
12/27/2019

COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions

Terms & Definitions

Relative importance: Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the baseline and the current situation, as determined by the values given to the design factor at hand.

Instructions: See COBIT® 2019 Design Guide, Chapter 6

© 2018 ISACA. All rights reserved. 453399426.xlsx Instructions—Page 1



COBIT® 2019 Governance System Design Workbook—Canvas

Step 2: Determine the initial scope of the Governance System
Design Factors: Enterprise Strategy; Enterprise Goals; Risk Profile; I&T-Related Issues
Initial Scope: Governance/Management Objectives Score

Step 3: Refine the scope of the Governance System
Design Factors: Threat Landscape; Compliance Req's; Role of IT; Sourcing Model for IT; IT Implementation Methods; Technology Adoption Strategy
Refined Scope: Governance/Management Objectives Score

Step 4: Conclude the Scope of the Governance System
Adjustment (between -100 and +100); Reason; Concluded Scope: Governance/Management Objectives Priority; Suggested Target Capability Level; Reason; Agreed Target Capability Level

Weight 1 1 1 1 1 1 1 1 1 1

EDM01—Ensured Governance Framework Setting & Maintenance 5 10 -5 -10 ### 0 50 15 35 0 0 25 60 60 3 3

EDM02—Ensured Benefits Delivery 30 35 15 -5 ### 60 0 0 30 0 0 35 65 65 3 3

EDM03—Ensured Risk Optimization 25 -15 10 -10 ### 10 65 25 15 15 0 30 75 75 4 4

EDM04—Ensured Resource Optimization -25 30 -15 5 ### -5 0 0 25 0 0 15 15 15 1 1

EDM05—Ensured Stakeholder Engagement 15 -45 -15 -15 ### -50 30 15 25 0 0 30 20 20 1 1

APO01—Managed I&T Management Framework 0 5 15 -5 ### 10 50 10 25 0 0 40 65 65 3 3

APO02—Managed Strategy -20 35 -5 5 ### 10 0 0 30 0 0 25 35 35 2 2

APO03—Managed Enterprise Architecture -20 30 15 5 ### 25 50 0 20 0 0 50 70 70 3 3

APO04—Managed Innovation -5 40 45 20 ### 80 0 0 40 0 0 25 80 80 4 4

APO05—Managed Portfolio -25 30 -15 -5 ### -10 0 0 30 0 0 40 25 25 2 2

APO06—Managed Budget & Costs -25 -5 -20 -10 ### -50 0 0 25 0 0 -20 -25 -25 1 1

APO07—Managed Human Resources -10 35 15 15 ### 45 30 0 15 0 0 75 85 85 4 4

APO08—Managed Relationships 45 35 40 5 ### 100 0 0 25 0 0 55 95 95 4 4

APO09—Managed Service Agreements 45 30 10 -10 ### 60 30 0 10 15 0 0 60 60 3 3

APO10—Managed Vendors -10 30 -10 -10 ### 0 50 15 5 15 0 40 60 60 3 3

APO11—Managed Quality 50 0 30 -15 ### 50 30 0 15 0 0 0 50 50 3 3

APO12—Managed Risk 30 -10 50 -5 ### 50 65 25 20 10 0 20 95 95 4 4

APO13—Managed Security 35 -15 60 -15 ### 50 65 15 25 0 0 0 80 80 4 4

APO14—Managed Data 0 -35 35 -15 ### -10 50 10 25 0 0 20 40 40 2 2

BAI01—Managed Programs -15 30 15 15 ### 35 0 0 25 0 30 25 60 60 3 3

BAI02—Managed Requirements Definition -5 30 15 0 ### 30 0 0 30 0 60 30 75 75 4 4

BAI03—Managed Solutions Identification & Build -5 30 35 -10 ### 40 0 0 30 0 65 40 90 90 4 4

BAI04—Managed Availability & Capacity 40 25 35 -15 ### 70 30 0 5 0 0 0 55 55 3 3

BAI05—Managed Organizational Change -15 30 45 5 ### 50 0 0 25 0 40 35 80 80 4 4

BAI06—Managed IT Changes 0 30 45 0 ### 60 50 0 5 0 60 20 100 100 4 4

BAI07—Managed IT Change Acceptance and Transitioning 5 30 30 -5 ### 50 0 0 20 0 40 30 70 70 3 3

BAI08—Managed Knowledge -5 40 15 20 ### 55 0 0 25 0 0 30 60 60 3 3

BAI09—Managed Assets 0 -50 20 5 ### -20 0 0 25 0 0 0 0 0 1 1

BAI10—Managed Configuration 0 25 40 0 ### 50 50 0 15 0 15 30 85 85 4 4

BAI11—Managed Projects -20 30 35 10 ### 45 0 0 20 0 45 30 70 70 3 3

DSS01—Managed Operations 15 30 -5 -15 ### 20 0 0 10 0 0 0 15 15 1 1

DSS02—Managed Service Requests & Incidents 50 15 30 -20 ### 60 50 0 15 0 0 0 65 65 3 3

DSS03—Managed Problems 40 15 15 -5 ### 50 30 0 20 0 0 30 70 70 3 3


DSS04—Managed Continuity 50 15 15 -15 ### 50 65 15 20 0 0 30 90 90 4 4

DSS05—Managed Security Services 35 -10 20 -15 ### 25 50 25 20 0 0 30 75 75 4 4

DSS06—Managed Business Process Controls 15 20 40 -25 ### 40 50 0 35 0 0 0 65 65 3 3

MEA01—Managed Performance and Conformance Monitoring 0 0 10 -5 ### 5 50 0 25 10 15 35 65 65 3 3

MEA02—Managed System of Internal Control 0 -15 5 -15 ### -20 30 0 25 0 0 0 15 15 1 1

MEA03—Managed Compliance with External Requirements 0 -30 25 -30 ### -30 50 25 15 0 0 0 25 25 2 2

MEA04—Managed Assurance 0 -25 20 -10 ### -10 50 20 25 0 0 0 40 40 2 2


Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy

Input Section—Importance of Each Enterprise Strategy Archetype

Value | Importance (1-5) | Baseline
Growth/Acquisition 1 3
Innovation/Differentiation 2 3
Cost Leadership 1 3
Client Service/Stability 5 3

Average 2.25
Stdev 1.64
Correction Factor 1.33

[Chart: Design Factor 1 Enterprise Strategy, Importance of different strategies (Input); axis 0 to 5]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective | Score | Baseline Score | Relative Importance
EDM01 12 15 5
EDM02 23 24 30
EDM03 14 15 25
EDM04 12.5 22.5 -25
EDM05 15.5 18 15
APO01 9 12 0
APO02 17 28.5 -20
APO03 14 24 -20
APO04 15 21 -5
APO05 19 33 -25
APO06 12.5 22.5 -25
APO07 10 15 -10
APO08 22.5 21 45
APO09 24.5 22.5 45
APO10 14 21 -10
APO11 24 21 50
APO12 17.5 18 30
APO13 16.5 16.5 35
APO14 9 12 0
BAI01 17 27 -15
BAI02 9.5 13.5 -5
BAI03 9.5 13.5 -5
BAI04 19 18 40
BAI05 16.5 25.5 -15
BAI06 14.5 19.5 0
BAI07 14 18 5
BAI08 14 19.5 -5
BAI09 9 12 0
BAI10 9 12 0
BAI11 16 27 -20
DSS01 11.5 13.5 15
DSS02 24 21 50
DSS03 19 18 40
DSS04 24 21 50
DSS05 16.5 16.5 35
DSS06 11.5 13.5 15
MEA01 9 12 0
MEA02 9 12 0
MEA03 9 12 0
MEA04 9 12 0

[Chart: Design Factor 1 Enterprise Strategy, Resulting Governance/Management Objectives Importance (Output); axis -100 to 100]


DF1 | Growth/Acquisition | Innovation/Differentiation | Cost Leadership | Client Service/Stability
EDM01 1.0 1.0 1.5 1.5
EDM02 1.5 1.0 2.0 3.5
EDM03 1.0 1.0 1.0 2.0
EDM04 1.5 1.0 4.0 1.0
EDM05 1.5 1.5 1.0 2.0
APO01 1.0 1.0 1.0 1.0
APO02 3.5 3.5 1.5 1.0
APO03 4.0 2.0 1.0 1.0
APO04 1.0 4.0 1.0 1.0
APO05 3.5 4.0 2.5 1.0
APO06 1.5 1.0 4.0 1.0
APO07 2.0 1.0 1.0 1.0
APO08 1.0 1.5 1.0 3.5
APO09 1.0 1.0 1.5 4.0
APO10 1.0 1.0 3.5 1.5
APO11 1.0 1.0 1.0 4.0
APO12 1.0 1.5 1.0 2.5
APO13 1.0 1.0 1.0 2.5
APO14 1.0 1.0 1.0 1.0
BAI01 4.0 2.0 1.5 1.5
BAI02 1.0 1.0 1.5 1.0
BAI03 1.0 1.0 1.5 1.0
BAI04 1.0 1.0 1.0 3.0
BAI05 4.0 2.0 1.0 1.5
BAI06 2.0 2.0 1.0 1.5
BAI07 1.5 2.0 1.0 1.5
BAI08 1.0 3.5 1.0 1.0
BAI09 1.0 1.0 1.0 1.0
BAI10 1.0 1.0 1.0 1.0
BAI11 3.5 3.0 1.5 1.0
DSS01 1.0 1.0 1.0 1.5

DSS02 1.0 1.0 1.0 4.0
DSS03 1.0 1.0 1.0 3.0
DSS04 1.0 1.0 1.0 4.0
DSS05 1.0 1.0 1.0 2.5
DSS06 1.0 1.0 1.0 1.5
MEA01 1.0 1.0 1.0 1.0
MEA02 1.0 1.0 1.0 1.0
MEA03 1.0 1.0 1.0 1.0
MEA04 1.0 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 2 Enterprise Goals

Input Section—Importance of Each Enterprise Goal

Value | Importance (1-5) | Baseline
EG01—Portfolio of competitive products and services 4 3
EG02—Managed business risk 2 3
EG03—Compliance with external laws and regulations 2 3
EG04—Quality of financial information 1 3
EG05—Customer-oriented service culture 2 3
EG06—Business-service continuity and availability 3 3
EG07—Quality of management information 2 3
EG08—Optimization of internal business process functionality 3 3
EG09—Optimization of business process costs 1 3
EG10—Staff skills, motivation and productivity 4 3
EG11—Compliance with internal policies 2 3
EG12—Managed digital transformation programs 5 3
EG13—Product and business innovation 5 3

Average 2.77
Stdev 1.31
Correction Factor 1.08

[Chart: Design Factor 2 Enterprise Goals (Input); axis 0 to 5]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective | Score | Baseline Score | Relative Importance
EDM01 99 99 10
EDM02 141 114 35
EDM03 48 63 -15
EDM04 156 129 30
EDM05 32 63 -45
APO01 174 180 5
APO02 165 132 35
APO03 163 135 30
APO04 156 120 40
APO05 168 141 30
APO06 101 117 -5
APO07 136 108 35
APO08 237 189 35
APO09 76 63 30
APO10 94 78 30
APO11 121 132 0
APO12 30 36 -10
APO13 31 39 -15
APO14 45 78 -35
BAI01 155 129 30
BAI02 210 174 30
BAI03 200 165 30
BAI04 79 69 25
BAI05 220 183 30
BAI06 108 90 30
BAI07 82 69 30
BAI08 172 135 40
BAI09 23 51 -50
BAI10 21 18 25
BAI11 165 138 30
DSS01 76 63 30
DSS02 57 54 15
DSS03 57 54 15
DSS04 57 54 15
DSS05 69 81 -10
DSS06 114 105 20
MEA01 123 135 0
MEA02 108 135 -15
MEA03 26 39 -30
MEA04 79 111 -25

[Chart: Design Factor 2 Enterprise Goals, Resulting Governance/Management Objectives Importance; axis -100 to 100]


Agile portfolio of competitive products and services 4
Managed business risks 2
Compliance with external laws and regulations 2
Transparency and accuracy of financial information 1
Customer-oriented service culture 2
Business service continuity and availability 3
Quality of management information 2
Optimization of internal business process functionality 3
Optimization of business process costs 1
Staff skills, motivation and productivity 4
Compliance with internal policies 2
Managed business transformation programs 5
Product and business innovation 5

Mapping table EG-AG

AG01 IT compliance and support for business compliance with external laws and regulations
AG02 Managed Technology & Information related risks
AG03 Realized benefits from IT-enabled investments and services portfolio
AG04 Quality of technology related financial information
AG05 Delivery of IT services in line with business requirements
AG06 Agility to turn business requirements into operational solutions
AG07 Security of information, processing infrastructure and applications
AG08 Enablement and support of business processes by Integrating applications and technology
AG09 Delivery of programs on time, on budget, and meeting requirements and quality standards
AG10 Quality of IT Management Information
AG11 IT compliance with internal policies
AG12 Competent and motivated staff with mutual understanding of technology and business.
AG13 Knowledge, expertise and initiatives for business innovation

Enterprise goal | AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
EG01 Portfolio of agile and competitive products and services 0 0 1 0 2 2 0 2 2 0 0 0 2
EG02 Managed business risks 1 2 0 0 0 0 1 0 0 0 1 0 0
EG03 Compliance with external laws and regulations 2 0 0 0 0 0 0 0 0 0 2 0 0
EG04 Transparency and accuracy of financial information 0 0 0 2 0 0 0 0 0 2 0 0 0
EG05 Customer-oriented service culture 0 0 1 0 1 1 0 2 1 0 0 1 0
EG06 Business service continuity and availability 0 1 0 0 1 0 2 0 0 0 0 0 0
EG07 Accuracy (Quality?) of Management Information 0 0 0 2 0 0 0 0 0 2 0 0 0
EG08 Optimization of business process functionality 0 0 1 0 1 1 0 1 1 0 0 0 0
EG09 Optimization of business process costs 0 0 1 2 0 0 0 0 1 1 0 0 0
EG10 Staff skills, motivation and productivity 0 0 0 0 0 0 0 1 0 0 0 2 0
EG11 Compliance with internal policies 1 0 0 0 0 0 0 0 0 0 2 0 0
EG12 Managed business transformation programs 0 0 2 0 1 1 0 2 2 0 0 0 1
EG13 Product and business innovation 0 0 0 0 0 1 0 1 1 0 0 0 2

8 7 20 8 21 23 8 34 29 7 10 10 23

EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04

Managed Managed
Managed Managed IT Managed Managed
Mapping Table AG-GMO Ensured Governance Ensured Resource Ensured Stakeholder Managed IT Management Managed Human Managed Managed Managed Managed Managed Managed Managed Managed Managed Managed Performance Managed Compliance Managed
Requirement Solutions Managed IT Change Managed Managed Managed Managed Managed Service Managed Managed Business System of
Framework Setting & Ensured Benefits Delivery Ensured Risk Optimization Optimization Managed Strategy Managed Architecture Managed Innovation Managed Portfolio Managed Budget & Costs Resources Managed Relationships Service Managed Risk Information Availability & Organizationa Changes Security & with External Internal Audit
Transparency Framework Agreements Suppliers Quality Data Programs s Definition Identification Acceptance & Knowledge Assets Configuration Projects Operations Requests & Problems Continuity Process
Maintenance Security Capacity l Change Services Conformance Internal Requirement
& Build Transitioning Incidents Controls Monitoring Control s

AG01 IT compliance and support for business compliance with external laws and regulations 1 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 2 1
AG02 Managed Technology & Information related risks 1 0 2 0 0 1 0 0 0 0 0 0 0 0 0 0 2 1 1 0 0 0 0 0 1 1 0 0 0 0 0 1 1 1 2 1 0 1 0 1
AG03 Realized benefits from IT-enabled investments and services portfolio 2 2 0 1 0 2 1 1 1 2 1 1 1 0 0 1 0 0 0 2 1 1 0 2 0 0 1 0 0 2 0 0 0 0 0 0 1 0 0 0
AG04 Quality of technology related financial information 0 0 0 0 1 0 0 0 0 0 2 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 1 0 1
AG05 Delivery of IT services in line with business requirements 0 1 0 1 0 1 1 1 0 2 0 1 2 2 2 1 0 0 0 0 2 2 2 1 1 0 0 0 1 1 2 2 2 2 1 1 2 1 0 1
AG06 Agility to turn business requirements into operational solutions 0 1 0 1 0 0 1 2 2 1 0 0 2 0 1 0 0 0 0 1 2 2 0 1 2 2 1 0 0 2 0 0 0 0 0 0 0 0 0 0
AG07 Security of information, processing infrastructure and applications 0 0 2 0 0 1 0 1 0 0 0 0 0 0 0 0 2 2 1 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 2 1 0 1 0 1
AG08 Enablement and support of business processes by Integrating applications and technology 1 1 0 1 0 1 2 2 1 1 0 0 1 1 0 0 0 0 0 1 1 1 0 2 1 0 1 0 0 0 1 0 0 0 0 2 0 0 0 0
AG09 Delivery of programs on time, on budget, and meeting requirements and quality standards 0 0 0 2 0 1 0 0 0 1 2 1 1 0 1 2 0 0 0 2 2 2 1 2 0 1 1 0 0 2 0 0 0 0 0 0 1 1 0 0
AG10 Quality of IT Management Information 0 0 0 0 2 1 0 0 0 0 1 0 0 0 0 2 0 0 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 2 1 0 1
AG11 IT compliance with internal policies 1 0 1 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 2 1 2
AG12 Competent and motivated staff with mutual understanding of technology and business. 0 0 0 0 0 0 1 0 1 0 0 2 2 0 0 0 0 0 0 0 1 0 0 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0
AG13 Knowledge, expertise and initiatives for business innovation 0 1 0 0 0 0 1 0 2 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0


99 141 48 156 32 174 165 163 156 168 101 136 237 76 94 121 30 31 45 155 210 200 79 220 108 82 172 23 21 165 76 57 57 57 69 114 123 108 26 79
Baseline 99 114 63 129 63 180 132 135 120 141 117 108 189 63 78 132 36 39 78 129 174 165 69 183 90 69 135 51 18 138 63 54 54 54 81 105 135 135 39 111
Imp® 0 23 -24 20 -50 -4 25 20 30 19 -14 25 25 20 20 -9 -17 -21 -43 20 20 21 14 20 20 18 27 -55 16 19 20 5 5 5 -15 8 -9 -20 -34 -29


Information & Technology Governance System Design
Design Factor 3 Risk Profile

Input Section—Importance of Each Generic IT Risk Category

Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline
IT investment decision making, portfolio definition & maintenance 2 2 9
Program & projects life cycle management 4 3 9
IT cost & oversight 2 2 9
IT expertise, skills & behavior 4 4 9
Enterprise/IT architecture 2 2 9
IT operational infrastructure incidents 3 2 9
Unauthorized actions 3 4 9
Software adoption/usage problems 4 3 9
Hardware incidents 2 2 9
Software failures 3 3 9
Logical attacks (hacking, malware, etc.) 4 5 9
Third-party/supplier incidents 2 2 9
Noncompliance 3 3 9
Geopolitical Issues 2 2 9
Industrial action 1 3 9
Acts of nature 3 3 9
Technology-based innovation 5 3 9
Environmental 2 3 9
Data & information management 4 4 9

Risk Rating legend: Very High Risk; High Risk; Normal Risk; Low Risk

Average 8.89
Stdev 5.06
Correction Factor 1.01

[Chart: Design Factor 3 IT Risk Profile, Risk Rating of IT Risk Scenario Categories (Input); axis 0 to 25]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective | Score | Baseline Score | Relative Importance
EDM01 181 189 -5
EDM02 152 135 15
EDM03 180 162 10
EDM04 167 198 -15
EDM05 156 189 -15
APO01 366 324 15
APO02 134 144 -5
APO03 192 171 15
APO04 64 45 45
APO05 118 144 -15
APO06 118 153 -20
APO07 250 216 15
APO08 213 153 40
APO09 129 117 10
APO10 196 216 -10
APO11 128 99 30
APO12 132 90 50
APO13 155 99 60
APO14 263 198 35
BAI01 92 81 15
BAI02 134 117 15
BAI03 155 117 35
BAI04 12 9 35
BAI05 104 72 45
BAI06 192 135 45
BAI07 148 117 30
BAI08 151 135 15
BAI09 42 36 20
BAI10 138 99 40
BAI11 48 36 35
DSS01 128 135 -5
DSS02 184 144 30
DSS03 125 108 15
DSS04 241 216 15
DSS05 256 216 20
DSS06 196 144 40
MEA01 234 216 10
MEA02 256 243 5
MEA03 186 153 25
MEA04 264 225 20

[Chart: Design Factor 3 IT Risk Profile, Resulting Governance/Management Objectives Importance; axis -100 to 100]


RISKCAT01 IT Investment Decision Making, Portfolio Definition & Maintenance
RISKCAT02 Program & Projects Life Cycle Management
RISKCAT03 IT Cost & Oversight
RISKCAT04 IT Expertise, Skills & Behavior
RISKCAT05 Enterprise/IT Architecture
RISKCAT06 IT Operational Infrastructure Incidents
RISKCAT07 Unauthorized Actions
RISKCAT08 Software Adoption/Usage Problems
RISKCAT09 Hardware Incidents
RISKCAT10 Software Failures
RISKCAT11 Logical Attacks (Hacking, Malware, etc.)
RISKCAT12 Third-Party/Supplier Incidents
RISKCAT13 Noncompliance
RISKCAT14 Geopolitical Issues
RISKCAT15 Industrial Action
RISKCAT16 Acts of Nature
RISKCAT17 Technology-Based Innovation
RISKCAT18 Environmental
RISKCAT19 Data & Information Management

DF3 RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19

EDM01 3.0 2.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 2.0 2.0
EDM02 3.0 2.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 3.0 1.0 3.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 3.0 0.0 4.0 3.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 2.0 0.0 0.0 2.0 3.0
EDM05 3.0 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 1.0 0.0 1.0 3.0 3.0 0.0 0.0 0.0 2.0 2.0
APO01 2.0 3.0 2.0 0.0 2.0 2.0 4.0 2.0 0.0 2.0 3.0 3.0 3.0 0.0 0.0 0.0 3.0 2.0 3.0
APO02 2.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 1.0 0.0 1.0 2.0 0.0 0.0 0.0 0.0 2.0 2.0 1.0
APO03 2.0 0.0 0.0 0.0 4.0 0.0 0.0 2.0 0.0 2.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 0.0 3.0
APO04 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0
APO05 4.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 2.0 3.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 4.0 0.0 2.0 2.0 0.0
APO08 0.0 0.0 0.0 2.0 2.0 0.0 0.0 4.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 2.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 0.0 2.0 3.0 0.0 0.0 0.0 2.0 2.0 3.0 2.0 2.0 4.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0
APO11 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0
APO12 0.0 0.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0
APO13 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 4.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0
APO14 0.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 0.0 3.0 0.0 2.0 4.0 2.0 0.0 4.0
BAI01 0.0 4.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI02 2.0 2.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI03 0.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI04 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0
BAI07 0.0 0.0 0.0 0.0 0.0 2.0 3.0 2.0 0.0 4.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI08 0.0 0.0 0.0 2.0 0.0 3.0 0.0 3.0 0.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 2.0
BAI09 0.0 0.0 0.0 0.0 0.0 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI10 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS01 0.0 0.0 0.0 0.0 0.0 4.0 3.0 0.0 4.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 3.0 2.0 3.0 2.0 2.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 3.0 1.0 4.0 0.0 3.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 3.0 3.0 0.0 3.0 0.0 4.0 0.0 2.0 0.0 3.0 4.0 0.0 0.0 2.0


RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19

DF3 column headings:
RISKCAT01 IT Investment Decision Making, Portfolio Definition & Maintenance
RISKCAT02 Program & Projects Life Cycle Management
RISKCAT03 IT Cost & Oversight
RISKCAT04 IT Expertise, Skills & Behavior
RISKCAT05 Enterprise/IT Architecture
RISKCAT06 IT Operational Infrastructure Incidents
RISKCAT07 Unauthorized Actions
RISKCAT08 Software Adoption/Usage Problems
RISKCAT09 Hardware Incidents
RISKCAT10 Software Failures
RISKCAT11 Logical Attacks (Hacking, Malware, etc.)
RISKCAT12 Third-Party/Supplier Incidents
RISKCAT13 Noncompliance
RISKCAT14 Geopolitical Issues
RISKCAT15 Industrial Action
RISKCAT16 Acts of Nature
RISKCAT17 Technology-Based Innovation
RISKCAT18 Environmental
RISKCAT19 Data & Information Management

DSS05 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 2.0 0.0 4.0 0.0 3.0 0.0 3.0 2.0 0.0 0.0 3.0
DSS06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 2.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0
MEA01 1.0 2.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 2.0 3.0 2.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0
MEA02 1.0 2.0 2.0 0.0 0.0 3.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0
MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0


Information & Technology Governance System Design
Design Factor 4 I&T-Related Issues

Input Section—Importance of Each Generic I&T-Related Issue

I&T-Related Issue  Importance (1-3)  Baseline
Frustration between different IT entities across the organization because of a perception of low contribution to business value 2
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value 2
Significant I&T-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT 2
Service delivery problems by the IT outsourcer(s) 2
Failures to meet IT-related regulatory or contractual requirements 2
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems 2
Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets 2
Duplications or overlaps between various initiatives, or other forms of wasted resources 2
Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction 2
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget 2
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT 2
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions 2
Excessively high cost of IT 2
Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems 2
Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages 2
Regular issues with data quality and integration of data across various sources 2
High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation 2
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services) 2
Ignorance of and/or noncompliance with privacy regulations 2
Inability to exploit new technologies or innovate using I&T 2

Importance scale labels: No Issue, Issue, Serious Issue

Average 1.85
Stdev 0.79
Correction Factor 1.08

[Chart: Design Factor 4 I&T-Related Issues, Importance of I&T-Related Issues (Input); axis 0 to 3]
Output Section—Resulting relative importance of each governance/management objective

Design Factor 4 I&T-Related Issues
Resulting Governance/Management Objectives Importance

[Charts: Design Factor 4 I&T-Related Issues, Resulting Governance/Management Objectives Importance; axis -100 to 100, one entry per objective EDM01 to MEA04]

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 59.5 70 -10
EDM02 61 70 -5
EDM03 39 47 -10
EDM04 65.5 67 5
EDM05 33 41 -15
APO01 50 56 -5
APO02 48 50 5
APO03 64.5 66 5
APO04 35.5 32 20
APO05 61 68 -5
APO06 52 62 -10
APO07 49 47 15
APO08 67.5 70 5
APO09 36.5 43 -10
APO10 33 39 -10
APO11 34 43 -15
APO12 44.5 52 -5
APO13 26.5 33 -15
APO14 48.5 60 -15
BAI01 37.5 35 15
BAI02 47 51 0
BAI03 35 41 -10
BAI04 18.5 23 -15
BAI05 27.5 28 5
BAI06 38 42 0
BAI07 34 38 -5
BAI08 34.5 31 20
BAI09 22 23 5
BAI10 23 25 0
BAI11 46.5 45 10
DSS01 21 27 -15
DSS02 24.5 33 -20
DSS03 28 32 -5
DSS04 16.5 21 -15
DSS05 22.5 29 -15
DSS06 20 29 -25
MEA01 52.5 61 -5
MEA02 38 48 -15
MEA03 18.5 29 -30
MEA04 47 58 -10


DF4 column headings, left to right:
1. Frustration between different IT entities across the organization because of a perception of low contribution to business value
2. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
3. Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
4. Service delivery problems by the IT outsourcer(s)
5. Failures to meet IT-related regulatory or contractual requirements
6. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
7. Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets
8. Duplications or overlaps between various initiatives or other forms of wasted resources
9. Insufficient IT resources, staff with inadequate skills or staff burnout / dissatisfaction
10. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
11. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
12. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
13. Excessively high cost of IT
14. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
15. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
16. Regular issues with data quality and integration of data across various sources
17. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
18. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department
19. Ignorance of and/or noncompliance with privacy regulations
20. Inability to exploit new technologies or innovate using I&T

EDM01 3.0 3.0 1.0 1.0 2.0 2.0 2.0 1.0 1.0 1.0 3.0 3.5 1.0 1.0 1.0 1.0 2.0 3.0 1.5 1.0 35

EDM02 2.5 3.0 1.0 1.0 1.5 2.5 2.0 1.5 0.5 2.5 1.5 1.0 3.0 2.0 1.0 1.0 2.0 2.0 1.0 2.5 35

EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24

EDM04 1.0 1.0 1.0 1.0 1.0 2.0 3.0 3.5 3.5 1.0 1.5 0.0 4.0 2.0 1.0 1.5 2.0 2.5 0.0 1.0 34

EDM05 1.0 1.0 1.0 1.0 1.5 2.0 1.0 1.0 0.0 1.0 3.0 1.5 1.5 0.5 0.0 0.5 1.0 1.0 1.0 0.0 21

APO01 2.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.5 4.0 1.0 2.0 1.0 1.0 1.5 2.0 0.5 1.0 28

APO02 1.5 1.5 1.5 1.5 1.0 1.5 1.0 1.0 0.0 1.0 2.5 0.5 0.5 1.5 1.5 0.5 2.0 2.0 0.0 2.5 25

APO03 1.0 1.5 1.0 2.0 0.5 1.5 2.0 1.5 1.0 3.5 0.5 0.5 1.0 4.0 1.0 3.5 2.0 3.0 0.0 2.0 33

APO04 1.0 1.0 1.0 1.0 0.5 0.5 0.5 0.5 0.0 0.0 0.5 1.0 0.5 2.0 1.0 0.0 0.5 0.5 0.0 4.0 16

APO05 3.0 3.0 1.0 1.5 2.0 2.0 1.5 3.5 0.5 2.0 2.0 1.5 2.0 1.0 0.5 0.0 2.5 2.5 0.0 2.0 34

APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31

APO07 1.5 1.0 1.0 1.0 1.0 1.5 2.0 2.0 4.0 1.0 0.0 0.0 1.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 24

APO08 2.5 2.0 1.0 2.5 1.5 1.0 2.5 2.0 1.5 1.0 3.0 1.0 0.5 1.0 4.0 1.0 3.0 3.5 0.0 0.5 35

APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22

APO10 1.0 1.0 2.0 4.0 1.5 1.5 1.5 0.0 1.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 0.5 2.0 1.0 0.0 20

APO11 1.0 1.0 3.0 1.5 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.5 0.5 3.0 2.0 2.0 0.0 1.0 22

APO12 1.0 0.5 2.5 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.0 1.0 1.0 1.0 2.0 1.0 1.5 2.5 1.0 26

APO13 0.0 0.0 3.5 1.0 2.0 1.0 0.0 1.0 0.0 0.5 0.0 0.0 0.0 0.0 0.0 1.5 2.0 1.0 2.0 1.0 17

APO14 1.0 1.5 3.0 1.0 2.5 1.5 1.0 1.5 0.0 1.5 0.0 0.0 0.5 2.5 0.5 4.0 2.5 2.0 3.0 0.5 30

BAI01 0.0 1.0 1.5 0.0 0.0 0.0 0.0 3.0 1.0 3.5 0.0 0.0 1.5 0.5 1.0 0.0 1.5 2.0 0.0 1.0 18

BAI02 0.0 3.0 0.0 0.0 0.5 2.0 0.0 2.0 0.0 3.5 0.0 1.0 1.0 2.0 2.0 1.5 2.5 3.0 0.5 1.0 26

BAI03 1.0 2.0 2.0 0.0 0.0 2.0 0.0 1.0 0.0 3.0 0.0 0.5 1.0 1.0 1.0 0.5 2.0 2.0 1.0 0.5 21

BAI04 0.5 0.0 2.0 3.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 0.0 1.0 1.0 1.0 0.0 0.5 12

BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14

BAI06 0.0 0.0 2.5 3.0 0.5 1.5 0.0 1.0 0.0 1.5 0.0 1.0 0.5 1.0 0.5 2.0 2.0 2.0 1.0 1.0 21

BAI07 0.0 1.0 2.0 2.0 0.5 1.5 0.0 0.5 0.0 2.0 0.0 1.0 0.0 1.0 0.5 2.0 2.0 2.0 0.0 1.0 19

BAI08 0.0 0.0 0.0 1.5 0.5 0.5 0.0 1.0 2.0 0.5 0.0 0.5 0.0 1.0 3.0 2.0 1.0 1.5 0.0 0.5 16

BAI09 0.5 0.5 1.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 0.0 1.0 1.5 0.0 0.0 12

BAI10 0.0 0.0 2.5 2.0 0.5 0.0 0.0 0.5 0.0 0.0 0.0 0.0 1.0 1.5 0.0 1.5 1.0 2.0 0.0 0.0 13

BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 0.0 1.5 2.0 0.5 0.0 1.0 1.5 0.0 0.5 23



Step 2 Initial Design
Governance and Management Objectives Importance

[Bar chart; axis -100 to 100. Data labels per objective:]
EDM01 0
EDM02 60
EDM03 10
EDM04 -5
EDM05 -50
APO01 10
APO02 10
APO03 25
APO04 80
APO05 -10
APO06 -50
APO07 45
APO08 100
APO09 60
APO10 0
APO11 50
APO12 50
APO13 50
APO14 -10
BAI01 35
BAI02 30
BAI03 40
BAI04 70
BAI05 50
BAI06 60
BAI07 50
BAI08 55
BAI09 -20
BAI10 50
BAI11 45
DSS01 20
DSS02 60
DSS03 50
DSS04 50
DSS05 25
DSS06 40
MEA01 5
MEA02 -20
MEA03 -30
MEA04 -10

Information & Technology Governance System Design
Design Factor 5 Threat Landscape

Input Section—Importance of Threat Landscape

Value  Importance (100%)  Baseline
High 75% 33%
Normal 25% 67%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 5 IT Threat Landscape; legend: High, Normal; data labels: 25.00%, 75.00%]

Output Section—Resulting relative importance of each governance/management objective

Design Factor 5 Threat Landscape
Resulting Governance/Management Objectives Importance

[Charts: Design Factor 5 Threat Landscape, Resulting Governance/Management Objectives Importance; axis -100 to 100, one entry per objective EDM01 to MEA04]

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 2.50 1.66 50
EDM02 1.00 1.00 0
EDM03 3.25 1.99 65
EDM04 1.00 1.00 0
EDM05 1.75 1.33 30
APO01 2.50 1.66 50
APO02 1.00 1.00 0
APO03 2.50 1.66 50
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.75 1.33 30
APO08 1.00 1.00 0
APO09 1.75 1.33 30
APO10 2.50 1.66 50
APO11 1.75 1.33 30
APO12 3.25 1.99 65
APO13 3.25 1.99 65
APO14 2.50 1.66 50
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.75 1.33 30
BAI05 1.00 1.00 0
BAI06 2.50 1.66 50
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 2.50 1.66 50
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 2.50 1.66 50
DSS03 1.75 1.33 30
DSS04 3.25 1.99 65
DSS05 2.50 1.66 50
DSS06 2.50 1.66 50
MEA01 2.50 1.66 50
MEA02 1.75 1.33 30
MEA03 2.50 1.66 50
MEA04 2.50 1.66 50


DF5 High Normal


EDM01 3.0 1.0
EDM02 1.0 1.0
EDM03 4.0 1.0
EDM04 1.0 1.0
EDM05 2.0 1.0
APO01 3.0 1.0
APO02 1.0 1.0
APO03 3.0 1.0
APO04 1.0 1.0
APO05 1.0 1.0
APO06 1.0 1.0
APO07 2.0 1.0
APO08 1.0 1.0
APO09 2.0 1.0
APO10 3.0 1.0
APO11 2.0 1.0
APO12 4.0 1.0
APO13 4.0 1.0
APO14 3.0 1.0
BAI01 1.0 1.0
BAI02 1.0 1.0
BAI03 1.0 1.0
BAI04 2.0 1.0
BAI05 1.0 1.0
BAI06 3.0 1.0
BAI07 1.0 1.0
BAI08 1.0 1.0
BAI09 1.0 1.0
BAI10 3.0 1.0
BAI11 1.0 1.0
DSS01 1.0 1.0
DSS02 3.0 1.0

DSS03 2.0 1.0
DSS04 4.0 1.0
DSS05 3.0 1.0
DSS06 3.0 1.0
MEA01 3.0 1.0
MEA02 2.0 1.0
MEA03 3.0 1.0
MEA04 3.0 1.0


Information & Technology Governance System Design
Design Factor 6 Compliance Requirements

Input Section—Importance of Compliance Requirements

Value  Importance (100%)  Baseline
High 25% 0%
Normal 75% 100%
Low 0% 0%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 6 Compliance Requirements; legend: High, Normal, Low; data labels: 25.00%, 75.00%]

Output Section—Resulting relative importance of each governance/management objective

Design Factor 6 Compliance Requirements
Resulting Governance/Management Objectives Importance

[Charts: Design Factor 6 Compliance Requirements, Resulting Governance/Management Objectives Importance; axis -100 to 100, one entry per objective EDM01 to MEA04]

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 2.25 2.00 15
EDM02 1.00 1.00 0
EDM03 2.50 2.00 25
EDM04 1.00 1.00 0
EDM05 1.13 1.00 15
APO01 1.63 1.50 10
APO02 1.00 1.00 0
APO03 1.00 1.00 0
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.00 1.00 0
APO08 1.00 1.00 0
APO09 1.00 1.00 0
APO10 1.13 1.00 15
APO11 1.00 1.00 0
APO12 2.50 2.00 25
APO13 1.13 1.00 15
APO14 1.63 1.50 10
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.00 1.00 0
BAI05 1.00 1.00 0
BAI06 1.00 1.00 0
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.00 1.00 0
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 1.00 1.00 0
DSS03 1.00 1.00 0
DSS04 1.13 1.00 15
DSS05 1.25 1.00 25
DSS06 1.00 1.00 0
MEA01 1.00 1.00 0
MEA02 1.00 1.00 0
MEA03 2.50 2.00 25
MEA04 2.38 2.00 20


DF6 High Normal Low


EDM01 3.0 2.0 1.0
EDM02 1.0 1.0 1.0
EDM03 4.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.5 1.0 1.0
APO01 2.0 1.5 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.5 1.0 1.0
APO11 1.0 1.0 1.0
APO12 4.0 2.0 1.0
APO13 1.5 1.0 1.0
APO14 2.0 1.5 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0

DSS03 1.0 1.0 1.0
DSS04 1.5 1.0 1.0
DSS05 2.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.0 1.0 1.0
MEA02 1.0 1.0 1.0
MEA03 4.0 2.0 1.0
MEA04 3.5 2.0 1.0


Information & Technology Governance System Design
Design Factor 7 Role of IT

Input Section—Importance of Role of IT

Value  Importance (1-5)  Baseline
Support 1 3
Factory 1 3
Turnaround 2 3
Strategic 5 3

Average 2.25
Stdev 1.64
Correction Factor 1.33

[Chart: Design Factor 7 Role of IT (Input); axis 0 to 5; Support 1, Factory 1, Turnaround 2, Strategic 5]

Output Section—Resulting relative importance of each governance/management objective

Design Factor 7 Role of IT
Resulting Governance/Management Objectives Importance

[Charts: Design Factor 7 Role of IT, Resulting Governance/Management Objectives Importance; axis -100 to 100, one entry per objective EDM01 to MEA04]

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 26.0 25.5 35
EDM02 22.0 22.5 30
EDM03 21.0 24.0 15
EDM04 14.0 15.0 25
EDM05 14.0 15.0 25
APO01 18.0 19.5 25
APO02 23.0 24.0 30
APO03 16.0 18.0 20
APO04 28.5 27.0 40
APO05 22.0 22.5 30
APO06 14.0 15.0 25
APO07 11.5 13.5 15
APO08 18.5 19.5 25
APO09 16.0 19.5 10
APO10 16.5 21.0 5
APO11 15.5 18.0 15
APO12 20.5 22.5 20
APO13 21.0 22.5 25
APO14 18.0 19.5 25
BAI01 18.5 19.5 25
BAI02 23.0 24.0 30
BAI03 23.0 24.0 30
BAI04 16.5 21.0 5
BAI05 14.0 15.0 25
BAI06 15.5 19.5 5
BAI07 16.0 18.0 20
BAI08 14.0 15.0 25
BAI09 14.0 15.0 25
BAI10 14.5 16.5 15
BAI11 16.0 18.0 20
DSS01 21.5 25.5 10
DSS02 22.0 25.5 15
DSS03 24.5 27.0 20
DSS04 24.5 27.0 20
DSS05 24.5 27.0 20
DSS06 16.5 16.5 35
MEA01 14.0 15.0 25
MEA02 14.0 15.0 25
MEA03 11.5 13.5 15
MEA04 14.0 15.0 25


DF7 Support Factory Turnaround Strategic


EDM01 1.0 2.0 1.5 4.0
EDM02 1.0 1.0 2.5 3.0
EDM03 1.0 3.0 1.0 3.0
EDM04 1.0 1.0 1.0 2.0
EDM05 1.0 1.0 1.0 2.0
APO01 1.0 1.5 1.5 2.5
APO02 1.0 1.0 3.0 3.0
APO03 1.0 1.0 2.0 2.0
APO04 0.5 1.0 3.5 4.0
APO05 1.0 1.0 2.5 3.0
APO06 1.0 1.0 1.0 2.0
APO07 1.0 1.0 1.0 1.5
APO08 1.0 1.0 2.0 2.5
APO09 1.0 2.0 1.5 2.0
APO10 1.0 2.5 1.5 2.0
APO11 1.0 1.5 1.5 2.0
APO12 1.0 2.5 1.0 3.0
APO13 1.0 2.0 1.5 3.0
APO14 1.0 1.5 1.5 2.5
BAI01 1.0 1.0 2.0 2.5
BAI02 1.0 1.0 3.0 3.0
BAI03 1.0 1.0 3.0 3.0
BAI04 1.0 2.5 1.5 2.0
BAI05 1.0 1.0 1.0 2.0
BAI06 1.0 2.5 1.0 2.0
BAI07 1.0 1.0 2.0 2.0
BAI08 1.0 1.0 1.0 2.0
BAI09 1.0 1.0 1.0 2.0
BAI10 1.0 1.5 1.0 2.0
BAI11 1.0 1.0 2.0 2.0
DSS01 1.0 3.5 1.0 3.0
DSS02 1.0 3.0 1.5 3.0

DSS03 1.0 3.0 1.5 3.5
DSS04 1.0 3.0 1.5 3.5
DSS05 1.5 2.5 1.5 3.5
DSS06 1.0 1.0 1.0 2.5
MEA01 1.0 1.0 1.0 2.0
MEA02 1.0 1.0 1.0 2.0
MEA03 1.0 1.0 1.0 1.5
MEA04 1.0 1.0 1.0 2.0


Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT

Input Section—Importance of Sourcing Model for IT

Value  Importance (100%)  Baseline
Outsourcing 30% 33%
Cloud 50% 33%
Insourced 20% 34%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 8 IT Sourcing Model (Input); legend: Outsourcing, Cloud, Insourced; data labels: 20.00%, 30.00%, 50.00%]

Output Section—Resulting relative importance of each governance/management objective

Design Factor 8 Sourcing Model for IT
Resulting Governance/Management Objectives Importance

[Charts: Design Factor 8 Sourcing Model for IT, Resulting Governance/Management Objectives Importance; axis -100 to 100, one entry per objective EDM01 to MEA04]

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 1.00 1.00 0
EDM02 1.00 1.00 0
EDM03 1.50 1.33 15
EDM04 1.00 1.00 0
EDM05 1.00 1.00 0
APO01 1.00 1.00 0
APO02 1.00 1.00 0
APO03 1.00 1.00 0
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.00 1.00 0
APO08 1.00 1.00 0
APO09 3.40 2.98 15
APO10 3.40 2.98 15
APO11 1.00 1.00 0
APO12 1.80 1.66 10
APO13 1.00 1.00 0
APO14 1.00 1.00 0
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.00 1.00 0
BAI05 1.00 1.00 0
BAI06 1.00 1.00 0
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.00 1.00 0
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 1.00 1.00 0
DSS03 1.00 1.00 0
DSS04 1.00 1.00 0
DSS05 1.00 1.00 0
DSS06 1.00 1.00 0
MEA01 2.60 2.32 10
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0


DF8 Outsourcing Cloud Insourcing


EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 4.0 4.0 1.0
APO10 4.0 4.0 1.0
APO11 1.0 1.0 1.0
APO12 2.0 2.0 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.0 1.0 1.0
DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 3.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods

Input Section—Importance of IT Implementation Methods

Value Importance (100%) Baseline
Agile 50% 15%
DevOps 10% 10%
Traditional 40% 75%

[Pie chart: Design Factor 9 IT Implementation Methods. Agile 50.00%, DevOps 10.00%, Traditional 40.00%]


Output Section—Resulting relative importance of each governance/management objective

[Chart: Design Factor 9 IT Implementation Methods, Resulting Governance/Management Objectives Importance, scale -100 to 100]

Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 1.00 1.00 0
EDM02 1.00 1.00 0
EDM03 1.00 1.00 0
EDM04 1.00 1.00 0
EDM05 1.00 1.00 0
APO01 1.00 1.00 0
APO02 1.00 1.00 0
APO03 1.10 1.10 0
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.05 1.05 0
APO08 1.00 1.00 0
APO09 1.00 1.00 0
APO10 1.00 1.00 0
APO11 1.00 1.00 0
APO12 1.05 1.05 0
APO13 1.00 1.00 0
APO14 1.00 1.00 0
BAI01 1.55 1.20 30
BAI02 2.35 1.48 60
BAI03 2.70 1.65 65
BAI04 1.00 1.00 0
BAI05 1.80 1.28 40
BAI06 2.35 1.48 60
BAI07 1.90 1.38 40
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.35 1.18 15
BAI11 1.75 1.23 45
DSS01 1.15 1.15 0
DSS02 1.05 1.05 0
DSS03 1.05 1.05 0
DSS04 1.00 1.00 0
DSS05 1.00 1.00 0
DSS06 1.00 1.00 0
MEA01 1.30 1.13 15
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0


DF9 Agile DevOps Traditional


EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 1.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 2.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.5 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.0 1.0 1.0
APO11 1.0 1.0 1.0
APO12 1.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 2.0 1.5 1.0
BAI02 3.5 2.0 1.0
BAI03 4.0 3.0 1.0
BAI04 1.0 1.0 1.0
BAI05 2.5 1.5 1.0
BAI06 3.5 2.0 1.0
BAI07 2.5 2.5 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 2.0 1.0
BAI11 2.5 1.0 1.0
DSS01 1.0 2.5 1.0
DSS02 1.0 1.5 1.0
DSS03 1.0 1.5 1.0
DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.5 1.5 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy

Input Section—Importance of Technology Adoption Strategy

Value Importance (100%) Baseline
First mover 75% 15%
Follower 15% 70%
Slow adopter 10% 15%

[Pie chart: Design Factor 10 Technology Adoption Strategy. First mover 75.00%, Follower 15.00%, Slow adopter 10.00%]


Output Section—Resulting relative importance of each governance/management objective

[Chart: Design Factor 10 Technology Adoption Strategy, Resulting Governance/Management Objectives Importance, scale -100 to 100]

Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 3.15 2.50 25
EDM02 3.53 2.58 35
EDM03 1.38 1.08 30
EDM04 2.33 2.00 15
EDM05 1.38 1.08 30
APO01 2.20 1.58 40
APO02 3.60 2.93 25
APO03 1.75 1.15 50
APO04 3.55 2.85 25
APO05 3.48 2.50 40
APO06 1.08 1.35 -20
APO07 2.13 1.23 75
APO08 2.58 1.65 55
APO09 1.45 1.43 0
APO10 2.20 1.58 40
APO11 1.45 1.43 0
APO12 1.83 1.50 20
APO13 1.00 1.00 0
APO14 2.28 1.93 20
BAI01 3.60 2.93 25
BAI02 3.10 2.43 30
BAI03 3.48 2.50 40
BAI04 1.45 1.43 0
BAI05 2.65 2.00 35
BAI06 2.28 1.93 20
BAI07 3.10 2.43 30
BAI08 1.38 1.08 30
BAI09 1.00 1.00 0
BAI10 1.38 1.08 30
BAI11 3.10 2.43 30
DSS01 1.00 1.00 0
DSS02 1.00 1.00 0
DSS03 1.38 1.08 30
DSS04 1.38 1.08 30
DSS05 1.38 1.08 30
DSS06 1.00 1.00 0
MEA01 2.65 2.00 35
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0


DF10 First Mover Follower Slow Adopter


EDM01 3.5 2.5 1.5
EDM02 4.0 2.5 1.5
EDM03 1.5 1.0 1.0
EDM04 2.5 2.0 1.5
EDM05 1.5 1.0 1.0
APO01 2.5 1.5 1.0
APO02 4.0 3.0 1.5
APO03 2.0 1.0 1.0
APO04 4.0 3.0 1.0
APO05 4.0 2.5 1.0
APO06 1.0 1.5 1.0
APO07 2.5 1.0 1.0
APO08 3.0 1.5 1.0
APO09 1.5 1.5 1.0
APO10 2.5 1.5 1.0
APO11 1.5 1.5 1.0
APO12 2.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 2.5 2.0 1.0
BAI01 4.0 3.0 1.5
BAI02 3.5 2.5 1.0
BAI03 4.0 2.5 1.0
BAI04 1.5 1.5 1.0
BAI05 3.0 2.0 1.0
BAI06 2.5 2.0 1.0
BAI07 3.5 2.5 1.0
BAI08 1.5 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 1.0 1.0
BAI11 3.5 2.5 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.5 1.0 1.0
DSS04 1.5 1.0 1.0
DSS05 1.5 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 2.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0



Governance and Management Objectives Importance (All Design Factors)

EDM01 60
EDM02 65
EDM03 75
EDM04 15
EDM05 20
APO01 65
APO02 35
APO03 70
APO04 80
APO05 25
APO06 -25
APO07 85
APO08 95
APO09 60
APO10 60
APO11 50
APO12 95
APO13 80
APO14 40
BAI01 60
BAI02 75
BAI03 90
BAI04 55
BAI05 80
BAI06 100
BAI07 70
BAI08 60
BAI09 0
BAI10 85
BAI11 70
DSS01 15
DSS02 65
DSS03 70
DSS04 90
DSS05 75
DSS06 65
MEA01 65
MEA02 15
MEA03 25
MEA04 40
[Radar charts: Design Factor 1 Enterprise Strategy, Design Factor 2 Enterprise Goals, Design Factor 3 Risk Profile, Design Factor 4 I&T-Related Issues. Each plots Resulting Governance/Management Objectives Importance on a scale from -100 to 100.]

Initial Summary—Governance and Management Objectives

EDM01—Ensured Governance Framework Setting & Maintenance 0
EDM02—Ensured Benefits Delivery 60
EDM03—Ensured Risk Optimization 10
EDM04—Ensured Resource Optimization -5
EDM05—Ensured Stakeholder Engagement -50
APO01—Managed I&T Management Framework 10
APO02—Managed Strategy 10
APO03—Managed Enterprise Architecture 25
APO04—Managed Innovation 80
APO05—Managed Portfolio -10
APO06—Managed Budget & Costs -50
APO07—Managed Human Resources 45
APO08—Managed Relationships 100
APO09—Managed Service Agreements 60
APO10—Managed Vendors 0
APO11—Managed Quality 50
APO12—Managed Risk 50
APO13—Managed Security 50
APO14—Managed Data -10
BAI01—Managed Programs 35
BAI02—Managed Requirements Definition 30
BAI03—Managed Solutions Identification & Build 40
BAI04—Managed Availability & Capacity 70
BAI05—Managed Organizational Change 50
BAI06—Managed IT Changes 60
BAI07—Managed IT Change Acceptance and Transitioning 50
BAI08—Managed Knowledge 55
BAI09—Managed Assets -20
BAI10—Managed Configuration 50
BAI11—Managed Projects 45
DSS01—Managed Operations 20
DSS02—Managed Service Requests & Incidents 60
DSS03—Managed Problems 50
DSS04—Managed Continuity 50
DSS05—Managed Security Services 25
DSS06—Managed Business Process Controls 40
MEA01—Managed Performance and Conformance Monitoring 5
MEA02—Managed System of Internal Control -20
MEA03—Managed Compliance with External Requirements -30
MEA04—Managed Assurance -10


[Radar charts: Design Factor 5 Threat Landscape, Design Factor 6 Compliance Requirements, Design Factor 7 Role of IT, Design Factor 8 Sourcing Model for IT, Design Factor 9 IT Implementation Methods, Design Factor 10 Technology Adoption Strategy. Each plots Resulting Governance/Management Objectives Importance on a scale from -100 to 100.]

Governance and Management Objectives Importance (All Design Factors)

EDM01—Ensured Governance Framework Setting & Maintenance 60
EDM02—Ensured Benefits Delivery 65
EDM03—Ensured Risk Optimization 75
EDM04—Ensured Resource Optimization 15
EDM05—Ensured Stakeholder Engagement 20
APO01—Managed I&T Management Framework 65
APO02—Managed Strategy 35
APO03—Managed Enterprise Architecture 70
APO04—Managed Innovation 80
APO05—Managed Portfolio 25
APO06—Managed Budget & Costs -25
APO07—Managed Human Resources 85
APO08—Managed Relationships 95
APO09—Managed Service Agreements 60
APO10—Managed Vendors 60
APO11—Managed Quality 50
APO12—Managed Risk 95
APO13—Managed Security 80
APO14—Managed Data 40
BAI01—Managed Programs 60
BAI02—Managed Requirements Definition 75
BAI03—Managed Solutions Identification & Build 90
BAI04—Managed Availability & Capacity 55
BAI05—Managed Organizational Change 80
BAI06—Managed IT Changes 100
BAI07—Managed IT Change Acceptance and Transitioning 70
BAI08—Managed Knowledge 60
BAI09—Managed Assets 0
BAI10—Managed Configuration 85
BAI11—Managed Projects 70
DSS01—Managed Operations 15
DSS02—Managed Service Requests & Incidents 65
DSS03—Managed Problems 70
DSS04—Managed Continuity 90
DSS05—Managed Security Services 75
DSS06—Managed Business Process Controls 65
MEA01—Managed Performance and Conformance Monitoring 65
MEA02—Managed System of Internal Control 15
MEA03—Managed Compliance with External Requirements 25
MEA04—Managed Assurance 40
