
COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy

By Christopher Oparaugo, CISM, CGEIT, CRISC

COBIT Focus | 5 December 2016

In recent years (as demonstrated in my previous article, “ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance”),[1] the balanced scorecard (BSC)[2, 3, 4] has been applied to enterprise IT, and the first real-life IT security governance application has been developed based on mapping the control objectives from the International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) ISO/IEC 27001:2013 standard to COBIT® 4.1 process and IT governance focus areas.[5] As a further exercise, the relationships and similarities between ISO/IEC 27001:2013, COBIT 4.1 and COBIT® 5 can be explored to provide data values, insights and results that will help in strategic management discussions.

What is driving the need for this mapping exercise?

• The need to integrate IT governance with overall business governance
• The need for effective deployment, governance and management of enterprise IT
• The exercise will help in establishing enterprise IT strategy through control objective linkages
• Key performance indicators (KPIs) can be derived for individuals or business units

This article explains how an exercise in instituting controls can be used to establish IT strategy, which is shown in the resultant enterprise and IT goals BSC values and outcomes applied in COBIT 5. In so doing, it showcases the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls and processes further to COBIT 5 governance and management processes.

Brief Understanding of ISO/IEC 27001:2013

An executive brief from ISO/IEC 27001:2013 sheds more light on the essence of having controls in an enterprise IT organization.[6] Organizations of all types and sizes collect, process, store and transmit information in many forms. This information is valuable to an organization’s business and operations. In today’s interconnected and mobile world, information is processed using systems and networks that employ state-of-the-art technology. It is vital to protect this information against both deliberate and accidental threats and vulnerabilities. ISO/IEC 27001 helps organizations keep their information assets and those of their customers secure. Effective information security assures management and other stakeholders that the organization’s assets are safe, thereby acting as a business enabler.

“The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process, which reassures interested parties that risk factors are adequately managed. It is important for the information security management system to be part of, and integrated with, the organization’s processes and overall management structure and for information security to be considered in the design of processes, information systems and controls.”[7] The information security risk assessment and treatment process in this international standard aligns with the principles and generic guidelines provided in ISO 31000.[8]

What Is the Essence of Having Controls?

Enterprise security is no longer solely the realm of the IT department. Within the Internet of Things (IoT) and in the world, “data is recognized as a core business asset, valuable to companies and cybercriminals alike. Therefore, the enterprise risk caused by cyber security threats to data requires a holistic approach”[9] to security; oversight of security compliance and controls must be a senior management, C-suite and boardroom responsibility because security oversight is risk management oversight and, therefore, a corporation’s business oversight.

“Risk management aims to identify the risk a company faces and ways of mitigating it to a bearable level determined by the company’s risk appetite.”[10]

It is recognized that risk exists due to the confluence of assets, threats and vulnerabilities. Accordingly, employing mitigating controls that reduce one or all of these factors reduces the overall risk exposure of the organization.

“As data risk encompasses the risk of financial losses; business disruption; the loss or compromise of assets and information; the failure to meet legal, regulatory or contractual requirements; and reputational damage, effective oversight of IT security is essential to enterprise or corporate oversight of risk management. The need for information security requires a number of policies and procedures to be created and put in place. These policies, in turn, require a number of security-related standards and practices to be implemented. However, if the enterprise’s and personnel’s culture and ethics are not appropriate, enforcing information security processes (the policy controls) and procedures will not be effective.”[11]

An exercise in instituting controls can be used to establish IT strategy, which will be shown in the resultant enterprise and IT goals BSC values and outcomes applied to COBIT 5 governance and management processes.

The resultant summation from the control questions is shown in figure 1 and figure 2 for control domains and security control areas. With these values from the exercise, low values can be potential areas of security breaches (e.g., backup, redundancies) leading to business continuity issues. Data security is no longer a cost of doing business, but a core component of remaining in business. Resources must, therefore, be appropriately allocated to meet these risk factors. Budgeting must enable the company to deploy, train and develop the right people and processes and employ technology to truly address the company’s security needs.[12]

Figure 1—Resulting ISO/IEC 27001:2013 Compliance Data by Domain

Security Control Domains | Status (%)
A.5 Information Security Policies | 90.50
A.6 Organization of Information Security | 86.43
A.7 Human resource security | 88.19
A.8 Asset management | 83.29
A.9 Access control | 85.71
A.10 Cryptography | 82.33
A.11 Physical and Environmental Security | 82.26
A.12 Operations Security | 82.74
A.13 Communications Security | 81.72
A.14 System Acquisition, Development and Maintenance | 81.48
A.15 Supplier Relationships | 83.40
A.16 Information Security incident management | 80.20
A.17 Information Security aspects of Business Continuity Management | 80.69
A.18 Compliance | 82.47

Source: Christopher Oparaugo. Reprinted with permission.

Figure 2—Resulting ISO/IEC 27001:2013 Compliance Data by Controls and Domains

Control Domains | Security Control Areas | Status (%)
A.5 Information Security Policies | Management direction for information security | 90.50
A.6 Organization of Information Security | Internal Organization | 87.72
 | Mobile devices and teleworking | 85.14
A.7 Human resource security | Prior to employment | 86.25
 | During employment | 90.00
 | Termination and change of employment | 88.33
A.8 Asset management | Responsibility for assets | 83.75
 | Information classification | 81.39
 | Media handling | 84.72
A.9 Access control | Business requirements of access control | 86.25
 | User access management | 88.26
 | User responsibilities | 85.00
 | System and application access control | 83.33
A.10 Cryptography | Cryptographic controls | 82.33
A.11 Physical and Environmental Security | Secure areas | 83.38
 | Equipment | 81.15
A.12 Operations Security | Operational procedures and responsibilities | 85.21
 | Protection from malware | 82.50
 | Backup | 76.67
 | Logging and monitoring | 81.87
 | Control of operational software | 80.00
 | Technical Vulnerability Management | 89.59
 | Information Systems Audit considerations | 83.34
A.13 Communications Security | Network Security Management | 83.24
 | Information transfer | 80.21
A.14 System Acquisition, Development and Maintenance | Security requirements of information systems | 81.20
 | Security in development and support processes | 83.24
 | Test data | 80.00
A.15 Supplier Relationships | Information security in supplier relationships | 83.89
 | Supplier service delivery management | 82.92
A.16 Information Security incident management | Management of information security incidents and improvements | 80.20
A.17 Information Security aspects of Business Continuity Management | Information Security Continuity | 81.39
 | Redundancies | 80.00
A.18 Compliance | Compliance with Legal and Contractual requirements | 81.33
 | Information Security reviews | 83.61

Source: Christopher Oparaugo. Reprinted with permission.

Understanding COBIT 5 in Relation to Governance and Strategy

COBIT 5 provides the next generation of ISACA’s guidance on the enterprise governance and management of IT. It builds on more than 15 years of practical usage and application of COBIT® by many enterprises and users from the business, IT, risk, security and assurance communities.[13] COBIT has evolved from an audit framework to a control framework, from a control framework to an IT governance framework that can be mapped to other international standards, and now to a governance of enterprise IT (GEIT) framework, showing a management strategy for enterprise IT.

Key Concepts

Information is a key resource for all enterprises, and from the time that information is created to the moment that it is destroyed, technology plays a significant role. IT is increasingly advanced and has become pervasive in enterprises and in social, public and business environments.[14]

“As a result, today, more than ever, enterprises and their executives strive to:

• Maintain high-quality information to support business decisions
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT
• Achieve operational excellence through the reliable and efficient application of technology
• Maintain IT-related risk at an acceptable level
• Optimize the cost of IT services and technology
• Comply with ever-increasing relevant laws, regulations, contractual agreements and policies”[15]

COBIT 5 is not prescriptive, but it advocates that organizations implement governance and management processes such that the key areas are covered, as shown in figure 3.

Figure 3—Separating Governance From Management

Source: ISACA, COBIT® 5, USA, 2012

COBIT 5 provides a comprehensive framework that helps enterprises achieve their goals and deliver value through effective governance and management of enterprise IT. Successful enterprises have recognized that the board of directors (BoD) needs to embrace IT just like any other significant part of doing business. Corporate boards and business management (in both the enterprise and IT functions) must collaborate and work together so that IT is included within the governance and management functions.


In addition, 2 core components of GEIT (controls and compliance) must be overseen at the highest levels of management to confirm that they are customized for the enterprise standards and are not applied generically:

• Controls—The organization’s systems, procedures and processes for protecting data
• Compliance—An organization’s program for ensuring adherence to and enforcement of enterprise security policies and relevant external privacy and data protection laws and regulations. Departmental policies, standards and procedures are often disconnected from operational practices, and technology infrastructures that are not tailored specifically to the company’s operations become wasted effort and ineffective.[16]

The COBIT 5 framework makes a clear distinction between governance and management. These 2 disciplines encompass different types of activities, require different organizational structures and serve different purposes. The COBIT 5 view on this key distinction between governance and management is:

• Governance—Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. In most enterprises, governance is the responsibility of the BoD under the leadership of the chairperson.
• Management—Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve enterprise objectives. In most enterprises, it is the responsibility of the executive management, under the leadership of the chief executive officer (CEO).[17]

This article presents a mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 using the control data values from a previous article (“ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance”) and a target value for differentiation. It has been designed for guidance purposes and discussion.

Further, this article extends the mapping from COBIT 4.1 processes to COBIT 5 processes using input control data from ISO/IEC 27001:2013 as designed to bring out the BSC dimensions for a strategic guide and measurement system.

Adopting the Lean Management theory’s 5 Whys approach (the process of continually asking questions until you get to the root cause)[18] enabled validation of the assessment results, getting closer to a problem or low value until the real issue is understood. The 5 Whys method helps managers eliminate waste and aids executives in figuring out which projects or controls to pursue and which to address to find solutions to underperforming areas in a controlled environment, to aid enforcement of the policy. Productivity and strategy mean different things to different people, but, at their core, the meaning is how effective an organization’s decisions are in delivering subsequent results.

COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective (figure 4).[19]

Figure 4—Covering the Enterprise End-to-end

Source: ISACA, COBIT® 5, USA, 2012

The questions help stakeholders understand whether the set objectives were achieved based on the results and backward reviews of the elements contributing to these results. These results also show IT governance pain points to be addressed. In addition to these activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (responsible, accountable, consulted and informed [RACI] charts) for each process, and Capability Maturity Model Integration (CMMI) scores help stakeholders see the picture and values of control activities.

These resultant data from the exercise were further employed as COBIT information criteria for primary and secondary grouping. The resultant values of the ISO/IEC 27001:2013 mapping to COBIT 4.1 processes are linked with the defined IT governance areas.

The value inputs of 0% to 100% from the ISO/IEC 27001:2013 control objectives security control questions are mapped to COBIT 4.1 domains and processes, and further mapping is done from COBIT 4.1 to COBIT 5 related processes. These are linked to the IT focus areas as exercise results showing the values from the data mapping outputs, illustrated in figure 5.

Figure 5—Results Showing Mapping of ISO/IEC 27001:2013 Data to COBIT Processes

Columns: COBIT 4.1 Domains and Processes | Risk Rank | IT Governance Focus Areas | ISO 27001:2013 Status (%) | Status rounded
The IT governance focus areas are Strategic Alignment, Value Delivery, Resource Mgt, Risk Mgt and Performance Management (P = primary, S = secondary). Empty focus-area cells did not survive extraction, so only the order of the P/S markers is preserved, not which focus area each marker belongs to.

1 Plan and Organise
PO1 Define a Strategic IT Plan | H | P S S | 88.33 | 88%
PO2 Define the Information Architecture | L | P S P S | 80.69 | 81%
PO3 Determine Technological Direction | M | S S P S | 84.33 | 84%
PO4 Define the IT Processes, Organisation and Relationships | L | S P P | 85.25 | 85%
PO5 Manage the IT Investment | M | S P S S | 86.33 | 86%
PO6 Communicate Management Aims and Direction | M | P P | 84.40 | 84%
PO7 Manage IT Human Resources | L | P P S S | 89.20 | 89%
PO8 Manage Quality | M | P S S | 81.67 | 82%
PO9 Assess and Manage IT Risks | H | P P | 83.03 | 83%
PO10 Manage Projects | H | P S S S S | 90.00 | 90%
Plan and Organise domain result: 85%

2 Acquire and Implement
AI1 Identify Automated Solutions | M | P P S S | 83.82 | 84%
AI2 Acquire and Maintain Application Software | M | P P S | 82.22 | 82%
AI3 Acquire and Maintain Technology Infrastructure | L | P | 84.37 | 84%
AI4 Enable Operation and Use | L | S P S S | 83.61 | 84%
AI5 Procure IT Resources | M | S P | 80.83 | 81%
AI6 Manage Changes | H | P S | 86.50 | 87%
AI7 Install and Accredit Solutions and Changes | M | S P S S S | 85.00 | 85%
Acquire and Implement domain result: 84%

3 Deliver and Support
DS1 Define and Manage Service Levels | M | P P P P | 82.92 | 83%
DS2 Manage Third-party Services | L | P S P S | 81.95 | 82%
DS3 Manage Performance and Capacity | L | S S P S S | 80.00 | 80%
DS4 Ensure Continuous Service | M | S P S P S | 84.00 | 84%
DS5 Ensure Systems Security | H | P | 84.48 | 84%
DS6 Identify and Allocate Costs | L | S P S | 90.00 | 90%
DS7 Educate and Train Users | M | S P S | 83.33 | 83%
DS8 Manage Service Desk and Incidents | M | S P S | 80.32 | 80%
DS9 Manage the Configuration | M | P S | 81.39 | 81%
DS10 Manage Problems | M | P S | 80.00 | 80%
DS11 Manage Data | H | P P P | 80.22 | 80%
DS12 Manage the Physical Environment | L | S P | 82.17 | 82%
DS13 Manage Operations | L | P | 82.25 | 82%
Deliver and Support domain result: 83%

4 Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance | H | P | 80.28 | 80%
ME2 Monitor and Evaluate Internal Control | M | P P | 84.10 | 84%
ME3 Ensure Regulatory Compliance | H | P P | 84.21 | 84%
ME4 Provide IT Governance | H | P P P P P | 86.99 | 87%
Monitor and Evaluate domain result: 84%

COBIT 4.1 Domains and Processes | Score | Future State | Percentage Compliance
Plan and Organise | 85% | 90% | 95%
Acquire and Implement | 84% | 90% | 93%
Deliver and Support | 83% | 90% | 92%
Monitor and Evaluate | 84% | 90% | 93%
All domains | 84% | 90% | 93%

Source (table): ISACA, Mapping COBIT 4.1 to ISO/IEC 27001, USA, 2005
Source (numeric values): Christopher Oparaugo. Reprinted with permission.

The results in figure 6 are a comparison of COBIT 4.1 domain results from the previous mapping of ISO/IEC 27001:2005 to ISO/IEC 27001:2013 data that was then mapped to COBIT 4.1.


The new target exercise (having different data input values for comparison) represents values directly from the mapping of ISO/IEC 27001:2013 to COBIT 4.1.

The previous results were Plan and Organize (55%), Acquire and Implement (64%), Deliver and Support (55%), and Monitor and Evaluate (64%). There is a remarkable increase in the values generated through this realignment from ISO 27001:2005 to ISO 27001:2013.

Figure 6—Comparing Sample Results Showing Mapping of ISO/IEC 27001:2005 From the Previous Article’s Exercise and New ISO/IEC 27001:2013 Data to COBIT 4.1 Control Objectives

• Using the scores from previous exercises of ISO 27001:2005 now mapped to ISO 27001:2013, producing the mapped results for COBIT 4.1 domains, showing compliance to future state.
• New target exercise scores for ISO 27001:2013 are mapped to COBIT 4.1 domains and processes, showing compliance to future state.

Source: Christopher Oparaugo. Reprinted with permission.
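As an added illustration (this editor's code, not the author's spreadsheet), the roll-up that turns the figure 2 control-area scores into the figure 1 domain scores, the "low value" flagging the article drills into with the 5 Whys, and the percentage-compliance ratio of figure 6. The per-area percentages are copied from figure 2 for four domains only, the 90% future state is figure 6's target, and the 80% flag threshold is an assumption of this example.

```python
"""Roll-up of ISO/IEC 27001:2013 control-area scores (figures 1 and 2)
and the future-state compliance ratio used in figure 6 of the article.

Editor's illustration, not the author's spreadsheet. The numbers are
copied from figure 2; the threshold of 80% is this example's assumption.
"""
from statistics import mean

# Constructed from figure 2: domain -> {control area: status %}.
# Four domains are reproduced; the remaining domains follow the same shape.
ISO_27001_AREAS = {
    "A.6 Organization of Information Security": {
        "Internal Organization": 87.72,
        "Mobile devices and teleworking": 85.14,
    },
    "A.7 Human resource security": {
        "Prior to employment": 86.25,
        "During employment": 90.00,
        "Termination and change of employment": 88.33,
    },
    "A.12 Operations Security": {
        "Operational procedures and responsibilities": 85.21,
        "Protection from malware": 82.50,
        "Backup": 76.67,
        "Logging and monitoring": 81.87,
        "Control of operational software": 80.00,
        "Technical Vulnerability Management": 89.59,
        "Information Systems Audit considerations": 83.34,
    },
    "A.17 Information Security aspects of Business Continuity Management": {
        "Information Security Continuity": 81.39,
        "Redundancies": 80.00,
    },
}

FUTURE_STATE = 90.0  # the "Future State" target column of figure 6


def domain_status(areas):
    """Figure 1 from figure 2: a domain's status is the plain mean of its
    control-area scores, rounded to two decimals like the article's tables."""
    return {domain: round(mean(scores.values()), 2)
            for domain, scores in areas.items()}


def weakest_areas(areas, threshold=80.0, limit=3):
    """The 'low values' the article treats as potential breach areas:
    control areas at or below the threshold, weakest first.
    Returns (domain, area, score) tuples; ties sort by domain code."""
    flat = [(score, domain, area)
            for domain, scores in areas.items()
            for area, score in scores.items()]
    return [(domain, area, score)
            for score, domain, area in sorted(flat)
            if score <= threshold][:limit]


def compliance_to_future_state(score, target=FUTURE_STATE):
    """Figure 6's 'Percentage Compliance': the domain score as a whole-percent
    share of the future-state target (e.g. 84 / 90 -> 93)."""
    return round(100 * score / target)


def gap_report(areas, target=FUTURE_STATE):
    """Per-domain view a governance review would want: status, compliance
    against the target, and how far each domain still has to go."""
    return {domain: {"status": status,
                     "compliance": compliance_to_future_state(status, target),
                     "gap_to_target": round(target - status, 2)}
            for domain, status in domain_status(areas).items()}


if __name__ == "__main__":
    for domain, row in gap_report(ISO_27001_AREAS).items():
        print(f"{domain}: {row}")
    print("weakest areas:", weakest_areas(ISO_27001_AREAS))
```

Running it reproduces the figure 1 values for the four domains (for example A.12 Operations Security at 82.74) and surfaces Backup and Redundancies as the weakest control areas, matching the article's own examples.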

Having done this comparison, the focus is now to determine a relationship and understanding of how these scores and values map to COBIT 5.

The COBIT 5 process reference model divides the governance and management processes of enterprise IT into 2 main process domains:

• Governance—Contains 1 domain, Evaluate, Direct and Monitor (EDM), consisting of 5 governance processes in COBIT 5.
• Management—The management principles of COBIT 5, having evolved from the Plan, Do, Check and Act (PDCA) maxim, follow the functional responsibility areas of plan, build, run and monitor (PBRM), creating a new, elaborate set of 4 domains, and provide end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure as shown below:
  o Align, Plan and Organize (APO) consisting of 13 processes
  o Build, Acquire and Implement (BAI) consisting of 10 processes
  o Deliver, Service and Support (DSS) consisting of 6 processes
  o Monitor, Evaluate and Assess (MEA) consisting of 3 processes

Useful COBIT 5 Governance and Management Interactions

“Principles, policies and frameworks—The vehicle by which governance decisions are institutionalized within the enterprise. For that reason, they are an interaction between governance decisions (direction setting) and management (execution of decisions).

Services, infrastructure and applications—Services are required and are supported by applications and infrastructure to provide the governance body with adequate information and to support the governance activities of evaluating, setting direction and monitoring.

Processes—In the illustrative COBIT 5 process model (COBIT® 5: Enabling Processes), a distinction is made between governance and management processes, including specific sets of practices and activities for each. The process model also includes RACI charts, describing the responsibilities of different organizational structures and roles within the enterprise.

Enablers—Factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.”[20]

To achieve success in enterprise governance and management, the COBIT 5 enablers must be interconnected and interrelated to deliver on the enterprise and IT goals. This will help the organization develop a 360-degree vision of cyber security.

These resultant data from the exercise are further employed as COBIT information criteria for primary and secondary grouping. The resultant values of the ISO/IEC 27001:2013 mapping into COBIT 5 processes are linked with the defined IT BSC dimension information and related technology goals. Exercise results showing the values from the data mapping outputs are shown in figure 7.

Figure 7—Results Showing Mapping Data Values of COBIT 4.1 Control Objectives (Using Input Data From ISO/IEC 27001:2013) to COBIT 5 Governance and Management Practices

Columns 01 to 17 are the IT BSC dimension information and related technology goals (the 17 generic IT-related goals of COBIT 5), grouped by BSC dimension:

Financial
01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realised benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk
Customer
07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions
Internal
09 IT agility
10 Security of information, processing infrastructure and applications
11 Optimisation of IT assets, resources and capabilities
12 Enablement and support of business processes by integrating applications and technology into business processes
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14 Availability of reliable and useful information for decision making
15 IT compliance with internal policies
Learning and Growth
16 Competent and motivated business and IT personnel
17 Knowledge, expertise and initiatives for business innovation

Rows: COBIT 5 Domains and Processes | goal markers (P = primary, S = secondary) | COBIT 4.1 Mapping Status (%) | Status rounded
Empty goal cells did not survive extraction, so only the order of each process’s P/S markers is preserved, not the goal column each marker sits in.

1 Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance | P S P S S S P S S S S S S S S S | 85.66 | 86%
EDM02 Ensure Benefits Delivery | P S P P P S S S S S S S P | 87.66 | 88%
EDM03 Ensure Risk Optimisation | S S S P P S S P S S P S S | 84.81 | 85%
EDM04 Ensure Resource Optimisation | S S S S S S S P P S P S | 86.99 | 87%
EDM05 Ensure Stakeholder Transparency | S S P P P S S S S | - | 0%
Evaluate, Direct and Monitor domain result: 69%

2 Align, Plan and Organise
APO01 Manage the IT Management Framework | P P S S S P S P S S S P P P | 84.48 | 84%
APO02 Manage Strategy | P S S S P S S S S S S S S P | 86.33 | 86%
APO03 Manage Enterprise Architecture | P S S S S S S P S P S S S | 82.51 | 83%
APO04 Manage Innovation | S S P P P P S S P | 84.33 | 84%
APO05 Manage Portfolio | P S S P S S S S S P S | 87.33 | 87%
APO06 Manage Budget and Costs | S S S P P S S S S | 88.17 | 88%
APO07 Manage Human Resources | P S S S S S S P P S P P | 85.93 | 86%
APO08 Manage Relationships | P S S S S P S S P S S S P | - | 0%
APO09 Manage Service Agreements | S S S S P S S S S S P S | 82.92 | 83%
APO10 Manage Suppliers | S P S S P S P S S S S S S | 81.39 | 81%
APO11 Manage Quality | S S S P P S S S P S S S S | 83.46 | 83%
APO12 Manage Risk | P P P S S S P P S S S S | 83.03 | 83%
APO13 Manage Security | P P P S S P P | 84.48 | 84%
Align, Plan and Organise domain result: 78%

3 Build, Acquire and Implement
BAI01 Manage Programmes and Projects | P S P P S S S S P S S | 90.00 | 90%
BAI02 Manage Requirements Definition | P S S S S P S S S S P S S S | 83.82 | 84%
BAI03 Manage Solutions Identification and Build | S S S P S S S S S S | 82.48 | 82%
BAI04 Manage Availability and Capacity | S S P S S P S P S | 80.00 | 80%
BAI05 Manage Organisational Change Enablement | S S S S P S S S P P | 84.31 | 84%
BAI06 Manage Changes | S P S P S S P S S S S S S | 86.50 | 87%
BAI07 Manage Change Acceptance and Transitioning | S S S P S P S S S S | 85.00 | 85%
BAI08 Manage Knowledge | S S S S P S S S S P | 83.61 | 84%
BAI09 Manage Assets | S S P S S S P S S | 82.25 | 82%
BAI10 Manage Configuration | P S S S S S P P S | 81.39 | 81%
Build, Acquire and Implement domain result: 84%

4 Deliver, Service and Support
DSS01 Manage Operations | S P S P S S S P S S S S | 81.62 | 82%
DSS02 Manage Service Requests and Incidents | P P S S S S S | 82.64 | 83%
DSS03 Manage Problems | S P S P S S P S P S S | 80.00 | 80%
DSS04 Manage Continuity | S S P S P S S S S S P S S S | 82.11 | 82%
DSS05 Manage Security Services | S P P S S P S S S S | 82.28 | 82%
DSS06 Manage Business Process Controls | S P P S S S S S S S S | 80.22 | 80%
Deliver, Service and Support domain result: 81%

5 Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance | S S S P S S P S S S P S S P S S | 80.28 | 80%
MEA02 Monitor, Evaluate and Assess the System of Internal Control | P P S S S S S P S | 85.54 | 86%
MEA03 Monitor, Evaluate and Assess Compliance With External Requirements | P P S S S S S | 84.21 | 84%
Monitor, Evaluate and Assess domain result: 83%

Status per IT-related goal (columns 01 to 17): 77 84 43 83 87 73 74 85 84 84 83 56 86 82 84 86 75

Source (table): ISACA, COBIT® 5, USA, 2012
Source (numerical data values): Christopher Oparaugo. Reprinted with permission.

The mapped data values of COBIT 4.1 control objectives (using input data from ISO/IEC 27001:2013) to COBIT 5 governance and management practices show how an IT-related goal is supported by a COBIT 5 IT-related process. This mapping is expressed using the following scale:

• “P” stands for primary, indicating there is an important relationship, i.e., the COBIT 5 process is a primary support for the achievement of an IT-related goal.

• “S” stands for secondary, indicating there is still a strong, but less important, relationship, i.e., the COBIT 5 process is a secondary support for the IT-related goal.21

The compared results in figure 8 show that Evaluate, Direct and Monitor (EDM), the governance area for enterprise IT, scored lowest in all cases, because the bulk of the COBIT 4.1 alignment falls in the other 4 domains of COBIT 5 governance and management practices (i.e., the core enterprise IT management area).

Figure 8—Comparing Sample Results of ISO/IEC 27001:2005, ISO/IEC 27001:2013, COBIT 4.1 and COBIT 5 Mappings

Legend:

• In the columns, all 17 generic IT-related goals, grouped in IT BSC dimensions

• In the rows, all 37 COBIT 5 processes, grouped by domain

Source: Christopher Oparaugo. Reprinted with permission.

These results confirm that the bedrock of GEIT under COBIT 5 is in the BAI domain, which has taken on many elements of the COBIT 4.1 domains of Plan and Organize (PO), Acquire and Implement (AI) and Deliver and Support (DS).

Using the Balanced Scorecard as a Strategic Management System

“The BSC revolutionized conventional thinking about performance metrics. When the concept was first introduced in 1992, companies were busy transforming themselves to compete in the world of information; their ability to exploit intangible assets was becoming more developed than their ability to manage physical assets. The authors of the BSC describe how it addresses a serious deficiency in traditional management systems: the inability to link a company’s long-term strategy with its short-term financial goals. The scorecard lets managers introduce 4 new processes (in the 3rd-generation edition) that help companies make that important link.”22

“The first process—translating the vision—helps managers build a consensus concerning a company’s strategy and express it in terms that can guide action at the local level. The second—communicating and linking—calls for communicating a strategy at all levels of the organization and linking it with unit and individual goals. The third—business planning—enables companies to integrate their business plans with their financial plans. The fourth—feedback and learning—gives companies the capacity for strategic learning, which consists of gathering feedback, testing the hypotheses on which a strategy is based and making necessary adjustments.”23

“In addition, while traditional measures report on what happened last period without indicating how managers can improve performance in the next, the scorecard functions as the cornerstone of a company’s current and future success.”24

“The information from the 4 perspectives provides balance between external measures such as operating income and internal measures such as new product development and innovation. This balanced set of measures both reveals the trade-offs that managers have already made among performance measures and encourages them to achieve their goals in the future without making trade-offs among key success factors.”25

The assumptions made for using the primary (P) values related to the COBIT 5 processes and IT-related goals are based on information from COBIT 5:

• The COBIT 5 process is a primary support for the achievement of an IT-related goal.

• It is primary when there is an important relationship between the COBIT 5 process and IT-related goals.

• Achieving IT-related goals requires the successful application and use of a number of enablers.26

• There is a relationship to the 3 main governance objectives—benefits realization, risk optimization and resource optimization.27

This understanding from the BSC perspective, with a focus on the primary values, shows the COBIT 5 governance and management practices that are a primary (P) support for the achievement of an IT-related goal. Applying these criteria and assumptions to IT-related goal 01, Alignment of IT and business strategy, which has 10 P values, gives an average cumulative score of 77%. For each of the 17 generic IT-related goals, the COBIT 5 score entries of the processes marked P are added and averaged to give a cumulative average score for that IT-related goal, as represented in figure 9. (See the scores related to the 10 P values for IT-related goal 01, Alignment of IT and business strategy, in figure 7, in the column COBIT 4.1 Mapping of the COBIT 5 processes table. The average of these scores [85.66 + 87.66 + … + 90.00 + 83.82] is 77.37, approximated to 77%.)

Figure 9—Results Showing Mapping COBIT 5 Data Values From IT-related Goals to Enterprise Goals

Columns 1 to 17 are the COBIT 5 enterprise goals, grouped by BSC dimension. Financial: 1 Stakeholder value of business investments; 2 Portfolio of competitive products and services; 3 Managed business risk (safeguarding of assets); 4 Compliance with external laws and regulations; 5 Financial transparency. Customer: 6 Customer-oriented service culture; 7 Business service continuity and availability; 8 Agile responses to a changing business environment; 9 Information-based strategic decision making. Internal: 10 Optimisation of service delivery costs; 11 Optimisation of business process functionality; 12 Optimisation of business process costs; 13 Managed business change programmes; 14 Operational and staff productivity; 15 Compliance with internal policies. Learning and Growth: 16 Skilled and motivated people; 17 Product and business innovation culture.

Rows are the 17 IT-related goals, grouped by IT BSC dimension. The P/S markers of each row are given in the order they appear in the row (their column positions are not preserved here). The two right-hand columns are “COBIT 5 - IT Goals Scores” (average COBIT 5 related-process scores with primary support to the IT-related goal) and “Status (%)”.

No. | IT-related goal | P/S markers | COBIT 5 - IT Goals Score | Status (%)

Financial
1 | Alignment of IT and business strategy | P P S P S P P S P S P S S | 77.37 | 77%
2 | IT compliance and support for business compliance with external laws and regulations | S P P | 83.63 | 84%
3 | Commitment of executive management for making IT-related decisions | P S S S S S P S S | 42.83 | 43%
4 | Managed IT-related business risk | P S P S P S S S | 83.27 | 83%
5 | Realised benefits from IT-enabled investments and services portfolio | P P S S S S P S S | 86.82 | 87%
6 | Transparency of IT costs, benefits and risk | S S P S P P | 72.91 | 73%
Financial perspective: 74%

Customer
7 | Delivery of IT services in line with business requirements | P P S S P S P S P S S S S | 73.73 | 74%
8 | Adequate use of applications, information and technology solutions | S S S S S S S P S P S S | 85.04 | 85%
Customer perspective: 79%

Internal
9 | IT Agility | S P S S P P S S S P | 83.89 | 84%
10 | Security of information, processing infrastructure and applications | P P P P | 84.22 | 84%
11 | Optimisation of IT assets, resources and capabilities | P S S P S P S S S | 82.71 | 83%
12 | Enablement and support of business processes by integrating applications and technology into business processes | S P S S S S P S S S S | 56.27 | 56%
13 | Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards | P S S S S S P | 85.68 | 86%
14 | Availability of reliable and useful information for decision making | S S S S P P S | 82.09 | 82%
15 | IT compliance with internal policies | S S P | 83.78 | 84%
Internal perspective: 80%

Learning and Growth
16 | Competent and motivated business and IT personnel | S S P S S P P S | 85.80 | 86%
17 | Knowledge, expertise and initiatives for business innovation | S P S P S S S S P | 74.58 | 75%

Enterprise Goals by BSC (columns 1 to 17): 74.86 75.44 84.43 83.93 72.91 75.55 83.19 77.39 79.73 79.63 75.26 80.82 68.63 85.42 83.88 85.80 79.23; overall 80%

Enterprise Goals Status (%) (columns 1 to 17): 75% 75% 84% 84% 73% 76% 83% 77% 80% 80% 75% 81% 69% 85% 84% 86% 79%

Enterprise goals by BSC dimension: Financial 78%, Customer 79%, Internal 79%, Learning and Growth 83%

Source (table): ISACA, COBIT® 5, USA, 2012

Source (numeric data values): Christopher Oparaugo. Reprinted with permission.

Having completed these exercises and reviewed the outcomes, it is important to distil the values by making assumptions in using the legend’s primary values of the BSC, related to the mapping of enterprise goals to COBIT 5 IT-related goals, based on the information from the ISACA COBIT 5 framework, as follows:

• The IT-related goal is a primary support for the enterprise goal.

• It is primary when there is an important relationship between enterprise and IT-related goals.

• Achieving IT-related goals and enterprise goals requires the successful application and use of a number of enablers.

• There is a relationship to the 3 main governance objectives—benefits realization, risk optimization and resource optimization.28

With this understanding from a BSC perspective, the focus is on the “P” values, which show that the COBIT 5 governance and management practices are a primary support for the achievement of an IT-related goal. Applying these criteria and assumptions, IT-related goal 01—Alignment of IT and business strategy—which has 10 P values, gives an average score of 77% (from the figure 7 data). Enterprise goal 1, Stakeholder value of business investments, which has 6 P values, gives an average score of 75%. This is achieved by calculating the cumulative average of the IT-related goals (column COBIT 5 - IT Goals Score) aligned/mapped to the enterprise goal with P values/fields. The P values and the related enterprise goal score entries for each of the 17 generic IT-related goals are added to get a cumulative average score for the particular enterprise-related/mapped goal.
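The two-stage roll-up described above (process scores averaged into IT-related goal scores through the P entries, and IT-related goal scores averaged into enterprise goal scores the same way, then grouped into BSC perspectives) as a worked example. This is added code, not the author's or ISACA's; it uses the IT-related goal scores and the "Enterprise Goals by BSC" row exactly as printed in figure 9. The grouping of rows into IT BSC perspectives (goals 1 to 6, 7 to 8, 9 to 15, 16 to 17) and of enterprise goals into BSC dimensions (1 to 5, 6 to 9, 10 to 15, 16 to 17) follows COBIT 5 and reproduces the figure 10 percentages. The set of IT-related goals giving P support to enterprise goal 1 (01, 03, 05, 07, 11, 13) is taken from the COBIT 5 enterprise-goal to IT-related-goal mapping rather than read off the figure, and it reproduces the 74.86 in figure 9; the 60% review threshold is a constructed value.

```python
"""Roll up figure 9 scores into BSC perspectives and cascade them to an
enterprise goal through COBIT 5 primary (P) support. Added example; the
score tables below are copied from figure 9 of the article."""
from statistics import mean

# IT-related goal average scores (goal number -> score), figure 9.
IT_GOAL_SCORES = {
    1: 77.37, 2: 83.63, 3: 42.83, 4: 83.27, 5: 86.82, 6: 72.91,
    7: 73.73, 8: 85.04, 9: 83.89, 10: 84.22, 11: 82.71, 12: 56.27,
    13: 85.68, 14: 82.09, 15: 83.78, 16: 85.80, 17: 74.58,
}

# IT BSC perspectives as the rows of figure 9 are grouped (COBIT 5 order).
IT_BSC_PERSPECTIVES = {
    "Financial": range(1, 7),
    "Customer": range(7, 9),
    "Internal": range(9, 16),
    "Learning and Growth": range(16, 18),
}

# "Enterprise Goals by BSC" row of figure 9 (enterprise goal number -> score).
ENTERPRISE_GOAL_SCORES = {
    1: 74.86, 2: 75.44, 3: 84.43, 4: 83.93, 5: 72.91,
    6: 75.55, 7: 83.19, 8: 77.39, 9: 79.73,
    10: 79.63, 11: 75.26, 12: 80.82, 13: 68.63, 14: 85.42, 15: 83.88,
    16: 85.80, 17: 79.23,
}

# Enterprise BSC dimensions as the columns of figure 9 are grouped (COBIT 5 order).
ENTERPRISE_BSC_PERSPECTIVES = {
    "Financial": range(1, 6),
    "Customer": range(6, 10),
    "Internal": range(10, 16),
    "Learning and Growth": range(16, 18),
}

# Assumption: IT-related goals marked P for enterprise goal 1, "Stakeholder
# value of business investments", per the COBIT 5 goals cascade (six entries,
# matching the article's count of 6 P values).
PRIMARY_SUPPORT_EG01 = (1, 3, 5, 7, 11, 13)


def primary_support_score(scores, primary_goals):
    """Cumulative average of the scores of the goals marked P, the article's
    method for both the process->IT-goal and IT-goal->enterprise-goal stages."""
    return round(mean(scores[g] for g in primary_goals), 2)


def perspective_rollup(scores, perspectives):
    """Average each BSC perspective, then take the overall figure as the mean of
    the four perspective averages; rounded to whole percent as in figure 10."""
    per_perspective = {
        name: mean(scores[g] for g in goals) for name, goals in perspectives.items()
    }
    overall = mean(per_perspective.values())
    result = {name: round(value) for name, value in per_perspective.items()}
    result["Overall"] = round(overall)
    return result


def flag_deviations(scores, threshold=60.0):
    """Goals scoring below a review threshold (constructed value): the skewed
    results the article says should trigger a 5 Whys review of the ISO 27001
    control questions behind them."""
    return sorted(g for g, s in scores.items() if s < threshold)


if __name__ == "__main__":
    print("Enterprise goal 1 score:", primary_support_score(IT_GOAL_SCORES, PRIMARY_SUPPORT_EG01))
    print("IT goals BSC:", perspective_rollup(IT_GOAL_SCORES, IT_BSC_PERSPECTIVES))
    print("Enterprise goals BSC:", perspective_rollup(ENTERPRISE_GOAL_SCORES, ENTERPRISE_BSC_PERSPECTIVES))
    print("IT goals below review threshold:", flag_deviations(IT_GOAL_SCORES))
```

Running it gives the enterprise goal 1 score of 74.86 (75%), the IT goals BSC of 74/79/80/80 with 78% overall and the enterprise goals BSC of 78/79/79/83 with 80% overall, and flags IT-related goals 03 and 12 (43% and 56%) as the outliers to review.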

The BSC can serve as the fulcrum, defining and communicating priorities to managers, employees, investors and even customers. The scorecard is a strategic measurement system, not a measure of strategy that is reviewed every month or modified for weekly meetings. The 6 IT scorecard implementation cycles can be reviewed in line with the outcome of the exercises and effected.

The aim or objectives of the BSC should be:

• Improvement/alignment of processes and removal of enterprise operation bottlenecks

• Increased financial usage/return on investment/capital employed

• Greater customer satisfaction and loyalty

• Motivated/educated employees

• Enhanced information systems/employees understanding the business

• Successful realization of the strategic plan/vision

• Monitored activities and progress visibility

Instituting controls enables the enterprise to build effective governance and management results that optimize information and technology investment and use for the benefit of stakeholders, through an on-the-ground assessment based on controls using a BSC approach. These results also show IT governance pain points to be addressed. In addition to these activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures.29

Legend (figure 9):

The purpose of the mapped table in figure 9 is to demonstrate how enterprise goals are supported by or translate into IT-related goals, showing the values for compliance purposes. For that reason, the table contains the following information:

• In the columns, all 17 generic enterprise goals defined in COBIT 5, grouped by BSC dimension

• In the rows, all 17 IT-related goals, grouped in IT BSC dimensions

• A mapping of how each enterprise goal is supported by IT-related goals. This mapping is expressed using the following scale: “P” stands for primary, indicating there is an important relationship, i.e., the IT-related goal is a primary support for the enterprise goal. “S” stands for secondary, indicating there is still a strong, but less important, relationship, i.e., the IT-related goal is a secondary support for the enterprise goal.

The final outcome of these exercises is shown in figure 10. If there were great deviations or skewed results, further reviews and the 5 Whys would be employed to determine which elements from the ISO 27001 control questions impacted these outcomes negatively and caused the deviations. Keep in mind that for a BSC to be established, all the criteria (the aim/objectives) should be met based on these 4 perspectives:

• Financial

• Customer

• Internal

• Learning and growth

This article highlights the importance of proper mapping to processes and domains for both ISO and COBIT to achieve these results.

Figure 10—Results Showing Mapped COBIT 5 Data Values to Achieve IT-related Goals, BSC and Enterprise Goals BSC

IT Goals BSC Mapping to COBIT 5 | Score
Financial Perspective | 74%
Customer Perspective | 79%
Internal Perspective | 80%
Learning and Growth Perspective | 80%
Overall | 78%

Enterprise Goals BSC Mapping to COBIT 5 and IT Goals | Score
Financial Perspective | 78%
Customer Perspective | 79%
Internal Perspective | 79%
Learning and Growth Perspective | 83%
Overall | 80%

Source: Christopher Oparaugo. Reprinted with permission.

Conclusion

IT governance is not an isolated discipline. It is an integral part of overall enterprise governance that drives the business in these days of IoT. This helps successful business enterprises understand IT risk and exploit the benefits of IT, find ways to align IT strategy with the business strategy, incorporate IT strategy and goals into the fabric of enterprise businesses and insist that an IT control framework be adopted and implemented.30 This understanding and discipline cuts across government and public and private business entities for effective deployment, governance and management of enterprise IT.

Having gone through these exercises of mapping ISO/IEC 27001:2005 controls to ISO/IEC 27001:2013 controls and getting the results from COBIT 4.1 data mapped to COBIT 5, it can be deduced that when these controls are properly mapped, the end results show an evenly distributed BSC for APO, BAI, DSS and MEA (the core operation/enterprise IT management areas in COBIT 5), while EDM is more of a governance area and has a lower score in all outcomes.

Enterprises that understand the risk and exploit the benefits of IT and cascade IT strategy and goals down to the enterprise business will insist that an IT control framework be adopted and implemented, as IT governance is not an isolated discipline in an organization.

The need to integrate IT governance with overall business governance is similar to the need for IT to be an integral part of the business. Organizations recognize that risk exists due to the confluence of assets, threats and vulnerabilities and, accordingly, employing mitigating controls that reduce one or all of these factors will reduce the overall risk exposure of the organization.

Enterprise security is no longer a concern for only the IT department. Today’s IoT world means that data are a core business asset, valuable to companies and cybercriminals or Internet hackers alike.

Christopher Oparaugo, CISM, CGEIT, CRISC is the chief technology officer at KATEC Consulting Ltd. He has also worked in various positions in the telecommunication and banking industries in West Africa. Prior to joining KATEC Consulting Ltd, he was an information security consultant with IBM Global Business Services. Oparaugo has contributed to the ISACA® Certified Information Security Manager®, Certified in the Governance of Enterprise IT® and Certified in Risk and Information Systems Control™ examinations. He has also participated in ISACA certification projects and has been part of the ISACA Test Enhancement Committee since 2005, setting exam questions and reviewing exam manuals.

Endnotes

1 Oparaugo, C.; “ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance,” COBIT Focus, 14 December 2015, figure 10

2 Kaplan, R.; D. Norton; “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review, January-February 1996, p. 75-85

3 Van Grembergen, W.; “The Balanced Scorecard and IT Governance,” Information Systems Control Journal, vol. 2, 2000

4 Op cit, Oparaugo

5 Ibid.

6 International Organization for Standardization, ISO/IEC 27001—Information Security Management

7 Op cit, Oparaugo

8 Op cit, ISO/IEC 27001

9 IT Governance.com

10 Ibid.

11 Ibid.

12 Ibid.

13 ISACA, COBIT® 5, USA, 2012

14 Ibid.

15 Ibid.

16 Op cit, IT Governance.com

17 Op cit, COBIT 5

18 Gold, C.; “Total Quality Management in Information Services—IS Measures: A Balancing Act,” Ernst & Young Center for Information Technology and Strategy, research note, 1992

19 Op cit, COBIT 5

20 Ibid.

21 Ibid.

22 Lawrie, G.J.G.; I. Cobbold; J. Marshall; “Corporate Performance Management System in a Devolved UK Governmental Organisation: A Case Study,” International Journal of Productivity and Performance Management, vol. 53, no. 4, 2004, p. 353–370

23 Op cit, Kaplan and Norton

24 Ibid.

25 Ibid.

26 Op cit, COBIT 5

27 Vendang Software

28 Ibid.

29 Ibid.

30 Op cit, Oparaugo