
The Self-assessment Guide is provided as a 'stand-alone' guide, which can be used by enterprises to perform a less rigorous assessment of the capability of their IT processes. This may be a precursor to undertaking a more rigorous evidence-based assessment. The approach is based on the COBIT PAM used in the COBIT 5 Assessment Programme, but does not require evidentiary requirements in support of the assessment, nor does it require use of the COBIT PAM; sufficient information from the PAM and a full self-assessment template are provided, which simplifies the process without the need to reference the other two guides in the COBIT Assessment Programme.
© ISACA 2013 All rights reserved.
Instructions
1. It is recommended that the assessment be undertaken by a small team, or reviewed by a team of IT management and/or assessors, although independent assessors are not required for this.
2. Use the Process results tab (example in appendix A of the guide) to summarise the results of the assessments.
3. If a more rigorous assessment is required and/or evidentiary requirements are to be produced, use the full assessor guide and templates at 3. and 4. of the toolkit.
4. You are required to start at Level 1, because that is where the specific questions are asked about whether the process outcomes and process purpose are achieved.
5. At Level 1, for each process to be assessed, ask whether the process is achieving its outcomes; answer yes or no, and include any relevant comments that support your conclusion.
6. For Level 1 you can rate each of the outcomes, but the assessment approach requires an overall assessment rating at the process attribute level, PA 1.1.
7. At higher levels you are no longer looking at specific process outcomes but at the overall generic goals shown for each of the levels.
8. To pass a particular level the process must be rated Largely or Fully achieved; to move on to the next level all attributes of the current level must be rated Fully achieved. For example, if PA 2.1 is Largely achieved and PA 2.2 is Fully achieved, you are deemed to be at Level 2, but the overall Level 2 rating must be Fully achieved before you can be assessed at higher levels.
9. Use this process as a precursor to a more detailed assessment and not as the definitive assessment of your IT processes.
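The instructions above (start at PA 1.1, rate each attribute, pass a level on Largely or Fully, proceed to the next level only on Fully) together with the N/P/L/F percentage bands of the rating scale further down this page amount to a small decision procedure. The Python below is an added example that implements it; it is not part of the ISACA toolkit or of this assessment. The attribute identifiers per level follow the COBIT PAM (ISO/IEC 15504-2), and PA 5.2 for Level 5 is an assumption, since this page lists attributes only up to PA 5.1. The sample percentages at the bottom are constructed.

```python
"""Capability-level determination for a COBIT 5 PAM-style self-assessment.

Added example implementing the rating bands and the level rule described on
the page. Not part of the ISACA toolkit. PA 5.2 is assumed from the PAM.
"""
from __future__ import annotations

# Rating scale from the page: N 0-15 %, P >15-50 %, L >50-85 %, F >85-100 %.
RATING_ORDER = ("N", "P", "L", "F")

# Process attributes that must be rated at each capability level.
# Assumption: PA 5.2 (Process Optimisation) completes Level 5 as in the PAM.
PROCESS_ATTRIBUTES: dict[int, tuple[str, ...]] = {
    1: ("PA1.1",),
    2: ("PA2.1", "PA2.2"),
    3: ("PA3.1", "PA3.2"),
    4: ("PA4.1", "PA4.2"),
    5: ("PA5.1", "PA5.2"),
}


def rate(percent: float) -> str:
    """Map an achievement percentage to the N/P/L/F rating letter."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be within 0..100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(ratings: dict[str, str]) -> int:
    """Return the capability level (0-5) achieved by a process.

    ratings maps an attribute id (e.g. "PA2.1") to a letter N/P/L/F.
    Rule from the page: a level is passed when every attribute of that level
    is rated L or F; the next level is only assessed when every attribute of
    the current level is rated F. Attributes that were not assessed count as
    N, so an assessment that never looked at PA 1.1 yields Level 0.
    """
    for pa, letter in ratings.items():
        if letter not in RATING_ORDER:
            raise ValueError(f"{pa}: invalid rating {letter!r}, expected one of {RATING_ORDER}")
    level = 0
    for lvl in range(1, 6):
        letters = [ratings.get(pa, "N") for pa in PROCESS_ATTRIBUTES[lvl]]
        if not all(r in ("L", "F") for r in letters):
            break                       # this level is not passed
        level = lvl
        if not all(r == "F" for r in letters):
            break                       # passed, but not eligible for the next level
    return level


def level_from_percentages(achievement: dict[str, float]) -> int:
    """Rate each attribute's achievement percentage, then derive the level."""
    return capability_level({pa: rate(pct) for pa, pct in achievement.items()})


def gap_row(process_id: str, achievement: dict[str, float], target: int) -> dict:
    """One row of the page's capability As Is / To Be / Gap table."""
    as_is = level_from_percentages(achievement)
    return {"process": process_id, "as_is": as_is, "to_be": target, "gap": target - as_is}


if __name__ == "__main__":
    # The page's own worked example: PA 2.1 Largely, PA 2.2 Fully -> Level 2,
    # and not eligible to be assessed at Level 3.
    print(capability_level({"PA1.1": "F", "PA2.1": "L", "PA2.2": "F"}))
    # Constructed sample percentages for a process whose target is Level 5.
    sample = {"PA1.1": 95, "PA2.1": 90, "PA2.2": 88, "PA3.1": 92, "PA3.2": 86,
              "PA4.1": 70, "PA4.2": 60, "PA5.1": 20}
    print(gap_row("EDM03", sample, target=5))
```

Note that the band boundaries are inclusive at the upper end (exactly 15 % is N, exactly 85 % is L), which is how the rating scale on this page is written; a sheet that rounds percentages before rating will place borderline attributes differently.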
EDM01 RACI Chart

Key Governance Practices:
EDM01.01 Evaluate the governance system
EDM01.02 Direct the governance system
EDM01.03 Monitor the governance system

Role mapping used in this assessment (local role / COBIT 5 role):
Dean of the Faculty (Dekan Fakultas) / Board
Head of the Computer Systems study programme (Ketua Program Studi Sistem Komputer) / Chief Executive Officer
Head of the Information Systems study programme (Ketua Program Studi Sistem Informasi) / Chief Financial Officer
Head of the Information Technology study programme (Ketua Program Studi Teknologi Informasi) / Chief Operating Officer
Head of the Informatics Management study programme (Ketua Program Studi Manajemen Informatika) / Business Executive
Administrator / Business Process Owners
Students of the 2014 cohort (Mahasiswa Angkatan 2014) / Strategy Executive Committee
Students of the 2015 cohort (Mahasiswa Angkatan 2015) / Steering (Programmes/Projects) Committee
Students of the 2016 cohort (Mahasiswa Angkatan 2016) / Project Management Office
Students of the 2017 cohort (Mahasiswa Angkatan 2017) / Value Management Office
Students of the 2018 cohort (Mahasiswa Angkatan 2018) / Chief Risk Officer
Students of the 2019 cohort (Mahasiswa Angkatan 2019) / Chief Information Security Officer
The remaining COBIT 5 roles (Architecture Board, Enterprise Risk Committee, Head Human Resources, Compliance, Audit, Chief Information Officer, Head Architect, Head Development, Head IT Operations, Head IT Administration, Service Manager, Information Security Manager, Business Continuity Manager, Privacy Officer) have no local mapping.

RACI assignments (A = Accountable, R = Responsible, C = Consulted, I = Informed, "-" = no entry), given in the order EDM01.01 / EDM01.02 / EDM01.03:
Board: A / A / A
Chief Executive Officer: R / R / R
Chief Financial Officer: C / C / C
Chief Operating Officer: C / C / C
Business Executive: R / R / R
Business Process Owners: I / I / I
Strategy Executive Committee: R / R / R
Steering (Programmes/Projects) Committee: I / I / I
Project Management Office: I / I / I
Value Management Office: I / I / I
Chief Risk Officer: C / C / C
Chief Information Security Officer: I / I / I
Architecture Board: I / I / C
Enterprise Risk Committee: I / I / C
Head Human Resources: I / I / C
Compliance: C / C / C
Audit: C / C / C
Chief Information Officer: R / R / R
Head Architect: C / C / C
Head Development: I / I / C
Head IT Operations: I / I / C
Head IT Administration: I / I / -
Service Manager: I / I / -
Information Security Manager: I / I / -
Business Continuity Manager: I / I / -
Privacy Officer: I / I / -
PROCESS ASSESSMENT RESULTS

Process ID / Process Name

Processes for Governance of Enterprise IT - Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency

Align, Plan and Organise
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
Figure 5 - COBIT 5 IT-related Goals
IT BSC Dimension / Information and Related Technology Goal

Financial
01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realised benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk

Customer
07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions

Internal
09 IT agility
10 Security of information, processing infrastructure and applications
11 Optimisation of IT assets, resources and capabilities
12 Enablement and support of business processes by integrating applications and technology into business processes
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14 Availability of reliable and useful information for decision making
15 IT compliance with internal policies

Learning and Growth
16 Competent and motivated business and IT personnel
17 Knowledge, expertise and initiatives for business innovation
Figure 22 - Mapping COBIT 5 Enterprise Goals to IT-related Goals
Matrix: the 17 IT-related goals of Figure 5 (rows, grouped by IT BSC dimension: Financial, Customer, Internal, Learning and Growth) against the 17 COBIT 5 enterprise goals (columns 01-17, grouped by BSC dimension). Cell values: P = primary relationship, S = secondary relationship.

Enterprise goals (column headings):
Financial: 01 Stakeholder value of business investments; 02 Portfolio of competitive products and services; 03 Managed business risk (safeguarding of assets); 04 Compliance with external laws and regulations; 05 Financial transparency
Customer: 06 Customer-oriented service culture; 07 Business service continuity and availability; 08 Agile responses to a changing business environment; 09 Information-based strategic decision making; 10 Optimisation of service delivery costs
Internal: 11 Optimisation of business process functionality; 12 Optimisation of business process costs; 13 Managed business change programmes; 14 Operational and staff productivity; 15 Compliance with internal policies
Learning and Growth: 16 Skilled and motivated people; 17 Product and business innovation culture
Figure 23 - Mapping COBIT 5 IT-related Goals to Processes (cont.)
Matrix: the 37 COBIT 5 processes (rows, grouped by domain: Evaluate, Direct and Monitor; Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; Monitor, Evaluate and Assess) against the 17 IT-related goals of Figure 5 (columns 01-17, grouped by IT BSC dimension). Cell values: P = primary relationship, S = secondary relationship.
Enterprise Goals

BSC Dimension / No / Enterprise Goal / Enterprise business goal as interpreted for this assessment
Financial / 4 / Compliance with external laws and regulations / Following the Minister of Education's regulations on the rules and policies of the learning system.
Customer / 6 / Customer-oriented service culture / Creating satisfaction with all the facilities, services and information that have been provided.
Customer / 9 / Information-based strategic decision making / Creating a decision-making process that is adapted to the needs of the system, by coordinating with the parties concerned to keep the system running.
Internal / 15 / Compliance with internal policies / Providing a forum for good coordination among the leadership to keep the management of the system running.
Learning and Growth / 16 / Skilled and motivated people / Providing users with a means of obtaining information easily.

IT-related Goals

IT BSC Dimension / No / Information and Related Technology Goal / IT goal as interpreted for this assessment
Financial / 2 / IT compliance and support for business compliance with external laws and regulations / Making it easier to display data, to recapitulate learning results and to control their implementation.
Internal / 9 / IT agility / Reducing errors in the system.
Internal / 10 / Security of information, processing infrastructure and applications / Every student's data is guaranteed to be kept confidential, since it concerns personal matters in the conduct of lectures.
Internal / 11 / Optimisation of IT assets, resources and capabilities / Optimising competent human resources in the management of the system.
Internal / 12 / Enablement and support of business processes by integrating applications and technology into business processes / Making the transfer of data, or access to data, faster.
Internal / 13 / Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards / Creating management that is beneficial and useful to every user, and consistent with what is obtained.
Internal / 14 / Availability of reliable and useful information for decision making / Providing accurate information to every student.
Internal / 15 / IT compliance with internal policies / Following the directions and regulations previously coordinated among the leadership.
Learning and Growth / 16 / Competent and motivated business and IT personnel / Empowering the IT staff who will later handle errors and system updates so that the standard is met.
Process Capability Levels

Level 0, Incomplete process: the IT governance process is not implemented, or fails to achieve its process purpose.
Level 1, Performed process: the process is carried out ad hoc and in an unorganised way, and is therefore highly dependent on the ability of individuals.
Level 2, Managed process: the performed process is planned, monitored, documented and adjusted so that it meets the objectives identified beforehand.
Level 3, Established process: the previously implemented process is carried out on the basis of a standard process in order to achieve the outcomes of that process. The process is documented and communicated for the sake of organisational efficiency.
Level 4, Predictable process: the previously implemented process is now operated within defined limits to achieve the output it produces. At this level the process is monitored, measured and predicted.
Level 5, Optimising process: the process is continuously improved to achieve the organisation's goals.

Rating Scale

Abbreviation / Achieved / Description
N / Not achieved (0-15% achievement) / The IT governance assessment criteria are not met
P / Partially achieved (>15-50% achievement) / The IT governance assessment criteria are partially met
L / Largely achieved (>50-85% achievement) / The IT governance process criteria are largely met
F / Fully achieved (>85-100% achievement) / The IT governance process criteria are fully met (high score)

Capability Level Gap

Process / Capability level As Is / To Be / Gap
EDM03 / 4 / 5 / 1
APO01 / 4 / 5 / 1
APO13 / 3 / 5 / 2
DSS05 / 3 / 5 / 2
MEA02 / 3 / 5 / 2

Chart Title
Tingkat Kapabilitas As Is To Be
Kesenjangan
1
5

5 2

4 3
Figure 22 - Mapping COBIT 5 Enterprise Goals to IT-related Goals (extract for the goals selected in this assessment)
Matrix: IT-related goals 03, 07, 09, 11 and 15 (rows, grouped by IT BSC dimension) against enterprise goals 01, 02, 06, 08 and 10 (Financial and Customer) and 11, 12, 13, 15 and 17 (Internal and Learning and Growth) as columns. Cell values: P = primary relationship, S = secondary relationship.
Figure 13 - Mapping COBIT 5 Enterprise Goals to IT-related Goals (extract for the processes selected in this assessment)
Matrix: the selected processes EDM03 Ensure Risk Optimisation (Evaluate, Direct and Monitor), APO01 Manage the IT Management Framework and APO07 Manage Human Resources (Align, Plan and Organise), DSS05 Manage Security Services (Deliver, Service and Support) and MEA01 Monitor, Evaluate and Assess Performance and Conformance (Monitor, Evaluate and Assess) as rows, against IT-related goals 01, 02, 06 and 10 (Financial), 11, 13 and 15 (Internal) and 17 (Learning and Growth) as columns. Cell values: P = primary relationship, S = secondary relationship.
EDM03 Ensure Risk Optimisation
Purpose: Satisfy the business requirement of having stable, cost-effective, integrated and standard application systems, resources and capabilities that meet current and future business requirements.

Assess whether the following outcomes are achieved. Columns: Criteria | Criteria are met (Y/N) | Comment | Not achieved (0-15%) | Partially achieved (>15-50%) | Largely achieved (>50-85%) | Fully achieved (>85-100%)

Level 0, Incomplete: The process is not implemented, or fails to achieve its process purpose. At this level, there is little or no evidence of any achievement of the process purpose.

Level 1, Performed: PA 1.1 The implemented process achieves its process purpose. The following process outcomes are being achieved:
EDM03-O1 Risk thresholds are defined and communicated and key IT-related risks are known.
EDM03-O2 The enterprise is managing critical IT-related enterprise risks effectively and efficiently.
EDM03-O3 IT-related enterprise risks do not exceed risk appetite and the impact of IT risk to enterprise value is identified and managed.
Overall rating for the process (PA 1.1):
APO01 Manage the IT Management Framework
Purpose: Satisfy the business requirement of supplying accurate and timely control over current and future IT services, associated risks and responsibilities.

Assess whether the following outcomes are achieved. Columns: Criteria | Criteria are met (Y/N) | Comment | Not achieved (0-15%) | Partially achieved (>15-50%) | Largely achieved (>50-85%) | Fully achieved (>85-100%)

Level 0, Incomplete: The process is not implemented, or fails to achieve its process purpose. At this level, there is little or no evidence of any achievement of the process purpose.

Level 1, Performed: PA 1.1 The implemented process achieves its process purpose. The following process outcomes are being achieved:
APO01-O1 An up-to-date and effective IT control framework is defined and maintained.
- APO01-O1A The IT organisation structure is fully defined, including management structures, roles and responsibilities.
- APO01-O1B Operational and communication guidelines for the IT organisation are defined.
- APO01-O1C The ownership of information and systems is clearly defined.
- APO01-O1D The structure and processes of the IT organisation support the enterprise strategy and operating model.
APO01-O2 A set of policies is defined and maintained.
- APO01-O2A IT policies have been fully defined.
- APO01-O2B IT objectives and policies are understood and followed by all relevant staff and stakeholders.
APO01-O3 The IT control framework is effectively implemented and communicated.
- APO01-O3A Supporting enablers for the IT control framework are effectively implemented and communicated.
- APO01-O3B IT personnel and stakeholders understand their roles and responsibilities.
Overall rating for the process (PA 1.1):
APO07 Manage Human Resources
Purpose: Satisfy the business requirement of aligning available applications with business and security requirements, and doing so in a timely manner and at a reasonable cost.

Assess whether the following outcomes are achieved. Columns: Criteria | Criteria are met (Y/N) | Comment | Not achieved (0-15%) | Partially achieved (>15-50%) | Largely achieved (>50-85%) | Fully achieved (>85-100%)

Level 0, Incomplete: The process is not implemented, or fails to achieve its process purpose. At this level, there is little or no evidence of any achievement of the process purpose.

Level 1, Performed: PA 1.1 The implemented process achieves its process purpose. The following process outcomes are being achieved:
APO07-O1 The IT organisational structure and relationships are flexible and responsive.
- APO07-O1A The IT organisation structure provides the necessary roles and responsibilities to achieve organisational goals.
- APO07-O1B Risks of overdependence on key resources are mitigated.
APO07-O2 Human resources are effectively and efficiently managed.
- APO07-O2A The enterprise has sufficient human resources to achieve organisational goals.
- APO07-O2B Personnel have the required skills, competencies and abilities to achieve organisational goals.
- APO07-O2C Staff performance is regularly reviewed and evaluated.
- APO07-O2D Consultants and contract staff comply with policies and contractual agreements.
Overall rating for the process (PA 1.1):
DSS05 Manage Security Services
Purpose: Satisfy the business requirement of ensuring compliance with laws, regulations and contractual requirements.

Assess whether the following outcomes are achieved. Columns: Criteria | Criteria are met (Y/N) | Comment | Not achieved (0-15%) | Partially achieved (>15-50%) | Largely achieved (>50-85%) | Fully achieved (>85-100%)

Level 0, Incomplete: The process is not implemented, or fails to achieve its process purpose. At this level, there is little or no evidence of any achievement of the process purpose.

Level 1, Performed: PA 1.1 The implemented process achieves its process purpose. The following process outcomes are being achieved:
DSS05-O1 Networks and communications security meet business needs.
DSS05-O2 Information processed on, stored on and transmitted by endpoint devices is protected.
DSS05-O3 All users are uniquely identifiable and have access rights in accordance with their business role.
DSS05-O4 Physical measures to protect information from unauthorised access, damage and interference when being processed, stored or transmitted have been implemented.
DSS05-O5 Electronic information is properly secured when stored, transmitted or destroyed.
Overall rating for the process (PA 1.1):
MEA01 Monitor, Evaluate and Assess Performance and Conformance
Purpose: Satisfy the business requirement of integrating IT governance with enterprise governance and complying with laws, regulations and contracts.

Assess whether the following outcomes are achieved. Columns: Criteria | Criteria are met (Y/N) | Comment | Not achieved (0-15%) | Partially achieved (>15-50%) | Largely achieved (>50-85%) | Fully achieved (>85-100%)

Level 0, Incomplete: The process is not implemented, or fails to achieve its process purpose. At this level, there is little or no evidence of any achievement of the process purpose.

Level 1, Performed: PA 1.1 The implemented process achieves its process purpose. The following process outcomes are being achieved:
MEA01-O1 Stakeholders approve the goals and metrics.
MEA01-O2 Processes are measured against agreed-upon goals and metrics.
MEA01-O3 The enterprise monitoring, assessing and informing approach is effective and operational.
MEA01-O4 Goals and metrics are integrated within enterprise monitoring systems.
MEA01-O5 Process reporting on performance and conformance is useful and timely.
Overall rating for the process (PA 1.1):
Assess whether the
Criteria Are Partially Largely
following outcomes are Criteria Comment
Met Y/N Not achieved Achieved Achieved
achieved. (0-15%) (15% -50%) (50% - 85%)
Level 2 PA 2.1 Performance As a result of full achievement
Managed Management - A measure of this attribute:
of the extent to which the
performance of the process
is managed. a)       Objectives for the
performance of the process
are identified.

b)       Performance of the


process is planned and
monitored.

c)        Performance of the


process is adjusted to meet
plans.

d)       Responsibilities and


authorities for performing
the process are defined,
assigned and
communicated.

e)       Resources and


information necessary for
performing the process are
identified, made available,
allocated and used.

f)        Interfaces  between 


the  involved  parties  are 
managed  to  ensure  both 
effective  communication 
and  also clear assignment of
responsibility.

PA 2.2 Work Product As a result of full achievement


Management - A measure of this attribute:
of the extent to which the
work products produced by
the process are a)       Requirements for the
appropriately managed. work products of the
The work products (or process are defined.
outputs from the process)
are defined and controlled.

b)       Requirements for


documentation and control
of the work products are
defined.

c)        Work products are


appropriately identified,
documented, and
controlled.
d)       Work products are
reviewed in accordance with
planned arrangements and
adjusted as necessary to
meet requirements.

Level 3 PA 3.1 Process Definition - As a result of full achievement


Established A measure of the extent to of this attribute:
which a standard process is
maintained to support the
deployment of the defined a)       A standard process,
process. including appropriate
tailoring guidelines, is
defined that describes the
fundamental elements that
must be incorporated into a
defined process.

b)       The sequence and


interaction of the standard
process with other
processes is determined.

c)        Required
competencies and roles for
performing a process are
identified as part of the
standard process.

d)       Required
infrastructure and work
environment for
performing a process are
identified as part of the
standard process.

e)       Suitable methods for


monitoring the effectiveness
and suitability of the process
are determined.

PA 3.2 Process Deployment As a result of full achievement


- A measure of the extent of this attribute:
to which the standard
process is effectively
deployed as a defined a)       A defined process is
process to achieve its deployed based upon an
process outcomes. appropriately selected
and/or tailored standard
process.

b)       Required roles,


responsibilities and
authorities for performing
the defined process are
assigned and
communicated.
c)        Personnel performing
the defined process are
competent on the basis of
appropriate education,
training, and experience.

d)       Required resources


and information necessary
for performing the defined
process are made
available, allocated and
used.

e)       Required
infrastructure and work
environment for
performing the defined
process are made
available, managed and
maintained.

f)        Appropriate data are


collected and analysed as
a basis for understanding
the behaviour of, and to
demonstrate the suitability
and effectiveness of the
process, and to evaluate
where continuous
improvement of the process
can be made.

Level 4 Predictable

PA 4.1 Process Measurement - A measure of the extent to which measurement results are used to ensure that performance of the process supports the achievement of relevant process performance objectives in support of defined business goals.

As a result of full achievement of this attribute:

a) Process information needs in support of relevant defined business goals are established.

b) Process measurement objectives are derived from process information needs.

c) Quantitative objectives for process performance in support of relevant business goals are established.

d) Measures and frequency of measurement are identified and defined in line with process measurement objectives and quantitative objectives for process performance.

e) Results of measurement are collected, analysed and reported in order to monitor the extent to which the quantitative objectives for process performance are met.

f) Measurement results are used to characterise process performance.

PA 4.2 Process Control - A measure of the extent to which the process is quantitatively managed to produce a process that is stable, capable and predictable within defined limits.

As a result of full achievement of this attribute:

a) Analysis and control techniques are determined and applied where applicable.

b) Control limits of variation are established for normal process performance.

c) Measurement data are analysed for special causes of variation.

d) Corrective actions are taken to address special causes of variation.

e) Control limits are re-established (as necessary) following corrective action.

Level 5 Optimizing

PA 5.1 Process innovation - A measure of the extent to which changes to the process are identified from analysis of common causes of variation in performance, and from investigations of innovative approaches to the definition and deployment of the process.

As a result of full achievement of this attribute:

a) Process improvement objectives for the process are defined that support the relevant business goals.

b) Appropriate data are analysed to identify common causes of variations in process performance.

c) Appropriate data are analysed to identify opportunities for best practice and innovation.

d) Improvement opportunities derived from new technologies and process concepts are identified.

e) An implementation strategy is established to achieve the process improvement objectives.

PA 5.2 Process optimisation - A measure of the extent to which changes to the definition, management and performance of the process result in effective impact that achieves the relevant process improvement objectives.

As a result of full achievement of this attribute:

a) Impact of all proposed changes is assessed against the objectives of the defined process and standard process.

b) Implementation of all agreed changes is managed to ensure that any disruption to the process performance is understood and acted upon.

c) Based on actual performance, effectiveness of process change is evaluated against the defined product requirements and process objectives to determine whether results are due to common or special causes.

Fully Achieved (85-100%)
Figure 22- Mapping COBIT 5 Enterprise Goals to IT-related Goals

Columns: Enterprise Goals, grouped by dimension
  Customer: 06 Customer-oriented service culture; 07 Business service continuity and availability; 08 Agile response to changing business environment; 09 Information-based strategic decision making; 10 Optimisation of service delivery costs
  Internal: 13 Manage business change programmes; 14 Operational and staff productivity; 15 Compliance with internal policies
  Learning and Growth: 16 Skilled and motivated people; 17 Product and business innovation culture

Rows: IT-related Goals (P = primary relationship, S = secondary relationship; marks are shown in extracted order, as column positions are not preserved in this copy)
  02 IT compliance and support for business compliance with external laws and regulations: P
  Internal
  10 Security of information, processing infrastructure and applications: P P
  11 Optimisation of IT asset, resource and capabilities: S P S S S
  13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standard: S S P
  14 Availability of reliable and useful information for decision making: P P
  15 IT compliance with internal policies: P
  Learning and Growth
  16 Competent and motivated business and IT personnel: S S P P S
  17 Knowledge, expertise and initiatives for business innovation: S P S S S P
Figure 13- Mapping COBIT 5 Enterprise Goals to IT-related Goals

Columns: IT-related Goals, grouped by dimension
  Internal: 10 Security of information, processing infrastructure and applications; 11 Optimisation of IT asset, resource and capabilities; 13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standard; 14 Availability of reliable and useful information for decision making; 15 IT compliance with internal policies
  Learning and Growth: 16 Competent and motivated business and IT personnel; 17 Knowledge, expertise and initiatives for business innovation

Rows: COBIT 5 Processes (P = primary relationship, S = secondary relationship; marks are shown in extracted order, as column positions are not preserved in this copy)

Evaluate, Direct and Monitor
  EDM01 Ensure Governance Framework Setting and Maintenance: S S S S S S S
  EDM02 Ensure Benefits Delivery: S S S S P
  EDM03 Ensure Risk Optimisation: P S S P S S
  EDM04 Ensure Resource Optimisation: P S P S
  EDM05 Ensure Stakeholder Transparency: S S S S

Align, Plan and Organise
  APO01 Manage the IT Management Framework: S P S S P P P
  APO02 Manage Strategy: S S S S S P
  APO03 Manage Enterprise Architecture: S P S S
  APO04 Manage Innovation: P S P
  APO05 Manage Portfolio: S P S
  APO06 Manage Budget and Costs: S S
  APO07 Manage Human Resources: S P P S P P
  APO08 Manage Relationships: S S S S P
  APO09 Manage Service Agreements: S S S P S
  APO10 Manage Suppliers: S S S S S S
  APO11 Manage Quality: S P S S S S
  APO12 Manage Risk: P P S S S S
  APO13 Manage Security: P P

Build, Acquire and Implement
  BAI01 Manage Programmes and Projects: S P S S
  BAI02 Manage Requirements Definition: S S S S S
  BAI03 Manage Solutions Identification and Build: S S S S
  BAI04 Manage Availability and Capacity: P S P S
  BAI05 Manage Organisational Change Enablement: S P P
  BAI06 Manage Changes: P S S S S S
  BAI07 Manage Change Acceptance and Transitioning: S S S S
  BAI08 Manage Knowledge: S S S S P
  BAI09 Manage Assets: S P S S
  BAI10 Manage Configuration: S P P S

Deliver, Service and Support
  DSS01 Manage Operations: S P S S S S
  DSS02 Manage Service Requests and Incidents: S S S S
  DSS03 Manage Problems: P P S S
  DSS04 Manage Continuity: S S P S S S
  DSS05 Manage Security Services: P S S S
  DSS06 Manage Business Process Controls: S S S S S S

Monitor, Evaluate and Assess
  MEA01 Monitor, Evaluate and Assess Performance and Conformance: S P S S P S S
  MEA02 Monitor, Evaluate and Assess the System of Internal Control: S S P S
  MEA03 Monitor, Evaluate and Assess Compliance with External Requirements: S S S
