DISCUSS THIS ARTICLE

Implementing an ISO-integrated
Management System Using COBIT 5
By Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO
27001 LA/LI, PRINCE2 (P)

COBIT Focus | 2 March 2015

The Central Bank of Nigeria issued a compliance document titled Nigeria Financial Services IT Standards Blueprint
1
in May 2013. The blueprint, which includes time lines, is the main driver for the implementation of IT-related

standards such as COBIT 5, ISO/IEC 27001:2013, ISO/IEC 20000:2011 and ISO/IEC 22301:2012 in banks and IT
service provider organizations in Nigeria today. The blueprint was developed by Accenture for the regulatory body
prior to the publication of COBIT 5. The revised edition, which is in the works, will reference COBIT 5 specifically.
The implementation of these good practices is expected to result in improved operational effectiveness, uptime and
availability, service quality, enterprise control and management, risk management and assurance, regulatory
reporting, and business continuity.
The compliance blueprint also provides information about the compliance priority (figure 1), time lines, scope and
capability/maturity levels for each requirement. However, the compliance obligations extend beyond commercial
banks to include their service providers, suppliers and vendors.

ISO 8583 & ISO 20022

PCI DSS & ISO 27001

COBIT & ISO 38500

PRINCE2/ PMBOK
SFIA

XBRL

Priority 3

ITIL and ISO 20000

Priority 2

Priority 1-

Figure 1Compliance Domains

Data Centre Tier 3/4
ISO 22301
TOGAF
OHSAS
ISO 15504/CMMI

Source: IT Standards Adoption Roadmap, www.cbn.gov.ng/ITStandards/Roadmap.asp

1|Page

This case study explains how an IT service provider (the client) to the central bank leveraged COBIT 5 principles and
implementation guidance to implement ISO 27001 and ISO 20000 standards as an integrated management system.

Understanding the Structure of New ISO Management System

Requirements
In April 2012, ISO updated its directives. The overall goal is to make it easier to create integrated management
systems and to adapt management system standards to the nature and culture of organizations. Figure 2 includes
the high-level structure for all new and revised management system standards.

Figure 2High-level Structure for All New and Revised Management System Standards
0
1
2
3
4

Introduction
Scope
Normative references
Terms and definitions
Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested
parties
4.3 Determining the scope of the XXX management system
4.4 XXX management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy

5.3 Organization roles, responsibilities and authorities

6 Planning

6.1 Actions to address risks and opportunities

6.2 XXX objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

Source: ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2014, appendix 2,

http://isotc.iso.org/livelink/livelink/fetch/2000/2122/4230450/4230452/ISO_IEC_Directives_Part_1_and_Consolidated_ISO_Supplement_%2D_2014_%285th_
edition%29_%2D_PDF.pdf?nodeid=16578881&vernum=-2

Afenoid Enterprise Limited was contracted in 2013 by the service provider to the Central Bank of Nigeria,
MicroAccess Limited (the client) to implement two of the top priority standards that applyISO 27001 and ISO
20000as part of the clients service strategy positioning. The major constraint Afenoid needed to address as
implementation consultants was the complexity of implementing two management system standards at the same
time within a tight schedule and in a business environment with an inadequate IT governance culture.
The release of a new edition of ISO 27001 in October 2013 introduced a new challenge as the client decided to
update the implementation to meet the new requirements of ISO 27001:2013 while integrating with ISO
2|Page

20000:2011. The project director was able to leverage his accredited COBIT 5 training (COBIT Foundation, COBIT
Implementation and COBIT Assessor credentials) to help the client pioneer the compliance and certification to the
ISO 27001:2013 standard. After a third-party audit, the British Standards Institution (BSI) issued the certificate of
compliance to the client in February 2014.

Leveraging COBIT 5 Principles to Implement ISO 27001:2013 and

ISO 20000:2012
To address the complexity and challenges to the implementation of the certification program, the client relied on
COBIT 5 guidance on program management, change enablement and continual improvement to integrate the
standards. The client leveraged COBIT 5 principles (figure 3) to guide it through the phases having divided the
implementation program into the following phases: training and awareness, gap assessment, implementation
design, and program management.

Figure 3COBIT 5 Principles

Source: ISACA, COBIT

5, 2012

High-level Mapping of COBIT 5 to the New Management Systems

Requirements
Figure 4 shows how the client drew guidance from COBIT 5 to establish an integrated management system for ISO
27001 and ISO 20000.

Figure 4High-level Mapping of ISO Requirement to COBIT 5 Guidance

Clause No,

Management System Requirements

COBIT 5 Guidance
3|Page

4. Context of the organization

4.1 Understanding the organization and
its context
4.2 Understanding the needs and
expectations of interested parties

Pain points, trigger events,

stakeholder drivers,
enterprise goals, IT-related
goals and information on
related guidance

4.3 Determining the scope of the

information security and service
management systems
4.4 ISO 27001 and ISO 20000
management systems
5

5. Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organization roles, responsibilities
and authorities

Responsible, Accountable,
Consulted and Informed
(RACI) chart from EDM 0105 processes
RACI chart from APO 06,
APO 08, APO 09, APO 10,
APO 12, APO 13, BAI 04, BAI
06, BAI 07, BAI 09, BAI 10,
DSS 01, DSS 02, DSS 03, DSS
04, DSS 05
Framework Principle and
PoliciesAppendix G,
COBIT 5 Framework

6. Planning
6.1 Actions to address risk and
opportunities
6.2 ISO 27001 and ISO 20000 objectives
and planning to achieve them

7. Support
7.1 Resources

Management practices
from APO 06, APO 08, APO
09, APO 10, APO 12, APO
13, BAI 04, BAI 06, BAI 07,
BAI 09, BAI 10, DSS 01, DSS
02, DSS 03, DSS 04, DSS 05
Enabler: People, Skills and
Competencies

7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented
4|Page

information
8

8. Operation

BAI 05

8.1 Operational planning and control

9

9. Performance evaluation
9.1 Monitoring, measurement, analysis
and evaluation

Lag and lead indicators

EDM 05, MEA 01, MEA 02,
MEA 03

9.2 Internal audit

9.3 Management review
10

10. Improvement
10.1 Nonconformity and corrective
action

MEA 01, MEA 02, MEA 03,

Process goals and metrics

10.2 Continual improvement

Figure 5 shows the practical steps taken to leverage COBIT 5.

Figure 5Afenoids Implementation Approach

Implementation Phases
Training and awareness

COBIT 5 Principle and

Guidance Applied
Meeting stakeholders
needs
Covering the enterprise
end to end
COBIT 5 Implementation
phase 4 success factors
(Educate and train in
COBIT 5, other related
standards and good
practices)

Gap assessment and

implementation design

Applying single
integrated framework
Enabling a holistic
approach

Actions Taken
COBIT 5 Foundation training
for top management team
across all business units, ITIL
Foundation for all IT service
provider staff, and ISO 27001
and ISO 20000 certification
training for process managers
and process owners

COBIT 5 Implementation
phase 4 success factors
(Educate and train in COBIT 5,
other related standards and
good practices)
COBIT 5 guidance to design
compliance to most of the
ISO management system
requirement clauses,
especially clauses 4, 5, 6, 7, 9
and 10
The related guidance of
each of the 32 COBIT 5
processes in the
5|Page

management domain, to
determine the processes that
are specifically related to ISO
27001 and ISO 20000
Implementation design

Applying single
integrated framework
Enabling a holistic
approach
Separating governance
from management

Programme management

Separating governance
from management
Enabling a holistic
approach

COBIT 5 for stakeholder

identification as well as
stakeholder needs and
expectations (Who is
receiving benefits? Who is
bearing risk? Who is providing
resources?); scope of
management system;
organizational roles,
responsibilities and
authorities; performance
evaluation; and internal audit

The COBIT 5 : Enabling

Processes product to help
determine the critical
integration points with the
extensive guidance on
process inputs, base
practices, process outputs,
process managers and
process owners (as per RACI
charts)

Source: Afenoid, Project Initiation Document. Reprinted with permission.

Conclusion

One of the five principles of COBIT 5 is Applying a Single, Integrated Framework. Leveraging this principle helped
Afenoids client, MicroAcces Limited-a service provider to the Central Bank of Nigeria, to attain and maintain its
certification to ISO 27001:2013 and ISO 20000:2011 through the continual improvement guidelines in COBIT 5. The
subsequent successful surveillance audits by the Registered Certification Body, British Standard Institute, proves
COBIT 5 to be highly recommended as an integrator of multiple IT-related management system standards.

Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001
LA/LI, PRINCE2 (P)
Is the Principal Consultant at Afenoid Enterprise Limited, an IT management and assurance firm. He works out of

Abuja, the federal capital territory of Nigeria. He is also the ISACA Abuja (Nigeria) Chapter President. He can be
reached at opeyemi@afenoid.com.

Endnote
1

Central Bank of Nigeria, Nigeria

ISACA, COBIT

Financial Services IT Standards Blueprint , May 2013

5, 2012, pg. 14
6|Page