INFORMATION TECHNOLOGY FLASH REPORT

ISACA Releases COBIT 5: Updated Framework for the Governance and Management of IT

May 18, 2012

In April, ISACA released COBIT 5 as a replacement for its current globally accepted business framework, COBIT 4.1. COBIT has gained broad acceptance and has been used widely over the last 15 years to provide guidance on the governance and management of IT to users in business, IT, risk, security and assurance functions. It continues to be recognized as a leading framework for the design and evaluation of IT governance processes and controls.

Several business-related events and failures over the last decade, many on a global scale, have heightened the focus on governance as stakeholder expectations have evolved. There has been greater attention to risk and risk-based approaches, increased reliance on new and more complex technologies, the introduction of more complex organizational structures (including outsourcing), constant change in regulatory requirements, and rising security threats. Organizations that have survived the challenges of the last decade have demonstrated the importance of good governance, which is now at the top of the agenda at all levels of the enterprise.

Drivers for Change

Organizations operating in today’s challenging and dynamic business environment have driven the need for this change. Stakeholders require a better understanding of how IT investments create value for the organization. Business users are demanding improved engagement for IT services, and there is an ever-increasing demand for compliance with relevant laws, regulations and policies. Other drivers cited by ISACA in its release of COBIT 5 include:

• The requirement to help stakeholders better understand how various frameworks, good practices and standards are positioned relative to each other, how they can be used together and how they can augment each other.
• A need to ensure that the scope covers the full end-to-end business and IT functional responsibilities, as well as all aspects that lead to effective governance and management of enterprise IT – such as organizational structures, policies and culture – over and above the processes themselves. This is especially important given the increasing pervasiveness of IT, and it helps increase transparency.

• A need to provide further guidance in areas of high interest, such as enterprise architecture, asset and service management, and management of IT innovation and emerging technologies.

• A need to link together and reinforce all major ISACA research, frameworks and guidance, with a primary focus on COBIT, Val IT and Risk IT, but also considering, amongst others, the Business Model for Information Security (BMIS), the Information Technology Assurance Framework (ITAF), Board Briefing on IT Governance, and Taking Governance Forward.

• A need to connect to – and, where relevant, align with – other major frameworks and standards, such as the Information Technology Infrastructure Library (ITIL®), The Open Group Architecture Framework (TOGAF), the Project Management Body of Knowledge (PMBOK), PRojects IN Controlled Environments 2 (PRINCE2) and the International Organization for Standardization (ISO) standards.

• Recognition that many current and potential users wish to focus on specific topics and find it difficult to navigate current material and identify the content that will satisfy their requirements. There is also a general need to improve ease of use and navigation, and to bring consistency to the concepts, terminology and level of detail provided by ISACA.

What has changed for COBIT 5?

ISACA has revisited and restructured the COBIT framework design to ensure complete coverage of all major aspects of the governance and management of enterprise IT. Five new governance processes are introduced in the updated framework, which builds on and expands COBIT 4.1.
Other major frameworks, standards and resources are now integrated into COBIT 5, including ISACA’s Val IT and Risk IT, the Information Technology Infrastructure Library (ITIL®), TOGAF and ISO/IEC 27001. The intention of COBIT 5 is to provide a full enterprise-level view of business practices that reflects the now pervasive, enterprisewide nature of IT use. To achieve this, the process reference model of COBIT 4.1 has been revised, and a new governance domain has been introduced together with several new and amended processes. COBIT 5 also makes the IT involvement, responsibilities and accountability of business stakeholders more explicit and transparent. ISACA believes the new framework will help enterprises achieve strategic goals and operational efficiency by maintaining high-quality, low-risk information technology services.

ISACA has produced a detailed document comparing COBIT 5 with COBIT 4.1 that identifies nine major differences. [1] That document forms the basis of the following summary.

[1] To view the full document or request a copy of this comparison (Comparing COBIT 4.1 with COBIT 5.0), visit the ISACA website: http://www.isaca.org/COBIT/Documents/COBIT5-Compare-With-4.1.ppt.

The new framework is based on five key principles:

1. A focus on meeting stakeholder needs – COBIT 5 includes new guidance on the processes and enablers required to support business value creation through the use of IT. The focus on “Stakeholder Needs” emphasizes the need to maintain a balance between benefits realization and the optimization of risk and resources. COBIT 5 provides an approach that can be tailored to the needs of an enterprise through a revised goals cascade, which translates high-level enterprise goals into specific IT-related goals that can be mapped to specific processes and principles for implementation. The revised goals cascade is based on enterprise goals driving IT-related goals, which in turn drive the critical processes.
Example goals and metrics at the enterprise, process and management practice levels are provided to help management assess whether goal alignment has been achieved.

2. Covering the enterprise end-to-end – COBIT 5 follows the same goal and metric concepts as COBIT 4.1 but integrates the governance of enterprise IT into enterprise governance. The updated framework integrates and updates the previous content into a new model with an enterprise-level view that makes it easier for users to understand, and hence implement, improvements. Information and related technologies are treated as assets that need to be managed by all users, covering all functions and processes within an enterprise, not just those specific to the IT function. COBIT 5’s revised process reference model subdivides the IT elements of an enterprise into two principal domains – Governance and Management – that now cover enterprise business and IT activities end-to-end. As with the former framework, this model can be used as a guide for adjusting the enterprise’s own process model. Additionally, COBIT 5 provides more robust guidance on the inputs and outputs required for each management practice, whereas COBIT 4.1 provided inputs and outputs only at the highest (process) level. This assists with inter-process integration by giving process designers the essential work products each practice consumes and produces. As a result, COBIT 5 can be more exhaustive than its predecessor.

3. Applying a single integrated framework – The number of organizations that use or rely on technology has grown substantially since the release of COBIT 4.1, as has the extent to which technology is used across the enterprise. During this time, many IT-related standards and good-practice frameworks have been developed that provide guidance on a range of IT activities.
The updated framework aligns with other relevant standards and frameworks at a high level and can therefore be used as an overarching framework for the governance and management of IT across the enterprise. COBIT 5 “activities” are equivalent to the COBIT 4.1 “control practices” and the Val IT and Risk IT management practices. These practices have been aligned, integrated and updated into a single model that makes it easier for users to understand and apply the material when implementing improvements. Additionally, several new and modified processes have been added, including innovation, organizational change enablement, security services and managing assets, to name a few.

4. Enabling a holistic approach – The new framework places increased emphasis on “Enablers,” which help to achieve the objectives of the enterprise. Elements that were explicitly or implicitly included in COBIT 4.1 have been brought to the fore in COBIT 5 and rebranded. A set of seven enablers is designed to support the implementation of a more holistic governance and management system for enterprise IT. These are: [2]

a. Processes
b. Principles, Policies and Frameworks
c. Organizational Structures
d. People, Skills and Competencies
e. Culture, Ethics and Behavior
f. Services, Infrastructure and Applications
g. Information

[2] http://www.isaca.org/About-ISACA/Press-room/News-Releases/2012/Pages/ISACA-Issues-COBIT-5-GovernanceFramework.aspx.

5. Separating governance from management – The new framework provides an expanded discussion of governance relating to the board of directors, the needs of stakeholders, and the balance with enterprise direction and objectives. It also draws a key distinction between the governance and the management of IT, clearly separating responsibility at the board and executive management levels and describing the different organizational structures and activities required at each level.
Other changes

The updated framework also provides a more complete RACI (Responsible, Accountable, Consulted and/or Informed) chart to help clarify responsibility, with a more complete, detailed and clearer range of generic business and IT role players than COBIT 4.1. This enables better definition of each role player’s responsibilities or level of involvement when designing and implementing processes.

COBIT 5 discontinues the capability maturity model (CMM) approach used by COBIT 4.1, Val IT and Risk IT. A new process capability assessment approach, based on ISO/IEC 15504 and the COBIT Assessment Program (a COBIT-based approach that enables the evaluation of selected IT processes and can be used to help determine process capability), has been established for COBIT 5 as an alternative to the CMM approach. ISACA considers this approach to be more robust, reliable and repeatable as a process capability assessment method. COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Program approach will need to realign their previous ratings, adopt the new method and initiate a new set of assessments in order to gain its benefits.

Summary

Executives reviewing the governance and management of enterprise IT are advised to review the new COBIT framework and consider its application to their organizations. To request your copy of COBIT 5 or obtain additional information, visit ISACA’s website: http://www.isaca.org/COBIT.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

Contacts

David Brand
+1.312.476.6401
david.brand@protiviti.com

James Armetta
+1.212.399.8606
james.armetta@protiviti.com

Michael Thor
+1.312.476.6400
michael.thor@protiviti.com

Anthony Samer
+1.415.402.3627
anthony.samer@protiviti.com

© 2012 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.