A Business Framework for the Governance
and Management of Enterprise IT
COBIT5® is a registered trademark of ISACA.
No part of this document may be reproduced in any form without the explicit written permission of both the 4P Advisory Services and ISACA®. Trademarks, acknowledged.
COBIT5: Implementation
Corporate Training, Consulting, Examinations, Process Improvements, Assessments
Module 0:
Introduction
Module 0: Agenda
• Administration
• Copyright and Acknowledgement
• “Do”s and “Don’t”s
• Administration
• Course Information
• Participant Introduction
• Learning Objectives
• Course Topics
• Examination Information, Procedures and Tips
Copyright & Acknowledgements
Do’s and Don’ts
DO
• Get involved
• Share experiences
• Keep an open mind
• Agree to disagree!
DON’T
• Use Laptops, Tablets, Smart phones, Smart Watches
• Lead to irrelevant out of scope discussions
• Be disruptive
Administration
Fire safety
Planned fire alarm tests
Evacuation procedures and fire exits
Toilets/ Washrooms
Security of belongings
Course timings and breaks
Mobiles/blackberries
Photo ID and pencils for examinations
Lots of questions/discussion please!
Course Information
Course Structure and Approach
Presentation sessions
Group exercises
Case Studies
Exam preparation
Course Materials @ (www.isaca.org)
– COBIT5® Kit can be downloaded.
– COBIT5® Implementation Guide can be downloaded.
Course Syllabus Information
The syllabus is presented by syllabus areas. This is the unit of learning which may
relate to a chapter from the manual/guidance or several concepts commonly
grouped together in a training course module. The following syllabus areas are
identified.
• IP Initiate the program (What are the drivers? ‐Phase 1)
• DP Define Problems & Opportunities (Where are we now and where do we
want to be? ‐Phases 2 & 3)
• PE Plan & Execute the program (What needs to be done & How do we get
there? ‐Phases 4 & 5)
• RB Realize Benefits and Review effectiveness (Did we get there and how do we
keep the momentum going? ‐Phases 6 & 7)
Course Reference Information
Reference Material:
• COBIT 5 Implementation Guide
• COBIT 5 Enabling Processes Guide
• The COBIT 5 Toolkit (contains tools that will be referenced and used in the
training)
COBIT5 Publications
COBIT 5 Publications:
COBIT 5*
COBIT 5 Implementation
COBIT 5: Enabling Processes
COBIT 5: Enabling Information
COBIT 5 Professional Guides
COBIT 5 for Information Security
COBIT 5 for Assurance
COBIT 5 for Risk
COBIT5 Assessment Programme Publications
Process Assessment Model
Self‐Assessment Guide
Assessor Guide
*The COBIT5 Framework
Exam Information
• COBIT 5 Implementation:
Delivery: Computer (web) or Paper based
Type: 4 Multiple choice questions (20 items each)
– Single response, one of four possible answers
– Multiple response, X of Y possible answers
– Matching response
– Assertion response
Each question is awarded one (1) mark
Duration: 150 minutes
Pass Mark: 50% (40 or more marks)
Open Book: ‘COBIT 5 Implementation’ book only
Prerequisites: COBIT 5 Foundation Certificate
Participant Introductions
• Trainer’s Introduction
• Participant’s Introduction
• Name
• Role & experience in the IT Governance domain
• Professional experience
• Current role & corresponding responsibilities
• What you know about the topics under coverage?
• What you expect from the session?
Learning Objective
• Analyse the enterprise drivers
• Apply the implementation challenges, their root causes and success factors
• Assess current process capability
• Determine target process capability
• Scope and plan improvements
• Consider practical implementation factors
• Identify and avoid potential pitfalls
• Leverage the latest good practices
Course Modules :1 of 2
Module 1
Introduction to COBIT
Module 2
Introduction to COBIT5 and Implementation Practices
• IC Introduction to COBIT‐ Principles, Enablers, Processes and PRM (Process Reference Model)
• CS Case Study and Discussions
• PM CSI Model and Program Management for COBIT Implementation
Module 3
IP Initiate the program (What are the drivers? ‐ Phase 1)
Module 4
DP: DP Define Problems & Opportunities
• Module 3.1 DP Define Problems & Opportunities (Where are we now? ‐ Phase 2)
• Module 3.2 DP Define Problems & Opportunities (Where do we want to be? ‐ Phase 3)
Course Modules: 2 of 2
Module 5
PE: PE Plan & Execute the program
• 4.1 PE Plan & Execute the program (What needs to be done? – Phase 4) – Change Enablement?
• 4.2 PE Plan & Execute the program (How do we get there? – Phase 5)
Module 6
RB: Realize Benefits and Review effectiveness
• 5.1 RB Realize Benefits and Review effectiveness (Did we get there? ‐ Phase 6)
• 5.2 RB Realize Benefits and Review effectiveness (How do we keep the momentum going? – Phase 7)
Module 7
CE&CI Change Enablement and Continuous Improvement
Module 8
COBIT 5 Assessment Steps
About ISACA
Module 1:
Introduction to Governance
and COBIT5
Corporate Governance vs. IT Governance
Learning Outcomes
Understand the concepts relating to the structure and format of the
framework, the drivers and business benefits of using the COBIT 5
framework, specifically to identify:
o The drivers for the development of COBIT 5, specifically the needs for
the next generation of ISACA’s guidance on the enterprise governance
and management of IT.
o The benefits to the enterprise stakeholders by using the COBIT 5
framework
Defining Governance
Governance is about negotiating and deciding amongst different stakeholders’
value interests.
Wikipedia: Governance refers to "all processes of governing, whether
undertaken by a government, market or network, whether over a family,
tribe, formal or informal organization or territory and whether through laws,
norms, power or language."
ISACA: Governance—Exercise of authority; control; government; arrangement
Defining Management
Purpose of Governance & Management
Why Was COBIT 5 Developed?
COBIT 5:
ISACA Board of Directors directive: “Tie together and reinforce all ISACA
knowledge assets with COBIT.”
The Evolution of COBIT 5
[Figure: evolution of scope. Labels: Audit; Control; Management; IT Governance; Governance of Enterprise IT. Also shown: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010).]
COBIT 5 Scope
Benefits
Enterprise Benefits
Stakeholder Value
Benefits . . .
COBIT 5:
• Defines the starting point of governance and management activities with the stakeholder needs related to enterprise IT
• Creates a more holistic, integrated and complete view of enterprise governance and management of IT that is consistent and provides an end‐to‐end view on all IT‐related matters
• Creates a common language between IT and business for the enterprise governance and management of IT
• Is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements
Examples: Factors which may indicate a need for the improved governance of enterprise IT:
• Significant incidents related to IT risk, such as data loss or project failure, have been experienced.
• Lack of confidence in IT management.
• IT investments and risks were being managed by various IT departments in isolation, resulting in duplicated efforts in some areas and gaps in others.
• Lack of information consistency and accountability across all IT groups.
• IT goals and perspectives not clearly aligned to the organizational goals.
The COBIT 5 Format
Simplified
COBIT 5 directly addresses the needs of the viewer from different
perspectives
Development continues with specific practitioner guides
COBIT 5 is initially in 3 volumes:
1. The Framework
2. Process Reference Guide
3. Implementation Guide
COBIT 5 is based on:
5 principles and
7 enablers
COBIT5: Principles
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End–to–End
Principle 3 ‐ Single Integrated Framework.
[Figure: Single Integrated Framework. Labels: One Simple Architecture; Integration of Knowledge across domains; Completeness in Enterprise Coverage; Alignment with other relevant frameworks & Standards; ISO/IEC 15504 for Assessment.]
Principle 4: Enabling a Holistic Approach
Principle 5 ‐ Governance and Management Defined
COBIT 5 Product Family
The COBIT5 Integrator Model links COBIT 5 to existing
COBIT and Other IT Governance Frameworks
COSO
COBIT
ISO 27002
ISO 9000
ISACA guidance publications.
SCOPE OF COVERAGE
Source ISACA
COBIT 5 Mapping Specifics ..1
ISO/IEC 38500
o ISO’s 6 principles map to COBIT 5
The following areas and domains are covered by ITIL 2011:
o A subset of processes in the DSS domain
o A subset of processes in the BAI domain
o Some processes in the APO domain
ISO/IEC 27000 (currently 27001:2013)
o Security and IT‐related processes in domains EDM, APO and DSS
o Some security monitoring activities in MEA
ISO/IEC 31000
o Risk management related activities in EDM and APO
COBIT 5 Mapping Specifics ..2
Module 2:
An Introduction to COBIT5
Implementation
COBIT 5 Implementation
COBIT 5 Implementation cont.
• The COBIT 5 Implementation Guide was released at the same time as the COBIT 5 Framework and COBIT 5 Enabling Processes.
• Information and information technology are increasingly part of every aspect of business.
• The need to drive more value from IT investments and manage an increasing array of IT‐related risk has never been greater.
• Increasing regulation and legislation is also raising awareness of the importance of good governance.
Challenges to Success
What are the drivers?
Where are we now and where do we want to be?
What needs to be done?
How do we get there?
Did we get there and how do we keep the momentum going?
© 2012 ISACA. All Rights Reserved.
Roles in Creating an Appropriate Environment
RACI chart for Creating an Appropriate Environment
Components of the Lifecycle
Program Management
1. Initiate program
2. Define problems and opportunities
3. Define roadmap
4. Develop program plan
5. Execute plan
6. Realize benefits
7. Review program effectiveness
8. Sustain
COBIT 5 Implementation
Enterprise Internal and External factors
Understanding the Enterprise Internal and external factors as they apply to
change management such as:
o Ethics and culture
o Applicable laws, regulations and policies
o Mission, vision and values
o Governance policies and practices
o Business plans and strategic intentions
o Operating Model
o Management style
o Risk appetite
o Capabilities and available resources
o Industry practices
Key Success Factors
• Top Management providing the direction and mandate for the initiative as well as on‐going commitment
• All parties supporting the governance and management processes to understand the business and IT objectives
• Ensuring effective communication and enablement of the necessary changes
• Tailoring COBIT and other supporting good practices and standards to fit the unique context of the enterprise
• Focusing on quick wins and prioritising the most beneficial improvements that are easiest to implement
Continuous Improvement through 7 enablers
Case Study Scenario: IT Governance Initiative
Following the takeover the local organization is now known as the ‘local office’ and the
purchaser is known as the ‘Overseas Head Office’.
Case Study Scenario: Background and Current Issues
The organization currently is experiencing issues with change management. As a
result of the takeover, further changes are being introduced which the existing processes
cannot handle. The problems are being exacerbated by the size and the volume of the
required changes.
Although the takeover from the overseas company is recent, Overseas Regulators
are already seeking visibility of compliance.
Prior to being taken over, the current Board had on‐going concerns with IT security.
These concerns are expected to increase given the demands of passing information overseas
to the new Overseas Head Office.
Also prior to the takeover, relationships between IT and the Enterprise were not
good due to previous IT project failures and lack of visibility of project benefits.
Staff morale has been very low with an above average staff turnover. Due to the
recent takeover, there have been senior management changes and a further increase in staff
turnover due to the job uncertainty.
The organization has a new and inexperienced team in IT Governance.
Case Study Scenario: Current projects in place
There are two existing projects underway:
HR Project ‐ There is currently an HR project in progress to address the high level of staff
turnover. Its objective is to reduce the current turnover levels.
IT Security – The local office has recently engaged a team of external security specialists to
review the current level of IT security and to recommend appropriate solutions.
Case Study Scenario: Roles and Responsibilities
An extract of the organizational structure of the Financial Services Organisation (not including
the Overseas Head Office) is given below.
IT Management consists of the CIO and his direct reports.
The Audit Manager is from the Overseas Head Office and is responsible for the local Audit team
The IT Governance, Risk and Compliance (IT GRC) Manager is newly appointed and has recently attended a
COBIT 5 course.
The Technical Support Manager has been with the enterprise for over 20 years and takes a very ‘hands on’
approach. This role is responsible for ensuring the ongoing availability of the network infrastructure.
Case Study Scenario: IT Governance Initiative Start‐up
As a result of the overseas compliance regulations the IT Governance, Risk and
Compliance (IT GRC) Manager has decided to launch a major IT Governance Initiative.
The initiative will incorporate the compliance requirements mandated by the
Overseas Head Office in addition to improvements in governance and change management.
The existing projects will be included within the scope.
The Overseas Head Office will sponsor the programme and the IT GRC Manager has
been appointed as the Programme Manager. However, some problems have already been
experienced:
• Although the IT GRC Manager has launched an initiative it is not clear who is
supporting the initiative and which processes are required to be targeted.
• Attempts by the IT GRC Manager to get the initiative off the ground have
so far been unsuccessful.
Case Study Scenario: Mapping of Processes to Issues
The IT GRC Manager completed a small assessment of the issues facing the new organisation
including the two existing projects on HR and Security and a report summarising their security
issues. He discovered more issues related to the existing change management and HR and
Security problems. He has mapped these to risks and recommended the following COBIT
processes to be included in the improvement programme in order to assist and leverage best
practice for the following Issues and Problem areas:
Case Study Scenario: Mapping of Processes to Issues
2. Security Issues
• Problem/Issue: Access by external contractors poorly controlled
  Risks: Users circumventing logical access rights; users obtaining access to unauthorized information.
  COBIT Processes: DSS05; DSS04
• Problem/Issue: No policy and process for End Point security including mobile devices.
  Risks: Loss/disclosure of portable media, laptops, mobile devices etc.; accidental disclosure of sensitive information.
  COBIT Processes: DSS05
Case Study Scenario: Mapping of Processes to Issues
3. Change Management Issues (COBIT Processes: BAI05)
• Problem/Issue: New organisation cannot cope with change requests for IT processes.
  Risks: Business managers not involved in important investment decision making regarding new applications, prioritisations or new technology opportunities
  COBIT Processes: BAI05
Case Study Scenario: Plan and Execute the Program
Awareness of the business’ frustration about the lack of visibility of the compliance
program has reached the Overseas Head Office. As a result of this, the Overseas Head Office
has instructed the Financial Services Organization to quickly solve this issue relating to the
poor relationships between IT and the business. The instruction has come down for IT to
solve this as part of the Governance Initiative.
The IT GRC Manager is already overloaded with work and hence has asked one of
the junior members of his team to take ownership of the task.
He has told the junior member that the solution to this issue will be to include
information relating to the compliance program on the Financial Services Organization’s
existing Intranet. Access to this Intranet is already available to the business. Due to budget
constraints, there will be a limit on the amount of information that can be added to the
Intranet. This work must be done in‐house.
Module 3:
IP Initiate the program
3 IP: Initiate the program (What are the COBIT5 Implementation
Continual Improvement Life cycle Phase‐1
Ref. Figure 15
Roles in Phase 1
Ref. Figure 16
Phase 1 Description (1/4)
Ref. Figure 17
Phase 1 Description (2/4)
Ref. Figure 17
Phase 1 Description (3/4)
Ref. Figure 17
Phase 1 Description (4/4)
Ref. Figure 17
Phase‐1 RACI Chart
Ref. Figure 18
Phase 1 – What Are the Drivers?
The Basics
Initiate the Programme
Establish desire to change:
Recognise need to act
Phase 1 – SWOT?
Phase 1 ‐ Typical Pain Points
• Failed IT initiatives
• Rising costs
• Perception of low business value for IT investments
• Significant incidents related to IT risk (e.g. data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Hidden and/or rogue IT spending
• Resource waste through duplication or overlap in IT initiatives
• Insufficient IT resources
• IT staff burnout / dissatisfaction
• IT enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
• Multiple and complex IT assurance efforts
• Board members or senior managers that are reluctant to engage with IT
© 2012 ISACA. All Rights Reserved.
Phase 1 ‐ Relevant Trigger Events
• Merger, acquisition or divestiture
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
• An enterprise‐wide governance focus or project
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy or priority
By using pain points or trigger events as the launching point
for IT governance initiatives, the business case for GEIT
improvement can be related to issues being experienced,
which will improve buy‐in to the business case.
Case Study Scenario: Additional Phase 1 Information
In trying to understand where the Financial Services Organization currently stands in
respect to Governance, the IT GRC Manager has identified a number of issues:
The local office management is confused about what the Initiative is trying to achieve and
doesn’t appear to be fully engaged
Concerns have also been expressed as to the potential cost of the proposed
Initiative for what appears to be very little benefit. Suggestions have even been made that if
the Overseas Head Office wants the work completing then it should pay for it
Additionally, the long standing relationship issue between IT and Business
Management caused by previous project failures is still very much in existence
Exercise 001
1. Which reason is a root cause for a lack of Senior Management buy‐in to an improvement initiative
according to the COBIT 5 Implementation Guide?
A. Lack of dedicated resources.
B. Poor perception of the credibility of the IT function.
C. Best practices are copied and are NOT adopted.
D. Continual improvement is NOT part of the culture.
2. Which reason is a root cause of why IT could have difficulty in getting the required business
participation according to the COBIT 5 Implementation Guide?
A. Barriers between IT and the business inhibit participation.
B. IT budget committed to infrastructure.
C. Priorities incorrectly allocated.
D. Fear of revealing inadequate practices.
3. Which reason is a root cause for the lack of current enterprise policy and direction within an
organization according to the COBIT 5 Implementation Guide?
A. IT budget committed to infrastructure.
B. Best practices are copied and are NOT adopted.
C. Overly optimistic goals.
D. Weak enterprise risk management.
4. Which 2 documents are Inputs to Phase 1?
A. Outline Business Case for the Governance Initiative.
B. Reports showing the volume of changes since the takeover.
C. A report from HR on staff turnover.
D. A list of stakeholders at the local office and Overseas Head Office.
E. Documented approval from the CEO to proceed.
5. Which 2 documents are Outputs from Phase 1?
A. A process for engaging local Management about the Governance Initiative.
B. A report showing the local office’s capability to cope with the required amount of process change as a result of
the Governance Initiative.
C. An agreed list of the local office’s Roles and Responsibilities for the Governance Initiative.
D. Reports showing the volume of changes since the takeover.
E. Report on the Security issues.
6. Which 2 activities are Programme Management tasks performed during Phase 1?
A. Understand full impact of the Governance Initiative.
B. Raise awareness of compliance issues with the local office.
C. Obtain buy‐in and approval from the CEO to proceed.
D. Produce outline Governance Initiative business case.
E. Identify other project dependencies such as the Security and HR projects.
7. Which 2 activities are Change Enablement tasks performed during Phase 1?
A. Obtain approval from the CEO to proceed.
B. Produce outline Governance Initiative business case.
C. Understand full impact of the Governance Initiative.
D. Raise awareness of compliance issues with the local office.
E. Issue the change plan based on the overseas compliance requirements.
8. Which 2 activities are Continual Improvement tasks performed during Phase 1?
A. Ensure the understanding of the Overseas Head Office’s compliance requirements for the local office is
correct.
B. Understand full impact of the Governance Initiative.
C. Raise awareness of compliance issues with the local office.
D. Identify other project dependencies such as the Security and HR projects.
E. Raise local Management’s awareness of the importance of the Initiative.
Module 4:
DP Define Problems &
Opportunities
4.1 DP Define Problems & Opportunities COBIT5 Implementation
(Where are we now Phase 2) 4P Advisory Services
Continual Improvement Life Cycle Phase‐2
Ref. Figure 19
Roles in Phase 2
Ref. Figure 20
Phase 2 Description (1/5)
Ref. Figure 21
Phase 2 Description (2/5)
Ref. Figure 21
Phase 2 Description (3/5)
Ref. Figure 21
Phase 2 Description (4/5)
Ref. Figure 21
Phase 2 Description (5/5)
Ref. Figure 21
Phase‐2 RACI Chart
Ref. Figure 22
Phase 2 – Where are We Now?
4.2 DP Define Problems & Opportunities COBIT5 Implementation
Continual Improvement Life Cycle Phase‐3
Ref. Figure 23
Roles in Phase 3
Ref. Figure 24
Phase 3 Description (1/5)
Ref. Figure 25
Phase 3 Description (2/5)
Ref. Figure 25
Phase 3 Description (3/5)
Ref. Figure 25
Phase 3 Description (4/5)
Ref. Figure 25
Phase 3 Description (5/5)
Ref. Figure 25
Phase 3 RACI Chart
Ref. Figure 26
Phase 3 – Where Do We Want to Be?
Define the roadmap
o Describe the high level change enablement plan and objectives
Communicate desired vision
o Develop a communication strategy
o Communicate the vision
o Articulate the rationale and benefits of the change
o Set the tone at the top
Define target state and perform gap analysis
o Define the target for improvement
o Analyze the gaps
o Identify potential improvements
4 DP Define Problems & Opportunities COBIT5 Implementation
4P Advisory Services
Case Study Scenario: Additional Phase 2 & 3 Information
The CIO approached the IT GRC manager and is not convinced that he has captured all of the
COBIT processes needed to mitigate the risks associated with their issues.
Exercise 002
1. Which 2 reasons are root causes of the inability to gain the backing of local business management, according to
the COBIT 5 Implementation Guide?
A. The recent takeover has left uncertainty and the threat of further changes.
B. The priorities of the Initiative are NOT in line with the objectives of the local office.
C. There is poor communication about the expected successes of the Initiative.
D. More change is being enforced and the current processes are unable to cope with the existing amount of
change.
E. The implementation solution appears to have too many manual workarounds.
2. Which 2 reasons are root causes of why the cost of the IT Governance Initiative appears to exceed any benefit at
the local office, according to the COBIT 5 Implementation Guide?
A. There is a perception that there is a lack of required compliance skills at the local office.
B. Structure of the IT Governance Initiative does NOT demonstrate what the benefits will be at this stage of the
programme.
C. The recent takeover has left uncertainty and the threat of further changes.
D. Budget funds have already been spent on the takeover and this is seen as a further drain on resources.
E. There is poor communication about the expected successes of the Initiative.
3. Which 2 actions are success factors which should help resolve the current lack of trust between the local office IT
function and Business Management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Educate the business by running a COBIT 5 training course.
C. Produce a plan of expected changes for the year ahead which take account of the compliance requirements.
D. Only implement improvements that add value to the local office.
E. Ensure all resources are full time and dedicated to the Governance Initiative.
4. Which 2 actions are success factors which should help resolve the inability to gain support from the local office’s
business management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Only implement improvements that add value to the local office.
C. Express the Governance Initiative in terms that are relevant to business management.
D. Set up a regular Compliance forum which includes members of both local and Overseas Business Management
and local IT Management.
E. Ensure all resources are full time and dedicated to the Governance Initiative
5. Which 2 actions are success factors which should help resolve the concerns that the local office has regarding the cost
of improvements outweighing any potential benefits, according to the COBIT 5 Implementation Guide?
A. Liaise with Business Management to identify initiatives that can be resolved quickly.
B. Secure secondments* of compliance staff from the overseas office.
C. Ensure all resources are full time and dedicated to the Governance Initiative.
D. Only implement improvements that add value to the local office.
E. Focus on the change process as an area to be tackled by the Initiative.
6. There is a current lack of ownership for both the business and IT in respect of who has a role to play in this
Governance Initiative. Which CE task is executed to address the concern of lack of ownership for the Governance
Initiative at the local office during Phase 2?
A. Engage with HR about producing a communications plan about the future benefits of the Initiative.
B. Develop an escalation process.
C. Elect key representatives from the local office and the Overseas Head Office.
D. Create steering committees for relevant parts of the Initiative.
*Secondment: A temporary transfer of an official or worker to another position or employment.
5.1 PE Plan & Execute the program COBIT5 Implementation
Continual Improvement Life Cycle Phase 4
Ref. Figure 27
Roles In Phase 4
Ref. Figure 28
Phase 4 Description (1/5)
Ref. Figure 29
Phase 4 Description (2/5)
Ref. Figure 29
Phase 4 Description (3/5)
Ref. Figure 29
Phase 4 Description (4/5)
Ref. Figure 29
Phase 4 Description (5/5)
Ref. Figure 29
Phase 4 RACI Chart
Ref. Figure 30
Phase 4 – What Needs to Be Done?
Develop program plan
o Prioritize potential initiatives
o Develop formal and justifiable projects
o Use plans that include contribution and program objectives
Empower role players and identify quick wins
o High benefit, easy implementations should come first
o Obtain buy‐in by key stakeholders affected by the change
o Identify strengths in existing processes and leverage accordingly
Design and build improvements
o Plot improvements onto a grid to assist with prioritization
o Consider approach, deliverables, resources needed, costs, estimated time scales, project dependencies and risks
5.2 PE Plan & Execute the program COBIT5 Implementation
Continual Improvement Life Cycle Phase 5
Ref. Figure 31
Roles in Phase 5
Ref. Figure 32
Phase 5 Description
Ref. Figure 33
Phase 5 Description
Ref. Figure 33
Phase 5 Description
Ref. Figure 33
Phase 5 Description
Ref. Figure 33
Phase 5 RACI Chart
Ref. Figure 34
Phase 5 – How Do We Get There?
Execute the plan
o Execute projects according to an integrated program plan
o Provide regular update reports to stakeholders
o Document and monitor the contribution of projects while managing risks identified
Enable operation and use
o Build on the momentum and credibility of quick wins
o Plan cultural and behavioral aspects of the broader transition
o Define measures of success
Implement improvements
o Adopt and adapt best practices to suit the enterprise’s approach to policies and process changes
5 PE Plan & Execute the program COBIT5 Implementation
4P Advisory Services
Case Study Scenario: Additional Phase 4 & 5 Information
The CIO approached the IT GRC manager and is not convinced that he has captured all of the
COBIT processes needed to mitigate the risks associated with their issues.
Exercise 003
1. Which 2 additional processes should be selected to help mitigate all of the risks associated
with the security issues (issue 2)?
A. APO07
B. DSS01
C. BAI06
D. APO01
E. APO08
2. Which 2 additional processes should be selected to help mitigate the risks of projects failing
due to cost, delays, scope creep or changed business priorities associated with the project delivery issues
(issue 4)?
A. BAI03
B. APO03
C. EDM04
D. MEA01
E. APO06
Case Study Scenario: Additional Phase 4 & 5 Information
Using the Scenario, answer the following questions about change enablement tasks. The
project is now at Phase 4 ‘What needs to be done?’ The IT GRC Manager called a Project
planning meeting and decided on some Change Enablement objectives in order to ‘get things
moving’. Decide whether the action taken by the IT GRC Manager to address each objective is
an appropriate Phase 4 Change Enablement (CE) task and select the response that supports
your decision.
3. Objective 1: Obtain buy‐in from the local office. Action: The IT GRC Manager has held a workshop
with key members of business and IT to review and confirm the proposed change management process. Is this
action an appropriate Phase 4 CE task for Objective No 1?
A. No, because any required changes will be enforced through local management or the Overseas Head Office.
B. No, because the commitment to make the change should have been obtained in Phase 3.
C. Yes, because consulting affected stakeholders will help make them responsible to accept results.
D. Yes, because this will ensure the change management process is implemented as a quick win.
4. Objective 2: Speed up the implementation for a new Change process which will apply to both the
business and IT. Action: The IT GRC Manager has decided to implement an IT version of the change response plans.
Is this action an appropriate Phase 4 CE task to address Objective No 2?
A. No, because engagement should have been made with all affected areas prior to the implementation e.g. the
business management.
B. No, because the implementation of the change response plan should have been performed at Phase 3.
C. Yes, because a Phase 4 CE task is about understanding what IT solutions will be needed to support the Overseas
Head Office compliance requirements.
D. Yes, because a Phase 4 CE task is to prioritize and select improvements.
5. Objective 3:‐ Build on Phase 2 ‘Where are we now’ and identify tasks that don’t take long to
implement. Action: The IT GRC Manager has decided to go ahead and implement quick wins in as short a time as
possible without immediate consultation with the business. Is this action an appropriate Phase 4 CE task to address
Objective No 3?
A. No, because changes to existing processes at the local office should be designed during Phase 1.
B. No, because visibility of the changes by methods such as a workshop is needed.
C. Yes, because providing the concept of the change has been proven.
D. Yes, because a Phase 4 activity is to perform a gap analysis to identify the improvements needed to the change
management process.
6. Objective 4:‐ Leverage existing processes (from the Overseas Head Office). Action: The IT GRC
Manager has obtained details of a number of compliance related processes from the Overseas Head Office which
are used successfully to manage Compliance. The plan is to adapt these processes for use at the local office. Is this
action an appropriate Phase 4 CE task to address Objective No 4?
A. No, because changes to existing processes at the local office should have been designed during Phase 1.
B. No, because the processes should be implemented ‘as is’ if they have been used successfully at the Overseas
Head Office.
C. Yes, because a Phase 4 CE task is to identify existing strengths.
D. Yes, because identifying work already performed in the organisation prevents duplication of effort and
encourages re‐use.
6.1 RB: Realize Benefits and Review
effectiveness (Did we get there? ‐ Phase 6)
Continual Improvement Life Cycle Phase 6
Ref.: Figure 35
Roles in Phase 6
Ref.: Figure 36
Phase 6 Description (1/3)
Ref.: Figure 37
Phase 6 Description (2/3)
Ref.: Figure 37
Phase 6 Description (3/3)
Ref.: Figure 37
Phase 6 RACI Chart
Ref.: Figure 38
Phase 6 – Did We Get There?
• Realize benefits
  o Monitor the overall performance of the program against business case objectives
  o Monitor and measure the investment performance
• Embed new approaches
  o Provide transition from project mode to business as usual mode
  o Monitor whether new roles and responsibilities have been taken on
  o Track and assess objectives of the change response plans
  o Maintain communication and ensure communication between appropriate stakeholders continues
• Operate and measure
  o Set targets for each metric
  o Measure metrics against targets
  o Communicate results and adjust targets as necessary
© 2012 ISACA. All Rights Reserved.
6.2 RB: Realize Benefits and Review effectiveness
(How do we keep the momentum going? – Phase 7)
Continual Improvement Life Cycle Phase 7
Ref.: Figure 39
Roles in Phase 7
Ref.: Figure 40
Phase 7 Description (1/3)
Ref.: Figure 41
Phase 7 Description (2/3)
Ref.: Figure 41
Phase 7 Description (3/3)
Ref.: Figure 41
Phase 7 RACI Chart
Ref.: Figure 42
Phase 7 – How Do We Keep Momentum?
Continual improvements – keeping the momentum is critical to sustainment of the lifecycle
• Review the program benefits
  o Review program effectiveness through a program review gate
• Sustain
  o Conscious reinforcement (reward achievers)
  o Ongoing communication campaign (feedback on performance)
  o Continuous top management commitment
• Monitor and evaluate
  o Identify new governance objectives based on program experience
  o Communicate lessons learned and further improvement requirements for the next iteration of the cycle
Case Study Scenario: Additional Phase 6 & 7 Information
The following questions are about the root causes of the challenges encountered when
identifying whether the implementation has met its objectives. The IT GRC Manager decided
to speak to a number of key members of the local office Management to gauge feedback on
the Governance Initiative. The following issues were obtained from various members of local
office staff:
• The change management process is seen as too hard to understand and has resulted in
low usage of the process within the local office. Additionally there was feedback that the
solution looked like it was a direct copy of the Overseas Head Office process without
consideration of local factors.
• The IT staff working on the Initiative are de‐motivated, as they felt they had been left to
manage the project with little or no assistance from the Business Management.
• A lot of feedback was asking the question ‘what have we achieved?’ as there was a belief
that very little had changed and concerns were raised as to the overall value of the
Initiative.
Exercise 004
1. Which 2 actions are success factors that should help to resolve the lack of take up of the change management
process?
A. Obtain compliance input from the Overseas Head Office auditors.
B. Involve the business process owners in the future refinement of the change process.
C. Ensure all resources are full time and dedicated to the Governance Initiative.
D. Arrange a training course for users of the change process.
E. Produce a RACI matrix for Governance related roles for the local office.
2. Which 2 actions are success factors that should help to resolve the de‐motivation of the IT staff working on the
Governance Initiative?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Seek to second a Compliance resource from the Overseas Head Office.
C. Organise a road show with the Business Management ‐ Revisiting stakeholders.
D. Ensure all resources are full time and dedicated to the Governance Initiative.
E. Arrange a training course for users of the change process.
*Secondment: A temporary transfer of an official or worker to another position or employment.
3. Which 2 actions are success factors that should help to resolve the concern raised over the overall value of the
Governance Initiative?
A. Issue a Compliance health check showing progress made.
B. Arrange a training course for users of the change process.
C. Seek to second a compliance resource from the Overseas Head Office.
D. Issue a compliance article on the Intranet site in business terms.
E. Produce a RACI matrix for Governance related roles for the local office.
4. Which 2 documents are Inputs to the Phase 6 review of the Change Management process?
A. Revised process documentation.
B. A signed‐off copy of the Change Management Procedure.
C. IT and business measures added into the ongoing monitoring of the change process (post‐project).
D. A copy of the Change Management process before the implementation.
E. A copy of the Benefits of the Change Process.
5. Which 2 documents are Outputs of the Phase 6 review of the Change Management process?
A. A signed off copy of the Business Case.
B. Revised process documentation.
C. Business and IT agreed measures to monitor the change process.
D. A signed off copy of the Change Management Procedure.
E. Identification of the appropriate Change agents within the local office.
6. Which 2 activities are Programme Manager tasks to be performed during the Phase 6 review of the Change
Management process?
A. Review if the Change Management process is meeting its original intentions.
B. Understand what went well and what didn’t.
C. Develop an escalation procedure to Management.
D. Communicate the results of the Change Management procedure to relevant Business and IT parties.
E. Produce a report of the success factors required to be met for a successful implementation of the Change
Management process.
Module 7: The Inner Layers: Change Enablement and Continuous Improvement
Change enablement relationships to Programme management Steps
The seven phases are shown with the program management steps they relate to. The table below outlines
the seven enablers (the second or red circle) and the relationship to the seven program management
steps (the outer ring or dark blue ring):
Making the Business Case
i.e., Justification to the Board
Characteristics of Good Business Case
Exercise 005
• Make a project Plan for the COBIT5 Implementation with typical timelines.
• Allocate teams the relevant roles.
• Decide and Highlight the “Target State” metrics, compared to the current ones.
Module 8: Process Assessment / Verification
Overview
COBIT 5 Process Reference Model
Components of ISO/IEC 15504 Process Assessment
Assessment Process Activities
1 – Initiation
2 – Planning the Assessment
3 – Briefing
4 – Data Collection
5 – Data Validation
6 – Process Attribute Rating
7 – Reporting the Results
1. Initiation
2. Planning the Assessment
3. Briefing
4. Data Collection
• The assessor obtains (and documents) an understanding of the process(es) including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment
• Data required for evaluating the processes within the scope of the assessment is collected in a systematic manner
• The strategy and techniques for the selection, collection, analysis of data and justification of the ratings are explicitly identified and demonstrable
• Each process identified in the assessment scope is assessed on the basis of objective evidence
• The objective evidence gathered for each attribute of each process assessed must be sufficient to meet the assessment purpose and scope
• Objective evidence that supports the assessors’ judgement of process attribute ratings is recorded and maintained in the Assessment Record.
• This Record provides evidence to substantiate the ratings and to verify compliance with the requirements.
5. Data Validation
• Actions are taken to ensure that the data is accurate and sufficiently covers the assessment scope, including:
  o seeking information from first hand, independent sources;
  o using past assessment results; and
  o holding feedback sessions to validate the information collected.
• Some data validation may occur as the data is being collected
6. Process Attribute Rating
• For each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope
• The rating is based on data validated in the previous activity
• Traceability shall be maintained between the objective evidence collected and the process attribute ratings assigned
• For each process attribute rated, the relationship between the indicators and the objective evidence is recorded
7. Reporting the Results
The results of the assessment are analysed and presented in a report.
The report also covers any key issues raised during the assessment such as:
• observed areas of strength and weakness
• findings of high risk, i.e. magnitude of gap between assessed capability and desired/required capability