
COBIT

COBIT 5
What's New and Innovative and of Extreme Value!
Robert E Stroud CGEIT CRISC
ISACA Strategic Advisory Council
Vice President Strategy & Innovation, CA Technologies

Robert E Stroud CRISC CGEIT

Vice President, Strategy & Innovation
Cloud Computing, Service Management & Governance Evangelist, CA Technologies
Co-Chair INSIGHTS 2012
ISACA Strategic Advisory Council
Contributor COBIT, Val IT and Risk IT
Immediate Past Executive Board itSMF Intl.
Treasurer and Director, Audit Standards & Compliance
Former Board Member USA itSMF
15 years Banking Experience
Author, Public Speaker & Industry Geek

2012 ISACA. All Rights Reserved.

How many controls are enough?

our world is transitioning

evolution, not revolution!

Evolution of scope (COBIT 1 to COBIT 5):

Audit: COBIT 1 (1996)
Control: COBIT 2 (1998)
Management: COBIT 3 (2000)
IT Governance: COBIT 4.0/4.1 (2005/7), Val IT 2.0 (2008), Risk IT (2009)
Governance of Enterprise IT: COBIT 5 (2012)

A business framework from ISACA, at www.isaca.org/cobit

COBIT 5 Product Family

Source: COBIT 5, figure 11. 2012 ISACA All rights reserved.

Major changes in COBIT 5 content

New GEIT Principles
Increased Focus on Enablers
New Process Reference Model
New and Modified Processes
Practices and Activities
Goals and Metrics
Inputs and Outputs
RACI Charts
Process Capability Assessments
COBIT 5 Future Supporting Products

COBIT 5 Framework

The main, overarching COBIT 5 product. It contains the executive summary and the full description of all of the COBIT 5 framework components:
The five COBIT 5 principles
The seven COBIT 5 enablers
An introduction to the implementation guidance provided by ISACA (COBIT 5 Implementation)

COBIT 5 Principles

Source: COBIT 5, figure 2. 2012 ISACA All rights reserved.

Meeting Stakeholder Needs

Principle 1. Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.

Source: COBIT 5, figure 3. 2012 ISACA All rights reserved.

Stakeholder Value and Business Objectives

Source: COBIT 5, figure 5. 2012 ISACA All rights reserved.

Meeting Stakeholder Needs


Source: COBIT 5, figure 4. 2012 ISACA All rights reserved.

Covering the Enterprise End-to-end


Key components of a governance system

Source: COBIT 5, figure 8. 2012 ISACA All rights reserved.

Covering the Enterprise End-to-end

Source: COBIT 5, figure 9. 2012 ISACA All rights reserved.

Single Integrated Framework


COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI, etc.
COBIT 5 is the overarching governance and management framework integrator.
ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

Enabling a Holistic Approach


COBIT 5 enablers:
Factors that, individually and collectively, influence whether something will work; in the case of COBIT, governance and management over enterprise IT
Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
Described by the COBIT 5 framework in seven categories

Governance and Management


Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Enabling a Holistic Approach

Source: COBIT 5, figure 13. 2012 ISACA All rights reserved.

COBIT 5 Enablers

Source: COBIT 5, figure 12. 2012 ISACA All rights reserved.

Separating Governance and Management


Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Separating Governance and Management

Source: COBIT 5, figure 15. 2012 ISACA All rights reserved.


COBIT 5: Enabling Processes

COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:
In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals.
In Chapter 3, the COBIT 5 process model is explained and its components defined.
Chapter 4 shows the diagram of this process reference model.
Chapter 5 contains the detailed process information for all 37 COBIT 5 processes in the process reference model.
An appendix provides initial mapping.

COBIT 5: Enabling Processes

Source: COBIT 5, figure 29. 2012 ISACA All rights reserved.

COBIT 5: Enabling Processes (cont.)

Source: COBIT 5, figure 16. 2012 ISACA All rights reserved.


Evaluate, Direct and Monitor

Source: COBIT 5, figure 16. 2012 ISACA All rights reserved.


Management
Source: COBIT 5, figure 16. 2012 ISACA All rights reserved.


New and Modified Processes

Five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches.
This guidance:
Helps enterprises to further refine and strengthen executive management-level GEIT practices and activities
Supports GEIT integration with existing enterprise governance practices and is aligned with ISO/IEC 38500

New and Modified Processes


New and modified processes:

APO03 Manage enterprise architecture


APO04 Manage innovation
APO05 Manage portfolio
APO06 Manage budget and costs
APO08 Manage relationships
APO13 Manage security
BAI05 Manage organisational change enablement
BAI08 Manage knowledge
BAI09 Manage assets
DSS05 Manage security service
DSS06 Manage business process controls

Practices and Activities


The COBIT 5 governance or management practices are related to the COBIT 4.1 control objectives and Val IT and Risk IT processes:
www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspx
The COBIT 5 activities are related to the COBIT 4.1 control practices and Val IT and Risk IT management practices.
COBIT 5 integrates and updates all of the previous content into the one new model, making it easier for users to understand and use this material when implementing improvements.

Goals and Metrics


COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view.
COBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals, which are then supported by critical processes.
COBIT 5 provides examples of goals and metrics at the enterprise, process and management practice levels. This is a change from COBIT 4.1, Val IT and Risk IT, which went down one level lower.

RACI

Source: COBIT 4.1, page 39. 2007 IT Governance Institute All rights reserved.


Source: COBIT 5: Enabling Processes, page 31. 2012 ISACA All rights reserved.

RACI

Source: COBIT 5: Enabling Processes, page 31. 2012 ISACA All rights reserved.

COBIT 5 Implementation

COBIT 5 Implementation
The improvement of the governance of enterprise IT (GEIT) is
an essential part of enterprise governance.
Information and the pervasiveness of information technology
are increasingly part of every aspect of business and public life.
The need to drive more value from IT investments and manage
an increasing array of IT-related risk has never been greater.
Increasing regulation and legislation over business use of
information is also driving heightened awareness of the
importance of a well-governed and managed IT environment.

COBIT 5 Implementation
ISACA has developed the COBIT 5 framework to help
enterprises implement sound governance enablers. Indeed,
implementing good GEIT is almost impossible without
engaging an effective governance framework. Best practices
and standards are also available to underpin COBIT 5.
Frameworks, best practices and standards are useful only if
they are adopted and adapted effectively. There are challenges
that need to be overcome and issues that need to be addressed
if GEIT is to be implemented successfully.
COBIT 5: Implementation provides guidance on how to do
this.

COBIT 5 Implementation
Positioning GEIT within an enterprise
Taking the first steps towards improving GEIT
Implementation challenges and success factors
Enabling GEIT-related organisational and behavioural change
Implementing continual improvement that includes change enablement and programme management
Using COBIT 5 and its components

COBIT 5 Implementation

Source: COBIT 5, figure 17. 2012 ISACA All rights reserved.

COBIT 5
This is only the beginning


COBIT 5 Future Supporting Products


Professional Guides:
COBIT 5 for Information Security
COBIT 5 for Assurance
COBIT 5 for Risk

Enabler Guides:
COBIT 5: Enabling Information

COBIT Online Replacement


COBIT Assessment Programme:
Process Assessment Model (PAM):
Using COBIT 5
Assessor Guide: Using COBIT 5
Self-assessment Guide: Using COBIT 5

COBIT 5 delivers value!

COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
COBIT 5 enables information and related technology to be governed and managed in a holistic manner.
The COBIT 5 principles and enablers are generic and generally applicable!
A series of publications, education and online collaboration will drive COBIT forward!

control is important, especially when you don't have it!

embrace COBIT to drive trust in, and value from, information systems

COBIT 5

embrace with knowledge

COBIT 5 Security
Coming at INSIGHTS 2012


questions
Robert E Stroud CGEIT CRISC
Robert.Stroud@ca.com
Twitter @robertestroud
Blogs
http://community.ca.com/blogs/ITIL
http://community.ca.com/blogs/ppm
