ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance
By Christopher Oparaugo, CISM, CGEIT, CRISC
COBIT Focus, 14 December 2015

The balanced scorecard (BSC), initially developed by Kaplan and Norton [1, 2, 3, 4], is a performance management system that should allow enterprises to drive their strategies on measurement and follow-up. In recent years, the BSC has been applied to IT and, currently, the first real-life IT security governance application has been developed based on mapping International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 control objectives to COBIT 4.1 process areas and IT governance focus areas. As a further exercise, the relationships and similarities of COBIT 4.1 and COBIT 5 can be explored to create a mapping for COBIT 5 in future publications.

This article explains how an exercise in instituting controls can be used to establish the IT BSC, which can be linked to the business BSC and, in so doing, can support the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls.

Balanced Scorecard Introduction

Kaplan and Norton introduced the BSC at the enterprise level. Their basic idea is that the evaluation of an organization should not be restricted to a traditional financial evaluation, but should be supplemented with measures concerning customer satisfaction, internal processes and the ability to innovate. These additional measures should assure future financial results and drive the organization toward its strategic goals while keeping all 4 perspectives in balance. Kaplan and Norton proposed a triple-layered structure for the 4 perspectives: mission (e.g., to become the customer's most preferred supplier), objectives (e.g., to provide the customers with new products) and measures (e.g., percentage of turnover generated by new products).
The BSC can be applied to the IT function and its processes [5, 6, 7, 8]. This article translates those earlier visions into actions that can be used to correct any lapses that reduce value in the BSC results. The BSC can also be applied to IT risk management [9].

IT Governance Through Controls

This article illustrates how a cascade of scorecards can be instrumental in the development of IT/business governance processes and how this hierarchy of scorecards can support the alignment of business and IT strategy. The IT development BSC and the IT controls/operational BSC are introduced as enablers for the strategic BSC, which, in turn, is the enabler of the business BSC (figure 1). Governance is established through compliance with standards and control objectives.

Figure 1 IT Balanced Scorecard as a Business Enabler
Source: Christopher Oparaugo. Reprinted with permission.

Controls Through Compliance to Standards

IT governance is part of corporate governance and has to provide the organizational structures that enable the creation of business value through IT, the assurance that IT is not invested in bad projects, and adequate IT control mechanisms established through compliance with the control objectives of COBIT and ISO/IEC 27001. The methodology of the BSC is a measurement and management system that is suitable for supporting the IT governance process and the IT-business alignment process.

Figure 2 shows sample cumulative average scores for the ISO/IEC 27001 control objectives and questions, with the inputs for the security policy domain used in the exercise for mapping ISO/IEC 27001 to COBIT 4.1.

Figure 2 Sample Cumulative Average Scores for the ISO/IEC 27001 Control Objectives and Questions Showing Inputs for Security Policy Domain

Reference (Checklist / Standard Section) | ISO/IEC 27001 Control Objective and Question | Results: Status (%)
---------------------------------------- | -------------------------------------------- | -------------------
Security Policy | |
1.1 / 5.1 | Information Security Policy |
1.1.1 / 5.1.1 | Information security policy document |
 | Whether there exists an information security policy, which is approved by the management, published and communicated as appropriate to all employees? | 93.33
 | Whether the policy states management commitment and sets out the organizational approach to managing information security? | 83.33
 | Whether the information security policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness? | 8.33
1.1.2 / 5.1.2 | Review of information security policy |
 | Whether the information security policy has an owner who has approved management responsibility for development, review and evaluation of the security policy? | 100.00
 | Whether any defined information security policy review procedures exist and whether they include requirements for the management review? | 93.33
 | Whether the results of the management review are taken into account? | 80.00
 | Whether management approval is obtained for the revised policy? | 9.7

Source: Christopher Oparaugo. Reprinted with permission.

Figure 3 shows sample cumulative domain scores for the ISO/IEC 27001 control objectives. These results are computed by domain as used in the exercise for mapping ISO/IEC 27001 to COBIT 4.1. The future state results are arbitrary figures that are being aspired to as targets for the exercise.

Figure 3 Resulting ISO/IEC 27001 Compliance Data by Domain
Domain | Objectives | Status (%)
------ | ---------- | ----------
Security Policy | Information security policy | 88%
Organization of Information Security | Internal organization | 72%
 | External parties | 40%
Asset Management | Responsibilities for assets | 74%
 | Information classification | 37%
Human Resources Security | Prior to employment | 74%
 | During employment | 70%
 | Termination or change of employment | 77%
Physical and Environmental Security | Secure areas | 42%
 | Equipment security |
Communication and Operations Management | Operational procedures and responsibilities | 9%
 | Third-party service delivery management | 57%
 | System planning and acceptance | 58%
 | Protection against malicious and mobile code | 73%
 | Backup | 57%
 | Network security management | 4%
 | Media handling | 57%
 | Exchange of information | 5%
 | Electronic commerce services | 71%
 | Monitoring | 54%
Access Control | Business control for access control | 78%
 | User access management | 8%
 | User responsibilities | 59%
 | Network access control | 0%
 | Operating system access control | 78%
 | Application and information access control | 57%
 | Mobile computing and telecommuting | 5%
Information System Acquisition, Development and Maintenance | Security requirements of information systems | 58%
 | Correct processing in applications | 71%
 | Cryptographic controls | 78%
 | Security of system files | 72%
 | Security in development and support services | 70%
 | Technical vulnerability management | 74%
Information Security Incident Management | Reporting information security events and weaknesses | 3%
 | Management of information security incidents | 73%
Business Continuity Management | Information security aspects of business continuity management | 53%
Compliance | Compliance with legal requirements | 58%
 | Compliance with technical policies and standards and technical compliance | 0%
 | Information system audit considerations | 3%

Source: Christopher Oparaugo. Reprinted with permission.

Figure 4 is the bar chart representation of the ISO/IEC 27001 results.

Figure 4 ISO/IEC 27001 Compliance Data by Domain Result in Bar Chart Format
[Bar chart titled "% Compliance By Domain and improvements": one bar per ISO/IEC 27001 domain on the horizontal axis (Domain), Status (%) on the vertical axis from 0.00 to 100.00.]
Source: Christopher Oparaugo. Reprinted with permission.

The generic maturity model score was derived from the assessment data, based on the values that are mapped to the COBIT 4.1 domains (figure 5). These scores are used to create the charts in figures 6 and 7 for maturity benchmark results by domain.
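As an added illustration (not code from the article), the roll-up the exercise relies on: question scores averaged per control objective, objectives averaged per ISO domain (the figure 3 layout), and each COBIT 4.1 process taking the cumulative average of the ISO/IEC 27001 objectives mapped to it, then averaged per COBIT domain (the figure 8 layout). The input scores are constructed from the legible rows of figures 2 and 3, and the ISO-to-COBIT links in ISO_TO_COBIT are an assumption for illustration, not the ISACA mapping table.

```python
from statistics import mean

# Constructed input: (ISO domain, control objective, question score in %).
# Security-policy scores are the legible rows of figure 2; the two
# organization scores reuse the figure 3 objective values as single answers.
ANSWERS = [
    ("Security Policy", "5.1.1 Information security policy document", 93.33),
    ("Security Policy", "5.1.1 Information security policy document", 83.33),
    ("Security Policy", "5.1.2 Review of information security policy", 100.00),
    ("Security Policy", "5.1.2 Review of information security policy", 93.33),
    ("Security Policy", "5.1.2 Review of information security policy", 80.00),
    ("Organization of Information Security", "6.1 Internal organization", 72.0),
    ("Organization of Information Security", "6.2 External parties", 40.0),
]

# Assumed ISO objective -> COBIT 4.1 process links (illustration only; the
# exercise itself uses the ISACA mapping table cited under figure 8).
ISO_TO_COBIT = {
    "5.1.1 Information security policy document": ["PO6", "DS5"],
    "5.1.2 Review of information security policy": ["PO6", "ME2"],
    "6.1 Internal organization": ["PO4"],
    "6.2 External parties": ["DS2"],
}

def objective_scores(answers):
    """Average the question scores of each control objective (figure 2)."""
    by_obj = {}
    for _domain, obj, score in answers:
        by_obj.setdefault(obj, []).append(score)
    return {obj: round(mean(s), 2) for obj, s in by_obj.items()}

def domain_scores(answers):
    """Average the objective scores within each ISO domain (figure 3)."""
    objs = objective_scores(answers)
    by_dom = {}
    for domain, obj, _score in answers:
        by_dom.setdefault(domain, set()).add(obj)
    return {d: round(mean(objs[o] for o in names), 2) for d, names in by_dom.items()}

def cobit_process_scores(answers, mapping):
    """Cumulative average of the mapped objective scores per process (figure 8)."""
    objs = objective_scores(answers)
    by_proc = {}
    for obj, procs in mapping.items():
        for proc in procs:
            by_proc.setdefault(proc, []).append(objs[obj])
    return {p: round(mean(s), 2) for p, s in sorted(by_proc.items())}

def cobit_domain_scores(answers, mapping):
    """Average the process scores within each COBIT domain (PO, AI, DS, ME)."""
    by_dom = {}
    for proc, score in cobit_process_scores(answers, mapping).items():
        by_dom.setdefault(proc[:2], []).append(score)
    return {d: round(mean(s), 2) for d, s in by_dom.items()}
```

A low domain figure can then be traced back through cobit_process_scores and objective_scores to the individual questions that pulled it down, which is the backward review the conclusion describes.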
Figure 5 Compliance Output Data to Generic Future Desired State With Generic Maturity Model
Source: Christopher Oparaugo. Reprinted with permission.

Figure 6 ISO/IEC 27001 Compliance Data Results to Generic Future Desired State
Source: Christopher Oparaugo. Reprinted with permission.

Figure 7 COBIT Compliance to Generic Future Desired State
Source: Christopher Oparaugo. Reprinted with permission.

The value inputs of 0% to 100% from the ISO/IEC 27001 control objectives, sections and control questions are mapped to COBIT 4.1 domains and processes. These are linked to the IT governance focus areas as shown in figure 8.

Figure 8 Sample Results Showing Mapping of ISO/IEC 27001 Data to COBIT Processes
COBIT 4.1 Domains and Processes | Resource Risk Rank | IT Governance Focus Areas (Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Management; P = primary, S = secondary, marks as extracted) | ISO/IEC 27001 Mapped Cumulative Average Result | ISO/IEC 27001 Status (%)
------------------------------- | ------------------ | ------------------------- | ---------------------------------------------- | ------------------------
1 Plan and Organize | | | |
PO1 Define a strategic IT plan | H | P S S | - | 0%
PO2 Define the information architecture | L | P S P S | 9.85 | 70%
PO3 Determine technological direction | M | S S P S | .78 | 7%
PO4 Define the IT processes, organization and relationships | L | S P P | 4.09 | 4%
PO5 Manage the IT investment | M | S P S S | 8.7 | 87%
PO6 Communicate management aims and direction | M | P P | .78 | 7%
PO7 Manage IT human resources | L | P P S S | 73.75 | 74%
PO8 Manage quality | M | P S S | 1.7 | 2%
PO9 Assess and manage IT risk | H | P P | 4.58 | 5%
PO10 Manage projects | H | P S S S S | - | 0%
Plan and Organize domain average | | | | 55%
2 Acquire and Implement | | | |
AI1 Identify automated solutions | M | P P S S | 53.33 | 53%
AI2 Acquire and maintain application software | M | P P S | 4.29 | 4%
AI3 Acquire and maintain technology infrastructure | L | P | .90 | 7%
AI4 Enable operation and use | L | S P S S | 5.19 | 5%
AI5 Procure IT resources | M | S P | 5.00 | 5%
AI6 Manage changes | H | P S | 73.47 | 73%
AI7 Install and accredit solutions and changes | M | S P S S S | 70.3 | 70%
Acquire and Implement domain average | | | | 4%
3 Deliver and Support | | | |
DS1 Define and manage service levels | M | P P P P | 47.50 | 48%
DS2 Manage third-party services | L | P S P S | 2.9 | 3%
DS3 Manage performance and capacity | L | S S P S S | 0.00 | 0%
DS4 Ensure continuous service | M | S P S P S | 55.83 | 5%
DS5 Ensure systems security | H | P | .29 | %
DS6 Identify and allocate costs | L | S P S | - | 0%
DS7 Educate and train users | M | S P S | 43.33 | 43%
DS8 Manage service desk and incidents | M | S P S | 3.82 | 4%
DS9 Manage the configuration | M | P S | 5.44 | 5%
DS10 Manage problems | M | P S | 75.00 | 75%
DS11 Manage data | H | P P P | 5.44 | 5%
DS12 Manage the physical environment | L | S P | .85 | 7%
DS13 Manage operations | L | P | 73.33 | 73%
Deliver and Support domain average | | | | 55%
4 Monitor and Evaluate | | | |
ME1 Monitor and evaluate IT performance | H | P | 5.22 | 5%
ME2 Monitor and evaluate internal control | M | P P | 9.00 | 9%
ME3 Ensure regulatory compliance | H | P P | 2.58 | 3%
ME4 Provide IT governance | H | P P P P P | 9.37 | 9%
Monitor and Evaluate domain average | | | | 4%

Source: ISACA, Mapping COBIT 4.1 to ISO/IEC 27001, USA, 2005

The resulting data from the exercise are further grouped by the COBIT information criteria into primary and secondary criteria. The values of the ISO/IEC 27001 mapping into COBIT processes are then linked with the defined IT goals. Figure 9 shows the exercise results with the values from the data mapping outputs.

Figure 9 Linking COBIT Processes Data Results to IT Goals Showing the Information Criteria for Governance Activities
[Table: the COBIT 4.1 processes PO1 to PO10, AI1 to AI7, DS1 to DS13 and ME1 to ME4, each with its resource risk rank and IT governance focus-area marks as in figure 8, extended with columns for the COBIT information criteria: effectiveness, efficiency, confidentiality, integrity, availability and compliance (the criteria entries are not recoverable from this copy).]
Source: Christopher Oparaugo. Reprinted with permission.

Based on the data values from linking COBIT processes to IT goals, the links from IT goals to business goals are derived and the elements of the BSC are developed. Figure 10 shows the results of these links.

Figure 10 Data Linking IT Goals to Business Goals
Legend: COBIT Information Criteria = Used; Blank = Not Used

Perspective | Business Goals | IT Goals
----------- | -------------- | --------
Financial Perspective | 1 Expand market share | 25 28
 | 2 Increase revenue | 25 28
 | 3 Return on investment | 24
 | 4 Optimize asset utilization | 14
 | 5 Manage business risk | 2 14 17 18 19 20 21 22
Customer Perspective | 6 Improve customer orientation and service | 3 23
 | 7 Offer competitive products and services | 5 24
 | 8 Service availability | 10 1 22 23
 | 9 Agility in responding to changing business requirements (time to market) | 1 5 25
 | 10 Cost optimization of service delivery | 7 8 10 24
Internal Business Perspective | 11 Automate and integrate the enterprise value chain | 7 8 11
 | 12 Improve and maintain business process functionality | 7 11
 | 13 Lower process costs | 7 8 13 15 24
 | 14 Compliance with external laws and regulations | 2 19 20 21 22 2 27
 | 15 Transparency | 2 18
 | 16 Compliance with internal policies | 2 13
 | 17 Improve and maintain operational and staff productivity | 7 8 11 13
Learning and Growth Perspective | 18 Product/business innovation | 5 25 28
 | 19 Obtain reliable and useful information for strategic decision making | 2 4 12 20 2
 | 20 Increase in value delivery per employee | 9 15 24
 | 21 Acquire and maintain skilled and motivated personnel | 9 28

Source: ISACA, COBIT 4.1: Framework for IT Governance and Control, and IT Governance Institute

Information Security Governance Balanced Scorecard

The BSC is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy and translate those into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the BSC transforms strategic planning from an academic exercise into the nerve center of an enterprise. The BSC uses 4 perspectives; it develops metrics, collects data and analyzes the data relative to each of these perspectives:

1. Financial: To succeed financially, how should we appear to our shareholders? 52.38%
2. Customer: To achieve our vision, how should we appear to our customers? 59.40%
3. Internal business: To satisfy our shareholders and customers, at what business processes must we excel? 1.31%
4. Learning and growth: To achieve our vision, how will we sustain our ability to change and improve? 55.54%

Conclusion

The vision and strategy driver scores are obtained from the mapping exercise of ISO/IEC 27001 to COBIT 4.1, and these can be used in determining key performance indicator (KPI) scores for a department and drilled down to an individual's contribution to the overall department success. The results from linking IT goals to business goals and reviewing them against the COBIT information criteria help form a better perspective of the BSC. The assessment results can be drilled into, and a backward review of the mapping values can be used to determine the root cause of low values in a set of mapped ISO/IEC 27001 control objectives and questions; this forms a basis for developing an action plan as needed by the business. Successful enterprises understand the risk and exploit the benefits of IT, and find ways to deal with aligning IT strategy with the business strategy, cascading IT strategy and goals down into the enterprise, and insisting that an IT control framework be adopted and implemented. IT governance is not an isolated discipline.
It is an integral part of overall enterprise governance that drives the business in these days of the Internet of Things. The need to integrate IT governance with overall business governance is similar to the need for IT to be an integral part of the enterprise business.

Christopher Oparaugo, CISM, CGEIT, CRISC, is the chief technology officer of KATEC Consulting Ltd. He has worked for IBM Global Business Services as an information security consultant. He has also worked in the telecommunication and banking industries in West Africa. Oparaugo has contributed to the ISACA CISM, CGEIT and CRISC Certification Project and Test Enhancement Committee since 2005, setting exam questions and reviewing the manuals.

Endnotes

[1] Kaplan, R.; D. Norton; "The Balanced Scorecard: Measures That Drive Performance," Harvard Business Review, January-February 1992, p. 71-79
[2] Kaplan, R.; D. Norton; "Putting the Balanced Scorecard to Work," Harvard Business Review, September-October 1993, p. 134-142
[3] Kaplan, R.; D. Norton; "Using the Balanced Scorecard as a Strategic Management System," Harvard Business Review, January-February 1996, p. 75-85
[4] Kaplan, R.; D. Norton; The Balanced Scorecard: Translating Vision Into Action, Harvard Business School Press, Boston, 1996
[5] Gold, C.; Total Quality Management in Information Services, IS Measures: A Balancing Act, research note, Ernst & Young Center for Information Technology and Strategy, USA, 1992
[6] Gold, C.; US Measures: A Balancing Act, Ernst & Young Center for Business Innovation, USA, 1994
[7] Willcocks, L.; Information Management: The Evaluation of Information Systems Investments, Chapman & Hall, UK, 1995
[8] Van Grembergen, W.; D. Timmerman; "Monitoring the IT Process Through the Balanced Scorecard," Proceedings of the 9th Information Resources Management (IRMA) International Conference, USA, May 1998, p. 105-11
[9] Van Grembergen, W.; "The Balanced Scorecard and IT Governance," Information Systems Control Journal, vol. 2, 2000