INFORMATION TECHNOLOGY FLASH REPORT
ISACA Releases COBIT 5: Updated Framework for the
Governance and Management of IT
May 18, 2012
In April, ISACA released COBIT 5 as a replacement for its current globally accepted business
framework, COBIT 4.1. This framework has gained broad acceptance and has been used
widely over the last 15 years to provide guidance on the governance and management of IT to
users from business, IT, risk, security and assurance functions. COBIT continues to be
recognized as a leading framework for purposes of providing guidance on the design and
evaluation of IT governance processes and controls.
Several business-related events and failures over the last decade, many on a global scale, have
heightened the focus on governance as stakeholder expectations have evolved. There has
been greater attention to risk and risk-based approaches, increased reliance on new and more
complex technologies, the introduction of more complex organizational structures (including
outsourcing), constant changes in regulatory requirements, and rising security threats.
Successful organizations that have survived the challenges of the last decade have
demonstrated the importance of good governance, which has moved this to the top of the
agenda at all levels of the enterprise.
Drivers for Change
Organizations operating in today’s challenging and dynamic business environment have driven
the need for this change. Stakeholders require an increased understanding of how IT
investments create value for the organization. Business users are demanding improved
engagement for IT services and there is an ever-increasing demand for compliance with
relevant laws, regulations and policies.
Other drivers cited by ISACA in its release of COBIT 5 include:
•
The requirement to help stakeholders better understand how various frameworks, good
practices and standards are positioned relative to each other and how they can be used
together and could augment each other.
•
A need to ensure that the scope covers the full end-to-end business and IT functional
responsibilities, as well as a need to cover all aspects that lead to effective governance
and management of enterprise IT – such as organizational structures, policies and
culture – over and above the current processes. This is especially important given the
increasing pervasiveness of IT and helps increase transparency.
•
A need to provide further guidance in areas of high interest, such as enterprise
architecture, asset and service management, management of IT innovation and
emerging technologies.
•
A need to link together and reinforce all major ISACA research, frameworks and
guidance, with a primary focus on COBIT, Val IT and Risk IT, but also considering,
amongst others, Business Model for Information Security (BMIS), Information
Technology Assurance Framework (ITAF), Board Briefing on IT Governance, and Taking
Governance Forward.
•
A need to connect to – and, where relevant, align with – other major frameworks and
standards, such as Information Technology Infrastructure Library (ITIL®), The Open
Group Architecture Forum (TOGAF), Project Management Body of Knowledge
(PMBOK), PRojects IN Controlled Environments 2 (PRINCE2) and the International
Organization for Standardization (ISO) standards.
•
Recognition that there are many current and potential users who wish to focus on
specific topics, and who find it difficult to navigate current material and identify content
that will satisfy their requirements. There is also a general need to improve ease of use
and navigation and to bring consistency in concepts, terminology and the level of detail
provided by ISACA.
What has changed for COBIT 5?
ISACA has revisited and restructured the COBIT framework design to ensure complete
coverage for all major aspects related to the governance and management of enterprise IT. Five
new governance processes are introduced in the updated framework, which builds and expands
on COBIT 4.1. Other major frameworks, standards and resources are now integrated into
COBIT 5, including ISACA’s Val IT and Risk IT, the Information Technology Infrastructure
Library (ITIL®), TOGAF and ISO/IEC 27001.
The intention of COBIT 5 is to provide a full enterprise-level view of business practices that
actively reflects the current pervasive enterprisewide nature of IT use. To achieve this, the
process reference model outlined in COBIT 4.1 has been revised and a new governance
domain has been introduced together with several new and amended processes. COBIT 5 also
makes more explicit and transparent the IT involvement, responsibilities and accountability of
business stakeholders.
ISACA believes this new framework will help enterprises achieve strategic goals and operational
efficiency through maintaining high-quality and low-risk information technology services.
ISACA has produced a detailed document comparing COBIT 5 with COBIT 4.1 that identifies
nine of the major differences. This forms the basis of the following summary. 1
The new framework is based on five key principles:
1. A focus on meeting stakeholder needs – COBIT 5 includes new guidance on the
required processes and enablers to support business value creation through the use of
IT. The focus on “Stakeholder Needs” emphasizes the need to maintain balance
between benefits realization and the optimization of risk and resources. COBIT 5
1
To view the full document or request a copy of this comparison document (Comparing COBIT 4.1 with COBIT 5.0),
visit the ISACA website: http://www.isaca.org/COBIT/Documents/COBIT5-Compare-With-4.1.ppt.
Protiviti | 2
provides an approach that can be tailored to suit the needs of an enterprise through a
revised goals cascade, which interprets high-level enterprise goals into specified ITrelated goals that can be mapped to specific processes and principles for
implementation. The revised goals cascade is based on enterprise goals driving ITrelated goals and critical processes. Example goals and metrics at the enterprise,
process and management practice levels are provided to assist management with
assessing whether alignment of goals has been achieved.
2. Covering the enterprise end-to-end – COBIT 5 follows the same goal and metric
concepts as COBIT 4.1 but integrates the governance of enterprise IT into enterprise
governance. The updated framework integrates and updates the previous content into a
new model with an enterprise-level view that makes it easier for users to understand,
and hence implement, improvement. Information and related technologies are treated as
assets that need to be managed by all users and cover all functions and processes
within an enterprise, not just those specific to an IT function. COBIT 5’s revised process
reference model subdivides the IT elements of an enterprise into two principle domains –
Governance and Management – that now cover enterprise business and IT activities
end-to-end. As with the former framework, this model can be used as a guide for
adjusting the enterprise’s own process model. Additionally, COBIT 5 provides more
robust guidance for management pertaining to the inputs and outputs required to
develop good practice management standards, while COBIT 4.1 only provided inputs
and outputs at the highest level. This assists with inter-process integration by providing
additional detailed guidance for designing processes that include essential work
products. As a result, COBIT 5 can be more exhaustive than its predecessor.
3. Applying a single integrated framework – The number of organizations that use or
rely on technology has grown substantially since the release of COBIT 4.1, as has the
extent to which technology is used across the enterprise. During this time, there have
been many IT-related standards and good practice frameworks developed that provide
guidance on a range of IT activities. The updated framework aligns with other relevant
standards and frameworks at a high level and can therefore be used as an overarching
framework for the governance and management of IT across the enterprise. COBIT 5
“activities” are equivalent to the COBIT 4.1 “control practices” and Val IT and Risk IT
management practices. These practices have been aligned, integrated and updated into
a single model that makes it easier for users to understand and use the material when
implementing improvements. Additionally, several new and modified processes have
been added, including innovation, organizational change enablement, security services
and managing assets, to name a few.
4. Enabling a holistic approach – The new framework emphasizes an increased focus on
“Enablers,” which help to achieve the objectives of the enterprise. Processes that were
explicitly or implicitly included in COBIT 4.1 have been brought to the fore with COBIT 5
and rebranded. A set of seven enablers is designed to support the implementation of a
more holistic governance and management system for enterprise IT. These are: 2
a.
b.
c.
d.
e.
Processes
Principles, Policies and Frameworks
Organizational Structures
People, Skills and Competencies
Culture, Ethics and Behavior
2
http://www.isaca.org/About-ISACA/Press-room/News-Releases/2012/Pages/ISACA-Issues-COBIT-5-GovernanceFramework.aspx.
Protiviti | 3
f. Services, Infrastructure and Applications
g. Information
5. Separating governance from management – The new framework provides an
expanded discussion on governance relating to the board of directors, the needs of
stakeholders, and the balance with enterprise direction and objectives. It also provides a
key distinction between governance and management of IT, clearly separating the
responsibility at the board and executive management levels and describing different
types of organizational structures and activities required at each level.
Other changes
The updated framework also details a more complete RACI (Responsible, Accountable,
Consulted and/or Informed) chart to help clarify responsibility and provides a more complete,
detailed and clearer range of generic business and IT role players and charts than COBIT 4.1.
This enables better definition of role player responsibilities or level of involvement when
designing and implementing processes.
COBIT 5 discontinues the capability maturity modeling (CMM) approach (as used by COBIT 4.1,
Val IT and Risk IT). A new process capability assessment approach, based on ISO/IEC and the
COBIT Assessment Program (a COBIT-based approach that enables the evaluation of selected
IT processes and can be used to help determine process capability), has already been
established for COBIT 5 as an alternative to the CMM approach. This approach is considered
by ISACA to be more robust, reliable and repeatable as a process capability assessment
method.
COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Program
approach will need to realign their previous ratings, adopt the new method and initiate a new set
of assessments in order to gain the benefits of the new approach.
Summary
Executives reviewing the governance and management of enterprise IT are advised to review
the new COBIT framework and consider its application to their organizations. To request your
copy of COBIT 5 or obtain additional information, please visit ISACA’s website:
http://www.isaca.org/COBIT.
Protiviti | 4
About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in
finance, technology, operations, governance, risk and internal audit. Through our network of
more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE®
1000 and Global 500 companies. We also work with smaller, growing companies, including
those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in
1948, Robert Half International is a member of the S&P 500 index.
Contacts
David Brand
+1.312.476.6401
david.brand@protiviti.com
James Armetta
+1.212.399.8606
james.armetta@protiviti.com
Michael Thor
+1.312.476.6400
michael.thor@protiviti.com
Anthony Samer
+1.415.402.3627
anthony.samer@protiviti.com
© 2012 Protiviti Inc. An Equal Opportunity Employer.
Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services.