by
Greet VOLDERS
Voquals N.V. - Belgium
COBIT PAM – The Model
The goal of COBIT PAM :
COBIT PAM – The Presentation
The goal of this presentation :
COBIT PAM – Agenda
• What is the PAM
• Different parts of the PAM
• How to scope an assessment
• How to start an improvement program
What is the COBIT Assessment Process ?
• Brings together two proven heavyweights in
the IT arena, ISO and ISACA.
– COBIT 4.1 and COBIT 5
• widely used framework for IT governance, risk
management and control
– ISO15504
• a reference model/standard for assessing process
capability
What is the COBIT Assessment Process ?
• The COBIT Assessment process consists of:
– COBIT Process Assessment Model (PAM)
• PAM COBIT 4.1
• PAM COBIT 5
– COBIT Assessment Process Guide for Certified Assessors
– Self Assessment Guide
What is the COBIT Assessment Process ?
• The COBIT PAM adapts the existing COBIT content into an
ISO 15504 compliant process assessment model.
COBIT PAM – Agenda
• What is the PAM
• Different parts of the PAM
• How to scope an assessment
• How to start an improvement program
Assessment Overview
Process Reference Model = PRM
PRM Based on COBIT 4.1
PRM Based on COBIT 5
Assessment Overview
Process capability levels
Process Attribute Ratings and Capability Levels
Measurement Framework
• COBIT Assessment Process measures the extent to which a given process achieves
specific attributes relative to that process – “Process Attributes”
• 9 Process Attributes (based on ISO/IEC 15504-2)
– PA1.1 – process performance
– PA2.1 – work product management
– PA2.2 – performance management
– PA3.1 – process definition
– PA3.2 – process deployment
– PA4.1 – process measurement
– PA4.2 – process control
– PA5.1 – process innovation
– PA5.2 – continuous optimization
Process Attributes: PA1.1 - Process performance
– The process performance attribute is a measure of the extent to which the
process purpose is achieved.
– As a result of full achievement of this attribute the process achieves its
defined outcomes
Process Attributes Rating Scale
• N – Not achieved: 0 to 15 % achievement
– There is little or no evidence of achievement of the defined attribute in the assessed process.
• P – Partially achieved: > 15 % to 50 % achievement
– There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.
• L – Largely achieved: > 50 % to 85 % achievement
– There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.
• F – Fully achieved: > 85 % to 100 % achievement
– There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.
Assessing Attribute Achievement
COBIT Assessment Process
Process Attributes and Capability Levels
[Figure: Process Attributes and Capability Levels. Annotations: "Very much the same for COBIT 4.1 and COBIT 5" and "Specific for COBIT 4.1 and COBIT 5".]
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at
www.iso.org. Copyright remains with ISO.
COBIT Assessment Process
Assessment Process Activities
1 Initiation
2 Planning
3 Briefing
4 Data collection
5 Data validation
6 Process attributes rating, and
7 Assessment reporting
COBIT PAM – Agenda
• What is the PAM
• Different parts of the PAM
• How to scope an assessment
• The enterprise’s needs and value of performing an
IT process assessment
• Scoping the process assessment
• How to start an improvement program
Assessment Process Activities
1 Initiation
2 Planning
Scoping
3 Briefing
4 Data collection
5 Data validation
6 Process attributes rating, and
7 Assessment reporting
Scoping 1/3
• The aim of scoping for the assessment & improvement of COBIT
processes is to focus the processes & process-optimisation
on the business needs of the organization.
This reduces the overall effort involved in evaluating & improving
processes.
• One of the benefits of using COBIT® is that it has extensive validated
mappings from Business Objectives, and IT Objectives to the
IT processes.
– COBIT® 4.1 : Appendix 1
– COBIT® 5 : Appendix B & C.
– These are available in the tool kit.
Scoping 2/3
• There is a 6 Step Selection Process:
Step 1 Identify relevant business drivers for the IT processes
Step 2 Prioritize the enterprise’s IT processes.
Step 3 Perform a preliminary selection of target processes, based on the
above prioritization
Step 4 Confirm the preliminary selection of target processes with the Project
Sponsor and key Stakeholders.
Step 5 Finalize the list of processes.
Step 6 Document the scoping methodology in the assessment records.
Scoping 3/3
Available Mappings
• COBIT 5
Mapping Enterprise Goals to IT-related Goals
Mapping IT-related Goals to IT-related processes
• COBIT 4.1
Mapping IT processes to IT governance focus areas and COSO
US Sarbanes-Oxley Act
Cloud Computing
Self Diagnostic
Scoping Toolkit
Scoping Toolkit : 1. Table of Content
• Short explanation of the documents available in the
toolkit
Scoping Toolkit : 2. Assessment Scoping Tool
• An Excel® file that brings together various existing mappings related
to COBIT 4.1 in a hierarchical tree format, including:
– Mapping of COBIT 4.1 processes to the five IT governance focus areas
– Mapping of COBIT 4.1 processes to IT goals to business goals to IT balanced
scorecard
– Mapping COBIT 4.1 processes to IT goals (subset of information contained in
the item above)
– Cloud computing
– Sarbanes-Oxley
– Self-diagnostic tool
Tool Kit 27Oct 2011\2. COBIT 4 1 Assessment Scoping Tool.xlsx
Scoping Toolkit : 3. Assessment Report Template
• A Word® file containing an example of a Process Capability
Assessment Report for an example company, performed
using the COBIT assessment programme methodology.
– Appendix of the Assessors’ Guide
Tool Kit 27Oct 2011\3. Assessment Report Template (Appendix D3).docx
Scoping Toolkit : 3. Assessment Report Template
COBIT Process Capability Assessment Report
Scoping Toolkit : 4. Assessment Template
• Summary of Results Template (Assessor Guide Report Example)
– Templates to help you to collect data and analyse the assessment levels
• Consists of 3 sheets:
– Summary Results
– Process Ratings and Attributes
– Example Data Collection Level 1
Tool Kit 27Oct 2011\4. Assessment Templates.xlsx
Scoping Toolkit : 5. COBIT Assessor Presentation Techniques
• A PowerPoint® file
• Containing sample templates and examples
• To be used to support the assessment activities described in the publication COBIT® 4.1 Assessors Guide: Using COBIT® 4.1
• Especially process improvement and board presentations.
Tool Kit 27Oct 2011\5. COBIT 4 1 Assessmnt Present. Techniques.pptx
Scoping Toolkit : 6. Assessment Programme Introduction
• A PowerPoint file that provides:
– An understanding of the new COBIT assessment programme
– An understanding of the relationship to ISO/IEC 15504 and why ISACA selected this standard
– A walk through with one of the key COBIT 4.1 processes
DS1 Define and manage service levels
Tool Kit 27Oct 2011\6. Assessment Programme Introduction.pptx
Scoping Toolkit : 7. Self-assessment Templates
• An Excel file with separate evaluation sheets for all 34 COBIT 4.1 processes.
Tool Kit 27Oct 2011\7. Self-assessment Templates.xlsx
COBIT 5 Principles
COBIT Process Capability Assessment Report
Based on Stakeholders Needs
Goals cascade
COBIT 5 Enterprise Goals
Mapping the 2 selected Enterprise Goals to IT-related Goals
Mapping IT-related Goals to IT-related Processes
Selected COBIT Processes
• EDM
– EDM02 - EDM03 - EDM04 - EDM05
• APO
– APO01 - APO03 - APO04 - APO05 - APO06 - APO07 - APO11
• BAI
– BAI01 - BAI04 - BAI09 - BAI10
• DSS
– DSS01 – DSS03
• MEA
– MEA01
COBIT Process Capability Assessment Report
COBIT PAM – Agenda
• What is the PAM
• Different parts of the PAM
• How to scope an assessment
• How to start an improvement program
COBIT Process Capability Assessment Report
Finding & Recommendations
Recommendations resulting from the assessment.
Ensure that each recommendation can be traced to
o the related process,
o capability attribute and
o process outcome/work product
Finding & Recommendations
Propose a program based on the findings & recommendations
o Combine the results across multiple processes
(all in the scope of the assessment ! )
o Propose a target process capability level for the processes based on
o Benchmarks
o COBIT Online
and indicate the degree of achievement….
Recommendations
Consider the Seven Phases to develop an implementation proposal
Recommendations
With attention for the 3 Components of the Life Cycle
COBIT PAM – What have we learned?
• How to evaluate the enterprise’s need and value of performing
an IT process assessment
• The concepts of PAM, with the PRM and the rating scale
• How using the COBIT Assessment Process approach adds value
to satisfy the enterprise’s needs by correctly scoping the assessment
• Understand the steps for planning and executing the assessment
in an efficient and effective way
• Use the outcome of the assessment to propose and/or launch an
improvement program
More Information
Voquals N.V.
Greet Volders
Genebroek 34
2450 Meerhout
Phone +32 14 22 54 04
Mobile +32 475 63 45 06
Gvolders@voquals.be
www.voquals.be
For more information on this and other Euro CACS / ISRM Topics or to network
with others interested in this topic, please visit ISACA’s
IT and Professional Networking and Knowledge Center:
http://www.isaca.org/Knowledge-Center