COBIT 2019 and IT Management
- Introduction
Christian F. Nissen, CFN Consult
RESILIA™, ITIL®, PRINCE2®, MSP®, MoP® and MoV® are registered trade marks of AXELOS in the United Kingdom and other countries
COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
TOGAF™ and IT4IT™ are trademarks of The Open Group
SIAM® is a registered trademark of EXIN
© 2019 of CFN Consult unless otherwise stated
Agenda
1. Governance of IT
2. COBIT Background
3. COBIT Other frameworks
4. COBIT Principles
5. COBIT Goals
6. COBIT Objectives
7. COBIT Components
8. COBIT Design factors
9. COBIT Focus areas
10. COBIT Performance management
11. Designing and implementing a governance system
Assignment
• What is the difference between “IT Governance” and “IT Management”?
• What are the differences and similarities between “Corporate governance”, “IT Governance”, “Project governance”, “Process governance”, “Service governance”, “Information governance” and “application governance”?
• Time: 10 minutes
Governance – an introduction
Definition? MANAGEMENT of MANAGEMENT
Object? The asset: its system (architecture/configuration of resources), its value and its lifecycle.
Governance – an introduction
Who? The governance body (the accountable owner) evaluates and directs, monitors, and delegates to management. Management runs the plan-do-check-act cycle over the operation and execution of the asset and reports back to the governance body.
Why? To optimize resources, maximize return on investment, optimize risk and meet stakeholder preferences.
Governance – an introduction
How? Evaluate, direct and monitor.
What?
❍ Principles, policies and plans (boundaries, principles, policies, decision models, strategies, plans, etc.)
❍ Goals (performance and outcome goals)
❍ Controls (control objectives, requirements, agreements, etc.)
❍ Maturity (capability maturity, benchmarks, etc.)
❍ Resources (money, etc.)
Governance – an introduction
When? The need for governance grows with the value of the asset and with the complexity of the asset (its system and lifecycle).
IT governance balances:
Conformance
• Adhering to legislation, internal policies, audit requirements, etc.
Performance
• Improving profitability, efficiency, effectiveness, growth, etc.
A delicate balance between performance and conformance.
COBIT
• Originally: the Control Objectives for Information and related Technology (COBIT)
• COBIT consists of a number of general goals, practices (controls), processes, organizational structures, information flows, and other components for governance and management of enterprise IT
• COBIT is a reference, a set of best practices, not an ‘off-the-shelf’ cure (descriptive, not prescriptive)
• COBIT is produced and owned by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
www.isaca.org/cobit
Why COBIT 2019?
Value creation:
• Benefits realization
• Risk optimization
• Resource optimization
(Figure: business/IT alignment, enterprise governance of IT, value creation)
COBIT 2019 – Governance framework principles
1. Based on a conceptual model
2. Open and flexible
3. Aligned to major standards
COBIT History
For latest updates on COBIT, visit www.isaca.org/cobit.
(Figure: the scope of COBIT has evolved from audit, to control, to practices, to management, to governance, to capabilities)
COBIT 2019 – Scope
Governance ensures that:
• Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
• Direction is set through prioritization and decision making.
• Performance and compliance are monitored against agreed-on direction and objectives.
Management
• Plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.
COBIT 2019 – Scope
• COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.
• COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
• COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.
COBIT 2019 – Target audience
Stakeholder: Benefit of COBIT
Internal stakeholders
Boards: Provides insights on how to get value from the use of IT and explains relevant board responsibilities
Executive management: Helps to understand how to obtain the IT solutions enterprises require and how best to exploit new technology for new strategic opportunities
Business managers: Provides guidance on how to organize and monitor performance of IT across the enterprise
IT managers: Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy to business priorities, etc.
Assurance providers: Helps to manage dependency on external service providers, get assurance over IT, and ensure the existence of an effective and efficient system of internal controls
Risk management: Helps to ensure the identification and management of all IT-related risk
External stakeholders
Regulators: Helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance
Business partners: Helps to ensure that a business partner’s operations are secure, reliable and compliant with applicable rules and regulations
IT vendors: Helps to ensure that an IT vendor’s operations are secure, reliable and compliant with applicable rules and regulations
COBIT 2019 – Overview (figure)
COBIT 2019 – Product family
Products
• COBIT 2019 Framework: Introduction and Methodology
• COBIT 2019 Framework: Governance and Management Objectives
• COBIT 2019 Design Guide
• COBIT 2019 Implementation Guide
Some relevant best practices and standards
Area: Best practices | Standards | Regulations
Corporate Governance: God Selskabsledelse | COSO | Sarbanes-Oxley (SoX)
IT Governance: COBIT, MoV, MoP | ISO/IEC 38500 | –
IT Management: COBIT / MoR | – | –
Enterprise Architecture: TOGAF | ISO/IEC 42016 | –
IT Service Management: ITIL, eTOM, VeriSM, SAFe | ISO/IEC 20000, IT4IT | –
Information Security & privacy: ISF | ISO/IEC 27000 | Data protection acts, GDPR
Quality Management: LEAN, EFQM, Six Sigma, Test | ISO 9000 | –
Process Maturity: CMMi, TIPA | ISO/IEC 33000 | –
Project & Program Management: PRINCE2, MSP, PMBOK | – | –
Industry specific: GAMP, Basel II, Solvency II | – | FDA requirements
COBIT and related frameworks (figure; COBIT 5, Appendix E)
Governance related best practices and standards
• IT Governance Institute (ISACA)
  • Board Briefing on IT Governance
  • COBIT
• Peter Weill and Jeanne W. Ross
  • IT Governance
• Cabinet Office
  • ITIL
  • PRINCE2
  • MoR
  • MSP
  • MoV, MoP, P3O, P3M3
• ISO/IEC
  • ISO/IEC 38500 Corporate governance of IT
ISO/IEC 38500
• Formal standard for IT Governance
• ISO/IEC 38500 is produced and owned by the International Organization for Standardization (ISO)
• ISO/IEC 38500 covers six principles for IT Governance:
  • Responsibility
  • Strategy
  • Acquisition
  • Performance
  • Conformance
  • Human behavior
• www.iso.org
ISO/IEC 38500 History and ownership
• ISO/IEC 38500 was originally developed by the Australian standardization organization and was named AS8015:2005.
• In 2009 it was fast tracked through ISO and officially renamed ISO/IEC 38500:2008 in April 2008.
• In 2016 it was revised to ISO/IEC 38500:2016.
ISO/IEC 38500 The six principles
• Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
• Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
• Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
• Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
• Principle 5: Conformance
The use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
• Principle 6: Human Behavior
IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the ‘people in the process’.
Governance activities according to ISO/IEC 38500
• Evaluate (current and future use of IT)
• Direct (preparation and implementation)
• Monitor (conformance and performance)
COBIT 2019 – Six governance system principles
1. Provide Stakeholder Value
2. Holistic Approach
3. Dynamic Governance System
4. Governance Distinct From Management
5. Tailored to Enterprise Needs
6. End-to-End Governance System
COBIT 2019 – Goals cascade
Stakeholder Drivers and Needs
  cascade to
Enterprise Goals
  cascade to
Alignment Goals
  cascade to
Governance and Management Objectives
COBIT 2019 – Enterprise Goals
BSC dimension / Ref. / Enterprise Goal
Financial
EG01 Portfolio of competitive products and services
EG02 Managed business risk
EG03 Compliance with external laws and regulations
EG04 Quality of financial information
Customer
EG05 Customer-oriented service culture
EG06 Business-service continuity and availability
EG07 Quality of management information
Internal
EG08 Optimization of internal business process functionality
EG09 Optimization of business process costs
EG10 Staff skills, motivation and productivity
EG11 Compliance with internal policies
Learning and Growth
EG12 Managed digital transformation programs
EG13 Product and business innovation
COBIT 2019 – Alignment Goals
BSC dimension / Ref. / Alignment Goal
Financial
AG01 IT compliance and support for business compliance with external laws and regulations
AG02 Managed IT-related risk
AG03 Realized benefits from IT enabled investments and services portfolio
AG04 Quality of technology-related financial information
Customer
AG05 Delivery of I&T services in line with business requirements
AG06 Agility to turn business requirements into operational solutions
Internal
AG07 Security of information, processing infrastructure and applications, and privacy
AG08 Enabling and supporting business processes by integrating applications and technology
AG09 Delivery of programs on time, on budget and meeting requirements and quality standards
AG10 Quality of IT management information
AG11 IT compliance with internal policies
Learning and Growth
AG12 Competent and motivated staff with mutual understanding of technology and business
AG13 Knowledge, expertise and initiatives for business innovation
COBIT 2019 – Mapping Enterprise and Alignment Goals (figure)
COBIT 2019 – Mapping Alignment Goals and Objectives (figure)
COBIT 2019 – Objectives
• For information and technology to contribute to enterprise goals, a number of governance and management objectives (i.e. capabilities) should be achieved.
• A governance or management objective always relates to one process and a series of related components of other types to help achieve the objective.
COBIT 2019 – Objectives
• COBIT 2019 includes 5 governance objectives and 35 management objectives, covering 231 governance and management practices (controls) in five domains:
  • Evaluate, Direct and Monitor (Governance)
  • Align, Plan and Organize (Management)
  • Build, Acquire and Implement (Management)
  • Deliver, Service and Support (Management)
  • Monitor, Evaluate and Assess (Management)
COBIT 2019 – Core model (40 objectives) (figure)
COBIT 2019 – Core model
Evaluate, Direct and Monitor (EDM)
EDM01 Ensured Governance Framework Setting & Maintenance
EDM02 Ensured Benefits Delivery
EDM03 Ensured Risk Optimization
EDM04 Ensured Resource Optimization
EDM05 Ensured Stakeholder Engagement
Align, Plan and Organize (APO)
APO01 Managed I&T Management Framework
APO02 Managed Strategy
APO03 Managed Enterprise Architecture
APO04 Managed Innovation
APO05 Managed Portfolio
APO06 Managed Budget & Costs
APO07 Managed Human Resources
APO08 Managed Relationships
APO09 Managed Service Agreements
APO10 Managed Vendors
APO11 Managed Quality
APO12 Managed Risk
APO13 Managed Security
APO14 Managed Data
Build, Acquire and Implement (BAI)
BAI01 Managed Programs
BAI02 Managed Requirements Definition
BAI03 Managed Solutions Identification & Build
BAI04 Managed Availability & Capacity
BAI05 Managed Organizational Change
BAI06 Managed IT Changes
BAI07 Managed IT Change Acceptance and Transitioning
BAI08 Managed Knowledge
BAI09 Managed Assets
BAI10 Managed Configuration
BAI11 Managed Projects
Deliver, Service and Support (DSS)
DSS01 Managed Operations
DSS02 Managed Service Requests & Incidents
DSS03 Managed Problems
DSS04 Managed Continuity
DSS05 Managed Security Services
DSS06 Managed Business Process Controls
Monitor, Evaluate and Assess (MEA)
MEA01 Managed Performance and Conformance Monitoring
MEA02 Managed System of Internal Control
MEA03 Managed Compliance with External Requirements
MEA04 Managed Assurance
COBIT 2019 – Objective – Example (figure)
COBIT 2019 – Components
To satisfy the objectives, each enterprise needs to establish, tailor and sustain a governance system built from a number of components.
• Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over IT.
• Components interact with each other, resulting in a holistic governance system for IT.
• Components can be of different types.
COBIT 2019 – Components
The governance system is built from seven component types:
• Processes
• Organizational Structures
• Information
• People, Skills and Competences
• Principles, Policies, Procedures
• Culture, Ethics and Behavior
• Services, Infrastructure and Applications
COBIT 2019 – Processes – Example (figure)
COBIT 2019 – Processes – Controls
• Controls are statements of managerial actions to increase value or reduce risk
• Controls are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
• In COBIT, controls are called “Governance Practices” and “Management Practices”
COBIT 2019 – Processes – Control types
• Directive controls
• Preventive controls
• Compensating controls
• Detective controls
• Corrective controls
COBIT 2019 – Processes – Process specific controls
Example: BAI06 Managed IT Changes
BAI06.01 Evaluate, prioritize and authorize change requests.
• Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.
BAI06.02 Manage emergency changes.
• Carefully manage emergency changes to minimize further incidents. Ensure the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.
BAI06.03 Track and report change status.
• Maintain a tracking and reporting system to document rejected changes and communicate the status of approved, in-process and complete changes. Make certain that approved changes are implemented as planned.
BAI06.04 Close and document the changes.
• Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.
ISO/IEC 20000-1:2011 – Requirements
9.2 Change management
A change management policy shall be established that defines:
a) CIs which are under the control of change management;
b) criteria to determine changes with potential to have a major impact
on services or the customer.
Removal of a service shall be classified as a change to a service with
the potential to have a major impact. Transfer of a service from the
service provider to the customer or a different party shall be classified
as a change with potential to have a major impact.
There shall be a documented procedure to record, classify, assess
and approve requests for change.
The service provider shall document and agree with the customer the
definition of an emergency change. There shall be a documented
procedure for managing emergency changes.
All changes to a service or service component shall be raised using a
request for change. Requests for change shall have a defined scope.
. . .
ISO/IEC 27002:2013 – Requirements
12.1.2 Change Management
Control
Changes to the organization, business processes, information processing facilities and
systems that affect information security should be controlled.
Implementation guidance
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such
changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and
recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled
implementation of changes needed to resolve an incident.
Formal management responsibilities and procedures should be in place to ensure
satisfactory control of all changes. When changes are made, an audit log containing all
relevant information should be retained.
Compliance requirements
• Security standards
• Privacy legislation
• Spam legislation
• Trade practices legislation
• Intellectual property rights, including software licensing agreements
• Record keeping requirements
• Environmental legislation and regulations
• Health and safety legislation
• Accessibility legislation
• Social responsibility standards
• . . .
Mapping compliance requirements
(Figure: requirements from COBIT, ISO/IEC 20000 and ISO/IEC 27000 are mapped into a control objective database, which in turn drives the policy, process, procedure, work instructions and roles.) Sample requirements shown in the figure:
• ISO/IEC 27000, 7.1: “Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned . . .”
• ISO/IEC 20000, 9.1: “Configuration management shall provide information to the change management process on the impact of a requested change on the service and infrastructure configurations . . .”
• COBIT, BAI10.03: “Maintain an up-to-date repository of configuration items (CIs) by populating any configuration changes. . . .”
COBIT 2019 – Organizational Structures – Example (figure)
COBIT 2019 – Information – Example (figure)
COBIT 2019 – People, Skills, Competences – Example (figure)
The people, skills and competencies governance component identifies human resources and skills required to achieve the governance or management objective. COBIT® 2019 based this guidance on the Skills Framework for the Information Age (SFIA®) V6 (version 6). All listed skills are described in detail in the SFIA framework. The Detailed Reference provides a unique code that correlates to SFIA guidance on the skill.
COBIT 2019 – Policies, Procedures – Example (figure)
COBIT 2019 – Culture, Ethics, Behavior – Example (figure)
COBIT 2019 – Services, Infrastructure, Applications – Example (figure)
COBIT 2019 – Design factors
Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of IT. Design factors include any combination of the following:
1. Enterprise Strategy
2. Enterprise Goals
3. Risk Profile
4. IT-Related Issues
5. Threat Landscape
6. Compliance Requirements
7. Role of IT
8. Sourcing Model for IT
9. IT Implementation Methods
10. Technology Adoption Strategy
11. Enterprise Size
COBIT 2019 – Design factors
1. Enterprise strategy. Organizations typically have a primary strategy and, at most, one secondary strategy. Enterprises can have different strategies, which can be expressed as one or more of the following archetypes:
Strategy archetype: Explanation
Growth/Acquisition: The enterprise has a focus on growing (revenues)
Innovation/Differentiation: The enterprise has a focus on offering different and/or innovative products and services to their clients
Cost leadership: The enterprise has a focus on short-term cost minimization
Client service/Stability: The enterprise has a focus on providing stable and client-oriented service
COBIT 2019 – Design factors
2. Enterprise goals supporting the enterprise strategy:
BSC dimension / Ref. / Enterprise goal
Financial
EG01 Portfolio of competitive products and services
EG02 Managed business risk
EG03 Compliance with external laws and regulations
EG04 Quality of financial information
Customer
EG05 Customer-oriented service culture
EG06 Business-service continuity and availability
EG07 Quality of management information
Internal
EG08 Optimization of internal business process functionality
EG09 Optimization of business process costs
EG10 Staff skills, motivation and productivity
EG11 Compliance with internal policies
Learning and Growth
EG12 Managed digital transformation programs
EG13 Product and business innovation
COBIT 2019 – Design factors
3. Risk profile of the enterprise (risk categories):
1. IT investment decision making, portfolio definition & maintenance
2. Program & projects life cycle management
3. IT cost & oversight
4. IT expertise, skills & behavior
5. Enterprise/IT architecture
6. IT operational infrastructure incidents
7. Unauthorized actions
8. Software adoption/usage problems
9. Hardware incidents
10. Software failures
11. Logical attacks (hacking, malware, etc.)
12. Third-party/supplier incidents
13. Noncompliance
14. Geopolitical issues
15. Industrial action
16. Acts of nature
17. Technology-based innovation
18. Environmental
19. Data & information management
COBIT 2019 – Design factors
4. IT-related issues. The most common issues include:
A. Frustration between different IT entities across the organization because of a perception of low contribution to business value
B. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
C. Significant I&T-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
D. Service delivery problems by the IT outsourcer(s)
E. Failures to meet IT-related regulatory or contractual requirements
F. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
G. Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets
H. Duplications or overlaps between various initiatives, or other forms of wasted resources
I. Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
J. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
K. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
L. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
M. Excessively high cost of IT
N. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
O. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
P. Regular issues with data quality and integration of data across various sources
Q. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
R. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services)
S. Ignorance of and/or noncompliance with privacy regulations
T. Inability to exploit new technologies or innovate using I&T
COBIT 2019 – Design factors
5. Threat landscape under which the enterprise operates:
Threat landscape: Explanation
Normal: The enterprise is operating under what are considered normal threat levels.
High: Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
COBIT 2019 – Design factors
6. Compliance requirements to which the enterprise is subject:
Regulatory environment: Explanation
Low compliance requirements: The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
Normal compliance requirements: The enterprise is subject to a set of regular compliance requirements that are common across different industries.
High compliance requirements: The enterprise is subject to higher-than-average compliance requirements, most often related to industry sector or geopolitical conditions.
COBIT 2019 – Design factors
7. Role of IT for the enterprise:
Role of IT: Explanation
Support: IT is not crucial for the running and continuity of the business process and services, nor for their innovation.
Factory: When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
Turnaround: IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency on IT for the current running and continuity of the business processes and services.
Strategic: IT is critical for both running and innovating the organization’s business processes and services.
COBIT 2019 – Design factors
8. Sourcing model for IT that the enterprise adopts:
Sourcing model: Explanation
Outsourcing: The enterprise calls upon the services of a third party to provide IT services.
Cloud: The enterprise maximizes the use of the cloud for providing IT services to its users.
Insourced: The enterprise provides for its own IT staff and services.
Hybrid: A mixed model is applied, combining the other three models in varying degrees.
COBIT 2019 – Design factors
9. IT implementation methods that the enterprise adopts:
Implementation method: Explanation
Agile: The enterprise uses Agile development working methods for its software development.
DevOps: The enterprise uses DevOps working methods for software building, deployment and operations.
Traditional: The enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
Hybrid: The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”
COBIT 2019 – Design factors
10. Technology adoption strategy:
Adoption strategy: Explanation
First mover: The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
Follower: The enterprise typically waits for new technologies to become mainstream and proven before adopting them.
Slow adopter: The enterprise is very late with adoption of new technologies.
COBIT 2019 – Design factors
11. Enterprise size:
Enterprise size: Explanation
Large enterprise (default): Enterprise with more than 250 full-time employees (FTEs)
Small and medium enterprise: Enterprise with 50 to 250 FTEs
COBIT 2019 – Design factors
COBIT 2019 Governance System Design Workbook – Canvas (figure)
COBIT 2019 – Focus areas
A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
• Examples of focus areas include: small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy, and DevOps.
• Focus areas may contain a combination of generic governance components and variants.
• The number of focus areas is virtually unlimited. That is what makes COBIT open-ended.
Agenda
79 © 2019
COBIT 2019 – Performance management
The COBIT Performance Management (CPM) model largely aligns with the CMMI® Development concepts:
• Process activities are associated with capability levels included in the Governance and Management Objectives guide.
• Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance.
• Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and are achieved when all required capability levels are achieved.
80 © 2019 COBIT Performance management
COBIT 2019 – Performance management
Capability and maturity levels:
[Figure: capability levels apply to processes and to other types of governance and management components; maturity levels apply to the focus area as a whole]
81 © 2019 COBIT Performance management
COBIT 2019 – Performance management
Capability levels for processes:
0: Lack of any basic capability; incomplete approach to addressing the governance and management purpose; may or may not be meeting the intent of any process practices.
1: The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive (not very organized).
2: The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
3: The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.
4: The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
5: The process achieves its purpose, is well defined, its performance is measured to improve performance, and continuous improvement is pursued.
82 © 2019 COBIT Performance management
COBIT 2019 – Performance management
The COBIT core model assigns capability levels to all process activities, enabling clear definition of the processes and required activities for achieving the different capability levels.
83 © 2019 COBIT Performance management
COBIT 2019 – Performance management
COBIT also provides guidance on how to assign capability levels to the other governance and management component types, such as:
• Organizational structures,
• Information, and
• Culture and behavior.
84 © 2019 COBIT Performance management
COBIT 2019 – Performance management
Maturity levels for focus areas:
0 Incomplete: Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area.
1 Initial: Work is completed, but the full goal and intent of the focus area are not yet achieved.
2 Managed: Planning and performance measurement take place, although not yet in a standardized way.
3 Defined: Enterprise-wide standards provide guidance across the enterprise.
4 Quantitative: The enterprise is data driven, with quantitative performance improvement.
5 Optimizing: The enterprise is focused on continuous improvement.
85 © 2019 COBIT Performance management
Agenda
86 © 2019
COBIT 2019 – Governance System Design Workflow
87 © 2019 Design and implement governance
COBIT 2019 – Implementation Road Map
Seven phases comprise the COBIT implementation approach:
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?
88 © 2019 Design and implement governance
COBIT 2019 – Design vs. Implementation
Connection points between the COBIT Design Guide and the COBIT Implementation Guide:
Implementation Guide Phase 1 (What are the drivers? Continuous improvement [CI] tasks) maps to Design Guide Step 1: Understand the enterprise context and strategy.
Implementation Guide Phase 2 (Where are we now? CI tasks) maps to Design Guide Step 2: Determine the initial scope of the governance system; Step 3: Refine the scope of the governance system; Step 4: Conclude the governance system design.
Implementation Guide Phase 3 (Where do we want to be? CI tasks) maps to Design Guide Step 4: Conclude the governance system design.
89 © 2019 Design and implement governance
COBIT 2019 – Overview
90 © 2019 Conclusion
Questions and comments
91 © 2019 Conclusion
Contact
Christian F. Nissen
cfn@cfnconsult.dk
+45 40 19 41 45
CFN Consult ApS
Nysoevang 15A
DK-2750 Ballerup
CVR: 39 36 47 86
92 © 2019
More Related Content

What's hot

IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance FrameworkSherri Booher
 
Introduction to COBIT 2019 Certification and Training
Introduction to COBIT 2019 Certification and TrainingIntroduction to COBIT 2019 Certification and Training
Introduction to COBIT 2019 Certification and TrainingMark Edmead
 
Implement cobit in your organization
Implement cobit in your organizationImplement cobit in your organization
Implement cobit in your organizationCheikh Hamallah DJIBA
 
ITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT MappingITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT MappingRob Akershoek
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.pptEmmacuet
 
COBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an IntroductionCOBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an Introductionaqel aqel
 
IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).Rob Akershoek
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5Eryk Budi Pratama
 
IT Governance Made Easy
IT Governance Made EasyIT Governance Made Easy
IT Governance Made EasyJerry Bishop
 
IT Governance Vs IT Management Presentation V0.1
IT Governance Vs IT Management   Presentation V0.1IT Governance Vs IT Management   Presentation V0.1
IT Governance Vs IT Management Presentation V0.1Richard Willis
 
ITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance SynergiesITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance SynergiesPECB
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGoutama Bachtiar
 
IT Governance & ISO 38500
IT Governance & ISO 38500IT Governance & ISO 38500
IT Governance & ISO 38500Ramiro Cid
 
Define an IT Strategy and Roadmap
Define an IT Strategy and RoadmapDefine an IT Strategy and Roadmap
Define an IT Strategy and RoadmapAndrew Byers
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Managementjiricejka
 
IT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability AssessmentIT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability AssessmentEryk Budi Pratama
 
IT Governance Presentation
IT Governance PresentationIT Governance Presentation
IT Governance Presentationjmcarden
 

What's hot (20)

IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
 
Introduction to COBIT 2019 Certification and Training
Introduction to COBIT 2019 Certification and TrainingIntroduction to COBIT 2019 Certification and Training
Introduction to COBIT 2019 Certification and Training
 
Implement cobit in your organization
Implement cobit in your organizationImplement cobit in your organization
Implement cobit in your organization
 
It governance
It governanceIt governance
It governance
 
ITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT MappingITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT Mapping
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
 
COBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an IntroductionCOBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an Introduction
 
IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
 
IT Governance Made Easy
IT Governance Made EasyIT Governance Made Easy
IT Governance Made Easy
 
It governance & cobit 5
It governance & cobit 5It governance & cobit 5
It governance & cobit 5
 
IT Governance Vs IT Management Presentation V0.1
IT Governance Vs IT Management   Presentation V0.1IT Governance Vs IT Management   Presentation V0.1
IT Governance Vs IT Management Presentation V0.1
 
ITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance SynergiesITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance Synergies
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
IT Governance & ISO 38500
IT Governance & ISO 38500IT Governance & ISO 38500
IT Governance & ISO 38500
 
Define an IT Strategy and Roadmap
Define an IT Strategy and RoadmapDefine an IT Strategy and Roadmap
Define an IT Strategy and Roadmap
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
 
IT Governance
IT GovernanceIT Governance
IT Governance
 
IT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability AssessmentIT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability Assessment
 
IT Governance Presentation
IT Governance PresentationIT Governance Presentation
IT Governance Presentation
 

Similar to Introduction to COBIT 2019 and IT management

Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introductionsuhaskokate
 
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxPPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxssuserd1791e
 
Qap cobit2019-20181111
Qap cobit2019-20181111Qap cobit2019-20181111
Qap cobit2019-20181111Patrick Soenen
 
02-cobit5-introduction.ppt
02-cobit5-introduction.ppt02-cobit5-introduction.ppt
02-cobit5-introduction.pptElonMotta
 
COBIT 2019 Executive Summary_v1.1 .pdf
COBIT 2019 Executive Summary_v1.1 .pdfCOBIT 2019 Executive Summary_v1.1 .pdf
COBIT 2019 Executive Summary_v1.1 .pdfDiegoIvanAlvaradoVel
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introductionMarkus Yaldu
 
Cobit 4.1 ivooktavianti
Cobit 4.1 ivooktaviantiCobit 4.1 ivooktavianti
Cobit 4.1 ivooktaviantiIvo Oktavianti
 
Cobit® 5 Comparação com Cobit® 4
Cobit® 5 Comparação com Cobit® 4Cobit® 5 Comparação com Cobit® 4
Cobit® 5 Comparação com Cobit® 4brunise
 

Similar to Introduction to COBIT 2019 and IT management (20)

Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxPPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
 
COBIT 5 FAQ
COBIT 5 FAQCOBIT 5 FAQ
COBIT 5 FAQ
 
Qap cobit2019-20181111
Qap cobit2019-20181111Qap cobit2019-20181111
Qap cobit2019-20181111
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
02-cobit5-introduction.ppt
02-cobit5-introduction.ppt02-cobit5-introduction.ppt
02-cobit5-introduction.ppt
 
COBIT 2019 Executive Summary_v1.1 .pdf
COBIT 2019 Executive Summary_v1.1 .pdfCOBIT 2019 Executive Summary_v1.1 .pdf
COBIT 2019 Executive Summary_v1.1 .pdf
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 Introduction
 
COBIT5-IntroductionS
COBIT5-IntroductionSCOBIT5-IntroductionS
COBIT5-IntroductionS
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
Cobit 5 introduction plgr
Cobit 5 introduction plgrCobit 5 introduction plgr
Cobit 5 introduction plgr
 
cobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publicationcobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publication
 
Cobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktaviantiCobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktavianti
 
Cobit 4.1 ivooktavianti
Cobit 4.1 ivooktaviantiCobit 4.1 ivooktavianti
Cobit 4.1 ivooktavianti
 
Cobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktaviantiCobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktavianti
 
01 intro-cobit
01 intro-cobit01 intro-cobit
01 intro-cobit
 
Cobit® 5 Comparação com Cobit® 4
Cobit® 5 Comparação com Cobit® 4Cobit® 5 Comparação com Cobit® 4
Cobit® 5 Comparação com Cobit® 4
 
Cobit5 compare-with-4.1
Cobit5 compare-with-4.1Cobit5 compare-with-4.1
Cobit5 compare-with-4.1
 
COBIT
COBITCOBIT
COBIT
 
Cobit 5 Business Framework -Governance and Management of Enterprise IT
Cobit 5  Business Framework -Governance and Management of Enterprise ITCobit 5  Business Framework -Governance and Management of Enterprise IT
Cobit 5 Business Framework -Governance and Management of Enterprise IT
 

More from Christian F. Nissen

Introduction to ITIL 4 and IT service management
Introduction to ITIL 4 and IT service managementIntroduction to ITIL 4 and IT service management
Introduction to ITIL 4 and IT service managementChristian F. Nissen
 
Introduction to RESILIA and Cyber Resilience
Introduction to RESILIA and Cyber ResilienceIntroduction to RESILIA and Cyber Resilience
Introduction to RESILIA and Cyber ResilienceChristian F. Nissen
 
Acquisition of IT Service Management tools
Acquisition of IT Service Management toolsAcquisition of IT Service Management tools
Acquisition of IT Service Management toolsChristian F. Nissen
 
Introduction to ITIL 2011 and IT service management
Introduction to ITIL 2011 and IT service managementIntroduction to ITIL 2011 and IT service management
Introduction to ITIL 2011 and IT service managementChristian F. Nissen
 
Why IT Service Managemement implementations sometimes fail in real life
Why IT Service Managemement implementations sometimes fail in real lifeWhy IT Service Managemement implementations sometimes fail in real life
Why IT Service Managemement implementations sometimes fail in real lifeChristian F. Nissen
 

More from Christian F. Nissen (7)

Introduction to ITIL 4 and IT service management
Introduction to ITIL 4 and IT service managementIntroduction to ITIL 4 and IT service management
Introduction to ITIL 4 and IT service management
 
Introduction to RESILIA and Cyber Resilience
Introduction to RESILIA and Cyber ResilienceIntroduction to RESILIA and Cyber Resilience
Introduction to RESILIA and Cyber Resilience
 
Acquisition of IT Service Management tools
Acquisition of IT Service Management toolsAcquisition of IT Service Management tools
Acquisition of IT Service Management tools
 
Introduction to ITIL 2011 and IT service management
Introduction to ITIL 2011 and IT service managementIntroduction to ITIL 2011 and IT service management
Introduction to ITIL 2011 and IT service management
 
Introduction to nudging in IT
Introduction to nudging in ITIntroduction to nudging in IT
Introduction to nudging in IT
 
DevOps introduction
DevOps introductionDevOps introduction
DevOps introduction
 
Why IT Service Managemement implementations sometimes fail in real life
Why IT Service Managemement implementations sometimes fail in real lifeWhy IT Service Managemement implementations sometimes fail in real life
Why IT Service Managemement implementations sometimes fail in real life
 

Recently uploaded

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Introduction to COBIT 2019 and IT management

  • 1. COBIT 2019 and IT Management - Introduction Christian F. Nissen, CFN Consult RESILIATM, ITIL®, PRINCE2® MSP®, MoP® and MoV® are Registered Trade Marks of AXELOS in the United Kingdom and other countries COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) TOGAFTM and IT4ITTM are trademarks of The Open Group SIAM® is a registered trademark of EXIN © 2019 of CFN Consult unless otherwise stated
  • 2. 2 Agenda 1. Governance of IT 2. COBIT Background 3. COBIT Other frameworks 4. COBIT Principles 5. COBIT Goals 6. COBIT Objectives 7. COBIT Components 8. COBIT Design factors 9. COBIT Focus areas 10. COBIT Performance management 11. Designing and implementing a governance system Agenda © 2019
  • 3. 3 Assignment  What is the difference between “IT Governance” and “IT Management”?  What are the differences and similarities between “Corporate governance”, “IT Governance”, “Project governance”, “Process governance”, “Service governance”, “Information governance” and “application governance”?  Time: 10 minutes Governance © 2019
  • 4. Governance – an introduction Definition? MANAGEMENT of MANAGEMENT Object? 4 Asset System (Architecture/configuration of resources) Value Lifecycle Governance © 2019
  • 5. Governance – an introduction Who? Why? 5 Delegate Accountable Owner Evaluate & direct Monitor Gover- nance body Plan-do- check-act Report Operation & execution Manage- ment Asset Optimize resources Maximize return on investment Optimize risk Meet preference Governance © 2019
  • 6. Governance – an introduction How? What? ❍ Principles, policies and plans (Boundaries, principles, policies, decision models, strategies, plans, etc.) ❍ Goals (Performance and outcome goals) ❍ Controls (Control objectives, requirements, agreements, etc.) ❍ Maturity (Capability maturity, benchmarks, etc.) ❍ Resources (Money, etc. etc.) 6 Evaluate Direct Monitor Governance © 2019
  • 7. Governance – an introduction When? 7 Asset value Complexity of asset (system/lifecycle) Need for governance Governance © 2019
  • 8. 9 IT governance balances: Conformance  Adhering to legislation, internal policies, audit requirements, etc. Performance  Improving profitability, efficiency, effectiveness, growth, etc. Performance Conformance A delicate balance Governance © 2019
  • 9. 10 Agenda 1. Governance of IT 2. COBIT Background 3. COBIT Other frameworks 4. COBIT Principles 5. COBIT Goals 6. COBIT Objectives 7. COBIT Components 8. COBIT Design factors 9. COBIT Focus areas 10. COBIT Performance management 11. Designing and implementing a governance system Agenda © 2019
  • 10. COBIT  Originally: The Control Objectives for Information and related Technology (COBIT)  COBIT consists of a number of general goals, practices (controls), processes, organizational structures, information flows, and other components for governance and management of enterprise IT  Are references, sets of best practices, not an ‘off-the-shelf’ cure (descriptive – not prescriptive)  COBIT is produced and owned by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) www.isaca.org/cobit COBIT 11 © 2019
  • 11. 12 Why COBIT 2019? Value creation:  Benefits realization  Risk optimization  Resource optimization COBIT © 2019 Business/IT Alignment Enterprise Governance of IT Value Creation
  • 12. COBIT 2019 – Governance framework principles 13 COBIT © 2019 1. Based on a conceptual model 2. Open and flexible 3. Aligned to major standards
  • 13. 14 For latest updates on COBIT, visit www.isaca.org/cobit. COBIT History COBIT © 2019 Audit Control Practices Manage- ment Gover- nance Capabili- ties
  • 14. 15 COBIT 2019 – Scope Governance ensures that:  Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.  Direction is set through prioritization and decision making.  Performance and compliance are monitored against agreed- on direction and objectives. Management  Plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives. COBIT © 2019
  • 15. COBIT 2019 – Scope 16 © 2019 COBIT
  • 16. 17 COBIT 2019 – Scope  COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.  COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.  COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system. COBIT © 2019
• 17. COBIT 2019 – Target audience
Internal stakeholders:
 Boards: provides insight into how to get value from the use of IT and explains the relevant board responsibilities
 Executive management: helps to understand how to obtain the IT solutions the enterprise requires and how best to exploit new technology for new strategic opportunities
 Business managers: provides guidance on how to organize and monitor the performance of IT across the enterprise
 IT managers: provides guidance on how best to build and structure the IT department, manage the performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy with business priorities, etc.
 Assurance providers: helps to manage dependency on external service providers, obtain assurance over IT, and ensure the existence of an effective and efficient system of internal controls
 Risk management: helps to ensure the identification and management of all IT-related risk
External stakeholders:
 Regulators: helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance
 Business partners: helps to ensure that a business partner’s operations are secure, reliable and compliant with applicable rules and regulations
 IT vendors: helps to ensure that an IT vendor’s operations are secure, reliable and compliant with applicable rules and regulations
• 18. COBIT 2019 – Overview (figure)
• 19. COBIT 2019 – Product family
Products:
 COBIT 2019 Framework: Introduction and Methodology
 COBIT 2019 Framework: Governance and Management Objectives
 COBIT 2019 Design Guide
 COBIT 2019 Implementation Guide
• 21. Some relevant best practices and standards
Area                           | Best practices                                                        | Standards                  | Regulations
Corporate governance           | God Selskabsledelse (Danish recommendations on good corporate governance), COSO | | Sarbanes-Oxley (SOX)
IT governance                  | COBIT, MoV, MoP                                                       | ISO/IEC 38500              |
IT management                  | COBIT, MoR                                                            |                            |
Enterprise architecture        | TOGAF                                                                 | ISO/IEC/IEEE 42010         |
IT service management          | ITIL, eTOM, VeriSM, SAFe                                              | ISO/IEC 20000, IT4IT       |
Information security & privacy | ISF                                                                   | ISO/IEC 27000 series       | Data protection acts, GDPR
Quality management             | Lean, EFQM, Six Sigma, testing                                        | ISO 9000                   |
Process maturity               | CMMI, TIPA                                                            | ISO/IEC 33000 series       |
Project & program management   | PRINCE2, MSP, PMBOK                                                   |                            |
Industry specific              |                                                                       |                            | GAMP, Basel II, Solvency II, FDA requirements
• 22. COBIT and related frameworks (figure, from COBIT 5, Appendix E)
• 23. Governance-related best practices and standards
 IT Governance Institute (ISACA): Board Briefing on IT Governance; COBIT
 Peter Weill and Jeanne W. Ross: IT Governance
 Cabinet Office (the portfolio now owned by AXELOS): ITIL, PRINCE2, MoR, MSP, MoV, MoP, P3O, P3M3
 ISO/IEC: ISO/IEC 38500, Governance of IT for the organization
• 24. ISO/IEC 38500
 The formal international standard for the governance of IT
 ISO/IEC 38500 is produced and owned by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
 ISO/IEC 38500 defines six principles for the governance of IT:
 Responsibility
 Strategy
 Acquisition
 Performance
 Conformance
 Human behavior
 www.iso.org
• 25. ISO/IEC 38500 – History and ownership
 ISO/IEC 38500 was originally developed by the Australian standardization organization (Standards Australia) and published as AS 8015:2005.
 It was fast-tracked through ISO/IEC and published as ISO/IEC 38500:2008, “Corporate governance of information technology”, in 2008.
 It was revised in 2015 as ISO/IEC 38500:2015, retitled “Governance of IT for the organization”; that edition is the current one.
• 26. ISO/IEC 38500 – The six principles
 Principle 1: Responsibility. Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
 Principle 2: Strategy. The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
 Principle 3: Acquisition. IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is an appropriate balance between benefits, opportunities, costs and risks, in both the short term and the long term.
• 27. ISO/IEC 38500 – The six principles (continued)
 Principle 4: Performance. IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
 Principle 5: Conformance. The use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
 Principle 6: Human behavior. IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the ‘people in the process’.
• 28. Governance activities according to ISO/IEC 38500
 Evaluate (the current and future use of IT)
 Direct (preparation and implementation of plans and policies)
 Monitor (conformance and performance)
• 30. COBIT 2019 – Six governance system principles
1. Provide stakeholder value
2. Holistic approach
3. Dynamic governance system
4. Governance distinct from management
5. Tailored to enterprise needs
6. End-to-end governance system
• 32. COBIT 2019 – Goals cascade
Stakeholder drivers and needs cascade to Enterprise goals, which cascade to Alignment goals, which cascade to Governance and management objectives.
• 33. COBIT 2019 – Enterprise goals
BSC dimension       | Ref. | Enterprise goal
Financial           | EG01 | Portfolio of competitive products and services
Financial           | EG02 | Managed business risk
Financial           | EG03 | Compliance with external laws and regulations
Financial           | EG04 | Quality of financial information
Customer            | EG05 | Customer-oriented service culture
Customer            | EG06 | Business-service continuity and availability
Customer            | EG07 | Quality of management information
Internal            | EG08 | Optimization of internal business process functionality
Internal            | EG09 | Optimization of business process costs
Internal            | EG10 | Staff skills, motivation and productivity
Internal            | EG11 | Compliance with internal policies
Learning and growth | EG12 | Managed digital transformation programs
Learning and growth | EG13 | Product and business innovation
• 34. COBIT 2019 – Alignment goals
BSC dimension       | Ref. | Alignment goal
Financial           | AG01 | I&T compliance and support for business compliance with external laws and regulations
Financial           | AG02 | Managed I&T-related risk
Financial           | AG03 | Realized benefits from I&T-enabled investments and services portfolio
Financial           | AG04 | Quality of technology-related financial information
Customer            | AG05 | Delivery of I&T services in line with business requirements
Customer            | AG06 | Agility to turn business requirements into operational solutions
Internal            | AG07 | Security of information, processing infrastructure and applications, and privacy
Internal            | AG08 | Enabling and supporting business processes by integrating applications and technology
Internal            | AG09 | Delivery of programs on time, on budget and meeting requirements and quality standards
Internal            | AG10 | Quality of I&T management information
Internal            | AG11 | I&T compliance with internal policies
Learning and growth | AG12 | Competent and motivated staff with mutual understanding of technology and business
Learning and growth | AG13 | Knowledge, expertise and initiatives for business innovation
• 35. COBIT 2019 – Mapping enterprise goals to alignment goals (figure)
• 36. COBIT 2019 – Mapping alignment goals to governance and management objectives (figure)
• 38. COBIT 2019 – Objectives
 For information and technology to contribute to enterprise goals, a number of governance and management objectives (i.e. capabilities that must be in place) should be achieved.
 A governance or management objective always relates to exactly one process, plus a series of related components of the other types that help achieve the objective.
• 39. COBIT 2019 – Objectives
 COBIT 2019 includes 5 governance objectives and 35 management objectives, covering 231 governance and management practices (controls), in five domains:
 Evaluate, Direct and Monitor (EDM; governance)
 Align, Plan and Organize (APO; management)
 Build, Acquire and Implement (BAI; management)
 Deliver, Service and Support (DSS; management)
 Monitor, Evaluate and Assess (MEA; management)
• 40. COBIT 2019 – Core model (40 objectives; figure)
• 41. COBIT 2019 – Core model
EDM01 Ensured Governance Framework Setting and Maintenance
EDM02 Ensured Benefits Delivery
EDM03 Ensured Risk Optimization
EDM04 Ensured Resource Optimization
EDM05 Ensured Stakeholder Engagement
APO01 Managed I&T Management Framework
APO02 Managed Strategy
APO03 Managed Enterprise Architecture
APO04 Managed Innovation
APO05 Managed Portfolio
APO06 Managed Budget and Costs
APO07 Managed Human Resources
APO08 Managed Relationships
APO09 Managed Service Agreements
APO10 Managed Vendors
APO11 Managed Quality
APO12 Managed Risk
APO13 Managed Security
APO14 Managed Data
• 42. COBIT 2019 – Core model (continued)
BAI01 Managed Programs
BAI02 Managed Requirements Definition
BAI03 Managed Solutions Identification and Build
BAI04 Managed Availability and Capacity
BAI05 Managed Organizational Change
BAI06 Managed IT Changes
BAI07 Managed IT Change Acceptance and Transitioning
BAI08 Managed Knowledge
BAI09 Managed Assets
BAI10 Managed Configuration
BAI11 Managed Projects
DSS01 Managed Operations
DSS02 Managed Service Requests and Incidents
DSS03 Managed Problems
DSS04 Managed Continuity
DSS05 Managed Security Services
DSS06 Managed Business Process Controls
MEA01 Managed Performance and Conformance Monitoring
MEA02 Managed System of Internal Control
MEA03 Managed Compliance with External Requirements
MEA04 Managed Assurance
• 43. COBIT 2019 – Objective – Example (figure)
• 45. COBIT 2019 – Components
To satisfy the objectives, each enterprise needs to establish, tailor and sustain a governance system built from a number of components.
 Components are factors that, individually and collectively, contribute to the good operation of the enterprise’s governance system over IT.
 Components interact with each other, resulting in a holistic governance system for IT.
 Components can be of different types.
• 46. COBIT 2019 – Components
The seven component types of a governance system:
 Processes
 Organizational structures
 Information
 People, skills and competencies
 Principles, policies and procedures
 Culture, ethics and behavior
 Services, infrastructure and applications
• 47. COBIT 2019 – Processes – Example (figure)
• 48. COBIT 2019 – Processes – Controls
 Controls are statements of managerial actions taken to increase value or reduce risk
 They are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected
 In COBIT they are called “governance practices” and “management practices”
• 49. COBIT 2019 – Processes – Control types
 Directive controls (policies, standards and procedures that tell people what must be done)
 Preventive controls (stop an undesired event from occurring, e.g. access authorization)
 Detective controls (identify an undesired event after it has occurred, e.g. log review)
 Corrective controls (restore the situation after an undesired event, e.g. backup restore)
 Compensating controls (alternative controls applied where a primary control is not feasible)
• 50. COBIT 2019 – Processes – Process-specific controls
Example: BAI06 Managed IT Changes
BAI06.01 Evaluate, prioritize and authorize change requests.
 Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether the change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.
BAI06.02 Manage emergency changes.
 Carefully manage emergency changes to minimize further incidents. Ensure the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.
BAI06.03 Track and report change status.
 Maintain a tracking and reporting system to document rejected changes and communicate the status of approved, in-process and completed changes. Make certain that approved changes are implemented as planned.
BAI06.04 Close and document the changes.
 Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.
• 51. ISO/IEC 20000-1:2011 – Requirements
9.2 Change management
A change management policy shall be established that defines:
a) CIs which are under the control of change management;
b) criteria to determine changes with the potential to have a major impact on services or the customer.
Removal of a service shall be classified as a change to a service with the potential to have a major impact. Transfer of a service from the service provider to the customer or a different party shall be classified as a change with the potential to have a major impact.
There shall be a documented procedure to record, classify, assess and approve requests for change. The service provider shall document and agree with the customer the definition of an emergency change. There shall be a documented procedure for managing emergency changes.
All changes to a service or service component shall be raised using a request for change. Requests for change shall have a defined scope.
. . .
(Note: the 2011 edition quoted here has since been superseded by ISO/IEC 20000-1:2018; check the current edition’s clause numbering before citing it in a control mapping.)
• 52. ISO/IEC 27002:2013 – Requirements
12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.
Implementation guidance. In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident.
Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.
(Note: in ISO/IEC 27002:2022 this control has been renumbered as 8.32 Change management; mappings built on the 2013 numbering need updating.)
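The BAI06 practices, the ISO/IEC 20000-1 clause and the ISO/IEC 27002 guidance above all require the same evidence from a change record: an impact assessment, authorization before implementation (or retrospective authorization for emergency changes), a fall-back plan, and closure with updated documentation. The following is an added example, not material from ISACA, ISO or the presentation, of how an assurance provider can test those controls mechanically against an export of change records. The record fields, the `ChangeRecord` class, the finding labels and the four sample records are all constructed for this example; map the fields onto your own ITSM tool’s export.

```python
"""Change-record control test (added example; not from COBIT, ISO or the slides).

Each finding is labelled with the practice or guidance item it traces to:
BAI06.01..BAI06.04 from the COBIT slide above, and 27002-c / 27002-d / 27002-g
for items c), d) and g) of ISO/IEC 27002:2013 clause 12.1.2.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    """One row of a (hypothetical) change-management export."""
    change_id: str
    category: str                      # "normal" or "emergency"
    impact_assessed: bool              # BAI06.01 / 27002 item c
    authorized_at: Optional[datetime]  # BAI06.01 / 27002 item d
    implemented_at: Optional[datetime]
    fallback_plan: bool                # 27002 item g
    closed: bool                       # BAI06.03
    docs_updated: bool                 # BAI06.04


def check_change(rec: ChangeRecord) -> List[str]:
    """Return the control expectations this record fails to evidence."""
    findings: List[str] = []
    if not rec.impact_assessed:
        findings.append("BAI06.01/27002-c: no impact or risk assessment recorded")
    if not rec.fallback_plan:
        findings.append("27002-g: no fall-back procedure recorded")
    if rec.authorized_at is None:
        if rec.category == "emergency" and rec.implemented_at is not None:
            # BAI06.02 allows implementation first, but authorization must follow.
            findings.append("BAI06.02: emergency change implemented but never retrospectively authorized")
        else:
            findings.append("BAI06.01/27002-d: change not authorized")
    elif (rec.category != "emergency" and rec.implemented_at is not None
          and rec.authorized_at > rec.implemented_at):
        findings.append("BAI06.01: non-emergency change implemented before authorization")
    if rec.implemented_at is not None:
        if not rec.closed:
            findings.append("BAI06.03: implemented change not closed")
        elif not rec.docs_updated:
            findings.append("BAI06.04: change closed without updating documentation")
    return findings


def audit_changes(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map every change ID to its list of findings (empty list = clean)."""
    return {rec.change_id: check_change(rec) for rec in records}


def summarize(results: Dict[str, List[str]]) -> Dict[str, int]:
    """Count findings per control reference, for the assurance report."""
    counts: Dict[str, int] = {}
    for findings in results.values():
        for finding in findings:
            ref = finding.split(":")[0]
            counts[ref] = counts.get(ref, 0) + 1
    return counts


# Constructed sample export: one clean record and three with control gaps.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "normal", True, datetime(2019, 3, 4, 9, 0),
                 datetime(2019, 3, 6, 22, 0), True, True, True),
    # Authorization stamped two hours after the implementation time.
    ChangeRecord("CHG-1002", "normal", True, datetime(2019, 3, 7, 10, 0),
                 datetime(2019, 3, 7, 8, 0), True, True, True),
    # Emergency change pushed at night, never assessed, authorized or closed.
    ChangeRecord("CHG-1003", "emergency", False, None,
                 datetime(2019, 3, 8, 3, 0), False, False, False),
    # Closed, but the documentation was not updated.
    ChangeRecord("CHG-1004", "normal", True, datetime(2019, 3, 9, 9, 0),
                 datetime(2019, 3, 10, 1, 0), True, True, False),
]

if __name__ == "__main__":
    results = audit_changes(SAMPLE_CHANGES)
    for change_id, findings in results.items():
        print(change_id, "OK" if not findings else findings)
    print(summarize(results))
```

The timing comparison is the check most often missing from manual reviews: an approval that exists but postdates the implementation timestamp is evidence of a non-emergency change that bypassed authorization, not of a working control.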
• 53. Compliance requirements
 Security standards
 Privacy legislation
 Spam legislation
 Trade practices legislation
 Intellectual property rights, including software licensing agreements
 Record-keeping requirements
 Environmental legislation and regulations
 Health and safety legislation
 Accessibility legislation
 Social responsibility standards
 . . .
• 54. Mapping compliance requirements
Control objectives from the three sources are mapped onto one set of internal control documentation (policy, process, procedure, work instructions, roles, in a control objective database):
COBIT: BAI10.03 Maintain an up-to-date repository of configuration items (CIs) by populating any configuration changes. . . .
ISO/IEC 20000: 9.1 Configuration management shall provide information to the change management process on the impact of a requested change on the service and infrastructure configurations . . .
ISO/IEC 27000 series: 7.1 Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned . . .
• 55. COBIT 2019 – Organizational structures – Example (figure)
• 56. COBIT 2019 – Information – Example (figure)
• 57. COBIT 2019 – People, skills and competencies – Example
The people, skills and competencies governance component identifies the human resources and skills required to achieve the governance or management objective. COBIT 2019 bases this guidance on the Skills Framework for the Information Age (SFIA) version 6. All listed skills are described in detail in the SFIA framework; the detailed reference provides a unique code that correlates to the SFIA guidance on the skill.
• 58. COBIT 2019 – Policies and procedures – Example (figure)
• 59. COBIT 2019 – Culture, ethics and behavior – Example (figure)
• 60. COBIT 2019 – Services, infrastructure and applications – Example (figure)
• 62. COBIT 2019 – Design factors
Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of IT. Design factors include any combination of the following:
1. Enterprise strategy
2. Enterprise goals
3. Risk profile
4. IT-related issues
5. Threat landscape
6. Compliance requirements
7. Role of IT
8. Sourcing model for IT
9. IT implementation methods
10. Technology adoption strategy
11. Enterprise size
• 63. COBIT 2019 – Design factors
1. Enterprise strategy. Organizations typically have a primary strategy and, at most, one secondary strategy. Enterprises can have different strategies, which can be expressed as one or more of the following archetypes:
Strategy archetype          | Explanation
Growth/Acquisition          | The enterprise has a focus on growing (revenues)
Innovation/Differentiation  | The enterprise has a focus on offering different and/or innovative products and services to its clients
Cost leadership             | The enterprise has a focus on short-term cost minimization
Client service/Stability    | The enterprise has a focus on providing stable and client-oriented service
• 64. COBIT 2019 – Design factors
2. Enterprise goals supporting the enterprise strategy:
BSC dimension | Ref. | Enterprise goal
Financial     | EG01 | Portfolio of competitive products and services
Financial     | EG02 | Managed business risk
Financial     | EG03 | Compliance with external laws and regulations
Financial     | EG04 | Quality of financial information
Customer      | EG05 | Customer-oriented service culture
Customer      | EG06 | Business-service continuity and availability
Customer      | EG07 | Quality of management information
Internal      | EG08 | Optimization of internal business process functionality
Internal      | EG09 | Optimization of business process costs
Internal      | EG10 | Staff skills, motivation and productivity
Internal      | EG11 | Compliance with internal policies
Growth        | EG12 | Managed digital transformation programs
Growth        | EG13 | Product and business innovation
• 65. COBIT 2019 – Design factors
3. Risk profile of the enterprise, rated per risk category:
1. IT investment decision making, portfolio definition and maintenance
2. Program and project life cycle management
3. IT cost and oversight
4. IT expertise, skills and behavior
5. Enterprise/IT architecture
6. IT operational infrastructure incidents
7. Unauthorized actions
8. Software adoption/usage problems
9. Hardware incidents
10. Software failures
11. Logical attacks (hacking, malware, etc.)
12. Third-party/supplier incidents
13. Noncompliance
14. Geopolitical issues
15. Industrial action
16. Acts of nature
17. Technology-based innovation
18. Environmental
19. Data and information management
• 66. COBIT 2019 – Design factors
4. IT-related issues. The most common issues include:
A. Frustration between different IT entities across the organization because of a perception of low contribution to business value
B. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
C. Significant I&T-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
D. Service delivery problems by the IT outsourcer(s)
E. Failures to meet IT-related regulatory or contractual requirements
F. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
G. Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets
H. Duplications or overlaps between various initiatives, or other forms of wasted resources
I. Insufficient IT resources, staff with inadequate skills, or staff burnout/dissatisfaction
J. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
K. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
L. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
M. Excessively high cost of IT
• 67. COBIT 2019 – Design factors
4. IT-related issues (continued):
N. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
O. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
P. Regular issues with data quality and integration of data across various sources
Q. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put into operation
R. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services)
S. Ignorance of and/or noncompliance with privacy regulations
T. Inability to exploit new technologies or innovate using I&T
• 68. COBIT 2019 – Design factors
5. Threat landscape under which the enterprise operates:
Threat landscape | Explanation
Normal           | The enterprise is operating under what are considered normal threat levels.
High             | Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
• 69. COBIT 2019 – Design factors
6. Compliance requirements to which the enterprise is subject:
Regulatory environment        | Explanation
Low compliance requirements    | The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
Normal compliance requirements | The enterprise is subject to a set of regular compliance requirements that are common across different industries.
High compliance requirements   | The enterprise is subject to higher-than-average compliance requirements, most often related to its industry sector or geopolitical conditions.
• 70. COBIT 2019 – Design factors
7. Role of IT for the enterprise:
Role of IT | Explanation
Support    | IT is not crucial for the running and continuity of the business processes and services, nor for their innovation.
Factory    | When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
Turnaround | IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency on IT for the current running and continuity of the business processes and services.
Strategic  | IT is critical for both running and innovating the organization’s business processes and services.
• 71. COBIT 2019 – Design factors
8. Sourcing model for IT that the enterprise adopts:
Sourcing model | Explanation
Outsourcing    | The enterprise calls upon the services of a third party to provide IT services.
Cloud          | The enterprise maximizes the use of the cloud for providing IT services to its users.
Insourced      | The enterprise provides its own IT staff and services.
Hybrid         | A mixed model is applied, combining the other three models in varying degrees.
• 72. COBIT 2019 – Design factors
9. IT implementation methods that the enterprise adopts:
Implementation method | Explanation
Agile                 | The enterprise uses Agile development working methods for its software development.
DevOps                | The enterprise uses DevOps working methods for software building, deployment and operations.
Traditional           | The enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
Hybrid                | The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT”.
• 73. COBIT 2019 – Design factors
10. Technology adoption strategy:
Adoption strategy | Explanation
First mover       | The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
Follower          | The enterprise typically waits for new technologies to become mainstream and proven before adopting them.
Slow adopter      | The enterprise is very late with the adoption of new technologies.
• 74. COBIT 2019 – Design factors
11. Enterprise size:
Enterprise size             | Explanation
Large enterprise (default)  | Enterprise with more than 250 full-time employees (FTEs)
Small and medium enterprise | Enterprise with 50 to 250 FTEs
• 75. COBIT 2019 – Design factors
COBIT 2019 Governance System Design Workbook – canvas (figure)
• 77. COBIT 2019 – Focus areas
A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
 Examples of focus areas include: small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy and DevOps.
 Focus areas may contain a combination of generic governance components and variants.
 The number of focus areas is virtually unlimited. That is what makes COBIT open-ended.
• 79. COBIT 2019 – Performance management
The COBIT Performance Management (CPM) model largely aligns with the CMMI Development concepts:
 Process activities are associated with capability levels in the Governance and Management Objectives guide.
 Other governance and management component types (e.g. organizational structures, information) may also have capability levels defined for them in future guidance.
 Maturity levels are associated with focus areas (i.e. a collection of governance and management objectives and their underlying components) and are achieved when all required capability levels are achieved.
• 80. COBIT 2019 – Performance management
Capability and maturity levels (figure): capability levels apply to processes and to the other types of governance and management components; maturity levels apply to focus areas.
• 81. COBIT 2019 – Performance management
Capability levels for processes:
0: Lack of any basic capability; incomplete approach to addressing the governance and management purpose; may or may not be meeting the intent of any process practices.
1: The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive, not very organized.
2: The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
3: The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.
4: The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
5: The process achieves its purpose, is well defined, its performance is measured to improve performance, and continuous improvement is pursued.
• 82. COBIT 2019 – Performance management
The COBIT core model assigns capability levels to all process activities, enabling a clear definition of the processes and required activities for achieving the different capability levels.
• 83. COBIT 2019 – Performance management
COBIT also provides guidance on how to assign capability levels to the other governance and management component types, such as:
 Organizational structures
 Information
 Culture and behavior
• 84. COBIT 2019 – Performance management
Maturity levels for focus areas:
0 Incomplete: Work may or may not be completed toward achieving the purpose of the governance and management objectives in the focus area.
1 Initial: Work is completed, but the full goal and intent of the focus area are not yet achieved.
2 Managed: Planning and performance measurement take place, although not yet in a standardized way.
3 Defined: Enterprise-wide standards provide guidance across the enterprise.
4 Quantitative: The enterprise is data driven, with quantitative performance improvement.
5 Optimizing: The enterprise is focused on continuous improvement.
• 86. COBIT 2019 – Governance system design workflow (figure)
• 87. COBIT 2019 – Implementation road map
The COBIT implementation approach comprises seven phases:
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?
• 88. COBIT 2019 – Design vs. implementation
Connection points between the COBIT Design Guide and the COBIT Implementation Guide:
COBIT Implementation Guide                                          | COBIT Design Guide
Phase 1: What are the drivers? (continuous improvement [CI] tasks)   | Step 1: Understand the enterprise context and strategy.
Phase 2: Where are we now? (CI tasks)                                | Step 2: Determine the initial scope of the governance system. Step 3: Refine the scope of the governance system. Step 4: Conclude the governance system design.
Phase 3: Where do we want to be? (CI tasks)                          | Step 4: Conclude the governance system design.
• 89. COBIT 2019 – Overview (figure; conclusion)
• 91. Contact
Christian F. Nissen, cfn@cfnconsult.dk, +45 40 19 41 45
CFN Consult ApS, Nysoevang 15A, DK-2750 Ballerup, CVR: 39 36 47 86