Implementation Approaches: Implementing Cobit 5 In A Week
Kaya Kazmirci CISA, CISM, CISSP, Cobit 5 Foundations
Kazmirci Associates
kaya@kayakazmirci.com
+90 532 487 7756
Kaya Kazmirci
Founder ISACA Istanbul Chapter
Education Committee Chair and Past Chapter President
Chair Cobit 5/CISA Translation Committees
Cobit Evangelist (Regulatory Consultant & Trainer)
IT Governance and Cyber Security Expert
Kazmirci Associates MD
Mountain Biker & Sailor
Kaya.kazmirci@isaca-istanbul.org
Kaya@kayakazmirci.com
Programme outline (one week):
C5 Training (2 Days)
As-Is / To-Be: 2 Exercises (1 Day)
Reporting (2 Days)
Kickoff!
How do you eat an elephant?
Governance is about Negotiating
2012 ISACA. All rights reserved.
Slide figure (chart): Fire Wall Breaches Discovered; Credit Card #s Lost; Cost of non-compliance (fines, settlements)
Practices (Critical)
Outcomes (Combine/Reformat)
Process Format/Content
RACI Charts
There Is A Lot (Too Much?)
Use what you need and nothing else!
Outsourcing: APO09, 10
Security: APO13, DSS05
HR (Security): APO07, APO08
PM: APO05, 6, BAI01
SW/HW Development: BAI02,
3, 6, 7, 10
Data Center: DSS01
Help Desk: DSS02, 03
Engine Room: BAI04, DSS04
New and Modified Processes:
APO03 Manage enterprise architecture. (TOGAF)
APO04 Manage innovation. (Nice to Have)
APO05 Manage portfolio. (PMBOK, Prince2)
APO06 Manage budget and costs. (Activity Based Costing/Accounting)
APO08 Manage relationships. (Security Impact)
APO13 Manage security. (Critical)
BAI05 Manage organisational change enablement. (Nice to Have)
BAI08 Manage knowledge. (DS10 Manage Data in v3 more useful)
BAI09 Manage assets. (Nice to Have)
DSS05 Manage security service. (Critical)
DSS06 Manage business process controls. (Controversial)
Cobit 5 Capability
Less is more
Satisfying Cobit 5 Attributes Improves Capability
Level 3 Established Process
PA.3.1 Process Definition attribute
PA.3.2 Process Deployment attribute
Level 0 Incomplete process
Process Attribute Rating Scale
Cobit Capability scores 3 at a 2.5!
Level 1
Some Management/Governance (M/G) Practices, Some Work Products
Level 2
All M/G Practices, Work Product, Process Goals & Targets defined, RACI
Level 3
Process commonly implemented, Inputs/Outputs (Training/Sourcing needs) defined, IT Related
Goals defined/collected/analyzed
Level 4
Process Metrics reported consistently, Goals set, Low performance reviewed
Level 5
Improvement Goals set, Improvement Opportunities: Identified, Planned, Tested, Implemented &
Post Implemented
Still Confused? More Practical Guidance
CMMI Maturity seems to map well as it is based on 15504
Level 2
All of the Practices Implemented
Level 3
All Activities implemented
ISO 27001 -> APO13 Manage Security, DSS05 Manage Security Services
ISO 22301 -> DSS04 Manage Continuity
ISO 9001 -> APO11 Manage Quality
ISO 20000 -> DSS01 Manage Operations, DSS02 Manage Service Requests & Incidents, DSS03 Manage Problems
ISO 10002 -> DSS02 (Customer Complaints)
ISO 13485 -> APO11 Manage Quality
ISO 31000 -> APO12 Manage Risk
Independent Audit Financial Reporting Effective Control -> BAI06, 07
Level 4
Common enterprise wide Process Performance and Output metrics
Level 5
Consistent Metric based Goals and Improvement Implementation
Program Management: Day to day PM
Enablement of change: Addressing the behavioural and cultural aspects
Core Continual improvement: this is not a one-off project
Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
Case Study II: Process Assessment (40 minutes preparation, 20 minutes presentation and discussion)
The Company has recognised enterprise governance implementation is a priority to enable
effective corporate and IT management. After reviewing your previous presentation, the BoD
has decided to implement Cobit 5 one process at a time and has asked you to complete an
assessment regarding how the most critical process that you presented operates at the
Company.
In this exercise, you will first select a process (from those examined in Case Study I) and then
assess how it operates at the Company.
1. Using what you and your teammates know and referring to the COBIT 5 Enabling Processes,
consider the process and assess whether it presently fulfils the defined management/governance
practices and related activities as well as delivers the defined outputs. Document any missing
outputs.
2. Decide which missing practices would add value if implemented, then list and prioritize the
most important 5 of them.
3. Discuss the related Cobit 5 process/IT related metrics and assess whether the presently used
metrics are adequate. Feel free to suggest 3 metrics that you feel would better meet the
Company's needs but be aware that implementing new metrics requires resources so focus on
cost effective suggestions.
Gary Hardy
Case Study III: Capability Assessment (40 minutes preparation, 20 minutes presentation)
The objective of this exercise is to understand how to use the capability models in
COBIT 5 to perform a capability assessment of a critical process.
Use the process from Case Study II and assess its present capability at the
Company. Based on its present capability, list what additional attributes need
development in order for it to mature to the next level of capability.
Hint: Go easy on yourselves as far as documentation requirements go. Partially (P)
fulfilled attributes are ok.
Work in the same group, and have a workshop as if you are the management team.
One person should act as the facilitator gaining consensus as a group on what the
critical attributes are and, using the COBIT capability models, considering the
current level. Prepare to report the present capability as well what needs to be
done to go to the next level.
Prepare a short presentation to explain your results.
Gary Hardy
Goals Cascade
Appendix 3
Figure 24: Mapping COBIT 5 Enterprise Goals to Governance and Management Questions
Figure 24: Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (cont.)
Figure 22: Mapping COBIT 5 Enterprise Goals to IT-related Goals