
Preview of COBIT 5

(Differences between v4.0/4.1 and v5)


December 8, 2011

AGENDA

Introductions
Quick COBIT Overview
Drivers of COBIT 5: increased focus on enterprise governance
Benefits of COBIT5
Updated Process Model
Details of the Change
New - COBIT 5 Process Capability Model
Wrap Up


COBIT - An Overview

COBIT 4.1: The IT governance framework

COBIT: a best-practices repository for
- IT Processes
- IT Management Processes
- IT Governance Processes

The only IT management and control framework that covers the end-to-end IT life cycle

- Internationally accepted good practices
- Management-oriented
- Supported by tools and training
- Freely available
- Sharing knowledge and leveraging expert volunteers
- Continually evolving
- Maintained by a reputable not-for-profit organization
- Maps strongly to all major related standards
- Is a reference set of good practices, not an off-the-shelf cure

COBIT history

COBIT has evolved from an auditor's tool to an IT governance framework, used increasingly by IT management. The timeline figure plots each release against the widening scope (Audit, Control, Management, Governance):

- COBIT 1 (1996): Audit
- COBIT 2 (1998): Control
- COBIT 3 (2000): Management
- COBIT 4 (2005): Governance

Introduction to COBIT


Waterfall model

The control of IT Processes, that satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 210 Control Objectives

Process orientation

- Domains: a natural grouping of processes, often matching an organizational domain of responsibility.
- Processes: a series of joined activities with natural control breaks.
- Activities or tasks: actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete.

Process Orientation

IT Domains (a natural grouping of processes, often matching an organisational domain of responsibility):
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

IT Processes (a series of joined activities with natural control breaks), for example:
- IT strategy
- Computer operations
- Incident handling
- Acceptance testing
- Change management
- Contingency planning
- Problem management

Activities (actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete), for example in problem management:
- Record new problem.
- Analyse.
- Propose solution.
- Monitor solution.
- Record known problem.

COBIT processes

Plan and Organise:
- PO1 Define an IT Strategic Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organisation and Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects

Acquire and Implement:
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Enable Operation and Use
- AI5 Procure IT Resources
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes

COBIT processes

Deliver and Support:
- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations

Monitor and Evaluate:
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Regulatory Compliance
- ME4 Provide IT Governance

COBIT framework

The COBIT cube relates three dimensions:
- Business Objectives, expressed as information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: Data, Application Systems, Technology, Facilities, People
- IT Processes, grouped in the four domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

COBIT IT processes

(Figure: the four domains with their 34 processes, PO1-PO10, AI1-AI7, DS1-DS13 and ME1-ME4, arranged around Information; the process names are the ones listed on the two preceding slides.)
Linking business goals to IT goals

(Figure only.)

Linking IT goals to IT processes

(Figure only.)

For each of the 34 IT processes you have:
- Process description
- IT domain and information criteria indicators
- IT goals
- Process goals
- Key practices
- Key metrics
- IT governance focus area and IT resource indicators

Five focus areas of IT governance

1. Strategic Alignment: aligning with the business and providing collaborative solutions
2. Value Delivery: focus on IT costs and proof of value
3. Risk Management: safeguarding assets, business continuity and compliance
4. Resource Management: IT assets, knowledge, infrastructure and partners
5. Performance Measurement: metrics, IT scorecards and dashboards

Governance lifecycle

(Figure: the five focus areas arranged as governance domains in a cycle, with the four questions the cycle answers:)
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting them done well?
- Are we getting the benefits?

COBIT 5 Update

COBIT 5 initiative

The initiative charge from the Board of Directors: tie together and reinforce all ISACA knowledge assets with COBIT.

The COBIT 5 Task Force:
- experts from ISACA constituency groups
- reports to the Framework Committee and then the Knowledge Board

Major Drivers for COBIT 5

- Increased focus on enterprise governance
- Link and reinforce all ISACA's guidance: primary - Val IT, Risk IT; considering BMIS, ITAF, TGF, Board Briefing
- Need to connect to other frameworks and standards (such as ITIL, PMBOK, PRINCE2, TOGAF, ISO)
- Further guidance in high-interest areas
- Improve ease of use, consistency in concepts, terminology and level of detail
- Scope covers full end-to-end business and IT functional responsibilities

Increased Focus on Enterprise Governance

Concepts and Objectives
- Enterprises exist to deliver value to their stakeholders
- Achieved within value and risk parameters and with responsible use of resources
- The governance system steers via means and mechanisms within an effective structure
- Incident-caused and legislation-driven need
- Governance is at the top of the agenda for most enterprises

Governance Objective

(Figure only.)

Responding Features of COBIT 5

- Practical guidance with consideration of all unique stakeholders
- Non-technical overarching framework
- Clear distinction between governance and management
- Scope addressing management and governance of information
- Clear migration guidance from prior versions
- Process model updates addressing innovation and emerging technologies
- Addressing governance enablers such as behaviour, skills and decision making

Distinction between Governance and Management Processes

(Figure only.)

COBIT 5 Governance Enablers

- Processes
- Service Capabilities
- Culture, Ethics, Behaviour
- Skills & Competencies
- Principles & Policies
- Organisational Structures
- Information

Benefits of Using COBIT 5

Enterprise-wide benefits:
- Increased value creation through effective governance and management of enterprise information and technology assets
- Increased business user satisfaction with IT engagement and services; IT seen as a key enabler
- Increased compliance with relevant laws, regulations and policies
- IT function becomes more business-focused
- Increases the COBIT 5 user's contribution to the enterprise

Process Reference Model

- Represents all the processes normally found in an enterprise relating to IT
- Provides a common reference model understandable to IT and business managers
- Provides a common language
- Provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices
- Subdivided into governance (1) and management (4) domains
- 36 processes
- Val IT and Risk IT integrated

Process Reference Model

(Figure only.)

Review of Process Changes

- 4 domains to 5 domains (1 governance and 4 management)
- Domains have 3-character acronyms vs. 2-character acronyms:
  EDM (Evaluate, Direct & Monitor)
  APO (Align, Plan & Organise)
  BAI (Build, Acquire & Implement)
  DSS (Deliver, Service & Support)
  MEA (Monitor, Evaluate & Assess)
- 34 COBIT 4.1 processes to 5 governance processes and 31 management processes in COBIT 5 = 36 processes

Review of Process Changes

New and modified processes:
- APO3 Manage Enterprise Architecture (combination of PO2 and PO3)
- APO4 Manage Innovation (new)
- APO5 Manage Portfolio (previously PO5 Manage the IT Investment)
- APO6 Manage Budget and Costs (previously PO5 Manage the IT Investment)
- APO8 Manage Relationships (new)
- BAI5 Enable Organizational Change (new)
- BAI8 Knowledge Management (new)
- DSS2 Manage Assets (new)
- DSS8 Manage Business Process Controls (new)

Process Enabler Model

(Figure only.)

Process Reference Guide

- A separate publication that expands on the process-enabler model
- Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1:
  Process description and purpose
  Goals cascade (enterprise and IT)
  Process goals and metrics
  Process practices, activities and inputs/outputs at practice level
  RACI chart
- Integrates the contents of COBIT 4.1, Val IT and Risk IT
- Mapping between COBIT 5 and legacy ISACA frameworks

Most important differences between COBIT 5 and earlier versions

- Architecture changes emphasizing the systemic nature of a governance and management system
- Process model changes
- Integration of COBIT, Val IT and Risk IT, with explicit structural differentiation between governance and management processes
- Framework components reviewed and simplified

Architecture Change Principles

- Alignment with the most up-to-date views on governance, as expressed in the Taking Governance Forward initiative and ISO/IEC 38500, resulting in an overarching architecture with:
  o Stakeholder-driven governance and management of enterprise IT
  o Governance objectives defined in terms of value, risk and resource-use optimization
- Systemic nature of enterprise governance, demonstrated by:
  o A set of interconnected and interrelated enablers to support governance of enterprise IT and ensure objectives are achieved

Note: ISO/IEC 38500, the corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfil their legal, regulatory and ethical obligations in respect of their organization's use of IT.

COBIT 5 Architecture

(Figure: the COBIT 5 architecture. Its elements, as labelled in the diagram:)
- Stakeholder Needs drive the Governance Objectives: Value (Benefits, Risk, Resource)
- Inputs: Existing ISACA Guidance (COBIT, Val IT, Risk IT, BMIS, ...) and Other Standards and Frameworks
- COBIT 5 Enablers: Processes; Culture, Ethics, Behaviour; Service Capabilities; Skills and Competencies; Principles and Policies; Organisational Structures; Information
- COBIT 5 Knowledge Base: current guidance and contents; structure for future contents; Knowledge Base Content Filter
- COBIT 5 Product Family: COBIT 5: The Framework; COBIT 5 Enabler Guides (COBIT 5: Process Reference Guide, Other Enabler Guidance); COBIT 5 Practice Guides (COBIT 5: Framework Implementation Guide, COBIT 5 for Security, Other Practice Guides)
- COBIT 5 Online Collaborative Environment

Process Model Change Principles

- Addition of a separate Governance domain, which contains five separate governance processes for enterprise IT (5 domains in total)
- Continuation of the Management domains concept, with 31 processes spread over four domains. The domains now have 3-character acronyms compared to the 2-character acronyms in COBIT 4.1 (PO, AI, DS, ME become EDM, APO, BAI, DSS, MEA).
- Some of the processes are very similar to their predecessors, some are a consolidation of processes in earlier frameworks, and some new processes have been added.

Framework Component Changes

The names have been changed from Business Goals to Enterprise Goals, and from IT Goals to IT-Related Goals, in order to better reflect that COBIT 5 is intended for all sorts of enterprises, not only commercial environments, and the fact that COBIT 5 is not only about making sure the IT function is performing, but also that the business functions assume their responsibility in providing the right direction, making good use of IT, and following up on IT investments and use.

There are now 17 Enterprise Goals and also 17 IT-Related Goals. The goals are now also written more as outcome statements.

The stakeholders for IT are now explicitly named, and there are also some illustrative stakeholder issues included in the guidance to show how the framework addresses them.

Enterprise Goals

(Figure only.)

IT-Related Goals

(Figure only.)

Internal Stakeholder Needs

(Figure only.)

External Stakeholder Needs

(Figure only.)

The New COBIT 5 Process Capability Model

Process Capability Model
- Based on the ISO/IEC 15504 Software Engineering Process Assessment standard
- Different from the COBIT 4.1 Maturity Model in design and use
- Focus on capability

Process Capability Model Characteristics

- Six levels of capability, including "incomplete" (level 0)
- Each level can only be achieved when the level below is fully achieved
- Level 1 is reached when the process is largely achieved and its benefits are realized by the organization
- Higher capabilities add differing attributes and benefits

COBIT 5 PCM and COBIT 4.1 MM Differences

- Naming and meaning of levels are different
- A process is described in terms of its purpose and outcomes
- A maturity level in COBIT 4.1 and a capability level in COBIT 5 are not directly comparable and cannot be used interchangeably or mixed
- Scores in COBIT 5 will be lower, because every attribute of the lower levels must be fully achieved before a higher level counts
- Nine process capability attributes (v5) vs. six maturity attributes (v4)
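The rating rule behind the two slides above (each level requires the level below to be fully achieved, level 1 requires the process to be largely achieved, and that is why COBIT 5 scores come out lower), as an added worked example that is not part of the ISACA/Ernst & Young deck. The N/P/L/F rating scale and the grouping of the nine process attributes by level follow ISO/IEC 15504-2 as the example's author recalls them; the slides name neither the scale nor the attributes, so treat those names as assumptions. The sample assessment is constructed, not a real enterprise's result.

```python
"""Capability-level rating in the style of ISO/IEC 15504 (basis of the COBIT 5 PCM).

Added example, not code from the slides.  Attribute names and the N/P/L/F
scale are the author's recollection of ISO/IEC 15504-2 (assumption).
"""
from __future__ import annotations

# ISO/IEC 15504-2 rating scale: Not / Partially / Largely / Fully achieved.
RATINGS = {"N": 0, "P": 1, "L": 2, "F": 3}

# Nine process attributes (PA), grouped by the capability level they define.
# Level 0, "Incomplete", has no attributes of its own (assumed names).
ATTRIBUTES_BY_LEVEL: dict[int, list[str]] = {
    1: ["PA1.1 Process performance"],
    2: ["PA2.1 Performance management", "PA2.2 Work product management"],
    3: ["PA3.1 Process definition", "PA3.2 Process deployment"],
    4: ["PA4.1 Process measurement", "PA4.2 Process control"],
    5: ["PA5.1 Process innovation", "PA5.2 Process optimisation"],
}
ALL_ATTRIBUTES = [a for attrs in ATTRIBUTES_BY_LEVEL.values() for a in attrs]
LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimising"}


def _score(ratings: dict[str, str], attribute: str) -> int:
    """Numeric score of one attribute; an attribute never rated counts as N."""
    rating = ratings.get(attribute, "N")
    if rating not in RATINGS:
        raise ValueError(f"{attribute}: unknown rating {rating!r}, expected N/P/L/F")
    return RATINGS[rating]


def _validate(ratings: dict[str, str]) -> None:
    """Reject attribute names that are not one of the nine PAs."""
    unknown = set(ratings) - set(ALL_ATTRIBUTES)
    if unknown:
        raise ValueError(f"unknown process attribute(s): {sorted(unknown)}")


def capability_level(ratings: dict[str, str]) -> int:
    """Capability level 0..5 of one process under the ISO/IEC 15504 rule.

    Level N counts only when every attribute of levels 1..N-1 is Fully
    achieved and every attribute of level N is at least Largely achieved.
    This is the rule the slides paraphrase as "each level can only be
    achieved when the level below is fully achieved".
    """
    _validate(ratings)
    reached = 0
    for level in range(1, 6):
        lower_fully = all(_score(ratings, a) == RATINGS["F"]
                          for lower in range(1, level)
                          for a in ATTRIBUTES_BY_LEVEL[lower])
        this_largely = all(_score(ratings, a) >= RATINGS["L"]
                           for a in ATTRIBUTES_BY_LEVEL[level])
        if not (lower_fully and this_largely):
            break
        reached = level
    return reached


def blocking_attributes(ratings: dict[str, str]) -> list[tuple[str, str, str]]:
    """Attributes that stop the process from reaching the next level.

    Returns (attribute, required rating, actual rating) triples in level
    order.  A single L at a lower level caps the result, which is why COBIT 5
    scores come out lower than COBIT 4.1 maturity scores for the same process.
    """
    next_level = capability_level(ratings) + 1
    if next_level > 5:
        return []
    gaps = []
    for level in range(1, next_level + 1):
        required = "L" if level == next_level else "F"
        for attribute in ATTRIBUTES_BY_LEVEL[level]:
            actual = ratings.get(attribute, "N")
            if _score(ratings, attribute) < RATINGS[required]:
                gaps.append((attribute, required, actual))
    return gaps


# Constructed sample assessment of one process (not real data).
SAMPLE_ASSESSMENT = {
    "PA1.1 Process performance": "F",
    "PA2.1 Performance management": "F",
    "PA2.2 Work product management": "L",
    "PA3.1 Process definition": "L",
    "PA3.2 Process deployment": "P",
}

if __name__ == "__main__":
    level = capability_level(SAMPLE_ASSESSMENT)
    print(f"Capability level {level} ({LEVEL_NAMES[level]})")
    for attribute, required, actual in blocking_attributes(SAMPLE_ASSESSMENT):
        print(f"  blocks level {level + 1}: {attribute} needs {required}, rated {actual}")
```

With the sample, level 3's own attributes are L and P, and level 2's PA2.2 is only L, so the process is rated at level 2 even though most of level 3 is in place; a COBIT 4.1 maturity assessment, which is not attribute-gated in this way, would typically report a higher number for the same evidence.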
COBIT 4.1 Maturity Model Comparison to COBIT 5 Process Capability Levels

(Figure only.)

Comparison of v4 Maturity Attributes vs. v5 Process Capability Attributes

(Figure only.)

COBIT 5 Preview Summary

Major changes:
- Consolidation of frameworks
- Adjustment of domains and processes: 4 to 5 domains; 34 to 36 IT processes
- Assessment process changed to focus on capability, using ISO/IEC 15504

The COBIT 5 Framework: What will be delivered?

- An enterprise-wide, end-to-end framework addressing governance and management of information and related technology
- The framework structure will include familiar components such as a domain/process model and other components such as governance/management practices, RACI charts and inputs/outputs
- An initial publication introduces, defines and describes the components that make up the COBIT 5 Framework:
  Principles
  Architecture
  Enablers
  Introduction to implementation guidance and the COBIT process assessment approach

COBIT 5 news
As the initiative progresses throughout 2011 and 2012
there will be periodic updates provided:
On the ISACA web site, www.isaca.org/COBIT5
In the COBIT Focus newsletter
In other ISACA membership communications, events,
marketing materials and PR activities
Watch these spaces for more news!


Thank you
Contact details:
Ernst & Young's
IT Risk Management Center of Excellence

Josh Turcotte, CISA


Email:
Josh.Turcotte@ey.com
Phone:
(214) 969 0678 (Dallas)
Stacey Hamaker, CISA CIA
Email:
Stacey.Hamaker@ey.com
Phone:
(214) 969 8832 (Dallas)
This presentation contains materials that are property of ISACA and Ernst & Young. All rights reserved.
