COBIT 5 PAM

(Process Assessment Model)

by
Greet VOLDERS
Voquals N.V. - Belgium
COBIT PAM – The Model
The goal of COBIT PAM:

COBIT PAM provides the basis for an assessment of an enterprise’s IT processes against COBIT 4.1 or COBIT 5 and enables process capability assessments to support improvement.

The assessment is evidence-based to ensure a reliable, consistent and repeatable assessment process in the area of governance and management of IT.

COBIT PAM – The Presentation
The goal of this presentation:

To understand the concepts of the COBIT PAM (Process Assessment Model) and to learn how to execute a Capability Assessment in an efficient and effective way.

COBIT PAM – Agenda
• What is the PAM
• Different parts of the PAM
• How to scope an assessment
• How to start an improvement program

What is the COBIT Assessment Process ?
• Brings together two proven heavyweights in
the IT arena, ISO and ISACA.
– COBIT 4.1 and COBIT 5
• widely used framework for IT governance, risk
management and control
– ISO15504
• a reference model/standard for assessing process
capability
What is the COBIT Assessment Process ?
• The COBIT Assessment process consists of:
– COBIT Process Assessment Model (PAM)
• PAM COBIT 4.1
• PAM COBIT 5
– COBIT Assessment Process Guide for Certified Assessors
– Self Assessment Guide
What is the COBIT Assessment Process ?
• The COBIT PAM adapts the existing COBIT content into an
ISO 15504 compliant process assessment model.
Assessment Overview
Process Reference Model = PRM
PRM Based on COBIT 4.1
PRM Based on COBIT 5
Assessment Overview
Process capability levels
Process Attribute Ratings and Capability Levels
Measurement Framework
• COBIT Assessment Process measures the extent to which a given process achieves
specific attributes relative to that process – “Process Attributes”
• 9 Process Attributes (based on ISO/IEC 15504-2)
– PA1.1 – process performance
– PA2.1 – work product management
– PA2.2 – performance management
– PA3.1 – process definition
– PA3.2 – process deployment
– PA4.1 – process measurement
– PA4.2 – process control
– PA5.1 – process innovation
– PA5.2 – continuous optimization
Process Attributes: PA1.1 - Process performance
– The process performance attribute is a measure of the extent to which the
process purpose is achieved.
– As a result of full achievement of this attribute the process achieves its
defined outcomes
– Example: outcomes of BAI01 – Manage Programmes & projects
Process Attributes: PA 2.1 Performance Management
a measure of the extent to which the performance of the process is managed
– As a result of full achievement of this attribute:
• Objectives for the performance of the process are identified
• Performance of the process is planned and monitored
• Performance of the process is adjusted to meet plans
• Responsibilities and authorities for performing the process are defined, assigned
and communicated
• Resources and information necessary for performing the process are identified,
made available, allocated and used
• Interfaces between the involved parties are managed to ensure effective
communication and clear assignment of responsibility
Process Attributes: PA 2.2 Work Product Management
a measure of the extent to which the work products produced by the
process are appropriately managed
– As a result of full achievement of this attribute:
• Requirements for the work products of the process are defined.
• Requirements for documentation and control of the work products are
defined.
• Work products are appropriately identified, documented and controlled.
• Work products are reviewed in accordance with planned arrangements
and adjusted as necessary to meet requirements.
Process Attributes Rating Scale
COBIT Assessment Process measures the extent to which a given process achieves the “Process Attributes”

N Not achieved 0 to 15 % achievement
P Partially achieved > 15 % to 50 % achievement
L Largely achieved > 50 % to 85 % achievement
F Fully achieved > 85 % to 100 % achievement

Process Attributes Rating Scale
N Not achieved 0 to 15 % achievement
There is little or no evidence of achievement of the defined attribute in the assessed process.
P Partially achieved > 15 % to 50 % achievement
There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.
L Largely achieved > 50 % to 85 % achievement
There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.
F Fully achieved > 85 % to 100 % achievement
There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.

Assessing Attribute Achievement

COBIT Assessment Process

Process Attributes and Capability Levels

[Figure: Process Attributes and Capability Levels, annotated "Very much the same for COBIT 4.1 and COBIT 5" and "Specific for COBIT 4.1 and COBIT 5"]

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at
www.iso.org. Copyright remains with ISO.
COBIT Assessment Process

Assessment Process Activities
1 Initiation
2 Planning
3 Briefing
4 Data collection
5 Data validation
6 Process attributes rating, and
7 Assessment reporting

COBIT PAM – Agenda
• What is the PAM
• Different parts of the PAM
• How to scope an assessment
• The enterprise’s needs and value of performing an
IT process assessment
• Scoping the process assessment
• How to start an improvement program

Assessment Process Activities
1 Initiation
2 Planning
– Scoping
3 Briefing
4 Data collection
5 Data validation
6 Process attributes rating, and
7 Assessment reporting

Scoping 1/3
• The aim of scoping for the assessment & improvement of COBIT
processes is to focus the processes & process optimisation
on the business needs of the organization.
This reduces the overall effort involved in evaluating & improving
processes.
• One of the benefits of using COBIT® is that it has extensive validated
mappings from Business Objectives, and IT Objectives to the
IT processes.
– COBIT® 4.1 : Appendix 1
– COBIT® 5 : Appendix B & C.
– These are available in the tool kit.
Scoping 2/3
• There is a 6 Step Selection Process:
– Step 1 Identify relevant business drivers for the IT processes.
– Step 2 Prioritize the enterprise’s IT processes.
– Step 3 Perform a preliminary selection of target processes, based on the above prioritization.
– Step 4 Confirm the preliminary selection of target processes with the Project Sponsor and key Stakeholders.
– Step 5 Finalize the list of processes.
– Step 6 Document the scoping methodology in the assessment records.
Scoping 3/3
Available Mappings
• COBIT 5
– Mapping Enterprise Goals to IT-related Goals
– Mapping IT-related Goals to IT-related processes
• COBIT 4.1
– Mapping IT processes to IT governance focus areas and COSO
– US Sarbanes-Oxley Act
– Cloud Computing
– Self Diagnostic
Scoping Toolkit
Scoping Toolkit : 1. Table of Content
• Short explanation of the documents available in the
toolkit
Scoping Toolkit : 2. Assessment Scoping Tool
• An Excel® file that brings together various existing mappings related
to COBIT 4.1 in a hierarchical tree format, including:
– Mapping of COBIT 4.1 processes to the five IT governance focus areas
– Mapping of COBIT 4.1 processes to IT goals to business goals to IT balanced
scorecard
– Mapping COBIT 4.1 processes to IT goals (subset of information contained in
the item above)
– Cloud computing
– Sarbanes-Oxley
– Self-diagnostic tool
• File: Tool Kit 27Oct 2011\2. COBIT 4 1 Assessment Scoping Tool.xlsx

Scoping Toolkit : 3. Assessment Report Template
• A Word® file containing an example of a Process Capability
Assessment Report for an example company, performed
using the COBIT assessment programme methodology.
– Appendix of the Assessors’ Guide
• File: Tool Kit 27Oct 2011\3. Assessment Report Template (Appendix D3).docx

Scoping Toolkit : 3. Assessment Report Template
COBIT Process Capability Assessment Report

Scoping Toolkit : 4. Assessment Template
• Summary of Results Template (Assessor Guide Report Example)
– Templates to help you to collect data and analyse the assessment levels
• Consists of 3 sheets:
– Summary Results
– Process Ratings and Attributes
– Example Data Collection Level 1
• File: Tool Kit 27Oct 2011\4. Assessment Templates.xlsx

Scoping Toolkit : 5. COBIT Assessor Presentation Techniques
• A PowerPoint® file
• Containing sample templates and examples
• To be used to support the assessment activities described in the publication COBIT® 4.1 Assessors Guide: Using COBIT® 4.1,
• Especially process improvement and board presentations.
• File: Tool Kit 27Oct 2011\5. COBIT 4 1 Assessmnt Present. Techniques.pptx

Scoping Toolkit : 6. Assessment Programme Introduction
• A PowerPoint file that provides:
– An understanding of the new COBIT assessment programme
– An understanding of the relationship to ISO/IEC 15504 and why ISACA selected this standard
– A walk through with one of the key COBIT 4.1 processes: DS1 Define and manage service levels
• File: Tool Kit 27Oct 2011\6. Assessment Programme Introduction.pptx

Scoping Toolkit : 7. Self-assessment Templates
• An Excel file with separate evaluation sheets for all 34 COBIT 4.1 processes.
– File: Tool Kit 27Oct 2011\7. Self-assessment Templates.xlsx
• An Excel file with all COBIT 5 processes is available, which can support your self-assessment for all 37 COBIT 5 processes.
– File: 10 COBIT5-Governance-and-Management-Practices-Activities

COBIT 5 Principles
COBIT Process Capability Assessment Report

Based on Stakeholders Needs

Scoping ..2
• There is a 6 Step Selection Process:
– Step 1 Identify relevant business drivers for the IT processes.
– Step 2 Prioritize the enterprise’s IT processes.
– Step 3 Perform a preliminary selection of target processes, based on the above prioritization.
– Step 4 Confirm the preliminary selection of target processes with the Project Sponsor and key Stakeholders.
– Step 5 Finalize the list of processes.
– Step 6 Document the scoping methodology in the assessment records.
Goals cascade

COBIT 5 Enterprise Goals
Mapping the 2 selected Enterprise Goals to IT-related Goals
Mapping IT-related Goals to IT-related Processes
Selected COBIT Processes
• EDM
– EDM02 - EDM03 - EDM04 - EDM05
• APO
– APO01 - APO03 - APO04 - APO05 - APO06 - APO07 - APO11
• BAI
– BAI01 - BAI04 - BAI09 - BAI10
• DSS
– DSS01 - DSS03
• MEA
– MEA01
COBIT Process Capability Assessment Report
Finding & Recommendations
• Recommendations resulting from the assessment.
• Ensure that each recommendation can be traced to
– the related process,
– capability attribute and
– process outcome/work product

• BE OBJECTIVE & REPEATABLE

Finding & Recommendations
• Propose a program based on the findings & recommendations
– Combine the results across multiple processes (all in the scope of the assessment!)
– Propose a target process capability level for the processes, based on:
    – Benchmarks
    – COBIT Online
  and indicate the degree of achievement.

Recommendations
• Consider the Seven Phases to develop an implementation proposal

Recommendations
• With attention for the 3 Components of the Life Cycle

COBIT PAM – What have we learned?
• How to evaluate the enterprise’s need and value of performing
an IT process assessment
• The concepts of PAM, with the PRM and the rating scale
• How using the COBIT Assessment Process approach adds value
to satisfy enterprise’s needs by correctly scoping the assessment
• Understand the steps for planning and executing the assessment
in an efficient and effective way
• Use the outcome of the assessment to propose and/or launch an
improvement program
More Information

Voquals N.V.
Greet Volders
Genebroek 34
2450 Meerhout
Phone +32 14 22 54 04
Mobile +32 475 63 45 06

Gvolders@voquals.be
www.voquals.be
