2015 International Conference on Science in Information Technology (ICSITech)
Assessment to COBIT 4.1 Maturity Model
Based on Process Attributes and Control Objectives
Teduh Dirgahayu
Department of Informatics
Universitas Islam Indonesia
Yogyakarta, Indonesia
teduh.dirgahayu@uii.ac.id
Abstract—COBIT 4.1 defines a number of IT processes; each
of which consists of several activities. A process is controlled by
several control objectives. All processes share the same maturity
attributes. COBIT 4.1 however does not define any assessment
method to determine the maturity of IT processes. This paper
reviews current assessment methods and identifies their
drawbacks. This paper then proposes an assessment method to
the COBIT 4.1 maturity model whose calculation is based on
process attributes and control objectives. The assessment
presumes that when the control objectives are met, the activity
must have been executed. Data are collected using a
questionnaire given to selected key functions. The maturity level
is calculated using simple average. The assessment method is
illustrated with a case study of process Manage Data (DS11). The
assessment method allows one to identify aspects of a process that
need improvement.
Keywords—COBIT 4.1; assessment; maturity; process attributes;
control objectives
I. INTRODUCTION
Nowadays most enterprises rely heavily on information
technology (IT) to enable their operations. IT is viewed as a
strategic means to achieve the enterprises’ business objectives.
Improvements on enterprise IT are hence necessary to ensure
that IT aligns with enterprise business. For doing so,
management shall understand the status of its enterprise IT in
order to make right decisions on which improvements to
conduct. This status indicates how enterprise IT is being
managed.
COBIT 4.1 is a framework for enterprise IT governance that
was released by IT Governance Institute (ITGI) in 2007 [1]. In
2012, COBIT 5 is released. We argue that COBIT 4.1 is still
relevant to discuss because COBIT 5 expands and integrates
COBIT 4.1 with other IT governance frameworks [2].
In COBIT 4.1, the status of enterprise IT is assessed using a
maturity model that indicates the reliability degree of enterprise
IT. In other areas, the concepts of maturity models are common
to measure processes or artifacts, e.g. in software development
process [3], business process management [4][5], information
security [6][7], and e-government [8][9][10].
In COBIT 4.1, the governance of enterprise IT is defined in
34 processes within four domains. Each process consists of a
978-1-4799-8386-5/15/$31.00 ©2015 IEEE
Dwiyono Ariyadi
Master Program in Informatics
Universitas Islam Indonesia
Yogyakarta, Indonesia
ayick19@gmail.com
number of control objectives to provide assurance that the
process’s objective is achieved. Control objectives can be
policies, procedures, practices, or organizational structures.
Processes are considered as the smallest units of enterprise IT
governance. The result of a process assessment is indicated in a
level of maturity.
All processes share common attributes that represent
aspects of those processes, e.g. procedures, tools, and
responsibility. A process is mature when all those aspects are
mature. These attributes are thus also called maturity attributes
[1].
COBIT 4.1 does not suggest any method to assess the
process maturity. Several literatures have proposed assessment
methods [11][12][13]. Those methods however do not
explicitly use the process attributes in the assessment of
process maturity. Hence the result cannot identify which
aspects of a process that should be improved.
The objectives of this paper are two folds. The first
objective is to review current assessments to the COBIT 4.1
maturity model and to identify their potential drawbacks. The
second objective is to propose an alternative assessment based
on COBIT 4.1 process attributes and control objectives to
overcome those potential drawbacks.
This paper is further structured as follows. Section II
describes the COBIT 4.1 maturity model. Section III reviews
current assessment and identifies their potential drawbacks.
Section IV presents an alternative assessment that explicitly
considers process attributes and control objectives. The
assessment is illustrated with a case study. Section V gives the
conclusions and identifies future work.
II. COBIT 4.1 MATURITY MODEL
COBIT 4.1 considers that an enterprise IT process comprises
a number of related activities. E.g., in domain Delivery and
Support (DS), process Manage Data (DS11) consists of five
activities: (i) translate data storage and retention arrangement
into procedures; (ii) define, maintain and implement
procedures to manage the media library; (iii) define, maintain
and implement procedures for secure disposal of media and
equipment; (iv) back up data according to scheme; and (v)
define, maintain and implement procedures for data restoration
[1].
343
 2015 International Conference on Science in Information Technology (ICSITech)
An activity execution involves one or more functions
within the enterprise as indicated in a RACI chart. This chart
indicates which units shall be responsible (R) and be
accountable (A) for that process; and which units shall be
consulted (C) and informed (I) about that process.
A process is controlled by a number of control objectives
that can be policies, procedures, practices, or organizational
structures. E.g., process DS11 has 6 control objectives: DS11.1
business requirements for data management; DS11.2 storage
and retention arrangements; DS11.3 media library management
system; DS11.4 disposal; DS11.5 backup and restoration; and
DS11.6 security requirements for data management [1].
The performance of a process is measured using KPIs (key
performance indicators). Its results reflect the achievement of
the process goals. E.g., process DS11 defines KPIs: (i) percent
of user satisfaction with availability of data; (ii) percent of
successful data restorations; and (iii) number of incidents
where sensitive data were retrieved after media were disposed.
KPI scores can only be known when the process includes
monitoring and measurement [1].
In an enterprise, a process evolves from non-existent to a
process with optimized capability. As mentioned earlier that
processes are the smallest unit of IT governance, hence the
maturity model is used to measure process maturity. Table 1
depicts the COBIT 4.1 generic maturity model. Each process
adapts this generic model into its own specific maturity model,
e.g. level 0-2 of process DS11 as shown in Table 2.
TABLE 1. GENERIC MATURITY MODEL [1]
Level Status Description
0 Non-existent Process is not applied at all.
1 Initial/ad hoc Process is ad hoc and disorganized.
Repeatable but
2 Process follows regular patterns.
intuitive
3 Defined process Process is documented and communicated.
Managed and
4 Process is monitored and measured.
measurable
5 Optimized Process follows best practices and automated
TABLE 2. MATURITY LEVELS OF PROCESS DS11 (EXCERPT) [1]
Level Description
0 Data are not recognized as corporate resources and assets. There is
no assigned data ownership or individual accountability for data
management. Data quality and security are poor or non-existent.
1 The organization recognizes a need for effective data management.
There is an ad hoc approach for specifying security requirements for
data management, but no formal communications procedures are in
place. No specific training on data management takes place.
Responsibility for data management is not clear. Backup/restoration
procedures and disposal arrangements are in place.
2 The awareness of the need for effective data management exists
throughout the organization. Data ownership at a high level begins to
occur. Security requirements for data management are documented
by key individuals. Some monitoring within IT is performed on data
management key activities (e.g., backup, restoration, disposal).
Responsibilities for data management are informally assigned for
key IT staff members.
344
A process has six maturity attributes, i.e. awareness and
communication (AC), policies, plans and procedures (PPP),
tools and automation (TA), skills and expertise (SE),
responsibility and accountability (RA), and goal setting and
measurement (GSM). These attributes represent a process from
different aspects [1].
COBIT 4.1 includes a maturity attribute table that is resulted
from a combination of maturity model and attributes, as
depicted in Table 3. Due to space limitation, the contents of the
table are not shown. The full table can be read in [1]. Table 4
shows examples of the contents of the maturity attribute table.
Attribute descriptions are not process-specific.
The maturity model is used to assess the current (as-is) and
the expected (to-be) status of enterprise IT. The gap between
the current and expected statuses indicates where
improvements are needed including their priorities [14].
III. REVIEW ON CURRENT MATURITY ASSESSMENTS
A maturity survey has been conducted to establish a
reference benchmark [15]. It indicated that the maturity of
enterprise IT processes were between 2.0 and 2.5. The
assessment was focused on 15 most important processes.
Unfortunately, the assessment method is not explained.
Several maturity assessment methods have been proposed
[11][12][13]. A method in [11] uses a questionnaire and a
ranking system. This method however does not take into
account the evolving nature of a process as suggested by the
COBIT 4.1 maturity model. Instead, it measures the
“compliance” of an IT process with each maturity level.
TABLE 3. MATURITY ATTRIBUTES TABLE [1]
Level AC PPP TA SE RA GSM
1
2
3
4
5
TABLE 4. MATURITY LEVELS OF AWARENESS AND COMMUNICATIONS [1]
Level Awareness and Communication (AC)
1 Recognition of the need for the process is emerging. There is
sporadic communication of the issues.
2 There is awareness of the need to act. Management communicates
the overall issues.
3 There is understanding of the need to act. Management is more
formal and structured in its communication.
4 There is understanding of the full requirements. Mature
communication techniques are applied and standard communication
tools are in use.
5 There is advanced, forward-looking understanding of requirements.
Proactive communication of issues based on trends exists, mature
communication techniques are applied, and integrated
communication tools are in use.
 2015 International Conference on Science in Information Technology (ICSITech)

Questionnaire statements are derived straightforwardly TABLE 5. QUESTIONS FOR PROCESS DS11 LEVEL 0-2 [11]
from the maturity level descriptions. E.g., we can see that
Level No. Questionnaire statements
questionnaires for process DS11 as listed in Table 5 are derived
from the descriptions in Table 2. Possible answers for these 0 0.1 Data are not recognized as corporate resources and assets.
questionnaires are provided in a Likert scale as “not at all” 0.2 There is no assigned data ownership or individual
(compliance value = 0.00), “a little” (0.33), “quite a lot” (0.66) accountability for data management.
and “completely” (1.00). The maturity level is then calculated 0.3 Data quality and security are poor or non-existent.
as a weighted average of those compliance values.
1 1.1 The organization recognizes a need for effective data
In Table 5, the statements for each level do not address management.
process attributes in entirety. E.g., level 2 assesses the maturity
1.2 There is an ad hoc approach for specifying security
of attributes AC (question 2.1), PPP (2.2 and 2.3), RA (2.3 and requirements for data management, but no formal
2.5) and GSM (2.4). Attributes TA and SE are however not communications procedures are in place.
assessed.
1.3 No specific training on data management takes place.
Furthermore, control objectives are not considered in 1.4 Responsibility for data management is not clear.
entirety. E.g., level 2 assesses control objectives of data
management requirements (question 2.1, 2.2, 2.3 and 2.5), 1.5 Backup/restoration procedures and disposal arrangements are
in place.
backup, restoration, and disposal (2.4). Storage and media
library are not considered at all. This incomplete consideration 2 2.1 The awareness of the need for effective data management
of process attributes and control objectives might result in exists throughout the organization.
unclear indications on which attributes or control objectives 2.2 Data ownership at a high level begins to occur.
need to improve.
2.3 Security requirements for data management are documented
An assessment method in [13] adopts the COBIT 4.1 by key individuals.
maturity model to define its maturity metrics. These metrics are 2.4 Some monitoring within IT is performed on data management
used to assess the maturity of activity execution, assigned key activities (e.g., backup, restoration, disposal).
responsibility, documents, and KPIs monitoring. The maturity 2.5 Responsibilities for data management are informally assigned
levels of activity execution include the process maturity for key IT staff members.
attributes of COBIT 4.1 inherently. The assigned responsibility
assesses the compliance of a process with its corresponding TABLE 6. METRICS FOR IT PROCESS MATURITY ASSESSMENT [13]
RACI chart. The maturity of documents and KPIs monitoring
is assessed based on the percentage of documents available to Level Assigned responsibility Documents KPIs
support the process and the percentage of the process’s KPIs in place monitored
monitored, respectively. Metrics for these assessments is 0 No RACI-relationships assigned. 0% 0%
depicted in Table 6.
1 25% of RACI-relationships assigned. 20% 20%
This method defines maturity in three levels, i.e. activity,
2 More than 26 % of RACI-relationships 40% 40%
process, and enterprise level. At the activity level, assessment assigned. 25 % or less of the identified
is conducted on the activity execution and assigned relationships are in line with COBIT.
responsibility. At the process level, the assessment calculates
3 More than 26% of RACI-relationships 60% 60%
the average of the maturity scores of all underlying activities,
assigned. 26- 74% of the identified
plus the document and KPIs maturity. At the enterprise level, relationships are in line with COBIT.
the assessment calculates the average of the maturity scores of
all processes. The method assumes that all metrics have the 4 More than 51% of RACI-relationships 80% 80%
assigned. 51- 99 % of the identified
same weight. relationships are in line with COBIT.
This assessment method applies a more comprehensive 5 100 % of RACI-relationships assigned. 100% 100%
approach by considering process activities, RACI, supporting 100 % of the identified relationships
documents, and KPIs. Nevertheless, it does not include are in line with COBIT.
maturity attributes and control objectives explicitly. Similar to
[11], this assessment might result in unclear indications on An attempt to align the COBIT 4.1 maturity model to
which attributes or control objectives to improve. ISO/IEC 15504:2003 measurement scale is proposed in [12].
Metrics for KPIs monitoring in Table 6, however, is not ISO/IEC 15504 is a standard for assessing and improving
defined properly. According to the COBIT 4.1 maturity model, software development process [16]. It provides minimum
KPI scores can only be known when a process includes requirements to ensure assessment consistency and
monitoring and measurement (i.e. maturity level 4). Thus it repeatability. The maturity levels of each process attributes in
should not be assessed in an increasing percentage, from no COBIT 4.1 is mapped to the rating scale in ISO/IEC 15504, i.e.
KPIs monitoring (0% at level 0) to full KPIs monitoring (100% level 1 to “none” (0-15%), level 2 to “partially” (16-50%),
at level 5). level 3 to “largely” (51-85%), and level 4 and 5 to “fully” (86-
100%).

345
 2015 International Conference on Science in Information Technology (ICSITech)
In this way, COBIT 4.1 process maturity could be assessed
using process assessment methods that comply with
requirements specified in ISO/IEC 15504. This attempt
however does not consider COBIT 4.1 control objectives of
enterprise IT processes.
IV. ASSESSMENT BASED ON PROCESS ATTRIBUTES AND
CONTROL OBJECTIVES
In COBIT 4.1, IT process maturity is characterized by
maturity attributes. Therefore, these attributes should be used
in assessment, gap analysis, and improvement planning [1].
The use of maturity attributes would give us clear indications
on which aspects of a process should be improved.
A process consists of a number of activities. A process is
controlled by control objectives. We consider control
objectives as requirements that a process must satisfy. COBIT
4.1 suggests that IT process audit is necessary to check whether
control objectives are met [1]. We consider activities as means
that must be done to meet the control objectives. An activity
execution does not attest that its control objectives are met. On
the contrary, when the control objectives are met, we can
presume that the activity must have been executed. Therefore
we propose an assessment method that is based on control
objectives rather than activities. In the following, we describe
the assessment method and illustrate its use with process DS11
as a case study.
In the case study, we assess proses DS11 as indicated in
COBIT Quickstart, which is a simplified version of COBIT 4.1
for smaller organizations [17]. Process DS11 of COBIT
Quickstart has 3 control objectives only, i.e. DS11.4, DS11.5,
and DS11.6. The study has been conducted in a public
education institution in East Java, Indonesia.
Our assessment uses a questionnaire, in which its
statements are developed for each combination of maturity
attributes and control objectives. Possible answers immediately
reflect the maturity levels of the control objective. Table 7
shows an example of questionnaire statement and its possible
answers for attribute AC and control objective DS11.6. The
questionnaire is then distributed to selected respondents, i.e.
key functions in the enterprise as indicated in the RACI chart
of the process. The answers are then calculated as in Table 8.
TABLE 7. QUESTION FOR AWARENESS AND COMMUNICATION OF DS11.6
DS11.6 How is the management’s awareness to data security?
0 Organization is not aware to data security.
1 Organization recognizes the need of data security.
2 There is awareness to data security and need to act accordingly.
There is a forum to communicate this issue.
3 There is an understanding about data security. There is a formal
communication from management to act effectively w.r.t. data
security.
4 The need of and act w.r.t. data security management have been
understood by organization. Periodically, an internal forum is
conducted to discuss relevant issues.
5 Data security management has been applied by organization. There
are external forums to find solutions to data security
issues/problems.
346
TABLE 8. CALCULATION OF PROCESS MATURITY LEVEL
Control objectives Maturity attributes
AC PPP TA SE RA GSM
DS11.4
DS11.5
DS11.6
Attribute maturity 1.33 1.67 2.00 2.00 1.00 1.00
Process maturity 1.50
The answers for each combination of maturity attribute and
control objectives (e.g. AC and DS11.6) from all respondents
are averaged and put into the corresponding cell in the table.
Attribute maturity is then calculated as the average of control
objectives maturity on that particular attribute as indicated with
a vertical arrow in Table 8. Finally, process maturity is
calculated as the average of all attribute maturity, which is
1.50. By rounding this number to the nearest integer, we can
say that process DS11 of the case study has maturity level 2
(repeatable but intuitive).
This assessment allows us to identify aspects of a process
that need improvement. From Table 8, we can see that
attributes RA and GSM score the lowest and thus need to be
prioritized. The improvement could refer to the description of
attribute maturity table for the expected (to-be) maturity level.
Suppose that the expected level is 3 (defined process), the
improvement can be “organization shall assign responsibility
for data management”.
V. CONCLUSIONS
This paper has presented a method for assessing enterprise
IT processes to the COBIT 4.1 maturity model based on process
attributes and control objectives. The use of process attributes
allows us to identify specifically aspects that need to be
improved. We choose to use control objectives, instead of
activities, since we presume that activity must have been
executed when the control objectives are met.
Our future work will use this assessment method with more
case studies and draw practical lessons from those experiences.
Moreover, we will investigate a method to validate the
recommendations indicated by the assessment method.
REFERENCES
[1] IT Governance Institute, COBIT 4.1, 2007.
[2] ISACA, COBIT 5, https://cobitonline.isaca.org/about, 2014.
[3] Software Engineering Institute, CMMI® for Development, Version 1.3,
Technical Report, CMU/SEI-2010-TR-033, 2010.
[4] M. Röglinger, J. Pöppelbuß, and J. Becker, “Maturity models in business
process management,” Business Process Management Journal, 18(2), pp.
328-346, 2012.
[5] T. De Bruin and M. Rosemann, “Towards a Business Process
Management Maturity Model”, Proc. of European Conf. on Information
Systems, 2005.
[6] M. Siponen, “Towards maturity of information security maturity criteria:
six lessons learned from software maturity criteria,” Information
Management & Computer Security, 10(5), pp. 210-224, 2002
 2015 International Conference on Science in Information Technology (ICSITech)
[7] V.A. Canal, ISM3 1.0. Information Security Management Maturity
Model, Institute for Security and Open Methodologies, 2004.
[8] K.V. Andersen and H.Z. Henriksen, “E-government maturity models:
Extension of the Layne and Lee model,” Government Information
Quarterly, 23(2), pp. 236-248, 2006.
[9] D.Y. Kim and G. Grant, “E-government maturity model using the
capability maturity model integration,” J. of Systems and Information
Technology, 12(3), pp. 230-244, 2010.
[10] G. Valdés, M. Solar, H. Astudillo, M. Iribarren, G. Concha, and M.
Visconti, “Conception, development and implementation of an e-
government maturity model in public agencies,” Government
Information Quarterly, 28(2), pp. 176-187, 2011.
[11] A. Pederiva, “The COBIT maturity model in a vendor evaluation case”,
Information Systems Control Journal, 3, 2003.
347
[12] A. Walker, T. McBride, G. Basson, and R. Oakley, “ISO/IEC 15504
measurement applied to COBIT process maturity”, Benchmarking: An
International Journal, 19(2), pp. 159-176, 2012.
[13] M. Simonsson, P. Johnson, and H. Wijkström, “Model-based IT
governance maturity assessments with COBIT”, Proc. of European
Conf. on Information Systems, 2007.
[14] IT Governance Institute, Board briefing on IT governance. 2nd ed., 2003
[15] E. Guldentops, W. van Grembergen, and S. de Haes. “Control and
governance maturity survey: establishing a reference benchmark an a
self-assessment tool”, Information Systems Control Journal, 6, 2002.
[16] ISO, ISO/IEC 15504-2:2003 Information technology – Process
assessment – Part 2: Performing an assessment, 2003.
[17] IT Governance Institute, COBIT Quickstart 2nd edition, 2007.