September 17, 2012 Pittsburgh ISACA Chapter


What is COBIT? Control Objectives for Information and related Technologies: ISACA's guidance on the enterprise governance and management of IT. COBIT 5 builds on more than 15 years of practical usage and application of COBIT by many enterprises and users from the business, IT, risk, security and assurance communities. It connects to, and where relevant aligns with, other major frameworks and standards in the marketplace, such as:
Information Technology Infrastructure Library (ITIL)
The Open Group Architecture Forum (TOGAF)
Project Management Body of Knowledge (PMBOK)
PRojects IN Controlled Environments 2 (PRINCE2)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
International Organization for Standardization (ISO) standards

What is COBIT? COBIT 5 brings together five principles that allow organizations to build an effective governance and management framework, based on a holistic set of seven enablers, that optimizes the investment in and use of information and technology for the benefit of stakeholders.

What you need to remember "All models are wrong, some models are useful" (George Box or W. Edwards Deming). Thus, when adopting COBIT, a certain degree of adaptation also needs to occur in order for it to be of value:
Incorporate an operating model and a common language for all parts of the enterprise involved in IT activities
Leverage the appendices for model navigation
Adapt to each unique organization

Why Version 5?
Provide more stakeholders a say
Address the increasing dependency on external business and IT parties
Deal with the amount of information, which has increased significantly
Deal with much more pervasive IT
Provide further guidance in the area of innovation and emerging technologies
Less about audit and more about governance

Why Version 5? All previous content from these three models is integrated and updated into COBIT 5.

COBIT begins with Information Information is a key resource. Information is created, used, modified, retained, disclosed and destroyed, and technology plays a key role in each of these actions. Technology is pervasive in all aspects of business. What benefits do information and technology bring to organizations?

Enterprise Benefits Organizations and their leaders strive to:
Maintain quality information to support business decisions.
Generate business value from IT-enabled investments, i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT.
Achieve operational excellence through reliable and efficient application of technology.
Maintain IT-related risk at an acceptable level.
Optimize the cost of IT services and technology.
How can these benefits be realized to create enterprise stakeholder value?

Stakeholder Value Delivering organizational stakeholder value requires good governance and management of information and technology (IT) assets. Corporate boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

The COBIT 5 Framework COBIT 5 helps organizations create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire organization, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for organizations of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT Structure COBIT provides cascading guidance to align the complex relationship between business and IT goals by depicting a cascading relationship between the sets of goals and the enablers. COBIT provides the "what" for defining best practices and their subsequent measures.

COBIT 5 Principles Source: COBIT 5, 2012 ISACA

Goals Cascade The COBIT 5 Goals Cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. Source: COBIT 5. 2012 ISACA

COBIT Stakeholder Drivers & Needs A governance system should consider all stakeholders when making benefit, risk and resource assessment decisions. For each decision, the following questions can and should be asked:
For whom are the benefits?
Who bears the risk?
What resources are required?

Stakeholder Needs These questions point us towards an enterprise goal focus. Source: COBIT 5. 2012 ISACA

COBIT Enterprise Goals COBIT provides 17 general enterprise goals. These goals are categorized into four domains:
Financial
Customer
Internal
Learning and Growth

COBIT Enterprise Goals Source: COBIT 5. 2012 ISACA Primary & Secondary

COBIT 5 Model P (primary) marks an important relationship: the item is primary support for the achievement of a COBIT objective (e.g., a goal). S (secondary) marks a relationship that is still strong, but less important.

COBIT Enterprise Goals - Metrics Source: COBIT 5. 2012 ISACA

COBIT IT Goals COBIT provides 17 generic IT goals. Enterprise goals translate into these IT goals (enterprise goals to IT goals traceability). The IT goals in turn require the successful application and use of a number of enablers.

COBIT IT Goals Source: COBIT 5. 2012 ISACA

COBIT IT Goals - Metrics Source: COBIT 5. 2012 ISACA

Mapping of Goals Understanding the alignment of Enterprise Goals with IT Goals is critical to leveraging COBIT 5. Source: COBIT 5. 2012 ISACA All rights reserved.

COBIT 5 Enablers Source: COBIT 5. 2012 ISACA

COBIT Enablers Enablers are factors that, individually and collectively, influence whether something will work, in this case governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.

COBIT Enablers
1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
5. Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

COBIT Enablers Some of the enablers defined previously are also enterprise resources that need to be managed and governed as well. This applies to:
Information, which needs to be managed as a resource. Some information, such as management reports and business intelligence information, is an important enabler for the governance and management of the enterprise.
Services, infrastructure and applications
People, skills and competencies

COBIT Enablers Interconnected Each enabler needs the input of other enablers to be fully effective (for example, processes need information, and organizational structures need skills and behavior) and delivers output to the benefit of other enablers (for example, processes deliver information, and skills and behavior make processes efficient). This means that to deal with any stakeholder need, all interrelated enablers have to be analyzed for relevance and addressed if required.

COBIT 5 Enablers Source: COBIT 5. 2012 ISACA

COBIT Enablers All enablers have a set of common dimensions. This set of common dimensions:
Provides a common, simple and structured way to deal with enablers
Allows an entity to manage its complex interactions
Facilitates successful outcomes of the enablers

COBIT Enabler Dimensions Source: COBIT 5. 2012 ISACA

COBIT Information Criteria The COBIT 5 information model allows the definition of an additional set of criteria, adding value beyond the COBIT 4.1 information criteria.

COBIT: Enabling Processes

COBIT: Enabling Processes A process is defined as a collection of practices, influenced by the enterprise's policies and procedures, that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services).

COBIT: Enabling Processes The process model shows:
Stakeholders - Processes have internal and external stakeholders, each with their own roles; stakeholders and their responsibility levels are documented in RACI charts. External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include the board, management, staff and volunteers.
Goals - Process goals are defined as a statement describing the desired outcome of a process. An outcome can be an artifact, a significant change of state or a significant capability improvement of other processes. They are part of the goals cascade, i.e., process goals support IT-related goals, which in turn support enterprise goals.

Process Goals Process goals can be categorized as:
Intrinsic goals - Does the process have intrinsic quality? Is it accurate and in line with good practice? Is it compliant with internal and external rules?
Contextual goals - Is the process customized and adapted to the enterprise's specific situation? Is the process relevant, understandable and easy to apply?
Accessibility and security goals - The process remains confidential when required, and is known and accessible to those who need it.

Process Goal Metrics At each level of the goals cascade, metrics are defined to measure the extent to which goals are achieved. A metric can be defined as a quantifiable entity that allows the measurement of the achievement of a process goal. Metrics should be SMART: specific, measurable, actionable, relevant and timely. To manage the enabler effectively and efficiently, metrics need to be defined to measure the extent to which the expected outcomes are achieved.

Process Life Cycle Each process has a life cycle: it is defined, created, operated, monitored, and adjusted/updated or retired. Generic process practices, such as those defined in the COBIT process assessment model based on ISO/IEC 15504, can assist with defining, running, monitoring and optimizing processes.

Good Practices COBIT 5: Enabling Processes contains a process reference model in which process-internal good practices are described in growing levels of detail: practices, activities and detailed activities.

COBIT Enabling Processes COBIT provides 37 IT processes segmented into 5 domains:
Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)

COBIT Enabling Processes Although, as described previously, most of the processes require planning, implementation, execution and monitoring activities within the process or within the specific issue being addressed (e.g., quality, security), they are placed in domains in line with what is generally the most relevant area of activity when regarding IT at the enterprise level. In COBIT 5 the processes also cover the full scope of business and IT activities related to the governance and management of enterprise IT, thus making the process model truly enterprise-wide.

Governance and Management Governance ensures that organizational objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-upon direction and objectives. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the organizational objectives.

Source: COBIT 5. 2012 ISACA

Evaluate, Direct and Monitor (EDM) Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency

Align, Plan and Organize (APO) The Align, Plan and Organize domain covers the use of information and technology and how it can best be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve optimal results and generate the most benefits from the use of IT.

Align, Plan and Organize (APO)
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Relations
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement (BAI) The Build, Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes.

Build, Acquire and Implement (BAI)
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support (DSS) The Deliver, Service and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems.

Deliver, Service and Support (DSS)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA) The Monitor, Evaluate and Assess domain deals with a company's strategy for assessing its needs and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers independent assessment, by internal and external auditors, of the effectiveness of the IT system in its ability to meet business objectives and of the company's control processes.

Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Evaluate and Assess Compliance with External Requirements

Governance & Management Source: COBIT 5. 2012 ISACA

IT Process to IT Goal Mapping Source: COBIT 5. 2012 ISACA

COBIT Enabling Process Example Walkthrough: APO02 Manage Strategy. Each process page carries a process label (domain prefix and number), the process name, and the area of the process (governance or management).

APO02 Manage Strategy Description: what the process does and accomplishes. Purpose statement: overall purpose description. Source: COBIT 5. 2012 ISACA

APO02 Manage Strategy Goals cascade: related IT goals, with generic metrics that measure achievement of the IT goals. Source: COBIT 5. 2012 ISACA

APO02 Manage Strategy Process goals and process metrics. Source: COBIT 5. 2012 ISACA

APO 02 Manage Strategy Source: COBIT 5. 2012 ISACA

APO02 Manage Strategy RACI Chart
Responsible - Who is getting the task done?
Accountable - Who accounts for the success of the task?
Consulted - Who is providing input?
Informed - Who is receiving information?

APO02 Manage Strategy Detailed description of the management practices and their activities. Source: COBIT 5. 2012 ISACA

APO02 Manage Strategy Related guidance from external sources. Source: COBIT 5. 2012 ISACA

Generic Guidance for Processes Source: COBIT 5. 2012 ISACA

New & Modified Processes 5 new governance processes:
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency

New & Modified Processes Summary of changes between COBIT 4.1 and COBIT 5. Processes in COBIT 4.1 that are merged in COBIT 5:
DS7 is merged with PO7 (Education and Human Resources)
PO6 is merged with PO1 (Management Communications and Management)
PO2 is merged with PO3 (Information and Technical Architectures)
AI2 is merged with AI3 (Application Software and Infrastructure Components)
DS12 is merged with DS5 (Physical Environment and Information Security)

New & Modified Processes Entirely new processes in COBIT 5:
EDM1 Set and Maintain Governance Framework
APO1 Define the Management Framework
APO4 Manage Innovation (partly PO3)
APO8 Manage Relationships
BAI8 Knowledge Management
DSS2 Manage Assets (partly DS9)
DSS8 Manage Business Process Controls

New & Modified Processes Processes in COBIT 4.1 that are reassigned in COBIT 5:
ME4 to EDM1, 2, 3, 4, 5 (Governance)
Processes in COBIT 4.1 that are relocated in COBIT 5:
PO1 to APO2 (Strategic Planning)
PO4 to APO1 (Organization, Relationships and Processes)

Putting this all together: Enterprise Goals -> IT Goals -> Enabler Goals -> Processes -> Activities

COBIT Capability

COBIT Process Capability Model Source: COBIT 5. 2012 ISACA

COBIT Process Capability Model There are six levels of capability that a process can achieve, including an incomplete-process designation if the practices in it do not achieve the intended purpose of the process:
0 Incomplete process - The process is not implemented or fails to achieve its process purpose. At this level there is little or no evidence of any systematic achievement of the process purpose.
1 Performed process (one attribute) - The implemented process achieves its process purpose.
2 Managed process (two attributes) - The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
3 Established process (two attributes) - The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes.
4 Predictable process (two attributes) - The previously described established process now operates within defined limits to achieve its process outcomes.
5 Optimizing process (two attributes) - The previously described predictable process is continuously improved to meet relevant current and projected business goals.

COBIT Process Capability Model Assessing whether the process achieves its goals or, in other words, achieves capability level 1 can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to the degree to which each objective is achieved. This scale consists of the following ratings:
N (Not achieved) - There is little or no evidence of achievement of the defined attribute in the assessed process. (0 to 15 percent achievement)
P (Partially achieved) - There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. (15 to 50 percent achievement)
L (Largely achieved) - There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. (50 to 85 percent achievement)
F (Fully achieved) - There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the same rating scale, expressing the extent to which the base practices are applied.
3. To further refine the assessment, the work products may also be taken into consideration to determine the extent to which a specific assessment attribute has been achieved.
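The following is an added example, not part of the presentation or of ISACA's material, that turns the rating scale and the attribute counts above into a capability-level calculation for one process. It assumes that boundary percentages (15, 50, 85) fall into the lower band, and it applies the ISO/IEC 15504 aggregation rule, which the slides do not spell out: a level is reached only when every attribute at that level is rated at least L and every attribute of all lower levels is rated F. The sample percentages for DSS05 are constructed.

```python
"""Capability-level determination for a COBIT 5 process assessment.

Added example, not from the presentation or from ISACA. Assumes:
  - the N/P/L/F percentage bands on the slide, with a boundary value
    (15, 50, 85) falling into the lower band;
  - the number of process attributes per level stated on the slide
    (one at level 1, two at each of levels 2 to 5);
  - the ISO/IEC 15504 aggregation rule (not spelled out on the slide):
    a level is reached when every attribute at that level is rated at
    least L and every attribute of all lower levels is rated F.
"""

# Attribute counts per capability level, as given on the slide.
ATTRIBUTES_PER_LEVEL = {1: 1, 2: 2, 3: 2, 4: 2, 5: 2}

LEVEL_NAMES = {
    0: "Incomplete", 1: "Performed", 2: "Managed",
    3: "Established", 4: "Predictable", 5: "Optimizing",
}


def rating(percent: float) -> str:
    """Map a percentage achievement to the ISO/IEC 15504 rating letter."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100 percent, got {percent}")
    if percent <= 15:
        return "N"   # Not achieved
    if percent <= 50:
        return "P"   # Partially achieved
    if percent <= 85:
        return "L"   # Largely achieved
    return "F"       # Fully achieved


def capability_level(scores: dict[int, list[float]]) -> int:
    """Return the highest capability level (0..5) reached by a process.

    scores maps a level to the percentage achievement of each process
    attribute at that level; levels the assessor did not rate may be omitted.
    """
    reached = 0
    for level in range(1, 6):
        if level not in scores:
            break  # not assessed beyond this point
        attrs = scores[level]
        expected = ATTRIBUTES_PER_LEVEL[level]
        if len(attrs) != expected:
            raise ValueError(f"level {level} has {expected} attribute(s), got {len(attrs)}")
        this_level_ok = all(rating(p) in ("L", "F") for p in attrs)
        # Every attribute of every lower level must be Fully achieved.
        lower_ok = all(rating(p) == "F" for lvl in range(1, level) for p in scores[lvl])
        if not (this_level_ok and lower_ok):
            break
        reached = level
    return reached


def assessment_summary(process_id: str, scores: dict[int, list[float]]) -> str:
    """One-line assessment statement with per-attribute ratings."""
    level = capability_level(scores)
    detail = "; ".join(
        f"L{lvl}: " + ",".join(rating(p) for p in attrs)
        for lvl, attrs in sorted(scores.items())
    )
    return f"{process_id}: capability level {level} ({LEVEL_NAMES[level]}) [{detail}]"


if __name__ == "__main__":
    # Constructed sample ratings for DSS05 Manage Security Services (a process
    # named on the slides); the percentages are illustrative, not real data.
    sample = {1: [92.0], 2: [88.0, 70.0], 3: [60.0, 40.0]}
    print(assessment_summary("DSS05", sample))
    # A process whose level-2 attributes look good but whose level-1 attribute
    # is only Largely achieved stays at level 1: lower levels must be Fully achieved.
    stuck = {1: [80.0], 2: [90.0, 95.0]}
    print(assessment_summary("DSS05", stuck))
```

The second sample is the case assessors most often get wrong: strong level-2 evidence does not lift a process past level 1 while its performance attribute is only largely achieved.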

Auditor Tips Evidence of activities (as well as inputs/outputs) is critical in assessing the existence of controls. Information and metrics/measurements are key to any critical IT process.

Remaining Thoughts COBIT has evolved to provide the overarching framework for organizations to achieve IT governance while leveraging other industry best practices, frameworks and models to provide prescriptive actions. COBIT promotes tight alignment between IT processes and enterprise goals. COBIT is a useful tool beyond just the standard audit guidance.

Questions? Thank you