• Bookmark

Tips for Implementing IT Governance With COBIT 5

By Zachy Olorunojowon, CISA, CGEIT, COBIT 5 Foundation, Implementation and Assessor, CSXF, PMP

COBIT Focus | 4 September 2018 Japanese

Underlying the implementation of a number of governance of enterprise IT (GEIT) initiatives are information governance and information management issues such as big data, analytics, information disintermediation, security, privacy, compliance and the need to drive quality decisions based on quality information, among others. However, most GEIT implementation initiatives tend to focus more on technology than information, forgetting that even in COBIT, as in the GEIT framework, “I” (information) comes before “T” (technology). Taking an information perspective to GEIT implementation increases stakeholders’ buy-in and supports successful implementation of GEIT initiatives.

Here are some tips.

Determine Information Requirements

Before delving too deep into technical solutions and technology, be thorough about determining the information needs/requirements of the organization. Applying COBIT 5’s first principle of Meeting Stakeholders’ Needs,1 as simple as it sounds, becomes very foundational to:

  • Understanding what the information needs are, the criticality of the information, and why and how it needs to be managed and governed appropriately based on any additional legislative, regulatory and policy constraints.
  • Understanding information quality goals at different levels in the organization is important given the recognition that information is an asset or resource that delivers benefits to the enterprise when the enterprise meets necessary quality goals.

Follow the Information

As a GEIT professional, adapt the catchphrase “Follow the money” and keep in mind that one must follow the information across the organization since information is used at every level in the organization—operational, management, governance, executive and management levels. Use the goals cascade to analyze and illustrate dependency of information resources while showing how information contributes to achieving the enterprise objectives. The stakeholders will love this and buy into the GEIT implementation initiative. For example, show the information items in the information flow that support the enterprise value-chain goals across functional areas,2 i.e., human resources (HR), marketing, finance and IT (figure 1). An organization whose drivers for implementation of GEIT include compliance with legislative retention requirements will do well to take an end-to-end information view across the organization.

Figure 1—Examples of Information Items in Information Flows That Support the Enterprise Value Chain Goals

Source: ISACA, COBIT 5: Enabling Information, USA, 2013. Reprinted with permission.

Determine Stakeholder Roles

Broadly consult across stakeholder groups—both internal and external—to identify various roles and responsibilities throughout the information life cycle (figure 2). Determine whether there is an information model in the organization and who plays what role at every stage of the information life cycle. Some of the roles suggested in COBIT include:

  • Information producer
  • Information consumer
  • Information owner
  • Information acquirer
  • Information planner
  • Information users
  • Information custodians

Figure 2—Customer Data Information Stakeholders

Source: ISACA, COBIT 5: Enabling Information, USA, 2013. Reprinted with permission.

One approach observed working for a US bank and an organization in British Columbia, Canada, is assigning owners to organizational processes based on the COBIT 5 Process Reference Model.3 The process owners are then tasked with determining the information requirement of these core processes.

Identify Value Driving IT Goals and Their Information Items

Recognition of the IT goals (based on the generic 17 IT-related goals4 in COBIT 5) that need to be achieved to drive value and the information items that support those are important. Figure 3 is illustrative of how each IT-related goal can be supported by specific (IT-related) information items and potential metrics that can be used to assess the information quality.

Figure 3—Information Items Supporting IT-Related Goals

Source: ISACA, COBIT 5: Enabling Information, USA, 2013. Reprinted with permission.

Planning and engaging stakeholders from an information-needs perspective lays a solid footing for a successful GEIT implementation.

Zachy Olorunojowon, CISA, CGEIT, COBIT 5 Foundation, Implementation and Assessor, CSXF, PMP

Has more than 15 years of experience spanning systems development, network and database administration, enterprise information systems implementation, strategic planning and project management, and governance and management of enterprise IT. He is currently a project director with the Ministry of Health, British Columbia, Canada, and has been a chief information officer and a head of IT with financial institutions in Nigeria. An accredited COBIT 5 instructor, Olorunojowon has delivered risk IT courses in Nigeria and COBIT 5 courses in Canada and at ISACA training weeks. He has conducted on-site COBIT 5 training across North America. He is a past president of the ISACA Victoria (British Columbia, Canada) Chapter and has been a member of ISACA since 2004.


1 ISACA, COBIT 5, USA, 2012
2 ISACA, COBIT 5: Enabling Information, USA, 2013
3 Ibid., p. 24
4 Op cit ISACA, COBIT 5, p. 19