04/16/2023

COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions

Terms & Definitions

Relative importance Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain
COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the
baseline and the current situation, as determined by the values given to the design factor at hand.

Instructions

Sheet
In this sheet all results of the impact assessment of the design factors are summarized. This is done in line with the governance system design flow explained in the
COBIT Design Guide.

Canvas The user can provide input in columns R/S to adjust the results of the automated calculations, taking into account the enterprise's specific context. When making
adjustments in column R, the spreadsheet expects an explanation in column S.

Sheet Input Section Output Section

In this sheet, the importance of different enterprise strategies can be described. The The output section of this sheet contains the calculated relative importance of
importance is expressed as an integer value between 1 (Not Important) and 5 each of the 40 COBIT 2019 Governance and Management Objectives
(Critical) and can be entered in cells C8-C11.

The chosen values are represented graphically in the two diagrams in the input
Description section. The diagrams depict the same information, one in a bar chart, the other in a
spider chart.

DF1
[Optional] Enter values between 1 and 5 expressing the importance or relevance of a) Observe the resulting importance scores for each of the 40
each of the given generic enterprise strategies for the user enterprise governance/management objectives.
b) [Optional] Use the graphic(s) for reporting the outcome of this step in the
governance system design process. Both diagrams contain the same
information but in a different representation. Use the one that suits you best.
User Action Required

Copyright ISACA 2018 658130091.xlsx Instructions—Page 1

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions

Description

DF2

User Action Required

Description

DF3

User Action Required

Description

DF4

User Action Required

Description

DF5

User Action Required

Copyright ISACA 2018 658130091.xlsx Instructions—Page 2

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions

Description

DF6

User Action Required

Description

DF7

User Action Required

Description

DF8

User Action Required

Description

DF9

User Action Required

Copyright ISACA 2018 658130091.xlsx Instructions—Page 3

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions

Description

DF10

User Action Required

Chart 1
Chart 2

Copyright ISACA 2018 658130091.xlsx Instructions—Page 4

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Canvas

Step 2: Determine the initial scope of the Governance System Step 3: Refine the scope of the Governance System Step 4: Conclude the Scope of the Governance System

Sourcing Refined Scope: Concluded Scope:

Design Factors: Enterprise Strategy Enterprise Risk Profile
IT-Related Initial Scope: Governance/ Threat
Compliance Req's
Role of Model IT Implementation Technology Adoption Strategy
Governance/ Adjustment Governance/ Suggested
Goals Issues Management Objectives Landscape IT for IT Methods (between -100 and Reason Target Capability Agreed Target Reason
Score Management Objectives +100) Management Objectives Level Capability Level
Score Priority
Weight 1 1 1 1 1 1 1 1 1 1

EDM01—Ensured Governance Framework Setting & 0 10 -5 -10 ### -5 50 15 35 0 0 30 45 45 2 2

Maintenance

EDM02—Ensured Benefits Delivery 5 35 15 -5 ### 45 0 0 30 0 0 40 40 40 2 2

EDM03—Ensured Risk Optimization 5 -15 10 -10 ### -10 65 25 15 15 0 25 45 45 2 2

EDM04—Ensured Resource Optimization -10 30 -15 5 ### 10 0 0 25 0 0 20 20 20 1 1

EDM05—Ensured Stakeholder Engagement 5 -45 -15 -15 ### -65 30 15 25 0 0 25 10 10 1 1

APO01—Managed I&T Management Framework 0 5 15 -5 ### 15 50 10 25 0 0 40 50 50 3 3

APO02—Managed Strategy 0 35 -5 5 ### 35 0 0 30 0 0 25 30 30 2 2

APO03—Managed Enterprise Architecture 0 30 15 5 ### 45 50 0 20 0 -10 50 55 55 3 3

APO04—Managed Innovation 0 40 45 20 ### 100 0 0 40 0 0 30 60 60 3 3

APO05—Managed Portfolio -5 30 -15 -5 ### 5 0 0 30 0 0 40 25 25 2 2

APO06—Managed Budget & Costs -10 -5 -20 -10 ### -40 0 0 25 0 0 -15 -10 -10 1 1

APO07—Managed Human Resources 0 35 15 15 ### 60 30 0 15 0 -5 65 60 60 3 3

APO08—Managed Relationships 10 35 40 5 ### 85 0 0 25 0 0 55 60 60 3 3

APO09—Managed Service Agreements 10 30 10 -10 ### 40 30 0 10 15 0 5 35 35 2 2

APO10—Managed Vendors -5 30 -10 -10 ### 5 50 15 5 15 0 40 45 45 2 2

APO11—Managed Quality 10 0 30 -15 ### 25 30 0 15 0 0 5 25 25 2 2

APO12—Managed Risk 5 -10 50 -5 ### 40 65 25 20 10 -5 25 65 65 3 3

APO13—Managed Security 5 -15 60 -15 ### 35 65 15 25 0 0 0 50 50 3 3

APO14—Managed Data 0 -35 35 -15 ### -15 50 10 25 0 0 20 30 30 2 2

BAI01—Managed Programs 0 30 15 15 ### 55 0 0 25 0 65 25 60 60 3 3

BAI02—Managed Requirements Definition -5 30 15 0 ### 40 0 0 30 0 135 30 80 80 4 4

BAI03—Managed Solutions Identification & Build -5 30 35 -10 ### 45 0 0 30 0 140 40 90 90 4 4

BAI04—Managed Availability & Capacity 10 25 35 -15 ### 50 30 0 5 0 0 5 35 35 2 2

BAI05—Managed Organizational Change 0 30 45 5 ### 75 0 0 25 0 95 35 80 80 4 4

BAI06—Managed IT Changes 0 30 45 0 ### 70 50 0 5 0 135 20 100 100 4 4

BAI07—Managed IT Change Acceptance and Transitioning 0 30 30 -5 ### 50 0 0 20 0 80 30 65 65 3 3

BAI08—Managed Knowledge 0 40 15 20 ### 70 0 0 25 0 0 25 45 45 2 2

BAI09—Managed Assets 0 -50 20 5 ### -25 0 0 25 0 0 0 0 0 1 1

BAI10—Managed Configuration 0 25 40 0 ### 60 50 0 15 0 30 25 65 65 3 3

BAI11—Managed Projects 0 30 35 10 ### 70 0 0 20 0 105 30 80 80 4 4

DSS01—Managed Operations 5 30 -5 -15 ### 15 0 0 10 0 -15 0 5 5 1 1

DSS02—Managed Service Requests & Incidents 10 15 30 -20 ### 35 50 0 15 0 -5 0 35 35 2 2

DSS03—Managed Problems 10 15 15 -5 ### 35 30 0 20 0 -5 25 35 35 2 2

Copyright ISACA 2018 658130091.xlsx Canvas—Page 5

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Canvas

Step 2: Determine the initial scope of the Governance System Step 3: Refine the scope of the Governance System Step 4: Conclude the Scope of the Governance System

Sourcing Refined Scope: Concluded Scope:

Design Factors: Enterprise Strategy Enterprise Risk Profile
IT-Related Initial Scope: Governance/ Threat
Compliance Req's
Role of Model IT Implementation Technology Adoption Strategy
Governance/ Adjustment Governance/ Suggested
Goals Issues Management Objectives Landscape IT for IT Methods (between -100 and Reason Target Capability Agreed Target Reason
Score Management Objectives +100) Management Objectives Level Capability Level
Score Priority
Weight 1 1 1 1 1 1 1 1 1 1

DSS04—Managed Continuity 10 15 15 -15 ### 25 65 15 20 0 0 25 50 50 3 3

DSS05—Managed Security Services 5 -10 20 -15 ### 0 50 25 20 0 0 25 40 40 2 2

DSS06—Managed Business Process Controls 5 20 40 -25 ### 40 50 0 35 0 0 0 45 45 2 2

MEA01—Managed Performance and Conformance Monitoring 0 0 10 -5 ### 5 50 0 25 10 35 35 55 55 3 3

MEA02—Managed System of Internal Control 0 -15 5 -15 ### -25 30 0 25 0 0 0 10 10 1 1

MEA03—Managed Compliance with External Requirements 0 -30 25 -30 ### -35 50 25 15 0 0 0 20 20 1 1

MEA04—Managed Assurance 0 -25 20 -10 ### -15 50 20 25 0 0 0 30 30 2 2

Copyright ISACA 2018 658130091.xlsx Canvas—Page 6

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy Design Factor 1 Enterprise Strategy

Input Section—Importance of Each Enterprise Strategy Archetype Input Section—Importance of Each Enterprise Strategy Archetype

Value Importance Baseline Design Factor 1 Enterprise Strategy

(1-5)
Importance of different strategies (Input)
Growth/Acquisition 4 3
Innovation/Differentiation 4 3
Cost Leadership 3 3
Client Service/Stability 5 3
5

Average 4.00
Design Factor 1 Enterprise Strategy 4
Stdev of different strategies0.71
Importance (Input)
Correction Factor 0.75 3
0 1 2 3 4 5

4
1

Copyright ISACA 2018 658130091.xlsx DF1—Page 7

 04/16/2023
COBIT® 2019 Governance System Design Toolkit
3

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy Design Factor 1 Enterprise Strategy

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Design Factor 1 Enterprise Strategy Design Factor 1 Enterprise Strategy
Objectives Importance Resulting Governance/Management Objectives Resulting Governance/Management Objectives Importance (Output)
Importance (Output)
Governance /
Management Score Baseline Relative EDM01
Score Importance EDM02 MEA04
Objective EDM03 MEA03
-100 -75 -50 -25 0 25 50 75 100
EDM04 MEA02
EDM01 20 15 0 EDM01 100
EDM02 EDM05 MEA01
33.5 24 5 EDM02
EDM03 21 15 5 EDM03 75
APO01 DSS06
EDM04 27 22.5 -10 EDM04
50
EDM05 25 18 5 EDM05 APO02 DSS05
APO01 16 12 0 APO01 25
APO02 37.5 28.5 0 APO02 APO03 DSS04
0
APO03 32 24 0 APO03
APO04 28 21 0 APO04 APO04 -25 DSS03
APO05 42.5 33 -5 APO05
APO06 -50
APO06 27 22.5 -10 APO05 DSS02
APO07 20 15 0 APO07 -75
APO08 30.5 21 10 APO08
APO09 APO06 -100 DSS01
APO09 32.5 22.5 10
APO10 APO10
26 21 -5
APO11 APO11
31 21 10 APO07 BAI11
APO12 APO12
25.5 18 5
APO13
APO13 23.5 16.5 5
APO14 APO08 BAI10
APO14 16 12 0
BAI01
BAI01 36 27 0
BAI02 APO09 BAI09
BAI03
BAI04 APO10 BAI08
Copyright ISACA 2018 BAI05
658130091.xlsx DF1—Page 8
APO11 BAI07
BAI06
 APO09 APO06 -100 DSS01
APO10
APO11 04/16/2023
COBIT® 2019 Governance System Design Toolkit APO07 BAI11
APO12
APO13
Information & Technology
APO14
Governance System Design APO08 Information & Technology Governance SystemBAI10Design
Design
BAI01
Factor 1 Enterprise Strategy Design Factor 1 Enterprise Strategy
BAI02 APO09 BAI09
BAI02 17.5 13.5 -5
BAI03
BAI03 17.5 13.5 -5
BAI04 APO10 BAI08
BAI04 26 18 10
BAI05
BAI05 34.5 25.5 0 APO11 BAI07
BAI06
BAI06 26.5 19.5 0
BAI07 APO12 BAI06
BAI07 24.5 18 0 BAI08 APO13
BAI08 BAI05
26 19.5 0 BAI09 APO14 BAI04
BAI09 16 12 0 BAI01 BAI02 BAI03
BAI10
BAI10 16 12 0 BAI11
BAI11 35.5 27 0 DSS01
DSS01 18.5 13.5 5 DSS02
DSS02 31 21 10 DSS03
DSS03 26 18 10 DSS04
DSS04 31 21 10 DSS05
DSS05 23.5 16.5 5 DSS06
DSS06 18.5 13.5 5 MEA01
MEA01 16 12 0 MEA02
MEA02 16 12 0 MEA03
MEA03 16 12 0 MEA04
MEA04 16 12 0

Copyright ISACA 2018 658130091.xlsx DF1—Page 9

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Growth / Innovation / Client Service /

DF1 Acquisition Differentiation Cost Leadership Stability
EDM01 1.0 1.0 1.5 1.5
EDM02 1.5 1.0 2.0 3.5
EDM03 1.0 1.0 1.0 2.0
EDM04 1.5 1.0 4.0 1.0
EDM05 1.5 1.5 1.0 2.0
APO01 1.0 1.0 1.0 1.0
APO02 3.5 3.5 1.5 1.0
APO03 4.0 2.0 1.0 1.0
APO04 1.0 4.0 1.0 1.0
APO05 3.5 4.0 2.5 1.0
APO06 1.5 1.0 4.0 1.0
APO07 2.0 1.0 1.0 1.0
APO08 1.0 1.5 1.0 3.5
APO09 1.0 1.0 1.5 4.0
APO10 1.0 1.0 3.5 1.5
APO11 1.0 1.0 1.0 4.0
APO12 1.0 1.5 1.0 2.5
APO13 1.0 1.0 1.0 2.5
APO14 1.0 1.0 1.0 1.0
BAI01 4.0 2.0 1.5 1.5
BAI02 1.0 1.0 1.5 1.0
BAI03 1.0 1.0 1.5 1.0
BAI04 1.0 1.0 1.0 3.0
BAI05 4.0 2.0 1.0 1.5
BAI06 2.0 2.0 1.0 1.5
BAI07 1.5 2.0 1.0 1.5
BAI08 1.0 3.5 1.0 1.0
BAI09 1.0 1.0 1.0 1.0
BAI10 1.0 1.0 1.0 1.0
BAI11 3.5 3.0 1.5 1.0
DSS01 1.0 1.0 1.0 1.5
DSS02 1.0 1.0 1.0 4.0

Copyright ISACA 2018 658130091.xlsx DF1map—Page 10

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Growth / Innovation / Client Service /

DF1 Acquisition Differentiation Cost Leadership Stability
DSS03 1.0 1.0 1.0 3.0
DSS04 1.0 1.0 1.0 4.0
DSS05 1.0 1.0 1.0 2.5
DSS06 1.0 1.0 1.0 1.5
MEA01 1.0 1.0 1.0 1.0
MEA02 1.0 1.0 1.0 1.0
MEA03 1.0 1.0 1.0 1.0
MEA04 1.0 1.0 1.0 1.0

Copyright ISACA 2018 658130091.xlsx DF1map—Page 11

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 2 Enterprise Goals Design Factor 2 Enterprise Goals

Input Section—Importance of Each Enterprise Goal Input Section—Importance of Each Enterprise Goal

Value Importance Baseline

(1-5)
EG01—Portfolio of competitive products and services 4 3 Design Factor 2 Enterprise Goals (Input)
EG02—Managed business risk 2 3
EG03—Compliance with external laws and regulations 2 3 EG01—Portfolio of competitive products and services 4
EG04—Quality of financial information 1 3
EG05—Customer-oriented service culture 2 3 EG02—Managed business risk 2
EG06—Business-service continuity and availability 3 3
EG07—Quality of management information 2 3 EG03—Compliance with external laws and regulations 2

EG08—Optimization of internal business process functionality 3 3

EG04—Quality of financial information 1
EG09—Optimization of business process costs 1 3
EG10—Staff skills, motivation and productivity 4 3
EG05—Customer-oriented service culture 2
EG11—Compliance with internal policies 2 3
EG12—Managed digital transformation programs 5 3
EG06—Business-service continuity and availability 3
EG13—Product and business innovation 5 3

Average 2.77
EG07—Quality of management information 2
Design Factor 2 Enterprise Goals (Input) Stdev 1.31
Correction Fact 1.08 EG08—Optimization of internal business process functionality 3

EG09—Optimization of business process costs 1

EG01—Portfolio of competitive products and services

EG13—Product and business innovation EG02—Managed business risk EG10—Staff skills, motivation and productivity 4
5
EG12—Managed digital transformation programs 4 EG03—Compliance with external laws and regulations
3 EG11—Compliance with internal policies 2
2
EG11—Compliance with internal policies 1 EG04—Quality of financial information
0 EG12—Managed digital transformation programs 5
Copyright ISACA 2018 658130091.xlsx DF2—Page 12
EG10—Staff skills, motivation and productivity EG05—Customer-oriented service culture EG13—Product and business innovation 5
 EG06—Business-service continuity and availability 3
04/16/2023
COBIT® 2019 Governance System Design Toolkit
EG07—Quality of management information 2
Design Factor 2 Enterprise Goals (Input)
Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 2 Enterprise Goals EG08—Optimization of internal business process functionality Design 3Factor 2 Enterprise Goals

EG09—Optimization of business process costs 1

EG01—Portfolio of competitive products and services

EG13—Product and business innovation EG02—Managed business risk EG10—Staff skills, motivation and productivity 4
5
EG12—Managed digital transformation programs 4 EG03—Compliance with external laws and regulations
3 EG11—Compliance with internal policies 2
2
EG11—Compliance with internal policies 1 EG04—Quality of financial information
0 EG12—Managed digital transformation programs 5

EG10—Staff skills, motivation and productivity EG05—Customer-oriented service culture EG13—Product and business innovation 5

EG09—Optimization of business process costs EG06—Business-service continuity and availability

EG08—Optimization of internal business process functionality EG07—Quality of management information

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management Objectives

Importance
Governance / Baseline Relative Design Factor 2 Enterprise Goals
Management Score Design Factor 2 Enterprise Goals
Objective
Score Importance Resulting Governance/Management Objectives Importance
Resulting Governance/ Man-
EDM01 99 99 10 agement Objectives Importance
EDM02 141 114 35
EDM03 48 63 -15
EDM04 156 129 30
-100 -75 -50 -25 0 25 50 75 100
EDM02 EDM01 MEA04
EDM01
EDM03 MEA03
Copyright ISACA 2018 EDM02 658130091.xlsx DF2—Page 13
EDM04 MEA02
EDM03
EDM04 EDM05 100 MEA01
 Design Factor 2 Enterprise Goals
Design Factor 2 Enterprise Goals Resulting Governance/Management Objectives Importance 04/16/2023
COBIT® 2019 Governance System Design Toolkit Resulting Governance/ Man-
agement Objectives Importance
Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 2 Enterprise Goals Design Factor 2 Enterprise Goals
-100 -75 -50 -25 0 25 50 75 100
EDM05 32 63 -45 EDM01 EDM02 EDM01 MEA04
EDM03 MEA03
APO01 174 180 5 EDM02
EDM04 MEA02
APO02 165 132 35 EDM03
EDM04 EDM05 100 MEA01
APO03 163 135 30
EDM05
APO04 156 120 40 APO01 75 DSS06
APO01
APO05 168 141 30 APO02
APO02 50 DSS05
APO06 101 117 -5 APO03
APO07 136 108 35 APO04 25
APO05 APO03 DSS04
APO08 237 189 35
APO06 0
APO09 76 63 30 APO07 APO04 DSS03
APO10 94 78 30 APO08 -25
APO11 121 132 0 APO09
-50
APO10 APO05 DSS02
APO12 30 36 -10
APO11 -75
APO13 31 39 -15 APO12
APO14 45 78 -35 APO13 APO06 -100 DSS01
BIA01 155 129 30 APO14
BAI02 BIA01
210 174 30
BAI02 APO07 BAI11
BAI03 200 165 30 BAI03
BAI04 79 69 25 BAI04
APO08 BAI10
BAI05 220 183 30 BAI05
BAI06 108 90 30 BAI06
BAI07 APO09 BAI09
BAI07 82 69 30 BAI08
BAI08 172 135 40 BAI09 APO10 BAI08
BAI09 23 51 -50 BAI10
BAI10 21 18 25 BAI11 APO11 BAI07
DSS01
BAI11 165 138 30
DSS02 APO12 BAI06
DSS01 76 63 30 DSS03
APO13 BAI05
DSS02 57 54 15 DSS04
APO14 BAI04
DSS03 57 54 15 DSS05 BIA01 BAI02 BAI03
DSS04 DSS06
57 54 15
MEA01
DSS05 69 81 -10 MEA02
DSS06 114 105 20 MEA03
MEA01 123 135 0 MEA04
MEA02 108 135 -15
MEA03 26 39 -30

Copyright ISACA 2018 658130091.xlsx DF2—Page 14

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 2 Enterprise Goals Design Factor 2 Enterprise Goals

MEA04 79 111 -25

Copyright ISACA 2018 658130091.xlsx DF2—Page 15

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Agile portfolio of Compliance with external Transparency and Customer-oriented service Business service continuity Quality of management Optimization of internal Optimization of business Staff skills, motivation and Compliance with internal Managed business Product and business
competitive products and Managed business risks laws and regulations accuracy of financial culture and availability information business process process costs productivity policies transformation programs innovation
services information functionality

4 2 2 1 2 3 2 3 1 4 2 5 5

AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13

IT compliance and Enablement and Competent and

Security of information, Delivery of programs
Mapping table EG-GA support for business Managed Technology & Realized benefits from Quality of technology delivery of IT services Agility to turn business processing support of business on time, on budget, and Quality of IT IT compliance with motivated staff with Knowledge, expertise
compliance with Information related IT-enabled investments related financial in line with business requirements into processes by Management mutual understanding and initiatives for
infrastructure and meeting requirements internal policies
external laws and risks and services portfolio information requirements operational solutions Integrating applications Information of technology and business innovation
regulations applications and technology and quality standards business.

Portfolio of agile and competitive

EG01 0 0 1 0 2 2 0 2 2 0 0 0 2
products and services
EG02 Managed business risks 1 2 0 0 0 0 1 0 0 0 1 0 0
Compliance with external laws and
EG03 regulations
2 0 0 0 0 0 0 0 0 0 2 0 0

EG04 Transparency and accuracy of financial 0 0 0 2 0 0 0 0 0 2 0 0 0

information
EG05 Customer-oriented service culture 0 0 1 0 1 1 0 2 1 0 0 1 0
Business service continuity and
EG06 0 1 0 0 1 0 2 0 0 0 0 0 0
availability

EG07 Accuracy (Quality?) of Management 0 0 0 2 0 0 0 0 0 2 0 0 0

Information
Optimization of business process
EG08 0 0 1 0 1 1 0 1 1 0 0 0 0
functionality

EG09 Optimization of business process costs 0 0 1 2 0 0 0 0 1 1 0 0 0

EG10 Staff skills, motivation and productivity 0 0 0 0 0 0 0 1 0 0 0 2 0

EG11 Compliance with internal policies 1 0 0 0 0 0 0 0 0 0 2 0 0

EG12 Managed business transformation 0 0 2 0 1 1 0 2 2 0 0 0 1

programs
EG13 Product and business innovation 0 0 0 0 0 1 0 1 1 0 0 0 2

AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13

IT compliance and Enablement and Competent and

Security of information, Delivery of programs
support for business Managed Technology & Realized benefits from Quality of technology delivery of IT services Agility to turn business processing support of business on time, on budget, and Quality of IT IT compliance with motivated staff with Knowledge, expertise
compliance with Information related IT-enabled investments related financial in line with business requirements into processes by Management mutual understanding and initiatives for
infrastructure and meeting requirements internal policies
external laws and risks and services portfolio information requirements operational solutions Integrating applications Information of technology and business innovation
applications and quality standards
regulations and technology business.

8 7 20 8 21 23 8 34 29 7 10 10 23

EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04

Managed Managed IT Managed Managed Managed Managed Managed

Mapping Table AG-GMO Ensured Governance Ensured Resource Ensured Stakeholder Managed IT Management Managed Human Managed Managed Managed Managed Managed Managed Managed Managed Managed Managed Performance System of
Framework Setting & Ensured Benefits Delivery Ensured Risk Optimization Optimization Managed Strategy Managed Architecture Managed Innovation Managed Portfolio Managed Budget & Costs Resources Managed Relationships Service Managed Risk Information Requirements Solutions Availability & Organizationa Managed IT Change Managed Managed Managed Managed Managed Service Managed Managed Security Business & Compliance Managed
Maintenance Transparency Framework Agreements Suppliers Quality Security Data Programs Definition Identification Capacity l Change Changes Acceptance & Knowledge Assets Configuration Projects Operations Requests & Problems Continuity Services Process Conformance Internal with External Internal Audit
& Build Transitioning Incidents Controls Monitoring Control Requirements

IT compliance and support for business

AG01 compliance with external laws and 1 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 2 1
regulations

AG02 Managed Technology & Information 1 0 2 0 0 1 0 0 0 0 0 0 0 0 0 0 2 1 1 0 0 0 0 0 1 1 0 0 0 0 0 1 1 1 2 1 0 1 0 1

related risks
Realized benefits from IT-enabled
AG03 investments and services portfolio 2 2 0 1 0 2 1 1 1 2 1 1 1 0 0 1 0 0 0 2 1 1 0 2 0 0 1 0 0 2 0 0 0 0 0 0 1 0 0 0

AG04 Quality of technology related financial 0 0 0 0 1 0 0 0 0 0 2 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 1 0 1

information
Delivery of IT services in line with business
AG05 requirements 0 1 0 1 0 1 1 1 0 2 0 1 2 2 2 1 0 0 0 0 2 2 2 1 1 0 0 0 1 1 2 2 2 2 1 1 2 1 0 1

AG06 Agility to turn business requirements into 0 1 0 1 0 0 1 2 2 1 0 0 2 0 1 0 0 0 0 1 2 2 0 1 2 2 1 0 0 2 0 0 0 0 0 0 0 0 0 0

operational solutions
Security of information, processing
AG07 infrastructure and applications 0 0 2 0 0 1 0 1 0 0 0 0 0 0 0 0 2 2 1 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 2 1 0 1 0 1

Enablement and support of business

AG08 processes by Integrating applications and 1 1 0 1 0 1 2 2 1 1 0 0 1 1 0 0 0 0 0 1 1 1 0 2 1 0 1 0 0 0 1 0 0 0 0 2 0 0 0 0
technology
Delivery of programs on time, on budget,
AG09 and meeting requirements and quality 0 0 0 2 0 1 0 0 0 1 2 1 1 0 1 2 0 0 0 2 2 2 1 2 0 1 1 0 0 2 0 0 0 0 0 0 1 1 0 0
standards
AG10 Quality of IT Management Information 0 0 0 0 2 1 0 0 0 0 1 0 0 0 0 2 0 0 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 2 1 0 1
AG11 IT compliance with internal policies 1 0 1 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 2 1 2
Competent and motivated staff with
AG12 mutual understanding of technology and 0 0 0 0 0 0 1 0 1 0 0 2 2 0 0 0 0 0 0 0 1 0 0 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0
business.
Knowledge, expertise and initiatives for
AG13 business innovation 0 1 0 0 0 0 1 0 2 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0

EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04

Managed Managed IT Managed Managed Managed Managed Managed

Ensured Governance Managed Managed Managed Managed Managed Managed Performance
Framework Setting & Ensured Resource Ensured Stakeholder Managed IT Management Managed Human Service Managed Managed Managed Managed Requirements Solutions Availability & Organizationa Managed IT Change Managed Managed Managed Managed Managed Service Managed Managed Business System of Compliance Managed
Ensured Benefits Delivery Ensured Risk Optimization Optimization Transparency Framework Managed Strategy Managed Architecture Managed Innovation Managed Portfolio Managed Budget & Costs Resources Managed Relationships Suppliers Quality Managed Risk Information Data Programs Identification Capacity Changes Acceptance & Knowledge Assets Configuration Projects Operations Requests & Problems Continuity
Security
Process
&
Internal with External Internal Audit
Maintenance Agreements Security Definition l Change Services Conformance
& Build Transitioning Incidents Controls Monitoring Control Requirements

99 141 48 156 32 174 165 163 156 168 101 136 237 76 94 121 30 31 45 155 210 200 79 220 108 82 172 23 21 165 76 57 57 57 69 114 123 108 26 79
Baseline 99 114 63 129 63 180 132 135 120 141 117 108 189 63 78 132 36 39 78 129 174 165 69 183 90 69 135 51 18 138 63 54 54 54 81 105 135 135 39 111
Imp® 0 23 -24 20 -50 -4 25 20 30 19 -14 25 25 20 20 -9 -17 -21 -43 20 20 21 14 20 20 18 27 -55 16 19 20 5 5 5 -15 8 -9 -20 -34 -29

Copyright ISACA 2018 658130091.xlsx DF2map—Page 16

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 3 Risk Profile Design Factor 3 Risk Profile

Input Section—Importance of Each Generic IT Risk Category Input Section—Importance of Each Generic IT Risk Category

Impact Likelihood Design Factor 3 IT Risk Profile

Risk Scenario Category Risk Rating Baseline
(1-5) (1-5) Risk Rating of IT Risk Scenario Categories (Input)
IT investment decision making, portfolio definition &
2 2 9 Very High Risk 0 5 10 15 20 25
maintenance
IT investment decision making, portfolio definition & maintenance
Program & projects life cycle management 4 3 9 High Risk
Program & projects life cycle management
IT cost & oversight 2 2 9 Normal Risk
IT cost & oversight
IT expertise, skills & behavior 4 4 9 Low Risk
IT expertise, skills & behavior
Enterprise/IT architecture 2 2 9
Enterprise/IT architecture
IT operational infrastructure incidents 3 2 9
Unauthorized actions 3 4 9 IT operational infrastructure incidents

Software adoption/usage problems 4 3 9 Unauthorized actions

Hardware incidents 2 2 9 Software adoption/usage problems

Software failures 3 3 9 Hardware incidents
Logical attacks (hacking, malware, etc.) 4 5 9
Software failures
Third-party/supplier incidents 2 2 9
Logical attacks (hacking, malware, etc.)
Noncompliance 3 3 9
Third-party/supplier incidents
Geopolitical Issues 2 2 9
Noncompliance
Industrial action 1 3 9
Acts of nature 3 3 9 Geopolitical Issues

Technology-based innovation 5 3 9 Industrial action

Environmental 2 3 9 Acts of nature

Data & information management 4 4 9 Technology-based innovation

Environmental
Average 8.89
Stdev 5.06 Data & information management
Correction Factor 1.01

Copyright ISACA 2018 658130091.xlsx DF3—Page 17

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 3 Risk Profile Design Factor 3 Risk Profile

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management
Objectives Importance Design Factor 3 IT Risk Profile Design Factor 3 IT Risk Profile
Resulting Governance/Management Resulting Governance/Management Objectives Importance
Governance / Baseline Relative Objectives Importance
Management Score Score Importance
Objective
EDM01 181 189 -5 -100 -75 -50 -25 0 25 50 75 100
EDM02 152 135 15 EDM01
EDM03 EDM02
180 162 10
EDM04 EDM03
167 198 -15
EDM04
EDM05 156 189 -15
EDM05
APO01 366 324 15 EDM02 EDM01 MEA04
APO01 EDM03 MEA03
APO02 134 144 -5
APO02 EDM04 MEA02
APO03 192 171 15
APO03 EDM05 MEA01
APO04 64 45 45 100
APO04
APO05 118 144 -15 APO01 DSS06
APO05 75
APO06 118 153 -20 APO06 APO02 50 DSS05
APO07 250 216 15 APO07
APO08 213 153 40 APO08 APO03 25 DSS04
APO09 129 117 10 APO09 0
APO10 196 216 -10 APO10 APO04 DSS03
-25
APO11 128 99 30 APO11
APO12 132 90 50 APO12 APO05 -50 DSS02
APO13 155 99 60 APO13 -75
APO14 263 198 35 APO14
APO06 -100 DSS01
BIA01 92 81 15 BIA01
BAI02 134 117 15 BAI02
BAI03 155 117 35 BAI03 APO07 BAI11
BAI04 12 9 35 BAI04
BAI05 104 72 45 BAI05 APO08 BAI10
BAI06 192 135 45 BAI06
BAI07 BAI07
148 117 30 APO09 BAI09
BAI08
BAI08 151 135 15
BAI09 APO10 BAI08
BAI09 42 36 20
BAI10
BAI11 APO11 BAI07
DSS01 APO12 BAI06
Copyright ISACA 2018 658130091.xlsx DF3—Page 18
DSS02
APO13 BAI05
DSS03 APO14 BAI04
 BAI03 APO07 BAI11
BAI04
04/16/2023
COBIT® 2019 Governance System Design Toolkit BAI05 APO08 BAI10
BAI06
BAI07 APO09 BAI09 System Design
Information & Technology
BAI08
Governance System Design Information & Technology Governance
Design Factor 3 Risk Profile Design Factor 3 Risk Profile
BAI09 APO10 BAI08
BAI10
BAI10 138 99 40 APO11 BAI07
BAI11
BAI11 48 36 35
DSS01 APO12 BAI06
DSS01 128 135 -5
DSS02
DSS02 184 144 30 APO13 BAI05
DSS03 APO14 BAI04
DSS03 125 108 15 DSS04 BIA01 BAI02 BAI03
DSS04 241 216 15 DSS05
DSS05 256 216 20 DSS06
DSS06 196 144 40 MEA01
MEA01 234 216 10 MEA02
MEA02 256 243 5 MEA03
MEA03 186 153 25 MEA04
MEA04 264 225 20

Copyright ISACA 2018 658130091.xlsx DF3—Page 19

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19

DF3 IT Investment
Decision Making,
Program &
Projects Life IT Cost & IT Expertise,
Skills &
Enterprise/ IT Operational
Infrastructure
Unauthorized
Software
Adoption/ Hardware Software Logical Attacks
(Hacking,
Third-Party/
Supplier Noncompliance
Geopolitical Industrial
Acts of Nature
Technology-
Based Environmental
Data &
Information
Portfolio Definition & Cycle Oversight IT Architecture Actions Usage Incidents Failures Issues Action
Maintenance Management Behavior Incidents Problems Malware, etc.) Incidents Innovation Management

EDM01 3.0 2.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 2.0 2.0
EDM02 3.0 2.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 3.0 1.0 3.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 3.0 0.0 4.0 3.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 2.0 0.0 0.0 2.0 3.0
EDM05 3.0 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 1.0 0.0 1.0 3.0 3.0 0.0 0.0 0.0 2.0 2.0
APO01 2.0 3.0 2.0 0.0 2.0 2.0 4.0 2.0 0.0 2.0 3.0 3.0 3.0 0.0 0.0 0.0 3.0 2.0 3.0
APO02 2.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 1.0 0.0 1.0 2.0 0.0 0.0 0.0 0.0 2.0 2.0 1.0
APO03 2.0 0.0 0.0 0.0 4.0 0.0 0.0 2.0 0.0 2.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 0.0 3.0
APO04 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0
APO05 4.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 2.0 3.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 4.0 0.0 2.0 2.0 0.0
APO08 0.0 0.0 0.0 2.0 2.0 0.0 0.0 4.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 2.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 0.0 2.0 3.0 0.0 0.0 0.0 2.0 2.0 3.0 2.0 2.0 4.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0
APO11 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0
APO12 0.0 0.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0
APO13 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 4.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0
APO14 0.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 0.0 3.0 0.0 2.0 4.0 2.0 0.0 4.0
BAI01 0.0 4.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI02 2.0 2.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI03 0.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI04 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0
BAI07 0.0 0.0 0.0 0.0 0.0 2.0 3.0 2.0 0.0 4.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI08 0.0 0.0 0.0 2.0 0.0 3.0 0.0 3.0 0.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 2.0
BAI09 0.0 0.0 0.0 0.0 0.0 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI10 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS01 0.0 0.0 0.0 0.0 0.0 4.0 3.0 0.0 4.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 3.0 2.0 3.0 2.0 2.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 3.0 1.0 4.0 0.0 3.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 3.0 3.0 0.0 3.0 0.0 4.0 0.0 2.0 0.0 3.0 4.0 0.0 0.0 2.0
DSS05 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 2.0 0.0 4.0 0.0 3.0 0.0 3.0 2.0 0.0 0.0 3.0
DSS06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 2.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0
MEA01 1.0 2.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 2.0 3.0 2.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0

Copyright ISACA 2018 658130091.xlsx DF3map—Page 20

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19

DF3 IT Investment
Decision Making,
Program &
Projects Life IT Cost & IT Expertise,
Skills &
Enterprise/ IT Operational
Infrastructure
Unauthorized
Software
Adoption/ Hardware Software Logical Attacks
(Hacking,
Third-Party/
Supplier Noncompliance
Geopolitical Industrial
Acts of Nature
Technology-
Based Environmental
Data &
Information
Portfolio Definition & Cycle Oversight IT Architecture Actions Usage Incidents Failures Issues Action
Maintenance Management Behavior Incidents Problems Malware, etc.) Incidents Innovation Management

MEA02 1.0 2.0 2.0 0.0 0.0 3.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0
MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0

Copyright ISACA 2018 658130091.xlsx DF3map—Page 21

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 4 IT-Related Issues Design Factor 4 IT-Related Issues

Input Section—Importance of Each Generic IT-Related Issue Input Section—Importance of Each Generic IT-Related Issue

Importance
IT-Related Issue (1-3) Baseline Design Factor 4 IT-Related Issues
Importance of IT-Related Issues (Input)
Frustration between different IT entities across the organization because
of a perception of low contribution to business value 2 No Issue 0 1 2 3

Frustration between business departments (i.e., the IT customer) and the

IT department because of failed initiatives or a perception of low 2 Issue
contribution to business value

Significant IT-related incidents, such as data loss, security breaches,

project failure and application errors, linked to IT 2 Serious Issue

rd members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
Service delivery problems by the IT outsourcer(s) 2
Failures to meet IT-related regulatory or contractual requirements 2

Regular audit findings or other assessment reports about poor IT

2
performance or reported IT quality or service problems

Substantial hidden and rogue IT spending, that is, IT spending by user

departments outside the control of the normal IT investment decision 2
mechanisms and approved budgets

Duplications or overlaps between various initiatives, or other forms of

2
wasted resources

Insufficient IT resources, staff with inadequate skills or staff

2
burnout/dissatisfaction

IT-enabled changes or projects frequently failing to meet business needs

2
and delivered late or over budget

Reluctance by board members, executives or senior management to 2

engage with IT, or a lack of committed business sponsorship for IT

Complex IT operating model and/or unclear decision mechanisms for IT-

related decisions 2

Excessively high cost of IT 2

Obstructed or failed implementation of new initiatives or innovations

2
caused by the current IT architecture and systems

Copyright ISACA 2018 658130091.xlsx DF4—Page 22

 Reluctance by board members, executives or senior management to enga
04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 4 IT-Related Issues Design Factor 4 IT-Related Issues

Gap between business and technical knowledge, which leads to business

users and information and/or technology specialists speaking different 2
languages

Regular issues with data quality and integration of data across various
sources 2

High level of end-user computing, creating (among other problems) a lack

of oversight and quality control over the applications that are being 2
developed and put in operation

Business departments implementing their own information solutions with

little or no involvement of the enterprise IT department (related to end-
user computing, which often stems from dissatisfaction with IT solutions
2 Average 1.85
and services)

Ignorance of and/or noncompliance with privacy regulations 2 Stdev 0.79

Inability to exploit new technologies or innovate using I&T 2
Correction 1.08
Factor

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management Design Factor 4 IT-Related Issues

Objectives Importance Resulting Governance/ Management Objectives Design Factor 4 IT-Related Issues
Importance Resulting Governance/Management Objectives Importance
Governance / Baseline Relative
Management Score Score Importance
Objective
-100 -75 -50 -25 0 25 50 75 100
EDM01 59.5 70 -10 EDM01
EDM02 61 70 -5 EDM02
EDM03 39 47 -10 EDM03
EDM04 65.5 67 5 EDM04 EDM02 EDM01 MEA04
EDM05 EDM05 EDM03 MEA03
33 41 -15
APO01 EDM04 MEA02
APO01 50 56 -5
APO02 48 50 5 APO02 EDM05 100 MEA01
APO03 APO03
64.5 66 5 APO01 DSS06
APO04 75
APO04 35.5 32 20
APO05
APO05 61 68 -5 APO02 50 DSS05
APO06
APO06 52 62 -10
APO07 25
APO07 49 47 15 APO08 APO03 DSS04
APO09 0
APO10 APO04 DSS03
-25
Copyright ISACA 2018 APO11 658130091.xlsx DF4—Page 23
APO12 -50
APO05 DSS02
APO13
 APO01 EDM04 MEA02
APO02 EDM05 100 MEA01
04/16/2023
COBIT® 2019 Governance System Design Toolkit APO03
APO04 APO01 75 DSS06
APO05
Information & Technology
APO06
Governance System Design APO02 Information
50 & Technology GovernanceDSS05
System Design
Design
APO07
Factor 4 IT-Related Issues Design Factor 4 IT-Related Issues
25
APO08 APO03 DSS04
APO08 67.5 70 5 APO09 0
APO09 36.5 43 -10 APO10 APO04 DSS03
-25
APO10 33 39 -10 APO11
APO11 34 43 -15 APO12 -50
APO05 DSS02
APO12 44.5 52 -5 APO13
APO13 APO14 -75
26.5 33 -15
APO14 48.5 60 -15 BIA01
APO06 -100 DSS01
BIA01 37.5 35 15 BAI02
BAI02 BAI03
47 51 0
BAI04 APO07 BAI11
BAI03 35 41 -10
BAI05
BAI04 18.5 23 -15
BAI06
BAI05 27.5 28 5 APO08 BAI10
BAI07
BAI06 38 42 0 BAI08
BAI07 34 38 -5 BAI09 APO09 BAI09
BAI08 34.5 31 20 BAI10
BAI09 22 23 5 BAI11 APO10 BAI08
BAI10 23 25 0 DSS01
BAI11 46.5 45 10 DSS02 APO11 BAI07
DSS01 21 27 -15 DSS03
APO12 BAI06
DSS02 24.5 33 -20 DSS04
DSS03 28 32 -5 DSS05 APO13 BAI05
DSS04 DSS06 APO14 BAI04
16.5 21 -15 BIA01 BAI03
MEA01 BAI02
DSS05 22.5 29 -15
MEA02
DSS06 20 29 -25
MEA03
MEA01 52.5 61 -5
MEA04
MEA02 38 48 -15
MEA03 18.5 29 -30
MEA04 47 58 -10

Copyright ISACA 2018 658130091.xlsx DF4—Page 24

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Frustration between different
IT entities across the
DF4 organization because of a
perception of low contribution
to business value
Frustration between business Significant IT-related Regular audit findings or Substantial hidden and rogue IT IT-enabled changes or Reluctance by board members, Complex IT operating model Obstructed or failed Gap between business and technical High level of end-user computing,
Duplications or overlaps creating (among other problems) a Business departments implementing
departments (i.e., the IT customer) incidents, such as data loss, Service delivery problems by Failures to meet IT-related other assessment reports spending, that is, IT spending by user between various initiatives Insufficient IT resources, staff projects frequently failing to executives or senior management and/or unclear decision implementation of new knowledge, which leads to business  Regular issues with data lack of oversight and quality their own information solutions with Ignorance of and/or Inability to exploit new
and the IT department because of security breaches, project the IT outsourcer(s) regulatory or contractual about poor IT performance departments outside the control of or other forms of wasted with inadequate skills or staff meet business needs and to engage with IT, or a lack of Excessively high cost of IT initiatives or innovations users and information and/or quality and integration of noncompliance with technologies or innovate
failed initiatives or a perception of failure and application requirements or reported IT quality or the normal IT investment decision burnout / dissatisfaction delivered late or over committed business sponsorship mechanisms for IT-related caused by the current IT technology specialists speaking data across various sources  control over the applications that little or no involvement of the privacy regulations using I&T
low contribution to business value errors, linked to IT service problems mechanisms and approved budgets resources budget for IT decisions architecture and systems different languages are being developed and put in enterprise IT department
operation

EDM01 3.0 3.0 1.0 1.0 2.0 2.0 2.0 1.0 1.0 1.0 3.0 3.5 1.0 1.0 1.0 1.0 2.0 3.0 1.5 1.0 35

EDM02 2.5 3.0 1.0 1.0 1.5 2.5 2.0 1.5 0.5 2.5 1.5 1.0 3.0 2.0 1.0 1.0 2.0 2.0 1.0 2.5 35

EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24

EDM04 1.0 1.0 1.0 1.0 1.0 2.0 3.0 3.5 3.5 1.0 1.5 0.0 4.0 2.0 1.0 1.5 2.0 2.5 0.0 1.0 34

EDM05 1.0 1.0 1.0 1.0 1.5 2.0 1.0 1.0 0.0 1.0 3.0 1.5 1.5 0.5 0.0 0.5 1.0 1.0 1.0 0.0 21

APO01 2.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.5 4.0 1.0 2.0 1.0 1.0 1.5 2.0 0.5 1.0 28

APO02 1.5 1.5 1.5 1.5 1.0 1.5 1.0 1.0 0.0 1.0 2.5 0.5 0.5 1.5 1.5 0.5 2.0 2.0 0.0 2.5 25

APO03 1.0 1.5 1.0 2.0 0.5 1.5 2.0 1.5 1.0 3.5 0.5 0.5 1.0 4.0 1.0 3.5 2.0 3.0 0.0 2.0 33

APO04 1.0 1.0 1.0 1.0 0.5 0.5 0.5 0.5 0.0 0.0 0.5 1.0 0.5 2.0 1.0 0.0 0.5 0.5 0.0 4.0 16

APO05 3.0 3.0 1.0 1.5 2.0 2.0 1.5 3.5 0.5 2.0 2.0 1.5 2.0 1.0 0.5 0.0 2.5 2.5 0.0 2.0 34

APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31

APO07 1.5 1.0 1.0 1.0 1.0 1.5 2.0 2.0 4.0 1.0 0.0 0.0 1.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 24

APO08 2.5 2.0 1.0 2.5 1.5 1.0 2.5 2.0 1.5 1.0 3.0 1.0 0.5 1.0 4.0 1.0 3.0 3.5 0.0 0.5 35

APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22

APO10 1.0 1.0 2.0 4.0 1.5 1.5 1.5 0.0 1.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 0.5 2.0 1.0 0.0 20

APO11 1.0 1.0 3.0 1.5 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.5 0.5 3.0 2.0 2.0 0.0 1.0 22

APO12 1.0 0.5 2.5 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.0 1.0 1.0 1.0 2.0 1.0 1.5 2.5 1.0 26

APO13 0.0 0.0 3.5 1.0 2.0 1.0 0.0 1.0 0.0 0.5 0.0 0.0 0.0 0.0 0.0 1.5 2.0 1.0 2.0 1.0 17

APO14 1.0 1.5 3.0 1.0 2.5 1.5 1.0 1.5 0.0 1.5 0.0 0.0 0.5 2.5 0.5 4.0 2.5 2.0 3.0 0.5 30

BAI01 0.0 1.0 1.5 0.0 0.0 0.0 0.0 3.0 1.0 3.5 0.0 0.0 1.5 0.5 1.0 0.0 1.5 2.0 0.0 1.0 18

BAI02 0.0 3.0 0.0 0.0 0.5 2.0 0.0 2.0 0.0 3.5 0.0 1.0 1.0 2.0 2.0 1.5 2.5 3.0 0.5 1.0 26

BAI03 1.0 2.0 2.0 0.0 0.0 2.0 0.0 1.0 0.0 3.0 0.0 0.5 1.0 1.0 1.0 0.5 2.0 2.0 1.0 0.5 21

BAI04 0.5 0.0 2.0 3.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 0.0 1.0 1.0 1.0 0.0 0.5 12

BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14

BAI06 0.0 0.0 2.5 3.0 0.5 1.5 0.0 1.0 0.0 1.5 0.0 1.0 0.5 1.0 0.5 2.0 2.0 2.0 1.0 1.0 21

BAI07 0.0 1.0 2.0 2.0 0.5 1.5 0.0 0.5 0.0 2.0 0.0 1.0 0.0 1.0 0.5 2.0 2.0 2.0 0.0 1.0 19

BAI08 0.0 0.0 0.0 1.5 0.5 0.5 0.0 1.0 2.0 0.5 0.0 0.5 0.0 1.0 3.0 2.0 1.0 1.5 0.0 0.5 16

BAI09 0.5 0.5 1.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 0.0 1.0 1.5 0.0 0.0 12

BAI10 0.0 0.0 2.5 2.0 0.5 0.0 0.0 0.5 0.0 0.0 0.0 0.0 1.0 1.5 0.0 1.5 1.0 2.0 0.0 0.0 13

BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 0.0 1.5 2.0 0.5 0.0 1.0 1.5 0.0 0.5 23

Copyright ISACA 2018 658130091.xlsx DF4map—Page 25

 Step 2 Initial Design
Governance and Management Objectives Importance

-100 -80 -60 -40 -20 0 20 40 60 80 100

-5
EDM01
EDM02 45
-10
EDM03
EDM04 10
-65 EDM05
APO01 15
APO02 35
APO03 45
APO04 100
APO05 5

-40 APO06
APO07 60
APO08 85
APO09 40
APO10 5
APO11 25
APO12 40
APO13 35
-15
APO14
BAI01 55
BAI02 40
BAI03 45
BAI04 50
BAI05 75
BAI06 70
BAI07 50
BAI08 70
-25 BAI09
BAI10 60
BAI11 70
DSS01 15
DSS02 35
DSS03 35
DSS04 25
0
DSS05
DSS06 40
MEA01 5

-25 MEA02

-35 MEA03

-15
MEA04
 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 5 Threat Landscape Design Factor 5 Threat Landscape

Input Section—Importance of Threat Landscape Input Section—Importance of Threat Landscape

Value Importance (100%) Baseline Page intentionally left blank

High 75% 33%

Normal 25% 67%

Average
Stdev
Design Factor 5 IT Threat Landscape
Correction Factor
1.00
High Normal

25%

75%

Copyright ISACA 2018 658130091.xlsx DF5—Page 27

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 5 Threat Landscape Design Factor 5 Threat Landscape

75%

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management Objectives

Importance Design Factor 5 Threat Landscape
Resulting Governance/Management Objectives Importance
Governance / Baseline Relative Design Factor 5 Threat Landscape
Management Score Score Importance Resulting Governance/Management
Objective
Objectives Importance
EDM01 2.50 1.66 50
EDM02 1.00 1.00 0
EDM03 3.25 1.99 65 -100 -75 -50 -25 0 25 50 75 100
EDM04 1.00 1.00 0 EDM01
EDM02 EDM02 EDM01 MEA04
EDM05 1.75 1.33 30 EDM03 MEA03
EDM03
APO01 2.50 1.66 50 EDM04
EDM04 MEA02
APO02 1.00 1.00 0 EDM05 EDM05 100 MEA01
APO03 2.50 1.66 50 APO01
APO01 75 DSS06
APO04 1.00 1.00 0 APO02
APO03
APO05 1.00 1.00 0 APO02 50 DSS05
APO04
APO06 1.00 1.00 0 APO05 25
APO07 1.75 1.33 30 APO06 APO03 DSS04
APO08 1.00 1.00 0 APO07 0
APO09 1.75 1.33 30 APO08 APO04
-25
DSS03
APO09
APO10 -50
APO05 DSS02
APO11
Copyright ISACA 2018 APO12 658130091.xlsx -75 DF5—Page 28
APO13
APO06 -100 DSS01
 APO01
APO01 75 DSS06
APO02
04/16/2023
COBIT® 2019 Governance System Design Toolkit APO03
50
APO02 DSS05
APO04
APO05 25
Information & Technology Governance
APO06 System Design APO03 DSS04 Design
Information & Technology Governance System
Design Factor
APO07 5 Threat Landscape 0 Design Factor 5 Threat Landscape
APO08 APO04 DSS03
-25
APO10 2.50 1.66 50 APO09
APO10 -50
APO11 1.75 1.33 30 APO05 DSS02
APO11
APO12 3.25 1.99 65 APO12 -75
APO13 3.25 1.99 65 APO13
APO06 -100 DSS01
APO14 2.50 1.66 50 APO14
BIA01 1.00 1.00 0 BIA01
BAI02 BAI02
1.00 1.00 0 APO07 BAI11
BAI03
BAI03 1.00 1.00 0 BAI04
BAI04 1.75 1.33 30 BAI05 APO08 BAI10
BAI05 1.00 1.00 0 BAI06
BAI06 2.50 1.66 50 BAI07 APO09 BAI09
BAI07 1.00 1.00 0 BAI08
BAI09
BAI08 1.00 1.00 0 APO10 BAI08
BAI10
BAI09 1.00 1.00 0 BAI11 APO11 BAI07
BAI10 2.50 1.66 50 DSS01
BAI11 1.00 1.00 0 DSS02 APO12 BAI06
DSS01 1.00 1.00 0 DSS03 APO13 BAI05
DSS02 DSS04
2.50 1.66 50 APO14 BAI04
DSS05 BIA01 BAI02 BAI03
DSS03 1.75 1.33 30
DSS06
DSS04 3.25 1.99 65 MEA01
DSS05 2.50 1.66 50 MEA02
DSS06 2.50 1.66 50 MEA03
MEA01 2.50 1.66 50 MEA04
MEA02 1.75 1.33 30
MEA03 2.50 1.66 50
MEA04 2.50 1.66 50

Copyright ISACA 2018 658130091.xlsx DF5—Page 29

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF5 High Normal

EDM01 3.0 1.0
EDM02 1.0 1.0
EDM03 4.0 1.0
EDM04 1.0 1.0
EDM05 2.0 1.0
APO01 3.0 1.0
APO02 1.0 1.0
APO03 3.0 1.0
APO04 1.0 1.0
APO05 1.0 1.0
APO06 1.0 1.0
APO07 2.0 1.0
APO08 1.0 1.0
APO09 2.0 1.0
APO10 3.0 1.0
APO11 2.0 1.0
APO12 4.0 1.0
APO13 4.0 1.0
APO14 3.0 1.0
BAI01 1.0 1.0
BAI02 1.0 1.0
BAI03 1.0 1.0
BAI04 2.0 1.0
BAI05 1.0 1.0
BAI06 3.0 1.0
BAI07 1.0 1.0
BAI08 1.0 1.0
BAI09 1.0 1.0
BAI10 3.0 1.0
BAI11 1.0 1.0
DSS01 1.0 1.0
DSS02 3.0 1.0
DSS03 2.0 1.0

Copyright ISACA 2018 658130091.xlsx DF5map—Page 30

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF5 High Normal

DSS04 4.0 1.0
DSS05 3.0 1.0
DSS06 3.0 1.0
MEA01 3.0 1.0
MEA02 2.0 1.0
MEA03 3.0 1.0
MEA04 3.0 1.0

Copyright ISACA 2018 658130091.xlsx DF5map—Page 31

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 6 Compliance Requirements Design Factor 6 Compliance Requirements

Input Section—Importance of Compliance Requirements Input Section—Importance of Compliance Requirements

Importance
Value (100%) Baseline Page intentionally left blank
High 25% 0%
Normal 75% 100%
Low 0% 0%

Average
Design Factor 6 Compliance Requirements
High Normal Low

25%

Stdev

75%

Copyright ISACA 2018 658130091.xlsx DF6—Page 32

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 6 Compliance Requirements Design Factor 6 Compliance Requirements

Correction Facto 1.00

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management

Objectives Importance Design Factor 6 Compliance Requirements Design Factor 6 Compliance Requirements
Resulting Governance/Management Resulting Governance/Management Objectives Importance
Governance / Objectives Importance
Management Baseline Relative
Score Score Importance
Objective
-100 -75 -50 -25 0 25 50 75 100
EDM01 2.25 2.00 15 EDM01
EDM02 1.00 1.00 0 EDM02
EDM03 2.50 2.00 25 EDM03
EDM04 1.00 1.00 0 EDM04
EDM05 1.13 1.00 15 EDM05 EDM02 EDM01 MEA04
EDM03 MEA03
APO01 1.63 1.50 10 APO01
EDM04 MEA02
APO02 APO02
1.00 1.00 0 EDM05 MEA01
APO03 100
APO03 1.00 1.00 0
APO04 APO01 DSS06
APO04 1.00 1.00 0 APO05
75
APO05 1.00 1.00 0 APO06 APO02 50 DSS05
APO06 1.00 1.00 0 APO07
25
APO07 1.00 1.00 0 APO08 APO03 DSS04
APO08 1.00 1.00 0 APO09 0
APO09 1.00 1.00 0 APO10 APO04 DSS03
-25
APO10 1.13 1.00 15 APO11
APO12 APO05 -50 DSS02
APO11 1.00 1.00 0
APO13 -75
APO12 2.50 2.00 25 APO14
APO13 1.13 1.00 15 BIA01 APO06 -100 DSS01
APO14 1.63 1.50 10 BAI02
BIA01 1.00 1.00 0 BAI03
APO07 BAI11
BAI02 1.00 1.00 0 BAI04
BAI03 1.00 1.00 0 BAI05
APO08 BAI10
BAI04 1.00 1.00 0 BAI06
BAI07
BAI05 1.00 1.00 0 APO09 BAI09
BAI08
BAI09
BAI10 APO10 BAI08
Copyright ISACA 2018 BAI11 658130091.xlsx DF6—Page 33
APO11 BAI07
DSS01
DSS02 APO12 BAI06
 APO14
BIA01 APO06 -100 DSS01
BAI02 04/16/2023
COBIT® 2019 Governance System Design Toolkit
BAI03
APO07 BAI11
BAI04
Information & Technology Governance
BAI05 System Design Information & Technology Governance System Design
APO08 BAI10
Design Factor 6 Compliance
BAI06 Requirements Design Factor 6 Compliance Requirements
BAI07
BAI08 APO09 BAI09
BAI06 1.00 1.00 0
BAI09
BAI07 1.00 1.00 0 BAI10 APO10 BAI08
BAI08 1.00 1.00 0 BAI11
APO11 BAI07
BAI09 1.00 1.00 0 DSS01
BAI10 1.00 1.00 0 DSS02 APO12 BAI06
BAI11 1.00 1.00 0 DSS03 APO13 BAI05
DSS01 1.00 1.00 0 DSS04 APO14 BAI04
BIA01 BAI02 BAI03
DSS02 DSS05
1.00 1.00 0
DSS06
DSS03 1.00 1.00 0
MEA01
DSS04 1.13 1.00 15 MEA02
DSS05 1.25 1.00 25 MEA03
DSS06 1.00 1.00 0 MEA04
MEA01 1.00 1.00 0
MEA02 1.00 1.00 0
MEA03 2.50 2.00 25
MEA04 2.38 2.00 20

Copyright ISACA 2018 658130091.xlsx DF6—Page 34

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF6 High Normal Low

EDM01 3.0 2.0 1.0
EDM02 1.0 1.0 1.0
EDM03 4.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.5 1.0 1.0
APO01 2.0 1.5 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.5 1.0 1.0
APO11 1.0 1.0 1.0
APO12 4.0 2.0 1.0
APO13 1.5 1.0 1.0
APO14 2.0 1.5 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.0 1.0 1.0

Copyright ISACA 2018 658130091.xlsx DF6map—Page 35

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF6 High Normal Low

DSS04 1.5 1.0 1.0
DSS05 2.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.0 1.0 1.0
MEA02 1.0 1.0 1.0
MEA03 4.0 2.0 1.0
MEA04 3.5 2.0 1.0

Copyright ISACA 2018 658130091.xlsx DF6map—Page 36

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 7 Role of IT Design Factor 7 Role of IT

Input Section—Importance of Role of IT Input Section—Importance of Role of IT

Value Importance (1-5) Baseline Page intentionally left blank

Support 1 3
Factory 1 3
Turnaround 2 3
Strategic 5 3

Average 2.25
Stdev 1.64
Correction Factor 1.33

Design Factor 7 Role of IT (Input)

0 1 2 3 4 5

Support 1

Factory 1

Turnaround 2

Strategic 5

Copyright ISACA 2018 658130091.xlsx DF7—Page 37

 Support 1
04/16/2023
COBIT® 2019 Governance System Design Toolkit

Factory 1 Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 7 Role of IT Design Factor 7 Role of IT

Turnaround 2

Strategic 5

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management Objectives

Importance Design Factor 7 Role of IT
Governance /
Design Factor 7 Role of IT Resulting Governance/Management Objectives Importance
Management Score
Baseline Relative Resulting Governance/Management Ob-
Score Importance jectives Importance
Objective
EDM01 26.0 25.5 35
EDM02 -100 -75 -50 -25 0 25 50 75 100
22.0 22.5 30
EDM03 EDM01
21.0 24.0 15
EDM02
EDM04 14.0 15.0 25 EDM01
EDM03 EDM02 MEA04
EDM05 14.0 15.0 25 EDM03 MEA03
EDM04
APO01 18.0 19.5 25 EDM04 MEA02
EDM05
APO02 23.0 24.0 30 EDM05 100 MEA01
APO01
APO03 16.0 18.0 20 APO02
APO01 75 DSS06
APO04 28.5 27.0 40 APO03
APO05 22.0 22.5 30 APO04 50
APO02 DSS05
APO06 14.0 15.0 25 APO05
APO07 11.5 13.5 15 APO06 25
APO03 DSS04
APO07
0
APO08
Copyright ISACA 2018 APO09 APO04
658130091.xlsx -25 DSS03
DF7—Page 38
APO10
-50
 EDM04
EDM04 MEA02
EDM05
APO01 EDM05 100 MEA01
04/16/2023
COBIT® 2019 Governance System Design Toolkit
APO02
APO01 75 DSS06
APO03
Information & Technology Governance System Design
APO04 APO02 Information
50 & Technology Governance DSS05
System Design
APO05Design Factor 7 Role of IT Design Factor 7 Role of IT
APO06 25
APO03 DSS04
APO08 18.5 19.5 25 APO07
0
APO09 16.0 19.5 10 APO08
APO09 APO04 DSS03
APO10 16.5 21.0 5 -25
APO11 15.5 18.0 15 APO10
APO11 -50
APO12 20.5 22.5 20 APO05 DSS02
APO12
APO13 21.0 22.5 25 -75
APO13
APO14 18.0 19.5 25
APO14 APO06 -100 DSS01
BIA01 18.5 19.5 25
BIA01
BAI02 23.0 24.0 30
BAI02
BAI03 23.0 24.0 30 BAI03 APO07 BAI11
BAI04 16.5 21.0 5 BAI04
BAI05 14.0 15.0 25 BAI05
APO08 BAI10
BAI06 15.5 19.5 5 BAI06
BAI07 16.0 18.0 20 BAI07
BAI08 14.0 15.0 25 BAI08 APO09 BAI09
BAI09 14.0 15.0 25 BAI09
BAI10 14.5 16.5 15 BAI10 APO10 BAI08
BAI11 16.0 18.0 20 BAI11
DSS01 APO11 BAI07
DSS01 21.5 25.5 10
DSS02 22.0 25.5 15 DSS02
APO12 BAI06
DSS03
DSS03 24.5 27.0 20
DSS04 APO13 BAI05
DSS04 24.5 27.0 20
DSS05 APO14 BAI04
DSS05 24.5 27.0 20 BIA01 BAI02 BAI03
DSS06
DSS06 16.5 16.5 35
MEA01
MEA01 14.0 15.0 25 MEA02
MEA02 14.0 15.0 25 MEA03
MEA03 11.5 13.5 15 MEA04
MEA04 14.0 15.0 25

Copyright ISACA 2018 658130091.xlsx DF7—Page 39

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF7 Support Factory Turnaround Strategic

EDM01 1.0 2.0 1.5 4.0
EDM02 1.0 1.0 2.5 3.0
EDM03 1.0 3.0 1.0 3.0
EDM04 1.0 1.0 1.0 2.0
EDM05 1.0 1.0 1.0 2.0
APO01 1.0 1.5 1.5 2.5
APO02 1.0 1.0 3.0 3.0
APO03 1.0 1.0 2.0 2.0
APO04 0.5 1.0 3.5 4.0
APO05 1.0 1.0 2.5 3.0
APO06 1.0 1.0 1.0 2.0
APO07 1.0 1.0 1.0 1.5
APO08 1.0 1.0 2.0 2.5
APO09 1.0 2.0 1.5 2.0
APO10 1.0 2.5 1.5 2.0
APO11 1.0 1.5 1.5 2.0
APO12 1.0 2.5 1.0 3.0
APO13 1.0 2.0 1.5 3.0
APO14 1.0 1.5 1.5 2.5
BAI01 1.0 1.0 2.0 2.5
BAI02 1.0 1.0 3.0 3.0
BAI03 1.0 1.0 3.0 3.0
BAI04 1.0 2.5 1.5 2.0
BAI05 1.0 1.0 1.0 2.0
BAI06 1.0 2.5 1.0 2.0
BAI07 1.0 1.0 2.0 2.0
BAI08 1.0 1.0 1.0 2.0
BAI09 1.0 1.0 1.0 2.0
BAI10 1.0 1.5 1.0 2.0
BAI11 1.0 1.0 2.0 2.0
DSS01 1.0 3.5 1.0 3.0
DSS02 1.0 3.0 1.5 3.0
DSS03 1.0 3.0 1.5 3.5

Copyright ISACA 2018 658130091.xlsx DF7map—Page 40

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF7 Support Factory Turnaround Strategic

DSS04 1.0 3.0 1.5 3.5
DSS05 1.5 2.5 1.5 3.5
DSS06 1.0 1.0 1.0 2.5
MEA01 1.0 1.0 1.0 2.0
MEA02 1.0 1.0 1.0 2.0
MEA03 1.0 1.0 1.0 1.5
MEA04 1.0 1.0 1.0 2.0

Copyright ISACA 2018 658130091.xlsx DF7map—Page 41

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT Design Factor 8 Sourcing Model for IT

Input Section—Importance of Sourcing Model for IT Input Section—Importance of Sourcing Model for IT

Value Importance (100%) Baseline

Outsourcing 30% 33% Page intentionally left blank
Cloud 50% 33%
Insourced 20% 34%

Average
Design Factor 8 IT Sourcing Model (Input)
Stdev
Correction Facto 1.00
Outsourcing Cloud Insourced

20%

30%

50%

Copyright ISACA 2018 658130091.xlsx DF8—Page 42

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT Design Factor 8 Sourcing Model for IT

50%

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management Objectives

Importance
Governance / Design Factor 8 Sourcing Model for IT Design Factor 8 Sourcing Model for IT
Baseline Relative Resulting Governance/ Management Objectives Importance
Management Score
Score Importance Resulting Governance/Management Ob-
Objective jectives Importance
EDM01 1.00 1.00 0
EDM02 1.00 1.00 0
-100 -75 -50 -25 0 25 50 75 100
EDM03 1.50 1.33 15
EDM01
EDM04 1.00 1.00 0 EDM02 EDM01 MEA04
EDM02
EDM05 1.00 1.00 0 EDM03 MEA03
EDM03
EDM04 MEA02
APO01 1.00 1.00 0 EDM04
APO02 EDM05 EDM05 100 MEA01
1.00 1.00 0
APO03 APO01
1.00 1.00 0 APO01 75 DSS06
APO02
APO04 1.00 1.00 0 APO03 50
APO05 1.00 1.00 0 APO02 DSS05
APO04
APO06 1.00 1.00 0 APO05 25
APO03 DSS04
APO07 1.00 1.00 0 APO06
APO07 0
APO08 1.00 1.00 0
APO08 APO04 DSS03
APO09 3.40 2.98 15 APO09
-25
APO10 3.40 2.98 15 APO10 -50
APO11 APO05 DSS02
1.00 1.00 0 APO11
APO12 1.80 1.66 10 APO12 -75

APO13 APO13
1.00 1.00 0 APO06 -100 DSS01
APO14
APO14 1.00 1.00 0 BIA01
BIA01 1.00 1.00 0 BAI02
APO07 BAI11
BAI02 1.00 1.00 0 BAI03
BAI04
BAI05 APO08 BAI10
BAI06
Copyright ISACA 2018 658130091.xlsx DF8—Page 43
BAI07
APO09 BAI09
BAI08
 APO10 -50
APO05 DSS02
APO11
APO12 -75 04/16/2023
COBIT® 2019 Governance System Design Toolkit
APO13
APO06 -100 DSS01
APO14
Information & Technology Governance System Design
BIA01 Information & Technology Governance System Design
Design BAI02
Factor 8 Sourcing Model for IT Design Factor 8 Sourcing Model for IT
APO07 BAI11
BAI03
BAI03 1.00 1.00 0 BAI04
BAI05 APO08 BAI10
BAI04 1.00 1.00 0
BAI06
BAI05 1.00 1.00 0 BAI07
BAI06 APO09 BAI09
1.00 1.00 0 BAI08
BAI07 1.00 1.00 0 BAI09
BAI10 APO10 BAI08
BAI08 1.00 1.00 0
BAI11
BAI09 1.00 1.00 0 APO11 BAI07
DSS01
BAI10 1.00 1.00 0 DSS02 APO12 BAI06
BAI11 1.00 1.00 0 DSS03
DSS01 APO13 BAI05
1.00 1.00 0 DSS04
DSS05 APO14 BAI04
DSS02 1.00 1.00 0 BIA01 BAI02 BAI03
DSS06
DSS03 1.00 1.00 0
MEA01
DSS04 1.00 1.00 0 MEA02
DSS05 1.00 1.00 0 MEA03
DSS06 1.00 1.00 0 MEA04
MEA01 2.60 2.32 10
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0

Copyright ISACA 2018 658130091.xlsx DF8—Page 44

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF8 Outsourcing Cloud Insourcing

EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 4.0 4.0 1.0
APO10 4.0 4.0 1.0
APO11 1.0 1.0 1.0
APO12 2.0 2.0 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.0 1.0 1.0

Copyright ISACA 2018 658130091.xlsx DF8map—Page 45

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF8 Outsourcing Cloud Insourcing

DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 3.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0

Copyright ISACA 2018 658130091.xlsx DF8map—Page 46

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods Design Factor 9 IT Implementation Methods

Input Section—Importance of IT Implementation Methods Input Section—Importance of IT Implementation Methods

Value Importance (100%) Baseline Page intentionally left blank

Agile 100% 15%

DevOps 0% 10%

Traditional 0% 75%

Design Factor 9 IT Implementation Methods

Agile DevOps Traditional

100%

Copyright ISACA 2018 658130091.xlsx DF9—Page 47

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods Design Factor 9 IT Implementation Methods
100%

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management Objectives

Importance
Design Factor 9 IT Implementation Methods
Governance /
Design Factor 9 IT Implementation Methods Resulting Governance/Management Objectives Importance
Management Score Baseline Relative Resulting Governance/Management Objec-
Score Importance tives Importance
Objective
EDM01 1.00 1.00 0
EDM02 1.00 1.00 0 EDM02 EDM01 MEA04
EDM03 1.00 1.00 0 -100 -75 -50 -25 0 25 50 75 100 EDM03 MEA03
EDM04 1.00 1.00 0 EDM01 EDM04 MEA02
EDM05 1.00 1.00 0 EDM02 EDM05 100 MEA01
APO01 EDM03
1.00 1.00 0
EDM04 APO01 75 DSS06
APO02 1.00 1.00 0 EDM05
APO03 1.00 1.10 -10 APO01 50
APO02 DSS05
APO04 1.00 1.00 0 APO02
APO05 APO03 25
1.00 1.00 0 APO03 DSS04
APO04
APO06 1.00 1.00 0 APO05 0
APO07 1.00 1.05 -5 APO06
APO04 -25 DSS03
APO08 1.00 1.00 0 APO07
APO09 APO08
1.00 1.00 0 -50
APO09
APO10 1.00 1.00 0 APO10
APO05 DSS02
APO11 1.00 1.00 0 APO11 -75
APO12 1.00 1.05 -5 APO12
APO13 APO06 -100 DSS01
APO14
Copyright ISACA 2018 BIA01 658130091.xlsx DF9—Page 48
BAI02 APO07 BAI11
BAI03
 APO05 0
APO06
APO07 APO04 -25 DSS0304/16/2023
COBIT® 2019 Governance System Design Toolkit
APO08
APO09 -50
APO05 DSS02
Information & Technology
APO10 Governance System Design Information & Technology Governance System Design
Design FactorAPO11
9 IT Implementation Methods -75Design Factor 9 IT Implementation Methods
APO12
APO13 APO06 -100 DSS01
APO13 1.00 1.00 0
APO14
APO14 1.00 1.00 0 BIA01
BIA01 2.00 1.20 65 BAI02 APO07 BAI11
BAI02 3.50 1.48 135 BAI03
BAI03 BAI04
4.00 1.65 140
BAI05 APO08 BAI10
BAI04 1.00 1.00 0 BAI06
BAI05 2.50 1.28 95 BAI07
BAI06 BAI08 APO09 BAI09
3.50 1.48 135
BAI07 BAI09
2.50 1.38 80
BAI10 APO10 BAI08
BAI08 1.00 1.00 0 BAI11
BAI09 1.00 1.00 0 DSS01
APO11 BAI07
BAI10 1.50 1.18 30 DSS02
BAI11 DSS03
2.50 1.23 105 APO12 BAI06
DSS04
DSS01 1.00 1.15 -15 DSS05 APO13 BAI05
DSS02 1.00 1.05 -5 DSS06 APO14 BAI04
DSS03 1.00 1.05 -5 MEA01 BIA01 BAI02 BAI03

DSS04 MEA02
1.00 1.00 0
MEA03
DSS05 1.00 1.00 0 MEA04
DSS06 1.00 1.00 0
MEA01 1.50 1.13 35
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0

Copyright ISACA 2018 658130091.xlsx DF9—Page 49

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF9 Agile DevOps Traditional

EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 1.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 2.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.5 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.0 1.0 1.0
APO11 1.0 1.0 1.0
APO12 1.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 2.0 1.5 1.0
BAI02 3.5 2.0 1.0
BAI03 4.0 3.0 1.0
BAI04 1.0 1.0 1.0
BAI05 2.5 1.5 1.0
BAI06 3.5 2.0 1.0
BAI07 2.5 2.5 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 2.0 1.0
BAI11 2.5 1.0 1.0
DSS01 1.0 2.5 1.0
DSS02 1.0 1.5 1.0
DSS03 1.0 1.5 1.0

Copyright ISACA 2018 658130091.xlsx DF9map—Page 50

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF9 Agile DevOps Traditional

DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.5 1.5 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0

Copyright ISACA 2018 658130091.xlsx DF9map—Page 51

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy Design Factor 10 Technology Adoption Strategy

Input Section—Importance of Technology Adoption Strategy Input Section—Importance of Technology Adoption Strategy

Value Importance (100%) Baseline Page intentionally left blank

First mover 70% 15%

Follower 30% 70%
Slow adopter 0% 15%

Design Factor 10 Technology Adoption Strategy

First mover Follower Slow adopter

30%

70%

Copyright ISACA 2018 658130091.xlsx DF10—Page 52

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Information & Technology Governance System Design Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy Design Factor 10 Technology Adoption Strategy

Output Section—Resulting relative importance of each governance/management objective Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/ Management Objectives

Importance
Design Factor 10 Technology Adoption
Governance / Baseline Relative Strategy Design Factor 10 Technology Adoption Strategy
Management Score Score Importance Resulting Governance/Management Objec- Resulting Governance/Management Objectives Importance
Objective
tives Importance
EDM01 3.20 2.50 30
EDM02 3.55 2.58 40
EDM03 1.35 1.08 25 -100 -75 -50 -25 0 25 50 75 100
EDM04 EDM01 EDM01
2.35 2.00 20 EDM02 MEA04
EDM02 EDM03 MEA03
EDM05 1.35 1.08 25 EDM03 EDM04 MEA02
APO01 2.20 1.58 40 EDM04
EDM05 100 MEA01
APO02 3.70 2.93 25 EDM05
APO03 1.70 1.15 50 APO01 APO01 75 DSS06
APO02
APO04 3.70 2.85 30 APO03 APO02 50 DSS05
APO05 3.55 2.50 40 APO04
APO06 1.15 1.35 -15 APO05 25
APO03 DSS04
APO07 2.05 1.23 65 APO06
0
APO07
APO08 2.55 1.65 55
APO08 APO04 DSS03
APO09 1.50 1.43 5 -25
APO09
APO10 2.20 1.58 40 APO10 -50
APO05 DSS02
APO11 1.50 1.43 5 APO11
APO12 -75
APO12 1.85 1.50 25
APO13
APO13 1.00 1.00 0 APO14
APO06 -100 DSS01
APO14 2.35 1.93 20 BIA01
BIA01 3.70 2.93 25 BAI02
BAI03 APO07 BAI11
BAI02 3.20 2.43 30
BAI04
BAI03 3.55 2.50 40
BAI05 APO08 BAI10
BAI04 1.50 1.43 5 BAI06
BAI05 2.70 2.00 35 BAI07
BAI08 APO09 BAI09
BAI06 2.35 1.93 20
BAI09
BAI10 APO10 BAI08
BAI11
Copyright ISACA 2018 658130091.xlsx APO11 BAI07
DF10—Page 53
DSS01
DSS02
APO12 BAI06
 APO14
BIA01
BAI02
BAI03 APO07 BAI11 04/16/2023
COBIT® 2019 Governance System Design Toolkit
BAI04
BAI05 APO08 BAI10
Information & Technology
BAI06Governance System Design Information & Technology Governance System Design
Design Factor 10 BAI07
Technology Adoption Strategy Design Factor 10 Technology Adoption Strategy
BAI08 APO09 BAI09
BAI09
BAI07 3.20 2.43 30
BAI10 APO10 BAI08
BAI08 1.35 1.08 25 BAI11
BAI09 1.00 1.00 0 DSS01 APO11 BAI07
BAI10 1.35 1.08 25 DSS02
DSS03 APO12 BAI06
BAI11 3.20 2.43 30
DSS04 APO13 BAI05
DSS01 1.00 1.00 0 DSS05 APO14 BAI04
DSS02 1.00 1.00 0 DSS06 BIA01 BAI02 BAI03
DSS03 1.35 1.08 25 MEA01
DSS04 1.35 1.08 25 MEA02
MEA03
DSS05 1.35 1.08 25 MEA04
DSS06 1.00 1.00 0
MEA01 2.70 2.00 35
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0

Copyright ISACA 2018 658130091.xlsx DF10—Page 54

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF10 First Mover Follower Slow Adopter

EDM01 3.5 2.5 1.5
EDM02 4.0 2.5 1.5
EDM03 1.5 1.0 1.0
EDM04 2.5 2.0 1.5
EDM05 1.5 1.0 1.0
APO01 2.5 1.5 1.0
APO02 4.0 3.0 1.5
APO03 2.0 1.0 1.0
APO04 4.0 3.0 1.0
APO05 4.0 2.5 1.0
APO06 1.0 1.5 1.0
APO07 2.5 1.0 1.0
APO08 3.0 1.5 1.0
APO09 1.5 1.5 1.0
APO10 2.5 1.5 1.0
APO11 1.5 1.5 1.0
APO12 2.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 2.5 2.0 1.0
BAI01 4.0 3.0 1.5
BAI02 3.5 2.5 1.0
BAI03 4.0 2.5 1.0
BAI04 1.5 1.5 1.0
BAI05 3.0 2.0 1.0
BAI06 2.5 2.0 1.0
BAI07 3.5 2.5 1.0
BAI08 1.5 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 1.0 1.0
BAI11 3.5 2.5 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.5 1.0 1.0

Copyright ISACA 2018 658130091.xlsx DF10map—Page 55

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

DF10 First Mover Follower Slow Adopter

DSS04 1.5 1.0 1.0
DSS05 1.5 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 2.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0

Copyright ISACA 2018 658130091.xlsx DF10map—Page 56

 Governance and Management Objectives Importance (All Design Factors)

-100 -80 -60 -40 -20 0 20 40 60 80 100

EDM01 45
EDM02 40
EDM03 45
EDM04 20
EDM05 10
APO01 50
APO02 30
APO03 55
APO04 60
APO05 25
APO06
-10
APO07 60
APO08 60
APO09 35
APO10 45
APO11 25
APO12 65
APO13 50
APO14 30
BIA01 60
BAI02 80
BAI03 90
BAI04 35
BAI05 80
BAI06 100
BAI07 65
BAI08 45
BAI09
0
BAI10 65
BAI11 80
DSS01 5
DSS02 35
DSS03 35
DSS04 50
DSS05 40
DSS06 45
MEA01 55
MEA02 10
MEA03 20
MEA04 30
 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Design Factor 1 Enterprise Strategy Design Factor 2 Enterprise Goals

Resulting Governance/Management Resulting Governance/ Management Initial Summary—Governance and Management Objectives
Objectives Importance Objectives Importance
-100 -50 0 50 100 150
EDM01 EDM02 EDM01 MEA04
EDM02
EDM03
MEA04
MEA03 EDM03 MEA03 -5
EDM01—Ensured Governance Framework Setting & Maintenance
EDM04 MEA02 EDM04 MEA02
100 EDM05 100 MEA01 EDM02—Ensured Benefits Delivery 45
EDM05 MEA01
APO01 75 DSS06 APO01 75 DSS06 -10
EDM03—Ensured Risk Optimization
50
APO02 50 DSS05 APO02 DSS05 EDM04—Ensured Resource Optimization 10
25 25
APO03 DSS04 APO03 DSS04 -65 EDM05—Ensured Stakeholder Engagement
0 0
APO04 DSS03
APO01—Managed I&T Management Framework 15
APO04 -25 DSS03 -25
-50
APO02—Managed Strategy 35
-50 APO05 DSS02
APO05 DSS02
-75 -75 APO03—Managed Enterprise Architecture 45
APO06 -100 DSS01 APO06 -100 DSS01 APO04—Managed Innovation 100
APO05—Managed Portfolio 5
APO07 BAI11 APO07 BAI11
-40
APO06—Managed Budget & Costs
APO08 BAI10 APO08 BAI10
APO07—Managed Human Resources 60
APO09 BAI09 APO09 BAI09 APO08—Managed Relationships 85
APO10 BAI08 APO10 BAI08 APO09—Managed Service Agreements 40
APO11 BAI07 APO11 BAI07 APO10—Managed Vendors 5
APO12 BAI06 APO12 BAI06
APO11—Managed Quality 25
APO13 BAI05 APO13 BAI05
APO14
BAI01 BAI03
BAI04 APO14
BIA01 BAI02 BAI03
BAI04 APO12—Managed Risk 40
BAI02
APO13—Managed Security 35
-15 Data
APO14—Managed
Design Factor 3 Risk Profile Design Factor 4 IT-Related Issues BAI01—Managed Programs 55
Resulting Governance/Management Resulting Governance/Management BAI02—Managed Requirements Definition 40
Objectives Importance Objectives Importance
BAI03—Managed Solutions Identification & Build 45
EDM02 EDM01 MEA04 BAI04—Managed Availability & Capacity 50
EDM03 MEA03 EDM02 EDM01 MEA04
EDM03 MEA03
EDM04 MEA02 BAI05—Managed Organizational Change 75
EDM04 MEA02
EDM05 100 MEA01 EDM05 100 MEA01
75 BAI06—Managed IT Changes 70
APO01 DSS06 APO01 75 DSS06
50 50
BAI07—Managed IT Change Acceptance and Transitioning 50
APO02 DSS05 APO02 DSS05
25 25 BAI08—Managed Knowledge 70
APO03 DSS04 APO03 DSS04
0 0 -25
BAI09—Managed Assets
APO04 -25 DSS03 APO04 DSS03
-25 BAI10—Managed Configuration 60
-50 -50
APO05 DSS02 APO05 DSS02 BAI11—Managed Projects 70
-75 -75
DSS01—Managed Operations 15
APO06 -100 DSS01 APO06 -100 DSS01
DSS02—Managed Service Requests & Incidents 35
APO07 BAI11 APO07 BAI11 DSS03—Managed Problems 35
DSS04—Managed Continuity 25
APO08 BAI10 APO08 BAI10
0
DSS05—Managed Security Services
APO09 BAI09 APO09 BAI09
DSS06—Managed Business Process Controls 40
APO10 BAI08 APO10 BAI08
MEA01—Managed Performance and Conformance Monitoring 5
APO11 BAI07 APO11 BAI07
-25
MEA02—Managed System of Internal Control
APO12 BAI06
APO12 BAI06
APO13 BAI05 MEA03—Managed Compliance-35
with External Requirements
APO13 BAI05 APO14 BAI04
APO14
BIA01 BAI03
BAI04 BIA01 BAI02 BAI03 MEA04—Managed-15
Assurance
BAI02

Copyright ISACA 2018 658130091.xlsx Dashboard1—Page 58

 04/16/2023
COBIT® 2019 Governance System Design Toolkit

Design Factor 5 Threat Landscape Design Factor 6 Compliance Requirements

Resulting Governance/Management Resulting Governance/Management
Objectives Importance Objectives Importance Governance and Management Objectives Importance (All Design Factors)

EDM03
EDM02 EDM01 MEA04
MEA03 EDM03
EDM02 EDM01 MEA04
MEA03
EDM01—Ensured Governance Framework Setting & Maintenance 45
EDM04 MEA02 EDM04 MEA02
EDM05 100 MEA01 EDM05 100 MEA01
EDM02—Ensured Benefits Delivery 40
APO01 75 DSS06 APO01 75 DSS06

APO02 50 DSS05 APO02 50 DSS05

25 25
EDM03—Ensured Risk Optimization 45
APO03 DSS04 APO03 DSS04
0 0
APO04 -25 DSS03 APO04 -25 DSS03 EDM04—Ensured Resource Optimization 20
-50 -50
APO05 DSS02 APO05 DSS02
-75 -75
EDM05—Ensured Stakeholder Engagement 10
APO06 -100 DSS01 APO06 -100 DSS01
APO01—Managed I&T Management Framework 50
APO07 BAI11 APO07 BAI11

APO08 BAI10 APO08 BAI10

APO02—Managed Strategy 30

APO09 BAI09 APO09 BAI09

APO03—Managed Enterprise Architecture 55
APO10 BAI08 APO10 BAI08

APO11 BAI07 APO11 BAI07 APO04—Managed Innovation 60

APO12 BAI06 APO12 BAI06
APO13 BAI05 APO13 BAI05
APO14 BAI04 APO14 BAI04 APO05—Managed Portfolio 25
BIA01 BAI02 BAI03 BIA01 BAI02 BAI03

APO06—Managed Budget-10
& Costs

APO07—Managed Human Resources 60

Design Factor 7 Role of IT Design Factor 8 Sourcing Model for IT
Resulting Governance/Management Resulting Governance/Management APO08—Managed Relationships 60
Objectives Importance Objectives Importance

APO09—Managed Service Agreements 35

EDM02 EDM01 MEA04

EDM03
EDM02 EDM01 MEA04
MEA03 EDM03 MEA03 APO10—Managed Vendors 45
EDM04 MEA02 EDM04 MEA02

EDM05 100 MEA01 EDM05 100 MEA01

APO01 75 DSS06
APO11—Managed Quality 25
APO01 75 DSS06

50 APO02 50 DSS05
APO02 DSS05

25 25 APO12—Managed Risk 65
APO03 DSS04 APO03 DSS04
0 0

APO04 -25 DSS03 APO04 -25 DSS03 APO13—Managed Security 50

-50 -50
APO05 DSS02 APO05 DSS02

-75 -75 APO14—Managed Data 30

APO06 -100 DSS01 APO06 -100 DSS01

BAI01—Managed Programs 60
APO07 BAI11 APO07 BAI11

APO08 BAI10 APO08 BAI10 BAI02—Managed Requirements Definition 80

APO09 BAI09 APO09 BAI09
BAI03—Managed Solutions Identification & Build 90
APO10 BAI08 APO10 BAI08

APO11 BAI07
APO11 BAI07 BAI04—Managed Availability & Capacity 35
APO12 BAI06 APO12 BAI06

APO13 BAI05 APO13 BAI05

APO14 BAI04 APO14
BIA01 BAI02 BAI03
BAI04 BAI05—Managed Organizational Change 80
Copyright ISACA 2018 BIA01 BAI02 BAI03 658130091.xlsx Dashboard2—Page 59

BAI06—Managed IT Changes 100

 APO09 BAI09 APO09 BAI09
BAI03—Managed Solutions Identification & Build 90
APO10 BAI08 APO10 BAI08

APO11 BAI07
APO11
COBIT® 2019 Governance System Design Toolkit BAI07 BAI04—Managed Availability & Capacity 35 04/16/2023

APO12 BAI06 APO12 BAI06

APO13 BAI05 APO13 BAI05

APO14 BAI04 APO14
BIA01 BAI02 BAI03
BAI04 BAI05—Managed Organizational Change 80
BIA01 BAI02 BAI03

BAI06—Managed IT Changes 100

BAI07—Managed IT Change Acceptance and Transitioning 65

Design Factor 9 IT Implementation Methods Design Factor 10 Technology Adoption Strategy
Resulting Governance/Management Resulting Governance/Management BAI08—Managed Knowledge 45
Objectives Importance Objectives Importance
0
BAI09—Managed Assets

EDM02 EDM01 MEA04 EDM02 EDM01 MEA04 BAI10—Managed Configuration 65

EDM03 MEA03 EDM03 MEA03
EDM04 MEA02 EDM04 MEA02
EDM05 100 MEA01 EDM05 100 MEA01
BAI11—Managed Projects 80
APO01 75 DSS06 APO01 75 DSS06

50 50
APO02 DSS05 APO02 DSS05
DSS01—Managed Operations 5
25 25
APO03 DSS04 APO03 DSS04
0 0
APO04 DSS03 APO04 DSS03
DSS02—Managed Service Requests & Incidents 35
-25 -25

-50 -50
APO05 DSS02 APO05 DSS02
DSS03—Managed Problems 35
-75 -75

APO06 -100 DSS01 APO06 -100 DSS01

DSS04—Managed Continuity 50
APO07 BAI11 APO07 BAI11

DSS05—Managed Security Services 40

APO08 BAI10 APO08 BAI10

APO09 BAI09 APO09 BAI09

DSS06—Managed Business Process Controls 45
APO10 BAI08 APO10 BAI08

APO11 BAI07 APO11 BAI07 MEA01—Managed Performance and Conformance Monitoring 55

APO12 BAI06 APO12 BAI06
APO13
APO14 BAI04
BAI05 APO13
APO14 BAI04
BAI05 MEA02—Managed System of Internal Control 10
BIA01 BAI02 BAI03 BIA01 BAI02 BAI03

MEA03—Managed Compliance with External Requirements 20

MEA04—Managed Assurance 30

Copyright ISACA 2018 658130091.xlsx Dashboard2—Page 60