
IT Governance Using COBIT 5: An Introduction
By: Aqel M. Aqel
Accredited Trainer by APMG
E-mail: aqel.aqel@gmail.com
Tuesday, 28-April-2015
1
Aqel Mohammed Aqel, CISA, MBA, CSSGB, COBIT5
Information Technology & Management Consultant
Information Systems Audit & Control Association, Riyadh Chapter: CISA Coordinator and Research Director
Certified Information System Auditor
Master of Business Administration - UK
Certified as Lean Six Sigma Green Belt
Certified COBIT-5 Trainer (Foundation)
Member of Association for Strategic Planning
P. O. Box 40496 11499, Riyadh - Saudi Arabia
http://www.linkedin.com/in/aqelmaqel
http://www.facebook.com/aqel.m.aqel
aqel.aqel@gmail.com
https://www.youtube.com/channel/UCR0wCpIHdhu5TBsWn-Ar5YA
+966-502-104-007

2
Topics for tonight's session
Overview: COBIT, the past and present
The Five Principles
COBIT Processes
Enablers
Process Assessment Model (PAM)
Implementation Overview
Closure

3
Why Develop COBIT 5?
ISACA wanted to tie together and reinforce all ISACA knowledge assets with COBIT, and to:
Provide a renewed and authoritative governance and management framework for enterprise information and related technology
Integrate all other major ISACA frameworks and guidance
Align with other major frameworks and standards

4
The Evolution of COBIT (figure)
Timeline: COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), COBIT 5 (2012)
Scope evolution: Audit, Control, Management, IT Governance, Governance of Enterprise IT
Frameworks absorbed along the way: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)

5
Drivers for the development
of a Framework
Provide guidance in:
Enterprise architecture
Asset and service management
Emerging sourcing and organization models
Innovation and emerging technologies
End-to-end business and IT responsibilities
Controls for user-initiated and user-controlled IT solutions
A need for the enterprise to:
Achieve increased value creation
Obtain business user satisfaction
Achieve compliance with relevant laws, regulations and policies

6
COBIT 5 Product Family

Source: COBIT 5, ISACA

7
COBIT and Other IT Governance Frameworks (figure)
Frameworks shown: COSO, COBIT, ISO 27002, ISO 9000, ITIL
Axes: WHAT to HOW (horizontal) and scope of coverage (vertical)

8
COBIT 5 Mapping Specifics ..1
ISO/IEC 38500
o ISO's six principles map to COBIT 5
ITIL v3
o The following areas and domains are covered by ITIL v3:
o A subset of processes in the DSS domain
o A subset of processes in the BAI domain
o Some processes in the APO domain
ISO/IEC 27000
o Security and IT-related processes in domains EDM, APO and DSS
o Some security monitoring activities in MEA
ISO/IEC 31000
o Risk management related activities in EDM and APO

9
COBIT 5 Mapping Specifics ..2
TOGAF (The Open Group Architecture Framework)
o Resource-related processes in EDM
o TOGAF components of the architecture board and governance areas
o Enterprise architecture processes of APO
PRINCE2
o Programme and project management processes in the BAI domain
o Portfolio related processes in the APO domain
CMMI / ISO 15504
o Some organisational and quality-related processes in the APO domain
o Application building and acquisition related processes in BAI

10
COBIT Principles

11
COBIT 5 Principles
A Principle is a general truth that helps people determine the appropriate decision, given the circumstance at hand. Principles are guidelines that provide an indication of what to do, but not how to do it. For example: team members ensure they are in attendance when they feel responsibility for the success of the team.
Policies or Procedures define specifically what and how to do something; they define specific actions or behaviors. For example: team members who attend late on more than three occasions will receive a formal warning.
Source: COBIT 5, ISACA

12
Principle 1:
Meeting Stakeholder Needs
Enterprises have many stakeholders.
Governance is about:
Negotiating and deciding amongst different stakeholders' value interests
Considering all stakeholders when making benefit, resource and risk assessment decisions
For each decision, ask:
For whom are the benefits?
Who bears the risk?
What resources are required?

13
Principle 1:
Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.
Value creation: realizing benefits at an optimal resource cost while optimizing risk.
Source: COBIT 5, ISACA

14
Principle 1: Meeting Stakeholder
Needs

Source: COBIT 5, ISACA

15
Principle 1 Cascade Steps (Figure 5)

16
Principle 1 Cascade Steps

17
Principle 2:
Covering the Enterprise End-to-End
Source: COBIT 5, ISACA

18
Principle 2:
Covering the Enterprise End-to-End
Main elements of the governance approach:
Governance Enablers, comprising:
The organizational resources for governance
The enterprise's resources
A lack of resources or enablers may affect the ability of the enterprise to create value
Governance Scope, comprising:
The whole enterprise
An entity, a tangible or intangible asset, etc.

19
Principle 2:
Covering the Enterprise End-to-End
Governance roles, activities and relationships define:
Who is involved in governance
How they are involved
What they do, and
How they interact
COBIT 5 defines the difference between governance and management activities in Principle 5.

20
Principle 3:
Applying a Single Integrated
Framework
COBIT 5:
Aligns with the latest relevant standards and frameworks
Is complete in enterprise coverage
Provides a basis to integrate effectively other frameworks,
standards and practices used
Integrates all knowledge previously dispersed over different
ISACA frameworks
Provides a simple architecture for structuring guidance
materials and producing a consistent product set

21
Principle 4:
Enabling a Holistic Approach
COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.
COBIT 5 enablers are:
Factors that, individually and collectively, influence whether something will work
Driven by the goals cascade
Described by the COBIT 5 framework in seven categories

22
Principle 4:
Enabling a Holistic Approach

Source: COBIT 5, ISACA

23
Principle 4:
Enabling a Holistic Approach
Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

24
Principle 4:
Enabling a Holistic Approach
COBIT 5 enabler dimensions:
All enablers have a set of common dimensions that:
Provide a common, simple and structured way to deal
with enablers
Allow an entity to manage its complex interactions
Facilitate successful outcomes of the enablers

25
Principle 5:
Separating Governance from
Management

Source: COBIT 5, ISACA

26
Principle 5:
Separating Governance from
Management
The COBIT 5 framework makes a clear distinction between governance and management.
Governance and management:
Encompass different types of activities
Require different organizational structures
Serve different purposes
COBIT 5: Enabling Processes differentiates the activities associated with each.

27
Principle 5:
Separating Governance from
Management
Governance ensures that stakeholder needs, conditions and options are:
Evaluated to determine balanced, agreed-on enterprise objectives to be achieved
Setting direction through prioritization and decision making
Monitoring performance, compliance and progress against agreed direction and objectives (EDM)
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

28
COBIT 5 Processes

29
Concept
Based on PLAN-DO-CHECK-ACT
Five integrated sets of processes (domains) which cover governance and management of enterprise IT:
1. Evaluate, Direct and Monitor (EDM)
2. Align, Plan and Organize (APO)
3. Build, Acquire and Implement (BAI)
4. Deliver, Service and Support (DSS)
5. Monitor, Evaluate and Assess (MEA)

30
COBIT 5 Process Reference
Model

© 2012 ISACA. All Rights Reserved.
Source: COBIT 5, ISACA

31
The COBIT 5 Enterprise Enablers

Source: COBIT 5, ISACA

32
Recap Principle 4:
Enabling a Holistic Approach
COBIT 5 enabler dimensions:

33
Enabler 1: Principles, Policies & Frameworks (1)
The purpose: to convey the governing body's and management's direction and instructions.
They are instruments to communicate the rules of the enterprise, in support of the governance objectives and the enterprise.
o Differences between principles and policies:
o Principles need to be limited in number
o Principles are put in simple language, expressing as clearly as possible the core values of the enterprise
o Policies are more detailed guidance on how to put principles into practice

34
Enabler 1: Principles, Policies & Frameworks (2)
The characteristics of good policies; they should:
o Be effective: achieve their purpose
o Be efficient: especially when implementing them
o Be non-intrusive: make sense and be logical to those who have to comply with them
Policies should have a mechanism (framework) in place where they can be effectively managed and users know where to go. Specifically they should be:
o Comprehensive, covering all required areas
o Open and flexible, allowing for easy adaptation and change
o Current and up to date
The purpose of a policy life cycle is that it must support a policy framework in order to achieve defined goals.

35
Enabler 2: Processes
COBIT 5 Enablers: Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:
The COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals. An example is given in the appendix.
The COBIT 5 process model is explained and its components defined.
The Enabler process guide which is referenced in this module contains the detailed process information for all 37 COBIT 5 processes shown in the process reference model.

36
Enabler 2: Processes (continued)
PRM Structure (2)
Each process is divided into:
o Process Description
o Process Purpose statement
o IT-related Goals (from the Goals cascade; see example in the Appendix)
o Each IT-related goal is associated with a set of generic related metrics
o Process Goals (also from the Goals cascade mechanism, and referred to as Enabler Goals)
o Each Process Goal is associated with a set of generic metrics
o Each Process contains a set of Management Practices
o These are associated with a generic RACI chart (Responsible, Accountable, Consulted, Informed)
o Each management practice contains a set of inputs and outputs (called work products in module PC)
o Each management practice is associated with a set of activities

37
Enabler 3: Organisational Structures
A number of good practices of organisational structure can be distinguished, such as:
o Operating principles: the practical arrangements regarding how the structure will operate, such as meeting frequency, documentation and other rules
o Span of control: the boundaries of the organisation structure's decision rights
o Level of authority: the decisions that the structure is authorised to take
o Delegation of responsibility: the structure can delegate a subset of its decision rights to other structures reporting to it
o Escalation procedures: the escalation path for a structure describes the required actions in case of problems in making decisions

38
Enabler 4: Culture, Ethics and Behaviour
Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include:
o Communication throughout the enterprise of desired behaviours and corporate values
o Awareness of desired behaviour, strengthened by senior management example
o Senior management and the executives "walk the talk", so to speak
o Incentives to encourage and deterrents to enforce desired behaviour
o Rules and norms which provide more guidance and will typically be found in a Code of Ethics

39
Enabler 5: Information
Importance of the Information Quality categories and dimensions:
o The concept of information criteria was introduced in COBIT 3rd edition in 2000 and played a key role in COBIT 4.1; these were very important to be able to show how to meet business requirements.
Importance of Information Criteria:
o COBIT 4.1 introduced us to the concept of 7 key information criteria to meet business requirements. This concept has been retained but translated differently in Figure 9 below (Figure 26, Appendix F).

40
Enabler 6: Services, Infrastructure and Applications
The five architecture principles that govern the implementation and use of IT-related resources:
o Architecture principles are overall guidelines that govern the implementation and use of IT-related resources within the enterprise. Examples of such principles:
o Reuse: common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures.
o Buy vs. build: solutions should be purchased unless there is an approved rationale for developing them internally.
o Simplicity: the enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements.
o Agility: the enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner.
o Openness: the enterprise architecture should leverage open industry standards.

41
Enabler 6: Services, Infrastructure and Applications (cont.)
Relationship to other enablers:
o Information is a service capability that is leveraged through processes to deliver internal and external services.
o Cultural and behavioural aspects are relevant when a service-oriented culture needs to be built.
o Process inputs and outputs: most of the inputs and outputs (work products) of the process management practices and activities in the PRM include service capabilities.
Consider other frameworks such as:
o ITIL v3
o TOGAF (www.opengroup.org/togaf), which provides an integrated information infrastructure reference model.

42
Enabler 7: People, Skills and Competencies
Identify the good practices of people, skills and competencies, specifically:
o Described by different skill levels for different roles
o Defining skill requirements for each role
o Mapping skill categories to COBIT 5 process domains (APO, BAI, etc.)
o These correspond to the IT-related activities undertaken, e.g. business analysis, information management, etc.
o Using external sources for good practices such as:
The Skills Framework for the Information Age (SFIA)

43
Process Assessment

44
What is a Process Assessment?
Process assessment: an activity that can be performed either as part of a process improvement initiative or as part of a capability determination.
Source: ISO/IEC 15504-4 approach
Purpose: to continually improve the enterprise's effectiveness and efficiency.
It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes.
COBIT 5 switched to the ISO 15504 approach rather than CMMI.

45
Advantages of the ISO 15504 Approach
A robust assessment process based on ISO 15504
An alignment of COBIT's maturity model scale with the international standard
A new capability-based assessment model which includes:
o Specific process requirements derived from COBIT 4.1 & COBIT 5
o Ability to achieve process attributes based on ISO 15504
o Evidence requirements
Assessor qualifications and experiential requirements
Results in a more robust, objective and repeatable assessment

46
Key ISO 15504 Definitions
ISO 15504 defines the following key terms:
Process purpose: the high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process.
Process outcomes: an observable result of a process (Note: an outcome is an artefact, a significant change of state or the meeting of specified constraints.)
Base practices: the activities that, when consistently performed, contribute to achieving the process purpose.
Work product: an artefact associated with the execution of a process, defined in terms of process inputs and process outputs.

47
Differences between the Capability & Process Dimension
ISO 15504 defines two dimensions:
o A Capability Dimension which focuses on process capability (levels 1 to 5), based on process attribute indicators (PAI) that deal solely with generic attributes
o A Process Dimension that contains additional indicators for process performance assessment, based on very specific performance indicators
o Note that the PRM (process reference model) is used only for this dimension, at Level 1. Levels 2 to 5 focus only on the Capability Dimension, based on generic attributes. The next slide demonstrates this concept.

48
Process capability levels
Level 5 - Optimizing process: the process is continuously improved to meet relevant current and projected business goals. Attributes: PA.5.1 Process Innovation attribute; PA.5.2 Process Optimization attribute.
Level 4 - Predictable process: the process is enacted consistently within defined limits. Attributes: PA.4.1 Process Measurement attribute; PA.4.2 Process Control attribute.
Level 3 - Established process: a defined process is used, based on a standard process. Attributes: PA.3.1 Process Definition attribute; PA.3.2 Process Deployment attribute.
Level 2 - Managed process: the process is managed (i.e. planned, monitored and adjusted); work products are appropriately established, controlled and maintained. Attributes: PA.2.1 Performance Management attribute; PA.2.2 Work Product Management attribute.
Level 1 - Performed process: the process is implemented and achieves its process purpose. Attribute: PA.1.1 Process Performance attribute.
Level 0 - Incomplete process: the process is not implemented or fails to achieve its purpose.
49
Assessment Process Activities
1. Initiation
2. Planning the Assessment
3. Briefing
4. Data Collection
5. Data Validation
6. Process Rating
7. Reporting

50

Implementation

51
COBIT 5 Implementation

Source: COBIT 5, ISACA

52
Thank you
For further questions, please communicate with Aqel:
aqel.aqel@gmail.com
+966-502-104-007
For Arabic lectures about IT Governance:
https://www.youtube.com/watch?v=itKgLtT4Les

53
