
COBIT 5 domain delivery, service and support mapping for business continuity plan

Amirul Iqbal, Widyawan, and I. Wayan Mustika

Citation: AIP Conference Proceedings 1746, 020045 (2016); doi: 10.1063/1.4953970


View online: http://dx.doi.org/10.1063/1.4953970
View Table of Contents: http://aip.scitation.org/toc/apc/1746/1
Published by the American Institute of Physics
Amirul Iqbal (a), Widyawan (b), I Wayan Mustika (c)

Department of Electrical Engineering and Information Technology, Faculty of Engineering, Universitas Gadjah Mada, Jl. Grafika No. 2, Yogyakarta, Indonesia, 55281

a) Corresponding author: Amiruliqbal.mti13@mail.ugm.ac.id
b) widyawan@ugm.ac.id
c) wmustika@ugm.ac.id

Abstract. A Business Continuity Plan (BCP) is a plan whose function is to maintain the continuity of business activity during and after an interruption or disaster. A BCP can be an indicator of how well an organization is prepared to maintain its business activities so that they continue to function even when affected by a disruption or disaster. Several international standards regulate and provide guidance on establishing a BCP. In practice, especially for non-profit organizations such as educational institutions, the diversity of approaches to forming a BCP makes it difficult to compare one organization's readiness for a disruption or disaster with another's. COBIT 5 is an IT governance standard that can be used in particular for managing the performance of information technology in a business activity. COBIT 5 can provide direction or guidance on quality systems, planning, management, security, development and management of IT services. This paper aims to map and analyze an IT governance standard, COBIT 5 Domain DSS, as a framework for business continuity planning (BCP), in order to make the formation of BCPs uniform and to facilitate the measurement of an organization's readiness for a disruption or disaster.

INTRODUCTION
The rapid development of information technology has made IT a very significant component in supporting organizations in conducting their business activities [1]. Computer systems are used widely in a broad range of business activities, including planning, controlling, organizing and decision making [2]. To a certain extent, it is even very difficult to find an organization that can run its business activities without the help of a computer system.

On one hand, the integration of business activities into a computer system is conducted with the purpose of accelerating data processing and turning data into meaningful information [3]. On the other hand, as computer technology develops, the threats to it, in terms of disturbance or even disaster, can bring a new type of catastrophe for the organization [4]. There have been several occurrences of organizations failing when threats became disruptions to the business activities they conduct. The damage can range from loss of service provision up to system failure.

A computer system, particularly one whose function is to provide a service to a person or a group of persons, needs to guarantee that its service is always available. One possible way to do so is by creating a Business Continuity Plan (BCP).

A business continuity plan is created and developed in order to minimize or even avoid interruption of business activities that are integrated in a computer system, so that the potential damage caused by a disaster or disturbance can be minimized, thereby reducing the cost the organization has to bear [5]. Such planning requires the involvement of various working units or divisions within an organization and requires full support from all related business units.

The 2016 Conference on Fundamental and Applied Science for Advanced Technology (ConFAST 2016)
AIP Conf. Proc. 1746, 020045-1–020045-6; doi: 10.1063/1.4953970
Published by AIP Publishing. 978-0-7354-1403-7/$30.00

Business continuity planning is not limited to profit-oriented organizations. Non-profit organizations, such as educational institutions, also need this type of planning, because a business continuity plan helps organizations keep their systems and services always available.

There are several main factors that need to be considered in developing a business continuity plan. These factors must be considered because they guide the organization in minimizing the effects of disturbances or threats to its business and provide an easier way to normalize business activities. In practice, however, there are many different methods of business continuity planning: several organizations formulate the plan according to their own conditions and requirements. This variety causes difficulties for other organizations that are just starting to formulate their business continuity plan, since they are trying to refer to the best role model in creating one.

In this research, a formulation for developing a business continuity plan using COBIT 5 is proposed. It also considers the main factors that are necessary in a business continuity plan. Such a formulation is expected to provide uniformity in planning, to assist organizations in creating business continuity plans more easily, and to help organizations benchmark themselves against other organizations.

The organization of this paper is as follows. A brief explanation of the research is provided in Chapter I. Chapter II describes previous research using COBIT 5 and the main factors that have to be considered in creating a business continuity plan. The core of the research is discussed in Chapter III, which covers the mapping of COBIT 5 to the main factors in business continuity planning. Chapter IV summarizes the research by discussing the conclusions.

RESEARCH QUESTION
The research addresses the following questions in the aforementioned study areas:
1. How can COBIT 5 be implemented in a BCP?
2. Does COBIT 5 have a guideline or toolkit for formulating a BCP?
3. Which COBIT 5 processes and related practices can be implemented as a BCP?

LITERATURE REVIEW

Business Continuity Plan


A business continuity plan is an organization's strategy for minimizing the effects of certain disturbances or threats to its business activities and for providing an easy remedy to normalize those activities during such moments [6][7].

There are 4 main components in a business continuity plan [8], which are:
1. Business Impact Analysis (BIA)
2. Risk Management
3. Incident handling
4. Disaster recovery and restoration

A business continuity plan (BCP) is a policy and set of actions conducted by the organization in order to minimize, or even prevent, incidents and threats that can potentially harm the business activities. In addition, a BCP also serves as a documentation mechanism for all the steps that need to be taken upon the occurrence of an incident. The organization is therefore expected to respond immediately and take appropriate actions when facing threats, which reduces the loss the organization may face and allows the business processes it runs to recover quickly to normal condition.

COBIT 5
Control Objectives for Information and related Technology (COBIT) is a collection of best-practice documentation for IT governance that helps auditors, management and users bridge the gap between business risks, control requirements and other technical problems. COBIT 5 is general purpose and can therefore be implemented in companies of any size, whether in commercial industry, non-profit organizations, or the government/public sector. There are two areas in COBIT 5, namely governance and management. These two areas consist of 5 domains and 37 processes [9].

COBIT 5 is based on 5 key principles for the IT governance and management of an organization. These 5 principles allow the organization to establish an effective governance and management framework, which in turn can optimize investment and IT usage.

There are several processes in COBIT 5, from which one process in the Deliver, Service and Support (DSS) domain is selected for this research, namely the DSS04 process. The DSS domain is chosen because it focuses on information technology delivery, the processes and support systems that allow the implementation of effective and efficient IT. Moreover, the DSS domain focuses on improving IT service to the customers who demand the service.

DSS04 is the process in the DSS domain that aims to keep critical business activities running and to maintain information availability at the level accepted according to the standard of the organization or company. DSS04 contains guidance for making sure that the organization's IT service is always available. This process is selected for the BCP mapping because its process description and process purpose statement reflect points that are in accordance with the main factors in a BCP [10].

RESEARCH METHODS
The method used in this research was mapping between COBIT 5 DSS04 and the main components of a Business Continuity Plan. The research method consisted of the following stages: analysis of potential and problems, determining the important process, and mapping the BCP main factors to COBIT 5 DSS04.

The analysis of potential and problems was conducted through a literature study on BCP. The result of the analysis was then used to choose the framework and determine the main components of a BCP. COBIT 5 was selected because it is an IT framework that has control objectives, management guidelines and a maturity model [9]. COBIT 5 has a toolkit for implementation and is relatively easy to implement because there are many supporting documents and best practices on implementation [9]. Finally, the BCP main factors are mapped to COBIT 5 DSS04, as described in detail in the next chapter.

DSS04 MAPPING FOR BCP


The utilization of IT in supporting business activities needs to take into account the requirements and procedures that an organization has. COBIT can be employed as a supporting toolset that bridges the gap between demand and the technical supply to meet that demand. COBIT is process oriented, so it can be used practically as standard guidance to support an organization in achieving its goals with the support of IT. COBIT provides framework guidance that helps top-level decision making within the organization.

DSS04 is a process in the COBIT 5 Deliver, Service and Support domain whose function is to compile and maintain business and IT plans for responding to incidents and disturbances, so that the organization's critical business processes can always run. Moreover, this process also aims to maintain information availability within the tolerance for information availability that has been determined by the organization [11].

As stated earlier in this paper, a business continuity plan is very important to the organization. Not only profit-oriented institutions need this type of plan; non-profit organizations (e.g. educational institutions) also need a business continuity plan. This planning helps the organization keep its systems and services always available. For example, researchers in an educational institution need real-time access to datasets to support the success of their research. Therefore, in this research, an analysis of the utilization of the Deliver, Service and Support (DSS) domain of COBIT 5 is conducted, in order to increase control over all activities involved in business continuity planning.

The utilization of a framework aims to assist an organization. A framework has a complete and detailed guide, which makes it a proper best-practice guide, particularly in business continuity planning. In addition, it can also simplify the integration of planning and the assessment of the planning's output.

To further understand the mapping of BCP factors to the DSS04 process of COBIT 5, each BCP factor has been mapped to the relevant ones of the 8 control objectives in the DSS04 process, according to the key areas each addresses. The mapping is based on matching the expected output of each BCP main factor with the expected output of each control objective in DSS04. From the matching of goals, it is found that each main factor in a BCP corresponds to one or more control objectives. TABLE 1 shows the activity guidance that each control objective provides. Such activities can be used as guidance for the organization in fulfilling its business continuity planning requirements, based on the main factors in a BCP.

The implementation of best-practice frameworks in the business activities of an organization is a very complex process, and thus requires full support from all elements related to the organization. For the utilization of best practice to be effective, an approach aligned with the business requirements of the organization is considered the best one, because it causes every party to follow the same goal and priority.

TABLE 1. Mapping DSS04 process with BCP factors (columns: BCP Factor, DSS04 Process Objective, Control Activities)

BCP Factor: Business Impact Analysis

DSS04.1 Define the business continuity policy, objective and scope. Control activities:
1. Identify internal and outsourced business processes and service activities that are critical to the enterprise operations or necessary to meet legal and/or contractual obligations.
2. Identify key stakeholders and roles and responsibilities for defining and agreeing on continuity policy and scope.
3. Define and document the agreed-on minimum policy objectives and scope for business continuity and embed the need for continuity planning in the enterprise culture.
4. Identify essential supporting business processes and related IT services.

DSS04.2 Maintain a continuity strategy. Control activities:
1. Identify potential scenarios likely to give rise to events that could cause significant disruptive incidents.
2. Conduct a business impact analysis to evaluate the impact over time of a disruption to critical business functions and the effect that a disruption would have on them.
3. Establish the minimum time required to recover a business process and supporting IT based on an acceptable length of business interruption and maximum tolerable outage.
4. Assess the likelihood of threats that could cause loss of business continuity and identify measures that will reduce the likelihood and impact through improved prevention and increased resilience.
5. Analyze continuity requirements to identify the possible strategic business and technical options.
6. Identify potential scenarios likely to give rise to events that could cause significant disruptive incidents.
7. Determine the conditions and owners of key decisions that will cause the continuity plans to be invoked.
8. Identify resource requirements and costs for each strategic technical option and make strategic recommendations.
9. Obtain executive business approval for selected strategic options.

BCP Factor: Incident Handling

DSS04.3 Develop and implement a business continuity response. Control activities:
1. Define incident response actions and communications to be taken in the event of disruption. Define related roles and responsibilities, including accountability for policy and implementation.
2. Develop and maintain operational BCPs containing the procedures to be followed to enable continued operation of critical business processes and/or temporary processing arrangements, including links to plans of outsourced service providers.
3. Ensure that key suppliers and outsource partners have effective continuity plans in place. Obtain audited evidence as required.
4. Define the conditions and recovery procedures that would enable resumption of business processing, including updating and reconciliation of information databases to preserve information integrity.
5. Define and document the resources required to support the continuity and recovery procedures, considering people, facilities and IT infrastructure.
6. Define and document the information backup requirements required to support the plans, including plans and paper documents as well as data files, and consider the need for security and off-site storage.
7. Determine required skills for individuals involved in executing the plan and procedures.
8. Distribute the plans and supporting documentation securely to appropriately authorized interested parties and make sure they are accessible under all disaster scenarios.

BCP Factor: Risk Management

DSS04.4 Exercise, test and review the BCP. Control activities:
1. Define objectives for exercising and testing the business, technical, logistical, administrative, procedural and operational systems of the plan to verify completeness of the BCP in meeting business risk.
2. Define and agree on with stakeholders exercises that are realistic, validate continuity procedures, and include roles and responsibilities and data retention arrangements that cause minimum disruption to business processes.
3. Assign roles and responsibilities for performing continuity plan exercises and tests.
4. Schedule exercises and test activities as defined in the continuity plan.
5. Conduct a post-exercise debriefing and analysis to consider the achievement.
6. Develop recommendations for improving the current continuity plan based on the results of the review.

DSS04.5 Review, maintain and improve the continuity plan. Control activities:
1. Review the continuity plan and capability on a regular basis against any assumptions made and current business operational and strategic objectives.
2. Consider whether a revised business impact assessment may be required, depending on the nature of the change.
3. Recommend and communicate changes in policy, plans, procedures, infrastructure, and roles and responsibilities for management approval and processing via the change management process.
4. Review the continuity plan on a regular basis to consider the impact of new or major changes to: enterprise organization, business processes, outsourcing arrangements, technologies, infrastructure, operating systems and application systems.

DSS04.6 Conduct continuity plan training. Control activities:
1. Define and maintain training requirements and plans for those performing continuity planning, impact assessments, risk assessments, media communication and incident response. Ensure that the training plans consider frequency of training and training delivery mechanisms.
2. Develop competencies based on practical training, including participation in exercises and tests.
3. Monitor skills and competencies based on the exercise and test results.

BCP Factor: Disaster Recovery and Restoration

DSS04.7 Manage backup arrangements. Control activities:
1. Back up systems, applications, data and documentation according to a defined schedule.
2. Ensure that systems, applications, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. Consider requiring return of backups from third parties. Consider escrow or deposit arrangements.
3. Define requirements for on-site and off-site storage of backup data that meet the business requirements. Consider the accessibility required to back up data.
4. Roll out BCP awareness and training.
5. Periodically test and refresh archived and backup data.

DSS04.8 Conduct post-resumption review. Control activities:
1. Assess adherence to the documented BCP.
2. Determine the effectiveness of the plan, continuity capabilities, roles and responsibilities, skills and competencies, resilience to the incident, technical infrastructure, and organizational structures and relationships.
3. Identify weaknesses or omissions in the plan and capabilities and make recommendations for improvement.
4. Obtain management approval for any changes to the plan and apply them via the enterprise change control process.

CONCLUSION
This paper focuses on the utilization of a standardized information technology management system that is widely adopted all over the world. COBIT, as a standard reference for business continuity planning, provides guidance in managing service aspects and in controlling activities related to business continuity via the DSS domain process DSS04. From the result of the mapping, COBIT 5 can be implemented in a BCP. COBIT 5 has control objectives that are in accordance with the main factors of a BCP. With the guide and toolkit that COBIT 5 provides, it can be used as a guide for formulating a BCP.

A Business Continuity Plan aims to support business activities by making sure that IT services can work optimally and can be restored, with minimal time and cost, after a disturbance or disaster. In addition, a Business Continuity Plan needs full support from all elements of the organization, including the owner, chief executive, managers and divisions within that organization.

In general, the utilization of IT has great potential for supporting an organization in achieving its business goals. Information technology can provide significant benefit for the organization, in terms of competitive advantage and increased productivity. By managing the technology and applying a good performance standard to it, an organization can manage and monitor its information technology more effectively. This is certainly beneficial to the organization since it can benchmark more accurately, in order to maintain or improve its information technology service availability.

REFERENCES
[1] R. von Solms, Information Management in Computer Security, 7, 50 (1999).
[2] S. de Haes and W. V. Grembergen, in Hawaii Int. Conf. Syst. Sci., Proceedings of the 41st Annual Conference (2008), pp. 428–428.
[3] I.G. Institute, Enterprise Value: Governance of IT Investments - Getting Started With Value Management (ISACA, 2008).
[4] S. Halliday, K. Badenhorst, R. von Solms, Information Management in Computer Security, 4, 19 (1996).
[5] International Organization for Standardization, ISO 22301:2012(E): Societal Security -- Business Continuity Management Systems -- Requirements (ISO, Geneva, 2012).
[6] S. Prakash, S. Mody, A. Wahab, S. Swaminathan, and R. Paramount, in Cloud Comput. Technol. Appl. Manag. ICCCTAM 2012 Int. Conf. On (IEEE, 2012), pp. 139–144.
[7] R. L. Krutz and R. D. Vines, The CISSP Prep Guide, Gold edition (Wiley Publishing, Indianapolis, 2003).
[8] M. Dey, in GCC Conf. Exhib. GCC 2011 IEEE (2011), pp. 229–232.
[9] Information Systems Audit and Control Association, editor, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (ISACA, Rolling Meadows, Illinois, 2012).
[10] ISACA, COBIT 5 Enabling Processes (ISACA, 2011).
[11] ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5 (ISACA, 2011).
