 2011 and 2012 there will be periodic updates provided:
  - On the ISACA web site, www.isaca.org/COBIT5
  - In the COBIT Focus newsletter
  - In other ISACA membership communications, events, marketing materials and PR activities
• Watch these spaces for more news!
Thank you
Contact details:
Ernst & Young’s IT Risk Management Center of Excellence
Josh Turcotte, CISA
Email: [email protected]
Phone: (214) 969 0678 (Dallas)
Stacey Hamaker, CISA CIA
Email: [email protected]
Phone: (214) 969 8832 (Dallas)
This presentation contains materials that are property of ISACA and Ernst & Young. All rights reserved.