
Auditing ethics, guidelines and standards of the profession: Control Objectives for Information and related Technology (COBIT)
•What is COBIT?
•COBIT governance principles
•COBIT enablers
•COBIT governance and management objectives
•COBIT processes that support the two categories of
objectives (37 to 40, e.g. APO14 Managed data, BAI11
Managed projects, MEA04 Managed assurance)
•COBIT on risk management, including disaster recovery plans
What is COBIT?
•A business framework for the governance and
management of enterprise IT.
•A framework for developing and implementing
strategies around information and related
technologies.
•A framework with which to enhance reliability of
Information Systems.
COBIT governance principles
•Meeting stakeholders’ needs
•Covering the enterprise end to end
•Applying a single integrated framework
•Enabling a holistic approach
•Separating governance from management
COBIT governance principles: Meeting
stakeholders’ needs
•The framework helps, through the governance and
management of enterprise IT, to create value for
the stakeholders
COBIT governance principles: Covering the
enterprise end to end
•The framework helps to view an enterprise as a whole
and as a set of related functional areas
•Where an issue in one functional area or section
affects another section, the framework provides
a means to handle it
COBIT governance principles: Applying a single
integrated framework
•The framework is designed to align and integrate with other
management frameworks and standards such as PRINCE2.
COBIT governance principles: Enabling a holistic
approach
•The framework enables an entity to be handled as one
complete unit.
•COBIT 5 uses 7 enablers (principles, policies and
frameworks; people, skills and competencies;
information; processes; services, infrastructure and
applications; culture, ethics and behaviour;
organisational structures)
COBIT governance principles: Separating
governance from management
• The framework calls for separate implementation of governance and
management practices.
• Governance objectives are to ensure stakeholders' needs are
evaluated and agreed upon in line with enterprise objectives; set
direction through prioritisation and decision making; and monitor
performance and compliance against the set direction and objectives.
• Management objectives are to align, plan and organise (APO); build,
acquire and implement (BAI); deliver, service and support (DSS); and monitor,
evaluate and assess (MEA).
Control Objectives for Information and related
Technology (COBIT) Cont…
•According to COBIT, IT resources (applications, information,
infrastructure and people) must be managed to ensure that the
organisation has the information it needs to achieve its objectives.
•COBIT also describes the qualities (information criteria) that this
information must exhibit in order to be of value to the
organisation: effectiveness, efficiency, confidentiality, integrity,
availability, compliance and reliability.
Control Objectives for Information and related
Technology (COBIT) Cont…
•COBIT groups IT control processes into four broad
domains:
•planning and organization,
•acquisition and implementation,
•delivery and support,
•monitoring.
Control Objectives for Information and related
Technology (COBIT): Planning and Organization Domain
Includes:-
•Development of strategy and tactics for an
organisation's information technology.
•Management communication of the strategic vision
to stakeholders.
•Management putting in place an IT organisation and
technology infrastructure that enables that vision,
while taking into account a SWOT analysis (strengths, weaknesses,
opportunities and threats).
Control Objectives for Information and related Technology
(COBIT): Planning and Organization Domain –Cont…

Summary processes:-
•Establish Strategic Vision for Information Technology
•Develop Tactics to Plan, Communicate, And Manage
Realization of the Strategic Mission
•Create positive control environment, such as instituting code
of ethics, Quality control, separation of duties, mandatory
leave days.
Control Objectives for Information and related
Technology (COBIT): acquisition and implementation
Includes:-
•processes to identify, develop or acquire, implement
IT solutions, and integrate them into the business
processes.
•Once installed, procedures must also be in place to
maintain and manage changes to existing systems.
Control Objectives for Information and related
Technology (COBIT): acquisition and implementation – cont…
Summary processes:-
• Acquire IT Solutions, adherence to SDLC, e.g. provide for preparation and
maintenance of service level requirements and application documentation to
ensure sustainable and effective use of the IT solution.
• Integrate IT Solutions into Operational Processes. The SDLC should provide
for a planned, tested, controlled, and approved conversion to the new system
• Manage Changes to Existing IT Systems. To ensure processing integrity
between versions of systems and to ensure consistency of results from period
to period, changes to IT infrastructure must be managed via change request,
impact assessment, documentation, authorization, release and distribution
policies, and procedures.
Control Objectives for Information and related
Technology (COBIT): delivery and support
Includes processes to :-
•Deliver required IT services,
•Ensure security and continuity of services,
•Set up support services, including training, and ensure
integrity of application data.
Failure of these processes can result in poor-quality information systems.
Control Objectives for Information and related
Technology (COBIT): monitoring
• Includes process to assess IT services for quality and to ensure
compliance with control requirements. Monitoring may be performed
as a self-assessment activity within an organizational unit.
• To ensure the achievement of IT process objectives, management
should establish a system for defining performance indicators (service
levels), gathering performance data, and generating performance
reports. Management should review these reports to measure progress
toward identified goals. Independent audits or evaluations should be
conducted on a regular basis.
ISO/IEC 27001:2013
•What is ISO/IEC 27001:2013?
What is ISO/IEC 27001:2013?
•ISO is a federation of national standards organisations
•ISO promotes global organisational standards
•ISO/IEC 27001 is one standard in the ISO/IEC 27000 family of
information security standards; it was first published in 2005
•ISO/IEC 27001 was jointly published by the International
Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC)
•ISO/IEC 27001 as revised in 2013 is ISO/IEC 27001:2013
What is ISO/IEC 27001:2013? (Cont...)
•ISO/IEC 27001 is the standard specifically for an information
security management system (ISMS)
•It establishes specific requirements against which the
management system can be assessed, verified and certified
by an accredited third-party auditor
What is ISO/IEC 27001:2013? (Cont...)
It details requirements for:
•Establishing,
•Implementing,
•Maintaining and
•Continually improving an information security management system (ISMS)
Optionally, a business can choose to be audited and
certified against ISO/IEC 27001
Requirements of ISO/IEC 27001:2013
•Systematic review of the organisation's information security risks
•Designing a comprehensive set of information security
controls and other forms of risk treatment, such as risk
avoidance and risk transfer.
•Implementing the controls
•Putting in place an overarching management process to
ensure the continued and sustainable effectiveness and
efficiency of the controls.
Why the standards?
•Most organisations do deploy security controls
•But the security controls are often implemented in a
disjointed way, each to address a specific risk.
•Also, in some cases, other information assets, such as
paper-based records, are not included in the security control
measures.
Class group work
Debate the following point: "Business continuity
planning is really an IT issue."
Discuss any two processes in each of the 4 domains of
COBIT. Who should carry out the process (internal staff
or outsourced, management or operational staff), and
why?
Thank you for your participation.