Implementing an ISO-integrated Management System Using COBIT 5
By Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001 LA/LI, PRINCE2 (P)
The Central Bank of Nigeria issued a compliance document titled Nigeria Financial Services IT Standards Blueprint¹ in May 2013. The blueprint, which includes timelines, is the main driver for the implementation of IT-related standards such as COBIT 5, ISO/IEC 27001:2013, ISO/IEC 20000:2011 and ISO/IEC 22301:2012 in banks and IT service provider organizations in Nigeria today. The blueprint was developed by Accenture for the regulatory body prior to the publication of COBIT 5. The revised edition, which is in the works, will reference COBIT 5 specifically. The implementation of these good practices is expected to result in improved operational effectiveness, uptime and availability, service quality, enterprise control and management, risk management and assurance, regulatory reporting, and business continuity.

The compliance blueprint also provides information about the compliance priority (figure 1), timelines, scope and capability/maturity levels for each requirement. The compliance obligations extend beyond commercial banks to include their service providers, suppliers and vendors.
Figure 1. Compliance Priority (figure not reproduced; labels recovered from the figure: XBRL, Priority 1, Priority 2, Priority 3)
This case study explains how an IT service provider (the client) to the central bank leveraged COBIT 5 principles and
implementation guidance to implement ISO 27001 and ISO 20000 standards as an integrated management system.
Figure 2. High-level Structure for All New and Revised Management System Standards

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
   4.1 Understanding the organization and its context
   4.2 Understanding the needs and expectations of interested parties
   4.3 Determining the scope of the XXX management system
   4.4 XXX management system
5 Leadership
   5.1 Leadership and commitment
   5.2 Policy
Afenoid Enterprise Limited was contracted in 2013 by MicroAccess Limited (the client), a service provider to the Central Bank of Nigeria, to implement two of the top-priority standards that apply, ISO 27001 and ISO 20000, as part of the client's service strategy positioning. The major constraint Afenoid needed to address as implementation consultant was the complexity of implementing two management system standards at the same time, within a tight schedule and in a business environment with an inadequate IT governance culture.

The release of a new edition of ISO 27001 in October 2013 introduced a new challenge, as the client decided to update the implementation to meet the new requirements of ISO 27001:2013 while integrating with ISO 20000:2011. The project director was able to leverage his accredited COBIT 5 training (COBIT Foundation, COBIT Implementation and COBIT Assessor credentials) to help the client pioneer compliance with and certification to the ISO 27001:2013 standard. After a third-party audit, the British Standards Institution (BSI) issued the certificate of compliance to the client in February 2014.
COBIT 5 Guidance for the ISO Management System Clauses

5. Leadership
   5.1 Leadership and commitment
   5.2 Policy
   5.3 Organization roles, responsibilities and authorities
   COBIT 5 guidance: Responsible, Accountable, Consulted and Informed (RACI) chart from the EDM 01 to EDM 05 processes; RACI chart from APO 06, APO 08, APO 09, APO 10, APO 12, APO 13, BAI 04, BAI 06, BAI 07, BAI 09, BAI 10, DSS 01, DSS 02, DSS 03, DSS 04, DSS 05; Framework Principle and Policies (Appendix G, COBIT 5 Framework)

6. Planning
   6.1 Actions to address risk and opportunities
   6.2 ISO 27001 and ISO 20000 objectives and planning to achieve them

7. Support
   7.1 Resources
   COBIT 5 guidance: management practices from APO 06, APO 08, APO 09, APO 10, APO 12, APO 13, BAI 04, BAI 06, BAI 07, BAI 09, BAI 10, DSS 01, DSS 02, DSS 03, DSS 04, DSS 05; Enabler: People, Skills and Competencies
   7.2 Competence
   7.3 Awareness
   7.4 Communication
   7.5 Documented information
       7.5.1 General
       7.5.2 Creating and updating
       7.5.3 Control of documented information

8. Operation
   COBIT 5 guidance: BAI 05

9. Performance evaluation
   9.1 Monitoring, measurement, analysis and evaluation

10. Improvement
   10.1 Nonconformity and corrective action
Actions Taken

Action: COBIT 5 Foundation training for the top management team across all business units, ITIL Foundation for all IT service provider staff, and ISO 27001 and ISO 20000 certification training for process managers and process owners
COBIT 5 guidance: COBIT 5 Implementation phase 4 success factors (educate and train in COBIT 5, other related standards and good practices)
COBIT 5 principles applied: Applying a single integrated framework; Enabling a holistic approach

Implementation design
Action: COBIT 5 guidance to design compliance to most of the ISO management system requirement clauses, especially clauses 4, 5, 6, 7, 9 and 10
COBIT 5 guidance: the related guidance of each of the 32 COBIT 5 processes in the management domain, to determine the processes that are specifically related to ISO 27001 and ISO 20000
COBIT 5 principles applied: Applying a single integrated framework; Enabling a holistic approach; Separating governance from management

Programme management
COBIT 5 principles applied: Separating governance from management; Enabling a holistic approach
Conclusion
One of the five principles of COBIT 5 is Applying a Single, Integrated Framework. Leveraging this principle helped Afenoid's client, MicroAccess Limited, a service provider to the Central Bank of Nigeria, to attain and maintain its certification to ISO 27001:2013 and ISO 20000:2011 through the continual improvement guidelines in COBIT 5. The subsequent successful surveillance audits by the registered certification body, the British Standards Institution, show that COBIT 5 is highly recommendable as an integrator of multiple IT-related management system standards.
Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001 LA/LI, PRINCE2 (P), is the Principal Consultant at Afenoid Enterprise Limited, an IT management and assurance firm. He works out of Abuja, the Federal Capital Territory of Nigeria. He is also the ISACA Abuja (Nigeria) Chapter President. He can be reached at opeyemi@afenoid.com.
Endnote
1. 5, 2012, pg. 14