COBIT® v5
Informační management VIKMA07
Mgr. Jan Matula, PhD.
177798@mail.muni.cz
COBIT
• COBIT je framework vytvořený mezinárodní asociací ISACA pro správu
a řízení informatiky (IT Governance).
• Jedná se o soubor praktik, které by měly umožnit dosažení
strategických cílů organizace díky efektivnímu využití dostupných
zdrojů a minimalizaci IT rizik.
• Prakticky je tedy určen především top manažerům k posuzování
fungování ICT a auditorovi pro provádění auditu systému řízení ICT. Na
rozdíl od ITIL, který je určen více manažerovi IT (CIO).
COBIT 5 - Struktura dokumentů
• Cobit 5 Framework; popisuje základní rámec (principy, předpoklady, vazby
na jiné rámce),
• Cobit 5 Enabler Guides; jde o dokumenty, které jsou obecným návodem na
vytváření předpokladů pro efektivní řízení IT; z těchto dokumentů byl k
srpnu 2012 uvolněn dokument Cobit 5 Enabling processes,
• Cobit 5 Processional Guides; jde o dokumenty určené pro jednotlivé
specialisty, jako například auditory, specialisty pro informační bezpečnost,
specialisty pro řízení rizik, apod.; z tento dokumentů byl k srpnu 2012
uvolněn dokument Cobit 5 Implementation,
• Colaborativní on-line dokumenty, jejichž prostřednictvím budou uživatelé
Cobit 5 sdílet svoje znalosti získané aplikací předešlých dokumentů.
COBIT 5 - Struktura dokumentů
COBIT 5 - Model
Procesy v COBIT
COBIT v5 popisuje 37 procesů vždy ve stejné struktuře popisu:
• identifikaci procesu, oblasti Governance/management, domény,
• popis procesu (Process Description),
• popis účelu procesu (Process Purpose Statement),
• tabulku obsahující IT cíle, na které má daný proces primární vazbu a metriky pro tyto cíle,
• tabulku obsahující cíle procesu a metriky k těmto cílům,
• tabulku ukazující vazby mezi klíčovými procesními praktikami a typickými rolemi na všech
úrovních řízení a typ odpovědnosti (RACI Chart),
• tabulku popisující vstupy a výstupy pro jednotlivé procesní praktiky a dále aktivity
spojené s jednotlivými procesními praktikami (Process Practices, Inputs/Outputs and
Activities),
• tabulku vazeb procesu na jiné standardy (Related Guidance).
COBIT Principy
Principle 1: Meeting Stakeholder Needs
• Enterprises exist to create value for their stakeholders. Consequently,
any enterprise—commercial or not—will have value creation as a
governance objective. Value creation means realising benefits at an
optimal resource cost while optimising risk. Benefits can take many
forms, e.g., financial for commercial enterprises or public service for
government entities.
Benefits of the COBIT 5 Goals Cascade
The goals cascade is important because it allows the definition of priorities
for implementation, improvement and assurance of governance of
enterprise IT based on (strategic) objectives of the enterprise and the related
risk.
In practice, the goals cascade:
• Defines relevant and tangible goals and objectives at various levels of
responsibility
• Filters the knowledge base of COBIT 5, based on enterprise goals, to extract
relevant guidance for inclusion in specific implementation, improvement or
assurance projects
• Clearly identifies and communicates how (sometimes very operational)
enablers are important to achieve enterprise goals
COBIT 5 Goals Cascade
• Every enterprise operates in a different context; this context is
determined by external factors (the market, the industry, geopolitics,
etc.) and internal factors (the culture, organisation, risk appetite,
etc.), and requires a customised Governance and management
system.
• Stakeholder needs have to be transformed into an enterprise’s
actionable strategy.
COBIT 5 Goals Cascade
• The COBIT 5 goals cascade is the mechanism to translate stakeholder
needs into specific, actionable and customised enterprise goals, ITrelated
goals and enabler goals. This translation allows setting specific
goals at every level and in every area of the enterprise in support of
the overall goals and stakeholder requirements, and thus effectively
supports alignment between enterprise needs and IT solutions and
services.
COBIT 5 Goals Cascade
Step 1. Stakeholder Drivers
Influence Stakeholder Needs
• Stakeholder needs are
influenced by a number of
drivers, e.g., strategy changes, a
changing business and
regulatory
• environment, and new
technologies.
COBIT 5 Goals Cascade
Step 2. Stakeholder Needs Cascade to
Enterprise Goals
• Stakeholder needs can be related to a set
of generic enterprise goals. These
enterprise goals have been developed
using the balanced scorecard (BSC)
dimensions, and they represent a list of
commonly used goals that an enterprise
may define for itself. Although this list is
not exhaustive, most enterprise-specific
goals can be mapped easily onto one or
more of the generic enterprise goals. A
table of stakeholder needs and enterprise
goals is presented in appendix D.
• COBIT 5 defines 17 generic goals.
COBIT 5 Goals Cascade
Step 3. Enterprise Goals Cascade to
IT-related Goals
Achievement of enterprise goals
requires a number of IT-related
outcomes,2 which are represented
by the IT-related goals.
IT-related stands for information and
related technology, and the ITrelated
goals are structured along
the dimensions of the
IT balanced scorecard (IT BSC). COBIT
5 defines 17 IT-related goals.
COBIT 5 Goals Cascade
Step 4. IT-related Goals Cascade to Enabler Goals
• Achieving IT-related goals requires the successful application and use
of a number of enablers. The enabler concept is
• explained in detail in chapter 5. Enablers include processes,
organisational structures and information, and for each enabler
• a set of specific relevant goals can be defined in support of the ITrelated
goals.
Principle 2: Covering the Enterprise End-to-
end
• Integrates governance of enterprise IT into enterprise governance.
That is, the governance system for enterprise IT proposed by COBIT 5
integrates seamlessly in any governance system. COBIT 5 aligns with
the latest views on governance.
• Covers all functions and processes required to govern and manage
enterprise information and related technologies wherever that
information may be processed. Given this extended enterprise scope,
COBIT 5 addresses all the relevant internal and external IT services, as
well as internal and external business processes.
Principle 2: Covering the Enterprise End-to-
end
Governance Enablers
• Governance enablers are the organisational resources for governance,
such as frameworks, principles, structures, processes and practices,
through or towards which action is directed and objectives can be
attained. Enablers also include the enterprise’s resources—e.g.,
service capabilities (IT infrastructure, applications, etc.), people and
information.
• A lack of resources or enablers may affect the ability of the enterprise
to create value.
Governance Scope
• Governance can be applied to the entire enterprise, an entity, a
tangible or intangible asset, etc. That is, it is possible to define
different views of the enterprise to which governance is applied, and
it is essential to define this scope of the governance system well.
• The scope of COBIT 5 is the enterprise—but in essence COBIT 5 can
deal with any of the different views.
Roles, Activities and Relationships
• A last element is governance roles, activities and relationships. It
defines who is involved in governance, how they are involved, what
they do and how they interact, within the scope of any governance
system.
• In COBIT 5, clear differentiation is made between governance and
management activities in the governance and management domains,
as well as the interfacing between them and the role players that are
involved.
Principle 3: Applying a Single Integrated
Framework
• It aligns with other latest relevant standards and frameworks, and
thus allows the enterprise to use COBIT 5 as the overarching
governance and management framework integrator.
• It is complete in enterprise coverage, providing a basis to integrate
effectively other frameworks, standards and practices used. A single
overarching framework serves as a consistent and integrated source
of guidance in a nontechnical, technology-agnostic common
language.
• It provides a simple architecture for structuring guidance materials
and producing a consistent product set.
Principle 4: Enabling a Holistic Approach
COBIT 5 Enablers
Enablers are factors that, individually and collectively, influence
whether something will work—in this case, Governance and
management over enterprise IT. Enablers are driven by the goals
cascade, i.e., higher-level IT-related goals define what the different
enablers should achieve.
7 Enablers (předpoklady pro dosažení cílů)
1. Principy, politiky a rámce;
2. Procesy;
3. Organizační struktury;
4. Kultura, etika a chování;
5. Informace;
6. Služby, infrastruktura a aplikace;
7. Lidé, dovednosti a kompetence.
COBIT 5 Enablers
• Principles, policies and frameworks are the vehicle to translate the
desired behaviour into practical guidance for day-to-day
management.
• Processes describe an organised set of practices and activities to
achieve certain objectives and produce a set of outputs in support of
achieving overall IT-related goals.
• Organisational structures are the key decision-making entities in an
enterprise.
• Culture, ethics and behaviour of individuals and of the enterprise are
very often underestimated as a success factor in governance and
management activities.
COBIT 5 Enablers
• Information is pervasive throughout any organisation and includes all
information produced and used by the enterprise. Information is
required for keeping the organisation running and well governed, but
at the operational level, information is very often the key product of
the enterprise itself.
• Services, infrastructure and applications include the infrastructure,
technology and applications that provide the enterprise with
information technology processing and services.
• People, skills and competencies are linked to people and are required
for successful completion of all activities and for making correct
decisions and taking corrective actions.
COBIT 5 Enablers
COBIT 5 Enabler Dimensions
Principle 5: Separating Governance From
Management
• The COBIT 5 framework makes a clear distinction between governance and
management. These two disciplines encompass different types of activities,
require different organisational structures and serve different purposes.
• Governance ensures that stakeholder needs, conditions and options are
evaluated to determine balanced, agreed-on enterprise objectives to be
achieved; setting direction through prioritisation and decision making; and
monitoring performance and compliance against agreed-on direction and
objectives.
• Management plans, builds, runs and monitors activities in alignment with
the direction set by the Governance body to achieve the enterprise
objectives.
Separating Governance From Management
Separating Governance From Management
• Governance—Contains five governance processes; within each
process, evaluate, direct and monitor (EDM) practices are defined.
• Management—Contains four domains, in line with the responsibility
areas of plan, build, run and monitor (PBRM), and provides end-toend
coverage of IT.
– Align, Plan and Organise (APO)
– Build, Acquire and Implement (BAI)
– Deliver, Service and Support (DSS)
– Monitor, Evaluate and Assess (MEA)