for IT Audit and Assurance
COBIT is a registered trademark of the Information Systems Audit and Control Association
Disclaimer:
1. This presentation has been prepared from ISACA reference material and APMG vanilla material for ATOs. All copyrights for the material remain with APMG.
2. This material is prepared purely for this workshop and for knowledge transfer only, not for any commercial or training purpose.
3. COBIT 5 is a registered trademark of the Information Systems Audit and Control Association.
Session Objective
Introduction to COBIT 5
Let us Discuss
Do you think that a process audit is complete without considering the underlying IT systems?
Organizations' Concerns / Auditors' Concerns
- Operational failures of IT
- Increase in number of security incidents
- High dependency of businesses on IT
- Too many IT standards and frameworks
- Lack of knowledge of critical systems
- IT not meeting compliance
CIOs' Priorities
Evolution of scope
Audit: COBIT1 (1996)
Control: COBIT2 (1998)
Management: COBIT3 (2000)
IT Governance: COBIT4.0/4.1 (2005/7)
Governance of Enterprise IT: COBIT 5 (2012)
Related frameworks: Val IT 2.0 (2008), Risk IT (2009)
Simplified
- COBIT 5 directly addresses the needs of the viewer from different perspectives
- Development continues with specific practitioner guides
- 7 enablers
COBIT 5 Family
COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
COBIT 5 Enablers
COBIT 5 Processes
In Summary
COBIT 4.1 vs COBIT 5
Primary Transition
COBIT 5 builds on previous versions of COBIT (and on Val IT and Risk IT), so enterprises can also build on what they have developed using earlier versions.
COBIT 5 clarifies management-level processes and integrates COBIT 4.1, Val IT and Risk IT content into one process reference model.
COBIT 4.1 cube (figure): information criteria; IT resources (Applications, Information, Infrastructure, People); IT processes (Domains, Processes, Activities).
Transition of COBIT 4.1 content into COBIT 5:
- Control Objectives become Governance & Management Practices
- Control Practices become Activities
- Practices in Risk IT & Val IT are integrated as well
RACI Charts
COBIT 5 - Process Assessment Model (PAM)
The COBIT PAM adapts the existing COBIT 4.1 content into an ISO 15504 compliant process assessment model.
What's different?
But don't we already have maturity models for COBIT 4.1 processes?
- The COBIT PAM uses the capability scale from ISO/IEC 15504, whereas the existing COBIT maturity models use a scale derived from the SEI CMM.
- A PAM level 3 is NOT the same as a CMM level 3.
- Assessments done under the PAM are likely to result in lower scores.
- PAM assessments are based on more fully defined and defensible attributes.
COBIT 4.1 Process Maturity Level | COBIT 5 PAM Capability Level
5 Optimised | 5 Optimizing
4 Managed and measurable | 4 Predictable
3 Defined | 3 Established
2 Repeatable but intuitive | 2 Managed
1 Initial/ad hoc | 1 Performed
0 Non-existent | 0 Incomplete
Protiviti Member Firm (Middle East Region), 2013
CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed.
Assessment Overview: Process Assessment Model and Assessment Process
DS1 Define and Manage Service Levels
Purpose: Satisfy the business requirement of ensuring the alignment of key IT services with the business needs.

Process Outcomes
DS1-O1 | A service management framework is in place to define the organisational structure for service level management, covering the base definitions of services, roles, tasks and responsibilities of internal and external service providers and customers.
DS1-O2 | Internal and external SLAs are formalised in line with customer requirements and delivery capabilities.
DS1-O3 | Operating level agreements (OLAs) are developed to specify the technical processes required to support SLAs.
DS1-O4 | Processes are in place to monitor (and periodically review) SLAs and achievements.

Base Practices (BPs)
Number | Description | Supports
DS1-BP1 | Create a framework for defining IT services. | DS1-O1
DS1-BP2 | Build an IT service catalogue. | DS1-O1, O2
DS1-BP3 | Define SLAs for critical IT services. | DS1-O2
DS1-BP4 | Define OLAs for meeting SLAs. | DS1-O3
DS1-BP5 | Monitor and report end-to-end service level performance. | DS1-O4
DS1-BP6 | Review SLAs and underpinning contracts. | DS1-O4
DS1-BP7 | Review and update the IT service catalogue. | DS1-O1
DS1-BP8 | Create a service improvement plan. | DS1-O1

Work Products (WPs)
Inputs
Number | Description | Supports
PO1-WP1 | Strategic IT plan | DS1-O1, O2, O3, O4
PO1-WP4 | IT service portfolio | DS1-O1, O2, O3, O4
PO2-WP5 | Assigned data classifications | DS1-O1
PO5-WP3 | Updated IT service portfolio | DS1-O4
AI2-WP4 | Initial planned SLAs | DS1-O3
AI3-WP7 | Initial planned OLAs | DS1-O3
DS4-WP5 | Disaster service requirements, including roles and responsibilities | DS1-O1
ME1-WP1 | Performance input to IT planning | DS1-O1, O2

Outputs
Number | Description | Input To | Supports
DS1-WP1 | Contract review report | DS2 | DS1-O1, O4
DS1-WP2 | Process performance reports | ME1 | DS1-O4
DS1-WP3 | New/updated service requirements | PO1 | DS1-O2, O3
DS1-WP4 | SLAs | AI1, DS2, DS3, DS4, DS6, DS8, DS13 | DS1-O2
DS1-WP5 | OLAs | DS4 to DS8, DS11, DS13 | DS1-O3
DS1-WP6 | Updated IT service portfolio | PO1 | DS1-O1, O4
Assessment Overview
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
Capability levels (ISO/IEC 15504):
5 Optimizing: The process is continuously improved to meet relevant current and projected business goals.
4 Predictable: The process is enacted consistently within defined limits.
3 Established: A defined process is used based on a standard process.
2 Managed: The process is managed and work products are established, controlled and maintained.
1 Performed: The process is implemented and achieves its process purpose.
0 Incomplete: The process is not implemented or fails to achieve its purpose.
Measurement Framework
The COBIT assessment process measures the extent to which a given process achieves specific attributes relative to that process (the process attributes).
Level 5 - Optimizing: PA 5.1 Innovation; PA 5.2 Optimization
Level 4 - Predictable: PA 4.1 Measurement; PA 4.2 Control
Level 3 - Established: PA 3.1 Definition; PA 3.2 Deployment
Level 2 - Managed: PA 2.1 Performance management; PA 2.2 Work product management
Level 1 - Performed: PA 1.1 Process performance
Level 0 - Incomplete

Capability level rating requirements (L/F = Largely or Fully, F = Fully):
Level 1: PA 1.1 L/F
Level 2: PA 1.1 F; PA 2.1 L/F; PA 2.2 L/F
Level 3: PA 1.1, 2.1, 2.2 F; PA 3.1 L/F; PA 3.2 L/F
Level 4: PA 1.1 to 3.2 F; PA 4.1 L/F; PA 4.2 L/F
Level 5: PA 1.1 to 4.2 F; PA 5.1 L/F; PA 5.2 L/F
Mapping of ISO and COBIT capability levels (figure): Established, Managed, Performed, Incomplete
Rating scale:
N | Not achieved | 0 to 15 % achievement
P | Partially achieved | > 15 % to 50 % achievement
L | Largely achieved | > 50 % to 85 % achievement
F | Fully achieved | > 85 % to 100 % achievement
a. Have requirements for the work products of the process been defined?
b. Have requirements for documentation and control of the work products been defined?
Level 5 process attributes: PA 5.1 Innovation; PA 5.2 Optimisation
Overview
Assessment results (figure): Process A, Process B and Process C, each showing target capability against assessed capability (Level 2, Level 3; PA 1.1).
Assessor Certification
COBIT process assessment roles:
And so Goodbye . . .
COBIT Assessment Programme: www.isaca.org/cobit-assessment-programme
Contact Information: research@isaca.org