Why, When and How to Migrate to COBIT 5

Transcription

Why, When and How to Migrate to COBIT 5
Volume 3, July 2013
Come join the discussion! Sudarsan Jayaraman will respond to questions in the discussion area of the COBIT
5—Use It Effectively topic beginning 22 July 2013.
Why, When and How to Migrate to COBIT 5
By Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001
LA, ISO 9001 LA
®
With the release of COBIT 5, a new evolution in the thinking process of managing and governing IT has taken shape. The
question to answer is whether organizations that have invested in the implementation of the earlier versions of COBIT have to
migrate to COBIT 5. If yes, the question becomes: why, when and how does an organization migrate to the new framework?
Migrating to COBIT 5 is not the same as migration of software or hardware or a platform. Instead, this should be considered
as a transition of the way work is done to meet the requirements of stakeholders. That said, was this not being done in the
®
earlier versions of COBIT? That is, how different is COBIT 5 from COBIT 4.1 and what are the benefits an organization can
realize from this new release?
Why Migrate to COBIT 5?
COBIT 4.1, while a popular framework, is considered by many to be an IT framework, not an enterprise framework. COBIT 4.1
addresses the IT requirement more as an operation model and a good practice guideline related to IT processes. After going
through COBIT 5, one may get a feeling that COBIT 4.1 was lacking the governance view toward the organization and was
more process-oriented. However, COBIT 4.1 does bring in the view of business-IT alignment by way of mapping enterprise
goals with IT goals and finally with the IT process goals.
COBIT 5 has further built on the process model and has clearly demarcated the governance and management processes
separately. A new governance domain is introduced as a part of the COBIT 5 process reference model; this is a major
improvement that provides clarity on the management and governance functions within an organization.
A major improvement in COBIT 5 is the introduction of the five key principles and seven enablers, which form the pillar of the
framework. With these additions, COBIT 5 has aligned itself closely with the ISO 38500 framework.
COBIT 5 has retained the goal cascading model of COBIT 4.1; however, it has gone further by including the stakeholder
needs as the starting point of the mapping, which then cascades to enterprise goals, IT goals and finally to enabler goals.
The other key difference to point out is that a new process assessment model (PAM) has been introduced. The COBIT PAM
is aligned with the ISO 15504 standards requirement. This means more stringent and accurate assessment of the relevant
processes.
In brief, the key benefits of COBIT 5 for enterprises can be summarized as follows:
 Aligning business and IT more closely by taking into account the stakeholder needs as the starting point. This provides
more business focus with due consideration of internal and external stakeholders’ needs.
 Introducing the seven enablers as a more efficient and effective way of using resources to meet business requirements
 Showing the entire organization as responsible for governance of IT through the holistic inclusion of enhanced role
descriptions in the RACI chart
 Helping the organization to understand business perspective more clearly by mapping the goals and objectives to a
business scorecard model
Thus, for organizations that have implemented COBIT 4.1, migrating to the new framework is a natural process of progression
under which the organization will extend its coverage of IT governance to an enterprisewide governance initiative.
When to Migrate to COBIT 5?
At this current age of economic stagnation, is it wise to reinvest and migrate to the COBIT 5 framework? When is the right
time to consider migration to COBIT 5?
There is no single answer to this question. However, if the organization is still in the process of completing the COBIT 4.1
process implementation, it is advisable to continue the implementation before considering a migration to the new framework
since any COBIT 4.1 implementation would have been typically initiated to respond to business requirements for
improvements or to address specific pain points encountered by the organization. Since the respective controls to treat such
issues would have been identified from the earlier version of COBIT, it is better to continue implementation and monitor
whether the key goals are being accomplished, before migrating to COBIT 5.
If the organization has implemented most of the COBIT 4.1 controls and has reached what it believes to be a reasonable
degree of maturity, it is time to consider migration to COBIT 5, as COBIT 5 brings in the key differentiating aspect of
segregating governance from management, which is important to consider and is a new addition with COBIT 5. Also, when
using COBIT 5, the IT governance setup, which had been typically more inward-focused, will transition into the model of
governance of enterprise IT (GEIT), in which involvement of enterprise stakeholders plays an imperative role.
The following is a list of triggers that would suggest it is time to migrate to COBIT 5:
 Repeated failure of critical IT process results in issues related to the delivery of committed services by the business.
 Risk to the business has not been reduced considerably and IT risk does not align to enterprise risk.
 Controls implemented are more IT-oriented and do not span the enterprise.
Figure 1—Pain Points and COBIT 5 Mitigations
Pain Areas
Target Processes
Pain Areas
Target Processes
Failed Projects
BAI01
Manage Programs and
Projects
End-user
Responsibilities
APO09
Manage Service
Agreements
Ad hoc Initiatives/
Planning
APO01 and APO02
IT Mgmt. Framework
and Strategy
Support From
Suppliers
APO10
Manage Suppliers
Communication Within
IT Division
APO09
Manage Service
Agreements
Lack of Automation
Tools
BAI02 and BAI03
Requirements Definition
and Solutions Identification
Management Reporting
MEA01 and MEA02
Performance and
Internal Control
Accountability Among IT
Staff
APO09
Manage Service
Agreements (OLAs)
There are other pain triggers that may lead to migration to COBIT 5. Figure 1 provides an overview of pain points and typical
COBIT 5 processes that can be used to mitigate the issue.
How to Initiate Migration?
Before initiating a migration to the new framework, it is recommended to clearly set the objective of migration. That is, what
are the business benefits the organization will achieve by adopting the new framework? If a tangible and measurable goal is
set as the baseline, achievement can be measured and success of adoption can be demonstrated.
Volume 2, April 2013
Page 2
The key to a successful migration is to commence the activity by addressing the key pain areas within the organization. Once
the pain areas are identified, the following steps can be followed:
 Initiate an assessment to identify the status and maturity of the processes that are currently implemented, if any.
 Prepare a migration strategy by identifying the processes and the required enablers from COBIT 5 to be implemented.
 Identify the affected departments, section and services that will be impacted by this migration.
 Ensure that a project management plan with time lines is created and a budget is allocated for this effort.
 Remember to run the migration activity through the change management process.
 Address the organization change impact that will be created by this migration and have a transitional plan to roll out the
migration.
 Market and communicate the positive impact that will be achieved by this migration to get buy-in from top management.
Once the above initial steps are performed, the organization is ready to commence the journey. It is recommended to break
the entire migration into smaller scope areas that are manageable, because quick wins will motivate the migration team and
the organization to continue the journey.
Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA,
ISO 9001 LA
Is a director of technology risk services at Protiviti Member Firm (Middle East). He has more than 20 years of experience in IT
advisory and consultancy services, focusing predominately in IT governance, IT service management and information security
management. Jayaraman has successfully managed and facilitated ISO 27001 and ISO 20000 certification at a number of
large and prestigious companies in the Middle East.
©2013 ISACA. All rights reserved.
Volume 2, April 2013
Page 3