Information Systems Governance and

Risk Management
Part I – 1 Intro to COBIT 5: Overview
Yüe “Jeff” Zhang, Acct & IS Dept, CSUN

01/02/2024 1
 Outline of Part I – 1. Overview
• COBIT 5 Overview

Evolution of COBIT

Benefits of COBIT 5

COBIT 5 Scope; Architecture

COBIT 5 five principles

COBIT 5 seven enablers

2
Learning Objectives (LO) Part I - 1
• Understand the benefits of COBIT 5
• Be familiar with the structure of COBIT 5
framework
• Understand the elements of COBIT 5
framework: 5 principles, 7 enablers
• Understand the differences between
governance and mgmt
• Understand the intrinsic logic of the
components of COBIT 5 framework
3
The IT Governance Focus Areas (“Pentagon”)

Focus Area Logical Role

Alignment premium requirement
Value ultimate goal
Risk optimized for value
Resource ground and “means”
Performance operational assurance

4
Philosophical framework of IT governance
 The COBIT Framework
The Need for a Control Framework

Over the past decade, the term ‘governance’ has moved to the
forefront of business thinking – COBIT 5, Executive Summary
“A control framework for IT Governance
defines the reasons IT Governance is needed,
the stakeholders and
what it needs to accomplish.”

• Now to the higher level of “enterprise

governance of IT” (GEIT) – emphasizing
Stakeholder needs – “High on top”
End-to-end coverage – “Whole enterprise”
5
 The COBIT Framework
Definition and Mission - Definition

• COBIT stands for “Control Objectives for

Information and Related Technology.”
Now just COBIT
• Developed by the IT Governance Institute
(ITGI)
• Promoted/advocated by ISACA
a standard setting body in the areas of information
governance, control, and security for professionals.
– ISACA motto recap

Successful enterprises have recognised that the board and 6

executives need to embrace IT – COBIT 5, Exe Summary
 ISACA Motto

Mo t t o

Risk management Risk management n

P entago
Assurance .
Strategic objective achievement Strategic Alignment
Value delivery Value delivery
Resources and performance Resources and performance
management management
Stakeholder interests Strategic Alignment 7
01/02/2024
 The COBIT Framework
Definition and Mission - Mission

• COBIT Mission: [Importance of mission]

To research, develop, publicize and
promote an authoritative, up‐to‐date,
internationally accepted IT governance
control framework (New: COBIT 2019)
for adoption by enterprises and day‐to‐day
use by business managers, IT professionals
and assurance professionals
• Reference: IT Governance Institute, COBIT 4.1 8
 The COBIT Framework
Definition and Mission - Mission

• COBIT's success as an increasingly

internationally accepted set of guidance
materials for IT governance has resulted in the
creation of a growing family of publications
and products designed to assist in the
implementation of effective IT governance
throughout an enterprise.
• What it is; how to use it
• PHILOSOPHY! ! ! METHODOLOGY! ! !
9
咨询师、高端分析师“必备绝技”
Evolution of COBIT

Enterprise Governance of I & T Understand and

analyze (3 trends)
Tim
Sco e
Le pe
Me vel
tho
d

COBIT
2019
10
2019
 The COBIT 5 Framework Benefits

• COBIT 5 helps enterprises create optimal value

from IT
by maintaining a balance between realising benefits
and optimising risk levels and resource use.
• COBIT 5 enables information and related
technology to be governed and managed in a
holistic manner for the entire enterprise, taking
in the full end-to-end business and functional
areas of responsibility, considering the IT-related
interests of internal and external stakeholders.
11
 The COBIT 5 Framework (cont)
• The COBIT 5 principles and enablers are
generic* and useful
for enterprises of all sizes ；
whether commercial, not-for-profit or in the public
sector ；
methodology can be adopted entirely or partially;
application can be on the whole org or a portion.

COBIT 5 Case Studies

 http://www.isaca.org/COBIT/Pages/Recognition.aspx

Generic: 通用的；功能本质（而非品牌决定的）
12
 The COBIT Framework
The IT Governance Framework
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Sharing knowledge and leveraging
expert volunteers
• Continually evolving
• Maps strongly to all major related
standards
• Is a reference, set of best practices, not an “off-the-shelf”
cure

13
The COBIT Framework - Aligning with the Business

• COBIT framework helps IT deliver the information

that an enterprise requires by helping align IT with
the business.

Req Deliver 14
01/02/2024
 Drivers* for Developing a Framework

• End-to-end business and IT responsibilities

• Provide guidance in: f : P. 1 5
 – Enterprise architecture
Re
 – Asset and service management
 – Emerging sourcing and organization models
 – Innovation and emerging technologies
• A need for the enterprise to:
 – Achieve increased value creation
 – Obtain business user satisfaction
 – Achieve compliance with relevant laws, regulations and policies
 – Improve the relation between business and IT
 – Increase the return of governance over enterprise IT 15
 – Connect and 驱动力，驱动因素
Driver: align with other major frameworks and standards
 Understanding Drivers (Zhang)

External - Environment Coupling Internal - Objective

Tech advancement & Drivers for Benefit realization
challenge development of
COBIT 5, P. 15
Biz advancement and Risk optimization
pressure
Compliance mandate * Resource optimization (Cost)

Mandate: 指令，（不可免除的）要求 ; （不可违的）“天命” 16

01/02/2024
Enterprise Architecture (EA) - Gartner
• A discipline for proactively and holistically
leading enterprise responses to disruptive forces
by identifying and analyzing the execution of change
toward desired business vision and outcomes.
• EA delivers value by presenting business and IT
leaders with signature-ready recommendations
for adjusting policies and projects to achieve
target business outcomes that capitalize on
relevant business disruptions.

17
01/02/2024
Enterprise Architecture – Tech Target Network

• A conceptual blueprint that

defines the structure and operation of an
organization.
• The intent of an enterprise architecture is
to determine how an organization can most
effectively achieve its current and future
objectives.

18
01/02/2024
Enterprise Architecture - Microsoft's Michael Platt
1. Business perspective defines the processes and
standards by which the business operates on a day-to-
day basis.
2. Application perspective defines the interactions among
the processes and standards.

3. Information perspective defines and classifies the raw

data that the organization requires in order to efficiently
operate.
4. Technology perspective defines the hardware, operating
systems, programming, and networking solutions used
by the organization. 19
01/02/2024
 Enterprise Architecture (EA) - Wikipedia
• Architecture is the fundamental organization
(structure) of components, their relationships, and the
principles governing their design and evolution.
a formal description of a system, a detailed plan of the
system at component level, to guide its implementation.
• Enterprise Architecture is the organization logic for
business processes and IT infrastructure
• EA is a conceptual blueprint that defines
the structure and operation of an organization.
The intent of EA is to determine how an organization can
most effectively achieve its current and future objectives.
20
01/02/2024
 Benefits of Using COBIT 5

COBIT assists from an Enterprises perspective by:

• Maintaining quality information to support business
decisions.
Benefit • Generating business value from IT-enabled investments,
Risk
i.e., achieve strategic goals and realize business benefits
Cost
-- three through effective and innovative use of IT.
Objectives • Achieving operational excellence through reliable and
of IT efficient application of technology.
gover-
nance • Maintaining IT-related risk at an acceptable level.
• Optimising the cost of IT services and technology.

21
Benefits of Using COBIT 5
• helps enterprises create optimal value from IT
by maintaining a balance between realising benefits and
optimising risk levels and resource use (cost).
• enables IT to be governed and managed in a holistic
manner for the entire enterprise,
taking in the full end-to-end business and IT functional
areas of responsibility, considering the IT-related interests
of internal and external stakeholders.
• is generic and useful for enterprises of all sizes,
whether commercial, not-for-profit or in the public
sector. Rep
rodu
• ced f
rom - COBIT 5, Executive Summary
Slide # 22
11 01/02/2024
Benefits of Using COBIT 5
COBIT drives Stakeholder Value:
• Delivering enterprise stakeholder value requires good
governance and management of information and
technology (IT) assets.
• Enterprise boards, executives and management have to
embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance
requirements related to enterprise use of info and tech are
increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that
assists enterprises to achieve their goals and deliver
value through effective governance and management of
23
enterprise IT.
Benefits of Using COBIT 5
COBIT 5:

24
COBIT Case Studies by Industry

• http://www.isaca.org/Knowledge-Center/cobit
/Pages/COBIT-Case-Studies.aspx

• COBIT 5, although developed for the whole

organization, can be used for any portion of a
firm/org, or any biz process
• The philosophy/methodology can even be
applied beyond biz, beyond org
Revisit slide #12
25
 COBIT5 Scope
• Not simply IT: not only for big business!
• COBIT5 is about governing and managing information
Whatever medium is used
End to end throughout the enterprise
• Information is equally important to:
Global, multinational business
National and local government
Charities and not for profit enterprise
Small to medium enterprises and
Clubs and associations

26
 The COBIT 5 Format & Product Architecture
The COBIT 5 Product Family:

27
COBIT 5 Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved. 28

 1. Meeting Stakeholder Needs

• Enterprises exist to create value for their

stakeholders.
---Internal and external!!
• Consequently, any enterprise— commercial or
not—will have value creation as a governance
objective.
• Value creation means:
Realising benefits at an
optimal resource cost while
optimising risk.

29
The COBIT Framework
Mapping Goals and Processes

Enabler Goals

30
 Principle 1: Meeting Stakeholder Needs
• Stakeholder needs have
to be transformed into an
enterprise’s actionable
strategy.
• The COBIT 5 goals
cascade translates
stakeholder needs into
specific, actionable and
customised goals within
the context of
the enterprise,
IT-related goals and
enabler goals. 31
 Principle 2: Covering the Enterprise End-to-End
• COBIT 5 addresses the governance and management of
information and related technology from an enterprise-
wide, end-to-end perspective.

All ons
c ti
fun

32
Principle 3:
Applying a Single Integrated Framework
• COBIT5:
1. ► Is complete in enterprise coverage
2. ► Provides a basis to integrate effectively with
other frameworks, standards and practices used
3. ► Aligns with the latest relevant standards and
frameworks (COSO, ITIL, ISO, PMBOK, NIST
etc)
4. ► Integrates all knowledge previously
dispersed over different ISACA frameworks
(Risk IT, Val IT, BMIS)
33
 Principle 4:
Enabling a Holistic Approach ***
COBIT5 defines a set of enablers to support the
implementation of a comprehensive governance &
management system for enterprise IT.
• COBIT5 enablers are:
• ► Factors that, individually and collectively,
influence whether something will work
• ► Driven by the goals cascade
• ► Described by the COBIT5 framework in
seven categories
*** Important &
operationable 34
Principle 4: Enabling a Holistic Approach

35
 4. Enabling a Holistic Approach (cont.)
1. Principles, policies and frameworks—Are the vehicles to translate the
desired behaviour into practical guidance for day-to-day management
2. Processes—Describe an organised set of practices and activities to
achieve certain objectives and produce a set of outputs in support of
achieving overall IT-related goals  5 domains, 37 processes
3. Organisational structures—Are the key decision-making entities in an
organisation
4. Culture, ethics and behaviour—Of individuals and of the organisation;
very often underestimated as a success factor in governance and
management activities
5. Information—Is pervasive throughout any organisation, i.e., deals with all
information produced and used by the enterprise.
6. Services, infrastructure and applications—Include the infrastructure,
technology and applications that provide the enterprise with information
technology processing and services
7. People, skills and competencies—Are required for successful completion
of all activities and for making correct decisions and taking corrective
actions

36
 Principle 5. Separating
Governance From Management
The COBIT 5 framework makes a clear
distinction between governance and
management.
• Governance—In most enterprises, governance
is the responsibility of the board of directors
under the leadership of the chairperson.
• Management—In most enterprises,
management is the responsibility of the
executive management under the leadership of
the CEO.

37
 Governance Domain and
Management Domains
Gov: EDM; Mgmt: PBRM (Fig 15, P. 32)

38
Governance & Management in COBIT 5
• Governance ensures that enterprise objectives are achieved
by evaluating stakeholder needs, conditions and options;
setting direction through prioritisation and decision making;
and monitoring performance, compliance and progress
against agreed direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in
alignment with the direction set by the governance body to
achieve the enterprise objectives (PBRM).
• Exercising governance and management effectively in
practice requires appropriately using all enablers. The
COBIT process reference model allows us to focus easily on
the relevant enterprise activities.
Recap: COBIT 5 Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved. 40

COBIT 5 Enablers

41
Incorporates Good Practices
- 5 domains, 37 Processes [Enabler #2]

42
Zhang’s “Distillation” of COBIT Logic
* * Reference:
IT Governance
Institute,
COBIT 5

Ent. Strat. Goals

ed r

Mon
nito

ed
Mo

ito
r
IT Goals
rol

Cont
Cont
led

ed
roll
IT Enabler Goals
© Yue Zhang
2015-2019
R A C I
43
 Structure of COBIT components
• 5 Principles
Princ. 1: Meeting stakeholder needs
…
Princ. 4: Holistic approach
 7 enablers:
• Enabler #2: Processes
Princ. 5: Separating gov from Mgmt

Process - (1) objectives; (2) Practices; Capability

(3) Activities; (4) Inputs/outputs; (5) RACI Model 44
01/02/2024
Structure of COBIT components

45
01/02/2024