Assessment Programme Using COBIT 5 Introduction

ISACA’s COBIT® Assessment Programme
(based on COBIT® 5)
Presented by:
Session Objectives
• Understanding the COBIT Assessment Programme, its ISO/IEC 15504 base and the use of COBIT 5 content in it
• Understanding the relationship to ISO/IEC 15504 and why ISACA selected this standard and approach
• Understanding the COBIT Assessment Programme materials and support from ISACA
Copyright ISACA 2014
All rights reserved
Slide 2
What is a Process Assessment?
• ISO/IEC 15504-4 identifies process assessment as an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach.
• The purpose of process improvement is to continually improve the enterprise’s effectiveness and efficiency.
• The purpose of process capability determination is to identify the strengths, weaknesses and risk of selected processes with respect to a particular specified requirement through the processes used and their alignment with the business need.
• It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes.
What is the COBIT Assessment Programme?
• The COBIT Assessment Programme brings together two proven heavyweights in the IT arena, ISO and ISACA.
• The process assessment standard from ISO, ISO/IEC 15504, is combined with the process model from COBIT 5 to provide an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes.
Programme support
• The COBIT Assessment Programme products (www.isaca.org/KnowledgeCenter/cobit/Pages/COBIT-Assessment-Programme.aspx) include:
  • COBIT Self Assessment Guide: Using COBIT 5
  • A self-assessment tool kit
  • COBIT Assessor Guide: Using COBIT 5
  • COBIT Process Assessment Model (PAM): Using COBIT 5
• In addition, Accredited Training Organizations (ATOs) deliver the COBIT Assurance training course to candidates who have obtained the COBIT 5 Foundation certification.
• ISACA has established a Certified COBIT Assessor certification, to allow appropriately trained and experienced assessors to be able to demonstrate their competence to assessment project sponsors, www.isaca.org/COBIT/Pages/COBIT-5-CertifiedAssessor-Program.aspx.
Self-assessment approach
• Simple, stand-alone guidance (10 pages plus short appendices and a supporting tool kit) has been developed in a Self-assessment Guide to support completion of a simplified assessment approach.
• This approach can be used to perform a less rigorous status assessment, perhaps to determine problem or issue areas for internal discussion or for targeting a formal future 15504-compliant assessment.
• This approach is aligned with the formal approach but does not require evidence collection. It is a good way to learn initially about the programme.
Assessment Overview
[Figure: Process Assessment Model and Assessment Process. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Process Reference Model (PRM)
• The COBIT process reference model (PRM) is defined in the Process Assessment Model publication.
• The PRM content is directly based on COBIT 5: Enabling Processes content, with adjustments only made to reflect ISO/IEC 15504 terminology as necessary.
• Process domain and scope, purpose and outcomes are defined for each of the 37 COBIT 5 processes.
Assessment Overview
[Figure: assessment overview. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Measurement Framework
• The COBIT assessment process measures the extent to which a given process achieves specific attributes relative to that process—‘process attributes.’
• The COBIT assessment process defines nine process attributes (based on ISO/IEC 15504-2):
  • PA 1.1 Process performance
  • PA 2.1 Performance management
  • PA 2.2 Work product management
  • PA 3.1 Process definition
  • PA 3.2 Process deployment
  • PA 4.1 Process measurement
  • PA 4.2 Process control
  • PA 5.1 Process innovation
  • PA 5.2 Continuous optimisation
Process Capability Levels
Level 5 Optimizing process (PA 5.1 Process innovation attribute; PA 5.2 Process optimization attribute)
  Optimizing: The process is continuously improved to meet relevant current and projected business goals.
Level 4 Predictable process (PA 4.1 Process measurement attribute; PA 4.2 Process control attribute)
  Predictable: The process is enacted consistently within defined limits.
Level 3 Established process (PA 3.1 Process definition attribute; PA 3.2 Process deployment attribute)
  Established: A defined process is used based on a standard process.
Level 2 Managed process (PA 2.1 Performance management attribute; PA 2.2 Work product management attribute)
  Managed: The process is managed and work products are established, controlled and maintained.
Level 1 Performed process (PA 1.1 Process performance attribute)
  Performed: The process is implemented and achieves its process purpose.
Level 0 Incomplete process
  Incomplete: The process is not implemented or fails to achieve its purpose.
Process Attributes (example)
• PA 1.1 Process performance
  • The process performance attribute is a measure of the extent to which the process purpose is achieved.
  • As a result of full achievement of this attribute, the process achieves its defined outcomes.
Process Attributes (example)
• PA 2.1 Performance management
  • A measure of the extent to which the performance of the process is managed. As a result of full achievement of this attribute:
    a. Objectives for the performance of the process are identified.
    b. Performance of the process is planned and monitored.
    c. Performance of the process is adjusted to meet plans.
    d. Responsibilities and authorities for performing the process are defined, assigned and communicated.
    e. Resources and information necessary for performing the process are identified, made available, allocated and used.
    f. Interfaces between the involved parties are managed to ensure effective communication and clear assignment of responsibility.
• PA 2.2 Work product management
  • A measure of the extent to which the work products produced by the process are appropriately managed. As a result of full achievement of this attribute:
    a. Requirements for the work products of the process are defined.
    b. Requirements for documentation and control of the work products are defined.
    c. Work products are appropriately identified, documented and controlled.
    d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.
Process Attribute Rating Scale
• The COBIT assessment process measures the extent to which a given process achieves the ‘process attributes’:
  N  Not achieved (0 to 15% achievement): There is little or no evidence of achievement of the defined attribute in the assessed process.
  P  Partially achieved (>15% to 50% achievement): There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.
  L  Largely achieved (>50% to 85% achievement): There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.
  F  Fully achieved (>85% to 100% achievement): There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.
Process Attribute Ratings and Capability Levels
Rating required for each process attribute to reach a given capability level (Level 0 - Incomplete requires no attribute rating):

Process attribute                Level 1   Level 2   Level 3   Level 4   Level 5
                                 Performed Managed   Established Predictable Optimizing
PA 1.1 Process performance       L/F       F         F         F         F
PA 2.1 Performance management              L/F       F         F         F
PA 2.2 Work product management             L/F       F         F         F
PA 3.1 Definition                                    L/F       F         F
PA 3.2 Deployment                                    L/F       F         F
PA 4.1 Measurement                                             L/F       F
PA 4.2 Control                                                 L/F       F
PA 5.1 Innovation                                                        L/F
PA 5.2 Optimization                                                      L/F

L/F = Largely or Fully; F = Fully
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
COBIT Assessment Process Overview
[Figure: COBIT assessment process overview. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Process Capability Levels and Attributes
[Figure: process capability levels and attributes, ISO alongside COBIT 5. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Process Attribute Rating
• Assessment indicators in the PAM are used to support the assessors’ judgement in rating process attributes:
  • They provide the basis for repeatability across assessments.
• A rating is assigned based on objective, validated evidence for each process attribute.
• Traceability needs to be maintained between an attribute rating and the objective evidence used in determining that rating.
Overview
[Figure: overview. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Assessment Process Activities
1 Initiation
2 Planning the assessment
3 Briefing
4 Data collection
5 Data validation
6 Process attributes rating
7 Reporting the results
1. Initiation
• Identify the sponsor and define the purpose of the assessment:
  • Why is it being carried out?
• Define the scope of the assessment:
  • Which processes are being assessed?
  • What constraints, if any, apply to the assessment?
• Identify any additional information that needs to be gathered.
• Select the assessment participants and the assessment team, and define the roles of team members.
• Define assessment inputs and outputs:
  • Have them approved by the sponsor.
2. Planning the Assessment
• An assessment plan describing all activities performed in conducting the assessment:
  • Is developed
  • Is documented
  • Contains an assessment schedule
• Identify the project scope.
• Secure the necessary resources to perform the assessment.
• Determine the method of collating, reviewing, validating and documenting the information required for the assessment.
• Co-ordinate assessment activities with the organisational unit being assessed.
3. Briefing
• The assessment team leader ensures that the assessment team understands the assessment:
  • Input
  • Process
  • Output
• Brief the organisational unit on the performance of the assessment:
  • PAM, assessment scope, scheduling, constraints, roles and responsibilities, resource requirements, etc.
4. Data Collection
• The assessor obtains (and documents) an understanding of the process(es), including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment.
• Data required for evaluating the processes within the scope of the assessment are collected in a systematic manner.
• The strategy and techniques for the selection, collection and analysis of data and justification of the ratings are explicitly identified and demonstrable.
• Each process identified in the assessment scope is assessed on the basis of objective evidence:
  - The objective evidence gathered for each attribute of each process assessed must be sufficient to meet the assessment purpose and scope.
  - Objective evidence that supports the assessors’ judgement of process attribute ratings is recorded and maintained in the assessment record:
    • This record provides evidence to substantiate the ratings and to verify compliance with the requirements.
5. Data Validation
• Actions are taken to ensure that the data are accurate and sufficiently cover the assessment scope, including:
  • Seeking information from firsthand, independent sources
  • Using past assessment results
  • Holding feedback sessions to validate the information collected
• Some data validation may occur as the data is being collected.
6. Process Attribute Rating
• For each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope.
• The rating is based on data validated in the previous activity.
• Traceability must be maintained between the objective evidence collected and the process attribute ratings assigned.
• For each process attribute rated, the relationship between the indicators and the objective evidence is recorded.
7. Reporting the Results
• The results of the assessment are analysed and presented in a report.
• The report also covers any key issues raised during the assessment, such as:
  • Observed areas of strength and weakness
  • Findings of high risk, i.e., magnitude of gap between assessed capability and desired/required capability
Target Process Capabilities (example)
[Table: for Process A, Process B and Process C, a Target Capability row and an Assessed row across Level 1 (PA 1.1), Level 2 (PA 2.1, PA 2.2) and Level 3 (PA 3.1, PA 3.2); assessed cells hold L or F ratings.]
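As an added worked example (not from the ISACA materials), the following Python implements the rating scale of the Process Attribute Rating Scale slide, the capability level rule of the Process Attribute Ratings and Capability Levels slide, and the target-versus-assessed gap of the Target Process Capabilities slide. The process names and ratings are constructed sample data, not the slide's own figures.

```python
from typing import Dict

# Process attributes per capability level (Process Capability Levels slide).
LEVEL_ATTRIBUTES = {1: ("PA 1.1",), 2: ("PA 2.1", "PA 2.2"), 3: ("PA 3.1", "PA 3.2"),
                    4: ("PA 4.1", "PA 4.2"), 5: ("PA 5.1", "PA 5.2")}

def rate(achievement_pct: float) -> str:
    """Rating scale: N 0-15%, P >15-50%, L >50-85%, F >85-100%."""
    if not 0 <= achievement_pct <= 100:
        raise ValueError("achievement must be between 0 and 100")
    for letter, upper in (("N", 15), ("P", 50), ("L", 85)):
        if achievement_pct <= upper:
            return letter
    return "F"

def capability_level(ratings: Dict[str, str], max_level: int = 5) -> int:
    """Level N is reached when its own attributes are rated L or F and every
    attribute of levels 1..N-1 is rated F. Unrated attributes count as N."""
    achieved = 0
    for level in range(1, max_level + 1):
        own_ok = all(ratings.get(pa, "N") in ("L", "F") for pa in LEVEL_ATTRIBUTES[level])
        lower_ok = all(ratings.get(pa, "N") == "F"
                       for low in range(1, level) for pa in LEVEL_ATTRIBUTES[low])
        if not (own_ok and lower_ok):
            break          # a failed level blocks all higher levels
        achieved = level
    return achieved

def capability_gap(ratings: Dict[str, str], target_level: int) -> int:
    """Shortfall between target and assessed capability. Attributes are rated
    only up to the target level, the highest level in the assessment scope."""
    return target_level - capability_level(ratings, max_level=target_level)

# Constructed sample ratings, not the slide's data; every target is level 3.
SAMPLE = {
    "Process A": {"PA 1.1": "L"},
    "Process B": {"PA 1.1": "F", "PA 2.1": "L", "PA 2.2": "F", "PA 3.1": "L", "PA 3.2": "L"},
    "Process C": {"PA 1.1": "F", "PA 2.1": "F", "PA 2.2": "F", "PA 3.1": "L", "PA 3.2": "F"},
}

if __name__ == "__main__":
    for name, ratings in SAMPLE.items():
        print(f"{name}: assessed level {capability_level(ratings, 3)}, "
              f"gap to target 3 = {capability_gap(ratings, 3)}")
```

Process B illustrates the rule's bite: its Level 3 attributes are both L, but PA 2.1 is only L, so the assessed level is 2 and the gap to target is 1.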
Consequence of Capability Gaps
[Figure: Consequence of Gaps at Various Capability Levels. This figure is reproduced from ISO 15504-4 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Capability Gaps and Risk
[Figure: Risk Associated With Each Capability Level. This figure is reproduced from ISO 15504-4 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Assessor roles and competencies
• COBIT process assessment roles:
  • Lead assessor—a ‘competent’ assessor responsible for overseeing the assessment activities
  • Assessor—an individual, developing assessor competencies, who performs the assessment activities
• Assessor competencies:
  • Knowledge, skills and experience:
    • With the process reference model; process assessment model, methods and tools; and rating processes
    • With the processes/domains being assessed
  • Personal attributes that contribute to effective performance
Assessor training and certification opportunities
• Accredited training organizations (ATOs) deliver the COBIT Assurance training course to candidates who have obtained the COBIT 5 Foundation certification.
• ISACA has established a Certified COBIT Assessor certification, to allow appropriately trained and experienced assessors to be able to demonstrate their competence to assessment project sponsors, www.isaca.org/COBIT/Pages/COBIT-5-CertifiedAssessor-Program.aspx
Goodbye and thank you . . .
COBIT Assessment Programme:
www.isaca.org/cobit-assessment-programme
Contact Information:
research@isaca.org