
Cobit 5 Checklist

1. Cobit Goals Cascade

1. Stakeholder Drivers Influence Stakeholder Needs;
2. Stakeholder Needs Cascade to Enterprise Goals;
3. Enterprise Goals Cascade to IT-related Goals;
4. IT-related Goals Cascade to Enabler Goals.

17 generic enterprise goals and 17 IT-related goals, distributed according to the four Balanced Scorecard dimensions (Financial, Customer, Internal, Learning/Growth).

2. Principles of Cobit

Cobit is based on 5 key principles for governance and management of enterprise Information Technology.

Principle 1 - Meeting Stakeholder Needs
Principle 2 - Covering the Enterprise End-to-End
Principle 3 - Applying a Single Integrated Framework
Principle 4 - Enabling a Holistic Approach
Principle 5 - Separating Governance from Management

3. Cobit Areas and Processes

Cobit splits the processes into governance and management “areas”. These two areas contain a total of 5 domains with 3-letter names, and a total of 37 processes organised as follows:

Governance of Enterprise IT
Evaluate, Direct and Monitor (EDM) – 5 processes

Management of Enterprise IT
Align, Plan and Organise (APO) – 13 processes
Build, Acquire and Implement (BAI) – 10 processes
Deliver, Service and Support (DSS) – 6 processes
Monitor, Evaluate and Assess (MEA) – 3 processes

Evaluate, Direct & Monitor (EDM)
• EDM1 Set and Maintain the Governance Framework
• EDM2 Ensure Value Optimisation
• EDM3 Ensure Risk Optimisation
• EDM4 Ensure Resource Optimisation
• EDM5 Ensure Stakeholder Transparency

Align, Plan & Organise (APO)
• APO1 Define the Management Framework for IT
• APO2 Manage Strategy
• APO3 Manage Enterprise Architecture
• APO4 Manage Innovation
• APO5 Manage Portfolio
• APO6 Manage Budget and Cost
• APO7 Manage Human Resources
• APO8 Manage Relationships
• APO9 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire & Implement (BAI)
• BAI1 Manage Programmes and Projects
• BAI2 Define Requirements
• BAI3 Identify and Build Solutions
• BAI4 Manage Availability and Capacity
• BAI5 Manage Organisational Change Enablement
• BAI6 Manage Changes
• BAI7 Manage Change Acceptance and Transitioning
• BAI8 Manage Knowledge
• BAI9 Manage Assets
• BAI10 Manage Configuration

Deliver, Service & Support (DSS)
• DSS1 Manage Operations
• DSS2 Manage Service Requests and Incidents
• DSS3 Manage Problems
• DSS4 Manage Continuity
• DSS5 Manage Security Services
• DSS6 Manage Business Process Controls

Monitor, Evaluate & Assess (MEA)
• MEA1 Monitor, Evaluate and Assess Performance and Conformance
• MEA2 Monitor, Evaluate and Assess the System of Internal Control
• MEA3 Monitor, Evaluate and Assess Compliance with External Requirements

Cobit is a registered trademark by ISACA (http://www.isaca.org/) - Copyright 2013 - Minimarisk® Gmbh/Sàrl – www.minimarisk.com – Tel +41 44 586 45 00
4. Cobit Seven Enterprise Enablers

1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management. Internal and external stakeholders.
2. Processes describe an organised set of practices and activities. Life cycle of a process; governance and management processes.
3. Organisational structures describe RACI and roles.
4. Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
5. Information: define its attributes: Physical (Carrier, Media); Empirical (User Interface); Syntactic (Language, Format); Semantic (Meaning; Type, Currency); Pragmatic (Use; includes Retention, Status, Contingency, Novelty); and Social (Context).
6. Services, infrastructure and applications. Includes: reuse, buy-vs-build, agility, simplicity and openness. Definition of Architecture Principles, Architecture Viewpoints, and Service Levels.
7. People, skills and competencies are linked to people. Define Role Skill Requirements, Skill Levels, Skill Categories and Skill Definitions.

5. Cobit Enabler dimensions

1. Stakeholders
2. Goals (Intrinsic quality [results, process according to best practices, information is actual and true]; contextual quality [fit for purpose, relevant, easy to apply, effectiveness]; Access and security)
3. Life cycle (Plan, Design, Build/Acquire/Create/Implement, Use/Operate, Evaluate/Monitor, Update/Dispose)
4. Good practices

6. Process Capability Model and Levels

The Capability Model is now based on ISO/IEC 15504 (SPICE).
• Level 0: Incomplete. The process is not implemented or fails to achieve its purpose;
• Level 1: Performed (Informal). The process is implemented and achieves its purpose;
• Level 2: Managed (Planned and monitored). The process is managed and results are specified, controlled and maintained;
• Level 3: Established (Well defined). A standard process is defined and used throughout the organization;
• Level 4: Predictable (Quantitatively managed). The process is executed consistently within defined limits;
• Level 5: Optimizing (Continuous improvement). The process is continuously improved to meet relevant current and projected business goals.

7. Process attributes

The capability of processes is measured using process attributes. The international standard defines nine process attributes:

1.1 Process Performance
2.1 Performance Management
2.2 Work Product Management
3.1 Process Definition
3.2 Process Deployment
4.1 Process Measurement
4.2 Process Control
5.1 Process Innovation
5.2 Process Optimization

Each process attribute is assessed on a four-point (N-P-L-F) rating scale:
• Not achieved (0 - 15%)
• Partially achieved (>15% - 50%)
• Largely achieved (>50% - 85%)
• Fully achieved (>85% - 100%)
COBIT 5 Foundation Exam Revision on a page!

Governance of Enterprise IT (GEIT)
Enterprise = organisation = commercial (corporate) OR public sector OR not for profit
Governance Objective: Value Creation from Benefits Realisation + Risk Optimisation + Resource Optimisation
Governance Scope = where governance applies: usually the enterprise, but can be just some assets
GOALS CASCADE: Stakeholder Needs -> Enterprise Goals -> IT-related Goals -> Enabler Goals

5 Principles of COBIT 5 (Memory aid: “Stakeholder FEES”)
1. Meeting stakeholder needs
2. Covering the Enterprise end-to-end
3. Single integrated Framework
4. Holistic approach of 7 enterprise Enablers
5. Separating governance from management

7 Enablers of COBIT 5 (i.e. Governance Enablers) (Memory aid: POP PICS)
1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviours
5. Information
6. Service infrastructure and applications
7. People skills and competencies

Generic Governance Enablers

Enabler Dimensions
Stakeholders: Internal & External
Goals = expected outcome of enabler: Intrinsic Quality (work well & provide results); Contextual Quality (Relevance, effectiveness); Accessibility & Security (of enablers + outcomes)
Life Cycle: Plan, Design, Build/Acquire/Create/Implement, Use/Operate, Evaluate/Monitor, Update/Dispose
Good Practices: Practices; Work Products (Inputs & Outputs)

Enabler Performance Management
Questions to be answered:
Outcomes (Lag indicators): Are stakeholders’ needs addressed? Are enabler goals achieved?
Functioning of enabler itself (Lead indicators): Is the enabler lifecycle managed? Are good practices applied?

Information Enabler (Enabler 5)
Intrinsic quality: Accuracy, Objectivity, Believability, Reputation
Information layers: Physical world (carrier/media), Empiric (User interface), Syntactic (code/language), Semantic (meaning), Pragmatic (use), Social world (e.g. contracts, law, culture)

COBIT 5 Processes
5 Domains = 37 processes
Governance: Evaluate, Direct & Monitor (EDM)
Management: Align, Plan & Organise (APO) – strategic; Build, Acquire & Implement (BAI) – tactical; Deliver, Service & Support (DSS) – operational; Monitor, Evaluate & Assess (MEA)
EDM(5) APO(13) BAI(10) DSS(6) MEA(3)

Memory aid: Management domains are in alphabetic order. E is the 5th letter in the alphabet and EDM has 5 processes. In alphabetic order, the Management domains' process counts decrease by 3 or 4 (13, 10, 6, 3).

COBIT 5 Process Capability Assessment Model (PAM)
Level – Process Attribute (PA):
0 Incomplete
1 Performed – PA1.1 Process Performance
2 Managed – PA2.1 Performance Management; PA2.2 Work Product Management
3 Established – PA3.1 Process Definition; PA3.2 Process Deployment
4 Predictable – PA4.1 Process Measurement; PA4.2 Process Control
5 Optimising – PA5.1 Process Innovation; PA5.2 Process Optimisation

COBIT 5 Implementation Lifecycle (Programme Management / Change Enablement / Continual Improvement Lifecycle)
Phase 1 – What are the drivers? Initiate programme / Establish desire to change / Recognise need to act
Phase 2 – Where are we now? Define problems & opportunities / Form implementation team / Assess current state
Phase 3 – Where do we want to be? Define road map / Communicate outcome / Define target state
Phase 4 – What needs to be done? Plan programme / Identify role players / Build improvements
Phase 5 – How do we get there? Execute plan / Operate and use / Implement improvements
Phase 6 – Did we get there? Realise benefits / Embed new approaches / Operate improvements
Phase 7 – How do we keep the momentum going? Review effectiveness / Sustain / Monitor and evaluate

© 2012-13 Maat Consulting Ltd www.maatconsulting.com
COBIT is a registered trade mark of ISACA and the IT Governance Institute (ITGI) V1.3 Feb 2013
This is not an official COBIT publication and is not endorsed, sponsored, or otherwise affiliated with ISACA or ITGI.
COBIT 5 Foundation Overview (poster, Service Management Art Inc.)

Processes for Governance of Enterprise IT (Process Reference Model, PRM)

Evaluate, Direct and Monitor (Governance): Ensure Governance Framework Setting and Maintenance; Ensure Benefits Delivery; Ensure Risk Optimisation; Ensure Resource Optimisation; Ensure Stakeholder Transparency.

Align, Plan and Organise (Management): Manage the IT Management Framework; Manage Strategy; Manage Enterprise Architecture; Manage Innovation; Manage Portfolio; Manage Budget and Costs; Manage Human Resources; Manage Relationships; Manage Service Agreements; Manage Suppliers; Manage Quality; Manage Risk; Manage Security.

Build, Acquire and Implement: Manage Programmes and Projects; Manage Requirements Definition; Manage Solutions Identification and Build; Manage Availability and Capacity; Manage Organisational Change Enablement; Manage Changes; Manage Change Acceptance and Transitioning; Manage Knowledge; Manage Assets; Manage Configuration.

Deliver, Service and Support: Manage Operations; Manage Service Requests and Incidents; Manage Problems; Manage Continuity; Manage Security Services; Manage Business Process Controls.

Monitor, Evaluate and Assess: Monitor, Evaluate and Assess Performance and Conformance; Monitor, Evaluate and Assess the System of Internal Control; Monitor, Evaluate and Assess Compliance with External Requirements.

Process Assessment Model (PAM)

Process Dimension: the processes of the PRM above.
Capability Dimension (Level 1 to 5), with Process Attributes and Process Capability Attribute Indicators (PCAIs):
Level 0 (Incomplete)
Level 1 – PA1.1 Process performance; Process Performance Indicators: BP – Base practices (Level 1), WP – Work products (Level 1)
Level 2 – PA2.1 Performance management; PA2.2 Work product management
Level 3 – PA3.1 Process definition; PA3.2 Process deployment
Level 4 – PA4.1 Process measurement; PA4.2 Process control
Level 5 – PA5.1 Process innovation; PA5.2 Continuous optimisation
COBIT 5 PCAIs for Levels 2 to 5: GP – Generic Practice (Levels 2 to 5 only); GR – Generic Resource (Not defined); GWP – Generic Work Product (Levels 2 to 5 only).

Value Creation and the Goals Cascade

Stakeholder Drivers (Environment, Technology Evolution, ...) influence Stakeholder Needs.
Governance Objective: Value Creation = Benefits Realisation, Risk Optimisation, Resource Optimisation (with Governance Enablers and Governance Scope).
Stakeholder Needs cascade to Enterprise Goals, which cascade to IT-related Goals, which cascade to Enabler Goals.

COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management

Governance and Management Key Areas
Business Needs feed Governance (Evaluate, Direct, Monitor), which directs Management (Plan, Build, Run, Monitor); management feedback returns to governance.

Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; monitoring performance, compliance and progress against agreed direction and objectives.

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Roles, activities and relationships: Owners and Stakeholders delegate to the Governing Body, which is accountable to them; the Governing Body sets direction for Management and monitors it; Management instructs and aligns Operations and Execution, which report back.

Enablers

Generic Enabler Dimensions:
• Stakeholders: Internal; External
• Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
• Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
• Good Practices: Practices; Work Products (Inputs/Outputs)

Enabler Performance Management: Are Stakeholder Needs Addressed? Are Enabler Goals Achieved? (Metrics for Achievement of Goals – Lag Indicators). Is the Life Cycle Managed? Are Good Practices Applied? (Metrics for Application of Practice – Lead Indicators).

The seven enablers (Principles, Policies and Frameworks; Processes; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; People, Skills and Competencies; the last three are also Resources):

A process describes an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.

Organizational structures are the key decision-making entities in an enterprise.

Culture, ethics and behaviour of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.

Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.

Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself. Contextual goals for information quality include: Relevancy, Completeness, Appropriateness, Conciseness, Consistency, Understandability, Ease of Manipulation.

Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processes and services.

People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

COBIT 5 Implementation Life Cycle (three rings)
Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness.
Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain.
Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate.

COBIT 5 Product Family
COBIT 5 (the framework)
COBIT 5 Enabler Guides: COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Enabler Guides
COBIT 5 Professional Guides: COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides
COBIT 5 Online Collaborative Environment
Knowledge base: current guidance and contents; structure for future contents; the enablers provide the structure and the content filter for the knowledge base.

© Copyright 2014 by Service Management Art Inc. All rights reserved.
These materials include COBIT 5 & 4.1, which is used with the permission of ISACA. ©1996-2012 ITGI.
COBIT is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
NOT FOR RESALE, Version 2.3

For more information:
Call: Toll Free 1 866 616 4195
Email: Info@ServiceManagementArt.com
proven experience • proven tactics • proven success
COBIT 5 Goals Cascade (mapping poster)

Enterprise Goals (17, by Balanced Scorecard dimension)
Financial:
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
Customer:
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimization of service delivery costs
Internal:
11. Optimization of business process functionality
12. Optimization of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies
Learning and Growth:
16. Skilled and motivated people
17. Product and business innovation culture

Cascade to

IT-related Goals (17, by Balanced Scorecard dimension)
Financial:
01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realized benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk
Customer:
07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions
Internal:
09 IT agility
10 Security of information, processing infrastructure and applications
11 Optimization of IT assets, resources and capabilities
12 Enablement and support of business processes by integrating applications and technology into business processes
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14 Availability of reliable and useful information for decision making
15 IT compliance with internal policies
Learning and Growth:
16 Competent and motivated business and IT personnel
17 Knowledge, expertise and initiatives for business innovation

Cascade to

COBIT 5 Processes (Process Goals)
Evaluate, Direct and Monitor:
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency
Align, Plan and Organize:
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budgets and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security
Build, Acquire and Implement:
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration
Deliver, Service and Support:
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess:
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

Relationship key: P = Primary relationship, S = Secondary relationship.

[Mapping matrix (IT-related goals 01-17 against enterprise goals 1-17 and the 37 processes, each cell P, S or blank): the P/S values survive in the extracted text but their column alignment does not, so the matrix is not reproduced here.]
Good e-Learning Resources :: www.goodelearning.com/downloads

COBIT® Poster Series #1

Transforming Stakeholder Needs into Actions
by Gregor Polančič

The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.

Stakeholder Drivers
A stakeholder is anyone who has a responsibility for, an expectation from or some other interest in an enterprise.
Stakeholder needs are influenced by a number of drivers, e.g., organizational changes, business changes and technology changes.

Stakeholder Needs (drivers influence stakeholder needs)
Stakeholder needs drive value creation. Value creation means realizing benefits at an optimal resource cost while optimizing risk.
COBIT 5 defines 22 common internal stakeholder needs. Example: “How do I best build and structure my IT department?”
Common internal stakeholder needs and enterprise goals are interrelated.

Enterprise Goals (stakeholder needs cascade to enterprise goals, which realize them)
COBIT 5 defines 17 generic enterprise goals. Example: “Stakeholder value of business investments.”
COBIT 5 defines all goals according to Balanced Scorecard (BSC) dimensions.
Enterprise goals and IT-related goals are interrelated.

IT-related Goals (enterprise goals cascade to IT-related goals, which realize them)
COBIT 5 defines 17 information and related technology (i.e. IT-related) goals. Example: “Transparency of IT costs, benefits and risk.”
Achieving IT-related goals requires the successful application and use of a number of enablers.

Enabler Goals (IT-related goals cascade to enabler goals, which realize them)
Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. Enablers include processes, information, organizational structures, policies, culture, people, services, infrastructure, and applications.
For each enabler a set of specific goals can be defined in support of the IT-related goals.
COBIT 5 contains a mapping between IT-related goals and the relevant COBIT 5 processes, which then contain related process goals.

www.goodelearning.com

© Good e-Learning 2015. COBIT® is a Registered Trademark of ISACA
COBIT5® Poster Series #2

What drives IT Governance
by Gregor Polančič and Boris Ovčjak

Governance, as defined in the scope of COBIT 5, is driven by enablers. Enablers are factors that individually and collectively influence whether something will work. In the case of COBIT 5 this refers to governance and management over enterprise IT. The COBIT 5 Framework describes seven categories of enablers that are listed below. Some of the enablers are also enterprise resources that need to be managed and governed as well.

GOALS CASCADE
Enablers are driven by the goals cascade, that is, high-level IT-related goals that define what the different enablers should achieve. These enterprise goals for IT are used to formalise and structure the stakeholder needs. Enterprise goals can be linked to IT-related goals, and these can be achieved through the optimal use and execution of all enablers.

To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers. That is, each enabler:
• Needs the input of other enablers to be fully effective
• Delivers output to the benefit of other enablers

ENABLERS

1 PRINCIPLES, POLICIES AND FRAMEWORKS
Translate desired behaviour into practical guidance for day-to-day management.

2 PROCESSES
Describe an organised set of practices and activities to achieve certain objectives. Produce a set of outputs in support of achieving overall IT-related goals.

3 ORGANISATIONAL STRUCTURES
Key decision-making entities in an enterprise.

4 CULTURE, ETHICS AND BEHAVIOUR
Often underestimated as a success factor in governance and management activities.

RESOURCES

5 INFORMATION
• Pervasive throughout any organisation.
• Includes all information produced and used by the enterprise.
• Required for keeping the organisation running and well governed.
• Key product of the enterprise.

6 SERVICES, INFRASTRUCTURE AND APPLICATIONS
Infrastructure, technology and applications provide the enterprise with information technology processing and services.

7 PEOPLE, SKILLS AND COMPETENCIES
Linked to people and required for:
• Successful completion of all activities
• Making correct decisions
• Taking corrective actions

ENABLERS DIRECTLY INFLUENCE GOVERNANCE AND MANAGEMENT OVER ENTERPRISE IT.
COBIT5® Poster Series #3

Can We Separate Governance From Management?
by Gregor Polančič and Boris Ovčjak

In the scope of COBIT 5 there is a clear distinction between governance and management. Although they comprise different types of activities with different responsibilities, a set of interactions is required between governance and management to result in an efficient and effective governance system. To achieve that, COBIT 5 also advocates that enterprises implement governance and management processes such that key areas are covered.

GOVERNANCE: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

MANAGEMENT: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

GOVERNANCE-MANAGEMENT INTERACTION IS REQUIRED.

ENABLER / GOVERNANCE-MANAGEMENT INTERACTION

PROCESS: There exists a distinction between governance and management processes, including specific sets of practices and activities for each. The process model also includes RACI charts, describing the responsibilities of different organisational structures and roles within the enterprise.

INFORMATION: Information used for evaluating, directing and monitoring enterprise IT is exchanged between governance and management as described in the process model inputs and outputs.

ORGANISATIONAL STRUCTURES: In the scope of organisational structures the interaction takes place between the decisions taken by the governance structures and the decisions and operations implementing the former.

PRINCIPLES, POLICIES AND FRAMEWORKS: Principles, policies and frameworks are the vehicle by which governance decisions are institutionalised within the enterprise, and for that reason are an interaction between governance decisions and management.

CULTURE, ETHICS AND BEHAVIOUR: Behaviour is a key enabler of good governance and management of the enterprise.

PEOPLE, SKILLS AND COMPETENCIES: Governance and management activities require different skill sets, but an essential skill for both governance body members and management is to understand both tasks and how they are different.

SERVICES, INFRASTRUCTURE AND APPLICATIONS: Services are required, supported by applications and infrastructure, to provide the governance body with adequate information and to support governance activities of evaluating, setting direction and monitoring.

PROCESS REFERENCE MODEL WITHIN GOVERNANCE AND MANAGEMENT KEY AREAS

BUSINESS NEEDS

GOVERNANCE (Evaluate – Direct – Monitor):
Ensure Governance Framework Setting and Maintenance
Ensure Benefits Delivery
Ensure Risk Optimisation
Ensure Resource Optimisation
Ensure Stakeholder Transparency

MANAGEMENT (with feedback to governance):

ALIGN, PLAN AND ORGANISE:
Manage the IT Management Framework; Manage Strategy; Manage Enterprise Architecture; Manage Innovation; Manage Portfolio; Manage Budget and Costs; Manage Human Resources; Manage Relationships; Manage Service Agreements; Manage Suppliers; Manage Quality; Manage Risk; Manage Security

BUILD, ACQUIRE AND IMPLEMENT:
Manage Programmes and Projects; Manage Requirements Definition; Manage Solutions Identification and Build; Manage Availability and Capacity; Manage Organisational Change Enablement; Manage Changes; Manage Change Acceptance and Transitioning; Manage Knowledge; Manage Assets; Manage Configuration

DELIVER, SERVICE AND SUPPORT:
Manage Operations; Manage Service Requests and Incidents; Manage Problems; Manage Continuity; Manage Security Services; Manage Business Process Controls

MONITOR, EVALUATE AND ASSESS:
Monitor, Evaluate and Assess Performance and Conformance; Monitor, Evaluate and Assess the System of Internal Control; Monitor, Evaluate and Assess Compliance With External Requirements
ISACA COBIT® 5 - Glossary (EN)
63 terms by miroslawdabrowski


accountable party (RACI) The individual, group or entity that is


ultimately responsible for a subject
matter, process or scope

In a RACI chart, answers the question:


Who accounts for the success of the
task?

accountability of governance Governance ensures that enterprise


objectives are achieved by evaluating
stakeholder needs, conditions and
options; setting direction through
prioritisation and decision making; and
monitoring performance, compliance
and progress against plans. In most
enterprises, governance is the
responsibility of the board of directors,
under the leadership of the
chairperson.
activity: In COBIT, the main action taken to operate the process. Guidance to achieve management practices for successful governance and management of enterprise IT. Activities:
- Describe a set of necessary and sufficient action-oriented implementation steps to achieve a governance practice or management practice
- Consider the inputs and outputs of the process
- Are based on generally accepted standards and good practices
- Support establishment of clear roles and responsibilities
- Are non-prescriptive and need to be adapted and developed into specific procedures appropriate for the enterprise

alignment: A state where the enablers of governance and management of enterprise IT support the goals and strategies of the enterprise.

application architecture: Description of the logical grouping of capabilities that manage the objects necessary to process information and support the enterprise's objectives.

architecture board: A group of stakeholders and experts who are accountable for guidance on enterprise architecture related matters and decisions, and for setting architectural policies and standards.

authentication: The act of verifying the identity of a user and the user's eligibility to access computerised information.
Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

baseline architecture: The existing description of the fundamental underlying design of the components of the business system before entering a cycle of architecture review and redesign.

benefits realisation: One of the objectives of governance. The bringing about of new benefits for the enterprise, the maintenance and extension of existing forms of benefits, and the elimination of those initiatives and assets that are not creating sufficient value.

business continuity: Preventing, mitigating and recovering from disruption. The terms 'business resumption planning', 'disaster recovery planning' and 'contingency planning' also may be used in this context; they focus on recovery aspects of continuity, and for that reason the 'resilience' aspect should also be taken into account.

business goal: The translation of the enterprise's mission from a statement of intention into performance targets and results.

business process control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that a business process will achieve its objectives.

chargeback: The redistribution of expenditures to the units within a company that gave rise to them.
Scope Note: Chargeback is important because without such a policy, misleading views may be given as to the real profitability of a product or service, as certain key expenditures will be ignored or calculated according to an arbitrary formula.

COBIT:
1. COBIT 5: Formerly known as Control Objectives for Information and related Technology (COBIT); now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business goals and related IT goals. COBIT describes five principles and seven enablers that support enterprises in the development, implementation, and continuous improvement and monitoring of good IT-related governance and management practices.
Scope Note: Earlier versions of COBIT focused on control objectives related to IT processes, management and control of IT processes and IT governance aspects.
Adoption and use of the COBIT framework are supported by guidance from a growing family of supporting products. (See www.isaca.org/cobit for more information.)
2. COBIT 4.1 and earlier: Formerly known as Control Objectives for Information and related Technology (COBIT). A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics) and maturity

code of ethics: A document designed to influence individual and organisational behaviour of employees by defining organisational values and the rules to be applied in certain situations. It is adopted to assist those in the enterprise called upon to make decisions understand the difference between 'right' and 'wrong' and to apply this understanding to their decisions.

competence: The ability to perform a specific task, action or function successfully.

consulted party (RACI): Refers to those people whose opinions are sought on an activity (two-way communication).
In a RACI chart, answers the question: Who is providing input?
Key roles that provide input. Note that it is up to the accountable and responsible roles to obtain information from other units or external partners, too; however, inputs from the roles listed are to be considered and, if required, appropriate action has to be taken for escalation, including the information of the process owner and/or the steering committee.

context: The overall set of internal and external factors that might influence or determine how an enterprise, entity, process or individual acts.
Scope Note: Context includes:
- Technology context: Technological factors that affect the organisation's ability to extract value from data
- Data context: Data accuracy, availability, currency and quality
- Skills and knowledge: General experience, and analytical, technical and business skills
- Organisation and cultural context: Political factors, and whether the organisation prefers data to intuition
- Strategic context: Strategic objectives of the enterprise

control: The means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be of an administrative, technical, management or legal nature. Also used as a synonym for safeguard or countermeasure.

culture: A pattern of behaviours, beliefs, assumptions, attitudes and ways of doing things.

driver: External and internal factors that initiate and affect how an enterprise or individuals act or change.

enterprise goal: See business goal.

enterprise governance: A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly. It could also mean a governance view focussing on the overall enterprise; the highest-level view of governance to which all others must align.

full economic life cycle: A period of time during which material business benefits are expected to arise from, and/or during which material expenditures (including investments, running and retirement costs) are expected to be incurred by, an investment programme.

good practice: A proven activity or process that has been successfully used by multiple enterprises and has been shown to produce reliable results.

governance: The framework, principles and policies, structures, processes and practices, information, skills, culture, ethics, and behaviour to set direction and monitor compliance and performance of the enterprise aligned with the overall purpose and defined objectives. Governance defines accountability, responsibility and decision making (among other elements).
governance/management practice: For each COBIT process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are statements of actions from governance bodies and management.

governance enabler: Something (tangible or intangible) that assists in the realization of effective governance.

governance framework: A framework is a basic conceptual structure used to solve or address complex issues; an enabler of governance; a set of concepts, assumptions and practices that define how something can be approached or understood, the relationships amongst the entities involved, the roles of those involved, and the boundaries (what is and is not included in the governance system).
Examples: COBIT and COSO's Internal Control - Integrated Framework

governance of enterprise IT: An asset that, like other important business assets, is essential to an enterprise's business. It can exist in many forms: printed or written on paper, stored electronically, transmitted by post or electronically, shown on films, or spoken in conversation.

information: An asset that, like other important business assets, is essential to an enterprise's business. It can exist in many forms: printed or written on paper, stored electronically, transmitted by post or electronically, shown on films, or spoken in conversation.

informed party (RACI): Refers to those people who are kept up to date on the progress of an activity (one-way communication).
In a RACI chart, answers the question: Who is receiving information?
Roles who are informed of the achievements and/or deliverables of the task. The role in 'accountable', of course, should always receive appropriate information to oversee the task, as do the responsible roles for their area of interest.

inputs and outputs: The process work products/artefacts considered necessary to support operation of the process.
They enable key decisions, provide a record and audit trail of process activities, and enable follow-up in the event of an incident. They are defined at the key management practice level, may include some work products used only within the process and are often essential inputs to other processes. The illustrative COBIT 5 inputs and outputs should not be regarded as an exhaustive list since additional information flows could be defined depending on a particular enterprise's environment and process framework.

investment portfolio: The collection of investments being considered and/or being made.

IT application: Electronic functionality that constitutes parts of business processes undertaken by, or with the assistance of, IT.

IT goal: A statement describing a desired outcome of enterprise IT in support of enterprise goals. An outcome can be an artefact, a significant change of a state or a significant capability improvement.

IT service: The day-to-day provision to customers of IT infrastructure and applications and support for their use. Examples include service desk, equipment supply and moves, and security authorisations.

management: Entails the judicious use of means (resources, people, processes, practices, etc.) to achieve an identified end. It is a means or instrument by which the governance body achieves a result or objective. Management is responsible for execution within the direction set by the governance body. Management is about planning, building, organising and controlling operational activities to align with the direction set by the governance body, and reporting back on these activities.

model: A way to describe a given set of components and how those components relate to each other to describe the main workings of an object, system, or concept.

objective: Statement of a desired outcome.

organisational structure: An enabler of governance and of management. Includes the enterprise and its structures, hierarchies and dependencies.
Example: Steering committee

output: See inputs and outputs.

owner: Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset, e.g., process owner, system owner.

policy: Overall intention and direction as formally expressed by management.

principle: An enabler of governance and of management. Comprises the values and fundamental assumptions held by the enterprise, the beliefs that guide and put boundaries around the enterprise's decision making, communication within and outside the enterprise, and stewardship - caring for assets owned by another.
Example: Ethics charter, social responsibility charter

process: Generally, a collection of practices influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services).
Scope Note: Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance.

process (capability) attribute: ISO/IEC 15504: A measurable characteristic of process capability applicable to any process.

process capability: ISO/IEC 15504: A characterization of the ability of a process to meet current or projected business goals.

process goal: A statement describing the desired outcome of a process. An outcome can be an artefact, a significant change of a state or a significant capability improvement of other processes.

programme and project management office (PMO): The function responsible for supporting programme and project managers, and gathering, assessing and reporting information about the conduct of their programmes and constituent projects.

quality: Being fit for purpose (achieving intended value).

RACI chart: Illustrates who is responsible, accountable, consulted and informed within an organisational framework.

resource: Any enterprise asset that can help the organisation achieve its objectives.

resource optimisation: One of the governance objectives. Involves effective, efficient and responsible use of all resources - human, financial, equipment, facilities, etc.

responsible party (RACI): Refers to the person who must ensure that activities are completed successfully.
In a RACI chart, answers the question: Who is getting the task done?
Roles taking the main operational stake in fulfilling the activity listed and creating the intended outcome.

risk: The combination of the probability of an event and its consequence (ISO/IEC 73).

risk management: One of the governance objectives. Entails recognising risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite.

service catalogue: Structured information on all IT services available to customers.

services: See IT service.

skill: The learned capacity to achieve predetermined results.

stakeholder: Anyone who has a responsibility for, an expectation from or some other interest in the enterprise - e.g., shareholders, users, government, suppliers, customers and the public.

system of internal control: The policies, standards, plans and procedures, and organisational structures designed to provide reasonable assurance that enterprise objectives will be achieved and undesired events will be prevented or detected and corrected.

value creation: The main governance objective of an enterprise, achieved when the three underlying objectives (benefits realisation, risk optimisation and resource optimisation) are all balanced.