COBIT® 2019 RACI Tool—Instructions

Tab
1 COBIT 2019 RACI
2 Board
3 Executive Committee
4 Chief Executive Officer
5 Chief Financial Officer
6 Chief Operating Officer
7 Chief Risk Officer
8 Chief Information Officer
9 Chief Technology Officer
10 Chief Digital Officer
11 I&T Governance Board
12 Architecture Board
13 Enterprise Risk Committee
14 Chief Information Security Officer
15 Business Process Owner
16 Portfolio Manager
17 Steering Programs/Projects Committee
18 Program Manager
19 Project Manager
20 Project Management Office
21 Data Management Function
22 Head Human Resources
23 Relationship Manager
24 Head Architect
25 Head Development
26 Head IT Operations
27 Head IT Administration
28 Service Manager
29 Information Security Manager
30 Business Continuity Manager
31 Privacy Officer
32 Legal Counsel
33 Compliance
34 Audit
Area
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Governance
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Management
Practice_Name
Evaluate the governance system.
Direct the governance system.
Monitor the governance system.
Establish the target investment mix.
Evaluate value optimization.
Direct value optimization.
Monitor value optimization.
Evaluate risk management.
Direct risk management.
Monitor risk management.
Evaluate resource management.
Direct resource management.
Monitor resource management.
Evaluate stakeholder engagement and reporting requirements.
Direct stakeholder engagement, communication and reporting.
Monitor stakeholder engagement.
Design the management system for enterprise I&T.
Communicate management objectives, direction and decisions made.
Implement management processes (to support the achievement of governance and management objective
Define and implement the organizational structures.
Establish roles and responsibilities.
Optimize the placement of the IT function.
Define information (data) and system ownership.
Define target skills and competencies.
Define and communicate policies and procedures.
Define and implement infrastructure, services and applications to support the governance and manageme
Manage continual improvement of the I&T management system.
Understand enterprise context and direction.
Assess current capabilities, performance and digital maturity of the enterprise.
Define target digital capabilities.
Conduct a gap analysis.
Define the strategic plan and road map.
Communicate the I&T strategy and direction.
Develop the enterprise architecture vision.
Define reference architecture.
Select opportunities and solutions.
Define architecture implementation.
Provide enterprise architecture services.
Create an environment conducive to innovation.
Maintain an understanding of the enterprise environment.
Monitor and scan the technology environment.
Assess the potential of emerging technologies and innovative ideas.
Recommend appropriate further initiatives.
Monitor the implementation and use of innovation.
Determine the availability and sources of funds.
Evaluate and select programs to fund.
Monitor, optimize and report on investment portfolio performance.
Maintain portfolios.
Manage benefits achievement.
Manage finance and accounting.
Prioritize resource allocation.
Create and maintain budgets.
Model and allocate costs.
Manage costs.
Acquire and maintain adequate and appropriate staffing.
Identify key IT personnel.
Maintain the skills and competencies of personnel.
Assess and recognize/reward employee job performance.
Plan and track the usage of IT and business human resources.
Manage contract staff.
Understand business expectations.
Align I&T strategy with business expectations and identify opportunities for IT to enhance the business.
Manage the business relationship.
Coordinate and communicate.
Provide input to the continual improvement of services.
Identify I&T services.
Catalog I&T-enabled services.
Define and prepare service agreements.
Monitor and report service levels.
Review service agreements and contracts.
Identify and evaluate vendor relationships and contracts.
Select vendors.
Manage vendor relationships and contracts.
Manage vendor risk.
Monitor vendor performance and compliance.
Establish a quality management system (QMS).
Focus quality management on customers.
Manage quality standards, practices and procedures and integrate quality management into key processes
Perform quality monitoring, control and reviews.
Maintain continuous improvement.
Collect data.
Analyze risk.
Maintain a risk profile.
Articulate risk.
Define a risk management action portfolio.
Respond to risk.
Establish and maintain an information security management system (ISMS).
Define and manage an information security risk treatment plan.
Monitor and review the information security management system (ISMS).
Define and communicate the organization's data management strategy and roles and responsibilities.
Define and maintain a consistent business glossary.
Establish the processes and infrastructure for metadata management.
Define a data quality strategy.
Establish data profiling methodologies, processes and tools.
Ensure a data quality assessment approach.
Define the data cleansing approach.
Manage the life cycle of data assets.
Support data archiving and retention.
Manage data backup and restore arrangements.
Maintain a standard approach for program management.
Initiate a program.
Manage stakeholder engagement.
Develop and maintain the program plan.
Launch and execute the program.
Monitor, control and report on the program outcomes.
Manage program quality.
Manage program risk.
Close a program.
Define and maintain business functional and technical requirements.
Perform a feasibility study and formulate alternative solutions.
Manage requirements risk.
Obtain approval of requirements and solutions.
Design high-level solutions.
Design detailed solution components.
Develop solution components.
Procure solution components.
Build solutions.
Perform quality assurance (QA).
Prepare for solution testing.
Execute solution testing.
Manage changes to requirements.
Maintain solutions.
Define IT products and services and maintain the service portfolio.
Design solutions based on the defined development methodology.
Assess current availability, performance and capacity and create a baseline.
Assess business impact.
Plan for new or changed service requirements.
Monitor and review availability and capacity.
Investigate and address availability, performance and capacity issues.
Establish the desire to change.
Form an effective implementation team.
Communicate desired vision.
Empower role players and identify short-term wins.
Enable operation and use.
Embed new approaches.
Sustain changes.
Evaluate, prioritize and authorize change requests.
Manage emergency changes.
Track and report change status.
Close and document the changes.
Establish an implementation plan.
Plan business process, system and data conversion.
Plan acceptance tests.
Establish a test environment.
Perform acceptance tests.
Promote to production and manage releases.
Provide early production support.
Perform a post-implementation review.
Identify and classify sources of information for governance and management of I&T.
Organize and contextualize information into knowledge.
Use and share knowledge.
Evaluate and update or retire information.
Identify and record current assets.
Manage critical assets.
Manage the asset life cycle.
Optimize asset value.
Manage licenses.
Establish and maintain a configuration model.
Establish and maintain a configuration repository and baseline.
Maintain and control configuration items.
Produce status and configuration reports.
Verify and review integrity of the configuration repository.
Maintain a standard approach for project management.
Start up and initiate a project.
Manage stakeholder engagement.
Develop and maintain the project plan.
Manage project quality.
Manage project risk.
Monitor and control projects.
Manage project resources and work packages.
Close a project or iteration.
Perform operational procedures.
Manage outsourced I&T services.
Monitor I&T infrastructure.
Manage the environment.
Manage facilities.
Define classification schemes for incidents and service requests.
Record, classify and prioritize requests and incidents.
Verify, approve and fulfill service requests.
Investigate, diagnose and allocate incidents.
Resolve and recover from incidents.
Close service requests and incidents.
Track status and produce reports.
Identify and classify problems.
Investigate and diagnose problems.
Raise known errors.
Resolve and close problems.
Perform proactive problem management.
Define the business continuity policy, objectives and scope.
Maintain business resilience.
Develop and implement a business continuity response.
Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP).
Review, maintain and improve the continuity plans.
Conduct continuity plan training.
Manage backup arrangements.
Conduct post-resumption review.
Protect against malicious software.
Manage network and connectivity security.
Manage endpoint security.
Manage user identity and logical access.
Manage physical access to I&T assets.
Manage sensitive documents and output devices.
Manage vulnerabilities and monitor the infrastructure for security-related events.
Align control activities embedded in business processes with enterprise objectives.
Control the processing of information.
Manage roles, responsibilities, access privileges and levels of authority.
Manage errors and exceptions.
Ensure traceability and accountability for information events.
Secure information assets.
Establish a monitoring approach.
Set performance and conformance targets.
Collect and process performance and conformance data.
Analyze and report performance.
Ensure the implementation of corrective actions.
Monitor internal controls.
Review effectiveness of business process controls.
Perform control self-assessments.
Identify and report control deficiencies.
Identify external compliance requirements.
Optimize response to external requirements.
Confirm external compliance.
Obtain assurance of external compliance.
Ensure that assurance providers are independent and qualified.
Develop risk-based planning of assurance initiatives.
Determine the objectives of the assurance initiative.
Define the scope of the assurance initiative.
Define the work program for the assurance initiative.
Execute the assurance initiative, focusing on design effectiveness.
Execute the assurance initiative, focusing on operating effectiveness.
Report and follow up on the assurance initiative.
Follow up on recommendations and actions.
Practice ID Objective Board Chief Executive Officer Chief Financial Officer
EDM01.01 EDM01 Accountable Responsible
EDM01.02 EDM01 Accountable
EDM01.03 EDM01 Accountable Responsible
EDM02.01 EDM02 Accountable Responsible Responsible
EDM02.02 EDM02 Accountable Responsible Responsible
EDM02.03 EDM02 Accountable Responsible Responsible
EDM02.04 EDM02 Accountable Responsible Responsible
EDM03.01 EDM03 Accountable Responsible
EDM03.02 EDM03 Accountable Responsible
EDM03.03 EDM03 Accountable Responsible
EDM04.01 EDM04 Accountable Responsible
EDM04.02 EDM04 Accountable Responsible
EDM04.03 EDM04 Accountable Responsible
EDM05.01 EDM05 Accountable Responsible
EDM05.02 EDM05 Accountable Responsible
EDM05.03 EDM05 Accountable Responsible
APO01.01 APO01
APO01.02 APO01
APO01.03 APO01
APO01.04 APO01
APO01.05 APO01
APO01.06 APO01
APO01.07 APO01
APO01.08 APO01
APO01.09 APO01
APO01.10 APO01
APO01.11 APO01
APO02.01 APO02
APO02.02 APO02
APO02.03 APO02
APO02.04 APO02
APO02.05 APO02
APO02.06 APO02 Responsible
APO03.01 APO03
APO03.02 APO03
APO03.03 APO03
APO03.04 APO03
APO03.05 APO03
APO04.01 APO04
APO04.02 APO04
APO04.03 APO04
APO04.04 APO04
APO04.05 APO04
APO04.06 APO04
APO05.01 APO05 Responsible
APO05.02 APO05 Responsible
APO05.03 APO05
APO05.04 APO05
APO05.05 APO05 Responsible
APO06.01 APO06 Accountable
APO06.02 APO06 Responsible
APO06.03 APO06 Responsible
APO06.04 APO06 Responsible
APO06.05 APO06 Responsible
APO07.01 APO07
APO07.02 APO07
APO07.03 APO07
APO07.04 APO07
APO07.05 APO07 Responsible
APO07.06 APO07
APO08.01 APO08
APO08.02 APO08
APO08.03 APO08 Responsible Responsible
APO08.04 APO08 Responsible Responsible
APO08.05 APO08
APO09.01 APO09
APO09.02 APO09
APO09.03 APO09
APO09.04 APO09
APO09.05 APO09
APO10.01 APO10
APO10.02 APO10
APO10.03 APO10
APO10.04 APO10
APO10.05 APO10
APO11.01 APO11
APO11.02 APO11
APO11.03 APO11
APO11.04 APO11
APO11.05 APO11
APO12.01 APO12
APO12.02 APO12
APO12.03 APO12
APO12.04 APO12
APO12.05 APO12
APO12.06 APO12
APO13.01 APO13
APO13.02 APO13
APO13.03 APO13
APO14.01 APO14
APO14.02 APO14
APO14.03 APO14
APO14.04 APO14
APO14.05 APO14
APO14.06 APO14
APO14.07 APO14
APO14.08 APO14
APO14.09 APO14
APO14.10 APO14
BAI01.01 BAI01 Accountable
BAI01.02 BAI01
BAI01.03 BAI01
BAI01.04 BAI01
BAI01.05 BAI01
BAI01.06 BAI01
BAI01.07 BAI01
BAI01.08 BAI01
BAI01.09 BAI01
BAI02.01 BAI02
BAI02.02 BAI02
BAI02.03 BAI02
BAI02.04 BAI02
BAI03.01 BAI03
BAI03.02 BAI03
BAI03.03 BAI03
BAI03.04 BAI03
BAI03.05 BAI03
BAI03.06 BAI03
BAI03.07 BAI03
BAI03.08 BAI03
BAI03.09 BAI03
BAI03.10 BAI03
BAI03.11 BAI03
BAI03.12 BAI03
BAI04.01 BAI04
BAI04.02 BAI04
BAI04.03 BAI04
BAI04.04 BAI04
BAI04.05 BAI04
BAI05.01 BAI05 Accountable
BAI05.02 BAI05
BAI05.03 BAI05
BAI05.04 BAI05
BAI05.05 BAI05
BAI05.06 BAI05
BAI05.07 BAI05
BAI06.01 BAI06
BAI06.02 BAI06
BAI06.03 BAI06
BAI06.04 BAI06
BAI07.01 BAI07
BAI07.02 BAI07
BAI07.03 BAI07
BAI07.04 BAI07
BAI07.05 BAI07
BAI07.06 BAI07
BAI07.07 BAI07
BAI07.08 BAI07
BAI08.01 BAI08
BAI08.02 BAI08
BAI08.03 BAI08
BAI08.04 BAI08
BAI09.01 BAI09
BAI09.02 BAI09
BAI09.03 BAI09
BAI09.04 BAI09
BAI09.05 BAI09
BAI10.01 BAI10
BAI10.02 BAI10
BAI10.03 BAI10
BAI10.04 BAI10
BAI10.05 BAI10
BAI11.01 BAI11 Accountable
BAI11.02 BAI11
BAI11.03 BAI11
BAI11.04 BAI11
BAI11.05 BAI11
BAI11.06 BAI11
BAI11.07 BAI11
BAI11.08 BAI11
BAI11.09 BAI11
DSS01.01 DSS01
DSS01.02 DSS01
DSS01.03 DSS01
DSS01.04 DSS01
DSS01.05 DSS01
DSS02.01 DSS02
DSS02.02 DSS02
DSS02.03 DSS02
DSS02.04 DSS02
DSS02.05 DSS02
DSS02.06 DSS02
DSS02.07 DSS02
DSS03.01 DSS03
DSS03.02 DSS03
DSS03.03 DSS03
DSS03.04 DSS03
DSS03.05 DSS03
DSS04.01 DSS04
DSS04.02 DSS04
DSS04.03 DSS04
DSS04.04 DSS04
DSS04.05 DSS04
DSS04.06 DSS04
DSS04.07 DSS04
DSS04.08 DSS04
DSS05.01 DSS05
DSS05.02 DSS05
DSS05.03 DSS05
DSS05.04 DSS05
DSS05.05 DSS05
DSS05.06 DSS05
DSS05.07 DSS05
DSS06.01 DSS06
DSS06.02 DSS06
DSS06.03 DSS06
DSS06.04 DSS06
DSS06.05 DSS06
DSS06.06 DSS06
MEA01.01 MEA01 Accountable Responsible
MEA01.02 MEA01
MEA01.03 MEA01
MEA01.04 MEA01
MEA01.05 MEA01
MEA02.01 MEA02
MEA02.02 MEA02 Responsible
MEA02.03 MEA02
MEA02.04 MEA02
MEA03.01 MEA03
MEA03.02 MEA03 Responsible Responsible
MEA03.03 MEA03 Responsible Responsible
MEA03.04 MEA03
MEA04.01 MEA04
MEA04.02 MEA04
MEA04.03 MEA04
MEA04.04 MEA04
MEA04.05 MEA04
MEA04.06 MEA04
MEA04.07 MEA04
MEA04.08 MEA04
MEA04.09 MEA04
Chief Operating Officer Business Process Owners I&T Governance Board
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible Responsible
Responsible
Responsible Responsible

Responsible
Responsible Accountable
Responsible Accountable
Accountable
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Accountable
Accountable
Accountable
Accountable
Responsible Accountable

Accountable

Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible Responsible

Responsible
Responsible
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible

Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible

Responsible

Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible

Responsible

Responsible
Responsible

Responsible

Responsible
Responsible

Accountable Responsible
Accountable Responsible
Responsible
Responsible
Accountable Responsible
Responsible

Responsible
Responsible

Responsible

Responsible Accountable
Responsible Accountable
Responsible Accountable
Accountable
Accountable
Accountable
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible

Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Steering Programs/Projects Committee Project Management Office Chief Risk Officer

Responsible
Responsible
Responsible

Responsible
Responsible
Responsible

Responsible
Responsible

Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible

Responsible
Responsible
Responsible
Responsible Accountable
Accountable
Accountable
Accountable
Accountable
Responsible Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Accountable Responsible Responsible


Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable
Accountable Responsible
Accountable Responsible
Accountable
Accountable
Accountable Responsible
Responsible

Responsible

Responsible
Responsible
Responsible

Accountable Responsible Responsible


Accountable
Accountable Responsible
Accountable
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Responsible Responsible

Responsible Responsible
Responsible

Responsible

Responsible
Responsible
Responsible

Responsible
Chief Information Security Officer Architecture Board Enterprise Risk Committee

Responsible
Responsible
Responsible Responsible

Responsible
Responsible

Responsible
Responsible

Responsible Responsible

Accountable
Accountable
Accountable
Accountable
Accountable
Responsible

Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Accountable Responsible
Accountable Responsible
Accountable
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible

Responsible

Responsible
Accountable
Accountable
Accountable
Accountable
Accountable

Accountable

Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Head Human Resources Compliance Audit Chief Information Officer
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Accountable
Accountable
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Accountable
Accountable
Accountable
Accountable
Responsible Accountable
Responsible Accountable
Responsible Accountable
Responsible Accountable
Responsible Responsible
Responsible Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Responsible
Responsible
Responsible
Responsible
Accountable
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Accountable
Accountable
Accountable
Accountable
Responsible
Responsible
Responsible
Responsible
Responsible
Accountable
Responsible
Responsible
Responsible
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Responsible

Responsible
Responsible

Responsible

Responsible

Accountable
Accountable
Accountable
Responsible

Responsible

Responsible
Responsible Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable

Accountable
Accountable

Accountable

Responsible

Responsible

Responsible
Responsible

Accountable
Accountable
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible

Accountable

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable Responsible Responsible
Responsible Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Responsible Accountable
Head Architect Head Development Head IT operations Head IT administration

Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible

Responsible Responsible

Responsible Responsible
Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible

Responsible Responsible Responsible Responsible

Responsible Responsible Responsible Responsible


Responsible Responsible Responsible Responsible

Responsible Responsible Responsible Responsible


Responsible
Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible

Responsible
Responsible

Responsible Responsible
Responsible
Responsible Responsible

Responsible
Responsible
Responsible
Responsible Responsible Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible Responsible

Responsible

Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible
Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible

Responsible

Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible

Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible

Responsible Responsible Responsible


Responsible Responsible Responsible

Responsible Responsible Responsible


Responsible
Responsible

Responsible
Service Manager Information Security Manager Business Continuity Manager

Responsible Responsible Responsible


Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible

Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible
Responsible

Responsible Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible Responsible Responsible
Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible

Responsible Responsible Responsible


Responsible
Responsible
Responsible Responsible Responsible
Responsible

Responsible
Responsible
Responsible

Responsible

Responsible Responsible Responsible


Responsible
Responsible
Responsible
Responsible Responsible

Responsible
Responsible
Responsible
Responsible
Responsible Responsible

Responsible Responsible Responsible


Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible
Responsible
Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible

Responsible Responsible Responsible

Responsible
Responsible
Responsible

Responsible
Responsible Responsible

Responsible

Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Accountable
Responsible Accountable
Responsible
Responsible Accountable
Responsible Responsible
Accountable
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible

Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible Responsible Responsible

Responsible Responsible Responsible


Responsible Responsible Responsible

Responsible Responsible Responsible


Responsible Responsible Responsible
Responsible Responsible Responsible
Privacy Officer Data Mgmt Function Executive Committee Chief Technology Officer
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Responsible Accountable Responsible
Accountable Responsible
Responsible Responsible Accountable Responsible
Responsible Responsible Accountable Responsible
Responsible Responsible Accountable Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible Accountable Responsible
Responsible Accountable Responsible
Responsible Accountable Responsible
Responsible Accountable Responsible
Responsible Accountable Responsible
Responsible Accountable Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible

Responsible
Responsible
Responsible Responsible
Responsible

Responsible
Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Accountable
Accountable
Responsible Accountable
Accountable
Responsible
Responsible
Responsible Responsible
Responsible
Responsible Responsible
Responsible

Responsible Responsible

Responsible Responsible Responsible

Responsible Responsible

Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible

Accountable
Accountable
Accountable
Accountable
Accountable
Responsible Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Accountable Responsible
Responsible
Responsible

Responsible
Responsible

Responsible

Responsible
Responsible
Responsible Responsible
Responsible Responsible
Accountable
Responsible Accountable
Accountable
Responsible
Responsible
Accountable
Accountable
Responsible
Accountable
Accountable

Responsible

Responsible
Responsible Responsible
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Accountable
Responsible Accountable
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Accountable
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Accountable

Responsible Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible
Responsible
Chief Digital Officer Portfolio Manager Program Manager Project Manager

Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Accountable
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible
Responsible Responsible
Responsible

Responsible
Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible Responsible Responsible
Responsible
Responsible Responsible Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible
Responsible Responsible

Responsible Responsible
Responsible Responsible

Responsible Responsible
Responsible Responsible

Responsible Responsible Responsible Responsible

Responsible Responsible Responsible


Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible Responsible Responsible
Responsible
Responsible
Responsible Responsible Responsible

Responsible Responsible
Responsible Responsible

Responsible Responsible Responsible Responsible


Responsible Responsible

Responsible Responsible
Responsible Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Legal Counsel Relationship Manager

Responsible

Responsible

Responsible

Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible

Responsible
Responsible

Responsible

Responsible

Responsible
Responsible
Responsible
Responsible

Responsible

Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible

Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Responsible
Board | Objective | Practice ID | Practice_Name | Count - Board
Accountable | EDM01 | EDM01.01 | Evaluate the governance system. | 1
Accountable | EDM01 | EDM01.02 | Direct the governance system. | 1
Accountable | EDM01 | EDM01.03 | Monitor the governance system. | 1
Accountable | EDM02 | EDM02.01 | Establish the target investment mix. | 1
Accountable | EDM02 | EDM02.02 | Evaluate value optimization. | 1
Accountable | EDM02 | EDM02.03 | Direct value optimization. | 1
Accountable | EDM02 | EDM02.04 | Monitor value optimization. | 1
Accountable | EDM03 | EDM03.01 | Evaluate risk management. | 1
Accountable | EDM03 | EDM03.02 | Direct risk management. | 1
Accountable | EDM03 | EDM03.03 | Monitor risk management. | 1
Accountable | EDM04 | EDM04.01 | Evaluate resource management. | 1
Accountable | EDM04 | EDM04.02 | Direct resource management. | 1
Accountable | EDM04 | EDM04.03 | Monitor resource management. | 1
Accountable | EDM05 | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | 1
Accountable | EDM05 | EDM05.02 | Direct stakeholder engagement, communication and reporting. | 1
Accountable | EDM05 | EDM05.03 | Monitor stakeholder engagement. | 1
Accountable Result | | | | 16
Total Result | | | | 16

Executive Committee | Objective | Practice ID | Practice_Name | Count - Executive Committee
Accountable | APO01 | APO01.01 | Design the management system for enterprise I&T. | 1
Accountable | APO01 | APO01.02 | Communicate management objectives, direction and decisions made. | 1
Accountable | APO01 | APO01.03 | Implement management processes (to support the achievement of governance and management objectives). | 1
Accountable | APO01 | APO01.04 | Define and implement the organizational structures. | 1
Accountable | APO01 | APO01.05 | Establish roles and responsibilities. | 1
Accountable | APO01 | APO01.06 | Optimize the placement of the IT function. | 1
Accountable | APO01 | APO01.07 | Define information (data) and system ownership. | 1
Accountable | APO01 | APO01.08 | Define target skills and competencies. | 1
Accountable | APO01 | APO01.09 | Define and communicate policies and procedures. | 1
Accountable | APO01 | APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | 1
Accountable | APO01 | APO01.11 | Manage continual improvement of the I&T management system. | 1
Accountable | APO04 | APO04.01 | Create an environment conducive to innovation. | 1
Accountable | APO04 | APO04.02 | Maintain an understanding of the enterprise environment. | 1
Accountable | APO04 | APO04.03 | Monitor and scan the technology environment. | 1
Accountable | APO04 | APO04.04 | Assess the potential of emerging technologies and innovative ideas. | 1
Accountable | APO04 | APO04.05 | Recommend appropriate further initiatives. | 1
Accountable | APO04 | APO04.06 | Monitor the implementation and use of innovation. | 1
Accountable | BAI04 | BAI04.02 | Assess business impact. | 1
Accountable | BAI04 | BAI04.04 | Monitor and review availability and capacity. | 1
Accountable | BAI05 | BAI05.02 | Form an effective implementation team. | 1
Accountable | BAI05 | BAI05.03 | Communicate desired vision. | 1
Accountable | BAI05 | BAI05.04 | Empower role players and identify short-term wins. | 1
Accountable | BAI05 | BAI05.05 | Enable operation and use. | 1
Accountable | BAI05 | BAI05.06 | Embed new approaches. | 1
Accountable | BAI05 | BAI05.07 | Sustain changes. | 1
Accountable | MEA01 | MEA01.02 | Set performance and conformance targets. | 1
Accountable Result | | | | 26
Responsible | BAI05 | BAI05.01 | Establish the desire to change. | 1
Responsible | DSS03 | DSS03.05 | Perform proactive problem management. | 1
Responsible | DSS04 | DSS04.01 | Define the business continuity policy, objectives and scope. | 1
Responsible | DSS04 | DSS04.02 | Maintain business resilience. | 1
Responsible | DSS06 | DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | 1
Responsible | EDM01 | EDM01.01 | Evaluate the governance system. | 1
Responsible | EDM01 | EDM01.02 | Direct the governance system. | 1
Responsible | EDM01 | EDM01.03 | Monitor the governance system. | 1
Responsible | EDM02 | EDM02.01 | Establish the target investment mix. | 1
Responsible | EDM02 | EDM02.02 | Evaluate value optimization. | 1
Responsible | EDM02 | EDM02.03 | Direct value optimization. | 1
Responsible | EDM02 | EDM02.04 | Monitor value optimization. | 1
Responsible | EDM03 | EDM03.01 | Evaluate risk management. | 1
Responsible | EDM03 | EDM03.02 | Direct risk management. | 1
Responsible | EDM03 | EDM03.03 | Monitor risk management. | 1
Responsible | EDM04 | EDM04.01 | Evaluate resource management. | 1
Responsible | EDM04 | EDM04.02 | Direct resource management. | 1
Responsible | EDM04 | EDM04.03 | Monitor resource management. | 1
Responsible | EDM05 | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | 1
Responsible | EDM05 | EDM05.02 | Direct stakeholder engagement, communication and reporting. | 1
Responsible | EDM05 | EDM05.03 | Monitor stakeholder engagement. | 1
Responsible | MEA01 | MEA01.01 | Establish a monitoring approach. | 1
Responsible Result | | | | 22
Total Result | | | | 48

Chief Executive Officer | Objective | Practice ID | Practice_Name | Count - Chief Executive Officer
Accountable | BAI01 | BAI01.01 | Maintain a standard approach for program management. | 1
Accountable | BAI05 | BAI05.01 | Establish the desire to change. | 1
Accountable | BAI11 | BAI11.01 | Maintain a standard approach for project management. | 1
Accountable | MEA01 | MEA01.01 | Establish a monitoring approach. | 1
Accountable Result | | | | 4
Responsible | APO02 | APO02.06 | Communicate the I&T strategy and direction. | 1
Responsible | APO08 | APO08.03 | Manage the business relationship. | 1
Responsible | APO08 | APO08.04 | Coordinate and communicate. | 1
Responsible | EDM01 | EDM01.01 | Evaluate the governance system. | 1
Responsible | EDM01 | EDM01.03 | Monitor the governance system. | 1
Responsible | EDM02 | EDM02.01 | Establish the target investment mix. | 1
Responsible | EDM02 | EDM02.02 | Evaluate value optimization. | 1
Responsible | EDM02 | EDM02.03 | Direct value optimization. | 1
Responsible | EDM02 | EDM02.04 | Monitor value optimization. | 1
Responsible | EDM03 | EDM03.01 | Evaluate risk management. | 1
Responsible | EDM03 | EDM03.02 | Direct risk management. | 1
Responsible | EDM03 | EDM03.03 | Monitor risk management. | 1
Responsible | EDM04 | EDM04.01 | Evaluate resource management. | 1
Responsible | EDM04 | EDM04.02 | Direct resource management. | 1
Responsible | EDM04 | EDM04.03 | Monitor resource management. | 1
Responsible | EDM05 | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | 1
Responsible | EDM05 | EDM05.02 | Direct stakeholder engagement, communication and reporting. | 1
Responsible | EDM05 | EDM05.03 | Monitor stakeholder engagement. | 1
Responsible | MEA03 | MEA03.02 | Optimize response to external requirements. | 1
Responsible | MEA03 | MEA03.03 | Confirm external compliance. | 1
Responsible Result | | | | 20
Total Result | | | | 24

Chief Financial Officer | Objective | Practice ID | Practice_Name | Count - Chief Financial Officer
Accountable | APO06 | APO06.01 | Manage finance and accounting. | 1
Accountable Result | | | | 1
Responsible | APO05 | APO05.01 | Determine the availability and sources of funds. | 1
Responsible | APO05 | APO05.02 | Evaluate and select programs to fund. | 1
Responsible | APO05 | APO05.05 | Manage benefits achievement. | 1
Responsible | APO06 | APO06.02 | Prioritize resource allocation. | 1
Responsible | APO06 | APO06.03 | Create and maintain budgets. | 1
Responsible | APO06 | APO06.04 | Model and allocate costs. | 1
Responsible | APO06 | APO06.05 | Manage costs. | 1
Responsible | APO07 | APO07.05 | Plan and track the usage of IT and business human resources. | 1
Responsible | APO08 | APO08.03 | Manage the business relationship. | 1
Responsible | APO08 | APO08.04 | Coordinate and communicate. | 1
Responsible | EDM02 | EDM02.01 | Establish the target investment mix. | 1
Responsible | EDM02 | EDM02.02 | Evaluate value optimization. | 1
Responsible | EDM02 | EDM02.03 | Direct value optimization. | 1
Responsible | EDM02 | EDM02.04 | Monitor value optimization. | 1
Responsible | MEA01 | MEA01.01 | Establish a monitoring approach. | 1
Responsible | MEA02 | MEA02.02 | Review effectiveness of business process controls. | 1
Responsible | MEA03 | MEA03.02 | Optimize response to external requirements. | 1
Responsible | MEA03 | MEA03.03 | Confirm external compliance. | 1
Responsible Result | | | | 18
Total Result | | | | 19

Chief Operating Officer | Objective | Practice ID | Practice_Name | Count - Chief Operating Officer
Accountable | APO07 | APO07.05 | Plan and track the usage of IT and business human resources. | 1
Accountable | APO11 | APO11.01 | Establish a quality management system (QMS). | 1
Accountable | DSS04 | DSS04.01 | Define the business continuity policy, objectives and scope. | 1
Accountable | DSS04 | DSS04.02 | Maintain business resilience. | 1
Accountable | DSS04 | DSS04.05 | Review, maintain and improve the continuity plans. | 1
Accountable Result | | | | 5
Responsible | APO03 | APO03.04 | Define architecture implementation. | 1
Responsible | APO03 | APO03.05 | Provide enterprise architecture services. | 1
Responsible | APO08 | APO08.03 | Manage the business relationship. | 1
Responsible | APO08 | APO08.04 | Coordinate and communicate. | 1
Responsible | APO09 | APO09.01 | Identify I&T services. | 1
Responsible | APO09 | APO09.05 | Review service agreements and contracts. | 1
Responsible | BAI05 | BAI05.05 | Enable operation and use. | 1
Responsible | BAI05 | BAI05.06 | Embed new approaches. | 1
Responsible | BAI05 | BAI05.07 | Sustain changes. | 1
Responsible | DSS01 | DSS01.01 | Perform operational procedures. | 1
Responsible | EDM02 | EDM02.01 | Establish the target investment mix. | 1
Responsible | EDM02 | EDM02.02 | Evaluate value optimization. | 1
Responsible | EDM02 | EDM02.03 | Direct value optimization. | 1
Responsible | EDM02 | EDM02.04 | Monitor value optimization. | 1
Responsible | EDM04 | EDM04.01 | Evaluate resource management. | 1
Responsible | EDM04 | EDM04.02 | Direct resource management. | 1
Responsible | EDM04 | EDM04.03 | Monitor resource management. | 1
Responsible | MEA01 | MEA01.01 | Establish a monitoring approach. | 1
Responsible | MEA03 | MEA03.02 | Optimize response to external requirements. | 1
Responsible | MEA03 | MEA03.03 | Confirm external compliance. | 1
Responsible | MEA04 | MEA04.02 | Develop risk-based planning of assurance initiatives. | 1
Responsible | MEA04 | MEA04.03 | Determine the objectives of the assurance initiative. | 1
Responsible | MEA04 | MEA04.04 | Define the scope of the assurance initiative. | 1
Responsible | MEA04 | MEA04.05 | Define the work program for the assurance initiative. | 1
Responsible | MEA04 | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 1
Responsible | MEA04 | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | 1
Responsible | MEA04 | MEA04.08 | Report and follow up on the assurance initiative. | 1
Responsible | MEA04 | MEA04.09 | Follow up on recommendations and actions. | 1
Responsible Result | | | | 28
Total Result | | | | 33

Chief Risk Officer | Objective | Practice ID | Practice_Name | Count - Chief Risk Officer
Accountable | APO12 | APO12.01 | Collect data. | 1
Accountable | APO12 | APO12.02 | Analyze risk. | 1
Accountable | APO12 | APO12.03 | Maintain a risk profile. | 1
Accountable | APO12 | APO12.04 | Articulate risk. | 1
Accountable | APO12 | APO12.05 | Define a risk management action portfolio. | 1
Accountable Result | | | | 5
Responsible | APO01 | APO01.02 | Communicate management objectives, direction and decisions made. | 1
Responsible | APO01 | APO01.03 | Implement management processes (to support the achievement of governance and management objectives). | 1
Responsible | APO10 | APO10.04 | Manage vendor risk. | 1
Responsible | APO10 | APO10.05 | Monitor vendor performance and compliance. | 1
Responsible | APO11 | APO11.04 | Perform quality monitoring, control and reviews. | 1
Responsible | APO12 | APO12.06 | Respond to risk. | 1
Responsible | APO14 | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 1
Responsible | APO14 | APO14.02 | Define and maintain a consistent business glossary. | 1
Responsible | APO14 | APO14.03 | Establish the processes and infrastructure for metadata management. | 1
Responsible | APO14 | APO14.04 | Define a data quality strategy. | 1
Responsible | APO14 | APO14.05 | Establish data profiling methodologies, processes and tools. | 1
Responsible | APO14 | APO14.06 | Ensure a data quality assessment approach. | 1
Responsible | APO14 | APO14.07 | Define the data cleansing approach. | 1
Responsible | APO14 | APO14.08 | Manage the life cycle of data assets. | 1
Responsible | APO14 | APO14.09 | Support data archiving and retention. | 1
Responsible | APO14 | APO14.10 | Manage data backup and restore arrangements. | 1
Responsible | BAI01 | BAI01.02 | Initiate a program. | 1
Responsible | BAI01 | BAI01.08 | Manage program risk. | 1
Responsible | BAI02 | BAI02.03 | Manage requirements risk. | 1
Responsible | BAI11 | BAI11.02 | Start up and initiate a project. | 1
Responsible | BAI11 | BAI11.06 | Manage project risk. | 1
Responsible | EDM03 | EDM03.01 | Evaluate risk management. | 1
Responsible | EDM03 | EDM03.02 | Direct risk management. | 1
Responsible | EDM03 | EDM03.03 | Monitor risk management. | 1
Responsible | EDM05 | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | 1
Responsible | EDM05 | EDM05.02 | Direct stakeholder engagement, communication and reporting. | 1
Responsible | EDM05 | EDM05.03 | Monitor stakeholder engagement. | 1
Responsible | MEA02 | MEA02.01 | Monitor internal controls. | 1
Responsible | MEA02 | MEA02.03 | Perform control self-assessments. | 1
Responsible | MEA04 | MEA04.02 | Develop risk-based planning of assurance initiatives. | 1
Responsible | MEA04 | MEA04.03 | Determine the objectives of the assurance initiative. | 1
Responsible | MEA04 | MEA04.04 | Define the scope of the assurance initiative. | 1
Responsible | MEA04 | MEA04.09 | Follow up on recommendations and actions. | 1
Responsible Result | | | | 33
Total Result | | | | 38

Chief Information Officer | Objective | Practice ID | Practice_Name | Count - Chief Information Officer
Accountable | APO02 | APO02.01 | Understand enterprise context and direction. | 1
Accountable | APO02 | APO02.02 | Assess current capabilities, performance and digital maturity of the enterprise. | 1
Accountable | APO06 | APO06.02 | Prioritize resource allocation. | 1
Accountable | APO06 | APO06.03 | Create and maintain budgets. | 1
Accountable | APO06 | APO06.04 | Model and allocate costs. | 1
Accountable | APO06 | APO06.05 | Manage costs. | 1
Accountable | APO07 | APO07.01 | Acquire and maintain adequate and appropriate staffing. | 1
Accountable | APO07 | APO07.02 | Identify key IT personnel. | 1
Accountable | APO07 | APO07.03 | Maintain the skills and competencies of personnel. | 1
Accountable | APO07 | APO07.04 | Assess and recognize/reward employee job performance. | 1
Accountable | APO07 | APO07.06 | Manage contract staff. | 1
Accountable | APO08 | APO08.01 | Understand business expectations. | 1
Accountable | APO08 | APO08.02 | Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. | 1
Accountable | APO08 | APO08.03 | Manage the business relationship. | 1
Accountable | APO08 | APO08.04 | Coordinate and communicate. | 1
Accountable | APO08 | APO08.05 | Provide input to the continual improvement of services. | 1
Accountable | APO09 | APO09.05 | Review service agreements and contracts. | 1
Accountable | APO11 | APO11.02 | Focus quality management on customers. | 1
Accountable | APO11 | APO11.03 | Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. | 1
Accountable | APO11 | APO11.04 | Perform quality monitoring, control and reviews. | 1
Accountable | APO11 | APO11.05 | Maintain continuous improvement. | 1
Accountable | APO12 | APO12.06 | Respond to risk. | 1
Accountable | APO14 | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 1
Accountable | APO14 | APO14.02 | Define and maintain a consistent business glossary. | 1
Accountable | APO14 | APO14.03 | Establish the processes and infrastructure for metadata management. | 1
Accountable | APO14 | APO14.04 | Define a data quality strategy. | 1
Accountable | APO14 | APO14.05 | Establish data profiling methodologies, processes and tools. | 1
Accountable | APO14 | APO14.06 | Ensure a data quality assessment approach. | 1
Accountable | APO14 | APO14.07 | Define the data cleansing approach. | 1
Accountable | APO14 | APO14.08 | Manage the life cycle of data assets. | 1
Accountable | APO14 | APO14.09 | Support data archiving and retention. | 1
Accountable | APO14 | APO14.10 | Manage data backup and restore arrangements. | 1
Accountable | BAI03 | BAI03.10 | Maintain solutions. | 1
Accountable | BAI03 | BAI03.11 | Define IT products and services and maintain the service portfolio. | 1
Accountable | BAI03 | BAI03.12 | Design solutions based on the defined development methodology. | 1
Accountable | BAI06 | BAI06.01 | Evaluate, prioritize and authorize change requests. | 1
Accountable | BAI06 | BAI06.02 | Manage emergency changes. | 1
Accountable | BAI06 | BAI06.03 | Track and report change status. | 1
Accountable | BAI06 | BAI06.04 | Close and document the changes. | 1
Accountable | BAI07 | BAI07.01 | Establish an implementation plan. | 1
Accountable | BAI07 | BAI07.02 | Plan business process, system and data conversion. | 1
Accountable | BAI07 | BAI07.03 | Plan acceptance tests. | 1
Accountable | BAI07 | BAI07.04 | Establish a test environment. | 1
Accountable | BAI07 | BAI07.05 | Perform acceptance tests. | 1
Accountable | BAI07 | BAI07.06 | Promote to production and manage releases. | 1
Accountable | BAI07 | BAI07.07 | Provide early production support. | 1
Accountable | BAI07 | BAI07.08 | Perform a post-implementation review. | 1
Accountable | BAI08 | BAI08.01 | Identify and classify sources of information for governance and management of I&T. | 1
Accountable | BAI08 | BAI08.02 | Organize and contextualize information into knowledge. | 1
Accountable | BAI08 | BAI08.03 | Use and share knowledge. | 1
Accountable | BAI08 | BAI08.04 | Evaluate and update or retire information. | 1
Accountable | BAI09 | BAI09.04 | Optimize asset value. | 1
Accountable | BAI09 | BAI09.05 | Manage licenses. | 1
Accountable | BAI10 | BAI10.03 | Maintain and control configuration items. | 1
Accountable | DSS01 | DSS01.01 | Perform operational procedures. | 1
Accountable | DSS01 | DSS01.02 | Manage outsourced I&T services. | 1
Accountable | DSS05 | DSS05.06 | Manage sensitive documents and output devices. | 1
Accountable | MEA01 | MEA01.03 | Collect and process performance and conformance data. | 1
Accountable | MEA01 | MEA01.04 | Analyze and report performance. | 1
Accountable | MEA01 | MEA01.05 | Ensure the implementation of corrective actions. | 1
Accountable | MEA02 | MEA02.01 | Monitor internal controls. | 1
Accountable | MEA02 | MEA02.02 | Review effectiveness of business process controls. | 1
Accountable | MEA02 | MEA02.03 | Perform control self-assessments. | 1
Accountable | MEA02 | MEA02.04 | Identify and report control deficiencies. | 1
Accountable | MEA04 | MEA04.09 | Follow up on recommendations and actions. | 1
Accountable Result | | | | 65
Responsible | APO01 | APO01.01 | Design the management system for enterprise I&T. | 1
Responsible | APO01 | APO01.02 | Communicate management objectives, direction and decisions made. | 1
Responsible | APO01 | APO01.03 | Implement management processes (to support the achievement of governance and management objectives). | 1
Responsible | APO01 | APO01.04 | Define and implement the organizational structures. | 1
Responsible | APO01 | APO01.05 | Establish roles and responsibilities. | 1
Responsible | APO01 | APO01.06 | Optimize the placement of the IT function. | 1
Responsible | APO01 | APO01.07 | Define information (data) and system ownership. | 1
Responsible | APO01 | APO01.08 | Define target skills and competencies. | 1
Responsible | APO01 | APO01.09 | Define and communicate policies and procedures. | 1
Responsible | APO01 | APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | 1
Responsible | APO01 | APO01.11 | Manage continual improvement of the I&T management system. | 1
Responsible | APO02 | APO02.03 | Define target digital capabilities. | 1
Responsible | APO02 | APO02.04 | Conduct a gap analysis. | 1
Responsible | APO02 | APO02.05 | Define the strategic plan and road map. | 1
Responsible | APO02 | APO02.06 | Communicate the I&T strategy and direction. | 1
Responsible | APO03 | APO03.01 | Develop the enterprise architecture vision. | 1
Responsible | APO03 | APO03.02 | Define reference architecture. | 1
Responsible | APO03 | APO03.03 | Select opportunities and solutions. | 1
Responsible | APO03 | APO03.04 | Define architecture implementation. | 1
Responsible | APO03 | APO03.05 | Provide enterprise architecture services. | 1
Responsible | APO04 | APO04.01 | Create an environment conducive to innovation. | 1
Responsible | APO04 | APO04.02 | Maintain an understanding of the enterprise environment. | 1
Responsible | APO04 | APO04.03 | Monitor and scan the technology environment. | 1
Responsible | APO04 | APO04.04 | Assess the potential of emerging technologies and innovative ideas. | 1
Responsible | APO04 | APO04.05 | Recommend appropriate further initiatives. | 1
Responsible | APO04 | APO04.06 | Monitor the implementation and use of innovation. | 1
Responsible | APO05 | APO05.01 | Determine the availability and sources of funds. | 1
Responsible | APO05 | APO05.02 | Evaluate and select programs to fund. | 1
Responsible | APO05 | APO05.03 | Monitor, optimize and report on investment portfolio performance. | 1
Responsible | APO05 | APO05.04 | Maintain portfolios. | 1
Responsible | APO05 | APO05.05 | Manage benefits achievement. | 1
Responsible | APO07 | APO07.05 | Plan and track the usage of IT and business human resources. | 1
Responsible | APO09 | APO09.01 | Identify I&T services. | 1
Responsible | APO09 | APO09.02 | Catalog I&T-enabled services. | 1
Responsible | APO09 | APO09.03 | Define and prepare service agreements. | 1
Responsible | APO09 | APO09.04 | Monitor and report service levels. | 1
Responsible | APO10 | APO10.01 | Identify and evaluate vendor relationships and contracts. | 1
Responsible | APO10 | APO10.02 | Select vendors. | 1
Responsible | APO10 | APO10.03 | Manage vendor relationships and contracts. | 1
Responsible | APO10 | APO10.04 | Manage vendor risk. | 1
Responsible | APO10 | APO10.05 | Monitor vendor performance and compliance. | 1
Responsible | APO11 | APO11.01 | Establish a quality management system (QMS). | 1
Responsible | APO12 | APO12.01 | Collect data. | 1
Responsible | APO12 | APO12.02 | Analyze risk. | 1
Responsible | APO12 | APO12.03 | Maintain a risk profile. | 1
Responsible | APO12 | APO12.04 | Articulate risk. | 1
Responsible | APO12 | APO12.05 | Define a risk management action portfolio. | 1
Responsible | APO13 | APO13.01 | Establish and maintain an information security management system (ISMS). | 1
Responsible | APO13 | APO13.02 | Define and manage an information security risk treatment plan. | 1
Responsible | APO13 | APO13.03 | Monitor and review the information security management system (ISMS). | 1
Responsible | BAI01 | BAI01.01 | Maintain a standard approach for program management. | 1
Responsible | BAI01 | BAI01.05 | Launch and execute the program. | 1
Responsible | BAI01 | BAI01.06 | Monitor, control and report on the program outcomes. | 1
Responsible | BAI01 | BAI01.09 | Close a program. | 1
Responsible | BAI02 | BAI02.03 | Manage requirements risk. | 1
Responsible | BAI04 | BAI04.01 | Assess current availability, performance and capacity and create a baseline. | 1
Responsible | BAI04 | BAI04.03 | Plan for new or changed service requirements. | 1
Responsible | BAI04 | BAI04.05 | Investigate and address availability, performance and capacity issues. | 1
Responsible | BAI05 | BAI05.01 | Establish the desire to change. | 1
Responsible | BAI05 | BAI05.02 | Form an effective implementation team. | 1
Responsible | BAI05 | BAI05.03 | Communicate desired vision. | 1
Responsible | BAI05 | BAI05.04 | Empower role players and identify short-term wins. | 1
Responsible | BAI05 | BAI05.05 | Enable operation and use. | 1
Responsible | BAI05 | BAI05.06 | Embed new approaches. | 1
Responsible | BAI05 | BAI05.07 | Sustain changes. | 1
Responsible | BAI11 | BAI11.01 | Maintain a standard approach for project management. | 1
Responsible | BAI11 | BAI11.03 | Manage stakeholder engagement. | 1
Responsible | BAI11 | BAI11.05 | Manage project quality. | 1
Responsible | BAI11 | BAI11.06 | Manage project risk. | 1
Responsible | DSS01 | DSS01.03 | Monitor I&T infrastructure. | 1
Responsible | DSS01 | DSS01.04 | Manage the environment. | 1
Responsible | DSS01 | DSS01.05 | Manage facilities. | 1
Responsible | DSS03 | DSS03.01 | Identify and classify problems. | 1
Responsible | DSS04 | DSS04.01 | Define the business continuity policy, objectives and scope. | 1
Responsible | DSS04 | DSS04.02 | Maintain business resilience. | 1
Responsible | DSS04 | DSS04.03 | Develop and implement a business continuity response. | 1
Responsible | DSS04 | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 1
Responsible | DSS04 | DSS04.05 | Review, maintain and improve the continuity plans. | 1
Responsible | DSS04 | DSS04.06 | Conduct continuity plan training. | 1
Responsible | DSS04 | DSS04.08 | Conduct post-resumption review. | 1
Responsible | DSS06 | DSS06.02 | Control the processing of information. | 1
Responsible | DSS06 | DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | 1
Responsible | DSS06 | DSS06.04 | Manage errors and exceptions. | 1
Responsible | DSS06 | DSS06.05 | Ensure traceability and accountability for information events. | 1
Responsible | DSS06 | DSS06.06 | Secure information assets. | 1
Responsible | EDM01 | EDM01.01 | Evaluate the governance system. | 1
Responsible | EDM01 | EDM01.03 | Monitor the governance system. | 1
Responsible | EDM02 | EDM02.01 | Establish the target investment mix. | 1
Responsible | EDM02 | EDM02.02 | Evaluate value optimization. | 1
Responsible | EDM02 | EDM02.03 | Direct value optimization. | 1
Responsible | EDM02 | EDM02.04 | Monitor value optimization. | 1
Responsible | EDM03 | EDM03.01 | Evaluate risk management. | 1
Responsible | EDM03 | EDM03.02 | Direct risk management. | 1
Responsible | EDM03 | EDM03.03 | Monitor risk management. | 1
Responsible | EDM04 | EDM04.01 | Evaluate resource management. | 1
Responsible | EDM04 | EDM04.02 | Direct resource management. | 1
Responsible | EDM04 | EDM04.03 | Monitor resource management. | 1
Responsible | EDM05 | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | 1
Responsible | EDM05 | EDM05.02 | Direct stakeholder engagement, communication and reporting. | 1
Responsible | EDM05 | EDM05.03 | Monitor stakeholder engagement. | 1
Responsible | MEA01 | MEA01.01 | Establish a monitoring approach. | 1
Responsible | MEA03 | MEA03.01 | Identify external compliance requirements. | 1
Responsible | MEA03 | MEA03.02 | Optimize response to external requirements. | 1
Responsible | MEA03 | MEA03.03 | Confirm external compliance. | 1
Responsible | MEA03 | MEA03.04 | Obtain assurance of external compliance. | 1
Responsible | MEA04 | MEA04.01 | Ensure that assurance providers are independent and qualified. | 1
Responsible | MEA04 | MEA04.02 | Develop risk-based planning of assurance initiatives. | 1
Responsible | MEA04 | MEA04.03 | Determine the objectives of the assurance initiative. | 1
Responsible | MEA04 | MEA04.04 | Define the scope of the assurance initiative. | 1
Responsible | MEA04 | MEA04.05 | Define the work program for the assurance initiative. | 1
Responsible | MEA04 | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 1
Responsible | MEA04 | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | 1
Responsible | MEA04 | MEA04.08 | Report and follow up on the assurance initiative. | 1
Responsible Result | | | | 113
Total Result | | | | 178

Chief Technology Officer | Objective | Practice ID | Practice_Name | Count - Chief Technology Officer
Responsible | APO01 | APO01.01 | Design the management system for enterprise I&T. | 1
Responsible | APO01 | APO01.02 | Communicate management objectives, direction and decisions made. | 1
Responsible | APO01 | APO01.03 | Implement management processes (to support the achievement of governance and management objectives). | 1
Responsible | APO01 | APO01.04 | Define and implement the organizational structures. | 1
Responsible | APO01 | APO01.05 | Establish roles and responsibilities. | 1
Responsible | APO01 | APO01.06 | Optimize the placement of the IT function. | 1
Responsible | APO01 | APO01.07 | Define information (data) and system ownership. | 1
Responsible | APO01 | APO01.08 | Define target skills and competencies. | 1
Responsible | APO01 | APO01.09 | Define and communicate policies and procedures. | 1
Responsible | APO01 | APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | 1
Responsible | APO01 | APO01.11 | Manage continual improvement of the I&T management system. | 1
Responsible | APO02 | APO02.01 | Understand enterprise context and direction. | 1
Responsible | APO02 | APO02.02 | Assess current capabilities, performance and digital maturity of the enterprise. | 1
Responsible | APO02 | APO02.03 | Define target digital capabilities. | 1
Responsible | APO02 | APO02.04 | Conduct a gap analysis. | 1
Responsible | APO02 | APO02.05 | Define the strategic plan and road map. | 1
Responsible | APO02 | APO02.06 | Communicate the I&T strategy and direction. | 1
Responsible | APO03 | APO03.01 | Develop the enterprise architecture vision. | 1
Responsible | APO03 | APO03.02 | Define reference architecture. | 1
Responsible | APO03 | APO03.03 | Select opportunities and solutions. | 1
Responsible | APO03 | APO03.04 | Define architecture implementation. | 1
Responsible | APO03 | APO03.05 | Provide enterprise architecture services. | 1
Responsible | APO04 | APO04.01 | Create an environment conducive to innovation. | 1
Responsible | APO04 | APO04.02 | Maintain an understanding of the enterprise environment. | 1
Responsible | APO04 | APO04.03 | Monitor and scan the technology environment. | 1
Responsible | APO04 | APO04.04 | Assess the potential of emerging technologies and innovative ideas. | 1
Responsible | APO04 | APO04.05 | Recommend appropriate further initiatives. | 1
Responsible | APO04 | APO04.06 | Monitor the implementation and use of innovation. | 1
Responsible | APO05 | APO05.02 | Evaluate and select programs to fund. | 1
Responsible | APO05 | APO05.03 | Monitor, optimize and report on investment portfolio performance. | 1
Responsible | APO05 | APO05.04 | Maintain portfolios. | 1
Responsible | APO05 | APO05.05 | Manage benefits achievement. | 1
Responsible | APO06 | APO06.02 | Prioritize resource allocation. | 1
Responsible | APO06 | APO06.03 | Create and maintain budgets. | 1
Responsible | APO06 | APO06.05 | Manage costs. | 1
Responsible | APO07 | APO07.01 | Acquire and maintain adequate and appropriate staffing. | 1
Responsible | APO07 | APO07.02 | Identify key IT personnel. | 1
Responsible | APO07 | APO07.03 | Maintain the skills and competencies of personnel. | 1
Responsible | APO07 | APO07.05 | Plan and track the usage of IT and business human resources. | 1
Responsible | APO07 | APO07.06 | Manage contract staff. | 1
Responsible | APO08 | APO08.01 | Understand business expectations. | 1
Responsible | APO08 | APO08.02 | Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. | 1
Responsible | APO08 | APO08.03 | Manage the business relationship. | 1
Responsible | APO08 | APO08.04 | Coordinate and communicate. | 1
Responsible | APO08 | APO08.05 | Provide input to the continual improvement of services. | 1
Responsible | APO09 | APO09.05 | Review service agreements and contracts. | 1
Responsible | APO10 | APO10.01 | Identify and evaluate vendor relationships and contracts. | 1
Responsible | APO10 | APO10.02 | Select vendors. | 1
Responsible | APO10 | APO10.03 | Manage vendor relationships and contracts. | 1
Responsible | APO10 | APO10.04 | Manage vendor risk. | 1
Responsible | APO10 | APO10.05 | Monitor vendor performance and compliance. | 1
Responsible | APO11 | APO11.03 | Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. | 1
Responsible | APO12 | APO12.01 | Collect data. | 1
Responsible | APO12 | APO12.06 | Respond to risk. | 1
Responsible | APO13 | APO13.03 | Monitor and review the information security management system (ISMS). | 1
Responsible | BAI03 | BAI03.01 | Design high-level solutions. | 1
Responsible | BAI03 | BAI03.02 | Design detailed solution components. | 1
Responsible | BAI03 | BAI03.03 | Develop solution components. | 1
Responsible | BAI03 | BAI03.04 | Procure solution components. | 1
Responsible | BAI03 | BAI03.05 | Build solutions. | 1
Responsible | BAI03 | BAI03.06 | Perform quality assurance (QA). | 1
Responsible | BAI03 | BAI03.07 | Prepare for solution testing. | 1
Responsible | BAI03 | BAI03.08 | Execute solution testing. | 1
Responsible | BAI03 | BAI03.09 | Manage changes to requirements. | 1
Responsible | BAI03 | BAI03.10 | Maintain solutions. | 1
Responsible | BAI05 | BAI05.01 | Establish the desire to change. | 1
Responsible | BAI05 | BAI05.02 | Form an effective implementation team. | 1
Responsible | BAI05 | BAI05.03 | Communicate desired vision. | 1
Responsible | BAI05 | BAI05.04 | Empower role players and identify short-term wins. | 1
Responsible | BAI05 | BAI05.05 | Enable operation and use. | 1
Responsible | BAI05 | BAI05.06 | Embed new approaches. | 1
Responsible | BAI05 | BAI05.07 | Sustain changes. | 1
Responsible | BAI08 | BAI08.03 | Use and share knowledge. | 1
Responsible | BAI09 | BAI09.04 | Optimize asset value. | 1
Responsible | BAI09 | BAI09.05 | Manage licenses. | 1
Responsible | BAI10 | BAI10.03 | Maintain and control configuration items. | 1
Responsible | BAI11 | BAI11.02 | Start up and initiate a project. | 1
Responsible | DSS01 | DSS01.01 | Perform operational procedures. | 1
Responsible | DSS01 | DSS01.02 | Manage outsourced I&T services. | 1
Responsible | DSS04 | DSS04.03 | Develop and implement a business continuity response. | 1
Responsible | DSS04 | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 1
Responsible | DSS04 | DSS04.05 | Review, maintain and improve the continuity plans. | 1
Responsible | DSS04 | DSS04.06 | Conduct continuity plan training. | 1
Responsible | DSS04 | DSS04.08 | Conduct post-resumption review. | 1
Responsible | MEA02 | MEA02.01 | Monitor internal controls. | 1
Responsible | MEA02 | MEA02.02 | Review effectiveness of business process controls. | 1
Responsible | MEA02 | MEA02.03 | Perform control self-assessments. | 1
Responsible | MEA02 | MEA02.04 | Identify and report control deficiencies. | 1
Responsible | MEA04 | MEA04.01 | Ensure that assurance providers are independent and qualified. | 1
Responsible | MEA04 | MEA04.02 | Develop risk-based planning of assurance initiatives. | 1
Responsible | MEA04 | MEA04.03 | Determine the objectives of the assurance initiative. | 1
Responsible | MEA04 | MEA04.04 | Define the scope of the assurance initiative. | 1
Responsible | MEA04 | MEA04.05 | Define the work program for the assurance initiative. | 1
Responsible | MEA04 | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 1
Responsible | MEA04 | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | 1
Responsible | MEA04 | MEA04.08 | Report and follow up on the assurance initiative. | 1
Responsible | MEA04 | MEA04.09 | Follow up on recommendations and actions. | 1
Responsible Result | | | | 97
Accountable | APO09 | APO09.01 | Identify I&T services. | 1
Accountable | APO09 | APO09.02 | Catalog I&T-enabled services. | 1
Accountable | APO09 | APO09.03 | Define and prepare service agreements. | 1
Accountable | APO09 | APO09.04 | Monitor and report service levels. | 1
Accountable | BAI04 | BAI04.01 | Assess current availability, performance and capacity and create a baseline. | 1
Accountable | BAI04 | BAI04.03 | Plan for new or changed service requirements. | 1
Accountable | BAI04 | BAI04.05 | Investigate and address availability, performance and capacity issues. | 1
Accountable | BAI09 | BAI09.01 | Identify and record current assets. | 1
Accountable | BAI09 | BAI09.02 | Manage critical assets. | 1
Accountable | BAI09 | BAI09.03 | Manage the asset life cycle. | 1
Accountable | BAI10 | BAI10.01 | Establish and maintain a configuration model. | 1
Accountable | BAI10 | BAI10.02 | Establish and maintain a configuration repository and baseline. | 1
Accountable | BAI10 | BAI10.04 | Produce status and configuration reports. | 1
Accountable | BAI10 | BAI10.05 | Verify and review integrity of the configuration repository. | 1
Accountable | DSS01 | DSS01.03 | Monitor I&T infrastructure. | 1
Accountable | DSS01 | DSS01.04 | Manage the environment. | 1
Accountable | DSS01 | DSS01.05 | Manage facilities. | 1
Accountable | DSS02 | DSS02.01 | Define classification schemes for incidents and service requests. | 1
Accountable | DSS02 | DSS02.02 | Record, classify and prioritize requests and incidents. | 1
Accountable | DSS02 | DSS02.03 | Verify, approve and fulfill service requests. | 1
Accountable | DSS02 | DSS02.04 | Investigate, diagnose and allocate incidents. | 1
Accountable | DSS02 | DSS02.05 | Resolve and recover from incidents. | 1
Accountable | DSS02 | DSS02.06 | Close service requests and incidents. | 1
Accountable | DSS02 | DSS02.07 | Track status and produce reports. | 1
Accountable | DSS03 | DSS03.01 | Identify and classify problems. | 1
Accountable | DSS03 | DSS03.02 | Investigate and diagnose problems. | 1
Accountable | DSS03 | DSS03.03 | Raise known errors. | 1
Accountable | DSS03 | DSS03.04 | Resolve and close problems. | 1
Accountable | DSS03 | DSS03.05 | Perform proactive problem management. | 1
Accountable | DSS04 | DSS04.07 | Manage backup arrangements. | 1
Accountable Result | | | | 30
Total Result | | | | 127

Chief Digital Officer Objective Practice ID Practice_Name Count - Chief Digital Officer
A APO02 APO02.03 Define target digital capabilities. 1
A Result 1
R APO01 APO01.01 Design the management system for enterprise I&T. 1
R APO01 APO01.02 Communicate management objectives, direction and decisions made. 1
R APO01 APO01.03 Implement management processes (to support the achievement of governance and management objectives). 1
R APO01 APO01.04 Define and implement the organizational structures. 1
R APO01 APO01.05 Establish roles and responsibilities. 1
R APO01 APO01.06 Optimize the placement of the IT function. 1
R APO01 APO01.07 Define information (data) and system ownership. 1
R APO01 APO01.08 Define target skills and competencies. 1
R APO01 APO01.09 Define and communicate policies and procedures. 1
R APO01 APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
R APO01 APO01.11 Manage continual improvement of the I&T management system. 1
R APO02 APO02.01 Understand enterprise context and direction. 1
R APO02 APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
R APO02 APO02.04 Conduct a gap analysis. 1
R APO02 APO02.05 Define the strategic plan and road map. 1
R APO02 APO02.06 Communicate the I&T strategy and direction. 1
R APO03 APO03.01 Develop the enterprise architecture vision. 1
R APO03 APO03.02 Define reference architecture. 1
R APO03 APO03.03 Select opportunities and solutions. 1
R APO03 APO03.04 Define architecture implementation. 1
R APO03 APO03.05 Provide enterprise architecture services. 1
R APO04 APO04.01 Create an environment conducive to innovation. 1
R APO04 APO04.02 Maintain an understanding of the enterprise environment. 1
R APO04 APO04.03 Monitor and scan the technology environment. 1
R APO04 APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
R APO04 APO04.05 Recommend appropriate further initiatives. 1
R APO04 APO04.06 Monitor the implementation and use of innovation. 1
R APO05 APO05.02 Evaluate and select programs to fund. 1
R APO05 APO05.03 Monitor, optimize and report on investment portfolio performance. 1
R APO05 APO05.04 Maintain portfolios. 1
R APO05 APO05.05 Manage benefits achievement. 1
R APO06 APO06.02 Prioritize resource allocation. 1
R APO06 APO06.03 Create and maintain budgets. 1
R APO06 APO06.05 Manage costs. 1
R APO07 APO07.01 Acquire and maintain adequate and appropriate staffing. 1
R APO07 APO07.02 Identify key IT personnel. 1
R APO07 APO07.03 Maintain the skills and competencies of personnel. 1
R APO07 APO07.05 Plan and track the usage of IT and business human resources. 1
R APO07 APO07.06 Manage contract staff. 1
R APO08 APO08.01 Understand business expectations. 1
R APO08 APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
R APO08 APO08.03 Manage the business relationship. 1
R APO08 APO08.04 Coordinate and communicate. 1
R APO08 APO08.05 Provide input to the continual improvement of services. 1
R APO10 APO10.01 Identify and evaluate vendor relationships and contracts. 1
R APO10 APO10.02 Select vendors. 1
R APO10 APO10.03 Manage vendor relationships and contracts. 1
R APO10 APO10.04 Manage vendor risk. 1
R APO10 APO10.05 Monitor vendor performance and compliance. 1
R APO11 APO11.01 Establish a quality management system (QMS). 1
R APO11 APO11.02 Focus quality management on customers. 1
R APO11 APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
R APO11 APO11.04 Perform quality monitoring, control and reviews. 1
R APO12 APO12.01 Collect data. 1
R APO12 APO12.06 Respond to risk. 1
R APO14 APO14.01 Define and communicate the organization's data management strategy and roles and responsibilities. 1
R APO14 APO14.02 Define and maintain a consistent business glossary. 1
R APO14 APO14.03 Establish the processes and infrastructure for metadata management. 1
R APO14 APO14.04 Define a data quality strategy. 1
R APO14 APO14.05 Establish data profiling methodologies, processes and tools. 1
R APO14 APO14.06 Ensure a data quality assessment approach. 1
R APO14 APO14.07 Define the data cleansing approach. 1
R APO14 APO14.08 Manage the life cycle of data assets. 1
R APO14 APO14.09 Support data archiving and retention. 1
R APO14 APO14.10 Manage data backup and restore arrangements. 1
R BAI03 BAI03.12 Design solutions based on the defined development methodology. 1
R BAI05 BAI05.01 Establish the desire to change. 1
R BAI05 BAI05.02 Form an effective implementation team. 1
R BAI05 BAI05.03 Communicate desired vision. 1
R BAI05 BAI05.04 Empower role players and identify short-term wins. 1
R BAI05 BAI05.05 Enable operation and use. 1
R BAI05 BAI05.06 Embed new approaches. 1
R BAI05 BAI05.07 Sustain changes. 1
R BAI08 BAI08.03 Use and share knowledge. 1
R Result 74
Total Result 75
I&T Governance Board Objective Practice ID Practice_Name Count - I&T Governance Board
Responsible APO01 APO01.01 Design the management system for enterprise I&T. 1
Responsible APO01 APO01.02 Communicate management objectives, direction and decisions made. 1
Responsible APO01 APO01.03 Implement management processes (to support the achievement of governance and management objectives). 1
Responsible APO01 APO01.04 Define and implement the organizational structures. 1
Responsible APO01 APO01.05 Establish roles and responsibilities. 1
Responsible APO01 APO01.06 Optimize the placement of the IT function. 1
Responsible APO01 APO01.07 Define information (data) and system ownership. 1
Responsible APO01 APO01.08 Define target skills and competencies. 1
Responsible APO01 APO01.09 Define and communicate policies and procedures. 1
Responsible APO01 APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
Responsible APO01 APO01.11 Manage continual improvement of the I&T management system. 1
Responsible APO03 APO03.01 Develop the enterprise architecture vision. 1
Responsible APO03 APO03.02 Define reference architecture. 1
Responsible APO03 APO03.03 Select opportunities and solutions. 1
Responsible APO03 APO03.04 Define architecture implementation. 1
Responsible APO03 APO03.05 Provide enterprise architecture services. 1
Responsible APO08 APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
Responsible APO11 APO11.04 Perform quality monitoring, control and reviews. 1
Responsible BAI01 BAI01.01 Maintain a standard approach for program management. 1
Responsible BAI05 BAI05.01 Establish the desire to change. 1
Responsible BAI05 BAI05.03 Communicate desired vision. 1
Responsible EDM01 EDM01.01 Evaluate the governance system. 1
Responsible EDM01 EDM01.02 Direct the governance system. 1
Responsible EDM01 EDM01.03 Monitor the governance system. 1
Responsible EDM02 EDM02.01 Establish the target investment mix. 1
Responsible EDM02 EDM02.02 Evaluate value optimization. 1
Responsible EDM02 EDM02.03 Direct value optimization. 1
Responsible EDM02 EDM02.04 Monitor value optimization. 1
Responsible EDM03 EDM03.01 Evaluate risk management. 1
Responsible EDM03 EDM03.02 Direct risk management. 1
Responsible EDM03 EDM03.03 Monitor risk management. 1
Responsible EDM04 EDM04.01 Evaluate resource management. 1
Responsible EDM04 EDM04.02 Direct resource management. 1
Responsible EDM04 EDM04.03 Monitor resource management. 1
Responsible MEA01 MEA01.01 Establish a monitoring approach. 1
Responsible MEA02 MEA02.02 Review effectiveness of business process controls. 1
Responsible MEA03 MEA03.02 Optimize response to external requirements. 1
Responsible MEA03 MEA03.03 Confirm external compliance. 1
Responsible Result 38
Accountable APO02 APO02.04 Conduct a gap analysis. 1
Accountable APO02 APO02.05 Define the strategic plan and road map. 1
Accountable APO02 APO02.06 Communicate the I&T strategy and direction. 1
Accountable APO05 APO05.01 Determine the availability and sources of funds. 1
Accountable APO05 APO05.02 Evaluate and select programs to fund. 1
Accountable APO05 APO05.03 Monitor, optimize and report on investment portfolio performance. 1
Accountable APO05 APO05.04 Maintain portfolios. 1
Accountable APO05 APO05.05 Manage benefits achievement. 1
Accountable APO10 APO10.01 Identify and evaluate vendor relationships and contracts. 1
Accountable APO10 APO10.02 Select vendors. 1
Accountable APO10 APO10.03 Manage vendor relationships and contracts. 1
Accountable APO10 APO10.04 Manage vendor risk. 1
Accountable APO10 APO10.05 Monitor vendor performance and compliance. 1
Accountable DSS06 DSS06.01 Align control activities embedded in business processes with enterprise objectives. 1
Accountable DSS06 DSS06.02 Control the processing of information. 1
Accountable DSS06 DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. 1
Accountable Result 16
Total Result 54
Architecture Board Objective Practice ID Practice_Name Count - Architecture Board
Responsible APO01 APO01.09 Define and communicate policies and procedures. 1
Responsible Result 1
Accountable APO03 APO03.01 Develop the enterprise architecture vision. 1
Accountable APO03 APO03.02 Define reference architecture. 1
Accountable APO03 APO03.03 Select opportunities and solutions. 1
Accountable APO03 APO03.04 Define architecture implementation. 1
Accountable APO03 APO03.05 Provide enterprise architecture services. 1
Accountable Result 5
Total Result 6
Enterprise Risk Committee Objective Practice ID Practice_Name Count - Enterprise Risk Committee
Responsible APO01 APO01.06 Optimize the placement of the IT function. 1
Responsible APO01 APO01.07 Define information (data) and system ownership. 1
Responsible APO01 APO01.09 Define and communicate policies and procedures. 1
Responsible APO09 APO09.02 Catalog I&T-enabled services. 1
Responsible APO10 APO10.04 Manage vendor risk. 1
Responsible APO10 APO10.05 Monitor vendor performance and compliance. 1
Responsible APO12 APO12.02 Analyze risk. 1
Responsible APO12 APO12.03 Maintain a risk profile. 1
Responsible APO12 APO12.04 Articulate risk. 1
Responsible APO12 APO12.05 Define a risk management action portfolio. 1
Responsible APO13 APO13.01 Establish and maintain an information security management system (ISMS). 1
Responsible APO13 APO13.02 Define and manage an information security risk treatment plan. 1
Responsible APO14 APO14.08 Manage the life cycle of data assets. 1
Responsible APO14 APO14.09 Support data archiving and retention. 1
Responsible EDM03 EDM03.01 Evaluate risk management. 1
Responsible EDM03 EDM03.02 Direct risk management. 1
Responsible EDM03 EDM03.03 Monitor risk management. 1
Responsible MEA04 MEA04.01 Ensure that assurance providers are independent and qualified. 1
Responsible Result 18
Total Result 18
Chief Information Security Officer Objective Practice ID Practice_Name Count - Chief Information Security Officer
Responsible APO01 APO01.02 Communicate management objectives, direction and decisions made. 1
Responsible APO01 APO01.03 Implement management processes (to support the achievement of governance and management objectives). 1
Responsible APO12 APO12.01 Collect data. 1
Responsible APO12 APO12.06 Respond to risk. 1
Responsible APO14 APO14.01 Define and communicate the organization's data management strategy and roles and responsibilities. 1
Responsible APO14 APO14.02 Define and maintain a consistent business glossary. 1
Responsible APO14 APO14.03 Establish the processes and infrastructure for metadata management. 1
Responsible APO14 APO14.04 Define a data quality strategy. 1
Responsible APO14 APO14.05 Establish data profiling methodologies, processes and tools. 1
Responsible APO14 APO14.06 Ensure a data quality assessment approach. 1
Responsible APO14 APO14.07 Define the data cleansing approach. 1
Responsible APO14 APO14.08 Manage the life cycle of data assets. 1
Responsible APO14 APO14.09 Support data archiving and retention. 1
Responsible APO14 APO14.10 Manage data backup and restore arrangements. 1
Responsible DSS04 DSS04.01 Define the business continuity policy, objectives and scope. 1
Responsible DSS04 DSS04.05 Review, maintain and improve the continuity plans. 1
Responsible DSS04 DSS04.08 Conduct post-resumption review. 1
Responsible DSS06 DSS06.02 Control the processing of information. 1
Responsible DSS06 DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. 1
Responsible DSS06 DSS06.04 Manage errors and exceptions. 1
Responsible DSS06 DSS06.05 Ensure traceability and accountability for information events. 1
Responsible DSS06 DSS06.06 Secure information assets. 1
Responsible EDM03 EDM03.03 Monitor risk management. 1
Responsible Result 23
Accountable APO13 APO13.01 Establish and maintain an information security management system (ISMS). 1
Accountable APO13 APO13.02 Define and manage an information security risk treatment plan. 1
Accountable APO13 APO13.03 Monitor and review the information security management system (ISMS). 1
Accountable DSS05 DSS05.01 Protect against malicious software. 1
Accountable DSS05 DSS05.02 Manage network and connectivity security. 1
Accountable DSS05 DSS05.03 Manage endpoint security. 1
Accountable DSS05 DSS05.04 Manage user identity and logical access. 1
Accountable DSS05 DSS05.05 Manage physical access to I&T assets. 1
Accountable DSS05 DSS05.07 Manage vulnerabilities and monitor the infrastructure for security-related events. 1
Accountable Result 9
Total Result 32
Business Process Owners Objective Practice ID Practice_Name Count - Business Process Owners
Responsible APO01 APO01.07 Define information (data) and system ownership. 1
Responsible APO01 APO01.09 Define and communicate policies and procedures. 1
Responsible APO01 APO01.11 Manage continual improvement of the I&T management system. 1
Responsible APO02 APO02.03 Define target digital capabilities. 1
Responsible APO02 APO02.04 Conduct a gap analysis. 1
Responsible APO02 APO02.05 Define the strategic plan and road map. 1
Responsible APO04 APO04.01 Create an environment conducive to innovation. 1
Responsible APO04 APO04.02 Maintain an understanding of the enterprise environment. 1
Responsible APO04 APO04.03 Monitor and scan the technology environment. 1
Responsible APO04 APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
Responsible APO04 APO04.05 Recommend appropriate further initiatives. 1
Responsible APO04 APO04.06 Monitor the implementation and use of innovation. 1
Responsible APO05 APO05.05 Manage benefits achievement. 1
Responsible APO08 APO08.01 Understand business expectations. 1
Responsible APO08 APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
Responsible APO08 APO08.03 Manage the business relationship. 1
Responsible APO08 APO08.04 Coordinate and communicate. 1
Responsible APO08 APO08.05 Provide input to the continual improvement of services. 1
Responsible APO09 APO09.01 Identify I&T services. 1
Responsible APO09 APO09.04 Monitor and report service levels. 1
Responsible APO11 APO11.02 Focus quality management on customers. 1
Responsible APO11 APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
Responsible APO11 APO11.04 Perform quality monitoring, control and reviews. 1
Responsible APO11 APO11.05 Maintain continuous improvement. 1
Responsible APO12 APO12.01 Collect data. 1
Responsible APO12 APO12.02 Analyze risk. 1
Responsible APO12 APO12.03 Maintain a risk profile. 1
Responsible APO12 APO12.04 Articulate risk. 1
Responsible APO12 APO12.05 Define a risk management action portfolio. 1
Responsible APO12 APO12.06 Respond to risk. 1
Responsible APO13 APO13.03 Monitor and review the information security management system (ISMS). 1
Responsible BAI01 BAI01.02 Initiate a program. 1
Responsible BAI01 BAI01.03 Manage stakeholder engagement. 1
Responsible BAI01 BAI01.05 Launch and execute the program. 1
Responsible BAI01 BAI01.07 Manage program quality. 1
Responsible BAI01 BAI01.08 Manage program risk. 1
Responsible BAI01 BAI01.09 Close a program. 1
Responsible BAI02 BAI02.01 Define and maintain business functional and technical requirements. 1
Responsible BAI02 BAI02.02 Perform a feasibility study and formulate alternative solutions. 1
Responsible BAI02 BAI02.03 Manage requirements risk. 1
Responsible BAI02 BAI02.04 Obtain approval of requirements and solutions. 1
Responsible BAI03 BAI03.01 Design high-level solutions. 1
Responsible BAI03 BAI03.02 Design detailed solution components. 1
Responsible BAI03 BAI03.03 Develop solution components. 1
Responsible BAI03 BAI03.04 Procure solution components. 1
Responsible BAI03 BAI03.05 Build solutions. 1
Responsible BAI03 BAI03.06 Perform quality assurance (QA). 1
Responsible BAI03 BAI03.07 Prepare for solution testing. 1
Responsible BAI03 BAI03.08 Execute solution testing. 1
Responsible BAI03 BAI03.09 Manage changes to requirements. 1
Responsible BAI03 BAI03.10 Maintain solutions. 1
Responsible BAI04 BAI04.01 Assess current availability, performance and capacity and create a baseline. 1
Responsible BAI04 BAI04.02 Assess business impact. 1
Responsible BAI04 BAI04.03 Plan for new or changed service requirements. 1
Responsible BAI04 BAI04.04 Monitor and review availability and capacity. 1
Responsible BAI04 BAI04.05 Investigate and address availability, performance and capacity issues. 1
Responsible BAI05 BAI05.01 Establish the desire to change. 1
Responsible BAI05 BAI05.05 Enable operation and use. 1
Responsible BAI05 BAI05.06 Embed new approaches. 1
Responsible BAI05 BAI05.07 Sustain changes. 1
Responsible BAI06 BAI06.01 Evaluate, prioritize and authorize change requests. 1
Responsible BAI06 BAI06.03 Track and report change status. 1
Responsible BAI06 BAI06.04 Close and document the changes. 1
Responsible BAI07 BAI07.01 Establish an implementation plan. 1
Responsible BAI07 BAI07.02 Plan business process, system and data conversion. 1
Responsible BAI07 BAI07.03 Plan acceptance tests. 1
Responsible BAI07 BAI07.04 Establish a test environment. 1
Responsible BAI07 BAI07.05 Perform acceptance tests. 1
Responsible BAI07 BAI07.06 Promote to production and manage releases. 1
Responsible BAI07 BAI07.07 Provide early production support. 1
Responsible BAI07 BAI07.08 Perform a post-implementation review. 1
Responsible BAI08 BAI08.01 Identify and classify sources of information for governance and management of I&T. 1
Responsible BAI08 BAI08.03 Use and share knowledge. 1
Responsible BAI08 BAI08.04 Evaluate and update or retire information. 1
Responsible BAI11 BAI11.02 Start up and initiate a project. 1
Responsible BAI11 BAI11.07 Monitor and control projects. 1
Responsible BAI11 BAI11.08 Manage project resources and work packages. 1
Responsible DSS02 DSS02.03 Verify, approve and fulfill service requests. 1
Responsible DSS02 DSS02.04 Investigate, diagnose and allocate incidents. 1
Responsible DSS04 DSS04.01 Define the business continuity policy, objectives and scope. 1
Responsible DSS04 DSS04.02 Maintain business resilience. 1
Responsible DSS04 DSS04.03 Develop and implement a business continuity response. 1
Responsible DSS04 DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). 1
Responsible DSS04 DSS04.05 Review, maintain and improve the continuity plans. 1
Responsible DSS04 DSS04.06 Conduct continuity plan training. 1
Responsible DSS04 DSS04.08 Conduct post-resumption review. 1
Responsible DSS05 DSS05.01 Protect against malicious software. 1
Responsible DSS05 DSS05.04 Manage user identity and logical access. 1
Responsible DSS06 DSS06.01 Align control activities embedded in business processes with enterprise objectives. 1
Responsible DSS06 DSS06.02 Control the processing of information. 1
Responsible DSS06 DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. 1
Responsible MEA01 MEA01.02 Set performance and conformance targets. 1
Responsible MEA01 MEA01.03 Collect and process performance and conformance data. 1
Responsible MEA01 MEA01.04 Analyze and report performance. 1
Responsible MEA01 MEA01.05 Ensure the implementation of corrective actions. 1
Responsible MEA02 MEA02.01 Monitor internal controls. 1
Responsible MEA02 MEA02.02 Review effectiveness of business process controls. 1
Responsible MEA02 MEA02.03 Perform control self-assessments. 1
Responsible MEA02 MEA02.04 Identify and report control deficiencies. 1
Responsible MEA03 MEA03.01 Identify external compliance requirements. 1
Responsible MEA03 MEA03.02 Optimize response to external requirements. 1
Responsible MEA03 MEA03.03 Confirm external compliance. 1
Responsible MEA04 MEA04.01 Ensure that assurance providers are independent and qualified. 1
Responsible MEA04 MEA04.02 Develop risk-based planning of assurance initiatives. 1
Responsible MEA04 MEA04.03 Determine the objectives of the assurance initiative. 1
Responsible MEA04 MEA04.04 Define the scope of the assurance initiative. 1
Responsible MEA04 MEA04.05 Define the work program for the assurance initiative. 1
Responsible MEA04 MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
Responsible MEA04 MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
Responsible MEA04 MEA04.08 Report and follow up on the assurance initiative. 1
Responsible MEA04 MEA04.09 Follow up on recommendations and actions. 1
Responsible Result 111
Accountable DSS06 DSS06.04 Manage errors and exceptions. 1
Accountable DSS06 DSS06.05 Ensure traceability and accountability for information events. 1
Accountable DSS06 DSS06.06 Secure information assets. 1
Accountable Result 3
Total Result 114
Portfolio Manager Objective Practice ID Practice_Name Count - Portfolio Manager
Responsible APO05 APO05.01 Determine the availability and sources of funds. 1
Responsible APO05 APO05.02 Evaluate and select programs to fund. 1
Responsible APO05 APO05.03 Monitor, optimize and report on investment portfolio performance. 1
Responsible APO05 APO05.04 Maintain portfolios. 1
Responsible APO05 APO05.05 Manage benefits achievement. 1
Responsible APO06 APO06.01 Manage finance and accounting. 1
Responsible APO06 APO06.02 Prioritize resource allocation. 1
Responsible APO11 APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
Responsible APO11 APO11.05 Maintain continuous improvement. 1
Responsible BAI03 BAI03.12 Design solutions based on the defined development methodology. 1
Responsible BAI08 BAI08.03 Use and share knowledge. 1
Responsible EDM02 EDM02.04 Monitor value optimization. 1
Responsible Result 12
Total Result 12
Steering Programs/Projects Committee Objective Practice ID Practice_Name Count - Steering Programs/Projects Committee
Accountable BAI01 BAI01.02 Initiate a program. 1
Accountable BAI01 BAI01.03 Manage stakeholder engagement. 1
Accountable BAI01 BAI01.04 Develop and maintain the program plan. 1
Accountable BAI01 BAI01.05 Launch and execute the program. 1
Accountable BAI01 BAI01.06 Monitor, control and report on the program outcomes. 1
Accountable BAI01 BAI01.07 Manage program quality. 1
Accountable BAI01 BAI01.08 Manage program risk. 1
Accountable BAI01 BAI01.09 Close a program. 1
Accountable BAI02 BAI02.01 Define and maintain business functional and technical requirements. 1
Accountable BAI02 BAI02.02 Perform a feasibility study and formulate alternative solutions. 1
Accountable BAI02 BAI02.03 Manage requirements risk. 1
Accountable BAI02 BAI02.04 Obtain approval of requirements and solutions. 1
Accountable BAI03 BAI03.01 Design high-level solutions. 1
Accountable BAI03 BAI03.02 Design detailed solution components. 1
Accountable BAI03 BAI03.03 Develop solution components. 1
Accountable BAI03 BAI03.04 Procure solution components. 1
Accountable BAI03 BAI03.05 Build solutions. 1
Accountable BAI03 BAI03.06 Perform quality assurance (QA). 1
Accountable BAI03 BAI03.07 Prepare for solution testing. 1
Accountable BAI03 BAI03.08 Execute solution testing. 1
Accountable BAI03 BAI03.09 Manage changes to requirements. 1
Accountable BAI11 BAI11.02 Start up and initiate a project. 1
Accountable BAI11 BAI11.03 Manage stakeholder engagement. 1
Accountable BAI11 BAI11.04 Develop and maintain the project plan. 1
Accountable BAI11 BAI11.05 Manage project quality. 1
Accountable BAI11 BAI11.06 Manage project risk. 1
Accountable BAI11 BAI11.07 Monitor and control projects. 1
Accountable BAI11 BAI11.08 Manage project resources and work packages. 1
Accountable BAI11 BAI11.09 Close a project or iteration. 1
Accountable Result 29
Total Result 29
Program Manager Objective Practice ID Practice_Name Count - Program Manager
Responsible APO05 APO05.02 Evaluate and select programs to fund. 1
Responsible APO05 APO05.03 Monitor, optimize and report on investment portfolio performance. 1
Responsible APO05 APO05.04 Maintain portfolios. 1
Responsible APO05 APO05.05 Manage benefits achievement. 1
Responsible APO11 APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
Responsible APO11 APO11.05 Maintain continuous improvement. 1
Responsible BAI01 BAI01.01 Maintain a standard approach for program management. 1
Responsible BAI01 BAI01.02 Initiate a program. 1
Responsible BAI01 BAI01.03 Manage stakeholder engagement. 1
Responsible BAI01 BAI01.04 Develop and maintain the program plan. 1
Responsible BAI01 BAI01.05 Launch and execute the program. 1
Responsible BAI01 BAI01.06 Monitor, control and report on the program outcomes. 1
Responsible BAI01 BAI01.07 Manage program quality. 1
Responsible BAI01 BAI01.08 Manage program risk. 1
Responsible BAI01 BAI01.09 Close a program. 1
Responsible BAI02 BAI02.01 Define and maintain business functional and technical requirements. 1
Responsible BAI02 BAI02.02 Perform a feasibility study and formulate alternative solutions. 1
Responsible BAI02 BAI02.03 Manage requirements risk. 1
Responsible BAI02 BAI02.04 Obtain approval of requirements and solutions. 1
Responsible BAI03 BAI03.01 Design high-level solutions. 1
Responsible BAI03 BAI03.02 Design detailed solution components. 1
Responsible BAI03 BAI03.03 Develop solution components. 1
Responsible BAI03 BAI03.05 Build solutions. 1
Responsible BAI03 BAI03.06 Perform quality assurance (QA). 1
Responsible BAI03 BAI03.09 Manage changes to requirements. 1
Responsible BAI03 BAI03.10 Maintain solutions. 1
Responsible BAI03 BAI03.12 Design solutions based on the defined development methodology. 1
Responsible BAI05 BAI05.01 Establish the desire to change. 1
Responsible BAI05 BAI05.02 Form an effective implementation team. 1
Responsible BAI05 BAI05.03 Communicate desired vision. 1
Responsible BAI05 BAI05.04 Empower role players and identify short-term wins. 1
Responsible BAI05 BAI05.07 Sustain changes. 1
Responsible BAI06 BAI06.03 Track and report change status. 1
Responsible BAI06 BAI06.04 Close and document the changes. 1
Responsible BAI08 BAI08.03 Use and share knowledge. 1
Responsible BAI08 BAI08.04 Evaluate and update or retire information. 1
Responsible BAI11 BAI11.01 Maintain a standard approach for project management. 1
Responsible BAI11 BAI11.02 Start up and initiate a project. 1
Responsible Result 38
Total Result 38
Project Manager Objective Practice ID Practice_Name Count - Project Manager
Responsible APO11 APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
Responsible APO11 APO11.05 Maintain continuous improvement. 1
Responsible BAI02 BAI02.01 Define and maintain business functional and technical requirements. 1
Responsible BAI02 BAI02.02 Perform a feasibility study and formulate alternative solutions. 1
Responsible BAI02 BAI02.03 Manage requirements risk. 1
Responsible BAI02 BAI02.04 Obtain approval of requirements and solutions. 1
Responsible BAI03 BAI03.01 Design high-level solutions. 1
Responsible BAI03 BAI03.02 Design detailed solution components. 1
Responsible BAI03 BAI03.03 Develop solution components. 1
Responsible BAI03 BAI03.05 Build solutions. 1
Responsible BAI03 BAI03.06 Perform quality assurance (QA). 1
Responsible BAI03 BAI03.09 Manage changes to requirements. 1
Responsible BAI03 BAI03.10 Maintain solutions. 1
Responsible BAI03 BAI03.12 Design solutions based on the defined development methodology. 1
Responsible BAI05 BAI05.01 Establish the desire to change. 1
Responsible BAI05 BAI05.02 Form an effective implementation team. 1
Responsible BAI05 BAI05.03 Communicate desired vision. 1
Responsible BAI05 BAI05.04 Empower role players and identify short-term wins. 1
Responsible BAI05 BAI05.07 Sustain changes. 1
Responsible BAI06 BAI06.03 Track and report change status. 1
Responsible BAI06 BAI06.04 Close and document the changes. 1
Responsible BAI08 BAI08.03 Use and share knowledge. 1
Responsible BAI08 BAI08.04 Evaluate and update or retire information. 1
Responsible BAI11 BAI11.01 Maintain a standard approach for project management. 1
Responsible BAI11 BAI11.02 Start up and initiate a project. 1
Responsible BAI11 BAI11.03 Manage stakeholder engagement. 1
Responsible BAI11 BAI11.04 Develop and maintain the project plan. 1
Responsible BAI11 BAI11.05 Manage project quality. 1
Responsible BAI11 BAI11.06 Manage project risk. 1
Responsible BAI11 BAI11.07 Monitor and control projects. 1
Responsible BAI11 BAI11.08 Manage project resources and work packages. 1
Responsible BAI11 BAI11.09 Close a project or iteration. 1
Responsible Result 32
Total Result 32
Project Management Office Objective Practice ID Practice_Name Count - Project Management Office
Responsible APO02 APO02.05 Define the strategic plan and road map. 1
Responsible APO05 APO05.04 Maintain portfolios. 1
Responsible APO07 APO07.01 Acquire and maintain adequate and appropriate staffing. 1
Responsible APO07 APO07.02 Identify key IT personnel. 1
Responsible APO07 APO07.03 Maintain the skills and competencies of personnel. 1
Responsible APO07 APO07.04 Assess and recognize/reward employee job performance. 1
Responsible APO07 APO07.05 Plan and track the usage of IT and business human resources. 1
Responsible APO07 APO07.06 Manage contract staff. 1
Responsible APO11 APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
Responsible APO11 APO11.05 Maintain continuous improvement. 1
Responsible APO12 APO12.01 Collect data. 1
Responsible APO12 APO12.06 Respond to risk. 1
Responsible APO13 APO13.03 Monitor and review the information security management system (ISMS). 1
Responsible BAI01 BAI01.02 Initiate a program. 1
Responsible BAI01 BAI01.03 Manage stakeholder engagement. 1
Responsible BAI01 BAI01.04 Develop and maintain the program plan. 1
Responsible BAI01 BAI01.05 Launch and execute the program. 1
Responsible BAI01 BAI01.06 Monitor, control and report on the program outcomes. 1
Responsible BAI01 BAI01.07 Manage program quality. 1
Responsible BAI01 BAI01.08 Manage program risk. 1
Responsible BAI01 BAI01.09 Close a program. 1
Responsible BAI02 BAI02.01 Define and maintain business functional and technical requirements. 1
Responsible BAI02 BAI02.02 Perform a feasibility study and formulate alternative solutions. 1
Responsible BAI02 BAI02.03 Manage requirements risk. 1
Responsible BAI02 BAI02.04 Obtain approval of requirements and solutions. 1
Responsible BAI03 BAI03.01 Design high-level solutions. 1
Responsible BAI03 BAI03.02 Design detailed solution components. 1
Responsible BAI03 BAI03.03 Develop solution components. 1
Responsible BAI03 BAI03.05 Build solutions. 1
Responsible BAI03 BAI03.06 Perform quality assurance (QA). 1
Responsible BAI03 BAI03.09 Manage changes to requirements. 1
Responsible BAI03 BAI03.10 Maintain solutions. 1
Responsible BAI05 BAI05.02 Form an effective implementation team. 1
Responsible BAI05 BAI05.05 Enable operation and use. 1
Responsible BAI05 BAI05.06 Embed new approaches. 1
Responsible BAI05 BAI05.07 Sustain changes. 1
Responsible BAI11 BAI11.02 Start up and initiate a project. 1
Responsible BAI11 BAI11.04 Develop and maintain the project plan. 1
Responsible BAI11 BAI11.07 Monitor and control projects. 1
Responsible BAI11 BAI11.08 Manage project resources and work packages. 1
Responsible BAI11 BAI11.09 Close a project or iteration. 1
Responsible MEA02 MEA02.01 Monitor internal controls. 1
Responsible MEA02 MEA02.03 Perform control self-assessments. 1
Responsible MEA02 MEA02.04 Identify and report control deficiencies. 1
Responsible MEA03 MEA03.02 Optimize response to external requirements. 1
Responsible Result 45
Total Result 45
Data Mgmt Function Objective Practice ID Practice_Name Count - Data Mgmt Function
Responsible APO01 APO01.07 Define information (data) and system ownership. 1
Responsible APO01 APO01.09 Define and communicate policies and procedures. 1
Responsible APO01 APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
Responsible APO01 APO01.11 Manage continual improvement of the I&T management system. 1
Responsible APO02 APO02.01 Understand enterprise context and direction. 1
Responsible APO02 APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
Responsible APO02 APO02.03 Define target digital capabilities. 1
Responsible APO02 APO02.04 Conduct a gap analysis. 1
Responsible APO02 APO02.05 Define the strategic plan and road map. 1
Responsible APO03 APO03.01 Develop the enterprise architecture vision. 1
Responsible APO03 APO03.02 Define reference architecture. 1
Responsible APO03 APO03.03 Select opportunities and solutions. 1
Responsible APO03 APO03.04 Define architecture implementation. 1
Responsible APO04 APO04.01 Create an environment conducive to innovation. 1
Responsible APO04 APO04.02 Maintain an understanding of the enterprise environment. 1
Responsible APO04 APO04.03 Monitor and scan the technology environment. 1
Responsible APO04 APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
Responsible APO04 APO04.05 Recommend appropriate further initiatives. 1
Responsible APO04 APO04.06 Monitor the implementation and use of innovation. 1
Responsible APO11 APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
Responsible APO12 APO12.01 Collect data. 1
Responsible APO14 APO14.01 Define and communicate the organization's data management strategy and roles and responsibilities. 1
Responsible APO14 APO14.02 Define and maintain a consistent business glossary. 1
Responsible APO14 APO14.03 Establish the processes and infrastructure for metadata management. 1
Responsible APO14 APO14.04 Define a data quality strategy. 1
Responsible APO14 APO14.05 Establish data profiling methodologies, processes and tools. 1
Responsible APO14 APO14.06 Ensure a data quality assessment approach. 1
Responsible APO14 APO14.07 Define the data cleansing approach. 1
Responsible APO14 APO14.08 Manage the life cycle of data assets. 1
Responsible APO14 APO14.09 Support data archiving and retention. 1
Responsible APO14 APO14.10 Manage data backup and restore arrangements. 1
Responsible BAI07 BAI07.02 Plan business process, system and data conversion. 1
Responsible BAI08 BAI08.01 Identify and classify sources of information for governance and management of I&T. 1
Responsible BAI08 BAI08.02 Organize and contextualize information into knowledge. 1
Responsible BAI08 BAI08.03 Use and share knowledge. 1
Responsible BAI08 BAI08.04 Evaluate and update or retire information. 1
Responsible DSS04 DSS04.07 Manage backup arrangements. 1
Responsible DSS06 DSS06.02 Control the processing of information. 1
Responsible MEA04 MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
Responsible MEA04 MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
Responsible Result 40
Total Result 40
Head Human Resources Objective Practice ID Practice_Name Count - Head Human Resources
Responsible APO01 APO01.04 Define and implement the organizational structures. 1
Responsible APO01 APO01.09 Define and communicate policies and procedures. 1
Responsible APO04 APO04.01 Create an environment conducive to innovation. 1
Responsible APO07 APO07.01 Acquire and maintain adequate and appropriate staffing. 1
Responsible APO07 APO07.02 Identify key IT personnel. 1
Responsible APO07 APO07.03 Maintain the skills and competencies of personnel. 1
Responsible APO07 APO07.04 Assess and recognize/reward employee job performance. 1
Responsible APO07 APO07.05 Plan and track the usage of IT and business human resources. 1
Responsible APO07 APO07.06 Manage contract staff. 1
Responsible BAI05 BAI05.01 Establish the desire to change. 1
Responsible BAI05 BAI05.04 Empower role players and identify short-term wins. 1
Responsible DSS05 DSS05.01 Protect against malicious software. 1
Responsible Result 12
Total Result 12
Relationship Manager Objective Practice ID Practice_Name Count - Relationship Manager
Responsible APO01 APO01.02 Communicate management objectives, direction and decisions made. 1
Responsible APO02 APO02.01 Understand enterprise context and direction. 1
Responsible APO02 APO02.03 Define target digital capabilities. 1
Responsible APO04 APO04.02 Maintain an understanding of the enterprise environment. 1
Responsible APO08 APO08.01 Understand business expectations. 1
Responsible APO08 APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
Responsible APO08 APO08.03 Manage the business relationship. 1
Responsible APO08 APO08.04 Coordinate and communicate. 1
Responsible APO08 APO08.05 Provide input to the continual improvement of services. 1
Responsible BAI02 BAI02.01 Define and maintain business functional and technical requirements. 1
Responsible BAI03 BAI03.01 Design high-level solutions. 1
Responsible MEA01 MEA01.02 Set performance and conformance targets. 1
Responsible MEA01 MEA01.03 Collect and process performance and conformance data. 1
Responsible MEA01 MEA01.04 Analyze and report performance. 1
Responsible MEA01 MEA01.05 Ensure the implementation of corrective actions. 1
Responsible Result 15
Total Result 15
Head Architect Objective

Responsible APO01

APO02

APO03

APO04

APO07

APO08
APO11

APO12

APO13
BAI01
BAI02
BAI03
BAI04
BAI08
BAI09

BAI10
DSS04
Responsible Result
Total Result
Practice ID Practice_Name Count - Head Architect
APO01.07 Define information (data) and system ownership. 1
APO01.08 Define target skills and competencies. 1
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO03.01 Develop the enterprise architecture vision. 1
APO03.02 Define reference architecture. 1
APO03.03 Select opportunities and solutions. 1
APO03.04 Define architecture implementation. 1
APO03.05 Provide enterprise architecture services. 1
APO04.01 Create an environment conducive to innovation. 1
APO04.02 Maintain an understanding of the enterprise environment. 1
APO04.03 Monitor and scan the technology environment. 1
APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
APO04.05 Recommend appropriate further initiatives. 1
APO04.06 Monitor the implementation and use of innovation. 1
APO07.01 Acquire and maintain adequate and appropriate staffing. 1
APO07.02 Identify key IT personnel. 1
APO07.03 Maintain the skills and competencies of personnel. 1
APO07.04 Assess and recognize/reward employee job performance. 1
APO07.05 Plan and track the usage of IT and business human resources. 1
APO07.06 Manage contract staff. 1
APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
APO11.05 Maintain continuous improvement. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI01.05 Launch and execute the program. 1
BAI02.01 Define and maintain business functional and technical requirements. 1
BAI03.09 Manage changes to requirements. 1
BAI04.05 Investigate and address availability, performance and capacity issues. 1
BAI08.04 Evaluate and update or retire information. 1
BAI09.02 Manage critical assets. 1
BAI09.04 Optimize asset value. 1
BAI10.05 Verify and review integrity of the configuration repository. 1
DSS04.02 Maintain business resilience. 1
42
42
Head Development Objective

Responsible APO01

APO02

APO04

APO07

APO08

APO10

APO11

APO12

APO13
BAI01
BAI02

BAI03

BAI05

BAI06

BAI07

BAI08

BAI09

BAI10

BAI11

DSS02
DSS03
DSS04
DSS05

MEA01

MEA02

MEA03
Responsible Result
Total Result
Practice ID Practice_Name Count - Head Development
APO01.08 Define target skills and competencies. 1
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO04.01 Create an environment conducive to innovation. 1
APO04.02 Maintain an understanding of the enterprise environment. 1
APO04.03 Monitor and scan the technology environment. 1
APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
APO04.05 Recommend appropriate further initiatives. 1
APO04.06 Monitor the implementation and use of innovation. 1
APO07.01 Acquire and maintain adequate and appropriate staffing. 1
APO07.02 Identify key IT personnel. 1
APO07.03 Maintain the skills and competencies of personnel. 1
APO07.04 Assess and recognize/reward employee job performance. 1
APO07.05 Plan and track the usage of IT and business human resources. 1
APO07.06 Manage contract staff. 1
APO08.01 Understand business expectations. 1
APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
APO08.03 Manage the business relationship. 1
APO08.04 Coordinate and communicate. 1
APO08.05 Provide input to the continual improvement of services. 1
APO10.02 Select vendors. 1
APO10.03 Manage vendor relationships and contracts. 1
APO10.04 Manage vendor risk. 1
APO10.05 Monitor vendor performance and compliance. 1
APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
APO11.05 Maintain continuous improvement. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI01.05 Launch and execute the program. 1
BAI01.07 Manage program quality. 1
BAI01.08 Manage program risk. 1
BAI02.01 Define and maintain business functional and technical requirements. 1
BAI02.02 Perform a feasibility study and formulate alternative solutions. 1
BAI02.03 Manage requirements risk. 1
BAI03.01 Design high-level solutions. 1
BAI03.02 Design detailed solution components. 1
BAI03.03 Develop solution components. 1
BAI03.04 Procure solution components. 1
BAI03.05 Build solutions. 1
BAI03.06 Perform quality assurance (QA). 1
BAI03.07 Prepare for solution testing. 1
BAI03.08 Execute solution testing. 1
BAI03.09 Manage changes to requirements. 1
BAI03.10 Maintain solutions. 1
BAI05.02 Form an effective implementation team. 1
BAI05.05 Enable operation and use. 1
BAI05.06 Embed new approaches. 1
BAI05.07 Sustain changes. 1
BAI06.01 Evaluate, prioritize and authorize change requests. 1
BAI06.02 Manage emergency changes. 1
BAI06.03 Track and report change status. 1
BAI06.04 Close and document the changes. 1
BAI07.01 Establish an implementation plan. 1
BAI07.02 Plan business process, system and data conversion. 1
BAI07.03 Plan acceptance tests. 1
BAI07.04 Establish a test environment. 1
BAI07.05 Perform acceptance tests. 1
BAI07.06 Promote to production and manage releases. 1
BAI07.07 Provide early production support. 1
BAI07.08 Perform a post-implementation review. 1
BAI08.01 Identify and classify sources of information for governance and management of I&T. 1
BAI08.02 Organize and contextualize information into knowledge. 1
BAI08.04 Evaluate and update or retire information. 1
BAI09.02 Manage critical assets. 1
BAI09.04 Optimize asset value. 1
BAI09.05 Manage licenses. 1
BAI10.02 Establish and maintain a configuration repository and baseline. 1
BAI10.03 Maintain and control configuration items. 1
BAI10.05 Verify and review integrity of the configuration repository. 1
BAI11.02 Start up and initiate a project. 1
BAI11.07 Monitor and control projects. 1
BAI11.08 Manage project resources and work packages. 1
DSS02.01 Define classification schemes for incidents and service requests. 1
DSS02.03 Verify, approve and fulfill service requests. 1
DSS02.05 Resolve and recover from incidents. 1
DSS03.01 Identify and classify problems. 1
DSS04.06 Conduct continuity plan training. 1
DSS05.01 Protect against malicious software. 1
DSS05.02 Manage network and connectivity security. 1
DSS05.03 Manage endpoint security. 1
MEA01.02 Set performance and conformance targets. 1
MEA01.03 Collect and process performance and conformance data. 1
MEA01.04 Analyze and report performance. 1
MEA01.05 Ensure the implementation of corrective actions. 1
MEA02.01 Monitor internal controls. 1
MEA02.03 Perform control self-assessments. 1
MEA02.04 Identify and report control deficiencies. 1
MEA03.02 Optimize response to external requirements. 1
95
95
Head IT operations Objective

Responsible APO01

APO02

APO04

APO07

APO08

APO09

APO10

APO11

APO12
APO13
BAI01
BAI02
BAI03

BAI04

BAI05

BAI06

BAI07

BAI08

BAI09

BAI10

DSS01

DSS02
DSS03

DSS04

DSS05

MEA01

MEA02

MEA03
MEA04

Responsible Result
Total Result
Practice ID Practice_Name Count - Head IT operations
APO01.08 Define target skills and competencies. 1
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO04.01 Create an environment conducive to innovation. 1
APO04.02 Maintain an understanding of the enterprise environment. 1
APO04.03 Monitor and scan the technology environment. 1
APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
APO04.05 Recommend appropriate further initiatives. 1
APO04.06 Monitor the implementation and use of innovation. 1
APO07.01 Acquire and maintain adequate and appropriate staffing. 1
APO07.02 Identify key IT personnel. 1
APO07.03 Maintain the skills and competencies of personnel. 1
APO07.04 Assess and recognize/reward employee job performance. 1
APO07.05 Plan and track the usage of IT and business human resources. 1
APO07.06 Manage contract staff. 1
APO08.01 Understand business expectations. 1
APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
APO08.03 Manage the business relationship. 1
APO08.04 Coordinate and communicate. 1
APO08.05 Provide input to the continual improvement of services. 1
APO09.03 Define and prepare service agreements. 1
APO09.05 Review service agreements and contracts. 1
APO10.02 Select vendors. 1
APO10.03 Manage vendor relationships and contracts. 1
APO10.04 Manage vendor risk. 1
APO10.05 Monitor vendor performance and compliance. 1
APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
APO11.05 Maintain continuous improvement. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI01.05 Launch and execute the program. 1
BAI02.03 Manage requirements risk. 1
BAI03.04 Procure solution components. 1
BAI03.07 Prepare for solution testing. 1
BAI03.08 Execute solution testing. 1
BAI04.01 Assess current availability, performance and capacity and create a baseline. 1
BAI04.02 Assess business impact. 1
BAI04.03 Plan for new or changed service requirements. 1
BAI04.04 Monitor and review availability and capacity. 1
BAI04.05 Investigate and address availability, performance and capacity issues. 1
BAI05.05 Enable operation and use. 1
BAI05.06 Embed new approaches. 1
BAI05.07 Sustain changes. 1
BAI06.01 Evaluate, prioritize and authorize change requests. 1
BAI06.02 Manage emergency changes. 1
BAI06.03 Track and report change status. 1
BAI06.04 Close and document the changes. 1
BAI07.03 Plan acceptance tests. 1
BAI07.04 Establish a test environment. 1
BAI07.05 Perform acceptance tests. 1
BAI07.06 Promote to production and manage releases. 1
BAI07.07 Provide early production support. 1
BAI07.08 Perform a post-implementation review. 1
BAI08.01 Identify and classify sources of information for governance and management of I&T. 1
BAI08.02 Organize and contextualize information into knowledge. 1
BAI08.04 Evaluate and update or retire information. 1
BAI09.01 Identify and record current assets. 1
BAI09.02 Manage critical assets. 1
BAI09.03 Manage the asset life cycle. 1
BAI09.04 Optimize asset value. 1
BAI09.05 Manage licenses. 1
BAI10.01 Establish and maintain a configuration model. 1
BAI10.02 Establish and maintain a configuration repository and baseline. 1
BAI10.03 Maintain and control configuration items. 1
BAI10.04 Produce status and configuration reports. 1
BAI10.05 Verify and review integrity of the configuration repository. 1
DSS01.01 Perform operational procedures. 1
DSS01.02 Manage outsourced I&T services. 1
DSS01.03 Monitor I&T infrastructure. 1
DSS01.04 Manage the environment. 1
DSS01.05 Manage facilities. 1
DSS02.01 Define classification schemes for incidents and service requests. 1
DSS02.02 Record, classify and prioritize requests and incidents. 1
DSS02.03 Verify, approve and fulfill service requests. 1
DSS02.04 Investigate, diagnose and allocate incidents. 1
DSS02.05 Resolve and recover from incidents. 1
DSS02.06 Close service requests and incidents. 1
DSS02.07 Track status and produce reports. 1
DSS03.01 Identify and classify problems. 1
DSS03.02 Investigate and diagnose problems. 1
DSS03.03 Raise known errors. 1
DSS03.04 Resolve and close problems. 1
DSS03.05 Perform proactive problem management. 1
DSS04.01 Define the business continuity policy, objectives and scope. 1
DSS04.02 Maintain business resilience. 1
DSS04.03 Develop and implement a business continuity response. 1
DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). 1
DSS04.05 Review, maintain and improve the continuity plans. 1
DSS04.06 Conduct continuity plan training. 1
DSS04.07 Manage backup arrangements. 1
DSS04.08 Conduct post-resumption review. 1
DSS05.01 Protect against malicious software. 1
DSS05.02 Manage network and connectivity security. 1
DSS05.03 Manage endpoint security. 1
DSS05.04 Manage user identity and logical access. 1
DSS05.05 Manage physical access to I&T assets. 1
DSS05.06 Manage sensitive documents and output devices. 1
DSS05.07 Manage vulnerabilities and monitor the infrastructure for security-related events. 1
MEA01.02 Set performance and conformance targets. 1
MEA01.03 Collect and process performance and conformance data. 1
MEA01.04 Analyze and report performance. 1
MEA01.05 Ensure the implementation of corrective actions. 1
MEA02.01 Monitor internal controls. 1
MEA02.03 Perform control self-assessments. 1
MEA02.04 Identify and report control deficiencies. 1
MEA03.02 Optimize response to external requirements. 1
MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
MEA04.09 Follow up on recommendations and actions. 1
116
116
Head IT administration Objective

Responsible APO01

APO02

APO06

APO07

APO09

APO10

APO11

APO12

APO13

BAI03
BAI08

BAI09

BAI10

MEA02

MEA03
Responsible Result
Total Result
Practice ID Practice_Name Count - Head IT administration
APO01.08 Define target skills and competencies. 1
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO06.01 Manage finance and accounting. 1
APO06.02 Prioritize resource allocation. 1
APO06.03 Create and maintain budgets. 1
APO06.04 Model and allocate costs. 1
APO06.05 Manage costs. 1
APO07.01 Acquire and maintain adequate and appropriate staffing. 1
APO07.02 Identify key IT personnel. 1
APO07.03 Maintain the skills and competencies of personnel. 1
APO07.04 Assess and recognize/reward employee job performance. 1
APO07.05 Plan and track the usage of IT and business human resources. 1
APO07.06 Manage contract staff. 1
APO09.03 Define and prepare service agreements. 1
APO09.05 Review service agreements and contracts. 1
APO10.01 Identify and evaluate vendor relationships and contracts. 1
APO10.02 Select vendors. 1
APO10.03 Manage vendor relationships and contracts. 1
APO10.04 Manage vendor risk. 1
APO10.05 Monitor vendor performance and compliance. 1
APO11.01 Establish a quality management system (QMS). 1
APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
APO11.05 Maintain continuous improvement. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.01 Establish and maintain an information security management system (ISMS). 1
APO13.02 Define and manage an information security risk treatment plan. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI03.04 Procure solution components. 1
BAI08.02 Organize and contextualize information into knowledge. 1
BAI08.03 Use and share knowledge. 1
BAI08.04 Evaluate and update or retire information. 1
BAI09.01 Identify and record current assets. 1
BAI09.02 Manage critical assets. 1
BAI09.03 Manage the asset life cycle. 1
BAI09.04 Optimize asset value. 1
BAI09.05 Manage licenses. 1
BAI10.01 Establish and maintain a configuration model. 1
BAI10.02 Establish and maintain a configuration repository and baseline. 1
BAI10.03 Maintain and control configuration items. 1
BAI10.04 Produce status and configuration reports. 1
MEA02.01 Monitor internal controls. 1
MEA02.03 Perform control self-assessments. 1
MEA02.04 Identify and report control deficiencies. 1
MEA03.02 Optimize response to external requirements. 1
52
52
Service Manager Objective

Responsible APO01

APO02

APO04

APO07

APO08

APO09

APO10

APO11
APO12

APO13
BAI03

BAI04

BAI05

BAI06

BAI07

BAI08

BAI09

BAI10

DSS02

DSS03

DSS04
DSS06
MEA01

MEA02

MEA03
MEA04

Responsible Result
Total Result
Practice ID Practice_Name Count - Service Manager
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO04.01 Create an environment conducive to innovation. 1
APO04.02 Maintain an understanding of the enterprise environment. 1
APO04.03 Monitor and scan the technology environment. 1
APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
APO04.05 Recommend appropriate further initiatives. 1
APO04.06 Monitor the implementation and use of innovation. 1
APO07.01 Acquire and maintain adequate and appropriate staffing. 1
APO07.02 Identify key IT personnel. 1
APO07.03 Maintain the skills and competencies of personnel. 1
APO07.04 Assess and recognize/reward employee job performance. 1
APO07.05 Plan and track the usage of IT and business human resources. 1
APO07.06 Manage contract staff. 1
APO08.01 Understand business expectations. 1
APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. 1
APO08.03 Manage the business relationship. 1
APO08.04 Coordinate and communicate. 1
APO08.05 Provide input to the continual improvement of services. 1
APO09.01 Identify I&T services. 1
APO09.02 Catalog I&T-enabled services. 1
APO09.03 Define and prepare service agreements. 1
APO09.04 Monitor and report service levels. 1
APO09.05 Review service agreements and contracts. 1
APO10.02 Select vendors. 1
APO10.03 Manage vendor relationships and contracts. 1
APO10.04 Manage vendor risk. 1
APO10.05 Monitor vendor performance and compliance. 1
APO11.01 Establish a quality management system (QMS). 1
APO11.02 Focus quality management on customers. 1
APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
APO11.04 Perform quality monitoring, control and reviews. 1
APO11.05 Maintain continuous improvement. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI03.07 Prepare for solution testing. 1
BAI03.11 Define IT products and services and maintain the service portfolio. 1
BAI04.01 Assess current availability, performance and capacity and create a baseline. 1
BAI04.02 Assess business impact. 1
BAI04.03 Plan for new or changed service requirements. 1
BAI04.04 Monitor and review availability and capacity. 1
BAI04.05 Investigate and address availability, performance and capacity issues. 1
BAI05.05 Enable operation and use. 1
BAI05.06 Embed new approaches. 1
BAI05.07 Sustain changes. 1
BAI06.01 Evaluate, prioritize and authorize change requests. 1
BAI06.02 Manage emergency changes. 1
BAI06.03 Track and report change status. 1
BAI06.04 Close and document the changes. 1
BAI07.01 Establish an implementation plan. 1
BAI07.02 Plan business process, system and data conversion. 1
BAI07.06 Promote to production and manage releases. 1
BAI07.07 Provide early production support. 1
BAI07.08 Perform a post-implementation review. 1
BAI08.01 Identify and classify sources of information for governance and management of I&T. 1
BAI08.04 Evaluate and update or retire information. 1
BAI09.03 Manage the asset life cycle. 1
BAI09.04 Optimize asset value. 1
BAI10.01 Establish and maintain a configuration model. 1
BAI10.02 Establish and maintain a configuration repository and baseline. 1
BAI10.05 Verify and review integrity of the configuration repository. 1
DSS02.01 Define classification schemes for incidents and service requests. 1
DSS02.02 Record, classify and prioritize requests and incidents. 1
DSS02.03 Verify, approve and fulfill service requests. 1
DSS02.04 Investigate, diagnose and allocate incidents. 1
DSS02.05 Resolve and recover from incidents. 1
DSS02.06 Close service requests and incidents. 1
DSS02.07 Track status and produce reports. 1
DSS03.01 Identify and classify problems. 1
DSS03.02 Investigate and diagnose problems. 1
DSS03.03 Raise known errors. 1
DSS03.04 Resolve and close problems. 1
DSS03.05 Perform proactive problem management. 1
DSS04.01 Define the business continuity policy, objectives and scope. 1
DSS06.04 Manage errors and exceptions. 1
MEA01.02 Set performance and conformance targets. 1
MEA01.03 Collect and process performance and conformance data. 1
MEA01.04 Analyze and report performance. 1
MEA01.05 Ensure the implementation of corrective actions. 1
MEA02.01 Monitor internal controls. 1
MEA02.03 Perform control self-assessments. 1
MEA02.04 Identify and report control deficiencies. 1
MEA03.02 Optimize response to external requirements. 1
MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
92
92
Information Security Manager Objective

Responsible APO01

APO02

APO04

APO07

APO08
APO09
APO10

APO11

APO12

APO13

BAI02

BAI03
BAI05

BAI06

BAI07

BAI08
BAI09
BAI10
BAI11

DSS01

DSS02

DSS03

DSS04

DSS05

DSS06
MEA02

MEA03
MEA04
Responsible Result
Total Result
Practice ID Practice_Name Count - Information Security Manager
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO04.01 Create an environment conducive to innovation. 1
APO04.02 Maintain an understanding of the enterprise environment. 1
APO04.03 Monitor and scan the technology environment. 1
APO04.04 Assess the potential of emerging technologies and innovative ideas. 1
APO04.05 Recommend appropriate further initiatives. 1
APO04.06 Monitor the implementation and use of innovation. 1
APO07.01 Acquire and maintain adequate and appropriate staffing. 1
APO07.02 Identify key IT personnel. 1
APO07.03 Maintain the skills and competencies of personnel. 1
APO07.04 Assess and recognize/reward employee job performance. 1
APO07.05 Plan and track the usage of IT and business human resources. 1
APO07.06 Manage contract staff. 1
APO08.01 Understand business expectations. 1
APO09.03 Define and prepare service agreements. 1
APO10.02 Select vendors. 1
APO10.04 Manage vendor risk. 1
APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
APO11.05 Maintain continuous improvement. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.01 Establish and maintain an information security management system (ISMS). 1
APO13.02 Define and manage an information security risk treatment plan. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI02.01 Define and maintain business functional and technical requirements. 1
BAI02.03 Manage requirements risk. 1
BAI02.04 Obtain approval of requirements and solutions. 1
BAI03.01 Design high-level solutions. 1
BAI03.05 Build solutions. 1
BAI03.07 Prepare for solution testing. 1
BAI03.08 Execute solution testing. 1
BAI03.09 Manage changes to requirements. 1
BAI03.10 Maintain solutions. 1
BAI03.11 Define IT products and services and maintain the service portfolio. 1
BAI05.05 Enable operation and use. 1
BAI05.06 Embed new approaches. 1
BAI05.07 Sustain changes. 1
BAI06.01 Evaluate, prioritize and authorize change requests. 1
BAI06.02 Manage emergency changes. 1
BAI07.01 Establish an implementation plan. 1
BAI07.02 Plan business process, system and data conversion. 1
BAI07.03 Plan acceptance tests. 1
BAI07.04 Establish a test environment. 1
BAI07.05 Perform acceptance tests. 1
BAI08.04 Evaluate and update or retire information. 1
BAI09.02 Manage critical assets. 1
BAI10.02 Establish and maintain a configuration repository and baseline. 1
BAI11.05 Manage project quality. 1
BAI11.06 Manage project risk. 1
DSS01.02 Manage outsourced I&T services. 1
DSS01.03 Monitor I&T infrastructure. 1
DSS01.04 Manage the environment. 1
DSS01.05 Manage facilities. 1
DSS02.05 Resolve and recover from incidents. 1
DSS02.06 Close service requests and incidents. 1
DSS03.02 Investigate and diagnose problems. 1
DSS03.03 Raise known errors. 1
DSS04.02 Maintain business resilience. 1
DSS04.03 Develop and implement a business continuity response. 1
DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). 1
DSS04.06 Conduct continuity plan training. 1
DSS04.07 Manage backup arrangements. 1
DSS05.01 Protect against malicious software. 1
DSS05.02 Manage network and connectivity security. 1
DSS05.03 Manage endpoint security. 1
DSS05.04 Manage user identity and logical access. 1
DSS05.05 Manage physical access to I&T assets. 1
DSS05.07 Manage vulnerabilities and monitor the infrastructure for security-related events. 1
DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. 1
MEA02.01 Monitor internal controls. 1
MEA02.03 Perform control self-assessments. 1
MEA02.04 Identify and report control deficiencies. 1
MEA03.02 Optimize response to external requirements. 1
MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
82
82
Business Continuity Manager Objective

Accountable DSS04

Accountable Result
Responsible APO01

APO02

APO07

APO08
APO11

APO12

APO13
BAI03
BAI04
BAI05

BAI06

BAI07
BAI08
DSS04

MEA02

MEA03
MEA04

Responsible Result
Total Result
Practice ID Practice_Name Count - Business Continuity Manager
DSS04.03 Develop and implement a business continuity response. 1
DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). 1
DSS04.06 Conduct continuity plan training. 1
DSS04.08 Conduct post-resumption review. 1
4
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO07.01 Acquire and maintain adequate and appropriate staffing. 1
APO07.02 Identify key IT personnel. 1
APO07.03 Maintain the skills and competencies of personnel. 1
APO07.04 Assess and recognize/reward employee job performance. 1
APO07.05 Plan and track the usage of IT and business human resources. 1
APO07.06 Manage contract staff. 1
APO08.01 Understand business expectations. 1
APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. 1
APO11.05 Maintain continuous improvement. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI03.07 Prepare for solution testing. 1
BAI04.05 Investigate and address availability, performance and capacity issues. 1
BAI05.05 Enable operation and use. 1
BAI05.06 Embed new approaches. 1
BAI05.07 Sustain changes. 1
BAI06.01 Evaluate, prioritize and authorize change requests. 1
BAI06.04 Close and document the changes. 1
BAI07.01 Establish an implementation plan. 1
BAI07.02 Plan business process, system and data conversion. 1
BAI07.03 Plan acceptance tests. 1
BAI07.04 Establish a test environment. 1
BAI07.05 Perform acceptance tests. 1
BAI07.06 Promote to production and manage releases. 1
BAI08.04 Evaluate and update or retire information. 1
DSS04.01 Define the business continuity policy, objectives and scope. 1
DSS04.02 Maintain business resilience. 1
DSS04.05 Review, maintain and improve the continuity plans. 1
DSS04.07 Manage backup arrangements. 1
MEA02.01 Monitor internal controls. 1
MEA02.03 Perform control self-assessments. 1
MEA02.04 Identify and report control deficiencies. 1
MEA03.02 Optimize response to external requirements. 1
MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
44
48
Privacy Officer Objective

Responsible APO01

APO02

APO07
APO08
APO09
APO10

APO12

APO13

BAI02

BAI03

BAI06

BAI07

BAI08
BAI09
DSS01
DSS05
MEA02

MEA03

Responsible Result
Total Result
Practice ID Practice_Name Count - Privacy Officer
APO01.09 Define and communicate policies and procedures. 1
APO01.10 Define and implement infrastructure, services and applications to support the governance and management system. 1
APO01.11 Manage continual improvement of the I&T management system. 1
APO02.01 Understand enterprise context and direction. 1
APO02.02 Assess current capabilities, performance and digital maturity of the enterprise. 1
APO02.03 Define target digital capabilities. 1
APO02.04 Conduct a gap analysis. 1
APO02.05 Define the strategic plan and road map. 1
APO07.02 Identify key IT personnel. 1
APO08.01 Understand business expectations. 1
APO09.03 Define and prepare service agreements. 1
APO10.02 Select vendors. 1
APO10.04 Manage vendor risk. 1
APO12.01 Collect data. 1
APO12.06 Respond to risk. 1
APO13.02 Define and manage an information security risk treatment plan. 1
APO13.03 Monitor and review the information security management system (ISMS). 1
BAI02.01 Define and maintain business functional and technical requirements. 1
BAI02.03 Manage requirements risk. 1
BAI02.04 Obtain approval of requirements and solutions. 1
BAI03.07 Prepare for solution testing. 1
BAI03.08 Execute solution testing. 1
BAI03.09 Manage changes to requirements. 1
BAI03.10 Maintain solutions. 1
BAI03.11 Define IT products and services and maintain the service portfolio. 1
BAI06.01 Evaluate, prioritize and authorize change requests. 1
BAI06.02 Manage emergency changes. 1
BAI07.03 Plan acceptance tests. 1
BAI07.05 Perform acceptance tests. 1
BAI08.04 Evaluate and update or retire information. 1
BAI09.02 Manage critical assets. 1
DSS01.02 Manage outsourced I&T services. 1
DSS05.04 Manage user identity and logical access. 1
DSS05.05 Manage physical access to I&T assets. 1
DSS05.06 Manage sensitive documents and output devices. 1
DSS05.07 Manage vulnerabilities and monitor the infrastructure for security-related events. 1
MEA02.01 Monitor internal controls. 1
MEA02.03 Perform control self-assessments. 1
MEA02.04 Identify and report control deficiencies. 1
MEA03.01 Identify external compliance requirements. 1
MEA03.02 Optimize response to external requirements. 1
MEA03.03 Confirm external compliance. 1
42
42
Legal Counsel

Practice ID Practice_Name Count - Legal Counsel
Responsible - Objectives: APO07, APO09, APO10, APO14, BAI08, DSS06, MEA03, MEA04
APO07.02 Identify key IT personnel. 1
APO07.06 Manage contract staff. 1
APO09.03 Define and prepare service agreements. 1
APO09.04 Monitor and report service levels. 1
APO10.01 Identify and evaluate vendor relationships and contracts. 1
APO10.03 Manage vendor relationships and contracts. 1
APO10.05 Monitor vendor performance and compliance. 1
APO14.08 Manage the life cycle of data assets. 1
APO14.09 Support data archiving and retention. 1
APO14.10 Manage data backup and restore arrangements. 1
BAI08.03 Use and share knowledge. 1
DSS06.02 Control the processing of information. 1
MEA03.01 Identify external compliance requirements. 1
MEA03.02 Optimize response to external requirements. 1
MEA03.03 Confirm external compliance. 1
MEA03.04 Obtain assurance of external compliance. 1
MEA04.01 Ensure that assurance providers are independent and qualified. 1
MEA04.02 Develop risk-based planning of assurance initiatives. 1
MEA04.03 Determine the objectives of the assurance initiative. 1
MEA04.04 Define the scope of the assurance initiative. 1
MEA04.05 Define the work program for the assurance initiative. 1
MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
MEA04.08 Report and follow up on the assurance initiative. 1
MEA04.09 Follow up on recommendations and actions. 1
Responsible Result 25
Total Result 25
Compliance

Practice ID Practice_Name Count - Compliance
Accountable - Objective: MEA03
MEA03.01 Identify external compliance requirements. 1
MEA03.03 Confirm external compliance. 1
MEA03.04 Obtain assurance of external compliance. 1
Accountable Result 3
Responsible - Objective: MEA03
MEA03.02 Optimize response to external requirements. 1
Responsible Result 1
Total Result 4
Audit

Practice ID Practice_Name Count - Audit
Accountable - Objectives: MEA03, MEA04
MEA03.02 Optimize response to external requirements. 1
MEA04.01 Ensure that assurance providers are independent and qualified. 1
MEA04.02 Develop risk-based planning of assurance initiatives. 1
MEA04.03 Determine the objectives of the assurance initiative. 1
MEA04.04 Define the scope of the assurance initiative. 1
MEA04.05 Define the work program for the assurance initiative. 1
MEA04.06 Execute the assurance initiative, focusing on design effectiveness. 1
MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. 1
MEA04.08 Report and follow up on the assurance initiative. 1
Accountable Result 9
Responsible - Objectives: MEA03, MEA04
MEA03.01 Identify external compliance requirements. 1
MEA04.09 Follow up on recommendations and actions. 1
Responsible Result 2
Total Result 11
