
01/19/2022

COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions


EMPRESA CORPORACIONES UNIDAS (COURIER Y FINANCIERA PAGADORA DE REMESAS)
Cristina Flores Urgiés
Jhovany Santacruz Espinoza
Terms & Definitions

Relative importance: Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the baseline and the current situation, as determined by the values given to the design factor at hand.

Instructions

Sheet: Canvas
In this sheet all results of the impact assessment of the design factors are summarized. This is done in line with the governance system design flow explained in the COBIT Design Guide.

The user can provide input in columns R/S to adjust the results of the automated calculations, taking into account the enterprise's specific context. When making adjustments in column R, the spreadsheet expects an explanation in column S.

Sheet Input Section Output Section


Importance of Each Enterprise Strategy Archetype
The output section of this sheet contains the calculated relative importance of each of the 40 COBIT 2019 Governance and Management Objectives

Description

DF1

Copyright ISACA 2018 571350190.xlsx Instructions—Page 1


Enter values between 1 and 5 that express the importance or relevance of each of the generic enterprise strategies given for the user enterprise.
Output Section: APO03, BAI05

User Action Required

Importance of Each Enterprise Goal

Description

DF2
Enter values between 1 and 5 that express the importance or relevance of each of the generic enterprise strategies given for the user enterprise.
Output Section: MEA03
User Action Required

Importance of Each Generic IT Risk Category

Description

DF3
Enter values between 1 and 5 that express the importance or relevance of each of the generic enterprise strategies given for the user enterprise.
User Action Required
Output Section: APO07, APO08, APO09, APO11, APO12, APO13, BAI06, BAI07, BAI08, BAI09, BAI10, DSS02, DSS03, DSS05, DSS06, MEA01, MEA02, MEA03, MEA04

Importance of Each Generic IT-Related Issue

Description

DF4

Enter values between 1 and 3 that express the importance of each generic issue related to information technology.
User Action Required
Output Section: APO02, APO04, APO09, APO10, BAI04, BAI10, DSS1, DSS2, DSS3, DSS4, DSS5

Importance of Threat Landscape

Description

DF5
Enter the percentage that expresses the importance of the threat landscape

User Action Required

Importance of Compliance Requirements

Description

DF6
Enter the percentage that expresses the importance of the compliance requirements
User Action Required
Output Section: EDM01, EDM03, EDM05, APO01, APO10, APO12, APO13, APO14, DSS04, DSS05, MEA03, MEA04

Importance of Role of IT

Description

DF7
Enter values between 1 and 5 that express the importance of the role of IT

User Action Required

Importance of Sourcing Model for IT

Description

DF8

Enter the percentage that expresses the importance of the sourcing model for IT
User Action Required
Output Section: EDM03, APO09, APO10, APO12, MEA01

Importance of IT Implementation Methods

Description

DF9
Enter the percentage that expresses the importance of the IT implementation methods
User Action Required
Output Section: BAI02, BAI03, BAI05, BAI06, BAI11, BAI07, BAI01, BAI10, MEA01

Importance of Technology Adoption Strategy

Description

DF10
Enter the percentage that expresses the importance of the technology adoption strategy
User Action Required

Initial Summary—Governance and Management Objectives
BAI06 Change management
BAI10 Configuration management
BAI07 Manage IT change acceptance and transitioning
DSS02—Manage service requests and incidents
BAI09—Manage assets
DSS03—Manage problems
MEA03—Manage compliance with external requirements

Chart 1
Chart 2


COBIT® 2019 Governance System Design Workbook—Canvas

Step 2: Determine the initial scope of the Governance System
Step 3: Refine the scope of the Governance System
Step 4: Conclude the Scope of the Governance System

Column headers:
Design Factors: Enterprise Strategy; Enterprise Goals; Risk Profile; IT-Related Issues
Initial Scope: Governance/Management Objectives Score
Threat Landscape; Compliance Req's; Role of IT; Sourcing Model for IT; IT Implementation Methods; Technology Adoption Strategy
Refined Scope: Governance/Management Objectives Score
Adjustment (between -100 and +100); Reason
Concluded Scope: Governance/Management Objectives Priority
Suggested Target Capability Level; Agreed Target Capability Level; Reason

Weight 1 1 1 1 1 1 1 1 1 1

EDM01—Ensured Governance Framework Setting & Maintenance 0 0 0 0 ### 0 -5 5 -25 0 0 -30 -45 -45 1 1

EDM02—Ensured Benefits Delivery -5 -5 -10 0 ### -20 0 0 -25 0 0 -35 -65 -65 1 1

EDM03—Ensured Risk Optimization -5 5 5 0 ### 5 -5 20 -25 -15 0 -5 -20 -20 1 1

EDM04—Ensured Resource Optimization 5 -5 -10 0 ### -10 0 0 -10 0 0 -20 -30 -30 1 1

EDM05—Ensured Stakeholder Engagement -5 15 10 0 ### 20 0 15 -10 0 0 -5 15 15 1 1

APO01—Managed I&T Management Framework 0 0 5 0 ### 5 -5 5 -20 0 0 -30 -35 -35 1 1

APO02—Managed Strategy 5 0 -15 0 ### -10 0 0 -25 0 0 -40 -60 -60 1 1

APO03—Managed Enterprise Architecture 15 0 10 0 ### 25 -5 0 -15 0 10 -15 0 0 1 1

APO04—Managed Innovation -10 -5 -20 0 ### -40 0 0 -40 0 0 -50 -100 -100 1 1

APO05—Managed Portfolio 5 -5 -5 0 ### -5 0 0 -25 0 0 -50 -65 -65 1 1

APO06—Managed Budget & Costs 5 5 -15 0 ### -5 0 0 -10 0 0 -20 -30 -30 1 1

APO07—Managed Human Resources 10 -5 10 0 ### 15 0 0 -5 0 5 -20 -5 -5 1 1

APO08—Managed Relationships -10 0 15 0 ### 5 0 0 -20 0 0 -35 -40 -40 1 1

APO09—Managed Service Agreements -10 0 15 0 ### 5 0 0 -20 5 0 -25 -30 -30 1 1

APO10—Managed Vendors 0 0 5 0 ### 5 -5 15 -20 5 0 -30 -25 -25 1 1

APO11—Managed Quality -10 5 30 0 ### 25 0 0 -15 0 0 -25 -10 -10 1 1

APO12—Managed Risk -10 15 25 0 ### 35 -5 20 -25 0 5 -25 0 0 1 1

APO13—Managed Security -5 10 25 0 ### 35 -5 15 -25 0 0 0 10 10 1 1

APO14—Managed Data 0 15 0 0 ### 15 -5 5 -20 0 0 -40 -35 -35 1 1

BAI01—Managed Programs 10 -5 10 0 ### 15 0 0 -20 0 -5 -40 -40 -40 1 1

BAI02—Managed Requirements Definition 0 -5 15 0 ### 10 0 0 -25 0 -10 -45 -55 -55 1 1

BAI03—Managed Solutions Identification & Build 0 -5 20 0 ### 15 0 0 -25 0 -5 -50 -50 -50 1 1

BAI04—Managed Availability & Capacity -10 0 -15 0 ### -25 0 0 -20 0 0 -25 -55 -55 1 1

BAI05—Managed Organizational Change 10 -5 30 0 ### 40 0 0 -10 0 -10 -40 -20 -20 1 1

BAI06—Managed IT Changes 0 0 15 0 ### 15 -5 0 -20 0 -10 -40 -50 -50 1 1

BAI07—Managed IT Change Acceptance and Transitioning -5 -5 50 0 ### 45 0 0 -15 0 0 -45 -15 -15 1 1

BAI08—Managed Knowledge -10 -5 30 0 ### 15 0 0 -10 0 0 -5 0 0 1 1

BAI09—Managed Assets 0 15 75 0 ### 100 0 0 -10 0 0 0 65 65 3 3

BAI10—Managed Configuration 0 5 50 0 ### 60 -5 0 -15 0 5 -5 30 30 2 2

BAI11—Managed Projects 5 -5 -15 0 ### -15 0 0 -15 0 -10 -45 -70 -70 1 1

DSS01—Managed Operations -5 0 10 0 ### 5 0 0 -25 0 15 0 -5 -5 1 1

DSS02—Managed Service Requests & Incidents -10 5 35 0 ### 35 -5 0 -25 0 5 0 5 5 1 1

DSS03—Managed Problems -10 5 50 0 ### 50 0 0 -30 0 5 -5 10 10 1 1


DSS04—Managed Continuity -10 5 -5 0 ### -10 -5 15 -30 0 0 -5 -30 -30 1 1

DSS05—Managed Security Services -5 5 5 0 ### 5 -5 25 -15 0 0 -5 5 5 1 1

DSS06—Managed Business Process Controls -5 0 45 0 ### 45 -5 0 -15 0 0 0 15 15 1 1

MEA01—Managed Performance and Conformance Monitoring 0 5 10 0 ### 15 -5 0 -10 5 0 -40 -30 -30 1 1

MEA02—Managed System of Internal Control 0 5 20 0 ### 25 0 0 -10 0 0 0 10 10 1 1

MEA03—Managed Compliance with External Requirements 0 -5 15 0 ### 10 -5 20 -5 0 0 0 15 15 1 1

MEA04—Managed Assurance 0 5 15 0 ### 20 -5 10 -10 0 0 0 10 10 1 1


Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy

Input Section—Importance of Each Enterprise Strategy Archetype

Value                         Importance (1-5)   Baseline
Growth/Acquisition            4                  3
Innovation/Differentiation    2                  3
Cost Leadership               3                  3
Client Service/Stability      2                  3

Average             2.75
Stdev               0.83
Correction Factor   1.09

[Chart: Design Factor 1 Enterprise Strategy, Importance of different strategies (Input); axis 0 to 5]
Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01                             13.5    15               0
EDM02                             21      24               -5
EDM03                             13      15               -5
EDM04                             22      22.5             5
EDM05                             16      18               -5
APO01                             11      12               0
APO02                             27.5    28.5             5
APO03                             25      24               15
APO04                             17      21               -10
APO05                             31.5    33               5
APO06                             22      22.5             5
APO07                             15      15               10
APO08                             17      21               -10
APO09                             18.5    22.5             -10
APO10                             19.5    21               0
APO11                             17      21               -10
APO12                             15      18               -10
APO13                             14      16.5             -5
APO14                             11      12               0
BAI01                             27.5    27               10
BAI02                             12.5    13.5             0
BAI03                             12.5    13.5             0
BAI04                             15      18               -10
BAI05                             26      25.5             10
BAI06                             18      19.5             0
BAI07                             16      18               -5
BAI08                             16      19.5             -10
BAI09                             11      12               0
BAI10                             11      12               0
BAI11                             26.5    27               5
DSS01                             12      13.5             -5
DSS02                             17      21               -10
DSS03                             15      18               -10
DSS04                             17      21               -10
DSS05                             14      16.5             -5
DSS06                             12      13.5             -5
MEA01                             11      12               0
MEA02                             11      12               0
MEA03                             11      12               0
MEA04                             11      12               0

[Chart: relative importance per governance/management objective; axis -100 to 100]

DF1     Growth/Acquisition   Innovation/Differentiation   Cost Leadership   Client Service/Stability
EDM01 1.0 1.0 1.5 1.5
EDM02 1.5 1.0 2.0 3.5
EDM03 1.0 1.0 1.0 2.0
EDM04 1.5 1.0 4.0 1.0
EDM05 1.5 1.5 1.0 2.0
APO01 1.0 1.0 1.0 1.0
APO02 3.5 3.5 1.5 1.0
APO03 4.0 2.0 1.0 1.0
APO04 1.0 4.0 1.0 1.0
APO05 3.5 4.0 2.5 1.0
APO06 1.5 1.0 4.0 1.0
APO07 2.0 1.0 1.0 1.0
APO08 1.0 1.5 1.0 3.5
APO09 1.0 1.0 1.5 4.0
APO10 1.0 1.0 3.5 1.5
APO11 1.0 1.0 1.0 4.0
APO12 1.0 1.5 1.0 2.5
APO13 1.0 1.0 1.0 2.5
APO14 1.0 1.0 1.0 1.0
BAI01 4.0 2.0 1.5 1.5
BAI02 1.0 1.0 1.5 1.0
BAI03 1.0 1.0 1.5 1.0
BAI04 1.0 1.0 1.0 3.0
BAI05 4.0 2.0 1.0 1.5
BAI06 2.0 2.0 1.0 1.5
BAI07 1.5 2.0 1.0 1.5
BAI08 1.0 3.5 1.0 1.0
BAI09 1.0 1.0 1.0 1.0
BAI10 1.0 1.0 1.0 1.0
BAI11 3.5 3.0 1.5 1.0
DSS01 1.0 1.0 1.0 1.5

DSS02 1.0 1.0 1.0 4.0
DSS03 1.0 1.0 1.0 3.0
DSS04 1.0 1.0 1.0 4.0
DSS05 1.0 1.0 1.0 2.5
DSS06 1.0 1.0 1.0 1.5
MEA01 1.0 1.0 1.0 1.0
MEA02 1.0 1.0 1.0 1.0
MEA03 1.0 1.0 1.0 1.0
MEA04 1.0 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 2 Enterprise Goals

Input Section—Importance of Each Enterprise Goal

Value                                                           Importance (1-5)   Baseline
EG01—Portfolio of competitive products and services             2                  3
EG02—Managed business risk                                      2                  3
EG03—Compliance with external laws and regulations              2                  3
EG04—Quality of financial information                           3                  3
EG05—Customer-oriented service culture                          2                  3
EG06—Business-service continuity and availability               2                  3
EG07—Quality of management information                          2                  3
EG08—Optimization of internal business process functionality    1                  3
EG09—Optimization of business process costs                     1                  3
EG10—Staff skills, motivation and productivity                  2                  3
EG11—Compliance with internal policies                          1                  3
EG12—Managed digital transformation programs                    2                  3
EG13—Product and business innovation                            1                  3

Average             1.77
Stdev               0.58
Correction Factor   1.70

[Chart: Design Factor 2 Enterprise Goals (Input); scale 0 to 5]

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01                             57      0                0
EDM02                             65      114              -5
EDM03                             39      63               5
EDM04                             73      129              -5
EDM05                             42      63               15
APO01                             106     180              0
APO02                             77      132              0
APO03                             79      135              0
APO04                             68      120              -5
APO05                             81      141              -5
APO06                             71      117              5
APO07                             62      108              -5
APO08                             109     189              0
APO09                             38      63               0
APO10                             45      78               0
APO11                             81      132              5
APO12                             24      36               15
APO13                             25      39               10
APO14                             53      78               15
BAI01                             72      129              -5
BAI02                             100     174              -5
BAI03                             94      165              -5
BAI04                             41      69               0
BAI05                             105     183              -5
BAI06                             53      90               0
BAI07                             39      69               -5
BAI08                             77      135              -5
BAI09                             35      51               15
BAI10                             11      18               5
BAI11                             77      138              -5
DSS01                             38      63               0
DSS02                             34      54               5
DSS03                             34      54               5
DSS04                             34      54               5
DSS05                             50      81               5
DSS06                             63      105              0
MEA01                             82      135              5
MEA02                             82      135              5
MEA03                             22      39               -5
MEA04                             69      111              5

[Chart: Design Factor 2 Enterprise Goals, Resulting Governance/Management Objectives Importance; axis -100 to 100]

Mapping table EG-GA

Enterprise goals, with the value shown under each:
Agile portfolio of competitive products and services 2
Managed business risks 2
Compliance with external laws and regulations 2
Transparency and accuracy of financial information 3
Customer-oriented service culture 2
Business service continuity and availability 2
Quality of management information 2
Optimization of internal business process functionality 1
Optimization of business process costs 1
Staff skills, motivation and productivity 2
Compliance with internal policies 1
Managed business transformation programs 2
Product and business innovation 1

AG01 IT compliance and support for business compliance with external laws and regulations
AG02 Managed Technology & Information related risks
AG03 Realized benefits from IT-enabled investments and services portfolio
AG04 Quality of technology related financial information
AG05 Delivery of IT services in line with business requirements
AG06 Agility to turn business requirements into operational solutions
AG07 Security of information, processing infrastructure and applications
AG08 Enablement and support of business processes by Integrating applications and technology
AG09 Delivery of programs on time, on budget, and meeting requirements and quality standards
AG10 Quality of IT Management Information
AG11 IT compliance with internal policies
AG12 Competent and motivated staff with mutual understanding of technology and business.
AG13 Knowledge, expertise and initiatives for business innovation

                                                              AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
EG01 Portfolio of agile and competitive products and services 0    0    1    0    2    2    0    2    2    0    0    0    2
EG02 Managed business risks                                   1    2    0    0    0    0    1    0    0    0    1    0    0
EG03 Compliance with external laws and regulations            2    0    0    0    0    0    0    0    0    0    2    0    0
EG04 Transparency and accuracy of financial information       0    0    0    2    0    0    0    0    0    2    0    0    0
EG05 Customer-oriented service culture                        0    0    1    0    1    1    0    2    1    0    0    1    0
EG06 Business service continuity and availability             0    1    0    0    1    0    2    0    0    0    0    0    0
EG07 Accuracy (Quality?) of Management Information            0    0    0    2    0    0    0    0    0    2    0    0    0
EG08 Optimization of business process functionality           0    0    1    0    1    1    0    1    1    0    0    0    0
EG09 Optimization of business process costs                   0    0    1    2    0    0    0    0    1    1    0    0    0
EG10 Staff skills, motivation and productivity                0    0    0    0    0    0    0    1    0    0    0    2    0
EG11 Compliance with internal policies                        1    0    0    0    0    0    0    0    0    0    2    0    0
EG12 Managed business transformation programs                 0    0    2    0    1    1    0    2    2    0    0    0    1
EG13 Product and business innovation                          0    0    0    0    0    1    0    1    1    0    0    0    2

                                                              AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
                                                              7    6    10   12   11   10   6    16   13   11   8    6    8

Mapping Table AG-GMO

EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04

AG01 IT compliance and support for business compliance with external laws and regulations 1 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 2 1

AG02 Managed Technology & Information related risks 1 0 2 0 0 1 0 0 0 0 0 0 0 0 0 0 2 1 1 0 0 0 0 0 1 1 0 0 0 0 0 1 1 1 2 1 0 1 0 1

AG03 Realized benefits from IT-enabled investments and services portfolio 2 2 0 1 0 2 1 1 1 2 1 1 1 0 0 1 0 0 0 2 1 1 0 2 0 0 1 0 0 2 0 0 0 0 0 0 1 0 0 0

AG04 Quality of technology related financial information 0 0 0 0 1 0 0 0 0 0 2 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 1 0 1

AG05 Delivery of IT services in line with business requirements 0 1 0 1 0 1 1 1 0 2 0 1 2 2 2 1 0 0 0 0 2 2 2 1 1 0 0 0 1 1 2 2 2 2 1 1 2 1 0 1

AG06 Agility to turn business requirements into operational solutions 0 1 0 1 0 0 1 2 2 1 0 0 2 0 1 0 0 0 0 1 2 2 0 1 2 2 1 0 0 2 0 0 0 0 0 0 0 0 0 0

AG07 Security of information, processing infrastructure and applications 0 0 2 0 0 1 0 1 0 0 0 0 0 0 0 0 2 2 1 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 2 1 0 1 0 1

AG08 Enablement and support of business processes by Integrating applications and technology 1 1 0 1 0 1 2 2 1 1 0 0 1 1 0 0 0 0 0 1 1 1 0 2 1 0 1 0 0 0 1 0 0 0 0 2 0 0 0 0

AG09 Delivery of programs on time, on budget, and meeting requirements and quality standards 0 0 0 2 0 1 0 0 0 1 2 1 1 0 1 2 0 0 0 2 2 2 1 2 0 1 1 0 0 2 0 0 0 0 0 0 1 1 0 0

AG10 Quality of IT Management Information 0 0 0 0 2 1 0 0 0 0 1 0 0 0 0 2 0 0 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 2 1 0 1

AG11 IT compliance with internal policies 1 0 1 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 2 1 2

AG12 Competent and motivated staff with mutual understanding of technology and business. 0 0 0 0 0 0 1 0 1 0 0 2 2 0 0 0 0 0 0 0 1 0 0 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0

AG13 Knowledge, expertise and initiatives for business innovation 0 1 0 0 0 0 1 0 2 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0

EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04

57 65 39 73 42 106 77 79 68 81 71 62 109 38 45 81 24 25 53 72 100 94 41 105 53 39 77 35 11 77 38 34 34 34 50 63 82 82 22 69


Baseline 99 114 63 129 63 180 132 135 120 141 117 108 189 63 78 132 36 39 78 129 174 165 69 183 90 69 135 51 18 138 63 54 54 54 81 105 135 135 39 111
Imp® -43 -43 -39 -44 -34 -42 -42 -42 -44 -43 -40 -43 -43 -40 -43 -39 -34 -36 -33 -45 -43 -44 -41 -43 -42 -44 -43 -32 -39 -45 -40 -38 -38 -38 -39 -40 -40 -40 -44 -38


Information & Technology Governance System Design
Design Factor 3 Risk Profile

Input Section—Importance of Each Generic IT Risk Category

Risk Scenario Category                                               Impact (1-5)   Likelihood (1-5)   Baseline
IT investment decision making, portfolio definition & maintenance    4              2                  9
Program & projects life cycle management                             3              3                  9
IT cost & oversight                                                  4              3                  9
IT expertise, skills & behavior                                      4              4                  9
Enterprise/IT architecture                                           4              3                  9
IT operational infrastructure incidents                              4              4                  9
Unauthorized actions                                                 5              4                  9
Software adoption/usage problems                                     4              4                  9
Hardware incidents                                                   4              2                  9
Software failures                                                    4              4                  9
Logical attacks (hacking, malware, etc.)                             4              3                  9
Third-party/supplier incidents                                       2              2                  9
Noncompliance                                                        2              4                  9
Geopolitical Issues                                                  4              5                  9
Industrial action                                                    1              1                  9
Acts of nature                                                       3              1                  9
Technology-based innovation                                          4              2                  9
Environmental                                                        1              1                  9
Data & information management                                        4              4                  9

Risk Rating legend: Very High Risk, High Risk, Normal Risk, Low Risk

Average             10.84
Stdev               5.82
Correction Factor   0.83

[Chart: Design Factor 3 IT Risk Profile, Risk Rating of IT Risk Scenario Categories (Input); axis 0 to 25]

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01                             232     189              0
EDM02                             147     135              -10
EDM03                             208     162              5
EDM04                             212     198              -10
EDM05                             247     189              10
APO01                             413     324              5
APO02                             146     144              -15
APO03                             224     171              10
APO04                             44      45               -20
APO05                             162     144              -5
APO06                             157     153              -15
APO07                             290     216              10
APO08                             208     153              15
APO09                             164     117              15
APO10                             278     216              5
APO11                             155     99               30
APO12                             134     90               25
APO13                             152     99               25
APO14                             234     198              0
BAI01                             108     81               10
BAI02                             162     117              15
BAI03                             167     117              20
BAI04                             9       9                -15
BAI05                             114     72               30
BAI06                             347.5   247.5            15
BAI07                             212     117              50
BAI08                             210     135              30
BAI09                             76      36               75
BAI10                             180     99               50
BAI11                             36      36               -15
DSS01                             182     135              10
DSS02                             232     144              35
DSS03                             192     108              50
DSS04                             243     216              -5
DSS05                             273     216              5
DSS06                             248     144              45
MEA01                             292     216              10
MEA02                             348     243              20
MEA03                             213     153              15
MEA04                             312     225              15

[Chart: Design Factor 3 IT Risk Profile, Resulting Governance/Management Objectives Importance; axis -100 to 100]

RISKCAT01 IT Investment Decision Making, Portfolio Definition & Maintenance
RISKCAT02 Program & Projects Life Cycle Management
RISKCAT03 IT Cost & Oversight
RISKCAT04 IT Expertise, Skills & Behavior
RISKCAT05 Enterprise/IT Architecture
RISKCAT06 IT Operational Infrastructure Incidents
RISKCAT07 Unauthorized Actions
RISKCAT08 Software Adoption/Usage Problems
RISKCAT09 Hardware Incidents
RISKCAT10 Software Failures
RISKCAT11 Logical Attacks (Hacking, Malware, etc.)
RISKCAT12 Third-Party/Supplier Incidents
RISKCAT13 Noncompliance
RISKCAT14 Geopolitical Issues
RISKCAT15 Industrial Action
RISKCAT16 Acts of Nature
RISKCAT17 Technology-Based Innovation
RISKCAT18 Environmental
RISKCAT19 Data & Information Management

DF3 RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19

EDM01 3.0 2.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 2.0 2.0
EDM02 3.0 2.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 3.0 1.0 3.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 3.0 0.0 4.0 3.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 2.0 0.0 0.0 2.0 3.0
EDM05 3.0 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 1.0 0.0 1.0 3.0 3.0 0.0 0.0 0.0 2.0 2.0
APO01 2.0 3.0 2.0 0.0 2.0 2.0 4.0 2.0 0.0 2.0 3.0 3.0 3.0 0.0 0.0 0.0 3.0 2.0 3.0
APO02 2.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 1.0 0.0 1.0 2.0 0.0 0.0 0.0 0.0 2.0 2.0 1.0
APO03 2.0 0.0 0.0 0.0 4.0 0.0 0.0 2.0 0.0 2.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 0.0 3.0
APO04 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0
APO05 4.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 2.0 3.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 4.0 0.0 2.0 2.0 0.0
APO08 0.0 0.0 0.0 2.0 2.0 0.0 0.0 4.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 2.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 0.0 2.0 3.0 0.0 0.0 0.0 2.0 2.0 3.0 2.0 2.0 4.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0
APO11 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0
APO12 0.0 0.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0
APO13 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 4.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0
APO14 0.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 0.0 3.0 0.0 2.0 4.0 2.0 0.0 4.0
BAI01 0.0 4.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI02 2.0 2.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI03 0.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI04 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 9.0 3.5 0.0 0.0 0.0 3.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0
BAI07 0.0 0.0 0.0 0.0 0.0 2.0 3.0 2.0 0.0 4.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI08 0.0 0.0 0.0 2.0 0.0 3.0 0.0 3.0 0.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 2.0
BAI09 0.0 0.0 0.0 0.0 0.0 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI10 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS01 0.0 0.0 0.0 0.0 0.0 4.0 3.0 0.0 4.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 3.0 2.0 3.0 2.0 2.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 3.0 1.0 4.0 0.0 3.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 3.0 3.0 0.0 3.0 0.0 4.0 0.0 2.0 0.0 3.0 4.0 0.0 0.0 2.0
DSS05 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 2.0 0.0 4.0 0.0 3.0 0.0 3.0 2.0 0.0 0.0 3.0


DSS06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 2.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0
MEA01 1.0 2.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 2.0 3.0 2.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0
MEA02 1.0 2.0 2.0 0.0 0.0 3.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0
MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0


Information & Technology Governance System Design
Design Factor 4 IT-Related Issues

Input Section—Importance of Each Generic IT-Related Issue

Importance scale (1-3): No Issue, Issue, Serious Issue

IT-Related Issue   Importance (1-3)   Baseline
Frustration between different IT entities across the organization because of a perception of low contribution to business value
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value 2
Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT 2
Service delivery problems by the IT outsourcer(s) 2
Failures to meet IT-related regulatory or contractual requirements 2
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems 2
Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets 2
Duplications or overlaps between various initiatives, or other forms of wasted resources 2
Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction 2
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget 2
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT 2
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions 2
Excessively high cost of IT 2
Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems 2
Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages 2
Regular issues with data quality and integration of data across various sources 2
High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation 2
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services) 2
Ignorance of and/or noncompliance with privacy regulations 2
Inability to exploit new technologies or innovate using I&T 2

Average 2.15
Stdev 0.65
Correction Factor 0.93

[Chart: Design Factor 4 IT-Related Issues, Importance of IT-Related Issues (Input)]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01 76 #VALUE! 0
EDM02 71.5 #VALUE! 0
EDM03 52.5 #VALUE! 0
EDM04 62.5 #VALUE! 0
EDM05 42.5 #VALUE! 0
APO01 62.5 #VALUE! 0
APO02 54 #VALUE! 0
APO03 72.5 #VALUE! 0
APO04 36.5 #VALUE! 0
APO05 66.5 #VALUE! 0
APO06 56 #VALUE! 0
APO07 46.5 #VALUE! 0
APO08 72 #VALUE! 0
APO09 41.5 #VALUE! 0
APO10 42 #VALUE! 0
APO11 51 #VALUE! 0
APO12 59.5 #VALUE! 0
APO13 41 #VALUE! 0
APO14 69.5 #VALUE! 0
BAI01 35 #VALUE! 0
BAI02 55 #VALUE! 0
BAI03 44.5 #VALUE! 0
BAI04 26.5 #VALUE! 0
BAI05 29 #VALUE! 0
BAI06 50 #VALUE! 0
BAI07 45.5 #VALUE! 0
BAI08 34.5 #VALUE! 0
BAI09 21 #VALUE! 0
BAI10 29.5 #VALUE! 0
BAI11 44 #VALUE! 0
DSS01 31.5 #VALUE! 0
DSS02 37 #VALUE! 0
DSS03 37.5 #VALUE! 0
DSS04 27.5 #VALUE! 0
DSS05 38.5 #VALUE! 0
DSS06 35 #VALUE! 0
MEA01 64.5 #VALUE! 0
MEA02 55 #VALUE! 0
MEA03 37 #VALUE! 0
MEA04 64 #VALUE! 0

[Chart: Design Factor 4 IT-Related Issues, Resulting Governance/Management Objectives Importance]


DF4 column headings, left to right:
Frustration between different IT entities across the organization because of a perception of low contribution to business value
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
Service delivery problems by the IT outsourcer(s)
Failures to meet IT-related regulatory or contractual requirements
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets
Duplications or overlaps between various initiatives or other forms of wasted resources
Insufficient IT resources, staff with inadequate skills or staff burnout / dissatisfaction
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
Excessively high cost of IT
Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
Regular issues with data quality and integration of data across various sources
High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department
Ignorance of and/or noncompliance with privacy regulations
Inability to exploit new technologies or innovate using I&T

EDM01 3.0 3.0 1.0 1.0 2.0 2.0 2.0 1.0 1.0 1.0 3.0 3.5 1.0 1.0 1.0 1.0 2.0 3.0 1.5 1.0 35

EDM02 2.5 3.0 1.0 1.0 1.5 2.5 2.0 1.5 0.5 2.5 1.5 1.0 3.0 2.0 1.0 1.0 2.0 2.0 1.0 2.5 35

EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24

EDM04 1.0 0.0 1.0 1.0 1.0 2.0 3.0 3.5 3.5 1.0 1.5 0.0 4.0 2.0 1.0 1.5 2.0 2.5 0.0 1.0 33

EDM05 1.0 1.0 1.0 1.0 1.5 2.0 1.0 1.0 0.0 1.0 3.0 1.5 1.5 0.5 0.0 0.5 1.0 1.0 1.0 0.0 21

APO01 2.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.5 4.0 1.0 2.0 1.0 1.0 1.5 2.0 0.5 1.0 28

APO02 1.5 1.5 1.5 1.5 1.0 1.5 1.0 1.0 0.0 1.0 2.5 0.5 0.5 1.5 1.5 0.5 2.0 2.0 0.0 2.5 25

APO03 1.0 1.5 1.0 2.0 0.5 1.5 2.0 1.5 1.0 3.5 0.5 0.5 1.0 4.0 1.0 3.5 2.0 3.0 0.0 2.0 33

APO04 1.0 1.0 1.0 1.0 0.5 0.5 0.5 0.5 0.0 0.0 0.5 1.0 0.5 2.0 1.0 0.0 0.5 0.5 0.0 4.0 16

APO05 3.0 3.0 1.0 1.5 2.0 2.0 1.5 3.5 0.5 2.0 2.0 1.5 2.0 1.0 0.5 0.0 2.5 2.5 0.0 2.0 34

APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31

APO07 1.5 1.0 1.0 1.0 1.0 1.5 2.0 2.0 4.0 1.0 0.0 0.0 1.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 24

APO08 2.5 2.0 1.0 2.5 1.5 1.0 2.5 2.0 1.5 1.0 3.0 1.0 0.5 1.0 4.0 1.0 3.0 3.5 0.0 0.5 35

APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22

APO10 1.0 1.0 2.0 4.0 1.5 1.5 1.5 0.0 1.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 0.5 2.0 1.0 0.0 20

APO11 1.0 1.0 3.0 1.5 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.5 0.5 3.0 2.0 2.0 0.0 1.0 22

APO12 1.0 0.5 2.5 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.0 1.0 1.0 1.0 2.0 1.0 1.5 2.5 1.0 26

APO13 0.0 0.0 3.5 1.0 2.0 1.0 0.0 1.0 0.0 0.5 0.0 0.0 0.0 0.0 0.0 1.5 2.0 1.0 2.0 1.0 17

APO14 1.0 1.5 3.0 1.0 2.5 1.5 1.0 1.5 0.0 1.5 0.0 0.0 0.5 2.5 0.5 4.0 2.5 2.0 3.0 0.5 30

BAI01 0.0 1.0 1.5 0.0 0.0 0.0 0.0 3.0 1.0 3.5 0.0 0.0 1.5 0.5 1.0 0.0 1.5 2.0 0.0 1.0 18

BAI02 0.0 3.0 0.0 0.0 0.5 2.0 0.0 2.0 0.0 3.5 0.0 1.0 1.0 2.0 2.0 1.5 2.5 3.0 0.5 1.0 26

BAI03 1.0 2.0 2.0 0.0 0.0 2.0 0.0 1.0 0.0 3.0 0.0 0.5 1.0 1.0 1.0 0.5 2.0 2.0 1.0 0.5 21

BAI04 0.5 0.0 2.0 3.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 0.0 1.0 1.0 1.0 0.0 0.5 12

BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14

BAI06 0.0 0.0 2.5 3.0 0.5 1.5 0.0 1.0 0.0 1.5 0.0 1.0 0.5 1.0 0.5 2.0 2.0 2.0 1.0 1.0 21

BAI07 0.0 1.0 2.0 2.0 0.5 1.5 0.0 0.5 0.0 2.0 0.0 1.0 0.0 1.0 0.5 2.0 2.0 2.0 0.0 1.0 19

BAI08 0.0 0.0 0.0 1.5 0.5 0.5 0.0 1.0 2.0 0.5 0.0 0.5 0.0 1.0 3.0 2.0 1.0 1.5 0.0 0.5 16

BAI09 0.5 0.5 1.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 0.0 1.0 1.5 0.0 0.0 12

BAI10 0.0 0.0 2.5 2.0 0.5 0.0 0.0 0.5 0.0 0.0 0.0 0.0 1.0 1.5 0.0 1.5 1.0 2.0 0.0 0.0 13

BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 0.0 1.5 2.0 0.5 0.0 1.0 1.5 0.0 0.5 23



Step 2 Initial Design
Governance and Management Objectives Importance

EDM01 0
EDM02 -20
EDM03 5
EDM04 -10
EDM05 20
APO01 5
APO02 -10
APO03 25
APO04 -40
APO05 -5
APO06 -5
APO07 15
APO08 5
APO09 5
APO10 5
APO11 25
APO12 35
APO13 35
APO14 15
BAI01 15
BAI02 10
BAI03 15
BAI04 -25
BAI05 40
BAI06 15
BAI07 45
BAI08 15
BAI09 100
BAI10 60
BAI11 -15
DSS01 5
DSS02 35
DSS03 50
DSS04 -10
DSS05 5
DSS06 45
MEA01 15
MEA02 25
MEA03 10
MEA04 20

Information & Technology Governance System Design
Design Factor 5 Threat Landscape

Input Section—Importance of Threat Landscape

Value Importance (100%) Baseline
High 30% 33%
Normal 70% 67%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 5 IT Threat Landscape; High 30%, Normal 70%]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01 1.60 1.66 -5
EDM02 1.00 1.00 0
EDM03 1.90 1.99 -5
EDM04 1.00 1.00 0
EDM05 1.30 1.33 0
APO01 1.60 1.66 -5
APO02 1.00 1.00 0
APO03 1.60 1.66 -5
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.30 1.33 0
APO08 1.00 1.00 0
APO09 1.30 1.33 0
APO10 1.60 1.66 -5
APO11 1.30 1.33 0
APO12 1.90 1.99 -5
APO13 1.90 1.99 -5
APO14 1.60 1.66 -5
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.30 1.33 0
BAI05 1.00 1.00 0
BAI06 1.60 1.66 -5
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.60 1.66 -5
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 1.60 1.66 -5
DSS03 1.30 1.33 0
DSS04 1.90 1.99 -5
DSS05 1.60 1.66 -5
DSS06 1.60 1.66 -5
MEA01 1.60 1.66 -5
MEA02 1.30 1.33 0
MEA03 1.60 1.66 -5
MEA04 1.60 1.66 -5

[Chart: Design Factor 5 Threat Landscape, Resulting Governance/Management Objectives Importance; GAD "C"]


DF5 High Normal


EDM01 3.0 1.0
EDM02 1.0 1.0
EDM03 4.0 1.0
EDM04 1.0 1.0
EDM05 2.0 1.0
APO01 3.0 1.0
APO02 1.0 1.0
APO03 3.0 1.0
APO04 1.0 1.0
APO05 1.0 1.0
APO06 1.0 1.0
APO07 2.0 1.0
APO08 1.0 1.0
APO09 2.0 1.0
APO10 3.0 1.0
APO11 2.0 1.0
APO12 4.0 1.0
APO13 4.0 1.0
APO14 3.0 1.0
BAI01 1.0 1.0
BAI02 1.0 1.0
BAI03 1.0 1.0
BAI04 2.0 1.0
BAI05 1.0 1.0
BAI06 3.0 1.0
BAI07 1.0 1.0
BAI08 1.0 1.0
BAI09 1.0 1.0
BAI10 3.0 1.0
BAI11 1.0 1.0
DSS01 1.0 1.0
DSS02 3.0 1.0



DSS03 2.0 1.0
DSS04 4.0 1.0
DSS05 3.0 1.0
DSS06 3.0 1.0
MEA01 3.0 1.0
MEA02 2.0 1.0
MEA03 3.0 1.0
MEA04 3.0 1.0


Information & Technology Governance System Design
Design Factor 6 Compliance Requirements

Input Section—Importance of Compliance Requirements

Value Importance (100%) Baseline
High 25% 0%
Normal 60% 100%
Low 15% 0%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 6 Compliance Requirements; High 25%, Normal 60%, Low 15%]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01 2.10 2.00 5
EDM02 1.00 1.00 0
EDM03 2.35 2.00 20
EDM04 1.00 1.00 0
EDM05 1.13 1.00 15
APO01 1.55 1.50 5
APO02 1.00 1.00 0
APO03 1.00 1.00 0
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.00 1.00 0
APO08 1.00 1.00 0
APO09 1.00 1.00 0
APO10 1.13 1.00 15
APO11 1.00 1.00 0
APO12 2.35 2.00 20
APO13 1.13 1.00 15
APO14 1.55 1.50 5
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.00 1.00 0
BAI05 1.00 1.00 0
BAI06 1.00 1.00 0
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.00 1.00 0
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 1.00 1.00 0
DSS03 1.00 1.00 0
DSS04 1.13 1.00 15
DSS05 1.25 1.00 25
DSS06 1.00 1.00 0
MEA01 1.00 1.00 0
MEA02 1.00 1.00 0
MEA03 2.35 2.00 20
MEA04 2.23 2.00 10

[Chart: Design Factor 6 Compliance Requirements, Resulting Governance/Management Objectives Importance; GAD "C"]


DF6 High Normal Low


EDM01 3.0 2.0 1.0
EDM02 1.0 1.0 1.0
EDM03 4.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.5 1.0 1.0
APO01 2.0 1.5 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.5 1.0 1.0
APO11 1.0 1.0 1.0
APO12 4.0 2.0 1.0
APO13 1.5 1.0 1.0
APO14 2.0 1.5 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0



DSS03 1.0 1.0 1.0
DSS04 1.5 1.0 1.0
DSS05 2.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.0 1.0 1.0
MEA02 1.0 1.0 1.0
MEA03 4.0 2.0 1.0
MEA04 3.5 2.0 1.0


Information & Technology Governance System Design
Design Factor 7 Role of IT

Input Section—Importance of Role of IT

Value Importance (1-5) Baseline
Support 5 3
Factory 1 3
Turnaround 1 3
Strategic 1 3

Average 2.00
Stdev 1.73
Correction Factor 1.50

[Chart: Design Factor 7 Role of IT (Input)]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01 12.5 25.5 -25
EDM02 11.5 22.5 -25
EDM03 12.0 24.0 -25
EDM04 9.0 15.0 -10
EDM05 9.0 15.0 -10
APO01 10.5 19.5 -20
APO02 12.0 24.0 -25
APO03 10.0 18.0 -15
APO04 11.0 27.0 -40
APO05 11.5 22.5 -25
APO06 9.0 15.0 -10
APO07 8.5 13.5 -5
APO08 10.5 19.5 -20
APO09 10.5 19.5 -20
APO10 11.0 21.0 -20
APO11 10.0 18.0 -15
APO12 11.5 22.5 -25
APO13 11.5 22.5 -25
APO14 10.5 19.5 -20
BAI01 10.5 19.5 -20
BAI02 12.0 24.0 -25
BAI03 12.0 24.0 -25
BAI04 11.0 21.0 -20
BAI05 9.0 15.0 -10
BAI06 10.5 19.5 -20
BAI07 10.0 18.0 -15
BAI08 9.0 15.0 -10
BAI09 9.0 15.0 -10
BAI10 9.5 16.5 -15
BAI11 10.0 18.0 -15
DSS01 12.5 25.5 -25
DSS02 12.5 25.5 -25
DSS03 13.0 27.0 -30
DSS04 13.0 27.0 -30
DSS05 15.0 27.0 -15
DSS06 9.5 16.5 -15
MEA01 9.0 15.0 -10
MEA02 9.0 15.0 -10
MEA03 8.5 13.5 -5
MEA04 9.0 15.0 -10

[Chart: Design Factor 7 Role of IT, Resulting Governance/Management Objectives Importance]


DF7 Support Factory Turnaround Strategic


EDM01 1.0 2.0 1.5 4.0
EDM02 1.0 1.0 2.5 3.0
EDM03 1.0 3.0 1.0 3.0
EDM04 1.0 1.0 1.0 2.0
EDM05 1.0 1.0 1.0 2.0
APO01 1.0 1.5 1.5 2.5
APO02 1.0 1.0 3.0 3.0
APO03 1.0 1.0 2.0 2.0
APO04 0.5 1.0 3.5 4.0
APO05 1.0 1.0 2.5 3.0
APO06 1.0 1.0 1.0 2.0
APO07 1.0 1.0 1.0 1.5
APO08 1.0 1.0 2.0 2.5
APO09 1.0 2.0 1.5 2.0
APO10 1.0 2.5 1.5 2.0
APO11 1.0 1.5 1.5 2.0
APO12 1.0 2.5 1.0 3.0
APO13 1.0 2.0 1.5 3.0
APO14 1.0 1.5 1.5 2.5
BAI01 1.0 1.0 2.0 2.5
BAI02 1.0 1.0 3.0 3.0
BAI03 1.0 1.0 3.0 3.0
BAI04 1.0 2.5 1.5 2.0
BAI05 1.0 1.0 1.0 2.0
BAI06 1.0 2.5 1.0 2.0
BAI07 1.0 1.0 2.0 2.0
BAI08 1.0 1.0 1.0 2.0
BAI09 1.0 1.0 1.0 2.0
BAI10 1.0 1.5 1.0 2.0
BAI11 1.0 1.0 2.0 2.0
DSS01 1.0 3.5 1.0 3.0
DSS02 1.0 3.0 1.5 3.0



DSS03 1.0 3.0 1.5 3.5
DSS04 1.0 3.0 1.5 3.5
DSS05 1.5 2.5 1.5 3.5
DSS06 1.0 1.0 1.0 2.5
MEA01 1.0 1.0 1.0 2.0
MEA02 1.0 1.0 1.0 2.0
MEA03 1.0 1.0 1.0 1.5
MEA04 1.0 1.0 1.0 2.0


Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT

Input Section—Importance of Sourcing Model for IT

Value Importance (100%) Baseline
Outsourcing 60% 33%
Cloud 10% 33%
Insourced 30% 34%

Average
Stdev
Correction Factor 1.00

[Chart: Design Factor 8 IT Sourcing Model (Input); Outsourcing 60%, Cloud 10%, Insourced 30%]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective   Score   Baseline Score   Relative Importance
EDM01 1.00 1.00 0
EDM02 1.00 1.00 0
EDM03 1.10 1.33 -15
EDM04 1.00 1.00 0
EDM05 1.00 1.00 0
APO01 1.00 1.00 0
APO02 1.00 1.00 0
APO03 1.00 1.00 0
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.00 1.00 0
APO08 1.00 1.00 0
APO09 3.10 2.98 5
APO10 3.10 2.98 5
APO11 1.00 1.00 0
APO12 1.70 1.66 0
APO13 1.00 1.00 0
APO14 1.00 1.00 0
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.00 1.00 0
BAI05 1.00 1.00 0
BAI06 1.00 1.00 0
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.00 1.00 0
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 1.00 1.00 0
DSS03 1.00 1.00 0
DSS04 1.00 1.00 0
DSS05 1.00 1.00 0
DSS06 1.00 1.00 0
MEA01 2.40 2.32 5
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0

[Chart: Design Factor 8 Sourcing Model for IT, Resulting Governance/Management Objectives Importance; GAD "C"]


DF8 Outsourcing Cloud Insourcing


EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 4.0 4.0 1.0
APO10 4.0 4.0 1.0
APO11 1.0 1.0 1.0
APO12 2.0 2.0 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.0 1.0 1.0
DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 3.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods

Input Section—Importance of IT Implementation Methods

Value  Importance (100%)  Baseline
Agile  5%  15%
DevOps  20%  10%
Traditional  75%  75%

[Pie chart: Design Factor 9 IT Implementation Methods: Agile 5%, DevOps 20%, Traditional 75%]


Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01  1.00  1.00  0
EDM02  1.00  1.00  0
EDM03  1.00  1.00  0
EDM04  1.00  1.00  0
EDM05  1.00  1.00  0
APO01  1.00  1.00  0
APO02  1.00  1.00  0
APO03  1.20  1.10  10
APO04  1.00  1.00  0
APO05  1.00  1.00  0
APO06  1.00  1.00  0
APO07  1.10  1.05  5
APO08  1.00  1.00  0
APO09  1.00  1.00  0
APO10  1.00  1.00  0
APO11  1.00  1.00  0
APO12  1.10  1.05  5
APO13  1.00  1.00  0
APO14  1.00  1.00  0
BAI01  1.15  1.20  -5
BAI02  1.33  1.48  -10
BAI03  1.55  1.65  -5
BAI04  1.00  1.00  0
BAI05  1.18  1.28  -10
BAI06  1.33  1.48  -10
BAI07  1.38  1.38  0
BAI08  1.00  1.00  0
BAI09  1.00  1.00  0
BAI10  1.23  1.18  5
BAI11  1.08  1.23  -10
DSS01  1.30  1.15  15
DSS02  1.10  1.05  5
DSS03  1.10  1.05  5
DSS04  1.00  1.00  0
DSS05  1.00  1.00  0
DSS06  1.00  1.00  0
MEA01  1.13  1.13  0
MEA02  1.00  1.00  0
MEA03  1.00  1.00  0
MEA04  1.00  1.00  0

[Charts: Design Factor 9 IT Implementation Methods, Resulting Governance/Management Objectives Importance]


DF9 Agile DevOps Traditional


EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 1.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 2.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.5 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.0 1.0 1.0
APO11 1.0 1.0 1.0
APO12 1.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 2.0 1.5 1.0
BAI02 3.5 2.0 1.0
BAI03 4.0 3.0 1.0
BAI04 1.0 1.0 1.0
BAI05 2.5 1.5 1.0
BAI06 3.5 2.0 1.0
BAI07 2.5 2.5 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 2.0 1.0
BAI11 2.5 1.0 1.0
DSS01 1.0 2.5 1.0
DSS02 1.0 1.5 1.0
DSS03 1.0 1.5 1.0
DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.5 1.5 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy

Input Section—Importance of Technology Adoption Strategy

Value  Importance (100%)  Baseline
First mover  0%  15%
Follower  20%  70%
Slow adopter  80%  15%

[Pie chart: Design Factor 10 Technology Adoption Strategy: First mover 0%, Follower 20%, Slow adopter 80%]


Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01  1.70  2.50  -30
EDM02  1.70  2.58  -35
EDM03  1.00  1.08  -5
EDM04  1.60  2.00  -20
EDM05  1.00  1.08  -5
APO01  1.10  1.58  -30
APO02  1.80  2.93  -40
APO03  1.00  1.15  -15
APO04  1.40  2.85  -50
APO05  1.30  2.50  -50
APO06  1.10  1.35  -20
APO07  1.00  1.23  -20
APO08  1.10  1.65  -35
APO09  1.10  1.43  -25
APO10  1.10  1.58  -30
APO11  1.10  1.43  -25
APO12  1.10  1.50  -25
APO13  1.00  1.00  0
APO14  1.20  1.93  -40
BAI01  1.80  2.93  -40
BAI02  1.30  2.43  -45
BAI03  1.30  2.50  -50
BAI04  1.10  1.43  -25
BAI05  1.20  2.00  -40
BAI06  1.20  1.93  -40
BAI07  1.30  2.43  -45
BAI08  1.00  1.08  -5
BAI09  1.00  1.00  0
BAI10  1.00  1.08  -5
BAI11  1.30  2.43  -45
DSS01  1.00  1.00  0
DSS02  1.00  1.00  0
DSS03  1.00  1.08  -5
DSS04  1.00  1.08  -5
DSS05  1.00  1.08  -5
DSS06  1.00  1.00  0
MEA01  1.20  2.00  -40
MEA02  1.00  1.00  0
MEA03  1.00  1.00  0
MEA04  1.00  1.00  0

[Charts: Design Factor 10 Technology Adoption Strategy, Resulting Governance/Management Objectives Importance]


DF10 First Mover Follower Slow Adopter


EDM01 3.5 2.5 1.5
EDM02 4.0 2.5 1.5
EDM03 1.5 1.0 1.0
EDM04 2.5 2.0 1.5
EDM05 1.5 1.0 1.0
APO01 2.5 1.5 1.0
APO02 4.0 3.0 1.5
APO03 2.0 1.0 1.0
APO04 4.0 3.0 1.0
APO05 4.0 2.5 1.0
APO06 1.0 1.5 1.0
APO07 2.5 1.0 1.0
APO08 3.0 1.5 1.0
APO09 1.5 1.5 1.0
APO10 2.5 1.5 1.0
APO11 1.5 1.5 1.0
APO12 2.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 2.5 2.0 1.0
BAI01 4.0 3.0 1.5
BAI02 3.5 2.5 1.0
BAI03 4.0 2.5 1.0
BAI04 1.5 1.5 1.0
BAI05 3.0 2.0 1.0
BAI06 2.5 2.0 1.0
BAI07 3.5 2.5 1.0
BAI08 1.5 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 1.0 1.0
BAI11 3.5 2.5 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.5 1.0 1.0
DSS04 1.5 1.0 1.0
DSS05 1.5 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 2.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0



Governance and Management Objectives Importance (All Design Factors)

Objective  Importance
EDM01  -45
EDM02  -65
EDM03  -20
EDM04  -30
EDM05  15
APO01  -35
APO02  -60
APO03  0
APO04  -100
APO05  -65
APO06  -30
APO07  -5
APO08  -40
APO09  -30
APO10  -25
APO11  -10
APO12  0
APO13  10
APO14  -35
BAI01  -40
BAI02  -55
BAI03  -50
BAI04  -55
BAI05  -20
BAI06  -50
BAI07  -15
BAI08  0
BAI09  65
BAI10  30
BAI11  -70
DSS01  -5
DSS02  5
DSS03  10
DSS04  -30
DSS05  5
DSS06  15
MEA01  -30
MEA02  10
MEA03  15
MEA04  10

GAD "C"

Initial Summary—Governance and Management Objectives Importance

EDM01—Ensured Governance Framework Setting & Maintenance  0
EDM02—Ensured Benefits Delivery  -20
EDM03—Ensured Risk Optimization  5
EDM04—Ensured Resource Optimization  -10
EDM05—Ensured Stakeholder Engagement  20
APO01—Managed I&T Management Framework  5
APO02—Managed Strategy  -10
APO03—Managed Enterprise Architecture  25
APO04—Managed Innovation  -40
APO05—Managed Portfolio  -5
APO06—Managed Budget & Costs  -5
APO07—Managed Human Resources  15
APO08—Managed Relationships  5
APO09—Managed Service Agreements  5
APO10—Managed Vendors  5
APO11—Managed Quality  25
APO12—Managed Risk  35
APO13—Managed Security  35
APO14—Managed Data  15
BAI01—Managed Programs  15
BAI02—Managed Requirements Definition  10
BAI03—Managed Solutions Identification & Build  15
BAI04—Managed Availability & Capacity  -25
BAI05—Managed Organizational Change  40
BAI06—Managed IT Changes  15
BAI07—Managed IT Change Acceptance and Transitioning  45
BAI08—Managed Knowledge  15
BAI09—Managed Assets  100
BAI10—Managed Configuration  60
BAI11—Managed Projects  -15
DSS01—Managed Operations  5
DSS02—Managed Service Requests & Incidents  35
DSS03—Managed Problems  50
DSS04—Managed Continuity  -10
DSS05—Managed Security Services  5
DSS06—Managed Business Process Controls  45
MEA01—Managed Performance and Conformance Monitoring  15
MEA02—Managed System of Internal Control  25
MEA03—Managed Compliance with External Requirements  10
MEA04—Managed Assurance  20

[Radar charts: Resulting Governance/Management Objectives Importance for Design Factor 2 Enterprise Goals, Design Factor 3 Risk Profile and Design Factor 4 IT-Related Issues]


Governance and Management Objectives Importance (All Design Factors)

EDM01—Ensured Governance Framework Setting & Maintenance  -45
EDM02—Ensured Benefits Delivery  -65
EDM03—Ensured Risk Optimization  -20
EDM04—Ensured Resource Optimization  -30
EDM05—Ensured Stakeholder Engagement  15
APO01—Managed I&T Management Framework  -35
APO02—Managed Strategy  -60
APO03—Managed Enterprise Architecture  0
APO04—Managed Innovation  -100
APO05—Managed Portfolio  -65
APO06—Managed Budget & Costs  -30
APO07—Managed Human Resources  -5
APO08—Managed Relationships  -40
APO09—Managed Service Agreements  -30
APO10—Managed Vendors  -25
APO11—Managed Quality  -10
APO12—Managed Risk  0
APO13—Managed Security  10
APO14—Managed Data  -35
BAI01—Managed Programs  -40
BAI02—Managed Requirements Definition  -55
BAI03—Managed Solutions Identification & Build  -50
BAI04—Managed Availability & Capacity  -55
BAI05—Managed Organizational Change  -20
BAI06—Managed IT Changes  -50
BAI07—Managed IT Change Acceptance and Transitioning  -15
BAI08—Managed Knowledge  0
BAI09—Managed Assets  65
BAI10—Managed Configuration  30
BAI11—Managed Projects  -70
DSS01—Managed Operations  -5
DSS02—Managed Service Requests & Incidents  5
DSS03—Managed Problems  10
DSS04—Managed Continuity  -30
DSS05—Managed Security Services  5
DSS06—Managed Business Process Controls  15
MEA01—Managed Performance and Conformance Monitoring  -30
MEA02—Managed System of Internal Control  10
MEA03—Managed Compliance with External Requirements  15
MEA04—Managed Assurance  10

[Radar charts: Resulting Governance/Management Objectives Importance for Design Factor 5 Threat Landscape, Design Factor 6 Compliance Requirements, Design Factor 7 Role of IT, Design Factor 8 Sourcing Model for IT, Design Factor 9 IT Implementation Methods and Design Factor 10 Technology Adoption Strategy]
