AN ISACA COBIT SERIES WHITE PAPER
COBIT 5 PRINCIPLES: WHERE DID THEY COME FROM?
Governance and management of enterprise information and related technology (GEIT) is ultimately the board of directors’ (or other governing entity’s) responsibility. The board sets the direction for management to achieve the enterprise objectives and is accountable to the enterprise stakeholders. COBIT 5 is an internationally accepted business GEIT framework from ISACA that was developed by, and for, practitioners and includes insights from IT and general management literature. This white paper helps practitioners to better understand the COBIT 5 principles and, therefore, be more efficient and effective in the application of the COBIT 5 GEIT framework to their enterprises. This paper clearly explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.
COBIT ® 5 Principles: Where Did They Come From?
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Provide feedback: www.isaca.org/COBIT5-Principles
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ISACA® With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
DISCLAIMER ISACA has designed and created COBIT® 5 Principles: Where Did They Come From? white paper (the “Work”) primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.
ACKNOWLEDGMENTS

Development Team
Steven De Haes, Ph.D., University of Antwerp—Antwerp Management School, Belgium
Roger Debreceny, Ph.D., CGEIT, FCPA, University of Hawaii at Manoa, USA
Wim Van Grembergen, Ph.D., University of Antwerp—Antwerp Management School, Belgium

Expert Reviewers
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK

Framework Committee
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore, Chairman
David Cau, GRCP, ITIL V3, MSP, Deloitte, Luxembourg
Joanne De Vito De Palma, CISM, BCMM Assessor, Konica Minolta Business Solutions, All Covered Financial Services Division, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Katherine McIntosh, CISA, CIA, Central Hudson Gas & Electric Corp., USA
Andre Pitkowski, CGEIT, CRISC, APIT, Informatica, Brazil
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
Sylvia Tosar, CGEIT, PMP, Uruguay
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance of IT (PTY) LTD., South Africa
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK (2013-2014)
Frank J. Cindrich, CGEIT, CIPP, CIPP/G, Deloitte & Touche LLP, USA (2013-2014)
INTRODUCTION COBIT 5 is an internationally accepted governance and management of enterprise information and related technology (GEIT) framework from ISACA that was developed by, and for, practitioners and includes insights from IT and general management literature. This white paper helps practitioners to better understand the COBIT 5 principles (figure 1) and, therefore, be more efficient and effective in the application of the COBIT 5 GEIT framework to their enterprises. This paper clearly explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.
Figure 1—The Five COBIT 5 Principles
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 2
PRINCIPLE 1
MEETING STAKEHOLDER NEEDS
The first principle addresses the need to align individual and departmental objectives and priorities with enterprise and stakeholder needs. The main purpose of GEIT is to achieve strategic alignment of information and related technology with the goals of the enterprise. However, a continuing challenge for enterprises is how to achieve and maintain this alignment as stakeholder needs and enterprise goals change. To assist enterprises with establishing and maintaining strategic alignment, ISACA undertook research to provide guidance for understanding how enterprise goals drive IT-related goals and vice versa. From this research, developers recorded generic enterprise goals and IT-related goals and represented their interrelationships in the COBIT 5 goals cascade (figure 2).
Figure 2—COBIT 5 Goals Cascade
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 4
This cascade constitutes the “top-down” entry point to COBIT 5 for enterprises that are considering the alignment of their information and related technology assets and resources. The goals cascade indicates that the first step that enterprises should take to analyze their business/IT strategic alignment is to define and link enterprise goals and IT-related goals in support of stakeholder needs. To facilitate a comprehensive approach to governing and managing the alignment of IT performance with enterprise goals, ISACA built on the balanced scorecard (BSC) concepts.1,2,3 The BSC is an approach to strategic planning and management that is accepted by many enterprises. The COBIT 5 enterprise goals and IT-related goals are grouped into the following BSC business perspectives:
• Financial
• Customer
• Internal
• Learning and Growth
COBIT 5 provides detailed mappings of enterprise goals to IT-related goals and detailed mappings of IT-related goals to IT-related processes, in addition to general outcome metrics to measure each of those goals and to build a scorecard for IT-related activities.
1 Kaplan, R.; D. Norton; “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review, USA, 1992
2 Van Grembergen, W.; R. Saul; S. De Haes; “Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group,” Journal for Information Technology Cases and Applications, USA, 2003
3 Balanced Scorecard Institute, a Strategy Management Group company, USA, 1998-2014, https://balancedscorecard.org
PRINCIPLE 2
COVERING THE ENTERPRISE END-TO-END
The governance system for enterprise IT (GEIT) proposed by COBIT 5 integrates seamlessly in any enterprise governance system. COBIT 5 aligns with the latest views on enterprise governance. COBIT 5 covers all functions and processes within the enterprise, not only the IT function, as was sometimes perceived to be the case with earlier COBIT versions. COBIT 5 considers information and related technologies to be assets and resources and treats them the same as other assets within the enterprise—an approach termed “IT savvy” by Weill and Ross.4 Business managers are required to take on the accountability for governing and managing the IT-related assets within their own organizational units and functions—in the same way that they take on the accountability for other assets such as physical plant, financial and human resource assets. Business managers must take ownership of, and be accountable for, governing the use of IT while creating value from IT-enabled business investments—business managers must become more IT savvy.5 COBIT provides a common, nontechnical business language framework of guidance for business managers to use when engaging with their IT professional colleagues and advisors to make IT-related business decisions—supporting IT savviness.
This principle implies a crucial shift in the minds of business and IT management; it comprises a move from managing IT as a cost to managing IT as an asset. This shift is an essential element of business value creation. “If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on the organizational capabilities. IT becomes a liability instead of a strategic asset.”6 COBIT 5 covers both IT and IT-related business accountabilities and responsibilities. Specifically, charts that show who is responsible, accountable, consulted and informed (RACI) for both business and IT function roles are provided in the COBIT® 5: Enabling Processes guide (figure 3). RACI charts indicate that, for every COBIT 5 process, both business and IT function roles have accountabilities and responsibilities.
The second principle recognizes that the need for business managers to assume accountability for effectively governing and managing their use of IT is increasingly critical to enable the enterprise to achieve the goal of satisfying stakeholder needs. Decisions on IT asset and resource use (e.g., outsourced service selection and acquisition via cloud solution providers and bring your own device [BYOD]) are being made increasingly by business managers. These decisions must be made within the overall GEIT arrangements of the enterprise, to create optimum value for stakeholders.
4 Weill, P.; J. Ross; IT Savvy: What Top Executives Must Know to Go From Pain to Gain, Harvard Business Press, USA, 2009
5 Ibid.
6 Ibid.
Figure 3—COBIT 5 RACI Chart Example (APO01 RACI Chart)
[The chart itself is not recoverable from the extracted text; only its row and column labels survive.]
Key management practices (rows): APO01.01 Define the organisational structure; APO01.02 Establish roles and responsibilities; APO01.03 Maintain the enablers of the management system; APO01.04 Communicate management objectives and direction; APO01.05 Optimise the placement of the IT function; APO01.06 Define information (data) and system ownership; APO01.07 Manage continual improvement of processes; APO01.08 Maintain compliance with policies and procedures.
Business roles (columns): Board; Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Business Executives; Business Process Owners; Strategy Executive Committee; Steering (Programmes/Projects) Committee; Project Management Office; Value Management Office; Chief Risk Officer; Chief Information Security Officer; Architecture Board; Enterprise Risk Committee; Head Human Resources; Compliance; Audit.
IT function roles (columns): Chief Information Officer; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Information Security Manager; Business Continuity Manager; Privacy Officer.
Each cell marks a role as Responsible (R), Accountable (A), Consulted (C) or Informed (I) for the practice; the individual R/A/C/I assignments could not be recovered from the extraction.
Source: COBIT ® 5: Enabling Processes, ISACA, USA, 2012, page 52
PRINCIPLE 3 APPLYING A SINGLE INTEGRATED FRAMEWORK
The third principle highlights the need to use an overall single, integrated GEIT framework to deliver the optimum value from the IT assets and resources used. COBIT 5 aligns with other relevant standards and frameworks at a high level and, thus, can serve as the overarching framework for GEIT (figure 4). ISACA made a major investment over the years to align COBIT with other standards and frameworks, including:
• ISO/IEC 38500:2008⁷
• ISO/IEC 27001:2013⁸
• ISO/IEC 20000⁹
• ISO 31000 series¹⁰
• ISO 9001:2008¹¹
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework¹²
• IT Infrastructure Library® (ITIL® V3)¹³
• Project Management Body of Knowledge (PMBOK®)¹⁴
• Data Management Body of Knowledge (DMBOK)¹⁵
• The Open Group Architecture Framework (TOGAF® 9)¹⁶
• Projects in Controlled Environments (PRINCE2®)¹⁷
Many of the processes in COBIT 5 are inspired by the guidance in these standards and frameworks, which are used by IT professionals worldwide. As such, many of the processes and practices in COBIT 5 relate to, and align with, one or more detailed standards or frameworks that are used by enterprises to govern and manage their IT assets and resources. To help enterprises to work effectively with COBIT 5 and other standards and frameworks, COBIT® 5: Enabling Processes and the COBIT 5 professional guides contain high-level mappings of COBIT 5 processes to the major related standards and frameworks. COBIT 5 also integrates and harmonizes the Risk IT and Val IT framework guidance, which ISACA published previously, into a single framework, making COBIT 5 a “one-stop shop” for overall GEIT guidance. COBIT 5 includes in its scope previous guidance from ISACA and guidance from other standards and frameworks in the field. Further, COBIT 5 provides a single overarching framework that serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language. This source can be used effectively as the basis for more detailed guidance on addressing specific GEIT aspects, including information security/cybersecurity, risk, assurance, vendor management, configuration management, cloud controls, etc.
7 ISO, “ISO/IEC 38500:2008 Corporate governance of information technology,” Switzerland, 2008, www.iso.org
8 ISO, “ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements,” Switzerland, 2013, www.iso.org
9 ISO, “ISO/IEC 20000-1:2011 Information technology—Service management—Part 1: Service management system requirements,” Switzerland, 2011, www.iso.org
10 ISO, “ISO 31000:2009 Risk management—Principles and guidelines,” Switzerland, 2009, www.iso.org
11 ISO, “ISO 9001:2008 Quality management systems—Requirements,” Switzerland, 2008, www.iso.org
12 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control—Integrated Framework (2013),” USA, 2013, www.coso.org/IC.htm
13 ITIL® Home, “Welcome to the Official ITIL® Website,” UK, www.itil-officialsite.com
14 Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK®), USA, 2008
15 Data Management Association International (DAMA), The DAMA Guide to the Data Management Body of Knowledge (DMBOK), USA, 2009
16 The Open Group, TOGAF® 9, UK, 2009, www.opengroup.org/togaf
17 PRINCE2—Projects In Controlled Environments Home, “Welcome to the Official PRINCE2® Website,” UK, www.prince-officialsite.com
Figure 4—COBIT 5 Coverage of Other Standards and Frameworks
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 25
PRINCIPLE 4
ENABLING A HOLISTIC APPROACH
The fourth principle emphasizes that efficient and effective implementation of GEIT requires a holistic approach that takes into account several interacting components or mechanisms—termed “enablers” in COBIT—because they interact to support governance and management of enterprise activities and are interdependent.
Figure 5—COBIT 5 Enablers
The challenge of implementing a holistic approach is related to the need for an organizational system, which is described in strategic management literature as the way a firm gets its people to work together to carry out the business.18 Such organizational systems require the definition and application, in a holistic manner, of structures (e.g., organizational units and functions) and processes (to ensure that tasks are coordinated and integrated), and attention to people and relational aspects (e.g., culture, values, joint beliefs). Enterprises are applying this organizational system theory to GEIT implementation by using a holistic mixture of structures, processes and other components or mechanisms.19,20 COBIT 5 builds on these systemic insights with the concept of enablers. Enablers are defined as factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. The COBIT 5 framework describes seven categories of enablers (figure 5)—of which Processes; Organisational Structures; and Culture, Ethics and Behaviour are most closely related to the organizational systems concept. COBIT 5 complements these organizational systems enablers with other important enablers: Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; and People, Skills and Competencies.
Source (figure 5): COBIT® 5 (the framework), ISACA, USA, 2012, figure 12
18 De Wit, B.; R. Meyer; Strategy Synthesis: Revolving Strategy Paradoxes to Create Competitive Advantage, Cengage Learning EMEA, USA, 2005
19 Peterson, R.; “Crafting Information Technology Governance,” Information Systems Management, USA, 2004
20 De Haes, S.; W. Van Grembergen; “An Exploratory Study Into IT Governance Implementations and Its Impact on Business/IT Alignment,” Information Systems Management, USA, 2009
PRINCIPLE 5 SEPARATING GOVERNANCE FROM MANAGEMENT
Finally, COBIT 5 makes a distinction between governance and management. This distinction aligns with the following guidance in ISO/IEC 38500:2008: Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.21
In COBIT 5, ISACA states for the first time that GEIT processes encompass different types of activities. The governance processes are organized following the evaluate, direct and monitor (EDM) model, as proposed by ISO/IEC 38500. IT governance processes ensure that enterprise goals are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. Based on the results, guidance and output from these governance activities, business and IT management plans, builds, runs and monitors activities (PBRM) to ensure alignment with the direction that was set by the governance body and, thus, achieve the enterprise objectives (figure 6).
Figure 6—COBIT 5 Governance and Management Key Areas
[Diagram reduced to its labels.] Business Needs feed the Governance area, whose activities are Evaluate, Direct and Monitor. Governance directs the Management area, which comprises Plan (APO), Build (BAI), Run (DSS) and Monitor (MEA); Management Feedback flows back from Management to Governance.
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 30
21 ISO, “ISO/IEC 38500:2008 Corporate governance of information technology,” Switzerland, 2008, www.iso.org
CONCLUSION GEIT is the board’s accountability and responsibility, and the execution of the set direction is management’s accountability and responsibility.22 COBIT 5 is primarily a business GEIT framework made by, and for, practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, balanced scorecard, IT savviness and organizational systems. The core elements of COBIT 5 are built on these IT and general management insights. Practitioners can use the insights in this white paper and its references to apply COBIT 5 principles and guidance in their enterprises.
22 Van Grembergen, W.; S. De Haes; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009