Larry Marks, CISA, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP
ISACA has revised its governance and management of enterprise IT (GEIT) framework from COBIT 4.1 to 5, incorporating:
The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies (ISO member bodies). This organization is responsible for preparing international standards through its committees staffed by members from government, business and nonprofit organizations on a worldwide basis. ISO is in the process of developing a standard (ISO/IEC JTC 1/WG6 N 261) to assist its members with initiating and implementing governance on an accurate and complete basis.
Two separate models to assist in implementing governance exist: COBIT 5 Implementation (formerly the IT Governance Implementation Guide), issued with the newly released COBIT 5 framework to address the demand for implementation guidance, and the ISO Governance Model (ISO 38500:2008 Model for Corporate Governance of IT). COBIT 5 Implementation provides an implementation approach based on quality improvement life cycles. Yet, a step-by–step, unified approach to follow in implementing GEIT that crosses the ISACA and ISO approaches does not readily exist.
This article provides a checklist or mechanism that spans the ISACA and ISO approaches and identifies common questions that need to be considered during the GEIT implementation process.
ISO has identified the elements of implementing governance over IT as:
ISO standards as well as ISACA’s COBIT 5, which is oriented around the enterprise’s business goals, indicate that it is important to adopt an outcomes-based approach to GEIT, rather than to apply the ISO/IEC 38500 framework to specific operational aspects of IT.1 This will ensure that the organization is appropriately guided or steered in its use of IT, rather than operationally managed, which is the approach of the more detailed process- and/or controls-oriented frameworks, the outputs of which generally provide the inputs in support of GEIT. ISO’s implementation approach is described in figure 1.2 ISO 38501 is in draft and the approach may change, but this article tries to provide an idea of a possible implementation approach.
While ISO recommends an outcomes-based approach to GEIT, it does not indicate how this should be implemented to “people on the ground.” That is, ISO does not provide a-step-by-step list of actions that are needed to achieve the desired outcome.
COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework addresses both business and IT functional areas across an organization and considers the IT-related interests of internal and external stakeholders. Organizations of all sizes, whether commercial, not-for-profit or in the public sector, can benefit from COBIT 5.
COBIT 5 is based on five key principles for GEIT:
The COBIT 5 framework describes seven categories of enablers:
With at least two published governance models, is one better than the other? Should each one be used in different situations?
Most enterprise stakeholders and executive management are aware of the importance of general control frameworks (such as Committee of Sponsoring Organizations of the Treadway Commission [COSO]’s Enterprise Risk Management—Integrated Framework, Code of Connection [CoCo], the UK Corporate Governance Code, and King III3) with respect to their fiduciary responsibility; however, organization stakeholders and executive management may not necessarily be aware of the details of each framework. In addition, organization managers are increasingly aware of the more technical security guidance, such as the ISO/IEC 27000 series, and service delivery guidance, such as the Information Technology Infrastructure Library (ITIL). Although the aforementioned standard and framework emphasize business control and IT security and service management and delivery issues in specific areas of enterprise IT-related activity, only COBIT 5 integrates all functions and processes that establish GEIT into overall enterprise governance and from a business perspective.
The COBIT governance approach is based on the evaluate, direct and monitor (EDM) model, which is also used in ISO 38500. COBIT 5 is not meant to replace any of these frameworks or standards. It is intended to emphasize what governance and management elements and practices are required to create value from information and technology in support of the organization’s business goals.4
ISACA has compared COBIT 4.1 to COBIT 5 and documented the illustrative example process reference model within COBIT 5 (see figure 2).5
The following represents processes for governance in COBIT 5:
A checklist that bridges ISO’s general approach and ISACA’s business-operations approach is in order; this would help users implement the GEIT model. However, several items are readily apparent when attempting to generate such a checklist:
In other words, COBIT processes define the required outcomes from their implementation. An assessment against these outcomes—using an assurance approach including ISO 15504 as implemented in the COBIT Assessment Programme—will provide assurance of successful implementation. However, a checklist or mechanism that attempts to provide users with the ability to overlay the ISO and ISACA approaches would be helpful. Such a checklist addressing other areas of governance would include the following general processes (e.g., application controls, training, change standards and procedures):
The checklist, provided in figure 3, is meant to be a living document that can be enhanced over time. The checklist is aimed at helping the reader to crystallize to some degree the ISO standard and overlay the operational approach of COBIT. COBIT’s governance processes do contain metrics for users to consider and refine or extend the governance processes. Governance metrics have been suggested as a starting point in the form of related metrics linked to each of the process goals in each of the COBIT 5 governance processes. However, there are neither examples of these metrics nor uses of these metrics in a business setting. It appears that metrics that do not readily exist should be developed to evaluate whether an IT governance model, provided by ISO or ISACA, has been successfully implemented.
Along with the checklist, guidance is provided to explain how to use the checklist for reviewing GEIT implementation.
This article provides a checklist or mechanism that spans both the ISACA and ISO approaches and identifies common questions that need to be considered during the GEIT implementation process. The checklist is intended to be user friendly and includes suggested responses and tips to help users in their implementation.
1 International Organization for Standardization (ISO), ISO/IECJTC 1/WG 6 N261, ISO/IEC PDTR, ISO/IECJTC1 WG 6, Secretariat: SA, Introductory element—Main element—Complementary element, April 20122 Ibid. 3 IT Governance Ltd., “King Code of Governance Principle,” www.itgovernance.co.uk/king_iii_3.aspx4 ISACA, COBIT 5 Frequently Asked Questions, www.isaca.org/COBIT/Pages/FAQs.aspx 5 ISACA, COBIT 5 Compare With 4.1., PowerPoint, 2012, p. 176 American Society for Quality (ASQ), http://asq.org/learn-about-quality/cause-analysis-tools/overview/fishbone.html 7 Aradi, Roger; “Putting the ‘Independent’ into Board-managed, Independent, Internal Investigations,” Association of Certified Fraud Examiners, 23 rd Annual Fraud Conference Exhibition, June 2012, www.fraudconference.com/fctwo-column.aspx?pageid=4294973640&terms=%28seaboard+report%29+%28seaboard%29+
Larry Marks, CISA, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP, has extensive experience in implementing IT processes and policies and technology regarding internal controls and information security in the financial services, insurance, health care and telecommunications industries.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.