Process Objectives
The objectives of this assessment are to determine that:
© 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)
2. Obtain and understand plans, policies and procedures to verify that the program management team:
3. Inquire and confirm that, on a regular basis, the program management team:
a) verifies with business management that the current program as designed will meet business requirements, and makes adjustments as necessary
b) reviews progress of individual projects and adjusts the availability of resources, as necessary, to meet schedule milestones
c) evaluates changes in technology and IT markets to determine whether the program should be adjusted to avoid newly emerging risks, to take advantage of newer and more effective technological solutions, or to take advantage of market changes that can lower costs
4. Obtain, determine, and analyze plans, policies and procedures to verify that the project management framework:
BAI01.01.02 - Updates to Approach
Control objective: Determine that IT updates the program and project management approach based on lessons learned from its use.
Test steps:
1. Obtain any documentation of changes to the approach since the last assessment.
2. Inquire whether, and confirm that, effective mechanisms exist to track and implement changes in the approach based on formal lessons learned.
BAI01.02.02 - Program Mandate
Control objective: Understand if IT confirms the program mandate with sponsors and stakeholders.
Test steps:
1. For the projects under review, determine the mandate and confirm this with identified sponsors and stakeholders.
2. Obtain the project charter and outline the strategic objectives the project is supporting, potential strategies for delivery, improvement, and benefits that are expected to result, and how the project fits with other initiatives.
Note:
An alternate approach to getting to the heart of how the program sees its strategic fit and the
1. Describe what you do to ensure that Agile projects meet project time and scope commitments and deliver business value.
2. What documentation do you produce that shows that value was achieved?
4. How often do you meet with the business clients to align business expectations with IT delivery, as a test of your assumptions of value?
5. Describe a time when assumed value differed from actual value.
6. How much of the work of Agile is rework because things were not done right in the first
7. In your implementation of Agile, how do you ensure that value is not just in the eyes of IT but also in the eyes of the business?
9. Can you think of any recent project that brought no business value?
1. Describe how you tie the Agile portfolio to the organizational strategy so that you can ensure the organization is accomplishing what it needs to within an Agile framework.
2. To the best of your ability, describe if there is an Agile Portfolio charter. (The portfolio charter defines: (1) what specifically is this portfolio going to accomplish in line with the overall organizational strategic objectives? (2) roles and responsibilities, who is going to be fulfilling the three major roles (portfolio owner, program manager, and area product owner)
3. Describe your project-level governance (the work of a single team). That is, how do you identify and advocate for specific goals to be reached during each sprint? How do you decide on the goals to achieve? How do you decide if additional goals are needed?
5. Describe how you filter the company's strategic goals down to individual projects to produce tangible results.
6. To what extent do the Scrum Masters understand this link? (They should be in a position to understand and translate the overarching strategic goals of the organization to project managers who may otherwise suffer from tunnel vision.)
7. Describe how ceremonies and artifacts help in Agile project governance. What do they add to the decision-making process to ensure that the right things happen?
8. Describe how you monitor and report on the progress of projects under your oversight.
9. Describe how you monitor and measure individual projects in terms of time, money, and personnel.
BAI01.02.03 - Business Case
Control objective: Determine if IT has developed a detailed business case for a
Note: Involve a sample of key stakeholders to develop and document a complete understanding of the expected enterprise outcomes, how they will be measured, the full scope of initiatives
Test steps:
A. From a sample of SDLC projects and inquiry, determine the extent and quality of the following:
a) From the charter and initial project documentation, determine the detailed business case for the project.
b) From the documentation, detail the understanding of the expected outcomes and how they will be measured.
c) From the project documentation, determine if an initial risk assessment has been performed that outlines the impact on all aspects of the enterprise.
d) Determine if alternate courses of action were identified and assessed.
B. Inquire of the Agile managers how they come to understand who the stakeholders are, how they understand and document the expected outcomes, how the outcomes are measured, the scope of the project, and the risks involved. Determine also how alternate courses of action are identified and considered.
BAI01.02.04 - Benefits Realization
Control objective: Determine that IT has developed a benefits realization plan that will be managed throughout the program to ensure that planned benefits always have owners and are achieved, sustained and optimized.
Test steps:
From a sample of SDLC projects, determine if the project documentation details a benefits realization plan that will be managed throughout the project to ensure that planned benefits always have owners and are achieved.
Note: This will not be available for Agile projects.
BAI01.02.05 - Approval
Control objective: Determine if IT has prepared and submitted for in-principle approval the initial (conceptual) program business case, providing essential decision-making information regarding purpose, contribution to business objectives, expected value created, periods, etc.
Test steps:
1. From a sample of SDLC projects, determine the approvers for the business case and project charter.
2. Inquire of the Agile managers how stakeholders come to review and approve the work before it is started.
BAI01.02.06 - Dedicated Management
Control objective: Understand that IT has appointed a dedicated manager for the program, with the commensurate competencies and skills to manage the program effectively and efficiently.
Test steps:
From the sample of projects, determine the identity of the manager for the project and, through inquiry and review, understand their scope of authority.
2. From inquiries of Agile managers, determine how and when approvals are made during the
a) if the project plan specifies the required resources and skills to execute the project.
b) if there is a schedule of resources divided among independent contractors, employees, and implementation partner staff.
2. On the sample of SDLC projects, determine the extent to which the business drives the objectives and helps to prioritize the work to ensure that the program as designed will meet requirements.
3. On the sample of SDLC projects, review progress reports to determine, if applicable, whether the project will meet scheduled milestone releases.
BAI01.04.06 - Business Case Update
Control objective: Determine that IT updates and maintains, throughout the program's economic life, the business case and a benefit register to identify and define key benefits arising from undertaking the program.
Test steps:
For the selected SDLC projects, determine if the project updates the business case, as necessary, and a benefit register to identify and define key benefits arising from undertaking the project.
BAI01.04.07 - Budget
Control objective: Understand if IT prepares a program budget that reflects the full economic life cycle costs and the associated financial and non-financial benefits.
Test steps:
1. From the sample of SDLC projects, obtain and review the project budget to determine that it reflects the full economic life cycle costs and the associated financial and non-financial benefits.
2. Determine that management has reviewed and approved these cost projections.
BAI01.05.02 - Develop Stages
Control objective: Determine if IT has established agreed-on stages of the development process (development checkpoints).
Note: At the end of each stage, the project managers should facilitate formal discussions of approved criteria with the stakeholders. After successful completion of functionality, performance and quality reviews, and before finalizing stage activities, managers should obtain formal approval and sign-off from all stakeholders and the sponsor/business process owner.
Test steps:
a. Determine, from the available documentation, if there are agreed-on stages of the development process (development checkpoints).
b. During the life of the project and at the end of each stage, determine if there are formally documented discussions of approved criteria with the stakeholders.
BAI01.05.03 - Benefits Realization
Control objective: Determine if IT undertakes a benefits realization process throughout the program to ensure that planned benefits always have owners and are likely to be achieved, sustained and optimized.
Note: Project management should monitor benefits delivery and report against performance targets at the stage-gate or iteration and release reviews. They should perform root cause analysis for deviations from the plan, and identify and address any necessary remedial actions.
Test steps:
1. For a sample of SDLC projects,
a. Understand and document if there is a benefits realization process.
b. Determine if the Steering Committee or stakeholders monitor benefits delivery and report against performance targets at stages or iteration and release reviews.
c. Determine if root cause analysis is performed for deviations from the plan and whether it identifies and addresses any necessary remedial actions.
BAI01.06.04 - Program Performance Against Criteria
Control objective: Understand how IT manages program performance against key criteria (e.g., scope, schedule, quality, benefits realization, costs, risk, and velocity), identifies deviations from the plan and takes timely remedial action when required.
Test steps:
Through inquiry and review of available documentation, determine if IT manages program performance against key criteria (e.g., scope, schedule, quality, benefits realization, costs, risk, and velocity), identifies deviations from the plan and takes timely remedial action when required.
BAI01.06.05 - Monitor Capability Delivery
Control objective: Understand how IT monitors individual project performance related to delivery of the expected capabilities, schedule, benefits realization, costs, risk or other metrics to identify potential impacts on program performance.
Test steps:
Through inquiry and review of available documentation, determine if and how IT monitors individual project performance related to delivery of the expected capabilities, schedule, benefits realization, costs, risk or other metrics to identify potential impacts on program performance.
BAI01.06.06 - IT Portfolio Updates
Control objective: Understand if IT updates operational IT portfolios reflecting changes that result from the program in the relevant IT service, asset or resource portfolios.
Test steps:
Through inquiry and review of available documentation, determine if and how IT updates operational IT portfolios reflecting changes that result from the program in the relevant IT service, asset or resource portfolios.
BAI01.06.07 - Progress Reports
Control objective: Determine, in accordance with stage-gate, release or iteration review criteria, that IT undertakes reviews to report on the progress of the program so that management can make go/no-go or adjustment decisions and approve further funding up to the following stage-gate, release or iteration.
Test steps:
Review a sample of baseline project plans to determine if the IT program management team recommends, implements, and monitors remedial action when required. The plans should be in line with the program and project governance framework.
BAI01.07.06 - Phase Reviews and Reporting
Control objective: To track the execution of a project, determine that IT has put in place mechanisms such as regular reporting and stage-gate, release, or phase reviews in a timely manner with appropriate approval.
Test steps:
1. Inquire of SDLC managers if IT, to track the execution of a project, puts in place mechanisms such as regular reporting and stage-gate, release or phase reviews in a timely manner with appropriate approval.
2. Obtain and review any documentation related to this activity.
1. a statement of scope,
2. details of project products and deliverables,
3. required resources and responsibilities,
4. clear work breakdown structures and work packages,
5. estimates of resources required,
6. milestones,
7. key dependencies, and
8. identification of a critical path.
BAI01.08.02 - Changes
Control objective: Understand that IT maintains the project plan and any dependent plans (e.g. risk plan, quality plan, benefits realization plan) to ensure that they are up to date
Test steps:
From a sample of SDLC project documentation, understand whether dependent plans are updated, with the agreement of the plan owner, to reflect actual progress and material changes from master project plan checkpoints.
BAI01.08.06 - Project Baseline
Control objective: Determine that IT establishes a project baseline (e.g. costs, schedule, scope, quality) that is appropriately reviewed, approved, and incorporated into the integrated project plan.
Test steps:
1. For selected SDLC projects, understand that IT has established a project baseline (e.g. costs, schedule, scope, quality) that is appropriately reviewed, approved, and incorporated into the integrated project plan.
2. Obtain examples of these items and determine their completeness.
Note:
There is no definite consensus on the need for risk management within the Agile method. This has led many to believe that risk management is irrelevant in an iterative model. Some follow the approach of ignoring risks until they manifest as issues, and then manage them through the natural sprint progression. Ideally, risks are managed proactively in Agile as well.
Fundamentally, a risk is something that may occur and cause an unexpected or unanticipated outcome. Bear in mind that the outcome may have a positive or a negative effect: a positive effect is an opportunity, while a negative effect is a threat. A risk is distinct from an issue, which is an unexpected or unanticipated outcome that has already occurred. Because a risk carries a probability, the exact time of its occurrence is unknown, but it does fall within the limits of the project. For this reason, managing risks may not seem to fit naturally into the Agile context.
1. A project objective
2. An identified risk
3. A description of the risk: a one- or two-line overview of the risk. It should be simple and easy to comprehend.
4. Date identified: the date when the risk was identified.
5. Likelihood: the estimated probability of occurrence of the risk.
6. Severity: assessed from the impact of the undesired outcome.
7. Priority (optional): either an independent value or the product of likelihood and severity (above). A high-severity risk with a high likelihood should receive more attention than a high-severity risk with a low likelihood.
8. Owner: the person who manages, controls, and takes action in response to the risk.
9. Action: the response defined to manage/control the risk.
10. Status: indicates whether the risk is open, closed, or being monitored.
It is imperative that the register be made available to the team so that it can be managed and monitored collaboratively. At every sprint meeting, the register must be reviewed and updated with any new information obtained over the sprint. This way, risk management becomes an integral part of Agile.
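As an added worked example (not part of the ISACA program), the register described above as a small Python data structure: each entry carries the ten fields, priority is taken as the product of likelihood and severity unless an independent value is supplied, open risks are ranked so that a high-severity/high-likelihood risk sorts above a high-severity/low-likelihood one, and a sprint-review step applies the agreed status changes. The three-point ordinal scales, the status values and the three sample risks are constructed for this example; ISACA prescribes none of them.

```python
"""Sprint-level risk register (added illustration; scales and sample data are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ordinal scales are an assumption of this example, not an ISACA requirement.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
STATUSES = ("open", "monitored", "closed")


@dataclass
class Risk:
    objective: str                   # 1. project objective the risk threatens
    name: str                        # 2. identified risk
    description: str                 # 3. one- or two-line overview
    identified: date                 # 4. date identified
    likelihood: str                  # 5. estimated probability of occurrence
    severity: str                    # 6. impact of the undesired outcome
    owner: str                       # 8. person who manages and acts on the risk
    action: str                      # 9. defined response
    status: str = "open"             # 10. open / monitored / closed
    priority: Optional[int] = None   # 7. optional independent value

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError(f"{self.name}: likelihood/severity must be one of {list(LIKELIHOOD)}")
        if self.status not in STATUSES:
            raise ValueError(f"{self.name}: status must be one of {STATUSES}")
        if self.description.count("\n") > 1:
            raise ValueError(f"{self.name}: description must fit in one or two lines")

    def effective_priority(self) -> int:
        """Independent value if given, otherwise likelihood x severity."""
        if self.priority is not None:
            return self.priority
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.name in self._risks:
            raise ValueError(f"duplicate risk: {risk.name}")
        self._risks[risk.name] = risk

    def ranked(self, include_closed: bool = False) -> list[Risk]:
        """Risks the team should look at first: highest priority, then oldest."""
        risks = [r for r in self._risks.values() if include_closed or r.status != "closed"]
        return sorted(risks, key=lambda r: (-r.effective_priority(), r.identified))

    def sprint_review(self, updates: dict[str, str]) -> list[str]:
        """Apply status changes agreed at the sprint meeting; return names whose status changed."""
        changed = []
        for name, status in updates.items():
            if status not in STATUSES:
                raise ValueError(f"{name}: unknown status {status!r}")
            risk = self._risks.get(name)
            if risk is None:
                raise KeyError(f"{name}: not in register")
            if risk.status != status:
                risk.status = status
                changed.append(name)
        return changed


def build_sample_register() -> RiskRegister:
    """Three constructed risks for a hypothetical payments project."""
    reg = RiskRegister()
    reg.add(Risk("Launch by Q3", "Key vendor API deprecation",
                 "Vendor retires the v1 API before our release date.",
                 date(2024, 1, 10), "high", "high", "A. Lee", "Migrate to v2 in sprint 3"))
    reg.add(Risk("Launch by Q3", "Data centre outage",
                 "Primary data centre unavailable during cutover weekend.",
                 date(2024, 1, 12), "low", "high", "B. Cruz", "Rehearse failover; keep rollback plan"))
    reg.add(Risk("Stay within budget", "Contractor attrition",
                 "Two of five contractors may leave mid-project.",
                 date(2024, 1, 15), "medium", "medium", "C. Diaz", "Cross-train internal staff"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.ranked():
        print(r.effective_priority(), r.name, r.owner, r.status)
    print("changed:", register.sprint_review({"Key vendor API deprecation": "closed"}))
```

The validation in `__post_init__` is what keeps the register auditable: an entry with a free-text likelihood or an unrecognised status cannot be added, so the team reviewing it at the sprint meeting always sees comparable values.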
BAI01.10.02 - Risk Process
Control objective: Understand if IT assigns to
Test steps:
Inquire of both Agile and SDLC project managers if a formal risk management framework
Consider allocating this role to an independent team, especially if an objective viewpoint is required or a project is considered critical.
BAI01.10.03 - Risk Assessment
Control objective: Determine that IT performs the project risk assessment by identifying and quantifying risk continuously throughout the project.
Note: Project management should manage and communicate the risk appropriately within the project governance structure.
Test steps:
From the sample of all projects, if a formal risk management framework exists, determine and confirm that a project risk assessment was performed to identify project risks and issues.
BAI01.10.04 - Reapply Risk Assessment
Control objective: Understand if IT reassesses project risk periodically, including at initiation of each major project phase and as part of major change request assessments.
Test steps:
From the sample of projects, if a formal risk management framework exists, determine and confirm that project risks are reassessed periodically, including at entry into each major project phase and as part of major change request assessments.
BAI01.10.05 - Risk Owners
Control objective: Determine that IT identifies owners for actions to avoid, accept or mitigate risk.
Test steps:
From the sample of projects, if a formal risk management framework exists, analyze documentation to verify that risk and issue owners are identified; actions for risk avoidance, acceptance or mitigation (i.e., contingency plan) are identified for these risks; corrective actions are assigned to owners; cost implications are considered; and actions are managed to agreed-upon due dates.
3. For a sample of projects, determine and confirm that the program and project plan and documentation are updated for approved changes.
BAI01.11.05 - Change Approval
Control objective: Understand if and how IT documents and submits any necessary changes to the program's key stakeholders for their approval before adoption.
Test steps:
From the sample of projects, determine that IT documents and submits any necessary changes to the program's key stakeholders for their approval before adoption.
BAI01.11.06 - Remedial Actions
Control objective: Determine if IT recommends and monitors remedial action, when required, in line with the program and project governance framework.
Test steps:
From inquiries of project managers and from the sample of projects, determine that IT recommends and monitors remedial action, when required, in line with the program and project governance framework.
BAI01.11.07 - Iteration Deliverables Approval
Control objective: Understand that IT gains approval and sign-off on the deliverables produced in each iteration, release or project phase from designated managers and users in the affected business and IT functions.
Test steps:
From inquiries of project managers and a review of a sample of projects, determine if IT gains approval and sign-off on the deliverables produced in each iteration, release or project phase from designated managers and users in the affected business and IT functions.
BAI01.11.08 - Acceptance Criteria
Control objective: Determine that IT bases the approval process on clearly
Test steps:
From inquiries of project managers, determine if IT bases their approval process on clearly defined acceptance criteria agreed on by key stakeholders prior to work commencing on the
Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/vulnerability type and includes the actors, events, assets and time issues.
Event (Something that happens that was not supposed to happen, something that does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.)
[ ] Disclosure
[ ] Interruption
[ ] Modification
[ ] Theft
[ ] Destruction
[ ] Ineffective design
[ ] Ineffective execution
[ ] Rules and regulations
[ ] Inappropriate use