Cobit 2019 Foundation


COBIT 2019 Foundation

For Whom is this Course?
● COBIT 2019 Foundation exam
● Introduction to COBIT
● Know the difference with COBIT 5
● Assist enterprises in achieving EGIT objectives
● Create optimal value from I&T

Structure of the course
1. Introduction
2. Intended Audience
3. COBIT Principles
4. Governance System and Components
5. Design Factors
6. Performance Management
7. Governance System Tailoring
8. Implementing Enterprise Governance of IT
COBIT Publications
● COBIT® 2019 Framework: Introduction and Methodology
● COBIT® 2019 Framework: Governance and Management Objectives
● COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution
● COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution


Enterprise Governance of Information Technology
● IT is central for the enterprise
● Enterprise governance of IT is part of enterprise governance
○ Exercised by the board
○ Business/IT alignment
○ Business value creation
● Tailor enterprise governance of IT for specific context and needs

Benefits of Information Technology Governance
● Benefits realisation
○ IT value aligned with business value
○ IT Value should be measured
● Risk optimization
○ Address the Risk of use, ownership, involvement, influence and adoption of IT
○ Risk impacting the business
○ Focus on Preservation of value
○ Should be measured
● Resource optimization
○ Sufficient, appropriate and efficient resources
○ Provide training, promote retention, ensure competence of personnel
○ Exploit Data to gain optimal value
What is COBIT?
● Clear distinction between Governance and Management
● Governance ensures
○ Balanced and agreed-on enterprise objectives
○ Direction through prioritization and decision making
○ Performance and compliance
● Management
○ Plan, build, run and monitor activities
○ Align with the direction of the Governance body
○ Achieve enterprise objectives
What is COBIT? (2)
● COBIT defines six components to build and sustain a governance system
● COBIT defines design factors
● COBIT groups components into governance and management objectives
What is Not COBIT?
● Not a description of the whole IT
● Does not organize business processes
● Does not prescribe IT-related decisions
COBIT 5 vs COBIT 2019
● The 37 processes have become 40
● The PRM, Process Reference Model has become COBIT Core Model
● COBIT 5’s enablers have become components
● COBIT 2019 has 11 Design Factors
● COBIT Performance Management is new in COBIT 2019
● CPM is inspired by CMMI
Intended Audience : Internal Stakeholders
● Boards
○ How to get value from IT
○ Explains responsibilities
● Executive management : how to organise and monitor performance of IT
● Business managers : how to exploit technology for strategic opportunities
● IT managers : structure, performance, efficiency, cost, alignment of IT
● Assurance providers : manage dependency on external providers
● Risk managers : management of IT-related risks
Intended Audience : External Stakeholders
● Regulators
○ Helps ensure compliance with regulations
○ Helps manage and sustain compliance
● Business partners
○ Helps ensure operations are secure and compliant
● IT vendors
○ Helps ensure operations are secure and compliant
The six COBIT principles of Governance System
● 1. Provide Stakeholder Value
○ Generate value from IT
○ Balance among benefits, risks and resources
● 2. Holistic Approach
○ Components work together in a holistic way
● 3. Dynamic Governance System
○ Consider the impact of design factor changes
○ Lead to a future-proof EGIT system
The six COBIT principles of Governance System (2)
● 4. Governance Distinct from Management
○ Different activities and structures
● 5. Tailored to Enterprise Needs
○ Customized using design factors
● 6. End-to-End Governance System
○ All technology and information processing
The Three Principles of Governance Framework
● Based on a Conceptual Model
○ Identify key components
○ Maximize consistency
○ Allow automation
● Open and Flexible
○ Addition of new content
○ Address new issues
○ Maintain integrity and consistency
● Aligned to Major Standards
○ Frameworks and regulations
COBIT 2019 Improvements
● Flexibility and Openness
○ Enable tailoring for better alignment
○ Allow focusing on new areas
● Currency and Relevance
○ Supports referencing other standards
● Prescriptive Application
● Performance Management of IT
○ Better alignment with CMMI
Governance and Management Objectives
● A Governance or management objective relates to one process
● A governance objective relates to a governance process
● A management objective relates to a management process
● Board & executive management accountable for Governance processes
● Senior & middle management accountable for Management processes
Governance and Management Objectives (2)
One Domain of Governance Objectives
● Evaluate, Direct and Monitor (EDM)
Four Domains of Management Objectives
● Align, Plan and Organize (APO)
● Build, Acquire and Implement (BAI)
● Deliver, Service and Support (DSS)
● Monitor, Evaluate and Assess (MEA)
COBIT Core Model
Goal Cascade
Enterprise Goals
Alignment Goals
COBIT Governance and Management Objectives
Example of Goals Cascade
● Benefits realization
● Risk optimization
● Resource optimization
● EG01 : Portfolio of competitive products and services
● EG08 : Optimization of internal business process functionality
● AG05 : Delivery of I&T services in line with business requirements
● DSS02 : Managed service requests and incidents
Real World Example of Goals Cascade : Udemy
● Udemy gets profit from course sales
● Students get quality courses at low prices
● Instructors get profit from sales
● Portfolio of courses at competitive quality and prices
● Optimization of functionality for Udemy, students and instructors
● Delivery of I&T services through the Udemy platform, website and mobile applications
● Customer support to manage service requests and incidents
Components of the Governance System
● Previously known as COBIT enablers in COBIT 5
● Components contribute to the enterprise’s governance over IT
● Components interact with each other
● Components can be of different types :
○ processes; organizational structures; policies and procedures; information items;
○ culture and behavior; skills and competencies; and services, infrastructure and applications.
Components of the Governance System (2)
● Processes
○ Set of practices
○ Produces a set of outputs
○ Support IT-related goals
● Organizational Structures
○ Decision-making entities
● Principles, Policies and Frameworks
○ Guidance for day-to-day management
Components of the Governance System (3)
● Information
○ For effective functioning of the governance system
● Culture, Ethics and Behavior
○ Often underestimated
● People, Skills and Competencies
○ For good decisions
○ And execution of activities
● Services, Infrastructure and Applications
○ That provide the governance system for I&T
Governance and Management Objectives Structure
Example : DSS02-Managed Service Requests and Incidents
Example : DSS02-Managed Service Requests and Incidents
Goals Cascade
Applicable Goals and Example Metrics
Example Metrics for Enterprise Goals for DSS02
Components of the Governance System
Process Component
Capability Levels for Processes
Example : Process Component of DSS02
Organizational Structures Component
Organizational Structures and Roles
● Board
● Executive Committee
● CEO, CFO, CTO, COO, CRO, CIO, CDO
● I&T Governance board, Architecture board, Enterprise Risk committee
● Portfolio manager, program manager, project manager
● Roles
○ Responsible : operational responsibility
○ Accountable : overall accountability
○ Consulted : who is providing the input
○ Informed : who is receiving the information
Example : Organizational Structures Of DSS
Information Flows and Items Component
Example : Information Flows and Items of DSS02
Skills and Competencies Component
Policies and Procedures Component
Example : Policies and Procedures of DSS02
Culture, Ethics and Behavior Component
Example : Culture, Ethics and Behavior of DSS02
Services, Infrastructures and Applications Component
Example : Services, Infrastructures and Applications of DSS02
Generic/Variant Focus Area
● Generic components
○ Apply to any situation
○ Need customization
● Variant components
○ Based on generic components
○ Tailored for a specific area
○ Examples of areas : information security, DevOps, a regulation
Design Factors
Enterprise Strategy Factor
● Growth/Acquisition
● Innovation/Differentiation
● Cost Leadership
● Client Service/Stability
Example : Cost Leadership as a Focus Area
Example of McDonald’s
Low cost position by :
● Increasing productivity : DSS01—Managed Operations
● Eliminating waste : APO11—Managed Quality
● Controlling costs : APO06—Managed Budget and Cost

Enterprise Goals
● Financial
○ Portfolio of products and services
○ Business Risk
○ Compliance with regulations
○ Quality of financial information
● Customer
○ Service culture
○ Continuity and availability
○ Quality of management information
● Internal
○ Optimization of process functionality
○ Optimization of process cost
○ Staff skills, motivation, productivity
○ Compliance with internal policies
● Growth
○ Digital transformation programs
○ Product and business innovation
Example : Focus on Competitive Products and Services
Enterprise Goal Selection Prioritizes Management Objectives
● EG01 : Portfolio of competitive products and services
● APO05 : Managed Portfolio

Risk Profile
Example : Very Risk Averse Company
● EDM03 : Ensured risk optimization
● APO12 : Managed risk
● APO13 : Managed security
● DSS05 : Managed security services
With higher target capability levels

I&T Related Issues
Example : IT-Related Issues
Failure to meet IT-related regulatory or contractual requirements
MEA03 : Managed compliance with external requirements
● Monitor local and international laws
● Review and adjust policies and procedures
● Obtain and report assurance of compliance
High Threat Landscape
Example of High Threat Landscape
Geopolitical tensions, cyber attacks
Focus area : risk management, information security
● EDM03 : Ensured Risk Optimisation
● APO12 : Managed risk
● APO13 : Managed security
● DSS05 : Managed security services
With higher target capability levels

Compliance Requirements
● Low compliance requirements
● Normal compliance requirements
● High compliance requirements

Example : Highly Regulated Environment
Highly regulated :
● Drug manufacturing, Nuclear, Government, Financial
High importance of
● Documentation (information)
● Procedures and policies
● Some roles (organizational structures)
Role of IT
● Support : not crucial for running the business, nor for innovation
● Factory : impact on the business when it fails, but not a driver for innovation
● Turnaround : driver for innovation, not critical for running the business
● Strategic : critical for both running the business and innovation

Example : High Involvement of IT-Related Roles
When IT is Strategic to the enterprise
● High involvement of IT roles (organizational structure)
● Understanding of the business by IT
● APO02 : Managed strategy
● APO08 : Managed relationships

Sourcing Model for IT
● Outsourced : Rely on a third party
● Insourced : Own IT staff and services
● Cloud : Maximize the use of cloud
● Hybrid : Combine the three models

Example : Sourcing Model for IT
Insourced Model : in-house development and hosting
● APO03—Managed Enterprise Architecture
● APO11—Managed Quality
● BAI03—Managed Solution Identification and Build
● BAI07—Managed Programs Requirements
● BAI10—Managed Configuration
IT Implementation Method
● Agile for software development
● DevOps for software building, deployment and operations
● Traditional : separate development from operations
● Hybrid : mix traditional and modern approaches

Example : IT Implementation Method
Enterprise implements DevOps
● BAI03 Managed solutions identification and build
● BAI10 Managed configuration
● DSS01 Managed operations

Technology Adoption Strategy
● First mover : as early as possible
● Follower : waits for proven technologies
● Slow adopter : very late

Example : Technology Adoption Strategy
Slow mover companies
● Kodak : missed opportunity in digital photography
● Nokia : developed phones for short-term market demands
APO04 : Managed innovation

Enterprise Size
● Large enterprise : more than 250 full-time employees
● Small and medium enterprise : between 50 and 250 full-time employees
Example : Small and medium enterprises
● Few IT resources
● Shorter reporting lines
● Less expensive governance system
Performance Management in COBIT
Questions about the governance/management system and all its components :
● How well do they work?
● Can they be improved?
● Do they achieve the required level?
Capability and maturity levels
CPM : COBIT Performance Management

COBIT Performance Management (CPM) Principles
1. Simple to understand and use
2. Consistent with and supportive of the COBIT conceptual model
3. Provide reliable and repeatable results
4. Flexible
5. Support different types of assessments

Process Capability Levels
Capability
● Processes
● Other governance and management component types
Maturity
● Focus Areas
Capability Levels for Processes
Rating Process Activities
Formal methods : Pass/Fail
Less formal methods :
● Fully : more than 80%
● Largely : 50-80%
● Partially : 15-50%
● Not : less than 15%
Focus Area Maturity Levels
Performance Management of Organizational Structures
● A/R for process activities
● Application of good practices
○ Operating principles : OS established, clear mandate, regular meetings
○ Level of authority and decision rights
○ Delegation of authority
○ Escalation procedures
● Successful application of organizational structures management practices
○ Performance objectives are identified, planned and adjusted
○ Resources and information are identified, allocated and used
○ Interfaces with stakeholders are managed
○ Regular evaluations result in continuous improvement
Performance Management of Information Items
Performance Management of Culture and Behavior
● Define a set of desirable behaviors
● Assign capability levels to each
● Culture and behaviors are defined for Governance and Management objectives
● Focus area will be developed
● Visit Isaca.org/cobit for status

Impact of Design Factors
Management Objective Selection
● Design factors influence the importance of governance and management objectives
Example :
● EG01 Portfolio of competitive products and services
○ APO05 Managed Portfolio
● Risk Averse
○ EDM03 Ensured risk optimization
○ APO12 Managed risk
○ APO13 Managed security
○ DSS05 Managed security services
Component Variation
● Design factors can
○ Influence one or more components
○ Require specific variations
Example :
● A small or medium enterprise requires
○ A reduced set of roles
○ Reduced organizational structures
● An enterprise in a highly regulated environment attributes more importance to
○ Documentation
○ Procedures and policies
Specific Focus Areas
Design factors drive variation of the core model to a specific context
Example :
DevOps
● BAI03 Managed solutions identification and build
● BAI10 Managed configuration
● DSS01 Managed operations
Small and Medium enterprise
● Few IT resources
● Shorter reporting lines
Stages and Steps in Design Process
COBIT Implementation
● Not possible to separate Business from I&T
● Governance and Management of I&T is part of Enterprise Governance
● Governance System Implementation fails when it is not implemented as a program
● Sponsorship of governance programs by executive management
● Implementation based on
○ Empowering business and IT stakeholders
○ Enabling change
COBIT Implementation Approach
Phase 1 : What are the Drivers?
● Change drivers
● Recognize the need to act
● Establish the desire to change
● Business case
● Initiate a program
Phase 2 : Where Are We Now?
● Align I&T with strategy
● Identify critical governance and management objectives
● Define problems and opportunities
● Form implementation team
● Assess current state
Phase 3 : Where Do We Want To Be?
● Define target state
● Gap analysis
● Quick wins
● Define roadmap
● Communicate outcome
Phase 4 : What Needs To Be Done?
● Plan program
● Identify project benefits
● Identify role players
● Build improvements
Phase 5 : How Do We Get There?
● Execute a plan
● Implement solutions
● Operate and use, day-to-day practices
● Implement improvements
● Top management commitment and ownership are required
Phase 6 : Did We Get There?
● Realize benefits
● Sustain transition
● Monitor achievement of improvements
● Embed new approaches
● Operate and measure
Phase 7 : How To Keep The Momentum Going?
● Review effectiveness
● Prioritize further improvements
● Sustain
● Monitor and evaluate