
06/09/2023

COBIT® 2019 Governance System Design Toolkit

COBIT® 2019 Governance System Design Workbook—Instructions

Terms & Definitions

Relative importance: Relative importance (of governance and management objectives) is a number that indicates the influence of a certain design factor on the importance of a certain COBIT governance or management objective as compared to a baseline (standard) situation. The number is calculated as a percentage difference between the baseline and the current situation, as determined by the values given to the design factor at hand.

Instructions

Sheet: Canvas
In this sheet all results of the impact assessment of the design factors are summarized. This is done in line with the governance system design flow explained in the COBIT Design Guide.
The user can provide input in columns R/S to adjust the results of the automated calculations, taking into account the enterprise's specific context. When making adjustments in column R, the spreadsheet expects an explanation in column S.

Sheet: DF1

Description
Input Section: In this sheet, the importance of different enterprise strategies can be described. The importance is expressed as an integer value between 1 (Not Important) and 5 (Critical) and can be entered in cells C8-C11. The chosen values are represented graphically in the two diagrams in the input section. The diagrams depict the same information, one in a bar chart, the other in a spider chart.
Output Section: The output section of this sheet contains the calculated relative importance of each of the 40 COBIT 2019 Governance and Management Objectives.

User Action Required
Input Section: [Optional] Enter values between 1 and 5 expressing the importance or relevance of each of the given generic enterprise strategies for the user enterprise.
Output Section:
a) Observe the resulting importance scores for each of the 40 governance/management objectives.
b) [Optional] Use the graphic(s) for reporting the outcome of this step in the governance system design process. Both diagrams contain the same information but in a different representation. Use the one that suits you best.

Copyright ISACA 2018 671372358.xlsx Instructions—Page 1



Description

DF2

User Action Required

Description

DF3

User Action Required

Description

DF4

User Action Required

Description

DF5

User Action Required


Description

DF6

User Action Required

Description

DF7

User Action Required

Description

DF8

User Action Required

Description

DF9

User Action Required


Description

DF10

User Action Required

Chart 1
Chart 2


COBIT® 2019 Governance System Design Workbook—Canvas

Step 2: Determine the initial scope of the Governance System
Design Factors: Enterprise Strategy; Enterprise Goals; Risk Profile; IT-Related Issues; Initial Scope: Governance/Management Objectives Score

Step 3: Refine the scope of the Governance System
Design Factors: Threat Landscape; Compliance Req's; Role of IT; Sourcing Model for IT; IT Implementation Methods; Technology Adoption Strategy; Refined Scope: Governance/Management Objectives Score

Step 4: Conclude the Scope of the Governance System
Adjustment (between -100 and +100); Reason; Concluded Scope: Governance/Management Objectives Priority; Suggested Target Capability Level; Agreed Target Capability Level; Reason

Weight 0 1 0 0 0 0 0 0 0 0

EDM01—Ensured Governance Framework Setting & Maintenance 5 5 5 0 ### 50 -10 90 5 0 0 0 50 50 3 3

EDM02—Ensured Benefits Delivery 20 0 20 110 ### 60 0 50 0 0 0 0 0 0 1 1

EDM03—Ensured Risk Optimization 5 5 5 0 ### 50 -10 130 0 0 0 0 50 50 3 3

EDM04—Ensured Resource Optimization 5 0 -5 0 ### 0 0 50 5 0 0 0 0 0 1 1

EDM05—Ensured Stakeholder Engagement 10 5 0 0 ### 50 -5 90 5 0 0 0 50 50 3 3

APO01—Managed I&T Management Framework 0 -5 10 0 ### -50 -10 75 0 0 0 0 -50 -50 1 1

APO02—Managed Strategy 10 0 5 0 ### 0 0 50 0 0 0 0 0 0 1 1

APO03—Managed Enterprise Architecture 5 0 30 10 ### 0 -10 50 0 0 0 0 0 0 1 1

APO04—Managed Innovation 25 0 40 -5 ### 0 0 50 0 0 0 0 0 0 1 1

APO05—Managed Portfolio 5 0 55 -5 ### 0 0 50 0 0 0 0 0 0 1 1

APO06—Managed Budget & Costs -30 0 15 0 ### 0 0 50 5 0 0 0 0 0 1 1

APO07—Managed Human Resources 0 5 -20 5 ### 50 -5 50 5 0 0 0 50 50 3 3

APO08—Managed Relationships 10 5 10 -10 ### 50 0 50 0 0 0 0 50 50 3 3

APO09—Managed Service Agreements 5 5 0 5 ### 50 -5 50 0 -10 0 0 50 50 3 3

APO10—Managed Vendors -25 0 -15 5 ### 0 -10 90 -5 -10 0 0 0 0 1 1

APO11—Managed Quality 10 0 70 20 ### 0 -5 50 0 0 0 0 0 0 1 1

APO12—Managed Risk 10 -5 15 5 ### -50 -10 130 0 -5 0 0 -50 -50 1 1

APO13—Managed Security 5 -5 -25 5 ### -50 -10 90 0 0 0 0 -50 -50 1 1

APO14—Managed Data 0 0 -5 0 ### 0 -10 75 0 0 0 0 0 0 1 1

BAI01—Managed Programs 0 0 35 15 ### 0 0 50 0 0 30 0 0 0 1 1

BAI02—Managed Requirements Definition -10 0 60 10 ### 0 0 50 0 0 60 0 0 0 1 1

BAI03—Managed Solutions Identification & Build -10 0 45 20 ### 0 0 50 0 0 65 0 0 0 1 1

BAI04—Managed Availability & Capacity 10 0 60 15 ### 0 -5 50 -5 0 0 0 0 0 1 1

BAI05—Managed Organizational Change 5 0 35 10 ### 0 0 50 5 0 40 0 0 0 1 1

BAI06—Managed IT Changes 10 0 25 10 ### 0 -10 50 0 0 60 0 0 0 1 1

BAI07—Managed IT Change Acceptance and Transitioning 10 0 45 15 ### 0 0 50 0 0 40 0 0 0 1 1

BAI08—Managed Knowledge 20 0 30 0 ### 0 0 50 5 0 0 0 0 0 1 1

BAI09—Managed Assets 0 5 -20 -15 ### 50 0 50 5 0 0 0 50 50 3 3

BAI10—Managed Configuration 0 0 20 0 ### 0 -10 50 0 0 15 0 0 0 1 1

BAI11—Managed Projects 5 0 60 20 ### 0 0 50 0 0 45 0 0 0 1 1

DSS01—Managed Operations 5 5 -15 10 ### 50 0 50 0 0 0 0 50 50 3 3

DSS02—Managed Service Requests & Incidents 10 0 30 15 ### 0 -10 50 0 0 0 0 0 0 1 1

DSS03—Managed Problems 10 0 60 20 ### 0 -5 50 0 0 0 0 0 0 1 1


DSS04—Managed Continuity 10 0 -10 -5 ### 0 -10 90 0 0 0 0 0 0 1 1

DSS05—Managed Security Services 5 -5 -15 -5 ### -50 -10 130 5 0 0 0 -50 -50 1 1

DSS06—Managed Business Process Controls 5 0 10 -10 ### 0 -10 50 5 0 0 0 0 0 1 1

MEA01—Managed Performance and Conformance Monitoring 0 0 10 5 ### 0 -10 50 5 -10 15 0 0 0 1 1

MEA02—Managed System of Internal Control 0 0 5 10 ### 0 -5 50 5 0 0 0 0 0 1 1

MEA03—Managed Compliance with External Requirements 0 -10 -25 -10 ### -100 -10 130 5 0 0 0 -100 -100 1 1

MEA04—Managed Assurance 0 0 0 5 ### 0 -10 110 5 0 0 0 0 0 1 1


Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy

Input Section—Importance of Each Enterprise Strategy Archetype

Value                        Importance (1-5)  Baseline
Growth/Acquisition           3                 3
Innovation/Differentiation   5                 3
Cost Leadership              1                 3
Client Service/Stability     4                 3

Average            3.25
Stdev              1.48
Correction Factor  0.92

[Charts: Design Factor 1 Enterprise Strategy, Importance of different strategies (Input)]


Information & Technology Governance System Design
Design Factor 1 Enterprise Strategy

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01  15.5  15    -5
EDM02  25.5  24    0
EDM03  17    15    5
EDM04  17.5  22.5  -30
EDM05  21    18    10
APO01  13    12    0
APO02  33.5  28.5  10
APO03  27    24    5
APO04  28    21    25
APO05  37    33    5
APO06  17.5  22.5  -30
APO07  16    15    0
APO08  25.5  21    10
APO09  25.5  22.5  5
APO10  17.5  21    -25
APO11  25    21    10
APO12  21.5  18    10
APO13  19    16.5  5
APO14  13    12    0
BAI01  29.5  27    0
BAI02  13.5  13.5  -10
BAI03  13.5  13.5  -10
BAI04  21    18    10
BAI05  29    25.5  5
BAI06  23    19.5  10
BAI07  21.5  18    10
BAI08  25.5  19.5  20
BAI09  13    12    0
BAI10  13    12    0
BAI11  31    27    5
DSS01  15    13.5  5
DSS02  25    21    10
DSS03  21    18    10
DSS04  25    21    10
DSS05  19    16.5  5
DSS06  15    13.5  5
MEA01  13    12    0
MEA02  13    12    0
MEA03  13    12    0
MEA04  13    12    0

[Charts: Design Factor 1 Enterprise Strategy, Resulting Governance/Management Objectives Importance (Output); axis from -100 to 100]


DF1  Growth/Acquisition  Innovation/Differentiation  Cost Leadership  Client Service/Stability
EDM01 1.0 1.0 1.5 1.5
EDM02 1.5 1.0 2.0 3.5
EDM03 1.0 1.0 1.0 2.0
EDM04 1.5 1.0 4.0 1.0
EDM05 1.5 1.5 1.0 2.0
APO01 1.0 1.0 1.0 1.0
APO02 3.5 3.5 1.5 1.0
APO03 4.0 2.0 1.0 1.0
APO04 1.0 4.0 1.0 1.0
APO05 3.5 4.0 2.5 1.0
APO06 1.5 1.0 4.0 1.0
APO07 2.0 1.0 1.0 1.0
APO08 1.0 1.5 1.0 3.5
APO09 1.0 1.0 1.5 4.0
APO10 1.0 1.0 3.5 1.5
APO11 1.0 1.0 1.0 4.0
APO12 1.0 1.5 1.0 2.5
APO13 1.0 1.0 1.0 2.5
APO14 1.0 1.0 1.0 1.0
BAI01 4.0 2.0 1.5 1.5
BAI02 1.0 1.0 1.5 1.0
BAI03 1.0 1.0 1.5 1.0
BAI04 1.0 1.0 1.0 3.0
BAI05 4.0 2.0 1.0 1.5
BAI06 2.0 2.0 1.0 1.5
BAI07 1.5 2.0 1.0 1.5
BAI08 1.0 3.5 1.0 1.0
BAI09 1.0 1.0 1.0 1.0
BAI10 1.0 1.0 1.0 1.0
BAI11 3.5 3.0 1.5 1.0
DSS01 1.0 1.0 1.0 1.5

DSS02 1.0 1.0 1.0 4.0
DSS03 1.0 1.0 1.0 3.0
DSS04 1.0 1.0 1.0 4.0
DSS05 1.0 1.0 1.0 2.5
DSS06 1.0 1.0 1.0 1.5
MEA01 1.0 1.0 1.0 1.0
MEA02 1.0 1.0 1.0 1.0
MEA03 1.0 1.0 1.0 1.0
MEA04 1.0 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 2 Enterprise Goals

Input Section—Importance of Each Enterprise Goal

Value                                                          Importance (1-5)  Baseline
EG01—Portfolio of competitive products and services            5                 3
EG02—Managed business risk                                     3                 3
EG03—Compliance with external laws and regulations             4                 3
EG04—Quality of financial information                          5                 3
EG05—Customer-oriented service culture                         4                 3
EG06—Business-service continuity and availability              5                 3
EG07—Quality of management information                         4                 3
EG08—Optimization of internal business process functionality   3                 3
EG09—Optimization of business process costs                    4                 3
EG10—Staff skills, motivation and productivity                 5                 3
EG11—Compliance with internal policies                         4                 3
EG12—Managed digital transformation programs                   4                 3
EG13—Product and business innovation                           4                 3

Average            4.15
Stdev              0.66
Correction Factor  0.72

[Charts: Design Factor 2 Enterprise Goals (Input)]

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01  146  111  -5
EDM02  163  117  0
EDM03  88   69   -10
EDM04  193  138  0
EDM05  89   63   0
APO01  247  183  -5
APO02  191  135  0
APO03  192  138  0
APO04  178  126  0
APO05  196  141  0
APO06  164  117  0
APO07  163  114  5
APO08  277  195  5
APO09  90   63   5
APO10  110  78   0
APO11  186  132  0
APO12  54   42   -5
APO13  58   45   -5
APO14  112  81   0
BAI01  177  129  0
BAI02  244  174  0
BAI03  230  165  0
BAI04  101  72   0
BAI05  255  183  0
BAI06  125  90   0
BAI07  94   69   0
BAI08  200  141  0
BAI09  74   51   5
BAI10  58   42   0
BAI11  190  138  0
DSS01  90   63   5
DSS02  79   57   0
DSS03  79   57   0
DSS04  95   69   0
DSS05  114  87   -5
DSS06  148  108  0
MEA01  187  135  0
MEA02  187  138  0
MEA03  49   39   -10
MEA04  154  114  0

[Charts: Design Factor 2 Enterprise Goals, Resulting Governance/Management Objectives Importance; axis from -100 to 100]


Agile portfolio of competitive products and services          5
Managed business risks                                        3
Compliance with external laws and regulations                 4
Transparency and accuracy of financial information            5
Customer-oriented service culture                             4
Business service continuity and availability                  5
Quality of management information                             4
Optimization of internal business process functionality       3
Optimization of business process costs                        4
Staff skills, motivation and productivity                     5
Compliance with internal policies                             4
Managed business transformation programs                      4
Product and business innovation                               4

Mapping table EG-GA

AG01  IT compliance and support for business compliance with external laws and regulations
AG02  Managed Technology & Information related risks
AG03  Realized benefits from IT-enabled investments and services portfolio
AG04  Quality of technology related financial information
AG05  Delivery of IT services in line with business requirements
AG06  Agility to turn business requirements into operational solutions
AG07  Security of information, processing infrastructure and applications
AG08  Enablement and support of business processes by Integrating applications and technology
AG09  Delivery of programs on time, on budget, and meeting requirements and quality standards
AG10  Quality of IT Management Information
AG11  IT compliance with internal policies
AG12  Competent and motivated staff with mutual understanding of technology and business.
AG13  Knowledge, expertise and initiatives for business innovation

                                                                AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
EG01 Portfolio of agile and competitive products and services   0    0    1    0    2    2    0    2    2    0    0    0    2
EG02 Managed business risks                                     1    2    0    0    0    0    2    0    0    0    1    0    0
EG03 Compliance with external laws and regulations              2    0    0    0    0    0    0    0    0    0    2    0    1
EG04 Transparency and accuracy of financial information         0    0    0    2    0    0    0    0    0    2    0    0    0
EG05 Customer-oriented service culture                          0    0    1    0    1    1    0    2    1    0    0    1    0
EG06 Business service continuity and availability               0    1    0    0    1    0    2    0    0    0    0    0    0
EG07 Accuracy (Quality?) of Management Information              0    0    0    2    0    0    0    0    0    2    0    0    0
EG08 Optimization of business process functionality             0    0    1    0    1    1    0    1    1    0    0    0    0
EG09 Optimization of business process costs                     0    0    1    2    0    0    0    0    1    1    0    0    0
EG10 Staff skills, motivation and productivity                  0    0    0    0    0    0    0    1    0    0    0    2    0
EG11 Compliance with internal policies                          1    0    0    0    0    0    0    0    0    0    2    0    0
EG12 Managed business transformation programs                   0    0    2    0    1    1    0    2    2    0    0    0    1
EG13 Product and business innovation                            0    0    0    0    0    1    0    1    1    0    0    0    2

AG01 AG02 AG03 AG04 AG05 AG06 AG07 AG08 AG09 AG10 AG11 AG12 AG13
15   11   24   26   26   25   16   38   33   22   19   14   26

Mapping Table AG-GMO

EDM01  Ensured Governance Framework Setting & Maintenance
EDM02  Ensured Benefits Delivery
EDM03  Ensured Risk Optimization
EDM04  Ensured Resource Optimization
EDM05  Ensured Stakeholder Transparency
APO01  Managed IT Management Framework
APO02  Managed Strategy
APO03  Managed Architecture
APO04  Managed Innovation
APO05  Managed Portfolio
APO06  Managed Budget & Costs
APO07  Managed Human Resources
APO08  Managed Relationships
APO09  Managed Service Agreements
APO10  Managed Suppliers
APO11  Managed Quality
APO12  Managed Risk
APO13  Managed Information Security
APO14  Managed Data
BAI01  Managed Programs
BAI02  Managed Requirements Definition
BAI03  Managed Solutions Identification & Build
BAI04  Managed Availability & Capacity
BAI05  Managed Organizational Change
BAI06  Managed IT Changes
BAI07  Managed IT Change Acceptance & Transitioning
BAI08  Managed Knowledge
BAI09  Managed Assets
BAI10  Managed Configuration
BAI11  Managed Projects
DSS01  Managed Operations
DSS02  Managed Service Requests & Incidents
DSS03  Managed Problems
DSS04  Managed Continuity
DSS05  Managed Security Services
DSS06  Managed Business Process Controls
MEA01  Managed Performance & Conformance Monitoring
MEA02  Managed System of Internal Control
MEA03  Managed Compliance with External Requirements
MEA04  Managed Internal Audit

Columns, in order: EDM01 EDM02 EDM03 EDM04 EDM05 APO01 APO02 APO03 APO04 APO05 APO06 APO07 APO08 APO09 APO10 APO11 APO12 APO13 APO14 BAI01 BAI02 BAI03 BAI04 BAI05 BAI06 BAI07 BAI08 BAI09 BAI10 BAI11 DSS01 DSS02 DSS03 DSS04 DSS05 DSS06 MEA01 MEA02 MEA03 MEA04

AG01 IT compliance and support for business compliance with external laws and regulations
2 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 2 1

AG02 Managed Technology & Information related risks
1 0 2 0 0 1 0 0 0 0 0 0 0 0 0 0 2 1 1 0 0 0 0 0 1 1 0 0 0 0 0 1 1 1 2 1 0 1 0 1

AG03 Realized benefits from IT-enabled investments and services portfolio
2 2 0 1 0 2 1 1 1 2 1 1 1 0 0 1 0 0 0 2 1 1 0 2 0 0 1 0 0 2 0 0 0 0 0 0 1 0 0 0

AG04 Quality of technology related financial information
0 0 0 0 1 0 0 0 0 0 2 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 1 0 1

AG05 Delivery of IT services in line with business requirements
0 1 0 1 0 1 1 1 0 2 0 1 2 2 2 1 0 0 0 0 2 2 2 1 1 0 0 0 1 1 2 2 2 2 1 1 2 1 0 1

AG06 Agility to turn business requirements into operational solutions
0 1 0 1 0 0 1 2 2 1 0 0 2 0 1 0 0 0 0 1 2 2 0 1 2 2 1 0 0 2 0 0 0 0 0 0 0 0 0 0

AG07 Security of information, processing infrastructure and applications
0 0 2 0 0 1 0 1 0 0 0 0 0 0 0 0 2 2 1 0 0 0 1 0 0 0 0 0 2 0 0 1 1 2 2 1 0 1 0 1

AG08 Enablement and support of business processes by Integrating applications and technology
1 1 0 1 0 1 2 2 1 1 0 0 1 1 0 0 0 0 0 1 1 1 0 2 1 0 1 0 0 0 1 0 0 0 0 2 0 0 0 0

AG09 Delivery of programs on time, on budget, and meeting requirements and quality standards
0 0 0 2 0 1 0 0 0 1 2 1 1 0 1 2 0 0 0 2 2 2 1 2 0 1 1 0 0 2 0 0 0 0 0 0 1 1 0 0

AG10 Quality of IT Management Information
0 0 0 0 2 1 0 0 0 0 1 0 0 0 0 2 0 0 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 2 1 0 1

AG11 IT compliance with internal policies
1 0 1 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 2 1 2

AG12 Competent and motivated staff with mutual understanding of technology and business.
0 0 0 1 0 0 1 0 1 0 0 2 2 0 0 0 0 0 0 0 1 0 0 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0

AG13 Knowledge, expertise and initiatives for business innovation
0 1 0 0 0 0 1 0 2 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0

146 163 88 193 89 247 191 192 178 196 164 163 277 90 110 186 54 58 112 177 244 230 101 255 125 94 200 74 58 190 90 79 79 95 114 148 187 187 49 154
Baseline 111 117 69 138 63 183 135 138 126 141 117 114 195 63 78 132 42 45 81 129 174 165 72 183 90 69 141 51 42 138 63 57 57 69 87 108 135 138 39 114
Imp® 31 39 27 39 41 34 41 39 41 39 40 42 42 42 41 40 28 28 38 37 40 39 40 39 38 36 41 45 38 37 42 38 38 37 31 37 38 35 25 35


Information & Technology Governance System Design
Design Factor 3 Risk Profile

Input Section—Importance of Each Generic IT Risk Category

Risk Scenario Category                                              Impact (1-5)  Likelihood (1-5)  Baseline
IT investment decision making, portfolio definition & maintenance   5             4                 9
Program & projects life cycle management                            4             3                 9
IT cost & oversight                                                 3             3                 9
IT expertise, skills & behavior                                     2             2                 9
Enterprise/IT architecture                                          2             2                 9
IT operational infrastructure incidents                             4             3                 9
Unauthorized actions                                                4             1                 9
Software adoption/usage problems                                    4             3                 9
Hardware incidents                                                  4             1                 9
Software failures                                                   5             3                 9
Logical attacks (hacking, malware, etc.)                            5             2                 9
Third-party/supplier incidents                                      1             1                 9
Noncompliance                                                       2             1                 9
Geopolitical Issues                                                 2             1                 9
Industrial action                                                   1             1                 9
Acts of nature                                                      4             2                 9
Technology-based innovation                                         4             3                 9
Environmental                                                       1             1                 9
Data & information management                                       5             2                 9

Risk Rating legend: Very High Risk, High Risk, Normal Risk, Low Risk

Average            7.53
Stdev              5.35
Correction Factor  1.20

[Chart: Design Factor 3 IT Risk Profile, Risk Rating of IT Risk Scenario Categories (Input); axis from 0 to 25]


Information & Technology Governance System Design
Design Factor 3 Risk Profile

Output Section—Resulting relative importance of each governance/management objective

Resulting Governance/Management Objectives Importance

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01  175  189  10
EDM02  161  135  45
EDM03  143  162  5
EDM04  154  198  -5
EDM05  157  189  0
APO01  303  324  10
APO02  128  144  5
APO03  186  171  30
APO04  52   45   40
APO05  186  144  55
APO06  144  153  15
APO07  142  216  -20
APO08  142  153  10
APO09  100  117  0
APO10  157  216  -15
APO11  140  99   70
APO12  88   90   15
APO13  62   99   -25
APO14  160  198  -5
BAI01  92   81   35
BAI02  158  117  60
BAI03  143  117  45
BAI04  12   9    60
BAI05  80   72   35
BAI06  142  135  25
BAI07  140  117  45
BAI08  147  135  30
BAI09  24   36   -20
BAI10  100  99   20
BAI11  48   36   60
DSS01  98   135  -15
DSS02  158  144  30
DSS03  143  108  60
DSS04  159  216  -10
DSS05  155  216  -15
DSS06  130  144  10
MEA01  200  216  10
MEA02  218  243  5
MEA03  96   153  -25
MEA04  190  225  0

[Charts: Design Factor 3 IT Risk Profile, Resulting Governance/Management Objectives Importance; axis from -100 to 100]


RISKCAT01  IT Investment Decision Making, Portfolio Definition & Maintenance
RISKCAT02  Program & Projects Life Cycle Management
RISKCAT03  IT Cost & Oversight
RISKCAT04  IT Expertise, Skills & Behavior
RISKCAT05  Enterprise/IT Architecture
RISKCAT06  IT Operational Infrastructure Incidents
RISKCAT07  Unauthorized Actions
RISKCAT08  Software Adoption/Usage Problems
RISKCAT09  Hardware Incidents
RISKCAT10  Software Failures
RISKCAT11  Logical Attacks (Hacking, Malware, etc.)
RISKCAT12  Third-Party/Supplier Incidents
RISKCAT13  Noncompliance
RISKCAT14  Geopolitical Issues
RISKCAT15  Industrial Action
RISKCAT16  Acts of Nature
RISKCAT17  Technology-Based Innovation
RISKCAT18  Environmental
RISKCAT19  Data & Information Management

DF3 RISKCAT01 RISKCAT02 RISKCAT03 RISKCAT04 RISKCAT05 RISKCAT06 RISKCAT07 RISKCAT08 RISKCAT09 RISKCAT10 RISKCAT11 RISKCAT12 RISKCAT13 RISKCAT14 RISKCAT15 RISKCAT16 RISKCAT17 RISKCAT18 RISKCAT19

EDM01 3.0 2.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 2.0 2.0
EDM02 3.0 2.0 0.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 3.0 1.0 3.0
EDM03 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 2.0 3.0
EDM04 3.0 0.0 4.0 3.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 2.0 0.0 0.0 2.0 3.0
EDM05 3.0 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 1.0 0.0 1.0 3.0 3.0 0.0 0.0 0.0 2.0 2.0
APO01 2.0 3.0 2.0 0.0 2.0 2.0 4.0 2.0 0.0 2.0 3.0 3.0 3.0 0.0 0.0 0.0 3.0 2.0 3.0
APO02 2.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 1.0 0.0 1.0 2.0 0.0 0.0 0.0 0.0 2.0 2.0 1.0
APO03 2.0 0.0 0.0 0.0 4.0 0.0 0.0 2.0 0.0 2.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 0.0 3.0
APO04 0.0 0.0 0.0 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0
APO05 4.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0
APO06 2.0 3.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 2.0 2.0 0.0
APO07 0.0 0.0 0.0 4.0 0.0 2.0 3.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 4.0 0.0 2.0 2.0 0.0
APO08 0.0 0.0 0.0 2.0 2.0 0.0 0.0 4.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 2.0
APO09 0.0 0.0 2.0 0.0 0.0 0.0 2.0 3.0 0.0 1.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
APO10 0.0 2.0 3.0 0.0 0.0 0.0 2.0 2.0 3.0 2.0 2.0 4.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0
APO11 0.0 3.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0
APO12 0.0 0.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0
APO13 0.0 0.0 0.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 4.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0
APO14 0.0 0.0 0.0 0.0 0.0 0.0 3.0 2.0 0.0 0.0 2.0 0.0 3.0 0.0 2.0 4.0 2.0 0.0 4.0
BAI01 0.0 4.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI02 2.0 2.0 0.0 0.0 2.0 0.0 0.0 3.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI03 0.0 3.0 0.0 0.0 2.0 0.0 0.0 2.0 0.0 3.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI04 0.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI05 0.0 2.0 0.0 2.0 0.0 0.0 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.0
BAI07 0.0 0.0 0.0 0.0 0.0 2.0 3.0 2.0 0.0 4.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI08 0.0 0.0 0.0 2.0 0.0 3.0 0.0 3.0 0.0 3.0 0.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 2.0
BAI09 0.0 0.0 0.0 0.0 0.0 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI10 0.0 0.0 0.0 0.0 0.0 2.0 4.0 0.0 0.0 2.0 3.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
BAI11 0.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS01 0.0 0.0 0.0 0.0 0.0 4.0 3.0 0.0 4.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 2.0 0.0
DSS02 0.0 0.0 0.0 0.0 0.0 3.0 2.0 3.0 2.0 2.0 4.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS03 0.0 0.0 0.0 0.0 0.0 3.0 1.0 4.0 0.0 3.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
DSS04 0.0 0.0 0.0 0.0 0.0 3.0 3.0 0.0 3.0 0.0 4.0 0.0 2.0 0.0 3.0 4.0 0.0 0.0 2.0
DSS05 0.0 0.0 0.0 0.0 0.0 3.0 4.0 0.0 2.0 0.0 4.0 0.0 3.0 0.0 3.0 2.0 0.0 0.0 3.0

DSS06 0.0 0.0 0.0 0.0 0.0 3.0 4.0 2.0 0.0 0.0 2.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 3.0
MEA01 1.0 2.0 2.0 0.0 0.0 2.0 2.0 0.0 0.0 2.0 3.0 2.0 2.0 2.0 0.0 2.0 0.0 0.0 2.0
MEA02 1.0 2.0 2.0 0.0 0.0 3.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 3.0 0.0 2.0 0.0 0.0 2.0
MEA03 0.0 1.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 0.0 3.0 2.0 4.0 2.0 0.0 0.0 0.0 0.0 2.0
MEA04 1.0 2.0 0.0 0.0 0.0 0.0 3.0 0.0 0.0 2.0 3.0 2.0 2.0 4.0 0.0 2.0 2.0 0.0 2.0


Information & Technology Governance System Design
Design Factor 4 IT-Related Issues

Input Section—Importance of Each Generic IT-Related Issue

IT-Related Issue  Importance (1-3)  Baseline
Frustration between different IT entities across the organization because of a perception of low contribution to business value  2
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value  2
Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT  2
Service delivery problems by the IT outsourcer(s)  2
Failures to meet IT-related regulatory or contractual requirements  2
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems  2
Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets  2
Duplications or overlaps between various initiatives, or other forms of wasted resources  2
Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction  2
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget  2
Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT  2
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions  2
Excessively high cost of IT  2
Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems  2
Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages  2
Regular issues with data quality and integration of data across various sources  2
High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation  2
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services)  2
Ignorance of and/or noncompliance with privacy regulations  2
Inability to exploit new technologies or innovate using I&T  2

Average 1.35
Stdev 0.65
Correction Factor 1.48

[Chart: Design Factor 4 IT-Related Issues, Importance of IT-Related Issues (Input); axis 0 to 3; legend: No Issue, Issue, Serious Issue]

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 44 70 -5
EDM02 48.5 70 5
EDM03 32 47 0
EDM04 46 67 0
EDM05 28 41 0
APO01 37 56 0
APO02 33 50 0
APO03 49 66 10
APO04 20 32 -5
APO05 44.5 68 -5
APO06 41 62 0
APO07 33.5 47 5
APO08 42.5 70 -10
APO09 31 43 5
APO10 28 39 5
APO11 35 43 20
APO12 36 52 5
APO13 23 33 5
APO14 41.5 60 0
BAI01 27.5 35 15
BAI02 38.5 51 10
BAI03 33.5 41 20
BAI04 17.5 23 15
BAI05 20.5 28 10
BAI06 30.5 42 10
BAI07 29 38 15
BAI08 20.5 31 0
BAI09 13.5 23 -15
BAI10 16.5 25 0
BAI11 36 45 20
DSS01 20 27 10
DSS02 25.5 33 15
DSS03 26 32 20
DSS04 13.5 21 -5
DSS05 18.5 29 -5
DSS06 18 29 -10
MEA01 43 61 5
MEA02 35.5 48 10
MEA03 17.5 29 -10
MEA04 42 58 5

[Charts: Design Factor 4 IT-Related Issues, Resulting Governance/Management Objectives Importance; axis -100 to 100]


DF4 columns (IT-related issues), in order:
1. Frustration between different IT entities across the organization because of a perception of low contribution to business value
2. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
3. Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
4. Service delivery problems by the IT outsourcer(s)
5. Failures to meet IT-related regulatory or contractual requirements
6. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
7. Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets
8. Duplications or overlaps between various initiatives or other forms of wasted resources
9. Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
10. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
11. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
12. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
13. Excessively high cost of IT
14. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
15. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
16. Regular issues with data quality and integration of data across various sources
17. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
18. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department
19. Ignorance of and/or noncompliance with privacy regulations
20. Inability to exploit new technologies or innovate using I&T

EDM01 3.0 3.0 1.0 1.0 2.0 2.0 2.0 1.0 1.0 1.0 3.0 3.5 1.0 1.0 1.0 1.0 2.0 3.0 1.5 1.0 35

EDM02 2.5 3.0 1.0 1.0 1.5 2.5 2.0 1.5 0.5 2.5 1.5 1.0 3.0 2.0 1.0 1.0 2.0 2.0 1.0 2.5 35

EDM03 1.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.0 0.0 1.0 1.5 1.0 2.0 1.0 1.0 2.5 1.0 24

EDM04 1.0 1.0 1.0 1.0 1.0 2.0 3.0 3.5 3.5 1.0 1.5 0.0 4.0 2.0 1.0 1.5 2.0 2.5 0.0 1.0 34

EDM05 1.0 1.0 1.0 1.0 1.5 2.0 1.0 1.0 0.0 1.0 3.0 1.5 1.5 0.5 0.0 0.5 1.0 1.0 1.0 0.0 21

APO01 2.0 1.0 2.0 1.0 2.0 2.0 1.0 1.0 0.0 0.5 1.5 4.0 1.0 2.0 1.0 1.0 1.5 2.0 0.5 1.0 28

APO02 1.5 1.5 1.5 1.5 1.0 1.5 1.0 1.0 0.0 1.0 2.5 0.5 0.5 1.5 1.5 0.5 2.0 2.0 0.0 2.5 25

APO03 1.0 1.5 1.0 2.0 0.5 1.5 2.0 1.5 1.0 3.5 0.5 0.5 1.0 4.0 1.0 3.5 2.0 3.0 0.0 2.0 33

APO04 1.0 1.0 1.0 1.0 0.5 0.5 0.5 0.5 0.0 0.0 0.5 1.0 0.5 2.0 1.0 0.0 0.5 0.5 0.0 4.0 16

APO05 3.0 3.0 1.0 1.5 2.0 2.0 1.5 3.5 0.5 2.0 2.0 1.5 2.0 1.0 0.5 0.0 2.5 2.5 0.0 2.0 34

APO06 3.5 2.0 1.0 1.5 1.5 2.0 4.0 3.0 1.0 2.0 1.0 1.5 4.0 0.0 0.0 0.0 1.0 2.0 0.0 0.0 31

APO07 1.5 1.0 1.0 1.0 1.0 1.5 2.0 2.0 4.0 1.0 0.0 0.0 1.0 0.0 3.0 0.0 0.5 0.5 1.5 1.0 24

APO08 2.5 2.0 1.0 2.5 1.5 1.0 2.5 2.0 1.5 1.0 3.0 1.0 0.5 1.0 4.0 1.0 3.0 3.5 0.0 0.5 35

APO09 2.0 1.5 2.0 4.0 1.0 2.5 1.5 2.0 0.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 1.0 1.5 0.0 0.0 22

APO10 1.0 1.0 2.0 4.0 1.5 1.5 1.5 0.0 1.5 1.0 0.0 0.0 1.0 0.0 0.0 0.0 0.5 2.0 1.0 0.0 20

APO11 1.0 1.0 3.0 1.5 1.0 3.0 0.0 0.0 0.0 2.0 0.0 0.0 0.0 0.5 0.5 3.0 2.0 2.0 0.0 1.0 22

APO12 1.0 0.5 2.5 1.5 2.0 2.0 1.0 1.0 0.5 1.0 1.0 1.0 1.0 1.0 1.0 2.0 1.0 1.5 2.5 1.0 26

APO13 0.0 0.0 3.5 1.0 2.0 1.0 0.0 1.0 0.0 0.5 0.0 0.0 0.0 0.0 0.0 1.5 2.0 1.0 2.0 1.0 17

APO14 1.0 1.5 3.0 1.0 2.5 1.5 1.0 1.5 0.0 1.5 0.0 0.0 0.5 2.5 0.5 4.0 2.5 2.0 3.0 0.5 30

BAI01 0.0 1.0 1.5 0.0 0.0 0.0 0.0 3.0 1.0 3.5 0.0 0.0 1.5 0.5 1.0 0.0 1.5 2.0 0.0 1.0 18

BAI02 0.0 3.0 0.0 0.0 0.5 2.0 0.0 2.0 0.0 3.5 0.0 1.0 1.0 2.0 2.0 1.5 2.5 3.0 0.5 1.0 26

BAI03 1.0 2.0 2.0 0.0 0.0 2.0 0.0 1.0 0.0 3.0 0.0 0.5 1.0 1.0 1.0 0.5 2.0 2.0 1.0 0.5 21

BAI04 0.5 0.0 2.0 3.0 0.0 2.0 0.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 0.0 1.0 1.0 1.0 0.0 0.5 12

BAI05 1.0 3.0 0.0 0.0 0.0 0.0 0.0 0.5 0.0 3.0 1.0 0.0 0.0 0.5 2.0 0.0 0.5 1.5 0.0 1.0 14

BAI06 0.0 0.0 2.5 3.0 0.5 1.5 0.0 1.0 0.0 1.5 0.0 1.0 0.5 1.0 0.5 2.0 2.0 2.0 1.0 1.0 21

BAI07 0.0 1.0 2.0 2.0 0.5 1.5 0.0 0.5 0.0 2.0 0.0 1.0 0.0 1.0 0.5 2.0 2.0 2.0 0.0 1.0 19

BAI08 0.0 0.0 0.0 1.5 0.5 0.5 0.0 1.0 2.0 0.5 0.0 0.5 0.0 1.0 3.0 2.0 1.0 1.5 0.0 0.5 16

BAI09 0.5 0.5 1.0 0.0 0.0 0.0 2.0 2.0 0.0 0.0 0.0 0.0 2.0 1.0 0.0 0.0 1.0 1.5 0.0 0.0 12

BAI10 0.0 0.0 2.5 2.0 0.5 0.0 0.0 0.5 0.0 0.0 0.0 0.0 1.0 1.5 0.0 1.5 1.0 2.0 0.0 0.0 13

BAI11 1.0 2.0 2.5 0.0 0.0 0.0 2.0 3.0 1.0 4.0 0.0 0.0 1.5 2.0 0.5 0.0 1.0 1.5 0.0 0.5 23

Step 2 Initial Design
Governance and Management Objectives Importance

[Chart: bar chart, axis -100 to 100; data labels per objective listed below]

EDM01 50
EDM02 60
EDM03 50
EDM04 0
EDM05 50
APO01 -50
APO02 0
APO03 0
APO04 0
APO05 0
APO06 0
APO07 50
APO08 50
APO09 50
APO10 0
APO11 0
APO12 -50
APO13 -50
APO14 0
BAI01 0
BAI02 0
BAI03 0
BAI04 0
BAI05 0
BAI06 0
BAI07 0
BAI08 0
BAI09 50
BAI10 0
BAI11 0
DSS01 50
DSS02 0
DSS03 0
DSS04 0
DSS05 -50
DSS06 0
MEA01 0
MEA02 0
MEA03 -100
MEA04 0

Information & Technology Governance System Design
Design Factor 5 Threat Landscape

Input Section—Importance of Threat Landscape

Value  Importance (100%)  Baseline
High 25% 33%
Normal 75% 67%

Correction Factor 1.00

[Chart: Design Factor 5 IT Threat Landscape; High 25%, Normal 75%]

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 1.50 1.66 -10
EDM02 1.00 1.00 0
EDM03 1.75 1.99 -10
EDM04 1.00 1.00 0
EDM05 1.25 1.33 -5
APO01 1.50 1.66 -10
APO02 1.00 1.00 0
APO03 1.50 1.66 -10
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.25 1.33 -5
APO08 1.00 1.00 0
APO09 1.25 1.33 -5
APO10 1.50 1.66 -10
APO11 1.25 1.33 -5
APO12 1.75 1.99 -10
APO13 1.75 1.99 -10
APO14 1.50 1.66 -10
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.25 1.33 -5
BAI05 1.00 1.00 0
BAI06 1.50 1.66 -10
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.50 1.66 -10
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 1.50 1.66 -10
DSS03 1.25 1.33 -5
DSS04 1.75 1.99 -10
DSS05 1.50 1.66 -10
DSS06 1.50 1.66 -10
MEA01 1.50 1.66 -10
MEA02 1.25 1.33 -5
MEA03 1.50 1.66 -10
MEA04 1.50 1.66 -10

[Charts: Design Factor 5 Threat Landscape, Resulting Governance/Management Objectives Importance; axis -100 to 100]

DF5 High Normal


EDM01 3.0 1.0
EDM02 1.0 1.0
EDM03 4.0 1.0
EDM04 1.0 1.0
EDM05 2.0 1.0
APO01 3.0 1.0
APO02 1.0 1.0
APO03 3.0 1.0
APO04 1.0 1.0
APO05 1.0 1.0
APO06 1.0 1.0
APO07 2.0 1.0
APO08 1.0 1.0
APO09 2.0 1.0
APO10 3.0 1.0
APO11 2.0 1.0
APO12 4.0 1.0
APO13 4.0 1.0
APO14 3.0 1.0
BAI01 1.0 1.0
BAI02 1.0 1.0
BAI03 1.0 1.0
BAI04 2.0 1.0
BAI05 1.0 1.0
BAI06 3.0 1.0
BAI07 1.0 1.0
BAI08 1.0 1.0
BAI09 1.0 1.0
BAI10 3.0 1.0
BAI11 1.0 1.0
DSS01 1.0 1.0
DSS02 3.0 1.0



DSS03 2.0 1.0
DSS04 4.0 1.0
DSS05 3.0 1.0
DSS06 3.0 1.0
MEA01 3.0 1.0
MEA02 2.0 1.0
MEA03 3.0 1.0
MEA04 3.0 1.0


Information & Technology Governance System Design
Design Factor 6 Compliance Requirements

Input Section—Importance of Compliance Requirements

Value  Importance (100%)  Baseline
High 80% 0%
Normal 70% 100%
Low 0% 0%

Correction Factor 1.00

[Chart: Design Factor 6 Compliance Requirements; legend: High, Normal, Low; labels 47%, 53%]

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 3.80 2.00 90
EDM02 1.50 1.00 50
EDM03 4.60 2.00 130
EDM04 1.50 1.00 50
EDM05 1.90 1.00 90
APO01 2.65 1.50 75
APO02 1.50 1.00 50
APO03 1.50 1.00 50
APO04 1.50 1.00 50
APO05 1.50 1.00 50
APO06 1.50 1.00 50
APO07 1.50 1.00 50
APO08 1.50 1.00 50
APO09 1.50 1.00 50
APO10 1.90 1.00 90
APO11 1.50 1.00 50
APO12 4.60 2.00 130
APO13 1.90 1.00 90
APO14 2.65 1.50 75
BAI01 1.50 1.00 50
BAI02 1.50 1.00 50
BAI03 1.50 1.00 50
BAI04 1.50 1.00 50
BAI05 1.50 1.00 50
BAI06 1.50 1.00 50
BAI07 1.50 1.00 50
BAI08 1.50 1.00 50
BAI09 1.50 1.00 50
BAI10 1.50 1.00 50
BAI11 1.50 1.00 50
DSS01 1.50 1.00 50
DSS02 1.50 1.00 50
DSS03 1.50 1.00 50
DSS04 1.90 1.00 90
DSS05 2.30 1.00 130
DSS06 1.50 1.00 50
MEA01 1.50 1.00 50
MEA02 1.50 1.00 50
MEA03 4.60 2.00 130
MEA04 4.20 2.00 110

[Charts: Design Factor 6 Compliance Requirements, Resulting Governance/Management Objectives Importance; axis -100 to 100]

DF6 High Normal Low


EDM01 3.0 2.0 1.0
EDM02 1.0 1.0 1.0
EDM03 4.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.5 1.0 1.0
APO01 2.0 1.5 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.5 1.0 1.0
APO11 1.0 1.0 1.0
APO12 4.0 2.0 1.0
APO13 1.5 1.0 1.0
APO14 2.0 1.5 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0



DSS03 1.0 1.0 1.0
DSS04 1.5 1.0 1.0
DSS05 2.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.0 1.0 1.0
MEA02 1.0 1.0 1.0
MEA03 4.0 2.0 1.0
MEA04 3.5 2.0 1.0


Information & Technology Governance System Design
Design Factor 7 Role of IT

Input Section—Importance of Role of IT

Value  Importance (1-5)  Baseline
Support 5 3
Factory 3 3
Turnaround 3 3
Strategic 5 3

Average 4.00
Stdev 1.00
Correction Factor 0.75

[Chart: Design Factor 7 Role of IT (Input); axis 0 to 5; Support 5, Factory 3, Turnaround 3, Strategic 5]

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 35.5 25.5 5
EDM02 30.5 22.5 0
EDM03 32.0 24.0 0
EDM04 21.0 15.0 5
EDM05 21.0 15.0 5
APO01 26.5 19.5 0
APO02 32.0 24.0 0
APO03 24.0 18.0 0
APO04 36.0 27.0 0
APO05 30.5 22.5 0
APO06 21.0 15.0 5
APO07 18.5 13.5 5
APO08 26.5 19.5 0
APO09 25.5 19.5 0
APO10 27.0 21.0 -5
APO11 24.0 18.0 0
APO12 30.5 22.5 0
APO13 30.5 22.5 0
APO14 26.5 19.5 0
BAI01 26.5 19.5 0
BAI02 32.0 24.0 0
BAI03 32.0 24.0 0
BAI04 27.0 21.0 -5
BAI05 21.0 15.0 5
BAI06 25.5 19.5 0
BAI07 24.0 18.0 0
BAI08 21.0 15.0 5
BAI09 21.0 15.0 5
BAI10 22.5 16.5 0
BAI11 24.0 18.0 0
DSS01 33.5 25.5 0
DSS02 33.5 25.5 0
DSS03 36.0 27.0 0
DSS04 36.0 27.0 0
DSS05 37.0 27.0 5
DSS06 23.5 16.5 5
MEA01 21.0 15.0 5
MEA02 21.0 15.0 5
MEA03 18.5 13.5 5
MEA04 21.0 15.0 5

[Charts: Design Factor 7 Role of IT, Resulting Governance/Management Objectives Importance; axis -100 to 100]

DF7 Support Factory Turnaround Strategic


EDM01 1.0 2.0 1.5 4.0
EDM02 1.0 1.0 2.5 3.0
EDM03 1.0 3.0 1.0 3.0
EDM04 1.0 1.0 1.0 2.0
EDM05 1.0 1.0 1.0 2.0
APO01 1.0 1.5 1.5 2.5
APO02 1.0 1.0 3.0 3.0
APO03 1.0 1.0 2.0 2.0
APO04 0.5 1.0 3.5 4.0
APO05 1.0 1.0 2.5 3.0
APO06 1.0 1.0 1.0 2.0
APO07 1.0 1.0 1.0 1.5
APO08 1.0 1.0 2.0 2.5
APO09 1.0 2.0 1.5 2.0
APO10 1.0 2.5 1.5 2.0
APO11 1.0 1.5 1.5 2.0
APO12 1.0 2.5 1.0 3.0
APO13 1.0 2.0 1.5 3.0
APO14 1.0 1.5 1.5 2.5
BAI01 1.0 1.0 2.0 2.5
BAI02 1.0 1.0 3.0 3.0
BAI03 1.0 1.0 3.0 3.0
BAI04 1.0 2.5 1.5 2.0
BAI05 1.0 1.0 1.0 2.0
BAI06 1.0 2.5 1.0 2.0
BAI07 1.0 1.0 2.0 2.0
BAI08 1.0 1.0 1.0 2.0
BAI09 1.0 1.0 1.0 2.0
BAI10 1.0 1.5 1.0 2.0
BAI11 1.0 1.0 2.0 2.0
DSS01 1.0 3.5 1.0 3.0
DSS02 1.0 3.0 1.5 3.0



DSS03 1.0 3.0 1.5 3.5
DSS04 1.0 3.0 1.5 3.5
DSS05 1.5 2.5 1.5 3.5
DSS06 1.0 1.0 1.0 2.5
MEA01 1.0 1.0 1.0 2.0
MEA02 1.0 1.0 1.0 2.0
MEA03 1.0 1.0 1.0 1.5
MEA04 1.0 1.0 1.0 2.0


Information & Technology Governance System Design
Design Factor 8 Sourcing Model for IT

Input Section—Importance of Sourcing Model for IT

Value  Importance (100%)  Baseline
Outsourcing 20% 33%
Cloud 35% 33%
Insourced 45% 34%

Correction Factor 1.00

[Chart: Design Factor 8 IT Sourcing Model (Input); Outsourcing 20%, Cloud 35%, Insourced 45%]

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 1.00 1.00 0
EDM02 1.00 1.00 0
EDM03 1.35 1.33 0
EDM04 1.00 1.00 0
EDM05 1.00 1.00 0
APO01 1.00 1.00 0
APO02 1.00 1.00 0
APO03 1.00 1.00 0
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.00 1.00 0
APO08 1.00 1.00 0
APO09 2.65 2.98 -10
APO10 2.65 2.98 -10
APO11 1.00 1.00 0
APO12 1.55 1.66 -5
APO13 1.00 1.00 0
APO14 1.00 1.00 0
BAI01 1.00 1.00 0
BAI02 1.00 1.00 0
BAI03 1.00 1.00 0
BAI04 1.00 1.00 0
BAI05 1.00 1.00 0
BAI06 1.00 1.00 0
BAI07 1.00 1.00 0
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.00 1.00 0
BAI11 1.00 1.00 0
DSS01 1.00 1.00 0
DSS02 1.00 1.00 0
DSS03 1.00 1.00 0
DSS04 1.00 1.00 0
DSS05 1.00 1.00 0
DSS06 1.00 1.00 0
MEA01 2.10 2.32 -10
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0

[Charts: Design Factor 8 Sourcing Model for IT, Resulting Governance/Management Objectives Importance; axis -100 to 100]

DF8 Outsourcing Cloud Insourcing


EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 2.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 1.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.0 1.0
APO08 1.0 1.0 1.0
APO09 4.0 4.0 1.0
APO10 4.0 4.0 1.0
APO11 1.0 1.0 1.0
APO12 2.0 2.0 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 1.0 1.0 1.0
BAI02 1.0 1.0 1.0
BAI03 1.0 1.0 1.0
BAI04 1.0 1.0 1.0
BAI05 1.0 1.0 1.0
BAI06 1.0 1.0 1.0
BAI07 1.0 1.0 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.0 1.0 1.0
BAI11 1.0 1.0 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0



DSS03 1.0 1.0 1.0
DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 3.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 9 IT Implementation Methods

Input Section—Importance of IT Implementation Methods

Value  Importance (100%)  Baseline
Agile 50% 15%
DevOps 10% 10%
Traditional 40% 75%

[Chart: Design Factor 9 IT Implementation Methods; Agile 50%, DevOps 10%, Traditional 40%]

Output Section—Resulting relative importance of each governance/management objective

[Charts: Design Factor 9 IT Implementation Methods, Resulting Governance/Management Objectives Importance; axis -100 to 100]

Governance/Management Objective  Score  Baseline Score  Relative Importance
EDM01 1.00 1.00 0
EDM02 1.00 1.00 0
EDM03 1.00 1.00 0
EDM04 1.00 1.00 0
EDM05 1.00 1.00 0
APO01 1.00 1.00 0
APO02 1.00 1.00 0
APO03 1.10 1.10 0
APO04 1.00 1.00 0
APO05 1.00 1.00 0
APO06 1.00 1.00 0
APO07 1.05 1.05 0
APO08 1.00 1.00 0
APO09 1.00 1.00 0
APO10 1.00 1.00 0
APO11 1.00 1.00 0
APO12 1.05 1.05 0
APO13 1.00 1.00 0
APO14 1.00 1.00 0
BAI01 1.55 1.20 30
BAI02 2.35 1.48 60
BAI03 2.70 1.65 65
BAI04 1.00 1.00 0
BAI05 1.80 1.28 40
BAI06 2.35 1.48 60
BAI07 1.90 1.38 40
BAI08 1.00 1.00 0
BAI09 1.00 1.00 0
BAI10 1.35 1.18 15
BAI11 1.75 1.23 45
DSS01 1.15 1.15 0
DSS02 1.05 1.05 0
DSS03 1.05 1.05 0
DSS04 1.00 1.00 0
DSS05 1.00 1.00 0
DSS06 1.00 1.00 0
MEA01 1.30 1.13 15
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0


DF9 Agile DevOps Traditional


EDM01 1.0 1.0 1.0
EDM02 1.0 1.0 1.0
EDM03 1.0 1.0 1.0
EDM04 1.0 1.0 1.0
EDM05 1.0 1.0 1.0
APO01 1.0 1.0 1.0
APO02 1.0 1.0 1.0
APO03 1.0 2.0 1.0
APO04 1.0 1.0 1.0
APO05 1.0 1.0 1.0
APO06 1.0 1.0 1.0
APO07 1.0 1.5 1.0
APO08 1.0 1.0 1.0
APO09 1.0 1.0 1.0
APO10 1.0 1.0 1.0
APO11 1.0 1.0 1.0
APO12 1.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 1.0 1.0 1.0
BAI01 2.0 1.5 1.0
BAI02 3.5 2.0 1.0
BAI03 4.0 3.0 1.0
BAI04 1.0 1.0 1.0
BAI05 2.5 1.5 1.0
BAI06 3.5 2.0 1.0
BAI07 2.5 2.5 1.0
BAI08 1.0 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 2.0 1.0
BAI11 2.5 1.0 1.0
DSS01 1.0 2.5 1.0
DSS02 1.0 1.5 1.0
DSS03 1.0 1.5 1.0
DSS04 1.0 1.0 1.0
DSS05 1.0 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 1.5 1.5 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0


Information & Technology Governance System Design
Design Factor 10 Technology Adoption Strategy

Input Section—Importance of Technology Adoption Strategy

Value Importance (100%) Baseline
First mover 15% 15%
Follower 70% 70%
Slow adopter 15% 15%

[Figure: Design Factor 10 Technology Adoption Strategy (chart of the First mover, Follower and Slow adopter shares)]


Design Factor 10 Technology Adoption Strategy

Output Section—Resulting relative importance of each governance/management objective

Governance/Management Objective Score Baseline Score Relative Importance
EDM01 2.50 2.50 0
EDM02 2.58 2.58 0
EDM03 1.08 1.08 0
EDM04 2.00 2.00 0
EDM05 1.08 1.08 0
APO01 1.58 1.58 0
APO02 2.93 2.93 0
APO03 1.15 1.15 0
APO04 2.85 2.85 0
APO05 2.50 2.50 0
APO06 1.35 1.35 0
APO07 1.23 1.23 0
APO08 1.65 1.65 0
APO09 1.43 1.43 0
APO10 1.58 1.58 0
APO11 1.43 1.43 0
APO12 1.50 1.50 0
APO13 1.00 1.00 0
APO14 1.93 1.93 0
BAI01 2.93 2.93 0
BAI02 2.43 2.43 0
BAI03 2.50 2.50 0
BAI04 1.43 1.43 0
BAI05 2.00 2.00 0
BAI06 1.93 1.93 0
BAI07 2.43 2.43 0
BAI08 1.08 1.08 0
BAI09 1.00 1.00 0
BAI10 1.08 1.08 0
BAI11 2.43 2.43 0
DSS01 1.00 1.00 0
DSS02 1.00 1.00 0
DSS03 1.08 1.08 0
DSS04 1.08 1.08 0
DSS05 1.08 1.08 0
DSS06 1.00 1.00 0
MEA01 2.00 2.00 0
MEA02 1.00 1.00 0
MEA03 1.00 1.00 0
MEA04 1.00 1.00 0

[Figures: Design Factor 10 Technology Adoption Strategy, Resulting Governance/Management Objectives Importance (bar chart and spider chart, scale -100 to 100)]


DF10 First Mover Follower Slow Adopter


EDM01 3.5 2.5 1.5
EDM02 4.0 2.5 1.5
EDM03 1.5 1.0 1.0
EDM04 2.5 2.0 1.5
EDM05 1.5 1.0 1.0
APO01 2.5 1.5 1.0
APO02 4.0 3.0 1.5
APO03 2.0 1.0 1.0
APO04 4.0 3.0 1.0
APO05 4.0 2.5 1.0
APO06 1.0 1.5 1.0
APO07 2.5 1.0 1.0
APO08 3.0 1.5 1.0
APO09 1.5 1.5 1.0
APO10 2.5 1.5 1.0
APO11 1.5 1.5 1.0
APO12 2.0 1.5 1.0
APO13 1.0 1.0 1.0
APO14 2.5 2.0 1.0
BAI01 4.0 3.0 1.5
BAI02 3.5 2.5 1.0
BAI03 4.0 2.5 1.0
BAI04 1.5 1.5 1.0
BAI05 3.0 2.0 1.0
BAI06 2.5 2.0 1.0
BAI07 3.5 2.5 1.0
BAI08 1.5 1.0 1.0
BAI09 1.0 1.0 1.0
BAI10 1.5 1.0 1.0
BAI11 3.5 2.5 1.0
DSS01 1.0 1.0 1.0
DSS02 1.0 1.0 1.0
DSS03 1.5 1.0 1.0
DSS04 1.5 1.0 1.0
DSS05 1.5 1.0 1.0
DSS06 1.0 1.0 1.0
MEA01 3.0 2.0 1.0
MEA02 1.0 1.0 1.0
MEA03 1.0 1.0 1.0
MEA04 1.0 1.0 1.0



Governance and Management Objectives Importance (All Design Factors)

[Figure: bar chart, scale -100 to 100; the value shown for each objective is listed below]

EDM01 50
EDM02 0
EDM03 50
EDM04 0
EDM05 50
APO01 -50
APO02 0
APO03 0
APO04 0
APO05 0
APO06 0
APO07 50
APO08 50
APO09 50
APO10 0
APO11 0
APO12 -50
APO13 -50
APO14 0
BAI01 0
BAI02 0
BAI03 0
BAI04 0
BAI05 0
BAI06 0
BAI07 0
BAI08 0
BAI09 50
BAI10 0
BAI11 0
DSS01 50
DSS02 0
DSS03 0
DSS04 0
DSS05 -50
DSS06 0
MEA01 0
MEA02 0
MEA03 -100
MEA04 0

[Figures: spider charts "Resulting Governance/Management Objectives Importance" (scale -100 to 100) for Design Factor 1 Enterprise Strategy, Design Factor 2 Enterprise Goals, Design Factor 3 Risk Profile and Design Factor 4 IT-Related Issues]

Initial Summary—Governance and Management Objectives

[Figure: bar chart, scale -100 to 100; the value shown for each objective is listed below]

EDM01—Ensured Governance Framework Setting & Maintenance 50
EDM02—Ensured Benefits Delivery 60
EDM03—Ensured Risk Optimization 50
EDM04—Ensured Resource Optimization 0
EDM05—Ensured Stakeholder Engagement 50
APO01—Managed I&T Management Framework -50
APO02—Managed Strategy 0
APO03—Managed Enterprise Architecture 0
APO04—Managed Innovation 0
APO05—Managed Portfolio 0
APO06—Managed Budget & Costs 0
APO07—Managed Human Resources 50
APO08—Managed Relationships 50
APO09—Managed Service Agreements 50
APO10—Managed Vendors 0
APO11—Managed Quality 0
APO12—Managed Risk -50
APO13—Managed Security -50
APO14—Managed Data 0
BAI01—Managed Programs 0
BAI02—Managed Requirements Definition 0
BAI03—Managed Solutions Identification & Build 0
BAI04—Managed Availability & Capacity 0
BAI05—Managed Organizational Change 0
BAI06—Managed IT Changes 0
BAI07—Managed IT Change Acceptance and Transitioning 0
BAI08—Managed Knowledge 0
BAI09—Managed Assets 50
BAI10—Managed Configuration 0
BAI11—Managed Projects 0
DSS01—Managed Operations 50
DSS02—Managed Service Requests & Incidents 0
DSS03—Managed Problems 0
DSS04—Managed Continuity 0
DSS05—Managed Security Services -50
DSS06—Managed Business Process Controls 0
MEA01—Managed Performance and Conformance Monitoring 0
MEA02—Managed System of Internal Control 0
MEA03—Managed Compliance with External Requirements -100
MEA04—Managed Assurance 0


[Figures: spider charts "Resulting Governance/Management Objectives Importance" (scale -100 to 100) for Design Factor 5 Threat Landscape, Design Factor 6 Compliance Requirements, Design Factor 7 Role of IT, Design Factor 8 Sourcing Model for IT, Design Factor 9 IT Implementation Methods and Design Factor 10 Technology Adoption Strategy]

Governance and Management Objectives Importance (All Design Factors)

[Figure: bar chart; the value shown for each objective is listed below]

EDM01—Ensured Governance Framework Setting & Maintenance 50
EDM02—Ensured Benefits Delivery 0
EDM03—Ensured Risk Optimization 50
EDM04—Ensured Resource Optimization 0
EDM05—Ensured Stakeholder Engagement 50
APO01—Managed I&T Management Framework -50
APO02—Managed Strategy 0
APO03—Managed Enterprise Architecture 0
APO04—Managed Innovation 0
APO05—Managed Portfolio 0
APO06—Managed Budget & Costs 0
APO07—Managed Human Resources 50
APO08—Managed Relationships 50
APO09—Managed Service Agreements 50
APO10—Managed Vendors 0
APO11—Managed Quality 0
APO12—Managed Risk -50
APO13—Managed Security -50
APO14—Managed Data 0
BAI01—Managed Programs 0
BAI02—Managed Requirements Definition 0
BAI03—Managed Solutions Identification & Build 0
BAI04—Managed Availability & Capacity 0
BAI05—Managed Organizational Change 0
BAI06—Managed IT Changes 0
BAI07—Managed IT Change Acceptance and Transitioning 0
BAI08—Managed Knowledge 0
BAI09—Managed Assets 50
BAI10—Managed Configuration 0
BAI11—Managed Projects 0
DSS01—Managed Operations 50
DSS02—Managed Service Requests & Incidents 0
DSS03—Managed Problems 0
DSS04—Managed Continuity 0
DSS05—Managed Security Services -50
DSS06—Managed Business Process Controls 0
MEA01—Managed Performance and Conformance Monitoring 0
MEA02—Managed System of Internal Control 0
MEA03—Managed Compliance with External Requirements -100
MEA04—Managed Assurance 0
