20.COBIT5 For Assurance Laminate


for Assurance for Assurance for Assurance for Assurance

COBIT 5 Product Family

COBIT® 5
COBIT 5 Enabler Guides:
– COBIT® 5: Enabling Processes
– COBIT® 5: Enabling Information
– Other Enabler Guides
COBIT 5 Professional Guides:
– COBIT® 5 Implementation
– COBIT® 5 for Information Security
– COBIT® 5 for Assurance
– COBIT® 5 for Risk
– Other Professional Guides
COBIT 5 Online Collaborative Environment

Source: COBIT 5, figure 11 and COBIT 5 for Assurance, figure 1

COBIT 5 Goals Cascade Overview

Stakeholder Drivers (Environment, Technology Evolution, …)
  [Influence]
Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation)
  [Cascade to]
Enterprise Goals
  [Cascade to]
IT-related Goals
  [Cascade to]
Enabler Goals

Source: COBIT 5, figure 4

Governance and Management in COBIT 5

Governance Objective: Value Creation (Benefits Realisation, Risk Optimisation, Resource Optimisation)
– Governance Enablers
– Governance Scope
– Roles, Activities and Relationships

Source: COBIT 5, figure 8

Key Roles, Activities and Relationships

Owners and Stakeholders [Delegate] Governing Body [Set Direction] Management [Instruct and Align] Operations and Execution
Operations and Execution [Report] Management [Monitor] Governing Body [Accountable] Owners and Stakeholders

Source: COBIT 5, figure 9

Assurance Components

– Three-party relationship involving an accountable party for the subject matter, an assurance professional and an intended user
– Subject matter over which the assurance is to be provided
– Suitable criteria against which the subject matter will be assessed
– Execute the assurance engagement
– Conclusion issued by the assurance professional

Diagram labels: Accountable Party; Assurance Professional; User; Governs and Manages; Performs; Provides Comfort to.

Assurance Process that the assurance professional will undertake:
A. Determine Scope of the Assurance Initiative
B. Understand the Subject Matter, Set Suitable Assessment Criteria and Assess
C. Communication

Source: COBIT 5 for Assurance, figure 4

COBIT 5 Principles

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Source: COBIT 5, figure 2 and COBIT 5 for Assurance, figure 7

Scope of COBIT 5 for Assurance

COBIT® 5 for Assurance
– Assurance Function Perspective: COBIT 5 Enablers for the Assurance Function
  • Principles, Policies and Frameworks
  • Processes
  • Organisational Structures
  • Culture, Ethics and Behaviour
  • Information
  • Services, Infrastructure and Applications
  • People, Skills and Competencies
– Assessment Perspective: Generic Assurance method for providing assurance over COBIT 5 enablers
– COBIT 5 framework and COBIT® 5: Enabling Processes
– ITAF
– ISACA Audit/Assurance Programmes
– Audit/Assurance Programmes for Subject Matter

Source: COBIT 5 for Assurance, figure 6

COBIT 5 Governance and Management Key Areas

Business Needs
Governance: Evaluate, Direct, Monitor
Management Feedback
Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)

Source: COBIT 5, figure 15

Selected Guidance From the COBIT 5 Family

These charts and figures are elements of COBIT 5 and its supporting guides. This excerpt is available as a complimentary PDF (www.isaca.org/cobit) and for purchase in hard copy (www.isaca.org/bookstore). It provides an overview of the COBIT 5 guidance, its five principles and seven enablers. We encourage you to share this document with your enterprise leaders, team members, clients and/or consultants.

COBIT enables enterprises to maximise the value and minimise the risk related to information, which has become the currency of the 21st century. COBIT 5 is a comprehensive framework of globally accepted principles, practices, analytical tools and models that can help any enterprise effectively address critical business issues related to the governance and management of information and technology. Additional information is available at www.isaca.org/cobit.

3701 Algonquin Road, Suite 1010 • Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545 • Fax: +1.847.253.1443 • Email: info@isaca.org
Web site: www.isaca.org

© 2013 ISACA. All rights reserved.

Generic COBIT 5-based Assurance Engagement Approach

A. Determine Scope of the Assurance Initiative
A-1 Determine the stakeholders of the assurance initiative and their stake.
A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities.
A-3 Determine the enablers in scope and the instance(s) of the enablers in scope.
– Principles, Policies and Frameworks
– Processes
– Organisational Structures
– Culture, Ethics and Behaviour
– Information
– Services, Infrastructure and Applications
– People, Skills and Competencies

B. Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
B-1 Agree on metrics and criteria for enterprise goals and IT-related goals. Assess enterprise goals and IT-related goals.
B-2 Obtain understanding of the principles, policies and frameworks in scope. Assess principles, policies and frameworks.
B-3 Obtain understanding of the processes in scope and set suitable assessment criteria. Assess the processes.
B-4 Obtain understanding of the organisational structures in scope. Assess the organisational structures.
B-5 Obtain understanding of the culture, ethics and behaviour in scope. Assess culture, ethics and behaviour.
B-6 Obtain understanding of the information items in scope. Assess information.
B-7 Obtain understanding of the services, infrastructure and applications in scope. Assess services, infrastructure and applications.
B-8 Obtain understanding of the people, skills and competencies in scope. Assess people, skills and competencies.

C. Communicate the Results of the Assessment
C-1 Document exceptions and gaps.
C-2 Communicate the work performed and findings.

Source: COBIT 5 for Assurance, figure 32

COBIT 5 Enterprise Enablers

1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
Resources

Source: COBIT 5, figure 12 and COBIT 5 for Assurance figure 10

The Seven Phases of the Implementation Life Cycle

1 What are the drivers?
2 Where are we now?
3 Where do we want to be?
4 What needs to be done?
5 How do we get there?
6 Did we get there?
7 How do we keep the momentum going?

• Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness
• Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain
• Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate

Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6

COBIT 5 Enablers: Generic

Enabler Dimension
– Stakeholders
  • Internal Stakeholders
  • External Stakeholders
– Goals
  • Intrinsic Quality
  • Contextual Quality (Relevance, Effectiveness)
  • Accessibility and Security
– Life Cycle
  • Plan
  • Design
  • Build/Acquire/Create/Implement
  • Use/Operate
  • Evaluate/Monitor
  • Update/Dispose
– Good Practices
  • Practices
  • Work Products (Inputs/Outputs)

Enabler Performance Management
– Are Stakeholders Needs Addressed?
– Are Enabler Goals Achieved?
– Is Life Cycle Managed?
– Are Good Practices Applied?
Metrics for Achievement of Goals (Lag Indicators)
Metrics for Application of Practice (Lead Indicators)

Source: COBIT 5, figure 13 and COBIT 5 for Assurance figure 11

COBIT 5 Process Reference Model

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
– EDM01 Ensure Governance Framework Setting and Maintenance
– EDM02 Ensure Benefits Delivery
– EDM03 Ensure Risk Optimisation
– EDM04 Ensure Resource Optimisation
– EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organise
– APO01 Manage the IT Management Framework
– APO02 Manage Strategy
– APO03 Manage Enterprise Architecture
– APO04 Manage Innovation
– APO05 Manage Portfolio
– APO06 Manage Budget and Costs
– APO07 Manage Human Resources
– APO08 Manage Relationships
– APO09 Manage Service Agreements
– APO10 Manage Suppliers
– APO11 Manage Quality
– APO12 Manage Risk
– APO13 Manage Security

Build, Acquire and Implement
– BAI01 Manage Programmes and Projects
– BAI02 Manage Requirements Definition
– BAI03 Manage Solutions Identification and Build
– BAI04 Manage Availability and Capacity
– BAI05 Manage Organisational Change Enablement
– BAI06 Manage Changes
– BAI07 Manage Change Acceptance and Transitioning
– BAI08 Manage Knowledge
– BAI09 Manage Assets
– BAI10 Manage Configuration

Deliver, Service and Support
– DSS01 Manage Operations
– DSS02 Manage Service Requests and Incidents
– DSS03 Manage Problems
– DSS04 Manage Continuity
– DSS05 Manage Security Services
– DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
– MEA01 Monitor, Evaluate and Assess Performance and Conformance
– MEA02 Monitor, Evaluate and Assess the System of Internal Control
– MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

This figure highlights the key supporting COBIT 5 processes (shown in dark pink), as well as the other supporting processes (shown in light pink). COBIT 5 for Assurance, section 2A, 3.2.1 and 3.2.2 provide short descriptions of each supporting process, the reason it is important and the key outputs. MEA activities (shown in light blue) are detailed in COBIT 5 for Assurance, section 2, chapter 1.

Source: COBIT 5 for Assurance figure 15

Summary of the COBIT 5 Process Capability Model

Generic Process Capability Attributes
– Performance Attribute (PA) 1.1 Process Performance
– PA 2.1 Performance Management
– PA 2.2 Work Product Management
– PA 3.1 Process Definition
– PA 3.2 Process Deployment
– PA 4.1 Process Management
– PA 4.2 Process Control
– PA 5.1 Process Innovation
– PA 5.2 Process Optimisation

Capability levels
0 Incomplete Process
1 Performed Process
2 Managed Process
3 Established Process
4 Predictable Process
5 Optimising Process

COBIT 5 Process Assessment Model—Performance Indicators
– Process Outcomes
– Base Practices (Management/Governance Practices)
– Work Products (Inputs/Outputs)

COBIT 5 Process Assessment Model–Capability Indicators
– Generic Practices
– Generic Resources
– Generic Work Products

Source: COBIT 5, figure 19

Assurance Engagement Scoping Summary

A. Determine Scope of the Assurance Initiative
A-1 Determine the stakeholders of the assurance initiative and their stake.
A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities.
A-3 Determine the enablers in scope and the instance(s) of the enablers in scope.
– Principles, Policies and Frameworks
– Processes
– Organisational Structures
– Culture, Ethics and Behaviour
– Information
– Services, Infrastructure and Applications
– People, Skills and Competencies

1. Define the assurance objective in simple language.
2. Identify the enterprise goals that are most related to the high-level assurance objective.
3. Refine the list of potential enterprise goals to a manageable set of key goals and additional goals.
4. Use the mapping table between enterprise goals and IT goals to identify potential IT goals that need to be achieved.
5. Refine—taking into account the specific environment—the set of potential IT goals to a manageable set of key IT goals and additional IT goals.
6. Use the mapping table between IT goals and COBIT 5 processes to identify potential processes that support the IT goals.
7. Refine the list of selected processes to a manageable list.
8. Use the RACI charts of the selected processes to identify potential organisational structures in scope, and refine the list.
9. Use the RACI charts of the selected processes to identify potential people, skills and competencies in scope, and refine the list.
10. Use the input/output tables of the selected processes to identify potential information items in scope, and refine the list.
11. Identify which other enablers support the achievement of the selected IT goals.
12. Consolidate the list of enablers in scope and remove redundancies.

Source: COBIT 5 for Assurance, figure 34
