COBIT® 5 contains highly relevant guidance for IT practitioners and business leaders regarding governing and protecting data and information. However, the question of whether COBIT 5 is enough should be asked. This article explores what COBIT 5 provides and does not provide, then suggests a series of appropriate additions.
COBIT 5 does correctly start with an overarching set of business recommendations. For example, COBIT 5 suggests that business leaders include compliance with external laws and regulations, management of business risk, and compliance with internal enterprise policies in their balanced scorecard (BSC). For each of these, relevant metrics exist, including:
· The use and application of risk assessments
· The cost of regulatory noncompliance
· The measurement of noncompliance incidents
· The percentage of stakeholders who understand policies
· The percentage of policies supported by effective standards and working practices