COBIT 2019 and IT Management
- Introduction
Christian F. Nissen, CFN Consult
RESILIA™, ITIL®, PRINCE2®, MSP®, MoP® and MoV® are Registered Trade Marks of AXELOS in the United Kingdom and other countries
COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
TOGAF™ and IT4IT™ are trademarks of The Open Group
SIAM® is a registered trademark of EXIN
© 2019 of CFN Consult unless otherwise stated
Agenda
1. Governance of IT
2. COBIT Background
3. COBIT Other frameworks
4. COBIT Principles
5. COBIT Goals
6. COBIT Objectives
7. COBIT Components
8. COBIT Design factors
9. COBIT Focus areas
10. COBIT Performance management
11. Designing and implementing a governance system
Governance – Assignment
- What is the difference between “IT Governance” and “IT Management”?
- What are the differences and similarities between “Corporate governance”, “IT Governance”, “Project governance”, “Process governance”, “Service governance”, “Information governance” and “application governance”?
Time: 10 minutes
Governance – an introduction
Definition? Management of management.
Object? Value, asset, system (architecture/configuration of resources), lifecycle.
Governance – an introduction
Who? Owner (accountable), delegate, governance body (evaluate & direct, monitor), management (plan-do-check-act, report), operation & execution.
Why? Maximize return on investment in the asset: optimize resources, optimize risk, meet preference.
Governance – an introduction
How? Evaluate, direct, monitor.
What?
- Principles, policies and plans (boundaries, principles, policies, decision models, strategies, plans, etc.)
- Goals (performance and outcome goals)
- Controls (control objectives, requirements, agreements, etc.)
- Maturity (capability maturity, benchmarks, etc.)
- Resources (money, etc.)
Governance – an introduction
When? [Figure: need for governance plotted against asset value and complexity of the asset (system/lifecycle)]
A delicate balance
IT governance balances:
- Conformance: adhering to legislation, internal policies, audit requirements, etc.
- Performance: improving profitability, efficiency, effectiveness, growth, etc.
COBIT
- Originally: the Control Objectives for Information and related Technology (COBIT)
- COBIT consists of a number of general goals, practices (controls), processes, organizational structures, information flows, and other components for governance and management of enterprise IT
- These are references, sets of best practices, not an ‘off-the-shelf’ cure (descriptive, not prescriptive)
- COBIT is produced and owned by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI): www.isaca.org/cobit
Why COBIT 2019?
Enterprise governance of IT, business/IT alignment, value creation:
- Benefits realization
- Risk optimization
- Resource optimization
COBIT 2019 – Governance framework principles
1. Based on a conceptual model
2. Open and flexible
3. Aligned to major standards
COBIT History
[Figure: evolution of COBIT; diagram labels: Audit, Control, Practices, Management, Governance, Capabilities]
For latest updates on COBIT, visit www.isaca.org/cobit.
COBIT 2019 – Scope
Governance ensures that:
- Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
- Direction is set through prioritization and decision making.
- Performance and compliance are monitored against agreed-on direction and objectives.
Management:
- Plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.
COBIT 2019 – Scope
- COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.
- COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
- COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.
COBIT 2019 – Target audience
Stakeholder and benefit of COBIT:
Internal stakeholders
- Boards: provides insights on how to get value from the use of IT and explains relevant board responsibilities
- Executive management: helps to understand how to obtain the IT solutions enterprises require and how best to exploit new technology for new strategic opportunities
- Business managers: provides guidance on how to organize and monitor performance of IT across the enterprise
- IT managers: provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy to business priorities, etc.
- Assurance providers: helps to manage dependency on external service providers, get assurance over IT, and ensure the existence of an effective and efficient system of internal controls
- Risk management: helps to ensure the identification and management of all IT-related risk
External stakeholders
- Regulators: helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance
- Business partners: helps to ensure that a business partner’s operations are secure, reliable and compliant with applicable rules and regulations
- IT vendors: helps to ensure that an IT vendor’s operations are secure, reliable and compliant with applicable rules and regulations
COBIT 2019 – Overview (figure only)
COBIT 2019 – Product family
Products:
- COBIT 2019 Framework: Introduction and Methodology
- COBIT 2019 Framework: Governance and Management Objectives
- COBIT 2019 Design Guide
- COBIT 2019 Implementation Guide
COBIT and related frameworks
Some relevant best practices and standards (best practices; standards):
- Corporate governance: God Selskabsledelse, COSO
- IT governance: COBIT, MoV, MoP; ISO/IEC 38500
- IT management: COBIT / MoR
- Enterprise architecture: TOGAF; ISO/IEC 42016
- IT service management: ITIL, eTOM, VeriSM, SAFe; ISO/IEC 20000, IT4IT
- Information security & privacy: ISF; ISO/IEC 27000
- Quality management: LEAN, EFQM, Six Sigma, Test; ISO 9000
- Process maturity: CMMi, TIPA; ISO/IEC 33000
- Project & program management: PRINCE2, MSP, PMBOK
- Industry specific: GAMP, Basel II, Solvency II
- Regulations: Sarbanes-Oxley (SoX), data protection acts, GDPR, FDA requirements
COBIT and related frameworks (COBIT 5, Appendix E) (figure only)
Governance related best practices and standards
- IT Governance Institute (ISACA): Board Briefing on IT Governance; COBIT
- Peter Weill and Jeanne W. Ross: IT Governance
- Cabinet Office: ITIL; PRINCE2; MoR; MSP; MoV, MoP, P3O, P3M3
- ISO/IEC: ISO/IEC 38500 Corporate governance of IT
COBIT and related frameworks
ISO/IEC 38500
- Formal standard for IT governance
- ISO/IEC 38500 is produced and owned by the International Organization for Standardization (ISO)
- ISO/IEC 38500 covers six principles for IT governance: responsibility, strategy, acquisition, performance, conformance, human behavior
www.iso.org
COBIT and related frameworks
ISO/IEC 38500 History and ownership
- ISO/IEC 38500 was originally developed by the Australian standardization organization and was named AS8015:2005.
- In 2009 it was fast-tracked through ISO and officially re-named to ISO/IEC 38500:2008 in April 2008.
- In 2016 it was revised to ISO/IEC 38500:2016.
COBIT and related frameworks
ISO/IEC 38500 The six principles
Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
Principle 5: Conformance
The use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
Principle 6: Human Behavior
IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the ‘people in the process’.
COBIT and related frameworks
Governance activities according to ISO/IEC 38500
- Evaluate (current and future use of IT)
- Direct (preparation and implementation)
- Monitor (conformance and performance)
COBIT Principles
COBIT 2019 – Six governance system principles
1. Provide stakeholder value
2. Holistic approach
3. Dynamic governance system
4. Governance distinct from management
5. Tailored to enterprise needs
6. End-to-end governance system
COBIT Goals
COBIT 2019 – Goals cascade
Stakeholder drivers and needs cascade to enterprise goals, which cascade to alignment goals, which cascade to governance and management objectives.
COBIT Goals
COBIT 2019 – Enterprise Goals (by balanced scorecard dimension)
Financial
- EG01 Portfolio of competitive products and services
- EG02 Managed business risk
- EG03 Compliance with external laws and regulations
- EG04 Quality of financial information
Customer
- EG05 Customer-oriented service culture
- EG06 Business-service continuity and availability
- EG07 Quality of management information
Internal
- EG08 Optimization of internal business process functionality
- EG09 Optimization of business process costs
- EG10 Staff skills, motivation and productivity
- EG11 Compliance with internal policies
- EG12 Managed digital transformation programs
Learning and Growth
- EG13 Product and business innovation
COBIT Goals
COBIT 2019 – Alignment Goals (by balanced scorecard dimension)
Financial
- AG01 IT compliance and support for business compliance with external laws and regulations
- AG02 Managed IT-related risk
- AG03 Realized benefits from IT-enabled investments and services portfolio
- AG04 Quality of technology-related financial information
Customer
- AG05 Delivery of I&T services in line with business requirements
- AG06 Agility to turn business requirements into operational solutions
- AG07 Security of information, processing infrastructure and applications, and privacy
Internal
- AG08 Enabling and supporting business processes by integrating applications and technology
- AG09 Delivery of programs on time, on budget and meeting requirements and quality standards
- AG10 Quality of IT management information
- AG11 IT compliance with internal policies
Learning and Growth
- AG12 Competent and motivated staff with mutual understanding of technology and business
- AG13 Knowledge, expertise and initiatives for business innovation
COBIT 2019 – Mapping Enterprise and Alignment Goals (figure only)
COBIT 2019 – Mapping Alignment Goals and Objectives (figure only)
COBIT Objectives
COBIT 2019 – Objectives
- For information and technology to contribute to enterprise goals, a number of governance and management objectives (i.e. capabilities) should be achieved.
- A governance or management objective always relates to one process and a series of related components of other types to help achieve the objective.
- COBIT 2019 includes 5 governance objectives and 35 management objectives, covering 231 governance and management practices (controls) in five domains:
  - Evaluate, Direct and Monitor (governance)
  - Align, Plan and Organize (management)
  - Build, Acquire and Implement (management)
  - Deliver, Service and Support (management)
  - Monitor, Evaluate and Assess (management)
COBIT 2019 – Core model (40 objectives) (figure only)
COBIT Objectives
COBIT 2019 – Core model
Evaluate, Direct and Monitor (EDM)
- EDM01 Ensured Governance Framework Setting & Maintenance
- EDM02 Ensured Benefits Delivery
- EDM03 Ensured Risk Optimization
- EDM04 Ensured Resource Optimization
- EDM05 Ensured Stakeholder Engagement
Align, Plan and Organize (APO)
- APO01 Managed I&T Management Framework
- APO02 Managed Strategy
- APO03 Managed Enterprise Architecture
- APO04 Managed Innovation
- APO05 Managed Portfolio
- APO06 Managed Budget & Costs
- APO07 Managed Human Resources
- APO08 Managed Relationships
- APO09 Managed Service Agreements
- APO10 Managed Vendors
- APO11 Managed Quality
- APO12 Managed Risk
- APO13 Managed Security
- APO14 Managed Data
Build, Acquire and Implement (BAI)
- BAI01 Managed Programs
- BAI02 Managed Requirements Definition
- BAI03 Managed Solutions Identification & Build
- BAI04 Managed Availability & Capacity
- BAI05 Managed Organizational Change
- BAI06 Managed IT Changes
- BAI07 Managed IT Change Acceptance and Transitioning
- BAI08 Managed Knowledge
- BAI09 Managed Assets
- BAI10 Managed Configuration
- BAI11 Managed Projects
Deliver, Service and Support (DSS)
- DSS01 Managed Operations
- DSS02 Managed Service Requests & Incidents
- DSS03 Managed Problems
- DSS04 Managed Continuity
- DSS05 Managed Security Services
- DSS06 Managed Business Process Controls
Monitor, Evaluate and Assess (MEA)
- MEA01 Managed Performance and Conformance Monitoring
- MEA02 Managed System of Internal Control
- MEA03 Managed Compliance with External Requirements
- MEA04 Managed Assurance
COBIT 2019 – Objective – Example (figure only)
COBIT Components
COBIT 2019 – Components
- To satisfy the objectives, each enterprise needs to establish, tailor and sustain a governance system built from a number of components.
- Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over IT.
- Components interact with each other, resulting in a holistic governance system for IT.
- Components can be of different types.
Component types of the governance system:
- Processes
- Organizational structures
- Principles, policies, procedures
- Information
- Culture, ethics and behavior
- People, skills and competences
- Services, infrastructure and applications
COBIT 2019 – Processes – Example (figure only)
COBIT Components
COBIT 2019 – Processes – Controls
- Controls are statements of managerial actions to increase value or reduce risk
- They are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
- In COBIT, they are called “Governance Practices” and “Management Practices”
COBIT 2019 – Processes – Control types
- Directive controls
- Preventive controls
- Compensating controls
- Detective controls
- Corrective controls
COBIT Components
COBIT 2019 – Processes – Process specific controls
Example: Managed IT Changes
BAI06.01 Evaluate, prioritize and authorize change requests.
Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.
BAI06.02 Manage emergency changes.
Carefully manage emergency changes to minimize further incidents. Ensure the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.
BAI06.03 Track and report change status.
Maintain a tracking and reporting system to document rejected changes and communicate the status of approved, in-process and complete changes. Make certain that approved changes are implemented as planned.
BAI06.04 Close and document the changes.
Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.
COBIT Components
ISO/IEC 20000-1:2011 – Requirements
9.2 Change management
A change management policy shall be established that defines:
a) CIs which are under the control of change management;
b) criteria to determine changes with potential to have a major impact on services or the customer.
Removal of a service shall be classified as a change to a service with the potential to have a major impact. Transfer of a service from the service provider to the customer or a different party shall be classified as a change with potential to have a major impact.
There shall be a documented procedure to record, classify, assess and approve requests for change.
The service provider shall document and agree with the customer the definition of an emergency change. There shall be a documented procedure for managing emergency changes.
All changes to a service or service component shall be raised using a request for change. Requests for change shall have a defined scope.
...
COBIT Components
ISO/IEC 27002:2013 – Requirements
12.1.2 Change Management
Control
Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.
Implementation guidance
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident.
Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.
COBIT Components
Compliance requirements
- Security standards
- Privacy legislation
- Spam legislation
- Trade practices legislation
- Intellectual property rights, including software licensing agreements
- Record keeping requirements
- Environmental legislation and regulations
- Health and safety legislation
- Accessibility legislation
- Social responsibility standards
- ...
COBIT Components
Mapping compliance requirements
[Figure: requirements from COBIT, ISO/IEC 20000 and ISO/IEC 27000 mapped through a control objective database to policy, process, procedure, work instructions and roles. Example requirements shown: COBIT BAI10.03 “Maintain an up-to-date repository of configuration items (CIs) by populating any configuration changes. . . .”; ISO/IEC 20000 9.1 “Configuration management shall provide information to the change management process on the impact of a requested change on the service and infrastructure configurations . . .”; ISO/IEC 27000 7.1 “Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned . . .”]
COBIT 2019 – Organizational Structures – Example (figure only)
COBIT 2019 – Information – Example (figure only)
COBIT 2019 – People, Skills, Competences – Example
The people, skills and competencies governance component identifies human resources and skills required to achieve the governance or management objective. COBIT® 2019 based this guidance on the Skills Framework for the Information Age (SFIA®) V6 (version 6). All listed skills are described in detail in the SFIA framework. The Detailed Reference provides a unique code that correlates to SFIA guidance on the skill.
COBIT 2019 – Policies, Procedures – Example (figure only)
COBIT 2019 – Culture, Ethics, Behavior – Example (figure only)
COBIT 2019 – Services, Infrastructure, Applications – Example (figure only)
COBIT Design factors
COBIT 2019 – Design factors
Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of IT. Design factors include any combination of the following:
1. Enterprise strategy
2. Enterprise goals
3. Risk profile
4. IT-related issues
5. Threat landscape
6. Compliance requirements
7. Role of IT
8. Sourcing model for IT
9. IT implementation methods
10. Technology adoption strategy
11. Enterprise size
COBIT Design factors
COBIT 2019 – Design factors
1. Enterprise strategy. Organizations typically have a primary strategy and, at most, one secondary strategy. Enterprises can have different strategies, which can be expressed as one or more of the following archetypes (strategy archetype: explanation):
- Growth/Acquisition: the enterprise has a focus on growing (revenues)
- Innovation/Differentiation: the enterprise has a focus on offering different and/or innovative products and services to their clients
- Cost leadership: the enterprise has a focus on short-term cost minimization
- Client service/Stability: the enterprise has a focus on providing stable and client-oriented service
COBIT Design factors
COBIT 2019 – Design factors
2. Enterprise goals supporting the enterprise strategy (by balanced scorecard dimension):
Financial
- EG01 Portfolio of competitive products and services
- EG02 Managed business risk
- EG03 Compliance with external laws and regulations
- EG04 Quality of financial information
Customer
- EG05 Customer-oriented service culture
- EG06 Business-service continuity and availability
- EG07 Quality of management information
Internal
- EG08 Optimization of internal business process functionality
- EG09 Optimization of business process costs
- EG10 Staff skills, motivation and productivity
- EG11 Compliance with internal policies
- EG12 Managed digital transformation programs
Learning and Growth
- EG13 Product and business innovation
COBIT Design factors
COBIT 2019 – Design factors
3. Risk profile of the enterprise (risk categories):
1. IT investment decision making, portfolio definition & maintenance
2. Program & projects life cycle management
3. IT cost & oversight
4. IT expertise, skills & behavior
5. Enterprise/IT architecture
6. IT operational infrastructure incidents
7. Unauthorized actions
8. Software adoption/usage problems
9. Hardware incidents
10. Software failures
11. Logical attacks (hacking, malware, etc.)
12. Third-party/supplier incidents
13. Noncompliance
14. Geopolitical issues
15. Industrial action
16. Acts of nature
17. Technology-based innovation
18. Environmental
19. Data & information management
COBIT Design factors
COBIT 2019 – Design factors
4. IT-related issues. The most common issues include:
A. Frustration between different IT entities across the organization because of a perception of low contribution to business value
B. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
C. Significant I&T-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
D. Service delivery problems by the IT outsourcer(s)
E. Failures to meet IT-related regulatory or contractual requirements
F. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
G. Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets
H. Duplications or overlaps between various initiatives, or other forms of wasted resources
I. Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
J. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
K. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
L. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
M. Excessively high cost of IT
N. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
O. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
P. Regular issues with data quality and integration of data across various sources
Q. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
R. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services)
S. Ignorance of and/or noncompliance with privacy regulations
T. Inability to exploit new technologies or innovate using I&T
COBIT Design factors
COBIT 2019 – Design factors
5. Threat landscape under which the enterprise operates (threat landscape: explanation):
- Normal: the enterprise is operating under what are considered normal threat levels.
- High: due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
COBIT Design factors
COBIT 2019 – Design factors
6. Compliance requirements to which the enterprise is subject (regulatory environment: explanation):
- Low compliance requirements: the enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
- Normal compliance requirements: the enterprise is subject to a set of regular compliance requirements that are common across different industries.
- High compliance requirements: the enterprise is subject to higher-than-average compliance requirements, most often related to industry sector or geopolitical conditions.
COBIT Design factors
COBIT 2019 – Design factors
7. Role of IT for the enterprise (role of IT: explanation):
- Support: IT is not crucial for the running and continuity of the business processes and services, nor for their innovation.
- Factory: when IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
- Turnaround: IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency on IT for the current running and continuity of the business processes and services.
- Strategic: IT is critical for both running and innovating the organization’s business processes and services.
COBIT Design factors
COBIT 2019 – Design factors
8. Sourcing model for IT that the enterprise adopts (sourcing model: explanation):
- Outsourcing: the enterprise calls upon the services of a third party to provide IT services.
- Cloud: the enterprise maximizes the use of the cloud for providing IT services to its users.
- Insourced: the enterprise provides for its own IT staff and services.
- Hybrid: a mixed model is applied, combining the other three models in varying degrees.
COBIT Design factors
COBIT 2019 – Design factors
9. IT implementation methods that the enterprise adopts (implementation method: explanation):
- Agile: the enterprise uses Agile development working methods for its software development.
- DevOps: the enterprise uses DevOps working methods for software building, deployment and operations.
- Traditional: the enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
- Hybrid: the enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”
COBIT Design factors
COBIT 2019 – Design factors
10. Technology adoption strategy (adoption strategy: explanation):
- First mover: the enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
- Follower: the enterprise typically waits for new technologies to become mainstream and proven before adopting them.
- Slow adopter: the enterprise is very late with adoption of new technologies.
COBIT Design factors
COBIT 2019 – Design factors
11. Enterprise size (enterprise size: explanation):
- Large enterprise (default): enterprise with more than 250 full-time employees (FTEs)
- Small and medium enterprise: enterprise with 50 to 250 FTEs
COBIT 2019 Governance System Design Workbook – Canvas (figure only)
COBIT Focus areas
COBIT 2019 – Focus areas
A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
• Examples of focus areas include: small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy, and DevOps.
• Focus areas may contain a combination of generic governance components and variants.
• The number of focus areas is virtually unlimited. That is what makes COBIT open-ended.
COBIT 2019 – Performance management
The COBIT Performance Management (CPM) model largely aligns to the CMMI® Development concepts:
• Process activities are associated to capability levels included in the Governance and Management Objectives guide.
• Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance.
• Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved.
COBIT 2019 – Performance management
Capability and maturity levels (figure slide): maturity is assessed for focus areas; capability is assessed for processes and for other types of governance and management components.
COBIT 2019 – Performance management
Capability levels for processes:
Level 5: The process achieves its purpose, is well defined, its performance is measured to improve performance and continuous improvement is pursued.
Level 4: The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
Level 3: The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.
Level 2: The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
Level 1: The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive—not very organized.
Level 0:
• Lack of any basic capability
• Incomplete approach to address governance and management purpose
• May or may not be meeting the intent of any process practices
COBIT 2019 – Performance management
The COBIT core model assigns capability levels to all
process activities, enabling clear definition of the
processes and required activities for achieving the
different capability levels.
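The two roll-up rules on these slides (a process reaches a capability level only when all activities assigned to that level and below are performed; a focus area reaches a maturity level only when every required capability level is achieved) can be written down as a small assessment script. The following is an added example, not code from COBIT, ISACA or CFN Consult; the process identifiers PROC-A and PROC-B, the activity names and the required-level mapping are constructed sample data and are not the COBIT core model.

```python
"""Roll-up of COBIT 2019 capability and maturity levels.

Added example (not code from COBIT, ISACA or CFN Consult). It encodes two
rules stated in the slides: a process reaches capability level L only when
all activities the core model assigns to levels 1..L are performed, and a
focus area reaches a maturity level only when every required capability
level is achieved. The process identifiers, activity names and the
required-level mapping below are constructed sample data, not the COBIT
core model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    level: int        # capability level the core model assigns to the activity (1-5)
    performed: bool   # assessment result for this activity


MAX_LEVEL = 5


def process_capability(activities):
    """Highest capability level L for which every activity assigned to
    levels 1..L is performed. A level with no activities assigned, or with
    any unperformed activity, stops the climb; nothing performed gives 0."""
    achieved = 0
    for level in range(1, MAX_LEVEL + 1):
        at_level = [a for a in activities if a.level == level]
        if not at_level or not all(a.performed for a in at_level):
            break
        achieved = level
    return achieved


def capability_gaps(activities):
    """Unperformed activities at the level just above the achieved one,
    i.e. what an assessor would list as blocking the next capability level."""
    next_level = process_capability(activities) + 1
    return [a.name for a in activities if a.level == next_level and not a.performed]


def focus_area_maturity(required, assessed):
    """required: {maturity_level: {process_id: required_capability_level}}
    assessed: {process_id: achieved_capability_level}
    Maturity levels are cumulative: level M counts only if M and every lower
    level have all their required capability levels met. A process missing
    from the assessment is treated as capability 0."""
    achieved = 0
    for level in sorted(required):
        needs = required[level]
        if all(assessed.get(pid, 0) >= need for pid, need in needs.items()):
            achieved = level
        else:
            break
    return achieved


def assess_focus_area(required, activities_by_process):
    """Assess every process, then the focus area. Returns (maturity,
    per-process capability, per-process gaps) so the result is explainable."""
    assessed = {pid: process_capability(acts) for pid, acts in activities_by_process.items()}
    gaps = {pid: capability_gaps(acts) for pid, acts in activities_by_process.items()}
    return focus_area_maturity(required, assessed), assessed, gaps


# Constructed sample: two hypothetical processes with activities at levels 1-4.
SAMPLE_ACTIVITIES = {
    "PROC-A": [
        Activity("Define the process scope", 1, True),
        Activity("Perform the basic activity set", 2, True),
        Activity("Record results of each activity", 2, True),
        Activity("Follow an enterprise-wide standard for the process", 3, True),
        Activity("Collect quantitative performance measures", 4, False),
    ],
    "PROC-B": [
        Activity("Identify what the process must deliver", 1, True),
        Activity("Perform the basic activity set", 2, True),
        Activity("Define roles for the process", 2, False),
    ],
}

# Constructed sample: capability levels a hypothetical focus area requires
# from each process at maturity levels 1-3.
SAMPLE_REQUIRED = {
    1: {"PROC-A": 1, "PROC-B": 1},
    2: {"PROC-A": 2, "PROC-B": 2},
    3: {"PROC-A": 3, "PROC-B": 3},
}


if __name__ == "__main__":
    maturity, capability, gaps = assess_focus_area(SAMPLE_REQUIRED, SAMPLE_ACTIVITIES)
    print("Process capability:", capability)
    print("Blocking activities:", gaps)
    print("Focus area maturity:", maturity)
```

With the sample data, PROC-A stops at capability 3 because its level-4 activity is not performed, PROC-B stops at 1 because one of its level-2 activities is missing, and the focus area therefore reaches only maturity 1 even though PROC-A alone would satisfy level 3. The gap lists make the blocking activities explicit, which is the part an assessor actually needs to plan the next improvement step.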
COBIT 2019 – Performance management
COBIT also provides guidance for how to assign capability levels for the other governance and management component types such as:
• Organizational structures,
• Information, and
• Culture and behavior
COBIT 2019 – Performance management
Maturity levels for focus areas:
Level 5: Optimizing—The enterprise is focused on continuous improvement.
Level 4: Quantitative—The enterprise is data driven, with quantitative performance improvement.
Level 3: Defined—Enterprise-wide standards provide guidance across the enterprise.
Level 2: Managed—Planning and performance measurement take place, although not yet in a standardized way.
Level 1: Initial—Work is completed, but the full goal and intent of the focus area are not yet achieved.
Level 0: Incomplete—Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area.
COBIT 2019 – Governance System Design Workflow (figure slide)
COBIT 2019 – Implementation Road Map
There are seven phases that comprise the COBIT implementation approach:
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?
COBIT 2019 – Design vs. Implementation
Connection points between the COBIT Design Guide and the COBIT Implementation Guide (Implementation Guide phase: corresponding Design Guide steps):
Phase 1—What are the drivers? (Continuous improvement [CI] tasks): Step 1—Understand the enterprise context and strategy.
Phase 2—Where are we now? (CI tasks): Step 2—Determine the initial scope of the governance system; Step 3—Refine the scope of the governance system; Step 4—Conclude the governance system design.
Phase 3—Where do we want to be? (CI tasks): Step 4—Conclude the governance system design.
Conclusion
COBIT 2019 – Overview
Questions and comments
Contact
Christian F. Nissen
cfn@cfnconsult.dk
+45 40 19 41 45
CFN Consult ApS
Nysoevang 15A
DK-2750 Ballerup
CVR: 39 36 47 86