My presentation (in EN) from itSMF Pomorze (Poland) meeting. It shows how to combine SCRUM agility in product development with Corporate Governance controls from COBIT.

1. How to? Combining SCRUM with
Corporate Compliance (COBIT AI.6)

2. Intro
Is there a way to combine
agile and flexible product
development aproach &
requirements of Corporate
Governance?

3. SCRUM – rules and agreements
 Iterations
 Each sprint delivers „closed”, working functionality
 Flexible, allows frequent change of direction
 Responsibility for the product delivery and quality
 Accordingly to Product/Story Owner requirements

4. COBIT – Change Control (AI6)

5. Characteristics of SCRUM & COBIT
SCRUM
• Rapid (Agile), and
iterationary delivery of
products
• Moderate to high
changeability
• Flexible approach
• No guarantee (high apetite
for risk)
COBIT
• Stabilization (through using
controls)
• Preffered low changeability
• „Strict” requirements
• Required guarantee (low
apetite for risk)

6. So we’re done… You cannot
provide high changeability of
product and provide
stabilization at the time.
Really? What if we look at
rules and agreement in
SCRUM?

7. Problem Statement
How to, using SCRUM mechanisms,
deliver proof of following COBIT
controls???

8. Roles in SCRUM
SCRUM
Master
Product
Owner
Developer
 Product Backlog
 Authorization for DoD
 Authorization for
sprints
 Validation of DoD i
sprints’ products
 Coordination
 SCRUM
„compliance”
 „Accountancy” of
sprints/team
 Estimation
 Production
 QA
 Deployment

9. Roles in SCRUM (2)
SCRUM
Master
Product
Owner
Developer Developer Developer
QA
QA
QA
Definition
Control
Validation
ACTIVITY
Develop and implement the process
to consistently record, assess, and
prioritise change requests.
Assess impact and prioritise changes
based on business needs 
Assure that any emergency and
critical change follows the approved
process
Authorise changes
Manage and disseminate relevant
information regarding changes.

10. SCRUM tasks’ types & Products distribution
EPIC
STORY
STORY
BUGBUGBUG
 Bug ->Sprints’
technological debt ->
Emergency Change
 Epic<>Story – ability
to use SoD (e.g.
Test/Prod deployment
done in diff. Stories of
the same Epic
 Sprint & Product
backlog Mgmt -
prioritization

11. SCRUM tasks’ types & Products distribution (2)
Backlog of Sprint 1
 Task 1
 Task 2
 Task 3
 Task 4
Backlog of Sprint 2
 Task 5
 Task 6
 Task 7
 Task 8
OK, what about
Authorization? We spoke
about it yet…
ACTIVITY OK?
Develop and implement the process to
consistently record, assess, and
prioritise change requests.
Assess impact and prioritise changes
based on business needs 
Assure that any emergency and critical
change follows the approved process 
Authorise changes
Manage and disseminate relevant
information regarding changes.

12. Authorization of changes
 Product Backlog
 Authorization for DoD
 Authorization for
sprints
 Validation of DoD i
sprints’ products
Product
Owner
Product Owner is responsible for
authorization. This role manages both
authorization and prioritization of
tasks/products. If there is more
stakeholders – PO is responsible for gaining
decisions and final authorization.
ACTIVITY OK?
Develop and implement the process to
consistently record, assess, and
prioritise change requests.
Assess impact and prioritise changes
based on business needs 
Assure that any emergency and critical
change follows the approved process 
Authorise changes

Manage and disseminate relevant
information regarding changes.

13. OK, We got 3 of 5 controls
checked. 2 remaining?
Lets see…

14. Information about Changes
We need some assumptions for
our SCRUM „agreement”:
1. SCRUM is transparent – we
do not hide product nor
information
2. SCRUM has wing-2-wing
responsibility for products
3. Product Owner is acting as
Customer/users
representative.
Makes sense…

15. Information about Changes (2)
Product
Owner
Product Owner is responsible for
communication. Depending on product,
actual comm actions may differ. They will
cover checks from public access to backlog
through sprints scope access up to specific
channels related to particular deploys.
Users, Customer, Other POs, Teams, etc.
ACTIVITY OK?
Develop and implement the process to consistently record, assess, and prioritise
change requests.
Assess impact and prioritise changes based on business needs 
Assure that any emergency and critical change follows the approved process 
Authorise changes 
Manage and disseminate relevant information regarding changes. 

16. What about prioritization of
CRs…
It’s the simplest thing:
1. User Story
2. Product Backlog
3. Sprint Backlog
4. PO’s decision

17. Problem Solved!
ACTIVITY OK?
Develop and implement the process to consistently record, assess, and
prioritise change requests.

Assess impact and prioritise changes based on business needs 
Assure that any emergency and critical change follows the approved
process

Authorise changes 
Manage and disseminate relevant information regarding changes. 

18. Is that all?
Of course we have not shown everything.
Apart from CC (AI 6) there is in COBIT
many areas around changes. However
„mind/toolset” is similar. It requires basic
knowledge:
a) Acknowledgement that SCRUM is based
on Human-2-Human interactions
b) Acknowledgement that meeting the
controls don’t have to be machine
interface one. Control Models require
validation/documentation.

19. What else?
PCI
(VISA)
Similar approach
a bit different SoD
and some details
ISO20000Similar approach ITIL ChM
Other
models
I duknow…
Dont be afrais of
asking! 
CMMi
100% compatibility
(with given
requirements)
100% compatibility
(with given
requirements)

20. ???
…
Discussion?

21. Thanks!
Przemek Wysota
ITSM/IT Management Expert
Contact
Mail: przemek.wysota@outlook.com
Tweet: @pwysota
LinkedIn: https://pl.linkedin.com/in/przemekwysota