
Transcript of CobiT4_0

  • 8/4/2019 CobiT4_0

    Slide 1/20

    CobiT 4.0:

    Causes & Changes

    Presenter:

    Girard Jergensen, CISA, Office of the State Auditor & Inspector

  • Slide 2/20

    Overview

    History of COBIT

    Evolution of COBIT

    Meeting Changes in the Business Environment

    Focus of the Update

    Changes to the Components

    Layout of COBIT 4.0

    COBIT 4.0 vs. COBIT 3rd Edition

  • Slide 3/20

    History of the CobiT framework

    The COBIT (Control Objectives for Information and related Technology) framework was defined in the first edition, published in 1994.

    Research for the first and second editions (released in 1998) included the collection and analysis of identified international sources and was carried out by teams in:
      - Europe: Free University of Amsterdam (The Netherlands)
      - US: California Polytechnic University
      - Australia: University of New South Wales

    The COBIT 3rd Edition project (released in 2000) consisted of developing the management guidelines and updating the second edition based on new and revised international references.

    The COBIT framework was revised and enhanced to:
      - Support increased management control
      - Introduce performance management
      - Further develop IT governance

  • Slide 4/20

    Evolution of CobiT

    It is the intention of ITGI and its COBIT Steering Committee to continuously evolve the COBIT body of knowledge through:
      - Research into several detailed aspects of the control objectives and the management guidelines, based on the expertise and volunteer teams of ISACA members, COBIT users, expert advisors and academics. Some specific research projects were assigned to business schools such as the University of Antwerp Management School (UAMS, Belgium) and the University of Hawaii (USA).
      - Large workshops of 40 to 50 international experts focusing on the control objectives, management guidelines and maturity model components of the framework.
      - An exposure draft to more than 90 specialists, which completed the production process.

    GOAL: Not a global analysis of all material or a redevelopment of the control objectives, but to provide an incremental update process.

  • Slide 5/20

    Meeting Changes in the Business Environment

    Increasing IT management focus
      - Management and control guidance suitable for the current IT operational environment

    More varied assurance audience
      - Auditors, regulators, security experts and others involved in providing assurance about the performance of IT in many different circumstances

    Greater focus on governance at board levels
      - Business focus and mechanisms for aligning the management and control of IT objectives with the needs of the enterprise

  • Slide 6/20

    Meeting Changes in the Business Environment

    Increased maturity of IT best practices and standards
      - As enterprises increasingly adopt specialized guidance such as ITIL and ISO 17799, COBIT can be used as the integrator and overarching umbrella framework and continue to be regarded as highly credible and practical guidance for overall IT control

    Integrated use by the three main target audiences: management, IT and auditors
      - Structure, presentation and language used provide for easier understanding and application by management-level stakeholders as well as practitioners and professionals

    Growth in regulation and compliance
      - Making sure that COBIT covers the full scope of IT governance
      - Mapping to IT governance domains and the COSO framework
      - Continued regard as THE IT control framework for IT governance

  • Slide 7/20

    Focus in the Update to CobiT 4.0

    IT governance
      - Based on the five domains of alignment, value delivery, risk management, resource management and performance measurement, as defined by ITGI. Analysis showed some gaps that have now been filled by adjusting some of the IT process titles and adding some new control objectives. COBIT 4.0 also contains a matrix mapping all IT processes to the governance domains.

    Business requirements
      - Extensive research provided a generic cross-reference of common business goals to IT goals. A table is provided showing the relationship among business goals, IT goals and COBIT's IT processes to help users identify business-to-IT linkages in their own organizations. This was also used to improve the goal and performance metrics.

    Harmonization
      - Refined terms and principles to integrate COBIT more easily with other guidance, such as ITIL, ISO 17799, PMBOK and PRINCE 2

    Value creation
      - COBIT has placed a strong emphasis on controls to manage risk. COBIT 4.0 provides a better balance between risk and value

  • Slide 8/20

    Focus in the Update to CobiT 4.0

    Enterprise architecture
      - COBIT 4.0 provides RACI charts (who is responsible, accountable, consulted and informed) to address process roles and responsibilities for each IT process, and enterprise architecture principles are now explained within the framework, linking goals, resources, information and processes.

    Process definitions and process flows
      - To improve understanding of the IT process model, COBIT 4.0 contains descriptions of each process together with process inputs and outputs, with cross-references to other processes.

    Language and presentation
      - More concise, contemporary and action-oriented language has been used in COBIT 4.0. The control objectives and management guideline content have been combined by IT process.

    Feedback
      - Comments and recommendations are received on a regular basis from users and these, together with feedback from three COBIT User Conventions, were used to help improve the content of COBIT 4.0.

  • Slide 9/20

    Components Changed in CobiT 4.0

    Control Objectives

    COBIT / IT governance alignment
      - Bottom-up: an analysis of how the detailed Control Objectives can be mapped to the five IT Governance domains, to identify potential gaps
      - Top-down: research into important IT Governance practices that are not yet (fully) covered in COBIT 3.0, to be able to address potential gaps

    A detailed mapping between COBIT and ITIL, CMM, COSO, PMBOK, ISF and ISO/IEC 17799, to enable harmonization with those standards in language, definitions and concepts.

    The M domain has now become ME, standing for Monitor and Evaluate.
      - M3 and M4 were audit processes and not IT processes. They have been replaced, but hooks have been provided within the updated framework to highlight management's need for, and use of, assurance functions.
      - ME3 (Ensure regulatory compliance) is the process related to regulatory oversight, previously covered by PO8.
      - ME4 (Provide IT governance) covers the process of governance oversight over IT.

    To keep the numbering for PO9 Assess risk and PO10 Manage projects consistent with COBIT 3rd Edition, PO11 Manage quality moves to PO8.

    AI7 added. It covers what was originally in AI5, along with release management. AI5 now covers the procurement process.

  • Slide 10/20

    Components Changed in CobiT 4.0

    Management Guidelines

    Clarification of KGI-KPI causal relationships
      - Identifying in more detail how KPIs drive the achievement of the KGIs

    Review of the quality of the KGIs, KPIs and CSFs
      - Based on the KPI/KGI causal relationship analysis, improve the quality of the metrics
      - Splitting the CSFs into what one needs from others (inputs) and what one needs to do oneself (management practices)

    Detailed analysis of metrics concepts
      - Detailed development with metrics experts to enhance the metrics concepts, building up a cascade of process-IT-business metrics and identifying quality criteria for metrics

    Linking business goals, IT goals and IT processes
      - Detailed research in eight different industries, resulting in a more detailed insight into how COBIT processes support the achievement of specific IT goals and, by extension, business goals; results then generalized

    Review of the maturity model contents
      - Ensuring consistency and quality of maturity levels between and within processes, including improved and expanded definitions of maturity model attributes

  • Slide 11/20

    Layout of CobiT 4.0

    The new COBIT volume consists of four sections:
      - The executive overview
      - The framework
      - The core content (high-level and detailed control objectives, management guidelines and maturity models)
      - Appendices (various mappings and cross-references, more maturity model information, reference material, a project description and a glossary)

    The core content is divided according to the 34 IT processes. Each process is covered in four sections, each approximately one page:
      - The high-level control objective for the process:
        - A process description summarizing the process objectives
        - A high-level control objective represented in a waterfall summarizing process goals, metrics and practices
        - The mapping of the process to the process domains, information criteria and IT resources
      - The detailed control objectives for the process
      - Management guidelines: the process inputs and outputs, a RACI (responsible, accountable, consulted and/or informed) chart, goals and metrics
      - The maturity model for the process

  • Slide 12/20

    Layout of CobiT 4.0

    Another way of viewing the process performance content:
      - Process inputs are what the process owner needs from others.
      - The process description describes what the process owner needs to do.
      - The process outputs are what the process owner has to deliver.
      - The goals and metrics show how the process should be measured.
      - The RACI chart defines what has to be delegated, and to whom.
      - The maturity model shows how the process can be improved.

  • Slide 13/20

    CobiT 4.0 Maturity Model

    0 Non-existent. Complete lack of any recognizable processes.

    1 Initial. There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

    2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

  • Slide 14/20

    CobiT 4.0 Maturity Model

    3 Defined. Procedures have been standardized and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

    4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

    5 Optimized. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

  • Slide 15/20

    Portions of CobiT 3rd Edition Covered by 4.0

    COBIT 4.0 contains a new Executive Summary, Framework, Control Objectives and Management Guidelines. Work is underway to update the Control Practices and Audit Guidelines to reflect the changes in the COBIT framework and content at 4.0.

    The Implementation Tool Set was superseded by the IT Governance Implementation Guide, released in 2003, although the Implementation Tool Set is still available.

  • Slide 16/20

    Does CobiT 4.0 replace CobiT 3rd Edition?

    No. COBIT 4.0 is an enhancement of COBIT 3rd Edition and in no way invalidates any implementation or execution activities based on COBIT 3rd Edition.

    The introduction of COBIT 4.0 provides the opportunity to further improve IT governance and control arrangements, where appropriate.

    Mappings to support this transition are included in a COBIT 4.0 appendix, and release 3.2 of COBIT Online will remain available, in a frozen state, to support transition activity.

    Future COBIT update activity will take place electronically and on an ongoing basis via new releases of COBIT Online.

    Occasional print copies will be released when the update activity warrants.

  • Slide 17/20

    Acquiring CobiT 4.0

    COBIT 4.0 is downloadable (free, PDF), and can also be purchased (printed book) at

    http://www.isaca.org/bookstore

    along with other COBIT and IT Governance products.

  • Slide 18/20

    Sources

    www.isaca.org
      - CobiT 4.0 FAQ
      - CobiT 3rd Edition (PDF)
      - CobiT 4.0 (PDF)
      - CobiT 4.0 Pamphlet

  • Slide 19/20

    ISACA Education

  • Slide 20/20

    Reference/Research

    K-NET

    K-NET contains over 5,200 peer-reviewed web site resources pertaining to knowledge covering IT Governance, Assurance, Security and Control. Full access to K-NET is reserved for association members. In addition, a personalized tracking feature, which notifies users on a weekly basis of new references within their areas of focus, is also reserved for members (see the 'track-updates' link throughout K-NET). Reference items are organized into logical categories of interest and concern.

    Search-style data engine.