
Volume 3, July 2013

Come join the discussion! Jorge E. Barrera N. will respond to questions in the discussion area of the
COBIT 5—Use It Effectively topic beginning 22 July 2013.

Evidence Management for the COBIT 5 Assessment Programme


By Jorge E. Barrera N., CISA, CGEIT, CRISC, COBIT (F), ITIL V3F, PMP

This article presents a proposal based on the COBIT 5 Assessment Programme[1, 2, 3, 4] for a quick and consistent start to the
implementation of COBIT® 5 in any IT environment, whether currently based on COBIT® 4.1 or not.

From a conceptual point of view, COBIT 5[5] is fascinating for its incorporated principles and its generic model of enablers.
Besides that, its assessment program helps IT leaders provide a business view of IT’s ability to create value and support
enterprise goals through effective IT processes. The results of this program provide a determination of process capability and
can be used for:
 Delivering value to the business. This is viewed as an incremental achievement of strategic goals and a clear
realization of business benefits through effective and innovative use of IT.
 Developing IT process improvement. Periodic measurement of IT processes supports the definition of effective
governance of enterprise IT (GEIT) road maps to drive continuous improvement.
 Measuring the achievement of business goals. Each business goal can be evaluated every time the related GEIT
processes are evaluated. To do so, one can use COBIT 5’s matrix with relationships between business goals and GEIT
processes.
 Generating consistent reports. Reports on the state of the organization's GEIT are derived from the assessment
process, which is supported by the COBIT® Assessment Programme methodology and tools; the use of COBIT® Process
Assessment Model (PAM): Using COBIT® 5 (COBIT 5 PAM) and COBIT® Assessor Guide: Using COBIT® 5 makes the results
consistent and reliable.
 Ensuring organizational compliance. Laws and regulations of any kind that affect the organization's GEIT are treated
as inputs to the COBIT 5 framework and the PAM, so demonstrating compliance with them becomes part of the assessment.
 Benchmarking. Periodic measurement of GEIT process capabilities allows for constructive and ongoing comparison
between businesses employing the same or equivalent industry best practices.

In addition to these benefits generated by the implementation of the COBIT 5 Assessment Programme, this article adds the
following short-term benefits:
 Substantial improvement of GEIT understanding in practice
 Consolidated understanding of the need to use COBIT 5 as a GEIT umbrella
 Integrated and effective use of GEIT frames and standards through the alignment provided by COBIT 5 as the umbrella
framework
 Appropriate support to the natural complexity of managing all work products related to the COBIT 5 framework and PAM
 Standardized treatment of all former GEIT achievements by transitioning them to a COBIT 5 environment in practice, as a
result of the first assessment

The magnitude of these benefits depends greatly on how the evaluations are made. A measurement can be based on
personal judgment, on judgment guided by formal guidance, or on judgment guided by formal guidance with defined
evidence requirements. Measurements based on judgment alone may carry a high degree of uncertainty, which propagates to
the business case and to the action plans derived from it. These drawbacks can be reduced if assessments based on
judgment, as posed in COBIT® Self-assessment Guide: Using COBIT® 5, are treated as a precursor to more rigorous,
evidence-based evaluations.
The evidence management model presented in this article therefore responds to a real need; its main parts are:
 Taxonomy of the evidence management
 Relationships between elements of the COBIT 5 PAM
 Alignment and integration of the frameworks for GEIT around COBIT 5
 GEIT artifacts baseline or GEIT evidence baseline
 A method for qualifying the level/degree of evidence
 Life Cycle of Evidence Management Model

The primary objective of this article is to motivate readers to decide to initiate or improve their GEIT implementations using
COBIT 5 as the umbrella framework. Assessing the IT environment of the organization based on PAM and an evidence
management model, such as the one presented in this article, provides a good foundation for this purpose.

Taxonomy of Evidence Management


The predominant entities for managing evidence are grouped as:
 Elements of the COBIT 5 PAM Model: IT process, capability level, attribute, result, work product, generic work product,
generic practice, outcome, content, base practice, output, input and rating level. The definition of these terms is in section
1.7 of the COBIT 5 PAM.
 Derived elements from GEIT frameworks: Called artifacts, the elements of this group are distinguished into the
following 12 categories:
- Cat01 Inputs from outside of COBIT 5
- Cat02 Outputs or work products of COBIT 5 processes
- Cat03 Outputs of ITIL V3 processes and other aligned frameworks
- Cat04 Outputs of auditing and monitoring frames
- Cat05 Guides and other documents derived from COBIT 5 processes
- Cat06 Guides and other documents derived from aligned frameworks
- Cat07 Guides and other documents derived from monitoring frames
- Cat08 Guides derived from COBIT® 5 Implementation
- Cat09 Deliverables generated by continual improvement projects
- Cat10 Artifacts related to deliverables
- Cat11 Support bibliography
- Cat12 Guides and other documents derived from the controlled evolution of the proposal presented in this article
(G2eTIC Project)

The elements of these 12 artifact categories generally correspond to the frameworks' specific topic documents, and these
documents are related to one another. The elements of the output categories may also correspond to services or other results.

Frameworks that can be aligned to COBIT 5 by the proposal of this article are ITIL V3, ISO 2700X, The Open Group
Architecture Framework (TOGAF), ArchiMate, the Project Management Body of Knowledge (PMBOK), the Capability Maturity
Model Integration (CMMI), Microsoft Operations Framework (MOF) and ad hoc regulatory frameworks for monitoring and
control.

Relationships Among Elements of COBIT 5 PAM


An analysis of the figures and contents of COBIT 5 PAM results in the following semantic relationships:
 Each process has its specific outcomes.
 Level 1 of each process must be evaluated according to the current state of its outcomes.
 Levels 2 to 5 of each process have two attributes each.
 For levels 2 to 5, each attribute defines several results.
 Each result requires a single generic practice.
 The generic practices apply to levels 2 to 5 of all COBIT processes.
 The generic practices apply equally to the results of the attributes of the levels of each COBIT process and the generic
work products (GWP).
 The COBIT 5 PAM base practices are the same governance and management practices defined in COBIT® 5: Enabling
Processes.
 The COBIT 5 PAM work products are the same outputs that are defined in COBIT 5: Enabling Processes, where they
are defined for each governance and management practice of the process. The inputs are defined in the same manner.

Volume 2, April 2013 Page 2


 COBIT 5 PAM relates the outcomes of each process with the base practices and the inputs and outputs of each process.
 COBIT 5 PAM relates the GWPs of the processes directly to the capability levels of the processes, not to the attributes;
therefore, it is not possible to evaluate the attributes of the capability levels on the basis of GWPs. However, a useful
perspective is to assess directly the capability level of the process through the GWP concept.

These semantic considerations help in understanding COBIT 5 PAM and are the foundation of its practical application.

Alignment and Integration of GEIT Frameworks Around COBIT 5


Figure 1 presents the role of COBIT 5 as the umbrella framework that defines the conceptual spectrum of GEIT; the other
frameworks/standards operate as contributors. For example, ITIL V3 covers just under 30 percent of GEIT and ISO/IEC
27001[6] covers just under another 15 percent. As figure 1 illustrates, the scopes of ITIL V3 and ISO 27001 are only parts of
the larger GEIT picture; focusing on them in isolation when addressing the overall GEIT picture raises the risk that their
relationships with the rest of the GEIT spectrum cannot be properly understood or justified, and a major part of the GEIT
spectrum would then remain outside the organization's business case.

Figure 1—COBIT 5 Coverage of Other Standards and Frameworks

Source: ISACA, COBIT 5, 2012, figure 25

It is necessary to take into account, in an integrated way, COBIT 5, ITIL V3, ISO/IEC 27001 and other related standards and
frameworks when implementing GEIT. The following structure of activities and results defines a strategy for alignment and
integration between frameworks:
 Stage one—Domains of COBIT, ITIL V3 books, ISO 27001 domains, core and phases of TOGAF, and domains of other
frameworks
 Stage two—Processes of COBIT, ITIL V3 book chapters, control objectives of ISO 27001, artifact categories of TOGAF
and second stages of other frameworks, such as CMMI constellations
 Stage three—COBIT governance practices, processes/functions/activities of ITIL, ISO 27001 controls and processes of
other frameworks. This stage includes the diagrams, catalogs and matrices of TOGAF.
 Stage four—Outputs of COBIT governance practices and of processes of aligned frameworks. This stage also includes the
defined activities or tasks of the different frameworks.

The alignment and integration proposed in this article, with COBIT 5 as the umbrella framework and GEIT at the center of
the third and fourth stages of the structure, is grounded on the following statements:
 The GEIT implementation unit is the governance or management practice of COBIT 5. In terms of PMBOK, this is to say,
as a general guide, that each work package of IT projects is a governance practice of COBIT 5 to be implemented or
improved with its respective outputs.
 Processes of aligned frameworks are selected for implementation with their own identity when they generate outputs
equivalent to COBIT 5 work products. This amounts to saying that the selected process makes a primary contribution to
GEIT.
 Detailed analysis concluded that all processes, functions and activities of ITIL V3 and 112 controls of ISO/IEC 27001
deserve implementation with proper identity. This represents less than 50 percent of GEIT. The remaining 21 controls of
ISO/IEC 27001 make secondary contributions to GEIT.
 Processes of other frameworks, such as TOGAF, PMBOK, CMMI and MOF, that generate outputs equivalent to the work
products of COBIT 5 and are not covered by ITIL V3 and ISO/IEC 27001 can be implemented with their own identities.
 Governance and management practices of COBIT 5 that are not represented by processes of other frameworks should be
implemented directly with their own identities. This should draw upon the secondary contributions from other frameworks.
 All catalogs, matrices and diagrams proposed by TOGAF are considered elements that must be taken into account by
processes of COBIT 5 and processes of aligned frameworks that are being implemented.
 The more than 440 outputs of governance practices defined by COBIT 5 and the 208 outputs defined by COBIT® 5 for
Information Security should be treated in an integrated manner by each governance and management practice. This
statement also applies to the outputs defined in the future by forthcoming COBIT 5 guides.
 The GEIT contribution that an element of the aligned framework makes is considered primary when it is sufficient to
optimally support the functionality covered by its scope. Otherwise, this contribution, if it exists, is considered secondary.

When an ITIL V3 process is implemented, it is oriented toward determining each COBIT 5 work product that applies to it. The
definition of its activities; inputs; outputs; Responsible, Accountable, Consulted and Informed (RACI) matrix; goals; and
metrics should be guided by the architecture of the COBIT 5 processes, while using and leveraging the ITIL V3 contribution.
The same applies to any ISO 27001 control and to any process of an aligned framework chosen for implementation.

The alignment and integration strategy proposed in this article allows, for example, for the initial use of TOGAF by mapping to
the catalogs, matrices and diagrams proposed. These elements are generated from the umbrella of COBIT 5 without the need
to understand the whole philosophy of TOGAF in order to achieve its benefits.

This initial, preamble-free use of TOGAF also opens the door to ArchiMate, TOGAF's companion standard, which facilitates
the management of the elements that define enterprise architectures and of the relationships among those elements.

The use of COBIT, ITIL, ISO/IEC standards, TOGAF, ArchiMate and PMBOK elements, as well as those of other GEIT
frameworks and standards, must apply intellectual property rights defined by each of the respective owners.

GEIT Artifacts Baseline or GEIT Evidence Baseline


All elements of the GEIT frameworks implemented in the organization, that is, the 12 artifact categories defined previously,
constitute the evidence supporting the assessment of COBIT 5 processes at the beginning of the GEIT program and throughout
its existence in the organization.

GEIT artifacts that are in operation are registered in the organization's baseline of GEIT artifacts. This baseline must
support the release management and the distribution management of the organization's artifacts. In the management of
this baseline, the following four recording aspects are distinguished:
 Single record of artifacts—The use of the alignment and integration structure of frameworks described previously
enables the definition of a single identification code structure for artifacts, with the following stages of GEIT:
1. Category of artifacts
2. Framework that is valid in the category
3. Domains of the framework
4. Processes for COBIT 5 (or identifier level for other frameworks)
5. Governance or management practices for COBIT 5 (or process for other frameworks)
6. Outputs or work products for COBIT 5 (or process activity for other frameworks)
7. Version of work products or activities
8. Repetitions of outputs for COBIT 5 (or improvements for other frameworks)

When the third stage is set to "000," all lower stages take the same value "000," indicating that the artifact applies its
content, in a generalized way, to that stage and to the dependent stages.
 Relationships of COBIT 5 PAM model elements—These elements were listed in the definition of the taxonomy of the
evidence management described previously. This article emphasizes the following relationships among GEIT work
products and:
- Outcomes of each COBIT 5 process
- Results of attributes at each capability level of the COBIT 5 processes
- Generic work products of each COBIT 5 process

The first two items give support to evidence-based assessments using the COBIT 5 PAM as illustrated in figure 2. The
third item supports the evaluation, also with evidence, of the state of the generic work products of each COBIT 5 process.

Figure 2—Link Between the Evidence Model and PAM (entity relationship fragment: Process's Outcomes link to Evidence per
Each Outcome; Results per Each Attribute link to Evidence per Each Result; both evidence entities draw on the GEIT Artifacts
Records. Caption carried over from the PAM: the process attributes provide the measurable characteristics of process
capability.)


 Umbrella-type relationships—Relationships anchored on the governance and management practices of COBIT 5 that are
defined for the alignment of the frameworks, running to and from:
- Elements derived from the application of aligned frameworks such as ITIL V3, ISO 27001 and others
- Elements derived from the application of frameworks oriented to verification and monitoring
- Elements derived from the application of regulations specific to the organization and its environment

Several benefits can be realized from this mapping, such as:
- A gap analysis between the implemented GEIT framework and the COBIT 5 framework guidance
- A quality assessment of the implemented artifacts
- A statement of applicability for each governance and management practice, with due justification for its inclusion or
exclusion
- A gap analysis between the implemented governance and management practices and those that are strictly necessary
- Road maps at the governance and management practice and process levels of COBIT 5 for the short, medium
and long term
 Other relationships for assessment purposes—Relationships among the following fall into this category:
- Inputs and outputs defined by the continual improvement life cycle approach[7] for each of its phases
- Enablers defined in COBIT 5
- Enterprise goals and their metrics
- IT-related goals and their metrics
- Goals of COBIT 5 processes and their metrics
- All other metrics proposed by COBIT 5 and adopted by the organization

Therefore, this GEIT artifacts baseline supports the record of all work products related to the COBIT 5 PAM and the
management of the relationships among them that its assessment processes require.

Method for Qualifying the Level/Degree of Evidence


The method for qualifying the level/degree of evidence is based on figure 2, which includes figure 4 of the COBIT 5 PAM and
the fragment of the evidence model's entity relationship diagram with which it is paired. From the single record of artifacts
described previously, the steps for evaluating the capability level of each COBIT 5 process selected for assessment follow.
 Step 1: Use the respective Microsoft® Excel® spreadsheets provided in the COBIT 5 Implementation tool kit and customize
them with the changes illustrated in figures 3 and 4. Figure 3 illustrates the macro diagram of the matrix used for the
evaluation of the specific outcomes of each COBIT 5 process. Figure 4 illustrates the macro diagram of the matrix used for
the assessment of levels 2 to 5 of the process. To record the evidence of every outcome and every result, one needs to insert
two columns with the following registration purposes:
- ART: For the codes of the artifacts that represent the evaluation criteria. In figure 3, this column corresponds to the
"Evidence per Each Outcome" entity of figure 2; in figure 4, it corresponds to the "Evidence per Each Result" entity of figure 2.
- JUST: For the justification of the assigned percent
 Step 2: For each outcome, one must identify the documentary artifacts that represent it in reality and therefore constitute its
evidence, and evaluate the percent of quality and completeness that this support provides to the outcome. To do so, enter
the respective artifact codes in the ART column, analyze the evidence that these documents provide to the outcome, and
then enter in the AS column the percent value assigned to the outcome. After that, enter in the JUST column the concrete,
evidence-based justification of the assigned percent value. The Excel sheet should calculate the average percent
corresponding to the attribute and to level 1. The allocation of the percent should be in accordance with the rating levels
indicated in figure 4 of the COBIT 5 PAM.
 Step 3: For each result of each attribute of the process, proceed as in step 2. The Excel spreadsheet shall calculate the
average percent corresponding to each attribute of levels 2 to 5 of the process, and the average percent of each of these
levels as well.
 Step 4: To allocate the process capability level, proceed as indicated in Figure 5—Levels and Necessary Ratings of COBIT®
Self-assessment Guide: Using COBIT® 5.

Figure 3—Assessment of Level 1 (matrix with columns LEVEL, ATTRIBUTE, OUTCOME, EVIDENCE and AS: one OUTCOME row per
process outcome carrying ART + JUST and its percent, rolled up into CALCULATION: ATTRIBUTE % and CALCULATION: LEVEL 1
ONLY %)

Figure 4—Assessment of Levels 2 to 5 (matrix with columns LEVEL, ATTRIBUTE, RESULTS, EVIDENCE and AS: one RESULT row
per attribute result carrying ART + JUST and its percent, rolled up into CALCULATION: ATTRIBUTE % for each of the two
attributes of a level and CALCULATION: LEVEL % for each level)

As an additional advantage of the semantic relationships of the COBIT 5 PAM described previously, a further evaluation of
capability levels 2 to 5 based on the GWPs is proposed. Figures 5 and 6 illustrate the macro diagrams of the respective
matrices. In the columns marked "ART + JUST" in figure 5, proceed in the same manner as for these columns in figure 3. The
Excel sheet of figure 5 should calculate the percent value for each GWP. All GWP percent values are then carried from figure
5 to figure 6, whose Excel sheet calculates the percent values for levels 2 to 5. Note that the average percent calculated by
the Excel sheet of figure 6 for each capability level does not consider attributes. The outcome of this assessment should be
consistent with the assessment of levels 2 to 5 shown in figure 4.

Figure 5—Assessment of GWPs (matrix with columns GWP, CONTENT, EVIDENCE and AS: one CONTENT row per GWP content
item carrying ART + JUST and its percent, rolled up into CALCULATION: GWP %)

Figure 6—Direct Assessment of Levels 2 to 5 (matrix with columns LEVEL, GWP and AS: one row per GWP with its percent
carried over from figure 5, rolled up into CALCULATION: LEVEL % for each level)
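The scoring steps above, as an added example that is not part of the article or of the ISACA tool kit: a small Python model of
the figure 3 and figure 4 matrices. Each row carries the ART codes, the AS percent and the JUST text; the script validates the
artifact codes against the eight-stage single record (three-digit stages joined by "-" and the cascading "000" rule are this
example's assumptions, since the article fixes no width or separator), averages AS per attribute and per level, rates each
attribute on the N/P/L/F scale of ISO/IEC 15504 (assumed to be the scale of figure 4 of the PAM) and derives the capability
level with the necessary-ratings rule (level N is reached when its attributes rate L or F and all lower levels rate F, assumed
to be the rule of the Self-assessment Guide's figure 5). Refusing a non-zero percent that has no ART code or no JUST text is
this example's own gating rule. The sample rows, codes, percents and justifications are constructed.

```python
"""Evidence-backed capability scoring shaped like the article's figures 3 and 4.
Added illustration, not ISACA's tool kit; assumptions are flagged in comments."""
import re

# Artifact code: eight stages (category, framework, domain, process, practice,
# output, version, repetition). Three-digit stages joined by "-" are assumed.
ARTIFACT_RE = re.compile(r"^\d{3}(?:-\d{3}){7}$")

# Attributes per capability level as in the COBIT 5 PAM (one at level 1, two each at 2 to 5).
LEVEL_ATTRIBUTES = {1: ["PA1.1"], 2: ["PA2.1", "PA2.2"], 3: ["PA3.1", "PA3.2"],
                    4: ["PA4.1", "PA4.2"], 5: ["PA5.1", "PA5.2"]}


def validate_artifact_code(code: str) -> bool:
    """Layout check plus the cascading rule: once stage 3 (domain) is "000",
    every lower stage must be "000" as well."""
    if not ARTIFACT_RE.fullmatch(code):
        return False
    stages = code.split("-")
    if stages[2] == "000":
        return all(stage == "000" for stage in stages[3:])
    return True


def rating(percent: float) -> str:
    """N/P/L/F on the ISO/IEC 15504 scale (assumed): N 0-15, P >15-50, L >50-85, F >85-100."""
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def attribute_scores(rows):
    """Average the AS percent of the outcomes/results under each attribute (the
    CALCULATION: ATTRIBUTE rows). A percent above zero is refused unless at least
    one valid ART code and a JUST text back it (this example's gating rule)."""
    buckets = {}
    for row in rows:
        if not 0 <= row["as"] <= 100:
            raise ValueError(f"{row['item']}: AS {row['as']} out of range")
        bad = [c for c in row["art"] if not validate_artifact_code(c)]
        if bad:
            raise ValueError(f"{row['item']}: malformed ART codes {bad}")
        if row["as"] > 0 and (not row["art"] or not row["just"].strip()):
            raise ValueError(f"{row['item']}: percent assigned without evidence")
        buckets.setdefault(row["attribute"], []).append(row["as"])
    return {attr: sum(v) / len(v) for attr, v in buckets.items()}


def level_scores(attr_scores):
    """The CALCULATION: LEVEL rows: mean of the attributes assessed at each level."""
    out = {}
    for level, attrs in LEVEL_ATTRIBUTES.items():
        vals = [attr_scores[a] for a in attrs if a in attr_scores]
        if vals:
            out[level] = sum(vals) / len(vals)
    return out


def capability_level(attr_scores):
    """Level N counts when its attributes rate L or F and every lower level's
    attributes rate F (ISO/IEC 15504 rule; assumed to match the Self-assessment
    Guide's "Levels and Necessary Ratings"). Unassessed levels stop the climb."""
    achieved = 0
    for level, attrs in LEVEL_ATTRIBUTES.items():
        if not all(a in attr_scores for a in attrs):
            break
        ratings = [rating(attr_scores[a]) for a in attrs]
        if not all(r in ("L", "F") for r in ratings):
            break
        achieved = level
        if not all(r == "F" for r in ratings):
            break  # only largely achieved: no higher level can be claimed
    return achieved


def _row(attribute, item, pct, just, art=("002-001-003-013-002-001-001-000",)):
    return {"attribute": attribute, "item": item, "art": list(art), "as": pct, "just": just}


# Constructed rows for one hypothetical process; codes, percents and texts are invented.
SAMPLE_ROWS = [
    _row("PA1.1", "O1", 90, "Approved policy held in the document system"),
    _row("PA1.1", "O2", 95, "Register maintained and reviewed quarterly"),
    _row("PA1.1", "O3", 85, "Review minutes exist; one period missing"),
    _row("PA2.1", "R1", 80, "Performance objectives stated in the process plan"),
    _row("PA2.1", "R2", 60, "Monitoring report covers half the objectives"),
    _row("PA2.2", "R1", 55, "Work product requirements drafted, not approved"),
    _row("PA2.2", "R2", 65, "Reviews held; records incomplete"),
    _row("PA3.1", "R1", 40, "Standard process only outlined"),
    _row("PA3.1", "R2", 30, "Tailoring guidance missing"),
    _row("PA3.2", "R1", 20, "Deployment started in one unit"),
    _row("PA3.2", "R2", 10, "No deployment measurements collected"),
]

if __name__ == "__main__":
    scores = attribute_scores(SAMPLE_ROWS)
    for attr, pct in scores.items():
        print(f"{attr}: {pct:5.1f}% -> {rating(pct)}")
    print("level %:", level_scores(scores))
    print("capability level:", capability_level(scores))
```

With the constructed rows, PA1.1 rates F, both level 2 attributes rate L and level 3 falls to P and N, so the process is placed
at capability level 2 even though level 3 rows were filled in. The direct GWP assessment of figures 5 and 6 is not modelled; its
per-level percentages can be checked for consistency against what level_scores() returns.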

Life Cycle of Evidence Management Model


The following steps are proposed as part of the actual and effective beginning of GEIT implementation in an organization:
1. Inventory current GEIT documentation—Use a matrix with the following columns: ID code of the document,
version, name, description, format, owner area, responsible person, stakeholders and frameworks. The inventory should
cover all actual documents related to IT management in the organization, including those not formally authorized but in
operation. Special care must be taken with artifacts related to documents that come from outside of COBIT 5 and are
defined in COBIT® 5 for Information Security.
2. Categorize documents—Each document identified in the inventory must be mapped to the 12 categories of framework
artifacts proposed in this article. The same matrix from step 1 can be used, adding 12 columns, or a new, specific
matrix can be developed for this purpose.
3. Map COBIT 5 processes—The relationships among documents or artifacts and the GEIT processes should be
documented in a matrix. This exercise reinforces knowledge of COBIT 5 and must be supported by the COBIT® 5:
Enabling Processes guide.
4. Complete nonrigorous evaluation of COBIT 5 processes—COBIT® Assessment Programme Tool Kit: Using COBIT® 5
should be used to evaluate the COBIT 5 processes and the matrices of the previous steps. The respective assessment
reports should be prepared and distributed as established by the organization in order to gain approval and
encouragement for the next steps.
5. Map outputs to the documents—The outputs or work products of COBIT 5 processes could be taken from figure 7 and
appendix B.2 of the COBIT 5 PAM, but it is more useful to pick them from the level of governance practice in COBIT 5:
Enabling Processes and COBIT® 5 for Information Security. The work products are placed in the rows of the mapping
matrix, and for each of them the related documents are identified. Several benefits can be derived from this mapping,
such as those enumerated previously in this article regarding the umbrella-type relationships.
6. Complete first version of the baseline of GEIT artifacts—The artifact categories Cat02, Cat03 and Cat04
represent work products. All documents recorded in the inventory of the 12 categories defined should be modularized in
terms of work products, either by direct conversion or by mapping matrices. This exercise does not involve redoing, but
decomposing into parts the artifacts that are in operation. It can be done in parallel with step 5. As part of the exercise, it
also standardizes and allocates codes to the modularized artifacts. This new registration of standardized artifacts and
their relationships is the first version of the baseline of GEIT artifacts.
7. Complete standard evaluation using evidence support—The baseline of GEIT artifacts constitutes the adequate
evidence for the COBIT 5 Assessment Programme. The method outlined previously in this article for each selected
process to be evaluated should be followed. The respective assessment reports should be prepared and distributed as
established by the organization. These reports can then be categorized and recorded in the baseline of GEIT artifacts
because they are, by themselves, implementation evidence of some work products of COBIT 5 processes.
8. Complete business case and project development—Evaluations proposed in this article support the precise definition
of the GEIT business case and its respective definition of projects. See sample of business cases in COBIT 5
Implementation.
9. Update the baseline of GEIT artifacts—This baseline is updated by:
 Laws and other regulations that affect the GEIT of the organization
 The operation of GEIT every day. This refers to categories of artifacts:
- Outputs of COBIT 5 processes that are in operation
- Outputs of aligned frameworks that are in operation
- Outputs from monitoring and control frameworks
 Results from GEIT projects, always oriented to continual improvement. They are artifacts of the other nine categories.
10. Return to step 7.

This sequence of steps corresponds to an evidence management perspective on measuring the capability levels of processes.
The implementation of this life cycle should be adapted depending on the orientation that each organization takes from
COBIT® 5 Implementation and COBIT® Assessor Guide: Using COBIT® 5.
A self-learning exercise is suggested in the business case sample presented in COBIT® 5 Implementation, and the evaluation
of GEIT processes should be supported by the tools defined in the appendices of the COBIT® Assessor Guide and by its critical
success factors.

Expectations and Conclusions


The potential of the mappings supported by the baseline of GEIT artifacts opens the door to an effective implementation,
as it generates knowledge and confidence among stakeholders and thus makes it easier to obtain the necessary management
support.

The mappings from artifacts to COBIT 5 processes, combined with the mapping of IT process goals to IT-related goals and on
to enterprise goals, provide the necessary support to make bottom-up assessments on the cascade of COBIT 5 goals. This
mapping supports a positive effect on the management of the GEIT balanced scorecard of the organization—linking IT
process capability improvement opportunities directly with enterprise goals.

It is estimated that a complete, quality-checked first record of the GEIT evidence and an initial evaluation of the COBIT 5
processes may take no more than three months, depending on the size and location of the organization, the defined scope
and the resources allocated to this purpose.

Acknowledgment
The content of this article is the result of work done by the G2eTIC Project, which was conceived with an academic and
business orientation. References to COBIT® 5 documents and the use of their content are made in accordance with the
respective license agreement between ISACA and the author of this article. G2eTIC has the conceptual framework,
methodological tools and complementary tools corresponding to the proposal presented in this article.

Jorge E. Barrera N., CISA, CGEIT, CRISC, COBIT (F), ITIL V3F, PMP
is an independent consultant in governance and management of enterprise IT and author of the G2eTIC Project, which
develops a set of seminars and tools for practical learning and integrated use of COBIT 5. Barrera can be reached at
jorgeebarrera@yahoo.com.

Endnotes
1. ISACA, COBIT® Process Assessment Model (PAM): Using COBIT® 5, 2012
2. ISACA, COBIT® Assessor Guide: Using COBIT® 5, 2012
3. ISACA, COBIT® Self-assessment Guide: Using COBIT® 5, 2012
4. ISACA, COBIT® Assessment Programme Tool Kit: Using COBIT® 5, 2012
5. ISACA, COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, 2012
6. Ibid.
7. ISACA, COBIT® 5 Implementation, 2012

©2013 ISACA. All rights reserved.
