What are the next steps for COBIT 5 guidance? What do users want? What do they need?
In August/September 2014, ISACA undertook a market survey under the direction of the Framework Committee (FC) to identify what guidance COBIT 5 users most need to help them obtain maximum value from their use of the COBIT 5 framework. Two areas were focused on—the need for more guidance related to the COBIT 5 enablers and specific topics where practical guidance related to COBIT 5 would be most helpful.
ISACA targeted a very broad base of IT professionals when gathering the raw data for this survey. The market survey was distributed globally to COBIT users working in diverse industries and in all types of IT-related professional roles.
- The survey was sent to 10,000 COBIT users; 226 respondents completed the entire survey.
- All respondents had downloaded a COBIT publication or completed a simplified registration process to access COBIT 5 materials in the last 12 months.
- Respondents were from Asia (17%), Europe (37%), Latin America (16%), North America (27%) and Oceania (3%).
- Respondents were primarily COBIT 5 users employed in IT strategy/governance (32%), audit (31%), risk and control (9%), security (12%), and compliance (6%) roles.
- 81% of respondents were members of ISACA.
- 69% of respondents had more than 13 years of professional experience.
- Responses were from many industry sectors—the top 2 being technology services/consulting (25%) and finance/banking (20%), followed closely by government, insurance and health care.
- 27% of respondents held a COBIT Foundation Certificate.
- 46% of respondents said they possessed intermediate-level experience with COBIT 5 and 30% considered themselves novices.
Enabler Guidance Results
As a reminder, guidance for the process and information COBIT 5 enablers (figure 1) has already been published in COBIT 5: Enabling Processes and COBIT 5: Enabling Information.
Figure 1—COBIT 5 Enterprise Enablers
Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission
Looking at the survey responses provided, the enabler guidance ranking results clearly put the Principles, Policies and Frameworks option in first place in terms of demand for further market guidance.
There was less differentiation among the other 4 enabler types, but the demand for all was around half of the indicated demand for additional Principles, Policies and Frameworks guidance. There were no significant differences in the responses when the results were analyzed by region or level of COBIT 5 experience.
As one respondent stated, “Because the Principles, Policies and Frameworks enabler constitutes the foundation, guidance here is the groundwork for building the other enablers.”
As a result of this feedback, the FC is planning to develop enabler guidance around Principles, Policies and Frameworks in 2015.
Practical Guidance Results
The survey suggested 7 topics for COBIT 5-related practical guidance development; these topics were based on feedback and queries received by ISACA and FC members. These topics were presented in random order to survey respondents, to avoid list-position bias in the results. The 7 topics were:
- Process management and management systems
- Implementing the 20 Critical Security Controls
- Change management
- Consolidation of controls/multiple source compliance management
- Software development, acquisition and maintenance
- Agile and development/operations (Dev/Ops) from a business-approach perspective
- HR/IT using COBIT organizational structures and people, skills and competencies models
Looking at the survey responses, the rankings of practical guidance needs are close: “process management and management systems” and “implementing the Critical Security Controls” tied for highest importance, with the remaining topics grouped closely around slightly lower scores. Regionally, North America was much more likely to rank implementing the Critical Security Controls as the highest priority than either Asia or Europe, both of which ranked process management as the highest need. Again, there were no significant differences in the responses when analyzed by level of COBIT 5 experience.
The FC also plans to develop practical guidance related to process management and management systems in 2015.
The Critical Security Controls is a SANS product. ISACA plans to map COBIT 5 practices to them as a part of a larger Cybersecurity Nexus (CSX) product development. This product will result in an online interactive tool that will display threats (explain the threat, provide context, etc.) and the security controls that are available to help protect information assets. The user will be able to learn more about the control and the controls will map into COBIT 5 for Information Security to set the larger business context.
The survey respondents also had the opportunity to suggest other topics for ISACA to consider as part of future development plans. Suggested topics include business continuity/disaster recovery, fraud, strategic planning, knowledge management and innovation. All suggestions have been noted by the FC and will be taken into account in future FC work planning to support COBIT users with relevant practical guidance.
Also, among the suggestions received were several for guidance already published by ISACA or third parties. Here are some of those topics and the supporting products:
The FC is also focused on developing a series of white papers to explain how other standards, frameworks and practices (such as ISO 27001/2, ITIL v3, TOGAF 9.1) relate to COBIT 5. This series is being planned at present, with an initial focus on enterprise architecture (and, therefore, TOGAF 9.1). The initial release will set a template for future papers in this series.
Sushil Chatterji, CGEIT, CEA, CMC, MBM, is director of Edutech Enterprises and has 12 years of experience in IT governance and enterprise architecture consulting and training. He is chair of ISACA’s Framework Committee, which oversees the planning and development for the COBIT framework. Chatterji is a trainer for the COBIT Foundation and the CGEIT certifications. He has previously been involved with the International Organization for Standardization (ISO) Work Group that has published global IT governance standards.