Compare With 4.1

8/2/2019 Compare With 4.1

1/32

Comparing

COBIT 4.1 and COBIT 5


2/32

Transition Message

COBIT 4.1, Val IT and Risk IT users who arealready engaged in governance of enterprise IT(GEIT) implementation activities can transition toCOBIT 5 and benefit from the latest and

improved guidance that it provides during thenext iterations of their enterprisesimprovement life cycle.

COBIT 5 builds on previous versions of COBIT

(and Val IT and Risk IT) and so enterprises canalso build on what they have developed usingearlier versions.

2012 ISACA. All rights reserved.


3/32

Stakeholder Value and

Business Objectives

Enterprises exist to create value for theirstakeholders. Consequently, any enterprisecommercial or notwill have value creation as agovernance objective.

Value creation means: Realising benefits at anoptimal resource cost while optimising risk.



4/32

Principle 1:Meeting Stakeholder Needs

Stakeholder needs have to betransformed into an

enterprises actionablestrategy.

The COBIT 5 goals cascadetranslates stakeholder needs

into specific, actionable andcustomised goals within thecontext of the enterprise,IT-related goals and enablergoals.



Business Objectives (cont.)


5/32

Stakeholder needs can be related to a set ofgeneric enterprise goals.

These enterprise goals have been developed

using the Balanced Scorecard (BSC) dimensions.(Kaplan, Robert S.; David P. Norton; The Balanced Scorecard: TranslatingStrategy into Action, Harvard University Press,USA,1996)

The enterprise goals are a list of commonly usedgoals that an enterprise has defined for itself.

Although this list is not exhaustive, mostenterprise-specific goals can be easily mappedonto one or more of the generic enterprise goals.



Business Objectives (cont.)


6/32

Stakeholder Value andBusiness Objectives (cont.)



7/32

The goals cascade is not new to COBIT. It was introduced in COBIT 4.0 in 2005.

Those COBIT users who have applied thethinking to their enterprises have found value.

BUT not everyone has recognized this value.

The goals cascade supports the COBIT 5stakeholder needs principle that is fundamental

to COBIT and has therefore been madeprominent early in the COBIT 5 guidance.

The goals cascade has been revisited andupdated for the COBIT 5 release.


Stakeholder Value andBusiness Objectives (cont.)


8/32 2012 ISACA. All rights reserved.

Governance and Management

Defined

What sort of framework is COBIT?An IT audit and control framework? COBIT (1996) and COBIT 2nd Edition (1998)

Focus on Control Objectives

An IT management framework? COBIT 3rd Edition (2000)

Management Guidelines added

An IT governance framework?

COBIT 4.0 (2005) and COBIT 4.1 (2007)

Governance and compliance processes added

Assurance processes removed

BUT what is the difference between governanceand management?



Governance and ManagementDefined (cont.)

Governance ensures that enterprise objectives areachieved by evaluating stakeholder needs, conditions

and options; setting direction through prioritisation anddecision making; and monitoring performance,compliance and progress against agreed-on directionand objectives (EDM).

Management plans, builds, runs and monitorsactivities in alignment with the direction set by thegovernance body to achieve the enterprise objectives(PBRM).



Governance and Management

Defined (cont.)

The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into twomain areasgovernance and managementwithmanagement further divided into domains of processes:

The GOVERNANCE domaincontains five governance

processes; within each process,

evaluate, direct and monitor

(EDM) practices are defined.

The four MANAGEMENT

domainsarein line with the

responsibility areas of plan,

build, run and monitor (PBRM)


11/32

Areas of Change

The following slides summarise the major changesin COBIT 5 content and how they may impactGEIT implementation/improvement:

1. New GEIT Principles

2. Increased Focus on Enablers3. New Process Reference Model

4. New and Modified Processes

5. Practices and Activities

6. Goals and Metrics

7. Inputs and Outputs

8. RACI Charts

9. Process Capability Maturity Models and Assessments 2010 ISACA. All rights reserved.


12/32

1. New GEIT Principles

COBIT 5 Principles



13/32

Val IT and Risk IT frameworks areprinciples-based.

Feedback indicated that principles are easy to

understand and put into an enterprise context,allowing value to be derived from the supportingguidance more effectively.

ISO/IEC 38500 also incorporates principles to

underpin its messages to achieve the samemarket benefit delivery, although the principlesin this standard and COBIT 5 are not the same.


1. New GEIT Principles (cont.)


14/32

2. Increased Focus on Enablers

COBIT 4.1 did not have enablers! Yes it didthey were not called enablers, but they werethere, explicitly or implicitly!



15/32

Information, infrastructure, applications(services) and people (people, skills andcompetencies) were COBIT 4.1 resources.

Principles, policies and frameworks werementioned in a few COBIT 4.1 processes.

Processes were central to COBIT 4.1 use.

Organisational structure was implied through the

responsible, accountable, consulted or informed(RACI) roles and their definitions.

Culture, ethics and behaviour were mentioned ina few COBIT 4.1 processes.


2. Increased Focus on Enablers (cont.)


16/32

COBIT 5 is based on a revised processreference model with a new governance domainand several new and modified processes thatnow cover enterprise activities end-to-endi.e.,

business and IT function areas. COBIT 5 consolidates COBIT 4.1, Val IT and

Risk IT into one framework, and has beenupdated to align with current best practices

e.g., ITIL, TOGAF. The new model can be used as a guide for

adjusting as necessary the enterprises ownprocess model (just like COBIT 4.1).


3. New Process Reference Model



3. New Process Reference Model (cont.)


18/32

COBIT 5 introduces five new governanceprocesses that have leveraged and improvedCOBIT 4.1, Val IT and Risk IT governanceapproaches.

This guidance:

Helps enterprises to further refine and strengthenexecutive management-level GEIT practices andactivities

Supports GEIT integration with existing enterprisegovernance practices and is aligned withISO/IEC 38500


4. New and Modified Processes


19/32

COBIT 5 has clarified management levelprocesses and integrated COBIT 4.1, Val IT andRisk IT content into one process reference model


4. New and Modified Processes (cont.)


20/32

There are several new and modified processesthat reflect current thinking, in particular: APO03 Manage enterprise architecture.

APO04 Manage innovation.

APO05 Manage portfolio.

APO06 Manage budget and costs.

APO08 Manage relationships.

APO13 Manage security.

BAI05 Manage organisational change enablement.

BAI08 Manage knowledge.

BAI09 Manage assets.

DSS05 Manage security service.

DSS06 Manage business process controls.




21/32

COBIT 5 processes now cover end-to-endbusiness and IT activitiesi.e., a fullenterprise-level view.

This provides for a more holistic and completecoverage of practices reflecting the pervasiveenterprisewide nature of IT use.

It makes the involvement, responsibilities and

accountabilities of business stakeholders in theuse of IT more explicit and transparent.




22/32

The COBIT 5 governance or managementpractices are equivalent to the COBIT 4.1 controlobjectives and Val IT and Risk IT processes.www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspx

The COBIT 5 activities are equivalent to theCOBIT 4.1 control practices and Val IT and RiskIT management practices.

COBIT 5 integrates and updates all oftheprevious content into the one new model,making it easier for users to understand and usethis material when implementing improvements.


5. Practices and Activities
http://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspxhttp://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspxhttp://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspxhttp://www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspx


23/32

COBIT 5 follows the same goal and metricconcepts as COBIT 4.1, Val IT and Risk IT, butthese are renamed enterprise goals, IT-relatedgoals and process goals reflecting an enterprise

level view. COBIT 5 provides a revised goals cascade based

on enterprise goals driving IT-related goals andthen supported by critical processes.

COBIT 5 provides examples of goals and metricsat the enterprise, process and managementpractice levels. This is a change to COBIT 4.1, ValIT and Risk IT, which went down one level lower.


6. Goals and Metrics


24/32

COBIT 5 provides inputs and outputs for everymanagement practice, whereas COBIT 4.1 onlyprovided these at the process level.

This provides additional detailed guidance fordesigning processes to include essential workproducts and to assist with interprocessintegration.


7. Inputs and Outputs


25/32

COBIT 5 provides RACI charts describing rolesand responsibilities in a similar way toCOBIT4.1, Val IT and Risk IT.

COBIT 5 provides a more complete, detailedand clearer range of generic business and ITrole players and charts than COBIT 4.1 for eachmanagement practice, enabling better definitionof role player responsibilities or level ofinvolvement when designing and implementingprocesses.


8. RACI Charts


26/32


8. RACI Charts (cont.)


27/32


9. Process Capability Maturity Modelsand Assessments

COBIT 5 discontinues the COBIT 4.1, Val IT andRisk IT CMM-based capability maturity modellingapproach.

COBIT 5 will be supported by a new processcapability assessment approach based on ISO/IEC15504, and theCOBIT Assessment Programmehas already been established for COBIT 4.1 as analternative to the CMM approach.www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx

The COBIT 4.1, Val IT and Risk IT CMM-basedapproaches are not considered compatible withthe ISO/IEC 15504 approach because the methodsuse different attributes and measurement scales.
http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspxhttp://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx


28/32


9. Process Capability Maturity Modelsand Assessments (cont.)

COBIT 4.1/5

9 P C bilit M t it M d l


29/32

The COBIT Assessment Programme approach

is considered by ISACA to be more robust,reliable and repeatable as a process capabilityassessment method.

The COBIT Assessment Programme supports:

Formal assessments by accredited assessors(assessor training is being developed)

Less rigorous self-assessments for internal gapanalysis and process improvement planning

The COBIT Assessment Programme, in thefuture, will also potentially enable an enterpriseto obtain an independent and certifiedassessments aligned to the ISO/IEC standard.




30/32

What materials support the COBIT Assessment

Programme approach? COBIT Process Assessment Model (PAM): Using COBIT 4.1

Serves as a base reference document for the performance of acapability assessment of an organisations current IT processesagainst COBIT

COBIT Assessor Guide: Using COBIT 4.1Provides details onhow to undertake a full ISO-compliant assessment

COBIT Self-assessment Guide: Using COBIT 4.1Providesguidance on how to perform a basic self-assessment of anorganisations current IT process capability levels against COBIT

processes

The above materials exist to supportCOBIT 4.1-based assessments now; versions willbe produced to support COBIT 5-based

assessments. 2012 ISACA. All rights reserved.



31/32

COBIT 4.1, Val IT and Risk IT users wishing tomove to the new COBIT AssessmentProgramme approach will need to realign theirprevious ratings, adopt and learn the new

method, and initiate a new set of assessments inorder to gain the benefits of the new approach.

Although some of the information gathered fromprevious assessments may be reusable, care

will be needed in migrating this informationforward because there are significant differencesin requirements.



C


32/32

COBIT 4.1, Val IT and Risk IT users wishing tocontinue with the CMM-based approach, eitheras an interim or ongoing approach, can use theCOBIT 5 guidance, but must use the COBIT 4.1generic attribute table without the high-levelmaturity models.


Compare With 4.1

Documents

Transcript of Compare With 4.1