Migrating to COBIT 5 for IT Audit and Assurance

COBIT is a registered trademark of the Information Systems Audit and Control Association
Disclaimer:
1. The presentation has been prepared from reference material from ISACA and APMG Vanilla Material for ATO. All copyrights for the material are reserved with APMG.
2. This material has been prepared purely for this workshop and only for knowledge transfer purposes, not for any commercial or training purpose.
3. COBIT 5 is a registered trademark of the Information Systems Audit and Control Association.

2013 Protiviti Member Firm (Middle East Region)


CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed.
Session Objective

- Introduction to COBIT 5
- Key differences between 4.1 and 5
- Audit and Assessment using COBIT PAM
- Walk-through of an assessment on one of the selected processes

Let us Discuss

- Do you think that a process audit is complete without considering the underlying IT systems?
- Can there be a critical business process implemented without an IT system?
- Do you consider automation of a business process a risk, as no clear visibility is available to auditors?

Share your thoughts.

Organizations' Concerns

Auditors' Concerns:
- Inadequate view of IT functioning
- Operational failures of IT
- Increase in number of security incidents
- High dependency of businesses on IT
- Too many IT standards & frameworks
- Lack of knowledge of critical systems
- IT not meeting compliance
- Too many audits (internal / external)

CIOs' Priorities:
- Delivering projects to meet business growth
- Demonstrating value to business
- Tightening security and privacy controls
- Improving business continuity readiness
- Improving quality of IT service delivery
- Applying metrics to IS organization and services
- Demonstration of compliance

Drivers for COBIT 5

A need for the enterprise to:
- Achieve increased value creation
- Obtain business user satisfaction
- Achieve compliance with relevant laws, regulations and policies
- Improve the relationship between business and IT
- Increase the return on governance over enterprise IT
- Connect and align with other major frameworks and standards

COBIT 5: Now One Complete IT-Business Framework

Evolution of scope, release by release:
- COBIT 1 (1996): Audit
- COBIT 2 (1998): Control
- COBIT 3 (2000): Management
- COBIT 4.0/4.1 (2005/7): IT Governance
- COBIT 5 (2012): Governance of Enterprise IT, incorporating Val IT 2.0 (2008) and Risk IT (2009)

A business framework from ISACA, at www.isaca.org/cobit

The COBIT 5 Format

Simplified: COBIT 5 directly addresses the needs of its readers from different perspectives. Development continues with specific practitioner guides.

COBIT 5 is initially in 3 volumes:
1. The Framework - Free download
2. Process Reference Guide - Free to members
3. Implementation Guide - Free to members

COBIT 5 is based on 5 principles and 7 enablers.

COBIT 5 Family

COBIT 5 Principles

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

COBIT 5 Enablers

Source: COBIT 5 Framework

Meeting Stakeholder Needs

Stakeholder needs have to be transformed into an enterprise's actionable strategy.

The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customized goals within the context of the enterprise, IT-related goals and enabler goals.

Separating Governance from Management

COBIT 5 Processes

Process Example Walk Through
COBIT 5 Governance Processes

COBIT 5: Where does it fit in?

In Summary

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

COBIT 4.1 vs COBIT 5

Primary Transition

COBIT 5 builds on previous versions of COBIT (and Val IT and Risk IT), so enterprises can also build on what they have developed using earlier versions.

COBIT 5 clarifies management-level processes and integrates COBIT 4.1, Val IT and Risk IT content into one process reference model.

Renewed focus on Enablers

The COBIT 4.1 cube, with its three dimensions:
- Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: Applications, Information, Infrastructure, People
- IT Processes: Domains, Processes, Activities

Practices & Activities

How COBIT 4.1, Val IT and Risk IT content maps into COBIT 5:
- COBIT 4.1 Control Objectives, and Val IT & Risk IT Processes -> COBIT 5 Governance & Management Practices
- COBIT 4.1 Control Practices, and Practices in Risk IT & Val IT -> COBIT 5 Activities

Process Reference Model

New / Modified Processes

Below are the processes that are new or modified in COBIT 5:
- APO03 Manage enterprise architecture (scope moved from information architecture to enterprise architecture)
- APO04 Manage innovation (new process)
- APO05 Manage portfolio (from Val IT)
- APO08 Manage relationships (business relationship management, BRM, from ISO 20000)
- APO13 Manage security (separated from operational security, which is covered in DSS)
- BAI05 Manage organizational change enablement
- BAI08 Manage knowledge (from ITIL v3)
- BAI09 Manage assets
- DSS05 Manage security services
- DSS06 Manage business process controls
RACI Charts

COBIT 5 - Process Assessment Model (PAM)

What is a Process Assessment?

ISO/IEC 15504-4 identifies process assessment as an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach.
- The purpose of process improvement is to continually improve the enterprise's effectiveness and efficiency.
- The purpose of process capability determination is to identify the strengths, weaknesses and risks of selected processes.

It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes.

What is the new COBIT Assessment Programme?

The COBIT Assessment Programme includes:
- COBIT Process Assessment Model (PAM): Using COBIT 4.1
- COBIT Assessor Guide: Using COBIT 4.1
- COBIT Self-Assessment Guide: Using COBIT 4.1

The COBIT PAM brings together two proven heavyweights in the IT arena, ISO and ISACA.

The COBIT PAM adapts the existing COBIT 4.1 content into an ISO 15504 compliant process assessment model.

What's different?

But don't we already have maturity models for COBIT 4.1 processes?

The new COBIT assessment programme is:
- A robust assessment process based on ISO 15504
- An alignment of COBIT's maturity model scale with the international standard
- A new capability-based assessment model which includes:
  - Specific process requirements derived from COBIT 4.1
  - Ability to achieve process attributes based on ISO 15504
  - Evidence requirements
  - Assessor qualifications and experiential requirements

This results in a more robust, objective and repeatable assessment. Assessment results will likely vary from existing COBIT maturity models!
Differences to COBIT Maturity Model

The COBIT 4.1 PAM uses a measurement framework that is similar in terminology to the existing maturity models in COBIT 4.1. While the words are similar, the scales are NOT the same:
- The COBIT PAM uses the capability scale from ISO/IEC 15504, whereas the existing COBIT maturity models use a scale derived from SEI CMM
- A PAM level 3 is NOT the same as a CMM level 3
- Assessments done under the PAM are likely to result in lower scores
- PAM assessments are based on more fully defined and defensible attributes

COBIT 4.1 Process Maturity Level    ISO/IEC 15504 Process Capability Level    Process Attributes
5 Optimised                         5 Optimizing                              PA 5.1 Process innovation; PA 5.2 Process optimization
4 Managed and measurable            4 Predictable                             PA 4.1 Process measurement; PA 4.2 Process control
3 Defined                           3 Established                             PA 3.1 Process definition; PA 3.2 Process deployment
2 Repeatable but intuitive          2 Managed                                 PA 2.1 Performance management; PA 2.2 Work product management
1 Initial/ad hoc                    1 Performed                               PA 1.1 Process performance
0 Non-existent                      0 Incomplete                              (none)
Assessment Overview

The programme has two components: the Process Assessment Model and the Assessment Process.

PRM Based on COBIT 4.1

Process ID: DS1
Process Name: Define and Manage Service Levels
Purpose: Satisfy the business requirement of ensuring the alignment of key IT services with the business needs.

Outcomes (Os):
- DS1-O1: A service management framework is in place to define the organisational structure for service level management, covering the base definitions of services, roles, tasks and responsibilities of internal and external service providers and customers.
- DS1-O2: Internal and external SLAs are formalised in line with customer requirements and delivery capabilities.
- DS1-O3: Operating level agreements (OLAs) are developed to specify the technical processes required to support SLAs.
- DS1-O4: Processes are in place to monitor (and periodically review) SLAs and achievements.

Base Practices (BPs), with the outcomes each supports:
- DS1-BP1: Create a framework for defining IT services. Supports DS1-O1
- DS1-BP2: Build an IT service catalogue. Supports DS1-O1, O2
- DS1-BP3: Define SLAs for critical IT services. Supports DS1-O2
- DS1-BP4: Define OLAs for meeting SLAs. Supports DS1-O3
- DS1-BP5: Monitor and report end-to-end service level performance. Supports DS1-O4
- DS1-BP6: Review SLAs and underpinning contracts. Supports DS1-O4
- DS1-BP7: Review and update the IT service catalogue. Supports DS1-O1
- DS1-BP8: Create a service improvement plan. Supports DS1-O1

Work Products (WPs)

Inputs (number, description, outcomes supported):
- PO1-WP1: Strategic IT plan. Supports DS1-O1, O2, O3, O4
- PO1-WP4: IT service portfolio. Supports DS1-O1, O2, O3, O4
- PO2-WP5: Assigned data classifications. Supports DS1-O1
- PO5-WP3: Updated IT service portfolio. Supports DS1-O4
- AI2-WP4: Initial planned SLAs. Supports DS1-O3
- AI3-WP7: Initial planned OLAs. Supports DS1-O3
- DS4-WP5: Disaster service requirements, including roles and responsibilities. Supports DS1-O1
- ME1-WP1: Performance input to IT planning. Supports DS1-O1, O2

Outputs (number, description, input to, outcomes supported):
- DS1-WP1: Contract review report. Input to DS2. Supports DS1-O1, O4
- DS1-WP2: Process performance reports. Input to ME1. Supports DS1-O4
- DS1-WP3: New/updated service requirements. Input to PO1. Supports DS1-O2, O3
- DS1-WP4: SLAs. Input to AI1, DS2, DS3, DS4, DS6, DS8, DS13. Supports DS1-O2
- DS1-WP5: OLAs. Input to DS4 to DS8, DS11, DS13. Supports DS1-O3
- DS1-WP6: Updated IT service portfolio. Input to PO1. Supports DS1-O1, O4

Process Reference Model

Process purpose: the high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process.

Process Reference Model

Process outcome: an observable result of a process - an artefact, a significant change of state or the meeting of specified constraints.

Base practices: the activities that, when consistently performed, contribute to achieving the process purpose.

Work products: the artefacts associated with the execution of a process, defined in terms of process inputs and process outputs.

Assessment Overview

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
Process Capability Levels

Level 5 - Optimizing process: The process is continuously improved to meet relevant current and projected business goals.
- PA 5.1 Process innovation attribute
- PA 5.2 Process optimization attribute

Level 4 - Predictable process: The process is enacted consistently within defined limits.
- PA 4.1 Process measurement attribute
- PA 4.2 Process control attribute

Level 3 - Established process: A defined process is used based on a standard process.
- PA 3.1 Process definition attribute
- PA 3.2 Process deployment attribute

Level 2 - Managed process: The process is managed and work products are established, controlled and maintained.
- PA 2.1 Performance management attribute
- PA 2.2 Work product management attribute

Level 1 - Performed process: The process is implemented and achieves its process purpose.
- PA 1.1 Process performance attribute

Level 0 - Incomplete process: The process is not implemented or fails to achieve its purpose.
Measurement Framework

The COBIT assessment process measures the extent to which a given process achieves specific attributes relative to that process (the process attributes).

The COBIT assessment process defines 9 process attributes (based on ISO/IEC 15504-2):
- PA 1.1 Process performance
- PA 2.1 Performance management
- PA 2.2 Work product management
- PA 3.1 Process definition
- PA 3.2 Process deployment
- PA 4.1 Process measurement
- PA 4.2 Process control
- PA 5.1 Process innovation
- PA 5.2 Continuous optimization
Process Attribute Rating Scale

The COBIT assessment process measures the extent to which a given process achieves the process attributes:

N - Not achieved: 0 to 15% achievement. There is little or no evidence of achievement of the defined attribute in the assessed process.

P - Partially achieved: > 15% to 50% achievement. There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.

L - Largely achieved: > 50% to 85% achievement. There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.

F - Fully achieved: > 85% to 100% achievement. There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.
Process Attribute Ratings and Capability Levels

Rating required of each process attribute to reach a given capability level (columns are the target capability levels 1 to 5):

Attribute                        Level 1  Level 2  Level 3  Level 4  Level 5
PA 1.1 Process performance       L/F      F        F        F        F
PA 2.1 Performance management             L/F      F        F        F
PA 2.2 Work product management            L/F      F        F        F
PA 3.1 Definition                                  L/F      F        F
PA 3.2 Deployment                                  L/F      F        F
PA 4.1 Measurement                                          L/F      F
PA 4.2 Control                                              L/F      F
PA 5.1 Innovation                                                    L/F
PA 5.2 Optimization                                                  L/F

Level 1 - Performed, Level 2 - Managed, Level 3 - Established, Level 4 - Predictable, Level 5 - Optimizing; Level 0 - Incomplete when PA 1.1 is not at least largely achieved.
L/F = Largely or Fully; F = Fully
COBIT Assessment Process Overview

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
Process Attributes and Capability Levels

From ISO/IEC 15504: the capability levels (Incomplete, Performed, Managed, Established, Predictable, Optimizing) and the 9 process attributes. From COBIT: the process attribute indicators (PAI) used as evidence for those attributes.

Process Attribute Rating

Assessment indicators in the PAM are used to support the assessor's judgement in rating process attributes:
- They provide the basis for repeatability across assessments
- A rating is assigned based on objective, validated evidence for each process attribute
- Traceability needs to be maintained between an attribute rating and the objective evidence used in determining that rating

Example from COBIT 4.1: DS1 Define and manage service levels (Process Reference Model - Example DS1, as set out in the PRM table above)
COBIT Assurance Tool-Kit

Process Reference Model - Example DS1

Does the process achieve its defined outcomes (PA 1.1)? As evidenced by:
- Production of an object
- A significant change of state
- Meeting of specified constraints, e.g. requirements, goals

Figure 6: PA 1.1 Process Performance
- Result of full achievement of the attribute: The process achieves its defined outcomes.
- Base Practices (BPs): BP 1.1.1 Achieve the process outcomes. There is evidence that the intent of the base practice is being performed.
- Work Products (WPs): Work products are produced that provide evidence of process outcomes, as outlined in section 3.

Rating scale:
N - Not achieved: 0 to 15% achievement
P - Partially achieved: > 15% to 50% achievement
L - Largely achieved: > 50% to 85% achievement
F - Fully achieved: > 85% to 100% achievement

Assessing Process Capability

PA 2.1 Performance management
a. Have objectives for the performance of the process been identified?
b. Is performance of the process planned and monitored?
c. Is performance of the process adjusted to meet plans?
d. Are responsibilities and authorities for performing the process defined, assigned and communicated?
e. Are resources and information necessary for performing the process identified, made available, allocated and used?
f. Are interfaces between the involved parties managed to ensure effective communication and clear assignment of responsibility?

Rating scale:
N - Not achieved: 0 to 15% achievement
P - Partially achieved: > 15% to 50% achievement
L - Largely achieved: > 50% to 85% achievement
F - Fully achieved: > 85% to 100% achievement
Assessing Process Capability

PA 2.2 Work product management
a. Have requirements for the work products of the process been defined?
b. Have requirements for documentation and control of the work products been defined?
c. Are work products appropriately identified, documented and controlled?
d. Are work products reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements?

Rating scale:
N - Not achieved: 0 to 15% achievement
P - Partially achieved: > 15% to 50% achievement
L - Largely achieved: > 50% to 85% achievement
F - Fully achieved: > 85% to 100% achievement

Assessing Attribute Achievement

Worksheet: one row per process attribute, one column per achievement rating.

Attribute                        Not  Partially  Largely  Fully
PA 1.1 Process performance
PA 2.1 Performance management
PA 2.2 Work product management
PA 3.2 Deployment
PA 3.1 Definition
PA 4.1 Measurement
PA 4.2 Control
PA 5.1 Innovation
PA 5.2 Optimisation

Consequence of Capability Gaps

Figure A.3: Consequence of Gaps at Various Capability Levels

Capability Gaps and Risk

Figure A.4: Risk Associated With Each Capability Level

Overview

Assessment Process Activities

1. Initiation
2. Planning the Assessment
3. Briefing
4. Data Collection
5. Data Validation
6. Process Attribute Rating
7. Reporting the Results

Reporting the Results

Target capability profile per process (the Assessed rows are left blank to be filled in with the ratings obtained):

                               Level 1   Level 2            Level 3
                               PA 1.1    PA 2.1   PA 2.2    PA 3.1   PA 3.2
Process A  Target capability   L
           Assessed
Process B  Target capability   F         L        L
           Assessed
Process C  Target capability   F         F        F         L        L
           Assessed
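The rating scale and the ratings-to-capability-level rule from the earlier slides, together with the target-versus-assessed reporting shown here, can be applied mechanically. The following is an added example written for this page (not ISACA or Protiviti material); the achievement percentages for "Process C" are constructed, and the treatment of an unrated attribute as N is an assumption.

```python
# The nine process attributes grouped by the capability level they belong to
# (ISO/IEC 15504-2 as adopted by the COBIT PAM).
LEVEL_ATTRIBUTES = {
    1: ("PA 1.1",),
    2: ("PA 2.1", "PA 2.2"),
    3: ("PA 3.1", "PA 3.2"),
    4: ("PA 4.1", "PA 4.2"),
    5: ("PA 5.1", "PA 5.2"),
}

# Ordering of the N/P/L/F ratings so shortfalls can be compared.
RANK = {"N": 0, "P": 1, "L": 2, "F": 3}


def rate_attribute(achievement_pct: float) -> str:
    """Map a percentage achievement to the PAM rating letter.

    Boundaries follow the deck: 15% is still N, 50% is still P, 85% is still L.
    """
    if not 0 <= achievement_pct <= 100:
        raise ValueError("achievement must be between 0 and 100 percent")
    if achievement_pct <= 15:
        return "N"
    if achievement_pct <= 50:
        return "P"
    if achievement_pct <= 85:
        return "L"
    return "F"


def capability_level(ratings: dict) -> int:
    """Highest capability level the ratings support (0 = Incomplete).

    Level n is reached when every attribute of the levels below n is F and
    every attribute of level n itself is L or F. An attribute that was not
    rated is treated as N (assumption: the conservative reading).
    """
    achieved = 0
    for level in range(1, 6):
        own_ok = all(ratings.get(pa, "N") in ("L", "F")
                     for pa in LEVEL_ATTRIBUTES[level])
        lower_ok = all(ratings.get(pa, "N") == "F"
                       for lower in range(1, level)
                       for pa in LEVEL_ATTRIBUTES[lower])
        if not (own_ok and lower_ok):
            break
        achieved = level
    return achieved


def target_profile(target_level: int) -> dict:
    """Minimum rating per attribute for a target level: one column of the
    ratings-to-levels table (F below the target level, L at it)."""
    if not 0 <= target_level <= 5:
        raise ValueError("target level must be 0..5")
    profile = {}
    for level in range(1, target_level + 1):
        needed = "F" if level < target_level else "L"
        for pa in LEVEL_ATTRIBUTES[level]:
            profile[pa] = needed
    return profile


def capability_gaps(target_level: int, ratings: dict) -> list:
    """(attribute, required, assessed) for each attribute short of the target."""
    gaps = []
    for pa, needed in target_profile(target_level).items():
        assessed = ratings.get(pa, "N")
        if RANK[assessed] < RANK[needed]:
            gaps.append((pa, needed, assessed))
    return gaps


def report(name: str, target_level: int, ratings: dict) -> list:
    """Lines of a target-vs-assessed table in the style of the reporting slide."""
    profile = target_profile(target_level)
    header = f"{name:<10}" + "".join(f"{pa:>8}" for pa in profile)
    target = f"{'Target':<10}" + "".join(f"{v:>8}" for v in profile.values())
    assessed = f"{'Assessed':<10}" + "".join(
        f"{ratings.get(pa, 'N'):>8}" for pa in profile)
    level = f"Achieved capability level: {capability_level(ratings)} (target {target_level})"
    return [header, target, assessed, level]


# Constructed sample: a process with target capability level 3, like Process C
# on the reporting slide. The percentages are invented for the example.
ASSESSED_PROCESS_C = {pa: rate_attribute(pct) for pa, pct in {
    "PA 1.1": 95, "PA 2.1": 90, "PA 2.2": 70, "PA 3.1": 60, "PA 3.2": 40,
}.items()}


if __name__ == "__main__":
    print("\n".join(report("Process C", 3, ASSESSED_PROCESS_C)))
    for pa, needed, got in capability_gaps(3, ASSESSED_PROCESS_C):
        print(f"gap: {pa} needs {needed}, assessed {got}")
```

For the constructed Process C the achieved level is 2, not the target 3, because PA 2.2 is only Largely achieved (level 3 needs all level-2 attributes Fully achieved) and PA 3.2 is only Partially achieved.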

Assessor Certification

COBIT process assessment roles:
- Lead assessor: a competent assessor responsible for overseeing the assessment activities
- Assessor: an individual, developing assessor competencies, who performs the assessment activities

Assessor competencies:
- Knowledge, skills and experience:
  - with the process reference model; the process assessment model, methods and tools; and rating processes
  - with the processes/domains being assessed
- Personal attributes that contribute to effective performance

A training and certification scheme is being developed for COBIT 4.1 and COBIT 5.

And so Goodbye . . .

COBIT Assessment Programme: www.isaca.org/cobit-assessment-programme

Contact Information: research@isaca.org
