COBIT

COBIT - II
Process Orientation
• Domains: a natural grouping of processes, often matching an organisational domain of responsibility.
• Processes: a series of joined activities with natural control breaks.
• Activities or Tasks: actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.
Domains
• COBIT defines IT activities in a generic process model within four domains.
1. Plan and Organise
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
Plan and Organise
Description
• This domain covers strategy and tactics, and concerns the identification of how IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed from different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.
Topics
• Strategy and tactics
• Vision planned
• Organisation and infrastructure
Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
Plan and Organise
• PO1 Define a strategic information technology plan
• PO2 Define the information architecture
• PO3 Determine the technological direction
• PO4 Define the IT organisation and relationships
• PO5 Manage the investment in information technology
• PO6 Communicate management aims and direction
• PO7 Manage human resources
• PO8 Ensure compliance with external requirements
• PO9 Assess risks
• PO10 Manage projects
• PO11 Manage quality
Acquire and Implement
Description
• To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.
Topics
• IT solutions
• Changes and maintenance
Questions
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?
Acquire and Implement
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Develop and maintain IT procedures
• AI5 Install and accredit systems
• AI6 Manage changes
Deliver and Support
Description
• This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. To deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.
Topics
• Delivery of required services
• Setup of support processes
• Processing by application systems
Questions
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the work force able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?
Deliver and Support
• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and allocate costs
• DS7 Educate and train users
• DS8 Assist and advise customers
• DS9 Manage the configuration
• DS10 Manage problems and incidents
• DS11 Manage data
• DS12 Manage facilities
• DS13 Manage operations
Monitor and Evaluate
Description
• All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organisation's control process and independent assurance provided by internal and external audit or obtained from alternative sources.
Topics
• Assessment over time, delivering assurance
• Management's oversight of the control system
• Performance measurement
Questions
• Can IT's performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure critical areas are operating as intended?
Monitor and Evaluate
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit
Business Requirements
Quality Requirements:
• Quality
• Delivery
• Cost
Security Requirements:
• Confidentiality
• Integrity
• Availability
Fiduciary Requirements*:
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting
COBIT information criteria derived from these:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of information
*Treadway Commission req's that management must attest to its organisation's effectiveness and efficiency of operations, reliability of financial reporting (not financial reports), and compliance with laws and regulations.
COBIT framework (diagram): the three dimensions and their elements
• Business Requirements: what the stakeholders expect from IT (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability)
• IT Processes: how IT is organised to respond to the requirements (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate)
• IT Resources: the resources made available to, and built up by, IT (Data, Application systems, Technology, Facilities, People)
DS2 Example - Manage third-party services
Drilling Down the COBIT model