
Migrating to COBIT 5

for
IT Audit and Assurance

COBIT is a registered trademark of the Information Systems Audit and Control Association

Disclaimer:
1. The presentation has been prepared from reference material from ISACA and APMG Vanilla Material for ATO. All copyrights for the material are reserved with APMG.
2. This material has been prepared purely for this workshop and for knowledge transfer purposes, not for any commercial or training purpose.
3. COBIT 5 is a registered trademark of the Information Systems Audit and Control Association.

2013 Protiviti Member Firm (Middle East Region)


CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed.

Session Objective

- Introduction to COBIT 5
- Key differences between COBIT 4.1 and COBIT 5
- Audit and assessment using the COBIT PAM
- Walk-through of an assessment of one selected process


Let us Discuss

- Do you think that a process audit is complete without considering the underlying IT systems?
- Can there be a critical business process implemented without an IT system?
- Do you consider automation of a business process a risk, as no clear visibility is available to auditors?

Share your thoughts



Organization's Concerns / Auditors' Concerns

- Inadequate view of IT functioning
- Operational failures of IT
- Increase in the number of security incidents
- High dependency of businesses on IT
- Too many IT standards and frameworks
- Lack of knowledge of critical systems
- IT not meeting compliance

CIOs' Priorities

- Delivering projects to meet business growth
- Demonstrating value to the business
- Tightening security and privacy controls
- Improving business continuity readiness
- Improving the quality of IT service delivery
- Applying metrics to the IS organization and services
- Demonstration of compliance
- Too many audits (internal / external)


Drivers for COBIT 5

A need for the enterprise to:

- Achieve increased value creation
- Obtain business user satisfaction
- Achieve compliance with relevant laws, regulations and policies
- Improve the relation between business and IT
- Increase the return of governance over enterprise IT
- Connect and align with other major frameworks and standards


COBIT 5: Now One Complete IT - Business Framework

Evolution of scope (ISACA timeline):

- Audit: COBIT 1 (1996)
- Control: COBIT 2 (1998)
- Management: COBIT 3 (2000)
- IT Governance: COBIT 4.0/4.1 (2005/7), with Val IT 2.0 (2008) and Risk IT (2009)
- Governance of Enterprise IT: COBIT 5 (2012)

A business framework from ISACA, at www.isaca.org/cobit


The COBIT 5 Format

- Simplified
- COBIT 5 directly addresses the needs of the viewer from different perspectives
- Development continues with specific practitioner guides

COBIT 5 is initially in 3 volumes:

1. The Framework - free download
2. Process Reference Guide - free to members
3. Implementation Guide - free to members

COBIT 5 is based on 5 principles and 7 enablers.


COBIT 5 Family


COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management


COBIT 5 Enablers

Source: COBIT 5 Framework


Meeting Stakeholder Needs

Stakeholder needs have to be transformed into an enterprise's actionable strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.


Separating Governance from Management


COBIT 5 Processes


Process Example Walk Through

COBIT 5 Governance Processes


COBIT 5: Where does it fit in?


In Summary

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.


COBIT 4.1 vs COBIT 5

Primary Transition

COBIT 5 builds on previous versions of COBIT (and Val IT and Risk IT), so enterprises can also build on what they have developed using earlier versions. COBIT 5 clarifies management-level processes and integrates COBIT 4.1, Val IT and Risk IT content into one process reference model.


Renewed focus on Enablers

The COBIT 4.1 cube (figure):

- Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT resources: Applications, Information, Infrastructure, People
- IT processes: Domains, Processes, Activities

Mapping of earlier content into COBIT 5 practices and activities (figure):

- COBIT 4.1 control objectives, control practices and activities, together with the processes and practices of Val IT and Risk IT, become COBIT 5 processes, governance and management practices, and activities.


Process Reference Model


New / Modified Processes

New or modified processes in the COBIT 5 process reference model:

- APO03 Manage enterprise architecture (deviation from Information to Enterprise)
- APO04 Manage innovation (new governance process)
- APO05 Manage portfolio (Val IT)
- APO08 Manage relationships (BRM from ISO 20000)
- APO13 Manage security (segregation from typical security, which is covered in DSS)
- BAI05 Manage organizational change enablement
- BAI08 Manage knowledge (ITIL v3)
- BAI09 Manage assets
- DSS05 Manage security service
- DSS06 Manage business process controls

RACI Charts


COBIT 5 - Process Assessment Model (PAM)

What is a Process Assessment?

ISO/IEC 15504-4 identifies process assessment as an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach.

- The purpose of process improvement is to continually improve the enterprise's effectiveness and efficiency.
- The purpose of process capability determination is to identify the strengths, weaknesses and risk of selected processes.
- It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes.


What is the new COBIT Assessment Programme?

The COBIT Assessment Programme includes:

- COBIT Process Assessment Model (PAM): Using COBIT 4.1
- COBIT Assessor Guide: Using COBIT 4.1
- COBIT Self-Assessment Guide: Using COBIT 4.1

The COBIT PAM brings together two proven heavyweights in the IT arena, ISO and ISACA.

The COBIT PAM adapts the existing COBIT 4.1 content into an ISO 15504-compliant process assessment model.


What's different?

But don't we already have maturity models for COBIT 4.1 processes?

The new COBIT assessment programme is:

- A robust assessment process based on ISO 15504
- An alignment of COBIT's maturity model scale with the international standard
- A new capability-based assessment model which includes:
  - Specific process requirements derived from COBIT 4.1
  - Ability to achieve process attributes based on ISO 15504
  - Evidence requirements
  - Assessor qualifications and experiential requirements

This results in a more robust, objective and repeatable assessment.

Assessment results will likely vary from existing COBIT maturity models!

Differences to COBIT Maturity Model

The COBIT 4.1 PAM uses a measurement framework that is similar in terminology to the existing maturity models in COBIT 4.1. While the words are similar, the scales are NOT the same:

- The COBIT PAM uses the capability scale from ISO/IEC 15504, whereas the existing COBIT maturity models use a scale derived from SEI CMM
- A PAM level 3 is NOT the same as a CMM level 3
- Assessments done under the PAM are likely to result in lower scores
- PAM assessments are based on more fully defined and defensible attributes

COBIT 4.1 process maturity level | ISO/IEC 15504 capability level | ISO/IEC 15504 process attributes
5 Optimised                      | 5 Optimizing                   | PA 5.1 Process innovation, PA 5.2 Process optimization
4 Managed and measurable         | 4 Predictable                  | PA 4.1 Process measurement, PA 4.2 Process control
3 Defined                        | 3 Established                  | PA 3.1 Process definition, PA 3.2 Process deployment
2 Repeatable but intuitive       | 2 Managed                      | PA 2.1 Performance management, PA 2.2 Work product management
1 Initial/ad hoc                 | 1 Performed                    | PA 1.1 Process performance
0 Non-existent                   | 0 Incomplete                   | (no attributes)

Assessment Overview (figure: Process Assessment Model and Assessment Process)


PRM Based on COBIT 4.1

Process ID: DS1
Process name: Define and Manage Service Levels
Purpose: Satisfy the business requirement of ensuring the alignment of key IT services with the business needs.

Outcomes (Os)
Number | Description
DS1-O1 | A service management framework is in place to define the organisational structure for service level management, covering the base definitions of services, roles, tasks and responsibilities of internal and external service providers and customers.
DS1-O2 | Internal and external SLAs are formalised in line with customer requirements and delivery capabilities.
DS1-O3 | Operating level agreements (OLAs) are developed to specify the technical processes required to support SLAs.
DS1-O4 | Processes are in place to monitor (and periodically review) SLAs and achievements.

Base practices (BPs)
Number  | Description                                              | Supports
DS1-BP1 | Create a framework for defining IT services.             | DS1-O1
DS1-BP2 | Build an IT service catalogue.                           | DS1-O1, O2
DS1-BP3 | Define SLAs for critical IT services.                    | DS1-O2
DS1-BP4 | Define OLAs for meeting SLAs.                            | DS1-O3
DS1-BP5 | Monitor and report end-to-end service level performance. | DS1-O4
DS1-BP6 | Review SLAs and underpinning contracts.                  | DS1-O4
DS1-BP7 | Review and update the IT service catalogue.              | DS1-O1
DS1-BP8 | Create a service improvement plan.                       | DS1-O1

Work products (WPs) - Inputs
Number  | Description                                                          | Supports
PO1-WP1 | Strategic IT plan                                                    | DS1-O1, O2, O3, O4
PO1-WP4 | IT service portfolio                                                 | DS1-O1, O2, O3, O4
PO2-WP5 | Assigned data classifications                                        | DS1-O1
PO5-WP3 | Updated IT service portfolio                                         | DS1-O4
AI2-WP4 | Initial planned SLAs                                                 | DS1-O3
AI3-WP7 | Initial planned OLAs                                                 | DS1-O3
DS4-WP5 | Disaster service requirements, including roles and responsibilities  | DS1-O1
ME1-WP1 | Performance input to IT planning                                     | DS1-O1, O2

Work products (WPs) - Outputs
Number  | Description                      | Input to                           | Supports
DS1-WP1 | Contract review report           | DS2                                | DS1-O1, O4
DS1-WP2 | Process performance reports      | ME1                                | DS1-O4
DS1-WP3 | New/updated service requirements | PO1                                | DS1-O2, O3
DS1-WP4 | SLAs                             | AI1, DS2, DS3, DS4, DS6, DS8, DS13 | DS1-O2
DS1-WP5 | OLAs                             | DS4 to DS8, DS11, DS13             | DS1-O3
DS1-WP6 | Updated IT service portfolio     | PO1                                | DS1-O1, O4


Process Reference Model

- Process purpose: the high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process
- Process outcome: an observable result of a process, namely an artefact, a significant change of state or the meeting of specified constraints
- Base practices: the activities that, when consistently performed, contribute to achieving the process purpose
- Work products: the artefacts associated with the execution of a process, defined in terms of process inputs and process outputs


Assessment Overview

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.

Process Capability Levels

Level 0 Incomplete process
  The process is not implemented or fails to achieve its purpose.

Level 1 Performed process
  PA 1.1 Process performance attribute
  The process is implemented and achieves its process purpose.

Level 2 Managed process
  PA 2.1 Performance management attribute; PA 2.2 Work product management attribute
  The process is managed and work products are established, controlled and maintained.

Level 3 Established process
  PA 3.1 Process definition attribute; PA 3.2 Process deployment attribute
  A defined process is used based on a standard process.

Level 4 Predictable process
  PA 4.1 Process measurement attribute; PA 4.2 Process control attribute
  The process is enacted consistently within defined limits.

Level 5 Optimizing process
  PA 5.1 Process innovation attribute; PA 5.2 Process optimization attribute
  The process is continuously improved to meet relevant current and projected business goals.

Measurement Framework

The COBIT assessment process measures the extent to which a given process achieves specific attributes relative to that process (process attributes).

The COBIT assessment process defines 9 process attributes (based on ISO/IEC 15504-2):

- PA 1.1 Process performance
- PA 2.1 Performance management
- PA 2.2 Work product management
- PA 3.1 Process definition
- PA 3.2 Process deployment
- PA 4.1 Process measurement
- PA 4.2 Process control
- PA 5.1 Process innovation
- PA 5.2 Continuous optimization

Process Attribute Rating Scale

The COBIT assessment process measures the extent to which a given process achieves the process attributes.

N  Not achieved (0 to 15% achievement): There is little or no evidence of achievement of the defined attribute in the assessed process.

P  Partially achieved (> 15% to 50% achievement): There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.

L  Largely achieved (> 50% to 85% achievement): There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.

F  Fully achieved (> 85% to 100% achievement): There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.


Process Attribute Ratings and Capability Levels

Rating required for each process attribute at each capability level (L/F = Largely or Fully achieved; F = Fully achieved):

Process attribute              | Level 1 | Level 2 | Level 3 | Level 4 | Level 5
PA 5.2 Optimization            |         |         |         |         | L/F
PA 5.1 Innovation              |         |         |         |         | L/F
PA 4.2 Control                 |         |         |         | L/F     | F
PA 4.1 Measurement             |         |         |         | L/F     | F
PA 3.2 Deployment              |         |         | L/F     | F       | F
PA 3.1 Definition              |         |         | L/F     | F       | F
PA 2.2 Work product management |         | L/F     | F       | F       | F
PA 2.1 Performance management  |         | L/F     | F       | F       | F
PA 1.1 Process performance     | L/F     | F       | F       | F       | F

Level 0 - Incomplete: no attribute requirement.

A process is therefore rated at level n only when every attribute of levels 1 to n-1 is Fully achieved and the attributes of level n are at least Largely achieved.
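The following is a worked example added here; it is not part of the original slides and not ISACA's or Protiviti's own tooling. It applies the N/P/L/F scale from the "Process Attribute Rating Scale" slide to an achievement percentage, then derives a capability level with the rule in the table on this slide (every lower-level attribute Fully achieved, the target level's attributes at least Largely achieved) and lists the attributes that still fall short of a chosen target level. The attribute identifiers are those on the slides; the percentages in SAMPLE_EVIDENCE are constructed illustrative values, not the result of any real assessment.

```python
# Added worked example (not from the slides): attribute rating and
# capability-level determination as described in the COBIT PAM slides.

# Process attributes grouped by the capability level they belong to
# (identifiers as on the "Measurement Framework" slide).
ATTRIBUTES_BY_LEVEL = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}


def rate_attribute(percent_achieved):
    """Map an achievement percentage to the N/P/L/F rating scale:
    N = 0 to 15 %, P = > 15 to 50 %, L = > 50 to 85 %, F = > 85 to 100 %."""
    if not 0 <= percent_achieved <= 100:
        raise ValueError("achievement must be between 0 and 100 percent")
    if percent_achieved <= 15:
        return "N"
    if percent_achieved <= 50:
        return "P"
    if percent_achieved <= 85:
        return "L"
    return "F"


def capability_level(ratings):
    """Highest capability level supported by the ratings.

    Level n is reached when every attribute of levels 1..n-1 is rated F and
    every attribute of level n is rated L or F. An attribute without a
    rating counts as N, and levels are checked in order, so an unachieved
    level blocks all higher ones even if their attributes are rated.
    """
    achieved = 0
    for level in range(1, 6):
        lower_fully = all(
            ratings.get(pa, "N") == "F"
            for lower in range(1, level)
            for pa in ATTRIBUTES_BY_LEVEL[lower]
        )
        this_largely = all(
            ratings.get(pa, "N") in ("L", "F")
            for pa in ATTRIBUTES_BY_LEVEL[level]
        )
        if not (lower_fully and this_largely):
            break
        achieved = level
    return achieved


def capability_gap(ratings, target_level):
    """Assessed level plus the attributes that still fall short of what the
    target level requires (F below the target level, L or F at it)."""
    shortfalls = []
    for level in range(1, target_level + 1):
        required = ("L", "F") if level == target_level else ("F",)
        for pa in ATTRIBUTES_BY_LEVEL[level]:
            if ratings.get(pa, "N") not in required:
                shortfalls.append(pa)
    return capability_level(ratings), shortfalls


# Constructed sample evidence for one process: the share of each attribute's
# indicators found in place. Illustrative numbers only, not a real assessment.
SAMPLE_EVIDENCE = {
    "PA 1.1": 92,
    "PA 2.1": 70,
    "PA 2.2": 88,
    "PA 3.1": 40,
    "PA 3.2": 10,
}


def assess(evidence, target_level):
    """Rate each attribute, then report the assessed level and the
    shortfalls against the target level."""
    ratings = {pa: rate_attribute(pct) for pa, pct in evidence.items()}
    assessed, shortfalls = capability_gap(ratings, target_level)
    return {"ratings": ratings, "assessed_level": assessed,
            "target_level": target_level, "shortfalls": shortfalls}


if __name__ == "__main__":
    report = assess(SAMPLE_EVIDENCE, target_level=3)
    for pa, rating in sorted(report["ratings"].items()):
        print(f"{pa}: {rating}")
    print(f"assessed level {report['assessed_level']}, "
          f"target level {report['target_level']}, "
          f"shortfalls: {', '.join(report['shortfalls']) or 'none'}")
```

With the constructed sample the process lands at level 2 even though level 3 attributes are already partly evidenced: PA 2.1 is only Largely achieved, and the rule requires it to be Fully achieved before level 3 can be claimed. An assessor reporting against a target of level 3 therefore lists PA 2.1 as a shortfall alongside PA 3.1 and PA 3.2, which is the practical meaning of "a PAM level 3 is not a CMM level 3".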

COBIT Assessment Process Overview

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.

Process Attributes and Capability Levels

Figure: the ISO/IEC 15504 capability levels (Incomplete, Performed, Managed, Established, Predictable, Optimizing) and the 9 process attributes, with the process attribute indicators (PAI) drawn from COBIT.


Process Attribute Rating

Assessment indicators in the PAM are used to support the assessor's judgement in rating process attributes:

- They provide the basis for repeatability across assessments
- A rating is assigned based on objective, validated evidence for each process attribute
- Traceability needs to be maintained between an attribute rating and the objective evidence used in determining that rating


Example from COBIT 4.1: DS1 Define and manage service levels (the DS1 process reference model table shown earlier under "PRM Based on COBIT 4.1")


COBIT Assurance Tool-Kit


Process Reference Model - Example DS1

Does the process achieve its defined outcomes (PA 1.1)? As evidenced by:

- Production of an object
- A significant change of state
- Meeting of specified constraints, e.g., requirements, goals

Figure 6: PA 1.1 Process Performance

- Result of full achievement of the attribute: The process achieves its defined outcomes.
- Base practices (BPs): BP 1.1.1 Achieve the process outcomes. There is evidence that the intent of the base practice is being performed.
- Work products (WPs): Work products are produced that provide evidence of process outcomes, as outlined in section 3.

Rating: N Not achieved (0 to 15% achievement); P Partially achieved (> 15% to 50% achievement); L Largely achieved (> 50% to 85% achievement); F Fully achieved (> 85% to 100% achievement).

Assessing Process Capability

PA 2.1 Performance management

a. Have objectives for the performance of the process been identified?
b. Is performance of the process planned and monitored?
c. Is performance of the process adjusted to meet plans?
d. Are responsibilities and authorities for performing the process defined, assigned and communicated?
e. Are resources and information necessary for performing the process identified, made available, allocated and used?
f. Are interfaces between the involved parties managed to ensure effective communication and clear assignment of responsibility?

Rating: N Not achieved (0 to 15% achievement); P Partially achieved (> 15% to 50% achievement); L Largely achieved (> 50% to 85% achievement); F Fully achieved (> 85% to 100% achievement).


Assessing Process Capability

PA 2.2 Work product management

a. Have requirements for the work products of the process been defined?
b. Have requirements for documentation and control of the work products been defined?
c. Are work products appropriately identified, documented and controlled?
d. Are work products reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements?

Rating: N Not achieved (0 to 15% achievement); P Partially achieved (> 15% to 50% achievement); L Largely achieved (> 50% to 85% achievement); F Fully achieved (> 85% to 100% achievement).


Assessing Attribute Achievement

Attribute achievement worksheet (figure): each process attribute is rated Not, Partially, Largely or Fully achieved.

- PA 1.1 Process performance
- PA 2.1 Performance management
- PA 2.2 Work product management
- PA 3.1 Definition
- PA 3.2 Deployment
- PA 4.1 Measurement
- PA 4.2 Control
- PA 5.1 Innovation
- PA 5.2 Optimisation

Consequence of Capability Gaps

Figure A.3: Consequence of Gaps at Various Capability Levels


Capability Gaps and Risk

Figure A.4: Risk Associated With Each Capability Level


Overview


Assessment Process Activities


1 Initiation
2 Planning the Assessment
3 Briefing
4 Data Collection
5 Data Validation
6 Process Attribute Rating
7 Reporting the Results


Reporting the Results

Figure: for each assessed process (Process A, Process B, Process C) the report shows the target capability and the assessed capability against Level 1 (PA 1.1), Level 2 (PA 2.1, PA 2.2) and Level 3 (PA 3.1, PA 3.2).


Assessor Certification

COBIT process assessment roles:

- Lead assessor: a competent assessor responsible for overseeing the assessment activities
- Assessor: an individual, developing assessor competencies, who performs the assessment activities

Assessor competencies:

- Knowledge, skills and experience:
  - with the process reference model; process assessment model, methods and tools; and rating processes
  - with the processes/domains being assessed
- Personal attributes that contribute to effective performance

A training and certification scheme is being developed for COBIT 4.1 and COBIT 5.


And so Goodbye . . .
COBIT Assessment Programme: www.isaca.org/cobit-assessment-programme
Contact Information: research@isaca.org
