
COBIT Focus - ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance

Join author Christopher Oparaugo, as he responds to ISACA member questions beginning 14 December 2015. Add your questions by responding to this post!


The balanced scorecard (BSC), initially developed by Kaplan and Norton, is a performance management system that should allow enterprises to drive their strategies on measurement and follow-up.

In recent years, the BSC has been applied to IT and, currently, the first real-life IT security governance application has been developed based on mapping International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 control objectives to COBIT® 4.1 process areas and IT governance focus areas. As a further exercise, the relationships and similarities of COBIT 4.1 and COBIT 5 can be explored to create a mapping for COBIT 5 in future publications.

This article explains how an exercise in instituting controls can be used to establish the IT BSC, which can be linked to the business BSC and, in so doing, can support the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls.


Comments

RE: COBIT Focus - ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance

Hi, it would be applicable, thanks.
Alireza525 at 12/11/2015 1:42:07 PM

Yes, it is applicable, thanks
Chris Emeka Anoruo at 12/15/2015 8:05:32 AM

Yes, it is applicable, thanks
Chris Oparaugo at 12/15/2015 8:05:32 AM
I was asked on LinkedIn how the P and S can be derived. These legends are from the ISACA COBIT Information Criteria legend: blank = no impact; P = primary impact status; S = secondary impact status.
Chris Emeka Anoruo at 12/15/2015 8:12:11 AM

Most organizations have a good handle on managing IT governance, but where they fail is how it relates to information security. Your work shows the business benefit of information security controls and how they relate to business goals.
Chris Emeka Anoruo at 12/15/2015 8:37:53 AM

Question: How practicable is using a standard like ISO 27001 to map to COBIT to cover all aspects of IT governance? It looks like the end result may produce a more information security-centric view on governance rather than an overall view which will highlight other areas such as strategic alignment, performance management and resource management.

Response: Very practicable, as this is the result of such an exercise. The key thing to note is that you can derive a balanced scorecard and backtrack to see the cause of the low values in your BSC. Richard, this can also be used in setting staff KPIs in organisations.
Chris Emeka Anoruo at 12/15/2015 8:53:49 AM

Hi Chris,

Greetings. From Figure 2 of the article I would like to know the basis for calculating the status in percentage. Greatly appreciate your clarification.

Best

Joe
Joseph Kiran101 at 12/16/2015 10:20:43 AM

Hi Joe, the basis for calculating the status in percentages is a scale of 1 to 10, which can be converted into percentages, with 1 being the lowest and 10 being the highest acceptance and operational effectiveness. For example, Checklist 1.1.1, Standard 5.1.1 (Information security policy document): part A) shows that the policy document has been approved by management and communicated to all, and in the exercise users agreed to that except for a few new joiners, which gives a score of almost 9.5; but part B) shows that the commitment is lower than the understanding and acknowledgement that the policy document exists. The cumulative scores are then aggregated, and a normal average result is what I have presented from the exercises in the document.
Chris Emeka Anoruo at 12/17/2015 10:51:47 AM
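A worked example of the scoring described in the reply above (1-to-10 checklist scores averaged and converted to percentages) and of the backtracking from a low scorecard value to its cause mentioned in the earlier question-and-answer exchange. This is added illustration, not code from the article, from ISACA or from the author. The checklist items, scores, ISO/IEC 27001 control numbers, and the control-to-COBIT-process and process-to-BSC-perspective mappings are constructed and assumed for the demonstration; the real ones come from the article's own tables and figures. The roll-up is a plain item-weighted average at each level, as the reply describes.

```python
"""Roll up 1-to-10 checklist scores into percentage statuses per ISO/IEC 27001
control, COBIT 4.1 process and BSC perspective, then trace a low status back
to the checklist items that caused it.  Added example; the data below is
constructed and the mappings are assumptions, not the article's figures."""
from dataclasses import dataclass
from statistics import mean

SCALE_MAX = 10.0  # 1 = lowest, 10 = highest acceptance (the reply's scale)


@dataclass(frozen=True)
class ChecklistItem:
    checklist_id: str   # checklist reference, e.g. "1.1.1 A"
    control: str        # ISO/IEC 27001 Annex A control, e.g. "A.5.1.1"
    question: str
    score: float        # 1..10 as recorded in the assessment exercise

    def __post_init__(self):
        if not 1.0 <= self.score <= SCALE_MAX:
            raise ValueError(f"{self.checklist_id}: score {self.score} not in 1..{SCALE_MAX:g}")


def to_percent(score):
    """Convert a 1..10 score to a percentage (9.5 -> 95.0)."""
    return round(score * 100 / SCALE_MAX, 1)


def status_by(items, key):
    """Plain average of the item scores grouped by key(item), as percentages."""
    groups = {}
    for item in items:
        groups.setdefault(key(item), []).append(item.score)
    return {k: to_percent(mean(scores)) for k, scores in groups.items()}


def rollup(items, control_to_process, process_to_perspective):
    """Return (control %, process %, perspective %) dictionaries."""
    controls = status_by(items, lambda it: it.control)
    processes = status_by(items, lambda it: control_to_process[it.control])
    perspectives = status_by(
        items, lambda it: process_to_perspective[control_to_process[it.control]])
    return controls, processes, perspectives


def backtrack(items, control_to_process, process, threshold_pct):
    """Checklist items under one COBIT process whose own status is below threshold,
    lowest first: the backward review from a weak scorecard value to its cause."""
    hits = [(it.checklist_id, it.control, to_percent(it.score))
            for it in items
            if control_to_process[it.control] == process
            and to_percent(it.score) < threshold_pct]
    return sorted(hits, key=lambda h: h[2])


# Constructed sample exercise (not the article's data).  A.5.1.1 has the two
# parts the reply describes: the policy is known (9.5) but commitment lags (7.0).
SAMPLE_ITEMS = [
    ChecklistItem("1.1.1 A", "A.5.1.1", "Policy approved by management and communicated to all", 9.5),
    ChecklistItem("1.1.1 B", "A.5.1.1", "Staff demonstrate commitment to the policy", 7.0),
    ChecklistItem("1.1.2 A", "A.5.1.2", "Policy reviewed at planned intervals", 6.0),
    ChecklistItem("2.1.1 A", "A.6.1.1", "Management actively supports information security", 8.0),
    ChecklistItem("2.1.3 A", "A.6.1.3", "Security responsibilities are allocated", 5.0),
]
# Assumed mappings for the demonstration; take the real ones from the article's tables.
CONTROL_TO_PROCESS = {"A.5.1.1": "PO6", "A.5.1.2": "PO6", "A.6.1.1": "PO4", "A.6.1.3": "PO4"}
PROCESS_TO_PERSPECTIVE = {"PO6": "Learning and growth", "PO4": "Internal business process"}


if __name__ == "__main__":
    controls, processes, perspectives = rollup(SAMPLE_ITEMS, CONTROL_TO_PROCESS, PROCESS_TO_PERSPECTIVE)
    for level, statuses in (("control", controls), ("process", processes), ("perspective", perspectives)):
        for name, pct in statuses.items():
            print(f"{level:12} {name:28} {pct:5.1f}%")
    # The scorecard shows PO4 at 65%: which checklist items dragged it down?
    for cid, control, pct in backtrack(SAMPLE_ITEMS, CONTROL_TO_PROCESS, "PO4", 70.0):
        print(f"backtrack PO4 -> {control} {cid}: {pct}%")
```

With the constructed scores, A.5.1.1 averages to 82.5%, PO6 to 75% and PO4 to 65%; backtracking PO4 against a 70% threshold returns the single item on allocation of security responsibilities (50%). The roll-up averages items rather than controls, so a control with more checklist parts weighs more at the process level; if the scorecard should weight each control equally, average the control percentages instead.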

In relation to business through IT, the IT goals (14 and 18) of Figure 9 are the bedrock or foundation for IT assurance in an organization and are built with COBIT PO9 as the driver. These components are what have enhanced the BSC financial and international business perspectives in Figure 10. My solution for this build-up can be cross-checked (by backward review) against the input components from the ISO 27001 control objectives, checklists and questions. I am available if you want to engage in a workshop.
Chris Emeka Anoruo at 12/21/2015 1:40:14 PM

I have been following this topic, but I have not seen any document which gives the details of the Cross Mapping. Could someone please provide a link to the document.
Srinath313 at 12/23/2015 3:52:53 AM

From the ISACA site, only the following material is available.

"Mapping of ISO/IEC 17799:2000 With COBIT®, 4.0"
ISO/IEC 17799 is included in ISO/IEC 27001.
https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=WCMISO

"Mapping of ISO/IEC 17799:2005 With COBIT®, 4.0"
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/COBIT-Mapping-Mapping-ISO-IEC-17799-2005-With-COBIT-4-0.aspx

And please refer "COBIT Mapping: Overview of International IT Guidance, 3rd Edition"
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/COBIT-Mapping-Overview-of-International-IT-Guidance-3rd-Edition.aspx


Masatoshi Kajimoto, CISA, CRISC at 12/23/2015 6:13:44 AM

Thanks, Chris and Kajimoto-san, for your insights. Appreciate them. Best, Joseph
Joseph Kiran101 at 12/28/2015 10:42:01 PM