The COBIT Assessment Programme, an approach to determine process capability, currently consists of 3 publications:
- The PAM combines COBIT 4.1 with ISO/IEC 15504-2, and provides the basis for a robust, dependable assessment approach.
- This PAM companion details how to undertake an assessment based on ISO/IEC 15504-2.
- This PAM companion provides an alternative and less rigorous approach to performing an assessment.
Programme Purpose
The COBIT Assessment Programme is a COBIT-based approach that enables the evaluation of selected IT processes. The assessment results provide a determination of process capability and can be used for process improvement, delivering value to the business, measuring the achievement of current or projected business goals, benchmarking, consistent reporting and organizational compliance.
The process capability is expressed in terms of attributes grouped into capability levels and the achievement of specific process attributes as defined in ISO/IEC 15504-2. Processes can be assessed individually or alternatively in logical groups. As such, scoping areas have been defined based on previously developed mappings, published by ISACA, which will allow for focused assessments. These scoping areas include:
- Capability of IT processes to support cloud services
- Capability of IT processes to support achievement of IT and business goals
- Capability of IT processes to support SOX compliance
- Capability of IT processes to support the enterprise governance of IT
Assessment reports will include the level of capability achieved, the processes needing improvement and recommendations for improvement.
Need for the Programme
As part of strategy development, ISACA determined a need to provide a formal assessment approach based on the COBIT framework. We reviewed common assessment options in use—principally the Software Engineering Institute (SEI) Capability Maturity Model (CMM)/Standard CMM Integration (CMMI) Appraisal Method for Process Improvement (SCAMPI) approach (on which the COBIT maturity model [MM] in COBIT 4.1 is loosely based), and the International Organization for Standardization (ISO) approach.
Both provide guidance on topics such as the level of evidence required for an assessment and the skills required of competent assessors. Evidentiary requirements, assessor skills and competencies are required to deliver reliable and repeatable results in a formal assessment approach.
ISACA decided to adopt ISO/IEC 15504-2:2003 Information technology—Process assessment—Part 2: Performing an assessment, which is sometimes referred to as Software Process Improvement and Capability Determination (SPICE). This decision reflects, in part, recognition of recent market activity in the process assessment arena, including the publication of materials that support both the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control—Integrated Framework and ITIL Version 3 assessments using the ISO approach.
Programme Audience
Organizations seeking an evaluation/assessment of their IT processes, and individuals responsible for performing such assessments (including IT management/staff, IT auditors and consultants), will find the COBIT Assessment Programme most useful.
COBIT 5 (Will there be a 5.0 version of the Programme?)
Given the popularity and significant use of COBIT 4.1 as a globally accepted framework utilized by thousands of enterprises, initial research, market validation and development was conducted using 4.1 as the base reference model. This approach was intentional and provides a useful process capability assessment programme for 4.1 users, as well as a basis for a programme based on COBIT 5.0 (in development). COBIT users will then find both versions valuable for conducting assessments, depending on their preferred assessment base: COBIT 4.1 or COBIT 5.
Training and Certification
ISACA is currently scoping the development of a scheme for the training and certification of individual assessors. Such training and certification will enable assessments to be completed in a reliable, consistent and repeatable manner.