Relative importance: Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the baseline and the current situation, as determined by the values given to the design factor at hand.
Step 2: Determine the initial scope of the Governance System
Step 3: Refine the scope of the Governance System
Step 4: Conclude the Scope of the Governance System
Design Factors: Enterprise Strategy, Enterprise Goals, Risk Profile, I&T-Related Issues, Threat Landscape, Compliance Req's, Role of IT, Sourcing Model for IT, IT Implementation Methods, Technology Adoption Strategy
Initial Scope: Governance/Management Objectives Score
Refined Scope: Governance/Management Objectives Score
Adjustment (between -100 and +100)
Reason
Concluded Scope: Governance/Management Objectives Priority
Suggested Target Capability Level
Agreed Target Capability Level
Reason
Weight 1 1 1 1 1 1 1 1 1 1
APO06—Managed Budget & Costs -20 -5 -20 -10 ### -50 0 0 25 0 0 -20 -20 -20 1 1
Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy
Input Section—Importance of Each Enterprise Strategy Archetype
5 1
Innovation/Differentiation
1
Client Service/Stability
Output Section—Resulting relative importance of each governance/management objective
Design Factor 1 Enterprise Strategy: Resulting Governance/Management Objectives Importance (Output)
Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM01 13 15 -5
EDM02 22 24 0
EDM03 14 15 0
EDM04 16.5 22.5 -20
EDM05 17.5 18 5
APO01 11 12 0
APO02 29 28.5 10
APO03 28 24 25
APO04 17 21 -10
APO05 31 33 0
APO06 16.5 22.5 -20
APO07 16 15 15
APO08 19.5 21 0
APO09 20.5 22.5 0
APO10 15 21 -20
APO11 20 21 5
APO12 16.5 18 0
APO13 15.5 16.5 0
APO14 11 12 0
BAI01 30 27 20
BAI02 11.5 13.5 -5
BAI03 11.5 13.5 -5
BAI04 17 18 5
BAI05 29.5 25.5 25
BAI06 19.5 19.5 10
BAI07 17 18 5
BAI08 16 19.5 -10
BAI09 11 12 0
BAI10 11 12 0
BAI11 28 27 15
DSS01 12.5 13.5 0
DSS02 20 21 5
DSS03 17 18 5
DSS04 20 21 5
DSS05 15.5 16.5 0
DSS06 12.5 13.5 0
MEA01 11 12 0
MEA02 11 12 0
MEA03 11 12 0
MEA04 11 12 0
[Charts: Design Factor 1 Enterprise Strategy, Resulting Governance/Management Objectives Importance (Output), bar chart and radar chart over EDM01 to MEA04, scale -100 to 100]
COBIT® 2019 Governance System Design Toolkit, 02/17/2023
© 2018 ISACA. All rights reserved. 645518342.xlsx
Design Factor 2 Enterprise Goals
Input Section—Importance of Each Enterprise Goal
Average 2.77
Stdev 1.31
Correction Factor 1.08
[Chart: Design Factor 2 Enterprise Goals (Input)]
EG05—Customer-oriented service culture
EG07—Quality of management information 2
EG08—Optimization of internal business process functionality 3
EG10—Staff skills, motivation and productivity
EG13—Product and business innovation 5
Output Section—Resulting relative importance of each governance/management objective
EG01—Agile portfolio of competitive products and services 4
EG02—Managed business risks 2
EG03—Compliance with external laws and regulations 2
EG04—Transparency and accuracy of financial information 1
EG05—Customer-oriented service culture 2
EG06—Business service continuity and availability 3
EG07—Quality of management information 2
EG08—Optimization of internal business process functionality 3
EG09—Optimization of business process costs 1
EG10—Staff skills, motivation and productivity 4
EG11—Compliance with internal policies 2
EG12—Managed business transformation programs 5
EG13—Product and business innovation 5
AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
IT compliance and Security of information, Enablement and Delivery of programs Competent and
support for business Managed Technology & Realized benefits from Quality of technology delivery of IT services Agility to turn business support of business Quality of IT motivated staff with Knowledge, expertise
compliance with Information related IT-enabled investments related financial in line with business requirements into processing processes by on time, on budget, and Management IT compliance with mutual understanding and initiatives for
infrastructure and meeting requirements internal policies
external laws and risks and services portfolio information requirements operational solutions Integrating applications Information of technology and business innovation
applications and quality standards
regulations and technology business.
8 7 20 8 21 23 8 34 29 7 10 10 23
EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04
Managed
Managed Managed IT Managed Managed Performance Managed Managed
Mapping Table AG-GMO Ensured Governance Managed Managed Managed Managed Managed Managed
Framework Setting & Ensured Benefits Delivery Ensured Risk Optimization Ensured Resource
Optimization
Ensured Stakeholder
Transparency
Managed IT Management Managed Strategy
Framework Managed Architecture Managed Innovation Managed Portfolio Managed Budget & Costs Managed
Resources
Human Managed Relationships Service Managed
Suppliers
Managed
Quality Managed Risk Information Managed
Data
Managed
Programs Requirements Solutions Managed IT
Identification Availability & Organizationa Changes
Change Managed
Acceptance & Knowledge
Managed
Assets
Managed Managed
Configuration Projects
Managed
Operations
Service
Requests &
Managed
Problems
Managed
Continuity Security Business
Process & System of
Internal
Compliance Managed
with External Internal Audit
Maintenance Agreements Security Definition & Build Capacity l Change Transitioning Incidents Services Controls Conformance Control Requirements
Monitoring
EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04
99 141 48 156 32 174 165 163 156 168 101 136 237 76 94 121 30 31 45 155 210 200 79 220 108 82 172 23 21 165 76 57 57 57 69 114 123 108 26 79
Baseline 99 114 63 129 63 180 132 135 120 141 117 108 189 63 78 132 36 39 78 129 174 165 69 183 90 69 135 51 18 138 63 54 54 54 81 105 135 135 39 111
Imp® 0 23 -24 20 -50 -4 25 20 30 19 -14 25 25 20 20 -9 -17 -21 -43 20 20 21 14 20 20 18 27 -55 16 19 20 5 5 5 -15 8 -9 -20 -34 -29
Design Factor 3 Risk Profile
Input Section—Importance of Each Generic IT Risk Category
Average 8.89
Stdev 5.06
Correction Factor 1.01
[Chart: input importance per risk category; surviving category labels: Environmental, Data & information management]
Output Section—Resulting relative importance of each governance/management objective
Design Factor 3 IT Risk Profile: Resulting Governance/Management Objectives Importance
Governance/Management Objective, Score, Baseline Score, Relative Importance
EDM03 180 162 10
EDM04 167 198 -15
EDM05 156 189 -15
APO01 366 324 15
APO02 134 144 -5
APO03 192 171 15
APO04 64 45 45
APO05 118 144 -15
APO06 118 153 -20
APO07 250 216 15
APO08 213 153 40
APO09 129 117 10
APO10 196 216 -10
APO11 128 99 30
APO12 132 90 50
APO13 155 99 60
APO14 263 198 35
BAI01 92 81 15
BAI02 134 117 15
BAI03 155 117 35
BAI04 12 9 35
BAI05 104 72 45
BAI06 192 135 45
[Charts: Design Factor 3 IT Risk Profile, Resulting Governance/Management Objectives Importance, bar chart and radar chart over EDM01 to MEA04, scale -100 to 100]
DF3 risk categories:
RISKCAT01 IT Investment Decision Making, Portfolio Definition & Maintenance
RISKCAT02 Program & Projects Life Cycle Management
RISKCAT03 IT Cost & Oversight
RISKCAT04 IT Expertise, Skills & Behavior
RISKCAT05 Enterprise/IT Architecture
RISKCAT06 IT Operational Infrastructure Incidents
RISKCAT07 Unauthorized Actions
RISKCAT08 Software Adoption/Usage Problems
RISKCAT09 Hardware Incidents
RISKCAT10 Software Failures
RISKCAT11 Logical Attacks (Hacking, Malware, etc.)
RISKCAT12 Third-Party/Supplier Incidents
RISKCAT13 Noncompliance
RISKCAT14 Geopolitical Issues
RISKCAT15 Industrial Action
RISKCAT16 Acts of Nature
RISKCAT17 Technology-Based Innovation
RISKCAT18 Environmental
RISKCAT19 Data & Information Management
DF3 RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19
EDM01 3.0 2.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 2.0 2.0
EDM02 3.0 2.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 3.0 1.0 3.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 3.0 0.0 4.0 3.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 2.0 0.0 0.0 2.0 3.0
EDM05 3.0 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 1.0 0.0 1.0 3.0 3.0 0.0 0.0 0.0 2.0 2.0
APO01 2.0 3.0 2.0 0.0 2.0 2.0 4.0 2.0 0.0 2.0 3.0 3.0 3.0 0.0 0.0 0.0 3.0 2.0 3.0
APO02 2.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 1.0 0.0 1.0 2.0 0.0 0.0 0.0 0.0 2.0 2.0 1.0
APO03 2.0 0.0 0.0 0.0 4.0 0.0 0.0 2.0 0.0 2.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 0.0 3.0
APO04 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0
APO05 4.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 2.0 3.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 4.0 0.0 2.0 2.0 0.0
APO08 0.0 0.0 0.0 2.0 2.0 0.0 0.0 4.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 2.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 0.0 2.0 3.0 0.0 0.0 0.0 2.0 2.0 3.0 2.0 2.0 4.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0
APO11 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0
APO12 0.0 0.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0
APO13 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 4.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0
APO14 0.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 0.0 3.0 0.0 2.0 4.0 2.0 0.0 4.0
BAI01 0.0 4.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI02 2.0 2.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI03 0.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI04 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0
BAI07 0.0 0.0 0.0 0.0 0.0 2.0 3.0 2.0 0.0 4.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI08 0.0 0.0 0.0 2.0 0.0 3.0 0.0 3.0 0.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 2.0
BAI09 0.0 0.0 0.0 0.0 0.0 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI10 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS01 0.0 0.0 0.0 0.0 0.0 4.0 3.0 0.0 4.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 3.0 2.0 3.0 2.0 2.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 3.0 1.0 4.0 0.0 3.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 3.0 3.0 0.0 3.0 0.0 4.0 0.0 2.0 0.0 3.0 4.0 0.0 0.0 2.0
DSS05 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 2.0 0.0 4.0 0.0 3.0 0.0 3.0 2.0 0.0 0.0 3.0
DSS06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 2.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0
MEA01 1.0 2.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 2.0 3.0 2.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0
MEA02 1.0 2.0 2.0 0.0 0.0 3.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0
MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0
Design Factor 4 I&T-Related Issues
Input Section—Importance of Each Generic I&T-Related Issue
I&T-Related Issue, Importance (1-3), Baseline
Frustration between different IT entities across the organization because of a perception of low contribution to business value 2
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
Service delivery problems by the IT outsourcer(s) 2
Failures to meet IT-related regulatory or contractual requirements 2
Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets 2
Regular issues with data quality and integration of data across various sources 2
[Chart: Design Factor 4 I&T-Related Issues, Importance of I&T-Related Issues (Input); scale: No Issue 0 1 2 3]
Output Section—Resulting relative importance of each governance/management objective
Frustration between different Frustration between business Significant IT-related Regular audit findings or Substantial hidden and rogue IT IT-enabled changes or Reluctance by board members, Complex IT operating model Obstructed or failed Gap between business and technical High level of end-user computing,
Duplications or overlaps Insufficient IT resources, staff creating (among other problems) a Business departments implementing
IT entities across the departments (i.e., the IT customer) incidents, such as data loss, Service delivery problems by Failures to meet IT-related other assessment reports spending, that is, IT spending by user between various initiatives with inadequate skills or projects frequently failing to executives or senior management and/or unclear decision implementation of new knowledge, which leads to business Regular issues with data lack of oversight and quality their own information solutions with Ignorance of and/or Inability to exploit new
DF4 organization because of a and the IT department because of security breaches, project the IT outsourcer(s) regulatory or contractual about poor IT performance departments outside the control of or other forms of wasted staff burnout / meet business needs and to engage with IT, or a lack of Excessively high cost of IT initiatives or innovations users and information and/or quality and integration of noncompliance with technologies or innovate
perception of low contribution failed initiatives or a perception of failure and application requirements or reported IT quality or the normal IT investment decision delivered late or over committed business sponsorship mechanisms for IT-related caused by the current IT technology specialists speaking data across various sources control over the applications that little or no involvement of the privacy regulations using I&T
to business value low contribution to business value errors, linked to IT service problems mechanisms and approved budgets resources dissatisfaction budget for IT decisions architecture and systems different languages are being developed and put in enterprise IT department
operation
EDM01 3.0 3.0 1.0 1.0 2.0 2.0 2.0 1.0 1.0 1.0 3.0 3.5 1.0 1.0 1.0 1.0 2.0 3.0 1.5 1.0 35
EDM02 2.5 3.0 1.0 1.0 1.5 2.5 2.0 1.5 0.5 2.5 1.5 1.0 3.0 2.0 1.0 1.0 2.0 2.0 1.0 2.5 35
EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24
EDM04 1.0 1.0 1.0 1.0 1.0 2.0 3.0 3.5 3.5 1.0 1.5 0.0 4.0 2.0 1.0 1.5 2.0 2.5 0.0 1.0 34
EDM05 1.0 1.0 1.0 1.0 1.5 2.0 1.0 1.0 0.0 1.0 3.0 1.5 1.5 0.5 0.0 0.5 1.0 1.0 1.0 0.0 21
APO01 2.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.5 4.0 1.0 2.0 1.0 1.0 1.5 2.0 0.5 1.0 28
APO02 1.5 1.5 1.5 1.5 1.0 1.5 1.0 1.0 0.0 1.0 2.5 0.5 0.5 1.5 1.5 0.5 2.0 2.0 0.0 2.5 25
APO03 1.0 1.5 1.0 2.0 0.5 1.5 2.0 1.5 1.0 3.5 0.5 0.5 1.0 4.0 1.0 3.5 2.0 3.0 0.0 2.0 33
APO04 1.0 1.0 1.0 1.0 0.5 0.5 0.5 0.5 0.0 0.0 0.5 1.0 0.5 2.0 1.0 0.0 0.5 0.5 0.0 4.0 16
APO05 3.0 3.0 1.0 1.5 2.0 2.0 1.5 3.5 0.5 2.0 2.0 1.5 2.0 1.0 0.5 0.0 2.5 2.5 0.0 2.0 34
APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31
APO07 1.5 1.0 1.0 1.0 1.0 1.5 2.0 2.0 4.0 1.0 0.0 0.0 1.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 24
APO08 2.5 2.0 1.0 2.5 1.5 1.0 2.5 2.0 1.5 1.0 3.0 1.0 0.5 1.0 4.0 1.0 3.0 3.5 0.0 0.5 35
APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22
APO10 1.0 1.0 2.0 4.0 1.5 1.5 1.5 0.0 1.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 0.5 2.0 1.0 0.0 20
APO11 1.0 1.0 3.0 1.5 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.5 0.5 3.0 2.0 2.0 0.0 1.0 22
APO12 1.0 0.5 2.5 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.0 1.0 1.0 1.0 2.0 1.0 1.5 2.5 1.0 26
APO13 0.0 0.0 3.5 1.0 2.0 1.0 0.0 1.0 0.0 0.5 0.0 0.0 0.0 0.0 0.0 1.5 2.0 1.0 2.0 1.0 17
APO14 1.0 1.5 3.0 1.0 2.5 1.5 1.0 1.5 0.0 1.5 0.0 0.0 0.5 2.5 0.5 4.0 2.5 2.0 3.0 0.5 30
BAI01 0.0 1.0 1.5 0.0 0.0 0.0 0.0 3.0 1.0 3.5 0.0 0.0 1.5 0.5 1.0 0.0 1.5 2.0 0.0 1.0 18
BAI02 0.0 3.0 0.0 0.0 0.5 2.0 0.0 2.0 0.0 3.5 0.0 1.0 1.0 2.0 2.0 1.5 2.5 3.0 0.5 1.0 26
BAI03 1.0 2.0 2.0 0.0 0.0 2.0 0.0 1.0 0.0 3.0 0.0 0.5 1.0 1.0 1.0 0.5 2.0 2.0 1.0 0.5 21
BAI04 0.5 0.0 2.0 3.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 0.0 1.0 1.0 1.0 0.0 0.5 12
BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14
BAI06 0.0 0.0 2.5 3.0 0.5 1.5 0.0 1.0 0.0 1.5 0.0 1.0 0.5 1.0 0.5 2.0 2.0 2.0 1.0 1.0 21
BAI07 0.0 1.0 2.0 2.0 0.5 1.5 0.0 0.5 0.0 2.0 0.0 1.0 0.0 1.0 0.5 2.0 2.0 2.0 0.0 1.0 19
BAI08 0.0 0.0 0.0 1.5 0.5 0.5 0.0 1.0 2.0 0.5 0.0 0.5 0.0 1.0 3.0 2.0 1.0 1.5 0.0 0.5 16
BAI09 0.5 0.5 1.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 0.0 1.0 1.5 0.0 0.0 12
BAI10 0.0 0.0 2.5 2.0 0.5 0.0 0.0 0.5 0.0 0.0 0.0 0.0 1.0 1.5 0.0 1.5 1.0 2.0 0.0 0.0 13
BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 0.0 1.5 2.0 0.5 0.0 1.0 1.5 0.0 0.5 23
EDM04 0
EDM05 -65
APO01 15
APO02 40
APO03 70
APO04 90
APO05 10
APO06 -50
APO07 75
APO08 75
APO09 30
APO10 -10
APO11 20
APO12 35
APO13 30
APO14 -15
BAI01 75
BAI02 40
BAI03 45
BAI04 45
BAI05 100
BAI06 80
BAI07 55
BAI08 60
BAI09 -25
BAI10 60
BAI11 85
DSS01 10
DSS02 30
DSS03 30
DSS04 20
DSS05 -5
DSS06 35
MEA01 5
MEA02 -25
MEA03 -35
MEA04 -15
Design Factor 5 Threat Landscape
Average
Stdev
Correction Factor 1.00
High Normal
25%
75%
Output Section—Resulting relative importance of each governance/management objective
Design Factor 6 Compliance Requirements
Average
Stdev
High Normal Low
25%
75%
Output Section—Resulting relative importance of each governance/management objective
Design Factor 7 Role of IT
Average 2.25
Stdev 1.64
Correction Factor 1.33
Support 1
Factory 1
Turnaround 2
Strategic 5
Output Section—Resulting relative importance of each governance/management objective
Design Factor 8 Sourcing Model for IT
Input Section—Importance of Sourcing Model for IT
20%
30%
50%
Output Section—Resulting relative importance of each governance/management objective
Design Factor 9 IT Implementation Methods
40%
50%
10%
Output Section—Resulting relative importance of each governance/management objective
Design Factor 10 Technology Adoption Strategy
Input Section—Importance of Technology Adoption Strategy
10%
15%
75%
Output Section—Resulting relative importance of each governance/management objective
DSS04—Managed Continuity 20
DSS05—Managed Security Services -5
DSS06—Managed Business Process Controls 35
MEA01—Managed Performance and Conformance Monitoring 5
MEA02—Managed System of Internal Control -25
MEA03—Managed Compliance with External Requirements -35
MEA04—Managed Assurance -15
[Radar charts: Design Factor 7 Role of IT, Design Factor 8 Sourcing Model for IT, Design Factor 9 IT Implementation Methods, Design Factor 10 Technology Adoption Strategy; each titled Resulting Governance/Management Objectives Importance, over EDM01 to MEA04, scale -100 to 100]
EDM05—Ensured Stakeholder Engagement 15
APO08—Managed Relationships 70
APO09—Managed Service Agreements 40
APO10—Managed Vendors 50
APO11—Managed Quality 30
APO12—Managed Risk 80
APO13—Managed Security 60
BAI01—Managed Programs 70
BAI05—Managed Organizational Change 95
BAI06—Managed IT Changes 100
BAI08—Managed Knowledge 55
BAI09—Managed Assets 0
BAI10—Managed Configuration 80
DSS04—Managed Continuity 70