Volume 3, July 2013

In This Issue:

Call for Articles

How are you using COBIT® at your enterprise?

We welcome articles on your

experiences with this framework. Deadline to submit copy for

volume 4, 2013: 4 September 2013

Submit articles for

peer review to: publication@isaca.org

Case Studies

Visit the COBIT Recognition and

Case Studies pages to read more COBIT 5 and COBIT 4.1

case studies.

• Why, When and How to Migrate to COBIT 5 • COBIT 5 for Assurance Available Now • Risk Assessment Management Using COBIT 5 • Top 5 Reasons COBIT 5 Training Is Critical • Evidence Management for the COBIT 5 Assessment Programme

Why, When and How to Migrate to COBIT 5 By Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA, ISO 9001 LA With the release of COBIT® 5, a new evolution in the thinking process of managing and governing IT has taken shape. The question to answer is whether organizations that have invested in the implementation of the earlier versions of COBIT have to migrate to COBIT 5. If yes, the question becomes: why, when and how does an organization migrate to the new framework?

Migrating to COBIT 5 is not the same as migration of software or hardware or a platform. Instead, this should be considered as a transition of the way work is done to meet the requirements of stakeholders. That said, was this not being done in the earlier versions of COBIT? That is, how different is COBIT 5 from COBIT® 4.1 and what are the benefits an organization can realize from this new release?

Why Migrate to COBIT 5? COBIT 4.1, while a popular framework, is considered by many to be an IT framework, not an enterprise framework. COBIT 4.1 addresses the IT requirement more as an operation model and a good practice guideline related to IT processes. After going through COBIT 5, one may get a feeling that COBIT 4.1 was lacking the governance view toward the organization and was more process-oriented. However, COBIT 4.1 does bring in the view of business-IT alignment by way of mapping enterprise goals with IT goals and finally with the IT process goals.

COBIT 5 has further built on the process model and has clearly demarcated the governance and management processes separately. A new governance domain is introduced as a part of the COBIT 5 process reference model; this is a major improvement that provides clarity on the management and governance functions within an organization.

A major improvement in COBIT 5 is the introduction of the five key principles and

Come join the discussion! Sudarsan Jayaraman will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 22 July 2013.

Volume 3, July 2013 Page 2

Research Update

Recently Released COBIT 5 Materials

• COBIT® 5 for Assurance • COBIT 5 Implementation

Training and Certificate

Upcoming Third Quarter 2013 COBIT 5 Releases

• COBIT® 5: Enabling Information

• COBIT® 5 for Risk • COBIT/COSO white paper • COBIT 5 Assessor Training

and Certificate • COBIT Certified Assessor

Additional COBIT 5 Initiatives in Development

• COBIT® 5 Online: - Access to publications in

the COBIT 5 product family (tentative release fourth quarter 2013)

- Access to other non-COBIT ISACA content and current, relevant GEIT material (tentative release first quarter 2014)

- Ability to customize COBIT with multiple-user access (tentative release third quarter 2014)

For more information on COBIT publications and training, visit the COBIT 5 page of the ISACA

web site.

COBIT 5 translations are available on the COBIT Product

Family page.

seven enablers, which form the pillar of the framework. With these additions, COBIT 5 has aligned itself closely with the ISO 38500 framework.

COBIT 5 has retained the goal cascading model of COBIT 4.1; however, it has gone further by including the stakeholder needs as the starting point of the mapping, which then cascades to enterprise goals, IT goals and finally to enabler goals.

The other key difference to point out is that a new process assessment model (PAM) has been introduced. The COBIT PAM is aligned with the ISO 15504 standards requirement. This means more stringent and accurate assessment of the relevant processes.

In brief, the key benefits of COBIT 5 for enterprises can be summarized as follows: • Aligning business and IT more closely by taking into account the stakeholder

needs as the starting point. This provides more business focus with due consideration of internal and external stakeholders’ needs.

• Introducing the seven enablers as a more efficient and effective way of using resources to meet business requirements

• Showing the entire organization as responsible for governance of IT through the holistic inclusion of enhanced role descriptions in the RACI chart

• Helping the organization to understand business perspective more clearly by mapping the goals and objectives to a business scorecard model

Thus, for organizations that have implemented COBIT 4.1, migrating to the new framework is a natural process of progression under which the organization will extend its coverage of IT governance to an enterprisewide governance initiative.

When to Migrate to COBIT 5? At this current age of economic stagnation, is it wise to reinvest and migrate to the COBIT 5 framework? When is the right time to consider migration to COBIT 5?

There is no single answer to this question. However, if the organization is still in the process of completing the COBIT 4.1 process implementation, it is advisable to continue the implementation before considering a migration to the new framework since any COBIT 4.1 implementation would have been typically initiated to respond to business requirements for improvements or to address specific pain points encountered by the organization. Since the respective controls to treat such issues would have been identified from the earlier version of COBIT, it is better to continue implementation and monitor whether the key goals are being accomplished, before migrating to COBIT 5.

If the organization has implemented most of the COBIT 4.1 controls and has reached what it believes to be a reasonable degree of maturity, it is time to consider migration to COBIT 5, as COBIT 5 brings in the key differentiating aspect of segregating governance from management, which is important to consider and is a new addition with COBIT 5. Also, when using COBIT 5, the IT governance setup, which had been typically more inward-focused, will transition into the model of governance of enterprise IT (GEIT), in which involvement of enterprise stakeholders plays an imperative role.

The following is a list of triggers that would suggest it is time to migrate to COBIT 5: • Repeated failure of critical IT process results in issues related to the delivery of

committed services by the business. • Risk to the business has not been reduced considerably and IT risk does not align

to enterprise risk. • Controls implemented are more IT-oriented and do not span the enterprise.

Volume 3, July 2013 Page 3

There are other pain triggers that may lead to migration to COBIT 5. Figure 1 provides an overview of pain points and typical COBIT 5 processes that can be used to mitigate the issue.

How to Initiate Migration? Before initiating a migration to the new framework, it is recommended to clearly set the objective of migration. That is, what are the business benefits the organization will achieve by adopting the new framework? If a tangible and measurable goal is set as the baseline, achievement can be measured and success of adoption can be demonstrated.

The key to a successful migration is to commence the activity by addressing the key pain areas within the organization. Once the pain areas are identified, the following steps can be followed: • Initiate an assessment to identify the status and maturity of the processes that are currently implemented, if any. • Prepare a migration strategy by identifying the processes and the required enablers from COBIT 5 to be implemented. • Identify the affected departments, section and services that will be impacted by this migration. • Ensure that a project management plan with time lines is created and a budget is allocated for this effort. • Remember to run the migration activity through the change management process. • Address the organization change impact that will be created by this migration and have a transitional plan to roll out the

migration. • Market and communicate the positive impact that will be achieved by this migration to get buy-in from top management.

Once the above initial steps are performed, the organization is ready to commence the journey. It is recommended to break the entire migration into smaller scope areas that are manageable, because quick wins will motivate the migration team and the organization to continue the journey.

Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA, ISO 9001 LA Is a director of technology risk services at Protiviti Member Firm (Middle East). He has more than 20 years of experience in IT advisory and consultancy services, focusing predominately in IT governance, IT service management and information security management. Jayaraman has successfully managed and facilitated ISO 27001 and ISO 20000 certification at a number of large and prestigious companies in the Middle East.

Figure 1—Pain Points and COBIT 5 Mitigations

Target Processes Pain Areas

Support From Suppliers

Lack of Automation Tools

Accountability Among IT Staff

Target Processes Pain Areas

APO10 Manage Suppliers

BAI02 and BAI03 Requirements Definition

and Solutions Identification

APO09Manage Service

Agreements (OLAs)

End-user Responsibilities

APO09Manage Service

Agreements

Communication Within IT Division

Failed Projects

Ad hoc Initiatives/ Planning

APO09Manage Service

Agreements

BAI01 Manage Programs and

Projects

APO01 and APO02 IT Mgmt. Framework

and Strategy

Management ReportingMEA01 and MEA02Performance and Internal Control

Volume 3, July 2013 Page 4

COBIT 5 for Assurance Available Now By Anthony Noble, CISA COBIT® 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT). Simply stated, it helps enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

COBIT® 5 for Assurance builds on the COBIT 5 framework. Focused on assurance, it provides more detailed and practical guidance for assurance professionals and other interested parties at all levels of the enterprise on how to use COBIT 5 to support a variety of IT assurance activities. If an enterprise is already using COBIT 5 as its framework for the governance and management of enterprise IT, COBIT 5 for Assurance enables the enterprise to leverage COBIT 5 when planning and performing assurance reviews, so that the business, IT and assurance professionals are aligned around a common framework and common objectives. However, the enterprise does not have to be currently using COBIT 5 to use COBIT 5 for Assurance.

The main drivers for assurance include: • Providing interested parties substantiated opinions on GEIT according to agreed-upon assurance objectives • Defining assurance objectives in line with enterprise objectives, thus maximizing the value of assurance initiatives • Satisfying regulatory or contractual requirements for enterprises to provide assurance over their IT arrangements

Assurance means that, pursuant to an accountability relationship among two or more parties, an IT audit or assurance professional may be engaged to issue written communication expressing a conclusion about the subject matter to the accountable party or another interested party. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter. For example, assurance engagements could include support for audited financial statements; assessment of value provided by IT to the enterprise; reviews of controls; compliance with required standards and practices; and compliance with agreements, licenses, legislation and regulations.

An assurance initiative consists of five components, as illustrated in figure 1.

Figure 1—Assurance Components

Source: ISACA, COBIT 5 for Assurance, USA, 2013, p. 15

Volume 3, July 2013 Page 5

Subject matter is the specific information, practices or controls (e.g., any of the seven COBIT 5 enablers) that are the subject of an audit or assurance professional’s review, examination and report. This subject matter can include the design or operation of internal controls and management practices over any aspect of the enterprise, or compliance with privacy practices, standards, or specified laws and regulations.

Criteria are the standards and benchmarks (e.g., COBIT 5) used to measure and present the subject matter and against which the practitioner evaluates the subject matter. Criteria can be formal or less formal. There can be different criteria for the same subject matter. Suitable criteria are required for reasonably consistent evaluation or measurement of a subject matter within the context of professional judgment. Suitable criteria must have the necessary goal attributes as defined in the COBIT 5 Information model—objectivity, measurability, understandability, completeness and relevance.

When undertaking an assurance activity, the assurance professional executes the assignment by following a structured approach, dependent on other enablers, to reach a conclusion on the evaluation of the subject matter.

The process of evaluating the results of audit or assurance testing, after confirmation, to arrive at conclusions and recommendations can be complex. What appears to be a problem may, in fact, be the effect of a problem, not the cause. Therefore, it is important for the assurance professional to follow the conclusion process—from confirming facts with key individuals in the areas being audited to determining root causes. The individual findings can then be used to provide examples that support higher-level analysis: • Developing various scenarios leading to potential recommendations • Selecting an appropriate recommendation that is practical and achievable • Identifying steps necessary to ensure the buy-in of key stakeholders

Indeed, audit and assurance professionals should obtain an adequate understanding of the subject matter and its business environment. They should see the bigger picture, link the impact of the issues/findings to the overall organizational strategic goals and objectives to tell the story behind the story, and communicate valuable insights. Executives are not very interested in knowing the observations; they need to understand the insights behind the findings.

The basics of a generic assurance process include the four components described here. That is, it defines a scope relating to the subject matter, it sets suitable criteria based on a sound reference model, it executes the assignment and then it issues a conclusion to the user.

To address the assurance drivers, COBIT 5 for Assurance: • Provides guidance on how to use the COBIT 5 framework to establish and sustain assurance provisioning and an

assurance function for the enterprise • Provides a structured approach on how to provide assurance over enablers (all of COBIT 5’s defined enablers, e.g.,

processes, information, organizational structures) • Illustrates the structured approach with a number of concrete examples of audit/assurance programs

A major benefit of COBIT 5 for Assurance is that users can rely on the consistency, structure, context and vocabulary of the COBIT 5 framework and its related products. The COBIT 5 framework addresses GEIT, helping to align business and IT management and providing a basis for improving IT performance. If assurance professionals base their reviews on the same framework as that used by business and IT managers who are improving value of IT for the enterprise, everyone involved will be using a common language, and it will be easier to agree on and implement control improvements as necessary.

This guide can be used by assurance professionals for many different purposes, including: • Obtaining a view (based on COBIT 5 concepts such as the enablers) on current good practices of assurance • Learning how to use different COBIT 5 components and related concepts for planning, scoping, executing and reporting

on various types of IT assurance initiatives • Obtaining a view of the extent to which the value objective of the enterprise—delivering benefits while optimizing risk and

resource use—is achieved

The target audience for COBIT 5 for Assurance is broad and includes: • Assurance professionals at various governance and management levels • Boards and audit committees, as stakeholders who commission assurance activities • Business and IT management, as responsible parties • External stakeholders, including external auditors, regulators and customers

Volume 3, July 2013 Page 6

Although this guide is aimed primarily at assurance professionals, it may also be of interest to IT professionals and advisors. COBIT 5 for Assurance may be most useful to experienced professionals, as it is not intended to provide a tutorial on IT assurance.

Anthony Noble, CISA Is the New York-based vice president of IT audit for Viacom Inc. He has 30-plus years of IT experience and 20 years of experience as an IT auditor. He is a member of ISACA’s Knowledge Board and was the chair of the COBIT 5 for Assurance Guide Task Force.

Risk Assessment Management Using COBIT 5 By Vince Londini, CSPO As a regional US grocery chain based in a major metropolitan area, FamilyGrocer (name changed) had experienced rapid growth through new store openings and acquisitions. With a focus on supply-chain efficiencies, FamilyGrocer distributes most products to its stores through a warehouse facility that also houses key offices and IT resources. In light of the risk associated with such a consolidated operation, the IT organization received a mandate from its board of directors to formally manage IT-related risk. The mandate specifically called for an initial high-level assessment of IT organizational risk, drawing largely from internal expertise. The board also requested that the IT organization demonstrate an ongoing program to manage risk.

The IT organization enjoyed a membership with Info-Tech Research group to access its best-practices research and vendor-selection guidance. Engaging with Info-Tech to conduct a COBIT-based operations workshop on risk management was a natural next step.

Info-Tech based the workshop on COBIT® 5 because of COBIT 5’s clear and concise framework for capturing key IT processes (along with process interplay and documentation requirements). COBIT is a trusted framework used by IT auditors and other IT professionals, particularly in the strategy, security and risk areas of practice.

Throughout the week-long workshop, key members of the IT management team, as well as the chief information officer (CIO), worked with the facilitator to document their insights and understanding, using COBIT to draw out their knowledge of IT risk and arrange it in a manner suitable for analysis.

The risk assessment began by examining COBIT 5’s EDM03 and APO12 management practices, from the Evaluate, Direct and Monitor (EDM) and Align, Plan and Organize (APO) COBIT domains, respectively, and conducting a simple self-assessment to ascertain process capability. The IT organization identified that it had no functioning IT risk management processes in place and, thus, assigned level zero to its process capability. The team set a goal to achieve level two (managed process) capability with performance and work-product management attributes achieved. The IT organization leveraged the Info-Tech facilitator and methodology to conduct high-level team brainstorming with key team members, aimed at identifying IT risk factors relevant to the client organization.

The team then dug in to brainstorm and document risk events, identifying actors and threat type. A prioritization rubric was developed and applied to sort the risk events. The team documented (where programs were in progress) or identified (net-new programs) the resources/time needed to mitigate the priority risk factors.

Finally, the team made critical decisions to determine the shape of the IT organization’s ongoing risk management. These included definitions of roles and responsibilities, management activities, information-gathering activities, and communication plans.

As the decisions were achieved, each was codified in the relevant program manuals, standard operating procedures, assessment tools, project requests, and templates for policies and communication.

Come join the discussion! Vince Londini will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 22 July 2013.

Volume 3, July 2013 Page 7

The key outputs from this workshop included: 1. A catalog of IT risk events—As described previously, this catalog not only documented risk events but also the high-

level mitigation strategies, initiating IT project requests as needed for items not already on their project calendar. 2. An IT risk management program guide—This document captured critical decisions, including the team’s rubrics for

assessing risk event severity and risk event likelihood. The document described the ongoing IT risk management steering committee process to which the team committed during the workshop.

3. A presentation to the firm’s board on the IT risk management assessment and program—This presentation described the progress made during the workshop, highlighted key risk factors and remediation, requested additional budget, and summarized the ongoing risk management program to the board.

FamilyGrocer emerged from the workshop with all of the process documentation required to begin executing the process the following Monday, along with the relevant to-do items needed to mitigate the identified technology, people and process gaps. The following week, the CIO presented the workshop summary to the board, which noted the thoroughness of the initial IT risk assessment and the ongoing risk management program that was designed during the workshop. Two months later, progress toward risk remediation remains strong, and IT leaders remain committed to the ongoing risk management program.

Vince Londini, CSPO Serves as practice leader with Info-Tech Research Group. His recent work includes applying Info-Tech’s COBIT-based workshop methodologies to help clients in the US and Canada improve their IT risk management, project portfolio management, change management and service desk processes.

Top 5 Reasons COBIT 5 Training Is Critical By Mark Thomas When organizations are looking to adopt COBIT® 5, many questions arise. Does the enterprise fully understand what governance and management of enterprise IT (GEIT) means? Do the enterprise’s IT governance professionals know how to effectively assess the current state of enterprise IT with the objective of scoping what aspects of COBIT 5 to implement? Is the enterprise able to complete an assessment to determine the capability of a defined process?

COBIT 5 training is an important component in ensuring IT governance professionals have the answers to these questions and are becoming skilled, competent and proficient COBIT professionals. While many concepts may be familiar to those who are in the IT space, this evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models. The need for a proper training program for IT and business professionals on what COBIT is and how it can be used and implemented is critical.

COBIT training is intended for business management, chief executives, IT/IS auditors, internal auditors, information security and IT practitioners, consultants, and members of IT/IS management who are looking to gain insight into GEIT.

Key Benefits to COBIT 5 Training Investing in COBIT 5 training is beneficial for the individual as well as for the enterprise. The key benefits include: 1. Increased efficiencies and productivity—COBIT 5 training courses provide the tools and knowledge that are essential

for the successful use of COBIT. By applying what they learn during the course, professionals will better understand what GEIT means and how it may be applied to their enterprise. In addition, each individual will have a more practical appreciation of how to apply COBIT 5 to specific business problems, pain points, trigger events and risk scenarios. As a result, the individual’s roles and responsibilities within the organization as they relate to COBIT will be clearly defined, resulting in increased productivity and efficiencies in the enterprise.

2. Building trust in and value from information systems—COBIT 5 training courses provide individuals with the key concepts and principles so that they can begin to uncover how they will need to assess the current state of their enterprise IT, with the objective of scoping what aspects of COBIT 5 would be appropriate to implement. Trust originates from the fact that the individual will have carved a reputation for having the tools and skills necessary to implement and assess COBIT effectively in their enterprise.

3. Setting oneself apart from the others—In a governance role, the professional’s knowledge of COBIT will set him/her apart from the rest and speaks to his/her level of commitment to the profession. The courses equip the participants with

Volume 3, July 2013 Page 8

unmatched knowledge in the form of concepts, principles and processes. This knowledge is crucial in implementing and assessing COBIT. In addition, commitment to COBIT training allows the professional to be on the cutting edge of knowledge and practice.

4. Increased confidence and capability—Individuals can sharpen their capabilities and enhance confidence by understanding the levels of IT-related risk and making informed decisions to reduce information security incidents. Delivering this understanding and risk awareness to improve prevention, detection and recovery within an enterprise is vital. The trained COBIT professional is able to provide tools for organizations to maintain high-quality information to support business decisions as well as to help the enterprise meet regulatory, statutory or governmental requirements.

5. Credibility—Training organizations and individuals who offer COBIT 5 training and exams must first go through a meticulous accreditation process. Individuals who attend training with an accredited training provider can be certain they are receiving the highest quality training. Exams are rigorous, challenging and consistent, and, as a result, individuals can be proud of their achievement. In addition, employers will have the confidence of knowing their employees’ COBIT credentials come from a reputable and reliable source.

COBIT 5 Training Paths There are two training paths: • The implementation path is for those interested in learning how to apply the COBIT 5 framework and COBIT 5:

Enabling Processes and how to analyze the results. Upon completion of the training and exam, attendees are able to apply COBIT 5’s good-practice, continual-improvement, life-cycle approach to GEIT, tailored to suit the needs of a specific enterprise, and implement, or advise an enterprise on implementing, a framework for the governance and management of enterprise IT using COBIT 5.

• The assessor path is for individuals interested in performing COBIT 5-based assessments using the ISO/IEC 15504 approach. This training provides the main guidance on performing a process capability assessment; the roles, responsibilities and competencies required; and the key steps, from assessment initiation to assessment results reporting. The assessor course and exam is practitioner-level training that focuses on how to apply the COBIT® 5 Process Assessment Model (PAM) and how to analyze the results. Upon successful completion of the assessor course and exam and upon meeting specific knowledge requirements, candidates are able to apply to ISACA to be designated as a COBIT Certified Assessor. This designation is the only globally accepted certification for COBIT assessors.

Both training paths require first passing the COBIT Foundation exam.

COBIT 5 Examinations The COBIT Foundation exam focuses on robust testing of the knowledge and comprehension of the foundation concepts and principles of COBIT. The following describes the COBIT Foundation exam format: • Multiple-choice questions • 50 questions per exam • 50 percent (25/50) pass mark • 40-minute duration • Closed book

The COBIT Implementation and COBIT Assessor exams are practitioner-level and follow an objective testing environment (OTE) format.

The COBIT Implementation exam format is as follows: • Four OTE questions (20 marks per question) • 150 minutes • Open book (only COBIT® 5 Implementation is permitted) • 50 percent (40/80) pass mark

The COBIT Assessor exam format is as follows: • Eight OTE questions (10 marks per question) • 150 minutes • Open book (only COBIT® 5 Assessor Guide: Using COBIT 5 and COBIT® Process Assessment Model (PAM): Using

COBIT® 5 are permitted) • 50 percent (40/80) pass mark

Volume 3, July 2013 Page 9

Learn more about taking the COBIT 5 exam, the COBIT 5 training qualification scheme and COBIT 5 training providers on the ISACA web site.

Mark Thomas Is president of Escoute Consulting in Olathe, Kansas, USA, and a trainer for ISACA. Thomas is a nationally known ITIL and COBIT expert with more than 20 years of professional experience. His background spans leadership roles from chief information officer to management and IT consulting. A consultative trainer and speaker in several disciplines, Thomas provides training services for major training firms and consulting clients in disciplines including business analysis, ITIL, COBIT, MOF, ISO 20000, TOGAF and IT strategy.

Evidence Management for the COBIT 5 Assessment Programme By Jorge E. Barrera N., CISA, CGEIT, CRISC, COBIT (F), ITIL V3F, PMP This article presents a proposal based on the COBIT 5 Assessment Programme1, 2, 3, 4 for a quick and consistent start to the implementation of COBIT® 5 in any IT environment, whether currently based on COBIT® 4.1 or not.

From a conceptual point of view, COBIT 5 is fascinating for its incorporated principles and its generic model of enablers.5 Besides that, its assessment program helps IT leaders provide a business view of IT’s ability to create value and support enterprise goals through effective IT processes. The results of this program provide a determination of process capability and can be used for: • Delivering value to the business. This is viewed as an incremental achievement of strategic goals and a clear

realization of business benefits through effective and innovative use of IT. • Developing IT process improvement. Periodic measurement of IT processes supports the definition of effective

governance of enterprise IT (GEIT) road maps to drive continuous improvement. • Measuring the achievement of business goals. Each business goal can be evaluated every time the related GEIT

processes are evaluated. To do so, one can use COBIT 5’s matrix with relationships between business goals and GEIT processes.

• Generating consistent reports. Reports on the state of the organization’s GEIT are derived from the assessment process, which is supported by the COBIT® Assessment Programme methodology and tools, using the COBIT® Process Assessment Model (PAM): Using COBIT® 5 (COBIT 5 PAM) and COBIT 5: Assessor Guide, makes the results consistent and reliable.

• Ensuring organizational compliance. All kinds of laws and regulations, which can affect the organization’s GEIT, fall under the definition of inputs of the COBIT 5 framework and PAM for facilitating their compliance.

• Benchmarking. Periodic measurement of GEIT process capabilities allows for constructive and ongoing comparison between businesses employing the same or equivalent industry best practices.

In addition to these benefits generated by the implementation of the COBIT 5 Assessment Programme, this article adds the following short-term benefits: • Substantial improvement of GEIT understanding in practice • Consolidated understanding of the need to use COBIT 5 as a GEIT umbrella • Integrated and effective use of GEIT frames and standards through the alignment provided by COBIT 5 as the umbrella

framework • Appropriate support to the natural complexity of managing all work products related to the COBIT 5 framework and PAM • Standardized treatment of all former GEIT achievements by transitioning them to a COBIT 5 environment in practice, as a

result of the first assessment

The magnitude of these benefits greatly depends on the mode with which evaluations are made. A measurement can be

Come join the discussion! Jorge E. Barrera N. will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 22 July 2013.

Volume 3, July 2013 Page 10

based on personal judgments, judgments based on formal guidance or judgments based on formal guidance with defined evidence requirements. Measurements based on judgments alone may suffer from a high degree of uncertainty that applies to the business case and action plans derived from it. These drawbacks can be obviated if assessments based on judgments are considered, as posed in COBIT® Self-assessment Guide: Using COBIT® 5, as a precursor to more rigorous evaluations based on evidence.

The evidence management model presented in this article therefore responds to a real need; its main parts are: • Taxonomy of the evidence management • Relationships between elements of the COBIT 5 PAM • Alignment and integration of the frameworks for GEIT around COBIT 5 • GEIT artifacts baseline or GEIT evidence baseline • A method for qualifying the level/degree of evidence • Life Cycle of Evidence Management Model

The primary objective of this article is to motivate readers to decide to initiate or improve their GEIT implementations using COBIT 5 as the umbrella framework. Assessing the IT environment of the organization based on PAM and an evidence management model, such as the one presented in this article, provides a good foundation for this purpose.

Taxonomy of Evidence Management The predominant entities for managing evidence are grouped as: • Elements of the COBIT 5 PAM Model: IT process, capability level, attribute, result, work product, generic work product,

generic practice, outcome, content, base practice, output, input and rating level. The definition of these terms is in section 1.7 of the COBIT 5 PAM.

• Derived elements from GEIT frameworks: Called artifacts, the elements of this group can be distinguished in the following 12 categories: - Cat01 Inputs from outside of COBIT 5 - Cat02 Outputs or work products of COBIT 5 processes - Cat03 Outputs of ITIL V3 processes and other aligned frameworks - Cat04 Outputs of auditing and monitoring frames - Cat05 Guides and other documents derived from COBIT 5 processes - Cat06 Guides and other documents derived from aligned frameworks - Cat07 Guides and other documents derived from monitoring frames - Cat08 Guides derived from COBIT® 5 Implementation - Cat09 Deliverables generated by continual improvement projects - Cat10 Artifacts related with deliverables - Cat11 Support bibliography - Cat12 Guides and other documents derived from the controlled evolution of the proposal presented in this article

(G2eTIC Project)

The elements of these 12 artifact categories generally correspond to frameworks’ specific topic documents. These documents are related among them. The elements of output categories may also correspond to services or other results.

Frameworks that can be aligned to COBIT 5 by the proposal of this article are ITIL V3, ISO 2700X, The Open Group Architecture Framework (TOGAF), ArchiMate, the Project Management Body of Knowledge (PMBOK), the Capability Maturity Model Integration (CMMI), Microsoft Operations Framework (MOF) and ad hoc regulatory frameworks for monitoring and control.

Relationships Among Elements of COBIT 5 PAM An analysis of the figures and contents of COBIT 5 PAM results in the following semantic relationships: • Each process has its specific outcomes. • Level 1 of each process must be evaluated according to the current state of its outcomes. • Levels 2 to 5 of each process have two attributes each. • For levels 2 to 5, each attribute defines several results. • Each result requires a single generic practice. • The generic practices apply to levels 2 to 5 of all COBIT processes.

Volume 3, July 2013 Page 11

• The generic practices apply equally to the results of the attributes of the levels of each COBIT process and the generic work products (GWP).

• The COBIT 5 PAM base practices are the same governance and management practices defined in COBIT® 5: Enabling Processes.

• The COBIT 5 PAM work products are the same outputs that are defined in COBIT 5: Enabling Processes, in which they are defined for each governance and management practice of the process. The inputs are defined in the same manner.

• COBIT 5 PAM relates the outcomes of each process with the base practices and the inputs and outputs of each process. • COBIT 5 PAM relates the GWP of the processes directly with the capability levels of the processes; therefore, it is not

possible to evaluate the capability levels of the attributes based on GWP. However, a useful perspective is to assess directly the capability level of the process by the GWP concept.

These semantic considerations help in understanding COBIT 5 PAM and are the foundation of its practical application.

Alignment and Integration of GEIT Frameworks Around COBIT 5 Figure 1 presents the role of COBIT 5 as the umbrella framework that defines the conceptual spectrum of GEIT; the other frameworks/standards operate as contributors. For example, ITIL V3 covers just under 30 percent of GEIT and ISO/IEC 27001 covers just under another 15 percent.6 As figure 1 illustrates, the scopes of ITIL V3 and ISO 27001 are part of the larger GEIT picture—focusing on them in isolation when addressing the overall GEIT picture raises a risk that relationships with the rest of the GEIT spectrum cannot be optimally understood or justified. As such, a major part of the GEIT spectrum would remain outside the respective business case of the organization.

It is necessary to take into account in an integrated way COBIT 5, ITIL V3, ISO/IEC 27001 and other related standards and

Figure 1—COBIT 5 Coverage of Other Standards and Frameworks

Source: ISACA, COBIT 5, 2012, figure 25

Volume 3, July 2013 Page 12

frameworks in implementing GEIT. The following structure of activities and results defines a strategy for alignment and integration between frameworks: • Stage one—Domains of COBIT, ITIL V3 books, ISO 27001 domains, core and phases of TOGAF, and domains of other

frameworks • Stage two—Processes of COBIT, ITIL V3 book chapters, control objectives of ISO 27001, artifact categories of TOGAF

and second stages of other frameworks, such as CMMI constellations • Stage three—COBIT governance practices, processes/functions/activities of ITIL, ISO 27001 controls and processes of

other frameworks. This stage includes the diagrams, catalogs and TOGAF matrices. • Stage four—Outputs of COBIT governance practices and of processes of aligned frameworks. This stage also includes

defined activities or tasks of different frameworks.

The proposed alignment and integration of this article, based on COBIT 5 as the umbrella framework and GEIT at the hypocenter of the third and the fourth stages of the structure, is grounded on the following statements: • The GEIT implementation unit is the governance or management practice of COBIT 5. In terms of PMBOK, this is to say,

as a general guide, that each work package of IT projects is a governance practice of COBIT 5 to be implemented or improved with its respective outputs.

• Processes of aligned frameworks are selected for implementation with their own identity when they generate outputs equivalent to COBIT 5 work products. This amounts to saying that the selected process makes a primary contribution to GEIT.

• Detailed analysis concluded that all processes, functions and activities of ITIL V3 and 112 controls of ISO/IEC 27001 deserve implementation with proper identity. This represents less than 50 percent of GEIT. The remaining 21 controls of ISO/IEC 27001 make secondary contributions to GEIT.

• Processes of other frameworks, such as TOGAF, PMBOK, CMMI and MOF, that generate outputs equivalent to the work products of COBIT 5 and are not covered by ITIL V3 and ISO/IEC 27001 can be implemented with their own identities.

• Governance and management practices of COBIT 5 that are not represented by processes of other frameworks should be implemented directly with their own identities. This should draw upon the secondary contributions from other frameworks.

• All catalogs, matrices and diagrams proposed by TOGAF are considered elements that must be taken into account by processes of COBIT 5 and processes of aligned frameworks that are being implemented.

• The more than 440 outputs of governance practices defined by COBIT 5 and the 208 outputs defined by COBIT® 5 for Information Security should be treated in an integrated manner by each governance and management practice. This statement also applies for the outputs defined in the future by forthcoming COBIT 5 guides.

• The GEIT contribution that an element of the aligned framework makes is considered primary when it is sufficient to optimally support the functionality covered by its scope. Otherwise, this contribution, if it exists, is considered secondary.

An ITIL V3 process is implemented, then oriented, to determine each work product of COBIT 5 that applies to it. The definition of activities; inputs; outputs; the Responsible, Accountable, Consulted and Informed (RACI) matrix; goals; and metrics should be guided by the architecture of COBIT 5 processes. However, this definition must use and leverage the ITIL V3 contribution. The same applies for any ISO 27001 control and any process of aligned frameworks that was chosen for implementation.

The alignment and integration strategy proposed in this article allows, for example, for the initial use of TOGAF by mapping to the catalogs, matrices and diagrams proposed. These elements are generated from the umbrella of COBIT 5 without the need to understand the whole philosophy of TOGAF in order to achieve its benefits.

This initial use without preamble of TOGAF opens the doors to TOGAF’s ArchiMate ally, which is a standard that facilitates the management of elements defining enterprise architectures and the relationships among these elements.

The use of COBIT, ITIL, ISO/IEC standards, TOGAF, ArchiMate and PMBOK elements, as well as those of other GEIT frameworks and standards, must apply intellectual property rights defined by each of the respective owners.

GEIT Artifacts Baseline or GEIT Evidence Baseline All elements of GEIT frameworks implemented in the organization—the 12 artifact categories defined previously—constitute the evidence to support the assessment of COBIT 5 processes at the beginning of the GEIT program and in its entire existence in the organization.

Registering GEIT artifacts that are operating is performed in the baseline of GEIT artifacts of the organization. This baseline must support the release management and the distribution management of the organization’s

Volume 3, July 2013 Page 13

artifacts. In the management of this baseline of artifacts, the following four recording aspects are distinguished: • Single record of artifacts—The use of the alignment and integration structure of frameworks, described previously,

enables the definition of a single identification code structure of artifacts with the following stages of GEIT: 1. Category of artifacts 2. Framework that is valid in the category 3. Domains of the framework 4. Processes for COBIT 5 (or identifier level for other frameworks) 5. Governance or management practices for COBIT 5 (or process for other frameworks) 6. Outputs or work products for COBIT 5 (or process activity for other frameworks) 7. Version of work products or activities 8. Repetitions for outputs for COBIT 5 (or improvements for other frameworks)

When the third stage is set to “000,” all lower stages take the same value “000” to indicate that the artifact applies, in a generalized way, its content to that stage and to the dependent stages.

• Relationships of COBIT 5 PAM model elements—These elements were listed in the definition of the taxonomy of the evidence management described previously. This article emphasizes the following relationships among GEIT work products and: - Outcomes of each COBIT 5 process - Results of attributes at each capability level of the COBIT 5 processes - Generic work products of each COBIT 5 process

The first two items give support to evidence-based assessments using the COBIT 5 PAM as illustrated in figure 2. The third item supports the evaluation, also with evidence, of the state of the generic work products of each COBIT 5 process.

Figure 2—Link Between the Evidence Model and PAM

The process attributes provide the measurable

characteristics of process capability. GEIT Artifacts Records

Evidence per Each Result

Results per Each Attribute

Evidence per Each Outcome

Process’s Outcomes

Volume 3, July 2013 Page 14

• Umbrella-type relationships—Other frameworks/standards correspond based on the governance and management practices in COBIT 5 that are defined for alignment of the frameworks: - To and from elements derived from the application of frameworks aligned like ITIL V3, ISO 27001 and others - To and from elements derived from the application of frameworks oriented to verification and monitoring - To and from elements derived from the application of regulations specific to the organization and its environment

Several benefits can be realized from this mapping, such as: - A gap analysis between the implemented GEIT framework and the COBIT 5 framework guidance - A quality assessment of the implemented artifacts - A statement of applicability for each governance and management practice, with due justification for its inclusion or

exclusion - A gap analysis of the implemented governance and management practices and those that are rigorously necessary - Road maps at the governance and management practices and processes levels of COBIT 5 for the short, medium

and long term • Other relationships for assessment purposes—Relationships among the following fall into this category:

- Inputs and outputs defined by the continual improvement life cycle approach for each of its phases7 - Enablers defined in COBIT 5 - Enterprise goals and their metrics - IT-related goals and their metrics - Goals of COBIT 5 processes and their metrics - All other metrics proposed by COBIT 5 and adopted by the organization

Therefore, this GEIT artifacts baseline supports the record of all work products related to the COBIT 5 PAM and the management among them of relationships that are required by its assessment processes.

Method for Qualifying the Level/Degree of Evidence The method for qualifying the level/degree of evidence is based on figure 2, which includes figure 4 of the COBIT 5 PAM and the fragment of the evidence model’s entity relationship diagram with which it is paired.

From the single record of artifacts described previously, the steps for evaluating the capability level of each COBIT 5 process selected for assessment follow.

• Step 1: Use the respective Microsoft Excel spreadsheets provided in the COBIT® 5 Implementation tool kit and customize

them with the changes illustrated in figures 3 and 4.

Figure 3 illustrates the macro diagram of the matrix used for the evaluation of specific outcomes of each COBIT 5 process. Figure 4 illustrates the macro diagram of the matrix used for the assessment of levels 2 to 5 of the process. For a record of the evidence of every outcome and every result, one needs to insert two columns with the following registration purposes:

- ART: For codes of artifacts that represent evaluation criteria. This column of figure 3 corresponds to the “Evidence per Each Outcome” entity of figure 2. In figure 4, this column corresponds to the “Evidence per Each Result” entity of figure 2.

- JUST: For justification of the assigned percent • Step 2: For each outcome, one must identify the documentary

artifacts that represent it in reality and therefore constitute its

Figure 3—Assessment of Level 1

LEVEL ATTRIBUTE OUTCOME

CALCULATION: LEVEL 1 ONLY

CALCULATION: ATTRIBUTE

OUTCOME

OUTCOME

OUTCOME

AS

%

%

%

%

%

EVIDENCE

ART + JUST

ART + JUST

ART + JUST

Figure 4—Assessment of Levels 2 to 5

AS

%

%

%

%

%

%

%

LEVEL ATTRIBUTE RESULTS

CALCULATION: LEVEL

CALCULATION: ATTRIBUTE

RESULT

RESULT

CALCULATION: ATTRIBUTE

RESULT

RESULT

CALCULATION: LEVEL %

EVIDENCE

ART + JUST

ART + JUST

ART + JUST

ART + JUST

Volume 3, July 2013 Page 15

evidence. Evaluate the percent of quality and completeness that this support provides to the outcome. To do so, enter the respective codes of artifacts in the ART column, analyze the evidence that these documents provide to the outcome, and then enter in the AS column the percent value that one assigns to the outcome. After that, enter in the JUST column the concrete justification based on evidence about the assigned percent value. The Excel sheet should calculate the average percent corresponding to attribute and level 1. The allocation of the percent should be in accordance with the rating levels that are indicated in figure 4 of the COBIT 5 PAM.

• Step 3: For each attribute’s result of the process, one must proceed equivalently as done in step 2. The Excel spreadsheet shall provide the calculations of the average percent corresponding to the attributes of levels 2 to 5 of the process, and it shall calculate the average percent of these levels, as well.

• Step 4: For allocating the process capability level, one should proceed as is indicated in Figure 5—Levels and Necessary Ratings of COBIT® Self-assessment Guide: Using COBIT® 5.

As an additional advantage of semantic relationships of the COBIT 5 PAM, which are described previously, further evaluation of the 2-5 capability levels based on the GWP is proposed. Figures 5 and 6 illustrate the macro diagrams of the respective matrices.

In columns marked “ART + JUST” in figure 5, one should proceed in an equivalent manner as one did for these columns in figure 3. The Excel sheet of figure 5 should calculate the percent value for each GWP. One must bring all GWPs’ percent values from figure 5 to figure 6. The Excel sheet of figure 6 will calculate the percent values for levels 2 to 5.

One should note that the calculation of average percent by the Excel sheet in figure 6 for each capability level does not consider attributes. The outcome of this assessment should be consistent with the assessment of levels 2 to 5, as shown in figure 4.

Life Cycle of Evidence Management Model The following steps are proposed as part of the actual and effective beginning of GEIT implementation in an organization: 1. Inventory current GEIT documentation—It employs a matrix with the following columns: ID code of the document,

version, name, description, format, owner area, responsible person, stakeholders and frameworks. The inventory should cover all actual documents related with IT management in the organization, even those not formally authorized but in operation. Special care must be taken with artifacts related with documents that come from outside of COBIT 5 and are defined in COBIT® 5 for Information Security.

2. Categorize documents—Each document identified in the inventory must be mapped to the 12 categories of artifacts of frameworks proposed in this article. The same matrix from step 1 can be used, adding 12 columns, or a new and specific matrix can be developed for this purpose.

3. Map COBIT 5 processes—Several relationships among documents or artifacts and the GEIT processes should be documented in a matrix. This exercise reinforces the knowledge of COBIT 5 and must be supported by the COBIT® 5 Enabling Processes guide.

4. Complete nonrigorous evaluation of COBIT 5 processes—COBIT® Assessment Programme Tool Kit: Using COBIT® 5 should be used to evaluate COBIT 5 processes and the matrices of the previous steps. The respective assessment reports should be prepared and distributed as established by the organization in order to gain approbation and encouragement for the next steps.

5. Map outputs to the documents—The outputs or work products of COBIT 5 processes could be taken from figure 7 and

Figure 5—Assessment of GWPs

GWP CONTENT

CONTENT

CONTENT

CALCULATION: GWP

CONTENT

CONTENT

CALCULATION: GWP

AS

%

%

%

%

%

%

EVIDENCE

ART + JUST

ART + JUST

ART + JUST

ART + JUST

Figure 6—Direct Assessment of Levels 2 to 5

LEVEL GWP AS

GWP %

GWP %

CALCULATION: LEVEL %

GWP %

GWP %

CALCULATION: LEVEL %

Volume 3, July 2013 Page 16

appendix B.2 of the COBIT 5 PAM, but it is more useful to pick them from the level of governance practice in COBIT 5: Enabling Processes and COBIT® 5 for Information Security. The work products are located in the rows of the matrix to be used for mapping, and for each of them, the related documents should be identified. Several benefits can be derived from this mapping, such as those enumerated previously in this article regarding the umbrella type relationship.

6. Complete first version of the baseline of GEIT artifacts—The categories of artifacts CAT02, CAT03 and CAT04 represent work products. All documents recorded in the inventory of the 12 categories defined should be modularized in terms of work products, either by direct conversion or by mapping matrices. This exercise does not involve redoing, but decomposing into parts the artifacts that are in operation. It can be done in parallel with step 5. As part of the exercise, it also standardizes and allocates codes to the modularized artifacts. This new registration of standardized artifacts and their relationships is the first version of the baseline of GEIT artifacts.

7. Complete standard evaluation using evidence support—The baseline of GEIT artifacts constitutes the adequate evidence for the COBIT 5 Assessment Programme. The method outlined previously in this article for each selected process to be evaluated should be followed. The respective assessment reports should be prepared and distributed as established by the organization. These reports can then be categorized and recorded in the baseline of GEIT artifacts because they are, by themselves, implementation evidence of some work products of COBIT 5 processes.

8. Complete business case and project development—Evaluations proposed in this article support the precise definition of the GEIT business case and its respective definition of projects. See sample of business cases in COBIT 5 Implementation.

9. Update the baseline of GEIT artifacts—This baseline is updated by: • Laws and other regulations that affect the GEIT of the organization • The operation of GEIT every day. This refers to categories of artifacts:

- Outputs of COBIT 5 processes that are in operation - Outputs of aligned frameworks that are in operation - Outputs from monitoring and control frameworks

• Results from GEIT projects, always oriented to continual improvement. They are artifacts of the other nine categories. 10. Return to step 7.

This sequence of steps corresponds to an evidence management perspective in measuring capability levels of processes. The implementation of this life cycle should be adapted depending on the orientation that each organization takes from COBIT® 5 Implementation and COBIT® Assessor Guide: Using COBIT® 5.

A self-learning exercise is suggested in the business case sample presented in COBIT® 5 Implementation, and the evaluation of GEIT processes should be supported by the tools defined in the appendices of COBIT® Assessor Guide and its critical success factors.

Expectations and Conclusions The potential of mappings that are supported by the baseline of GEIT artifacts opens the doors to an effective implementation, as it generates knowledge and confidence to stakeholders and, thus, facilitates the obtaining of necessary management support.

The mappings from artifacts to COBIT 5 processes, combined with the mapping of IT process goals to IT-related goals and on to enterprise goals, provide the necessary support to make bottom-up assessments on the cascade of COBIT 5 goals. This mapping supports a positive effect on the management of the GEIT balanced scorecard of the organization—linking IT process capability improvement opportunities directly with enterprise goals.

It is estimated that the first record with total quality of the GEIT evidence and an initial evaluation of COBIT 5 processes may take no more than three months, depending on the size and location of the organization, the defined scope, and the resources allocated to this purpose.

Acknowledgment The content of this article is the result of work done by the G2eTIC Project, which was conceived with an academic and business orientation. References to documents of COBIT 5 and the use of its content are made in accordance with the respective license agreement between ISACA® and the author of this article. G2eTIC has the conceptual bracket, methodological tools and complementary tools corresponding to the proposal presented in this article.

Volume 3, July 2013 Page 17

Framework Committee Steven A. Babb, CGEIT, CRISC, UK, chair David Cau, ITIL, MSP, Prince2, France Sushil Chatterji, CGEIT, Singapore Frank Cindrich, CGEIT, CIPP, CIPP/G, USA Joanne De Vito De Palma, USA Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria Katherine McIntosh, CISA, USA Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil Paras Shah, CISA, CGEIT, CRISC, CA, Australia

Editorial Content Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at jhajigeorgiou@isaca.org.

COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors’ content.

© ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at jfullerton@isaca.org.

Jorge E. Barrera N., CISA, CGEIT, CRISC, COBIT (F), ITIL V3F, PMP Is an independent consultant in governance and management of IT in the enterprise and author of the Project G2eTIC, which develops a set of seminars and tools for practical learning and integrated use of COBIT 5. Barrera can be reached at jorgeebarrera@yahoo.com.

Endnotes 1 ISACA, COBIT® Process Assessment Model (PAM): Using COBIT® 5, 2012 2 ISACA, COBIT® Assessor Guide: Using COBIT® 5, 2012 3 ISACA, COBIT® Self-assessment Guide: Using COBIT® 5, 2012 4 ISACA, COBIT® Assessment Programme Tool Kit: Using COBIT® 5, 2012 5 ISACA, COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, 2012 6 Ibid. 7 ISACA, COBIT® 5 Implementation, 2012

©2013 ISACA. All rights reserved.