COBIT FOCUS
Strategy is a plan for achieving a set objective. COBIT 2019 helps practitioners apply
standard information and technology (I&T) controls to an enterprise governance
strategy. Mapping control objectives from the International Organization for
Standardization (ISO)/International Electrotechnical Commission (IEC) standard
ISO/IEC 27001:2013 Information Security Management through COBIT 5 to the
COBIT 2019 framework is a useful exercise for developing such a strategy.
Mapping the relationships among ISO/IEC 27001:2013, ISO/IEC 38500:2015 Information
Technology—Governance of IT for the Organization, COBIT 5 and COBIT 2019
gives practitioners performance data values, insights and results that support
strategic management consultations and decisions. Many of these relationships
have been explored in past COBIT Focus articles.1, 2 The balanced scorecard
(BSC)3, 4, 5 has also been applied to these values to express performance
measurement for enterprise governance of I&T (EGIT).
What Is Driving the Need for This Mapping Exercise?
The question “What can enterprise I&T deliver?” should be rephrased to ask “How
can enterprise I&T be used to add value?” Changing the question helps practitioners
focus on the business value of enterprise I&T, enterprise I&T cost-optimization
practices, investment prioritization, I&T project finance and sourcing options for
resources, project benefit realization, and innovation accounting.
The objectives driving the need for the mapping exercise discussed herein include:
• To meet the need for knowledge innovation, effective deployment and overall
governance and management of enterprise I&T through EGIT
Optimal and innovative integration of enterprise I&T can lead to digital disruption
and so drive society, industry and business forward. However, there have not been
any true technology disruptions in the recent past, although there has been a great
deal of technology-based innovation in related businesses.
The 5 main goals of enterprise I&T governance are all driven by stakeholder value, as
outlined in COBIT 2019.9 Two of these drivers are outcomes: value delivery and risk
management. The other 3 are focus areas:
1. Strategic alignment
2. Performance management
The focus areas are internally driven, because EGIT and business strategy evolve
reciprocally in a continuous life cycle.10 EGIT is nonetheless distinct from enterprise
I&T management: governance determines who makes the decisions, while management
is responsible for directing and implementing those decisions.11
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
Governance objectives are grouped under the Evaluate, Direct and Monitor (EDM)
domain. In this domain, the governing body evaluates strategic options, directs senior
management on the chosen options and monitors achievement of the strategy, as
mentioned previously in the 3 essential tasks. EDM encompasses the goals cascade
and the determination of stakeholder drivers and needs.15
Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018
The essence of the goals cascade remains that of aligning I&T strategy to enterprise
strategy for both COBIT 5 and COBIT 2019.
It is worth noting that the goals cascade in COBIT 5, as it relates to governance and
strategy, translates stakeholder needs into specific actionable and customized
enterprise goals, I&T-related goals and enabler goals,18 while in COBIT 2019, the
goals cascade supports prioritization of management objectives based on
prioritization of enterprise goals.
There are 13 enterprise goals and 13 alignment goals in COBIT 2019. COBIT 2019
has no separate IT-related goals; the IT-related goals of COBIT 5 are replaced by the
alignment goals. Both enterprise goals and alignment goals have been updated and
simplified.
COBIT 2019 Framework in Digital Disruption and Privacy Concerns
The COBIT 2019 framework helps practitioners refine business and enterprise I&T
skills to discern the true essentials of the business and provide technology solutions
to fulfil those needs.
Instituting controls enables the enterprise to derive results that optimize I&T
investment and create value for the benefit of stakeholders through an on-the-
ground assessment using a BSC approach. The results also bring to the fore IT
governance pain points to be addressed. The data values of COBIT 4.1 control
objectives (using input data from ISO/IEC 27001:2013), mapped to COBIT 5
governance and management practices, show how each IT-related goal is supported
by a COBIT 5 IT-related process.26 This mapping is expressed using the following
primary (P) and secondary (S) relationships:
• The value “P” indicates there is an important relationship, i.e., the COBIT 5
process is a primary support for the achievement of an IT-related goal.
• The value “S” indicates there is still a strong, but less important, relationship, i.e.,
the COBIT 5 process is a secondary support for the IT-related goal.27
The COBIT 5 results shown in figure 3 indicate that the framework does not
sufficiently account for the importance of project management principles in relation
to EGIT. Its strengths center on management, through a heavier reliance on the
Build, Acquire and Implement (BAI) and Monitor, Evaluate and Assess (MEA)
domains. COBIT 2019 has addressed these shortcomings and made the framework
easier to adapt and adopt as an umbrella framework for EGIT.
• The value “P” indicates there is an important relationship (i.e., the COBIT 2019
Objective is a primary support for the achievement of an Alignment goal).
• The value “S” indicates there is still a strong, but less important, relationship (i.e.,
the COBIT 2019 governance and management objective is a secondary support
for the Alignment goal).29
The assessment results can be drilled down to the input values: a backward review
of the mapping values identifies the root cause of low scores in a set of mapped
ISO/IEC 27001 control objectives and questions, and this forms the basis for
developing an action plan as needed by the organization.30
Assumptions and Observations Related to the Primary Values
The updates highlighted in yellow (P and S) are as follows for figure 4:
With this in mind, AG09 should have a primary support for EDM02 Ensured benefits
delivery and DSS06 Managed business process controls as these are important
relationships with program management functions, while AG09 should have a
secondary relationship with BAI06 Managed IT changes as it relates to EGIT.
Figure 4—Results Showing Mapped Data Values to COBIT 2019 Governance and Management Objectives
Source: ISACA, COBIT 5, USA, 2012
These were not present in COBIT 5, which affected the COBIT 5 results in figure 2.
With the introduction of these 3 objectives in the COBIT 2019 results shown in
figures 4 and 5, there are no 0-score values in the figure 4 results, whereas the
figure 2 results contain two (EDM05 and APO08). The BSC tables in figure 5 show
a higher score for EDM as a result of the introduction of these objectives. This
outcome reflects the fact that the COBIT 2019 core of EGIT is centered on
governance; employed as a strategic framework, COBIT 2019 helps organizations
make a difference once it is adopted and adapted to the organization’s culture.
Figure 6—Results Showing Mapped Data Values of COBIT 2019 Results from Alignment Goals to Enterprise Goals
Source: ISACA, COBIT 5, USA, 2012
The observations and updates highlighted in yellow (P and S) are introduced based
on the need to cascade down the derived values from figure 4 and are used in figure
6 to define the mapping that will produce a BSC in figures 7 and 8.
The updates to the mapping table from enterprise goals to alignment goals are as
follows. AG08 and EG06 should have a secondary relationship, supporting business
continuity management for the enterprise. AG09 and EG06, for business and I&T
program management, address enhancing and supporting business continuity
management as a primary function and should therefore have a primary relationship
with each other in EGIT.
AG09 and EG09 reflect a key relationship and should be primary, based on the rules
for program management as expressed under EGIT. This relationship should be
changed from secondary to primary, as noted previously.
For an enterprise to achieve the goals set out in AG12 and EG08, there should be a
secondary relationship to sustain the activities of an EGIT framework.
EG08 and EG09 should have a primary relationship with AG13. Staff relationships
are strategic in initiating and formulating innovative products with knowledge based
on such relationships, as stated in AG13. The P values of AG13 are derived from the
COBIT 2019 management objectives APO04, APO07, APO08 and BAI08, all of which
relate to the learning and growth BSC perspective and are managed in the
organization through the human resources (HR) function.
Figure 7—Effect of Not Having a P Value for AG13 and EG08 From a BSC Perspective
The mapping exercise takes into consideration a primary relationship between EG08
and AG13. The assumption is that EG08 should have a primary relationship that is
achieved through the knowledge gained under AG13. If the P supporting value for
AG13 and EG08 is not achieved, the score becomes 0, and this result tilts the Internal
Perspective score to 64% (figure 7) instead of 85% (figure 8). Note that EG08 sits
under the Internal Perspective of the BSC, while AG13 sits under the Learning and
Growth Perspective.
Figure 8—Results Showing Mapped COBIT 2019 Data Values to Achieve Alignment Goals and Enterprise Goals on BSC Perspective
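To make the backward drill-down and the figure 7 effect concrete, the following Python script is an added illustration; it is not ISACA's tooling nor the author's spreadsheet, and its numbers are not the article's 64% and 85%. It assumes a weighting the article never states (a P link counts 1.0, an S link 0.5, and a goal's score is the weighted mean of what supports it), uses constructed 0–100 scores standing in for ISO/IEC 27001 assessment results on the objectives the article names for AG09 and AG13, and assumes the BSC perspectives of EG06 and EG09 (the article itself places only EG08 under Internal). What it demonstrates is the mechanism: dropping the P link between AG13 and EG08 zeroes EG08 and drags the Internal Perspective down, and a backward trace from the low enterprise goal lands on the weakest input objective.

```python
"""Illustrative COBIT 2019 goals-cascade scorer (added example, not ISACA's).

Assumptions not stated in the article: P links weigh 1.0 and S links 0.5;
a goal's score is the P/S-weighted mean of the scores of what supports it;
a goal with no scored support scores 0, as the article says of EG08 in figure 7.
"""
from collections import defaultdict

P, S = 1.0, 0.5  # assumed weights for primary and secondary relationships

# Constructed input (not from the article): an assessed 0-100 score per
# COBIT 2019 objective, standing in for ISO/IEC 27001 control-objective results.
OBJECTIVE_SCORES = {
    "EDM02": 80, "DSS06": 60, "BAI06": 90,               # supports of AG09
    "APO04": 70, "APO07": 50, "APO08": 90, "BAI08": 70,  # supports of AG13
}

# Objective -> alignment goal support, as the article adjusts it.
OBJ_TO_AG = {
    "AG09": {"EDM02": P, "DSS06": P, "BAI06": S},
    "AG13": {"APO04": P, "APO07": P, "APO08": P, "BAI08": P},
}

# Alignment goal -> enterprise goal support, as the article adjusts it
# (only links whose alignment goals are scored above are kept).
AG_TO_EG = {
    "EG06": {"AG09": P},
    "EG09": {"AG09": P},
    "EG08": {"AG13": P},
}

# BSC perspective per enterprise goal. EG08 under Internal is the article's;
# EG06 under Customer and EG09 under Internal follow COBIT 2019's layout and
# are assumptions as far as this article is concerned.
PERSPECTIVE = {"EG06": "Customer", "EG08": "Internal", "EG09": "Internal"}


def cascade(lower_scores, mapping):
    """Score each upper-level goal as the P/S-weighted mean of its supports."""
    scores = {}
    for goal, supports in mapping.items():
        num = den = 0.0
        for item, weight in supports.items():
            if item in lower_scores:
                num += weight * lower_scores[item]
                den += weight
        scores[goal] = num / den if den else 0.0
    return scores


def bsc_perspectives(eg_scores):
    """Average enterprise-goal scores within each BSC perspective."""
    buckets = defaultdict(list)
    for goal, score in eg_scores.items():
        buckets[PERSPECTIVE[goal]].append(score)
    return {p: sum(v) / len(v) for p, v in buckets.items()}


def run_cascade(obj_scores, obj_to_ag, ag_to_eg):
    """Objectives -> alignment goals -> enterprise goals -> BSC perspectives."""
    ag = cascade(obj_scores, obj_to_ag)
    eg = cascade(ag, ag_to_eg)
    return ag, eg, bsc_perspectives(eg)


def without_link(mapping, goal, item):
    """Copy of a mapping with one support relationship removed."""
    copy = {g: dict(s) for g, s in mapping.items()}
    copy.get(goal, {}).pop(item, None)
    return copy


def root_cause(eg_goal, obj_scores, obj_to_ag, ag_to_eg):
    """Backward review: walk from an enterprise goal down to the objectives
    behind it and return the lowest-scoring one, the first action-plan item."""
    contributing = {}
    for ag in ag_to_eg.get(eg_goal, {}):
        for obj in obj_to_ag.get(ag, {}):
            if obj in obj_scores:
                contributing[obj] = obj_scores[obj]
    return min(contributing, key=contributing.get) if contributing else None


if __name__ == "__main__":
    ag, eg, bsc = run_cascade(OBJECTIVE_SCORES, OBJ_TO_AG, AG_TO_EG)
    print("with the AG13->EG08 P link:   ", bsc)
    _, eg2, bsc2 = run_cascade(OBJECTIVE_SCORES, OBJ_TO_AG,
                               without_link(AG_TO_EG, "EG08", "AG13"))
    print("without it:                   ", bsc2)
    print("weakest input behind EG08:    ",
          root_cause("EG08", OBJECTIVE_SCORES, OBJ_TO_AG, AG_TO_EG))
```

Run as a script, it prints the Internal Perspective with and without the AG13 to EG08 link and names APO07, the lowest constructed input behind EG08, which is where a backward review of this data would start the action plan. Swap in the enterprise's own P/S tables and assessment scores to reproduce the exercise on real data; the weights are the first thing to agree on with the governing body, since they decide how far a single missing primary link moves a perspective.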
The assumptions made for using the primary values related to the COBIT 2019
governance and management objectives and alignment goals are based on
information from COBIT 2019:
• The COBIT 2019 objectives are a primary support for the achievement of an
Alignment goal.
With this understanding from the BSC perspective and a focus on the primary
supporting values, practitioners can determine where the enterprise and its industry
face a significant risk of disruption to revenue or customer experience. Based on
this information, building skills and related capabilities can begin in these areas as
pointers within the enterprise I&T organization. The P values of AG13 are derived
from the combined scores of the COBIT 2019 core management objectives APO04,
APO07, APO08 and BAI08.
Many practitioners would agree that many business roles now require I&T skills and
most I&T roles require non-technical skills, from understanding human behavior
(e.g., psychology, social sciences) to design thinking, agile teamwork and even
interaction between humans and AI/machine learning (ML). These skills help I&T
innovate for the future. The way to address this is to use an EGIT framework (COBIT
2019) and its mappings to investigate where the enterprise and its industry face a
significant risk of disruption to revenue or customer experience, then start building
skills and related capabilities in these areas within the enterprise I&T organization.
It also helps to revisit the enterprise’s digital business transformation road map.
Stakeholders must also assess the reality of the speed and effectiveness of the
current road map against the ambition of corporate leaders. If there are gaps that
will inhibit progress, HR and the C-level should be involved in planning a digital
agility program to develop the workforce of the future. Digitally agile businesses
transcend the legacy boundaries of technology knowledge, skills and ideas. As one
author notes, “Disruption requires creating a new basis (in a competition), usually
parallel to any existing paradigm”.35
Conclusion
COBIT 2019 has addressed these shortcomings (i.e., adopting a governance
framework, facing the risk of disruption to revenue, lack of road maps) and has
made the framework easier to adapt and adopt for the enterprise as an umbrella
framework for EGIT. COBIT 2019 helps build relationships (strategic team bonding);
identify external strategic opportunities with executive sponsors; and, for the
practitioner, manage people, data and technology. The vision and strategy driver
scores are obtained from mapping36 ISO/IEC 27001 through COBIT 5 to COBIT
2019. The results from mapping the COBIT 2019 governance and management
objectives to alignment goals and then to enterprise goals show that, if used
correctly, a strategy can be formulated from COBIT 2019. Strategic learning, which
consists of gathering feedback, testing the assumptions on which a governance
strategy is based and making the necessary adjustments, is what this mapping
exercise has helped bring out from the COBIT 2019 framework.37 The assessment
results with low scores for alignment and enterprise goals form the basis for
developing an action plan as needed by the organization to address the input items
from ISO/IEC 27001 control objectives and to determine the questions that need to
be answered for a planned developmental/corrective road map as part of the
enterprise strategy. It can be concluded that using COBIT 2019 in strategic planning
to achieve an objective is effective, and that employing tactical actions to implement
the strategy is paramount in enterprise operations.
Endnotes
1 Anoruo, C.; “ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance,” COBIT Focus, 14 December 2015, figure 10
2 Anoruo, C.; “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy,”
9 Op cit ISACA
10 Op cit Hamidovic
11 Op cit ISACA
12 Op cit ITGI
13 Op cit ISACA
14 Zororo, T.; Exploring the Difference Between COBIT 5 and COBIT 2019, LinkedIn, January 2019
15 Op cit ISACA
16 Ibid.
17 Ibid.
18 Steuperaert, D.; “Improving the Quality of the COBIT 5 Goals Cascade as an IT Process Prioritisation Mechanism,” International Journal of IT/Business Alignment and Governance, vol. 7, iss. 2, July 2016
19 Op cit ISACA
20 Ibid.
21 Op cit ITGI
22 Ibid.
23 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”
24 Op cit Zororo
25 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”
26 Ibid.
27 Ibid.
28 Ibid.
29 Ibid.
30 Ibid.
31 Lawrie, G.; I. Cobbold; J. Marshall; “Corporate Performance Management System in a Devolved UK Governmental Organisation: A Case Study,” International Journal of Productivity and Performance Management, vol. 53, no. 4, 2004, p. 353–370
32 Kaplan, R.; D. Norton; The Balanced Scorecard: Translating Vision Into Action,
34 Op cit Hamidovic
35 Ekekwe, N.; “#AimHigher – Move Upstream,” Tekedia, 7 October 2019
36 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”
37 Ibid.