
COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy

By Christopher Oparaugo, CISM, CGEIT, CRISC

COBIT Focus | 5 December 2016

In recent years (as demonstrated in my previous article, ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance),1 the balanced scorecard (BSC)2, 3, 4 has been applied to enterprise IT, and the first real-life IT security governance application has been developed by mapping the control objectives of the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27001:2013 standard to COBIT 4.1 processes and IT governance focus areas.5 As a further exercise, the relationships and similarities between ISO/IEC 27001:2013, COBIT 4.1 and COBIT 5 can be explored to provide data values, insights and results that will help in strategic management discussions.

What is driving the need for this mapping exercise?

The need to integrate IT governance with overall business governance

The need for effective deployment, governance and management of enterprise IT

The exercise will help in establishing enterprise IT strategy through control objective linkages

Key performance indicators (KPIs) can be derived for individuals or business unit

This article explains how an exercise in instituting controls can be used to establish IT strategy, which is shown in the resultant enterprise and IT goals BSC values and outcomes applied in COBIT 5. In so doing, it showcases the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls and processes further to COBIT 5 governance and management processes.

Brief Understanding of ISO/IEC 27001:2013

An executive brief from ISO/IEC 27001:2013 sheds more light on the essence of having controls in an enterprise IT organization. 6 Organizations of all types and sizes collect, process, store and transmit information in many forms. This information is valuable to an organization’s business and operations. In today’s interconnected and mobile world, information is processed using systems and networks that employ state-of-the-art technology. It is vital to protect this information against both deliberate and accidental threats and vulnerabilities. ISO/IEC 27001 helps organizations keep their information assets and those of their customers secure. Effective information security assures management and other stakeholders that the organization’s assets are safe, thereby acting as a business enabler.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process, which reassures interested parties that risk factors are adequately managed. It is important for the information security management system to be part of, and integrated with, the organization’s processes and overall management structure, and for information security to be considered in the design of processes, information systems and controls.7 The information security risk assessment and treatment process in this international standard aligns with the principles and generic guidelines provided in ISO 31000.8

What Is the Essence of Having Controls?

Enterprise security is no longer solely the realm of the IT department. In the era of the Internet of Things (IoT), data is recognized as a core business asset, valuable to companies and cybercriminals alike. Therefore, the enterprise risk caused by cyber security threats to data requires a holistic approach to security;9 oversight of security compliance and controls must be a senior management, C-suite and boardroom responsibility, because security oversight is risk management oversight and, therefore, a corporation’s business oversight.

Risk management aims to identify the risk a company faces and ways of mitigating it to a bearable level determined by the company’s risk appetite.10 It is recognized that risk exists due to the confluence of assets, threats and vulnerabilities. Accordingly, employing mitigating controls that reduce one or all of these factors reduces the overall risk exposure of the organization.

As data risk encompasses the risk of financial losses; business disruption; the loss or compromise of assets and information; the failure to meet legal, regulatory or contractual requirements; and reputational damage, effective oversight of IT security is essential to enterprise or corporate oversight of risk management. The need for information security requires a number of policies and procedures to be created and put in place. These policies, in turn, require a number of security-related standards and practices to be implemented. However, if the enterprise’s and personnel’s culture and ethics are not appropriate, enforcing information security processes (the policy controls) and procedures will not be effective.11 An exercise in instituting controls can be used to establish IT strategy, which will be shown in the resultant enterprise and IT goals BSC values and outcomes applied to COBIT 5 governance and management processes.

The resultant summation from the control questions is shown in figure 1 and figure 2 for control domains and security control areas. With these values from the exercise, low values can be potential areas of security breaches (i.e., backup, redundancies) leading to business continuity issues. Data security is no longer a cost of doing business, but a core component of remaining in business. Resources must, therefore, be appropriately allocated to meet these risk factors. Budgeting must enable the company to deploy, train and develop the right people and processes and employ technology to truly address the company’s security needs. 12

Figure 1: Resulting ISO/IEC 27001:2013 Compliance Data by Domain

Security Control Domains                                               Status (%)
A.5  Information Security Policies                                     90.50
A.6  Organization of Information Security                              86.43
A.7  Human resource security                                           88.19
A.8  Asset management                                                  83.29
A.9  Access control                                                    85.71
A.10 Cryptography                                                      82.33
A.11 Physical and Environmental Security                               82.26
A.12 Operations Security                                               82.74
A.13 Communications Security                                           81.72
A.14 System Acquisition, Development and Maintenance                   81.48
A.15 Supplier Relationships                                            83.40
A.16 Information Security incident management                          80.20
A.17 Information Security aspects of Business Continuity Management    80.69
A.18 Compliance                                                        82.47

Source: Christopher Oparaugo. Reprinted with permission.

Figure 2: Resulting ISO/IEC 27001:2013 Compliance Data by Controls and Domains

Control Domains                                                       Security Control Areas                                        Status (%)
A.5  Information Security Policies                                    Management direction for information security                 90.50
A.6  Organization of Information Security                             Internal Organization                                         87.72
                                                                      Mobile devices and teleworking                                85.14
A.7  Human resource security                                          Prior to employment                                           86.25
                                                                      During employment                                             90.00
                                                                      Termination and change of employment                          88.33
A.8  Asset management                                                 Responsibility for assets                                     83.75
                                                                      Information classification                                    81.39
                                                                      Media handling                                                84.72
A.9  Access control                                                   Business requirements of access control                       86.25
                                                                      User access management                                        88.26
                                                                      User responsibilities                                         85.00
                                                                      System and application access control                         83.33
A.10 Cryptography                                                     Cryptographic controls                                        82.33
A.11 Physical and Environmental Security                              Secure areas                                                  83.38
                                                                      Equipment                                                     81.15
A.12 Operations Security                                              Operational procedures and responsibilities                   85.21
                                                                      Protection from malware                                       82.50
                                                                      Backup                                                        76.67
                                                                      Logging and monitoring                                        81.87
                                                                      Control of operational software                               80.00
                                                                      Technical Vulnerability Management                            89.59
                                                                      Information Systems Audit considerations                      83.34
A.13 Communications Security                                          Network Security Management                                   83.24
                                                                      Information transfer                                          80.21
A.14 System Acquisition, Development and Maintenance                  Security requirements of information systems                  81.20
                                                                      Security in development and support processes                 83.24
                                                                      Test data                                                     80.00
A.15 Supplier Relationships                                           Information security in supplier relationships                83.89
                                                                      Supplier service delivery management                          82.92
A.16 Information Security incident management                         Management of information security incidents and improvements 80.20
A.17 Information Security aspects of Business Continuity Management   Information Security Continuity                               81.39
                                                                      Redundancies                                                  80.00
A.18 Compliance                                                       Compliance with Legal and Contractual requirements            81.33
                                                                      Information Security reviews                                  83.61

Source: Christopher Oparaugo. Reprinted with permission.

Understanding COBIT 5 in Relation to Governance and Strategy

COBIT 5 provides the next generation of ISACA’s guidance on the enterprise governance and management of IT. It builds on more than 15 years of practical usage and application of COBIT by many enterprises and users from the business, IT, risk, security and assurance communities.13 COBIT has evolved from an auditing framework to a control framework, from a control framework to an IT governance framework that can be mapped to other international standards, and now to a governance of enterprise IT (GEIT) framework that sets out a management strategy for enterprise IT.

Key Concepts

Information is a key resource for all enterprises, and from the time that information is created to the moment that it is destroyed, technology plays a significant role. IT is increasingly advanced and has become pervasive in enterprises and in social, public and business environments. 14

As a result, today, more than ever, enterprises and their executives strive to:

Maintain high-quality information to support business decisions

Generate business value from IT-enabled investments, i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT

Achieve operational excellence through the reliable and efficient application of technology

Maintain IT-related risk at an acceptable level

Optimize the cost of IT services and technology

Comply with ever-increasing relevant laws, regulations, contractual agreements and policies.15

COBIT 5 is not prescriptive, but it advocates that organizations implement governance and management processes such that the key areas are covered, as shown in figure 3.

Figure 3: Separating Governance From Management

Source: ISACA, COBIT ® 5, USA, 2012

COBIT 5 provides a comprehensive framework that helps enterprises achieve their goals and deliver value through effective governance and management of enterprise IT. Successful enterprises have recognized that the board of directors (BoD) needs to embrace IT just like any other significant part of doing business. Corporate boards and business management (in both the enterprise and IT functions) must collaborate and work together so that IT is included within the governance and management functions.

In addition, 2 core components of GEIT (controls and compliance) must be overseen at the highest levels of management to confirm that they are customized for the enterprise standards and are not applied generically:

Controls: The organization’s systems, procedures and processes for protecting data

Compliance: An organization’s program for ensuring adherence to and enforcement of enterprise security policies and relevant external privacy and data protection laws and regulations. Departmental policies, standards and procedures are often disconnected from operational practices, and technology infrastructures that are not tailored specifically to the company’s operations become wasted effort and are ineffective.16

The COBIT 5 framework makes a clear distinction between governance and management. These 2 disciplines encompass different types of activities, require different organizational structures and serve different purposes.

The COBIT 5 view on this key distinction between governance and management is:

Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision making; and monitors performance and compliance against agreed-on direction and objectives. In most enterprises, governance is the responsibility of the BoD under the leadership of the chairperson.

Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve enterprise objectives. In most enterprises, it is the responsibility of the executive management, under the leadership of the chief executive officer (CEO).17

This article presents a mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013, using the control data values from a previous article (ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance) and a target value for differentiation. It has been designed for guidance purposes and discussion.

Further, this article extends the mapping from COBIT 4.1 processes to COBIT 5 processes using input control data from ISO/IEC 27001:2013 as designed to bring out the BSC dimensions for a strategic guide and measurement system.

Adopting the Lean Management theory’s 5 Whys approach (the process of continually asking questions until you get to the root cause)18 enabled validation of the assessment results, moving closer to each problem or low value until the real issue is understood. The 5 Whys method helps managers eliminate waste and aids executives in deciding which projects or controls to pursue and which underperforming areas to address in a controlled environment, thereby aiding enforcement of the policy. Productivity and strategy mean different things to different people, but, at their core, the meaning is how effective an organization’s decisions are in delivering subsequent results.

COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective (figure 4). 19

Figure 4: Covering the Enterprise End-to-end

Source: ISACA, COBIT ® 5, USA, 2012

The questions help stakeholders understand whether the set objectives were achieved, based on the results and backward reviews of the elements contributing to these results. These results also show IT governance pain points to be addressed. In addition to these activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (responsible, accountable, consulted and informed [RACI] charts) for each process, and Capability Maturity Model Integration (CMMI) scores help stakeholders see the picture and values of control activities.

These resultant data from the exercise were further employed as COBIT information criteria for primary and secondary grouping. The resultant values of the ISO/IEC 27001:2013 mapping to COBIT 4.1 processes are linked with the defined IT governance areas.

The value inputs of 0% to 100% from the ISO/IEC 27001:2013 control objectives security control questions are mapped to COBIT 4.1 domains and processes, and further mapping is done from COBIT 4.1 to COBIT 5 related processes. These are linked to the IT focus areas as exercise results showing the values from the data mapping outputs, illustrated in figure 5.

Figure 5: Results Showing Mapping of ISO/IEC 27001:2013 Data to COBIT Processes

Columns of the original table: COBIT 4.1 Domains and Processes; Risk Rank (H/M/L); IT Governance Focus Areas (Strategic Alignment, Value Delivery, Resource Mgt, Risk Mgt, Performance Management, each marked P for primary or S for secondary); ISO 27001:2013 Status (%); Mapping (%). [The P/S marks per focus area did not survive extraction of this copy and are omitted below.]

Process   COBIT 4.1 Domains and Processes                            Risk Rank   ISO 27001:2013 Status (%)   Mapping
Plan and Organise
PO1       Define a Strategic IT Plan                                 H           88.33                       88%
PO2       Define the Information Architecture                        L           80.69                       81%
PO3       Determine Technological Direction                          M           84.33                       84%
PO4       Define the IT Processes, Organisation and Relationships    L           85.25                       85%
PO5       Manage the IT Investment                                   M           86.33                       86%
PO6       Communicate Management Aims and Direction                  M           84.40                       84%
PO7       Manage IT Human Resources                                  L           89.20                       89%
PO8       Manage Quality                                             M           81.67                       82%
PO9       Assess and Manage IT Risks                                 H           83.03                       83%
PO10      Manage Projects                                            H           90.00                       90%
Acquire and Implement
AI1       Identify Automated Solutions                               M           83.82                       84%
AI2       Acquire and Maintain Application Software                  M           82.22                       82%
AI3       Acquire and Maintain Technology Infrastructure             L           84.37                       84%
AI4       Enable Operation and Use                                   L           83.61                       84%
AI5       Procure IT Resources                                       M           80.83                       81%
AI6       Manage Changes                                             H           86.50                       87%
AI7       Install and Accredit Solutions and Changes                 M           85.00                       85%
Deliver and Support
DS1       Define and Manage Service Levels                           M           82.92                       83%
DS2       Manage Third-party Services                                L           81.95                       82%
DS3       Manage Performance and Capacity                            L           80.00                       80%
DS4       Ensure Continuous Service                                  M           84.00                       84%
DS5       Ensure Systems Security                                    H           84.48                       84%
DS6       Identify and Allocate Costs                                L           90.00                       90%
DS7       Educate and Train Users                                    M           83.33                       83%
DS8       Manage Service Desk and Incidents                          M           80.32                       80%
DS9       Manage the Configuration                                   M           81.39                       81%
DS10      Manage Problems                                            M           80.00                       80%
DS11      Manage Data                                                H           80.22                       80%
DS12      Manage the Physical Environment                            L           82.17                       82%
DS13      Manage Operations                                          L           82.25                       82%
Monitor and Evaluate
ME1       Monitor and Evaluate IT Performance                        H           80.28                       80%
ME2       Monitor and Evaluate Internal Control                      M           84.10                       84%
ME3       Ensure Regulatory Compliance                               H           84.21                       84%
ME4       Provide IT Governance                                      H           86.99                       87%

Domain summary (as printed in the original table)
COBIT 4.1 Domains and Processes     Percentage Score   Compliance   Future State
(column header values)              85%                90%          95%
Plan and Organise                   84%                90%          93%
Acquire and Implement               83%                90%          92%
Deliver and Support                 84%                90%          93%
Monitor and Evaluate                84%                90%          93%

Source (table): ISACA, Mapping COBIT 4.1 to ISO/IEC 27001, USA, 2005. Source (numeric values): Christopher Oparaugo. Reprinted with permission.

The results in figure 6 are a comparison of COBIT 4.1 domain results from the previous mapping of ISO/IEC 27001:2005 to ISO/IEC 27001:2013 data that was then mapped to COBIT 4.1.

The new target exercise (having different data input values for comparison) represents values directly from the mapping of ISO/IEC 27001:2013 to COBIT 4.1.

The previous results were Plan and Organize (55%), Acquire and Implement (64%), Deliver and Support (55%), and Monitor and Evaluate (64%). There is a remarkable increase in the values generated through this realignment from ISO 27001:2005 to ISO 27001:2013.

Figure 6: Comparing Sample Results Showing Mapping of ISO/IEC 27001:2005 From the Previous Article’s Exercise and New ISO/IEC 27001:2013 Data to COBIT 4.1 Control Objectives

Left panel: Using the scores from previous exercises of ISO 27001:2005, now mapped to ISO 27001:2013, producing the mapped results for COBIT 4.1 domains and showing compliance to future state.

Right panel: New target exercise scores for ISO 27001:2013 are mapped to COBIT 4.1 domains and processes, showing compliance to future state.

Source: Christopher Oparaugo. Reprinted with permission.

Having done this comparison, the focus is now to determine a relationship and understanding of how these scores and values map to COBIT 5.

The COBIT 5 process reference model divides the governance and management processes of enterprise IT into 2 main process domains:

Governance: Contains 1 domain, Evaluate, Direct and Monitor (EDM), consisting of 5 governance processes in COBIT 5.

Management: The management principles of COBIT 5, having evolved from the Plan, Do, Check and Act (PDCA) maxim, follow the functional responsibility areas of plan, build, run and monitor (PBRM), creating a new, elaborate set of 4 domains and providing end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure, as shown below:

o Align, Plan and Organize (APO), consisting of 13 processes

o Build, Acquire and Implement (BAI), consisting of 10 processes

o Deliver, Service and Support (DSS), consisting of 6 processes

o Monitor, Evaluate and Assess (MEA), consisting of 3 processes

Useful COBIT 5 Governance and Management Interactions

Principles, policies and frameworks: The vehicle by which governance decisions are institutionalized within the enterprise. For that reason, they are an interaction between governance decisions (direction setting) and management (execution of decisions).

Services, infrastructure and applications: Services are required and are supported by applications and infrastructure to provide the governance body with adequate information and to support the governance activities of evaluating, setting direction and monitoring.

Processes: In the illustrative COBIT 5 process model (COBIT 5: Enabling Processes), a distinction is made between governance and management processes, including specific sets of practices and activities for each. The process model also includes RACI charts, describing the responsibilities of different organizational structures and roles within the enterprise.

Enablers: Factors that individually and collectively influence whether something will work; in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.20

To achieve success in enterprise governance and management, the COBIT 5 enablers must be interconnected and interrelated to deliver on the enterprise and IT goals. This will help the organization develop a 360-degree vision of cyber security.

These resultant data from the exercise are further employed as COBIT information criteria for primary and secondary grouping. The resultant values of the ISO/IEC 27001:2013 mapping into COBIT 5 processes are linked with the defined IT BSC dimension information and related technology goals. Exercise results showing the values from the data mapping outputs are shown in figure 7.

Figure 7: Results Showing Mapping Data Values of COBIT 4.1 Control Objectives (Using Input Data From ISO/IEC 27001:2013) to COBIT 5 Governance and Management Practices

Columns of the original table: COBIT 5 Domains and Processes; the 17 IT-related goals (01 to 17) grouped into the IT BSC dimensions Financial, Customer, Internal, and Learning and Growth, each cell marked P (primary) or S (secondary); COBIT 4.1 Mapping; Status (%). [The P/S marks per goal column did not survive extraction of this copy and are omitted below.]

Process   COBIT 5 Domains and Processes                                           COBIT 4.1 Mapping   Status (%)
1 Evaluate, Direct and Monitor                                                                        69%
EDM01     Ensure Governance Framework Setting and Maintenance                     85.66               86%
EDM02     Ensure Benefits Delivery                                                87.66               88%
EDM03     Ensure Risk Optimisation                                                84.81               85%
EDM04     Ensure Resource Optimisation                                            86.99               87%
EDM05     Ensure Stakeholder Transparency                                         -                   0%
2 Align, Plan and Organise                                                                            78%
APO01     Manage the IT Management Framework                                      84.48               84%
APO02     Manage Strategy                                                         86.33               86%
APO03     Manage Enterprise Architecture                                          82.51               83%
APO04     Manage Innovation                                                       84.33               84%
APO05     Manage Portfolio                                                        87.33               87%
APO06     Manage Budget and Costs                                                 88.17               88%
APO07     Manage Human Resources                                                  85.93               86%
APO08     Manage Relationships                                                    -                   0%
APO09     Manage Service Agreements                                               82.92               83%
APO10     Manage Suppliers                                                        81.39               81%
APO11     Manage Quality                                                          83.46               83%
APO12     Manage Risk                                                             83.03               83%
APO13     Manage Security                                                         84.48               84%
3 Build, Acquire and Implement                                                                        84%
BAI01     Manage Programmes and Projects                                          90.00               90%
BAI02     Manage Requirements Definition                                          83.82               84%
BAI03     Manage Solutions Identification and Build                               82.48               82%
BAI04     Manage Availability and Capacity                                        80.00               80%
BAI05     Manage Organisational Change Enablement                                 84.31               84%
BAI06     Manage Changes                                                          86.50               87%
BAI07     Manage Change Acceptance and Transitioning                              85.00               85%
BAI08     Manage Knowledge                                                        83.61               84%
BAI09     Manage Assets                                                           82.25               82%
BAI10     Manage Configuration                                                    81.39               81%
4 Deliver, Service and Support                                                                        81%
DSS01     Manage Operations                                                       81.62               82%
DSS02     Manage Service Requests and Incidents                                   82.64               83%
DSS03     Manage Problems                                                         80.00               80%
DSS04     Manage Continuity                                                       82.11               82%
DSS05     Manage Security Services                                                82.28               82%
DSS06     Manage Business Process Controls                                        80.22               80%
5 Monitor, Evaluate and Assess                                                                        83%
MEA01     Monitor, Evaluate and Assess Performance and Conformance                80.28               80%
MEA02     Monitor, Evaluate and Assess the System of Internal Control             85.54               86%
MEA03     Monitor, Evaluate and Assess Compliance With External Requirements      84.21               84%

IT BSC Dimension / Information and Related Technology Goal (bottom row of the original table: resulting value per goal)
Financial
01  Alignment of IT and business strategy                                                                          77
02  IT compliance and support for business compliance with external laws and regulations                           84
03  Commitment of executive management for making IT-related decisions                                             43
04  Managed IT-related business risk                                                                               83
05  Realised benefits from IT-enabled investments and services portfolio                                           87
06  Transparency of IT costs, benefits and risk                                                                    73
Customer
07  Delivery of IT services in line with business requirements                                                     74
08  Adequate use of applications, information and technology solutions                                             85
Internal
09  IT agility                                                                                                     84
10  Security of information, processing infrastructure and applications                                            84
11  Optimisation of IT assets, resources and capabilities                                                          83
12  Enablement and support of business processes by integrating applications and technology into business processes 56
13  Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards  86
14  Availability of reliable and useful information for decision making                                            82
15  IT compliance with internal policies                                                                           84
Learning and Growth
16  Competent and motivated business and IT personnel                                                              86
17  Knowledge, expertise and initiatives for business innovation                                                   75

Legend:

In the columns, all 17 generic IT-related goals, grouped in IT BSC dimensions

In the rows, all 37 COBIT 5 processes, grouped by domain

Source (table): ISACA, COBIT 5, USA, 2012. Source (numerical data values): Christopher Oparaugo. Reprinted with permission.

The mapped data values of COBIT 4.1 control objectives (using input data from ISO/IEC 27001:2013) to COBIT 5 governance and management practices show how an IT-related goal is supported by a COBIT 5 IT-related process. This mapping is expressed using the following scale:

"P" stands for primary, indicating there is an important relationship, i.e., the COBIT 5 process is a primary support for the achievement of an IT-related goal.

"S" stands for secondary, indicating there is still a strong, but less important, relationship, i.e., the COBIT 5 process is a secondary support for the IT-related goal. 21

The compared results in figure 8 show that Evaluate, Direct and Monitor (EDM), the governance area for enterprise IT, scored lowest in all cases, because the bulk of the alignment with COBIT 4.1 fell in the other 4 domains of COBIT 5 governance and management practices (i.e., the core enterprise IT management area).

Figure 8: Comparing Sample Results of ISO/IEC 27001:2005, ISO/IEC 27001:2013, COBIT 4.1 and COBIT 5 Mappings

Source: Christopher Oparaugo. Reprinted with permission.

These results confirm that the bedrock of GEIT under COBIT 5 is in the BAI domain, which has taken on many elements of the COBIT 4.1 domains of Plan and Organize (PO), Acquire and Implement (AI) and Deliver and Support (DS).

Using the Balanced Scorecard as a Strategic Management System

The BSC revolutionized conventional thinking about performance metrics. When the concept was first introduced in 1992, companies were busy transforming themselves to compete in the world of information; their ability to exploit intangible assets was becoming more developed than their ability to manage physical assets.

The authors of the BSC describe how it addresses a serious deficiency in traditional management systems: the inability to link a company’s long-term strategy with its short-term financial goals. The scorecard lets managers introduce 4 new processes (in the 3rd-generation edition) that help companies make that important link. 22

The first process, translating the vision, helps managers build a consensus concerning a company’s strategy and express it in terms that can guide action at the local level. The second, communicating and linking, calls for communicating a strategy at all levels of the organization and linking it with unit and individual goals. The third, business planning, enables companies to integrate their business plans with their financial plans. The fourth, feedback and learning, gives companies the capacity for strategic learning, which consists of gathering feedback, testing the hypotheses on which a strategy is based and making necessary adjustments. 23

In addition, while traditional measures report on what happened last period without indicating how managers can improve performance in the next, the scorecard functions as the cornerstone of a company’s current and future success.24

The information from the 4 perspectives provides balance between external measures such as operating income and internal measures such as new product development and innovation. This balanced set of measures both reveals the trade-offs that managers have already made among performance measures and encourages them to achieve their goals in the future without making trade-offs among key success factors.25

The assumptions made for using the primary (P) values related to the COBIT 5 processes and IT-related goals are based on information from COBIT 5:

• The COBIT 5 process is a primary support for the achievement of an IT-related goal.

• It is primary when there is an important relationship between the COBIT 5 process and IT-related goals.

• Achieving IT-related goals requires the successful application and use of a number of enablers. 26

• There is a relationship to the 3 main governance objectives: benefits realization, risk optimization and resource optimization. 27

This understanding from the BSC perspective, together with a focus on the primary values, shows the COBIT 5 governance and management practices that are a primary (P) support for the achievement of an IT-related goal. Applying these criteria and assumptions to IT-related goal 01, Alignment of IT and business strategy, which has 10 P values, gives an average cumulative score of 77%. For each of the 17 generic IT-related goals, the COBIT 5 score entries of the processes carrying a P value are added and averaged to get a cumulative average score for that IT-related goal, as represented in figure 9. (See the scores related to the 10 P values for IT-related goal 01, Alignment of IT and business strategy, in figure 7, in the COBIT 5 processes column COBIT 4.1 Mapping. The average of these [85.66+ 87.66+…+90.00+83.82] scores is 77.37, approximated to 77%.)

Figure 9: Results Showing Mapping COBIT 5 Data Values From IT-related Goals to Enterprise Goals

BSC Dimension Mapping COBIT 5 Enterprise Goals to IT-related Goals

Rows: IT-related goals (IT BSC dimension), with the average of the COBIT 5 related process scores that give primary support to the goal, and the COBIT 5 IT goals status (%)

Financial
1 Alignment of IT and business strategy                                              77.37   77%
2 IT compliance and support for business compliance with external laws and regulations   83.63   84%
3 Commitment of executive management for making IT-related decisions                   42.83   43%
4 Managed IT-related business risk                                                     83.27   83%
5 Realised benefits from IT-enabled investments and services portfolio                 86.82   87%
6 Transparency of IT costs, benefits and risk                                          72.91   73%
Financial dimension status                                                                     74%
Customer
7 Delivery of IT services in line with business requirements                           73.73   74%
8 Adequate use of applications, information and technology solutions                   85.04   85%
Customer dimension status                                                                      79%
Internal
9 IT Agility                                                                           83.89   84%
10 Security of information, processing infrastructure and applications                 84.22   84%
11 Optimisation of IT assets, resources and capabilities                               82.71   83%
12 Enablement and support of business processes by integrating applications and technology into business processes   56.27   56%
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards   85.68   86%
14 Availability of reliable and useful information for decision making                 82.09   82%
15 IT compliance with internal policies                                                83.78   84%
Internal dimension status                                                                      80%
Learning and Growth
16 Competent and motivated business and IT personnel                                   85.80   86%
17 Knowledge, expertise and initiatives for business innovation                        74.58   75%
Learning and growth dimension status                                                           80%

Columns: enterprise goals (BSC dimension), with the average score of the IT-related goals giving primary support to the enterprise goal, and the enterprise goal status (%)

Financial
1 Stakeholder value of business investments              74.86   75%
2 Portfolio of competitive products and services         75.44   75%
3 Managed business risk (safeguarding of assets)         84.43   84%
4 Compliance with external laws and regulations          83.93   84%
5 Financial transparency                                 72.91   73%
Customer
6 Customer-oriented service culture                      75.55   76%
7 Business service continuity and availability           83.19   83%
8 Agile responses to a changing business environment     77.39   77%
9 Information-based strategic decision making            79.73   80%
Internal
10 Optimisation of service delivery costs                79.63   80%
11 Optimisation of business process functionality        75.26   75%
12 Optimisation of business process costs                80.82   81%
13 Managed business change programmes                    68.63   69%
14 Operational and staff productivity                    85.42   85%
15 Compliance with internal policies                     83.88   84%
Learning and Growth
16 Skilled and motivated people                          85.80   86%
17 Product and business innovation culture               79.23   79%

Enterprise Goals Status (%): Financial 78%, Customer 79%, Internal 79%, Learning and Growth 83%; overall 80%
(The individual P/S cells of the IT-related-goal-to-enterprise-goal mapping are not recoverable from the extracted table.)

Legend:

The purpose of the mapped table in figure 9 is to demonstrate how enterprise goals are supported by, or translate into, IT-related goals, showing the values for compliance purposes.

For that reason, the table contains the following information:

• In the columns, all 17 generic enterprise goals defined in COBIT 5, grouped by BSC dimension

• In the rows, all 17 IT-related goals, grouped in IT BSC dimensions

• A mapping of how each enterprise goal is supported by IT-related goals. This mapping is expressed using the following scale: "P" stands for primary, indicating there is an important relationship, i.e., the IT-related goal is a primary support for the enterprise goal. "S" stands for secondary, indicating there is still a strong, but less important, relationship, i.e., the IT-related goal is a secondary support for the enterprise goal.

Source (table): ISACA, COBIT® 5, USA, 2012. Source (numeric data values): Christopher Oparaugo. Reprinted with permission.

Having completed these exercises and reviewed the outcomes, it is important to distil the values by applying the legend’s primary (P) values of the BSC enterprise goals mapping to COBIT 5 and IT-related goals, based on the following information from the ISACA COBIT 5 framework:

• The IT-related goal is a primary support for the enterprise goal.

• It is primary when there is an important relationship between enterprise and IT-related goals.

• Achieving IT-related goals and enterprise goals requires the successful application and use of a number of enablers.

• There is a relationship to the 3 main governance objectives: benefits realization, risk optimization and resource optimization. 28

With this understanding from a BSC perspective, the focus is on the P values, which show that the COBIT 5 governance and management practices are a primary support for the achievement of an IT-related goal. Applying these criteria and assumptions, IT-related goal 01, Alignment of IT and business strategy, which has 10 P values, gives an average score of 77% (from figure 7 data). Enterprise goal 1, Stakeholder value of business investments, which has 6 P values, gives an average score of 75%. This is achieved by calculating the cumulative average of the IT-related goals (column COBIT 5 - IT Goals Score) aligned/mapped to the enterprise goal with P values/fields.

For each of the 17 generic enterprise goals, the score entries of the IT-related goals carrying a P value are added and averaged to get a cumulative average score for that enterprise goal.
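The two averaging steps described above (processes with P support averaged into an IT-related goal score, then IT-related goals with P support averaged into an enterprise goal score and a BSC dimension status), as an added Python example that is not code from the article. The P/S matrices and process scores are constructed; the enterprise-goal column averages are the ones reported in figure 9, and the code reproduces its dimension statuses.

```python
from statistics import mean
# Added example of the two-level roll-up the article describes: COBIT 5 process
# scores -> IT-related goal scores -> enterprise goal scores -> BSC dimension
# status. Only "P" (primary) cells contribute; "S" cells are carried but ignored.
# The P/S matrices and process scores here are CONSTRUCTED for illustration and
# are not the article's figure 7 data.
PROCESS_SCORES = {"APO01": 85.66, "APO02": 87.66, "EDM01": 60.00, "DSS05": 82.28}
PROCESS_TO_IT_GOAL = {            # per IT-related goal: process -> P/S (blanks omitted)
    "ITG01": {"APO01": "P", "APO02": "P", "EDM01": "S"},
    "ITG10": {"DSS05": "P", "APO01": "S"},
}
IT_GOAL_TO_ENTERPRISE_GOAL = {    # per enterprise goal: IT-related goal -> P/S
    "EG01": {"ITG01": "P", "ITG10": "S"},
    "EG03": {"ITG01": "P", "ITG10": "P"},
}

def primary_average(mapping, lower_scores):
    """Cumulative average of the scores marked 'P' for one goal."""
    primary = [lower_scores[item] for item, rel in mapping.items() if rel == "P"]
    if not primary:
        raise ValueError("goal has no primary support; no score can be derived")
    return round(mean(primary), 2)

def roll_up(goal_map, lower_scores):
    """Score every goal in goal_map from the scores one level below it."""
    return {goal: primary_average(m, lower_scores) for goal, m in goal_map.items()}

def pct(value):
    """Whole-percent status as printed in the figures (round half up)."""
    return int(value + 0.5)

def dimension_status(goal_scores, dimensions):
    """Status (%) per BSC dimension: mean of that dimension's goal scores."""
    return {dim: pct(mean(goal_scores[g] for g in goals))
            for dim, goals in dimensions.items()}

def overall_status(dim_status):
    """Single BSC score: mean of the four dimension statuses."""
    return pct(mean(dim_status.values()))

IT_GOAL_SCORES = roll_up(PROCESS_TO_IT_GOAL, PROCESS_SCORES)                  # ITG01 -> 86.66
ENTERPRISE_GOAL_SCORES = roll_up(IT_GOAL_TO_ENTERPRISE_GOAL, IT_GOAL_SCORES)  # EG03 -> 84.47

# Real data from the article's figure 9: the 17 enterprise-goal column averages,
# grouped by BSC dimension (enterprise goals 1-5, 6-9, 10-15, 16-17).
FIGURE9_ENTERPRISE_GOAL_SCORES = {
    "EG01": 74.86, "EG02": 75.44, "EG03": 84.43, "EG04": 83.93, "EG05": 72.91,
    "EG06": 75.55, "EG07": 83.19, "EG08": 77.39, "EG09": 79.73,
    "EG10": 79.63, "EG11": 75.26, "EG12": 80.82, "EG13": 68.63, "EG14": 85.42,
    "EG15": 83.88, "EG16": 85.80, "EG17": 79.23,
}
ENTERPRISE_BSC_DIMENSIONS = {
    "Financial": ["EG01", "EG02", "EG03", "EG04", "EG05"],
    "Customer": ["EG06", "EG07", "EG08", "EG09"],
    "Internal": ["EG10", "EG11", "EG12", "EG13", "EG14", "EG15"],
    "Learning and growth": ["EG16", "EG17"],
}
FIGURE9_DIMENSION_STATUS = dimension_status(FIGURE9_ENTERPRISE_GOAL_SCORES,
                                            ENTERPRISE_BSC_DIMENSIONS)  # 78/79/79/83
```

A goal with no P cell at all raises rather than silently scoring zero, which is the case a reviewer of the mapping would want flagged.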

The BSC can serve as the fulcrum, defining and communicating priorities to managers, employees, investors and even customers. The scorecard is a strategic measurement system, not a measure of strategy that is reviewed every month or modified for weekly meetings. The 6 IT scorecard implementation cycles can be reviewed in line with the outcome of the exercises and effected.

The aim or objectives of the BSC should be:

• Improvement/alignment of processes and removal of enterprise operation bottlenecks

• Increased financial usage/return on investment/capital employed

• Greater customer satisfaction and loyalty

• Motivated/educated employees

• Enhanced information systems/employees understanding the business

• Successful realization of the strategic plan/vision

• Monitored activities and progress visibility

Instituting controls enables the enterprise to build effective governance and management results that optimize information and technology investment and use for the benefit of stakeholders, through an on-the-ground assessment based on controls using a BSC approach. These results also show IT governance pain points to be addressed. In addition to these activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures. 29

The final outcome of these exercises is shown in figure 10. If there were great deviations or skewed results, further reviews and employing the 5 Whys would be called into play to determine the elements from the ISO 27001 control questions that impacted these outcomes negatively and caused the deviations. Keep in mind that for a BSC to be established, all the criteria (the aim/objectives) should be met based on these 4 perspectives:

• Financial

• Customer

• Internal

• Learning and growth

This article highlights the importance of proper mapping to process and domains for both ISO and COBIT to achieve these results.

Figure 10: Results Showing Mapped COBIT 5 Data Values to Achieve IT-related Goals BSC and Enterprise Goals BSC

IT Goals BSC Mapping to COBIT 5: Financial Perspective, Customer Perspective, Internal Perspective, Learning and Growth Perspective; values legible in the extracted figure: 80%, 80%, Score 78%

Enterprise Goals BSC Mapping to COBIT 5 and IT Goals: Financial Perspective 78%, Customer Perspective 79%, Internal Perspective 79%, Learning and Growth Perspective 83%; Score 80%

Source: Christopher Oparaugo. Reprinted with permission.

Conclusion

IT governance is not an isolated discipline. It is an integral part of overall enterprise governance that drives the business in these days of IoT. This helps successful business enterprises understand IT risk and exploit the benefits of IT, find ways to align IT strategy with the business strategy, incorporate IT strategy and goals into the fabric of enterprise businesses and insist that an IT control framework be adopted and implemented. 30 This understanding and discipline cuts across government and public and private business entities for effective deployment, governance and management of enterprise IT.

Having gone through these exercises of mapping ISO/IEC 27001:2005 controls to ISO/IEC 27001:2013 controls and getting the results from COBIT 4.1 data mapped to COBIT 5, it can be deduced that when these controls are properly mapped, the end results show an evenly distributed BSC for APO, BAI, DSS and MEA (the core operation/enterprise IT management areas in COBIT 5), while EDM is more of a governance area and has a lower score in all outcomes.

Enterprises that understand the risk and exploit the benefits of IT and cascade IT strategy and goals down to the enterprise business will insist that IT control framework be adopted and implemented, as IT governance is not an isolated discipline in an organization.

The need to integrate IT governance with overall business governance is similar to the need for IT to be an integral part of the business. Organizations recognize that risk exists due to the confluence of assets, threats and vulnerabilities and, accordingly, employing mitigating controls that reduce one or all of these factors will reduce the overall risk exposure of the organization.

Enterprise security is no longer a concern for only the IT department. Today’s IoT world means that data are a core business asset, valuable to companies and cybercriminals or Internet hackers alike.

Christopher Oparaugo, CISM, CGEIT, CRISC

is the chief technology officer at KATEC Consulting Ltd. He has also worked in various positions in the telecommunication and banking industries in West Africa. Prior to joining KATEC Consulting Ltd, he was an information security consultant with IBM Global Business Services. Oparaugo has contributed to the ISACA® Certified Information Security Manager®, Certified in the Governance of Enterprise IT® and Certified in Risk and Information Systems Control examinations. He has also participated in ISACA certification projects and has been part of the ISACA Test Enhancement Committee since 2005, setting exam questions and reviewing exam manuals.

Endnotes

1 Oparaugo, C.; “ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance,” COBIT Focus, 14 December 2015, figure 10

2 Kaplan, R.; D. Norton; “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review, January-February 1996, p. 75-85

3 Van Grembergen, W.; “The Balanced Scorecard and IT Governance,” Information Systems Control Journal, vol. 2, 2000

4 Op cit, Oparaugo

5 Ibid.

6 International Organization for Standardization, ISO/IEC 27001 Information Security Management

7 Op cit, Oparaugo

8 Op cit, ISO/IEC 27001

10 Ibid.

11 Ibid.

12 Ibid.

13 ISACA, COBIT ® 5, USA, 2012

14 Ibid.

15 Ibid.

16 Op cit, IT Governance.com

17 Op cit, COBIT 5

18 Gold, C.; “Total Quality Management in Information Services—IS Measures: A Balancing Act,” Ernst & Young Center for Information Technology and Strategy, research note, 1992

19 Op cit, COBIT 5

20 Ibid.

21 Ibid.

22 Lawrie, G.J.G.; I. Cobbold; J. Marshall; “Corporate Performance Management System in a Devolved UK … A Case Study,” International Journal of Productivity and Performance Management, vol. 53, no. 4, 2004, p. 353-370

23 Op cit, Kaplan and Norton

24 Ibid.

25 Ibid.

26 Op cit, COBIT 5

28 Ibid.

29 Ibid.

30 Op cit, Oparaugo