COBIT 5 Product Family
• COBIT 5
• COBIT 5 Enabler Guides: COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Enabler Guides
• COBIT 5 Professional Guides: COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides
• COBIT 5 Online Collaborative Environment
Source: COBIT 5, figure 11

COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
Source: COBIT 5, figure 2

ISACA, 3701 Algonquin Road, Suite 1010 • Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545 • Fax: +1.847.253.1443 • Email: info@isaca.org • Web site: www.isaca.org
© 2012 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

Governance and Management in COBIT 5
Governance Objective: Value Creation (Benefits Realisation, Risk Optimisation, Resource Optimisation)
Governance Enablers • Governance Scope • Roles, Activities and Relationships
Source: COBIT 5, figure 8

Key Roles, Activities and Relationships
Owners and Stakeholders delegate to the Governing Body, which is accountable to them. The Governing Body sets direction for Management and monitors it. Management instructs and aligns Operations and Execution, which report back to Management.
Source: COBIT 5, figure 9

COBIT 5 Governance and Management Key Areas
Business Needs drive Governance (Evaluate, Direct, Monitor). Governance directs Management and receives management feedback. Management covers Plan (APO), Build (BAI), Run (DSS) and Monitor (MEA).
Source: COBIT 5, figure 15

The Seven Phases of the Implementation Life Cycle
Each phase has three layers: programme management (outer ring), change enablement (middle ring) and the continual improvement life cycle (inner ring). Listed per phase as outer / middle / inner ring:
1. What are the drivers? Initiate programme / Establish desire to change / Recognise need to act
2. Where are we now? Define problems and opportunities / Form implementation team / Assess current state
3. Where do we want to be? Define road map / Communicate outcome / Define target state
4. What needs to be done? Plan programme / Identify role players / Build improvements
5. How do we get there? Execute plan / Operate and use / Implement improvements
6. Did we get there? Realise benefits / Embed new approaches / Operate and measure
7. How do we keep the momentum going? Review effectiveness / Sustain / Monitor and evaluate
Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6

Summary of the COBIT 5 Process Capability Model
Capability levels and their generic process capability attributes (PA):
0 Incomplete Process
1 Performed Process: PA 1.1 Process Performance
2 Managed Process: PA 2.1 Performance Management; PA 2.2 Work Product Management
3 Established Process: PA 3.1 Process Definition; PA 3.2 Process Deployment
4 Predictable Process: PA 4.1 Process Measurement; PA 4.2 Process Control
5 Optimising Process: PA 5.1 Process Innovation; PA 5.2 Process Optimisation
COBIT 5 Process Assessment Model, Performance Indicators (level 1): Process Outcomes; Base Practices (Management/Governance Practices); Work Products (Inputs/Outputs).
COBIT 5 Process Assessment Model, Capability Indicators (levels 2 to 5): Generic Practices; Generic Resources; Generic Work Products.
Source: COBIT 5, figure 19

COBIT 5 Enterprise Enablers
1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
(Enablers 5, 6 and 7 are also resources.)
Source: COBIT 5, figure 12

COBIT 5 Enablers: Generic Enabler Dimensions and Enabler Performance Management
• Stakeholders: Internal Stakeholders; External Stakeholders
• Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
• Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
• Good Practices: Practices; Work Products (Inputs/Outputs)
Enabler performance management asks: Are Stakeholder Needs Addressed? Are Enabler Goals Achieved? (Metrics for Achievement of Goals, Lag Indicators) Is the Life Cycle Managed? Are Good Practices Applied? (Metrics for Application of Practice, Lead Indicators)
Source: COBIT 5, figure 13

COBIT 5 Goals Cascade Overview
Stakeholder Drivers (Environment, Technology Evolution, …) influence Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation). Stakeholder needs cascade to Enterprise Goals (figure 5; Appendix D), which cascade to IT-related Goals (figure 6; Appendix B), which cascade to Enabler Goals (Appendix C).
Source: COBIT 5, figure 4

Stakeholder Needs: Internal and External Stakeholder Questions
Figure 7—Governance and Management Questions on IT
Internal Stakeholders: Board; Chief Executive Officer (CEO); Chief Financial Officer (CFO); Chief Information Officer (CIO); Chief Risk Officer (CRO); Business Executives; Business process owners; Business Managers; Risk Managers; Security Managers; Service Managers; Human Resource (HR) Managers; Internal audit; Privacy officers; IT Users; IT Managers; etc.
Internal Stakeholder Questions
• How do I get value from the use of IT?
• Are end users satisfied with the quality of the IT service?
• How do I manage performance of IT?
• How can I best exploit new technology for new strategic opportunities?
• How do I best build and structure my IT department?
• How dependent am I on external providers?
• How well are IT outsourcing agreements being managed?
• How do I obtain assurance of external providers?
• What are the (control) requirements of information?
• Did I address all IT-related risks?
• Am I running an efficient and resilient IT operation?
• How do I control the cost of IT?
• How do I use IT resources in the most effective and efficient manner?
• What are the most effective and efficient sourcing options?
• Do I have enough people for IT?
• How do I develop and maintain their skills, and how do I manage their performance?
• How do I get assurance over IT?
• Is the information I am processing well secured?
• How do I improve business agility through a more flexible IT environment?
• Do IT projects fail to deliver what they promised, and if so, why?
• Is IT standing in the way of executing the business strategy?
• How critical is IT to sustaining the enterprise?
• What do I do if IT is not available?
• What critical business processes are dependent on IT, and what are the requirements of business processes?
• What has been the average overrun on the IT operational budget?
• How often and how much do IT projects go over budget?
• How much of the IT effort goes to fighting fires rather than to enabling business improvements?
• Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives?
• How long does it take to make major IT decisions?
• Are the total IT effort and investments transparent?
• Does IT support the enterprise in complying with regulators and service levels?
• How do I know whether I am compliant with all the applicable regulations?

External Stakeholders: Business Partners; Suppliers; Shareholders; Regulators/government; External users; Customers; Standardisation organisations; External auditors; Consultants; etc.

External Stakeholder Questions
• How do I know my business partner's operations are secure and reliable?
• How do I know the enterprise is compliant with applicable rules and regulations?
• How do I know the enterprise is maintaining an effective system of internal control?
• Do business partners have the information chain between them under control?

APPENDIX D: STAKEHOLDER NEEDS AND ENTERPRISE GOALS
Chapter 4 showed the individual steps of the goals cascade, starting from stakeholder needs down to enabler goals. Chapter 2 included a table with typical governance and management questions on IT. From a stakeholder point of view it is interesting to know how these questions relate to the enterprise goals. For that reason, figure 24 is included; it shows how a list of internal stakeholder needs can be linked to the enterprise goals. This table can be used to help set and prioritise specific enterprise goals or IT-related goals, based on specific stakeholder needs. The same precautions apply when using this table as with the other goals cascade tables: every enterprise's individual situation differs, and these tables should not be used in a mechanical way, but only as a suggested generic set of relationships. In figure 24, the intersection of a stakeholder need and enterprise goal is filled in if that need should be considered for that goal.

Figure 24—Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (Appendix D, Mapping Stakeholder Needs and Enterprise Goals)
[Matrix: the rows are the internal stakeholder questions listed in figure 7, from "How do I get value from the use of IT?" to "How do I know whether I am compliant with all applicable regulations?"; the columns are the 17 enterprise goals listed in figure 5; the filled-in intersections are omitted here.]

Enterprise goals are organised along the Balanced Scorecard (BSC) dimensions; IT-related goals along the IT-related Balanced Scorecard (IT-BSC).

Figure 5—COBIT 5 Enterprise Goals Relation to Governance Objectives
Columns: Benefits Realisation, Risk Optimisation, Resource Optimisation; cells carry P (primary relationship) or S (secondary relationship). The individual P/S marks are omitted here.
BSC Dimension Financial:
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
BSC Dimension Customer:
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
BSC Dimension Internal:
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies
BSC Dimension Learning and Growth:
16. Skilled and motivated people
17. Product and business innovation culture

Figure 6—IT-related Goals
IT BSC Dimension Financial:
01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realised benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk
IT BSC Dimension Customer:
07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions
IT BSC Dimension Internal:
09 IT agility
10 Security of information, processing infrastructure and applications
11 Optimisation of IT assets, resources and capabilities
12 Enablement and support of business processes by integrating applications and technology into business processes
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14 Availability of reliable and useful information for decision making
15 IT compliance with internal policies
IT BSC Dimension Learning and Growth:
16 Competent and motivated business and IT personnel
17 Knowledge, expertise and initiatives for business innovation

APPENDIX B: MAPPING COBIT 5 ENTERPRISE GOALS TO IT-RELATED GOALS
When using the table in figure 22, please consider the remarks made in chapter 2 on how to use the COBIT 5 goals cascade.
Figure 22—Mapping COBIT 5 Enterprise Goals to IT-related Goals
[Matrix: the columns are enterprise goals 1 to 17 (figure 5); the rows are IT-related goals 01 to 17 (figure 6), grouped by IT BSC dimension (Financial, Customer, Internal, Learning and Growth); cells carry P (primary) or S (secondary). The individual P/S marks are omitted here.]

APPENDIX C: DETAILED MAPPING IT-RELATED GOALS - IT-RELATED PROCESSES
When using the table in figure 23, please consider the remarks made in chapter 2 on how to use the COBIT 5 goals cascade.

Figure 23—Mapping COBIT 5 IT-related Goals to Processes
[Matrix: the columns are IT-related goals 01 to 17 (figure 6), grouped by IT BSC dimension; the rows are the COBIT 5 processes listed below, grouped by domain; cells carry P (primary) or S (secondary). The individual P/S marks are omitted here.]
Evaluate, Direct and Monitor: EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency
Align, Plan and Organise: APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
Build, Acquire and Implement: BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration
Deliver, Service and Support: DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess: MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

© 2012 ISACA ‐ Glenfis AG
Activities associated with each of the governance and management practices in COBIT 5.
Columns: Governance/Management; Domain; ID; COBIT 5 Process; Governance/Management Practice.

Governance: Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
  EDM01.01 Evaluate the governance system.
  EDM01.02 Direct the governance system.
  EDM01.03 Monitor the governance system.
EDM02 Ensure Benefits Delivery
  EDM02.01 Evaluate value optimisation.
  EDM02.02 Direct value optimisation.
  EDM02.03 Monitor value optimisation.
EDM03 Ensure Risk Optimisation
  EDM03.01 Evaluate risk management.
  EDM03.02 Direct risk management.
  EDM03.03 Monitor risk management.
EDM04 Ensure Resource Optimisation
  EDM04.01 Evaluate resource management.
  EDM04.02 Direct resource management.
  EDM04.03 Monitor resource management.
EDM05 Ensure Stakeholder Transparency
  EDM05.01 Evaluate stakeholder reporting requirements.
  EDM05.02 Direct stakeholder communication and reporting.
  EDM05.03 Monitor stakeholder communication.

Management: Align, Plan and Organise (APO)
APO01 Manage the IT Management Framework
  APO01.01 Define the organisational structure.
  APO01.02 Establish roles and responsibilities.
  APO01.03 Maintain the enablers of the management system.
  APO01.04 Communicate management objectives and direction.
  APO01.05 Optimise the placement of the IT function.
  APO01.06 Define information (data) and system ownership.
  APO01.07 Manage continual improvement of processes.
  APO01.08 Maintain compliance with policies and procedures.
APO02 Manage Strategy
  APO02.01 Understand enterprise direction.
  APO02.02 Assess the current environment, capabilities and performance.
  APO02.03 Define the target IT capabilities.
  APO02.04 Conduct a gap analysis.
  APO02.05 Define the strategic plan and road map.
  APO02.06 Communicate the IT strategy and direction.
APO03 Manage Enterprise Architecture
  APO03.01 Develop the enterprise architecture vision.
  APO03.02 Define reference architecture.
  APO03.03 Select opportunities and solutions.
  APO03.04 Define architecture implementation.
  APO03.05 Provide enterprise architecture services.
APO04 Manage Innovation
  APO04.01 Create an environment conducive to innovation.
  APO04.02 Maintain an understanding of the enterprise environment.
  APO04.03 Monitor and scan the technology environment.
  APO04.04 Assess the potential of emerging technologies and innovation ideas.
  APO04.05 Recommend appropriate further initiatives.
  APO04.06 Monitor the implementation and use of innovation.
APO05 Manage Portfolio
  APO05.01 Establish the target investment mix.
  APO05.02 Determine the availability and sources of funds.
  APO05.03 Evaluate and select programmes to fund.
  APO05.04 Monitor, optimise and report on investment portfolio performance.
  APO05.05 Maintain portfolios.
  APO05.06 Manage benefits achievement.
APO06 Manage Budget and Costs
  APO06.01 Manage finance and accounting.
  APO06.02 Prioritise resource allocation.
  APO06.03 Create and maintain budgets.
  APO06.04 Model and allocate costs.
  APO06.05 Manage costs.
APO07 Manage Human Resources
  APO07.01 Maintain adequate and appropriate staffing.
  APO07.02 Identify key IT personnel.
  APO07.03 Maintain the skills and competencies of personnel.
  APO07.04 Evaluate employee job performance.
  APO07.05 Plan and track the usage of IT and business human resources.
  APO07.06 Manage contract staff.
APO08 Manage Relationships
  APO08.01 Understand business expectations.
  APO08.02 Identify opportunities, risk and constraints for IT to enhance the business.
  APO08.03 Manage the business relationship.
  APO08.04 Co-ordinate and communicate.
  APO08.05 Provide input to the continual improvement of services.
APO09 Manage Service Agreements
  APO09.01 Identify IT services.
  APO09.02 Catalogue IT-enabled services.
  APO09.03 Define and prepare service agreements.
  APO09.04 Monitor and report service levels.
  APO09.05 Review service agreements and contracts.
APO10 Manage Suppliers
  APO10.01 Identify and evaluate supplier relationships and contracts.
  APO10.02 Select suppliers.
  APO10.03 Manage supplier relationships and contracts.
  APO10.04 Manage supplier risk.
  APO10.05 Monitor supplier performance and compliance.
APO11 Manage Quality
  APO11.01 Establish a quality management system (QMS).
  APO11.02 Define and manage quality standards, practices and procedures.
  APO11.03 Focus quality management on customers.
  APO11.04 Perform quality monitoring, control and reviews.
  APO11.05 Integrate quality management into solutions for development and service delivery.
  APO11.06 Maintain continuous improvement.
APO12 Manage Risk
  APO12.01 Collect data.
  APO12.02 Analyse risk.
  APO12.03 Maintain a risk profile.
  APO12.04 Articulate risk.
  APO12.05 Define a risk management action portfolio.
  APO12.06 Respond to risk.
APO13 Manage Security
  APO13.01 Establish and maintain an ISMS.
  APO13.02 Define and manage an information security risk treatment plan.
  APO13.03 Monitor and review the ISMS.

Management: Build, Acquire and Implement (BAI)
BAI01 Manage Programmes and Projects
  BAI01.01 Maintain a standard approach for programme and project management.
  BAI01.02 Initiate a programme.
  BAI01.03 Manage stakeholder engagement.
  BAI01.04 Develop and maintain the programme plan.
  BAI01.05 Launch and execute the programme.
  BAI01.06 Monitor, control and report on the programme outcomes.
  BAI01.07 Start up and initiate projects within a programme.
  BAI01.08 Plan projects.
  BAI01.09 Manage programme and project quality.
  BAI01.10 Manage programme and project risk.
  BAI01.11 Monitor and control projects.
  BAI01.12 Manage project resources and work packages.
  BAI01.13 Close a project or iteration.
  BAI01.14 Close a programme.
BAI02 Manage Requirements Definition
  BAI02.01 Define and maintain business functional and technical requirements.
  BAI02.02 Perform a feasibility study and formulate alternative solutions.
  BAI02.03 Manage requirements risk.
  BAI02.04 Obtain approval of requirements and solutions.
BAI03 Manage Solutions Identification and Build
  BAI03.01 Design high-level solutions.
  BAI03.02 Design detailed solution components.
  BAI03.03 Develop solution components.
  BAI03.04 Procure solution components.
  BAI03.05 Build solutions.
  BAI03.06 Perform quality assurance.
  BAI03.07 Prepare for solution testing.
  BAI03.08 Execute solution testing.
  BAI03.09 Manage changes to requirements.
  BAI03.10 Maintain solutions.
  BAI03.11 Define IT services and maintain the service portfolio.
BAI04 Manage Availability and Capacity
  BAI04.01 Assess current availability, performance and capacity and create a baseline.
  BAI04.02 Assess business impact.
  BAI04.03 Plan for new or changed service requirements.
  BAI04.04 Monitor and review availability and capacity.
  BAI04.05 Investigate and address availability, performance and capacity issues.
BAI05 Manage Organisational Change Enablement
  BAI05.01 Establish the desire to change.
  BAI05.02 Form an effective implementation team.
  BAI05.03 Communicate desired vision.
  BAI05.04 Empower role players and identify short-term wins.
  BAI05.05 Enable operation and use.
  BAI05.06 Embed new approaches.
  BAI05.07 Sustain changes.
BAI06 Manage Changes
  BAI06.01 Evaluate, prioritise and authorise change requests.
  BAI06.02 Manage emergency changes.
  BAI06.03 Track and report change status.
  BAI06.04 Close and document the changes.
BAI07 Manage Change Acceptance and Transitioning
  BAI07.01 Establish an implementation plan.
  BAI07.02 Plan business process, system and data conversion.
  BAI07.03 Plan acceptance tests.
  BAI07.04 Establish a test environment.
  BAI07.05 Perform acceptance tests.
  BAI07.06 Promote to production and manage releases.
  BAI07.07 Provide early production support.
  BAI07.08 Perform a post-implementation review.
BAI08 Manage Knowledge
  BAI08.01 Nurture and facilitate a knowledge-sharing culture.
  BAI08.02 Identify and classify sources of information.
  BAI08.03 Organise and contextualise information into knowledge.
  BAI08.04 Use and share knowledge.
  BAI08.05 Evaluate and retire information.
BAI09 Manage Assets
  BAI09.01 Identify and record current assets.
  BAI09.02 Manage critical assets.
  BAI09.03 Manage the asset life cycle.
  BAI09.04 Optimise asset costs.
  BAI09.05 Manage licences.
BAI10 Manage Configuration
  BAI10.01 Establish and maintain a configuration model.
  BAI10.02 Establish and maintain a configuration repository and baseline.
  BAI10.03 Maintain and control configuration items.
  BAI10.04 Produce status and configuration reports.
  BAI10.05 Verify and review integrity of the configuration repository.

Management: Deliver, Service and Support (DSS)
DSS01 Manage Operations
  DSS01.01 Perform operational procedures.
  DSS01.02 Manage outsourced IT services.
  DSS01.03 Monitor IT infrastructure.
  DSS01.04 Manage the environment.
  DSS01.05 Manage facilities.
DSS02 Manage Service Requests and Incidents
  DSS02.01 Define incident and service request classification schemes.
  DSS02.02 Record, classify and prioritise requests and incidents.
  DSS02.03 Verify, approve and fulfil service requests.
  DSS02.04 Investigate, diagnose and allocate incidents.
  DSS02.05 Resolve and recover from incidents.
  DSS02.06 Close service requests and incidents.
  DSS02.07 Track status and produce reports.
DSS03 Manage Problems
  DSS03.01 Identify and classify problems.
  DSS03.02 Investigate and diagnose problems.
  DSS03.03 Raise known errors.
  DSS03.04 Resolve and close problems.
  DSS03.05 Perform proactive problem management.
DSS04 Manage Continuity
  DSS04.01 Define the business continuity policy, objectives and scope.
  DSS04.02 Maintain a continuity strategy.
  DSS04.03 Develop and implement a business continuity response.
  DSS04.04 Exercise, test and review the BCP.
  DSS04.05 Review, maintain and improve the continuity plan.
  DSS04.06 Conduct continuity plan training.
  DSS04.07 Manage backup arrangements.
  DSS04.08 Conduct post-resumption review.
DSS05 Manage Security Services
  DSS05.01 Protect against malware.
  DSS05.02 Manage network and connectivity security.
  DSS05.03 Manage endpoint security.
  DSS05.04 Manage user identity and logical access.
  DSS05.05 Manage physical access to IT assets.
  DSS05.06 Manage sensitive documents and output devices.
  DSS05.07 Monitor the infrastructure for security-related events.
DSS06 Manage Business Process Controls
  DSS06.01 Align control activities embedded in business processes with enterprise objectives.
  DSS06.02 Control the processing of information.
  DSS06.03 Manage roles, responsibilities, access privileges and levels of authority.
  DSS06.04 Manage errors and exceptions.
  DSS06.05 Ensure traceability of information events and accountabilities.
  DSS06.06 Secure information assets.

Management: Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
  MEA01.01 Establish a monitoring approach.
  MEA01.02 Set performance and conformance targets.
  MEA01.03 Collect and process performance and conformance data.
  MEA01.04 Analyse and report performance.
  MEA01.05 Ensure the implementation of corrective actions.
MEA02 Monitor, Evaluate and Assess the System of Internal Control
  MEA02.01 Monitor internal controls.
  MEA02.02 Review business process controls effectiveness.
  MEA02.03 Perform control self-assessments.
  MEA02.04 Identify and report control deficiencies.
  MEA02.05 Ensure that assurance providers are independent and qualified.
  MEA02.06 Plan assurance initiatives.
  MEA02.07 Scope assurance initiatives.
  MEA02.08 Execute assurance initiatives.
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
  MEA03.01 Identify external compliance requirements.
  MEA03.02 Optimise response to external requirements.
  MEA03.03 Confirm external compliance.
  MEA03.04 Obtain assurance of external compliance.
Glenfis AG                                                   Page 1 of 1

ITIL® Edition 2011 - COBIT® 5 Mapping

[Mapping matrix: the ITIL Edition 2011 processes, grouped by lifecycle stage (Service Strategy, Service Design, Service Transition, Service Operation, CSI, Governance of Enterprise IT), set against the 37 COBIT 5 processes listed below. The individual "x" mapping marks did not survive text extraction and are not reproduced here.]

ITIL Edition 2011 processes in the matrix

Service Strategy
  Strategy management for IT services
  Service portfolio management
  Financial management for IT services
  Demand management
  Business relationship management

Service Design
  Design coordination
  Service catalogue management
  Service Level Mgmt
  Availability management
  IT service continuity management
  Capacity management
  Information security management
  Supplier management

Service Transition
  Transition planning and support
  Change management
  Release and deployment management
  Service asset and configuration management
  Service validation and testing
  Knowledge management
  Change evaluation

Service Operation
  Event management
  Incident management
  Problem management
  Request fulfilment
  Access management

CSI
  Service Reporting
  The seven-step improvement process

COBIT 5 processes in the matrix

Governance: Evaluate, Direct and Monitor (EDM), activities Evaluate / Direct / Monitor
  EDM01 Ensure Governance Framework Setting and Maintenance
  EDM02 Ensure Benefits Delivery
  EDM03 Ensure Risk Optimisation
  EDM04 Ensure Resource Optimisation
  EDM05 Ensure Stakeholder Transparency

Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)

Align, Plan and Organise (APO)
  APO01 Manage the IT Management Framework
  APO02 Manage Strategy
  APO03 Manage Enterprise Architecture
  APO04 Manage Innovation
  APO05 Manage Portfolio
  APO06 Manage Budget and Costs
  APO07 Manage Human Resources
  APO08 Manage Relationships
  APO09 Manage Service Agreements
  APO10 Manage Suppliers
  APO11 Manage Quality
  APO12 Manage Risk
  APO13 Manage Security

Build, Acquire and Implement (BAI)
  BAI01 Manage Programmes and Projects
  BAI02 Manage Requirements Definition
  BAI03 Manage Solutions Identification and Build
  BAI04 Manage Availability and Capacity
  BAI05 Manage Organisational Change Enablement
  BAI06 Manage Changes
  BAI07 Manage Change Acceptance and Transitioning
  BAI08 Manage Knowledge
  BAI09 Manage Assets
  BAI10 Manage Configuration

Deliver, Service and Support (DSS)
  DSS01 Manage Operations
  DSS02 Manage Service Requests and Incidents
  DSS03 Manage Problems
  DSS04 Manage Continuity
  DSS05 Manage Security Services
  DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
  MEA01 Monitor, Evaluate and Assess Performance and Conformance
  MEA02 Monitor, Evaluate and Assess the System of Internal Control
  MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Cabinet Office, and is Registered in the U.S. Patent and Trademark Office, and is used here by GLENFIS AG under licence from and with the permission of OC. COBIT® is a trademark of ISACA registered in the U.S. and other countries. COBIT 5 is an ISACA publication (www.isaca.org) and portions of COBIT 5 appear in this document with permission from ISACA.
(c) Glenfis AG, www.glenfis.ch, www.itil.org, www.ISO20000.ch, V 2.0
COBIT 5 Process Reference Model
Source: COBIT 5, figure 16

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
  EDM01 Ensure Governance Framework Setting and Maintenance
  EDM02 Ensure Benefits Delivery
  EDM03 Ensure Risk Optimisation
  EDM04 Ensure Resource Optimisation
  EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organise
  APO01 Manage the IT Management Framework
  APO02 Manage Strategy
  APO03 Manage Enterprise Architecture
  APO04 Manage Innovation
  APO05 Manage Portfolio
  APO06 Manage Budget and Costs
  APO07 Manage Human Resources
  APO08 Manage Relationships
  APO09 Manage Service Agreements
  APO10 Manage Suppliers
  APO11 Manage Quality
  APO12 Manage Risk
  APO13 Manage Security

Build, Acquire and Implement
  BAI01 Manage Programmes and Projects
  BAI02 Manage Requirements Definition
  BAI03 Manage Solutions Identification and Build
  BAI04 Manage Availability and Capacity
  BAI05 Manage Organisational Change Enablement
  BAI06 Manage Changes
  BAI07 Manage Change Acceptance and Transitioning
  BAI08 Manage Knowledge
  BAI09 Manage Assets
  BAI10 Manage Configuration

Deliver, Service and Support
  DSS01 Manage Operations
  DSS02 Manage Service Requests and Incidents
  DSS03 Manage Problems
  DSS04 Manage Continuity
  DSS05 Manage Security Services
  DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
  MEA01 Monitor, Evaluate and Assess Performance and Conformance
  MEA02 Monitor, Evaluate and Assess the System of Internal Control
  MEA03 Monitor, Evaluate and Assess Compliance With External Requirements