
COBIT 5© ISACA

COBIT 5: ISACA’s new framework for IT Governance, Risk, Security and Auditing

An overview

M. Garsoux
COBIT 5 Licensed Training Provider

Introduction
Principles
Processes
Implementation
Supporting Products
Questions


Evolution of scope (timeline figure): Audit, Control, Management, IT Governance, Governance of Enterprise IT.
Versions: COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), COBIT 5 (2012); also Val IT 2.0 (2008) and Risk IT (2009).

A business framework from ISACA, at www.isaca.org/cobit


What is CobiT?
• Control Objectives for Information and Related Technology (CobiT) is a set of best practices for Information Technology management, developed by ISACA (Information Systems Audit & Control Association) and the IT Governance Institute in 1996.

ISACA develops and maintains the internationally recognized COBIT framework, helping IT professionals and enterprise leaders fulfil their IT Governance responsibilities while delivering value to the business.

ISACA’s latest globally accepted framework

COBIT 5 aims to provide an end-to-end business view of the governance of enterprise IT that reflects the central role of IT in creating value for enterprises.


• Information is a key resource for all enterprises.
• Information is created, used, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Technology is becoming pervasive in all aspects of business and personal life.

What benefits do information and technology bring to enterprises?


Helps enterprises:

• Bring Order to Complex Standards and Frameworks Chaos
• Extract Value from Information
• Address all Stakeholders Needs and Maximize Value of Corporate Information
• Protect and Drive Enterprise Value


Enterprises and their executives strive to:

• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology.

How can these benefits be realized to create enterprise stakeholder value?


• COBIT 5 is a comprehensive framework that helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.


• Enterprises exist to create value for their stakeholders


Stakeholder Value
• Delivering enterprise stakeholder value requires good governance
and management of information and technology (IT) assets.
• Enterprise boards, executives and management have to embrace
IT like any other significant part of the business.
• External legal, regulatory and contractual compliance
requirements related to enterprise use of information and
technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists
enterprises to achieve their goals and deliver value through
effective governance and management of enterprise IT.


Goals cascade

• Stakeholder needs have to be transformed into an enterprise’s actionable strategy.
• The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.


COBIT 5 enterprise goals
(Governance objectives: Benefits realisation, Risk optimisation, Resource optimisation; P = primary relationship, S = secondary relationship)

BSC dimension       Enterprise goal                                            Benefits  Risk  Resource
Financial           1. Stakeholder value of business investments               P               S
                    2. Portfolio of competitive products and services          P         P     S
                    3. Managed business risks (safeguarding of assets)                   P     S
                    4. Compliance with external laws and regulations                     P
                    5. Financial transparency                                  P         S     S
Customer            6. Customer oriented service culture                       P               S
                    7. Business service continuity and availability                      P
                    8. Agile responses to a changing business environment      P               S
                    9. Information based strategic decision making             P         P     P
                    10. Optimisation of service delivery costs                 P               P
Internal            11. Optimisation of business process functionality         P               P
                    12. Optimisation of business process costs                 P               P
                    13. Managed business change programmes                     P         P     S
                    14. Operational and staff productivity                     P               P
                    15. Compliance with internal policies                                P
Learning & Growth   16. Skilled and motivated people                           S         P     P
                    17. Product and business innovation culture                P

COBIT 5 IT-related goals

BSC dimension       IT-related goal
Financial           1. Alignment of IT and business strategy
                    2. IT compliance and support for business compliance with external laws & regulations
                    3. Commitment of executive management for making IT related decisions
                    4. Managed IT related business risks
                    5. Realised benefits from IT-enabled investments and services portfolio
                    6. Transparency of IT costs, benefits and risk
Customer            7. Delivery of IT services in line with business requirements
                    8. Adequate use of applications, information and technology structure
Internal            9. IT agility
                    10. Security of information, processing infrastructure and applications
                    11. Optimisation of IT assets, resources and capabilities
                    12. Enablement and support of business processes by integrating applications and technology
                    13. Delivery of programme on time, on budget, and meeting requirements and quality standards
                    14. Availability of reliable and useful information for decision making
                    15. IT compliance with internal policies
Learning & Growth   16. Competent and motivated business and IT personnel
                    17. Knowledge, expertise and initiatives for business innovation

Mapping of Enterprise goals into IT-goals (excerpt; P = primary, S = secondary)

Enterprise goals (columns): 1 Stakeholder value of business investments (Financial); 6 Customer-oriented service culture (Customer); 11 Optimisation of business process functionality (Internal); 16 Skilled and motivated people (Learning and Growth).

IT-related goal                                                               EG 1   EG 6   EG 11  EG 16
1  Alignment of IT and business strategy (Financial)                          P      P      P      S
7  Delivery of IT services in line with business requirements (Customer)      P      P      P      S
9  IT agility (Internal)                                                      S      S      P      S
16 Competent and motivated business and IT personnel (Learning and Growth)    S, S, P (one cell is blank in the source)

Mapping IT goals to processes (excerpt; P = primary, S = secondary)

IT-related goals (columns): 1 Alignment of IT and business strategy (Financial); 7 Delivery of IT services in line with business requirements (Customer); 9 IT agility (Internal); 17 Knowledge, expertise and initiatives for business innovation (Learning and Growth).

COBIT 5 process (Evaluate, Direct and Monitor domain)           ITG 1  ITG 7  ITG 9  ITG 17
EDM01 Ensure Governance Framework Setting and Maintenance       P      P      S      S
EDM02 Ensure Benefits Delivery                                  P, P, P (one cell is blank in the source)
EDM03 Ensure Risk Optimisation                                  S, S, S (one cell is blank in the source)
EDM04 Ensure Resource Optimisation                              S      S      P      S
EDM05 Ensure Stakeholder Transparency                           S, P, S (one cell is blank in the source)

Key components of a
governance system


• COBIT 5 aligns with the latest relevant standards and frameworks used by enterprises:
  – Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
  – IT-related: ISO 38500, ITIL, ISO27000 series, TOGAF, PMBOK/PRINCE2, CMMI
  – Etc.
• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.


COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.

COBIT 5 enablers are:

• Factors that, individually and collectively, influence whether something will work
• Driven by the goals cascade
• Described by the COBIT 5 framework in seven categories


1. Principles, policies and frameworks—Are the vehicle to translate the desired behaviour
into practical guidance for day-to-day management
2. Processes—Describe an organised set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT related goals
3. Organisational structures—Are the key decision-making entities in an organisation
4. Culture, ethics and behaviour—Of individuals and of the organisation; very often
underestimated as a success factor in governance and management activities
5. Information—Is pervasive throughout any organisation, i.e., deals with all information
produced and used by the enterprise. Information is required for keeping the
organisation running and well governed, but at the operational level, information is very
often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and
applications that provide the enterprise with information technology processing and
services
7. People, skills and competencies—Are linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective
actions


• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM)
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)


COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.


COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.


Pain points:

• Failed IT initiatives
• Rising costs
• Perception of low business value for IT investments
• Significant incidents related to IT risk (e.g. data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Hidden and/or rogue IT spending
• Resource waste through duplication or overlap in IT initiatives
• Insufficient IT resources
• IT staff burnout / dissatisfaction
• IT enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
• Multiple and complex IT assurance efforts
• Board members or senior managers that are reluctant to engage with IT


Trigger events:

• Merger, acquisition or divestiture
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy or priority

By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues being experienced, which will improve buy-in to the business case.
