Sunday, May 15, 2011

COBIT 5

 
On 12th April 2011, I attended an enlightening evening lecture in London on COBIT 5 presented by Dr Derek Oliver (co-chair COBIT 5 Task Force at ISACA). He explained the new concepts, the core volumes and confirmed that a public exposure draft will be available in June - July 2011 with final publication likely in January 2012. This is what I discovered.
Key Concepts
COBIT 5 concerns “the governance and management of enterprise information.” It is more than IT governance and includes information governance. It also adopts the ISO 38500 view that both IT governance and IT management are required and uses the Evaluate, Direct and Monitor model of ISO 38500.
A new approach has been introduced to direct potential users of COBIT to the relevant core COBIT 5 publications, which then point them on to other frameworks and standards rather than incorporating those into COBIT 5 itself. The concept for achieving this is called the “Lens Concept”. Essentially there is a 60pp COBIT Framework volume that provides the basics and is supported by a range of subsection volumes that help a stakeholder meet their specific needs: e.g. the “COBIT for Assurance” volume is for auditors and the “COBIT for Security” volume is for security specialists.
All volumes will be slimmer and each is created, assessed and maintained by subject matter experts (SMEs).
As usual with a version upgrade, there is migration guidance and mappings from CobiT 4.1, Val IT, Risk IT etc. to COBIT 5.
Processes
The focus of COBIT 5 is on processes. There are 36 processes, each with a three-letter identifier, split into governance and management “areas”. The two areas contain a total of 5 domains:
Governance of Enterprise IT
   Evaluate, Direct and Monitor (EDM) – 5 processes
Management of Enterprise IT
   Align, Plan and Organise (APO) – 12 processes
   Build, Acquire and Implement (BAI) – 8 processes
   Deliver, Service and Support (DSS) – 8 processes
   Monitor, Evaluate and Inform (MEI) - 3 processes
This is quite a condensation when you consider that COBIT 5 has incorporated the 34 processes of CobiT 4.1, the 22 processes of Val IT and the 9 processes of Risk IT.
Interesting new processes are the EDM processes:
EDM1 Set and Maintain the Governance Framework
EDM2 Ensure Value Optimisation
EDM3 Ensure Risk Optimisation
EDM4 Ensure Resource Optimisation
EDM5 Ensure Stakeholder Transparency
Processes present in other frameworks and standards are formally included:
APO3 Manage Enterprise Architecture
APO4 Manage Innovation
APO5 Manage Portfolio
APO8 Manage Relationships
APO10 Manage Supplier
BAI8 Manage Knowledge
Also Availability and Capacity are merged:
BAI4 Manage Availability and Capacity
The Service Desk has been removed as part of a process name, so now there is:
DSS4 Manage Service Requests and Incidents
Core Volumes
COBIT 5 has 3 core volumes:
  • Volume 1: The Framework ~ 60pp – principles & models for enterprise governance of IT
  • Volume 2: Process Reference Guide ~ 200pp – detailed process reference guide
  • Volume 3: Implementing and Continually Improving Enterprise Governance of IT (ready later in 2011)
Volume 1: The Framework: covers governance and management of IT – with definitions and descriptions of several new models – and is designed for stakeholders so they can understand COBIT 5 and gain guidance on implementation and migration. It will translate stakeholders’ concerns into concepts and includes an evolution of the well-accepted “Business Goals drive IT Goals drive IT Processes” approach of CobiT 4.1.
Volume 2: Process Reference Guide: retains the basic approach, structure and content of the process reference model of CobiT 4.1, with its template-driven set of pages for each process. However, new layouts and heading terminology are used. E.g. the process description page of each process is simplified: the cascaded description of the process, with its multiple indents, is replaced by a simple, short “process purpose” statement.
A major change is that the COBIT Maturity Model has been replaced by the COBIT Process Capability Model, which is based on ISO 15504 – the process assessment standard. There are still levels 0 to 5 but with different level names, and since ISO 15504 calls these Capability Levels that name has been adopted rather than Maturity Levels. These levels are related to 9 Process Attributes. This change will ensure compliance with the international standard while also giving improved focus on how well processes are being performed and whether they are achieving their purpose. It may be the case that the recently released (April 12, 2011) ISACA document CobiT Assessment Process (CAP) is the basis for this – but that is my personal view and may be incorrect.
Volume 3: Implementing & Continually Improving Enterprise Governance of IT: will be an updated version of the CobiT 4.1 lifecycle approach (Implementing and Continually Improving IT Governance) with the addition of how to migrate to COBIT 5 from CobiT 4.1.
Other Initial Volumes
Volume 2 will be a set that is likely to be seen as “Enabler Views”.
   2a Process Reference Guide (discussed earlier as Volume 2)
   2b Information Reference Model – a new model, publication due in 2011.
   2c  Organisational Structure Reference Guide
   2d Policies and Procedures Reference Guide
   2e People Reference Guide
   2f Service Capability Reference Guide
   2g Culture, Ethics and Behaviour Reference Guide
Volume 3 will be the lead volume in a set called the COBIT 5 Practice Guides:
   Vol. 3: Implementing and Continually Improving Enterprise Governance of IT
   Other volumes in the set:
   COBIT for Security
   COBIT for Risk
   COBIT for Value
   COBIT for Assurance
   COBIT for Privacy
   COBIT for Small to Medium Enterprises
   COBIT 5 Capability Assessment Guide
   and others as required.
Development Status
Volumes 1 and 2 of the core volumes are complete, are being reviewed by subject matter experts (SMEs) and are expected to be published for public exposure and comment in June-July 2011. Vol. 3 development is awaiting sign-off by the ISACA Framework Committee but is still expected in 2011 since it is only an update to the CobiT 4.1 version. All 3 core volumes are targeted for final publication in January 2012. ISACA will also be using writing specialists to make the content readable. Work is currently under way to develop the COBIT for Security volume, but the others in that set will be developed later.
The other interesting news was that ISACA is considering devising a new logo for COBIT 5 and will likely produce a 5 page pre-launch, marketing guide. I was amused to hear that COBIT 5 is often known as C5. Brits of my age are unlikely to use that abbreviation since C5 was Clive Sinclair’s C5 electric car, built in 1985 and immediately the object of media and popular ridicule.
I’d like to thank Derek Oliver for taking the time to prepare and present the evening lecture and John Mitchell of the Information Risk Management and Assurance Group (IRMA) of the British Computer Society (BCS) for organising the event. Any mistakes or misunderstandings in this column are, of course, solely my responsibility.
© 2011 Geoff Harmer