
Practical Cobit Implementation Approaches: Implementing Cobit 5 In A Week
Kaya Kazmirci CISA, CISM, CISSP, Cobit 5 Foundations
Kazmirci Associates
kaya@kayakazmirci.com
+90 532 487 7756

Kaya Kazmirci
Founder ISACA Istanbul Chapter
Education Committee Chair and Past Chapter President
Chair Cobit 5/CISA Translation Committees
Cobit Evangelist (Regulatory Consultant & Trainer)
IT Governance and Cyber Security Expert
Kazmirci Associates MD
Mountain Biker & Sailor

Kaya.kazmirci@isaca-istanbul.org
Kaya@kayakazmirci.com

+90-532 487 7756


Project Plan: Short and Sweet
Cobit 5 Implementations must build on existing knowledge
Training and practical group work
Previously completed certifications and documentation (e.g. Cobit 4.1)
Motivated team (regulatory/financial pressure and/or visionary leadership)
Divide and create value (one process/capability improvement/metric at a time)

As-Is to To-Be timeline: C5 Training (2 Days), 2 Exercises (1 Day), Reporting (2 Days)

Kickoff!
How do you eat an elephant?

Critical Cobit 5 Content: One bite at a time

COBIT 5 is based on:


5 principles
7 enablers
Goals Cascade
37 Processes in 5 Domains
Implementation Approach
Capability Model (Formerly Maturity Model)

COBIT 5 Principles: Start with the tastiest bits

2012 ISACA All rights reserved.


Principle 1: Meeting Stakeholder Needs
Enterprises have many stakeholders
Governance is about:
Negotiating and deciding amongst different stakeholders' value interests
Considering all stakeholders when making benefit, resource and risk assessment decisions
For each decision, ask:
For whom are the benefits?
Who bears the risk?
What resources are required?

How Do You Use The BSC (Balanced Scorecard)?


Does it predict the future?
Does it correlate with future customer orders?
How to measure it (surveys, consultants, standards, frameworks, metrics, maturity/capability)?
Can BSCs be trusted?
It costs resources to implement, does it generate ROI?
Base employee bonuses on it?
Complexity?
Principle 1 Cascade Steps (Figure 5)
What is the primary Enterprise Goal?

Principle 1 Cascade Steps (Figure 6)


Enterprise Goals To IT Related Goals
Mapping IT Related Goals to C5 Processes: Less is More

IT Related Goals (ITRGs) map to C5 Processes
Primary/Secondary support
Adapt it to your organization
Keep scope narrow
Focus on problem areas

Principle 4: Enabling a Holistic Approach


Enabler 2: Processes


Lead and Lag Metrics: Explicit In C4.1

Process Goals (formerly KPI, lead indicator): How the process delivers value to IT
IT Related Goal (formerly KGI, lag indicator): A measure of how IT is supporting the enterprise
Example chain from process metric to enterprise impact: Firewall breaches discovered -> Credit card #s lost -> Cost of non-compliance (fines, settlements)
Process Format/Content
[Figure: sample COBIT 5 process page; the table body did not survive extraction]
Process: Name/Description/Purpose
Management/Governance Practices (Critical)
Outcomes (Combine/Reformat)
Process Format/Content (cont.)
[Figure: sample COBIT 5 work product table; the table body did not survive extraction]
Work Product
Inputs (Nice to Have)
Outputs (Combine/Reformat)
Supports (Nice to Have)
RACI Charts: There Is A Lot (Too Much?)
Use what you need and nothing else!


Cobit 5 Process Reference Model


Choose Carefully!

Outsourcing: APO09, 10
Security: APO13, DSS05
HR (Security): APO07, APO08
PM: APO05, 6, BAI01
SW/HW Development: BAI02,
3, 6, 7, 10
Data Center: DSS01
Help Desk: DSS02, 03
Engine Room: BAI04, DSS04
New and Modified Processes:
APO03 Manage enterprise architecture. (TOGAF)
APO04 Manage innovation. (Nice to Have)
APO05 Manage portfolio. (PMBOK, Prince2)
APO06 Manage budget and costs. (Activity Based Costing/Accounting)
APO08 Manage relationships. (Security Impact)
APO13 Manage security. (Critical)
BAI05 Manage organisational change enablement. (Nice to Have)
BAI08 Manage knowledge. (DS11 Manage Data in earlier versions was more useful)
BAI09 Manage assets. (Nice to Have)
DSS05 Manage security service. (Critical)
DSS06 Manage business process controls. (Controversial)


What's Missing (Next)?

We Want a Camel Now
Cobit Framework Suggestions
Framework Committee, we have a problem
How do we implement Agile/Scrum in C5?
Documentation requirements?
Which C5 Processes to include?
How do we integrate simultaneous multiple processes so they operate smoothly?
Capability scores (C5) seem lower than maturity scores (C4.1 and earlier)
Clients have spent LOTS improving C4.1 maturity (C5 conversion is a hard sell)
Regulators can penalize for low (<3) maturity, where do we set the bar?
Capability is not as clear as Maturity (nor as easy to implement)
C5 capability is not prescriptive (let's create guidance)
What is the value for improved Capability?
DSS06 Manage Business Process Controls?
What does it mean and how do we implement it in a practical sense
eTOM for Telecom; other sector-based guidance would be helpful

Cobit 5 Capability

Less is more
Satisfying Cobit 5 Attributes Improves Capability

How Do We Measure Capability?

Level 5 Optimizing process: PA.5.1 Process Innovation attribute, PA.5.2 Process Optimization attribute
Level 4 Predictable process: PA.4.1 Process Measurement attribute, PA.4.2 Process Control attribute
Level 3 Established process: PA.3.1 Process Definition attribute, PA.3.2 Process Deployment attribute
Level 2 Managed process: PA.2.1 Performance Management attribute, PA.2.2 Work Product Management attribute
Level 1 Performed process: PA.1.1 Process Performance attribute
Level 0 Incomplete process
Process Attribute Rating Scale
COBIT 5 capability scores come out lower than C4.1 maturity scores: a process that rated maturity 3 can land around capability 2.5!

N Not achieved: 0 to 15% achievement. There is little or no evidence of achievement of the defined attribute in the assessed process.
P Partially achieved: >15% to 50% achievement. There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.
L Largely achieved: >50% to 85% achievement. There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.
F Fully achieved: >85% to 100% achievement. There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.


What Does That Mean? (Practical Guidance)

Level 1
Some Management/Governance (M/G) Practices, Some Work Products
Level 2
All M/G Practices, Work Product, Process Goals & Targets defined, RACI
Level 3
Process commonly implemented, Inputs/Outputs (Training/Sourcing needs) defined, IT Related
Goals defined/collected/analyzed
Level 4
Process Metrics reported consistently, Goals set, Low performance reviewed
Level 5
Improvement Goals set, Improvement Opportunities: Identified, Planned, Tested, Implemented &
Post Implemented
Still Confused? More Practical Guidance
CMMI Maturity seems to map well as it is based on 15504

Level 2
All of the Practices implemented
Level 3
All Activities implemented; a certified management system maps onto the corresponding process:
ISO 27001 -> APO13 Manage Security, DSS05 Manage Security Services
ISO 22301 -> DSS04 Manage Continuity
ISO 9001 -> APO11 Manage Quality
ISO 20000 -> DSS01 Manage Operations, DSS02 Manage Service Requests & Incidents, DSS03 Manage Problems
ISO 10002 -> DSS02 (Customer Complaints)
ISO 13485 -> APO11 Manage Quality
ISO 31000 -> APO12 Manage Risk
Independent Audit: Financial Reporting Effective Control -> BAI06, 07
Level 4
Common enterprise-wide Process Performance and Output metrics
Level 5
Consistent Metric based Goals and Improvement Implementation
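As an added worked example (not part of the original slides), the rating scale and the level/attribute table above, plus the "what is needed for the next level" question of Case Study III, can be turned into a small calculator. The N/P/L/F thresholds and the PA list per level are taken from the slides; the level-achievement rule used here (a level is reached when every attribute at that level is L or F and every lower-level attribute is F) is the ISO/IEC 15504 rule the COBIT 5 PAM adopts and is stated as an assumption, since the slides do not spell it out. The sample achievement percentages are constructed.

```python
"""Capability-level calculator for a COBIT 5 / ISO 15504-style process assessment.

Added example, not from the original slide deck. PA names and N/P/L/F
thresholds come from the slides; the level-achievement rule (all PAs at the
target level rated L or F, all lower-level PAs rated F) is the ISO/IEC 15504
rule the COBIT 5 PAM adopts and is an assumption of this example.
"""

# Process attributes (PAs) per capability level, as listed on the slide.
PROCESS_ATTRIBUTES = {
    1: ("PA.1.1",),
    2: ("PA.2.1", "PA.2.2"),
    3: ("PA.3.1", "PA.3.2"),
    4: ("PA.4.1", "PA.4.2"),
    5: ("PA.5.1", "PA.5.2"),
}

# Constructed sample: % achievement per PA as agreed by a workshop group (assumption).
SAMPLE_ACHIEVEMENT = {"PA.1.1": 92, "PA.2.1": 70, "PA.2.2": 60, "PA.3.1": 30}


def rate(achievement_pct):
    """Map a % achievement to the rating scale: N 0-15, P >15-50, L >50-85, F >85-100."""
    if not 0 <= achievement_pct <= 100:
        raise ValueError(f"achievement must be 0..100, got {achievement_pct}")
    if achievement_pct <= 15:
        return "N"
    if achievement_pct <= 50:
        return "P"
    if achievement_pct <= 85:
        return "L"
    return "F"


def rate_all(achievement):
    """Rate every PA; PAs with no evidence recorded count as Not achieved."""
    ratings = {pa: "N" for level in PROCESS_ATTRIBUTES.values() for pa in level}
    ratings.update({pa: rate(pct) for pa, pct in achievement.items()})
    return ratings


def capability_level(ratings):
    """Highest level whose own PAs are all L/F while every lower-level PA is F."""
    level = 0
    for lvl in range(1, 6):
        own = [ratings.get(pa, "N") for pa in PROCESS_ATTRIBUTES[lvl]]
        lower = [ratings.get(pa, "N")
                 for l in range(1, lvl) for pa in PROCESS_ATTRIBUTES[l]]
        if all(r in ("L", "F") for r in own) and all(r == "F" for r in lower):
            level = lvl
        else:
            break  # a gap at this level blocks every level above it
    return level


def gap_to_next_level(ratings):
    """Which PAs must improve, and to which rating, to reach the next level.
    Returns {} at level 5, as there is nothing above it."""
    current = capability_level(ratings)
    if current == 5:
        return {}
    target = current + 1
    needed = {}
    # Everything below the target level has to be Fully achieved...
    for lvl in range(1, target):
        for pa in PROCESS_ATTRIBUTES[lvl]:
            if ratings.get(pa, "N") != "F":
                needed[pa] = "F"
    # ...and the target level's own PAs at least Largely achieved.
    for pa in PROCESS_ATTRIBUTES[target]:
        if ratings.get(pa, "N") not in ("L", "F"):
            needed[pa] = "L"
    return needed


def assess(achievement):
    """Full assessment: (ratings, current capability level, gap to next level)."""
    ratings = rate_all(achievement)
    return ratings, capability_level(ratings), gap_to_next_level(ratings)


if __name__ == "__main__":
    ratings, level, gap = assess(SAMPLE_ACHIEVEMENT)
    print("ratings:", ratings)
    print("capability level:", level)
    print("to reach level", level + 1, "raise:", gap)
```

With the constructed sample the process sits at level 2: PA.1.1 is F and both level-2 attributes are L, but level 3 is blocked twice over, once because PA.3.1 is only P and PA.3.2 has no evidence, and once because the level-2 attributes would have to reach F first. That second point is the one assessors most often miss, and it is why capability scores tend to come out lower than the old maturity scores.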

Capability and Gap Analysis: Logistics Provider


Capability and Gap Analysis: NPL Collector

Traditional COBIT 5 Implementation

Program Management
Day to day PM

Enablement of change
Addressing the behavioural
and cultural aspects

Core: Continual improvement (this is not a one-off project)


Use The Goals Cascade to Scope Which Processes To Focus On
Appendix 1

Step 1: Start with a BSC category
Cascade: Balanced Scorecard -> Enterprise Goals -> IT Related Goal (ITRG) -> COBIT Process
BSC dimensions: Financial, Customer, Internal, Learning

Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs

Step 2: Select Enterprise Goal, IT related Goal, and Processes

Customer
6. Customer-oriented service culture
7. Business service continuity and availability
ITRG 07 Delivery of IT services in line with business requirements
ITRG 08 Adequate use of applications, information and technology solutions
ITRG 01 Alignment of IT and business strategy
ITRG 04 Managed IT-related business risk
ITRG 10 Security of information, processing infrastructure and applications
ITRG 14 Availability of reliable and useful information for decision making

Processes of primary (P) importance or impact:
APO09 Manage Service Agreements: P
APO13 Manage Security: P
BAI04 Manage Availability and Capacity: P
BAI08 Manage Knowledge: P
BAI10 Manage Configuration: P
DSS03 Manage Problems: P
DSS04 Manage Continuity: P
Step 3: Example APO09 Examine Metrics
[Figure: APO09 process goals and related metrics; only the metric names survived extraction]

Related metrics:
The number of business processes with unidentified service agreements
% of live IT services covered by service agreements
% of customers satisfied that service delivery meets agreed-on levels
Number & severity of service breaches
% of services being monitored to service levels
% of service targets being met

Case Studies To Support Training and Group Work
Appendix 2

Case Study I: Identification of IT Governance Issues (40 minutes preparation, 20 minutes discussion)
The objective of this exercise is to become familiar with IT governance issues and be able to explain them to
executive management.
Imagine that you are the newly hired CIO/IT director of the Company, and you realise that much needs to be
done to improve the way IT is managed, if all the IT requirements are to be successfully delivered. You
know that you were hired to sort these matters out but you feel that the board should focus on IT and they
do not really know much about why it is important, what problems exist and what their responsibilities
should be. You are worried that you might not be able to succeed without their full appreciation of the
current issues and their support to improve the way IT is managed. You recently heard about COBIT and
then discovered ITGI and ISACA on the Internet, and downloaded the Cobit 5 Enabling Processes. You
have decided to use this standard to help raise awareness with the board and get them on your side
working with you to fix the IT problems.
Review the present situation at the Company with your group using the Goals Cascade documents as a
guideline. Select Enterprise Goals and IT-Related Goals that your group feels are important to the Company.
Pay particular attention to areas that you feel may be presently underserviced. Use the results of your
discussion and the IT-Related Goals to Cobit 5 processes map to select 6 Cobit 5 processes which, if
improved, would add significant enterprise value to the Company
Your task is to work together with the rest of the IT management team (the rest of your course group) to
prepare items to go into a presentation which conveys: what the processes are, why you chose them and
what value their implementation will add to the Company. Select a spokesperson to present your group
work.
Gary Hardy

Case Study II: Process Assessment (40 minutes preparation, 20 minutes presentation and discussion)
The Company has recognised enterprise governance implementation is a priority to enable
effective corporate and IT management. After reviewing your previous presentation, the BoD
has decided to implement Cobit 5 one process at a time and has asked you to complete an
assessment regarding how the most critical process that you presented operates at the
Company.
In this exercise, you will first select a process (from those examined in Case Study I) and then
assess how it operates at the Company.
1. Using what you and your teammates know and referring to the COBIT 5 Enabling Processes,
consider the process and assess whether it presently fulfils the defined management/governance
practices and related activities as well as delivers the defined outputs. Document any missing
outputs.
2. Decide which missing practices would add value if implemented, then list and prioritize the
most important 5 of them.
3. Discuss the related Cobit 5 process/IT related metrics and assess whether the presently used
metrics are adequate. Feel free to suggest 3 metrics that you feel would better meet the
Company's needs but be aware that implementing new metrics requires resources so focus on
cost effective suggestions.
Gary Hardy
Case Study III: Capability Assessment (40 minutes preparation, 20 minutes presentation)
The objective of this exercise is to understand how to use the capability models in
COBIT 5 to perform a capability assessment of a critical process.
Use the process from Case Study II and assess its present capability at the
Company. Based on its present capability, list what additional attributes need
development in order for it to mature to the next level of capability.
Hint: Go easy on yourselves as far as documentation requirements go. Partially (P)
fulfilled attributes are ok.
Work in the same group, and have a workshop as if you are the management team.
One person should act as the facilitator gaining consensus as a group on what the
critical attributes are and, using the COBIT capability models, considering the
current level. Prepare to report the present capability as well what needs to be
done to go to the next level.
Prepare a short presentation to explain your results.

Gary Hardy

Goals Cascade
Appendix 3

Figure 24: Mapping COBIT 5 Enterprise Goals to Governance and Management Questions
Figure 24: Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (cont.)
Figure 22: Mapping COBIT 5 Enterprise Goals to IT-related Goals
Figure 23: Mapping COBIT 5 IT-related Goals to Processes
Figure 23: Mapping COBIT 5 IT-related Goals to Processes (cont.)
