COBIT 5 - IT Governance


COBIT 5 Briefing Paper
September 2013
Protect Comply Thrive

IT Governance Green Paper: COBIT 5

Overview

Businesses today must understand the value of information and the importance of managing their IT in such a way as to maximise that value. The ubiquity of information and IT is such that even organisations that would not traditionally consider themselves part of the IT industry must consider it a significant component of their business.

There is also increasing regulatory pressure regarding the security and use of this information. Governments and business partners want to know that information is secure; shareholders and investors seek maximum returns on leveraging information.

COBIT 5 is an increasingly popular and widely used control framework for the management of the IT organisation. The framework seeks to ensure that IT delivers value to the organisation through controlling the inputs and outputs of business processes. Further, it is of use to all organisations in any sector due to its dedication to first principles of governance and management.

By remaining technology agnostic, COBIT 5 ensures that the guidance offered for the management of IT is valid regardless of your organisation. This approach is based on five key principles, which are transferable across private, public and non-profit organisations.

Increasing the effectiveness of your organisation's governance and management of IT can lead to significant benefits:

- Improvement of services related to or served by IT
- Streamlining complex business processes
- Increased confidence from investors and business partners
- Compliance with regulations

About COBIT 5

Developed by ISACA, COBIT (Control Objectives for Information and Related Technology) is a framework for IT service management which has traditionally offered benefits across the business spectrum. First released in 1996, COBIT is now in its fifth edition, and has become broader and more comprehensive through drawing in related systems and standards.

COBIT 5 consolidates the tools and processes developed in COBIT 4.1 and earlier, as well as Val IT (governing and managing investments) and Risk IT (governing and managing risk). As such, COBIT 5 is a holistic approach to IT governance and management, with the added advantage that it remains technology agnostic.

IT Governance Ltd 2013

The framework provides controls to enable your organisation to effectively manage risk, continuity, security and privacy of information, while ensuring compliance with required standards and regulations. The five principles are:

- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management

The COBIT 5 methodology

COBIT 5 provides a structure for the governance of enterprise IT through the alignment of enterprise goals and IT goals. It achieves this through a broad set of guidance that can be applied to any business model, and integrates with other frameworks to offer precision and a wide scope of compliance opportunities.

Meeting stakeholder needs

It is important for any governance and management system to identify the stakeholders' needs. By establishing early on the essential functions, inputs and outputs, business processes can be managed in a manner that improves oversight and efficacy. COBIT 5 offers a model for identifying internal and external stakeholders, and their interest in the outcomes of its implementation.

Covering the enterprise end-to-end

It is important in any major endeavour to ensure that the whole enterprise and all processes are accounted for. The key practices identified by COBIT 5 cover the full business process, including all interactions between IT, other business units and external suppliers/customers.

Applying a single, integrated framework

Probably the most important detail of COBIT 5 is its 'modular' nature, which enables the organisation to draw in processes and controls from other frameworks and standards. In this way, the organisation is able to tailor the system to its own needs and regulatory requirements.

Enabling a holistic approach

The guidance offered is broken down between seven enablers – features of the ITSM that can be leveraged to achieve the five key principles. Within this structure, COBIT 5 recognises that there are multiple key facets in the governance and management of information. The individual business processes are identified and further broken down into key practices. By working down through the layers, the organisation naturally works towards achieving the primary goals of improving the business, aligning corporate and IT goals, and compliance with legal, regulatory and contractual obligations.

Separating governance from management

Governance and management comprise different activities to serve different purposes, and thus different organisation structures and processes are necessary. COBIT 5 defines distinct categories of process in order to ensure that governance goals and processes are identified and implemented as separate from those of management.

COBIT 5 comes with inputs and outputs for each and every management practice, while COBIT 4.1 only provided these at a process level. The inclusion of this additional level of detail naturally makes COBIT 5 a significantly more exhaustive system. The main strength of this new approach is that it is more robust, reliable and repeatable.

Compliance

Governance of corporate IT is seeing rapid growth as a regulatory requirement. In South Africa, the Department of Public Service and Administration (DPSA) has mandated COBIT 5 for all public services, as well as for many private and non-profit organisations with which they do business. In the US, COBIT 5 is recognised as an effective method of complying with the Sarbanes-Oxley Act. The internal control report that companies must include in their annual Exchange Act report is readily generated as a by-product of the adoption of COBIT 5. IT Control Objectives for Sarbanes-Oxley, written by the IT Governance Institute, provides a further reference source for executives when evaluating an organisation's IT controls as required by the Act.

These principles, enablers and processes are deliberately non-prescriptive. An implementation of COBIT 5 can only be considered successful if it refers consistently to the organisation at hand: the goal is for the organisation to create a framework that is a synergy between COBIT 5 and the enterprise's needs.

Implementing COBIT 5

In implementing COBIT 5 as a framework, your organisation will likely discover that the flexibility of the framework equally causes some consternation. The absence of specific measures for specific technologies requires the board and management to consider carefully how the organisation conducts its business internally. This – while potentially frustrating for those seeking a swift transformation – is of great benefit to an organisation embarking on a major governance programme.

Organisations that are well prepared and already exist in a state of regulatory compliance, meanwhile, will find the transition to COBIT 5 simple, and may find that the structure offers a more streamlined approach.

Because the framework is 'modular', the enterprise can adapt the system to comply with the regulations and standards applicable to its industry and obligations. By complying with necessary regulations and standards as part of the implementation of a COBIT framework, the organisation can ensure that all needs are met as part of a single programme. This is clearly preferable to multiple implementations, which may require repeated examination of business processes that are of concern to different standards, such as risk management or business continuity.

The passage through this process can be enlightening for an organisation as it aligns the IT goals with the enterprise goals. Recognition of divergence can bring about effective change to streamline business processes, and each aspect of the framework – such as risk management, information security, business continuity, and so on – can highlight weaknesses beyond the IT department.

While it is possible that a company can migrate to COBIT 5 quickly and efficiently, it is likely that many organisations will need some additional guidance. Consultants can offer expertise in implementation, as well as in identifying key competencies and their spread throughout the enterprise. Toolkits, such as the IT Governance Control Framework Implementation Toolkit, can provide the backbone of the policies and procedures that will need to be established.

For organisations seeking to develop the skills and expertise to handle the implementation and day-to-day duties associated with COBIT 5, training and CGEIT (Certified in the Governance of Enterprise IT) qualifications are available. This can be further bolstered by developing expertise in related standards and frameworks, thereby providing the organisation with a solid basis for continued compliance, improved practices and a sound business model.

Integration with other frameworks and standards

COBIT 5 has been designed to integrate cleanly and painlessly with other major frameworks and standards, including the IT Infrastructure Library (ITIL), ISO/IEC 27000, COSO and PMBOK. It has also been developed in such a way as to align with ISO/IEC 38500:2008 – the international standard for the corporate governance of information technology.

Useful Resources

IT Governance offers a unique range of products and services, including books, standards, pocket guides, training courses, staff awareness solutions and professional consultancy services.

COBIT 5 Resources

COBIT 5 for Information Security
In this manual you will be shown how the relevant frameworks, best practices and standards for information security can be adapted to form a cohesive framework using COBIT 5. COBIT 5 is mapped to international standards and relevant frameworks in the appendix to the book to aid this process.

Governance and Internal Controls for Cutting Edge IT
In Governance and Internal Controls for Cutting Edge IT, Karen Worstell explains strategies and techniques to guide IT managers as they implement cutting edge solutions for their business needs in the context of COBIT 5.

IT Governance Control Framework Implementation Toolkit
Drawing on a decade of experience in IT governance, combined with ITGP's established skills in publishing easy-to-use, customisable policy and procedure documentation templates, this COBIT 5 Documentation Toolkit will help you accelerate your IT governance project, while helping you avoid documentation dead-ends or re-inventing the procedural wheel.

COBIT 5 Foundation (2 day) Course
This is the official 2-day COBIT 5 Foundation Course, using content with the permission of ISACA. It includes the official COBIT 5 Foundation exam from APMG. It is an interactive classroom-based training course based on the latest version, COBIT 5.

Certified in the Governance of Enterprise IT (CGEIT) Training
The CGEIT designation is designed for professionals who are responsible for managing, providing advisory and assurance services for, or otherwise supporting the governance of an enterprise's IT, and who wish to be recognised for their IT governance-related experience and knowledge.

COBIT 5 Foundation Training (90 Days Online Access, Excluding Exam)
Now you can study for the COBIT 5 Foundation exam using this online e-learning course. Study as and when you want, basing your studies around your normal work schedule. This e-learning course includes a practice exam that allows you to test your knowledge prior to taking the actual COBIT 5 Foundation exam.

IT Governance Solutions

IT Governance sources, creates and delivers products and services to meet the evolving IT governance needs of today's organisations, directors, managers and practitioners.

IT Governance is your one-stop shop for corporate and IT governance information, books, tools, training and consultancy. Our products and services are unique in that all elements are designed to work harmoniously together, so you can benefit from them individually and also use different elements to build something bigger and better.

Books
Through our website, www.itgovernance.co.uk, we sell the most sought-after publications covering all areas of corporate and IT governance. We also offer all appropriate standards documents.
In addition, our publishing team develops a growing collection of titles written to provide practical advice for staff taking part in IT governance projects, suitable for all levels of staff knowledge, responsibility and experience.

Toolkits
Our unique documentation toolkits are designed to help small and medium organisations adapt quickly and adopt best management practice using pre-written policies, forms and documents.
Visit www.itgovernance.co.uk/free trial to view and trial all of our available toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and Certified Lead Implementers and Auditors.
Our training team organises and runs in-house and public training courses all year round, covering a growing number of IT governance topics.
Visit www.itgovernance.co.uk/training for more information.
Through our website, you can also browse and book training courses throughout the UK that are run by a number of different suppliers.

Consultancy
Our company is an acknowledged world leader in our field. We can use our experienced consultants, with multi-sector and multi-standard knowledge and experience, to help you accelerate your IT GRC (governance, risk, compliance) projects.
Visit https://www.itgovernance.co.uk/consulting for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organisations worldwide to be ISO27001-compl
