Abstract
The release of COBIT 5 developed by ISACA truly represents a next-generation evolution of the well-known
and highly regarded COBIT framework. It is a departure from the previous edition, COBIT 4.1, because COBIT
5 enables information and related technology to be governed and managed in a holistic manner for the entire
enterprise. It takes in the full end-to-end business and functional areas of responsibility, considering the IT-related
interests of all internal and external stakeholders. COBIT 5 can now be the framework for all of the frameworks
and standards employed in the enterprise. Because COBIT 5 considers the full enterprise view, it offers guidance
for both governance and management activities. To explain the sweeping changes and the enhanced benefits
of COBIT 5, this whitepaper will detail the specific differences between 4.1 and 5 as well as the thinking behind
these important changes. Central to COBIT 5 is the governance objective of value creation.
Introduction
Since 1996, the COBIT framework has undergone multiple evolutions, as it adapts to the needs of a changing marketplace. The original COBIT and later its 2nd edition from 1998 were known as IT audit and control frameworks. The focus was placed on control objectives. In 2000, COBIT's 3rd edition debuted as an IT management framework, featuring newly added management guidelines. When COBIT 4.0 and COBIT 4.1 were released in 2005 and 2007, respectively, more adjustments were made. The assurance processes were removed. In return, governance and compliance processes were added, making COBIT 4.1 an IT governance framework.

COBIT 5 represents a culmination of these previous releases, as well as the incorporation of numerous other standards and frameworks, into the ultimate framework for the governance and management of enterprise IT.

COBIT 4.1, Val IT, Risk IT and BMIS users who are already engaged in governance of enterprise IT (GEIT) implementation activities can transition to COBIT 5 and benefit from the latest and improved guidance that it provides during the next iterations of their enterprise's improvement life cycle. Since COBIT 5 builds on previous versions of COBIT (and Val IT, Risk IT and BMIS), enterprises can also build on what they have developed using earlier versions.

Most enterprise stakeholders and executive management are aware of the importance of the general control frameworks with respect to their fiduciary responsibility, such as Committee of Sponsoring Organizations of the Treadway Commission (COSO), Code of Connection (CoCo), the UK Corporate Governance Code, King III, etc.; however, enterprise stakeholders and executive management may not necessarily be aware of the details of each framework. In addition, enterprise managers are increasingly aware of the more technical security guidance, such as the ISO/IEC 27000 series, and service delivery guidance, such as ITIL.

Although the aforementioned standards and frameworks emphasize business control and IT security and service management and delivery issues in specific areas of enterprise IT-related activity, only COBIT 5 integrates all functions and processes that establish the governance of enterprise IT (GEIT) into overall enterprise governance and from a business perspective. COBIT 5 is not meant to replace any of these frameworks or standards. It is intended to emphasize what governance and management elements and practices are required to create value from information and technology in support of enterprise business goals.

To assure the high quality of COBIT 5, several measures were taken, most important:
- The entire research process was overseen by both ISACA's Knowledge Board and Framework Committee, which were responsible for overseeing all ISACA framework research development.
- The detailed research results and deliverables were quality-controlled throughout the development process by a dedicated task force of experienced volunteer professionals.
- A draft design document was issued for public exposure, and the feedback was integrated into the development work to produce the final COBIT 5 products. Before being issued, the draft development products were distributed to more than 100 subject matter experts around the world to obtain their professional review.
- Once ready, draft versions of COBIT 5 and COBIT 5: Enabling Processes were made available to the public for review. Workshops were held in London and Washington DC; more than 650 people contributed their feedback. Many good comments were received, suggesting further improvements for consideration. Survey questions concerning the level of satisfaction of the work at the draft stage were included in the public exposure activity, with 79 percent of the responses being positive. Based on the review comments, the development team made changes as appropriate.
- The final product was reviewed by COBIT 5 Task Force members, the Framework Committee and the Knowledge Board.
COBIT 5 PRINCIPLES
COBIT 5 also has clarified management level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model. There are several new and modified management processes that reflect current thinking, in particular:
- APO03 Manage enterprise architecture
- APO04 Manage innovation
- APO05 Manage portfolio
- APO06 Manage budget and costs
- APO08 Manage relationships
- APO13 Manage security
- BAI05 Manage organizational change enablement
- BAI08 Manage knowledge
- BAI09 Manage assets
- DSS05 Manage security service
- DSS06 Manage business process controls

COBIT 5 processes now cover end-to-end business and IT activities (i.e., a full enterprise-level view). This provides for a more holistic and complete coverage of practices reflecting
RACI CHART
SOURCE: COBIT 5: Enabling Processes, page 31. © 2016 ISACA. All rights reserved.
Process Capability Model: COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modeling approach. COBIT 5 is supported by a new process capability assessment approach based on ISO/IEC 15504.

The COBIT Assessment Program approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method. The assessment objective is to understand the level of capability that is present and the level that is appropriate for a given process, based on business requirements, and to understand the nature of any gaps so that any significant weaknesses in the process can be identified and improved. The COBIT Assessment Program supports:
- Formal assessments by accredited assessors
- Less rigorous self-assessments for internal gap analysis and process improvement planning

In addition, the COBIT Assessment Program approach is supported by these materials:
- COBIT Process Assessment Model: Using COBIT 5
- COBIT Assessor Guide: Using COBIT 5
- COBIT Self-Assessment Guide: Using COBIT 5

COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Program approach will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach. Although some of the information gathered from previous assessments may be reusable, care will be needed in migrating this information forward because there are significant differences in requirements and in what is being measured.