COBIT 2019 Governance Management Objectives Practices Activities Nov2018


Reservation of Rights

© 2018 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.
Listed below are the governance and management objectives in COBIT® 2019.
The objectives are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management Objectives.

Objectives: 40
Columns: Area; Domain; Objective ID; Objective; Objective Description; Objective Purpose Statement; New in COBIT 2019; New in COBIT 5; In 4.1.
Where the source marks a row in one of the three version columns, that mark is shown below as "Version flag: Yes"; the extracted layout does not preserve which of the three columns carries the mark.

EDM01 Ensured Governance Framework Setting and Maintenance
Area: Governance; Domain: Evaluate, Direct and Monitor
Description: Analyze and articulate the requirements for the governance of enterprise I&T. Put in place and maintain governance components with clarity of authority and responsibilities to achieve the enterprise's mission, goals and objectives.
Purpose: Provide a consistent approach integrated and aligned with the enterprise governance approach. I&T-related decisions are made in line with the enterprise's strategies and objectives and desired value is realized. To that end, ensure that I&T-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met.

EDM02 Ensured Benefits Delivery
Area: Governance; Domain: Evaluate, Direct and Monitor
Description: Optimize the value to the business from investments in business processes, I&T services and I&T assets.
Purpose: Secure optimal value from I&T-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.

EDM03 Ensured Risk Optimization
Area: Governance; Domain: Evaluate, Direct and Monitor
Description: Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of I&T is identified and managed.
Purpose: Ensure that I&T-related enterprise risk does not exceed the enterprise's risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.

EDM04 Ensured Resource Optimization
Area: Governance; Domain: Evaluate, Direct and Monitor
Description: Ensure that adequate and sufficient business and I&T-related resources (people, process and technology) are available to support enterprise objectives effectively and at optimal cost.
Purpose: Ensure that the resource needs of the enterprise are met in the optimal manner, I&T costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change.

EDM05 Ensured Stakeholder Engagement
Area: Governance; Domain: Evaluate, Direct and Monitor
Description: Ensure that stakeholders are identified and engaged in the I&T governance system and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and necessary remedial actions.
Purpose: Ensure that stakeholders are supportive of the I&T strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that I&T-related objectives and strategies are in line with the enterprise's strategy.

APO01 Managed I&T Management Framework
Area: Management; Domain: Align, Plan and Organize
Description: Design the management system for enterprise I&T based on enterprise goals and other design factors. Based on this design, implement all required components of the management system.
Purpose: Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications.

APO02 Managed Strategy
Area: Management; Domain: Align, Plan and Organize
Description: Provide a holistic view of the current business and I&T environment, the future direction, and the initiatives required to migrate to the desired future environment. Ensure that the desired level of digitization is integral to the future direction and the I&T strategy. Assess the organization's current digital maturity and develop a road map to close the gaps. With the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation journey across the organization. Leverage enterprise architecture building blocks, governance components and the organization's ecosystem, including externally provided services and related capabilities, to enable reliable but agile and efficient response to strategic objectives.
Purpose: Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives.

APO03 Managed Enterprise Architecture
Area: Management; Domain: Align, Plan and Organize
Description: Establish a common architecture consisting of business process, information, data, application and technology architecture layers. Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components.
Purpose: Represent the different building blocks that make up the enterprise and its interrelationships as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives.
Version flag: Yes

APO04 Managed Innovation
Area: Management; Domain: Align, Plan and Organize
Description: Maintain an awareness of I&T and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or I&T-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.
Purpose: Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies.
Version flag: Yes
APO05 Managed Portfolio
Area: Management; Domain: Align, Plan and Organize
Description: Execute the strategic direction set for investments in line with the enterprise architecture vision and I&T road map. Consider the different categories of investments and the resources and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Move selected programs into the active products or services portfolio for execution. Monitor the performance of the overall portfolio of products and services and programs, proposing adjustments as necessary in response to program, product or service performance or changing enterprise priorities.
Purpose: Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand.
Version flag: Yes

APO06 Managed Budget and Costs
Area: Management; Domain: Align, Plan and Organize
Description: Manage the I&T-related financial activities in both the business and IT functions, covering budget, cost and benefit management and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where needed.
Purpose: Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services.
Version flag: Yes

APO07 Managed Human Resources
Area: Management; Domain: Align, Plan and Organize
Description: Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external).
Purpose: Optimize human resources capabilities to meet enterprise objectives.

APO08 Managed Relationships
Area: Management; Domain: Align, Plan and Organize
Description: Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and a combined focus on achieving the strategic goals within the constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common language, and the willingness to take ownership and accountability for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in support of the enterprise objectives.
Purpose: Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders.
Version flag: Yes

APO09 Managed Service Agreements
Area: Management; Domain: Align, Plan and Organize
Description: Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of I&T products and services, service levels and performance indicators.
Purpose: Ensure that I&T products, services and service levels meet current and future enterprise needs.

APO10 Managed Vendors
Area: Management; Domain: Align, Plan and Organize
Description: Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystem (including upstream supply chain) for effectiveness and compliance.
Purpose: Optimize available I&T capabilities to support the I&T strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing.

APO11 Managed Quality
Area: Management; Domain: Align, Plan and Organize
Description: Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.
Purpose: Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.

APO12 Managed Risk
Area: Management; Domain: Align, Plan and Organize
Description: Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management.
Purpose: Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk.

APO13 Managed Security
Area: Management; Domain: Align, Plan and Organize
Description: Define, operate and monitor an information security system.
Purpose: Keep the impact and occurrence of information security privacy incidents within the enterprise's risk appetite levels.
Version flag: Yes

APO14 Managed Data
Area: Management; Domain: Align, Plan and Organize
Description: Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving.
Purpose: Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives.
Version flag: Yes

BAI01 Managed Programs
Area: Management; Domain: Build, Acquire and Implement
Description: Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control, and execute programs, and monitor expected value from the program.
Purpose: Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio.

BAI02 Managed Requirements Definition
Area: Management; Domain: Build, Acquire and Implement
Description: Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.
Purpose: Create optimal solutions that meet enterprise needs while minimizing risk.
BAI03 Managed Solutions Identification and Build
Area: Management; Domain: Build, Acquire and Implement
Description: Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.
Purpose: Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives.

BAI04 Managed Availability and Capacity
Area: Management; Domain: Build, Acquire and Implement
Description: Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements.
Purpose: Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.

BAI05 Managed Organizational Change
Area: Management; Domain: Build, Acquire and Implement
Description: Maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and with reduced risk. Cover the complete life cycle of the change and all affected stakeholders in the business and IT.
Purpose: Prepare and commit stakeholders for business change and reduce the risk of failure.
Version flag: Yes

BAI06 Managed IT Changes
Area: Management; Domain: Build, Acquire and Implement
Description: Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure, and documentation.
Purpose: Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment.

BAI07 Managed IT Change Acceptance and Transitioning
Area: Management; Domain: Build, Acquire and Implement
Description: Formally accept and make operational new solutions. Include implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and I&T services, early production support, and a post-implementation review.
Purpose: Implement solutions safely and in line with the agreed expectations and outcomes.

BAI08 Managed Knowledge
Area: Management; Domain: Build, Acquire and Implement
Description: Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise I&T. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.
Purpose: Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.
Version flag: Yes

BAI09 Managed Assets
Area: Management; Domain: Build, Acquire and Implement
Description: Manage I&T assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), and they are accounted for and physically protected. Ensure that those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements.
Purpose: Account for all I&T assets and optimize the value provided by their use.
Version flag: Yes

BAI10 Managed Configuration
Area: Management; Domain: Build, Acquire and Implement
Description: Define and maintain descriptions and relationships among key resources and capabilities required to deliver I&T-enabled services. Include collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.
Purpose: Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.

BAI11 Managed Projects
Area: Management; Domain: Build, Acquire and Implement
Description: Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review.
Purpose: Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and investment portfolio.
Version flag: Yes

DSS01 Managed Operations
Area: Management; Domain: Deliver, Service and Support
Description: Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T services. Include the execution of predefined standard operating procedures and the required monitoring activities.
Purpose: Deliver I&T operational product and service outcomes as planned.

DSS02 Managed Service Requests and Incidents
Area: Management; Domain: Deliver, Service and Support
Description: Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.
Purpose: Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents.

DSS03 Managed Problems
Area: Management; Domain: Deliver, Service and Support
Description: Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
Purpose: Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.

DSS04 Managed Continuity
Area: Management; Domain: Deliver, Service and Support
Description: Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise.
Purpose: Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).
DSS05 Managed Security Services
Area: Management; Domain: Deliver, Service and Support
Description: Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges. Perform security monitoring.
Purpose: Minimize the business impact of operational information security vulnerabilities and incidents.
Version flag: Yes

DSS06 Managed Business Process Controls
Area: Management; Domain: Deliver, Service and Support
Description: Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements.
Purpose: Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.
Version flag: Yes

MEA01 Managed Performance and Conformance Monitoring
Area: Management; Domain: Monitor, Evaluate and Assess
Description: Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely.
Purpose: Provide transparency of performance and conformance and drive achievement of goals.

MEA02 Managed System of Internal Control
Area: Management; Domain: Monitor, Evaluate and Assess
Description: Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness.
Purpose: Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA03 Managed Compliance With External Requirements
Area: Management; Domain: Monitor, Evaluate and Assess
Description: Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance.
Purpose: Ensure that the enterprise is compliant with all applicable external requirements.

MEA04 Managed Assurance
Area: Management; Domain: Monitor, Evaluate and Assess
Description: Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities.
Purpose: Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches.
Version flag: Yes
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management Objectives.

Objectives: 40
Practices: 231
Columns: Area; Domain; Objective ID; Objective; Objective Description; Objective Purpose Statement; Practice ID; Practice Name; Practice Description.

APO06 Managed Budget and Costs
Area: Management; Domain: Align, Plan and Organize
Description: Manage the I&T-related financial activities in both the business and IT functions, covering budget, cost and benefit management and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where needed.
Purpose: Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services.
APO06.01 Manage finance and accounting.
Establish and maintain a method to manage and account for all I&T-related costs, investments and depreciation as an integral part of enterprise financial systems and accounts. Report using the enterprise's financial measurement systems.

APO07 Managed Human Resources
Area: Management; Domain: Align, Plan and Organize
Description: Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external).
Purpose: Optimize human resources capabilities to meet enterprise objectives.
APO07.01 Acquire and maintain adequate and appropriate staffing.
Evaluate internal and external staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives.

Listed below are the activities associated with each of the governance and management practices in COBIT® 2019.
The activities are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management Objectives.

Activities: 1202
Columns: Area; Domain; Objective ID; Objective; Practice ID; Practice Name; Activity.

DSS06 Managed Business Process Controls
Area: Management; Domain: Deliver, Service and Support

DSS06.01 Align control activities embedded in business processes with enterprise objectives.
1. Identify and document the necessary control activities for key business processes to satisfy control requirements for strategic, operational, reporting and compliance objectives.
2. Prioritize control activities based on the inherent risk to the business. Identify key controls.
3. Ensure ownership of key control activities.
4. Implement automated controls.
5. Continually monitor control activities on an end-to-end basis to identify opportunities for improvement.
6. Continually improve the design and operation of business process controls.

DSS06.02 Control the processing of information.
1. Authenticate the originator of transactions and verify that the individual has the authority to originate the transaction.
2. Ensure adequate segregation of duties regarding the origination and approval of transactions.
3. Verify that transactions are accurate, complete and valid. Controls may include sequence, limit, range, validity, reasonableness, table look-ups, existence, key verification, check digit, completeness, duplicate and logical relationship checks, and time edits. Validation criteria and parameters should be subject to periodic reviews and confirmations.
4. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible. Without compromising original transaction authorization levels, correct and resubmit data that were erroneously input. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
5. Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
6. Handle output in an authorized manner, deliver it to the appropriate recipient and protect the information during transmission. Verify the accuracy and completeness of the output.
7. Maintain the integrity of data during unexpected interruptions in business processing. Confirm data integrity after processing failures.
8. Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
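The DSS06.02 activities above describe transaction-level application controls: authenticating the originator and checking their authority, segregating origination from approval, and editing each transaction with sequence, limit, range, validity, table look-up, check-digit, completeness and duplicate checks, while sending erroneous transactions back for correction without halting the valid ones. The script below is an added worked example, not part of the ISACA publication and not an ISACA artifact; the role table, the single-transaction limit, the currency table, the mod-10 (Luhn) check digit on the account number and the sample batch are all constructed assumptions chosen to exercise each control.

```python
"""Transaction input controls in the spirit of COBIT 2019 DSS06.02 (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Assumed role model (hypothetical): which authenticated users may originate or approve.
ROLES = {
    "alice": {"originate"},
    "bob": {"approve"},
    "carol": {"originate", "approve"},
}
ORIGINATION_LIMIT = 10_000.00             # assumed single-transaction ceiling (limit check)
VALID_CURRENCIES = {"USD", "EUR", "GBP"}  # assumed reference table (validity / table look-up)


@dataclass(frozen=True)
class Transaction:
    seq: int                 # batch sequence number (sequence check)
    originator: str          # authenticated user who keyed the transaction
    approver: Optional[str]  # authenticated user who approved it, if any
    account: str             # account number whose last digit is a mod-10 check digit
    amount: float
    currency: str
    reference: str           # source document reference (completeness and duplicate checks)


def luhn_valid(number: str) -> bool:
    """Key verification with a mod-10 (Luhn) check digit; the check digit is the last digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def control_failures(txn: Transaction, expected_seq: int, seen_refs: set) -> list:
    """Return the control violations for one transaction; an empty list means it passes."""
    failures = []
    # Activity 1: the originator is a known user with authority to originate.
    if "originate" not in ROLES.get(txn.originator, set()):
        failures.append("originator not authorized")
    # Activity 2: segregation of duties between origination and approval.
    if txn.approver is None:
        failures.append("missing approval")
    elif txn.approver == txn.originator:
        failures.append("originator approved own transaction")
    elif "approve" not in ROLES.get(txn.approver, set()):
        failures.append("approver not authorized")
    # Activity 3: accuracy, completeness and validity edits.
    if txn.seq != expected_seq:
        failures.append(f"sequence gap: expected {expected_seq}, got {txn.seq}")
    if not txn.reference:
        failures.append("incomplete: missing reference")
    if txn.currency not in VALID_CURRENCIES:
        failures.append("invalid currency")
    if not luhn_valid(txn.account):
        failures.append("account check digit mismatch")
    if txn.amount <= 0:
        failures.append("amount out of range")
    elif txn.amount > ORIGINATION_LIMIT:
        failures.append("amount exceeds limit")
    if txn.reference in seen_refs:
        failures.append("duplicate reference")
    return failures


def process_batch(txns):
    """Apply the controls to a batch. Erroneous transactions are sent back with their
    reasons (activity 4) without disrupting processing of the valid ones (activity 5)."""
    accepted, rejected = [], {}
    seen_refs = set()
    expected_seq = 1
    for txn in txns:
        failures = control_failures(txn, expected_seq, seen_refs)
        expected_seq = txn.seq + 1          # re-sync after a gap so it is reported once
        if failures:
            rejected[txn.seq] = failures    # returned for correction and resubmission
        else:
            accepted.append(txn)
            seen_refs.add(txn.reference)    # only posted references count as duplicates
    return accepted, rejected


# Constructed sample batch: two transactions that pass and four that must be sent back.
SAMPLE_BATCH = [
    Transaction(1, "alice", "bob",   "79927398713", 2500.00,  "USD", "INV-1001"),
    Transaction(2, "alice", "alice", "79927398713", 400.00,   "USD", "INV-1002"),
    Transaction(3, "carol", "bob",   "123456",      15000.00, "XYZ", "INV-1003"),
    Transaction(5, "alice", "bob",   "123455",      99.00,    "EUR", "INV-1001"),
    Transaction(6, "bob",   "carol", "123455",      50.00,    "GBP", "INV-1004"),
    Transaction(7, "alice", "carol", "123455",      50.00,    "GBP", "INV-1005"),
]

if __name__ == "__main__":
    ok, bad = process_batch(SAMPLE_BATCH)
    print("accepted:", [t.seq for t in ok])
    for seq, reasons in bad.items():
        print(f"seq {seq} sent back:", "; ".join(reasons))
```

Two design points follow directly from the activities. A rejected transaction does not stop the batch, and its reference is not recorded as seen, so a corrected resubmission is not flagged as a duplicate of its own rejected original. The sequence counter is re-synchronised after a gap so that a single missing transaction is reported once rather than on every later line.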

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 1. Allocate roles and responsibilities based on approved job
and Support Business Process responsibilities, access descriptions and business process activities.
Controls privileges and levels
of authority.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 2. Allocate levels of authority for approval of transactions,
and Support Business Process responsibilities, access transaction limits and any other decisions relating to the
Controls privileges and levels business process, based on approved job roles.
of authority.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 3. Allocate roles for sensitive activities so there is a clear
and Support Business Process responsibilities, access segregation of duties.
Controls privileges and levels
of authority.

11
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 4. Allocate access rights and privileges based on the minimum
and Support Business Process responsibilities, access that is required to perform job activities, based on pre-defined
Controls privileges and levels job roles. Remove or revise access rights immediately if the
of authority. job role changes or a staff member leaves the business
process area. Periodically review to ensure that the access is
appropriate for the current threats, risk, technology and
business need.
Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 5. On a regular basis, provide awareness and training
and Support Business Process responsibilities, access regarding roles and responsibilities so that everyone
Controls privileges and levels understands their responsibilities; the importance of controls;
of authority. and the security, integrity, confidentiality and privacy of
company information in all its forms.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 6. Ensure administrative privileges are sufficiently and
and Support Business Process responsibilities, access effectively secured, tracked and controlled to prevent misuse.
Controls privileges and levels
of authority.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 7. Periodically review access control definitions, logs and
and Support Business Process responsibilities, access exception reports. Ensure that all access privileges are valid
Controls privileges and levels and aligned with current staff members and their allocated
of authority. roles.

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 1. Review errors, exceptions and deviations.
and Support Business Process exceptions.
Controls

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 2. Follow up, correct, approve and resubmit source
and Support Business Process exceptions. documents and transactions.
Controls

12
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 3. Maintain evidence of remedial actions.
and Support Business Process exceptions.
Controls

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 4. Define and maintain procedures to assign ownership for
and Support Business Process exceptions. errors and exceptions, correct errors, override errors and
Controls handle out-of-balance conditions.

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 5. Report relevant business information process errors in a
and Support Business Process exceptions. timely manner to perform root cause and trending analysis.
Controls

Management Deliver, Service DSS06 Managed DSS06.05 Ensure traceability 1. Capture source information, supporting evidence and the
and Support Business Process and accountability for record of transactions.
Controls information events.

Management Deliver, Service DSS06 Managed DSS06.05 Ensure traceability 2. Define retention requirements, based on business
and Support Business Process and accountability for requirements, to meet operational, financial reporting and
Controls information events. compliance needs.

Management Deliver, Service DSS06 Managed DSS06.05 Ensure traceability 3. Dispose of source information, supporting evidence and
and Support Business Process and accountability for the record of transactions in accordance with the retention
Controls information events. policy.

13
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 1. Restrict use, distribution and physical access of information
and Support Business Process assets. according to its classification.
Controls

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 2. Provide acceptable use awareness and training.
and Support Business Process assets.
Controls

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 3. Apply data classification and acceptable use and security
and Support Business Process assets. policies and procedures to protect information assets under
Controls the control of the business.

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 4. Identify and implement processes, tools and techniques to
and Support Business Process assets. reasonably verify compliance.
Controls

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 5. Report to business and other stakeholders on violations
and Support Business Process assets. and deviations.
Controls

14