
COBIT 4 to 5 Mapping



CobiT 4.1 to COBIT 5 mapping

CobiT 4.1 control objective -> COBIT 5 process/practice ID(s)

AC1 Source Data Preparation and Authorisation -> DSS06.02; DSS06.03; BAI03.02; BAI03.03; BAI03.05; BAI03.07
AC2 Source Data Collection and Entry -> DSS06.02
AC3 Accuracy, Completeness and Authenticity Checks -> DSS06.02
AC4 Processing Integrity and Validity -> DSS06.02
AC5 Output Review, Reconciliation and Error Handling -> DSS06.02
AC6 Transaction Authentication and Integrity -> DSS06.02

PO1.1 IT Value Management -> EDM02
PO1.2 Business-IT Alignment -> APO02.01
PO1.3 Assessment of Current Capability and Performance -> APO02.02
PO1.4 IT Strategic Plan -> APO02.03; APO02.04; APO02.05
PO1.5 IT Tactical Plans -> APO02.05
PO1.6 IT Portfolio Management -> APO05.05

PO2.1 Enterprise Information Architecture Model -> APO03.02
PO2.2 Enterprise Data Dictionary and Data Syntax Rules -> APO03.02
PO2.3 Data Classification Scheme -> APO03.02
PO2.4 Integrity Management -> APO01.06

PO3.1 Technological Direction Planning -> APO02.03; APO04.03
PO3.2 Technical Infrastructure Plan -> APO02.03; APO02.04; APO02.05; APO04.03; APO04.04; APO04.05
PO3.3 Monitor Future Trends and Regulations -> EDM01.01; APO04.03
PO3.4 Technology Standards -> APO03.05
PO3.5 IT Architecture Board -> APO01.01

PO4.1 IT Process Framework -> APO01.03; APO01.07
PO4.2 IT Strategy Committee -> APO01.01
PO4.3 IT Steering Committee -> APO01.01
PO4.4 Organisational Placement of the IT Function -> APO01.05
PO4.5 IT Organisational Structure -> APO01.01
PO4.6 Establishment of Roles and Responsibilities -> APO01.02
PO4.7 Responsibility for IT Quality Assurance -> APO11.01
PO4.8 Responsibility for Risk, Security and Compliance -> Deleted (these specific roles are no longer explicitly specified as a practice)
PO4.9 Data and System Ownership -> APO01.06
PO4.10 Supervision -> APO01.02
PO4.11 Segregation of Duties -> APO01.02; DSS08.02
PO4.12 IT Staffing -> APO07.01
PO4.13 Key IT Personnel -> APO07.02
PO4.14 Contracted Staff Policies and Procedures -> APO07.06
PO4.15 Relationships -> APO01.01

PO5.1 Financial Management Framework -> APO06.01
PO5.2 Prioritisation Within IT Budget -> APO06.02
PO5.3 IT Budgeting -> APO06.03
PO5.4 Cost Management -> APO06.04; APO06.05
PO5.5 Benefit Management -> APO05.06

PO6.1 IT Policy and Control Environment -> APO01.03
PO6.2 Enterprise IT Risk and Control Framework -> EDM03.02; APO01.03
PO6.3 IT Policies Management -> APO01.03; APO01.08
PO6.4 Policy, Standards and Procedures Rollout -> APO01.03; APO01.08
PO6.5 Communication of IT Objectives and Direction -> APO01.04

PO7.1 Personnel Recruitment and Retention -> APO07.01
PO7.2 PO7.1 Personnel Recruitment and Retention -> APO07.05
PO7.2 Personnel Competencies -> APO07.03
PO7.3 Staffing of Roles -> APO01.02; APO07.01
PO7.4 Personnel Training -> APO07.03
PO7.5 Dependence Upon Individuals -> APO07.02
PO7.6 Personnel Clearance Procedures -> APO07.01; APO07.06
PO7.7 Employee Job Performance Evaluation -> APO07.04
PO7.8 Job Change and Termination -> APO07.01

PO8.1 Quality Management System -> APO11.01
PO8.2 IT Standards and Quality Practices -> APO11.02
PO8.3 Development and Acquisition Standards -> APO11.02; APO11.05
PO8.4 Customer Focus -> APO11.03
PO8.5 Continuous Improvement -> APO11.06
PO8.6 Quality Measurement, Monitoring and Review -> APO11.04

PO9.1 IT Risk Management Framework -> EDM03.02; APO01.03
PO9.2 Establishment of Risk Context -> APO12.03
PO9.3 Event Identification -> APO12.01; APO12.03
PO9.4 Risk Assessment -> APO12.02; APO12.04
PO9.5 Risk Response -> APO12.06
PO9.6 Maintenance and Monitoring of a Risk Action Plan -> APO12.04; APO12.05

PO10.1 Programme Management Framework -> BAI01.01
PO10.2 Project Management Framework -> BAI01.01
PO10.3 Project Management Approach -> BAI01.01
PO10.4 Stakeholder Commitment -> BAI01.03
PO10.5 Project Scope Statement -> BAI01.07
PO10.6 Project Phase Initiation -> BAI01.07
PO10.7 Integrated Project Plan -> BAI01.08
PO10.8 Project Resources -> BAI01.08
PO10.9 Project Risk Management -> BAI01.10
PO10.10 Project Quality Plan -> BAI01.09
PO10.11 Project Change Control -> BAI01.11
PO10.12 Project Planning of Assurance Methods -> BAI01.08
PO10.13 Project Performance Measurement, Reporting and Monitoring -> BAI01.06; BAI01.11
PO10.14 Project Closure -> BAI01.13

AI1.1 Definition and Maintenance of Business Functional and Technical Requirements -> BAI02.01
AI1.2 Risk Analysis Report -> BAI02.03
AI1.3 Feasibility Study and Formulation of Alternative Courses of Action -> BAI02.02
AI1.4 Requirements and Feasibility Decision and Approval -> BAI02.04

AI2.1 High-level Design -> BAI03.01
AI2.2 Detailed Design -> BAI03.02
AI2.3 Application Control and Auditability -> BAI03.05
AI2.4 Application Security and Availability -> BAI03.01; BAI03.02; BAI03.03; BAI03.05
AI2.5 Configuration and Implementation of Acquired Application Software -> BAI03.03; BAI03.05
AI2.6 Major Upgrades to Existing Systems -> BAI03.10
AI2.7 Development of Application Software -> BAI03.03; BAI03.04
AI2.8 Software Quality Assurance -> BAI03.06
AI2.9 Applications Requirements Management -> BAI03.09
AI2.10 Application Software Maintenance -> BAI03.10

AI3.1 Technological Infrastructure Acquisition Plan -> BAI03.04
AI3.2 Infrastructure Resource Protection and Availability -> BAI03.03; DSS02.03
AI3.3 Infrastructure Maintenance -> BAI03.10
AI3.4 Feasibility Test Environment -> BAI03.07; BAI03.08

AI4.1 Planning for Operational Solutions -> BAI05.05
AI4.2 Knowledge Transfer to Business Management -> BAI08.01; BAI08.02; BAI08.03; BAI08.04
AI4.3 Knowledge Transfer to End Users -> BAI08.01; BAI08.02; BAI08.03; BAI08.04
AI4.4 Knowledge Transfer to Operations and Support Staff -> BAI08.01; BAI08.02; BAI08.03; BAI08.04

AI5.1 Procurement Control -> BAI03.04
AI5.2 Supplier Contract Management -> APO10.01; APO10.03
AI5.3 Supplier Selection -> APO10.02
AI5.4 IT Resources Acquisition -> APO10.03

AI6.1 Change Standards and Procedures -> BAI06.01; BAI06.02; BAI06.03; BAI06.04
AI6.2 Impact Assessment, Prioritisation and Authorisation -> BAI06.01
AI6.3 Emergency Changes -> BAI06.02
AI6.4 Change Status Tracking and Reporting -> BAI06.03
AI6.5 Change Closure and Documentation -> BAI06.04

AI7.1 Training -> BAI05.05
AI7.2 Test Plan -> BAI07.01; BAI07.03
AI7.3 Implementation Plan -> BAI07.01
AI7.4 Test Environment -> BAI07.04
AI7.5 System and Data Conversion -> BAI07.02
AI7.6 Testing of Changes -> BAI07.05
AI7.7 Final Acceptance Test -> BAI07.05
AI7.8 Promotion to Production -> BAI07.06
AI7.9 Post-implementation Review -> BAI07.08

DS1.1 Service Level Management Framework -> APO09.01; APO09.02; APO09.03; APO09.04; APO09.05; APO09.06
DS1.2 Definition of Services -> APO09.01
DS1.3 Service Level Agreements -> APO09.04
DS1.4 Operating Level Agreements -> APO09.04
DS1.5 Monitoring and Reporting of Service Level Achievements -> APO09.05
DS1.6 Review of Service Level Agreements and Contracts -> APO09.06

DS2.1 Identification of All Supplier Relationships -> APO10.01
DS2.2 Supplier Relationship Management -> APO10.03
DS2.3 Supplier Risk Management -> APO10.04
DS2.4 Supplier Performance Monitoring -> APO10.05

DS3.1 Performance and Capacity Planning -> BAI04.03
DS3.2 Current Performance and Capacity -> BAI04.01; BAI04.02
DS3.3 Future Performance and Capacity -> BAI04.01
DS3.4 IT Resources Availability -> BAI04.05
DS3.5 Monitoring and Reporting -> BAI04.04

DS4.1 IT Continuity Framework -> DSS04.01; DSS04.02
DS4.2 IT Continuity Plans -> DSS04.03
DS4.3 Critical IT Resources -> DSS04.04
DS4.4 Maintenance of the IT Continuity Plan -> DSS04.02; DSS04.06
DS4.5 Testing of the IT Continuity Plan -> DSS04.05
DS4.6 IT Continuity Plan Training -> DSS04.07
DS4.7 Distribution of the IT Continuity Plan -> DSS04.03
DS4.8 IT Services Recovery and Resumption -> DSS04.04
DS4.9 Offsite Backup Storage -> DSS04.08
DS4.10 Post-resumption Review -> DSS04.09

DS5.1 Management of IT Security -> APO13.01; APO13.03
DS5.2 IT Security Plan -> APO13.02
DS5.3 Identity Management -> DSS05.04
DS5.4 User Account Management -> DSS05.04
DS5.5 Security Testing, Surveillance and Monitoring -> DSS05.07
DS5.6 Security Incident Definition -> DSS02.01
DS5.7 Protection of Security Technology -> DSS05.05
DS5.8 Cryptographic Key Management -> DSS05.03
DS5.9 Malicious Software Prevention, Detection and Correction -> DSS05.01
DS5.10 Network Security -> DSS05.02
DS5.11 Exchange of Sensitive Data -> DSS05.02

DS6.1 Definition of Services -> APO06.04
DS6.2 IT Accounting -> APO06.01
DS6.3 Cost Modelling and Charging -> APO06.04
DS6.4 Cost Model Maintenance -> APO06.04

DS7.1 Identification of Education and Training Needs -> APO07.03
DS7.2 Delivery of Training and Education -> APO07.03
DS7.3 Evaluation of Training Received -> APO07.03

DS8.1 Service Desk -> Deleted
DS8.2 Registration of Customer Queries -> DSS02.01; DSS02.02; DSS02.03
DS8.3 Incident Escalation -> DSS02.04
DS8.4 Incident Closure -> DSS02.05; DSS02.06
DS8.5 Reporting and Trend Analysis -> DSS02.07

DS9.1 Configuration Repository and Baseline -> BAI10.01; BAI10.02; BAI10.04; DSS02.01
DS9.2 Identification and Maintenance of Configuration Items -> BAI10.03
DS9.3 Configuration Integrity Review -> BAI10.04; BAI10.05; DSS02.05

DS10.1 Identification and Classification of Problems -> DSS03.01
DS10.2 Problem Tracking and Resolution -> DSS03.02
DS10.3 Problem Closure -> DSS03.03; DSS03.04
DS10.4 Integration of Configuration, Incident and Problem Management -> DSS03.05

DS11.1 Business Requirements for Data Management -> DSS01.01
DS11.2 Storage and Retention Arrangements -> DSS04.08; DSS06.04
DS11.3 Media Library Management System -> DSS04.08
DS11.4 Disposal -> DSS05.08
DS11.5 Backup and Restoration -> DSS04.08
DS11.6 Security Requirements for Data Management -> DSS01.01; DSS05.08; DSS06.05

DS12.1 Site Selection and Layout -> DSS01.04; DSS01.05; DSS05.05
DS12.2 Physical Security Measures -> DSS05.05
DS12.3 Physical Access -> DSS05.05
DS12.4 Protection Against Environmental Factors -> DSS01.04
DS12.5 Physical Facilities Management -> DSS01.05

DS13.1 Operations Procedures and Instructions -> DSS01.01
DS13.2 Job Scheduling -> DSS01.01
DS13.3 IT Infrastructure Monitoring -> DSS01.03
DS13.4 Sensitive Documents and Output Devices -> DSS05.06
DS13.5 Preventive Maintenance for Hardware -> BAI09.02

ME1.1 Monitoring Approach -> MEA01.01
ME1.2 Definition and Collection of Monitoring Data -> MEA01.02; MEA01.03
ME1.3 Monitoring Method -> MEA01.03
ME1.4 Performance Assessment -> MEA01.04
ME1.5 Board and Executive Reporting -> MEA01.04
ME1.6 Remedial Actions -> MEA01.05

ME2.1 Monitoring of Internal Control Framework -> MEA02.01; MEA02.02
ME2.2 Supervisory Review -> MEA02.01
ME2.3 Control Exceptions -> MEA02.04
ME2.4 Control Self-assessment -> MEA02.03
ME2.5 Assurance of Internal Control -> MEA02.06; MEA02.07; MEA02.08
ME2.6 Internal Control at Third Parties -> MEA02.01
ME2.7 Remedial Actions -> MEA02.04

ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements -> MEA03.01
ME3.2 Optimisation of Response to External Requirements -> MEA03.02
ME3.3 Evaluation of Compliance With External Requirements -> MEA03.03
ME3.4 Positive Assurance of Compliance -> MEA03.04
ME3.5 Integrated Reporting -> MEA03.04

ME4.1 Establishment of an IT Governance Framework -> EDM01
ME4.2 Strategic Alignment -> Deleted (in COBIT 5, alignment is considered to be the result of all governance and management activities)
ME4.3 Value Delivery -> EDM02
ME4.4 Resource Management -> EDM04
ME4.5 Risk Management -> EDM03
ME4.6 Performance Measurement -> EDM01.03; EDM02.03; EDM03.03; EDM04.03
ME4.7 Independent Assurance -> MEA02.05; MEA02.06; MEA02.07; MEA02.08


COBIT 5 to CobiT 4.1 mapping

COBIT 5 key governance/management practice -> CobiT 4.1 control objective(s)

APO01 Manage the IT Management Framework

APO01.01 Define the organisational structure PO3.5 PO3.5 IT Architecture Board

APO01.01 Define the organisational structure PO4.2 PO4.2 IT Strategy Committee

APO01.01 Define the organisational structure PO4.3 PO4.3 IT Steering Committee

APO01.01 Define the organisational structure PO4.5 PO4.5 IT Organisational Structure

APO01.01 Define the organisational structure PO4.15 PO4.15 Relationships

APO01.02 Establish roles and responsibilities. PO4.6 PO4.6 Establishment of Roles and Responsibilities

APO01.02 Establish roles and responsibilities. PO4.10 PO4.10 Supervision

APO01.02 Establish roles and responsibilities. PO4.11 PO4.11 Segregation of Duties

APO01.02 Establish roles and responsibilities. PO7.3 PO7.3 Staffing of Roles

APO01.03 Maintain the enablers of the management system. PO4.1 PO4.1 IT Process Framework

APO01.03 Maintain the enablers of the management system. PO6.1 PO6.1 IT Policy and Control Environment

APO01.03 Maintain the enablers of the management system. PO6.2 PO6.2 Enterprise IT Risk and Control Framework

APO01.03 Maintain the enablers of the management system. PO6.3 PO6.3 IT Policies Management

APO01.03 Maintain the enablers of the management system. PO6.4 PO6.4 Policy, Standards and Procedures Rollout

APO01.03 Maintain the enablers of the management system. PO9.1 PO9.1 IT Risk Management Framework

APO01.04 Communicate management objectives and direction PO6.5 PO6.5 Communication of IT Objectives and Direction

APO01.05 Optimise the placement of the IT function PO4.4 PO4.4 Organisational Placement of the IT Function

APO01.06 Define information (data) and system ownership PO2.4 PO2.4 Integrity Management

APO01.06 Define information (data) and system ownership PO4.9 PO4.9 Data and System Ownership

APO01.07 Manage continual improvement of processes. PO4.1 PO4.1 IT Process Framework

APO01.08 Maintain compliance with policies and procedures. PO6.3 PO6.3 IT Policies Management

APO01.08 Maintain compliance with policies and procedures. PO6.4 PO6.4 Policy, Standards and Procedures Rollout

APO02 Manage Strategy

APO02.01 Understand enterprise direction. PO1.2 PO1.2 Business-IT Alignment

APO02.02 Assess the current environment, capabilities and performance PO1.3 PO1.3 Assessment of Current Capability and Performance

APO02.03 Define the target IT capabilities PO1.4 PO1.4 IT Strategic Plan

APO02.03 Define the target IT capabilities PO3.1 PO3.1 Technological Direction Planning

APO02.03 Define the target IT capabilities PO3.2 PO3.2 Technical Infrastructure Plan

APO02.04 Conduct a gap analysis PO1.4 PO1.4 IT Strategic Plan

APO02.04 Conduct a gap analysis PO3.2 PO3.2 Technical Infrastructure Plan

APO02.05 Define the strategic plan and road map. PO1.4 PO1.4 IT Strategic Plan

APO02.05 Define the strategic plan and road map. PO1.5 PO1.5 IT Tactical Plans

APO02.05 Define the strategic plan and road map. PO3.2 PO3.2 Technical Infrastructure Plan

APO02.06 Communicate the IT strategy and direction.

APO03 Manage Enterprise Architecture

APO03.01 Develop the enterprise architecture vision.

APO03.02 Define reference architecture PO2.1 PO2.1 Enterprise Information Architecture Model

APO03.02 Define reference architecture PO2.2 PO2.2 Enterprise Data Dictionary and Data Syntax Rules

APO03.02 Define reference architecture PO2.3 PO2.3 Data Classification Scheme

APO03.03 Select opportunities and solutions

APO03.04 Define architecture implementation.

Page 11: COBIT 4 to 5 Mapping

COBIT 5 to CobiT 4 mapping 11

APO03.05 Provide enterprise architecture services. PO3.4 PO3.4 Technology Standards

APO04 Manage Innovation

APO04.01 Create an environment conducive to innovation.

APO04.02 Maintain an understanding of the enterprise environment

APO04.03 Monitor and scan the technology environment PO3.1 PO3.1 Technological Direction Planning

APO04.03 Monitor and scan the technology environment PO3.2 PO3.2 Technical Infrastructure Plan

APO04.03 Monitor and scan the technology environment PO3.3 PO3.3 Monitor Future Trends and Regulations

APO04.04 Assess the potential of emerging technologies and innovation ideas. PO3.2 PO3.2 Technical Infrastructure Plan

APO04.05 Recommend appropriate further initiatives. PO3.2 PO3.2 Technical Infrastructure Plan

APO04.06 Monitor the implementation and use of innovation.

APO05 Manage Portfolio

APO05.01 Establish the target investment mix.

APO05.02 Determine the availability and sources of funds.

APO05.03 Evaluate and select programmes to fund.

APO05.04 Monitor, optimise and report on investment portfolio performance

APO05.05 Maintain portfolios. PO1.6 PO1.6 IT Portfolio Management

APO05.06 Manage benefits achievement. PO5.5 PO5.5 Benefit Management

APO06 Manage Budget and Costs

APO06.01 Manage finance and accounting PO5.1 PO5.1 Financial Management Framework

APO06.01 Manage finance and accounting DS6.2 DS6.2 IT Accounting

APO06.02 Prioritise resource allocation PO5.2 PO5.2 Prioritisation Within IT Budget

APO06.03 Create and maintain budgets. PO5.3 PO5.3 IT Budgeting

APO06.04 Model and allocate costs. PO5.4 PO5.4 Cost Management

APO06.04 Model and allocate costs. DS6.1 DS6.1 Definition of Services

APO06.04 Model and allocate costs. DS6.3 DS6.3 Cost Modelling and Charging

APO06.04 Model and allocate costs. DS6.4 DS6.4 Cost Model Maintenance

APO06.05 Model and allocate costs. PO5.4 PO5.4 Cost Management

APO07 Manage Human Resources

APO07.01 Maintain adequate and appropriate staffing. PO4.12 PO4.12 IT Staffing

APO07.01 Maintain adequate and appropriate staffing. PO7.1 PO7.1 Personnel Recruitment and Retention

APO07.01 Maintain adequate and appropriate staffing. PO7.3 PO7.3 Staffing of Roles

APO07.01 Maintain adequate and appropriate staffing. PO7.6 PO7.6 Personnel Clearance Procedures

APO07.01 Maintain adequate and appropriate staffing. PO7.8 PO7.8 Job Change and Termination

APO07.02 Identify key IT personnel. PO4.13 PO4.13 Key IT Personnel

APO07.02 Identify key IT personnel. PO7.5 PO7.5 Dependence Upon Individuals

APO07.03 Maintain the skills and competencies of personnel. PO7.2 PO7.2 Personnel Competencies

APO07.03 Maintain the skills and competencies of personnel. PO7.4 PO7.4 Personnel Training

APO07.03 Maintain the skills and competencies of personnel. DS7.1 DS7.1 Identification of Education and Training Needs

APO07.03 Maintain the skills and competencies of personnel. DS7.2 DS7.2 Delivery of Training and Education

APO07.03 Maintain the skills and competencies of personnel. DS7.3 DS7.3 Evaluation of Training Received

APO07.04 Evaluate employee job performance. PO7.7 PO7.7 Employee Job Performance Evaluation

APO07.05 Plan and track the usage of IT and business human resources. PO7.2 PO7.1 Personnel Recruitment and Retention

APO07.06 Manage contract staff PO4.14 PO4.14 Contracted Staff Policies and Procedures

Page 12: COBIT 4 to 5 Mapping

COBIT 5 to CobiT 4 mapping 12

APO07.06 Manage contract staff PO7.6 PO7.6 Personnel Clearance Procedures

APO08 Manage Relationships

APO08.01 Understand business expectations.

APO08.02 Identify opportunities, risk and constraints for IT to enhance the business.

APO08.03 Manage the business relationship.

APO08.04 Co-ordinate and communicate.

APO08.05 Provide input to the continual improvement of services.

APO09 Manage Service Agreements

APO09.01 Identify IT services. DS1.1 DS1.1 Service Level Management Framework

APO09.01 Identify IT services. DS1.2 DS1.2 Definition of Services

APO09.01 Identify IT services. DS1.2 DS1.2 Definition of Services

APO09.01 Identify IT services. DS1.2 DS1.2 Definition of Services

APO09.02 Catalogue IT-enabled services. DS1.1 DS1.1 Service Level Management Framework

APO09.03 Define and prepare service agreements. DS1.1 DS1.1 Service Level Management Framework

APO09.04 Monitor and report service levels. DS1.1 DS1.1 Service Level Management Framework

APO09.04 Monitor and report service levels. DS1.3 DS1.3 Service Level Agreements

APO09.04 Monitor and report service levels. DS1.4 DS1.4 Operating Level Agreements

APO09.05 Review service agreements and contracts. DS1.1 DS1.1 Service Level Management Framework

APO09.05 Review service agreements and contracts. DS1.5 DS1.5 Monitoring and Reporting of Service Level Achievements

APO09.06 DS1.1 DS1.1 Service Level Management Framework

APO09.06 DS1.6 DS1.6 Review of Service Level Agreements and Contracts

APO10 Manage Suppliers

APO10.01 Identify and evaluate supplier relationships and contracts. AI5.2 AI5.2 Supplier Contract Management

APO10.01 Identify and evaluate supplier relationships and contracts. DS2.1 DS2.1 Identification of All Supplier Relationships

APO10.02 Select suppliers. AI5.3 AI5.3 Supplier Selection

APO10.03 Manage supplier relationships and contracts. AI5.2 AI5.2 Supplier Contract Management

APO10.03 Manage supplier relationships and contracts. AI5.4 AI5.4 IT Resources Acquisition

APO10.03 Manage supplier relationships and contracts. DS2.2 DS2.2 Supplier Relationship Management

APO10.04 Manage supplier risk. DS2.3 DS2.3 Supplier Risk Management

APO10.05 Monitor supplier performance and compliance. DS2.4 DS2.4 Supplier Performance Monitoring

APO11 Manage Quality

APO11.01 Establish a quality management system (QMS). PO4.7 PO4.7 Responsibility for IT Quality Assurance

APO11.01 Establish a quality management system (QMS). PO8.1 PO8.1 Quality Management System

APO11.02 Define and manage quality standards, practices and procedures. PO8.2 PO8.2 IT Standards and Quality Practices

APO11.02 Define and manage quality standards, practices and procedures. PO8.3 PO8.3 Development and Acquisition Standards ;

APO11.03 Focus quality management on customers. PO8.4 PO8.4 Customer Focus

APO11.04 Perform quality monitoring, control and reviews. PO8.6 PO8.6 Quality Measurement, Monitoring and Review

APO11.05 Integrate quality management into solutions for development and service delivery. PO8.3 PO8.3 Development and Acquisition Standards ;

APO11.06 Maintain continuous improvement. PO8.5 PO8.5 Continuous Improvement

APO12 Manage Risk

APO12.01 Collect data. PO9.3 PO9.3 Event Identification

APO12.02 Analyse risk. PO9.4 PO9.4 Risk Assessment

Page 13: COBIT 4 to 5 Mapping

COBIT 5 to CobiT 4 mapping 13

APO12.03 Maintain a risk profile. PO9.2 PO9.2 Establishment of Risk Context

APO12.03 Maintain a risk profile. PO9.3 PO9.3 Event Identification

APO12.04 Articulate risk. PO9.4 PO9.4 Risk Assessment

APO12.04 Articulate risk. PO9.6 PO9.6 Maintenance and Monitoring of a Risk Action Plan

APO12.05 Define a risk management action portfolio. PO9.6 PO9.6 Maintenance and Monitoring of a Risk Action Plan

APO12.06 Respond to risk. PO9.5 PO9.5 Risk Response

APO13 Manage Security

APO13.01 Establish and maintain an ISMS DS5.1 DS5.1 Management of IT Security

APO13.02 Define and manage an information security risk treatment plan. DS5.2 DS5.2 IT Security Plan

APO13.03 Monitor and review the ISMS DS5.1 DS5.1 Management of IT Security

BAI01.01 Maintain a standard approach for programme and project management PO10.1 PO10.1 Programme Management Framework

BAI01.01 Maintain a standard approach for programme and project management PO10.2 PO10.2 Project Management Framework

BAI01.01 Maintain a standard approach for programme and project management PO10.3 PO10.3 Project Management Approach

BAI01.02 Initiate a programme.

BAI01.03 Manage stakeholder engagement. PO10.4 PO10.4 Stakeholder Commitment

BAI01.04 Develop and maintain the programme plan.

BAI01.05 Launch and execute the programme.

BAI01.06 Monitor, control and report on the programme outcomes. PO10.13PO10.13 Project Performance Measurement, Reporting and

Monitoring

BAI01.07 Start up and initiate projects within a programme. PO10.5 PO10.5 Project Scope Statement

BAI01.07 Start up and initiate projects within a programme. PO10.6 PO10.6 Project Phase Initiation

BAI01.08 Plan projects PO10.7 PO10.7 Integrated Project Plan

BAI01.08 Plan projects PO10.8 PO10.8 Project 5esources

BAI01.08 Plan projects PO10.12 PO10.12 Project Planning of Assurance Methods

BAI01.09 Manage programme and project quality PO10.10 PO10.10 Project Quality Plan

BAI01.10 Manage programme and project risk PO10.9 PO10.9 Project Risk Management

BAI01.11 Monitor and control projects PO10.11 PO10.11 Project Change control

BAI01.11 Monitor and control projects PO10.13PO10.13 Project Performance Measurement, Reporting and

Monitoring

BAI01.12 Manage project resources and work packages.

BAI01.13 Close a project or iteration PO10.14 PO10.14 Project Closure

BAI01.14 Close a programme.

BAI02.01 Define and maintain business functional and technical requirements. AI1.1AI1.1 Definition and Maintenance of Business Functional and

Technical Requirements

BAI02.02 Perform a feasibility study and formulate alternative solutions AI1.3AI1.3 Feasibility Study and Formulation of Alternative Courses of

Action

BAI02.03 Manage requirements risk. AI1.2 AI1.2 Risk Analysis Report

BAI02.04 Obtain approval of requirements and solutions. AI1.4 AI1.4 Requirements and Feasibility Decision and Approval

BAI03.01 Design high-level solutions AI2.1 AI2.1 High-level Design

BAI03.01 Design high-level solutions AI2.4 AI2.4 Application Security and Availability

BAI03.02 Design detailed solution components AC1 AC1 Source Data Preparation and Authorisation

BAI03.02 Design detailed solution components AI2.2 AI2.2 Detailed Design

BAI03.02 Design detailed solution components AI2.4 AI2.4 Application Security and Availability

BAI03.03 Develop solution components. AC1 AC1 Source Data Preparation and Authorisation

BAI03.03 Develop solution components. AI2.4 AI2.4 Application Security and Availability

BAI03.03 Develop solution components. AI2.5 AI2.5 Configuration and Implementation of Acquired Application Software

BAI03.03 Develop solution components. AI2.7 AI2.7 Development of Application Software

BAI03.03 Develop solution components. AI3.2 AI3.2 Infrastructure Resource Protection and Availability

BAI03.04 Procure solution components. AI2.7 AI2.7 Development of Application Software

BAI03.04 Procure solution components. AI3.1 AI3.1 Technological Infrastructure Acquisition Plan

BAI03.04 Procure solution components. AI5.1 AI5.1 Procurement Control

BAI03.05 Build solutions. AC1 AC1 Source Data Preparation and Authorisation

BAI03.05 Build solutions. AI2.3 AI2.3 Application Control and Auditability

BAI03.05 Build solutions. AI2.4 AI2.4 Application Security and Availability

BAI03.05 Build solutions. AI2.5 AI2.5 Configuration and Implementation of Acquired Application Software

BAI03.06 Perform quality assurance. AI2.8 AI2.8 Software Quality Assurance

BAI03.07 Prepare for solution testing. AC1 AC1 Source Data Preparation and Authorisation

BAI03.07 Prepare for solution testing. AI3.4 AI3.4 Feasibility Test Environment

BAI03.08 Execute solution testing. AI3.4 AI3.4 Feasibility Test Environment

BAI03.09 Manage changes to requirements. AI2.9 AI2.9 Applications Requirements Management

BAI03.10 Maintain solutions. AI2.6 AI2.6 Major Upgrades to Existing Systems

BAI03.10 Maintain solutions. AI2.10 AI2.10 Application Software Maintenance

BAI03.10 Maintain solutions. AI3.3 AI3.3 Infrastructure Maintenance

BAI03.11 Define IT services and maintain the service portfolio.

BAI04.01 Assess current availability, performance and capacity and create a baseline. DS3.2 DS3.2 Current Performance and Capacity

BAI04.01 Assess current availability, performance and capacity and create a baseline. DS3.3 DS3.3 Future Performance and Capacity

BAI04.02 Assess business impact DS3.2 DS3.2 Current Performance and Capacity

BAI04.03 Plan for new or changed service requirements. DS3.1 DS3.1 Performance and Capacity Planning

BAI04.04 Monitor and review availability and capacity. DS3.5 DS3.5 Monitoring and Reporting

BAI04.05 Investigate and address availability, performance and capacity issues. DS3.4 DS3.4 IT Resources Availability

BAI05 Manage Organisational Change Enablement

BAI05.01 Establish the desire to change

BAI05.02 Form an effective implementation team.

BAI05.03 Communicate desired vision.

BAI05.04 Empower role players and identify short-term wins.

BAI05.05 Enable operation and use. AI4.1 AI4.1 Planning for Operational Solutions

BAI05.05 Enable operation and use. AI7.1 AI7.1 Training

BAI05.06 Embed new approaches.

BAI05.07 Sustain changes.

BAI06 Manage Changes

BAI06.01 Evaluate, prioritise and authorise change requests. AI6.1 AI6.1 Change Standards and Procedures

BAI06.01 Evaluate, prioritise and authorise change requests. AI6.2 AI6.2 Impact Assessment, Prioritisation and Authorisation

BAI06.02 Manage emergency changes. AI6.1 AI6.1 Change Standards and Procedures

BAI06.02 Manage emergency changes. AI6.3 AI6.3 Emergency Changes

BAI06.03 Track and report change status. AI6.1 AI6.1 Change Standards and Procedures

BAI06.03 Track and report change status. AI6.4 AI6.4 Change Status Tracking and Reporting

BAI06.04 Close and document the changes. AI6.1 AI6.1 Change Standards and Procedures

BAI06.04 Close and document the changes. AI6.5 AI6.5 Change Closure and Documentation

BAI07 Manage Change Acceptance and Transitioning

BAI07.01 Establish an implementation plan. AI7.2 AI7.2 Test Plan

BAI07.01 Establish an implementation plan. AI7.3 AI7.3 Implementation Plan

BAI07.02 Plan business process, system and data conversion. AI7.5 AI7.5 System and Data Conversion

BAI07.03 Plan acceptance tests. AI7.2 AI7.2 Test Plan

BAI07.04 Establish a test environment. AI7.4 AI7.4 Test Environment

BAI07.05 Perform acceptance tests. AI7.6 AI7.6 Testing of Changes

BAI07.05 Perform acceptance tests. AI7.7 AI7.7 Final Acceptance Test

BAI07.06 Promote to production and manage releases. AI7.8 AI7.8 Promotion to Production

BAI07.07 Provide early production support.

BAI07.08 Perform a post-implementation review AI7.9 AI7.9 Post-implementation Review

BAI08 Manage Knowledge

BAI08.01 Nurture and facilitate a knowledge-sharing culture. AI4.2 AI4.2 Knowledge Transfer to Business Management

BAI08.01 Nurture and facilitate a knowledge-sharing culture. AI4.3 AI4.3 Knowledge Transfer to End Users

BAI08.01 Nurture and facilitate a knowledge-sharing culture. AI4.4 AI4.4 Knowledge Transfer to Operations and Support Staff

BAI08.02 Identify and classify sources of information. AI4.2 AI4.2 Knowledge Transfer to Business Management

BAI08.02 Identify and classify sources of information. AI4.3 AI4.3 Knowledge Transfer to End Users

BAI08.02 Identify and classify sources of information. AI4.4 AI4.4 Knowledge Transfer to Operations and Support Staff

BAI08.03 Organise and contextualise information into knowledge. AI4.2 AI4.2 Knowledge Transfer to Business Management

BAI08.03 Organise and contextualise information into knowledge. AI4.3 AI4.3 Knowledge Transfer to End Users

BAI08.03 Organise and contextualise information into knowledge. AI4.4 AI4.4 Knowledge Transfer to Operations and Support Staff

BAI08.04 Use and share knowledge AI4.2 AI4.2 Knowledge Transfer to Business Management

BAI08.04 Use and share knowledge AI4.3 AI4.3 Knowledge Transfer to End Users

BAI08.04 Use and share knowledge AI4.4 AI4.4 Knowledge Transfer to Operations and Support Staff

BAI08.05 Evaluate and retire information.

BAI09 Manage Assets

BAI09.01 Identify and record current assets.

BAI09.02 Manage critical assets DS13.5 DS13.5 Preventive Maintenance for Hardware

BAI09.03 Manage the asset life cycle

BAI09.04 Optimise asset costs.

BAI09.05 Optimise asset costs.

BAI10 Manage Configuration

BAI10.01 Establish and maintain a configuration model. DS9.1 DS9.1 Configuration Repository and Baseline

BAI10.02 Establish and maintain a configuration repository and baseline. DS9.1 DS9.1 Configuration Repository and Baseline

BAI10.03 Maintain and control configuration items. DS9.2 DS9.2 Identification and Maintenance of Configuration Items

BAI10.04 Produce status and configuration reports. DS9.1 DS9.1 Configuration Repository and Baseline

BAI10.04 Produce status and configuration reports DS9.3 DS9.3 Configuration Integrity Review

BAI10.05 Verify and review integrity of the configuration repository. DS9.3 DS9.3 Configuration Integrity Review

DSS01 Manage Operations

DSS01.01 Perform operational procedures. DS11.1 DS11.1 Business Requirements for Data Management

DSS01.01 Perform operational procedures. DS11.6 DS11.6 Security Requirements for Data Management

DSS01.01 Perform operational procedures. DS13.1 DS13.1 Operations Procedures and Instructions

DSS01.01 Perform operational procedures. DS13.2 DS13.2 Job Scheduling

DSS01.02 Manage outsourced IT services

DSS01.03 Monitor IT infrastructure DS13.3 DS13.3 IT Infrastructure Monitoring

DSS01.04 Manage the environment DS12.1 DS12.1 Site Selection and Layout

DSS01.04 Manage the environment DS12.4 DS12.4 Protection Against Environmental Factors

DSS01.05 Manage facilities. DS12.1 DS12.1 Site Selection and Layout

DSS01.05 Manage facilities. DS12.5 DS12.5 Physical Facilities Management

DSS02 Manage Service Requests and Incidents

DSS02.01 Define incident and service request classification schemes. DS5.6 DS5.6 Security Incident Definition

DSS02.01 Define incident and service request classification schemes. DS8.2 DS8.2 Registration of Customer Queries

DSS02.01 Define incident and service request classification schemes. DS9.1 DS9.1 Configuration Repository and Baseline

DSS02.02 Record, classify and prioritise requests and incidents. DS8.2 DS8.2 Registration of Customer Queries

DSS02.03 Verify, approve and fulfil service requests. AI3.2 AI3.2 Infrastructure Resource Protection and Availability

DSS02.03 Verify, approve and fulfil service requests. DS8.2 DS8.2 Registration of Customer Queries

DSS02.04 Investigate, diagnose and allocate incidents. DS8.3 DS8.3 Incident Escalation

DSS02.05 Resolve and recover from incidents. DS8.4 DS8.4 Incident Closure

DSS02.05 Resolve and recover from incidents. DS9.3 DS9.3 Configuration Integrity Review

DSS02.06 Close service requests and incidents. DS8.4 DS8.4 Incident Closure

DSS02.07 Track status and produce reports. DS8.5 DS8.5 Reporting and Trend Analysis

DSS03 Manage Problems

DSS03.01 Identify and classify problems. DS10.1 DS10.1 Identification and Classification of Problems

DSS03.02 Investigate and diagnose problems. DS10.2 DS10.2 Problem Tracking and Resolution

DSS03.03 Raise known errors. DS10.3 DS10.3 Problem Closure

DSS03.04 Resolve and close problems. DS10.3 DS10.3 Problem Closure

DSS03.05 Perform proactive problem management. DS10.4 DS10.4 Integration of Configuration, Incident and Problem Management

DSS04 Manage Continuity

DSS04.01 Define the business continuity policy, objectives and scope DS4.1 DS4.1 IT Continuity Framework

DSS04.02 Maintain a continuity strategy. DS4.1 DS4.1 IT Continuity Framework

DSS04.02 Maintain a continuity strategy. DS4.4 DS4.4 Maintenance of the IT Continuity Plan

DSS04.03 Develop and implement a business continuity response. DS4.2 DS4.2 IT Continuity Plans

DSS04.03 Develop and implement a business continuity response. DS4.7 DS4.7 Distribution of the IT Continuity Plan

DSS04.04 Exercise, test and review the BCP. DS4.3 DS4.3 Critical IT Resources

DSS04.04 Exercise, test and review the BCP. DS4.8 DS4.8 IT Services Recovery and Resumption

DSS04.05 Review, maintain and improve the continuity plan DS4.5 DS4.5 Testing of the IT Continuity Plan

DSS04.06 Conduct continuity plan training DS4.4 DS4.4 Maintenance of the IT Continuity Plan

DSS04.07 Manage backup arrangements DS4.6 DS4.6 IT Continuity Plan Training

DSS04.08 Conduct post-resumption review. DS4.9 DS4.9 Offsite Backup Storage

DSS04.08 Conduct post-resumption review. DS11.2 DS11.2 Storage and Retention Arrangements

DSS04.08 Conduct post-resumption review. DS11.3 DS11.3 Media Library Management System

DSS04.08 Conduct post-resumption review. DS11.5 DS11.5 Backup and Restoration

DSS04.09 DS4.10 DS4.10 Post-resumption Review

DSS05 Manage Security Services

DSS05.01 Protect against malware. DS5.9 DS5.9 Malicious Software Prevention, Detection and Correction

DSS05.02 Manage network and connectivity security. DS5.10 DS5.10 Network Security

DSS05.02 Manage network and connectivity security. DS5.11 DS5.11 Exchange of Sensitive Data

DSS05.03 Manage endpoint security. DS5.8 DS5.8 Cryptographic Key Management

DSS05.04 Manage user identity and logical access. DS5.3 DS5.3 Identity Management

DSS05.04 Manage user identity and logical access. DS5.4 DS5.4 User Account Management

DSS05.05 Manage physical access to IT assets. DS5.7 DS5.7 Protection of Security Technology

DSS05.05 Manage physical access to IT assets. DS12.1 DS12.1 Site Selection and Layout

DSS05.05 Manage physical access to IT assets. DS12.2 DS12.2 Physical Security Measures

DSS05.05 Manage physical access to IT assets. DS12.3 DS12.3 Physical Access

DSS05.06 Manage sensitive documents and output devices. DS13.4 DS13.4 Sensitive Documents and Output Devices

DSS05.07 Monitor the infrastructure for security-related events. DS5.5 DS5.5 Security Testing, Surveillance and Monitoring

DSS05.08 DS11.4 DS11.4 Disposal

DSS05.08 DS11.6 DS11.6 Security Requirements for Data Management

DSS06 Manage Business Process Controls

DSS06.01 Align control activities embedded in business processes with enterprise objectives

DSS06.02 Control the processing of information. AC1 AC1 Source Data Preparation and Authorisation

DSS06.02 Control the processing of information. AC2 AC2 Source Data Collection and Entry

DSS06.02 Control the processing of information. AC3 AC3 Accuracy, Completeness and Authenticity Checks

DSS06.02 Control the processing of information. AC4 AC4 Processing Integrity and validity

DSS06.02 Control the processing of information. AC5 AC5 Output Review, Reconciliation and Error Handling

DSS06.02 Control the processing of information. AC6 AC6 Transaction Authentication and Integrity

DSS06.03 Manage roles, responsibilities, access privileges and levels of authority AC1 AC1 Source Data Preparation and Authorisation

DSS06.04 Manage errors and exceptions. DS11.2 DS11.2 Storage and Retention Arrangements

DSS06.05 Ensure traceability of information events DS11.6 DS11.6 Security Requirements for Data Management

DSS06.06 Secure information assets.

DSS08.02 PO4.11 PO4.11 Segregation of Duties

EDM01 Ensure Governance Framework Setting and Maintenance

EDM01.01 Evaluate the governance system. ME4.1 ME4.1 Establishment of an IT Governance Framework

EDM01.01 Evaluate the governance system PO3.3 PO3.3 Monitor Future Trends and Regulations

EDM01.02 Evaluate the governance system. ME4.1 ME4.1 Establishment of an IT Governance Framework

EDM01.03 Evaluate the governance system. ME4.1 ME4.1 Establishment of an IT Governance Framework

EDM01.03 Monitor the governance system ME4.6 ME4.6 Performance Measurement

EDM02 Ensure Benefits Delivery

EDM02.01 Evaluate value optimisation PO1.1 PO1.1 IT Value Management

EDM02.02 Direct value optimisation PO1.1 PO1.1 IT Value Management

EDM02.03 Monitor value optimisation PO1.1 PO1.1 IT Value Management

EDM02.01 Evaluate value optimisation ME4.3 ME4.3 Value Delivery

EDM02.02 Direct value optimisation ME4.3 ME4.3 Value Delivery

EDM02.03 Monitor value optimisation ME4.3 ME4.3 Value Delivery

EDM02.03 Monitor value optimisation ME4.6 ME4.6 Performance Measurement

EDM03 Ensure Risk Optimisation

EDM03.01 Evaluate risk management ME4.5 ME4.5 Risk Management

EDM03.02 Direct risk management ME4.5 ME4.5 Risk Management

EDM03.03 Monitor risk management ME4.5 ME4.5 Risk Management

EDM03.02 Direct risk management PO9.1 PO9.1 IT Risk Management Framework

EDM03.02 Direct risk management PO6.2 PO6.2 Enterprise IT Risk and Control Framework

EDM03.03 Monitor risk management ME4.6 ME4.6 Performance Measurement

EDM04 Ensure Resource Optimisation

EDM04.01 Evaluate resource management ME4.4 ME4.4 Resource Management

EDM04.02 Direct resource management ME4.4 ME4.4 Resource Management

EDM04.03 Monitor resource management ME4.4 ME4.4 Resource Management

EDM04.03 Monitor resource management ME4.6 ME4.6 Performance Measurement

EDM05 Ensure Stakeholder Transparency

EDM05.01 Evaluate stakeholder reporting requirements.

EDM05.02 Direct stakeholder communication and reporting.

EDM05.03 Monitor stakeholder communication.

MEA01 Monitor, Evaluate and Assess Performance and Conformance

MEA01.01 Establish a monitoring approach. ME1.1 ME1.1 Monitoring Approach

MEA01.02 Set performance and conformance targets ME1.2 ME1.2 Definition and Collection of Monitoring Data

MEA01.03 Collect and process performance and conformance data. ME1.2 ME1.2 Definition and Collection of Monitoring Data

MEA01.03 Collect and process performance and conformance data. ME1.3 ME1.3 Monitoring Method

MEA01.04 Analyse and report performance ME1.4 ME1.4 Performance Assessment

MEA01.04 Analyse and report performance ME1.5 ME1.5 Board and Executive Reporting

MEA01.05 Ensure the implementation of corrective actions. ME1.6 ME1.6 Remedial Actions

MEA02 Monitor, Evaluate and Assess the System of Internal Control

MEA02.01 Monitor internal controls ME2.1 ME2.1 Monitoring of Internal Control Framework

MEA02.01 Monitor internal controls ME2.2 ME2.2 Supervisory Review

MEA02.01 Monitor internal controls ME2.6 ME2.6 Internal Control at Third Parties

MEA02.02 Review business process controls effectiveness ME2.1 ME2.1 Monitoring of Internal Control Framework

MEA02.03 Perform control self-assessments. ME2.4 ME2.4 Control Self-assessment

MEA02.04 Identify and report control deficiencies. ME2.3 ME2.3 Control Exceptions

MEA02.04 Identify and report control deficiencies. ME2.7 ME2.7 Remedial Actions

MEA02.05 Ensure that assurance providers are independent and qualified. ME4.7 ME4.7 Independent Assurance

MEA02.06 Plan assurance initiatives. ME2.5 ME2.5 Assurance of Internal Control

MEA02.06 Plan assurance initiatives. ME4.7 ME4.7 Independent Assurance

MEA02.07 Scope assurance initiatives. ME2.5 ME2.5 Assurance of Internal Control

MEA02.07 Scope assurance initiatives. ME4.7 ME4.7 Independent Assurance

MEA02.08 Execute assurance initiatives. ME2.5 ME2.5 Assurance of Internal Control

MEA02.08 Execute assurance initiatives. ME4.7 ME4.7 Independent Assurance

MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

MEA03.01 Identify external compliance requirements. ME3.1 ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements

MEA03.02 Optimise response to external requirements. ME3.2 ME3.2 Optimisation of Response to External Requirements

MEA03.03 Confirm external compliance ME3.3 ME3.3 Evaluation of Compliance With External Requirements

MEA03.04 Obtain assurance of external compliance. ME3.4 ME3.4 Positive Assurance of Compliance

MEA03.04 Obtain assurance of external compliance. ME3.5 ME3.5 Integrated Reporting

PO4.8 PO4.8 Responsibility for Risk, Security and Compliance

DS8.1 DS8.1 Service Desk

ME4.2 ME4.2 Strategic Alignment

Terms used in process maturity/capability

COBIT 4.1 MM level | Capability level based on ISO/IEC 15504 | Meaning of the capability level based on ISO/IEC 15504

5 -- Optimizing | 5 -- Optimized | Continuous improvement until the goals relevant to the current situation are achieved, guided by the enterprise goals.

4 -- Managed and measurable | 4 -- Predictable | Operates within defined limits to achieve the desired process outcome.

3 -- Defined | 3 -- Established | Implemented using a defined process that is capable of achieving the desired process outcome.

N/A | 2 -- Managed | Implemented as a managed process (planned, monitored and adjusted) that is properly set up to control and maintain its work products.

N/A | 1 -- Performed | Achievement of the process purpose.

2 -- Repeatable |  |

1 -- Ad hoc |  |

0 -- Non-existent | 0 -- Incomplete | Not implemented, or there is little or no evidence of systematic achievement of the process purpose.

Context | Enterprise perspective / corporate knowledge | Individual perspective / individual knowledge
