
Comparing COBIT 4.1 and COBIT 5

Robert E. Stroud, CGEIT, CRISC
ISACA Strategic Advisory Board
Vice President Strategy & Innovation
CA Technologies

© 2012 ISACA. All Rights Reserved.


Comparing COBIT 4.1 and COBIT 5
Abstract
COBIT 5 integrates Risk IT, Val IT, BMIS and COBIT 4.1 into a single business framework. This integrated approach facilitates more effective delivery of value to stakeholders from more appropriate and effective governance and management of enterprise IT assets. By now you are aware that COBIT 5 distinguishes between governance and management, but did you know that COBIT 5 is now organized around five governance of enterprise IT (GEIT) principles and seven enablers, delivers a new process reference model, covers enterprise activities end-to-end and much more? This session will provide you with information on the differences between COBIT 4.1 and COBIT 5 and the information you need to move forward with COBIT 5.


Robert E. Stroud, CRISC, CGEIT
• Vice President Strategy & Innovation
• Evangelist Service Management, Governance & Cloud Computing
• Immediate Past International Vice President ISACA/ITGI
• ISACA Strategic Advisory Council
• 15 years Banking Experience
• Contributor COBIT, Val IT and Risk IT
• Immediate Past Executive Board itSMF Intl., Treasurer and Director Audit Standards & Compliance
• Former Board Member USA itSMF
• Author, Public Speaker & Industry Geek

Where are we…

• COBIT 4.1, Val IT and Risk IT users who are already engaged in governance of enterprise IT (GEIT) implementation activities can transition to COBIT 5 and benefit from the latest and improved guidance
• COBIT 5 builds on previous versions of ISACA intellectual property (IP)

Stakeholder Value and Business Objectives
• Enterprises exist to create value for their stakeholders
• Consequently, any enterprise, commercial or not, will have value creation as a governance objective
• Value creation: realising benefits at an optimal resource cost while optimising risk

Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.

Stakeholder Value and Business Objectives
Principle 1. Meeting Stakeholder Needs:
• Stakeholder needs are transformed into an enterprise's actionable strategy
• The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals

Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.


Stakeholder Value and Business Objectives (cont.)
• Stakeholder needs can be related to a set of generic enterprise goals
• These enterprise goals have been developed using the Balanced Scorecard (BSC) dimensions (Kaplan, Robert S.; David P. Norton; The Balanced Scorecard: Translating Strategy into Action, Harvard Business School Press, USA, 1996)
• The enterprise goals are a list of commonly used goals that an enterprise may define for itself
• Although this list is not exhaustive, most enterprise-specific goals can be easily mapped onto one or more of the generic enterprise goals

Stakeholder Value and Business Objectives (cont.)

Source: COBIT® 5, figure 5. © 2012 ISACA® All rights reserved.


Stakeholder Value and Business Objectives (cont.)
• The goals cascade was introduced in COBIT 4.0 in 2005
• The goals cascade supports the COBIT 5 stakeholder needs principle
• The goals cascade has been revisited and updated for the COBIT 5 release

COBIT framework evolution

[Figure: evolution of COBIT scope from Audit (COBIT 1, 1996) through Control (COBIT 2, 1998), Management (COBIT 3, 2000) and IT Governance (COBIT 4.0/4.1, 2005/7) to Governance of Enterprise IT (COBIT 5, 2012), with Val IT 2.0 (2008) and Risk IT (2009) shown alongside.]

A business framework from ISACA: www.isaca.org/cobit

© 2012 ISACA® All rights reserved.
Governance and Management Defined
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (evaluate, direct and monitor: EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (plan, build, run and monitor: PBRM).

Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.


Areas of Change
• Major changes in COBIT 5 content:
  - New GEIT principles
  - Increased focus on enablers
  - New process reference model
  - New and modified processes
  - Practices and activities
  - Goals and metrics
  - Inputs and outputs
  - RACI charts
  - Process capability maturity models and assessments

New GEIT Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.


New GEIT Principles (cont.)
• The Val IT and Risk IT frameworks are principles-based
• Feedback indicated that principles are easy to understand and put into an enterprise context, allowing value to be derived from the supporting guidance more effectively
• ISO/IEC 38500 also incorporates principles to underpin its messages and achieve the same market benefit delivery
  - The principles in ISO/IEC 38500 and COBIT 5 differ

Focus on Enablers

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.


Increased Focus on Enablers
• Information, infrastructure, applications (services) and people (people, skills and competencies) were COBIT 4.1 resources
• Principles, policies and frameworks were mentioned in a few COBIT 4.1 processes
• Processes were central to COBIT 4.1
• Organisational structure was implied through the responsible, accountable, consulted or informed (RACI) roles and their definitions
• Culture, ethics and behaviour were mentioned in a few COBIT 4.1 processes

New Process Reference Model for COBIT 5
• Revised process reference model with a new governance domain
  - Several new and modified processes
  - Enterprise activities end-to-end
  - Business and IT function areas
• Aligns with current best practices, e.g., ITIL, TOGAF, PMBOK, ISO/IEC 27000, etc.
• The new model can be used as a guide for adjusting the enterprise's own process model as necessary

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
New and Modified Processes
• Five new governance processes that have leveraged and improved the COBIT 4.1, Val IT and Risk IT governance approaches
• This guidance:
  - Helps enterprises to further refine and strengthen executive management-level GEIT practices and activities
  - Supports GEIT integration with existing enterprise governance practices and is aligned with ISO/IEC 38500

New and Modified Processes
• Single process reference model

New and Modified Processes
• New and modified processes:
  - APO03 Manage enterprise architecture
  - APO04 Manage innovation
  - APO05 Manage portfolio
  - APO06 Manage budget and costs
  - APO08 Manage relationships
  - APO13 Manage security
  - BAI05 Manage organisational change enablement
  - BAI08 Manage knowledge
  - BAI09 Manage assets
  - DSS05 Manage security services
  - DSS06 Manage business process controls

New and Modified Processes
• COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view
• This provides more holistic and complete coverage of practices, reflecting the pervasive enterprise-wide nature of IT use
• The involvement, responsibilities and accountabilities of business stakeholders in the use of IT are made more explicit and transparent

Practices and Activities
• The COBIT 5 governance or management practices are equivalent to the COBIT 4.1 control objectives and the Val IT and Risk IT processes
  www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspx
• The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and the Val IT and Risk IT management practices
• COBIT 5 integrates and updates all of the previous content into the one new model, making it easier for users to understand and use this material when implementing improvements

Goals and Metrics
• COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view
• COBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals, which are then supported by critical processes
• COBIT 5 provides examples of goals and metrics at the enterprise, process and management practice levels. This is a change from COBIT 4.1, Val IT and Risk IT, which went down one level lower

Inputs and Outputs
• COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level
• Additional detailed guidance for designing processes to include essential work products and to assist with inter-process integration

RACI Charts
• COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT
• COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes

RACI Charts (cont.)

Source: COBIT® 4.1, page 39. © 2007 IT Governance Institute® All rights reserved.
Source: COBIT® 5: Enabling Processes, page 31. © 2012 ISACA® All rights reserved.
Process Capability Maturity Models and Assessments
• The COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modelling approach is terminated
• New process capability assessment approach based on ISO/IEC 15504 and the COBIT Assessment Programme
  www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
• The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IEC 15504 approach because the methods use different attributes and measurement scales

Process Capability Maturity Models and Assessments

[Figure: COBIT 4.1/5 process capability comparison]

© 2012 ISACA® All rights reserved.


Process Capability Maturity Models and Assessments
• The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method
• The COBIT Assessment Programme supports:
  - Formal assessments by accredited assessors
  - Less rigorous self-assessments for internal gap analysis and process improvement planning
• The COBIT Assessment Programme potentially enables an enterprise to obtain independent and certified assessments aligned to the ISO/IEC standard

Process Capability Maturity Models and Assessments
• COBIT Process Assessment Model (PAM): Using COBIT 4.1
  - Serves as a base reference document for the performance of a capability assessment of an organisation's current IT processes against COBIT
• COBIT Assessor Guide: Using COBIT 4.1
  - Provides details on how to undertake a full ISO-compliant assessment
• COBIT Self-assessment Guide: Using COBIT 4.1
  - Provides guidance on how to perform a basic self-assessment of an organisation's current IT process capability levels against COBIT processes

Process Capability Maturity Models and Assessments
• COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach will need to:
  - realign their previous ratings
  - adopt and learn the new method
  - initiate a new set of assessments

Process Capability Maturity Models and Assessments
• COBIT 4.1, Val IT and Risk IT users wishing to continue with the CMM-based approach, either as an interim or ongoing approach, can use the COBIT 5 guidance, but must use the COBIT 4.1 generic attribute table without the high-level maturity models.

COBIT 5 delivers value!
• COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner
• The COBIT 5 principles and enablers are generic and therefore generally applicable!
• A series of publications, education and online collaboration will drive COBIT forward!

COBIT 5 Product Family

Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.


COBIT 5 Future Supporting Products
• Professional Guides:
  - COBIT 5 for Information Security
  - COBIT 5 for Assurance
  - COBIT 5 for Risk
• Enabler Guides:
  - COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme:
  - Process Assessment Model (PAM): Using COBIT 5
  - Assessor Guide: Using COBIT 5
  - Self-assessment Guide: Using COBIT 5