COBIT® 5 Frequently Asked Questions (FAQs) 1. What is the purpose of COBIT 5? COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise information and technology assets (IT). Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end‐to‐end business and IT functional areas of responsibility, considering the IT‐related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not‐for‐ profit or in the public sector. 2. Who is using COBIT 5? COBIT 5 is used globally by those who have the primary responsibility for business processes and technology, depend on technology for relevant and reliable information, and provide quality, reliability and control of information and related technology. 3. Where are the control objectives in COBIT 5? Based on five principles and seven enablers, COBIT 5 uses governance and management practices to describe actions that are examples of good practices to effect governance and management over enterprise IT. Many of these practices and the supporting activities exert ‘control’ over the process to deliver the required outcome. The move from the ‘control objectives’ term was explained in an ISACA® Journal article (volume 4, 2011) written by one of COBIT’s first contributors, Erik Guldentops. The article can be found at this link ’Where Have All The Control Objectives Gone?’ (www.isaca.org/Journal/Past-Issues/2011/volume-4/ pages/Where-Have-All-the-Control-Objectives-Gone.aspx)? 4. Are there other major differences between COBIT 4.1 and COBIT 5? Yes, the framework design for COBIT 5 was revisited and restructured to ensure complete coverage for all major aspects related to the governance and management of enterprise IT. ISACA has prepared a presentation that outlines the main changes introduced. The presentation can be found at this link ’Compare COBIT versions 4.1 to 5’. 5. What is the overall quality of COBIT 5, and were any industry professionals part of the expert review? To assure the high quality of COBIT 5, several measures were taken. The most important measures are: • The entire research process was overseen by both ISACA’s Knowledge Board and Framework Committee, which are responsible for overseeing all ISACA framework research development. • The detailed research results and deliverables were quality‐controlled throughout the development process by a dedicated task force of experienced volunteer professionals. • A draft design document was issued for public exposure, and the feedback was integrated into the development work to produce the final COBIT 5 products. Before being issued, the draft • • development products were distributed to more than 100 subject matter experts around the world to obtain their professional review. Once ready, draft versions of COBIT 5 and COBIT® 5: Enabling Processes were made available to the public for review. Many good comments were received, suggesting further improvements for consideration. Survey questions concerning the level of satisfaction of the work at the draft stage were included in the public exposure activity, with 79 percent of the responses being positive. Based on the review comments, the development team made changes as appropriate. The final product was reviewed by COBIT 5 Task Force members, the Framework Committee and the Knowledge Board. 6. Can I use COBIT 5 as a statement of criteria for specific audit conclusions? There are additional professional guides planned that will extend COBIT 5. Amongst these is COBIT 5 for Assurance. This will serve as the guide for assurance professionals wanting to use COBIT 5 in their work. Once complete, COBIT 5 for Assurance will provide comprehensive guidance on using COBIT 5 to support assurance activities. The completion of this guide is planned for 2013. 7. What training is available for the use of COBIT 5? ISACA is developing an education and training portfolio to support COBIT 5. As training is developed, ISACA will communicate news via appropriate media, including the Education & Training page in the COBIT 5 area of the ISACA web site. 8. In what way can I suggest to executive management that it use COBIT 5? Because COBIT is business‐oriented, using it to deliver value and govern and manage IT‐related business risk is straightforward. The COBIT 5 two‐page executive summary and supporting short presentation can be used in the discussion with management. The goals cascade in the framework can be used to: • Determine stakeholder needs and governance objectives (value creation) • Identify enterprise goals that can support stakeholder needs. If the balanced scorecard (BSC) is used to develop these goals, then a common set of terms can be used to communicate the goals. Enterprise goals from the BSC are reproduced in figure 5 on page 19 of COBIT 5. • Select IT‐related goals (for each enterprise goal) that will facilitate the achievement of the goals. IT‐related goals can be found in figure 6 on page 19 of COBIT 5. • Achieve IT‐related goals. This requires the successful application and use of enablers. The framework describes enablers in detail in chapter 5. One of the enablers, processes, is treated separately in the COBIT 5: Enabling Processes publication. • Present the proposed set of needs, goals and enablers to executive management as a means of delivering effective governance and management of IT‐related technology 9. Is the COBIT 5 framework superior to the other standards and frameworks such as the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 series and Information Technology Infrastructure Library (ITIL®)? Most enterprise stakeholders and executive management are aware of the importance of the general control frameworks with respect to their fiduciary responsibility, such as Committee of Sponsoring Organizations of the Treadway Commission (COSO), Code of Connection (CoCo), the UK Corporate Governance Code, King III, etc.; however, enterprise stakeholders and executive management may not necessarily be aware of the details of each framework. In addition, enterprise managers are increasingly aware of the more technical security guidance, such as the ISO/IEC 27000 series, and service delivery guidance, such as ITIL. Although the aforementioned standard and framework emphasise business control and IT security and service management and delivery issues in specific areas of enterprise IT‐related activity, only COBIT 5 integrates all functions and processes that establish the governance of enterprise IT (GEIT) into overall enterprise governance and from a business perspective. It should be noted that ISO/IEC 15504 and ITIL V3 were used to develop the governance and management practices. COBIT 5 is not meant to replace any of these frameworks or standards. It is intended to emphasise what governance and management elements and practices are required to create value from information and technology in support of enterprise business goals. 10. What is the quickest and best way to convince key executives and other enterprise stakeholders of the value of using COBIT 5? The enterprise’s culture is vitally important. A proactive culture will be more receptive than one that is not proactive; however, consider emphasizing COBIT’s focus on stakeholder value creation, it being business driven, its alignment with other internationally recognised standards and frameworks, and its simple, but complete, structure. COBIT 5 is based on five principles and seven enablers. All other governance and management guidance in COBIT 5 cascade from these basic areas. 11. Has the COBIT 5 framework been accepted by C‐level executives? Yes, previous versions of COBIT have been accepted in many enterprises globally, and new cases continue to be documented. However, it should not be a surprise that in those entities where the chief information officer (CIO) has embraced COBIT as a business framework for information and technology, this has come as a direct consequence of one or more COBIT champions within the audit and/or IT function(s). Even more important than acceptance by the CIO is acceptance by the board of directors and executive management. Successful implementation of governance and management of enterprise IT using COBIT depends greatly on the commitment of the executive management team as a whole. The CIO alone cannot implement COBIT 5 effectively throughout the enterprise because there are implications for many areas of the enterprise outside of the IT function. The emphasis on value creation and alignment of stakeholder needs, enterprise goals, and IT‐related goals will ensure that COBIT 5 is seen as a business framework. 12. How is COBIT 5 aligned with the international standard on IT governance, ISO/IEC 38500? COBIT 5 clearly differentiates between the key areas of governance and management. In alignment with ISO/IEC 38500, COBIT 5 presents governance in terms of Evaluate, Direct and Monitor. These terms come directly from the standard’s ’Model for Corporate Governance of IT’. 13. Do I need to meet an exact level when assessing a process using COBIT's process assessment models? The main purpose of the COBIT assessment programme (the programme web site can be found at this link ‘COBIT Assessment Programme’) is to give management a robust, reliable, repeatable approach and supporting tools to better understand the current capability of their governance and management processes, and to help management do benchmarking, gap analysis and process improvement planning. The assessment objective is to understand the level of capability that is present and the level that is appropriate for a given process, based on business requirements, and to understand the nature of any gaps so that any significant weaknesses in the process can be identified and improved. 14. What does COBIT stand for? COBIT was originally an acronym for Control Objectives for Information and related Technology. Now used in short form, COBIT is used to identify the name of the framework. 15. Why is COBIT 5 presented in international English? Starting with the first COBIT (1996), a conscious effort was made to use international English to underscore the global nature of the sources that went into its development (the international standards and frameworks used as references) and the global application of the resulting COBIT. Over the years, this approach has been questioned and challenged from time to time, but it has remained in place and all COBIT derivative products follow this rule as well.