
A Business Framework for the Governance and Management of Enterprise IT

Personal Copy of: Oo2 Formations

ISACA

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the non-profit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed this publication, COBIT 5 (the 'Work'), primarily as an educational resource for governance of enterprise IT (GEIT), assurance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, readers should apply their own professional judgement to the specific GEIT, assurance, risk and security circumstances presented by the particular systems or information technology environment.

Copyright 2012 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: 1.847.253.1545
Fax: 1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Feedback: www.isaca.org/cobit
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join the COBIT conversation on Twitter: #COBIT
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

COBIT 5
ISBN 978-1-60420-237-3
Printed in the United States of America

Acknowledgements

ISACA wishes to recognise:

COBIT 5 Task Force (2009–2011)
John W. Lainhart, IV, CISA, CISM, CGEIT, IBM Global Business Services, USA, Co-chair
Derek J. Oliver, Ph.D., DBA, CISA, CISM, CRISC, CITP, FBCS, FISM, MInstISP, Ravenswood Consultants Ltd., UK, Co-chair
Pippa G. Andrews, CISA, ACA, CIA, KPMG, Australia
Elisabeth Judit Antonsson, CISM, Nordea Bank, Sweden
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Steven De Haes, Ph.D., University of Antwerp Management School, Belgium
Peter Harrison, CGEIT, FCPA, IBM Australia Ltd., Australia
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Robert D. Johnson, CISA, CISM, CGEIT, CRISC, CISSP, Bank of America, USA
Erik H.J.M. Pols, CISA, CISM, Shell International-ITCI, The Netherlands
Vernon Richard Poole, CISM, CGEIT, Sapphire, UK
Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India

Development Team
Floris Ampe, CISA, CGEIT, CIA, ISO 27000, PwC, Belgium
Gert du Preez, CGEIT, PwC, Canada
Stefanie Grijp, PwC, Belgium
Gary Hardy, CGEIT, IT Winners, South Africa
Bart Peeters, PwC, Belgium
Geert Poels, Ghent University, Belgium
Dirk Steuperaert, CISA, CGEIT, CRISC, IT In Balance BVBA, Belgium

Workshop Participants
Gary Baker, CGEIT, CA, Canada
Brian Barnier, CGEIT, CRISC, ValueBridge Advisors, USA
Johannes Hendrik Botha, MBCS-CITP, FSM, getITright Skills Development, South Africa
Ken Buechler, CGEIT, CRISC, PMP, Great-West Life, Canada
Don Caniglia, CISA, CISM, CGEIT, FLMI, USA
Mark Chaplin, UK
Roger Debreceny, Ph.D., CGEIT, FCPA, University of Hawaii at Manoa, USA
Mike Donahue, CISA, CISM, CGEIT, CFE, CGFM, CICA, Towson University, USA
Urs Fischer, CISA, CRISC, CPA (Swiss), Fischer IT GRC Consulting & Training, Switzerland
Bob Frelinger, CISA, CGEIT, Oracle Corporation, USA
James Golden, CISM, CGEIT, CRISC, CISSP, IBM, USA
Meenu Gupta, CISA, CISM, CBP, CIPP, CISSP, Mittal Technologies, USA
Gary Langham, CISA, CISM, CGEIT, CISSP, CPFA, Australia
Nicole Lanza, CGEIT, IBM, USA
Philip Le Grand, PRINCE2, Ideagen Plc, UK
Debra Mallette, CISA, CGEIT, CSSBB, Kaiser Permanente IT, USA
Stuart MacGregor, Real IRM Solutions (Pty) Ltd., South Africa
Christian Nissen, CISM, CGEIT, FSM, CFN People, Denmark
Jamie Pasfield, ITIL V3, MSP, PRINCE2, Pfizer, UK
Eddy J. Schuermans, CGEIT, Esras bvba, Belgium
Michael Semrau, RWE Germany, Germany
Max Shanahan, CISA, CGEIT, FCPA, Max Shanahan & Associates, Australia
Alan Simmonds, TOGAF9, TCSA, PreterLex, UK
Cathie Skoog, CISM, CGEIT, CRISC, IBM, USA
Dejan Slokar, CISA, CGEIT, CISSP, Deloitte & Touche LLP, Canada
Roger Southgate, CISA, CISM, UK
Nicky Tiesenga, CISA, CISM, CGEIT, CRISC, IBM, USA
Wim Van Grembergen, Ph.D., University of Antwerp Management School, Belgium
Greet Volders, CGEIT, Voquals N.V., Belgium
Christopher Wilken, CISA, CGEIT, PwC, USA
Tim M. Wright, CISA, CRISC, CBCI, GSEC, QSA, Kingston Smith Consulting LLP, UK

Expert Reviewers
Mark Adler, CISA, CISM, CGEIT, CRISC, Commercial Metals Company, USA
Wole Akpose, Ph.D., CGEIT, CISSP, Morgan State University, USA
Krzysztof Baczkiewicz, CSAM, CSOX, Eracent, Poland
Roland Bah, CISA, MTN Cameroon, Cameroon
Dave Barnett, CISSP, CSSLP, USA
Max Blecher, CGEIT, Virtual Alliance, South Africa
Ricardo Bria, CISA, CGEIT, CRISC, Meycor GRC, Argentina
Dirk Bruyndonckx, CISA, CISM, CGEIT, CRISC, MCA, KPMG Advisory, Belgium
Donna Cardall, UK
Debra Chiplin, Investors Group, Canada
Sara Cosentino, CA, Great-West Life, Canada
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett Packard, USA
Philip de Picker, CISA, MCA, National Bank of Belgium, Belgium
Abe Deleon, CISA, IBM, USA
Stephen Doyle, CISA, CGEIT, Department of Human Services, Australia
Heidi L. Erchinger, CISA, CRISC, CISSP, System Security Solutions, Inc., USA
Rafael Fabius, CISA, CRISC, Uruguay
Urs Fischer, CISA, CRISC, CPA (Swiss), Fischer IT GRC Consulting & Training, Switzerland
Bob Frelinger, CISA, CGEIT, Oracle Corporation, USA
Yalcin Gerek, CISA, CGEIT, CRISC, ITIL Expert, ITIL V3 Trainer, PRINCE2, ISO/IEC 20000 Consultant, Turkey
Edson Gin, CISA, CISM, CFE, CIPP, SSCP, USA
James Golden, CISM, CGEIT, CRISC, CISSP, IBM, USA
Marcelo Hector Gonzalez, CISA, CRISC, Banco Central Republic Argentina, Argentina
Erik Guldentops, University of Antwerp Management School, Belgium
Meenu Gupta, CISA, CISM, CBP, CIPP, CISSP, Mittal Technologies, USA
Angelica Haverblad, CGEIT, CRISC, ITIL, Verizon Business, Sweden
Kim Haverblad, CISM, CRISC, PCI QSA, Verizon Business, Sweden
J. Winston Hayden, CISA, CISM, CGEIT, CRISC, South Africa
Eduardo Hernandez, ITIL V3, HEME Consultores, Mexico
Jorge Hidalgo, CISA, CISM, CGEIT, ATC, Lic. Sistemas, Argentina
Michelle Hoben, Media 24, South Africa
Linda Horosko, Great-West Life, Canada
Mike Hughes, CISA, CGEIT, CRISC, 123 Consultants, UK
Grant Irvine, Great-West Life, Canada
Monica Jain, CGEIT, CSQA, CSSBB, Southern California Edison, USA
John E. Jasinski, CISA, CGEIT, SSBB, ITIL Expert, USA
Masatoshi Kajimoto, CISA, CRISC, Japan
Joanna Karczewska, CISA, Poland
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Eddy Khoo S. K., Prudential Services Asia, Malaysia
Marty King, CISA, CGEIT, CPA, Blue Cross Blue Shield NC, USA
Alan S. Koch, ITIL Expert, PMP, ASK Process Inc., USA
Gary Langham, CISA, CISM, CGEIT, CISSP, CPFA, Australia
Jason D. Lannen, CISA, CISM, TurnKey IT Solutions, LLC, USA
Nicole Lanza, CGEIT, IBM, USA
Philip Le Grand, PRINCE2, Ideagen Plc, UK
Kenny Lee, CISA, CISM, CISSP, Bank of America, USA
Brian Lind, CISA, CISM, CRISC, Topdanmark Forsikring A/S, Denmark
Bjarne Lonberg, CISSP, ITIL, A.P. Moller - Maersk, Denmark
Stuart MacGregor, Real IRM Solutions (Pty) Ltd., South Africa
Debra Mallette, CISA, CGEIT, CSSBB, Kaiser Permanente IT, USA
Charles Mansour, CISA, Charles Mansour Audit & Risk Service, UK
Cindy Marcello, CISA, CPA, FLMI, Great-West Life & Annuity, USA
Nancy McCuaig, CISSP, Great-West Life, Canada
John A. Mitchell, Ph.D., CISA, CGEIT, CEng, CFE, CITP, FBCS, FCIIA, QiCA, LHS Business Control, UK
Makoto Miyazaki, CISA, CPA, Bank of Tokyo-Mitsubishi, UFJ Ltd., Japan
Lucio Augusto Molina Focazzio, CISA, CISM, CRISC, ITIL, Independent Consultant, Colombia
Christian Nissen, CISM, CGEIT, FSM, ITIL Expert, CFN People, Denmark
Tony Noblett, CISA, CISM, CGEIT, CISSP, USA
Ernest Pages, CISA, CGEIT, MCSE, ITIL, Sciens Consulting LLC, USA
Jamie Pasfield, ITIL V3, MSP, PRINCE2, Pfizer, UK
Tom Patterson, CISA, CGEIT, CRISC, CPA, IBM, USA
Robert Payne, CGEIT, MBL, MCSSA, PrM, Lode Star Strategy Consulting, South Africa
Andy Piper, CISA, CISM, CRISC, PRINCE2, ITIL, Barclays Bank Plc, UK
Andre Pitkowski, CGEIT, CRISC, OCTAVE, ISO27000LA, ISO31000LA, APIT Consultoria de Informatica Ltd., Brazil
Dirk Reimers, Hewlett-Packard, Germany
Steve Reznik, CISA, ADP, Inc., USA
Robert Riley, CISSP, University of Notre Dame, USA
Martin Rosenberg, Ph.D., Cloud Governance Ltd., UK
Claus Rosenquist, CISA, CISSP, Nets Holding, Denmark
Jeffrey Roth, CISA, CGEIT, CISSP, L-3 Communications, USA
Cheryl Santor, CISSP, CNA, CNE, Metropolitan Water District, USA
Eddy J. Schuermans, CGEIT, ESRAS bvba, Belgium
Michael Semrau, RWE Germany, Germany
Max Shanahan, CISA, CGEIT, FCPA, Max Shanahan & Associates, Australia
Alan Simmonds, TOGAF9, TCSA, PreterLex, UK
Dejan Slokar, CISA, CGEIT, CISSP, Deloitte & Touche LLP, Canada
Jennifer Smith, CISA, CIA, Salt River Pima Maricopa Indian Community, USA
Marcel Sorouni, CISA, CISM, CISSP, ITIL, CCNA, MCDBA, MCSE, Bupa Australia, Australia
Roger Southgate, CISA, CISM, UK
Mark Stacey, CISA, FCA, BG Group Plc, UK
Karen Stafford Gustin, MLIS, London Life Insurance Company, Canada
Delton Sylvester, Silver Star IT Governance Consulting, South Africa
Katalin Szenes, CISA, CISM, CGEIT, CISSP, University Obuda, Hungary
Halina Tabacek, CGEIT, Oracle Americas, USA
Nancy Thompson, CISA, CISM, CGEIT, IBM, USA
Kazuhiro Uehara, CISA, CGEIT, CIA, Hitachi Consulting Co., Ltd., Japan
Rob van der Burg, Microsoft, The Netherlands
Johan van Grieken, CISA, CGEIT, CRISC, Deloitte, Belgium
Flip van Schalkwyk, Centre for e-Innovation, Western Cape Government, South Africa
Jinu Varghese, CISA, CISSP, ITIL, OCA, Ernst & Young, Canada
Andre Viviers, MCSE, IT Project, Media 24, South Africa
Greet Volders, CGEIT, Voquals N.V., Belgium
David Williams, CISA, Westpac, New Zealand
Tim M. Wright, CISA, CRISC, CBCI, GSEC, QSA, Kingston Smith Consulting LLP, UK
Amanda Xu, PMP, Southern California Edison, USA
Tichaona Zororo, CISA, CISM, CGEIT, Standard Bank, South Africa

ISACA Board of Directors
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, Inc., USA, Vice President
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, RSM Bird Cameron, Australia, Vice President
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
Lynn C. Lawton, CISA, CRISC, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Allan Neville Boardman, CISA, CISM, CGEIT, CRISC, CA (SA), CISSP, Morgan Stanley, UK, Director
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Chairman
Michael A. Berardi Jr., CISA, CGEIT, Bank of America, USA
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France

Framework Committee (2009–2012)
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France, Chairman
Georges Ataya, CISA, CISM, CGEIT, CRISC, CISSP, Solvay Brussels School of Economics and Management, Belgium, Past Vice President
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Sergio Fleginsky, CISA, Akzo Nobel, Uruguay
John W. Lainhart, IV, CISA, CISM, CGEIT, CRISC, IBM Global Business Services, USA
Mario C. Micallef, CGEIT, CPAA, FIA, Malta
Anthony P. Noble, CISA, CCP, Viacom, USA
Derek J. Oliver, Ph.D., DBA, CISA, CISM, CRISC, CITP, FBCS, FISM, MInstISP, Ravenswood Consultants Ltd., UK
Robert G. Parker, CISA, CA, CMC, FCA, Deloitte & Touche LLP (retired), Canada
Rolf M. von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, Forfa AG, Switzerland
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, RSM Bird Cameron, Australia
Robert E. Stroud, CGEIT, CA Inc., USA

Special Recognition
ISACA Los Angeles Chapter for its financial support

ISACA and IT Governance Institute (ITGI) Affiliates and Sponsors
American Institute of Certified Public Accountants
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Institute of Management Accountants Inc.
ISACA chapters
ITGI France
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Insti
