Governance Implementation—COBIT 5 and ISO 

 
Download Article Article in Digital Form

ISACA has revised its governance and management of enterprise IT (GEIT) framework from COBIT 4.1 to 5, incorporating:

  • New GEIT principles
  • An increased focus on enablers
  • A new process reference model
  • New and modified processes
  • Practices and activities
  • Goals and metrics
  • Inputs and outputs
  • Responsible, Accountable, Consulted and Informed (RACI) charts
  • Process capability maturity models and assessments

The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies (ISO member bodies). This organization is responsible for preparing international standards through its committees staffed by members from government, business and nonprofit organizations on a worldwide basis. ISO is in the process of developing a standard (ISO/IEC JTC 1/WG6 N 261) to assist its members with initiating and implementing governance on an accurate and complete basis.

Two separate models to assist in implementing governance exist: COBIT 5 Implementation (formerly the IT Governance Implementation Guide), issued with the newly released COBIT 5 framework to address the demand for implementation guidance, and the ISO Governance Model (ISO 38500:2008 Model for Corporate Governance of IT). COBIT 5 Implementation provides an implementation approach based on quality improvement life cycles. Yet, a step-by–step, unified approach to follow in implementing GEIT that crosses the ISACA and ISO approaches does not readily exist.

This article provides a checklist or mechanism that spans the ISACA and ISO approaches and identifies common questions that need to be considered during the GEIT implementation process.

ISO’s Governance Model

ISO has identified the elements of implementing governance over IT as:

  1. The need to establish an enabling environment to implement governance. An environment required to enable or foster the implementation of GEIT includes:
    • Sponsorship and responsibilities
    • Stakeholder engagement
    • A baseline (governance) environment
    • Gap analysis to provide focus
    • Striving to improve continuously
    • A governance IT structure that includes:
        - Stakeholder expectations
        - Internal environment
        - External environment
  2. Maintaining an understanding of key aspects of the organization so that IT-related assessments and decisions can be realistically made. Key considerations include:
    • Business strategy, risk appetite and performance
    • Strategic change initiatives
    • Assurance reporting, including audit and risk
    • Culture of the organization and tone at the top
    • Organizational maturity and levels of skill
    • Key IT services and how they are provided
  3. Keeping apprised of external factors that may drive business opportunities and risk, thereby mandating IT-related business change responses, including:
    • Regulatory environment
    • Technological advances
    • Generational trends
    • Skills availability
    • Competitive forces
    • Stakeholder requirements

Figure 1ISO standards as well as ISACA’s COBIT 5, which is oriented around the enterprise’s business goals, indicate that it is important to adopt an outcomes-based approach to GEIT, rather than to apply the ISO/IEC 38500 framework to specific operational aspects of IT.1 This will ensure that the organization is appropriately guided or steered in its use of IT, rather than operationally managed, which is the approach of the more detailed process- and/or controls-oriented frameworks, the outputs of which generally provide the inputs in support of GEIT. ISO’s implementation approach is described in figure 1.2 ISO 38501 is in draft and the approach may change, but this article tries to provide an idea of a possible implementation approach.

While ISO recommends an outcomes-based approach to GEIT, it does not indicate how this should be implemented to “people on the ground.” That is, ISO does not provide a-step-by-step list of actions that are needed to achieve the desired outcome.

ISACA’s Governance Model

COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework addresses both business and IT functional areas across an organization and considers the IT-related interests of internal and external stakeholders. Organizations of all sizes, whether commercial, not-for-profit or in the public sector, can benefit from COBIT 5.

COBIT 5 is based on five key principles for GEIT:

  1. Meeting stakeholder needs
  2. Covering the enterprise end-to-end
  3. Applying a single, integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management

The COBIT 5 framework describes seven categories of enablers:

  1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
  2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
  3. Organizational structures are the key decision-making entities in an organization.
  4. Culture, ethics and behavior of individuals and of the organization are very often underestimated as a success factor in governance and management activities.
  5. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the organization itself.
  6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the organization with IT processing and services.
  7. People, skills and competencies are required for successful completion of all activities, and for making correct decisions and taking corrective actions.

ISO vs. ISACA Governance Model

With at least two published governance models, is one better than the other? Should each one be used in different situations?

Most enterprise stakeholders and executive management are aware of the importance of general control frameworks (such as Committee of Sponsoring Organizations of the Treadway Commission [COSO]’s Enterprise Risk Management—Integrated Framework, Code of Connection [CoCo], the UK Corporate Governance Code, and King III3) with respect to their fiduciary responsibility; however, organization stakeholders and executive management may not necessarily be aware of the details of each framework. In addition, organization managers are increasingly aware of the more technical security guidance, such as the ISO/IEC 27000 series, and service delivery guidance, such as the Information Technology Infrastructure Library (ITIL). Although the aforementioned standard and framework emphasize business control and IT security and service management and delivery issues in specific areas of enterprise IT-related activity, only COBIT 5 integrates all functions and processes that establish GEIT into overall enterprise governance and from a business perspective.

The COBIT governance approach is based on the evaluate, direct and monitor (EDM) model, which is also used in ISO 38500. COBIT 5 is not meant to replace any of these frameworks or standards. It is intended to emphasize what governance and management elements and practices are required to create value from information and technology in support of the organization’s business goals.4

ISACA has compared COBIT 4.1 to COBIT 5 and documented the illustrative example process reference model within COBIT 5 (see figure 2).5

Figure 2

The following represents processes for governance in COBIT 5:

  • APO03 Manage enterprise architecture
  • APO04 Manage innovation
  • APO05 Manage portfolio
  • APO06 Manage budget and costs
  • APO08 Manage relationships
  • APO13 Manage security
  • BAI05 Manage organizational change enablement
  • BAI08 Manage knowledge
  • BAI09 Manage assets
  • DSS05 Manage security service
  • DSS06 Manage business process controls

Bridging ISO Standards and ISACA’s Business Framework

A checklist that bridges ISO’s general approach and ISACA’s business-operations approach is in order; this would help users implement the GEIT model. However, several items are readily apparent when attempting to generate such a checklist:

  1. While recognizing the aforementioned 11 management-level processes, one observes that a practical checklist or guide does not exist to either bridge the ISO and ISACA model or help the user reach senior management to ensure that the 11 modified processes are successfully implemented.
  2. An aid to help the user use COBIT 5 Implementation to implement the GEIT processes on a higher, more holistic level does not readily exist.

In other words, COBIT processes define the required outcomes from their implementation. An assessment against these outcomes—using an assurance approach including ISO 15504 as implemented in the COBIT Assessment Programme—will provide assurance of successful implementation. However, a checklist or mechanism that attempts to provide users with the ability to overlay the ISO and ISACA approaches would be helpful. Such a checklist addressing other areas of governance would include the following general processes (e.g., application controls, training, change standards and procedures):

  • Stakeholder engagement and responsibility
  • Sponsor responsibilities
  • Nature of internal control environment
  • Nature of the external environment impacting the controls
  • A baseline of the IT system’s control environment

The checklist, provided in figure 3, is meant to be a living document that can be enhanced over time. The checklist is aimed at helping the reader to crystallize to some degree the ISO standard and overlay the operational approach of COBIT. COBIT’s governance processes do contain metrics for users to consider and refine or extend the governance processes. Governance metrics have been suggested as a starting point in the form of related metrics linked to each of the process goals in each of the COBIT 5 governance processes. However, there are neither examples of these metrics nor uses of these metrics in a business setting. It appears that metrics that do not readily exist should be developed to evaluate whether an IT governance model, provided by ISO or ISACA, has been successfully implemented.

Figure 3

Along with the checklist, guidance is provided to explain how to use the checklist for reviewing GEIT implementation.

Conclusion

This article provides a checklist or mechanism that spans both the ISACA and ISO approaches and identifies common questions that need to be considered during the GEIT implementation process. The checklist is intended to be user friendly and includes suggested responses and tips to help users in their implementation.

Endnotes

1 International Organization for Standardization (ISO), ISO/IECJTC 1/WG 6 N261, ISO/IEC PDTR, ISO/IECJTC1 WG 6, Secretariat: SA, Introductory element—Main element—Complementary element, April 2012
2 Ibid.
3 IT Governance Ltd., “King Code of Governance Principle,” www.itgovernance.co.uk/king_iii_3.aspx
4 ISACA, COBIT 5 Frequently Asked Questions, www.isaca.org/COBIT/Pages/FAQs.aspx
5 ISACA, COBIT 5 Compare With 4.1., PowerPoint, 2012, p. 17
6 American Society for Quality (ASQ), http://asq.org/learn-about-quality/cause-analysis-tools/overview/fishbone.html
7 Aradi, Roger; “Putting the ‘Independent’ into Board-managed, Independent, Internal Investigations,” Association of Certified Fraud Examiners, 23 rd Annual Fraud Conference Exhibition, June 2012, www.fraudconference.com/fctwo-column.aspx?pageid=4294973640&terms=%28seaboard+report%29+%28seaboard%29+

Larry Marks, CISA, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP, has extensive experience in implementing IT processes and policies and technology regarding internal controls and information security in the financial services, insurance, health care and telecommunications industries.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.