Cópia de 12.COBIT5 Governance and Management Practices Activities - April2014

2012 ISACA. All rights reserved. No part of this publication may be used copied reproduced modi!
ed distributed displayed
stored in a retrieval system or transmitted in any form by any means "electronic mechanical photocopying recording or other#ise$
#ithout the prior #ritten authorisation of ISACA. %se of this publication is permitted solely for personal use and must include full
attribution of the material&s source. No other right or permission is granted #ith respect to this #or'.
2012 ISACA. All rights reserved. No part of this publication may be used copied reproduced modi!ed distributed displayed
stored in a retrieval system or transmitted in any form by any means "electronic mechanical photocopying recording or other#ise$
#ithout the prior #ritten authorisation of ISACA. %se of this publication is permitted solely for personal use and must include full
attribution of the material&s source. No other right or permission is granted #ith respect to this #or'.
( of (01
Listed below are the practices associated with each of the governance and management processes in COBIT 5.
)rocesses* (+
Area Domain Process Process Description Process Prpose !tatement "ew In #.$
,overnance -./01
,overnance -./02
,overnance -./0(
,overnance -./00
,overnance -./01
/anagement A)201
The practices are sorted in the order in which the% appear in COBIT 5: Enabling Processes.
Process
ID
-valuate
.irect and
/onitor
-nsure
,overnance
3rame#or'
Setting and
/aintenance
Analyse and articulate the
re4uirements for the governance of
enterprise I5 and put in place and
maintain e6ective enabling structures
principles processes and practices
#ith clarity of responsibilities and
authority to achieve the enterprise&s
mission goals and ob7ectives.
)rovide a consistent approach integrated
and aligned #ith the enterprise governance
approach. 5o ensure that I58related decisions
are made in line #ith the enterprise&s
strategies and ob7ectives ensure that I58
related processes are overseen e6ectively
and transparently compliance #ith legal
and regulatory re4uirements is con!rmed
and the governance re4uirements for board
members are met.
-valuate
.irect and
/onitor
-nsure 9ene!ts
.elivery
2ptimise the value contribution to the
business from the business processes
I5 services and I5 assets resulting from
investments made by I5 at acceptable
costs.
Secure optimal value from I58enabled
initiatives services and assets: cost8e;cient
delivery of solutions and services: and a
reliable and accurate picture of costs and
li'ely bene!ts so that business needs are
supported e6ectively and e;ciently.
-valuate
.irect and
/onitor
-nsure <is'
2ptimisation
-nsure that the enterprise&s ris'
appetite and tolerance are understood
articulated and communicated and
that ris' to enterprise value related to
the use of I5 is identi!ed and
managed.
-nsure that I58related enterprise ris' does
not e=ceed ris' appetite and ris' tolerance
the impact of I5 ris' to enterprise value is
identi!ed and managed and the potential
for compliance failures is minimised.
-valuate
.irect and
/onitor
-nsure <esource
2ptimisation
-nsure that ade4uate and su;cient I58
related capabilities "people process
and technology$ are available to
support enterprise ob7ectives
e6ectively at optimal cost.
-nsure that the resource needs of the
enterprise are met in the optimal manner I5
costs are optimised and there is an
increased li'elihood of bene!t realisation
and readiness for future change.
-valuate
.irect and
/onitor
-nsure
Sta'eholder
5ransparency
-nsure that enterprise I5 performance
and conformance measurement and
reporting are transparent #ith
sta'eholders approving the goals and
metrics and the necessary remedial
actions.
/a'e sure that the communication to
sta'eholders is e6ective and timely and the
basis for reporting is established to increase
performance identify areas for
improvement and con!rm that I58related
ob7ectives and strategies are in line #ith the
enterprise&s strategy.
Align )lan
and 2rganise
/anage the I5
/anagement
3rame#or'
Clarify and maintain the governance of
enterprise I5 mission and vision.
Implement and maintain mechanisms
and authorities to manage information
and the use of I5 in the enterprise in
support of governance ob7ectives in
line #ith guiding principles and
policies.
)rovide a consistent management approach
to enable the enterprise governance
re4uirements to be met covering
management processes organisational
structures roles and responsibilities reliable
and repeatable activities and s'ills and
competencies.
0 of (01
Process
ID
/anagement A)202 /anage Strategy
/anagement A)20( >es
/anagement A)200 >es
/anagement A)201 /anage )ortfolio >es
/anagement A)20? >es
Align )lan
and 2rganise
)rovide a holistic vie# of the current
business and I5 environment the
future direction and the initiatives
re4uired to migrate to the desired
future environment. @everage
enterprise architecture building bloc's
and components including e=ternally
provided services and related
capabilities to enable nimble reliable
and e;cient response to strategic
ob7ectives.
Align strategic I5 plans #ith business
ob7ectives. Clearly communicate the
ob7ectives and associated accountabilities
so they are understood by all #ith the I5
strategic options identi!ed structured and
integrated #ith the business plans.
Align )lan
and 2rganise
/anage
-nterprise
Architecture
-stablish a common architecture
consisting of business process
information data application and
technology architecture layers for
e6ectively and e;ciently realising
enterprise and I5 strategies by
creating 'ey models and practices that
describe the baseline and target
architectures. .e!ne re4uirements for
ta=onomy standards guidelines
procedures templates and tools and
provide a lin'age for these
components. Improve alignment
increase agility improve 4uality of
information and generate potential
cost savings through initiatives such as
re8use of building bloc' components.
<epresent the di6erent building bloc's that
ma'e up the enterprise and their inter8
relationships as #ell as the principles
guiding their design and evolution over
time enabling a standard responsive and
e;cient delivery of operational and
strategic ob7ectives.
Align )lan
and 2rganise
/anage
Innovation
/aintain an a#areness of information
technology and related service trends
identify innovation opportunities and
plan ho# to bene!t from innovation in
relation to business needs. Analyse
#hat opportunities for business
innovation or improvement can be
created by emerging technologies
services or I58enabled business
innovation as #ell as through e=isting
established technologies and by
business and I5 process innovation.
InAuence strategic planning and
enterprise architecture decisions.
Achieve competitive advantage business
innovation and improved operational
e6ectiveness and e;ciency by e=ploiting
information technology developments.
Align )lan
and 2rganise
-=ecute the strategic direction set for
investments in line #ith the enterprise
architecture vision and the desired
characteristics of the investment and
related services portfolios and
consider the di6erent categories of
investments and the resources and
funding constraints. -valuate prioritise
and balance programmes and services
managing demand #ithin resource and
funding constraints based on their
alignment #ith strategic ob7ectives
enterprise #orth and ris'. /ove
selected programmes into the active
services portfolio for e=ecution.
/onitor the performance of the overall
portfolio of services and programmes
proposing ad7ustments as necessary in
response to programme and service
performance or changing enterprise
priorities.
2ptimise the performance of the overall
portfolio of programmes in response to
programme and service performance and
changing enterprise priorities and demands.
Align )lan
and 2rganise
/anage 9udget
and Costs
/anage the I58related !nancial
activities in both the business and I5
functions covering budget cost and
bene!t management and prioritisation
of spending through the use of formal
budgeting practices and a fair and
e4uitable system of allocating costs to
the enterprise. Consult sta'eholders to
identify and control the total costs and
bene!ts #ithin the conte=t of the I5
strategic and tactical plans and
initiate corrective action #here
needed.
3oster partnership bet#een I5 and
enterprise sta'eholders to enable the
e6ective and e;cient use of I58related
resources and provide transparency and
accountability of the cost and business
value of solutions and services. -nable the
enterprise to ma'e informed decisions
regarding the use of I5 solutions and
services.
1 of (01
Process
ID
/anagement A)20+
/anagement A)20B >es
/anagement A)20C
/anagement A)210
/anagement A)211 /anage Duality
/anagement A)212 /anage <is'
Align )lan
and 2rganise
/anage Euman
<esources
)rovide a structured approach to
ensure optimal structuring placement
decision rights and s'ills of human
resources. 5his includes
communicating the de!ned roles and
responsibilities learning and gro#th
plans and performance e=pectations
supported #ith competent and
motivated people.
2ptimise human resources capabilities to
meet enterprise ob7ectives.
Align )lan
and 2rganise
/anage
<elationships
/anage the relationship bet#een the
business and I5 in a formalised and
transparent #ay that ensures a focus
on achieving a common and shared
goal of successful enterprise outcomes
in support of strategic goals and #ithin
the constraint of budgets and ris'
tolerance. 9ase the relationship on
mutual trust using open and
understandable terms and common
language and a #illingness to ta'e
o#nership and accountability for 'ey
decisions.
Create improved outcomes increased
con!dence trust in I5 and e6ective use of
resources.
Align )lan
and 2rganise
/anage Service
Agreements
Align I58enabled services and service
levels #ith enterprise needs and
e=pectations including identi!cation
speci!cation design publishing
agreement and monitoring of I5
services service levels and
performance indicators.
-nsure that I5 services and service levels
meet current and future enterprise needs.
Align )lan
and 2rganise
/anage
Suppliers
/anage I58related services provided by
all types of suppliers to meet
enterprise re4uirements including the
selection of suppliers management of
relationships management of
contracts and revie#ing and
monitoring of supplier performance for
e6ectiveness and compliance.
/inimise the ris' associated #ith non8
performing suppliers and ensure
competitive pricing.
Align )lan
and 2rganise
.e!ne and communicate 4uality
re4uirements in all processes
procedures and the related enterprise
outcomes including controls ongoing
monitoring and the use of proven
practices and standards in continuous
improvement and e;ciency e6orts.
-nsure consistent delivery of solutions and
services to meet the 4uality re4uirements of
the enterprise and satisfy sta'eholder
needs.
Align )lan
and 2rganise
Continually identify assess and reduce
I58related ris' #ithin levels of tolerance
set by enterprise e=ecutive
management.
Integrate the management of I58related
enterprise ris' #ith overall -</ and
balance the costs and bene!ts of managing
I58related enterprise ris'.
? of (01
Process
ID
/anagement A)21( /anage Security >es
/anagement 9AI01
/anagement 9AI02
/anagement 9AI0(
/anagement 9AI00
/anagement 9AI01 >es
Align )lan
and 2rganise
.e!ne operate and monitor a system
for information security management.
Feep the impact and occurrence of
information security incidents #ithin the
enterprise&s ris' appetite levels.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage all programmes and pro7ects
from the investment portfolio in
alignment #ith enterprise strategy and
in a co8ordinated #ay. Initiate plan
control and e=ecute programmes and
pro7ects and close #ith a post8
implementation revie#.
<ealise business bene!ts and reduce the
ris' of une=pected delays costs and value
erosion by improving communications to
and involvement of business and end users
ensuring the value and 4uality of pro7ect
deliverables and ma=imising their
contribution to the investment and services
portfolio.
9uild
Ac4uire and
Implement
/anage
<e4uirements
.e!nition
Identify solutions and analyse
re4uirements before ac4uisition or
creation to ensure that they are in line
#ith enterprise strategic re4uirements
covering business processes
applications informationGdata
infrastructure and services. Co8
ordinate #ith a6ected sta'eholders the
revie# of feasible options including
relative costs and bene!ts ris'
analysis and approval of re4uirements
and proposed solutions.
Create feasible optimal solutions that meet
enterprise needs #hile minimising ris'.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-stablish and maintain identi!ed
solutions in line #ith enterprise
re4uirements covering design
development procurementGsourcing
and partnering #ith suppliersGvendors.
/anage con!guration test
preparation testing re4uirements
management and maintenance of
business processes applications
informationGdata infrastructure and
services.
-stablish timely and cost8e6ective solutions
capable of supporting enterprise strategic
and operational ob7ectives.
9uild
Ac4uire and
Implement
/anage
Availability and
Capacity
9alance current and future needs for
availability performance and capacity
#ith cost8e6ective service provision.
Include assessment of current
capabilities forecasting of future
needs based on business
re4uirements analysis of business
impacts and assessment of ris' to
plan and implement actions to meet
the identi!ed re4uirements.
/aintain service availability e;cient
management of resources and optimisation
of system performance through prediction of
future performance and capacity
re4uirements.
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
/a=imise the li'elihood of successfully
implementing sustainable
enterprise#ide organisational change
4uic'ly and #ith reduced ris' covering
the complete life cycle of the change
and all a6ected sta'eholders in the
business and I5.
)repare and commit sta'eholders for
business change and reduce the ris' of
failure.
+ of (01
Process
ID
/anagement 9AI0? /anage Changes
/anagement 9AI0+
/anagement 9AI0B >es
/anagement 9AI0C /anage Assets >es
/anagement 9AI10
/anagement .SS01
9uild
Ac4uire and
Implement
/anage all changes in a controlled
manner including standard changes
and emergency maintenance relating
to business processes applications
and infrastructure. 5his includes
change standards and procedures
impact assessment prioritisation and
authorisation emergency changes
trac'ing reporting closure and
documentation.
-nable fast and reliable delivery of change
to the business and mitigation of the ris' of
negatively impacting the stability or
integrity of the changed environment.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
3ormally accept and ma'e operational
ne# solutions including
implementation planning system and
data conversion acceptance testing
communication release preparation
promotion to production of ne# or
changed business processes and I5
services early production support and
a post8implementation revie#.
Implement solutions safely and in line #ith
the agreed8on e=pectations and outcomes.
9uild
Ac4uire and
Implement
/anage
Fno#ledge
/aintain the availability of relevant
current validated and reliable
'no#ledge to support all process
activities and to facilitate decision
ma'ing. )lan for the identi!cation
gathering organising maintaining use
and retirement of 'no#ledge.
)rovide the 'no#ledge re4uired to support
all sta6 in their #or' activities and for
informed decision ma'ing and enhanced
productivity.
9uild
Ac4uire and
Implement
/anage I5 assets through their life
cycle to ma'e sure that their use
delivers value at optimal cost they
remain operational "!t for purpose$
they are accounted for and physically
protected and those assets that are
critical to support service capability
are reliable and available. /anage
soft#are licences to ensure that the
optimal number are ac4uired retained
and deployed in relation to re4uired
business usage and the soft#are
installed is in compliance #ith licence
agreements.
Account for all I5 assets and optimise the
value provided by these assets.
9uild
Ac4uire and
Implement
/anage
Con!guration
.e!ne and maintain descriptions and
relationships bet#een 'ey resources
and capabilities re4uired to deliver I58
enabled services including collecting
con!guration information establishing
baselines verifying and auditing
con!guration information and
updating the con!guration repository.
)rovide su;cient information about service
assets to enable the service to be e6ectively
managed assess the impact of changes and
deal #ith service incidents.
.eliver
Service and
Support
/anage
2perations
Co8ordinate and e=ecute the activities
and operational procedures re4uired to
deliver internal and outsourced I5
services including the e=ecution of
pre8de!ned standard operating
procedures and the re4uired
monitoring activities.
.eliver I5 operational service outcomes as
planned.
B of (01
Process
ID
/anagement .SS02
/anagement .SS0( /anage )roblems
/anagement .SS00
/anagement .SS01 >es
/anagement .SS0? >es
.eliver
Service and
Support
/anage Service
<e4uests and
Incidents
)rovide timely and e6ective response
to user re4uests and resolution of all
types of incidents. <estore normal
service: record and ful!l user re4uests:
and record investigate diagnose
escalate and resolve incidents.
Achieve increased productivity and minimise
disruptions through 4uic' resolution of user
4ueries and incidents.
.eliver
Service and
Support
Identify and classify problems and their
root causes and provide timely
resolution to prevent recurring
incidents. )rovide recommendations
for improvements.
Increase availability improve service levels
reduce costs and improve customer
convenience and satisfaction by reducing
the number of operational problems.
.eliver
Service and
Support
/anage
Continuity
-stablish and maintain a plan to
enable the business and I5 to respond
to incidents and disruptions in order to
continue operation of critical business
processes and re4uired I5 services and
maintain availability of information at a
level acceptable to the enterprise.
Continue critical business operations and
maintain availability of information at a level
acceptable to the enterprise in the event of
a signi!cant disruption.
.eliver
Service and
Support
/anage Security
Services
)rotect enterprise information to
maintain the level of information
security ris' acceptable to the
enterprise in accordance #ith the
security policy. -stablish and maintain
information security roles and access
privileges and perform security
monitoring.
/inimise the business impact of operational
information security vulnerabilities and
incidents.
.eliver
Service and
Support
/anage 9usiness
)rocess Controls
.e!ne and maintain appropriate
business process controls to ensure
that information related to and
processed by in8house or outsourced
business processes satis!es all
relevant information control
re4uirements. Identify the relevant
information control re4uirements and
manage and operate ade4uate
controls to ensure that information and
information processing satisfy these
re4uirements.
/aintain information integrity and the
security of information assets handled
#ithin business processes in the enterprise
or outsourced.
C of (01
Process
ID
/anagement /-A01
/anagement /-A02
/anagement /-A0(
/onitor
-valuate and
Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Collect validate and evaluate
business I5 and process goals and
metrics. /onitor that processes are
performing against agreed8on
performance and conformance goals
and metrics and provide reporting that
is systematic and timely.
)rovide transparency of performance and
conformance and drive achievement of
goals.
/onitor
-valuate and
Assess
/onitor -valuate
and Assess the
System of
Internal Control
Continuously monitor and evaluate the
control environment including self8
assessments and independent
assurance revie#s. -nable
management to identify control
de!ciencies and ine;ciencies and to
initiate improvement actions. )lan
organise and maintain standards for
internal control assessment and
assurance activities.
2btain transparency for 'ey sta'eholders on
the ade4uacy of the system of internal
controls and thus provide trust in
operations con!dence in the achievement
of enterprise ob7ectives and an ade4uate
understanding of residual ris'.
/onitor
-valuate and
Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
-valuate that I5 processes and I58
supported business processes are
compliant #ith la#s regulations and
contractual re4uirements. 2btain
assurance that the re4uirements have
been identi!ed and complied #ith and
integrate I5 compliance #ith overall
enterprise compliance.
-nsure that the enterprise is compliant #ith
all applicable e=ternal re4uirements.
10 of (01
Listed below are the practices associated with each of the governance and management processes in COBIT 5.
)rocesses* (+
)ractices* -rr*102
Area Domain Process Process Description Process Prpose !tatement Practice "ame
/anagement 9AI01 9AI01.01
/anagement 9AI01 9AI01.0(
The practices are sorted in the order in which the% appear in COBIT 5: Enabling Processes.
Process
ID
Practice
ID
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage all programmes and pro7ects
from the investment portfolio in
alignment #ith enterprise strategy and
in a co8ordinated #ay. Initiate plan
control and e=ecute programmes and
pro7ects and close #ith a post8
implementation revie#.
<ealise business bene!ts and reduce the
ris' of une=pected delays costs and value
erosion by improving communications to
and involvement of business and end users
ensuring the value and 4uality of pro7ect
deliverables and ma=imising their
contribution to the investment and services
portfolio.
/aintain a
standard approach
for programme
and pro7ect
management.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Initiate a
programme.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage
sta'eholder
engagement.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
.evelop and
maintain the
programme plan.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
@aunch and
e=ecute the
programme.
11 of (01
Process
ID
Practice
ID
/anagement 9AI01 9AI01.0?
/anagement 9AI01 9AI01.0+
/anagement 9AI01 9AI01.0B )lan pro7ects.
/anagement 9AI01 9AI01.0C
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control
and report on the
programme
outcomes.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Start up and
initiate pro7ects
#ithin a
programme.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage
programme and
pro7ect 4uality.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage
programme and
pro7ect ris'.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and
control pro7ects.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and
#or' pac'ages.
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Close a pro7ect or
iteration.
12 of (01
Process
ID
Practice
ID
/anagement 9AI0( 9AI0(.01
9uild
Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Close a
programme.
9uild
Ac4uire and
Implement
/anage
<e4uirements
.e!nition
Identify solutions and analyse
re4uirements before ac4uisition or
creation to ensure that they are in line
#ith enterprise strategic re4uirements
covering business processes
applications informationGdata
infrastructure and services. Co8
ordinate #ith a6ected sta'eholders the
revie# of feasible options including
relative costs and bene!ts ris'
analysis and approval of re4uirements
and proposed solutions.
Create feasible optimal solutions that meet
enterprise needs #hile minimising ris'.
.e!ne and
maintain business
functional and
technical
re4uirements.
9uild
Ac4uire and
Implement
/anage
<e4uirements
.e!nition
)erform a
feasibility study
and formulate
alternative
solutions.
9uild
Ac4uire and
Implement
/anage
<e4uirements
.e!nition
/anage
re4uirements ris'.
9uild
Ac4uire and
Implement
/anage
<e4uirements
.e!nition
2btain approval of
re4uirements and
solutions.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-stablish and maintain identi!ed
solutions in line #ith enterprise
re4uirements covering design
development procurementGsourcing
and partnering #ith suppliersGvendors.
/anage con!guration test
preparation testing re4uirements
management and maintenance of
business processes applications
informationGdata infrastructure and
services.
-stablish timely and cost8e6ective solutions
capable of supporting enterprise strategic
and operational ob7ectives.
.esign high8level
solutions.
1( of (01
Process
ID
Practice
ID
/anagement 9AI0( 9AI0(.0(
/anagement 9AI0( 9AI0(.01 9uild solutions.
/anagement 9AI0( 9AI0(.0?
/anagement 9AI0( 9AI0(.0+
/anagement 9AI0( 9AI0(.0B
/anagement 9AI0( 9AI0(.0C
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
solution
components.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.evelop solution
components.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)rocure solution
components.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)erform 4uality
assurance.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)repare for
solution testing.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-=ecute solution
testing.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
/anage changes
to re4uirements.
10 of (01
Process
ID
Practice
ID
/anagement 9AI0( 9AI0(.10 /aintain solutions.
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild
Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.e!ne I5 services
and maintain the
service portfolio.
9uild
Ac4uire and
Implement
/anage
Availability and
Capacity
9alance current and future needs for
availability performance and capacity
#ith cost8e6ective service provision.
Include assessment of current
capabilities forecasting of future
needs based on business
re4uirements analysis of business
impacts and assessment of ris' to
plan and implement actions to meet
the identi!ed re4uirements.
/aintain service availability e;cient
management of resources and optimisation
of system performance through prediction of
future performance and capacity
re4uirements.
Assess current
availability
performance and
capacity and
create a baseline.
9uild
Ac4uire and
Implement
/anage
Availability and
Capacity
Assess business
impact.
9uild
Ac4uire and
Implement
/anage
Availability and
Capacity
)lan for ne# or
changed service
re4uirements.
9uild
Ac4uire and
Implement
/anage
Availability and
Capacity
/onitor and revie#
availability and
capacity.
9uild
Ac4uire and
Implement
/anage
Availability and
Capacity
Investigate and
address
availability
performance and
capacity issues.
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
/a=imise the li'elihood of successfully
implementing sustainable
enterprise#ide organisational change
4uic'ly and #ith reduced ris' covering
the complete life cycle of the change
and all a6ected sta'eholders in the
business and I5.
)repare and commit sta'eholders for
business change and reduce the ris' of
failure.
-stablish the
desire to change.
11 of (01
Process
ID
Practice
ID
/anagement 9AI01 9AI01.0+ Sustain changes.
/anagement 9AI0? /anage Changes 9AI0?.01
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
3orm an e6ective
implementation
team.
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
Communicate
desired vision.
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
-mpo#er role
players and
identify short8term
#ins.
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
-nable operation
and use.
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
-mbed ne#
approaches.
9uild
Ac4uire and
Implement
/anage
2rganisational
Change
-nablement
9uild
Ac4uire and
Implement
/anage all changes in a controlled
manner including standard changes
and emergency maintenance relating
to business processes applications
and infrastructure. 5his includes
change standards and procedures
impact assessment prioritisation and
authorisation emergency changes
trac'ing reporting closure and
documentation.
-nable fast and reliable delivery of change
to the business and mitigation of the ris' of
negatively impacting the stability or
integrity of the changed environment.
-valuate prioritise
and authorise
change re4uests.
9uild
Ac4uire and
Implement
/anage
emergency
changes.
1? of (01
Process
ID
Practice
ID
/anagement 9AI0? /anage Changes 9AI0?.0(
/anagement 9AI0+ 9AI0+.01
/anagement 9AI0+ 9AI0+.0(
/anagement 9AI0+ 9AI0+.0?
/anagement 9AI0+ 9AI0+.0+
9uild
Ac4uire and
Implement
5rac' and report
change status.
9uild
Ac4uire and
Implement
Close and
document the
changes.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
3ormally accept and ma'e operational
ne# solutions including
implementation planning system and
data conversion acceptance testing
communication release preparation
promotion to production of ne# or
changed business processes and I5
services early production support and
a post8implementation revie#.
Implement solutions safely and in line #ith
the agreed8on e=pectations and outcomes.
-stablish an
implementation
plan.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)lan business
process system
and data
conversion.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)lan acceptance
tests.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish a test
environment.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform
acceptance tests.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)romote to
production and
manage releases.
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)rovide early
production
support.
1+ of (01
Process
ID
Practice
ID
/anagement 9AI0+ 9AI0+.0B
/anagement 9AI0B 9AI0B.01
/anagement 9AI0B 9AI0B.0(
/anagement 9AI0C /anage Assets 9AI0C.01
9uild
Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform a post8
implementation
revie#.
9uild
Ac4uire and
Implement
/anage
Fno#ledge
/aintain the availability of relevant
current validated and reliable
'no#ledge to support all process
activities and to facilitate decision
ma'ing. )lan for the identi!cation
gathering organising maintaining use
and retirement of 'no#ledge.
)rovide the 'no#ledge re4uired to support
all sta6 in their #or' activities and for
informed decision ma'ing and enhanced
productivity.
Nurture and
facilitate a
'no#ledge8sharing
culture.
9uild
Ac4uire and
Implement
/anage
Fno#ledge
Identify and
classify sources of
information.
9uild
Ac4uire and
Implement
/anage
Fno#ledge
2rganise and
conte=tualise
information into
'no#ledge.
9uild
Ac4uire and
Implement
/anage
Fno#ledge
%se and share
'no#ledge.
9uild
Ac4uire and
Implement
/anage
Fno#ledge
-valuate and retire
information.
9uild
Ac4uire and
Implement
/anage I5 assets through their life
cycle to ma'e sure that their use
delivers value at optimal cost they
remain operational "!t for purpose$
they are accounted for and physically
protected and those assets that are
critical to support service capability
are reliable and available. /anage
soft#are licences to ensure that the
optimal number are ac4uired retained
and deployed in relation to re4uired
business usage and the soft#are
installed is in compliance #ith licence
agreements.
Account for all I5 assets and optimise the
value provided by these assets.
Identify and record
current assets.
9uild
Ac4uire and
Implement
/anage critical
assets.
1B of (01
Process
ID
Practice
ID
/anagement 9AI0C /anage Assets 9AI0C.0(
/anagement 9AI0C /anage Assets 9AI0C.01 /anage licences.
9uild
Ac4uire and
Implement
/anage the asset
life cycle.
9uild
Ac4uire and
Implement
2ptimise asset
costs.
9uild
Ac4uire and
Implement
9uild
Ac4uire and
Implement
/anage
Con!guration
.e!ne and maintain descriptions and
relationships bet#een 'ey resources
and capabilities re4uired to deliver I58
enabled services including collecting
con!guration information establishing
baselines verifying and auditing
con!guration information and
updating the con!guration repository.
)rovide su;cient information about service
assets to enable the service to be e6ectively
managed assess the impact of changes and
deal #ith service incidents.
-stablish and
maintain a
con!guration
model.
9uild
Ac4uire and
Implement
/anage
Con!guration
-stablish and
maintain a
con!guration
repository and
baseline.
9uild
Ac4uire and
Implement
/anage
Con!guration
/aintain and
control
con!guration
items.
9uild
Ac4uire and
Implement
/anage
Con!guration
)roduce status and
con!guration
reports.
9uild
Ac4uire and
Implement
/anage
Con!guration
Herify and revie#
integrity of the
con!guration
repository.
1C of (01
&overnance Practice
/aintain a standard approach for programme and pro7ect
management that enables governance and management
revie# and decision ma'ing and delivery management
activities focussed on achieving value and goals
"re4uirements ris' costs schedule 4uality$ for the
business in a consistent manner.
Initiate a programme to con!rm the e=pected bene!ts
and obtain authorisation to proceed. 5his includes
agreeing on programme sponsorship con!rming the
programme mandate through approval of the conceptual
business case appointing programme board or
committee members producing the programme brief
revie#ing and updating the business case developing a
bene!ts realisation plan and obtaining approval from
sponsors to proceed.
/anage sta'eholder engagement to ensure an active
e=change of accurate consistent and timely information
that reaches all relevant sta'eholders. 5his includes
planning identifying and engaging sta'eholders and
managing their e=pectations.
3ormulate a programme to lay the initial ground#or' and
to position it for successful e=ecution by formalising the
scope of the #or' to be accomplished and identifying the
deliverables that #ill satisfy its goals and deliver value.
/aintain and update the programme plan and business
case throughout the full economic life cycle of the
programme ensuring alignment #ith strategic ob7ectives
and reAecting the current status and updated insights
gained to date.
@aunch and e=ecute the programme to ac4uire and direct
the resources needed to accomplish the goals and
bene!ts of the programme as de!ned in the programme
plan. In accordance #ith stage8gate or release revie#
criteria prepare for stage8gate iteration or release
revie#s to report on the progress of the programme and
to be able to ma'e the case for funding up to the
follo#ing stage8gate or release revie#.
20 of (01
&overnance Practice
/onitor and control programme "solution delivery$ and
enterprise "valueGoutcome$ performance against plan
throughout the full economic life cycle of the investment.
<eport this performance to the programme steering
committee and the sponsors.
.e!ne and document the nature and scope of the pro7ect
to con!rm and develop amongst sta'eholders a common
understanding of pro7ect scope and ho# it relates to
other pro7ects #ithin the overall I58enabled investment
programme. 5he de!nition should be formally approved
by the programme and pro7ect sponsors.
-stablish and maintain a formal approved integrated
pro7ect plan "covering business and I5 resources$ to guide
pro7ect e=ecution and control throughout the life of the
pro7ect. 5he scope of pro7ects should be clearly de!ned
and tied to building or enhancing business capability.
)repare and e=ecute a 4uality management plan
processes and practices aligned #ith the D/S that
describes the programme and pro7ect 4uality approach
and ho# it #ill be implemented. 5he plan should be
formally revie#ed and agreed on by all parties concerned
and then incorporated into the integrated programme
and pro7ect plans.
-liminate or minimise speci!c ris' associated #ith
programmes and pro7ects through a systematic process
of planning identifying analysing responding to and
monitoring and controlling the areas or events that have
the potential to cause un#anted change. <is' faced by
programme and pro7ect management should be
established and centrally recorded.
/easure pro7ect performance against 'ey pro7ect
performance criteria such as schedule 4uality cost and
ris'. Identify any deviations from the e=pected. Assess
the impact of deviations on the pro7ect and overall
programme and report results to 'ey sta'eholders.
/anage pro7ect #or' pac'ages by placing formal
re4uirements on authorising and accepting #or'
pac'ages and assigning and co8ordinating appropriate
business and I5 resources.
At the end of each pro7ect release or iteration re4uire
the pro7ect sta'eholders to ascertain #hether the pro7ect
release or iteration delivered the planned results and
value. Identify and communicate any outstanding
activities re4uired to achieve the planned results of the
pro7ect and the bene!ts of the programme and identify
and document lessons learned for use on future pro7ects
releases iterations and programmes.
21 of (01
&overnance Practice
<emove the programme from the active investment
portfolio #hen there is agreement that the desired value
has been achieved or #hen it is clear it #ill not be
achieved #ithin the value criteria set for the programme.
9ased on the business case identify prioritise specify
and agree on business information functional technical
and control re4uirements covering the
scopeGunderstanding of all initiatives re4uired to achieve
the e=pected outcomes of the proposed I58enabled
business solution.
)erform a feasibility study of potential alternative
solutions assess their viability and select the preferred
option. If appropriate implement the selected option as a
pilot to determine possible improvements.
Identify document prioritise and mitigate functional
technical and information processing8related ris'
associated #ith the enterprise re4uirements and
proposed solution.
Co8ordinate feedbac' from a6ected sta'eholders and at
predetermined 'ey stages obtain business sponsor or
product o#ner approval and sign8o6 on functional and
technical re4uirements feasibility studies ris' analyses
and recommended solutions.
.evelop and document high8level designs using agreed8
on and appropriate phased or rapid agile development
techni4ues. -nsure alignment #ith the I5 strategy and
enterprise architecture. <eassess and update the designs
#hen signi!cant issues occur during detailed design or
building phases or as the solution evolves. -nsure that
sta'eholders actively participate in the design and
approve each version.
22 of (01
&overnance Practice
.evelop document and elaborate detailed designs
progressively using agreed8on and appropriate phased or
rapid agile development techni4ues addressing all
components "business processes and related automated
and manual controls supporting I5 applications
infrastructure services and technology products and
partnersGsuppliers$. -nsure that the detailed design
includes internal and e=ternal S@As and 2@As.
.evelop solution components progressively in
accordance #ith detailed designs follo#ing development
methods and documentation standards 4uality
assurance "DA$ re4uirements and approval standards.
-nsure that all control re4uirements in the business
processes supporting I5 applications and infrastructure
services services and technology products and
partnersGsuppliers are addressed.
)rocure solution components based on the ac4uisition
plan in accordance #ith re4uirements and detailed
designs architecture principles and standards and the
enterprise&s overall procurement and contract
procedures DA re4uirements and approval standards.
-nsure that all legal and contractual re4uirements are
identi!ed and addressed by the supplier.
Install and con!gure solutions and integrate #ith
business process activities. Implement control security
and auditability measures during con!guration and
during integration of hard#are and infrastructural
soft#are to protect resources and ensure availability and
data integrity. %pdate the services catalogue to reAect
the ne# solutions.
.evelop resource and e=ecute a DA plan aligned #ith
the D/S to obtain the 4uality speci!ed in the
re4uirements de!nition and the enterprise&s 4uality
policies and procedures.
-stablish a test plan and re4uired environments to test
the individual and integrated solution components
including the business processes and supporting services
applications and infrastructure.
-=ecute testing continually during development
including control testing in accordance #ith the de!ned
test plan and development practices in the appropriate
environment. -ngage business process o#ners and end
users in the test team. Identify log and prioritise errors
and issues identi!ed during testing.
5rac' the status of individual re4uirements "including all
re7ected re4uirements$ throughout the pro7ect life cycle
and manage the approval of changes to re4uirements.
2( of (01
&overnance Practice
.evelop and e=ecute a plan for the maintenance of
solution and infrastructure components. Include periodic
revie#s against business needs and operational
re4uirements.
.e!ne and agree on ne# or changed I5 services and
service level options. .ocument ne# or changed service
de!nitions and service level options to be updated in the
services portfolio.
Assess availability performance and capacity of services
and resources to ensure that cost87usti!able capacity and
performance are available to support business needs and
deliver against S@As. Create availability performance and
capacity baselines for future comparison.
Identify important services to the enterprise map
services and resources to business processes and
identify business dependencies. -nsure that the impact
of unavailable resources is fully agreed on and accepted
by the customer. -nsure that for vital business functions
the S@A availability re4uirements can be satis!ed.
)lan and prioritise availability performance and capacity
implications of changing business needs and service
re4uirements.
/onitor measure analyse report and revie# availability
performance and capacity. Identify deviations from
established baselines. <evie# trend analysis reports
identifying any signi!cant issues and variances initiating
actions #here necessary and ensuring that all
outstanding issues are follo#ed up.
Address deviations by investigating and resolving
identi!ed availability performance and capacity issues.
%nderstand the scope and impact of the envisioned
change and sta'eholder readinessG#illingness to change.
Identify actions to motivate sta'eholders to accept and
#ant to ma'e the change #or' successfully.
20 of (01
&overnance Practice
-stablish an e6ective implementation team by
assembling appropriate members creating trust and
establishing common goals and e6ectiveness measures.
Communicate the desired vision for the change in the
language of those a6ected by it. 5he communication
should be made by senior management and include the
rationale for and bene!ts of the change the impacts of
not ma'ing the change: and the vision the road map and
the involvement re4uired of the various sta'eholders.
-mpo#er those #ith implementation roles by ensuring
that accountabilities are assigned providing training and
aligning organisational structures and E< processes.
Identify and communicate short8term #ins that can be
realised and are important from a change enablement
perspective.
)lan and implement all technical operational and usage
aspects such that all those #ho are involved in the future
state environment can e=ercise their responsibility.
-mbed the ne# approaches by trac'ing implemented
changes assessing the e6ectiveness of the operation
and use plan and sustaining ongoing a#areness through
regular communication. 5a'e corrective measures as
appropriate #hich may include enforcing compliance.
Sustain changes through e6ective training of ne# sta6
ongoing communication campaigns continued top
management commitment adoption monitoring and
sharing of lessons learned across the enterprise.
-valuate all re4uests for change to determine the impact
on business processes and I5 services and to assess
#hether change #ill adversely a6ect the operational
environment and introduce unacceptable ris'. -nsure
that changes are logged prioritised categorised
assessed authorised planned and scheduled.
Carefully manage emergency changes to minimise
further incidents and ma'e sure the change is controlled
and ta'es place securely. Herify that emergency changes
are appropriately assessed and authorised after the
change.
21 of (01
&overnance Practice
/aintain a trac'ing and reporting system to document
re7ected changes communicate the status of approved
and in8process changes and complete changes. /a'e
certain that approved changes are implemented as
planned.
Ihenever changes are implemented update accordingly
the solution and user documentation and the procedures
a6ected by the change.
-stablish an implementation plan that covers system and
data conversion acceptance testing criteria
communication training release preparation promotion
to production early production support a
fallbac'Gbac'out plan and a post8implementation revie#.
2btain approval from relevant parties.
)repare for business process I5 service data and
infrastructure migration as part of the enterprise&s
development methods including audit trails and a
recovery plan should the migration fail.
-stablish a test plan based on enterprise#ide standards
that de!ne roles responsibilities and entry and e=it
criteria. -nsure that the plan is approved by relevant
parties.
.e!ne and establish a secure test environment
representative of the planned business process and I5
operations environment performance and capacity
security internal controls operational practices data
4uality and privacy re4uirements and #or'loads.
5est changes independently in accordance #ith the
de!ned test plan prior to migration to the live operational
environment.
)romote the accepted solution to the business and
operations. Ihere appropriate run the solution as a pilot
implementation or in parallel #ith the old solution for a
de!ned period and compare behaviour and results. If
signi!cant problems occur revert bac' to the original
environment based on the fallbac'Gbac'out plan. /anage
releases of solution components.
)rovide early support to the users and I5 operations for
an agreed8on period of time to deal #ith issues and help
stabilise the ne# solution.
2? of (01
&overnance Practice
Conduct a post8implementation revie# to con!rm
outcome and results identify lessons learned and
develop an action plan. -valuate and chec' the actual
performance and outcomes of the ne# or changed
service against the predicted performance and outcomes
"i.e. the service e=pected by the user or customer$.
.evise and implement a scheme to nurture and facilitate
a 'no#ledge8sharing culture.
Identify validate and classify diverse sources of internal
and e=ternal information re4uired to enable e6ective use
and operation of business processes and I5 services.
2rganise information based on classi!cation criteria.
Identify and create meaningful relationships bet#een
information elements and enable use of information.
Identify o#ners and de!ne and implement levels of
access to 'no#ledge resources.
)ropagate available 'no#ledge resources to relevant
sta'eholders and communicate ho# these resources can
be used to address di6erent needs "e.g. problem solving
learning strategic planning and decision ma'ing$.
/easure the use and evaluate the currency and
relevance of information. <etire obsolete information.
/aintain an up8to8date and accurate record of all I5
assets re4uired to deliver services and ensure alignment
#ith con!guration management and !nancial
management.
Identify assets that are critical in providing service
capability and ta'e steps to ma=imise their reliability and
availability to support business needs.
2+ of (01
&overnance Practice
/anage assets from procurement to disposal to ensure
that assets are utilised as e6ectively and e;ciently as
possible and are accounted for and physically protected.
<egularly revie# the overall asset base to identify #ays
to optimise costs and maintain alignment #ith business
needs.
/anage soft#are licences so that the optimal number of
licences is maintained to support business re4uirements
and the number of licences o#ned is su;cient to cover
the installed soft#are in use.
-stablish and maintain a logical model of the services
assets and infrastructure and ho# to record con!guration
items "CIs$ and the relationships amongst them. Include
the CIs considered necessary to manage services
e6ectively and to provide a single reliable description of
the assets in a service.
-stablish and maintain a con!guration management
repository and create controlled con!guration baselines.
/aintain an up8to8date repository of con!guration items
by populating #ith changes.
.e!ne and produce con!guration reports on status
changes of con!guration items.
)eriodically revie# the con!guration repository and verify
completeness and correctness against the desired target.
2B of (01
Listed below are the activities associated with each of the governance and management practices in COBIT 5.
Activities* -rr*102
Area Domain Process Practice ID Practice "ame
,overnance -./01 -./01.01
,overnance -./01 -./01.01
,overnance -./01 -./01.01
,overnance -./01 -./01.01
,overnance -./01 -./01.01
,overnance -./01 -./01.01
The activities are sorted in the order in which the% appear in COBIT 5: Enabling Processes
Process
ID
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
2C of (01
Process
ID
,overnance -./01 -./01.01
,overnance -./01 -./01.01
,overnance -./01 -./01.02
,overnance -./01 -./01.02
,overnance -./01 -./01.02
,overnance -./01 -./01.02
,overnance -./01 -./01.02
,overnance -./01 -./01.02
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
-valuate the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
.irect the governance
system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
system.
(0 of (01
Process
ID
,overnance -./01 -./01.0(
,overnance -./01 -./01.0(
,overnance -./01 -./01.0(
,overnance -./01 -./01.0(
,overnance -./01 -./01.0(
,overnance -./01 -./01.0(
,overnance -./02 -./02.01
,overnance -./02 -./02.01
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
/onitor the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
/onitor the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
/onitor the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
/onitor the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
/onitor the
governance system.
-valuate .irect
and /onitor
-nsure ,overnance
3rame#or' Setting
and /aintenance
/onitor the
governance system.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
(1 of (01
Process
ID
,overnance -./02 -./02.01
,overnance -./02 -./02.01
,overnance -./02 -./02.01
,overnance -./02 -./02.01
,overnance -./02 -./02.01
,overnance -./02 -./02.01
,overnance -./02 -./02.02
,overnance -./02 -./02.02
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
-valuate value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
.irect value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
.irect value
optimisation.
(2 of (01
Process
ID
,overnance -./02 -./02.02
,overnance -./02 -./02.02
,overnance -./02 -./02.02
,overnance -./02 -./02.02
,overnance -./02 -./02.02
,overnance -./02 -./02.0(
,overnance -./02 -./02.0(
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
.irect value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
.irect value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
.irect value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
.irect value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
.irect value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
/onitor value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
/onitor value
optimisation.
(( of (01
Process
ID
,overnance -./02 -./02.0(
,overnance -./02 -./02.0(
,overnance -./02 -./02.0(
,overnance -./0( -./0(.01
,overnance -./0( -./0(.01
,overnance -./0( -./0(.01
,overnance -./0( -./0(.01
,overnance -./0( -./0(.01
,overnance -./0( -./0(.01
,overnance -./0( -./0(.02
,overnance -./0( -./0(.02
,overnance -./0( -./0(.02
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
/onitor value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
/onitor value
optimisation.
-valuate .irect
and /onitor
-nsure 9ene!ts
.elivery
/onitor value
optimisation.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
-valuate ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
-valuate ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
-valuate ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
-valuate ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
-valuate ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
-valuate ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
.irect ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
.irect ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
.irect ris'
management.
(0 of (01
Process
ID
,overnance -./0( -./0(.02
,overnance -./0( -./0(.02
,overnance -./0( -./0(.02
,overnance -./0( -./0(.0(
,overnance -./0( -./0(.0(
,overnance -./0( -./0(.0(
,overnance -./0( -./0(.0(
,overnance -./00 -./00.01
,overnance -./00 -./00.01
,overnance -./00 -./00.01
,overnance -./00 -./00.01
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
.irect ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
.irect ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
.irect ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
/onitor ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
/onitor ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
/onitor ris'
management.
-valuate .irect
and /onitor
-nsure <is'
2ptimisation
/onitor ris'
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
-valuate resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
-valuate resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
-valuate resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
-valuate resource
management.
(1 of (01
Process
ID
,overnance -./00 -./00.01
,overnance -./00 -./00.02
,overnance -./00 -./00.02
,overnance -./00 -./00.02
,overnance -./00 -./00.02
,overnance -./00 -./00.02
,overnance -./00 -./00.0(
,overnance -./00 -./00.0(
,overnance -./00 -./00.0(
,overnance -./01 -./01.01
,overnance -./01 -./01.01
,overnance -./01 -./01.01
,overnance -./01 -./01.02
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
-valuate resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
.irect resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
.irect resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
.irect resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
.irect resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
.irect resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
/onitor resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
/onitor resource
management.
-valuate .irect
and /onitor
-nsure <esource
2ptimisation
/onitor resource
management.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
-valuate sta'eholder
reporting
re4uirements.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
reporting
re4uirements.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
reporting
re4uirements.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
.irect sta'eholder
communication and
reporting.
(? of (01
Process
ID
,overnance -./01 -./01.02
,overnance -./01 -./01.02
,overnance -./01 -./01.02
,overnance -./01 -./01.0(
,overnance -./01 -./01.0(
,overnance -./01 -./01.0(
/anagement A)201 A)201.01
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
.irect sta'eholder
communication and
reporting.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
.irect sta'eholder
communication and
reporting.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
.irect sta'eholder
communication and
reporting.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
/onitor sta'eholder
communication.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
/onitor sta'eholder
communication.
-valuate .irect
and /onitor
-nsure Sta'eholder
5ransparency
/onitor sta'eholder
communication.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
(+ of (01
Process
ID
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne the
organisational
structure.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
-stablish roles and
responsibilities.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
-stablish roles and
responsibilities.
(B of (01
Process
ID
/anagement A)201 A)201.0(
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
-stablish roles and
responsibilities.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
-stablish roles and
responsibilities.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
-stablish roles and
responsibilities.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
-stablish roles and
responsibilities.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
-stablish roles and
responsibilities.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/aintain the enablers
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
(C of (01
Process
ID
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
of the management
system.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
Communicate
management
ob7ectives and
direction.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
Communicate
management
ob7ectives and
direction.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
Communicate
management
ob7ectives and
direction.
00 of (01
Process
ID
/anagement A)201 A)201.0?
/anagement A)201 A)201.0+
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
2ptimise the
placement of the I5
function.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
2ptimise the
placement of the I5
function.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
2ptimise the
placement of the I5
function.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne information
"data$ and system
o#nership.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne information
"data$ and system
o#nership.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne information
"data$ and system
o#nership.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
.e!ne information
"data$ and system
o#nership.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/anage continual
improvement of
processes.
01 of (01
Process
ID
/anagement A)201 A)201.0B
/anagement A)202 /anage Strategy A)202.01
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/anage continual
improvement of
processes.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/anage continual
improvement of
processes.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/anage continual
improvement of
processes.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/anage continual
improvement of
processes.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/aintain compliance
#ith policies and
procedures.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/aintain compliance
#ith policies and
procedures.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/aintain compliance
#ith policies and
procedures.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/aintain compliance
#ith policies and
procedures.
Align )lan and
2rganise
/anage the I5
/anagement
3rame#or'
/aintain compliance
#ith policies and
procedures.
Align )lan and
2rganise
%nderstand enterprise
direction.
02 of (01
Process
ID
Align )lan and
2rganise
direction.
Align )lan and
2rganise
direction.
Align )lan and
2rganise
direction.
Align )lan and
2rganise
direction.
Align )lan and
2rganise
direction.
Align )lan and
2rganise
Assess the current
environment
capabilities and
performance.
Align )lan and
2rganise
Assess the current
environment
capabilities and
performance.
Align )lan and
2rganise
Assess the current
environment
capabilities and
performance.
Align )lan and
2rganise
Assess the current
environment
capabilities and
performance.
0( of (01
Process
ID
/anagement A)202 /anage Strategy A)202.0(
Align )lan and
2rganise
.e!ne the target I5
capabilities.
Align )lan and
2rganise
.e!ne the target I5
capabilities.
Align )lan and
2rganise
.e!ne the target I5
capabilities.
Align )lan and
2rganise
.e!ne the target I5
capabilities.
Align )lan and
2rganise
.e!ne the target I5
capabilities.
Align )lan and
2rganise
.e!ne the target I5
capabilities.
Align )lan and
2rganise
Conduct a gap
analysis.
Align )lan and
2rganise
Conduct a gap
analysis.
Align )lan and
2rganise
Conduct a gap
analysis.
Align )lan and
2rganise
Conduct a gap
analysis.
Align )lan and
2rganise
.e!ne the strategic
plan and road map.
Align )lan and
2rganise
.e!ne the strategic
plan and road map.
00 of (01
Process
ID
/anagement A)202 /anage Strategy A)202.0?
/anagement A)20( A)20(.01
Align )lan and
2rganise
.e!ne the strategic
plan and road map.
Align )lan and
2rganise
.e!ne the strategic
plan and road map.
Align )lan and
2rganise
.e!ne the strategic
plan and road map.
Align )lan and
2rganise
.e!ne the strategic
plan and road map.
Align )lan and
2rganise
.e!ne the strategic
plan and road map.
Align )lan and
2rganise
Communicate the I5
strategy and direction.
Align )lan and
2rganise
Communicate the I5
Align )lan and
2rganise
Communicate the I5
Align )lan and
2rganise
Communicate the I5
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
architecture vision.
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
01 of (01
Process
ID
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
.evelop the
enterprise
0? of (01
Process
ID
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
0+ of (01
Process
ID
/anagement A)20( A)20(.0(
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne reference
architecture.
Align )lan and
2rganise
/anage -nterprise
Architecture
Select opportunities
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
0B of (01
Process
ID
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
and solutions.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne architecture
implementation.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne architecture
implementation.
Align )lan and
2rganise
/anage -nterprise
Architecture
.e!ne architecture
implementation.
Align )lan and
2rganise
/anage -nterprise
Architecture
)rovide enterprise
architecture services.
Align )lan and
2rganise
/anage -nterprise
Architecture
)rovide enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
)rovide enterprise
0C of (01
Process
ID
/anagement A)200 /anage Innovation A)200.01
Align )lan and
2rganise
/anage -nterprise
Architecture
)rovide enterprise
Align )lan and
2rganise
/anage -nterprise
Architecture
)rovide enterprise
Align )lan and
2rganise
Create an
environment
conducive to
innovation.
Align )lan and
2rganise
Create an
environment
conducive to
innovation.
Align )lan and
2rganise
Create an
environment
conducive to
innovation.
Align )lan and
2rganise
Create an
environment
conducive to
innovation.
Align )lan and
2rganise
Create an
environment
conducive to
innovation.
Align )lan and
2rganise
/aintain an
understanding of the
enterprise
environment.
10 of (01
Process
ID
/anagement A)200 /anage Innovation A)200.0(
Align )lan and
2rganise
/aintain an
enterprise
environment.
Align )lan and
2rganise
/aintain an
enterprise
environment.
Align )lan and
2rganise
/onitor and scan the
technology
environment.
Align )lan and
2rganise
technology
environment.
Align )lan and
2rganise
technology
environment.
Align )lan and
2rganise
technology
environment.
Align )lan and
2rganise
Assess the potential of
emerging
technologies and
innovation ideas.
Align )lan and
2rganise
emerging
technologies and
innovation ideas.
Align )lan and
2rganise
emerging
technologies and
innovation ideas.
11 of (01
Process
ID
/anagement A)200 /anage Innovation A)200.0?
Align )lan and
2rganise
emerging
technologies and
innovation ideas.
Align )lan and
2rganise
emerging
technologies and
innovation ideas.
Align )lan and
2rganise
<ecommend
appropriate further
initiatives.
Align )lan and
2rganise
<ecommend
appropriate further
initiatives.
Align )lan and
2rganise
<ecommend
appropriate further
initiatives.
Align )lan and
2rganise
<ecommend
appropriate further
initiatives.
Align )lan and
2rganise
/onitor the
implementation and
use of innovation.
Align )lan and
2rganise
/onitor the
implementation and
use of innovation.
Align )lan and
2rganise
/onitor the
implementation and
use of innovation.
Align )lan and
2rganise
/onitor the
implementation and
use of innovation.
12 of (01
Process
ID
/anagement A)201 /anage )ortfolio A)201.01
/anagement A)201 /anage )ortfolio A)201.0(
Align )lan and
2rganise
-stablish the target
investment mi=.
Align )lan and
2rganise
investment mi=.
Align )lan and
2rganise
investment mi=.
Align )lan and
2rganise
investment mi=.
Align )lan and
2rganise
investment mi=.
Align )lan and
2rganise
.etermine the
availability and
sources of funds.
Align )lan and
2rganise
.etermine the
availability and
sources of funds.
Align )lan and
2rganise
.etermine the
availability and
sources of funds.
Align )lan and
2rganise
-valuate and select
programmes to fund.
1( of (01
Process
ID
Align )lan and
2rganise
-valuate and select
programmes to fund.
Align )lan and
2rganise
-valuate and select
programmes to fund.
Align )lan and
2rganise
-valuate and select
programmes to fund.
Align )lan and
2rganise
-valuate and select
programmes to fund.
Align )lan and
2rganise
-valuate and select
programmes to fund.
Align )lan and
2rganise
/onitor optimise and
report on investment
portfolio performance.
Align )lan and
2rganise
10 of (01
Process
ID
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
11 of (01
Process
ID
/anagement A)201 /anage )ortfolio A)201.01 /aintain portfolios.
/anagement A)201 /anage )ortfolio A)201.0?
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
/anage bene!ts
achievement.
Align )lan and
2rganise
/anage bene!ts
achievement.
Align )lan and
2rganise
/anage bene!ts
achievement.
1? of (01
Process
ID
/anagement A)20? A)20?.01
Align )lan and
2rganise
/anage 9udget and
Costs
/anage !nance and
accounting.
Align )lan and
2rganise
/anage 9udget and
Costs
/anage !nance and
accounting.
Align )lan and
2rganise
/anage 9udget and
Costs
/anage !nance and
accounting.
Align )lan and
2rganise
/anage 9udget and
Costs
/anage !nance and
accounting.
Align )lan and
2rganise
/anage 9udget and
Costs
/anage !nance and
accounting.
Align )lan and
2rganise
/anage 9udget and
Costs
)rioritise resource
allocation.
1+ of (01
Process
ID
/anagement A)20? A)20?.0(
Align )lan and
2rganise
/anage 9udget and
Costs
)rioritise resource
allocation.
Align )lan and
2rganise
/anage 9udget and
Costs
)rioritise resource
allocation.
Align )lan and
2rganise
/anage 9udget and
Costs
)rioritise resource
allocation.
Align )lan and
2rganise
/anage 9udget and
Costs
Create and maintain
budgets.
Align )lan and
2rganise
/anage 9udget and
Costs
Create and maintain
budgets.
Align )lan and
2rganise
/anage 9udget and
Costs
Create and maintain
budgets.
Align )lan and
2rganise
/anage 9udget and
Costs
Create and maintain
budgets.
1B of (01
Process
ID
Align )lan and
2rganise
/anage 9udget and
Costs
Create and maintain
budgets.
Align )lan and
2rganise
/anage 9udget and
Costs
Create and maintain
budgets.
Align )lan and
2rganise
/anage 9udget and
Costs
Create and maintain
budgets.
Align )lan and
2rganise
/anage 9udget and
Costs
/odel and allocate
costs.
Align )lan and
2rganise
/anage 9udget and
Costs
/odel and allocate
costs.
Align )lan and
2rganise
/anage 9udget and
Costs
/odel and allocate
costs.
Align )lan and
2rganise
/anage 9udget and
Costs
/odel and allocate
costs.
Align )lan and
2rganise
/anage 9udget and
Costs
/odel and allocate
costs.
Align )lan and
2rganise
/anage 9udget and
Costs
/odel and allocate
costs.
1C of (01
Process
ID
/anagement A)20? A)20?.01 /anage costs.
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage 9udget and
Costs
?0 of (01
Process
ID
/anagement A)20+ A)20+.01
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage 9udget and
Costs
Align )lan and
2rganise
/anage Euman
<esources
/aintain ade4uate
and appropriate
sta;ng.
Align )lan and
2rganise
/anage Euman
<esources
/aintain ade4uate
and appropriate
sta;ng.
Align )lan and
2rganise
/anage Euman
<esources
/aintain ade4uate
and appropriate
sta;ng.
Align )lan and
2rganise
/anage Euman
<esources
/aintain ade4uate
and appropriate
sta;ng.
Align )lan and
2rganise
/anage Euman
<esources
/aintain ade4uate
and appropriate
sta;ng.
Align )lan and
2rganise
/anage Euman
<esources
Identify 'ey I5
personnel.
?1 of (01
Process
ID
/anagement A)20+ A)20+.0(
Align )lan and
2rganise
/anage Euman
<esources
Identify 'ey I5
personnel.
Align )lan and
2rganise
/anage Euman
<esources
Identify 'ey I5
personnel.
Align )lan and
2rganise
/anage Euman
<esources
Identify 'ey I5
personnel.
Align )lan and
2rganise
/anage Euman
<esources
/aintain the s'ills and
competencies of
personnel.
Align )lan and
2rganise
/anage Euman
<esources
competencies of
personnel.
Align )lan and
2rganise
/anage Euman
<esources
competencies of
personnel.
Align )lan and
2rganise
/anage Euman
<esources
competencies of
personnel.
Align )lan and
2rganise
/anage Euman
<esources
competencies of
personnel.
Align )lan and
2rganise
/anage Euman
<esources
competencies of
personnel.
Align )lan and
2rganise
/anage Euman
<esources
competencies of
personnel.
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
?2 of (01
Process
ID
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
Align )lan and
2rganise
/anage Euman
<esources
-valuate employee
7ob performance.
Align )lan and
2rganise
/anage Euman
<esources
)lan and trac' the
usage of I5 and
business human
resources.
Align )lan and
2rganise
/anage Euman
<esources
)lan and trac' the
usage of I5 and
business human
resources.
?( of (01
Process
ID
/anagement A)20+ A)20+.0? /anage contract sta6.
Align )lan and
2rganise
/anage Euman
<esources
)lan and trac' the
usage of I5 and
business human
resources.
Align )lan and
2rganise
/anage Euman
<esources
)lan and trac' the
usage of I5 and
business human
resources.
Align )lan and
2rganise
/anage Euman
<esources
Align )lan and
2rganise
/anage Euman
<esources
Align )lan and
2rganise
/anage Euman
<esources
Align )lan and
2rganise
/anage Euman
<esources
Align )lan and
2rganise
/anage Euman
<esources
Align )lan and
2rganise
/anage Euman
<esources
Align )lan and
2rganise
/anage Euman
<esources
?0 of (01
Process
ID
/anagement A)20B A)20B.01
Align )lan and
2rganise
/anage Euman
<esources
Align )lan and
2rganise
/anage
<elationships
%nderstand business
e=pectations.
Align )lan and
2rganise
/anage
<elationships
%nderstand business
e=pectations.
Align )lan and
2rganise
/anage
<elationships
%nderstand business
e=pectations.
Align )lan and
2rganise
/anage
<elationships
%nderstand business
e=pectations.
Align )lan and
2rganise
/anage
<elationships
%nderstand business
e=pectations.
Align )lan and
2rganise
/anage
<elationships
%nderstand business
e=pectations.
Align )lan and
2rganise
/anage
<elationships
%nderstand business
e=pectations.
Align )lan and
2rganise
/anage
<elationships
Identify opportunities
ris' and constraints
for I5 to enhance the
business.
?1 of (01
Process
ID
/anagement A)20B A)20B.0(
Align )lan and
2rganise
/anage
<elationships
business.
Align )lan and
2rganise
/anage
<elationships
business.
Align )lan and
2rganise
/anage
<elationships
business.
Align )lan and
2rganise
/anage
<elationships
business.
Align )lan and
2rganise
/anage
<elationships
/anage the business
relationship.
Align )lan and
2rganise
/anage
<elationships
/anage the business
relationship.
Align )lan and
2rganise
/anage
<elationships
/anage the business
relationship.
?? of (01
Process
ID
Align )lan and
2rganise
/anage
<elationships
/anage the business
relationship.
Align )lan and
2rganise
/anage
<elationships
/anage the business
relationship.
Align )lan and
2rganise
/anage
<elationships
Co8ordinate and
communicate.
Align )lan and
2rganise
/anage
<elationships
Co8ordinate and
communicate.
Align )lan and
2rganise
/anage
<elationships
Co8ordinate and
communicate.
Align )lan and
2rganise
/anage
<elationships
Co8ordinate and
communicate.
Align )lan and
2rganise
/anage
<elationships
)rovide input to the
continual
improvement of
services.
Align )lan and
2rganise
/anage
<elationships
continual
improvement of
services.
Align )lan and
2rganise
/anage
<elationships
continual
improvement of
services.
?+ of (01
Process
ID
/anagement A)20C A)20C.01 Identify I5 services.
/anagement A)20C A)20C.02
/anagement A)20C A)20C.0(
Align )lan and
2rganise
/anage Service
Agreements
Align )lan and
2rganise
/anage Service
Agreements
Align )lan and
2rganise
/anage Service
Agreements
Align )lan and
2rganise
/anage Service
Agreements
Align )lan and
2rganise
/anage Service
Agreements
Align )lan and
2rganise
/anage Service
Agreements
Align )lan and
2rganise
/anage Service
Agreements
Catalogue I58enabled
services.
Align )lan and
2rganise
/anage Service
Agreements
services.
Align )lan and
2rganise
/anage Service
Agreements
services.
Align )lan and
2rganise
/anage Service
Agreements
.e!ne and prepare
service agreements.
?B of (01
Process
ID
/anagement A)210 /anage Suppliers A)210.01
Align )lan and
2rganise
/anage Service
Agreements
.e!ne and prepare
service agreements.
Align )lan and
2rganise
/anage Service
Agreements
.e!ne and prepare
service agreements.
Align )lan and
2rganise
/anage Service
Agreements
.e!ne and prepare
service agreements.
Align )lan and
2rganise
/anage Service
Agreements
.e!ne and prepare
service agreements.
Align )lan and
2rganise
/anage Service
Agreements
/onitor and report
service levels.
Align )lan and
2rganise
/anage Service
Agreements
/onitor and report
service levels.
Align )lan and
2rganise
/anage Service
Agreements
/onitor and report
service levels.
Align )lan and
2rganise
/anage Service
Agreements
/onitor and report
service levels.
Align )lan and
2rganise
/anage Service
Agreements
/onitor and report
service levels.
Align )lan and
2rganise
/anage Service
Agreements
<evie# service
agreements and
contracts.
Align )lan and
2rganise
Identify and evaluate
supplier relationships
and contracts.
Align )lan and
2rganise
and contracts.
?C of (01
Process
ID
/anagement A)210 /anage Suppliers A)210.02 Select suppliers.
Align )lan and
2rganise
and contracts.
Align )lan and
2rganise
and contracts.
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
+0 of (01
Process
ID
/anagement A)210 /anage Suppliers A)210.0(
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
+1 of (01
Process
ID
/anagement A)210 /anage Suppliers A)210.00 /anage supplier ris'.
/anagement A)210 /anage Suppliers A)210.00 /anage supplier ris'.
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
Align )lan and
2rganise
/anage supplier
relationships and
contracts.
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
/onitor supplier
performance and
compliance.
Align )lan and
2rganise
/onitor supplier
performance and
compliance.
Align )lan and
2rganise
/onitor supplier
performance and
compliance.
+2 of (01
Process
ID
/anagement A)211 /anage Duality A)211.01
Align )lan and
2rganise
/onitor supplier
performance and
compliance.
Align )lan and
2rganise
/onitor supplier
performance and
compliance.
Align )lan and
2rganise
/onitor supplier
performance and
compliance.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
Align )lan and
2rganise
-stablish a 4uality
management system
"D/S$.
+( of (01
Process
ID
/anagement A)211 /anage Duality A)211.0(
Align )lan and
2rganise
.e!ne and manage
4uality standards
practices and
procedures.
Align )lan and
2rganise
.e!ne and manage
4uality standards
practices and
procedures.
Align )lan and
2rganise
3ocus 4uality
management on
customers.
Align )lan and
2rganise
3ocus 4uality
management on
customers.
Align )lan and
2rganise
3ocus 4uality
management on
customers.
Align )lan and
2rganise
3ocus 4uality
management on
customers.
Align )lan and
2rganise
3ocus 4uality
management on
customers.
Align )lan and
2rganise
3ocus 4uality
management on
customers.
+0 of (01
Process
ID
Align )lan and
2rganise
)erform 4uality
monitoring control
and revie#s.
Align )lan and
2rganise
)erform 4uality
monitoring control
and revie#s.
Align )lan and
2rganise
)erform 4uality
monitoring control
and revie#s.
Align )lan and
2rganise
)erform 4uality
monitoring control
and revie#s.
Align )lan and
2rganise
)erform 4uality
monitoring control
and revie#s.
Align )lan and
2rganise
)erform 4uality
monitoring control
and revie#s.
Align )lan and
2rganise
)erform 4uality
monitoring control
and revie#s.
Align )lan and
2rganise
Integrate 4uality
management into
solutions for
development and
service delivery.
Align )lan and
2rganise
Integrate 4uality
management into
solutions for
development and
service delivery.
+1 of (01
Process
ID
/anagement A)211 /anage Duality A)211.0?
/anagement A)212 /anage <is' A)212.01 Collect data.
Align )lan and
2rganise
Integrate 4uality
management into
solutions for
development and
service delivery.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
/aintain continuous
improvement.
Align )lan and
2rganise
+? of (01
Process
ID
/anagement A)212 /anage <is' A)212.02 Analyse ris'.
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
++ of (01
Process
ID
/anagement A)212 /anage <is' A)212.0( /aintain a ris' pro!le.
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
+B of (01
Process
ID
/anagement A)212 /anage <is' A)212.00 Articulate ris'.
/anagement A)212 /anage <is' A)212.01
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
.e!ne a ris'
management action
portfolio.
+C of (01
Process
ID
/anagement A)212 /anage <is' A)212.0? <espond to ris'.
/anagement A)21( /anage Security A)21(.01
Align )lan and
2rganise
.e!ne a ris'
management action
portfolio.
Align )lan and
2rganise
.e!ne a ris'
management action
portfolio.
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
Align )lan and
2rganise
-stablish and maintain
an IS/S.
Align )lan and
2rganise
an IS/S.
Align )lan and
2rganise
an IS/S.
B0 of (01
Process
ID
Align )lan and
2rganise
an IS/S.
Align )lan and
2rganise
an IS/S.
Align )lan and
2rganise
an IS/S.
Align )lan and
2rganise
an IS/S.
Align )lan and
2rganise
.e!ne and manage an
information security
ris' treatment plan.
Align )lan and
2rganise
.e!ne and manage an
Align )lan and
2rganise
.e!ne and manage an
Align )lan and
2rganise
.e!ne and manage an
Align )lan and
2rganise
.e!ne and manage an
B1 of (01
Process
ID
/anagement A)21( /anage Security A)21(.0(
Align )lan and
2rganise
.e!ne and manage an
Align )lan and
2rganise
.e!ne and manage an
Align )lan and
2rganise
/onitor and revie#
the IS/S.
Align )lan and
2rganise
/onitor and revie#
the IS/S.
Align )lan and
2rganise
/onitor and revie#
the IS/S.
Align )lan and
2rganise
/onitor and revie#
the IS/S.
Align )lan and
2rganise
/onitor and revie#
the IS/S.
B2 of (01
Process
ID
/anagement 9AI01 9AI01.02 Initiate a programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/aintain a standard
approach for
programme and
pro7ect management.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/aintain a standard
approach for
programme and
pro7ect management.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
B( of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage sta'eholder
engagement.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage sta'eholder
engagement.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage sta'eholder
engagement.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage sta'eholder
engagement.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
.evelop and maintain
the programme plan.
B0 of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
the programme plan.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
the programme plan.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
the programme plan.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
the programme plan.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
the programme plan.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
the programme plan.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
@aunch and e=ecute
the programme.
B1 of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
@aunch and e=ecute
the programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
@aunch and e=ecute
the programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
@aunch and e=ecute
the programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
@aunch and e=ecute
the programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control and
report on the
programme outcomes.
B? of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control and
report on the
programme outcomes.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control and
report on the
programme outcomes.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control and
report on the
programme outcomes.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control and
report on the
programme outcomes.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control and
report on the
programme outcomes.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor control and
report on the
programme outcomes.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Start up and initiate
pro7ects #ithin a
programme.
B+ of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
pro7ects #ithin a
programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
pro7ects #ithin a
programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
pro7ects #ithin a
programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
pro7ects #ithin a
programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
pro7ects #ithin a
programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
BB of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
and pro7ect 4uality.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
and pro7ect ris'.
BC of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
and pro7ect ris'.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
and pro7ect ris'.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
and pro7ect ris'.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
and pro7ect ris'.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage programme
and pro7ect ris'.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
C0 of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/onitor and control
pro7ects.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and #or'
pac'ages.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and #or'
pac'ages.
C1 of (01
Process
ID
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and #or'
pac'ages.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and #or'
pac'ages.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and #or'
pac'ages.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and #or'
pac'ages.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
/anage pro7ect
resources and #or'
pac'ages.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Close a pro7ect or
iteration.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Close a pro7ect or
iteration.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Close a pro7ect or
iteration.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Close a pro7ect or
iteration.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
Close a pro7ect or
iteration.
C2 of (01
Process
ID
/anagement 9AI01 9AI01.10 Close a programme.
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
)rogrammes and
)ro7ects
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
C( of (01
Process
ID
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
.e!ne and maintain
business functional
and technical
re4uirements.
C0 of (01
Process
ID
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
)erform a feasibility
study and formulate
alternative solutions.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
study and formulate
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
study and formulate
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
study and formulate
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
/anage re4uirements
ris'.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
/anage re4uirements
ris'.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
/anage re4uirements
ris'.
C1 of (01
Process
ID
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
2btain approval of
re4uirements and
solutions.
9uild Ac4uire and
Implement
/anage
<e4uirements
.e!nition
2btain approval of
re4uirements and
solutions.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign high8level
solutions.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign high8level
solutions.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign high8level
solutions.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign high8level
solutions.
C? of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
solution components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
C+ of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.esign detailed
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.evelop solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.evelop solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.evelop solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.evelop solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.evelop solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.evelop solution
components.
CB of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)rocure solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)rocure solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)rocure solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)rocure solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)rocure solution
components.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
CC of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)erform 4uality
assurance.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)erform 4uality
assurance.
100 of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)erform 4uality
assurance.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)erform 4uality
assurance.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
)repare for solution
testing.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
testing.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
testing.
101 of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-=ecute solution
testing.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-=ecute solution
testing.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-=ecute solution
testing.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-=ecute solution
testing.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
-=ecute solution
testing.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
/anage changes to
re4uirements.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
/anage changes to
re4uirements.
102 of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
/anage changes to
re4uirements.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
10( of (01
Process
ID
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
.e!ne I5 services and
maintain the service
portfolio.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
portfolio.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
portfolio.
9uild Ac4uire and
Implement
/anage Solutions
Identi!cation and
9uild
portfolio.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess current
availability
performance and
capacity and create a
baseline.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess current
availability
performance and
baseline.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess current
availability
performance and
baseline.
100 of (01
Process
ID
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess current
availability
performance and
baseline.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess business
impact.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess business
impact.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess business
impact.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess business
impact.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess business
impact.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess business
impact.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Assess business
impact.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
)lan for ne# or
changed service
re4uirements.
101 of (01
Process
ID
9uild Ac4uire and
Implement
/anage Availability
and Capacity
)lan for ne# or
changed service
re4uirements.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
)lan for ne# or
changed service
re4uirements.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
)lan for ne# or
changed service
re4uirements.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
)lan for ne# or
changed service
re4uirements.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
/onitor and revie#
availability and
capacity.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
/onitor and revie#
availability and
capacity.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
/onitor and revie#
availability and
capacity.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
/onitor and revie#
availability and
capacity.
10? of (01
Process
ID
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Investigate and
address availability
performance and
capacity issues.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Investigate and
performance and
capacity issues.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Investigate and
performance and
capacity issues.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Investigate and
performance and
capacity issues.
9uild Ac4uire and
Implement
/anage Availability
and Capacity
Investigate and
performance and
capacity issues.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-stablish the desire to
change.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
change.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
change.
10+ of (01
Process
ID
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
change.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
3orm an e6ective
implementation team.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
3orm an e6ective
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
3orm an e6ective
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
Communicate desired
vision.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
Communicate desired
vision.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
Communicate desired
vision.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
Communicate desired
vision.
10B of (01
Process
ID
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
Communicate desired
vision.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-mpo#er role players
and identify short8
term #ins.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
and identify short8
term #ins.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
and identify short8
term #ins.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
and identify short8
term #ins.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
and identify short8
term #ins.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
and identify short8
term #ins.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-nable operation and
use.
10C of (01
Process
ID
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-nable operation and
use.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-mbed ne#
approaches.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-mbed ne#
approaches.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-mbed ne#
approaches.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-mbed ne#
approaches.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
-mbed ne#
approaches.
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
110 of (01
Process
ID
9uild Ac4uire and
Implement
/anage
2rganisational
Change -nablement
9uild Ac4uire and
Implement
-valuate prioritise
and authorise change
re4uests.
9uild Ac4uire and
Implement
-valuate prioritise
re4uests.
9uild Ac4uire and
Implement
-valuate prioritise
re4uests.
9uild Ac4uire and
Implement
-valuate prioritise
re4uests.
9uild Ac4uire and
Implement
-valuate prioritise
re4uests.
111 of (01
Process
ID
9uild Ac4uire and
Implement
-valuate prioritise
re4uests.
9uild Ac4uire and
Implement
-valuate prioritise
re4uests.
9uild Ac4uire and
Implement
/anage emergency
changes.
9uild Ac4uire and
Implement
/anage emergency
changes.
9uild Ac4uire and
Implement
/anage emergency
changes.
9uild Ac4uire and
Implement
/anage emergency
changes.
9uild Ac4uire and
Implement
5rac' and report
change status.
112 of (01
Process
ID
9uild Ac4uire and
Implement
5rac' and report
change status.
9uild Ac4uire and
Implement
5rac' and report
change status.
9uild Ac4uire and
Implement
5rac' and report
change status.
9uild Ac4uire and
Implement
Close and document
the changes.
9uild Ac4uire and
Implement
Close and document
the changes.
9uild Ac4uire and
Implement
Close and document
the changes.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish an
implementation plan.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish an
11( of (01
Process
ID
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish an
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish an
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish an
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)lan business process
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
110 of (01
Process
ID
/anagement 9AI0+ 9AI0+.0( )lan acceptance tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
system and data
conversion.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
111 of (01
Process
ID
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
11? of (01
Process
ID
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish a test
environment.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish a test
environment.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish a test
environment.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish a test
environment.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
-stablish a test
environment.
11+ of (01
Process
ID
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
11B of (01
Process
ID
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform acceptance
tests.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)romote to production
and manage releases.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
11C of (01
Process
ID
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)rovide early
production support.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)rovide early
production support.
120 of (01
Process
ID
/anagement 9AI0B /anage Fno#ledge 9AI0B.01
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform a post8
implementation
revie#.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform a post8
implementation
revie#.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform a post8
implementation
revie#.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform a post8
implementation
revie#.
9uild Ac4uire and
Implement
/anage Change
Acceptance and
5ransitioning
)erform a post8
implementation
revie#.
9uild Ac4uire and
Implement
Nurture and facilitate
a 'no#ledge8sharing
culture.
9uild Ac4uire and
Implement
a 'no#ledge8sharing
culture.
121 of (01
Process
ID
/anagement 9AI0B /anage Fno#ledge 9AI0B.0(
9uild Ac4uire and
Implement
a 'no#ledge8sharing
culture.
9uild Ac4uire and
Implement
a 'no#ledge8sharing
culture.
9uild Ac4uire and
Implement
a 'no#ledge8sharing
culture.
9uild Ac4uire and
Implement
Identify and classify
sources of
information.
9uild Ac4uire and
Implement
sources of
information.
9uild Ac4uire and
Implement
sources of
information.
9uild Ac4uire and
Implement
sources of
information.
9uild Ac4uire and
Implement
2rganise and
conte=tualise
information into
'no#ledge.
9uild Ac4uire and
Implement
2rganise and
conte=tualise
information into
'no#ledge.
122 of (01
Process
ID
9uild Ac4uire and
Implement
2rganise and
conte=tualise
information into
'no#ledge.
9uild Ac4uire and
Implement
2rganise and
conte=tualise
information into
'no#ledge.
9uild Ac4uire and
Implement
%se and share
'no#ledge.
9uild Ac4uire and
Implement
%se and share
'no#ledge.
9uild Ac4uire and
Implement
%se and share
'no#ledge.
9uild Ac4uire and
Implement
-valuate and retire
information.
9uild Ac4uire and
Implement
-valuate and retire
information.
9uild Ac4uire and
Implement
Identify and record
current assets.
9uild Ac4uire and
Implement
Identify and record
current assets.
9uild Ac4uire and
Implement
Identify and record
current assets.
9uild Ac4uire and
Implement
Identify and record
current assets.
12( of (01
Process
ID
/anagement 9AI0C /anage Assets 9AI0C.02 /anage critical assets.
9uild Ac4uire and
Implement
Identify and record
current assets.
9uild Ac4uire and
Implement
Identify and record
current assets.
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
120 of (01
Process
ID
/anagement 9AI0C /anage Assets 9AI0C.00 2ptimise asset costs.
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
/anage the asset life
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
cycle.
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
121 of (01
Process
ID
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
9uild Ac4uire and
Implement
/anage
Con!guration
a con!guration model.
12? of (01
Process
ID
9uild Ac4uire and
Implement
/anage
Con!guration
a con!guration model.
9uild Ac4uire and
Implement
/anage
Con!guration
a con!guration
repository and
baseline.
9uild Ac4uire and
Implement
/anage
Con!guration
a con!guration
repository and
baseline.
9uild Ac4uire and
Implement
/anage
Con!guration
/aintain and control
con!guration items.
9uild Ac4uire and
Implement
/anage
Con!guration
con!guration items.
9uild Ac4uire and
Implement
/anage
Con!guration
con!guration items.
9uild Ac4uire and
Implement
/anage
Con!guration
con!guration items.
9uild Ac4uire and
Implement
/anage
Con!guration
)roduce status and
con!guration reports.
9uild Ac4uire and
Implement
/anage
Con!guration
)roduce status and
12+ of (01
Process
ID
/anagement .SS01 /anage 2perations .SS01.01
9uild Ac4uire and
Implement
/anage
Con!guration
)roduce status and
9uild Ac4uire and
Implement
/anage
Con!guration
Herify and revie#
integrity of the
con!guration
repository.
9uild Ac4uire and
Implement
/anage
Con!guration
Herify and revie#
integrity of the
con!guration
repository.
9uild Ac4uire and
Implement
/anage
Con!guration
Herify and revie#
integrity of the
con!guration
repository.
9uild Ac4uire and
Implement
/anage
Con!guration
Herify and revie#
integrity of the
con!guration
repository.
9uild Ac4uire and
Implement
/anage
Con!guration
Herify and revie#
integrity of the
con!guration
repository.
.eliver Service
and Support
)erform operational
procedures.
.eliver Service
and Support
)erform operational
procedures.
.eliver Service
and Support
)erform operational
procedures.
12B of (01
Process
ID
/anagement .SS01 /anage 2perations .SS01.0(
.eliver Service
and Support
)erform operational
procedures.
.eliver Service
and Support
)erform operational
procedures.
.eliver Service
and Support
/anage outsourced I5
services.
.eliver Service
and Support
services.
.eliver Service
and Support
services.
.eliver Service
and Support
services.
.eliver Service
and Support
/onitor I5
infrastructure.
.eliver Service
and Support
/onitor I5
infrastructure.
12C of (01
Process
ID
.eliver Service
and Support
/onitor I5
infrastructure.
.eliver Service
and Support
/onitor I5
infrastructure.
.eliver Service
and Support
/onitor I5
infrastructure.
.eliver Service
and Support
/onitor I5
infrastructure.
.eliver Service
and Support
/anage the
environment.
.eliver Service
and Support
/anage the
environment.
.eliver Service
and Support
/anage the
environment.
.eliver Service
and Support
/anage the
environment.
.eliver Service
and Support
/anage the
environment.
1(0 of (01
Process
ID
/anagement .SS01 /anage 2perations .SS01.01 /anage facilities.
.eliver Service
and Support
/anage the
environment.
.eliver Service
and Support
/anage the
environment.
.eliver Service
and Support
/anage the
environment.
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
1(1 of (01
Process
ID
/anagement .SS02 .SS02.01
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
.e!ne incident and
service re4uest
classi!cation
schemes.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
.e!ne incident and
service re4uest
classi!cation
schemes.
1(2 of (01
Process
ID
/anagement .SS02 .SS02.0(
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
.e!ne incident and
service re4uest
classi!cation
schemes.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
.e!ne incident and
service re4uest
classi!cation
schemes.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
.e!ne incident and
service re4uest
classi!cation
schemes.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
<ecord classify and
prioritise re4uests and
incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
<ecord classify and
incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
<ecord classify and
incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
Herify approve and
ful!l service re4uests.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
Herify approve and
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
Herify approve and
1(( of (01
Process
ID
/anagement .SS02 .SS02.0?
/anagement .SS02 .SS02.0+
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
Investigate diagnose
and allocate incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
<esolve and recover
from incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
<esolve and recover
from incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
<esolve and recover
from incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
<esolve and recover
from incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
Close service re4uests
and incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
Close service re4uests
and incidents.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
5rac' status and
produce reports.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
5rac' status and
produce reports.
1(0 of (01
Process
ID
/anagement .SS0( /anage )roblems .SS0(.01
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
5rac' status and
produce reports.
.eliver Service
and Support
/anage Service
<e4uests and
Incidents
5rac' status and
produce reports.
.eliver Service
and Support
problems.
.eliver Service
and Support
problems.
.eliver Service
and Support
problems.
.eliver Service
and Support
problems.
.eliver Service
and Support
problems.
.eliver Service
and Support
problems.
1(1 of (01
Process
ID
/anagement .SS0( /anage )roblems .SS0(.0( <aise 'no#n errors.
/anagement .SS0( /anage )roblems .SS0(.0( <aise 'no#n errors.
.eliver Service
and Support
Investigate and
diagnose problems.
.eliver Service
and Support
Investigate and
diagnose problems.
.eliver Service
and Support
Investigate and
diagnose problems.
.eliver Service
and Support
.eliver Service
and Support
.eliver Service
and Support
<esolve and close
problems.
.eliver Service
and Support
<esolve and close
problems.
.eliver Service
and Support
<esolve and close
problems.
.eliver Service
and Support
<esolve and close
problems.
.eliver Service
and Support
<esolve and close
problems.
1(? of (01
Process
ID
.eliver Service
and Support
<esolve and close
problems.
.eliver Service
and Support
)erform proactive
problem
management.
.eliver Service
and Support
)erform proactive
problem
management.
.eliver Service
and Support
)erform proactive
problem
management.
.eliver Service
and Support
)erform proactive
problem
management.
.eliver Service
and Support
)erform proactive
problem
management.
.eliver Service
and Support
)erform proactive
problem
management.
1(+ of (01
Process
ID
/anagement .SS00 /anage Continuity .SS00.01
.eliver Service
and Support
.e!ne the business
continuity policy
ob7ectives and scope.
.eliver Service
and Support
.e!ne the business
continuity policy
.eliver Service
and Support
.e!ne the business
continuity policy
.eliver Service
and Support
.e!ne the business
continuity policy
.eliver Service
and Support
/aintain a continuity
strategy.
.eliver Service
and Support
strategy.
.eliver Service
and Support
strategy.
.eliver Service
and Support
strategy.
.eliver Service
and Support
strategy.
1(B of (01
Process
ID
/anagement .SS00 /anage Continuity .SS00.0(
.eliver Service
and Support
strategy.
.eliver Service
and Support
strategy.
.eliver Service
and Support
strategy.
.eliver Service
and Support
.evelop and
implement a business
continuity response.
.eliver Service
and Support
.evelop and
.eliver Service
and Support
.evelop and
.eliver Service
and Support
.evelop and
.eliver Service
and Support
.evelop and
1(C of (01
Process
ID
.eliver Service
and Support
.evelop and
.eliver Service
and Support
.evelop and
.eliver Service
and Support
.evelop and
.eliver Service
and Support
-=ercise test and
revie# the 9C).
.eliver Service
and Support
-=ercise test and
revie# the 9C).
.eliver Service
and Support
-=ercise test and
revie# the 9C).
.eliver Service
and Support
-=ercise test and
revie# the 9C).
.eliver Service
and Support
-=ercise test and
revie# the 9C).
.eliver Service
and Support
-=ercise test and
revie# the 9C).
.eliver Service
and Support
<evie# maintain and
improve the continuity
plan.
100 of (01
Process
ID
/anagement .SS00 /anage Continuity .SS00.0?
.eliver Service
and Support
<evie# maintain and
plan.
.eliver Service
and Support
<evie# maintain and
plan.
.eliver Service
and Support
<evie# maintain and
plan.
.eliver Service
and Support
Conduct continuity
plan training.
.eliver Service
and Support
Conduct continuity
plan training.
.eliver Service
and Support
Conduct continuity
plan training.
101 of (01
Process
ID
/anagement .SS00 /anage Continuity .SS00.0+
/anagement .SS00 /anage Continuity .SS00.0B
.eliver Service
and Support
/anage bac'up
arrangements.
.eliver Service
and Support
/anage bac'up
arrangements.
.eliver Service
and Support
/anage bac'up
arrangements.
.eliver Service
and Support
/anage bac'up
arrangements.
.eliver Service
and Support
/anage bac'up
arrangements.
.eliver Service
and Support
Conduct post8
resumption revie#.
.eliver Service
and Support
Conduct post8
resumption revie#.
102 of (01
Process
ID
.eliver Service
and Support
Conduct post8
resumption revie#.
.eliver Service
and Support
Conduct post8
resumption revie#.
.eliver Service
and Support
/anage Security
Services
)rotect against
mal#are.
.eliver Service
and Support
/anage Security
Services
)rotect against
mal#are.
.eliver Service
and Support
/anage Security
Services
)rotect against
mal#are.
.eliver Service
and Support
/anage Security
Services
)rotect against
mal#are.
.eliver Service
and Support
/anage Security
Services
)rotect against
mal#are.
.eliver Service
and Support
/anage Security
Services
)rotect against
mal#are.
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
connectivity security.
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
10( of (01
Process
ID
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
.eliver Service
and Support
/anage Security
Services
/anage net#or' and
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage endpoint
security.
.eliver Service
and Support
/anage Security
Services
/anage user identity
and logical access.
100 of (01
Process
ID
.eliver Service
and Support
/anage Security
Services
and logical access.
.eliver Service
and Support
/anage Security
Services
and logical access.
.eliver Service
and Support
/anage Security
Services
and logical access.
.eliver Service
and Support
/anage Security
Services
and logical access.
.eliver Service
and Support
/anage Security
Services
and logical access.
.eliver Service
and Support
/anage Security
Services
and logical access.
.eliver Service
and Support
/anage Security
Services
and logical access.
.eliver Service
and Support
/anage Security
Services
/anage physical
access to I5 assets.
101 of (01
Process
ID
.eliver Service
and Support
/anage Security
Services
/anage physical
.eliver Service
and Support
/anage Security
Services
/anage physical
.eliver Service
and Support
/anage Security
Services
/anage physical
.eliver Service
and Support
/anage Security
Services
/anage physical
.eliver Service
and Support
/anage Security
Services
/anage physical
.eliver Service
and Support
/anage Security
Services
/anage physical
.eliver Service
and Support
/anage Security
Services
/anage sensitive
documents and output
devices.
.eliver Service
and Support
/anage Security
Services
/anage sensitive
devices.
.eliver Service
and Support
/anage Security
Services
/anage sensitive
devices.
.eliver Service
and Support
/anage Security
Services
/anage sensitive
devices.
10? of (01
Process
ID
/anagement .SS0? .SS0?.01
.eliver Service
and Support
/anage Security
Services
/anage sensitive
devices.
.eliver Service
and Support
/anage Security
Services
/onitor the
infrastructure for
security8related
events.
.eliver Service
and Support
/anage Security
Services
/onitor the
infrastructure for
security8related
events.
.eliver Service
and Support
/anage Security
Services
/onitor the
infrastructure for
security8related
events.
.eliver Service
and Support
/anage Security
Services
/onitor the
infrastructure for
security8related
events.
.eliver Service
and Support
/anage Security
Services
/onitor the
infrastructure for
security8related
events.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
Align control activities
embedded in business
processes #ith
enterprise ob7ectives.
10+ of (01
Process
ID
.eliver Service
and Support
/anage 9usiness
)rocess Controls
processes #ith
.eliver Service
and Support
/anage 9usiness
)rocess Controls
processes #ith
.eliver Service
and Support
/anage 9usiness
)rocess Controls
processes #ith
.eliver Service
and Support
/anage 9usiness
)rocess Controls
processes #ith
.eliver Service
and Support
/anage 9usiness
)rocess Controls
Control the processing
of information.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
of information.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
of information.
10B of (01
Process
ID
/anagement .SS0? .SS0?.0(
.eliver Service
and Support
/anage 9usiness
)rocess Controls
of information.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
of information.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
of information.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
of information.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
of information.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage roles
responsibilities
access privileges and
levels of authority.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage roles
responsibilities
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage roles
responsibilities
10C of (01
Process
ID
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage roles
responsibilities
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage roles
responsibilities
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage roles
responsibilities
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage errors and
e=ceptions.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage errors and
e=ceptions.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage errors and
e=ceptions.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage errors and
e=ceptions.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
/anage errors and
e=ceptions.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
-nsure traceability of
information events
and accountabilities.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
information events
110 of (01
Process
ID
/anagement .SS0? .SS0?.0?
/anagement /-A01 /-A01.01
.eliver Service
and Support
/anage 9usiness
)rocess Controls
information events
.eliver Service
and Support
/anage 9usiness
)rocess Controls
Secure information
assets.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
Secure information
assets.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
Secure information
assets.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
Secure information
assets.
.eliver Service
and Support
/anage 9usiness
)rocess Controls
Secure information
assets.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
-stablish a monitoring
approach.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
approach.
111 of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
approach.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
approach.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
approach.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
approach.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
approach.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Set performance and
conformance targets.
112 of (01
Process
ID
/anagement /-A01 /-A01.0(
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Set performance and
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Set performance and
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Set performance and
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Collect and process
performance and
conformance data.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Collect and process
performance and
conformance data.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Collect and process
performance and
conformance data.
11( of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Collect and process
performance and
conformance data.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Collect and process
performance and
conformance data.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Analyse and report
performance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Analyse and report
performance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Analyse and report
performance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Analyse and report
performance.
110 of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Analyse and report
performance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
Analyse and report
performance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
-nsure the
implementation of
corrective actions.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
-nsure the
implementation of
corrective actions.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
-nsure the
implementation of
corrective actions.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
)erformance and
Conformance
-nsure the
implementation of
corrective actions.
111 of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
/onitor internal
controls.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
/onitor internal
controls.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
/onitor internal
controls.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
/onitor internal
controls.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
/onitor internal
controls.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
/onitor internal
controls.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
/onitor internal
controls.
11? of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
<evie# business
process controls
e6ectiveness.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
<evie# business
process controls
e6ectiveness.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
<evie# business
process controls
e6ectiveness.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
<evie# business
process controls
e6ectiveness.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
<evie# business
process controls
e6ectiveness.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
)erform control self8
assessments.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
assessments.
11+ of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
assessments.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
assessments.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
assessments.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
assessments.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
assessments.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Identify and report
control de!ciencies.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Identify and report
11B of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Identify and report
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Identify and report
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Identify and report
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Identify and report
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-nsure that assurance
providers are
independent and
4uali!ed.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
providers are
independent and
4uali!ed.
11C of (01
Process
ID
/anagement /-A02 /-A02.0?
/anagement /-A02 /-A02.0+
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
providers are
independent and
4uali!ed.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
)lan assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
)lan assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
)lan assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Scope assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Scope assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Scope assurance
initiatives.
1?0 of (01
Process
ID
/anagement /-A02 /-A02.0B
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Scope assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
Scope assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
1?1 of (01
Process
ID
/anagement /-A0( /-A0(.01
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess the
System of Internal
Control
-=ecute assurance
initiatives.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Identify e=ternal
compliance
re4uirements.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Identify e=ternal
compliance
re4uirements.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Identify e=ternal
compliance
re4uirements.
1?2 of (01
Process
ID
/anagement /-A0( /-A0(.0(
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Identify e=ternal
compliance
re4uirements.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Identify e=ternal
compliance
re4uirements.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Identify e=ternal
compliance
re4uirements.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2ptimise response to
e=ternal re4uirements.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2ptimise response to
e=ternal re4uirements.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Con!rm e=ternal
compliance.
1?( of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Con!rm e=ternal
compliance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Con!rm e=ternal
compliance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
Con!rm e=ternal
compliance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2btain assurance of
e=ternal compliance.
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2btain assurance of
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2btain assurance of
1?0 of (01
Process
ID
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2btain assurance of
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2btain assurance of
/onitor -valuate
and Assess
/onitor -valuate
and Assess
Compliance #ith
-=ternal
<e4uirements
2btain assurance of
1?1 of (01
Listed below are the activities associated with each of the governance and management practices in COBIT 5.
Activit%
COBIT 5: Enabling Processes.
1. Analyse and identify the internal and e=ternal environmental
factors "legal regulatory and contractual obligations$ and
trends in the business environment that may inAuence
governance design.
2. .etermine the signi!cance of I5 and its role #ith respect to
the business.
(. Consider e=ternal regulations la#s and contractual
obligations and determine ho# they should be applied #ithin
the governance of enterprise I5.
0. Align the ethical use and processing of information and its
impact on society natural environment and internal and
e=ternal sta'eholder interests #ith the enterprise&s direction
goals and ob7ectives.
1. .etermine the implications of the overall enterprise control
environment #ith regard to I5.
?. Articulate principles that #ill guide the design of governance
and decision ma'ing of I5.
1?? of (01
Activit%
+. %nderstand the enterprise&s decision8ma'ing culture and
determine the optimal decision8ma'ing model for I5.
B. .etermine the appropriate levels of authority delegation
including threshold rules for I5 decisions.
1. Communicate governance of I5 principles and agree #ith
e=ecutive management on the #ay to establish informed and
committed leadership.
2. -stablish or delegate the establishment of governance
structures processes and practices in line #ith agreed8on
design principles.
(. Allocate responsibility authority and accountability in line
#ith agreed8on governance design principles decision8ma'ing
models and delegation.
0. -nsure that communication and reporting mechanisms
provide those responsible for oversight and decision8ma'ing
#ith appropriate information.
1. .irect that sta6 follo# relevant guidelines for ethical and
professional behaviour and ensure that conse4uences of non8
compliance are 'no#n and enforced.
?. .irect the establishment of a re#ard system to promote
desirable cultural change.
1?+ of (01
Activit%
1. Assess the e6ectiveness and performance of those
sta'eholders given delegated responsibility and authority for
governance of enterprise I5.
2. )eriodically assess #hether agreed8on governance of I5
mechanisms "structures principles processes etc.$ are
established and operating e6ectively.
(. Assess the e6ectiveness of the governance design and
identify actions to rectify any deviations found.
0. /aintain oversight of the e=tent to #hich I5 satis!es
obligations "regulatory legislation common la# contractual$
internal policies standards and professional guidelines.
1. )rovide oversight of the e6ectiveness of and compliance
#ith the enterprise&s system of control.
?. /onitor regular and routine mechanisms for ensuring that
the use of I5 complies #ith relevant obligations "regulatory
legislation common la# contractual$ standards and
guidelines.
1. %nderstand sta'eholder re4uirements: strategic I5 issues
such as dependence on I5: and technology insights and
capabilities regarding the actual and potential signi!cance of I5
for the enterprise&s strategy.
2. %nderstand the 'ey elements of governance re4uired for the
reliable secure and cost8e6ective delivery of optimal value
from the use of e=isting and ne# I5 services assets and
resources.
1?B of (01
Activit%
(. %nderstand and regularly discuss the opportunities that
could arise from enterprise change enabled by current ne# or
emerging technologies and optimise the value created from
those opportunities.
0. %nderstand #hat constitutes value for the enterprise and
consider ho# #ell it is communicated understood and applied
throughout the enterprise&s processes.
1. -valuate ho# e6ectively the enterprise and I5 strategies
have been integrated and aligned #ithin the enterprise and
#ith enterprise goals for delivering value.
?. %nderstand and consider ho# e6ective current roles
responsibilities accountabilities and decision8ma'ing bodies
are in ensuring value creation from I58enabled investments
services and assets.
+. Consider ho# #ell the management of I58enabled
investments services and assets aligns #ith enterprise value
management and !nancial management practices.
B. -valuate the portfolio of investments services and assets
for alignment #ith the enterprise&s strategic ob7ectives:
enterprise #orth both !nancial and non8!nancial: ris' both
delivery ris' and bene!ts ris': business process alignment:
e6ectiveness in terms of usability availability and
responsiveness: and e;ciency in terms of cost redundancy
and technical health.
1. .e!ne and communicate portfolio and investment types
categories criteria and relative #eightings to the criteria to
allo# for overall relative value scores.
2. .e!ne re4uirements for stage8gates and other revie#s for
signi!cance of the investment to the enterprise and associated
ris' programme schedules funding plans and the delivery of
'ey capabilities and bene!ts and ongoing contribution to value.
1?C of (01
Activit%
(. .irect management to consider potential innovative uses of
I5 that enable the enterprise to respond to ne# opportunities
or challenges underta'e ne# business increase
competitiveness or improve processes.
0. .irect any re4uired changes in assignment of
accountabilities and responsibilities for e=ecuting the
investment portfolio and delivering value from business
processes and services.
1. .e!ne and communicate enterprise8level value delivery
goals and outcome measures to enable e6ective monitoring.
?. .irect any re4uired changes to the portfolio of investments
and services to realign #ith current and e=pected enterprise
ob7ectives andGor constraints.
+. <ecommend consideration of potential innovations
organisational changes or operational improvements that could
drive increased value for the enterprise from I58enabled
initiatives.
1. .e!ne a balanced set of performance ob7ectives metrics
targets and benchmar's. /etrics should cover activity and
outcome measures including lead and lag indicators for
outcomes as #ell as an appropriate balance of !nancial and
non8!nancial measures. <evie# and agree on them #ith the I5
and other business functions and other relevant sta'eholders.
2. Collect relevant timely complete credible and accurate
data to report on progress in delivering value against targets.
2btain a succinct high8level all8around vie# of portfolio
programme and I5 "technical and operational capabilities$
performance that supports decision ma'ing and ensure that
e=pected results are being achieved.
1+0 of (01
Activit%
(. 2btain regular and relevant portfolio programme and I5
"technological and functional$ performance reports. <evie# the
enterprise&s progress to#ards identi!ed goals and the e=tent to
#hich planned ob7ectives have been achieved deliverables
obtained performance targets met and ris' mitigated.
0. %pon revie# of reports ta'e appropriate management
action as re4uired to ensure that value is optimised.
1. %pon revie# of reports ensure that appropriate
management corrective action is initiated and controlled.
1. .etermine the level of I58related ris' that the enterprise is
#illing to ta'e to meet its ob7ectives "ris' appetite$.
2. -valuate and approve proposed I5 ris' tolerance thresholds
against the enterprise&s acceptable ris' and opportunity levels.
(. .etermine the e=tent of alignment of the I5 ris' strategy to
enterprise ris' strategy.
0. )roactively evaluate I5 ris' factors in advance of pending
strategic enterprise decisions and ensure that ris'8a#are
enterprise decisions are made.
1. .etermine that I5 use is sub7ect to appropriate ris'
assessment and evaluation as described in relevant
international and national standards.
?. -valuate ris' management activities to ensure alignment
#ith the enterprise&s capacity for I58related loss and
leadership&s tolerance of it.
1. )romote an I5 ris'8a#are culture and empo#er the
enterprise to proactively identify I5 ris' opportunity and
potential business impacts.
2. .irect the integration of the I5 ris' strategy and operations
#ith the enterprise strategic ris' decisions and operations.
(. .irect the development of ris' communication plans
"covering all levels of the enterprise$ as #ell as ris' action
plans.
1+1 of (01
Activit%
0. .irect implementation of the appropriate mechanisms to
respond 4uic'ly to changing ris' and report immediately to
appropriate levels of management supported by agreed8on
principles of escalation "#hat to report #hen #here and ho#$.
1. .irect that ris' opportunities issues and concerns may be
identi!ed and reported by anyone at any time. <is' should be
managed in accordance #ith published policies and procedures
and escalated to the relevant decision ma'ers.
?. Identify 'ey goals and metrics of ris' governance and
management processes to be monitored and approve the
approaches methods techni4ues and processes for capturing
and reporting the measurement information.
1. /onitor the e=tent to #hich the ris' pro!le is managed
#ithin the ris' appetite thresholds.
2. /onitor 'ey goals and metrics of ris' governance and
management processes against targets analyse the cause of
any deviations and initiate remedial actions to address the
underlying causes.
(. -nable 'ey sta'eholders& revie# of the enterprise&s progress
to#ards identi!ed goals.
0. <eport any ris' management issues to the board or
e=ecutive committee.
1. -=amine and ma'e 7udgement on the current and future
strategy options for providing I5 resources and developing
capabilities to meet current needs and future needs "including
sourcing options$.
2. .e!ne the principles for guiding the allocation and
management of resources and capabilities so that I5 can meet
the needs of the enterprise #ith the re4uired capability and
capacity according to the agreed8on priorities and budgetary
constraints.
(. <evie# and approve the resource plan and enterprise
architecture strategies for delivering value and mitigating ris'
#ith the allocated resources.
0. %nderstand re4uirements for aligning resource management
#ith enterprise !nancial and human resources "E<$ planning.
1+2 of (01
Activit%
2. Assign responsibilities for e=ecuting resource management.
0. -stablish principles related to safeguarding resources.
1. .e!ne principles for the management and control of the
enterprise architecture.
1. Communicate and drive the adoption of the resource
management strategies principles and agreed8on resource
plan and enterprise architecture strategies.
(. .e!ne 'ey goals measures and metrics for resource
management.
1. Align resource management #ith enterprise !nancial and E<
planning.
1. /onitor the allocation and optimisation of resources in
accordance #ith enterprise ob7ectives and priorities using
agreed8on goals and metrics.
2. /onitor I5 sourcing strategies enterprise architecture
strategies I5 resources and capabilities to ensure that current
and future needs of the enterprise can be met.
(. /onitor resource performance against targets analyse the
cause of deviations and initiate remedial action to address the
underlying causes.
1. -=amine and ma'e a 7udgement on the current and future
mandatory reporting re4uirements relating to the use of I5
#ithin the enterprise "regulation legislation common la#
contractual$ including e=tent and fre4uency.
2. -=amine and ma'e a 7udgement on the current and future
reporting re4uirements for other sta'eholders relating to the
use of I5 #ithin the enterprise including e=tent and conditions.
(. /aintain principles for communication #ith e=ternal and
internal sta'eholders including communication formats and
communication channels and for sta'eholder acceptance and
sign8o6 of reporting.
1. .irect the establishment of the communication strategy for
e=ternal and internal sta'eholders.
1+( of (01
Activit%
0. -stablish reporting escalation mechanisms.
2. .irect the implementation of mechanisms to ensure that
information meets all criteria for mandatory I5 reporting
re4uirements for the enterprise.
(. -stablish mechanisms for validation and approval of
mandatory reporting.
1. )eriodically assess the e6ectiveness of the mechanisms for
ensuring the accuracy and reliability of mandatory reporting.
2. )eriodically assess the e6ectiveness of the mechanisms for
and outcomes from communication #ith e=ternal and internal
sta'eholders.
(. .etermine #hether the re4uirements of di6erent
sta'eholders are met.
1. .e!ne the scope internal and e=ternal functions internal
and e=ternal roles and capabilities and decision rights
re4uired including those I5 activities performed by third
parties.
2. Identify decisions re4uired for the achievement of enterprise
outcomes and the I5 strategy and for the management and
e=ecution of I5 services.
(. -stablish the involvement of sta'eholders #ho are critical to
decision ma'ing "accountable responsible consulted or
informed$.
0. Align the I58related organisation #ith enterprise architecture
organisational models.
1. .e!ne the focus roles and responsibilities of each function
#ithin the I58related organisational structure.
?. .e!ne the management structures and relationships to
support the functions and roles of management and e=ecution
in alignment #ith the governance direction set.
1+0 of (01
Activit%
+. -stablish an I5 strategy committee "or e4uivalent$ at the
board level. 5his committee should ensure that governance of
I5 as part of enterprise governance is ade4uately addressed:
advise on strategic direction: and revie# ma7or investments on
behalf of the full board.
B. -stablish an I5 steering committee "or e4uivalent$ composed
of e=ecutive business and I5 management to determine
prioritisation of I58enabled investment programmes in line #ith
the enterprise&s business strategy and priorities: trac' status of
pro7ects and resolve resource conAicts: and monitor service
levels and service improvements.
C. )rovide guidelines for each management structure
"including mandate ob7ectives meeting attendees timing
trac'ing supervision and oversight$ as #ell as re4uired inputs
for and e=pected outcomes of meetings.
10. .e!ne ground rules for communication by identifying
communication needs and implementing plans based on those
needs considering top8do#n bottom8up and horiJontal
communication.
11. -stablish and maintain an optimal co8ordination
communication and liaison structure bet#een the business and
I5 functions #ithin the enterprise and #ith entities outside the
enterprise.
12. <egularly verify the ade4uacy and e6ectiveness of the
organisational structure.
1. -stablish agree on and communicate I58related roles and
responsibilities for all personnel in the enterprise in alignment
#ith business needs and ob7ectives. Clearly delineate
responsibilities and accountabilities especially for decision
ma'ing and approvals.
2. Consider re4uirements from enterprise and I5 service
continuity #hen de!ning roles including sta6 bac'8up and
cross8training re4uirements.
1+1 of (01
Activit%
(. .erive and integrate I5 principles #ith business principles.
(. )rovide input to the I5 service continuity process by
maintaining up8to8date contact information and role
descriptions in the enterprise.
0. Include in role and responsibility descriptions adherence to
management policies and procedures the code of ethics and
professional practices.
1. Implement ade4uate supervisory practices to ensure that
roles and responsibilities are properly e=ercised to assess
#hether all personnel have su;cient authority and resources
to e=ecute their roles and responsibilities and to generally
revie# performance. 5he level of supervision should be in line
#ith the sensitivity of the position and e=tent of responsibilities
assigned.
?. -nsure that accountability is de!ned through roles and
responsibilities.
+. Structure roles and responsibilities to reduce the possibility
for a single role to compromise a critical process.
1. 2btain an understanding of the enterprise vision direction
and strategy.
2. Consider the enterprise&s internal environment including
management culture and philosophy ris' tolerance security
ethical values code of conduct accountability and
re4uirements for management integrity.
0. Align the I5 control environment #ith the overall I5 policy
environment I5 governance and I5 process frame#or's and
e=isting enterprise8level ris' and control frame#or's. Assess
industry8speci!c good practices or re4uirements "e.g. industry8
speci!c regulations$ and integrate them #here appropriate.
1+? of (01
Activit%
1. Align #ith any applicable national and international
governance and management standards and codes of practice
and evaluate available good practices such as C2S2&s Internal
ControlIntegrated Framework and C2S2&s Enterprise Risk
ManagementIntegrated Framework.
?. Create a set of policies to drive the I5 control e=pectations
on relevant 'ey topics such as 4uality security con!dentiality
internal controls usage of I5 assets ethics and intellectual
property rights.
+. -valuate and update the policies at least yearly to
accommodate changing operating or business environments.
B. <oll out and enforce I5 policies to all relevant sta6 so they
are built into and are an integral part of enterprise operations.
C. -nsure that procedures are in place to trac' compliance #ith
policies and de!ne the conse4uences of non8compliance.
1. Continuously communicate I5 ob7ectives and direction.
-nsure that communications are supported by e=ecutive
management in action and #ords using all available channels.
2. -nsure that the information communicated encompasses a
clearly articulated mission service ob7ectives security internal
controls 4uality code of ethicsGconduct policies and
procedures roles and responsibilities etc. Communicate the
information at the appropriate level of detail for the respective
audiences #ithin the enterprise.
(. )rovide su;cient and s'illed resources to support the
communication process.
1++ of (01
Activit%
(. .e!ne placement of the I5 function and obtain agreement.
1. %nderstand the conte=t for the placement of the I5 function
including an assessment of the enterprise strategy and
operating model "centralised federated decentralised
hybrid$ importance of I5 and sourcing situation and options.
2. Identify evaluate and prioritise options for organisational
placement sourcing and operating models.
1. )rovide policies and guidelines to ensure appropriate and
consistent enterprise#ide classi!cation of information "data$.
2. .e!ne maintain and provide appropriate tools techni4ues
and guidelines to provide e6ective security and controls over
information and information systems in collaboration #ith the
o#ner.
(. Create and maintain an inventory of information "systems
and data$ that includes a listing of o#ners custodians and
classi!cations. Include systems that are outsourced and those
for #hich o#nership should stay #ithin the enterprise.
0. .e!ne and implement procedures to ensure the integrity
and consistency of all information stored in electronic form
such as databases data #arehouses and data archives.
1. Identify business8critical processes based on performance
and conformance drivers and related ris'. Assess process
capability and identify improvement targets. Analyse gaps in
process capability and control. Identify options for
improvement and redesign of the process. )rioritise initiatives
for process improvement based on potential bene!ts and
costs.
1+B of (01
Activit%
0. Apply 4uality management practices to update the process.
1. <etire outdated processes process components or enablers.
1. 5rac' compliance #ith policies and procedures.
2. Implement agreed8on improvements operate as normal
business practice and set performance goals and metrics to
enable monitoring of process improvements.
(. Consider #ays to improve e;ciency and e6ectiveness "e.g.
through training documentation standardisation and
automation of the process$.
2. Analyse non8compliance and ta'e appropriate action "this
could include changing re4uirements$.
(. Integrate performance and compliance into individual sta6
members& performance ob7ectives.
0. <egularly assess the performance of the frame#or'&s
enablers and ta'e appropriate action.
1. Analyse trends in performance and compliance and ta'e
appropriate action.
1. .evelop and maintain an understanding of enterprise
strategy and ob7ectives as #ell as the current enterprise
operational environment and challenges.
1+C of (01
Activit%
1. Ascertain priorities for strategic change.
2. .evelop and maintain an understanding of the e=ternal
environment of the enterprise.
(. Identify 'ey sta'eholders and obtain insight on their
re4uirements.
0. Identify and analyse sources of change in the enterprise and
e=ternal environments.
?. %nderstand the current enterprise architecture and #or'
#ith the enterprise architecture process to determine any
potential architectural gaps.
1. .evelop a baseline of the current business and I5
environment capabilities and services against #hich future
re4uirements can be compared. Include the relevant high8level
detail of the current enterprise architecture "business
information data applications and technology domains$
business processes I5 processes and procedures the I5
organisation structure e=ternal service provision governance
of I5 and enterprise#ide I5 related s'ills and competencies.
2. Identify ris' from current potential and declining
technologies.
(. Identify gaps bet#een current business and I5 capabilities
and services and reference standards and best practices
competitor business and I5 capabilities and comparative
benchmar's of best practice and emerging I5 service provision.
0. Identify issues strengths opportunities and threats in the
current environment capabilities and services to understand
current performance. Identify areas for improvement in terms
of I5&s contribution to enterprise ob7ectives.
1B0 of (01
Activit%
1. Consider validated emerging technology or innovation ideas.
2. Identify threats from declining current and ne#ly ac4uired
technologies.
(. .e!ne high8level I5 ob7ectivesGgoals and ho# they #ill
contribute to the enterprise&s business ob7ectives.
0. .e!ne re4uired and desired business process and I5
capabilities and I5 services and describe the high8level
changes in the enterprise architecture "business information
data applications and technology domains$ business and I5
processes and procedures the I5 organisation structure I5
service providers governance of I5 and I5 s'ills and
competencies.
1. Align and agree #ith the enterprise architect on proposed
enterprise architecture changes.
?. .emonstrate traceability to the enterprise strategy and
re4uirements.
1. Identify all gaps and changes re4uired to realise the target
environment.
2. Consider the high8level implications of all gaps. Consider the
value of potential changes to business and I5 capabilities I5
services and enterprise architecture and the implications if no
changes are realised.
(. Assess the impact of potential changes on the business and
I5 operating models I5 research and development capabilities
and I5 investment programmes.
0. <e!ne the target environment de!nition and prepare a value
statement #ith the bene!ts of the target environment.
1. .e!ne the initiatives re4uired to close gaps and migrate
from the current to the target environment including
investmentGoperational budget funding sources sourcing
strategy and ac4uisition strategy.
2. Identify and ade4uately address ris' costs and implications
of organisational changes technology evolution regulatory
re4uirements business process re8engineering sta;ng
insourcing and outsourcing opportunities etc. in the planning
process.
1B1 of (01
Activit%
(. .etermine dependencies overlaps synergies and impacts
amongst initiatives and prioritise the initiatives.
0. Identify resource re4uirements schedule and
investmentGoperational budgets for each of the initiatives.
1. Create a road map indicating the relative scheduling and
interdependencies of the initiatives.
?. 5ranslate the ob7ectives into outcome measures represented
by metrics "#hat$ and targets "ho# much$ that can be related
to enterprise bene!ts.
+. 3ormally obtain support from sta'eholders and obtain
approval for the plan.
1. .evelop and maintain a net#or' for endorsing supporting
and driving the I5 strategy.
2. .evelop a communication plan covering the re4uired
messages target audiences communication
mechanismsGchannels and schedules.
(. )repare a communication pac'age that delivers the plan
e6ectively using available media and technologies.
0. 2btain feedbac' and update the communication plan and
delivery as re4uired.
1. Identify the 'ey sta'eholders and their concernsGob7ectives
and de!ne the 'ey enterprise re4uirements to be addressed as
#ell as the architecture vie#s to be developed to satisfy the
various sta'eholder re4uirements.
2. Identify the enterprise goals and strategic drivers of the
enterprise and de!ne the constraints that must be dealt #ith
including enterprise#ide constraints and pro7ect8speci!c
constraints "time schedule resources etc.$.
(. Align architecture ob7ectives #ith strategic programme
priorities.
1B2 of (01
Activit%
1. Assess the enterprise&s readiness for change.
0. %nderstand the capabilities and desires of the business
then identify options to realise those capabilities.
?. .e!ne #hat is inside and #hat is outside the scope of the
baseline architecture and target architecture e6orts
understanding that the baseline and target need not be
described at the same level of detail.
+. Con!rm and elaborate architecture principles including
enterprise principles. -nsure that any e=isting de!nitions are
current and clarify any areas of ambiguity.
B. %nderstand the current enterprise strategic goals and
ob7ectives and #or' #ith the strategic planning process to
ensure that I58related enterprise architecture opportunities are
leveraged in the development of the strategic plan.
C. 9ased on sta'eholder concerns business capability
re4uirements scope constraints and principles create the
architecture vision* a high8level vie# of the baseline and target
architectures.
10. .e!ne the target architecture value propositions goals and
metrics.
11. Identify the enterprise change ris' associated #ith the
architecture vision assess the initial level of ris' "e.g. critical
marginal or negligible$ and develop a mitigation strategy for
each signi!cant ris'.
12. .evelop an enterprise architecture concept business case
outline plans and statement of architecture #or' and secure
approval to initiate a pro7ect aligned and integrated #ith the
enterprise strategy.
1B( of (01
Activit%
1. /aintain an architecture repository containing standards
reusable components modelling artefacts relationships
dependencies and vie#s to enable uniformity of architectural
organisation and maintenance.
2. Select reference vie#points from the architecture repository
that #ill enable the architect to demonstrate ho# sta'eholder
concerns are being addressed in the architecture.
(. 3or each vie#point select the models needed to support the
speci!c vie# re4uired using selected tools or methods and the
appropriate level of decomposition.
0. .evelop baseline architectural domain descriptions using
the scope and level of detail necessary to support the target
architecture and to the e=tent possible identifying relevant
architecture building bloc's from the architecture repository.
1. /aintain a process architecture model as part of the
baseline and target domain descriptions. Standardise the
descriptions and documentation of processes. .e!ne the roles
and responsibilities of the process decision ma'ers process
o#ner process users process team and any other process
sta'eholders #ho should be involved.
?. /aintain an information architecture model as part of the
baseline and target domain descriptions consistent #ith the
enterprise&s strategy to enable optimal use of information for
decision ma'ing. /aintain an enterprise data dictionary that
promotes a common understanding and a classi!cation
scheme that includes details about data o#nership de!nition
of appropriate security levels and data retention and
destruction re4uirements.
1B0 of (01
Activit%
+. Herify the architecture models for internal consistency and
accuracy and perform a gap analysis bet#een the baseline and
target. )rioritise gaps and de!ne ne# or modi!ed components
that must be developed for the target architecture. <esolve
potential impacts such as incompatibilities inconsistencies or
conAicts #ithin the envisioned architecture.
B. Conduct a formal sta'eholder revie# by chec'ing the
proposed architecture against the original motivation for the
architecture pro7ect and the statement of architecture #or'.
C. 3inalise business information data applications and
technology domain architectures and create an architecture
de!nition document.
1. .etermine and con!rm 'ey enterprise change attributes
including the enterprise&s culture and ho# this #ill impact
enterprise architecture implementation as #ell as the
enterprise&s transition capabilities.
2. Identify any enterprise drivers that #ould constrain the
se4uence of implementation including a revie# of the
enterprise and line of business strategic and business plans
and consideration of the current enterprise architecture
maturity.
(. <evie# and consolidate the gap analysis results bet#een the
baseline and target architectures and assess their implications
#ith respect to potential solutionsGopportunities
interdependencies and alignment #ith current I58enabled
programmes.
0. Assess the re4uirements gaps solutions and factors to
identify a minimal set of functional re4uirements #hose
integration into #or' pac'ages #ould lead to a more e;cient
and e6ective implementation of the target architecture.
1. <econcile the consolidated re4uirements #ith potential
solutions.
1B1 of (01
Activit%
?. <e!ne the initial dependencies ensuring that any
constraints on the implementation and migration plans are
identi!ed and consolidate them into a dependency analysis
report.
+. Con!rm the enterprise&s readiness for and the ris'
associated #ith enterprise transformation.
B. 3ormulate a high8level implementation and migration
strategy that #ill guide the target architecture implementation
and structure the transition architectures in alignment #ith
enterprise strategic ob7ectives and time scales.
C. Identify and group ma7or #or' pac'ages into a coherent set
of programmes and pro7ects respecting the enterprise
strategic implementation direction and approach.
10. .evelop a series of transition architectures as necessary
#here the scope of change re4uired to realise the target
architecture re4uires an incremental approach.
1. -stablish #hat the implementation and migration plan
should include as part of programme and pro7ect planning and
ensure that it is aligned #ith the re4uirements of applicable
decision ma'ers.
2. Con!rm transition architecture increments and phases and
update the architecture de!nition document.
(. .e!ne architecture implementation governance
re4uirements.
1. Con!rm scope and priorities and provide guidance for
solution development and deployment.
2. /anage the portfolio of enterprise architecture services to
ensure alignment #ith strategic ob7ectives and solution
development.
(. /anage enterprise architecture re4uirements and support
#ith architectural principles models and building bloc's.
1B? of (01
Activit%
0. Identify and align enterprise architecture priorities to value
drivers. .e!ne and collect value metrics and measure and
communicate enterprise architecture value.
1. -stablish a technology forum to provide architectural
guidelines advice on pro7ects and guidance on the selection of
technology. /easure compliance #ith these standards and
guidelines including compliance #ith e=ternal re4uirements
and their business relevance.
1. Create an innovation plan that includes ris' appetite the
envisioned budget to spend on innovation initiatives and
innovation ob7ectives.
2. )rovide infrastructure that can be an enabler for innovation
such as collaboration tools for enhancing #or' bet#een
geographic locations and divisions.
(. Create an environment that is conducive to innovation by
maintaining relevant E< initiatives such as innovation
recognition and re#ard programmes appropriate 7ob rotation
and discretionary time for e=perimentation.
0. /aintain a programme enabling sta6 to submit innovation
ideas and create an appropriate decision8ma'ing structure to
assess and ta'e these ideas for#ard.
1. -ncourage innovation ideas from customers suppliers and
business partners.
1. /aintain an understanding of the business drivers
enterprise strategy industry drivers enterprise operations and
other issues so that the potential value8add of technologies or
I5 innovation can be identi!ed.
1B+ of (01
Activit%
2. Conduct regular meetings #ith business units divisions
andGor other sta'eholder entities to understand current
business problems process bottlenec's or other constraints
#here emerging technologies or I5 innovation can create
opportunities.
(. %nderstand enterprise investment parameters for innovation
and ne# technologies so appropriate strategies are developed.
1. %nderstand the enterprise&s interest and potential for
adopting ne# technology innovations and focus a#areness
e6orts on the most opportunistic technology innovations.
2. )erform research and scanning of the e=ternal environment
including appropriate #eb sites 7ournals and conferences to
identify emerging technologies.
(. Consult #ith third8party e=perts #here needed to con!rm
research !ndings or as a source of information on emerging
technologies.
0. Capture sta6 members& I5 innovation ideas and analyse
them for potential implementation.
1. -valuate identi!ed technologies considering aspects such
as time to reach maturity inherent ris' of ne# technologies
"including potential legal implications$ !t #ith the enterprise
architecture and potential to provide additional value.
2. Identify any issues that may need to be resolved or proven
through a proof8of8concept initiative.
(. Scope the proof8of8concept initiative including desired
outcomes re4uired budget time frames and responsibilities.
1BB of (01
Activit%
0. 2btain approval for the proof8of8concept initiative.
2. Capture lessons learned and opportunities for improvement.
(. Ad7ust the innovation plan if re4uired.
1. Conduct proof8of8concept initiatives to test emerging
technologies or other innovation ideas identify any issues and
determine #hether further implementation or roll8out should
be considered based on feasibility and potential <2I.
1. .ocument proof8of8concept results including guidance and
recommendations for trends and innovation programmes.
2. Communicate viable innovation opportunities into the I5
strategy and enterprise architecture processes.
(. 3ollo# up on proof8of8concept initiatives to measure the
degree to #hich they have been leveraged in actual
investment.
0. Analyse and communicate reasons for re7ected proof8of8
concept initiatives.
1. Assess the implementation of the ne# technologies or I5
innovations adopted as part of I5 strategy and enterprise
architecture developments and their realisation during
programme management of initiatives.
0. Identify and evaluate the potential value to be realised from
the use of innovation.
1BC of (01
Activit%
1. Halidate that I58enabled investments and current I5 services
are aligned #ith enterprise vision enterprise principles
strategic goals and ob7ectives enterprise architecture vision
and priorities.
2. 2btain a common understanding bet#een I5 and the other
business functions on the potential opportunities for I5 to drive
and support the enterprise strategy.
(. Create an investment mi= that achieves the right balance
amongst a number of dimensions including an appropriate
balance of short8 and long8term returns !nancial and non8
!nancial bene!ts and high8 and lo#8ris' investments.
0. Identify the broad categories of information systems
applications data I5 services infrastructure I5 assets
resources s'ills practices controls and relationships needed
to support the enterprise strategy.
1. Agree on an I5 strategy and goals ta'ing into account the
inter8relationships bet#een the enterprise strategy and the I5
services assets and other resources. Identify and leverage
synergies that can be achieved.
1. %nderstand the current availability and commitment of
funds the current approved spending and the actual amount
spent to date.
2. Identify options for obtaining additional funds for I58enabled
investments internally and from e=ternal sources.
(. .etermine the implications of the funding source on the
investment return e=pectations.
1. <ecognise investment opportunities and classify them in line
#ith the investment portfolio categories. Specify e=pected
enterprise outcome"s$ all initiatives re4uired to achieve the
e=pected outcomes costs dependencies and ris' and ho# all
#ould be measured.
1C0 of (01
Activit%
2. )erform detailed assessments of all programme business
cases evaluating strategic alignment enterprise bene!ts ris'
and availability of resources.
(. Assess the impact on the overall investment portfolio of
adding candidate programmes including any changes that
might be re4uired to other programmes.
0. .ecide #hich candidate programmes should be moved to
the active investment portfolio. .ecide #hether re7ected
programmes should be held for future consideration or
provided #ith some seed funding to determine #hether the
business case can be improved or discarded.
1. .etermine the re4uired milestones for each selected
programme&s full economic life cycle. Allocate and reserve total
programme funding per milestone. /ove the programme into
the active investment portfolio.
?. -stablish procedures to communicate the cost bene!t and
ris'8related aspects of these portfolios to the budget
prioritisation cost management and bene!t management
processes.
1. <evie# the portfolio on a regular basis to identify and e=ploit
synergies eliminate duplication bet#een programmes and
identify and mitigate ris'.
2. Ihen changes occur re8evaluate and reprioritise the
portfolio to ensure that the portfolio is aligned #ith the
business strategy and the target mi= of investments is
maintained so the portfolio is optimising overall value. 5his
may re4uire programmes to be changed deferred or retired
and ne# programmes to be initiated.
1C1 of (01
Activit%
(. Ad7ust the enterprise targets forecasts budgets and if
re4uired the degree of monitoring to reAect the e=penditures
to be incurred and enterprise bene!ts to be realised by
programmes in the active investment portfolio. Incorporate
programme e=penditures into chargebac' mechanisms.
0. )rovide an accurate vie# of the performance of the
investment portfolio to all sta'eholders.
1. )rovide management reports for senior management&s
revie# of the enterprise&s progress to#ards identi!ed goals
stating #hat still needs to be spent and accomplished over
#hat time frames.
?. Include in the regular performance monitoring information
on the e=tent to #hich planned ob7ectives have been achieved
ris' mitigated capabilities created deliverables obtained and
performance targets met.
+. Identify deviations for*
K 9udget control bet#een actual and budget
K 9ene!t management of*
L Actual vs. targets for investments for solutions possibly
e=pressed in terms of <2I N)H or internal rate of return "I<<$
L 5he actual trend of service portfolio cost for service delivery
productivity improvements
B. .evelop metrics for measuring I5&s contribution to the
enterprise and establish appropriate performance targets
reAecting the re4uired I5 and enterprise capability targets. %se
guidance from e=ternal e=perts and benchmar' data to
develop metrics.
1C2 of (01
Activit%
1. Create and maintain portfolios of I58enabled investment
programmes I5 services and I5 assets #hich form the basis for
the current I5 budget and support the I5 tactical and strategic
plans.
2. Ior' #ith service delivery managers to maintain the service
portfolios and #ith operations managers and architects to
maintain the asset portfolios. )rioritise portfolios to support
investment decisions.
(. <emove the programme from the active investment portfolio
#hen the desired enterprise bene!ts have been achieved or
#hen it is clear that bene!ts #ill not be achieved #ithin the
value criteria set for the programme.
1. %se the agreed8on metrics and trac' ho# bene!ts are
achieved ho# they evolve throughout the life cycle of
programmes and pro7ects ho# they are being delivered from
I5 services and ho# they compare to internal and industry
benchmar's. Communicate results to sta'eholders.
2. Implement corrective action #hen achieved bene!ts
signi!cantly deviate from e=pected bene!ts. %pdate the
business case for ne# initiatives and implement business
process and service improvements as re4uired.
(. Consider obtaining guidance from e=ternal e=perts industry
leaders and comparative benchmar'ing data to test and
improve the metrics and targets.
1C( of (01
Activit%
1. .e!ne processes inputs and outputs and responsibilities in
alignment #ith the enterprise budgeting and cost accounting
policies and approach to systematically drive I5 budgeting and
costing: enable fair transparent repeatable and comparable
estimation of I5 costs and bene!ts for input to the portfolio of
I58enabled business programmes: and ensure that budgets and
costs are maintained in the I5 asset and services portfolios.
2. .e!ne a classi!cation scheme to identify all I58related cost
elements ho# they are allocated across budgets and services
and ho# they are captured.
(. %se !nancial and portfolio information to provide input to
business cases for ne# investments in I5 assets and services.
0. .e!ne ho# to analyse report "to #hom and ho#$ and use
the budget control and bene!t management processes.
1. -stablish and maintain practices for !nancial planning
investment management and decision ma'ing and the
optimisation of recurring operational costs to deliver ma=imum
value to the enterprise for the least e=penditure.
1. -stablish a decision8ma'ing body for prioritising business
and I5 resources including use of e=ternal service providers
#ithin the high8level budget allocations for I58enabled
programmes I5 services and I5 assets as established by the
strategic and tactical plans. Consider the options for buying or
developing capitalised assets and services vs. e=ternally
utilised assets and services on a pay8for8use basis.
1C0 of (01
Activit%
2. <an' all I5 initiatives based on business cases and strategic
and tactical plans and establish procedures to determine
budget allocations and cut8o6. -stablish a procedure to
communicate budget decisions and revie# them #ith the
business unit budget holders.
(. Identify communicate and resolve signi!cant impacts of
budget decisions on business cases portfolios and strategy
plans "e.g. #hen budgets may re4uire revision due to
changing enterprise circumstances #hen they are not
su;cient to support strategic ob7ectives or business case
ob7ectives$.
0. 2btain rati!cation from the e=ecutive committee for the
overall I5 budget changes that negatively impact the entity&s
strategic or tactical plans and o6er suggested actions to
resolve these impacts.
1. Implement a formal I5 budget including all e=pected I5
costs of I58enabled programmes I5 services and I5 assets as
directed by the strategy programmes and portfolios.
2. Ihen creating the budget consider the follo#ing
components*
K Alignment #ith the business
K Alignment #ith the sourcing strategy
K Authorised sources of funding
K Internal resource costs including personnel information
assets and accommodations
K 5hird8party costs including outsourcing contracts
consultants and service providers
K Capital and operational e=penses
K Cost elements that depend on the #or'load
(. .ocument the rationale to 7ustify contingencies and revie#
them regularly.
0. Instruct process service and programme o#ners as #ell as
pro7ect and asset managers to plan budgets.
1C1 of (01
Activit%
1. <evie# the budget plans and ma'e decisions about budget
allocations. Compile and ad7ust the budget based on changing
enterprise needs and !nancial considerations.
?. <ecord maintain and communicate the current I5 budget
including committed e=penditures and current e=penditures
considering I5 pro7ects recorded in the I58enabled investment
portfolios and operation and maintenance of asset and service
portfolios.
+. /onitor the e6ectiveness of the di6erent aspects of
budgeting and use the results to implement improvements to
ensure that future budgets are more accurate reliable and
cost8e6ective.
1. Categorise all I5 costs appropriately including those relating
to service providers according to the enterprise management
accounting frame#or'.
2. Inspect service de!nition catalogues to identify services
sub7ect to user chargebac' and those that are shared services.
(. .e!ne and agree on a model that*
K Supports the calculation of chargebac' rates per service
K .e!nes ho# I5 costs #ill be calculatedGcharged
K Is di6erentiated #here and #hen appropriate
K Is aligned #ith the I5 budget
0. .esign the cost model to be transparent enough to allo#
users to identify their actual usage and charges and to better
enable predictability of I5 costs and e;cient and e6ective
utilisation of I5 resources.
1. After revie# #ith user departments obtain approval and
communicate the I5 costing model inputs and outputs to the
management of user departments.
?. Communicate changes in the costGchargebac' model #ith
enterprise process o#ners.
1C? of (01
Activit%
1. -nsure proper authority and independence bet#een I5
budget holders and the individuals #ho capture analyse and
report !nancial information.
2. -stablish time scales for the operation of the cost
management process in line #ith budgeting and accounting
re4uirements.
(. .e!ne a method for the collection of relevant data to
identify deviations for*
K 9udget control bet#een actual and budget
K 9ene!t management of*
L Actual vs. targets for investments for solutions: possibly
e=pressed in terms of <2I N)H or I<<
L 5he actual trend of service cost for cost optimisation of
services "e.g. de!ned as cost per user$
L Actual vs. budget for responsiveness and predictability
improvements of solutions delivery
K Cost distribution bet#een direct and indirect "absorbed and
unabsorbed$ costs
0. .e!ne ho# costs are consolidated for the appropriate levels
in the enterprise and ho# they #ill be presented to the
sta'eholders. 5he reports provide information to enable the
timely identi!cation of re4uired corrective actions.
1. Instruct those responsible for cost management to capture
collect and consolidate the data and present and report the
data to the appropriate budget o#ners. 9udget analysts and
o#ners 7ointly analyse deviations and compare performance to
internal and industry benchmar's. 5he result of the analysis
provides an e=planation of signi!cant deviations and the
suggested corrective actions.
?. -nsure that the appropriate levels of management revie#
the results of the analysis and approve suggested corrective
actions.
+. Align I5 budgets and services to the I5 infrastructure
enterprise processes and o#ners #ho use them.
1C+ of (01
Activit%
B. -nsure that changes in cost structures and enterprise needs
are identi!ed and budgets and forecasts are revised as
re4uired.
C. At regular intervals and especially #hen budgets are cut
due to !nancial constraints identify #ays to optimise costs and
introduce e;ciencies #ithout 7eopardising services.
1. -valuate sta;ng re4uirements on a regular basis or upon
ma7or changes to ensure that the*
K I5 function has su;cient resources to ade4uately and
appropriately support enterprise goals and ob7ectives
K -nterprise has su;cient resources to ade4uately and
appropriately support business processes and controls and I58
enabled initiatives
2. /aintain business and I5 personnel recruitment and
retention processes in line #ith the overall enterprise&s
personnel policies and procedures.
(. Include bac'ground chec's in the I5 recruitment process for
employees contractors and vendors. 5he e=tent and fre4uency
of these chec's should depend on the sensitivity andGor
criticality of the function.
0. -stablish Ae=ible resource arrangements to support
changing business needs such as the use of transfers e=ternal
contractors and third8party service arrangements.
1. -nsure that cross8training ta'es place and there is bac'up to
'ey sta6 to reduce single8person dependency.
1. /inimise reliance on a single individual performing a critical
7ob function through 'no#ledge capture "documentation$
'no#ledge sharing succession planning sta6 bac'up cross8
training and 7ob rotation initiatives.
1CB of (01
Activit%
0. <egularly test sta6 bac'up plans.
2. As a security precaution provide guidelines on a minimum
time of annual vacation to be ta'en by 'ey individuals.
(. 5a'e e=pedient actions regarding 7ob changes especially 7ob
terminations.
1. .e!ne the re4uired and currently available s'ills and
competencies of internal and e=ternal resources to achieve
enterprise I5 and process goals.
2. )rovide formal career planning and professional
development to encourage competency development
opportunities for personal advancement and reduced
dependence on 'ey individuals.
(. )rovide access to 'no#ledge repositories to support the
development of s'ills and competencies.
0. Identify gaps bet#een re4uired and available s'ills and
develop action plans to address them on an individual and
collective basis such as training "technical and behavioural
s'ills$ recruitment redeployment and changed sourcing
strategies.
1. .evelop and deliver training programmes based on
organisational and process re4uirements including
re4uirements for enterprise 'no#ledge internal control ethical
conduct and security.
?. Conduct regular revie#s to assess the evolution of the s'ills
and competencies of the internal and e=ternal resources.
<evie# succession planning.
+. <evie# training materials and programmes on a regular
basis to ensure ade4uacy #ith respect to changing enterprise
re4uirements and their impact on necessary 'no#ledge s'ills
and abilities.
1. Consider functionalGenterprise goals as the conte=t for
setting individual goals.
1CC of (01
Activit%
(. Compile (?08degree performance evaluation results.
0. Implement and communicate a disciplinary process.
2. Set individual goals aligned #ith the relevant process goals
so that there is a clear contribution to I5 and enterprise goals.
9ase goals on S/A<5 ob7ectives "speci!c measurable
achievable relevant and time8bound$ that reAect core
competencies enterprise values and s'ills re4uired for the
role"s$.
1. )rovide speci!c instructions for the use and storage of
personal information in the evaluation process in compliance
#ith applicable personal data and employment legislation.
?. )rovide timely feedbac' regarding performance against the
individual&s goals.
+. Implement a remunerationGrecognition process that re#ards
appropriate commitment competency development and
successful attainment of performance goals. -nsure that the
process is applied consistently and in line #ith organisational
policies.
B. .evelop performance improvement plans based on the
results of the evaluation process and identi!ed training and
s'ills development re4uirements.
1. Create and maintain an inventory of business and I5 human
resources.
2. %nderstand the current and future demand for human
resources to support the achievement of I5 ob7ectives and to
deliver services and solutions based on the portfolio of current
I58related initiatives the future investment portfolio and day8
to8day operational needs.
200 of (01
Activit%
(. Identify shortfalls and provide input into sourcing plans as
#ell as enterprise and I5 recruitment processes. Create and
revie# the sta;ng plan 'eeping trac' of actual usage.
0. /aintain ade4uate information on the time spent on
di6erent tas's assignments services or pro7ects.
1. Implement policies and procedures that describe #hen ho#
and #hat type of #or' can be performed or augmented by
consultants andGor contractors in accordance #ith the
organisation&s enterprise#ide I5 procurement policy and the I5
control frame#or'.
2. 2btain formal agreement from contractors at the
commencement of the contract that they are re4uired to
comply #ith the enterprise&s I5 control frame#or' such as
policies for security clearance physical and logical access
control use of facilities information con!dentiality
re4uirements and non8disclosure agreements.
(. Advise contractors that management reserves the right to
monitor and inspect all usage of I5 resources including email
voice communications and all programs and data !les.
0. )rovide contractors #ith a clear de!nition of their roles and
responsibilities as part of their contracts including e=plicit
re4uirements to document their #or' to agreed8on standards
and formats.
1. <evie# contractors& #or' and base the approval of
payments on the results.
?. .e!ne all #or' performed by e=ternal parties in formal and
unambiguous contracts.
+. Conduct periodic revie#s to ensure that contract sta6 have
signed and agreed on all necessary agreements.
201 of (01
Activit%
B. Conduct periodic revie#s to ensure that contractors& roles
and access rights are appropriate and in line #ith agreements.
1. Identify business sta'eholders their interests and their
areas of responsibilities.
2. <evie# current enterprise direction issues strategic
ob7ectives and alignment #ith enterprise architecture.
(. /aintain an a#areness of business processes and associated
activities and understand demand patterns that relate to
service volumes and use.
0. Clarify business e=pectations for I58enabled services and
solutions and ensure that re4uirements are de!ned #ith
associated business acceptance criteria and metrics.
1. Con!rm agreement of business e=pectations acceptance
criteria and metrics to relevant parts of I5 by all sta'eholders.
?. /anage e=pectations by ensuring that business units
understand priorities dependencies !nancial constraints and
the need to schedule re4uests.
+. %nderstand the current business environment process
constraints or issues geographical e=pansion or contraction
and industryGregulatory drivers.
1. %nderstand technology trends and ne# technologies and
ho# these can be applied innovatively to enhance business
process performance.
202 of (01
Activit%
2. )lay a proactive role in identifying and communicating #ith
'ey sta'eholders on opportunities ris' and constraints. 5his
includes current and emerging technologies services and
business process models.
(. Collaborate in agreeing on ne=t steps for ma7or ne#
initiatives in co8operation #ith portfolio management including
business case development.
0. -nsure that the business and I5 understand and appreciate
the strategic ob7ectives and enterprise architecture vision.
1. Co8ordinate #hen planning ne# I5 initiatives to ensure
integration and alignment #ith the enterprise architecture.
1. Assign a relationship manager as a single point of contact
for each signi!cant business unit. -nsure that a single
counterpart is identi!ed in the business organisation and the
counterpart has business understanding su;cient technology
a#areness and the appropriate level of authority.
2. /anage the relationship in a formalised and transparent #ay
that ensures a focus on achieving a common and shared goal
of successful enterprise outcomes in support of strategic goals
and #ithin the constraint of budgets and ris' tolerance.
(. .e!ne and communicate a complaints and escalation
procedure to resolve any relationship issues.
20( of (01
Activit%
0. )lan speci!c interactions and schedules based on mutually
agreed8on ob7ectives and common language "service and
performance revie# meetings revie# of ne# strategies or
plans etc.$.
1. -nsure that 'ey decisions are agreed on and approved by
relevant accountable sta'eholders.
1. Co8ordinate and communicate changes and transition
activities such as pro7ect or change plans schedules release
policies release 'no#n errors and training a#areness.
2. Co8ordinate and communicate operational activities roles
and responsibilities including the de!nition of re4uest types
hierarchical escalation ma7or outages "planned and
unplanned$ and contents and fre4uency of service reports.
(. 5a'e o#nership of the response to the business for ma7or
events that may inAuence the relationship #ith the business.
)rovide direct support if re4uired.
0. /aintain an end8to8end communication plan that de!nes the
content fre4uency and recipients of service delivery
information including status of value delivered and any ris'
identi!ed.
1. )erform customer and provider satisfaction analysis. -nsure
that issues are actioned and report results and status.
2. Ior' together to identify communicate and implement
improvement initiatives.
(. Ior' #ith service management and process o#ners to
ensure that I58enabled services and service management
processes are continually improved and the root causes of any
issues are identi!ed and resolved.
200 of (01
Activit%
1. Assess current I5 services and service levels to identify gaps
bet#een e=isting services and the business activities they
support. Identify areas for improvement of e=isting services
and service level options.
2. Analyse study and estimate future demand and con!rm
capacity of e=isting I58enabled services.
(. Analyse business process activities to identify the need for
ne# or redesigned I5 services.
0. Compare identi!ed re4uirements to e=isting service
components in the portfolio. If possible pac'age e=isting
service components "I5 services service level options and
service pac'ages$ into ne# service pac'ages to meet identi!ed
business re4uirements.
1. Ihere possible match demands to service pac'ages and
create standardised services to obtain overall e;ciencies.
?. <egularly revie# the portfolio of I5 services #ith portfolio
management and business relationship management to
identify obsolete services. Agree on retirement and propose
change.
1. )ublish in catalogues relevant live I58enabled services
service pac'ages and service level options from the portfolio.
2. Continually ensure that the service components in the
portfolio and the related service catalogues are complete and
up to date.
(. Inform business relationship management of any updates to
the service catalogues.
1. Analyse re4uirements for ne# or changed service
agreements received from business relationship management
to ensure that the re4uirements can be matched. Consider
aspects such as service times availability performance
capacity security continuity compliance and regulatory
issues usability and demand constraints.
201 of (01
Activit%
2. .raft customer service agreements based on the services
service pac'ages and service level options in the relevant
service catalogues.
(. .etermine agree on and document internal operational
agreements to underpin the customer service agreements if
applicable.
0. @iaise #ith supplier management to ensure that appropriate
commercial contracts #ith e=ternal service providers underpin
the customer service agreements if applicable.
1. 3inalise customer service agreements #ith business
relationship management.
1. -stablish and maintain measures to monitor and collect
service level data.
2. -valuate performance and provide regular and formal
reporting of service agreement performance including
deviations from the agreed8on values. .istribute this report to
business relationship management.
(. )erform regular revie#s to forecast and identify trends in
service level performance.
0. )rovide the appropriate management information to aid
performance management.
1. Agree on action plans and remediations for any performance
issues or negative trends.
1. <egularly revie# service agreements according to the
agreed8on terms to ensure that they are e6ective and up to
date and changes in re4uirements I58enabled services service
pac'ages or service level options are ta'en into account #hen
appropriate.
1. -stablish and maintain criteria relating to type signi!cance
and criticality of suppliers and supplier contracts enabling a
focus on preferred and important suppliers.
2. -stablish and maintain supplier and contract evaluation
criteria to enable overall revie# and comparison of supplier
performance in a consistent #ay.
20? of (01
Activit%
(. Identify record and categorise e=isting suppliers and
contracts according to de!ned criteria to maintain a detailed
register of preferred suppliers that need to be managed
carefully.
0. )eriodically evaluate and compare the performance of
e=isting and alternative suppliers to identify opportunities or a
compelling need to reconsider current supplier contracts.
1. <evie# all <3Is and <3)s to ensure that they*
K Clearly de!ne re4uirements
K Include a procedure to clarify re4uirements
K Allo# vendors su;cient time to prepare their proposals
K Clearly de!ne a#ard criteria and the decision process
2. -valuate <3Is and <3)s in accordance #ith the approved
evaluation processGcriteria and maintain documentary
evidence of the evaluations. Herify the references of candidate
vendors.
(. Select the supplier that best !ts the <3). .ocument and
communicate the decision and sign the contract.
0. In the speci!c case of soft#are ac4uisition include and
enforce the rights and obligations of all parties in the
contractual terms. 5hese rights and obligations may include
o#nership and licensing of intellectual property maintenance
#arranties arbitration procedures upgrade terms and !t for
purpose including security escro# and access rights.
20+ of (01
Activit%
1. In the speci!c case of ac4uisition of development resources
include and enforce the rights and obligations of all parties in
the contractual terms. 5hese rights and obligations may
include o#nership and licensing of intellectual property: !t for
purpose including development methodologies: testing:
4uality management processes including re4uired
performance criteria: performance revie#s: basis for payment:
#arranties: arbitration procedures: human resource
management: and compliance #ith the enterprise&s policies.
?. 2btain legal advice on resource development ac4uisition
agreements regarding o#nership and licensing of intellectual
property.
+. In the speci!c case of ac4uisition of infrastructure facilities
and related services include and enforce the rights and
obligations of all parties in the contractual terms. 5hese rights
and obligations may include service levels maintenance
procedures access controls security performance revie#
basis for payment and arbitration procedures.
1. Assign relationship o#ners for all suppliers and ma'e them
accountable for the 4uality of service"s$ provided.
2. Specify a formal communication and revie# process
including supplier interactions and schedules.
(. Agree on manage maintain and rene# formal contracts
#ith the supplier. -nsure that contracts conform to enterprise
standards and legal and regulatory re4uirements.
0. Iithin contracts #ith 'ey service suppliers include
provisions for the revie# of supplier site and internal practices
and controls by management or independent third parties.
20B of (01
Activit%
1. -valuate the e6ectiveness of the relationship and identify
necessary improvements.
?. .e!ne communicate and agree on #ays to implement
re4uired improvements to the relationship.
+. %se established procedures to deal #ith contract disputes
!rst using #herever possible e6ective relationships and
communications to overcome service problems.
B. .e!ne and formalise roles and responsibilities for each
service supplier. Ihere several suppliers combine to provide a
service consider allocating a lead contractor role to one of the
suppliers to ta'e responsibility for an overall contract.
1. Identify monitor and #here appropriate manage ris'
relating to the supplier&s ability to deliver service e;ciently
e6ectively securely reliably and continually.
2. Ihen de!ning the contract provide for potential service ris'
by clearly de!ning service re4uirements including soft#are
escro# agreements alternative suppliers or standby
agreements to mitigate possible supplier failure: security and
protection of intellectual property "I)$: and any legal or
regulatory re4uirements.
1. .e!ne and document criteria to monitor supplier
performance aligned #ith service level agreements and ensure
that the supplier regularly and transparently reports on agreed8
on criteria.
2. /onitor and revie# service delivery to ensure that the
supplier is providing an acceptable 4uality of service meeting
re4uirements and adhering to contract conditions.
(. <evie# supplier performance and value for money to ensure
that they are reliable and competitive compared #ith
alternative suppliers and mar'et conditions.
20C of (01
Activit%
0. <e4uest independent revie#s of supplier internal practices
and controls if necessary.
1. <ecord and assess revie# results periodically and discuss
them #ith the supplier to identify needs and opportunities for
improvement.
?. /onitor and evaluate e=ternally available information about
the supplier.
1. -nsure that the I5 control frame#or' and the business and I5
processes include a standard formal and continuous approach
to 4uality management that is aligned #ith enterprise
re4uirements. Iithin the I5 control frame#or' and the
business and I5 processes identify 4uality re4uirements and
criteria "e.g. based on legal re4uirements and re4uirements
from customers$.
2. .e!ne roles tas's decision rights and responsibilities for
4uality management in the organisational structure.
(. .e!ne 4uality management plans for important processes
pro7ects or ob7ectives in alignment #ith enterprise 4uality
management criteria and policies. <ecord 4uality data.
0. /onitor and measure the e6ectiveness and acceptance of
4uality management and improve them #hen needed.
1. Align I5 4uality management #ith an enterprise#ide 4uality
system to encourage a standardised and continuous approach
to 4uality.
?. 2btain input from management and e=ternal and internal
sta'eholders on the de!nition of 4uality re4uirements and
4uality management criteria.
+. -6ectively communicate the approach "e.g. through regular
formal 4uality training programmes$.
B. <egularly revie# the continued relevance e;ciency and
e6ectiveness of speci!c 4uality management processes.
/onitor the achievement of 4uality ob7ectives.
210 of (01
Activit%
2. Consider the bene!ts and costs of 4uality certi!cations.
?. Capture 4uality acceptance criteria for inclusion in S@As.
1. .e!ne the 4uality management standards practices and
procedures in line #ith the I5 control frame#or'&s
re4uirements. %se industry best practices for reference #hen
improving and tailoring the enterprise&s 4uality practices.
1. 3ocus 4uality management on customers by determining
internal and e=ternal customer re4uirements and ensuring
alignment of the I5 standards and practices. .e!ne and
communicate roles and responsibilities concerning conAict
resolution bet#een the userGcustomer and the I5 organisation.
2. /anage the business needs and e=pectations for each
business process I5 operational service and ne# solutions and
maintain their 4uality acceptance criteria. Capture 4uality
acceptance criteria for inclusion in S@As.
(. Communicate customer re4uirements and e=pectations
throughout the business and I5 organisation.
0. )eriodically obtain customer vie#s on business process and
service provisioning and I5 solution delivery to determine the
impact on I5 standards and practices and to ensure that
customer e=pectations are met and are acted upon.
1. <egularly monitor and revie# the D/S against agreed8on
acceptance criteria. Include feedbac' from customers users
and management. <espond to discrepancies in revie# results
to continuously improve the D/S.
211 of (01
Activit%
2. )repare and conduct 4uality revie#s.
+. Analyse overall 4uality management performance results.
1. /onitor the 4uality of processes and services on an ongoing
and systematic basis by describing measuring analysing
improvingGengineering and controlling the processes.
(. <eport the revie# results and initiate improvements #here
appropriate.
0. /onitor 4uality of processes as #ell as the value 4uality
provides. -nsure that measurement monitoring and recording
of information is used by the process o#ner to ta'e appropriate
corrective and preventive actions.
1. /onitor goal8driven 4uality metrics aligned to overall 4uality
ob7ectives covering the 4uality of individual pro7ects and
services.
?. -nsure that management and process o#ners regularly
revie# 4uality management performance against de!ned
4uality metrics.
1. Integrate 4uality management practices in solutions
development processes and practices.
2. Continuously monitor service levels and incorporate 4uality
management practices in the service delivery processes and
practices.
212 of (01
Activit%
1. )romote a culture of 4uality and continual improvement.
(. Identify and document root causes for non8conformance and
communicate !ndings to I5 management and other
sta'eholders in a timely manner to enable remedial action to
be ta'en. Ihere appropriate perform follo#8up revie#s.
1. /aintain and regularly communicate the need for and
bene!ts of continuous improvement.
2. -stablish a platform to share best practices and to capture
information on defects and mista'es to enable learning from
them.
(. Identify recurring e=amples of 4uality defects determine
their root cause evaluate their impact and result and agree on
improvement actions #ith the service and pro7ect delivery
teams.
0. Identify e=amples of e=cellent 4uality delivery processes
that can bene!t other services or pro7ects and share these
#ith the service and pro7ect delivery teams to encourage
improvement.
?. -stablish a feedbac' loop bet#een 4uality management and
problem management.
+. )rovide employees #ith training in the methods and tools of
continual improvement.
B. 9enchmar' the results of the 4uality revie#s against internal
historical data industry guidelines standards and data from
similar types of enterprises.
1. -stablish and maintain a method for the collection
classi!cation and analysis of I5 ris'8related data
accommodating multiple types of events multiple categories
of I5 ris' and multiple ris' factors.
21( of (01
Activit%
2. <ecord relevant data on the enterprise&s internal and
e=ternal operating environment that could play a signi!cant
role in the management of I5 ris'.
(. Survey and analyse the historical I5 ris' data and loss
e=perience from e=ternally available data and trends industry
peers through industry8based event logs databases and
industry agreements for common event disclosure.
0. <ecord data on ris' events that have caused or may cause
impacts to I5 bene!tGvalue enablement I5 programme and
pro7ect delivery andGor I5 operations and service delivery.
Capture relevant data from related issues incidents problems
and investigations.
1. 3or similar classes of events organise the collected data and
highlight contributing factors. .etermine common contributing
factors across multiple events.
?. .etermine the speci!c conditions that e=isted or #ere
absent #hen ris' events occurred and the #ay the conditions
a6ected event fre4uency and loss magnitude.
+. )erform periodic event and ris' factor analysis to identify
ne# or emerging ris' issues and to gain an understanding of
the associated internal and e=ternal ris' factors.
1. .e!ne the appropriate breadth and depth of ris' analysis
e6orts considering all ris' factors and the business criticality
of assets. Set the ris' analysis scope after performing a cost8
bene!t analysis.
2. 9uild and regularly update I5 ris' scenarios including
compound scenarios of cascading andGor coincidental threat
types and develop e=pectations for speci!c control activities
capabilities to detect and other response measures.
210 of (01
Activit%
(. -stimate the fre4uency and magnitude of loss or gain
associated #ith I5 ris' scenarios. 5a'e into account all
applicable ris' factors evaluate 'no#n operational controls
and estimate residual ris' levels.
0 Compare residual ris' to acceptable ris' tolerance and
identify e=posures that may re4uire a ris' response.
1. Analyse cost8bene!t of potential ris' response options such
as avoid reduceGmitigate transferGshare and accept and
e=ploitGseiJe. )ropose the optimal ris' response.
?. Specify high8level re4uirements for pro7ects or programmes
that #ill implement the selected ris' responses. Identify
re4uirements and e=pectations for appropriate 'ey controls for
ris' mitigation responses.
+. Halidate the ris' analysis results before using them in
decision ma'ing con!rming that the analysis aligns #ith
enterprise re4uirements and verifying that estimations #ere
properly calibrated and scrutinised for bias.
1. Inventory business processes including supporting
personnel applications infrastructure facilities critical manual
records vendors suppliers and outsourcers and document the
dependency on I5 service management processes and I5
infrastructure resources.
2. .etermine and agree on #hich I5 services and I5
infrastructure resources are essential to sustain the operation
of business processes. Analyse dependencies and identify
#ea' lin's.
(. Aggregate current ris' scenarios by category business line
and functional area.
0. 2n a regular basis capture all ris' pro!le information and
consolidate it into an aggregated ris' pro!le.
211 of (01
Activit%
1. 9ased on all ris' pro!le data de!ne a set of ris' indicators
that allo# the 4uic' identi!cation and monitoring of current
ris' and ris' trends.
?. Capture information on I5 ris' events that have materialised
for inclusion in the I5 ris' pro!le of the enterprise.
+. Capture information on the status of the ris' action plan for
inclusion in the I5 ris' pro!le of the enterprise.
1. <eport the results of ris' analysis to all a6ected sta'eholders
in terms and formats useful to support enterprise decisions.
Iherever possible include probabilities and ranges of loss or
gain along #ith con!dence levels that enable management to
balance ris'8return.
2. )rovide decision ma'ers #ith an understanding of #orst8
case and most8probable scenarios due diligence e=posures
and signi!cant reputation legal or regulatory considerations.
(. <eport the current ris' pro!le to all sta'eholders including
e6ectiveness of the ris' management process control
e6ectiveness gaps inconsistencies redundancies
remediation status and their impacts on the ris' pro!le.
0. <evie# the results of ob7ective third8party assessments
internal audit and 4uality assurance revie#s and map them to
the ris' pro!le. <evie# identi!ed gaps and e=posures to
determine the need for additional ris' analysis.
1. 2n a periodic basis for areas #ith relative ris' and ris'
capacity parity identify I58related opportunities that #ould
allo# the acceptance of greater ris' and enhanced gro#th and
return.
1. /aintain an inventory of control activities that are in place to
manage ris' and that enable ris' to be ta'en in line #ith ris'
appetite and tolerance. Classify control activities and map
them to speci!c I5 ris' statements and aggregations of I5 ris'.
21? of (01
Activit%
2. .etermine #hether each organisational entity monitors ris'
and accepts accountability for operating #ithin its individual
and portfolio tolerance levels.
(. .e!ne a balanced set of pro7ect proposals designed to
reduce ris' andGor pro7ects that enable strategic enterprise
opportunities considering costGbene!ts e6ect on current ris'
pro!le and regulations.
1. )repare maintain and test plans that document the speci!c
steps to ta'e #hen a ris' event may cause a signi!cant
operational or development incident #ith serious business
impact. -nsure that plans include path#ays of escalation
across the enterprise.
2. Categorise incidents and compare actual e=posures against
ris' tolerance thresholds. Communicate business impacts to
decision ma'ers as part of reporting and update the ris'
pro!le.
(. Apply the appropriate response plan to minimise the impact
#hen ris' incidents occur.
0. -=amine past adverse eventsGlosses and missed
opportunities and determine root causes. Communicate root
cause additional ris' response re4uirements and process
improvements to appropriate decision ma'ers and ensure that
the cause response re4uirements and process improvement
are included in ris' governance processes.
1. .e!ne the scope and boundaries of the IS/S in terms of the
characteristics of the enterprise the organisation its location
assets and technology. Include details of and 7usti!cation for
any e=clusions from the scope.
2. .e!ne an IS/S in accordance #ith enterprise policy and
aligned #ith the enterprise the organisation its location
assets and technology.
(. Align the IS/S #ith the overall enterprise approach to the
management of security.
21+ of (01
Activit%
+. Communicate the IS/S approach.
0. 2btain management authorisation to implement and
operate or change the IS/S.
1. )repare and maintain a statement of applicability that
describes the scope of the IS/S.
?. .e!ne and communicate Information security management
roles and responsibilities.
1. 3ormulate and maintain an information security ris'
treatment plan aligned #ith strategic ob7ectives and the
enterprise architecture. -nsure that the plan identi!es the
appropriate and optimal management practices and security
solutions #ith associated resources responsibilities and
priorities for managing identi!ed information security ris'.
2. /aintain as part of the enterprise architecture an inventory
of solution components that are in place to manage security8
related ris'.
(. .evelop proposals to implement the information security
ris' treatment plan supported by suitable business cases
#hich include consideration of funding and allocation of roles
and responsibilities.
0. )rovide input to the design and development of
management practices and solutions selected from the
information security ris' treatment plan.
1. .e!ne ho# to measure the e6ectiveness of the selected
management practices and specify ho# these measurements
are to be used to assess e6ectiveness to produce comparable
and reproducible results.
21B of (01
Activit%
2. Conduct internal IS/S audits at planned intervals.
?. <ecommend information security training and a#areness
programmes.
+. Integrate the planning design implementation and
monitoring of information security procedures and other
controls capable of enabling prompt prevention detection of
security events and response to security incidents.
1. %nderta'e regular revie#s of the e6ectiveness of the IS/S
including meeting IS/S policy and ob7ectives and revie# of
security practices. 5a'e into account results of security audits
incidents results from e6ectiveness measurements
suggestions and feedbac' from all interested parties.
(. %nderta'e a management revie# of the IS/S on a regular
basis to ensure that the scope remains ade4uate and
improvements in the IS/S process are identi!ed.
0. )rovide input to the maintenance of the security plans to
ta'e into account the !ndings of monitoring and revie#ing
activities.
1. <ecord actions and events that could have an impact on the
e6ectiveness or performance of the IS/S.
21C of (01
Activit%
1. /aintain and enforce a standard approach to programme
and pro7ect management aligned to the enterprise&s speci!c
environment and #ith good practice based on de!ned process
and use of appropriate technology. -nsure that the approach
covers the full life cycle and disciplines to be follo#ed
including the management of scope resources ris' cost
4uality time communication sta'eholder involvement
procurement change control integration and bene!t
realisation.
2. %pdate the programme and pro7ect management approach
based on lessons learned from its use.
1. Agree on programme sponsorship and appoint a programme
boardGcommittee #ith members #ho have strategic interest in
the programme have responsibility for the investment decision
ma'ing #ill be signi!cantly impacted by the programme and
#ill be re4uired to enable delivery of the change.
2. Con!rm the programme mandate #ith sponsors and
sta'eholders. Articulate the strategic ob7ectives for the
programme potential strategies for delivery improvement and
bene!ts that are e=pected to result and ho# the programme
!ts #ith other initiatives.
(. .evelop a detailed business case for a programme if
#arranted. Involve all 'ey sta'eholders to develop and
document a complete understanding of the e=pected
enterprise outcomes ho# they #ill be measured the full scope
of initiatives re4uired the ris' involved and the impact on all
aspects of the enterprise. Identify and assess alternative
courses of action to achieve the desired enterprise outcomes.
220 of (01
Activit%
0. Analyse sta'eholder interests and re4uirements.
0. .evelop a bene!ts realisation plan that #ill be managed
throughout the programme to ensure that planned bene!ts
al#ays have o#ners and are achieved sustained and
optimised.
1. )repare and submit for in8principle approval the initial
"conceptual$ programme business case providing essential
decision8ma'ing information regarding purpose contribution to
business ob7ectives e=pected value created time frames etc.
?. Appoint a dedicated manager for the programme #ith the
commensurate competencies and s'ills to manage the
programme e6ectively and e;ciently.
1. )lan ho# sta'eholders inside and outside the enterprise #ill
be identi!ed analysed engaged and managed through the life
cycle of the pro7ects.
2. Identify engage and manage sta'eholders by establishing
and maintaining appropriate levels of co8ordination
communication and liaison to ensure that they are involved in
the programmeGpro7ect.
(. /easure the e6ectiveness of sta'eholder engagement and
ta'e remedial actions as re4uired.
1. .e!ne and document the programme plan covering all
pro7ects including #hat is needed to bring about changes to
the enterprise: its image products and services: business
processes: people s'ills and numbers: relationships #ith
sta'eholders customers suppliers and others: technology
needs: and organisational restructuring re4uired to achieve the
programme&s e=pected enterprise outcomes.
221 of (01
Activit%
2. Specify re4uired resources and s'ills to e=ecute the pro7ect
including pro7ect managers and pro7ect teams as #ell as
business resources. Specify funding cost schedule and inter8
dependencies of multiple pro7ects. Specify the basis for
ac4uiring and assigning competent sta6 members andGor
contractors to the pro7ects. .e!ne the roles and responsibilities
for all team members and other interested parties.
(. Assign accountability clearly and unambiguously for each
pro7ect including achieving the bene!ts controlling the costs
managing the ris' and co8ordinating the pro7ect activities.
0. -nsure that there is e6ective communication of programme
plans and progress reports amongst all pro7ects and #ith the
overall programme. -nsure that any changes made to
individual plans are reAected in the other enterprise
programme plans.
1. /aintain the programme plan to ensure that it is up to date
and reAects alignment #ith current strategic ob7ectives actual
progress and material changes to outcomes bene!ts costs
and ris'. Eave the business drive the ob7ectives and prioritise
the #or' throughout to ensure that the programme as
designed #ill meet enterprise re4uirements. <evie# progress
of individual pro7ects and ad7ust the pro7ects as necessary to
meet scheduled milestones releases.
?. %pdate and maintain throughout the programme&s economic
life the business case and a bene!ts register to identify and
de!ne 'ey bene!ts arising from underta'ing the programme.
+. )repare a programme budget that reAects the full economic
life cycle costs and the associated !nancial and non8!nancial
bene!ts.
1. )lan resource and commission the necessary pro7ects
re4uired to achieve the programme results based on funding
revie# and approvals at each stage8gate revie#.
222 of (01
Activit%
2. -stablish agreed8on stages of the development process
"development chec'points$. At the end of each stage facilitate
formal discussions of approved criteria #ith the sta'eholders.
After successful completion of functionality performance and
4uality revie#s and before !nalising stage activities obtain
formal approval and sign8o6 from all sta'eholders and the
sponsorGbusiness process o#ner.
(. %nderta'e a bene!ts realisation process throughout the
programme to ensure that planned bene!ts al#ays have
o#ners and are li'ely to be achieved sustained and optimised.
/onitor bene!ts delivery and report against performance
targets at the stage8gate or iteration and release revie#s.
)erform root cause analysis for deviations from the plan and
identify and address any necessary remedial actions.
0. /anage each programme or pro7ect to ensure that decision
ma'ing and delivery activities are focussed on value by
achieving bene!ts for the business and goals in a consistent
manner addressing ris' and achieving sta'eholder
re4uirements.
1. Set up programmeGpro7ect management o;ce"s$ and plan
audits 4uality revie#s phaseGstage8gate revie#s and revie#s
of realised bene!ts.
1. /onitor and control the performance of the overall
programme and the pro7ects #ithin the programme including
contributions of the business and I5 to the pro7ects and report
in a timely complete and accurate fashion. <eporting may
include schedule funding functionality user satisfaction
internal controls and acceptance of accountabilities.
22( of (01
Activit%
2. /onitor and control performance against enterprise and I5
strategies and goals and report to management on enterprise
changes implemented bene!ts realised against the bene!ts
realisation plan and the ade4uacy of the bene!ts realisation
process.
(. /onitor and control I5 services assets and resources created
or changed as a result of the programme. Note implementation
and in8service dates. <eport to management on performance
levels sustained service delivery and contribution to value.
0. /anage programme performance against 'ey criteria "e.g.
scope schedule 4uality bene!ts realisation costs ris'
velocity$ identify deviations from the plan and ta'e timely
remedial action #hen re4uired.
1. /onitor individual pro7ect performance related to delivery of
the e=pected capabilities schedule bene!ts realisation costs
ris' or other metrics to identify potential impacts on
programme performance. 5a'e timely remedial action #hen
re4uired.
?. %pdate operational I5 portfolios reAecting changes that
result from the programme in the relevant I5 service asset or
resource portfolios.
+. In accordance #ith stage8gate release or iteration revie#
criteria underta'e revie#s to report on the progress of the
programme so that management can ma'e goGno8go or
ad7ustment decisions and approve further funding up to the
follo#ing stage8gate release or iteration.
1. 5o create a common understanding of pro7ect scope amongst
sta'eholders provide to the sta'eholders a clear #ritten
statement de!ning the nature scope and bene!t of every
pro7ect.
220 of (01
Activit%
2. -nsure that each pro7ect has one or more sponsors #ith
su;cient authority to manage e=ecution of the pro7ect #ithin
the overall programme.
(. -nsure that 'ey sta'eholders and sponsors #ithin the
enterprise and I5 agree on and accept the re4uirements for the
pro7ect including de!nition of pro7ect success "acceptance$
criteria and 'ey performance indicators "F)Is$.
0. -nsure that the pro7ect de!nition describes the re4uirements
for a pro7ect communication plan that identi!es internal and
e=ternal pro7ect communications.
1. Iith the approval of sta'eholders maintain the pro7ect
de!nition throughout the pro7ect reAecting changing
re4uirements.
?. 5o trac' the e=ecution of a pro7ect put in place mechanisms
such as regular reporting and stage8gate release or phase
revie#s in a timely manner #ith appropriate approval.
1. .evelop a pro7ect plan that provides information to enable
management to control pro7ect progress progressively. 5he
plan should include details of pro7ect deliverables and
acceptance criteria re4uired internal and e=ternal resources
and responsibilities clear #or' brea'do#n structures and #or'
pac'ages estimates of resources re4uired milestonesGrelease
planGphases 'ey dependencies and identi!cation of a critical
path.
2. /aintain the pro7ect plan and any dependent plans "e.g. ris'
plan 4uality plan bene!ts realisation plan$ to ensure that they
are up to date and reAect actual progress and approved
material changes.
(. -nsure that there is e6ective communication of pro7ect plans
and progress reports amongst all pro7ects and #ith the overall
programme. -nsure that any changes made to individual plans
are reAected in the other plans.
221 of (01
Activit%
0. .etermine the activities interdependencies and re4uired
collaboration and communication among multiple pro7ects
#ithin a programme.
1. -nsure that each milestone is accompanied by a signi!cant
deliverable re4uiring revie# and sign8o6.
?. -stablish a pro7ect baseline "e.g. cost schedule scope
4uality$ that is appropriately revie#ed approved and
incorporated into the integrated pro7ect plan.
1. Identify assurance tas's and practices re4uired to support
the accreditation of ne# or modi!ed systems during
programme and pro7ect planning and include them in the
integrated plans. -nsure that the tas's provide assurance that
internal controls and security solutions meet the de!ned
re4uirements.
2. 5o provide 4uality assurance for the pro7ect deliverables
identify o#nership and responsibilities 4uality revie#
processes success criteria and performance metrics.
(. .e!ne any re4uirements for independent validation and
veri!cation of the 4uality of deliverables in the plan.
0. )erform 4uality assurance and control activities in
accordance #ith the 4uality management plan and D/S.
1. -stablish a formal pro7ect ris' management approach
aligned #ith the -</ frame#or'. -nsure that the approach
includes identifying analysing responding to mitigating
monitoring and controlling ris'.
22? of (01
Activit%
1. Identify o#ners for actions to avoid accept or mitigate ris'.
2. Assign to appropriately s'illed personnel the responsibility
for e=ecuting the enterprise&s pro7ect ris' management process
#ithin a pro7ect and ensuring that this is incorporated into the
solution development practices. Consider allocating this role to
an independent team especially if an ob7ective vie#point is
re4uired or a pro7ect is considered critical.
(. )erform the pro7ect ris' assessment of identifying and
4uantifying ris' continuously throughout the pro7ect. /anage
and communicate ris' appropriately #ithin the pro7ect
governance structure.
0. <eassess pro7ect ris' periodically including at initiation of
each ma7or pro7ect phase and as part of ma7or change re4uest
assessments.
?. /aintain and revie# a pro7ect ris' register of all potential
pro7ect ris' and a ris' mitigation log of all pro7ect issues and
their resolution. Analyse the log periodically for trends and
recurring problems to ensure that root causes are corrected.
1. -stablish and use a set of pro7ect criteria including but not
limited to scope schedule 4uality cost and level of ris'.
2. /easure pro7ect performance against 'ey pro7ect
performance criteria. Analyse deviations from established 'ey
pro7ect performance criteria for cause and assess positive and
negative e6ects on the programme and its component
pro7ects.
(. <eport to identi!ed 'ey sta'eholders pro7ect progress #ithin
the programme deviations from established 'ey pro7ect
performance criteria and potential positive and negative
e6ects on the programme and its component pro7ects.
22+ of (01
Activit%
0. /onitor changes to the programme and revie# e=isting 'ey
pro7ect performance criteria to determine #hether they still
represent valid measures of progress.
1. .ocument and submit any necessary changes to the
programme&s 'ey sta'eholders for their approval before
adoption. Communicate revised criteria to pro7ect managers for
use in future performance reports.
?. <ecommend and monitor remedial action #hen re4uired in
line #ith the programme and pro7ect governance frame#or'.
+. ,ain approval and sign8o6 on the deliverables produced in
each iteration release or pro7ect phase from designated
managers and users in the a6ected business and I5 functions.
B. 9ase the approval process on clearly de!ned acceptance
criteria agreed on by 'ey sta'eholders prior to #or'
commencing on the pro7ect phase or iteration deliverable.
C. Assess the pro7ect at agreed8on ma7or stage8gates releases
or iterations and ma'e formal goGno8go decisions based on
predetermined critical success criteria.
10. -stablish and operate a change control system for the
pro7ect so that all changes to the pro7ect baseline "e.g. cost
schedule scope 4uality$ are appropriately revie#ed approved
and incorporated into the integrated pro7ect plan in line #ith
the programme and pro7ect governance frame#or'.
1. Identify business and I5 resource needs for the pro7ect and
clearly map appropriate roles and responsibilities #ith
escalation and decision8ma'ing authorities agreed on and
understood.
2. Identify re4uired s'ills and time re4uirements for all
individuals involved in the pro7ect phases in relation to de!ned
roles. Sta6 the roles based on available s'ills information "e.g.
I5 s'ills matri=$.
22B of (01
Activit%
(. %tilise e=perienced pro7ect management and team leader
resources #ith s'ills appropriate to the siJe comple=ity and
ris' of the pro7ect.
0. Consider and clearly de!ne the roles and responsibilities of
other involved parties including !nance legal procurement
E< internal audit and compliance.
1. Clearly de!ne and agree on the responsibility for
procurement and management of third8party products and
services and manage the relationships.
?. Identify and authorise the e=ecution of the #or' according to
the pro7ect plan.
+. Identify pro7ect plan gaps and provide feedbac' to the
pro7ect manager to remediate.
1. .e!ne and apply 'ey steps for pro7ect closure including
post8implementation revie#s that assess #hether a pro7ect
attained desired results and bene!ts.
2. )lan and e=ecute post8implementation revie#s to determine
#hether pro7ects delivered e=pected bene!ts and to improve
the pro7ect management and system development process
methodology.
(. Identify assign communicate and trac' any uncompleted
activities re4uired to achieve planned programme pro7ect
results and bene!ts.
0. <egularly and upon completion of the pro7ect collect from
the pro7ect participants the lessons learned. <evie# them and
'ey activities that led to delivered bene!ts and value. Analyse
the data and ma'e recommendations for improving the current
pro7ect as #ell as pro7ect management method for future
pro7ects.
1. 2btain sta'eholder acceptance of pro7ect deliverables and
transfer o#nership.
22C of (01
Activit%
1. 9ring the programme to an orderly closure including formal
approval disbanding of the programme organisation and
supporting function validation of deliverables and
communication of retirement.
2. <evie# and document lessons learned. 2nce the programme
is retired remove it from the active investment portfolio.
(. )ut accountability and processes in place to ensure that the
enterprise continues to optimise value from the service asset
or resources. Additional investments may be re4uired at some
future time to ensure that this occurs.
1. .e!ne and implement a re4uirements de!nition and
maintenance procedure and a re4uirements repository that are
appropriate for the siJe comple=ity ob7ectives and ris' of the
initiative that the enterprise is considering underta'ing.
2. -=press business re4uirements in terms of ho# the gap
bet#een current and desired business capabilities needs to be
addressed and ho# a role #ill interact #ith and use the
solution.
(. 5hroughout the pro7ect elicit analyse and con!rm that all
sta'eholder re4uirements including relevant acceptance
criteria are considered captured prioritised and recorded in a
#ay that is understandable to the sta'eholders business
sponsors and technical implementation personnel recognising
that the re4uirements may change and #ill become more
detailed as they are implemented.
2(0 of (01
Activit%
0. Specify and prioritise the information functional and
technical re4uirements based on the con!rmed sta'eholder
re4uirements. Include information control re4uirements in the
business processes automated processes and I5 environments
to address information ris' and to comply #ith la#s
regulations and commercial contracts.
1. Halidate all re4uirements through approaches such as peer
revie# model validation or operational prototyping.
?. Con!rm acceptance of 'ey aspects of the re4uirements
including enterprise rules information controls business
continuity legal and regulatory compliance auditability
ergonomics operability and usability safety and supporting
documentation.
+. 5rac' and control scope re4uirements and changes through
the life cycle of the solution throughout the pro7ect as
understanding of the solution evolves.
B. Consider re4uirements relating to enterprise policies and
standards enterprise architecture strategic and tactical I5
plans in8house and outsourced business and I5 processes
security re4uirements regulatory re4uirements people
competencies organisational structure business case and
enabling technology.
2(1 of (01
Activit%
1. .e!ne and e=ecute a feasibility study pilot or basic #or'ing
solution that clearly and concisely describes the alternative
solutions that #ill satisfy the business and functional
re4uirements. Include an evaluation of their technological and
economic feasibility.
2. Identify re4uired actions for solution ac4uisition or
development based on the enterprise architecture and ta'e
into account scope andGor time andGor budget limitations.
(. <evie# the alternative solutions #ith all sta'eholders and
select the most appropriate one based on feasibility criteria
including ris' and cost.
0. 5ranslate the preferred course of action into a high8level
ac4uisitionGdevelopment plan identifying resources to be used
and stages re4uiring a goGno8go decision.
1. Involve the sta'eholders to create a list of potential 4uality
functional and technical re4uirements and ris' related to
information processing "due to e.g. lac' of user involvement
unrealistic e=pectations developers adding unnecessary
functionality$.
2. Analyse and prioritise the re4uirements ris' according to
probability and impact. If applicable determine budget and
schedule impacts.
(. Identify #ays to control avoid or mitigate the re4uirements
ris' in order of priority.
2(2 of (01
Activit%
1. -nsure that the business sponsor or product o#ner ma'es
the !nal decision #ith respect to the choice of solution
ac4uisition approach and high8level design according to the
business case. Co8ordinate feedbac' from a6ected
sta'eholders and obtain sign8o6 from appropriate business and
technical authorities "e.g. business process o#ner enterprise
architect operations manager security$ for the proposed
approach.
2. 2btain 4uality revie#s throughout and at the end of each
'ey pro7ect stage iteration or release to assess the results
against the original acceptance criteria. Eave business
sponsors and other sta'eholders sign o6 on each successful
4uality revie#.
1. -stablish a high8level design speci!cation that translates the
proposed solution into business processes supporting services
applications infrastructure and information repositories
capable of meeting business and enterprise architecture
re4uirements.
2. Involve appropriately 4uali!ed and e=perienced users and I5
specialists in the design process to ma'e sure that the design
provides a solution that optimally uses the proposed I5
capabilities to enhance the business process.
(. Create a design that is compliant #ith the organisation&s
design standards at a level of detail that is appropriate for the
solution and development method and consistent #ith
business enterprise and I5 strategies the enterprise
architecture security plan and applicable la#s regulations
and contracts.
0. After 4uality assurance approval submit the !nal high8level
design to the pro7ect sta'eholders and the sponsorGbusiness
process o#ner for approval based on agreed8on criteria. 5his
design #ill evolve throughout the pro7ect as understanding
gro#s.
2(( of (01
Activit%
1. .esign data storage location retrieval and recoverability.
?. .esign appropriate redundancy recovery and bac'up.
1. .esign progressively the business process activities and
#or' Ao#s that need to be performed in con7unction #ith the
ne# application system to meet the enterprise ob7ectives
including the design of the manual control activities.
2. .esign the application processing steps including
speci!cation of transaction types and business processing
rules automated controls data de!nitionsGbusiness ob7ects
use cases e=ternal interfaces design constraints and other
re4uirements "e.g. licensing legal standards and
internationalisationGlocalisation$.
(. Classify data inputs and outputs according to enterprise
architecture standards. Specify the source data collection
design documenting the data inputs "regardless of source$ and
validation for processing transactions as #ell as the methods
for validation. .esign the identi!ed outputs including data
sources.
0. .esign systemGsolution interface including any automated
data e=change.
+. .esign the interface bet#een the user and the system
application so that it is easy to use and self8documenting.
B. Consider the impact of the solution&s need for infrastructure
performance being sensitive to the number of computing
assets band#idth intensity and time sensitivity of the
information.
2(0 of (01
Activit%
C. )roactively evaluate for design #ea'nesses "e.g.
inconsistencies lac' of clarity potential Aa#s$ throughout the
life cycle identifying improvements #hen re4uired.
10. )rovide an ability to audit transactions and identify root
causes of processing errors.
1. .evelop business processes supporting services
applications and infrastructure and information repositories
based on agreed8on speci!cations and business functional and
technical re4uirements.
2. Ihen third8party providers are involved #ith the solution
development ensure that maintenance support development
standards and licensing are addressed and adhered to in
contractual obligations.
(. 5rac' change re4uests and design performance and 4uality
revie#s ensuring active participation of all impacted
sta'eholders.
0. .ocument all solution components according to de!ned
standards and maintain version control over all developed
components and associated documentation.
1. Assess the impact of solution customisation and
con!guration on the performance and e;ciency of ac4uired
solutions and on inter8operability #ith e=isting applications
operating systems and other infrastructure. Adapt business
processes as re4uired to leverage the application capability.
?. -nsure that responsibilities for using high security or
restricted access infrastructure components are clearly de!ned
and understood by those #ho develop and integrate
infrastructure components. 5heir use should be monitored and
evaluated.
2(1 of (01
Activit%
1. Create and maintain a plan for the ac4uisition of solution
components considering future Ae=ibility for capacity
additions transition costs ris' and upgrades over the lifetime
of the pro7ect.
2. <evie# and approve all ac4uisition plans considering ris'
costs bene!ts and technical conformance #ith enterprise
architecture standards.
(. Assess and document the degree to #hich ac4uired
solutions re4uire adaptation of business process to leverage
the bene!ts of the ac4uired solution.
0. 3ollo# re4uired approvals at 'ey decision points during the
procurement processes.
1. <ecord receipt of all infrastructure and soft#are ac4uisitions
in an asset inventory.
1. Integrate and con!gure business and I5 solution components
and information repositories in line #ith detailed speci!cations
and 4uality re4uirements. Consider the role of users business
sta'eholders and the process o#ner in the con!guration of
business processes.
2. Complete and update business process and operational
manuals #here necessary to account for any customisation or
special conditions uni4ue to the implementation.
(. Consider all relevant information control re4uirements in
solution component integration and con!guration including
implementation of business controls #here appropriate into
automated application controls such that processing is
accurate complete timely authorised and auditable.
2(? of (01
Activit%
0. Implement audit trails during con!guration and integration
of hard#are and infrastructural soft#are to protect resources
and ensure availability and integrity.
1. Consider #hen the e6ect of cumulative customisations and
con!gurations "including minor changes that #ere not
sub7ected to formal design speci!cations$ re4uire a high8level
reassessment of the solution and associated functionality.
?. -nsure the interoperability of solution components #ith
supporting tests preferably automated.
+. Con!gure ac4uired application soft#are to meet business
processing re4uirements.
B. .e!ne service catalogues for relevant internal and e=ternal
target groups based on business re4uirements.
1. .e!ne a DA plan and practices including e.g. speci!cation
of 4uality criteria validation and veri!cation processes
de!nition of ho# 4uality #ill be revie#ed necessary
4uali!cations of 4uality revie#ers and roles and
responsibilities for the achievement of 4uality.
2. 3re4uently monitor the solution 4uality based on pro7ect
re4uirements enterprise policies adherence to development
methodologies 4uality management procedures and
acceptance criteria.
2(+ of (01
Activit%
(. -mploy code inspection test8driven development practices
automated testing continuous integration #al'8throughs and
testing of applications as appropriate. <eport on outcomes of
the monitoring process and testing to the application soft#are
development team and I5 management.
0. /onitor all 4uality e=ceptions and address all corrective
actions. /aintain a record of all revie#s results e=ceptions
and corrections. <epeat 4uality revie#s #here appropriate
based on the amount of re#or' and corrective action.
1. Create an integrated test plan and practices commensurate
#ith the enterprise environment and strategic technology
plans that #ill enable the creation of suitable testing and
simulation environments to help verify that the solution #ill
operate successfully in the live environment and deliver the
intended results and that controls are ade4uate.
2. Create a test environment that supports the full scope of the
solution and reAects as closely as possible real8#orld
conditions including the business processes and procedures
range of users transaction types and deployment conditions.
(. Create test procedures that align #ith the plan and practices
and allo# evaluation of the operation of the solution in real8
#orld conditions. -nsure that the test procedures evaluate the
ade4uacy of the controls based on enterprise#ide standards
that de!ne roles responsibilities and testing criteria and are
approved by pro7ect sta'eholders and the sponsorGbusiness
process o#ner.
2(B of (01
Activit%
1. %nderta'e testing of solutions and their components in
accordance #ith the testing plan. Include testers independent
from the solution team #ith representative business process
o#ners and end users. -nsure that testing is conducted only
#ithin the development and test environments.
2. %se clearly de!ned test instructions as de!ned in the test
plan and consider the appropriate balance bet#een
automated scripted tests and interactive user testing.
(. %nderta'e all tests in accordance #ith the test plan and
practices including the integration of business processes and I5
solution components and of non8functional re4uirements "e.g.
security interoperability usability$.
0. Identify log and classify "e.g. minor signi!cant and
mission8critical$ errors during testing. <epeat tests until all
signi!cant errors have been resolved. -nsure that an audit trail
of test results is maintained.
1. <ecord testing outcomes and communicate results of testing
to sta'eholders in accordance #ith the test plan.
1. Assess the impact of all solution change re4uests on the
solution development the original business case and the
budget and categorise and prioritise them accordingly.
2. 5rac' changes to re4uirements enabling all sta'eholders to
monitor revie# and approve the changes. -nsure that the
outcomes of the change process are fully understood and
agreed on by all the sta'eholders and the sponsorGbusiness
process o#ner.
2(C of (01
Activit%
(. Apply change re4uests maintaining the integrity of
integration and con!guration of solution components. Assess
the impact of any ma7or solution upgrade and classify it
according to agreed8on ob7ective criteria "such as enterprise
re4uirements$ based on the outcome of analysis of the ris'
involved "such as impact on e=isting systems and processes or
security$ cost8bene!t 7usti!cation and other re4uirements.
1. .evelop and e=ecute a plan for the maintenance of solution
components that includes periodic revie#s against business
needs and operational re4uirements such as patch
management upgrade strategies ris' vulnerabilities
assessment and security re4uirements.
2. Assess the signi!cance of a proposed maintenance activity
on current solution design functionality andGor business
processes. Consider ris' user impact and resource availability.
-nsure that the business process o#ners understand the e6ect
of designating changes as maintenance.
(. In the event of ma7or changes to e=isting solutions that
result in signi!cant change in current designs andGor
functionality andGor business processes follo# the
development process used for ne# systems. 3or maintenance
updates use the change management process.
0. -nsure that the pattern and volume of maintenance
activities are analysed periodically for abnormal trends
indicating underlying 4uality or performance problems
costGbene!t of ma7or upgrade or replacement in lieu of
maintenance.
1. 3or maintenance updates use the change management
process to control all maintenance re4uests.
200 of (01
Activit%
1. )ropose de!nitions of the ne# or changed I5 services to
ensure that the services are !t for purpose. .ocument the
proposed service de!nitions in the portfolio list of services to
be developed.
2. )ropose ne# or changed service level options "service times
user satisfaction availability performance capacity security
continuity compliance and usability$ to ensure that the I5
services are !t for use. .ocument the proposed service options
in the portfolio.
(. Interface #ith business relationship management and
portfolio management to agree on the proposed service
de!nitions and service level options.
0. If service change falls #ithin agreed8on approval authority
build the ne# or changed I5 services or service level options.
2ther#ise pass the service change to portfolio management
for investment revie#.
1. Consider the follo#ing "current and forecasted$ in the
assessment of availability performance and capacity of
services and resources* customer re4uirements business
priorities business ob7ectives budget impact resource
utilisation I5 capabilities and industry trends.
2. /onitor actual performance and capacity usage against
de!ned thresholds supported #here necessary #ith
automated soft#are.
(. Identify and follo# up on all incidents caused by inade4uate
performance or capacity.
201 of (01
Activit%
0. <egularly evaluate the current levels of performance for all
processing levels "business demand service capacity and
resource capacity$ by comparing them against trends and
S@As ta'ing into account changes in the environment.
1. Identify only those solutions or services that are critical in
the availability and capacity management process.
2. /ap the selected solutions or services to application"s$ and
infrastructure "I5 and facility$ on #hich they depend to enable
a focus on critical resources for availability planning.
(. Collect data on availability patterns from logs of past failures
and performance monitoring. %se modelling tools that help
predict failures based on past usage trends and management
e=pectations of ne# environment or user conditions.
0. Create scenarios based on the collected data describing
future availability situations to illustrate a variety of potential
capacity levels needed to achieve the availability performance
ob7ective.
1. .etermine the li'elihood that the availability performance
ob7ective #ill not be achieved based on the scenarios.
?. .etermine the impact of the scenarios on the business
performance measures "e.g. revenue pro!t customer
services$. -ngage the business line functional "especially
!nance$ and regional leaders to understand their evaluation of
impact.
+. -nsure that business process o#ners fully understand and
agree to the results of this analysis. 3rom the business o#ners
obtain a list of unacceptable ris' scenarios that re4uire a
response to reduce ris' to acceptable levels.
1. <evie# availability and capacity implications of service trend
analysis.
202 of (01
Activit%
0. )rovide capacity reports to the budgeting processes.
2. Identify availability and capacity implications of changing
business needs and improvement opportunities. %se modelling
techni4ues to validate availability performance and capacity
plans.
(. )rioritise needed improvements and create cost87usti!able
availability and capacity plans.
0. Ad7ust the performance and capacity plans and S@As based
on realistic ne# proposed andGor pro7ected business
processes and supporting services applications and
infrastructure changes as #ell as revie#s of actual
performance and capacity usage including #or'load levels.
1. -nsure that management performs comparisons of actual
demand on resources #ith forecasted supply and demand to
evaluate current forecasting techni4ues and ma'e
improvements #here possible.
1. -stablish a process for gathering data to provide
management #ith monitoring and reporting information for
availability performance and capacity #or'load of all
information8related resources.
2. )rovide regular reporting of the results in an appropriate
form for revie# by I5 and business management and
communication to enterprise management.
(. Integrate monitoring and reporting activities in the iterative
capacity management activities "monitoring analysis tuning
and implementations$.
20( of (01
Activit%
1. 2btain guidance from vendor product manuals to ensure an
appropriate level of performance availability for pea'
processing and #or'loads.
2. Identify performance and capacity gaps based on monitoring
current and forecasted performance. %se the 'no#n
availability continuity and recovery speci!cations to classify
resources and allo# prioritisation.
(. .e!ne corrective actions "e.g. shifting #or'load prioritising
tas's or adding resources #hen performance and capacity
issues are identi!ed$.
0. Integrate re4uired corrective actions into the appropriate
planning and change management processes.
1. .e!ne an escalation procedure for s#ift resolution in case of
emergency capacity and performance problems.
1. Assess the scope and impact of the envisioned change the
various sta'eholders #ho are a6ected the nature of the impact
on and involvement re4uired from each sta'eholder group and
the current readiness and ability to adopt the change.
2. Identify leverage and communicate current pain points
negative events ris' customer dissatisfaction and business
problems as #ell as initial bene!ts future opportunities and
re#ards and competitor advantages as a foundation for
establishing the desire to change.
(. Issue 'ey communications from the e=ecutive committee or
C-2 to demonstrate the commitment to the change.
200 of (01
Activit%
0. )rovide visible leadership from senior management to
establish direction and to align motivate and inspire
sta'eholders to desire the change.
1. Identify and assemble an e6ective core implementation
team that includes appropriate members from business and I5
#ith the capacity to spend the re4uired amount of time and
contribute 'no#ledge and e=pertise e=perience credibility
and authority. Consider including e=ternal parties such as
consultants to provide an independent vie# or to address s'ill
gaps. Identify potential change agents #ithin di6erent parts of
the enterprise #ith #hom the core team can #or' to support
the vision and cascade changes do#n.
2. Create trust #ithin the core implementation team through
carefully planned events #ith e6ective communication and
7oint activities.
(. .evelop a common vision and goals that support the
1. .evelop a vision communication plan to address the core
audience groups their behavioural pro!les and information
re4uirements communication channels and principles.
2. .eliver the communication at appropriate levels of the
enterprise in accordance #ith the plan.
(. <einforce the communication through multiple forums and
repetition.
0. Chec' understanding of the desired vision and respond to
any issues highlighted by sta6.
201 of (01
Activit%
1. /a'e all levels of leadership accountable for demonstrating
the vision.
1. Identify organisational structures compatible #ith the vision:
if re4uired ma'e changes to ensure alignment.
2. )lan the training sta6 needs to develop the appropriate s'ills
and attitudes to feel empo#ered.
(. Align E< processes and measurement systems "e.g.
performance evaluation compensation decisions promoting
decisions recruiting and hiring$ to support the vision.
0. Identify and manage leaders #ho continue to resist needed
change.
1. Identify prioritise and deliver opportunities for 4uic' #ins.
5hese could be related to current 'no#n areas of di;culty or
e=ternal factors that need to be addressed urgently.
?. @everage delivered 4uic' #ins by communicating the
bene!ts to those impacted to sho# the vision is on trac'. 3ine8
tune the vision 'eep leaders on board and build momentum.
1. .evelop a plan for operation and use of the change that
communicates and builds on realised 4uic' #ins addresses
behavioural and cultural aspects of the broader transition and
increases buy8in and engagement. -nsure that the plan covers
a holistic vie# of the change and provides documentation "e.g.
procedures$ mentoring training coaching 'no#ledge
transfer enhanced immediate post8go8live support and
ongoing support.
20? of (01
Activit%
2. Implement the operation and use plan. .e!ne and trac'
success measures including hard business measures and
perception measures that indicate ho# people feel about a
change ta'ing remedial action as necessary.
1. Celebrate successes and implement re#ard and recognition
programmes to reinforce the change.
2. %se performance measurement systems to identify root
causes for lo# adoption and ta'e corrective action.
(. /a'e process o#ners accountable for normal day8to8day
operations.
0. Conduct compliance audits to identify root causes for lo#
adoption and recommend corrective action.
1. )rovide ongoing a#areness through regular communication
of the change and its adoption.
1. )rovide mentoring training coaching and 'no#ledge
transfer to ne# sta6 to sustain the change.
2. Sustain and reinforce the change through regular
communication demonstrating top management commitment.
(. )erform periodic revie#s of the operation and use of the
change and identify improvements.
20+ of (01
Activit%
0. Capture lessons learned relating to implementation of the
change and share 'no#ledge across the enterprise.
1. %se formal change re4uests to enable business process
o#ners and I5 to re4uest changes to business process
infrastructure systems or applications. /a'e sure that all such
changes arise only through the change re4uest management
process.
2. Categorise all re4uested changes "e.g. business process
infrastructure operating systems net#or's application
systems purchasedGpac'aged application soft#are$ and relate
a6ected con!guration items.
(. )rioritise all re4uested changes based on the business and
technical re4uirements resources re4uired and the legal
regulatory and contractual reasons for the re4uested change.
0. )lan and evaluate all re4uests in a structured fashion.
Include an impact analysis on business process infrastructure
systems and applications business continuity plans "9C)s$ and
service providers to ensure that all a6ected components have
been identi!ed. Assess the li'elihood of adversely a6ecting the
operational environment and the ris' of implementing the
change. Consider security legal contractual and compliance
implications of the re4uested change. Consider also inter8
dependencies amongst changes. Involve business process
o#ners in the assessment process as appropriate.
1. 3ormally approve each change by business process o#ners
service managers and I5 technical sta'eholders as
appropriate. Changes that are lo#8ris' and relatively fre4uent
should be pre8approved as standard changes.
20B of (01
Activit%
?. )lan and schedule all approved changes.
0. .e!ne #hat constitutes an emergency change.
+. Consider the impact of contracted services providers "e.g.
of outsourced business processing infrastructure application
development and shared services$ on the change management
process including integration of organisational change
management processes #ith change management processes
of service providers and the impact on contractual terms and
S@As.
1. -nsure that a documented procedure e=ists to declare
assess give preliminary approval authorise after the change
and record an emergency change.
2. Herify that all emergency access arrangements for changes
are appropriately authorised documented and revo'ed after
the change has been applied.
(. /onitor all emergency changes and conduct post8
implementation revie#s involving all concerned parties. 5he
revie# should consider and initiate corrective actions based on
root causes such as problems #ith business process
application system development and maintenance
development and test environments documentation and
manuals and data integrity.
1. Categorise change re4uests in the trac'ing process "e.g.
re7ected approved but not yet initiated approved and in
process and closed$.
20C of (01
Activit%
2. Implement change status reports #ith performance metrics
to enable management revie# and monitoring of both the
detailed status of changes and the overall state "e.g. aged
analysis of change re4uests$. -nsure that status reports form
an audit trail so changes can subse4uently be trac'ed from
inception to eventual disposition.
(. /onitor open changes to ensure that all approved changes
are closed in a timely fashion depending on priority.
0. /aintain a trac'ing and reporting system for all change
re4uests.
1. Include changes to documentation "e.g. business and I5
operational procedures business continuity and disaster
recovery documentation con!guration information application
documentation help screens and training materials$ #ithin the
change management procedure as an integral part of the
change.
2. .e!ne an appropriate retention period for change
documentation and pre8 and post8change system and user
documentation.
(. Sub7ect documentation to the same level of revie# as the
actual change.
1. Create an implementation plan that reAects the broad
implementation strategy the se4uence of implementation
steps resource re4uirements inter8dependencies criteria for
management acceptance of the production implementation
installation veri!cation re4uirements transition strategy for
production support and update of 9C)s.
2. Con!rm that all implementation plans are approved by
technical and business sta'eholders and revie#ed by internal
audit as appropriate.
210 of (01
Activit%
0. Identify and document the fallbac' and recovery process.
(. 2btain commitment from e=ternal solution providers to their
involvement in each step of the implementation.
1. 3ormally revie# the technical and business ris' associated
#ith implementation and ensure that the 'ey ris' is considered
and addressed in the planning process.
1. .e!ne a business process I5* service data and infrastructure
migration plan. Consider for e=ample hard#are net#or's
operating systems soft#are transaction data master !les
bac'ups and archives interfaces #ith other systems "both
internal and e=ternal$ possible compliance re4uirements
business procedures and system documentation in the
development of the plan.
2. Consider all necessary ad7ustments to procedures including
revised roles and responsibilities and control procedures in the
business process conversion plan.
(. Incorporate in the data conversion plan methods for
collecting converting and verifying data to be converted and
identifying and resolving any errors found during conversion.
Include comparing the original and converted data for
completeness and integrity.
0. Con!rm that the data conversion plan does not re4uire
changes in data values unless absolutely necessary for
business reasons. .ocument changes made to data values
and secure approval from the business process data o#ner.
1. <ehearse and test the conversion before attempting a live
conversion.
211 of (01
Activit%
?. Consider the ris' of conversion problems business
continuity planning and fallbac' procedures in the business
process data and infrastructure migration plan #here there are
ris' management business needs or regulatoryGcompliance
re4uirements.
+. Co8ordinate and verify the timing and completeness of the
conversion cutover so there is a smooth continuous transition
#ith no loss of transaction data. Ihere necessary in the
absence of any other alternative freeJe live operations.
B. )lan to bac' up all systems and data ta'en at the point prior
to conversion. /aintain audit trails to enable the conversion to
be retraced and ensure that there is a recovery plan covering
rollbac' of migration and fallbac' to previous processing
should the migration fail.
C. )lan retention of bac'up and archived data to conform to
business needs and regulatory or compliance re4uirements.
1. .evelop and document the test plan #hich aligns to the
programme and pro7ect 4uality plan and relevant
organisational standards. Communicate and consult #ith
appropriate business process o#ners and I5 sta'eholders.
2. -nsure that the test plan reAects an assessment of ris' from
the pro7ect and that all functional and technical re4uirements
are tested. 9ased on assessment of the ris' of system failure
and faults on implementation the plan should include
re4uirements for performance stress usability pilot and
security testing.
(. -nsure that the test plan addresses the potential need for
internal or e=ternal accreditation of outcomes of the test
process "e.g. !nancial regulatory re4uirements$.
212 of (01
Activit%
0. -nsure that the test plan identi!es necessary resources to
e=ecute testing and evaluate the results. -=amples of
resources include construction of test environments and use of
sta6 time for the test group including potential temporary
replacement of test sta6 in the production or development
environments. -nsure that sta'eholders are consulted on the
resource implications of the test plan.
1. -nsure that the test plan identi!es testing phases
appropriate to the operational re4uirements and environment.
-=amples of such testing phases include unit test system test
integration test user acceptance test performance test stress
test data conversion test security test operational readiness
test and bac'up and recovery tests.
?. Con!rm that the test plan considers test preparation
"including site preparation$ training re4uirements installation
or an update of a de!ned test environment
planningGperformingGdocumentingGretaining test cases error
and problem handling correction and escalation and formal
approval.
+. -nsure that the test plan establishes clear criteria for
measuring the success of underta'ing each testing phase.
Consult the business process o#ners and I5 sta'eholders in
de!ning the success criteria. .etermine that the plan
establishes remediation procedures #hen the success criteria
are not met "e.g. in a case of signi!cant failures in a testing
phase the plan provides guidance on #hether to proceed to
the ne=t phase stop testing or postpone implementation$.
21( of (01
Activit%
B. Con!rm that all test plans are approved by sta'eholders
including business process o#ners and I5 as appropriate.
-=amples of such sta'eholders are application development
managers pro7ect managers and business process end users.
1. Create a database of test data that are representative of the
production environment. Sanitise data used in the test
environment from the production environment according to
business needs and organisational standards "e.g. consider
#hether compliance or regulatory re4uirements oblige the use
of sanitised data$.
2. )rotect sensitive test data and results against disclosure
including access retention storage and destruction. Consider
the e6ect of interaction of organisational systems #ith those of
third parties.
(. )ut in place a process to enable proper retention or disposal
of test results media and other associated documentation to
enable ade4uate revie# and subse4uent analysis as re4uired
by the test plan. Consider the e6ect of regulatory or
compliance re4uirements.
0. -nsure that the test environment is representative of the
future business and operational landscape including business
process procedures and roles li'ely #or'load stress operating
systems necessary application soft#are database
management systems and net#or' and computing
infrastructure found in the production environment.
1. -nsure that the test environment is secure and incapable of
interacting #ith production systems.
210 of (01
Activit%
1. <evie# the categorised log of errors found in the testing
process by the development team verifying that all errors
have been remediated or formally accepted.
2. -valuate the !nal acceptance against the success criteria
and interpret the !nal acceptance testing results. )resent them
in a form that is understandable to business process o#ners
and I5 so an informed revie# and evaluation can ta'e place.
(. Approve the acceptance #ith formal sign8o6 by the business
process o#ners third parties "as appropriate$ and I5
sta'eholders prior to promotion to production.
0. -nsure that testing of changes is underta'en in accordance
#ith the testing plan. -nsure that the testing is designed and
conducted by a test group independent from the development
team. Consider the e=tent to #hich business process o#ners
and end users are involved in the test group. -nsure that
testing is conducted only #ithin the test environment.
1. -nsure that the tests and anticipated outcomes are in
accordance #ith the de!ned success criteria set out in the
testing plan.
?. Consider using clearly de!ned test instructions "scripts$ to
implement the tests. -nsure that the independent test group
assesses and approves each test script to con!rm that it
ade4uately addresses test success criteria set out in the test
plan. Consider using scripts to verify the e=tent to #hich the
system meets security re4uirements.
+. Consider the appropriate balance bet#een automated
scripted tests and interactive user testing.
211 of (01
Activit%
B. %nderta'e tests of security in accordance #ith the test plan.
/easure the e=tent of security #ea'nesses or loopholes.
Consider the e6ect of security incidents since construction of
the test plan. Consider the e6ect on access and boundary
controls.
C. %nderta'e tests of system and application performance in
accordance #ith the test plan. Consider a range of
performance metrics "e.g. end8user response times and
database management system update performance$.
10. Ihen underta'ing testing ensure that the fallbac' and
rollbac' elements of the test plan have been addressed.
11. Identify log and classify "e.g. minor signi!cant mission8
critical$ errors during testing. -nsure that an audit trail of test
results is available. Communicate results of testing to
sta'eholders in accordance #ith the test plan to facilitate bug
!=ing and further 4uality enhancement.
1. )repare for transfer of business procedures and supporting
services applications and infrastructure from testing to the
production environment in accordance #ith organisational
change management standards.
2. .etermine the e=tent of pilot implementation or parallel
processing of the old and ne# systems in line #ith the
(. )romptly update relevant business process and system
documentation con!guration information and contingency
plan documents as appropriate.
21? of (01
Activit%
0. -nsure that all media libraries are updated promptly #ith the
version of the solution component being transferred from
testing to the production environment. Archive the e=isting
version and its supporting documentation. -nsure that
promotion to production of systems application soft#are and
infrastructure is under con!guration control.
1. Ihere distribution of solution components is conducted
electronically control automated distribution to ensure that
users are noti!ed and distribution occurs only to authorised
and correctly identi!ed destinations. Include in the release
process bac'out procedures to enable the distribution of
changes to be revie#ed in the event of a malfunction or error.
?. Ihere distribution ta'es physical form 'eep a formal log of
#hat items have been distributed to #hom #here they have
been implemented and #hen each has been updated.
1. )rovide additional resources as re4uired to end users and
support personnel until the release has stabilised.
2. )rovide additional I5 systems resources as re4uired until
the release is in a stable operational environment.
21+ of (01
Activit%
1. -stablish procedures to ensure that post8implementation
revie#s identify assess and report on the e=tent to #hich*
K -nterprise re4uirements have been met.
K -=pected bene!ts have been realised.
K 5he system is considered usable.
K Internal and e=ternal sta'eholder e=pectations are met.
K %ne=pected impacts on the enterprise have occurred.
K Fey ris' is mitigated.
K 5he change management installation and accreditation
processes #ere performed e6ectively and e;ciently.
2. Consult business process o#ners and I5 technical
management in the choice of metrics for measurement of
success and achievement of re4uirements and bene!ts.
(. Conduct the post8implementation revie# in accordance #ith
the organisational change management process. -ngage
business process o#ners and third parties as appropriate.
0. Consider re4uirements for post8implementation revie#
arising from outside business and I5 "e.g. internal audit -</
compliance$.
1. Agree on and implement an action plan to address issues
identi!ed in the post8implementation revie#. -ngage business
process o#ners and I5 technical management in the
development of the action plan.
1. )roactively communicate the value of 'no#ledge to
encourage 'no#ledge creation use re8use and sharing.
2. -ncourage the sharing and transfer of 'no#ledge by
identifying and leveraging motivational factors.
21B of (01
Activit%
(. Create an environment tools and artefacts that support the
sharing and transfer of 'no#ledge.
0. -mbed 'no#ledge management practices into other I5
processes.
1. Set management e=pectations and demonstrate appropriate
attitude regarding the usefulness of 'no#ledge and the need
to share enterprise 'no#ledge.
1. Identify potential 'no#ledge users including o#ners of
information #ho may need to contribute and approve
'no#ledge. 2btain 'no#ledge re4uirements and sources of
information from identi!ed users.
2. Consider content types "procedures processes structures
concepts policies rules facts classi!cations$ artefacts
"documents records video voice$ and structured and
unstructured information "e=perts social media email voice
mail <SS feeds$.
(. Classify sources of information based on a content
classi!cation scheme "e.g. information architecture model$.
/ap sources of information to the classi!cation scheme.
0. Collect collate and validate information sources based on
information validation criteria "e.g. understandability
relevance importance integrity accuracy consistency
con!dentiality currency and reliability$.
1. Identify shared attributes and match sources of information
creating relationships bet#een information sets "information
tagging$.
2. Create vie#s to related data sets considering sta'eholder
and organisational re4uirements.
21C of (01
Activit%
(. .evise and implement a scheme to manage unstructured
'no#ledge not available through formal sources "e.g. e=pert
'no#ledge$.
0. )ublish and ma'e 'no#ledge accessible to relevant
sta'eholders based on roles and access mechanisms.
1. Identify potential 'no#ledge users by 'no#ledge
classi!cation.
2. 5ransfer 'no#ledge to 'no#ledge users based on a needs
gap analysis and e6ective learning techni4ues and access
tools.
(. -ducate and train users on available 'no#ledge access to
'no#ledge and use of 'no#ledge access tools.
1. /easure the use and evaluate the usefulness relevance and
value of 'no#ledge elements. Identify related information that
is no longer relevant to the enterprise&s 'no#ledge
re4uirements.
2. .e!ne the rules for 'no#ledge retirement and retire
'no#ledge accordingly.
1. Identify all o#ned assets in an asset register that records
current status. /aintain alignment #ith the change
management and con!guration management processes the
con!guration management system and the !nancial
accounting records.
2. Identify legal regulatory or contractual re4uirements that
need to be addressed #hen managing the asset.
(. Herify the e=istence of all o#ned assets by performing
regular physical and logical inventory chec's and reconciliation
including the use of soft#are discovery tools.
0. Herify that the assets are !t for purpose "i.e. in a useful
condition$.
2?0 of (01
Activit%
?. -nsure accounting for all assets.
1. .etermine on a regular basis #hether each asset continues
to provide value and if so estimate the e=pected useful life for
delivering value.
1. Identify assets that are critical in providing service capability
by referencing re4uirements in service de!nitions S@As and
the con!guration management system.
2. /onitor performance of critical assets by e=amining incident
trends and #here necessary ta'e action to repair or replace.
(. 2n a regular basis consider the ris' of failure or need for
replacement of each critical asset.
0. /aintain the resilience of critical assets by applying regular
preventive maintenance monitoring performance and if
re4uired providing alternative andGor additional assets to
minimise the li'elihood of failure.
1. -stablish a preventive maintenance plan for all hard#are
considering cost8bene!t analysis vendor recommendations
ris' of outage 4uali!ed personnel and other relevant factors.
?. -stablish maintenance agreements involving third8party
access to organisational I5 facilities for on8site and o68site
activities "e.g. outsourcing$. -stablish formal service contracts
containing or referring to all necessary security conditions
including access authorisation procedures to ensure
compliance #ith the organisational security policies and
standards.
+. Communicate to a6ected customers and users the e=pected
impact "e.g. performance restrictions$ of maintenance
activities.
B. -nsure that remote access services and user pro!les "or
other means used for maintenance or diagnosis$ are active
only #hen re4uired.
2?1 of (01
Activit%
C. Incorporate planned do#ntime in an overall production
schedule and schedule the maintenance activities to minimise
the adverse impact on business processes.
1. )rocure all assets based on approved re4uests and in
accordance #ith the enterprise procurement policies and
practices.
2. Source receive verify test and record all assets in a
controlled manner including physical labelling as re4uired.
(. Approve payments and complete the process #ith suppliers
according to agreed8on contract conditions.
0. .eploy assets follo#ing the standard implementation life
cycle including change management and acceptance testing.
1. Allocate assets to users #ith acceptance of responsibilities
and sign8o6 as appropriate.
?. <eallocate assets #henever possible #hen they are no
longer re4uired due to a change of user role redundancy
#ithin a service or retirement of a service.
+. .ispose of assets #hen they serve no useful purpose due to
retirement of all related services obsolete technology or lac'
of users.
B. .ispose of assets securely considering e.g. the permanent
deletion of any recorded data on media devices and potential
damage to the environment.
C. )lan authorise and implement retirement8related activities
retaining appropriate records to meet ongoing business and
regulatory needs.
1. 2n a regular basis revie# the overall asset base
considering #hether it is aligned #ith business re4uirements.
2. Assess maintenance costs consider reasonableness and
identify lo#er8cost options including #here necessary
replacement #ith ne# alternatives.
2?2 of (01
Activit%
(. <evie# #arranties and consider value for money and
replacement strategies to determine lo#est8cost options.
0. <evie# the overall base to identify opportunities for
standardisation single sourcing and other strategies that may
lo#er procurement support and maintenance costs.
1. %se capacity and utilisation statistics to identify
underutilised or redundant assets that could be considered for
disposal or replacement to lo#er costs.
?. <evie# the overall state to identify opportunities to leverage
emerging technologies or alternative sourcing strategies to
reduce costs or increase value for money.
1. /aintain a register of all purchased soft#are licences and
associated licence agreements.
2. 2n a regular basis conduct an audit to identify all instances
of installed licensed soft#are.
(. Compare the number of installed soft#are instances #ith the
number of licences o#ned.
0. Ihen instances are lo#er than the number o#ned decide
#hether there is a need to retain or terminate licences
considering the potential to save on unnecessary maintenance
training and other costs.
1. Ihen instances are higher than the number o#ned
consider !rst the opportunity to uninstall instances that are no
longer re4uired or 7usti!ed and then if necessary purchase
additional licences to comply #ith the licence agreement.
?. 2n a regular basis consider #hether better value can be
obtained by upgrading products and associated licences.
1. .e!ne and agree on the scope and level of detail for
con!guration management "i.e. #hich services assets and
infrastructure con!gurable items to include$.
2?( of (01
Activit%
1. <egularly identify all changes to con!guration items.
2. -stablish and maintain a logical model for con!guration
management including information on con!guration item
types con!guration item attributes relationship types
relationship attributes and status codes.
1. Identify and classify con!guration items and populate the
repository.
2. Create revie# and formally agree on con!guration baselines
of a service application or infrastructure.
2. <evie# proposed changes to con!guration items against the
baseline to ensure completeness and accuracy.
(. %pdate con!guration details for approved changes to
con!guration items.
0. Create revie# and formally agree on changes to
con!guration baselines #henever needed.
1. Identify status changes of con!guration items and report
against the baseline.
2. /atch all con!guration changes #ith approved re4uests for
change to identify any unauthorised changes. <eport
unauthorised changes to change management.
2?0 of (01
Activit%
(. Identify reporting re4uirements from all sta'eholders
including content fre4uency and media. )roduce reports
according to the identi!ed re4uirements.
1. )eriodically verify live con!guration items against the
con!guration repository by comparing physical and logical
con!gurations and using appropriate discovery tools as
re4uired.
2. <eport and revie# all deviations for approved corrections or
action to remove any unauthorised assets.
(. )eriodically verify that all physical con!guration items as
de!ned in the repository physically e=ist. <eport any
deviations to management.
0. Set and periodically revie# the target for completeness of
the con!guration repository based on business need.
1. )eriodically compare the degree of completeness and
accuracy against targets and ta'e remedial action as
necessary to improve the 4uality of the repository data.
1. .evelop and maintain operational procedures and related
activities to support all delivered services.
2. /aintain a schedule of operational activities perform the
activities and manage the performance and throughput of the
scheduled activities.
(. Herify that all data e=pected for processing are received and
processed completely accurately and in a timely manner.
.eliver output in accordance #ith enterprise re4uirements.
Support restart and reprocessing needs. -nsure that users are
receiving the right outputs in a secure and timely manner.
2?1 of (01
Activit%
0. -nsure that applicable security standards are met for the
receipt processing storage and output of data in a #ay that
meets enterprise ob7ectives the enterprise&s security policy
and regulatory re4uirements.
1. Schedule ta'e and log bac'ups in accordance #ith
established policies and procedures.
1. -nsure that the enterprise&s re4uirements for security of
information processes are adhered to in accordance #ith
contracts and S@As #ith third parties hosting or providing
services.
2. -nsure that the enterprise&s operational business and I5
processing re4uirements and priorities for service delivery are
adhered to in accordance #ith contracts and S@As #ith third
parties hosting or providing services.
(. Integrate critical internal I5 management processes #ith
those of outsourced service providers covering e.g.
performance and capacity planning change management
con!guration management service re4uest and incident
management problem management security management
business continuity and the monitoring of process
performance and reporting.
0. )lan for independent audit and assurance of the operational
environments of outsourced providers to con!rm that agreed8
on re4uirements are being ade4uately addressed.
1. @og events identifying the level of information to be
recorded based on a consideration of ris' and performance.
2. Identify and maintain a list of infrastructure assets that need
to be monitored based on service criticality and the
relationship bet#een con!guration items and services that
depend on them.
2?? of (01
Activit%
(. .e!ne and implement rules that identify and record
threshold breaches and event conditions. 3ind a balance
bet#een generating spurious minor events and signi!cant
events so event logs are not overloaded #ith unnecessary
information.
0. )roduce event logs and retain them for an appropriate
period to assist in future investigations.
1. -stablish procedures for monitoring event logs and conduct
regular revie#s.
?. -nsure that incident tic'ets are created in a timely manner
#hen monitoring identi!es deviations from de!ned thresholds.
1. Identify natural and man8made disasters that might occur in
the area #ithin #hich the I5 facilities are located. Assess the
potential e6ect on the I5 facilities.
2. Identify ho# I5 e4uipment including mobile and o68site
e4uipment is protected against environmental threats. -nsure
that the policy limits or e=cludes eating drin'ing and smo'ing
in sensitive areas and prohibits storage of stationery and other
supplies posing a !re haJard #ithin computer rooms.
(. Situate and construct I5 facilities to minimise and mitigate
susceptibility to environmental threats.
0. <egularly monitor and maintain devices that proactively
detect environmental threats "e.g. !re #ater smo'e
humidity$.
1. <espond to environmental alarms and other noti!cations.
.ocument and test procedures #hich should include
prioritisation of alarms and contact #ith local emergency
response authorities and train personnel in these procedures.
2?+ of (01
Activit%
?. Compare measures and contingency plans against insurance
policy re4uirements and report results. Address points of non8
compliance in a timely manner.
+. -nsure that I5 sites are built and designed to minimise the
impact of environmental ris' "e.g. theft air !re smo'e #ater
vibration terror vandalism chemicals e=plosives$. Consider
speci!c security Jones andGor !reproof cells "e.g. locating
production and development environmentsGservers a#ay from
each other$.
B. Feep the I5 sites and server rooms clean and in a safe
condition at all times "i.e. no mess no paper or cardboard
bo=es no !lled dustbins no Aammable chemicals or
materials$.
1. -=amine the I5 facilities& re4uirement for protection against
po#er Auctuations and outages in con7unction #ith other
business continuity planning re4uirements. )rocure suitable
uninterruptible supply e4uipment "e.g. batteries generators$
to support business continuity planning.
2. <egularly test the uninterruptible po#er supply&s
mechanisms and ensure that po#er can be s#itched to the
supply #ithout any signi!cant e6ect on business operations.
(. -nsure that the facilities housing the I5 systems have more
than one source for dependent utilities "e.g. po#er
telecommunications #ater gas$. Separate the physical
entrance of each utility.
0. Con!rm that cabling e=ternal to the I5 site is located
underground or has suitable alternative protection. .etermine
that cabling #ithin the I5 site is contained #ithin secured
conduits and #iring cabinets have access restricted to
authorised personnel. )roperly protect cabling against damage
caused by !re smo'e #ater interception and interference.
2?B of (01
Activit%
1. -nsure that cabling and physical patching "data and phone$
are structured and organised. Cabling and conduit structures
should be documented "e.g. blueprint building plan and #iring
diagrams$.
?. Analyse the facilities housing&s high8availability systems for
redundancy and fail8over cabling re4uirements "e=ternal and
internal$.
+. -nsure that I5 sites and facilities are in ongoing compliance
#ith relevant health and safety la#s regulations guidelines
and vendor speci!cations.
B. -ducate personnel on a regular basis on health and safety
la#s regulations and relevant guidelines. -ducate personnel
on !re and rescue drills to ensure 'no#ledge and actions ta'en
in case of !re or similar incidents.
C. <ecord monitor manage and resolve facilities incidents in
line #ith the I5 incident management process. /a'e available
reports on facilities incidents #here disclosure is re4uired in
terms of la#s and regulations.
10. -nsure that I5 sites and e4uipment are maintained
according to the supplier&s recommended service intervals and
speci!cations. 5he maintenance must be carried out only by
authorised personnel.
11. Analyse physical alterations to I5 sites or premises to
reassess the environmental ris' "e.g. !re or #ater damage$.
<eport results of this analysis to business continuity and
facilities management.
1. .e!ne incident and service re4uest classi!cation and
prioritisation schemes and criteria for problem registration to
ensure consistent approaches for handling informing users
about and conducting trend analysis.
2. .e!ne incident models for 'no#n errors to enable e;cient
and e6ective resolution.
2?C of (01
Activit%
(. .e!ne service re4uest models according to service re4uest
type to enable self8help and e;cient service for standard
re4uests.
0. .e!ne incident escalation rules and procedures especially
for ma7or incidents and security incidents.
1. .e!ne incident and re4uest 'no#ledge sources and their
use.
1. @og all service re4uests and incidents recording all relevant
information so that they can be handled e6ectively and a full
historical record can be maintained.
2. 5o enable trend analysis classify service re4uests and
incidents by identifying type and category.
(. )rioritise service re4uests and incidents based on S@A
service de!nition of business impact and urgency.
1. Herify entitlement for service re4uests using #here possible
a prede!ned process Ao# and standard changes.
2. 2btain !nancial and functional approval or sign8o6 if
re4uired or prede!ned approvals for agreed8on standard
changes.
(. 3ul!l the re4uests by performing the selected re4uest
procedure using #here possible self8help automated menus
and prede!ned re4uest models for fre4uently re4uested items.
2+0 of (01
Activit%
(. )erform recovery actions if re4uired.
2. Close service re4uests and incidents.
1. Identify and describe relevant symptoms to establish the
most probable causes of the incidents. <eference available
'no#ledge resources "including 'no#n errors and problems$ to
identify possible incident resolutions "temporary #or'arounds
andGor permanent solutions$.
2. If a related problem or 'no#n error does not already e=ist
and if the incident satis!es agreed8on criteria for problem
registration log a ne# problem.
(. Assign incidents to specialist functions if deeper e=pertise is
needed and engage the appropriate level of management
#here and if needed.
1. Select and apply the most appropriate incident resolutions
"temporary #or'around andGor permanent solution$.
2. <ecord #hether #or'arounds #ere used for incident
resolution.
0. .ocument incident resolution and assess if the resolution
can be used as a future 'no#ledge source.
1. Herify #ith the a6ected users "if agreed on$ that the service
re4uest has been satisfactory ful!lled or the incident has been
satisfactory resolved.
1. /onitor and trac' incident escalations and resolutions and
re4uest handling procedures to progress to#ards resolution or
completion.
2. Identify information sta'eholders and their needs for data or
reports. Identify reporting fre4uency and medium.
2+1 of (01
Activit%
(. Analyse incidents and service re4uests by category and type
to establish trends and identify patterns of recurring issues
S@A breaches or ine;ciencies. %se the information as input to
continual improvement planning.
0. )roduce and distribute timely reports or provide controlled
access to online data.
1. Identify problems through the correlation of incident reports
error logs and other problem identi!cation resources.
.etermine priority levels and categorisation to address
problems in a timely manner based on business ris' and
service de!nition.
2. Eandle all problems formally #ith access to all relevant data
including information from the change management system
and I5 con!gurationGasset and incident details.
(. .e!ne appropriate support groups to assist #ith problem
identi!cation root cause analysis and solution determination to
support problem management. .etermine support groups
based on pre8de!ned categories such as hard#are net#or'
soft#are applications and support soft#are.
0. .e!ne priority levels through consultation #ith the business
to ensure that problem identi!cation and root cause analysis
are handled in a timely manner according to the agreed8on
S@As. 9ase priority levels on business impact and urgency.
1. <eport the status of identi!ed problems to the service des'
so customers and I5 management can be 'ept informed.
?. /aintain a single problem management catalogue to
register and report problems identi!ed and to establish audit
trails of the problem management processes including the
status of each problem "i.e. open reopen in progress or
closed$.
2+2 of (01
Activit%
1. Identify problems that may be 'no#n errors by comparing
incident data #ith the database of 'no#n and suspected errors
"e.g. those communicated by e=ternal vendors$ and classify
problems as a 'no#n error.
2. Associate the a6ected con!guration items to the
establishedG'no#n error.
(. )roduce reports to communicate the progress in resolving
problems and to monitor the continuing impact of problems not
solved. /onitor the status of the problem8handling process
throughout its life cycle including input from change and
con!guration management.
1. As soon as the root causes of problems are identi!ed create
'no#n8error records and develop a suitable #or'around.
2. Identify evaluate prioritise and process "via change
management$ solutions to 'no#n errors based on a cost8
bene!t business case and business impact and urgency.
1. Close problem records either after con!rmation of successful
elimination of the 'no#n error or after agreement #ith the
business on ho# to alternatively handle the problem.
2. Inform the service des' of the schedule of problem closure
e.g. the schedule for !=ing the 'no#n errors the possible
#or'around or the fact that the problem #ill remain until the
change is implemented and the conse4uences of the approach
ta'en. Feep a6ected users and customers informed as
appropriate.
(. 5hroughout the resolution process obtain regular reports
from change management on progress in resolving problems
and errors.
0. /onitor the continuing impact of problems and 'no#n errors
on services.
1. <evie# and con!rm the success of resolutions of ma7or
problems.
2+( of (01
Activit%
?. /a'e sure the 'no#ledge learned from the revie# is
incorporated into a service revie# meeting #ith the business
customer.
1. Capture problem information related to I5 changes and
incidents and communicate it to 'ey sta'eholders. 5his
communication could ta'e the form of reports to and periodic
meetings amongst incident problem change and con!guration
management process o#ners to consider recent problems and
potential corrective actions.
2. -nsure that process o#ners and managers from incident
problem change and con!guration management meet
regularly to discuss 'no#n problems and future planned
changes.
(. 5o enable the enterprise to monitor the total costs of
problems capture change e6orts resulting from problem
management process activities "e.g. !=es to problems and
'no#n errors$ and report on them.
0. )roduce reports to monitor the problem resolution against
the business re4uirements and S@As. -nsure the proper
escalation of problems e.g. escalation to a higher
management level according to agreed8on criteria contacting
e=ternal vendors or referring to the change advisory board to
increase the priority of an urgent re4uest for change "<3C$ to
implement a temporary #or'around.
1. 5o optimise the use of resources and reduce #or'arounds
trac' problem trends.
?. Identify and initiate sustainable solutions "permanent !=$
addressing the root cause and raise change re4uests via the
established change management processes.
2+0 of (01
Activit%
1. Identify internal and outsourced business processes and
service activities that are critical to the enterprise operations
or necessary to meet legal andG or contractual obligations.
2. Identify 'ey sta'eholders and roles and responsibilities for
de!ning and agreeing on continuity policy and scope.
(. .e!ne and document the agreed8on minimum policy
ob7ectives and scope for business continuity and embed the
need for continuity planning in the enterprise culture.
0. Identify essential supporting business processes and related
I5 services.
1. Identify potential scenarios li'ely to give rise to events that
could cause signi!cant disruptive incidents.
2. Conduct a business impact analysis to evaluate the impact
over time of a disruption to critical business functions and the
e6ect that a disruption #ould have on them.
(. -stablish the minimum time re4uired to recover a business
process and supporting I5 based on an acceptable length of
business interruption and ma=imum tolerable outage.
0. Assess the li'elihood of threats that could cause loss of
business continuity and identify measures that #ill reduce the
li'elihood and impact through improved prevention and
increased resilience.
1. Analyse continuity re4uirements to identify the possible
strategic business and technical options.
2+1 of (01
Activit%
?. .etermine the conditions and o#ners of 'ey decisions that
#ill cause the continuity plans to be invo'ed.
+. Identify resource re4uirements and costs for each strategic
technical option and ma'e strategic recommendations.
10. 2btain e=ecutive business approval for selected strategic
options.
1. .e!ne the incident response actions and communications to
be ta'en in the event of disruption. .e!ne related roles and
responsibilities including accountability for policy and
implementation.
2. .evelop and maintain operational 9C)s containing the
procedures to be follo#ed to enable continued operation of
critical business processes andGor temporary processing
arrangements including lin's to plans of outsourced service
providers.
(. -nsure that 'ey suppliers and outsource partners have
e6ective continuity plans in place. 2btain audited evidence as
re4uired.
0. .e!ne the conditions and recovery procedures that #ould
enable resumption of business processing including updating
and reconciliation of information databases to preserve
information integrity.
1. .e!ne and document the resources re4uired to support the
continuity and recovery procedures considering people
facilities and I5 infrastructure.
2+? of (01
Activit%
?. .e!ne and document the information bac'up re4uirements
re4uired to support the plans including plans and paper
documents as #ell as data !les and consider the need for
security and o68site storage.
+. .etermine re4uired s'ills for individuals involved in
e=ecuting the plan and procedures.
B. .istribute the plans and supporting documentation securely
to appropriately authorised interested parties and ma'e sure
they are accessible under all disaster scenarios.
1. .e!ne ob7ectives for e=ercising and testing the business
technical logistical administrative procedural and operational
systems of the plan to verify completeness of the 9C) in
meeting business ris'.
2. .e!ne and agree on #ith sta'eholders e=ercises that are
realistic validate continuity procedures and include roles and
responsibilities and data retention arrangements that cause
minimum disruption to business processes.
(. Assign roles and responsibilities for performing continuity
plan e=ercises and tests.
0. Schedule e=ercises and test activities as de!ned in the
continuity plan.
1. Conduct a post8e=ercise debrie!ng and analysis to consider
the achievement.
?. .evelop recommendations for improving the current
continuity plan based on the results of the revie#.
1. <evie# the continuity plan and capability on a regular basis
against any assumptions made and current business
operational and strategic ob7ectives.
2++ of (01
Activit%
2. Consider #hether a revised business impact assessment
may be re4uired depending on the nature of the change.
(. <ecommend and communicate changes in policy plans
procedures infrastructure and roles and responsibilities for
management approval and processing via the change
management process.
0. <evie# the continuity plan on a regular basis to consider the
impact of ne# or ma7or changes to* enterprise organisation
business processes outsourcing arrangements technologies
infrastructure operating systems and application systems.
1. .e!ne and maintain training re4uirements and plans for
those performing continuity planning impact assessments ris'
assessments media communication and incident response.
-nsure that the training plans consider fre4uency of training
and training delivery mechanisms.
2. .evelop competencies based on practical training including
participation in e=ercises and tests.
(. /onitor s'ills and competencies based on the e=ercise and
test results.
2+B of (01
Activit%
0. <oll out 9C) a#areness and training.
1. )eriodically test and refresh archived and bac'up data.
1. Assess adherence to the documented 9C).
1. 9ac' up systems applications data and documentation
according to a de!ned schedule considering*
K 3re4uency "monthly #ee'ly daily etc.$
K /ode of bac'up "e.g. dis' mirroring for real8time bac'ups vs.
.H.8<2/ for long8term retention$
K 5ype of bac'up "e.g. full vs. incremental$
K 5ype of media
K Automated online bac'ups
K .ata types "e.g. voice optical$
K Creation of logs
K Critical end8user computing data "e.g. spreadsheets$
K )hysical and logical location of data sources
K Security and access rights
K -ncryption
2. -nsure that systems applications data and documentation
maintained or processed by third parties are ade4uately
bac'ed up or other#ise secured. Consider re4uiring return of
bac'ups from third parties. Consider escro# or deposit
arrangements.
(. .e!ne re4uirements for on8site and o68site storage of
bac'up data that meet the business re4uirements. Consider
the accessibility re4uired to bac' up data.
2. .etermine the e6ectiveness of the plan continuity
capabilities roles and responsibilities s'ills and competencies
resilience to the incident technical infrastructure and
organisational structures and relationships.
2+C of (01
Activit%
0. -ncrypt information in transit according to its classi!cation.
(. Identify #ea'nesses or omissions in the plan and capabilities
and ma'e recommendations for improvement.
0. 2btain management approval for any changes to the plan
and apply via the enterprise change control process.
1. Communicate malicious soft#are a#areness and enforce
prevention procedures and responsibilities.
2. Install and activate malicious soft#are protection tools on all
processing facilities #ith malicious soft#are de!nition !les
that are updated as re4uired "automatically or semi8
automatically$.
(. .istribute all protection soft#are centrally "version and
patch8level$ using centralised con!guration and change
management.
0. <egularly revie# and evaluate information on ne# potential
threats "e.g. revie#ing vendors& products and services security
advisories$.
1. 3ilter incoming tra;c such as email and do#nloads to
protect against unsolicited information "e.g. spy#are phishing
emails$.
?. Conduct periodic training about mal#are in email and
Internet usage. 5rain users to not install shared or unapproved
soft#are.
1. 9ased on ris' assessments and business re4uirements
establish and maintain a policy for security of connectivity.
2. Allo# only authorised devices to have access to corporate
information and the enterprise net#or'. Con!gure these
devices to force pass#ord entry.
(. Implement net#or' !ltering mechanisms such as !re#alls
and intrusion detection soft#are #ith appropriate policies to
control inbound and outbound tra;c.
2B0 of (01
Activit%
1. Apply approved security protocols to net#or' connectivity.
?. Con!gure net#or' e4uipment in a secure manner.
1. Con!gure operating systems in a secure manner.
2. Implement device loc'do#n mechanisms.
(. -ncrypt information in storage according to its classi!cation.
0. /anage remote access and control.
1. /anage net#or' con!guration in a secure manner.
?. Implement net#or' tra;c !ltering on endpoint devices.
+. )rotect system integrity.
B. )rovide physical protection of endpoint devices.
C. .ispose of endpoint devices securely.
+. -stablish trusted mechanisms to support the secure
transmission and receipt of information.
B. Carry out periodic penetration testing to determine
ade4uacy of net#or' protection.
C. Carry out periodic testing of system security to determine
ade4uacy of system protection.
1. /aintain user access rights in accordance #ith business
function and process re4uirements. Align the management of
identities and access rights to the de!ned roles and
responsibilities based on least8privilege need8to8have and
need8to8'no# principles.
2B1 of (01
Activit%
1. Segregate and manage privileged user accounts.
2. %ni4uely identify all information processing activities by
functional roles co8ordinating #ith business units to ensure
that all roles are consistently de!ned including roles that are
de!ned by the business itself #ithin business process
applications.
(. Authenticate all access to information assets based on their
security classi!cation co8ordinating #ith business units that
manage authentication #ithin applications used in business
processes to ensure that authentication controls have been
properly administered.
0. Administer all changes to access rights "creation
modi!cations and deletions$ to ta'e e6ect at the appropriate
time based only on approved and documented transactions
authorised by designated management individuals.
?. )erform regular management revie# of all accounts and
related privileges.
+. -nsure that all users "internal e=ternal and temporary$ and
their activity on I5 systems "business application I5
infrastructure system operations development and
maintenance$ are uni4uely identi!able. %ni4uely identify all
information processing activities by user.
B. /aintain an audit trail of access to information classi!ed as
highly sensitive.
1. /anage the re4uesting and granting of access to the
computing facilities. 3ormal access re4uests are to be
completed and authorised by management of the I5 site and
the re4uest records retained. 5he forms should speci!cally
identify the areas to #hich the individual is granted access.
2B2 of (01
Activit%
+. Conduct regular physical security a#areness training.
2. -nsure that access pro!les remain current. 9ase access to I5
sites "server rooms buildings areas or Jones$ on 7ob function
and responsibilities.
(. @og and monitor all entry points to I5 sites. <egister all
visitors including contractors and vendors to the site.
0. Instruct all personnel to display visible identi!cation at all
times. )revent the issuance of identity cards or badges #ithout
proper authorisation.
1. <e4uire visitors to be escorted at all times #hile on8site. If
an unaccompanied unfamiliar individual #ho is not #earing
sta6 identi!cation is identi!ed alert security personnel.
?. <estrict access to sensitive I5 sites by establishing perimeter
restrictions such as fences #alls and security devices on
interior and e=terior doors. -nsure that the devices record
entry and trigger an alarm in the event of unauthorised access.
-=amples of such devices include badges or 'ey cards
'eypads closed8circuit television and biometric scanners.
1. -stablish procedures to govern the receipt use removal and
disposal of special forms and output devices into #ithin and
out of the enterprise.
2. Assign access privileges to sensitive documents and output
devices based on the least8privilege principle balancing ris'
and business re4uirements.
(. -stablish an inventory of sensitive documents and output
devices and conduct regular reconciliations.
0. -stablish appropriate physical safeguards over special forms
and sensitive devices.
2B( of (01
Activit%
(. <egularly revie# the event logs for potential incidents.
1. .estroy sensitive information and protect output devices
"e.g. degaussing of electronic media physical destruction of
memory devices ma'ing shredders or loc'ed paper bas'ets
available to destroy special forms and other con!dential
papers$.
1. @og security8related events reported by infrastructure
security monitoring tools identifying the level of information to
be recorded based on a consideration of ris'. <etain them for
an appropriate period to assist in future investigations.
2. .e!ne and communicate the nature and characteristics of
potential security8related incidents so they can be easily
recognised and their impacts understood to enable a
commensurate response.
0. /aintain a procedure for evidence collection in line #ith
local forensic evidence rules and ensure that all sta6 are made
a#are of the re4uirements.
1. -nsure that security incident tic'ets are created in a timely
manner #hen monitoring identi!es potential security incidents.
1. Identify and document control activities of 'ey business
processes to satisfy control re4uirements for strategic
operational reporting and compliance ob7ectives
2B0 of (01
Activit%
(. -nsure o#nership of 'ey control activities.
2. )rioritise control activities based on the inherent ris' to the
business and identify 'ey controls.
0. Continually monitor control activities on an end8to8end basis
to identify opportunities for improvement.
1. Continually improve the design and operation of business
process controls.
1. Create transactions by authorised individuals follo#ing
established procedures including #here appropriate
ade4uate segregation of duties regarding the origination and
approval of these transactions.
2. Authenticate the originator of transactions and verify that
heGshe has the authority to originate the transaction.
(. Input transactions in a timely manner. Herify that
transactions are accurate complete and valid. Halidate input
data and edit or #here applicable send bac' for correction as
close to the point of origination as possible.
2B1 of (01
Activit%
0. Correct and resubmit data that #ere erroneously input
#ithout compromising original transaction authorisation levels.
Ihere appropriate for reconstruction retain original source
documents for the appropriate amount of time.
1. /aintain the integrity and validity of data throughout the
processing cycle. -nsure that detection of erroneous
transactions does not disrupt processing of valid transactions.
?. /aintain the integrity of data during une=pected
interruptions in business processing and con!rm data integrity
after processing failures.
+. Eandle output in an authorised manner deliver to the
appropriate recipient and protect the information during
transmission. Herify the accuracy and completeness of the
output.
B. 9efore passing transaction data bet#een internal
applications and businessGoperational functions "inside or
outside the enterprise$ chec' for proper addressing
authenticity of origin and integrity of content. /aintain
authenticity and integrity during transmission or transport.
1. Allocate roles and responsibilities based on approved 7ob
descriptions and allocated business process activities.
2. Allocate levels of authority for approval of transactions
limits and any other decisions relating to the business process
based on approved 7ob roles.
(. Allocate access rights and privileges based on only #hat is
re4uired to perform 7ob activities based on pre8de!ned 7ob
roles. <emove or revise access rights immediately if the 7ob
role changes or a sta6 member leaves the business process
area. )eriodically revie# to ensure that the access is
appropriate for the current threats ris' technology and
business need.
2B? of (01
Activit%
2. <evie# errors e=ceptions and deviations.
0. /aintain evidence of remedial actions.
0. Allocate roles for sensitive activities so that there is a clear
segregation of duties.
1. )rovide a#areness and training regarding roles and
responsibilities on a regular basis so that everyone
understands their responsibilities: the importance of controls:
and the integrity con!dentiality and privacy of company
information in all its forms.
?. )eriodically revie# access control de!nitions logs and
e=ception reports to ensure that all access privileges are valid
and aligned #ith current sta6 members and their allocated
roles.
1. .e!ne and maintain procedures to assign o#nership correct
errors override errors and handle out8of8balance conditions.
(. 3ollo# up correct approve and resubmit source documents
and transactions.
1. <eport relevant business information process errors in a
timely manner to perform root cause and trending analysis.
1. .e!ne retention re4uirements based on business
re4uirements to meet operational !nancial reporting and
compliance needs.
2. Capture source information supporting evidence and the
record of transactions.
2B+ of (01
Activit%
2. )rovide acceptable use a#areness and training.
(. .ispose of source information supporting evidence and the
record of transactions in accordance #ith the retention policy.
1. Apply data classi!cation and acceptable use and security
policies and procedures to protect information assets under the
control of the business.
(. <estrict use distribution and physical access of information
according to its classi!cation.
0. Identify and implement processes tools and techni4ues to
reasonably verify compliance.
1. <eport to business and other sta'eholders on violations and
deviations.
1. Identify sta'eholders "e.g. management process o#ners
and users$.
2. -ngage #ith sta'eholders and communicate the enterprise
re4uirements and ob7ectives for monitoring aggregating and
reporting using common de!nitions "e.g. enterprise glossary
metadata and ta=onomy$ baselining and benchmar'ing.
2BB of (01
Activit%
(. Align and continually maintain the monitoring and
evaluation approach #ith the enterprise approach and the tools
to be used for data gathering and enterprise reporting "e.g.
business intelligence applications$.
0. Agree on the goals and metrics "e.g. conformance
performance value ris'$ ta=onomy "classi!cation and
relationships bet#een goals and metrics$ and data "evidence$
retention.
1. Agree on a life cycle management and change control
process for monitoring and reporting. Include improvement
opportunities for reporting metrics approach baselining and
benchmar'ing.
?. <e4uest prioritise and allocate resources for monitoring
"consider appropriateness e;ciency e6ectiveness and
con!dentiality$.
+. )eriodically validate the approach used and identify ne# or
changed sta'eholders re4uirements and resources.
1. .e!ne and periodically revie# #ith sta'eholders the goals
and metrics to identify any signi!cant missing items and de!ne
reasonableness of targets and tolerances.
2BC of (01
Activit%
2. Communicate proposed changes to performance and
conformance targets and tolerances "relating to metrics$ #ith
'ey due diligence sta'eholders "e.g. legal audit E< ethics
compliance !nance$.
(. )ublish changed targets and tolerances to users of this
information.
0. -valuate #hether the goals and metrics are ade4uate i.e.
speci!c measurable achievable relevant and time8bound
"S/A<5$.
1. Collect data from de!ned processesMautomated #here
possible.
2. Assess e;ciency "e6ort in relation to insight provided$ and
appropriateness "usefulness and meaning$ and validate
integrity "accuracy and completeness$ of collected data.
(. Aggregate data to support measurement of agreed8on
metrics.
2C0 of (01
Activit%
0. .istribute reports to the relevant sta'eholders.
0. Align aggregated data to the enterprise reporting approach
and ob7ectives.
1. %se suitable tools and systems for the processing and
format of data for analysis.
1. .esign process performance reports that are concise easy
to understand and tailored to various management needs and
audiences. 3acilitate e6ective timely decision ma'ing "e.g.
scorecards tra;c light reports$ and ensure that the cause and
e6ect bet#een goals and metrics are communicated in an
understandable manner.
2. Compare the performance values to internal targets and
benchmar's and #here possible to e=ternal benchmar's
"industry and 'ey competitors$.
(. <ecommend changes to the goals and metrics #here
appropriate.
2C1 of (01
Activit%
(. 5rac' the results of actions committed.
0. <eport the results to the sta'eholders.
1. Analyse the cause of deviations against targets initiate
remedial actions assign responsibilities for remediation and
follo# up. At appropriate times revie# all deviations and
search for root causes #here necessary. .ocument the issues
for further guidance if the problem recurs. .ocument results.
?. Ihere feasible lin' achievement of performance targets to
the organisational re#ard compensation system.
1. <evie# management responses options and
recommendations to address issues and ma7or deviations.
2. -nsure that the assignment of responsibility for corrective
action is maintained.
2C2 of (01
Activit%
1. )erform internal control monitoring and evaluation activities
based on organisational governance standards and industry8
accepted frame#or's and practices. Include monitoring and
evaluation of the e;ciency and e6ectiveness of managerial
supervisory revie#s.
2. Consider independent evaluations of the internal control
system "e.g. by internal audit or peers$.
(. Identify the boundaries of the I5 internal control system
"e.g. consider ho# organisational I5 internal controls ta'e into
account outsourced andGor o6shore development or production
activities$.
0. -nsure that control activities are in place and e=ceptions are
promptly reported follo#ed up and analysed and appropriate
corrective actions are prioritised and implemented according to
the ris' management pro!le "e.g. classify certain e=ceptions
as a 'ey ris' and others as a non8'ey ris'$.
1. /aintain the I5 internal control system considering ongoing
changes in business and I5 ris' the organisational control
environment relevant business and I5 processes and I5 ris'. If
gaps e=ist evaluate and recommend changes.
?. <egularly evaluate the performance of the I5 control
frame#or' benchmar'ing against industry accepted standards
and good practices. Consider formal adoption of a continuous
improvement approach to internal control monitoring.
+. Assess the status of e=ternal service providers& internal
controls and con!rm that service providers comply #ith legal
and regulatory re4uirements and contractual obligations.
2C( of (01
Activit%
1. %nderstand and prioritise ris' to organisational ob7ectives.
1. /aintain evidence of control e6ectiveness.
2. Identify 'ey controls and develop a strategy suitable for
validating controls.
(. Identify information that #ill persuasively indicate #hether
the internal control environment is operating e6ectively.
0. .evelop and implement cost8e6ective procedures to
determine that persuasive information is based on the
information criteria.
1. /aintain plans and scope and identify evaluation criteria for
conducting self8assessments. )lan the communication of
results of the self8assessment process to business I5 and
general management and the board. Consider internal audit
standards in the design of self8assessments.
2. .etermine the fre4uency of periodic self8assessments
considering the overall e6ectiveness and e;ciency of ongoing
monitoring.
2C0 of (01
Activit%
(. Assign responsibility for self8assessment to appropriate
individuals to ensure ob7ectivity and competence.
0. )rovide for independent revie#s to ensure ob7ectivity of the
self8assessment and enable the sharing of internal control good
practices from other enterprises.
1. Compare the results of the self8assessments against industry
standards and good practices.
?. Summarise and report outcomes of self8assessments and
benchmar'ing for remedial actions.
+. .e!ne an agreed8on consistent approach for performing
control self8assessments and co8ordinating #ith internal and
e=ternal auditors.
1. Identify report and log control e=ceptions and assign
responsibility for resolving them and reporting on the status.
2. Consider related enterprise ris' to establish thresholds for
escalation of control e=ceptions and brea'do#ns.
2C1 of (01
Activit%
2. -stablish independence of assurance providers.
(. Communicate procedures for escalation of control
e=ceptions root cause analysis and reporting to process
o#ners and I5 sta'eholders.
0. .ecide #hich control e=ceptions should be communicated to
the individual responsible for the function and #hich
e=ceptions should be escalated. Inform a6ected process
o#ners and sta'eholders.
1. 3ollo# up on all e=ceptions to ensure that agreed8on actions
have been addressed.
?. Identify initiate trac' and implement remedial actions
arising from control assessments and reporting.
1. -stablish adherence to applicable codes of ethics and
standards "e.g. Code of )rofessional -thics of ISACA$ and
"industry8 and geography8speci!c$ assurance standards e.g. I5
Audit and Assurance Standards of ISACA and the International
Auditing and Assurance Standards 9oard&s "IAAS9&s$
International 3rame#or' for Assurance -ngagements "IAAS9
Assurance 3rame#or'$.
2C? of (01
Activit%
2. .e!ne the engagement plan and resource re4uirements.
(. -stablish competency and 4uali!cation of assurance
providers.
1. .etermine the intended users of the assurance initiative
output and the ob7ect of the revie#.
2. )erform a high8level ris' assessment andGor assessment of
process capability to diagnose ris' and identify critical I5
processes.
(. Select customise and reach agreement on the control
ob7ectives for critical processes that #ill be the basis for the
control assessment.
1. .e!ne the actual scope by identifying the enterprise and I5
goals for the environment under revie# the set of I5 processes
and resources and all the relevant auditable entities #ithin the
enterprise and e=ternal to the enterprise "e.g. service
providers$ if applicable.
(. .e!ne practices for gathering and evaluating information
from process"es$ under revie# to identify controls to be
validated and current !ndings "both positive assurance and
any de!ciencies$ for ris' evaluation.
2C+ of (01
Activit%
1. <e!ne the understanding of the I5 assurance sub7ect.
1. .ocument the impact of control #ea'nesses.
0. .e!ne practices to validate control design and outcomes
and determine #hether the level of e6ectiveness supports
acceptable ris' "re4uired by organisational or process ris'
assessment$.
1. Ihere control e6ectiveness is not acceptable de!ne
practices to identify residual ris' "in preparation for reporting$.
2. <e!ne the scope of 'ey control ob7ectives for the I5
assurance sub7ect.
(. 5est the e6ectiveness of the control design of the 'ey control
ob7ectives.
0. AlternativelyGadditionally test the outcome of the 'ey control
ob7ectives.
2CB of (01
Activit%
?. Communicate #ith management during e=ecution of the
initiative so that there is a clear understanding of the #or'
performed and agreement on and acceptance of the
preliminary !ndings and recommendations.
+. Supervise the assurance activities and ma'e sure the #or'
done is complete meets ob7ectives and is of an acceptable
4uality.
B. )rovide management #ith a report "aligned #ith the terms
of reference scope and agreed8on reporting standards$ that
supports the results of the initiative and enables a clear focus
on 'ey issues and important actions.
1. Assign responsibility for identifying and monitoring any
changes of legal regulatory and other e=ternal contractual
re4uirements relevant to the use of I5 resources and the
processing of information #ithin the business and I5 operations
of the enterprise.
2. Identify and assess all potential compliance re4uirements
and the impact on I5 activities in areas such as data Ao#
privacy internal controls !nancial reporting industry8speci!c
regulations intellectual property health and safety.
(. Assess the impact of I58related legal and regulatory
re4uirements on third8party contracts related to I5 operations
service providers and business trading partners.
2CC of (01
Activit%
0. 2btain independent counsel #here appropriate on changes
to applicable la#s regulations and standards.
1. /aintain an up8to8date log of all relevant legal regulatory
and contractual re4uirements their impact and re4uired
actions.
?. /aintain a harmonised and integrated overall register of
e=ternal compliance re4uirements for the enterprise.
1. <egularly revie# and ad7ust policies principles standards
procedures and methodologies for their e6ectiveness in
ensuring necessary compliance and addressing enterprise ris'
using internal and e=ternal e=perts as re4uired.
2. Communicate ne# and changed re4uirements to all relevant
personnel.
1. <egularly evaluate organisational policies standards
procedures and methodologies in all functions of the enterprise
to ensure compliance #ith relevant legal and regulatory
re4uirements in relation to the processing of information.
(00 of (01
Activit%
2. Address compliance gaps in policies standards and
procedures on a timely basis.
(. )eriodically evaluate business and I5 processes and
activities to ensure adherence to applicable legal regulatory
and contractual re4uirements.
0. <egularly revie# for recurring patterns of compliance
failures. Ihere necessary improve policies standards
procedures methodologies and associated processes and
activities.
1. 2btain regular con!rmation of compliance #ith internal
policies from business and I5 process o#ners and unit heads.
2. )erform regular "and #here appropriate independent$
internal and e=ternal revie#s to assess levels of compliance.
(. If re4uired obtain assertions from third8party I5 service
providers on levels of their compliance #ith applicable la#s
and regulations.
(01 of (01
Activit%
0. If re4uired obtain assertions from business partners on
levels of their compliance #ith applicable la#s and regulations
as they relate to intercompany electronic transactions.
1. /onitor and report on non8compliance issues and #here
necessary investigate the root cause.
?. Integrate reporting on legal regulatory and contractual
re4uirements at an enterprise#ide level involving all business
units.

Cópia de 12.COBIT5 Governance and Management Practices Activities - April2014

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Cópia de 12.COBIT5 Governance and Management Practices Activities - April2014

Загружено:

Авторское право:

Доступные форматы

2012 ISACA. All rights reserved. No part of this publication may be used copied reproduced modi!

Вам также может понравиться