Come join the discussion! Jorge E. Barrera N. will respond to questions in the discussion area of the
COBIT 5—Use It Effectively topic beginning 22 July 2013.
In addition to these benefits generated by the implementation of the COBIT 5 Assessment Programme, this article adds the
following short-term benefits:
- Substantial improvement of GEIT understanding in practice
- Consolidated understanding of the need to use COBIT 5 as a GEIT umbrella
- Integrated and effective use of GEIT frameworks and standards through the alignment provided by COBIT 5 as the umbrella framework
- Appropriate support for the natural complexity of managing all work products related to the COBIT 5 framework and PAM
- Standardized treatment of all former GEIT achievements by transitioning them to a COBIT 5 environment in practice, as a result of the first assessment
The magnitude of these benefits depends greatly on the way evaluations are made. A measurement can be based on personal judgments, on judgments based on formal guidance, or on judgments based on formal guidance with defined evidence requirements. Measurements based on judgments alone may carry a high degree of uncertainty, which propagates to the business case and action plans derived from them. These drawbacks can be obviated if assessments based on judgments are treated, as posed in COBIT® Self-assessment Guide: Using COBIT® 5, as a precursor to more rigorous evaluations based on evidence.
The evidence management model presented in this article therefore responds to a real need; its main parts are:
- Taxonomy of the evidence management
- Relationships between elements of the COBIT 5 PAM
- Alignment and integration of the frameworks for GEIT around COBIT 5
- GEIT artifacts baseline or GEIT evidence baseline
- A method for qualifying the level/degree of evidence
- Life cycle of the evidence management model
The primary objective of this article is to motivate readers to decide to initiate or improve their GEIT implementations using
COBIT 5 as the umbrella framework. Assessing the IT environment of the organization based on PAM and an evidence
management model, such as the one presented in this article, provides a good foundation for this purpose.
The elements of these 12 artifact categories generally correspond to the frameworks’ specific topic documents. These documents are related to one another. The elements of output categories may also correspond to services or other results.
Frameworks that can be aligned to COBIT 5 by the proposal of this article are ITIL V3, ISO 2700X, The Open Group
Architecture Framework (TOGAF), ArchiMate, the Project Management Body of Knowledge (PMBOK), the Capability Maturity
Model Integration (CMMI), Microsoft Operations Framework (MOF) and ad hoc regulatory frameworks for monitoring and
control.
The COBIT 5 PAM work products are the same outputs that are defined in COBIT 5: Enabling Processes, in which they
are defined for each governance and management practice of the process. The inputs are defined in the same manner.
These semantic considerations help in understanding COBIT 5 PAM and are the foundation of its practical application.
Implementing GEIT requires taking COBIT 5, ITIL V3, ISO/IEC 27001 and other related standards and frameworks into account in an integrated way. The following structure of activities and results defines a strategy for alignment and integration between frameworks:
Stage one—Domains of COBIT, ITIL V3 books, ISO 27001 domains, core and phases of TOGAF, and domains of other frameworks
Stage two—Processes of COBIT, ITIL V3 book chapters, control objectives of ISO 27001, artifact categories of TOGAF
The proposed alignment and integration of this article, based on COBIT 5 as the umbrella framework and GEIT at the hypocenter of the third and fourth stages of the structure, is grounded in the following statements:
- The GEIT implementation unit is the governance or management practice of COBIT 5. In terms of PMBOK, this is to say, as a general guide, that each work package of IT projects is a governance practice of COBIT 5 to be implemented or improved with its respective outputs.
- Processes of aligned frameworks are selected for implementation with their own identity when they generate outputs equivalent to COBIT 5 work products. This amounts to saying that the selected process makes a primary contribution to GEIT.
- Detailed analysis concluded that all processes, functions and activities of ITIL V3 and 112 controls of ISO/IEC 27001 deserve implementation with proper identity. This represents less than 50 percent of GEIT. The remaining 21 controls of ISO/IEC 27001 make secondary contributions to GEIT.
- Processes of other frameworks, such as TOGAF, PMBOK, CMMI and MOF, that generate outputs equivalent to the work products of COBIT 5 and are not covered by ITIL V3 and ISO/IEC 27001 can be implemented with their own identities.
- Governance and management practices of COBIT 5 that are not represented by processes of other frameworks should be implemented directly with their own identities. This should draw upon the secondary contributions from other frameworks.
- All catalogs, matrices and diagrams proposed by TOGAF are considered elements that must be taken into account by processes of COBIT 5 and processes of aligned frameworks that are being implemented.
- The more than 440 outputs of governance practices defined by COBIT 5 and the 208 outputs defined by COBIT® 5 for Information Security should be treated in an integrated manner by each governance and management practice. This statement also applies to the outputs defined in the future by forthcoming COBIT 5 guides.
- The GEIT contribution that an element of the aligned framework makes is considered primary when it is sufficient to optimally support the functionality covered by its scope. Otherwise, this contribution, if it exists, is considered secondary.
An ITIL V3 process, once selected for implementation, is oriented so as to determine each COBIT 5 work product that applies to it. The definition of activities; inputs; outputs; the Responsible, Accountable, Consulted and Informed (RACI) matrix; goals; and metrics should be guided by the architecture of COBIT 5 processes. However, this definition must use and leverage the ITIL V3 contribution. The same applies to any ISO 27001 control and any process of an aligned framework that was chosen for implementation.
The alignment and integration strategy proposed in this article allows, for example, for the initial use of TOGAF by mapping to
the catalogs, matrices and diagrams proposed. These elements are generated from the umbrella of COBIT 5 without the need
to understand the whole philosophy of TOGAF in order to achieve its benefits.
This initial use of TOGAF without preamble opens the door to TOGAF’s ally ArchiMate, a standard that facilitates the management of the elements defining enterprise architectures and the relationships among these elements.
The use of COBIT, ITIL, ISO/IEC standards, TOGAF, ArchiMate and PMBOK elements, as well as those of other GEIT frameworks and standards, must respect the intellectual property rights defined by each of the respective owners.
GEIT artifacts that are in operation are registered in the organization’s baseline of GEIT artifacts. This baseline must support the release management and the distribution management of the organization’s artifacts. In the management of this baseline of artifacts, the following four recording aspects are distinguished:
Single record of artifacts—The use of the alignment and integration structure of frameworks, described previously, enables the definition of a single identification code structure for artifacts with the following stages of GEIT:
1. Category of artifacts
2. Framework that is valid in the category
When the third stage is set to “000,” all lower stages take the same value “000” to indicate that the artifact applies its content, in a generalized way, to that stage and to the dependent stages.
Relationships of COBIT 5 PAM model elements—These elements were listed in the definition of the taxonomy of the evidence management described previously. This article emphasizes the following relationships between GEIT work products and:
- Outcomes of each COBIT 5 process
- Results of attributes at each capability level of the COBIT 5 processes
- Generic work products of each COBIT 5 process
The first two items give support to evidence-based assessments using the COBIT 5 PAM as illustrated in figure 2. The
third item supports the evaluation, also with evidence, of the state of the generic work products of each COBIT 5 process.
[Figure: Process’s Outcomes]
Therefore, this GEIT artifacts baseline supports the recording of all work products related to the COBIT 5 PAM and the management of the relationships among them that its assessment processes require.
This sequence of steps corresponds to an evidence management perspective in measuring capability levels of processes. The implementation of this life cycle should be adapted depending on the orientation that each organization takes from COBIT® 5 Implementation and COBIT® Assessor Guide: Using COBIT® 5.
A self-learning exercise is suggested in the business case sample presented in COBIT® 5 Implementation, and the evaluation of GEIT processes should be supported by the tools defined in the appendices of COBIT® Assessor Guide and its critical success factors.
The mappings from artifacts to COBIT 5 processes, combined with the mapping of IT process goals to IT-related goals and on
to enterprise goals, provide the necessary support to make bottom-up assessments on the cascade of COBIT 5 goals. This
mapping supports a positive effect on the management of the GEIT balanced scorecard of the organization—linking IT
process capability improvement opportunities directly with enterprise goals.
It is estimated that the first record with total quality of the GEIT evidence and an initial evaluation of COBIT 5 processes may
take no more than three months, depending on the size and location of the organization, the defined scope, and the resources
allocated to this purpose.
Acknowledgment
The content of this article is the result of work done by the G2eTIC Project, which was conceived with an academic and business orientation. References to documents of COBIT® 5 and the use of its content are made in accordance with the respective license agreement between ISACA and the author of this article. G2eTIC has the conceptual framework, methodological tools and complementary tools corresponding to the proposal presented in this article.
Jorge E. Barrera N., CISA, CGEIT, CRISC, COBIT (F), ITIL V3F, PMP
Endnotes
1. ISACA, COBIT® Process Assessment Model (PAM): Using COBIT® 5, 2012
2. ISACA, COBIT® Assessor Guide: Using COBIT® 5, 2012
3. ISACA, COBIT® Self-assessment Guide: Using COBIT® 5, 2012
4. ISACA, COBIT® Assessment Programme Tool Kit: Using COBIT® 5, 2012
5. ISACA, COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, 2012
6. Ibid.
7. ISACA, COBIT® 5 Implementation, 2012