• Bookmark

Implementing an ISO-integrated Management System Using COBIT 5

By Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001 LA/LI, PRINCE2 (P)

COBIT Focus | 2 March 2015

The Central Bank of Nigeria issued a compliance document titled “Nigeria Financial Services IT Standards Blueprint” in May 2013.1 The blueprint, which includes time lines, is the main driver for the implementation of IT-related standards such as COBIT 5, ISO/IEC 27001:2013, ISO/IEC 20000:2011 and ISO/IEC 22301:2012 in banks and IT service provider organizations in Nigeria today. The blueprint was developed by Accenture for the regulatory body prior to the publication of COBIT 5. The revised edition, which is in the works, will reference COBIT 5 specifically.

The implementation of these good practices is expected to result in improved operational effectiveness, uptime and availability, service quality, enterprise control and management, risk management and assurance, regulatory reporting, and business continuity.

The compliance blueprint also provides information about the compliance priority (figure 1), time lines, scope and capability/maturity levels for each requirement. However, the compliance obligations extend beyond commercial banks to include their service providers, suppliers and vendors.

Figure 1—Compliance Domains

Source: IT Standards Adoption Roadmap, www.cbn.gov.ng/ITStandards/Roadmap.asp

This case study explains how an IT service provider (the client) to the central bank leveraged COBIT 5 principles and implementation guidance to implement ISO 27001 and ISO 20000 standards as an integrated management system.

Understanding the Structure of New ISO Management System Requirements

In April 2012, ISO updated its directives. The overall goal is to make it easier to create integrated management systems and to adapt management system standards to the nature and culture of organizations. Figure 2 includes the high-level structure for all new and revised management system standards.

Figure 2—High-level Structure for All New and Revised Management System Standards

Source: ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2014, appendix 2,

Afenoid® Enterprise Limited was contracted in 2013 by the service provider to the Central Bank of Nigeria, MicroAccess Limited (the client) to implement two of the top priority standards that apply—ISO 27001 and ISO 20000—as part of the client’s service strategy positioning. The major constraint Afenoid needed to address as implementation consultants was the complexity of implementing two management system standards at the same time within a tight schedule and in a business environment with an inadequate IT governance culture.

The release of a new edition of ISO 27001 in October 2013 introduced a new challenge as the client decided to update the implementation to meet the new requirements of ISO 27001:2013 while integrating with ISO 20000:2011. The project director was able to leverage his accredited COBIT 5 training (COBIT Foundation, COBIT Implementation and COBIT Assessor credentials) to help the client pioneer the compliance and certification to the ISO 27001:2013 standard. After a third-party audit, the British Standards Institution (BSI) issued the certificate of compliance to the client in February 2014.

Leveraging COBIT 5 Principles to Implement ISO 27001:2013 and ISO 20000:2012

To address the complexity and challenges to the implementation of the certification program, the client relied on COBIT 5 guidance on program management, change enablement and continual improvement to integrate the standards. The client leveraged COBIT 5 principles (figure 3) to guide it through the phases having divided the implementation program into the following phases: training and awareness, gap assessment, implementation design, and program management.

Figure 3—COBIT 5 Principles

Source: ISACA, COBIT 5, 2012

High-level Mapping of COBIT 5 to the New Management System’s Requirements

Figure 4 shows how the client drew guidance from COBIT 5 to establish an integrated management system for ISO 27001 and ISO 20000.

Figure 4—High-level Mapping of ISO Requirement to COBIT 5 Guidance

Clause No,

   Management System Requirements

   COBIT 5 Guidance

  4 4. Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the information security and service management systems
  4.4 ISO 27001 and ISO 20000 management systems
Pain points, trigger events, stakeholder drivers, enterprise goals, IT-related goals and information on related guidance
  5 5. Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organization roles, responsibilities and authorities
Responsible, Accountable, Consulted and Informed (RACI) chart from EDM 01-05 processes

RACI chart from APO 06, APO 08, APO 09, APO 10, APO 12, APO 13, BAI 04, BAI 06, BAI 07, BAI 09, BAI 10, DSS 01, DSS 02, DSS 03, DSS 04, DSS 05

Framework Principle and Policies—Appendix G, COBIT 5 Framework
  6 6. Planning
  6.1 Actions to address risk and opportunities
  6.2 ISO 27001 and ISO 20000 objectives and planning to achieve them
Management practices from APO 06, APO 08, APO 09, APO 10, APO 12, APO 13, BAI 04, BAI 06, BAI 07, BAI 09, BAI 10, DSS 01, DSS 02, DSS 03, DSS 04, DSS 05
  7 7. Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
      7.5.1 General
      7.5.2 Creating and updating
      7.5.3 Control of documented information
Enabler: People, Skills and Competencies
  8 8. Operation
  8.1 Operational planning and control
BAI 05
  9 9. Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
Lag and lead indicators

EDM 05, MEA 01, MEA 02, MEA 03
  10 10. Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement
MEA 01, MEA 02, MEA 03, Process goals and metrics

Figure 5 shows the practical steps taken to leverage COBIT 5.

Figure 5—Afenoid’s Implementation Approach

Implementation Phases

COBIT 5 Principle and Guidance Applied

Actions Taken

Training and awareness Meeting stakeholder’s needs

Covering the enterprise end to end

COBIT 5 Implementation phase 4 success factors (Educate and train in COBIT 5, other related standards and good practices)
COBIT 5 Foundation training for top management team across all business units, ITIL Foundation for all IT service provider staff, and ISO 27001 and ISO 20000 certification training for process managers and process owners

COBIT 5 Implementation phase 4 success factors (Educate and train in COBIT 5, other related standards and good practices)
Gap assessment and implementation design Applying single integrated framework

Enabling a holistic approach
COBIT 5 guidance to design compliance to most of the ISO management system requirement clauses, especially clauses 4, 5, 6, 7, 9 and 10

The “related guidance” of each of the 32 COBIT 5 processes in the management domain, to determine the processes that are specifically related to ISO 27001 and ISO 20000
Implementation design Applying single integrated framework

Enabling a holistic approach

Separating governance from management
COBIT 5 for stakeholder identification as well as stakeholder needs and expectations (Who is receiving benefits? Who is bearing risk? Who is providing resources?); scope of management system; organizational roles, responsibilities and authorities; performance evaluation; and internal audit
Programme management Separating governance from management

Enabling a holistic approach
The COBIT 5: Enabling Processes product to help determine the critical integration points with the extensive guidance on process inputs, base practices, process outputs, process managers and process owners (as per RACI charts)

Source: Afenoid, Project Initiation Document. Reprinted with permission.


One of the five principles of COBIT 5 is Applying a Single, Integrated Framework.2 Leveraging this principle helped Afenoid’s client, MicroAcces Limited-a service provider to the Central Bank of Nigeria, to attain and maintain its certification to ISO 27001:2013 and ISO 20000:2011 through the continual improvement guidelines in COBIT 5. The subsequent successful surveillance audits by the Registered Certification Body, British Standard Institute, proves COBIT 5 to be highly recommended as an integrator of multiple IT-related management system standards.

Opeyemi Onifade, CISA, CISM, CGEIT, COBIT Certified Assessor, CISSP, ISO 20000 Practitioner, ISO 27001 LA/LI, PRINCE2 (P)

Is the Principal Consultant at Afenoid Enterprise Limited, an IT management and assurance firm. He works out of Abuja, the federal capital territory of Nigeria. He is also the ISACA Abuja (Nigeria) Chapter President. He can be reached at opeyemi@afenoid.com.


1 Central Bank of Nigeria, “Nigeria Financial Services IT Standards Blueprint,” May 2013
2 ISACA, COBIT 5, 2012, pg. 14