COBIT 5 for Information Security

COBIT 5 Product Family
• COBIT® 5
• COBIT 5 Enabler Guides: COBIT® 5: Enabling Processes; COBIT® 5: Enabling Information; Other Enabler Guides
• COBIT 5 Professional Guides: COBIT® 5 Implementation; COBIT® 5 for Information Security; COBIT® 5 for Assurance; COBIT® 5 for Risk; Other Professional Guides
• COBIT 5 Online Collaborative Environment
Source: COBIT 5 for Information Security, figure 1

COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
Source: COBIT 5, figure 2

3701 Algonquin Road, Suite 1010 • Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545 • Fax: +1.847.253.1443 • Email: info@isaca.org
Web site: www.isaca.org
©2013 ISACA. All rights reserved.

COBIT 5 Goals Cascade Overview
Stakeholder Drivers (Environment, Technology Evolution, …)
  influence
Stakeholder Needs: Benefits Realisation, Risk Optimisation, Resource Optimisation
  cascade to
Enterprise Goals
  cascade to
IT-related Goals
  cascade to
Enabler Goals
Source: COBIT 5, figure 4

Selected Guidance From the COBIT 5 Family
These charts and figures are elements of COBIT 5 and its supporting guides. This excerpt is available as a complimentary
PDF (www.isaca.org/cobit) and for purchase in hard copy (www.isaca.org/bookstore). It provides an overview of the
COBIT 5 guidance, its five principles and seven enablers. We encourage you to share this document with your enterprise
leaders, team members, clients and/or consultants.
COBIT enables enterprises to maximize the value and minimize the risk related to information, which has become the
currency of the 21st century. COBIT 5 is a comprehensive framework of globally accepted principles, practices, analytical
tools and models that can help any enterprise effectively address critical business issues related to the governance and
management of information and technology. Additional information is available at www.isaca.org/cobit.


Governance and Management in COBIT 5
Governance Objective: Value Creation (Benefits Realisation, Risk Optimisation, Resource Optimisation)
Governance Enablers
Governance Scope
Roles, Activities and Relationships
Source: COBIT 5, figure 8

Key Roles, Activities and Relationships
Roles, Activities and Relationships:
Owners and Stakeholders → (Delegate) → Governing Body → (Set Direction) → Management → (Instruct and Align) → Operations and Execution
Operations and Execution → (Report) → Management → (Monitor) → Governing Body → (Accountable) → Owners and Stakeholders
Source: COBIT 5, figure 9

COBIT 5 Governance and Management Key Areas
Business Needs
Governance: Evaluate, Direct, Monitor
Management Feedback
Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)
Source: COBIT 5, figure 15


Information Security Skills/Competencies
• Information security governance
• Information security strategy formulation
• Information risk management
• Information security architecture development
• Information security operations
• Information assessment and testing and compliance
Source: COBIT 5 for Information Security, Figure 20

Example Stakeholders for Information Security-related Information (Small/Medium Enterprise)

[Table: stakeholders (rows) against information types (columns); the individual A/O/I/U cell values are not recoverable from this extraction]

Information types: Information Security Strategy; Information Security Budget; Information Security Plan; Policies; Information Security Requirements; Awareness Material; Information Security Review Reports; Information Risk Profile; Information Security Dashboard; Information Security Service Catalogue

Stakeholders:
• Internal: Enterprise: Board; Chief executive officer (CEO); Chief financial officer (CFO); Chief information security officer (CISO); Information security steering committee (ISSC); Business process owner; Head of human resources (HR)
• Internal: IT: Chief information officer (CIO)/IT manager; Information security manager (ISM)
• External: Investors; Insurers; Business Partners; Vendors/Suppliers; Regulators; External Auditors

An indication of the nature of the relationship of the stakeholder for each information type:
A—Approver
O—Originator
I—Informed of information type
U—User of information type
Source: COBIT 5 for Information Security, Figure 17


Advantages and Disadvantages of Potential Paths for Information Security Reporting

Chief executive officer (CEO)
Advantages: Information risk is elevated to the highest level in the enterprise.
Disadvantages: Information risk needs to be presented in a format that is understandable to the CEO. Given the multitude of responsibilities of the CEO, information risk might be monitored and managed at too high a level of abstraction or might not be fully understood in its relevant details.

Chief information officer (CIO)
Advantages: Information security issues and solutions can be aligned with all IT initiatives.
Disadvantages: Information risk may not be addressed due to other IT initiatives and deadlines taking precedence over information security. There is a potential conflict of interest. The work performed by information security professionals may be IT-focussed and not information security-focussed. In other words, there may be an insufficient business focus.

Chief financial officer (CFO)
Advantages: Information security issues can be addressed from a financial business impact point of view.
Disadvantages: Information risk may not be addressed due to financial initiatives and deadlines taking precedence over information security. There is a potential conflict of interest.

Chief risk officer (CRO)
Advantages: Information risk is elevated to a position that can also look at risk from strategic, financial, operational, reputational and compliance perspectives.
Disadvantages: This role does not exist in most enterprises. It is most often found in financial service organisations. In enterprises in which a CRO is not present, organisational risk decisions may be decided by the CEO or board of directors.

Chief technology officer (CTO)
Advantages: Information security can be partnered and included in future technology road maps.
Disadvantages: Information risk may not be addressed due to technology directions taking precedence over information security.

Chief operating officer (COO)
Advantages: Information security issues and solutions can be addressed from the standpoint of impact to the business' operations.
Disadvantages: Information risk may not be addressed due to operational initiatives and deadlines taking precedence over information security.

Board of directors (indirect report)
Advantages: Information risk is elevated to the highest level in the enterprise.
Disadvantages: Information risk needs to be presented in a format that is understandable to board members, and hence may become too high-level to be relevant.

Source: COBIT 5 for Information Security, Figure 14

Policy Framework

Input: Mandatory Information Security Standards, Frameworks and Models; Generic Information Security Standards, Frameworks and Models
Information Security Principles
Information Security Policy
Specific Information Security Policies
Information Security Procedures
Information Security Requirements and Documentation
Source: COBIT 5 for Information Security, Figure 10

COBIT 5 Process Reference Model

Processes for Governance of Enterprise IT
Evaluate, Direct and Monitor
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT
Align, Plan and Organise
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security
Build, Acquire and Implement
• BAI01 Manage Programmes and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organisational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration
Deliver, Service and Support
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
Source: COBIT 5, figure 16

COBIT 5 Enterprise Enablers
1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
Resources: enablers 5, 6 and 7
Source: COBIT 5, figure 12

COBIT 5 Enablers: Generic

Enabler Dimension
• Stakeholders: Internal Stakeholders; External Stakeholders
• Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
• Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
• Good Practices: Practices; Work Products (Inputs/Outputs)

Enabler Performance Management
• Are Stakeholder Needs Addressed? Are Enabler Goals Achieved? → Metrics for Achievement of Goals (Lag Indicators)
• Is Life Cycle Managed? Are Good Practices Applied? → Metrics for Application of Practice (Lead Indicators)
Source: COBIT 5, figure 13


The Seven Phases of the Implementation Life Cycle
[Figure: three concentric rings, each divided into the seven phases listed below]

Phase questions:
1 What are the drivers?
2 Where are we now?
3 Where do we want to be?
4 What needs to be done?
5 How do we get there?
6 Did we get there?
7 How do we keep the momentum going?

• Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness
• Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain
• Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate

Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6

Summary of the COBIT 5 Process Capability Model

Capability levels and Generic Process Capability Attributes:
0 Incomplete Process
1 Performed Process: Performance Attribute (PA) 1.1 Process Performance
2 Managed Process: PA 2.1 Performance Management; PA 2.2 Work Product Management
3 Established Process: PA 3.1 Process Definition; PA 3.2 Process Deployment
4 Predictable Process: PA 4.1 Process Management; PA 4.2 Process Control
5 Optimising Process: PA 5.1 Process Innovation; PA 5.2 Process Optimisation

COBIT 5 Process Assessment Model—Performance Indicators: Process Outcomes; Base Practices (Management/Governance Practices); Work Products (Inputs/Outputs)
COBIT 5 Process Assessment Model—Capability Indicators: Generic Practices; Generic Resources; Generic Work Products
Source: COBIT 5, figure 19

Weitere ähnliche Inhalte

Was ist angesagt?

Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementChristian F. Nissen
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.pptEmmacuet
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001technakama
 
Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certificationtschraider
 
IT Strategy Assessment & Optimization - Catallysts Approach
IT Strategy Assessment & Optimization - Catallysts ApproachIT Strategy Assessment & Optimization - Catallysts Approach
IT Strategy Assessment & Optimization - Catallysts ApproachRajanish Dass
 
Data Architecture Strategies
Data Architecture StrategiesData Architecture Strategies
Data Architecture StrategiesDATAVERSITY
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...PECB
 

Was ist angesagt? (20)

Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
 
Cobit 5 - An Overview
Cobit 5 - An OverviewCobit 5 - An Overview
Cobit 5 - An Overview
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
Privacy by design
Privacy by designPrivacy by design
Privacy by design
 
It governance & cobit 5
It governance & cobit 5It governance & cobit 5
It governance & cobit 5
 
Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certification
 
IT Strategy Assessment & Optimization - Catallysts Approach
IT Strategy Assessment & Optimization - Catallysts ApproachIT Strategy Assessment & Optimization - Catallysts Approach
IT Strategy Assessment & Optimization - Catallysts Approach
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
 
ISO 27701
ISO 27701ISO 27701
ISO 27701
 
Data Architecture Strategies
Data Architecture StrategiesData Architecture Strategies
Data Architecture Strategies
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 

Ähnlich wie Cobit 5 for Information Security

Cobit5 laminate
Cobit5 laminateCobit5 laminate
Cobit5 laminateclaudiocj7
 
Feb 26 NETP Slide Deck
Feb 26 NETP Slide DeckFeb 26 NETP Slide Deck
Feb 26 NETP Slide Deckddcomeau
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptxjamiejohngianna
 
Cobit Foundation Training
Cobit Foundation TrainingCobit Foundation Training
Cobit Foundation Trainingvyomlabs
 
Marcos cobi t -e-itil-v040811
Marcos cobi t -e-itil-v040811Marcos cobi t -e-itil-v040811
Marcos cobi t -e-itil-v040811faau09
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGoutama Bachtiar
 
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...PECB
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introductionsuhaskokate
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?PECB
 
10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should Know10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should KnowIBM Security
 
Savings, security, and stability: how ShareGate benefits everyone
Savings, security, and stability: how ShareGate benefits everyoneSavings, security, and stability: how ShareGate benefits everyone
Savings, security, and stability: how ShareGate benefits everyonesammart93
 

Ähnlich wie Cobit 5 for Information Security (20)

Cobit5 laminate
Cobit5 laminateCobit5 laminate
Cobit5 laminate
 
Cobit 5 introduction plgr
Cobit 5 introduction plgrCobit 5 introduction plgr
Cobit 5 introduction plgr
 
Feb 26 NETP Slide Deck
Feb 26 NETP Slide DeckFeb 26 NETP Slide Deck
Feb 26 NETP Slide Deck
 
Cobit 5 Business Framework -Governance and Management of Enterprise IT
Cobit 5  Business Framework -Governance and Management of Enterprise ITCobit 5  Business Framework -Governance and Management of Enterprise IT
Cobit 5 Business Framework -Governance and Management of Enterprise IT
 
ACFN vISO eBook
ACFN vISO eBookACFN vISO eBook
ACFN vISO eBook
 
5 essential-facts-about-cobit
5 essential-facts-about-cobit5 essential-facts-about-cobit
5 essential-facts-about-cobit
 
Cobit5 and-grc
Cobit5 and-grcCobit5 and-grc
Cobit5 and-grc
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 Introduction
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
 
Introduction to cobit 5.0
Introduction to cobit 5.0Introduction to cobit 5.0
Introduction to cobit 5.0
 
Cobit Foundation Training
Cobit Foundation TrainingCobit Foundation Training
Cobit Foundation Training
 
Intro to COBIT 5.0
Intro to COBIT 5.0Intro to COBIT 5.0
Intro to COBIT 5.0
 
Marcos cobi t -e-itil-v040811
Marcos cobi t -e-itil-v040811Marcos cobi t -e-itil-v040811
Marcos cobi t -e-itil-v040811
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
Integrating ISO 27001, ISO 20000, and Project Management – From Theory to Pra...
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should Know10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should Know
 
COBIT 5 FAQ
COBIT 5 FAQCOBIT 5 FAQ
COBIT 5 FAQ
 
Savings, security, and stability: how ShareGate benefits everyone
Savings, security, and stability: how ShareGate benefits everyoneSavings, security, and stability: how ShareGate benefits everyone
Savings, security, and stability: how ShareGate benefits everyone
 

Kürzlich hochgeladen

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Kürzlich hochgeladen (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Cobit 5 for Information Security

  • 1. for Information Security COBIT 5 Product Family COBIT® 5 COBIT 5 Enabler Guides COBIT® 5: Enabling Processes COBIT® 5: Enabling Information Other Enabler Guides COBIT 5 Professional Guides COBIT® 5 Implementation COBIT® 5 for Information Security COBIT® 5 for Assurance COBIT® 5 for Risk COBIT 5 Online Collaborative Environment Source: COBIT 5 for Information Security, figure 1 COBIT 5 Principles 1. Meeting Stakeholder Needs 5. Separating Governance From Management 2. Covering the Enterprise End-to-end COBIT 5 Principles 3. Applying a Single Integrated Framework 4. Enabling a Holistic Approach Source: COBIT 5, figure 2 3701 Algonquin Road, Suite 1010 • Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545 • Fax: +1.847.253.1443 • Email: info@isaca.org Web site: www.isaca.org ©2013 ISACA. A l l r i g h t s r e s e r v e d . Other Professional Guides
  • 2. COBIT 5 for Information Security

    COBIT 5 Goals Cascade Overview
      Stakeholder Drivers (Environment, Technology Evolution, …)
        influence
      Stakeholder Needs: Benefits Realisation, Risk Optimisation, Resource Optimisation
        cascade to
      Enterprise Goals
        cascade to
      IT-related Goals
        cascade to
      Enabler Goals
      Source: COBIT 5, figure 4

    Selected Guidance From the COBIT 5 Family
    These charts and figures are elements of COBIT 5 and its supporting guides. This excerpt is available as a complimentary PDF (www.isaca.org/cobit) and for purchase in hard copy (www.isaca.org/bookstore). It provides an overview of the COBIT 5 guidance, its five principles and seven enablers. We encourage you to share this document with your enterprise leaders, team members, clients and/or consultants.

    COBIT enables enterprises to maximize the value and minimize the risk related to information, which has become the currency of the 21st century. COBIT 5 is a comprehensive framework of globally accepted principles, practices, analytical tools and models that can help any enterprise effectively address critical business issues related to the governance and management of information and technology. Additional information is available at www.isaca.org/cobit.

    ©2013 ISACA. All rights reserved.
  • 3. COBIT 5 for Information Security

    Governance and Management in COBIT 5
      Governance Objective: Value Creation (Benefits Realisation, Risk Optimisation, Resource Optimisation)
      Governance Enablers
      Governance Scope
      Roles, Activities and Relationships
      Source: COBIT 5, figure 8

    Key Roles, Activities and Relationships
      Roles: Owners and Stakeholders; Governing Body; Management; Operations and Execution
      Relationships between the roles: Delegate; Accountable; Set Direction; Monitor; Instruct and Align; Report
      Source: COBIT 5, figure 9

    COBIT 5 Governance and Management Key Areas
      Business Needs feed Governance
      Governance: Evaluate, Direct, Monitor
      Management Feedback returns to Governance
      Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)
      Source: COBIT 5, figure 15

    ©2013 ISACA. All rights reserved.
  • 4. COBIT 5 for Information Security

    Information Security Skills/Competencies
      Information security governance
      Information security strategy formulation
      Information risk management
      Information security architecture development
      Information security operations
      Information assessment and testing and compliance
      Source: COBIT 5 for Information Security, Figure 20

    Example Stakeholders for Information Security-related Information (Small/Medium Enterprise)
      Information types (columns): Information Security Strategy; Information Security Budget; Information Security Plan; Policies; Information Security Requirements; Awareness Material; Information Security Review Reports; Information Risk Profile; Information Security Dashboard; Information Security Service Catalogue
      Stakeholders (rows):
        Internal: Enterprise: Board; Chief executive officer (CEO); Chief financial officer (CFO); Chief information security officer (CISO); Information security steering committee (ISSC); Business process owner; Head of human resources (HR)
        Internal: IT: Chief information officer (CIO)/IT manager; Information security manager (ISM)
        External: Investors; Insurers; Business Partners; Vendors/Suppliers; Regulators; External Auditors
      Each cell indicates the nature of the relationship of the stakeholder to the information type: A—Approver; O—Originator; I—Informed of information type; U—User of information type
      Source: COBIT 5 for Information Security, Figure 17

    ©2013 ISACA. All rights reserved.
  • 5. COBIT 5 for Information Security

    Advantages and Disadvantages of Potential Paths for Information Security Reporting

      Chief executive officer (CEO)
        Advantages: Information risk is elevated to the highest level in the enterprise.
        Disadvantages: Information risk needs to be presented in a format that is understandable to the CEO. Given the multitude of responsibilities of the CEO, information risk might be monitored and managed at too high a level of abstraction or might not be fully understood in its relevant details.

      Chief information officer (CIO)
        Advantages: Information security issues and solutions can be aligned with all IT initiatives.
        Disadvantages: Information risk may not be addressed due to other IT initiatives and deadlines taking precedence over information security. There is a potential conflict of interest. The work performed by information security professionals may be IT-focussed and not information security-focussed. In other words, there may be an insufficient business focus.

      Chief financial officer (CFO)
        Advantages: Information security issues can be addressed from a financial business impact point of view.
        Disadvantages: Information risk may not be addressed due to financial initiatives and deadlines taking precedence over information security. There is a potential conflict of interest.

      Chief risk officer (CRO)
        Advantages: Information risk is elevated to a position that can also look at risk from strategic, financial, operational, reputational and compliance perspectives.
        Disadvantages: This role does not exist in most enterprises. It is most often found in financial service organisations. In enterprises in which a CRO is not present, organisational risk decisions may be decided by the CEO or board of directors.

      Chief technology officer (CTO)
        Advantages: Information security can be partnered and included in future technology road maps.
        Disadvantages: Information risk may not be addressed due to technology directions taking precedence over information security.

      Chief operating officer (COO)
        Advantages: Information security issues and solutions can be addressed from the standpoint of impact to the business' operations.
        Disadvantages: Information risk may not be addressed due to operational initiatives and deadlines taking precedence over information security.

      Board of directors (indirect report)
        Advantages: Information risk is elevated to the highest level in the enterprise.
        Disadvantages: Information risk needs to be presented in a format that is understandable to board members, and hence may become too high-level to be relevant.

      Source: COBIT 5 for Information Security, Figure 14

    Policy Framework
      Policy Framework Input: Information Security Principles; Mandatory Information Security Standards, Frameworks and Models; Generic Information Security Standards, Frameworks and Models
      Information Security Policy
      Specific Information Security Policies
      Information Security Procedures
      Information Security Requirements and Documentation
      Source: COBIT 5 for Information Security, Figure 10

    ©2013 ISACA. All rights reserved.
  • 6. COBIT 5 for Information Security

    COBIT 5 Process Reference Model

    Processes for Governance of Enterprise IT
      Evaluate, Direct and Monitor
        EDM01 Ensure Governance Framework Setting and Maintenance
        EDM02 Ensure Benefits Delivery
        EDM03 Ensure Risk Optimisation
        EDM04 Ensure Resource Optimisation
        EDM05 Ensure Stakeholder Transparency

    Processes for Management of Enterprise IT
      Align, Plan and Organise
        APO01 Manage the IT Management Framework
        APO02 Manage Strategy
        APO03 Manage Enterprise Architecture
        APO04 Manage Innovation
        APO05 Manage Portfolio
        APO06 Manage Budget and Costs
        APO07 Manage Human Resources
        APO08 Manage Relationships
        APO09 Manage Service Agreements
        APO10 Manage Suppliers
        APO11 Manage Quality
        APO12 Manage Risk
        APO13 Manage Security
      Build, Acquire and Implement
        BAI01 Manage Programmes and Projects
        BAI02 Manage Requirements Definition
        BAI03 Manage Solutions Identification and Build
        BAI04 Manage Availability and Capacity
        BAI05 Manage Organisational Change Enablement
        BAI06 Manage Changes
        BAI07 Manage Change Acceptance and Transitioning
        BAI08 Manage Knowledge
        BAI09 Manage Assets
        BAI10 Manage Configuration
      Deliver, Service and Support
        DSS01 Manage Operations
        DSS02 Manage Service Requests and Incidents
        DSS03 Manage Problems
        DSS04 Manage Continuity
        DSS05 Manage Security Services
        DSS06 Manage Business Process Controls
      Monitor, Evaluate and Assess
        MEA01 Monitor, Evaluate and Assess Performance and Conformance
        MEA02 Monitor, Evaluate and Assess the System of Internal Control
        MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

      Source: COBIT 5, figure 16

    ©2013 ISACA. All rights reserved.
  • 7. COBIT 5 for Information Security

    COBIT 5 Enterprise Enablers
      1. Principles, Policies and Frameworks
      2. Processes
      3. Organisational Structures
      4. Culture, Ethics and Behaviour
      5. Information
      6. Services, Infrastructure and Applications
      7. People, Skills and Competencies
      (Enablers 5, 6 and 7 are also Resources.)
      Source: COBIT 5, figure 12

    COBIT 5 Enablers: Generic
      Enabler Dimension
        Stakeholders: • Internal Stakeholders • External Stakeholders
        Goals: • Intrinsic Quality • Contextual Quality (Relevance, Effectiveness) • Accessibility and Security
        Life Cycle: • Plan • Design • Build/Acquire/Create/Implement • Use/Operate • Evaluate/Monitor • Update/Dispose
        Good Practices: • Practices • Work Products (Inputs/Outputs)
      Enabler Performance Management
        Are Stakeholders' Needs Addressed?
        Are Enabler Goals Achieved?
        Is Life Cycle Managed?
        Are Good Practices Applied?
        Metrics for Achievement of Goals (Lag Indicators)
        Metrics for Application of Practice (Lead Indicators)
      Source: COBIT 5, figure 13

    ©2013 ISACA. All rights reserved.
  • 8. COBIT 5 for Information Security

    The Seven Phases of the Implementation Life Cycle
      1 What are the drivers?
      2 Where are we now?
      3 Where do we want to be?
      4 What needs to be done?
      5 How do we get there?
      6 Did we get there?
      7 How do we keep the momentum going?
      Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness
      Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain
      Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate
      Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6

    Summary of the COBIT 5 Process Capability Model
      Generic Process Capability Attributes
        0 Incomplete Process
        1 Performed Process: Performance Attribute (PA) 1.1 Process Performance
        2 Managed Process: PA 2.1 Performance Management; PA 2.2 Work Product Management
        3 Established Process: PA 3.1 Process Definition; PA 3.2 Process Deployment
        4 Predictable Process: PA 4.1 Process Management; PA 4.2 Process Control
        5 Optimising Process: PA 5.1 Process Innovation; PA 5.2 Process Optimisation
      COBIT 5 Process Assessment Model—Performance Indicators: Process Outcomes; Base Practices (Management/Governance Practices); Work Products (Inputs/Outputs)
      COBIT 5 Process Assessment Model—Capability Indicators: Generic Practices; Generic Resources; Generic Work Products
      Source: COBIT 5, figure 19

    ©2013 ISACA. All rights reserved.