
Columns: COBIT 2019 PRACTICE NAME | COBIT 2019 ACTIVITIES (COMPONENT: PROCESS) | COBIT 2019 INPUTS (COMPONENT: INFORMATION | COBIT 2019 OUTPUTS (COMPONENT: | FUNCTION (COMPONENT: ORG | RACI | RELATED POLICIES | ITIL V4 MANAGEMENT | ITIL V4 MANAGEMENT | ITIL V4 MANAGEMENT VALUE CHAIN ACTIVITIES
BAI03.06 Perform quality assurance (QA).

Activities:
1. Define a QA plan and practices that include, for example, specification of quality criteria, validation and verification processes, definition of how quality will be reviewed, necessary qualifications of quality reviewers, and roles and responsibilities for the achievement of quality.
2. Frequently monitor the solution quality based on project requirements, enterprise policies, adherence to development methodologies, quality management procedures and acceptance criteria.
3. Employ, as appropriate, code inspection, test-driven development practices, automated testing, continuous integration, walk-throughs and testing of applications. Report on outcomes of the monitoring process and testing to the application software development team and IT management.
4. Monitor all quality exceptions and address all corrective actions. Maintain a record of all reviews, results, exceptions and corrections. Repeat quality reviews, where appropriate, based on the amount of rework and corrective action.

Inputs:
- APO11.01 Results of QMS effectiveness reviews
- BAI01.07 Quality management plan
- BAI11.05 Project quality management plan

Outputs:
- Quality review results, exceptions and corrections --> APO11.04
- Quality assurance plan --> APO11.04

RACI:
- Steering Programs/Project Committee: Accountable
- Business Process Owners: Responsible
- Project Management Office: Responsible
- Head Development: Responsible
- Chief Technology Officer: Responsible
- Program Manager: Responsible
- Project Manager: Responsible

Related policies:
- ISF, The Standard of Good Practice for Information Security 2016

ITIL V4 management practices and value chain activities:

Software Development and Management (Technical)
- Plan: Software development and management provides information about opportunities and constraints related to the creation and changing of the organization’s software.
- Improve: Service improvements involving software components of the services, especially those developed in house, rely on this practice.
- Design and transition: Software development and management allows the organization to holistically design and manage changes to products and services.
- Obtain/build: The creation of in-house products and the configuration of products developed by partners and suppliers depend on this practice.
- Deliver and support: Software development and management provides delivery and support teams with documentation needed to use products that facilitate the co-creation of value.

Capacity and Performance Management (Service Management)
- Plan: Capacity and performance management supports tactical and operational planning with information about actual demand and performance, and with modelling and forecasting tools and methods.
- Improve: Improvements are identified and driven by performance information provided by this practice.
- Engage: Customers’ and users’ expectations are managed and supported by information about performance and capacity constraints and capabilities.
- Design and transition: Capacity and performance management is essential for product and service design: it helps to ensure that new and changed services are designed for optimum performance, capacity, and scalability.
- Obtain/build: Capacity and performance management helps to ensure that components and services being obtained or built meet performance needs of the organization.
- Deliver and support: Services and service components are supported and tested by performance and capacity targets, metrics and measurement, and reporting targets and tools.

Continual Improvement (General Management)
- Plan: The continual improvement practice is applied to planning activities, methods, and techniques to make sure they are relevant to the organization’s current objectives and context.
- Improve: The continual improvement practice is key to this value chain activity. It structures resources and activities, enabling improvement at all levels of the organization and the SVS.
- Engage, design and transition, obtain/build, and deliver and support: Each of these value chain activities is subject to continual improvement, and the continual

BAI03.07 Prepare for Solution Testing

Activities:
1. Create an integrated test plan and practices commensurate with the enterprise environment and strategic technology plans. Ensure that the integrated test plan and practices will enable the creation of suitable testing and simulation environments to help verify that the solution will operate successfully in the live environment and deliver the intended results and that controls are adequate.
2. Create a test environment that supports the full scope of the solution. Ensure that the test environment reflects, as closely as possible, real-world conditions, including the business processes and procedures, range of users, transaction types, and deployment conditions.
3. Create test procedures that align with the plan and practices and allow evaluation of the operation of the solution in real-world conditions. Ensure that the test procedures evaluate the adequacy of the controls, based on enterprisewide standards that define roles, responsibilities and testing criteria, and are approved by project stakeholders and the sponsor/business process owner.
4. Document and save the test procedures, cases, controls and parameters for future testing of the application.

Inputs:
- -

Outputs:
- Test Procedures --> BAI07.03
- Test Plan --> BAI07.04

RACI:
- Chief Technology Officer: Responsible
- Business Process Owners: Responsible
- Steering (Programs/Projects) Committee: Accountable
- Head Development: Responsible
- Head IT Operations: Responsible
- Service Manager: Responsible
- Information Security Manager: Responsible
- Business Continuity Manager: Responsible
- Privacy Officer: Responsible

Related policies:
- National Institute of Standards and Technology Special Publication 800-53, Revision 5 (Draft), August 2017

ITIL V4 management practices and value chain activities:

Deployment management (Technical management practices)
- Improve: Some improvements may require components to be deployed before they can be delivered, and these should be planned and managed in the same way as any other deployment.
- Design and transition: Deployment management moves new and changed components to live environments, so it is a vital element of this value chain activity.
- Obtain/build: Changes can be deployed incrementally as part of this value chain activity. This is especially common in DevOps environments using a complete automated toolchain for continuous integration, delivery, and deployment.

Infrastructure and platform management (Technical management practices)
- Plan: Infrastructure and platform management provides information about technology opportunities and constraints that is used for the organization’s strategic and tactical planning.
- Improve: Information about technology opportunities that can support continual improvement, and any constraints of the technologies in use, is provided by this practice.
- Design and transition: Product and service design benefits from the information provided about technology opportunities and constraints.
- Obtain/build: Infrastructure and platform management is a critical contributor to this activity as it provides necessary information about the components to be obtained.
- Deliver and support: At the operational level, infrastructure and platform management supports ongoing maintenance of the services and the infrastructure, including any executions of patch management, backups, etc.

Business Analysis (Service Management Practices)
- Plan: Business analysis contributes to strategic decision-making on what will be done and how.
- Improve: All levels of evaluation and improvement benefit from business analysis, which is particularly applicable at strategic and tactical levels.
- Engage: Business analysis is key to the gathering of requirements during this value chain activity.
- Design and transition: Gathering, prioritization, and analysis of accurate requirements can help ensure that a high-quality solution is designed and progressed to operation.
- Obtain/build: Business analysis skills are integral to the definition of an agreed solution.
- Deliver and support: Data from the ongoing delivery of a service can be part of business analysis activities when designing changes to the service, as well as when looking for opportunities for continual improvement.

COBIT 2019 objective: BAI-03 Managed Solutions Identification and Build

BAI03.08 Execute solution testing

Activities:
1. Undertake testing of solutions and their components in accordance with the testing plan. Include testers independent from the solution team, with representative business process owners and end users. Ensure that testing is conducted only within the development and test environments.
2. Use clearly defined test instructions, as defined in the test plan. Consider the appropriate balance between automated scripted tests and interactive user testing.
3. Undertake all tests in accordance with the test plan and practices. Include the integration of business processes and IT solution components and of nonfunctional requirements (e.g., security, privacy, interoperability, usability).
4. Identify, log and classify (e.g., minor, significant and mission-critical) errors during testing. Repeat tests until all significant errors have been resolved. Ensure that an audit trail of test results is maintained.
5. Record testing outcomes and communicate results of testing to stakeholders in accordance with the test plan.

Inputs:
- APO04.05 Analysis of rejected initiatives

Outputs:
- Test result communications --> BAI07.03

RACI:
- Chief Technology Officer: Responsible
- Business Process Owners: Responsible
- Steering (Programs/Projects) Committee: Accountable
- Head Development: Responsible
- Head IT Operations: Responsible
- Information Security Manager: Responsible
- Privacy Officer: Responsible

Related policies:
- CMMI Cybermaturity Platform, 2018
- ISF, The Standard of Good Practice for Information Security 2016
- National Institute of Standards and Technology Special Publication 800-53, Revision 5 (Draft), August 2017

ITIL V4 management practices and value chain activities:

Strategy management (General management)
- Plan: Strategy management ensures that the organization’s strategy has been translated into tactical and operational plans for each organizational unit that is expected to deliver on the strategy.
- Improve: Strategy management provides strategy and objectives to be used to prioritize and evaluate improvements.
- Engage: When opportunities or demand are identified by the organization, the decisions about how to prioritize these are based upon the organization’s strategy plus the risk assessment and resource availability.
- Design and transition, obtain/build, and deliver and support: Strategy management ensures the strategy is implemented through execution of the strategic plans in coordination with these activities. It also provides feedback to enable the measurement and evaluation of products and services during design and transition.

Service Design (Service management)
- Plan: The service design practice includes planning and organizing the people, partners and suppliers, information, communication, technology, and practices for new or changed products and services, and the interaction between the organization and its customers.
- Improve: Service design can be used to improve an existing service as well as to create a new service from scratch. Services can be designed as a minimum viable service, deployed, and then iterated and improved to add further value based on feedback.
- Engage: Service design incorporates CX and UX, which are quintessential examples of engagement.
- Design and transition: The purpose of service design is to design products and services that are easy to use, desirable, and that can be delivered by the organization.
- Obtain/build: Service design includes the identification of products, services, and service components that need to be obtained or built for the new or changed service.

Software development and management (Technical management)
- Plan: Software development and management provides information about opportunities and constraints related to the creation and changing of the organization’s software.
- Improve: Service improvements involving software components of the services, especially those developed in house, rely on this practice.
- Design and transition: Software development and management allows the organization to holistically design and manage changes to products and services.
- Obtain/build: The creation of in-house products and the configuration of products developed by partners and suppliers depend on this practice.
- Deliver and support: Software development and management provides delivery and support teams with documentation needed to use products that facilitate the co-creation of value.

BAI03.09 Manage changes to requirements.

Activities:
1. Assess the impact of all solution change requests on the solution development, the original business case and the budget. Categorize and prioritize them accordingly.
2. Track changes to requirements, enabling all stakeholders to monitor, review and approve the changes. Ensure that the outcomes of the change process are fully understood and agreed on by all the stakeholders and the sponsor/business process owner.
3. Apply change requests, maintaining the integrity of integration and configuration of solution components. Assess the impact of any major solution upgrade and classify it according to agreed objective criteria (such as enterprise requirements), based on the outcome of analysis of the risk involved (such as impact on existing systems and processes or security/privacy), cost-benefit justification and other requirements.

Inputs:
- APO04.05 Results and recommendations from proof-of-concept initiatives
- BAI02.01 Record of requirement change requests

Outputs:
- Record of all approved and applied change requests --> BAI06.03

RACI:
- Chief Technology Officer: Responsible
- Business Process Owners: Responsible
- Steering (Programs/Projects) Committee: Accountable
- Program Manager: Responsible
- Project Manager: Responsible
- Project Management Office: Responsible
- Head Architect: Responsible
- Head Development: Responsible
- Information Security Manager: Responsible
- Privacy Officer: Responsible

Related policies:
- ISF, The Standard of Good Practice for Information Security 2016

ITIL V4 management practices and value chain activities:

Continual improvement (General management)
- Plan: The continual improvement practice is applied to planning activities, methods, and techniques to make sure they are relevant to the organization’s current objectives and context.
- Improve: The continual improvement practice is key to this value chain activity. It structures resources and activities, enabling improvement at all levels of the organization and the SVS.
- Engage, design and transition, obtain/build, and deliver and support: Each of these value chain activities is subject to continual improvement, and the continual

Service level management (Service management)
- Plan: Service level management supports planning of the product and service portfolio and service offerings with information about the actual service performance and trends.
- Improve: Service feedback from users, as well as requirements from customers, can be a driving force for service improvement.
- Engage: Service level management ensures ongoing engagement with customers and users through feedback processing and continual service review.
- Design and transition: The design and development of new and changed services receives input from this practice, both through interaction with customers and as part of the feedback loop in transition.
- Obtain/build: Service level management provides objectives for components and service performance, as well as for measurement and reporting capabilities of the products and services.
- Deliver and support: Service level management communicates service performance objectives to the operations and support teams and collects their feedback as an input for service improvement.

BAI03.10 Maintain solutions.

Activities:
1. Develop and execute a plan for the maintenance of solution components. Include periodic reviews against business needs and operational requirements such as patch management, upgrade strategies, risk, privacy, vulnerabilities assessment and security requirements.
2. Assess the significance of a proposed maintenance activity on current solution design, functionality and/or business processes. Consider risk, user impact and resource availability. Ensure that business process owners understand the effect of designating changes as maintenance.
3. In the event of major changes to existing solutions that result in significant change in current designs and/or functionality and/or business processes, follow the development process used for new systems. For maintenance updates, use the change management process.
4. Ensure that the pattern and volume of maintenance activities are analyzed periodically for abnormal trends that indicate underlying quality or performance problems, cost/benefit of major upgrade, or replacement in lieu

Inputs:
- -

Outputs:
- Maintenance plan --> APO08.05
- Updated solution components and related documentation --> BAI05.05

RACI:
- Chief Information Officer: Accountable
- Chief Technology Officer: Responsible
- Business Process Owners: Responsible
- Program Manager: Responsible
- Project Manager: Responsible
- Project Management Office: Responsible
- Head Development: Responsible
- Information Security Manager: Responsible
- Privacy Officer: Responsible

Related policies:
- ISO/IEC 27002:2013/Cor.2:2015(E)

ITIL V4 management practices and value chain activities:

Software Development and Management (Technical)
- Plan: Software development and management provides information about opportunities and constraints related to the creation and changing of the organization’s software.
- Improve: Service improvements involving software components of the services, especially those developed in house, rely on this practice.
- Design and transition: Software development and management allows the organization to holistically design and manage changes to products and services.
- Obtain/build: The creation of in-house products and the configuration of products developed by partners and suppliers depend on this practice.
- Deliver and support: Software development and management provides delivery and support teams with documentation needed to use products that facilitate the co-creation of value.

Continual Improvement (General Management)
- Plan: The continual improvement practice is applied to planning activities, methods, and techniques to make sure they are relevant to the organization’s current objectives and context.
- Improve: The continual improvement practice is key to this value chain activity. It structures resources and activities, enabling improvement at all levels of the organization and the SVS.
- Engage, design and transition, obtain/build, and deliver and support: Each of these value chain activities is subject to continual improvement, and the continual
