COBIT 5: Implementation

A Business Framework for the Governance and Management of Enterprise IT

COBIT 5 is a registered trademark of ISACA.
No part of this document may be reproduced in any form without the explicit written permission of both the 4P Advisory Services and ISACA. Trademarks, acknowledged.

Corporate Training, Consulting, Examinations, Process Improvements, Assessments

Module 0: Introduction

Module 0: Agenda

Administration
Copyright and Acknowledgement
Dos and Don'ts
Administration
Course Information
Participant Introduction
Learning Objectives
Course Topics
Examination Information, Procedures and Tips

Copyright & Acknowledgements

COBIT 5 is a registered trademark of AXELOS Limited

This document is exclusively created for and by 4P Advisory Services, an ISACA Partner through Peoplecert. No part of this document can be directly/indirectly copied in any form.
Anyone doing so is legally liable for financial damages to be paid to and the Author of this document.
Anyone informing the breach may suitably be rewarded.
Feedback & Inquiries: info@4pa.in

Dos and Don'ts

DO:
Get involved
Ask questions
Share experiences
Keep an open mind
Take calls outside the room

DON'T:
Use Laptops, Tablets, Smartphones, Smart Watches
Talk to the colleagues in the class
Lead to irrelevant out of scope discussions
Be disruptive
Not do homework

Agree to disagree!

Administration

Fire safety
Planned fire alarm tests
Evacuation procedures and fire exits
Toilets/Washrooms
Security of belongings
Course timings and breaks
Mobiles/blackberries
Photo ID and pencils for examinations
Lots of questions/discussion please!

Course Information

Course Structure and Approach
Presentation sessions
Group exercises
Case Studies
Exam preparation

Course Materials @ (www.isaca.org)
COBIT 5 Kit can be downloaded.
COBIT 5 Implementation Guide can be downloaded.

Course Syllabus Information

The syllabus is presented by syllabus areas. This is the unit of learning which may relate to a chapter from the manual/guidance or several concepts commonly grouped together in a training course module. The following syllabus areas are identified.
IP: Initiate the program (What are the drivers? Phase 1)
DP: Define Problems & Opportunities (Where are we now and where do we want to be? Phases 2 & 3)
PE: Plan & Execute the program (What needs to be done & How do we get there? Phases 4 & 5)
RB: Realize Benefits and Review effectiveness (Did we get there and how do we keep the momentum going? Phases 6 & 7)

Course Reference Information

Reference Material:
COBIT 5 Implementation Guide
COBIT 5 Enabling Processes Guide
The COBIT 5 Toolkit (contains tools that will be referenced and used in the training)

COBIT 5 Publications

COBIT 5 Publications:
COBIT 5*
COBIT 5 Implementation
COBIT 5: Enabling Processes
COBIT 5: Enabling Information

COBIT 5 Professional Guides
COBIT 5 for Information Security
COBIT 5 for Assurance
COBIT 5 for Risk

COBIT 5 Assessment Programme Publications
Process Assessment Model
Self-Assessment Guide
Assessor Guide

* The COBIT 5 Framework

Exam Information

COBIT 5 Implementation:
Delivery: Computer (web) or Paper based
Type: 4 Multiple choice questions (20 items each)
o Single response, one of four possible answers
o Multiple response, X of Y possible answers
o Matching response
o Assertion response
Each question is awarded one (1) mark
Duration: 150 minutes
Pass Mark: 50% (40 or more marks)
Open Book: COBIT 5 Implementation book only
Prerequisites: COBIT 5 Foundation Certificate

Participant Introductions

Trainer's Introduction
Participants' Introduction
o Name
o Role & experience in the IT Governance domain
o Professional experience
o Current role & corresponding responsibilities
o What you know about the topics under coverage?
o What you expect from the session?

Learning Objective

Analyse the enterprise drivers
Apply the implementation challenges, their root causes and success factors
Assess current process capability
Determine target process capability
Scope and plan improvements
Consider practical implementation factors
Identify and avoid potential pitfalls
Leverage the latest good practices

Course Modules: 1 of 2

Module 1
Introduction to COBIT
Module 2
Introduction to COBIT 5 and Implementation Practices
IC: Introduction to COBIT Principles, Enablers, Processes and PRM (Process Reference Model)
CS: Case Study and Discussions
PM: CSI Model and Program Management for COBIT Implementation
Module 3
IP: Initiate the program (What are the drivers? Phase 1)
Module 4
DP: Define Problems & Opportunities
Module 3.1 DP: Define Problems & Opportunities (Where are we now? Phase 2)
Module 3.2 DP: Define Problems & Opportunities (Where do we want to be? Phases 3)

Course Modules: 2 of 2

Module 5
PE: Plan & Execute the program
4.1 PE: Plan & Execute the program (What needs to be done? Phase 4) Change Enablement?
4.2 PE: Plan & Execute the program (How do we get there? Phase 5)
Module 6
RB: Realize Benefits and Review effectiveness
5.1 RB: Realize Benefits and Review effectiveness (Did we get there? Phase 6)
5.2 RB: Realize Benefits and Review effectiveness (How do we keep the momentum going? Phase 7)
Module 7
CE & CI: Change Enablement and Continuous Improvement
Module 8
COBIT 5 Assessment Steps

About ISACA

ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems.
It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC™) designations.
ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Module 1: Introduction to Governance and COBIT 5

Corporate Governance vs. IT Governance

Corporate governance is the set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed. It incorporates all the relationships among the many stakeholders involved and aims to organise them to meet the goals of the organisation in the most effective and efficient manner possible. An effective corporate governance strategy allows an organisation to manage all aspects of its business in order to meet its objectives.

Information technology governance, however, is a subset discipline of Corporate Governance. Although it is sometimes mistaken as a field of study on its own, IT Governance is actually a part of the overall Corporate Governance Strategy of an organisation.

Learning Outcomes

Understand the concepts relating to the structure and format of the framework, the drivers and business benefits of using the COBIT 5 framework, specifically to identify:
o The drivers for the development of COBIT 5, specifically the needs for the next generation of ISACA's guidance on the enterprise governance and management of IT.
o The benefits to the enterprise stakeholders by using the COBIT 5 framework

Defining Governance

Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives.

Governance is about negotiating and deciding amongst different stakeholders' value interests.
Wikipedia: Governance refers to "all processes of governing, whether undertaken by a government, market or network, whether over a family, tribe, formal or informal organization or territory and whether through laws, norms, power or language."
ISACA: Governance: Exercise of authority; control; government; arrangement

Defining Management

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives

Purpose of Governance & Management

Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT 5 process reference model allows us to focus easily on the relevant enterprise activities.
Purpose of a Governance Framework like COBIT 5: To help enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels
Key Activities of Governance:
o Set principles and policies.
o Sets direction and is responsible to the Owners and stakeholders
Key component of a Governance System: Setting up the Governance Framework
Governance: In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management: In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Why Was COBIT 5 Developed?

COBIT 5:
ISACA Board of Directors directive: Tie together and reinforce all ISACA knowledge assets with COBIT.
Provide a renewed and authoritative governance and management framework for enterprise information and related technology
Integrate all other major ISACA frameworks and guidance
Align with other major frameworks and standards

The Evolution of COBIT 5

[Figure: evolution of scope, from Audit through Control, Management and IT Governance to Governance of Enterprise IT]
COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4.0/4.1 (2005/7), COBIT 5 (2012)
Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)

COBIT 5 Scope

Not simply IT; not only for big business!

COBIT 5 is about governing and managing information
o Whatever medium is used
o End to end throughout the enterprise
Information is equally important to:
o Global, multinational business
o National and local government
o Charities and not for profit enterprises
o Small to medium enterprises and
o Clubs and associations

Benefits

Information is the business currency of the 21st Century
Information has a life cycle: it is created, used, retained, disclosed and destroyed
Technology plays a key role in these actions.
Technology is becoming pervasive in all aspects of business and personal life
Every form of enterprise needs to be able to rely on quality information to support quality executive decisions!

Enterprise Benefits

Enterprises and their executives strive to:
o Maintain quality information to support business decisions.
o Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
o Achieve operational excellence through reliable and efficient application of technology.
o Maintain IT-related risk at an acceptable level.
o Optimise the cost of IT services and technology.

How can these benefits be realised to create enterprise stakeholder value?

Stakeholder Value

Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

Benefits...

COBIT 5:
o Defines the starting point of governance and management activities with the stakeholder needs related to enterprise IT
o Creates a more holistic, integrated and complete view of enterprise governance and management of IT that is consistent, provides an end-to-end view on all IT-related matters and provides a holistic view
o Creates a common language between IT and business for the enterprise governance and management of IT
o Is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements

Examples: Factors which may indicate a need for the improved governance of enterprise IT:

Significant incidents related to IT risk, such as data loss or project failure, have been experienced.
Lack of confidence in IT management
IT investments and risks were being managed by various IT departments in isolation, resulting in duplicated efforts in some areas and gaps in others.
Lack of information consistency and accountability across all IT groups.
IT goals and perspectives not clearly aligned to the organizational goals.

The COBIT 5 Format

Simplified
COBIT 5 directly addresses the needs of the viewer from different perspectives
Development continues with specific practitioner guides

COBIT 5 is initially in 3 volumes:
1. The Framework
2. Process Reference Guide
3. Implementation Guide

COBIT 5 is based on:
5 principles and
7 enablers

COBIT 5: Principles

Principle 1: Meeting Stakeholder Needs

The COBIT 5 goals cascade allows the definition of priorities for
o Implementation
o Improvement
o Assurance of enterprise governance of IT
In practice, the goals cascade:
o Defines relevant and tangible goals and objectives at various levels of responsibility
o Filters the knowledge base of COBIT 5, based on enterprise goals to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
o Clearly identifies and communicates how enablers are used to achieve enterprise goals

Principle 2: Covering the Enterprise End-to-End

Principle 3: Single Integrated Framework

[Figure: Single Integrated Framework, surrounded by: One Simple Architecture; Integration of Knowledge across domains; Completeness in Enterprise Coverage; Alignment with other relevant frameworks & Standards; ISO/IEC 15504 for Assessment]

Principle 4: Enabling a Holistic Approach

Principle 5: Governance and Management Defined

COBIT 5 Product Family

The COBIT 5 Integrator Model links COBIT 5 to existing COBIT and Other IT Governance Frameworks

[Figure: axes WHAT / HOW and SCOPE OF COVERAGE; labels COSO, COBIT, ISO 27002, ISO 9000, ITIL 2011, ISACA guidance publications. Source: ISACA]

COBIT 5 Mapping Specifics (1)

ISO/IEC 38500
o ISO's 6 principles map to COBIT 5
The following areas and domains are covered by ITIL 2011:
o A subset of processes in the DSS domain
o A subset of processes in the BAI domain
o Some processes in the APO domain
ISO/IEC 27000 (currently 27001:2013)
o Security and IT-related processes in domains EDM, APO and DSS
o Some monitoring of security monitoring activities in MEA
ISO/IEC 31000
o Risk management related activities in EDM and APO

COBIT 5 Mapping Specifics (2)

TOGAF (The Open Group Architecture Framework)
o Resource-related processes in EDM
o TOGAF components of the architecture board and governance areas
o Enterprise architecture processes of APO
PRINCE2
o Programme and project management processes in the BAI domain
o Portfolio related processes in the APO domain
CMMI
o Some organizational and quality-related processes in the APO domain
o Application building and acquisition related processes in BAI

Module 2: An Introduction to COBIT 5 Implementation

COBIT 5 Implementation

ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.
However, frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
The COBIT 5 Implementation Guide provides guidance on how to do this.
COBIT5Ver2Implementation.pdf

COBIT 5 Implementation cont.

The COBIT 5 Implementation Guide was released at the same time as the COBIT 5 Framework and COBIT 5 Enabling Processes
Information and information technology are increasingly part of every aspect of business.
The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater
Increasing regulation and legislation is also raising awareness of the importance of good governance

Challenges to Success

What are the drivers?
Where are we now and where do we want to be?
What needs to be done?
How do we get there?
Did we get there and how do we keep the momentum going?

© 2012 ISACA. All Rights Reserved.

Roles in Creating an Appropriate Environment

RACI chart for Creating an Appropriate Environment

Components of the Lifecycle

Program Management
1. Initiate program
2. Define problems and opportunities
3. Define road map
4. Develop program plan
5. Execute plan
6. Realize benefits
7. Review program effectiveness
8. Sustain

COBIT 5 Implementation

Enterprise Internal and External factors

Understanding the Enterprise Internal and external factors as they apply to change management such as:
o Ethics and culture
o Applicable laws, regulations and policies
o Mission, vision and values
o Governance policies and practices
o Business plans and strategic intentions
o Operating Model
o Management style
o Risk appetite
o Capabilities and available resources
o Industry practices

Key Success Factors

Top Management providing the direction and mandate for the initiative as well as ongoing commitment
All parties supporting the governance and management processes to understand the business and IT objectives.
Ensuring effective communication and enablement of the necessary changes
Tailoring COBIT and other supporting good practices and standards to fit the unique context of the enterprise and
Focusing on quick wins and prioritising the most beneficial improvements that are easiest to implement.

Continuous Improvement through 7 enablers

Case Study Scenario: IT Governance Initiative

A major financial services organization has recently been purchased by a large overseas competitor and is now subject to new overseas compliance regulations.

Following the takeover the local organization is now known as the local office and the purchaser is known as the Overseas Head Office.

Case Study Scenario: Background and Current Issues

The organization currently is experiencing issues with change management. As a result of the takeover, further changes are being introduced which the existing processes cannot handle. The problems are being exacerbated by the size and the volume of the required changes.
Although the takeover from the overseas company is recent, Overseas Regulators are already seeking visibility of compliance.
Prior to being taken over, the current Board had ongoing concerns with IT security. These concerns are expected to increase given the demands of passing information overseas to the new Overseas Head Office.
Also prior to the takeover, relationships between IT and the Enterprise were not good due to previous IT project failures and lack of visibility of project benefits.
Staff morale has been very low with an above average staff turnover. Due to the recent takeover, there have been senior management changes and a further increase in staff turnover due to the job uncertainty.
The organization has a new and inexperienced team in IT Governance.

Case Study Scenario: Current projects in place

There are two existing projects under way:

HR Project: There is currently a HR project in progress to address the high level of staff turnover. Its objective is to reduce the current turnover levels.

IT Security: The local office has recently engaged a team of external security specialists to review the current level of IT security and to recommend appropriate solutions.

Case Study Scenario: Roles and Responsibilities

An extract of the organizational structure of the Financial Services Organisation (not including the Overseas Head Office) is given below.

IT Management consists of the CIO and his direct reports.
The Audit Manager is from the Overseas Head Office and is responsible for the local Audit team
The IT Governance, Risk and Compliance (ITGRC) Manager is newly appointed and has recently attended a COBIT 5 course.
The Technical Support Manager has been with the enterprise for over 20 years and takes a very hands-on approach. This role is responsible for ensuring the ongoing availability of the network infrastructure.

Case Study Scenario: IT Governance Initiative Start-up

As a result of the overseas compliance regulations the IT Governance, Risk and Compliance (IT GRC) Manager has decided to launch a major IT Governance Initiative.
The initiative will incorporate the compliance requirements mandated by the Overseas Head Office in addition to improvements in governance and change management. The existing projects will be included within the scope.
The Overseas Head Office will sponsor the programme and the IT GRC Manager has been appointed as the Programme Manager. However, some problems have already been experienced:
o Although the IT GRC Manager has launched an initiative it is not clear who is supporting the initiative and which processes are required to be targeted.
o Current attempts by the IT GRC Manager to get the initiative off the ground have currently been unsuccessful.

Case Study Scenario: Mapping of Processes to Issues
The IT GRC Manager completed a small assessment of the issues facing the new organisation including the two existing projects on HR and Security and a report summarising their security issues. He discovered more issues related to the existing change management and HR and Security problems. He has mapped these to risks and recommended the following COBIT processes to be included in the improvement programme in order to assist and leverage best practice for the following Issues and Problem areas:

| PROBLEMS & ISSUES | RISKS | COBIT PROCESSES |
|---|---|---|
| 1. HR ISSUES APO07 | | APO07 |
| High turnover. | Departure or unavailability of key IT staff. | APO07 |
| Skills & competences not matched to business requirements. | Lack of business understanding by IT staff. Lack of or mismatch of IT-related skills. | APO07 |
| No process for contract staff. | Contractual obligations by contractors not met. | APO07 |

Case Study Scenario: Mapping of Processes to Issues (continued)

| PROBLEMS & ISSUES | RISKS | COBIT PROCESSES |
|---|---|---|
| 2. Security Issues | | |
| Access by external contractors poorly controlled. | Users circumventing logical access rights. Users obtaining access to unauthorized information. | DSS05; DSS04 |
| No policy and process for End Point security including mobile devices. | Loss/disclosure of portable media, laptops, mobile devices etc. Accidental disclosure of sensitive information. | DSS05 |

Case Study Scenario: Mapping of Processes to Issues (continued)

| PROBLEMS & ISSUES | RISKS | COBIT PROCESSES |
|---|---|---|
| 3. Change Management Issues | | BAI05 |
| New organisation cannot cope with change requests for processes. | Business managers not involved in important IT investment decision making regarding new applications, prioritisations or new technology opportunities. | BAI05 |
| 4. Project Delivery Issues | | BAI01/BAI02 |
| Poor project delivery in terms of on time and to budget. | Projects failing due to cost delays, scope creep or changed business priorities. Insufficient quality of project deliverables due to software, documentation or compliance with functional requirements. | BAI01 |
| Failure to understand business requirements. | Business not assuming accountability over IT areas such as functional requirements. | BAI02 |

Case Study Scenario: Plan and Execute the Program

Awareness of the business frustration about the lack of visibility of the compliance program has reached the Overseas Head Office. As a result of this, the Overseas Head Office has instructed the Financial Services Organization to quickly solve this issue relating to the poor relationships between IT and the business. The instruction has come down for IT to solve this as part of the Governance Initiative.

The IT GRC Manager is already overloaded with work and hence has asked one of the junior members of his team to take ownership of the task.

He has told the junior member that the solution to this issue will be to include information relating to the compliance program on the Financial Services Organization's existing Intranet. Access to this Intranet is already available to the business. Due to budget constraints, there will be a limit on the amount of information that can be added to the Intranet. This work must be done in-house.

Module 3:
IP Initiate the program

3 IP: Initiate the program (What are the drivers? Phase 1)

Continual Improvement Lifecycle Phase 1
Ref. Figure 15

Roles in Phase 1
Ref. Figure 16

Phase 1 Description (1/4 to 4/4)
Ref. Figure 17

Phase 1 RACI Chart
Ref. Figure 18

Phase 1: What Are the Drivers?
The Basics
Initiate the Programme
Establish desire to change:
Recognise need to act

Phase 1: What Are the Drivers?

Need for new or improved IT governance organization is usually recognized by pain points and/or trigger events
Board and executive management should:
o Analyze pain points to identify root cause
o Look for opportunities during trigger events
The goal of this phase of the lifecycle includes:
o Outlining the business case
o Identification of stakeholders and roles & responsibilities
o IT governance program wake-up call and kick-off communications

Phase 1: SWOT?

Phase 1: Typical Pain Points

Failed IT initiatives
Rising costs
Perception of low business value for IT investments
Significant incidents related to IT risk (e.g. data loss)
Service delivery problems
Failure to meet regulatory or contractual requirements
Audit findings for poor IT performance or low service levels
Hidden and/or rogue IT spending
Resource waste through duplication or overlap in IT initiatives
Insufficient IT resources
IT staff burnout/dissatisfaction
IT-enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
Multiple and complex IT assurance efforts
Board members or senior managers that are reluctant to engage with IT
2012 ISACA. All Rights Reserved.

Phase 1: Relevant Trigger Events

Merger, acquisition or divestiture
Shift in the market, economy or competitive position
Change in business operating model or sourcing arrangements
New regulatory or compliance requirements
Significant technology change or paradigm shift
An enterprise-wide governance focus or project
A new CIO, CFO, COO or CEO
External audit or consultant assessments
A new business strategy or priority

By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues being experienced, which will improve buy-in to the business case.

Case Study Scenario: Additional Phase 1 Information

In trying to understand where the Financial Services Organization currently stands in respect to Governance, the IT GRC Manager has identified a number of issues:

The local office management is confused about what the Initiative is trying to achieve and doesn't appear to be fully engaged.

Concerns have also been expressed as to the potential cost of the proposed Initiative for what appears to be very little benefit. Suggestions have even been made that if the Overseas Head Office wants the work completing then it should pay for it.

Additionally, the long-standing relationship issue between IT and Business Management caused by previous project failures is still very much in existence.

Exercise 001
1. Which reason is a root cause for a lack of Senior Management buy-in to an improvement initiative according to the COBIT 5 Implementation Guide?
A. Lack of dedicated resources.
B. Poor perception of the credibility of the IT function.
C. Best practices are copied and are NOT adopted.
D. Continual improvement is NOT part of the culture.

2. Which reason is a root cause of why IT could have difficulty in getting the required business participation according to the COBIT 5 Implementation Guide?
A. Barriers between IT and the business inhibit participation.
B. IT budget committed to infrastructure.
C. Priorities incorrectly allocated.
D. Fear of revealing inadequate practices.

3. Which reason is a root cause for the lack of current enterprise policy and direction within an organization according to the COBIT 5 Implementation Guide?
A. IT budget committed to infrastructure.
B. Best practices are copied and are NOT adopted.
C. Overly optimistic goals.
D. Weak enterprise risk management.

Exercise 001 (continued)
4. Which 2 documents are Inputs to Phase 1?
A. Outline Business Case for the Governance Initiative.
B. Reports showing the volume of changes since the takeover.
C. A report from HR on staff turnover.
D. A list of stakeholders at the local office and Overseas Head Office.
E. Documented approval from the CEO to proceed.

5. Which 2 documents are Outputs from Phase 1?
A. A process for engaging local Management about the Governance Initiative.
B. A report showing the local office's capability to cope with the required amount of process change as a result of the Governance Initiative.
C. An agreed list of the local office's Roles and Responsibilities for the Governance Initiative.
D. Reports showing the volume of changes since the takeover.
E. Report on the Security issues.

6. Which 2 activities are Programme Management tasks performed during Phase 1?
A. Understand full impact of the Governance Initiative.
B. Raise awareness of compliance issues with the local office.
C. Obtain buy-in and approval from the CEO to proceed.
D. Produce outline Governance Initiative business case.
E. Identify other project dependencies such as the Security and HR projects.

Exercise 001 (continued)
7. Which 2 activities are Change Enablement tasks performed during Phase 1?
A. Obtain approval from the CEO to proceed.
B. Produce outline Governance Initiative business case.
C. Understand full impact of the Governance Initiative.
D. Raise awareness of compliance issues with the local office.
E. Issue the change plan based on the overseas compliance requirements.

8. Which 2 activities are Continual Improvement tasks performed during Phase 1?
A. Ensure the understanding of the Overseas Head Office's compliance requirements for the local office is correct.
B. Understand full impact of the Governance Initiative.
C. Raise awareness of compliance issues with the local office.
D. Identify other project dependencies such as the Security and HR projects.
E. Raise local Management's awareness of the importance of the Initiative.

Module 4:
DP Define Problems &
Opportunities

Module 4.1: Phase 2


Where are we now?

4.1 DP Define Problems & Opportunities (Where are we now? Phase 2)

Continual Improvement Life Cycle Phase 2
Ref. Figure 19

Roles in Phase 2
Ref. Figure 20

Phase 2 Description (1/5 to 5/5)
Ref. Figure 21

Phase 2 RACI Chart
Ref. Figure 22

Phase 2: Where Are We Now?

Define the problems and opportunities [Programme Management]
o Understand the pain points that have been identified as governance problems
o Take advantage of trigger events that provide opportunity for improvement
Form a powerful guiding team [Change Enablement]
o Knowledge of the business environment
o Insight into influencing factors
Assess the current state [Continual Improvement Life cycle attribute]
o Identify the IT goals in respect to enterprise goals
o Identify the most important processes
o Understand management risk appetite
o Understand the maturity of existing governance
o Related processes

Module 4.2: Phase 3


Where do we want to be?

4.2 DP Define Problems & Opportunities (Where do we want to be? Phase 3)

Continual Improvement Life Cycle Phase 3
Ref. Figure 23

Roles in Phase 3
Ref. Figure 24

Phase 3 Description (1/5 to 5/5)
Ref. Figure 25

Phase 3 RACI Chart
Ref. Figure 26

Phase 3: Where Do We Want to Be?

Define the roadmap
o Describe the high-level change enablement plan and objectives
Communicate desired vision
o Develop a communication strategy
o Communicate the vision
o Articulate the rationale and benefits of the change
o Set the tone at the top
Define target state and perform gap analysis
o Define the target for improvement
o Analyze the gaps
o Identify potential improvements

Case Study Scenario: Additional Phase 2 & 3 Information

The CIO approached the IT GRC manager and is not convinced that he has captured all of the COBIT processes needed to mitigate the risks associated with their issues.

Exercise 002
1. Which 2 reasons are root causes of the inability to gain the backing of local business management, according to the COBIT 5 Implementation Guide?
A. The recent takeover has left uncertainty and the threat of further changes.
B. The priorities of the Initiative are NOT in line with the objectives of the local office.
C. There is poor communication about the expected successes of the Initiative.
D. More change is being enforced and the current processes are unable to cope with the existing amount of change.
E. The implementation solution appears to have too many manual workarounds.

2. Which 2 reasons are root causes of why the cost of the IT Governance Initiative appears to exceed any benefit at the local office, according to the COBIT 5 Implementation Guide?
A. There is a perception that there is a lack of required compliance skills at the local office.
B. Structure of the IT Governance Initiative does NOT demonstrate what the benefits will be at this stage of the programme.
C. The recent takeover has left uncertainty and the threat of further changes.
D. Budget funds have already been spent on the takeover and this is seen as a further drain on resources.
E. There is poor communication about the expected successes of the Initiative.

Exercise 002 (continued)
3. Which 2 actions are success factors which should help resolve the current lack of trust between the local office IT function and Business Management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance-related roles for the local office.
B. Educate the business by running a COBIT 5 training course.
C. Produce a plan of expected changes for the year ahead which take account of the compliance requirements.
D. Only implement improvements that add value to the local office.
E. Ensure all resources are full-time and dedicated to the Governance Initiative.

4. Which 2 actions are success factors that should help resolve the inability to gain support from the local office's business management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance-related roles for the local office.
B. Only implement improvements that add value to the local office.
C. Express the Governance Initiative in terms that are relevant to business management.
D. Set up a regular Compliance forum which includes members of both local and Overseas Business Management and local IT Management.
E. Ensure all resources are full-time and dedicated to the Governance Initiative.

Exercise 002 (continued)
5. Which 2 actions are success factors that should help resolve the concerns that the local office has regarding the cost of improvements outweighing any potential benefits, according to the COBIT 5 Implementation Guide?
A. Liaise with Business Management to identify initiatives that can be resolved quickly.
B. Secure secondments* of compliance staff from the overseas office.
C. Ensure all resources are full-time and dedicated to the Governance Initiative.
D. Only implement improvements that add value to the local office.
E. Focus on the change process as an area to be tackled by the Initiative.

6. There is a current lack of ownership for both the business and IT in respect of who has a role to play in this Governance Initiative. Which CE task is executed to address the concern of lack of ownership for the Governance Initiative at the local office during Phase 2?
A. Engage with HR about producing a communications plan about the future benefits of the Initiative.
B. Develop an escalation process.
C. Elect key representatives from the local office and the Overseas Head Office.
D. Create steering committees for relevant parts of the Initiative.

*Secondment: A temporary transfer of an official or worker to another position or employment.

Module 5: PE Plan & Execute the program

Module 5.1: Phase 4


What needs to be done?

5.1 PE Plan & Execute the program (What needs to be done? Phase 4)

Continual Improvement Life Cycle Phase 4
Ref. Figure 27

Roles in Phase 4
Ref. Figure 28

Phase 4 Description (1/5 to 5/5)
Ref. Figure 29

Phase 4 RACI Chart
Ref. Figure 30

Phase 4: What Needs to Be Done?

Develop program plan
o Prioritize potential initiatives
o Develop formal and justifiable projects
o Use plans that include contribution and program objectives
Empower role players and identify quick wins
o High-benefit, easy implementations should come first
o Obtain buy-in by key stakeholders affected by the change
o Identify strengths in existing processes and leverage accordingly
Design and build improvements
o Plot improvements onto a grid to assist with prioritization
o Consider approach, deliverables, resources needed, costs, estimated timescales, project dependencies and risks

Module 5.2: Phase 5


How do we get there?

5.2 PEPlan&Executetheprogram COBIT5Implementation

(Howdowegetthere? Phase5) 4PAdvisoryServices

ContinualImprovementLifeCyclePhase5

Ref.Figure31
Nopartofthisdocumentmaybereproducedinanyformwithouttheexplicitwrittenpermissionofboththe4PAdvisoryServicesandISACA.Trademarks,acknowledged. 116
COBIT5:Implementation
5.2 PEPlan&Executetheprogram COBIT5Implementation

(Howdowegetthere? Phase5) 4PAdvisoryServices

RolesinPhase5

Ref.Figure32

Nopartofthisdocumentmaybereproducedinanyformwithouttheexplicitwrittenpermissionofboththe4PAdvisoryServicesandISACA.Trademarks,acknowledged. 117
COBIT5:Implementation
5.2 PEPlan&Executetheprogram COBIT5Implementation

(Howdowegetthere? Phase5) 4PAdvisoryServices

Phase5Description

Ref.Figure33

Phase 5 RACI Chart

Ref. Figure 34

Phase 5: How Do We Get There?

Execute the plan
o Execute projects according to an integrated program plan
o Provide regular update reports to stakeholders
o Document and monitor the contribution of projects while managing risks identified
Enable operation and use
o Build on the momentum and credibility of quick wins
o Plan cultural and behavioral aspects of the broader transition
o Define measures of success
Implement improvements
o Adopt and adapt best practices to suit the enterprise's approach to policies and process changes

© 2012 ISACA. All Rights Reserved.

Case Study Scenario: Additional Phase 4 & 5 Information

The CIO approached the IT GRC manager and is not convinced that he has captured all of the COBIT processes needed to mitigate the risks associated with their issues.

Exercise 003

1. Which 2 additional processes should be selected to help mitigate all of the risks associated with the security issues (issue 2)?
A. APO07
B. DSS01
C. BAI06
D. APO01
E. APO08

2. Which 2 additional processes should be selected to help mitigate the risks of projects failing due to cost, delays, scope creep or changed business priorities associated with the project delivery issues (issue 4)?
A. BAI03
B. APO03
C. EDM04
D. MEA01
E. APO06

Case Study Scenario: Additional Phase 4 & 5 Information

Using the Scenario, answer the following questions about change enablement tasks. The project is now at Phase 4, "What needs to be done?". The IT GRC Manager called a Project planning meeting and decided on some Change Enablement objectives in order to get things moving. Decide whether the action taken by the IT GRC Manager to address each objective is an appropriate Phase 4 Change Enablement (CE) task and select the response that supports your decision.

Exercise 003

3. Objective 1: Obtain buy-in from the local office. Action: The IT GRC Manager has held a workshop with key members of business and IT to review and confirm the proposed change management process. Is this action an appropriate Phase 4 CE task for Objective No 1?
A. No, because any required changes will be enforced through local management or the Overseas Head Office.
B. No, because the commitment to make the change should have been obtained in Phase 3.
C. Yes, because consulting affected stakeholders will help make them responsible to accept results.
D. Yes, because this will ensure the change management process is implemented as a quick win.

4. Objective 2: Speed up the implementation for a new Change process which will apply to both the business and IT. Action: The IT GRC Manager has decided to implement an IT version of the change response plans. Is this action an appropriate Phase 4 CE task to address Objective No 2?
A. No, because engagement should have been made with all affected areas prior to the implementation, e.g. the business management.
B. No, because the implementation of the change response plan should have been performed at Phase 3.
C. Yes, because a Phase 4 CE task is about understanding what IT solutions will be needed to support the Overseas Head Office compliance requirements.
D. Yes, because a Phase 4 CE task is to prioritize and select improvements.

Exercise 003

5. Objective 3: Build on Phase 2 "Where are we now" and identify tasks that don't take long to implement. Action: The IT GRC Manager has decided to go ahead and implement quick wins in as short a time as possible without immediate consultation with the business. Is this action an appropriate Phase 4 CE task to address Objective No 3?
A. No, because changes to existing processes at the local office should be designed during Phase 1.
B. No, because visibility of the changes by methods such as a workshop is needed.
C. Yes, because providing the concept of the change has been proven.
D. Yes, because a Phase 4 activity is to perform a gap analysis to identify the improvements needed to the change management process.

6. Objective 4: Leverage existing processes (from the Overseas Head Office). Action: The IT GRC Manager has obtained details of a number of compliance-related processes from the Overseas Head Office which are used successfully to manage Compliance. The plan is to adapt these processes for use at the local office. Is this action an appropriate Phase 4 CE task to address Objective No 4?
A. No, because changes to existing processes at the local office should have been designed during Phase 1.
B. No, because the processes should be implemented "as is" if they have been used successfully at the Overseas Head Office.
C. Yes, because a Phase 4 CE task is to identify existing strengths.
D. Yes, because identifying work already performed in the organisation prevents duplication of effort and encourages reuse.

Module 6: RB: Realize benefits and review effectiveness

Module 6.1: Phase 6
Did we get there?

Continual Improvement Life Cycle: Phase 6

Ref. Figure 35

Roles in Phase 6

Ref. Figure 36

Phase 6 Description (1/3)

Ref. Figure 37

Phase 6 Description (2/3)

Ref. Figure 37

Phase 6 Description (3/3)

Ref. Figure 37

Phase 6 RACI Chart

Ref. Figure 38

Phase 6: Did We Get There?

Realize benefits
o Monitor the overall performance of the program against business case objectives
o Monitor and measure the investment performance
Embed new approaches
o Provide transition from project mode to business-as-usual mode
o Monitor whether new roles and responsibilities have been taken on
o Track and assess objectives of the change response plans
o Maintain communication and ensure communication between appropriate stakeholders continues
Operate and measure
o Set targets for each metric
o Measure metrics against targets
o Communicate results and adjust targets as necessary

© 2012 ISACA. All Rights Reserved.

Module 6.2: Phase 7
How do we keep the momentum going?

Continual Improvement Life Cycle: Phase 7

Ref. Figure 39

Roles in Phase 7

Ref. Figure 40

Phase 7 Description (1/3)

Ref. Figure 41

Phase 7 Description (2/3)

Ref. Figure 41

Phase 7 Description (3/3)

Ref. Figure 41

Phase 7 RACI Chart

Ref. Figure 42

Phase 7: How Do We Keep Momentum?

Continual improvements: keeping the momentum is critical to sustainment of the life cycle
Review the program benefits
o Review program effectiveness through a program review gate
Sustain
o Conscious reinforcement (reward achievers)
o Ongoing communication campaign (feedback on performance)
o Continuous top management commitment
Monitor and evaluate
o Identify new governance objectives based on program experience
o Communicate lessons learned and further improvement requirements for the next iteration of the cycle

© 2012 ISACA. All Rights Reserved.

Case Study Scenario: Additional Phase 6 & 7 Information

The following questions are about the root causes of the challenges encountered when identifying whether the implementation has met its objectives. The IT GRC Manager decided to speak to a number of key members of the local office Management to gauge feedback on the Governance Initiative. The following issues were obtained from various members of local office staff:
o The change management process is seen as too hard to understand and has resulted in low usage of the process within the local office. Additionally there was feedback that the solution looked like it was a direct copy of the Overseas Head Office process without consideration of local factors.
o The IT staff working on the Initiative is demotivated as they felt they had been left to manage the project with little or no assistance from the Business Management.
o A lot of feedback was asking the question "what have we achieved?" as there was a belief that very little had changed and concerns were raised as to the overall value of the Initiative.

Exercise 004

1. Which 2 actions are success factors that should help to resolve the lack of take-up of the change management process?
A. Obtain compliance input from the Overseas Head Office auditors.
B. Involve the business process owners in the future refinement of the change process.
C. Ensure all resources are full-time and dedicated to the Governance Initiative.
D. Arrange a training course for users of the change process.
E. Produce a RACI matrix for Governance-related roles for the local office.

2. Which 2 actions are success factors that should help to resolve the demotivation of the IT staff working on the Governance Initiative?
A. Produce a RACI matrix for Governance-related roles for the local office.
B. Seek to second a Compliance resource from the Overseas Head Office.
C. Organise a roadshow with the Business Management - Revisiting stakeholders.
D. Ensure all resources are full-time and dedicated to the Governance Initiative.
E. Arrange a training course for users of the change process.

*Secondment: A temporary transfer of an official or worker to another position or employment.

Exercise 004

3. Which 2 actions are success factors that should help to resolve the concern raised over the overall value of the Governance Initiative?
A. Issue a Compliance health check showing progress made.
B. Arrange a training course for users of the change process.
C. Seek to second a compliance resource from the Overseas Head Office.
D. Issue a compliance article on the Intranet site in business terms.
E. Produce a RACI matrix for Governance-related roles for the local office.

4. Which 2 documents are Inputs to the Phase 6 review of the Change Management process?
A. Revised process documentation.
B. A signed-off copy of the Change Management Procedure.
C. IT and business measures added into the ongoing monitoring of the change process (post-project).
D. A copy of the Change Management process before the implementation.
E. A copy of the Benefits of the Change Process.

*Secondment: A temporary transfer of an official or worker to another position or employment.

Exercise 004

5. Which 2 documents are Outputs of the Phase 6 review of the Change Management process?
A. A signed-off copy of the Business Case.
B. Revised process documentation.
C. Business and IT agreed measures to monitor the change process.
D. A signed-off copy of the Change Management Procedure.
E. Identification of the appropriate Change agents within the local office.

6. Which 2 activities are Programme Manager tasks to be performed during the Phase 6 review of the Change Management process?
A. Review if the Change Management process is meeting its original intentions.
B. Understand what went well and what didn't.
C. Develop an escalation procedure to Management.
D. Communicate the results of the Change Management procedure to relevant Business and IT parties.
E. Produce a report of the success factors required to be met for a successful implementation of the Change Management process.

Module 7: The Inner Layers: Change Enablement and Continuous Improvement

The Relationship: IMPL Prg M CE CI

Change enablement relationships to Programme management Steps

The seven phases are shown as the programme management steps they relate to. The table below outlines the seven enablers (the second or red circle) and the relationship to the seven programme management steps (the outer ring or dark blue ring):

| PHASE & PROGRAMME STEP | CHANGE ENABLER RELATED TO THAT STEP | CONTINUAL IMPROVEMENT LIFE CYCLE |
|---|---|---|
| Initiate Program | Establish Desire to change | Recognise need to act |
| Define Problems & Opportunities | Form Implementation Team | Assess current state |
| Define Road Map | Communicate Outcome | Define target state |
| Plan Programme | Identify role players | Build improvement |
| Execute Plan | Operate and use | Implement Improvements |
| Realise Benefits | Embed new approaches | Operate and Measure |
| Review Effectiveness | Sustain | Monitor and Evaluate |

Making the Business Case
i.e.: Justification to the Board

The characteristics of a good business case:

o The importance of a business case cannot be overstated. An appropriate level of urgency needs to be instilled and the key stakeholders should be aware of the risk of not taking action. An initiative should be owned by a sponsor (senior), involve all key stakeholders, and be based on a business case.
o Initially this can be a high-level business case dealing with the strategic benefits and costs and then progress to a more detailed business case. It is a valuable tool available to management in guiding the creation of business value.

Characteristics of Good Business Case

At a minimum a Business case should include:

o The business benefits that will be realized
o The business changes required
o The investments needed
o The ongoing IT operating costs
o Constraints and dependencies derived from the risk assessment
o Roles, responsibilities and accountabilities relative to other initiatives
o How the investment and value creation will be monitored throughout the economic life cycle

Exercise 005

o Make a project Plan for the COBIT 5 Implementation with typical timelines.
o Allocate teams the relevant roles.
o Decide and Highlight the Target State metrics, compared to the current ones.

Module 8: Process Assessment / Verification

Overview

COBIT 5 Process Reference Model

Components of ISO/IEC 15504 Process Assessment

Assessment Process Activities

1. Initiation
2. Planning the Assessment
3. Briefing
4. Data Collection
5. Data Validation
6. Process Attribute Rating
7. Reporting the Results

1. Initiation

Identify the sponsor and define the purpose of the assessment
o why it is being carried out
Define the scope of the assessment
o which processes are being assessed
o what constraints, if any, apply to the assessment
Identify any additional information that needs to be gathered
Select the assessment participants, the assessment team and define the roles of team members
Define assessment inputs and outputs
Have them approved by the sponsor

2. Planning the Assessment

An assessment plan describing all activities performed in conducting the assessment is developed and documented together with an assessment schedule
Identify the project scope
Secure the necessary resources to perform the assessment
Determine the method of collating, reviewing, validating and documenting the information required for the assessment
Coordinate assessment activities with the Organizational Unit being assessed

3. Briefing

The Assessment Team Leader ensures that the assessment team understands the assessment input, process and output
Brief the Organizational Unit on the performance of the assessment
o PAM, assessment scope, scheduling, constraints, roles and responsibilities, resource requirements, etc.

4. Data Collection

The assessor obtains (and documents) an understanding of the process(es) including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment
Data required for evaluating the processes within the scope of the assessment is collected in a systematic manner
The strategy and techniques for the selection, collection, analysis of data and justification of the ratings are explicitly identified and demonstrable
Each process identified in the assessment scope is assessed on the basis of objective evidence
The objective evidence gathered for each attribute of each process assessed must be sufficient to meet the assessment purpose and scope
Objective evidence that supports the assessor's judgement of process attribute ratings is recorded and maintained in the Assessment Record.
This Record provides evidence to substantiate the ratings and to verify compliance with the requirements.

5. Data Validation

Actions are taken to ensure that the data is accurate and sufficiently covers the assessment scope, including
o seeking information from first-hand, independent sources;
o using past assessment results; and
o holding feedback sessions to validate the information collected.
Some data validation may occur as the data is being collected

6. Process Attribute Rating

For each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope
The rating is based on data validated in the previous activity
Traceability shall be maintained between the objective evidence collected and the process attribute ratings assigned
For each process attribute rated, the relationship between the indicators and the objective evidence is recorded

7. Reporting the Results

The results of the assessment are analysed and presented in a report
The report also covers any key issues raised during the assessment such as:
o observed areas of strength and weakness
o findings of high risk, i.e. magnitude of gap between assessed capability and desired/required capability
