
Preview of COBIT 5

(Differences between v4.0/4.1 and v5)


December 8, 2011
AGENDA

Introductions
Quick COBIT Overview
Drivers of COBIT 5: Increased Focus on Enterprise Governance
Benefits of COBIT 5
Updated Process Model
Details of the Change
New: COBIT 5 Process Capability Model
Wrap Up

Page 2 Preview of COBIT5


COBIT - An Overview

COBIT 4.1: the IT governance framework
o IT Processes
o IT Management Processes
o IT Governance Processes
The only IT management and control framework that covers the end-to-end IT life cycle

Internationally accepted good practices
Management-oriented best practices
Supported by tools and a training repository
Freely available
Sharing knowledge and leveraging expert volunteers
Continually evolving
Maintained by a reputable not-for-profit organization
Maps strongly to all major related standards
Is a reference, a set of best practices, not an off-the-shelf cure


COBIT history

COBIT has evolved from an auditor's tool to an IT governance framework, used increasingly by IT management:

COBIT 1 (1996): Audit
COBIT 2 (1998): Control
COBIT 3 (2000): Management
COBIT 4 (2005): Governance


Introduction to COBIT


Waterfall model

The control of IT Processes that satisfy Business Requirements is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 210 Control Objectives


Process orientation

Domains: a natural grouping of processes, often matching an organizational domain of responsibility
Processes: a series of joined activities with natural control breaks
Activities or tasks: actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete


Process Orientation

IT Domains (a natural grouping of processes, often matching an organisational domain of responsibility):
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

IT Processes (a series of joined activities with natural (control) breaks), for example:
IT strategy
Computer operations
Incident handling
Acceptance testing
Change management
Contingency planning
Problem management

Activities (actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete), for example within problem management:
Record new problem.
Analyse.
Propose solution.
Monitor solution.
Record known problem.


COBIT processes

Planning and Organizing
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
COBIT processes

Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance


COBIT framework

The framework relates three dimensions:

Business Objectives (information criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: Data, Application Systems, Technology, Facilities, People
IT Processes (domains): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate


COBIT IT processes

(Figure: the four domains arranged in a cycle around Information, listing the same 34 processes given on the two preceding slides: PO1-PO10 Plan and Organize, AI1-AI7 Acquire and Implement, DS1-DS13 Deliver and Support, ME1-ME4 Monitor and Evaluate.)


Linking business goals to IT goals


Linking IT goals to IT processes


For each of the 34 IT processes you have:

Process description
IT domain and information criteria indicators
IT goals
Process goals
Key practices
Key metrics
IT governance and IT resource indicators


Five focus areas of IT governance

1. Strategic Alignment: aligning with the business and providing collaborative solutions
2. Value Delivery: focus on IT costs and proof of value
3. Risk Management: safeguarding assets, business continuity and compliance
4. Resource Management: IT assets, knowledge, infrastructure and partners
5. Performance Measurement: metrics, IT scorecards and dashboards

The focus areas answer four questions: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?


Governance lifecycle


COBIT 5 Update

COBIT 5 initiative

The initiative charge from the Board of Directors: tie together and reinforce all ISACA knowledge assets with COBIT.

The COBIT 5 Task Force:
o experts from ISACA constituency groups
o reports to the Framework Committee and then the Knowledge Board


Major Drivers for COBIT 5

Increased Focus on Enterprise Governance

Link and reinforce all ISACA's guidance
o Primary: Val IT, Risk IT
o Considering BMIS, ITAF, TGF, Board Briefing
Need to connect to other frameworks and standards (such as ITIL, PMBOK, PRINCE2, TOGAF, ISO)
Further guidance in high-interest areas
Improve ease of use, consistency in concepts, terminology and level of detail
Scope covers full end-to-end business and IT functional responsibilities


Increased Focus on Enterprise Governance

Concepts and Objectives

Enterprises exist to deliver value to their stakeholders
Achieved within value and risk parameters and with responsible use of resources
The governance system steers via means and mechanisms within an effective structure
Incident-caused and legislation-driven need: governance is at the top of the agenda for most enterprises


Governance Objective


Responding Features of COBIT 5

Practical guidance with consideration of all unique stakeholders
Non-technical overarching framework
Clear distinction between governance and management
Scope addressing management and governance of information
Clear migration guidance from prior versions
Process model updates addressing innovation and emerging technologies
Addressing governance enablers such as behaviour, skills and decision making


Distinction between Governance and Management Processes


COBIT 5 Governance Enablers

Processes
Principles and Policies
Organisational Structures
Skills and Competencies
Culture, Ethics and Behaviour
Information
Service Capabilities


Benefits of Using COBIT 5

Enterprise-wide benefits:

Increased value creation through effective governance and management of enterprise information and technology assets
Increased business user satisfaction with IT engagement and services; IT seen as a key enabler
Increased compliance with relevant laws, regulations and policies
IT function becomes more business-focused
Increases the COBIT 5 user's contribution to the enterprise


Process Reference Model

Represents all the processes normally found in an enterprise relating to IT
Provides a common reference model understandable to IT and business managers
Provides a common language
Provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices
Subdivided into governance (1 domain) and management (4 domains)
36 processes
Val IT and Risk IT integrated


Process Reference Model


Review of Process Changes

4 domains to 5 domains (1 governance and 4 management)
Domains have 3-character acronyms vs. 2-character acronyms:
o EDM (Evaluate, Direct and Monitor)
o APO (Align, Plan and Organise)
o BAI (Build, Acquire and Implement)
o DSS (Deliver, Service and Support)
o MEA (Monitor, Evaluate and Assess)
34 COBIT 4.1 processes become 5 governance processes and 31 management processes in COBIT 5 = 36 processes


Review of Process Changes

New and modified processes:
APO3 Manage Enterprise Architecture (combination of PO2 and PO3)
APO4 Manage Innovation (new)
APO5 Manage Portfolio (previously PO5 Manage the IT Investment)
APO6 Manage Budget and Costs (previously PO5 Manage the IT Investment)
APO8 Manage Relationships (new)
BAI5 Enable Organisational Change (new)
BAI8 Knowledge Management (new)
DSS2 Manage Assets (new)
DSS8 Manage Business Process Controls (new)


Process Enabler Model


Process Reference Guide

A separate publication that expands on the process-enabler model
Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1:
o Process description and purpose
o Goals cascade (enterprise and IT)
o Process goals and metrics
o Process practices, activities and inputs/outputs at practice level
o RACI chart
Integrates contents of 4.1, Val IT and Risk IT
Mapping between COBIT 5 and legacy ISACA frameworks


Most important differences between COBIT 5 and earlier versions

Architecture changes emphasizing the systemic nature of a governance and management system
Process model changes
Integration of COBIT, Val IT and Risk IT, with explicit structural differentiation between governance and management processes
Framework components reviewed and simplified


Architecture Change Principles

Alignment with the most up-to-date views on governance as expressed in the Taking Governance Forward initiative and ISO/IEC 38500, resulting in an overarching architecture with
o Stakeholder-driven governance and management of enterprise IT.
o Governance objectives being defined in terms of value, risk and resource-use optimization.
Systemic nature of enterprise governance, demonstrated by
o A set of interconnected and interrelated enablers to support governance of enterprise IT and ensure objectives are achieved

Note: ISO/IEC 38500, the Corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory and ethical obligations in respect of their organizations' use of IT.


COBIT 5 Architecture

Stakeholder Needs drive the Governance Objectives: Value (Benefits, Risk, Resource)
Inputs: Existing ISACA Guidance (COBIT, Val IT, Risk IT, BMIS, ...) and Other Standards and Frameworks

COBIT 5 Enablers:
Processes
Principles and Policies
Organisational Structures
Skills and Competencies
Culture, Ethics and Behaviour
Information
Service Capabilities

COBIT 5 Knowledge Base:
Current guidance and contents
Structure for future contents
Knowledge Base Content Filter

COBIT 5 Product Family:
COBIT 5: The Framework
COBIT 5 Enabler Guides: COBIT 5: Process Reference Guide; Other Enabler Guidance
COBIT 5 Practice Guides: COBIT 5: Framework Implementation Guide; COBIT 5 for Security; Other Practice Guides
COBIT 5 Online Collaborative Environment


Process Model Change Principles

Addition of a separate Governance domain, which contains five separate governance processes for enterprise IT (5 domains in total)

Continuation of the Management domains concept, with 31 processes spread over four domains. The domains now have 3-character acronyms compared to the 2-character acronyms in COBIT 4.1 (PO, AI, DS, ME become APO, BAI, DSS, MEA, alongside the new governance domain EDM).

Some of the processes are very similar to their predecessors, some are a consolidation of processes in earlier frameworks, and some new processes have been added.


Framework Component Changes

The names have been changed from Business Goals to Enterprise Goals, and from IT Goals to IT-related Goals, in order to better reflect that COBIT 5 is intended for all sorts of enterprises, not only commercial environments, and the fact that COBIT 5 is not only about making sure the IT function is performing, but also that the business functions assume their responsibility in providing the right direction, making good use of IT, and following up on IT investments and use.

There are now 17 Enterprise Goals and also 17 IT-related Goals. The goals are now also written more as outcome statements.

The stakeholders for IT are now explicitly named, and some illustrative stakeholder issues are included in the guidance to show how the framework addresses them.


Enterprise Goals


IT-related Goals


Internal Stakeholder Needs


External Stakeholder Needs


The NEW COBIT 5 Process Capability Model

Process Capability Model

Based on ISO/IEC 15504, the Software Engineering Process Assessment standard
Different from the COBIT 4.1 Maturity Model in design and use
Focus on capability


Process Capability Model Characteristics

Six levels of capability, including incomplete (level 0)
Each level can only be achieved when the level below is fully achieved
Level 1 means the process is largely achieved and its benefits realized by the organization
Higher capabilities add differing attributes and benefits


COBIT 5 PCM and COBIT 4.1 MM Differences

Naming and meaning of levels are different
A process is described in terms of its purpose and outcomes
Maturity level in COBIT 4.1 and capability level in COBIT 5 are not directly comparable and cannot be used interchangeably or mixed
Scores in COBIT 5 will be lower, because every attribute of the lower levels must be fully achieved before a higher level counts
Nine process capability attributes (v5) vs. six maturity attributes (v4.1)
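As an added illustration (not part of the ISACA or Ernst & Young slides), the following Python computes a capability level from attribute ratings using the rule stated on the two preceding slides: a level counts only when its own attributes are at least largely achieved and every attribute of the levels below is fully achieved. The attribute identifiers PA1.1 to PA5.2 and the N/P/L/F rating scale with its percentage bands are assumptions taken from ISO/IEC 15504-2, which the slides cite only by number; the sample scores are constructed to show why a COBIT 5 score comes out lower than a practitioner used to the 4.1 maturity scale might expect.

```python
"""Capability-level scoring in the style of ISO/IEC 15504, the standard
the COBIT 5 Process Capability Model is based on.

Added illustration, not ISACA material.  Assumptions (not on the slides):
the nine attribute identifiers PA1.1 .. PA5.2 and the N/P/L/F rating
scale with its percentage bands are taken from ISO/IEC 15504-2.
"""

from typing import Dict, Mapping, Tuple

# Nine process attributes (PAs), grouped by the capability level they
# characterise.  Level 0 (incomplete) has no attributes.
ATTRIBUTES_BY_LEVEL: Dict[int, Tuple[str, ...]] = {
    1: ("PA1.1",),          # process performance
    2: ("PA2.1", "PA2.2"),  # performance management, work product management
    3: ("PA3.1", "PA3.2"),  # process definition, process deployment
    4: ("PA4.1", "PA4.2"),  # process measurement, process control
    5: ("PA5.1", "PA5.2"),  # process innovation, process optimisation
}


def rating(percent: float) -> str:
    """Map an achievement percentage to the four-point N/P/L/F scale.

    N = not achieved (0-15%), P = partially (>15-50%),
    L = largely (>50-85%), F = fully (>85-100%).
    """
    if not 0 <= percent <= 100:
        raise ValueError("achievement must be in 0..100")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(ratings: Mapping[str, str]) -> int:
    """Return the achieved capability level, 0 (incomplete) to 5.

    Rule from the slides: a level counts only when its own attributes are
    at least largely achieved (L or F) and every attribute of all lower
    levels is fully achieved (F).  Missing attributes are treated as N.
    """
    achieved = 0
    for level in range(1, 6):
        own_ok = all(ratings.get(pa, "N") in ("L", "F")
                     for pa in ATTRIBUTES_BY_LEVEL[level])
        lower_fully = all(ratings.get(pa, "N") == "F"
                          for lower in range(1, level)
                          for pa in ATTRIBUTES_BY_LEVEL[lower])
        if not (own_ok and lower_fully):
            break
        achieved = level
    return achieved


def assess(percentages: Mapping[str, float]) -> int:
    """Convenience wrapper: percentage score per attribute -> level."""
    return capability_level({pa: rating(p) for pa, p in percentages.items()})


# Constructed sample: a change-management process whose level-2 and
# level-3 practices are in good shape, but whose basic performance
# (PA1.1) is only largely achieved.  It scores level 1, which is the
# "scores will be lower" effect the slides warn about.
SAMPLE_SCORES = {
    "PA1.1": 70,   # L
    "PA2.1": 90,   # F
    "PA2.2": 88,   # F
    "PA3.1": 60,   # L
    "PA3.2": 55,   # L
}

if __name__ == "__main__":
    print("sample level:", assess(SAMPLE_SCORES))
    fixed = {**SAMPLE_SCORES, "PA1.1": 95}
    print("after fully achieving PA1.1:", assess(fixed))
```

Raising PA1.1 alone from largely to fully achieved moves the sample from level 1 to level 3, because the level-2 attributes were already fully achieved and the level-3 ones largely achieved; an assessor comparing this with a 4.1 maturity rating would see the gate on lower levels, not weaker practices, as the reason for the lower number.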


COBIT 4.1 Maturity Model Comparison to COBIT 5 Process Capability Levels


Comparison of v4 Maturity Attributes vs. v5 Process Capability Attributes


COBIT 5 Preview Summary

COBIT 5 major changes:
Consolidation of frameworks
Adjustment of domains and processes
o 4 to 5 domains
o 34 to 36 IT processes
Assessment process changed to focus on capability using ISO/IEC 15504


The COBIT 5 Framework: What will be delivered?

An enterprise-wide, end-to-end framework addressing governance and management of information and related technology
The framework structure will include familiar components such as a domain/process model and other components such as governance/management practices, RACI charts and inputs/outputs.
An initial publication introduces, defines and describes the components that make up the COBIT 5 Framework:
o Principles
o Architecture
o Enablers
o Introduction to implementation guidance and the COBIT process assessment approach


COBIT 5 news

As the initiative progresses throughout 2011 and 2012 there will be periodic updates provided:
On the ISACA web site, www.isaca.org/COBIT5
In the COBIT Focus newsletter
In other ISACA membership communications, events, marketing materials and PR activities
Watch these spaces for more news!


Thank you

Contact details:
Ernst & Young's IT Risk Management Center of Excellence

Josh Turcotte, CISA
Email: Josh.Turcotte@ey.com
Phone: (214) 969 0678 (Dallas)

Stacey Hamaker, CISA, CIA
Email: Stacey.Hamaker@ey.com
Phone: (214) 969 8832 (Dallas)

This presentation contains materials that are property of ISACA and Ernst & Young. All rights reserved.
