
COBIT
Control Objectives for Information and Related Technologies
(Turkish: Bilgi ve İlgili Teknolojiler için Kontrol Hedefleri)

ISE501 Foundations in IT Management
Eda TOPALOĞLU 120510001
Emriye COŞKUN 120510004
Faruk TFTKC 120501004

What is COBIT?
- Provides an understanding of IT
- Lets us decide more efficiently about IT
- By using it, we can understand and manage IT investments
- Identifies the major IT resources
- Defines the management control objectives
- Organises IT activities
- Better quality IT services

What is COBIT?
- COBIT helps managers, controllers and IT users to reach their goals
- COBIT is focused on what is required to achieve two things: increase the value of IT and reduce related risks

What are the differences between COBIT 4.1 and COBIT 5?
1. New GEIT Principles
2. Increased Focus on Enablers
3. New Process Reference Model
4. New and Modified Processes
5. Practices and Activities
6. Goals and Metrics
7. Inputs and Outputs
8. RACI Charts
9. Process Capability Maturity Models and Assessments

1. New GEIT Principles
COBIT 5 is based on five key principles.

1.1. Meeting Stakeholder Needs
- Enterprises exist to create value for their stakeholders.
- Enterprises have many stakeholders.
- Value creation means realising benefits at an optimal resource cost while optimising risk.
- The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
- Stakeholder needs have to be transformed into an enterprise's actionable strategy.
- The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customised enterprise goals.

1.2. Covering the Enterprise End-to-End
COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective. This means that COBIT 5:
- Integrates governance of enterprise IT into enterprise governance.
- Covers all functions and processes within the enterprise.

1.3. Applying a Single Integrated Framework
COBIT 5 is a single and integrated framework because:
- it aligns with the other latest relevant standards and frameworks used by enterprises
- it provides a simple architecture for structuring guidance materials
- it integrates different ISACA frameworks such as Val IT, Risk IT and BMIS
This allows the enterprise to use COBIT 5 as the governance and management framework integrator.

The following frameworks, standards and other guidance were used as reference material and input for the development of COBIT 5:
- ITIL
- TOGAF
- ISO
- FEA (Federal Enterprise Architecture)
- CEAF (The Commission Enterprise IT Architecture Framework)
- APM (Association for Project Management)
- etc.

1.4. Enabling a Holistic Approach
The COBIT 5 framework describes seven categories of enablers:
1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

1.4.1. Principles, policies and frameworks
Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.

1.4.2. Processes
Processes describe an organised set of practices. Processes describe the activities to achieve certain objectives and produce a set of outputs.

1.4.3. Organisational Structures
Organisational structures are the decision mechanism in an enterprise.

1.4.4. Culture, ethics and behaviour
Culture, ethics and behaviour of individuals are very often ignored in governance and management activities.

1.4.5. Information
Information is pervasive throughout any organisation. Information is required for keeping the organisation running.

1.4.6. Services, infrastructure and applications
Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology.

1.4.7. People, skills and competencies
People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

1.5. Separating Governance from Management
The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines:
- Encompass different types of activities
- Require different organisational structures
- Serve different purposes

Governance: In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management: In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
Management: Management plans, builds, runs and monitors activities to achieve the enterprise objectives.

Val IT and Risk IT frameworks are principles-based. COBIT 5 includes Risk IT and Val IT.

Risk IT
- IT risk is a part of business risk
- Provides an end-to-end, comprehensive view of all risks
- Helps to understand how to manage the risk
- Risk can be categorised as:
  - IT benefit/value enabler
  - IT operation and service delivery
  - IT programme/project delivery

Val IT
- Is a governance framework that can be used to create business value from IT investments
- This framework is used to realise valuable investments

2. Increased Focus on Enablers
- COBIT 4.1 did not have enablers.
- Information, infrastructure, applications (services) and people (people, skills and competencies) were COBIT 4.1 resources.
- This part is related to Enabling a Holistic Approach (principle 1.4).

3. New Process Reference Model
COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end, i.e., business and IT function areas.
COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into one framework.

4. New and Modified Processes
COBIT 5 introduces five new governance processes that have leveraged and improved the COBIT 4.1, Val IT and Risk IT governance approaches. This guidance helps enterprises to further refine and strengthen executive management-level GEIT practices and activities.

There are several new and modified processes that reflect current thinking, in particular:
- APO03 Manage enterprise architecture
- APO04 Manage innovation
- APO05 Manage portfolio
- APO06 Manage budget and costs
- APO08 Manage relationships
- APO13 Manage security
- BAI05 Manage organisational change enablement
- BAI08 Manage knowledge
- BAI09 Manage assets
- DSS05 Manage security service

COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view. This provides for a more holistic and complete coverage of practices reflecting the pervasive enterprise-wide nature of IT use.

5. Practices and Activities
The COBIT 5 governance or management practices are equivalent to the COBIT 4.1 control objectives and the Val IT and Risk IT processes.
The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and the Val IT and Risk IT management practices.

6. Goals and Metrics
COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view.
COBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals and then supported by critical processes.

7. Inputs and Outputs
COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level.
This provides additional detailed guidance for designing processes to include essential work products and to assist with interprocess integration.

8. RACI Charts
COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT.
COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.

Source: COBIT 4.1, page 39. 2007 IT Governance Institute. All rights reserved.
Source: COBIT 5: Enabling Processes, page 31. 2012 ISACA. All rights reserved.

9. Process Capability Models and Assessments
COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modelling approach.
COBIT 5 will be supported by a new process capability assessment approach based on ISO/IEC 15504, and the COBIT Assessment Programme has already been established for COBIT 4.1 as an alternative to the CMM approach.

The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method. The COBIT Assessment Programme supports:
- Formal assessments by accredited assessors (assessor training is being developed)
- Less rigorous self-assessments for internal gap analysis and process improvement planning

COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach.
Although some of the information gathered from previous assessments may be reusable, care will be needed in migrating this information forward because there are significant differences in requirements.

COBIT 5 FRAMEWORK

DEFINITION
COBIT 5 is a governance and management framework for information and related technology that starts from stakeholder needs with regard to information and technology.
The COBIT 5 framework is intended for all enterprises, including the nonprofit and public sector.

COBIT 5 Framework - 5 Principles
The COBIT 5 framework is based on 5 principles.

Principle 1: Integrator Framework
COBIT 5 is an integrator framework since it:
- Brings together existing ISACA guidance on governance and management of enterprise IT
- Aligns with the latest relevant other standards and frameworks
- Provides a simple architecture for structuring guidance materials and producing a consistent product set

2. The Governance Objective
Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation.
Value creation: realising benefits at an optimal resource cost whilst optimising risk.

3. Business & Context Focus
- Focussing on enterprise goals and objectives, by covering all of the critical business elements
- Every organisation operates in a different context; this context is determined by external factors
- This requires that every organisation builds its own, customised governance and management system.

4. The COBIT 5 Governance Approach: Enabler-based
Governance Enablers: They are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, toward or through which action is directed and objectives can be attained.
Governance Scope: Governance can be applied to the whole enterprise, an entity, or a tangible or intangible asset.
Roles, Activities and Relationships:
- how they are involved
- what they do
- how they interact

5. Governance and Management Structured
The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines:
- include different types of activities
- require different organisational structures
- serve different purposes

Governance: It ensures that stakeholder needs, conditions and options are evaluated to determine:
- balanced, agreed-on enterprise objectives to be achieved;
- setting direction through prioritisation and decision making;
- monitoring performance and compliance against agreed-on direction and objectives.
Management: It plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

COBIT 5 Architecture
- The Governance Objectives
- Existing ISACA guidance (COBIT 4.1, Val IT 2, Risk IT, BMIS, etc.)
- Other relevant standards and frameworks
- COBIT 5 Enablers: Processes; Culture, Ethics and Behaviour; Organisational Structure; Information; Principles and Policies; Skills and Competencies; Service Capabilities
- COBIT 5 Knowledge Base: current guidance and content; structure for future contents

COBIT 5 Product Family
- COBIT 5: The Framework (this volume)
- COBIT 5: Process Reference Guide
- COBIT 5: Implementation Guide
- COBIT 5: Practice Guide

Value Creation
The governance objective is value creation, which means realising benefits at an optimal resource cost whilst optimising risk.
The stakeholders for enterprise IT can be:
- Internal
- External

Governance Objectives
Governance objectives are based on the stakeholders' needs and the value creation (benefits, resources and risks).
The existing ISACA guidance is used: COBIT 4.1, Val IT, Risk IT, BMIS, ITAF, TGF, Board Briefing.
Other relevant frameworks: ITIL, TOGAF.

Goals Cascade
- Governance objectives translate into enterprise goals
- Realising enterprise goals requires IT-related goals
- For IT-related goals to be achieved, enablers are required
- Enterprise goals are mapped to governance objectives
- IT-related goals

Enablers
Enablers are tangible and intangible elements that make governance and management over enterprise IT work. The enablers are driven by the goals cascade.

Generic Enabler Model
This model is a key component of the COBIT 5 framework because it is the basic structure for all seven categories of enablers.
The generic model identifies a number of components that are common for each enabler.

Enabler Capability Levels
The process maturity model of COBIT 4.1 has been replaced with a capability model based on ISO/IEC 15504.

Knowledge Base & Products
- The knowledge base contains all guidance and content
- A series of products is built from the knowledge base

Governance & Management Processes
COBIT 5 holds that organisations implement governance and management processes such that the key areas above are covered.
The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor practices are defined.
The 4 MANAGEMENT domains, in line with the responsibility areas of plan, build, run and monitor, provide an end-to-end coverage of IT.

Process Reference Model
- 1 governance domain: EDM
- 4 management domains: APO, BAI, DSS, MEA
- The complete set of 36 processes: 5 governance & 36 management processes

Implementation
The 7 phases of the implementation life cycle

COBIT 4.1 MAPPING: ITIL v3
Every organisation needs to adapt the use of standards and practices to suit its individual requirements. COBIT helps to define what should be done and ITIL provides the how for service management aspects.

Typical uses for the standards and practices are:

To support governance by:
- Providing a management policy and control framework
- Enabling process ownership, clear responsibility and accountability for IT activities
- Aligning IT objectives with business objectives, setting priorities and allocating resources
- Ensuring return on investments and optimizing costs
- Making sure that significant risks have been identified and are transparent to management, responsibility for risk management has been assigned and embedded in the organisation, and assurance that effective controls are in place has been provided to management
- Ensuring resources have been organised efficiently and sufficient capability (technical infrastructure, process and skills) exists to execute the IT strategy
- Making sure that critical IT activities can be monitored and measured, so problems can be identified and corrective action can be taken

To define requirements in service and project definitions, internally and with service providers. For example:
- Improving IT service and business process alignment and integration
- Setting clear, business-related IT objectives and metrics
- Defining services and projects in end-user terms
- Creating SLAs and contracts that can be monitored by customers
- Making sure that customer requirements have been cascaded properly into technical IT operational requirements
- Considering services and project portfolios collectively so relative priorities can be set and resources can be allocated on an equitable and achievable basis

To verify provider capability or demonstrate competence to the market by:
- Independent third-party assessments and audits
- Contractual commitments
- Attestations and certifications

To facilitate continuous improvement by:
- Maturity assessments
- Gap analyses
- Benchmarking
- Improvement planning
- Avoidance of reinventing already-proven good approaches

As a framework for audit/assessment and an external view through:
- Objective and mutually understood criteria
- Benchmarking to justify weaknesses and gaps in control
- Increasing the depth and value of recommendations by following generally accepted preferred approaches

HIGH LEVEL MAPPING

STRUCTURAL COMPARISON

COVERAGE OF IT GOVERNANCE FOCUS AREAS

DETAILED MAPPING COBIT TO ITIL

COBIT & ITIL MAPPING

Incident Management
ITIL v3: part of Service Operation
COBIT: part of Deliver & Support
Major tasks:
- Identify and track incidents in a timely manner.
- Classify the incident and provide initial support.
- Localise potential causes of the incident.
- Recover the services and manage closure.
- Take ownership of the incident.
- Monitor, track and communicate the execution.

Problem Management
ITIL v3: part of Service Operation
COBIT: part of Deliver & Support
Major tasks:
- Identify and record problems.
- Classify the problem, focused on the impact on the business.
- Investigate the root cause of the problem.
- Resolve the cause of the problem.
- Close the problem.

Configuration Management
ITIL v3: part of Service Transition
COBIT: part of Deliver & Support
Major tasks:
- Identify the demand for relevant information (purpose, scope, objectives, policies and procedures for sound configuration).
- With the owner, identify and label configuration items (CIs), available documentation, versions and interrelationships.
- Document CIs in a central configuration management database (CMDB).
- Establish procedures and documentation standards to ensure that only authorised and identifiable CIs are recorded and historical, traceable information is available.
- Ensure permanent accountability of data (status accounting).
- Verify and audit the physical existence of CIs recorded in the CMDB.

Change Management
ITIL v3: part of Service Transition
COBIT: part of Acquire & Implement
Major tasks:
- Record, log and filter requests for change (RFCs).
- Prioritise and categorise the RFC.
- Assess the impact of the RFC on the infrastructure and other services as well as on non-IT processes (e.g., information security), and the effects of not implementing the RFC.
- Identify required resources for implementing the RFC.
- Obtain approval for the RFC.
- Schedule the implementation.
- Implement the RFC.
- Review the implementation of the RFC.
- Establish an entity in charge of the authorisation process of those RFCs identified with major impact; this entity is called the change advisory board (CAB).

Capacity Management
ITIL v3: part of Service Delivery
COBIT: part of Deliver & Support
Major tasks:
- Define, plan and manage the requirements.
- Provide resources for the services.
- Monitor the performance of resources and adjust if necessary.
- Plan and implement improvements.
- Establish and maintain a capacity plan.

What are the DS3, DS4, DS8, DS9, DS10, DS11, DS13, AI6 and ME1 items?

DS3 MANAGE PERFORMANCE & CAPACITY
- Requires a process to periodically review current performance and capacity of IT resources
- Includes forecasting future needs based on workload, storage and contingency requirements
- Provides assurance that information resources supporting business requirements are continually available

DS3 has 5 principles.
DS3.1 Performance and Capacity Planning
- Establish a planning process for the review of performance and capacity of IT resources
- Leverage appropriate modeling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources
DS3.2 Current Performance and Capacity
- Determine if sufficient capacity and performance exist to deliver against agreed-upon service levels
DS3.3 Future Performance and Capacity
- Conduct performance and capacity forecasting of IT resources at regular intervals to minimize the risk of service disruptions
- Identify workload trends and determine forecasts to be input to performance and capacity plans
DS3.4 IT Resources Availability
- Provide the required capacity and performance, taking into account aspects
- Plans properly address availability, capacity and performance of individual IT resources
DS3.5 Monitoring and Reporting
- Maintain and tune current performance within IT and address
- Report delivered service availability to the business, as required by the SLAs

DS4 ENSURE CONTINUOUS SERVICE
- Providing continuous IT services requires developing, maintaining and testing IT continuity plans
- Minimize the probability and impact of a major IT service interruption on key business functions and processes

DS4 has 10 principles.
DS4.1 IT Continuity Framework
- Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process
- Address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes
DS4.2 IT Continuity Plans
- Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption
- Cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach
DS4.3 Critical IT Resources
- Build in resilience and establish priorities in recovery situations
- Avoid the distraction of recovering less-critical items and ensure response
- Consider resilience, response and recovery requirements for different tiers
DS4.4 Maintenance of the IT Continuity Plan
- Encourage IT management to define and execute change control procedures
- Communicate changes in procedures and responsibilities clearly and in a timely manner
DS4.5 Testing of the IT Continuity Plan
- Test the IT continuity plan on a regular basis
- Require careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan
DS4.6 IT Continuity Plan Training
- Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster
DS4.7 Distribution of the IT Continuity Plan
- Determine a defined and managed distribution strategy so that plans are properly and securely distributed and available to authorized interested parties
DS4.8 IT Services Recovery and Resumption
- Plan the actions to be taken for the period when IT is recovering and resuming services
- Include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures
DS4.9 Offsite Backup Storage
- Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans
- Determine the content of backup storage in collaboration between business process owners and IT personnel
DS4.10 Post-resumption Review
- Determine whether IT management has established procedures for assessing the adequacy of the plan and update the plan accordingly

DS8 MANAGE SERVICE DESK AND INCIDENTS
- Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process
- Includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution
- Includes increased productivity through quick resolution of user queries

DS8 has 5 principles.
DS8.1 Service Desk
- Establish a service desk function
- Include monitoring and escalation procedures based on agreed-upon service levels
DS8.2 Registration of Customer Queries
- Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs
- Work with such processes as incident management, problem management, change management, capacity management and availability management
DS8.3 Incident Escalation
- Establish service desk procedures
- Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless of which IT group is working on resolution activities
DS8.4 Incident Closure
- Establish procedures for the timely monitoring of clearance of customer queries
- When the incident has been resolved, the service desk records the resolution steps
DS8.5 Reporting and Trend Analysis
- Produce reports of service desk activity to enable management to measure service performance and service response times
- Identify trends or recurring problems

DS9 MANAGE THE CONFIGURATION
- Requires the establishment and maintenance of an accurate and complete configuration repository
- Includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed

DS9 has 3 principles.
DS9.1 Configuration Repository and Baseline
- Establish a supporting tool and a central repository to contain all relevant information on configuration items
- Monitor and record all assets and changes to assets
- Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes
DS9.2 Identification and Maintenance of Configuration Items
- Establish configuration procedures to support management and logging of all changes to the configuration repository
DS9.3 Configuration Integrity Review
- Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration
- Periodically review installed software against the policy for software usage
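The Configuration Management tasks above (authorised CIs only, a central CMDB, status accounting, auditing what is really deployed) and DS9.1 to DS9.3 describe a control, not a tool. The following is an added example, not from the slides and not ISACA or ITIL code, of what that control looks like when automated on a defender's side: a minimal repository that records configuration items with a content hash, refuses changes that carry no authorising reference, keeps a baseline per system, and runs an integrity review that reports drift, missing items and unrecorded assets. All CI names, attributes and the change reference RFC-0001 are constructed for the example.

```python
"""Configuration baseline and integrity review (DS9.1 / DS9.3 style).

Added example, not from the slides or from ISACA: a minimal CMDB-like
repository that records configuration items (CIs) with a content hash,
keeps a baseline, logs every authorised change as history, and performs
an integrity review that reports drift between baseline and observed state.
All CI names, attribute values and change references are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


def fingerprint(attributes: dict) -> str:
    """Stable SHA-256 over a CI's attributes (sorted keys, canonical JSON)."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class ConfigRepository:
    """Central repository: current CIs, a baseline snapshot and a history log."""
    items: dict = field(default_factory=dict)      # ci_id -> attributes
    baseline: dict = field(default_factory=dict)   # ci_id -> fingerprint
    history: list = field(default_factory=list)    # status accounting trail

    def record(self, ci_id: str, attributes: dict, change_ref):
        """Record a CI. DS9.2: a change to an existing CI must carry an
        authorising change reference; the initial registration may not."""
        if ci_id in self.items and change_ref is None:
            raise PermissionError(f"change to {ci_id} lacks an authorising change reference")
        self.items[ci_id] = dict(attributes)
        self.history.append({"ci": ci_id, "fingerprint": fingerprint(attributes),
                             "change_ref": change_ref})

    def set_baseline(self):
        """DS9.1: checkpoint the current fingerprints as the baseline."""
        self.baseline = {ci: fingerprint(a) for ci, a in self.items.items()}

    def integrity_review(self, observed: dict) -> dict:
        """DS9.3: compare what is actually deployed against the baseline.

        'drifted' -> baseline CI whose observed fingerprint differs
        'missing' -> baseline CI not found in the observed environment
        'unknown' -> observed CI that was never recorded (unauthorised asset)
        """
        report = {"drifted": [], "missing": [], "unknown": []}
        for ci, expected in self.baseline.items():
            if ci not in observed:
                report["missing"].append(ci)
            elif fingerprint(observed[ci]) != expected:
                report["drifted"].append(ci)
        for ci in observed:
            if ci not in self.items:
                report["unknown"].append(ci)
        return report


def demo_review() -> dict:
    """Constructed scenario: one authorised change, one silent drift, one unrecorded host."""
    repo = ConfigRepository()
    repo.record("web-01", {"os": "ubuntu-22.04", "sshd": {"PermitRootLogin": "no"}}, None)
    repo.record("db-01", {"os": "ubuntu-22.04", "postgres": "15"}, None)
    repo.set_baseline()

    # Authorised change, recorded through the repository with a (constructed) RFC reference.
    repo.record("db-01", {"os": "ubuntu-22.04", "postgres": "16"}, "RFC-0001")
    repo.set_baseline()

    # Observed state (constructed): web-01 was changed outside the process,
    # db-01 matches the baseline, and an unrecorded host web-99 has appeared.
    observed = {
        "web-01": {"os": "ubuntu-22.04", "sshd": {"PermitRootLogin": "yes"}},
        "db-01": {"os": "ubuntu-22.04", "postgres": "16"},
        "web-99": {"os": "debian-12"},
    }
    return repo.integrity_review(observed)


if __name__ == "__main__":
    print(json.dumps(demo_review(), indent=2))
```

The review output is what the slides call verifying the physical existence of CIs recorded in the CMDB: a drifted or unknown entry is a finding to feed back into incident or change management, and the history list is the traceable historical record DS9.3 asks to review alongside the current configuration.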

DS10 MANAGE PROBLEMS
- Requires the identification and classification of problems, root cause analysis and resolution of problems
- Includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions
- Maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction

DS10 has 4 principles.
DS10.1 Identification and Classification of Problems
- Implement processes to report and classify problems that have been identified as part of incident management
- Categorize problems as appropriate into related groups or domains (e.g., hardware, software, support software)
DS10.2 Problem Tracking and Resolution
- Allow tracking, analyzing and determining the root cause of all reported problems considering:
  - All associated configuration items
  - Outstanding problems and incidents
  - Known and suspected errors
  - Tracking of problem trends
DS10.3 Problem Closure
- Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after agreement
DS10.4 Integration of Configuration, Incident and Problem Management
- Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements

DS11 MANAGE DATA
- Requires identifying data requirements
- Includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media
- Helps ensure the quality, timeliness and availability of business data

DS11 has 6 principles.
DS11.1 Business Requirements for Data Management
- Verify that all data expected for processing are received and processed completely
- Support restart and reprocessing needs
DS11.2 Storage and Retention Arrangements
- Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organization's security policy and regulatory requirements
DS11.3 Media Library Management System
- Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity
DS11.4 Disposal
- Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred
DS11.5 Backup and Restoration
- Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan
DS11.6 Security Requirements for Data Management
- Define and implement policies and procedures to identify and apply security requirements

DS13 MANAGE OPERATIONS
- Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware
- Includes defining operating policies and procedures for effective management
- Helps maintain data integrity and reduces business delays and IT operating costs

DS13 has 5 principles.
DS13.1 Operations Procedures and Instructions
- Define, implement and maintain procedures for IT operations
- Cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities)
DS13.2 Job Scheduling
- Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements
DS13.3 IT Infrastructure Monitoring
- Define and implement procedures to monitor the IT infrastructure and related events
DS13.4 Sensitive Documents and Output Devices
- Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets
DS13.5 Preventive Maintenance for Hardware
- Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation

ME1 MONITOR AND EVALUATE IT PERFORMANCE
- Effective IT performance management requires a monitoring process
- Includes defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations

ME1 has 6 principles.
ME1.1 Monitoring Approach
- Establish a general monitoring framework and approach to define the scope, methodology and process
- Integrate the framework with the corporate performance management system
ME1.2 Definition and Collection of Monitoring Data
- Work with the business to define a balanced set of performance targets
- Have them approved by the business and other relevant stakeholders
- Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets
- Establish processes to collect timely and accurate data to report on progress against targets
ME1.3 Monitoring Method
- Deploy a performance monitoring method
- Capture measurements
- Provide a succinct, all-around view of IT performance
ME1.4 Performance Assessment
- Periodically review performance against targets
- Analyze the cause of any deviations
- Initiate remedial action to address the underlying causes
ME1.5 Board and Executive Reporting
- Develop senior management reports on IT's contribution to the business
- Include in status reports the extent to which planned objectives have been achieved, budgeted resources used, set performance targets met and identified risks mitigated
ME1.6 Remedial Actions
- Identify and initiate remedial actions based on performance monitoring, assessment and reporting
- Include follow-up of all monitoring, reporting and assessments through:
  - Review, negotiation and establishment of management responses
  - Assignment of responsibility for remediation
  - Tracking of the results of actions committed

AI6 MANAGE CHANGES
- All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner
- Provides mitigation of the risks of negatively impacting the stability or integrity of the production environment

AI6 has 5 principles.
AI6.1 Change Standards and Procedures
- Set up formal change management procedures to handle all requests in a standardized manner
AI6.2 Impact Assessment, Prioritization and Authorization
- Assess all requests for change in a structured way to determine the impact on the operational system and its functionality
AI6.3 Emergency Changes
- Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes
AI6.4 Change Status Tracking and Reporting
- Establish a tracking and reporting system to document rejected changes
- Communicate the status of approved and in-process changes, and complete changes
AI6.5 Change Closure and Documentation
- Whenever changes are implemented, update the associated system and user documentation and procedures accordingly
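The Change Management tasks listed earlier (record, categorise, assess impact, approve, schedule, implement, review, with a CAB for major-impact RFCs) and AI6.1 to AI6.5 together define a workflow whose value lies in the gates between stages. As an added example that is not from the slides and not ISACA or ITIL code, the following Python models an RFC as a small state machine: stages cannot be skipped, a major-impact change cannot be approved without the CAB (AI6.2), an emergency change may bypass scheduling but must still be categorised, assessed, authorised and reviewed afterwards (AI6.3), and every transition is logged for status tracking (AI6.4). The RFC identifiers, descriptions, the "CAB" and "change-manager" approver names and the maintenance window are all constructed.

```python
"""Request-for-change (RFC) workflow gate in the AI6 / ITIL change management style.

Added example, not from the slides or from ISACA/ITIL. Stage names, approver
names (CAB, change-manager) and all RFC data are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Stage order taken from the Change Management task list on the slides.
STAGES = ["recorded", "categorised", "assessed", "approved",
          "scheduled", "implemented", "reviewed"]


class ChangeControlError(Exception):
    """Raised when an RFC tries to skip a stage or lacks the required approval."""


@dataclass
class RFC:
    rfc_id: str
    description: str
    emergency: bool = False
    impact: str = ""                                # "minor" or "major", set when categorised
    approvals: set = field(default_factory=set)     # who authorised the change
    status: str = "recorded"
    log: list = field(default_factory=list)         # AI6.4 status tracking trail

    def _advance(self, to: str):
        """Move to the next stage. Only an emergency change may skip 'scheduled'."""
        if self.status == STAGES[-1]:
            raise ChangeControlError(f"{self.rfc_id}: already closed")
        expected = STAGES[STAGES.index(self.status) + 1]
        skip_ok = self.emergency and expected == "scheduled" and to == "implemented"
        if to != expected and not skip_ok:
            raise ChangeControlError(f"{self.rfc_id}: cannot go from {self.status} to {to}")
        self.status = to
        self.log.append(to)

    def categorise(self, impact: str):
        if impact not in ("minor", "major"):
            raise ValueError("impact must be 'minor' or 'major'")
        self.impact = impact
        self._advance("categorised")

    def assess(self, affected: list):
        """AI6.2: record the impact on systems and non-IT processes before approval."""
        self.log.append("impact assessed on: " + ", ".join(affected))
        self._advance("assessed")

    def approve(self, approver: str):
        """AI6.2: a major-impact RFC needs the CAB; minor ones a change manager."""
        self.approvals.add(approver)
        if self.impact == "major" and "CAB" not in self.approvals:
            raise ChangeControlError(f"{self.rfc_id}: major-impact change needs CAB approval")
        self._advance("approved")

    def schedule(self, window: str):
        self.log.append("scheduled for " + window)
        self._advance("scheduled")

    def implement(self):
        self._advance("implemented")

    def review(self, outcome: str):
        """AI6.5: post-implementation review closes the change with its documentation."""
        self.log.append("review: " + outcome)
        self._advance("reviewed")


def run_standard_change() -> RFC:
    """Constructed major-impact change that follows every stage, CAB included."""
    rfc = RFC("RFC-0001", "rotate the TLS certificate on the customer portal")
    rfc.categorise("major")
    rfc.assess(["web-01", "customer portal", "payment batch job"])
    rfc.approve("CAB")
    rfc.schedule("Sunday 02:00-04:00 (constructed window)")
    rfc.implement()
    rfc.review("successful, no incidents raised")
    return rfc


def run_emergency_change() -> RFC:
    """Constructed emergency security patch: scheduling skipped, review still required."""
    rfc = RFC("RFC-0002", "emergency security patch for db-01", emergency=True)
    rfc.categorise("minor")
    rfc.assess(["db-01"])
    rfc.approve("change-manager")
    rfc.implement()          # allowed without 'scheduled' only because emergency=True
    rfc.review("patched; monitoring confirmed service stable")
    return rfc


if __name__ == "__main__":
    for rfc in (run_standard_change(), run_emergency_change()):
        print(rfc.rfc_id, rfc.status, rfc.log)
```

The point of the gate is the two failure paths: a major-impact RFC approved by a single manager is rejected before it reaches scheduling, and an RFC that jumps straight to implementation raises an error, which is the "rejected changes" record AI6.4 asks to document.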

References
http://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf
http://www.isaca.org/Knowledge-Center/cobit/Documents/CobiT-4.1-Brochure.pdf
http://en.wikipedia.org/wiki/COBIT
http://www.google.com.tr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&sqi=2&ved=0CCIQFjAA&url=http%3A%2F%2Fwww.isaca.org%2FCOBIT%2FDocuments%2FCOBIT5-Compare-With4.1.ppt&ei=Ta17UKyeKYrCswaN74HoBg&usg=AFQjCNEf4XzkLoXZxfFYQLKOHICaXSlESg&sig2=i1HTIOC97nMm4k1kMmk1jQ
http://www.bpmwatch.com/columns/changing-role-of-governance-in-outsourcing-contract/
COBIT5-Framework-ED-27JUNE2011.pdf
Miha.ef.uni-lj.si/_dokumenti3plus2/192073/ITIL-COBIT_nov.pdf
COBIT%20Mapping%202nd%20Edition[1].pdf
Scillani%20Article%20Combining%20ITIL%20with%20Cobit%20and%2017799[1].pdf
itgovernance.co.uk/files/ITIL-COBiT-ISO17799JointFramework.pdf
www.financialexecutives.org/COBIT5-Update-Research-.pptx
http://www.qualified-auditpartners.be/user_files/QECB_IIA_COBIT5_EN_Overview_201111.pdf
http://www.slideshare.net/Billy82/microsoft-powerpoint-marrying-cobit-and-itil-foreffective#btnNext
http://www.mitsm.de/itil-wiki/process-descriptions-english/incident-management
http://www.slideshare.net/hafeezi/business-it-management-intro-to-cobit-itil9568869#btnNext
http://www.isaca.org/Education/Conferences/Documents/EuroCACSPresentations/323.pdf
