COBIT2019 (CristinaFlores JhovanySantacruz) Suscal
Relative importance
Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the baseline and the current situation, as determined by the values given to the design factor at hand.
Instructions
Sheet
In this sheet all results of the impact assessment of the design factors are summarized. This is done in line with the governance system design flow explained in the
COBIT Design Guide.
Canvas
The user can provide input in columns R/S to adjust the results of the automated calculations, taking into account the enterprise's specific context. When making adjustments in column R, the spreadsheet expects an explanation in column S.
Description
DF1
Description
DF2
Enter values between 1 and 5 that express the importance or relevance of each of the generic enterprise strategies given for the user enterprise.
MEA03
User Action Required
Description
Enter values between 1 and 5 that express the importance or relevance of each of the generic enterprise strategies given for the user enterprise.
APO07 BAI06 DSS02 MEA01
APO08 BAI07 DSS03 MEA02
DF3 APO09 BAI08 DSS05 MEA03
APO11 BAI09 DSS06 MEA04
APO12 BAI10
User Action Required APO13
Description
DF4
Description
DF5
Enter the percentage that expresses the importance of the threat landscape
Description
Enter the percentage that expresses the importance of the compliance requirements
EDM01 APO13
DF6 EDM03 APO14
EDM05 DSS04
APO01 DSS05
User Action Required APO10 MEA03
APO12 MEA04
Importance of Role of IT
Description
DF7
Enter values between 1 and 5 that express the importance of the Role of IT
Description
DF8
Description
Description
DF10
Enter the percentage that expresses the importance of the technology adoption strategy
User Action Required
Chart 1
Chart 2
Step 2: Determine the initial scope of the Governance System Step 3: Refine the scope of the Governance System Step 4: Conclude the Scope of the Governance System
EDM01—Ensured Governance Framework Setting & Maintenance 0 0 0 0 ### 0 -5 5 -25 0 0 -30 -45 -45 1 1
EDM02—Ensured Benefits Delivery -5 -5 -10 0 ### -20 0 0 -25 0 0 -35 -65 -65 1 1
EDM04—Ensured Resource Optimization 5 -5 -10 0 ### -10 0 0 -10 0 0 -20 -30 -30 1 1
APO04—Managed Innovation -10 -5 -20 0 ### -40 0 0 -40 0 0 -50 -100 -100 1 1
APO06—Managed Budget & Costs 5 5 -15 0 ### -5 0 0 -10 0 0 -20 -30 -30 1 1
BAI03—Managed Solutions Identification & Build 0 -5 20 0 ### 15 0 0 -25 0 -5 -50 -50 -50 1 1
BAI04—Managed Availability & Capacity -10 0 -15 0 ### -25 0 0 -20 0 0 -25 -55 -55 1 1
BAI07—Managed IT Change Acceptance and Transitioning -5 -5 50 0 ### 45 0 0 -15 0 0 -45 -15 -15 1 1
BAI11—Managed Projects 5 -5 -15 0 ### -15 0 0 -15 0 -10 -45 -70 -70 1 1
MEA01—Managed Performance and Conformance Monitoring 0 5 10 0 ### 15 -5 0 -10 5 0 -40 -30 -30 1 1
Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy
Input Section—Importance of Each Enterprise Strategy Archetype
Average 2.75
Stdev of different strategies 0.83
Correction Factor 1.09
[Chart: Design Factor 1 Enterprise Strategy, Importance (Input); axis 0 to 5; data labels 4, 3, 4, 1]
Output Section—Resulting relative importance of each governance/management objective
GAD "C"
Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 13.5 15 0
EDM02 21 24 -5
EDM03 13 15 -5
EDM04 22 22.5 5
EDM05 16 18 -5
APO01 11 12 0
APO02 27.5 28.5 5
APO03 25 24 15
APO04 17 21 -10
APO05 31.5 33 5
APO06 22 22.5 5
APO07 15 15 10
APO08 17 21 -10
APO09 18.5 22.5 -10
APO10 19.5 21 0
APO11 17 21 -10
APO12 15 18 -10
APO13 14 16.5 -5
APO14 11 12 0
BAI01 27.5 27 10
BAI02 12.5 13.5 0
BAI03 12.5 13.5 0
BAI04 15 18 -10
BAI05 26 25.5 10
BAI06 18 19.5 0
BAI07 16 18 -5
BAI08 16 19.5 -10
BAI09 11 12 0
BAI10 11 12 0
BAI11 26.5 27 5
DSS01 12 13.5 -5
DSS02 17 21 -10
DSS03 15 18 -10
DSS04 17 21 -10
DSS05 14 16.5 -5
DSS06 12 13.5 -5
MEA01 11 12 0
MEA02 11 12 0
MEA03 11 12 0
MEA04 11 12 0
[Chart: relative importance of each governance/management objective; axis -100 to 100]
Copyright ISACA 2018
571350190.xlsx
01/19/2022
COBIT® 2019 Governance System Design Toolkit
Information & Technology Governance System Design
Design Factor 2 Enterprise Goals
Input Section—Importance of Each Enterprise Goal
Enterprise Goal  Importance Value (1-5)  Baseline
EG01—Portfolio of competitive products and services 2 3
EG02—Managed business risk 2 3
EG03—Compliance with external laws and regulations 2 3
EG04—Quality of financial information 3 3
EG05—Customer-oriented service culture 2 3
EG06—Business-service continuity and availability 2 3
EG07—Quality of management information 2 3
Average 1.77
Stdev 0.58
Correction Factor 1.70
[Chart: Design Factor 2 Enterprise Goals (Input); axis 0 to 5; bar labels on the page also include EG08—Optimization of internal business process functionality 1, EG10—Staff skills, motivation and productivity 2, EG11—Compliance with internal policies 1, EG12—Managed digital transformation programs 2, EG13—Product and business innovation 1]
Output Section—Resulting relative importance of each governance/management objective
AG01 Agile portfolio of competitive products and services 2
AG02 Managed business risks 2
AG03 Compliance with external laws and regulations 2
AG04 Transparency and accuracy of financial information 3
AG05 Customer-oriented service culture 2
AG06 Business service continuity and availability 2
AG07 Quality of management information 2
AG08 Optimization of internal business process functionality 1
AG09 Optimization of business process costs 1
AG10 Staff skills, motivation and productivity 2
AG11 Compliance with internal policies 1
AG12 Managed business transformation programs 2
AG13 Product and business innovation 1
AG01 to AG13, second row of values on the page: 7 6 10 12 11 10 6 16 13 11 8 6 8
Mapping Table AG-GMO
EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04
Information & Technology Governance System Design
Design Factor 3 Risk Profile
Input Section—Importance of Each Generic IT Risk Category
Risk Scenario Category  Impact (1-5)  Likelihood (1-5)  Risk Rating  Baseline
IT investment decision making, portfolio definition & maintenance 4 2 9
Program & projects life cycle management 3 3 9
IT cost & oversight 4 3 9
IT expertise, skills & behavior 4 4 9
Enterprise/IT architecture 4 3 9
IT operational infrastructure incidents 4 4 9
Unauthorized actions 5 4 9
Average 10.84
Stdev 5.82
Correction Factor 0.83
[Chart: Design Factor 3 IT Risk Profile, Risk Rating of IT Risk Scenario Categories (Input); axis 0 to 25; legend: Very High Risk, High Risk, Normal Risk, Low Risk; category labels on the page also include Environmental and Data & information management]
Output Section—Resulting relative importance of each governance/management objective
Resulting Governance/Management Objectives Importance
GAD "C"
Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 232 189 0
EDM02 147 135 -10
EDM03 208 162 5
EDM04 212 198 -10
EDM05 247 189 10
APO01 413 324 5
APO02 146 144 -15
APO03 224 171 10
APO04 44 45 -20
APO05 162 144 -5
APO06 157 153 -15
APO07 290 216 10
APO08 208 153 15
APO09 164 117 15
APO10 278 216 5
APO11 155 99 30
APO12 134 90 25
APO13 152 99 25
APO14 234 198 0
BIA01 108 81 10
BAI02 162 117 15
BAI03 167 117 20
BAI04 9 9 -15
BAI05 114 72 30
BAI06 347.5 247.5 15
BAI07 212 117 50
BAI08 210 135 30
BAI09 76 36 75
BAI10 180 99 50
BAI11 36 36 -15
DSS01 182 135 10
DSS02 232 144 35
DSS03 192 108 50
DSS04 243 216 -5
DSS05 273 216 5
DSS06 248 144 45
MEA01 292 216 10
MEA02 348 243 20
MEA03 213 153 15
MEA04 312 225 15
[Chart: Design Factor 3 IT Risk Profile, Resulting Governance/Management Objectives Importance; axis -100 to 100]
RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19
EDM01 3.0 2.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 2.0 2.0
EDM02 3.0 2.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 3.0 1.0 3.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 3.0 0.0 4.0 3.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 2.0 0.0 0.0 2.0 3.0
EDM05 3.0 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 1.0 0.0 1.0 3.0 3.0 0.0 0.0 0.0 2.0 2.0
APO01 2.0 3.0 2.0 0.0 2.0 2.0 4.0 2.0 0.0 2.0 3.0 3.0 3.0 0.0 0.0 0.0 3.0 2.0 3.0
APO02 2.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 1.0 0.0 1.0 2.0 0.0 0.0 0.0 0.0 2.0 2.0 1.0
APO03 2.0 0.0 0.0 0.0 4.0 0.0 0.0 2.0 0.0 2.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 0.0 3.0
APO04 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0
APO05 4.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 2.0 3.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 4.0 0.0 2.0 2.0 0.0
APO08 0.0 0.0 0.0 2.0 2.0 0.0 0.0 4.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 2.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 0.0 2.0 3.0 0.0 0.0 0.0 2.0 2.0 3.0 2.0 2.0 4.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0
APO11 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0
APO12 0.0 0.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0
APO13 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 4.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0
APO14 0.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 0.0 3.0 0.0 2.0 4.0 2.0 0.0 4.0
BAI01 0.0 4.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI02 2.0 2.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI03 0.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI04 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 9.0 3.5 0.0 0.0 0.0 3.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0
BAI07 0.0 0.0 0.0 0.0 0.0 2.0 3.0 2.0 0.0 4.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI08 0.0 0.0 0.0 2.0 0.0 3.0 0.0 3.0 0.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 2.0
BAI09 0.0 0.0 0.0 0.0 0.0 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI10 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS01 0.0 0.0 0.0 0.0 0.0 4.0 3.0 0.0 4.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 3.0 2.0 3.0 2.0 2.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 3.0 1.0 4.0 0.0 3.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 3.0 3.0 0.0 3.0 0.0 4.0 0.0 2.0 0.0 3.0 4.0 0.0 0.0 2.0
DSS05 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 2.0 0.0 4.0 0.0 3.0 0.0 3.0 2.0 0.0 0.0 3.0
DSS06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 2.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0
MEA01 1.0 2.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 2.0 3.0 2.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0
MEA02 1.0 2.0 2.0 0.0 0.0 3.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0
MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0
Information & Technology Governance System Design
Design Factor 4 IT-Related Issues
Input Section—Importance of Each Generic IT-Related Issue
IT-Related Issue  Importance (1-3)  Baseline
Frustration between different IT entities across the organization because of a perception of low contribution to business value
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value 2
Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT 2
Service delivery problems by the IT outsourcer(s) 2
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems 2
Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets 2
Duplications or overlaps between various initiatives, or other forms of wasted resources 2
Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction 2
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget 2
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT 2
Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages 2
Regular issues with data quality and integration of data across various sources 2
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services) 2
Ignorance of and/or noncompliance with privacy regulations 2
Inability to exploit new technologies or innovate using I&T 2
Average 2.15
Stdev 0.65
Correction Factor 0.93
[Chart: Design Factor 4 IT-Related Issues, Importance of IT-Related Issues (Input); axis 0 to 3; legend: No Issue, Issue, Serious Issue; issue labels that appear on the page only in the chart: Failures to meet IT-related regulatory or contractual requirements; Complex IT operating model and/or unclear decision mechanisms for IT-related decisions; Excessively high cost of IT; Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems; High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation]
Output Section—Resulting relative importance of each governance/management objective
DF4 mapping table. Each row gives one value per IT-related issue, in the column order below, followed by the row total.
Columns: Frustration between different IT entities across the organization because of a perception of low contribution to business value; Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value; Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT; Service delivery problems by the IT outsourcer(s); Failures to meet IT-related regulatory or contractual requirements; Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems; Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets; Duplications or overlaps between various initiatives or other forms of wasted resources; Insufficient IT resources, staff with inadequate skills or staff burnout / dissatisfaction; IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget; Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT; Complex IT operating model and/or unclear decision mechanisms for IT-related decisions; Excessively high cost of IT; Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems; Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages; Regular issues with data quality and integration of data across various sources; High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation; Business departments implementing their own information solutions with little or no involvement of the enterprise IT department; Ignorance of and/or noncompliance with privacy regulations; Inability to exploit new technologies or innovate using I&T
EDM01 3.0 3.0 1.0 1.0 2.0 2.0 2.0 1.0 1.0 1.0 3.0 3.5 1.0 1.0 1.0 1.0 2.0 3.0 1.5 1.0 35
EDM02 2.5 3.0 1.0 1.0 1.5 2.5 2.0 1.5 0.5 2.5 1.5 1.0 3.0 2.0 1.0 1.0 2.0 2.0 1.0 2.5 35
EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24
EDM04 1.0 0.0 1.0 1.0 1.0 2.0 3.0 3.5 3.5 1.0 1.5 0.0 4.0 2.0 1.0 1.5 2.0 2.5 0.0 1.0 33
EDM05 1.0 1.0 1.0 1.0 1.5 2.0 1.0 1.0 0.0 1.0 3.0 1.5 1.5 0.5 0.0 0.5 1.0 1.0 1.0 0.0 21
APO01 2.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.5 4.0 1.0 2.0 1.0 1.0 1.5 2.0 0.5 1.0 28
APO02 1.5 1.5 1.5 1.5 1.0 1.5 1.0 1.0 0.0 1.0 2.5 0.5 0.5 1.5 1.5 0.5 2.0 2.0 0.0 2.5 25
APO03 1.0 1.5 1.0 2.0 0.5 1.5 2.0 1.5 1.0 3.5 0.5 0.5 1.0 4.0 1.0 3.5 2.0 3.0 0.0 2.0 33
APO04 1.0 1.0 1.0 1.0 0.5 0.5 0.5 0.5 0.0 0.0 0.5 1.0 0.5 2.0 1.0 0.0 0.5 0.5 0.0 4.0 16
APO05 3.0 3.0 1.0 1.5 2.0 2.0 1.5 3.5 0.5 2.0 2.0 1.5 2.0 1.0 0.5 0.0 2.5 2.5 0.0 2.0 34
APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31
APO07 1.5 1.0 1.0 1.0 1.0 1.5 2.0 2.0 4.0 1.0 0.0 0.0 1.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 24
APO08 2.5 2.0 1.0 2.5 1.5 1.0 2.5 2.0 1.5 1.0 3.0 1.0 0.5 1.0 4.0 1.0 3.0 3.5 0.0 0.5 35
APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22
APO10 1.0 1.0 2.0 4.0 1.5 1.5 1.5 0.0 1.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 0.5 2.0 1.0 0.0 20
APO11 1.0 1.0 3.0 1.5 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.5 0.5 3.0 2.0 2.0 0.0 1.0 22
APO12 1.0 0.5 2.5 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.0 1.0 1.0 1.0 2.0 1.0 1.5 2.5 1.0 26
APO13 0.0 0.0 3.5 1.0 2.0 1.0 0.0 1.0 0.0 0.5 0.0 0.0 0.0 0.0 0.0 1.5 2.0 1.0 2.0 1.0 17
APO14 1.0 1.5 3.0 1.0 2.5 1.5 1.0 1.5 0.0 1.5 0.0 0.0 0.5 2.5 0.5 4.0 2.5 2.0 3.0 0.5 30
BAI01 0.0 1.0 1.5 0.0 0.0 0.0 0.0 3.0 1.0 3.5 0.0 0.0 1.5 0.5 1.0 0.0 1.5 2.0 0.0 1.0 18
BAI02 0.0 3.0 0.0 0.0 0.5 2.0 0.0 2.0 0.0 3.5 0.0 1.0 1.0 2.0 2.0 1.5 2.5 3.0 0.5 1.0 26
BAI03 1.0 2.0 2.0 0.0 0.0 2.0 0.0 1.0 0.0 3.0 0.0 0.5 1.0 1.0 1.0 0.5 2.0 2.0 1.0 0.5 21
BAI04 0.5 0.0 2.0 3.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 0.0 1.0 1.0 1.0 0.0 0.5 12
BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14
BAI06 0.0 0.0 2.5 3.0 0.5 1.5 0.0 1.0 0.0 1.5 0.0 1.0 0.5 1.0 0.5 2.0 2.0 2.0 1.0 1.0 21
BAI07 0.0 1.0 2.0 2.0 0.5 1.5 0.0 0.5 0.0 2.0 0.0 1.0 0.0 1.0 0.5 2.0 2.0 2.0 0.0 1.0 19
BAI08 0.0 0.0 0.0 1.5 0.5 0.5 0.0 1.0 2.0 0.5 0.0 0.5 0.0 1.0 3.0 2.0 1.0 1.5 0.0 0.5 16
BAI09 0.5 0.5 1.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 0.0 1.0 1.5 0.0 0.0 12
BAI10 0.0 0.0 2.5 2.0 0.5 0.0 0.0 0.5 0.0 0.0 0.0 0.0 1.0 1.5 0.0 1.5 1.0 2.0 0.0 0.0 13
BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 0.0 1.5 2.0 0.5 0.0 1.0 1.5 0.0 0.5 23
EDM02 -20
EDM03 5
EDM04 -10
EDM05 20
APO01 5
APO02 -10
APO03 25
APO04 -40
APO05 -5
APO06 -5
APO07 15
APO08 5
APO09 5
APO10 5
APO11 25
APO12 35
APO13 35
APO14 15
BAI01 15
BAI02 10
BAI03 15
BAI04 -25
BAI05 40
BAI06 15
BAI07 45
BAI08 15
BAI09 100
BAI10 60
BAI11 -15
DSS01 5
DSS02 35
DSS03 50
DSS04 -10
DSS05 5
DSS06 45
MEA01 15
MEA02 25
MEA03 10
MEA04 20
Information & Technology Governance System Design
Design Factor 5 Threat Landscape
Average
Stdev
Design Factor 5 IT Threat Landscape
Correction Factor
1.00
High Normal
30%
70%
70%
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 6 Compliance Requirements
Average
Design Factor 6 Compliance Requirements
High Normal Low
15%
25%
Stdev
60%
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 7 Role of IT
Average 2.00
Stdev 1.73
Correction Factor 1.50
Support 5
Factory 1
Turnaround 1
Strategic 1
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT
Input Section—Importance of Sourcing Model for IT
30%
60%
10%
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods
Agile 5% 15%
5%
20%
75%
75%
Output Section—Resulting relative importance of each governance/management objective
Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy
Input Section—Importance of Technology Adoption Strategy
20%
80%
Output Section—Resulting relative importance of each governance/management objective
[Charts: relative importance per governance/management objective, EDM01 to MEA04; axis -100 to 100]
Bar labels recoverable from the first chart:
BAI07—Managed IT Change Acceptance and Transitioning 45
BAI08—Managed Knowledge 15
BAI09—Managed Assets 100
BAI10—Managed Configuration 60
BAI11—Managed Projects -15
DSS01—Managed Operations 5
DSS02—Managed Service Requests & Incidents 35
DSS03—Managed Problems 50
DSS04—Managed Continuity -10
DSS05—Managed Security Services 5
DSS06—Managed Business Process Controls 45
MEA01—Managed Performance and Conformance Monitoring 15
MEA02—Managed System of Internal Control 25
MEA03—Managed Compliance with External Requirements 10
MEA04—Managed Assurance 20
Bar labels recoverable from the remaining chart residue:
EDM01—Ensured Governance Framework Setting & Maintenance -45
EDM02—Ensured Benefits Delivery -65
EDM05—Ensured Stakeholder Engagement 15
APO07—Managed Human Resources -5
APO10—Managed Vendors -25
APO11—Managed Quality -10
APO13—Managed Security 10
BAI04—Managed Availability & Capacity -55
BAI07—Managed IT Change Acceptance and Transitioning -15
BAI08—Managed Knowledge 0
BAI11—Managed Projects -70
DSS01—Managed Operations -5
DSS02—Managed Service Requests & Incidents 5
DSS03—Managed Problems 10
DSS04—Managed Continuity -30
MEA01—Managed Performance and Conformance Monitoring -30
MEA02—Managed System of Internal Control 10