The June edition of the monthly COBIT 5 poster series features a graphic summary of the six levels of process capability and their related attributes. These capability level attributes are aligned with ISO/IEC 15504.
The poster charts the six levels of capability that a process can achieve, from an incomplete process that is not implemented or fails, to an optimized process.
Each capability level can only be achieved after the previous level has been fully met. For example, before a process can be assessed as an established process (process capability level 3), the attributes of a managed process (level 2) must first be fully achieved.
ISACA’s website states that “membership sets you apart from other IT professionals by signifying that you are:
My reason is that CISA and CISM are widely known—more so than ISACA itself. Many organizations know COBIT and many additional firms use the framework but may not know it comes from ISACA. CGEIT and CRISC are not quite as well known, in comparison, but as a professional organization we have an opportunity to promote these as a substantial solution to better manage cyber-security threats, which have finally hit the board agenda.
If I had a £1 for every time a client said “it won’t happen to us,” I would be a very rich man and probably would not be writing this blog!
Risk management is about minimizing the chance that it will happen to us: anticipating what might occur to affect the successful delivery of an enterprise’s business goals or objectives, and implementing an appropriate risk response to minimize the risk of an adverse business impact materializing.
This is how risk management is usually seen. However, a good risk management process can also be used to help achieve the successful delivery of a business goal or objective.
The book Advanced Persistent Threats: How to Manage the Risk to Your Business is a nice overview of advanced persistent threats (APTs) that lays out a framework for addressing the risk associated with APT. The book provides enough detail to give any practitioner the starting points for additional research.
As with most ISACA publications, the book takes a risk-based approach to the APT problem so that it can be used as a guide to help information security professionals build the business case for the resources to address their APT risk.
Here is an excerpt:
When a majority of enterprises report that less than half of their IT initiatives actually deliver the expected business benefits, it is time to take a closer look at what businesses can do to attain those sought-after benefits.
Enterprises make investments in technology as part of their daily operations, so the need for business benefits realization from those investments is ongoing. That need—and the general failure of businesses to meet it consistently—is the driving idea behind the creation of COBIT 5 for Business Benefits Realization, a new book from ISACA.