3. Chapter 1 Content:
1.1: What is COBIT ?
1.2: ISACA
3. : COBIT History
4. : COBIT 2019
Certifications
Scheme
5. : COBIT 2019
Foundation
4. 1.1: What is COBIT ?
• COBIT stands for (Control Objectives for Information and Related Technology)
• It is a framework created by the ISACA for IT governance and management. It
was designed to be a supportive tool for managers and allows bridging the
crucial gap between technical issues, business risks, and control requirements.
• COBIT is a thoroughly recognized guideline that can be applied to any
organization in any industry.
• Overall, COBIT ensures quality, control, and reliability of information systems in
an organization, which is also the most important aspect of every modern
business.
• COBIT 2019 is 6th version of COBIT , launched late in 2018 to address new trends,
technologies and security needs.
5. 1.2: ISACA
• ISACA (previously known as Information Systems Audit
and Control Association) was incorporated in 1969
by a small group of individuals who recognized a need for centralized
source of
information and guidance in the growing field of auditing controls for computer systems
• Today, ISACA’s constituency of more than 165,000 strong worldwide is characterized by its diversity. These
professionals live and work in more than 180 countries and cover a variety of professional IT-related positions in
the disciplines of IS/IT audit, risk, security and governance as well as educators, consultants and regulators.
• More details about ISACA history are found in their website :
https://www.isaca.org/why-isaca/about-us/isaca-50/timeline
6. 1.2: ISACA
• ISACA offers multiple certifications, you can find more details in
their website: https://www.isaca.org/credentialing
8. 1.4: COBIT 2019 Certifications Scheme
COBIT 2019 Foundation
COBIT 2019 Design and
Implementation
Implementing the NIST
Cybersecurity Framework
Using COBIT 2019
• COBIT 2019 has 3 certifications”
COBIT 2019 Foundation
COBIT 2019 Design and Implementation
Implementing the NIST Cybersecurity Framework Using COBIT 2019
• COBIT 2019 Foundation is a pre-requisite for the other 2 certifications
10. Chapter 2 Content:
2.1: Enterprise Governance of Information and Technology
2.2: Benefits of Information and Technology Governance
2.3: COBIT as an I&T Governance Framework
4. : COBIT Stakeholders
5.: COBIT Format and Product Architecture
2.6: COBIT 2019 Core Publications
2.7: COBIT and Other Standards
11. 2.1: Enterprise Governance of Information and Technology
• In the light of digital transformation, information and technology (I&T) has become crucial in the support,
sustainability and growth of enterprises.
• Stakeholder value creation (i.e., realizing benefits at an optimal resource cost while optimizing risk) is
often driven by a high degree of digitization in new business models, efficient processes, successful
innovation, etc.
• Some key points to consider when considering this Enterprise Governance of Information and Technology
(EGIT) system are:
• EGIT is an integral part of corporate governance.
• Exercised by the board that oversees the definition and implementation of processes, structures and
relational mechanisms
• Enables both business and IT people to execute their responsibilities in support of business/IT
alignment.
• Enables creation of business value from I&T-enabled business investments
12. 2.1: Enterprise Governance of Information and Technology
• The context of Enterprise Governance of Information and Technology includes:
Enterprise Governance of IT : governing Information and Technology should not be left to IT
but should be governed from the enterprise level.
Business/IT Alignment : ensuring that goals, strategies and priorities are balanced between
stakeholder and enterprise needs and I&T.
Value Creation: ensuring benefits delivery, risk optimization and resource optimization.
13. 2.2: Benefits of Information and Technology Governance
• The main outcomes expected after successful adoption of EGIT is:
1) Benefits realization: through the delivery of fit-for-purpose services and solutions, on time,
and within budget, that generate financial and nonfinancial benefits. Value should be
measurable. The value that I&T delivers should be aligned directly with the values on which the
business is focused. IT value should also be measured in a way that shows the impact and
contributions of IT-enabled investments in the value creation process of the enterprise.
2) Risk optimization: through addressing the business risk associated with the use, ownership,
operation, involvement, influence and adoption of I&T within an enterprise. While value
delivery focuses on the creation of value, risk management focuses on the preservation of
value
3) Resource optimization : through the optimal use of people, hardware, software and
information
14. 2.3: COBIT as an I&T Governance Framework
• COBIT is a framework for the governance and management of enterprise information and
technology, aimed at the whole enterprise.
• Enterprise I&T means all the technology and information processing the enterprise puts
in place to achieve its goals, regardless of where this happens in the enterprise. In other words, enterprise I&T is
not limited to the IT department of an organization, but
certainly includes it.
• The COBIT framework makes a clear distinction between governance and management. These two disciplines
encompass different activities, require different organizational structures and serve different purposes.
• The target audience for COBIT includes those responsible during the whole life cycle of the governance solution,
from design to execution to assurance.
15. 2.3: COBIT as an I&T Governance Framework
• Governance ensures that:
Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on
enterprise objectives.
Direction is set through prioritization and decision making.
Performance and compliance are monitored against agreed-on direction and objectives.
• In most enterprises, overall governance is the responsibility of the board of directors (BoD),
under
the leadership of the chairperson. Specific governance responsibilities may be delegated to
special
organizational structures at an appropriate level, particularly in larger, complex enterprises.
• Management plans, builds, runs and monitors activities, in alignment with the direction set by
the
governance body, to achieve the enterprise objectives.
• In most enterprises, management is the responsibility of the executive management, under the
16. 2.3: COBIT as an I&T Governance Framework
• What COBIT does:
COBIT defines the components to build and sustain a governance system: processes, organizational structures,
policies and procedures, information flows, culture and behaviors, skills, and infrastructure.
COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance
system.
COBIT addresses governance issues by grouping relevant governance components into governance and
management objectives that can be managed to the required capability levels.
17. 2.3: COBIT as an I&T Governance Framework
• What COBIT is NOT:
COBIT is not a full description of the whole IT environment of an enterprise.
COBIT is not a framework to organize business processes.
COBIT is not an (IT-)technical framework to manage all technology.
COBIT does not make or prescribe any IT-related decisions. It will not decide what the best IT strategy is,
what the best architecture is, or how much IT can or should
cost. Rather, COBIT defines all the components that describe which decisions should be taken, and how and
by whom they should be taken.
20. 2.5: COBIT Format and Product Architecture
• The idea behind the COBIT 2019 was to update COBIT5 to make it more relevant and user-
friendly to framework users. Therefore, many inputs into this version include, of course,
COBIT5, as well as new and updated industry frameworks, standards, regulations and
bodies of knowledge as well as feedback and input from the community.
• The COBIT 2019 “CORE” consists of 40 governance and management
objectives, which are organized into five domains: one governance
domain and 4 management domains. Each of these governance and
management objectives is related to a process.
21. 2.5: COBIT Format and Product Architecture
• Next you see the design factors. These are new to COBIT and can
help an enterprise customize a governance system to the enterprise’s
unique context and circumstances. The design factors are one of the
new elements to the COBIT 2019 framework and will help enterprises
tailor a governance system to their particular needs.
• Beneath the Design Factors, on this schematic, are the focus areas.
Focus areas described a certain governance topic, domain or issue
that can be addressed by a collection of more detailed or targeted
governance and management objectives and their components which
can be helpful for designing a governance system tailored to your
needs.
22. 2.5: COBIT Format and Product Architecture
• We have the ability now to tailor the enterprise governance system for Information
and Technology by using the information from the core, design factors, focus areas
and performance management areas of COBIT to effectively adopt, or implement a
tailored governance system.
• This is where the COBIT 2019 Design Guide and COBIT 2019
Implementation Guide are extremely useful.
23. 2.6: COBIT 2019 Core Publications
• COBIT 2019 Framework: Introduction and Methodology introduces the key concepts of COBIT 2019.
• COBIT 2019 Framework: Governance and Management Objectives comprehensively describes the 40 core governance
and management objectives, the processes contained therein, and other related components. This guide also
references other standards and frameworks.
• COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution explores design factors that
can influence governance and includes a workflow for planning a tailored governance system for the enterprise.
• COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance
Solution represents an evolution of the COBIT 5 Implementation guide and develops a road map for continuous
governance improvement. It may be used in combination with the COBIT 2019 Design Guide.
24. 2.7: COBIT and Other Standards
• One of the guiding principles applied throughout the development of COBIT 2019 was to maintain the positioning
of COBIT as an umbrella framework. This means that COBIT continues to align with several relevant standards,
frameworks and/or regulations. Alignment in this context means:
COBIT does not contradict any guidance in the related standards.
COBIT does not copy all the contents of these related standards.
COBIT provides equivalent statements or references to related guidance.
• It is important to note that COBIT is not designed to work by itself – it is best applied when synchronized with
some of the most relevant models in our industry
26. Chapter 3 Content:
1. : COBIT 2019 Principle Sets
2. : Six Principles for a Governance System
3. : Three Principles for a Governance Framework
27. 3.1: COBIT 2019 Principle Sets
• COBIT 2019 was developed based on two sets of principles:
Principles that describe the core requirements of a governance system for enterprise information and
technology
Principles for a governance framework that can be used to build a governance system for the enterprise
28. 3.2: Six Principles for a Governance System
• The six principles for a governance system are:
1. Provide Stakeholder Value
Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of
I&T. Value reflects a balance among benefits, risks and resources, and enterprises need an actionable strategy
and governance system to realize this value.
2. Holistic Approach
A governance system for enterprise I&T is built from a number of components that can be of different types and
that work together in a holistic way.
29. 3.2: Six Principles for a Governance System
• The six principles for a governance system are:
3. Dynamic Governance System
This is new to COBIT. A governance system should be dynamic. This means that each time
one or more of the design factors are changed (e.g., a change in strategy or technology),
the impact of these changes on the EGIT system must be considered. A dynamic view of
EGIT will lead toward a viable and future-proof EGIT system.
4. Governance Distinct from Management
A governance system should clearly distinguish between governance and management
activities and structures.
37
30. 3.2: Six Principles for a Governance System
• The six principles for a governance system are:
5. Tailored to Enterprise Needs
This is new to COBIT. A governance system should be customized to the enterprise’s
needs. It should also use a set of design factors as parameters to customize and prioritize
the governance system components.
6. End-to-End Governance System
A governance system should cover the enterprise end to end. It should focus not only on
the IT function but on all technology and information processing the enterprise puts in
place to achieve its goals, regardless of its location in the enterprise.
31. 3.3: Three Principles for a Governance Framework
• The three principles for a governance formwork are:
1. Aligned with Major Standards
COBIT 2019 has updated and expanded on applicable and relevant standards, frameworks, bodies of
knowledge and models that can be part of the EGIT ecosystem. Therefore, a governance framework
should align to these relevant areas.
2. Open and Flexible
A governance framework should be open and flexible. It should allow the addition of new content
and
the ability to address new issues in the most flexible way, while maintaining integrity and
consistency.
3. Based on a Conceptual Model
A governance framework should be based on a conceptual model, That conceptual model should
identify the key components and relationships among components, to maximize consistency and allow
automation.
33. Chapter 4 Content:
4.1: Governance and Management Objectives
4.2: Components of a Governance System
4.3: Focus Areas
4. : Design Factors
5. : Goal Cascade
34. 4.1: Governance and Management Objectives
• The introduction of governance and management objectives helps provide more clear and achievable results. For
information and technology to contribute to enterprise goals, a number of governance and management objectives
should be achieved.
• Basic concepts include:
A governance or management objective always relates to one process and a series of related components of
other types to help achieve the objective.
A governance objective relates to a governance process, while a management objective relates to a
management process.
Governance processes typically are under the accountability of boards and executive management;
management processes are the domain of senior and middle management.
35. 4.1: Governance and Management Objectives
• Governance and Management objectives are described in the COBIT Core Model which
was known as the
Process Reference
Model, or PRM in
COBIT5.
• NOTE: This is
explained in more
details in Chapter5
36. 4.1: Governance and Management Objectives
• As shown in the COBIT core model, the governance and management objectives are grouped into five
domains.
• The domains have names with verbs that express the key purpose and areas of activity of the objectives contained
in them.
• Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain. In this domain, the governing
body evaluates strategic options, directs senior management
on the chosen strategic options and monitors the achievement of the strategy.
37. 4.1: Governance and Management Objectives
• Management objectives are grouped in four domains
Align, Plan and Organize (APO) addresses the overall organization, strategy and
supporting activities for I&T. This was also known as the plan domain in COBIT5.
Build, Acquire and Implement (BAI) treats the definition, acquisition and implementation
of I&T solutions and their integration in business processes. This was also known as the
build domain in COBIT5.
Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T
services, including security. This was also known as the Run domain in COBIT5.
Monitor, Evaluate and Assess (MEA) —addresses performance monitoring and
conformance of I&T with internal performance targets, internal control objectives and
external requirements. This was also known as the monitor domain in COBIT5.
38. 4.2: Components of a Governance System
• To satisfy the governance and management objectives, each enterprise needs to establish, tailor and
sustain a governance system built from several components.
• Components are factors that, individually and
collectively, contribute to the good operations of the
enterprise’s governance system over I&T.
• These factors were known as enablers in COBIT5.
• Components interact with each other, resulting in
a holistic governance system for I&T.
39. 4.2: Components of a Governance System
1. Processes describe an organized set of practices and activities to achieve certain objectives
and produce a set of outputs that support achievement of overall IT-related goals.
2. Organizational structures are the key decision-making entities in an enterprise.
3. Information is pervasive throughout any organization and includes all information produced
and used by the enterprise. COBIT focuses on information required for the effective
functioning of the governance system of the enterprise.
4. People, skills and competencies are required for good decisions, execution of corrective
action and successful completion of all activities.
5. Culture, ethics and behavior of individuals and of the enterprise are often underestimated
as factors in the success of governance and management activities.
40. 4.2: Components of a Governance System
6. Principles, policies and frameworks translate desired behavior into practical guidance for day-to-day
management.
7. Services, infrastructure and applications include the infrastructure, technology and applications that provide the
enterprise with the governance system for I&T processing.
41. 4.2: Components of a Governance System
• It is important to understand that components of all types can be generic or can be variants of generic
components.
• The generic components are described in the COBIT core model and apply in principle to any situation. However,
they are generic in nature and generally need customization before being practically implemented.
• Variants are based on generic components but are tailored for a specific purpose or
context within a focus area (e.g., for information security, DevOps, a particular regulation).
42. 4.3: Focus Areas
• A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of
governance and management objectives and their components and they can contain a combination of generic
governance components and variants.
• Current examples include small and medium enterprises, information security, digital transformation, cloud
computing, privacy and devops.
43. 4.4: Design Factors
• New to COBIT 2019, design factors are factors that can guide the design of an enterprise’s
governance system and position it for success in the use of I&T. Think of these as parameters that
can assist in creating a tailored governance system that truly aligns with specific and unique
enterprise needs.
44. 4.4: Design Factors
1. Enterprise Strategy: Enterprises can have different strategies, which can be expressed as (a combination of) the
archetypes.
45. 4.4: Design Factors
2. Enterprise goals supporting the enterprise strategy—Enterprise strategy is realized by the
achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework,
structured along the balanced scorecard (BSC) dimensions,
46. 4.4: Design Factors
3. Risk profile identifies the sort of I&T related risk to which the enterprise is currently exposed and indicates
which areas of risk are exceeding the risk appetite.
47. 4.4: Design Factors
4. I&T-related issues: which are currently faced, or, in other words, what I&T-related risk has materialized.
48. 4.4: Design Factors
5. Threat landscape under which the enterprise operates can be classified to
6. Compliance requirements to which the enterprise is subject can be classified according to the
following categories:
52. 4.5: Goal Cascade
• COBIT goal cascade concept is a top-down
approach that helps organizations to create
enterprise goals from its stakeholder drivers
and needs
• Stakeholder needs have to be transformed
into an enterprise’s actionable strategy. The
goals cascade supports enterprise goals,
which is one of the key design factors for a
governance system. It supports prioritization
of management objectives based on
prioritization of enterprise goals.
61. Chapter 5 Content:
5.1: COBIT Governance and Management Objectives
5.2: Organizational Structure
5.3: Information Flows and Items Component
5.4: People, Skills and Competencies Component
61
62. 5.1: COBIT Governance and Management Objectives
• The COBIT core model presented 40 objectives grouped over 5 domains
62
63. 5.1: COBIT Governance and Management Objectives
• These 5 domains are 1 domain for governance objectives (EDM), and 4 domains for management objectives
(APO, BAI, DSS, and MEA)
• Evaluate, Direct and Monitor (EDM) domain. in this domain, the governing body evaluates strategic
options, directs senior management on the chosen strategic options and monitors the achievement of the
strategy.
• Align, Plan and Organize (APO) domain addresses the overall organization, strategy and supporting
activities for I&T.
• Build, Acquire and Implement (BAI) domain treats the definition, acquisition and implementation of I&T
solutions and their integration in business processes.
• Deliver, Service and Support (DSS) domain addresses the operational delivery and support of I&T
services,
including security.
• Monitor, Evaluate and Assess (MEA) domain addresses performance monitoring and conformance of I&T
with internal performance targets, internal control objectives and external requirements. 63
71. 5.1: COBIT Governance and Management Objectives
• Governance and management objectives always relate to one process in the COBIT Core model.
• Governance and management objectives relate to one or more governance components (one of
these components is Process)
• Each of the 40 governance and management objectives are described in detail as the following in
the “COBIT 2019 Framework: Governance and Management Objectives” publication:
1. High level Information for each includes
Domain name
Focus area
Governance or management objective name
Description
Purpose statement
71
72. 5.1: COBIT Governance and Management Objectives
2. Goals Cascade information includes
Applicable alignment goals
Applicable enterprise goals
Example metrics
3. Related Components
4. Related guidance is also provided for each governance and management objective these are
areas such as:
Standards, frameworks and compliance requirements and
Detailed references
72
78. 5.2: Organizational Structure
• This is the unpopulated view of the organizational structures component provided within each governance
and management objective.
• The organizational structures governance component suggests levels of responsibility and accountability
for process practices. Notice that only responsibility and accountability are mentioned, and not consulted
and informed – also known as the RACI model. The charts include individual roles as well as organizational
structures, from both business and IT. Where relevant, references to other standards and additional
guidance are included in the organizational structure components section.
78
79. 5.2: Organizational Structure
• Responsible and Accountable:
COBIT 2019 framework only suggests responsible and accountable roles.. The different levels of
involvement included for these structures can be divided into responsible and accountable levels:
Responsible (R) roles take the main operational stake in fulfilling the practice and create the
intended outcome. Who is getting the task done? Who drives the task?
Accountable (A) roles carry overall accountability. As a principle, accountability cannot be shared.
Who accounts for the success and achievement of the task?
Enterprises should review levels of responsibility and accountability, consulted and informed, and
update roles and organizational structures in the chart according to the enterprise’s context, priorities
and preferred terminology.
79
80. 5.2: Organizational Structure
• Consulted and Informed
Since the attribution of consulted and informed roles depends much more on organizational context
and priorities, they are not included in this detailed guidance. Practitioners can complete charts by
adding two levels of involvement for roles and organizational structures:
Consulted (C) roles provide input for the practice. Who is providing input?
Informed (I) roles are informed of the achievements and/or deliverables of the practice. Who is
receiving information?
80
81. 5.3: Information Flows and Items Component
• This component provides guidance on the information flows and items linked with process
practices. Each practice includes inputs and outputs, with indications of origin and destination.
Each output is sent to one or a number of destinations, typically another COBIT process practice.
Outputs become inputs to their destinations. Where relevant, references to other standards and
additional guidance are included in the information flows and items component.
81
82. 5.4: People, Skills and Competencies Component
• This component identifies human resources and skills required to achieve the governance or
management objective. COBIT 2019 based this guidance on the Skills Framework for the
Information Age, or SFIA V6. All listed skills are described in detail in the SFIA framework. The
detailed reference provides a unique code that correlates to SFIA guidance on the skill.
• As you see here, other references include:
The e-Competence Framework (e-CF) and
The Core Principles for the Professional Practice of Internal Auditing by The Institute of
Internal Auditors
82
84. Chapter 6 Content:
6.1: COBIT Performance Management Definition and Principles
6.2: COBIT Performance Management Overview
6.3: Process Capability Levels
6.4: Rating Capability Levels
6.5: Focus Area Maturity Levels
6.6: Managing Performance of Other Governance System Components
6.7: Performance Management of Organizational Structures
6.8: Performance Management of Information Items
6.9: Performance Management of Culture and Behavior
84
85. 6.1: COBIT Performance Management Definition and Principles
• Performance management is an essential part of a governance and management system.
• Performance management expresses how well the governance and management system and all
the components of an enterprise work, and how they can be improved up to the required level.
• It includes concepts and methods such as capability levels and maturity levels.
• COBIT uses the term “COBIT performance management” (CPM) to describe these activities, and
the concept is an integral part of the COBIT framework.
• Performance management in COBIT 2019 is based on the following principles:
It should be simple to understand and use
It should be consistent with, and support the COBIT conceptual model
It should provide reliable, repeatable and relevant results
It must be flexible
It should support different types of assessments
85
86. 6.2: COBIT Performance Management Overview
• The CPM model largely aligns to and extends CMMI Development 2.0 concepts:
Process activities are associated to capability levels. These are included in the “COBIT Framework:
Governance and Management Objectives guide”.
Other governance and management component types (organizational structures, information)
may also have capability levels defined for them in future guidance that ISACA may release.
Maturity levels are associated with focus areas (a collection of governance and management
objectives and underlying components) and will be achieved if all required capability levels
are
achieved.
86
87. 6.3: Process Capability Levels
• The capability level is a measure of how well a process is implemented and performing.
87
88. 6.4: Rating Capability Levels
• A capability level can be achieved to varying degrees, which can be expressed by a set of ratings.
The range of available ratings depends on the context in which the performance assessment is
made. Some formal methods leading to independent certification use a binary pass/fail set of
ratings. Less formal methods that are often used in performance-improvement contexts work
better with a larger range of ratings, such as the following set:
Fully—which means that the capability level is achieved for more than 85%.
Largely—The capability level is achieved between 50 percent and 85 percent.
Partially—The capability level is achieved between 15 percent and 50 percent.
Not—The capability level is achieved less than 15 percent.
88
89. 6.5: Focus Area Maturity Levels
• Sometimes a higher level is required for expressing performance without the granularity applicable to individual
process capability ratings. Maturity levels can be used for that purpose.
• COBIT 2019 defines maturity levels as a performance measure at the focus area level.
• Maturity levels are associated with focus areas, or a collection of governance and management objectives
and underlying components
• A certain maturity level is achieved if all the processes contained in the focus area
achieve that particular capability level.
89
91. 6.6: Managing Performance of Other Governance System Components
• Managing the performance of other governance system components is also crucial. In the COBIT 2019 Framework,
examples provided in the publication include the following governance components:
Organizational Structures
Information Items
Culture and Behavior
91
92. 6.7: Performance Management of Organizational Structures
• Although no generally accepted or formal method exists for assessing organizational structures,
they can be less formally assessed according to the following criteria. For each criterion, a number
of subcriteria can be defined, linked to the various capability levels. The criteria are:
Successful execution of those process practices for which the organizational structure (or role)
has accountability or responsibility (an A or an R, respectively, in a responsible-accountable-
consulted-informed [RACI] chart).
As for the processes, low capability levels require a subset of these criteria to be satisfied, and
higher capability levels require all criteria to be satisfied. But, as already indicated, no
generally accepted scheme exists for assessing organizational structures. However, this does
not prevent an enterprise from defining its own capability scheme for organizational
structures.
92
93. 6.7: Performance Management of Organizational Structures
• Successful application of a number of good practices for organizational structures, such as:
Operating principles
Composition
Span of control
Level of authority/decision rights
Delegation of authority
Escalation procedures
93
94. 6.8: Performance Management of Information Items
• The information item component for a governance system of I&T is equivalent to the process work products
as described in COBIT® 2019 Framework: Governance and Management Objectives.
• This model defines 3 main quality criteria for information and 15 subcriteria.
• The 3 main criteria are
1. Intrinsic
2. Contextual
3. Security/Privacy/Accessibility
94
97. 6.9: Performance Management of Culture and Behavior
• For the culture and behavior governance component, it should be possible to define a set of desirable (and/or
undesirable) behaviors for good governance and management of IT, and to assign different levels of capability to
each.
• COBIT 2019 Framework: Governance and Management Objectives defines aspects of the culture and behavior
component for most objectives. From there, it is possible to assess the extent to which these conditions or behaviors
are met.
97
99. Chapter 7 Content:
7.1: The Need for Tailoring
7.2: Impact of Design Factors
7.3: Designing a Tailored
System
99
100. 7.1: The Need for Tailoring
• Each enterprise is distinct in many various aspects: size of the enterprise, industry sector, regulatory landscape,
threat landscape, role of IT for the organization, tactical technology related choices and others. All of these
differences – which we collectively refer to as ‘design factors’– require organizations to tailor their governance
system for gaining most value out of their use of Information and Technology.
• There is no unique governance system for enterprise Information and Technology that fits
all. Tailoring means that an enterprise starts from the COBIT Core model and applies changes to this generic
framework based on the relevance and importance of a series of design.
100
101. 7.2: Impact of Design
Factors
• Design Factors influence in different ways the
tailoring of the governance system of an
enterprise.
• There are three different types of impacts:
1. Management Objective and Target
Capability Levels
2. Component Variations
3. Specific Focus Areas.
101
102. 7.2: Impact of Design
Factors
1. Management Objective and Target Capability Levels.
This design factor influence can make some governance and management objectives more important than
others, sometimes to the extent that they become negligible. In practice, this higher importance translates into
setting higher target capability levels.
The COBIT core model contains 40 governance and management objectives, each consisting of the
identically named process and a number of related components.
They are intrinsically equivalent; there is no natural order of priority among them.
102
103. 7.2: Impact of Design
Factors
1. Management Objective and Target Capability Levels.
Example: When an enterprise identifies the most relevant enterprise goal(s) from the
enterprise goal list and applies the goals cascade, this will lead to a selection of priority
management objectives. For example, when EG01 Portfolio of competitive products and
services is ranked as very high by an enterprise, this will make management objective APO05
Managed portfolio an important part of this enterprise’s governance system.
Example: An enterprise that is very risk averse will give more priority to management
objectives that aspire to govern and manage risk and security. Governance and management
objectives EDM03 Ensured risk optimization, APO12 Managed risk, APO13 Managed security
and DSS05 Managed security services will become important parts of that enterprise’s
governance system and will have higher target capability levels defined for them.
103
104. 7.2: Impact of Design
Factors
1. Management Objective and Target Capability Levels.
Example: An enterprise operating within a high threat landscape will require highly capable security-related
processes: APO13 Managed security and DSS05 Managed security services.
Example: An enterprise in which the role of IT is strategic and crucial to the success of the business will require
high involvement of IT-related roles in organizational
structures, a thorough understanding of business by IT professionals (and vice versa), and a focus on strategic
processes such as APO02 Managed strategy and APO08 Managed relationships.
104
105. 7.2: Impact of Design
Factors
2. Component Variations
Components are required to achieve governance and management objectives. Some
Design Factors can influence the importance of one or more components or can require
specific variations.
Example: An enterprise that operates in a highly regulated environment will attribute
more importance to documented work products and policies and procedures and to
some roles, such as the compliance officer function.
Example: Small and medium-sized enterprises might not need the full set of roles and
organizational structures as laid out in the COBIT core model, but may use a reduced set
instead. This reduced set of governance and management objectives and the included
components is defined in the Small and Medium Enterprise focus area
105
106. 7.2: Impact of Design
Factors
2. Component Variations
Example: An enterprise that uses DevOps in solution development and operations will require specific activities,
organizational structures, culture, etc., focused on BAI03 Managed solutions identification and build and DSS01
Managed operations.
106
107. 7.2: Impact of Design
Factors
3. Specific Focus Areas.
Some Design Factors, such as threat landscape, specific risk, target development methods and infrastructure
set-up, will drive the need for variation of the core COBIT model content to a specific context.
Example: Enterprises adopting a DevOps approach will require a governance system that
has a variant of several generic COBIT processes, described in the DevOps focus area
guidance for COBIT.
Example: Small and medium enterprises have less staff, fewer IT resources, and shorter
and more direct reporting lines, and differ in many more aspects from large enterprises.
For that reason, their governance system for I&T will have to be less onerous, compared
to large enterprises. This is described in the SME focus area guidance of COBIT
107
111. 8.1: Implementation Guide Purpose and Scope
• The COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of governance of I&T.
• The governance and management of enterprise I&T should, therefore, be implemented as an
integral part of enterprise governance, covering the full end-to-end business and IT functional
areas of responsibility.
• One of the common reasons why some governance system implementations fail is that they are
not initiated and then managed properly as programs to ensure that benefits are realized.
• Governance programs need to be sponsored by executive management, be properly scoped and
define objectives that are attainable. This enables the enterprise to absorb the pace of change as
planned. Program management is, therefore, addressed as an integral part of the implementation
life cycle.
111
112. 8.1: Implementation Guide Purpose and Scope
• It is also assumed that while a program and project approach is recommended to effectively drive improvement
initiatives, the goal is also to establish a normal business practice and sustainable approach to governing and
managing enterprise I&T just like any other aspect of enterprise governance.
• For this reason, the implementation approach is based on empowering business and IT stakeholders and role
players to take ownership of IT-related governance and
management decisions and activities by facilitating and enabling change.
• The implementation program is closed when the process for focusing on IT-related priorities and governance
improvement is generating a measurable benefit, and the program has become embedded in ongoing
business activity.
112
114. 8.2: COBIT Implementation Approach
• Phase 1 What are the drivers?
Phase 1 of the implementation approach identifies current change drivers and creates at executive
management levels a desire to change that is then expressed in an outline of a business case.
A change driver is an internal or external event, condition or key issue that serves as a stimulus for
change. Events, trends (industry, market or technical), performance shortfalls, software
implementations and even the goals of the enterprise can all act as change drivers.
Risk associated with implementation of the program itself is described in the business case and
managed throughout the life cycle.
Preparing, maintaining and monitoring a business case are fundamental and important disciplines
for justifying, supporting and then ensuring successful outcomes for any initiative, including
improvement of the governance system. They ensure a continuous focus on the benefits of the
program and their realization.
114
115. 8.2: COBIT Implementation Approach
• Phase 2 Where are we now?
Phase 2 aligns I&T-related objectives with enterprise strategies and risk, and prioritizes the
most important enterprise goals, alignment goals and processes.
The COBIT 2019 Design Guide provides several design factors to help with the selection.
Based on the selected enterprise and IT-related goals and other design factors, the enterprise
must identify critical governance and management objectives and underlying processes that
are of sufficient capability to ensure successful outcomes.
Management needs to know its current capability and where deficiencies may exist. This can
be achieved by a process capability assessment of the current status of the selected
processes.
115
116. 8.2: COBIT Implementation Approach
• Phase 3 Where do we want to be?
Phase 3 sets a target for improvement followed by a gap analysis to identify potential
solutions.
Some solutions will be quick wins and others more challenging, long-term tasks. Priority
should be given to projects that are easier to achieve and likely to give the greatest benefit.
Longer-term tasks should be broken down into manageable pieces.
• Phase 4 What needs to be done?
Phase 4 describes how to plan feasible and practical solutions by defining projects supported
by justifiable business cases and a change plan for implementation. A well-developed business
case can help ensure that the project’s benefits are identified and continually monitored.
116
117. 8.2: COBIT Implementation Approach
• Phase 5 How do we get there?
Phase 5 provides for implementing the proposed solutions via day-to-day practices and
establishing measures and monitoring systems to ensure that business alignment is achieved,
and performance can be measured.
Success requires engagement, awareness and communication, understanding and
commitment of top management, and ownership by the affected business and IT process
owners.
• Phase 6 Did we get there?
Phase 6 focuses on sustainable transition of the improved governance and management
practices into normal business operations. It further focuses on monitoring achievement of
the improvements using the performance metrics and expected benefits.
117
118. 8.2: COBIT Implementation Approach
• Phase 7 How do we keep the momentum going?
Phase 7 reviews the overall success of the initiative, identifies further governance or
management requirements and reinforces the need for continual improvement. It also
prioritizes further opportunities to improve the governance system.
118
119. 8.3: Design Guide and Implementation Guide Relationships
• The workflow explained in the COBIT 2019 Design Guide elaborates a set of tasks defined in the
Implementation Guide and has the following connection points:
Notice that there are three phases of the implementation guide that are influenced or
enhanced by the design guide.
Why only the first three phases?
Because these are the most appropriate for the design of EGIT
119
122. 9.1: COBIT Business Case
• Common business practices dictate preparing a business case to analyze and justify the initiation
of a large project and/or financial investment.
• The concept of a business case is not new. COBIT provides a nonprescriptive, generic guide to
encourage preparation of a business case. Every enterprise has its own reasons for improving EGIT
and its own approach to preparing business cases.
• The best way for senior leadership to communicate its expectations for IT governance prior to
commencing a governance implementation plan is to include a scope statement in the business
case
• Both the COBIT 2019 Implementation Guide and the COBIT design factors are required when
developing a business case
• The COBIT 2019 Framework and Methodology publication provides an example scenario using a
fictitious company
122
123. 9.1: COBIT Business Case
• It is recommended that every business case contains executive summary, background, business challenges
including gap analysis and alternatives , and the proposed solution
• The proposed solution part of the business case should include:
Pre-planning
Program implementation
Program Scope
Program methodology and alignment
Program deliverables
Program risk
Stakeholders
Cost-benefit analysis
Challenges and success factors
123
![6.7: Performance Management of Organizational Structures
• Although no generally accepted or formal method exists for assessing organizational structures,
they can be less formally assessed according to the following criteria. For each criterion, a number
of subcriteria can be defined, linked to the various capability levels. The criteria are:
Successful execution of those process practices for which the organizational structure (or role)
has accountability or responsibility (an A or an R, respectively, in a responsible-accountable-
consulted-informed [RACI] chart).
As for the processes, low capability levels require a subset of these criteria to be satisfied, and
higher capability levels require all criteria to be satisfied. But, as already indicated, no
generally accepted scheme exists for assessing organizational structures. However, this does
not prevent an enterprise from defining its own capability scheme for organizational
structures.
92](https://image.slidesharecdn.com/cobitme-250517081554-baf211be/85/COBIT-stands-for-Control-Objectives-for-Information-and-Related-Technology-92-320.jpg)
