COBIT 5 – Understand the framework

COBIT® 5 is a registered trademark of ISACA.

Introduction:

COBIT 5 is an international IT governance framework and structures IT tasks into generic processes and control objectives. COBIT provides a framework, an umbrella, for IT governance across the entire organization. Up to version 4.1, the acronym COBIT was called “Control objectives for information and related technologies”. This framework has been developed since 1993 by ISACA (Global Systems Audit and Control Association), a global professional association for IT auditors, accountants, and IT governance experts.

Five COBIT 5 Principles

COBIT 5 is based on five principles that allow the organization to build an effective governance and management framework which optimizes information and technology investment and use for the benefit of stakeholders.

1. Meeting Stakeholder Needs

Key stakeholders and their needs must be identified and how value is created for the enterprise. Stakeholder needs are influenced by different variables. For example, a changing business, and regulatory environment, strategy changes or evolution of technology.

2. Covering the Enterprise End-to-End

All functions and processes wherever information is processed in the enterprise are covered in this principle. The four main elements of this approach are:

• Creating value through governance,
• Decisions about what will work,
• Scoping decisions,
• Assigning roles, responsibilities, and activities.

3. Applying a Single Integrated Framework

The single and integrated framework consists of various established frameworks and standards required for governance and management of enterprise IT. 

4. Enabling a Holistic Approach

A set of enablers is used for an all-inclusive or holistic approach to support the governance and management of enterprise IT. 

5. Separating Governance from Management

Governance and management roles, their activities and responsibilities must be differentiated, because each serves a different purpose.

COBIT 5 Enablers:

Enablers are factors which influence, individually or collectively, how governance and management over enterprise IT will work. In COBIT 5 seven enablers are defined and ordered as followed:

1. Principles, policies, and frameworks are translating the desired behavior into practical guidance for daily management.
2. Processes describe practices and activities in a company to achieve certain goals. This also includes several IT-related goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics, and behavior, of individuals and of the enterprise, are very often underestimated as a success factor in governance and management activities.
5. Information is pervasive throughout any organization and includes all information produced and used by the company. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the company itself.
6. Services, infrastructure and applications provide the company with information technology processing and services.
7. People, skills, and competencies are linked to people and are required for successful completion of all activities and for making correct decisions taking corrective actions.

Each Enabler needs the input of other Enablers to be fully effective. For example, processes need information and organizational structures need skills and behavior. They also deliver output to benefit other Enablers. For example, processes deliver information, skills, and behavior of individuals to make processes efficient.

COBIT 5 Process Reference Model

COBIT 5 defines 37 processes which are grouped in 5 domains. One governance domain (EDM) and four management domains (PBRM).

• EDM (Evaluate, Direct, and Monitor) ensures that the stakeholder needs are evaluated by identifying and agreeing on objectives to be achieved, which is directed by prioritization and are also monitored for performance against objectives.
• PBRM (Plan, Built, Run, and Monitor) ensures to monitor the activities and confirm that they are aligned with those described in the governance set.

The following two graphics show the COBIT 5 structure for governance of enterprise IT. The first graphic shows the overall COBIT structure (five domains) followed by an illustration where the 37 processes are assigned to these domains.

The following paragraphs show the high-level control objectives grouped by their domains. Starting with the governance domain (EDM) followed by the management domain (PBRM) with the APO, BAI, DSS and MEA control objectives.

Governance Domain (EDM)

Stakeholder needs are evaluated by identifying and agreeing on objectives to be achieved, which is directed by prioritization and are also monitored for performance against objectives.

Evaluate, Direct and Monitor (EDM):

• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency

Management Domains (PBRM):

“Management plans, builds, runs, and monitors” activities in alignment with the direction set by the governance to achieve the enterprise objectives.

Align, Plan and Organize (APO):

The “Align, Planning and Organization” domain covers the use of information and technology and how best it can be used in a company to help achieve the company’s goals and objectives. Organizational and infrastructural aspects are highlighted to achieve optimal results and benefits from the use of IT can be generated.

• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Relations
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire and Implement (BAI):

The “Build, Acquire and Implement” domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes.

• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organizational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Changes Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Deliver, Service and Support (DSS)

The “Deliver, Service and Support” domain focuses on the delivery aspects of the IT environment. It covers areas such as the execution of the applications within the IT system and its results, as well as, the support processes that enable the effective and efficient execution of these IT systems.

• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)

The company’s strategy in assessing its needs and if its IT system still meets the objectives is covered by the “Monitor, Evaluate and Assess” domain. Regulatory requirements are also taken into consideration. Monitoring also covers the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the company’s control processes by internal and external auditors.

• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Asses the System of Internal Control
• MEA03 Evaluate and Assess Compliance with External Requirements

Conclusion and benefits of COBIT:

The aim of the COBIT framework is to optimize the business IT structure. All aspects of COBIT 5 are in line with the responsibility areas of plan, build, run and monitor. It acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that links the proven practice models with governance and business requirements. Implementing COBIT processes in a company can create value through effective governance, management enterprise information and IT assets. Business user satisfaction can be created with IT engagement and services by enabling business objectives.

It is important to note that COBIT is a generic framework to manage IT processes and internal controls and must not be treated as a prescriptive standard. Therefore, COBIT key themes must be tailored to the specific governance needs of the company. The organization needs to have a good understanding of the governance controls for IT risks and, more importantly, a firm commitment from its top management. Otherwise, the business alignment of IT risks will not be achievable.

Sideinfo: This 37 COBIT 5 processes can be set in contrast with the 26 ITIL 2011 processes which are orderd in five modules (SS – Service Strategy, SD – Service Design, ST -Service Transition, SO – Service Operation, CSI – Continual Service Improvement).

---

Für weitere Informationen zum Thema Interne Kontrollsysteme, emfehlen wir unsere Präsenz Trainingskurse zu den folgenden Themen:

• Der IKS Manager
• Interne Kontrollsysteme in der IT
• Interne Revision für Kontrollsysteme
• oder unser Graser E-Learning über IKS und SOX Grundlagen