Tag Archives: COBIT 5

COBIT 5 is the Lingua Franca for Business Executives and Technology Leadership

Introducing COBIT 5

COBIT 5 is designed to serve both the needs of Business Executives and IT Professionals

IT is getting more complex every day but IT Governance doesn’t have to.

5 Essential Facts – LINK

Fact Number 2

“COBIT 5 is the only business framework for the governance and management of enterprise IT.

COBIT’s globally accepted principles, practices, analytical tools and models are designed for business executives – not just IT leaders. What’s more, COBIT 5 can be used in any industry and by organizations of all sizes”.

COBIT 5 – Govern and Manage Enterprise IT

ISACA International President Ken Vander Wal discusses the 5 Principles of COBIT 5 and how the framework helps Govern and Manage Enterprise IT.

COBIT 5 – Observations

“Specialists are very good at what they do,” he said. “Service management professionals manage and, for most, their preferred guidance is ITIL. Security professionals protect, and, for many of them, the preferred guidance is the ISO/IEC 27000 series.

By using a COBIT-inspired model, all groups were able to see how their work fit under an overall umbrella and how their work related to each other’s work.”

Bob Frelinger, manager of the Process Management program for Oracle’s Global IT group

Here is a smart tweet from Greg and an interesting comment from Mr TIPU.

“The difference between COBIT and ITIL is that a COBIT practitioner knows the difference”.

Gregory Tucker @ITSMinfo on Thursday 10th May

“Was asked if I could do an #ITIL assessment. No, I’d use #COBIT. Surprised look: he hadn’t thought of that.”

Rob England @theitskeptic on Wednesday 16th May

What’s in COBIT 5 for Auditors? – LINK

Shifts from a Technology to a Business Conversation

COBIT 5: Avoiding Common Implementation Missteps

Brian Barnier (Video Clip) – LINK

So we are one month on since the launch of COBIT 5 and there have been more than 66,000 publication downloads.

Practitioners have warmed to the new Evaluate, Direct and Monitor processes for the Governance of Enterprise IT.

ISACA is turning its attention to COBIT 5 Training.

For more information or a list of dates and locations please contact COBITtraining@isaca.org.

For too long there has been a disconnect between Business and Technology goals.

COBIT 5 is a common language to strengthen the interlock between Business Executives and Technology leadership.

When there’s a downpour in IT you need the COBIT 5 umbrella framework.

“If management is about running the business, governance is about seeing that it is run properly.” – R Tricker




Filed under Business

Common Objectives for the Business and IT

COBIT 5 was officially launched on Tuesday the 10th of April.

The evolution from COBIT 4.1 shifts focus away from “Control Objectives for Information and Related Technology” to Governance and Management of Enterprise IT.

My take on the evolution of the COBIT 5 framework is that we now have a way of defining and agreeing “Common Objectives for Business and IT”.

The following number of downloads of the COBIT 5 Framework have been processed in just 4 days.

I wonder how many of these downloads have been made by individuals in the Business, Consultants and Trainers rather than IT folk.

Here is the LINK to the COBIT 5 Product Family.

The fresh guidance provided in COBIT 5  will make it possible to align Enterprise (Business) and IT related goals by defining and agreeing common objectives.

Common objectives are required to close the communication / expectation gap between IT and the Business. In this video the CEO is talking with the CIO.

How are you helping the Business drive revenue?

Is IT focussing on driving our strategic initiatives?

How are you enabling innovation within the Business?

How is IT aligning to the Business and adding value?

Looks like they both could use some help.

So how should you address the gap in perception and reality?

A good place to start is to read the new Evaluate, Direct and Monitor processes for the Governance of Enterprise IT, specifically:

  • EDM02 Ensure Benefits Delivery and
  • EDM05 Ensure Stakeholder Transparency

These processes will help the Business and IT to develop a shared understanding of stakeholder needs and value realisation.

The spring issue of ServiceTalk dropped on my mat this week and contained an article by Robert E Stroud entitled COBIT 5: Delivering Value Through Governance and Management. The 2-page article, tucked away at the back of the magazine, provides an overview of the COBIT 5 Framework, Enabler Guides and Professional Guides.

You have to be a member of itSMF in order to view the article online. LINK

Stroud states that “Value can only be realised when COBIT is adopted and adapted to fit a particular environment. The implementation must address the specific business challenges, including managing changes to culture and behaviour”.


There is an expectation gap between the Business and IT because Enterprise and IT related goals are not aligned.

The purpose of Internal or External IT Service Providers is to serve the Business. A successful relationship can only work if there is a set of shared goals and common objectives. COBIT 5 practical guidance is a great place to start in order to address communication gaps and have the right conversations.

The COBIT 5 framework enables the Business and IT to talk about the same things in the same way. Tighter integration is required between the Business and IT in order to drive solutions and lay the foundations for a Transformation journey. (from 37 seconds in)

We are operating in a Multi Sourcing environment and COBIT 5 will jump start the ability of Service Integrators to implement the right governance processes.

Failure to act and demonstrate value to Business Executives will open the door for the Consulting firms / Independent Consultants who sit at the intersect between the Business and IT.

Making excuses that the IT organisation is too busy to carve out time to understand, plan and implement the COBIT 5 guidance is not acceptable.

Get involved or you will be bypassed and become irrelevant.


Filed under Business

COBIT 5 launched and ready for download

The new COBIT 5 framework covers the Governance of Enterprise IT and sets out the guidance to achieve business objectives and help increase business user satisfaction with IT.

The three COBIT 5 publications introduce, define and describe the principles, enabling processes and the implementation steps.

“COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.”

Principle 1. Meeting Stakeholder Needs – Stakeholder needs are translated into specific Enterprise, IT-Related goals and Enabler goals.

Principle 2. Covering the Enterprise End-to-End – Governance and Management of information and related technology is addressed from an enterprise-wide, end-to-end perspective.

Principle 3. Applying a Single Integrated Framework – COBIT 5 defines the overarching governance and management framework that has been designed to integrate seamlessly with other good practice guidance, e.g. ISO 38500.

Principle 4. Enabling a Holistic Approach – The seven categories of Interconnected Enterprise Enablers are set out below:

Principle 5. Separating Governance from Management

COBIT 5 advocates that organisations implement the key governance and management processes.

Significant attention should be given to the five Evaluate, Direct and Monitor processes.


COBIT 5 provides an end-to-end view of the 37 processes for successful governance and management of Enterprise IT.

A separate publication describes the 7 Implementation Steps in detail.

Derek Oliver, Co-Chair COBIT 5 Task Force at ISACA, discusses the business benefits of using COBIT 5.

Access this link to reserve/download your copy of COBIT 5. You will need to register with ISACA and state your affiliation before you are able to do so.

The COBIT 5 Framework of 3 concise Publications and supporting Toolkit provide fresh thinking and guidance on what is required to successfully Govern Enterprise IT.

This version is an evolution of the previous guidance and sets out how to implement key Enterprise IT Governance and Management processes.

The COBIT 5 Process Capability Model and Training Curriculum will be released shortly.

The launch of the COBIT 5 Framework enables Business Executives to articulate their specific stakeholder needs in a language that is common to Internal and External IT Service Providers.

Failure to understand and apply the new guidance will lead to an imperfect future for the IT organisation.

Business Executives have decision rights on how they source the provision of services. They will gravitate towards the IT organisations who can “talk the COBIT 5 talk” and can demonstrate value delivered.

Previously I have published two posts about COBIT 5:

In my November 2011 POST – COBIT 5 is coming – will you be ready? – there is a link to the Exposure Draft version of the Process Reference Guide.

In my February 2012 POST – COBIT 5 is now approaching the finish line – there is a detailed description of the seven implementation steps.

For the two-thirds of my readers who are in the US: COBIT 5 is here – HOOYAH!


Filed under Business

What is my Cloud Computing Strategy?

At its most basic level, Cloud Computing allows users to obtain computing capabilities through the internet, regardless of their physical location. Computing clouds are in essence huge online data centres containing thousands of servers hosting web applications. Cloud services, from infrastructure to complete business processes, can be purchased through web interfaces and turned on and off as they are needed.

Most Business and IT senior executives are aware of the benefits that cloud computing can bring – capital light, lower run costs, agility and faster time to market – all enabled by flexible access to applications and processing power on a pay-per-use basis.

Red Flag 1 – The discretionary (Variable) and non-discretionary (Fixed – Keep The Lights On) cost management pressure that businesses place on IT will increase to become the new normal. In addition, use of an IT resource no longer depends on having the capital to own it. The business is able to source, scale and deliver compute capacity unbound by physical location or labour thanks to the cloud.

Red Flag 2 – Business Units are already choosing third party cloud vendors and bypassing the in-house IT function, which they find to be too slow, bureaucratic and difficult to work with.  While IT remains cautious, business users have fully embraced Cloud based services. Cloud usage in the enterprise today is widespread and uncontrolled, with security and audit implications.

It is important to revisit the IT Strategy to incorporate the cloud and the new services it will enable. With this in mind, what guidance is available to help formulate the strategy? The most common frameworks are ITIL, ISO 38500 and COBIT 5.

ITIL 2011 Edition – Service Strategy

“Strategy Management for IT services (page 136) is intended for managing the strategy of a service provider: it will include a specification of the types of service it will deliver, the customers of those services and the overall business outcomes to be achieved when the service provider executes the strategy.”

“Strategy Management ensures that all stakeholders are represented in deciding the appropriate direction of the organisation and that they all agree on its objectives and the means whereby resources, capabilities and investments are prioritized.”

Figure 4.3 The strategy management process (page 138) illustrates the Assessment, Generation and Execution phases.

Appendix C – Service Strategy and the Cloud (Page 387)

“The basic principle of the cloud is that whatever IT service or utility a customer needs can be provided directly using the internet (or intranet) on a pay-per-use basis.  Customers do not see, nor do they care, how the services are created and delivered.”

ISO/IEC 38500 Corporate governance of information technology

“The objective of ISO 38500 is to provide a structure of principles for directors (including owners, board members, directors, partners and senior executives) to use when evaluating, directing and monitoring the use of IT in their organizations.

Directors should govern IT through three main tasks:

1. Evaluate the current and future use of IT.

2. Direct preparation and implementation of plans and policies to ensure that the use of IT meets business objectives.

3. Monitor conformance to policies and performance against the plans”.


COBIT 5 introduces a Governance Domain which has 5 EDM processes as described in my previous post.

In summary the guidance (What) provided by these three frameworks will help design and establish a robust governance framework; however there is limited (How) detail around the specific approach to take for Cloud enabled services.

Formulating a Cloud Computing Strategy

So let’s explore five key decisions that will need to be addressed in order to formulate a cloud computing strategy:

  • Do we continue to build out our own computing infrastructure?

IT must determine if the computing infrastructure is expensive and too inflexible, because a highly virtualised and well managed infrastructure saves money. Some legacy applications will remain core and do not lend themselves to a cloud strategy (e.g. SWIFT transactions); however, applications approaching end of life should migrate to avoid further investment.

  • Which parts of the Business do we move to the cloud?

IT should consider the cloud for new applications or business processes as requirements evolve. The cloud can significantly reduce time to market when rolling out new functionality and processes.

  • What type of cloud deployment do we use?
    1. Public Cloud: scalable bandwidth shared with multiple tenants.
    2. Private Cloud: applications and services deployed through the cloud but within the confines of the organisation’s on-premise data centre or off premise (TelCos building private clouds for customers).
    3. Hybrid Cloud: mixing Public and Private Clouds is the preferred solution for the business because it provides the best balance of flexibility and risk management.

  • How must our governance framework evolve?

IT must retain control over which services are offered and managed, and business units will have a say in getting the technology they need.

  • How do we protect sensitive customer information?

New measures will be required to help ensure that while data can be accessed anywhere and anytime, businesses do not breach data protection laws.

Cloud Computing – Not If but When

What are the actions needed to create the cloud enabled business?

IT must partner closely with business customers across the enterprise to understand and meet their needs in a responsive and cost effective way, while also helping to manage and integrate private, hybrid and public cloud based services alongside existing core business applications and technology.

Appoint a Cloud Leadership Team to drive change across the organisation in a co-ordinated effort that is led by Business and IT champions who aggressively push communications.  The team should develop a position on how the cloud will impact the business – create new opportunities, new channels to market and new competitive threats – and how the technology can accelerate existing needs.  The Cloud Leadership Team will need to specify which changes are going to have the most profound impact and prioritise these initiatives based on business benefit, difficulty of migration and any required investment spend.

IT must develop and implement a roadmap to replatform or replace existing business applications over time and then to build new applications using cloud based platforms.

As IT implements its new cloud strategy the IT function has a great opportunity to transform its role and establish itself as the business’s supplier of choice.

IT will require new skills and capabilities, for example hybrid managers who are close enough to the business to fully understand their issues and how cloud computing can respond to meet their needs quickly and cost-effectively. These hybrid managers will manage all the current and future cloud vendors and integrate cloud services on behalf of the business.

IT will act as the key service interface between the business units and the various suppliers. Ensuring seamless data integration between cloud and non-cloud services is a critical element of IT’s new role.

IT will need to assess and mitigate the risk of “lock-in”. With Infrastructure as a Service (IaaS), the cloud makes it easier to migrate relatively smoothly to another provider. But with Software as a Service (SaaS), data is stored on the supplier’s servers, making it difficult to disentangle.

As companies start shifting computing tasks to outside providers in the cloud, intermediaries have emerged to help them do it.

Cloud Service Brokerage

“A successful cloud computing strategy often involves customizing services from one or more vendors. One way to do this is through an intermediary service provider: a Cloud Services Brokerage. A CSB can make it easier to consume and maintain cloud services, while reducing the cost and risk encountered when an enterprise tries to address these issues alone.” Gartner

If you want to consume SaaS, access an Information store or other services, then the Cloud Service Broker provides a single interface and can also offer managed services, professional services or Business Process Outsourcing.

The Cloud Service Broker sits between public cloud services and the customer, taking the commodity-like cloud services and customising them to be more specific to the customer. A CSB also allows the business to extend their control over their applications and data into the cloud.

The Cloud Service Broker adds value when it is aggregating multiple services.

A recent Gartner report outlined three categories of cloud brokers that will enhance cloud services:

Cloud Service Intermediation: An intermediation broker provides value added services on top of existing cloud platforms, such as identity or access management capabilities.

Aggregation: An aggregation broker provides the “glue” to bring together multiple services and ensure the interoperability and security of data between systems.

Cloud Service Arbitrage: A cloud service arbitrage provides flexibility and “opportunistic choices” by offering multiple similar services to select from.


Filed under Business

COBIT 5 is coming – will you be ready?

COBIT 5 (Control Objectives for Information Technology) will be published by the end of Quarter 1, 2012. It is important to recognise that the new version shifts focus away from v4.1 control objectives to the governance and management processes set out in COBIT 5. John W. Lainhart, the co-chair of the COBIT 5 task force, provides an overview.

John states that COBIT 5 goes into the business perspective, not just the IT perspective. There is an increased business focus on enterprise governance and management of IT. The starting point of governance and management activities is the stakeholder needs related to enterprise IT.

The business focus of COBIT 5 is further achieved through identifying all stakeholders and their needs. There are many examples of internal and external stakeholder needs in Fig 10 (Page 25).

The COBIT framework is based on these five principles:

The COBIT 5 Integrator Framework – includes Val IT, Risk IT, the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF) plus integration with other frameworks, standards and practices  – ISO, TOGAF, PMBOK and ITIL.

The Governance Objective: Value Creation – Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation. Value creation means realising benefits at an optimal resource cost whilst optimising risk.

Business and Context Focus – Having a business focus means focussing on enterprise goals and objectives. This relates to every enterprise’s objective for benefits realisation, risk optimisation and resource optimisation.  COBIT 5 covers all of the critical business elements, i.e. processes, organisational structures, principles & policies, culture, skills and service capabilities. In addition, a new information model provides a simple link between business information and the IT function.

The COBIT 5 Governance Approach—Enabler Based

The main elements of the governance approach are as follows:

  • Governance enablers are the organisational resources for governance, such as frameworks, principles, structure, processes and practices
  • Governance scope: Governance can be applied to the whole enterprise, an entity, a tangible or intangible asset, etc.
  • Roles, Activities and Relationships: It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system.

Governance and Management Structured – The COBIT 5 framework makes a clear distinction between governance and management.

Governance is about the Senior Management team providing a steer and making, sponsoring and enforcing the right decisions to meet enterprise objectives.

Management is responsible for execution by making effective use of resources, people, processes, practices in line with the direction set by the governing body.

COBIT 5 Process Capability Model (replaces the Maturity Model)

An important update in COBIT 5 is the use of the process capability model from ISO/IEC 15504 IT / Software Engineering—Process Assessment which provides a sound standard for the assessment of a process to achieve its required outcome.

Level 0 – Incomplete. Process is not implemented or fails to achieve its process purpose.

Level 1 – Performed. The implemented process achieves its process purpose.

Level 2 – Managed. Process is planned, monitored and work products are established.

Level 3 – Established. Process is capable of achieving its process outcomes.

Level 4 – Predictable. Process now operates within defined limits to achieve its process outcomes.

Level 5 – Optimizing. Process is continuously improved to meet current and projected business goals.

Previously much debate has been generated about the need to align the Maturity definitions across frameworks. For example:

CMMI (Development & Services) has 5 levels – Initial, Managed, Defined, Quantitatively Managed, Optimized

ITIL 2011 Edition (Service Management Practices) – Initial, Repeatable, Defined, Managed, Optimized

I suggest that more focus and attention is given to the new Business facing processes than on arguing the relative merits of one level definition against another.  It is what it is!

COBIT 5 Process Model

  • Stakeholders – Processes have internal and external stakeholders
  • Goal & Metrics – Goals are defined as a statement describing the desired outcome of a process
  • Lifecycle – defined, created, operated, monitored and adjusted/updated, or retired
  • Good Practices – are described in cascading levels of detail: practices, activities and detailed activities
  • Attributes – provide the how, why and what to implement for each governance or management practice

COBIT 5 Process Reference Model

The COBIT 5 Process Reference Model divides the governance and management processes of enterprise IT into two main process domains:

  • The GOVERNANCE domain, contains five governance processes; within each process, Evaluate, Direct and Monitor practices are defined
    • EDM1  Set and Maintain the Governance Framework
    • EDM2  Ensure Value Optimisation
    • EDM3  Ensure Risk Optimisation
    • EDM4  Ensure Resource Optimisation
    • EDM5  Ensure Stakeholder Transparency
  • The four MANAGEMENT domains, in line with the responsibility areas of Plan, Build, Run and Monitor (PBRM—an evolution of the COBIT 4.1 domains), provide end‐to‐end coverage of IT.

In COBIT 5, the processes also cover the full scope of business and IT activities related to the governance and management of enterprise IT, thus making the process model truly enterprise-wide.

COBIT 5 Process Reference Guide – Volume 2 (c. 225 pages)

The Process Reference Guide incorporates COBIT 4.1, Val IT and Risk IT processes and describes the following for each process:

  • Process Name, Area and Domain
  • Process Description
  • Process Purpose Statement
  • IT Related Goals and Metrics
  • Process Goals and Metrics
  • RACI Chart
  • Process (Governance or Management) Practices, Inputs/Outputs and Activities

The inputs and outputs of a process are defined in detail in the Process Reference Guide.

COBIT 5 Implementation Guide

There are seven phases in the implementation lifecycle which describe how to establish an approach to deliver a sustainable set of governance and management processes for the enterprise.

For the latest information access the ISACA COBIT 5 Initiative Status Update.

So what will COBIT 5 mean to my organisation?

The major improvement delivered by COBIT 5 is that the new guidance has been packaged in a way that Business leaders can understand and practise how to effectively govern their IT organization. At a time when information assurance, risk and security controls are increasingly important to safeguard the reputation of the Business and meet regulatory requirements, COBIT 5 sets out how to align Business stakeholder needs with IT related goals by implementing a rigorous governance and management framework.

So, you effectively have four months to tailor the Evaluate, Direct and Monitor processes defined in the Governance domain by working closely with internal and external stakeholders. The clock is ticking and you should expect that the IT Assurance consultants from the big audit practices and the traditional consulting firms are preparing their sales messages for their target clients. By walking the halls and having the right conversations with the Business buyers they will commission engagements following the release of the new standard.

Get ahead of the curve. Download the COBIT Self Assessment Guide – Process Capability Assessment and the COBIT 5 Process Reference Guide. Firstly conduct a gap analysis of your current governance and management framework, then perform an internal assessment against the new process templates and share your findings with the business operations / operational excellence team. Agree any investment spend required to uplift the maturity of the five Governance processes which are visible to the Business. Get tight with the Business in order to define and embed the key governance forums and roll out revised management processes across internal and external Service Providers.


Filed under Business