COBIT 2019 is a terrific resource for a wide range of business technology professionals. In ISACA's 19 September 2019 Professional Guidance webinar (free registration), “COBIT 2019 – Highly Relevant for Auditors,” we will focus on assurance professionals and the benefits they can obtain from COBIT 2019.
For that purpose, we will first quickly revisit the key COBIT 2019 concepts. We will then discuss the features of COBIT 2019 that are most relevant for auditors, such as the design factors and design guide, the governance and management objectives, and the new process capability scheme.
The design factors and design guide are intended to design a governance system, which prioritizes the 40 governance and management objectives and helps determine which focus area guidance is to be used. When assurance professionals have to develop their audit plans, they usually take a risk-based approach that considers enterprise objectives. This is exactly how the design factors can and should be used by assurance professionals to prioritize their audit plans. The goals cascade, risk scenarios, current IT issues and other elements are included as design factors.
The governance and management objectives, the process practices and activities are in essence – in language, concept and level of abstraction – equivalent to control objectives and control practices, and therefore can be used to develop audit programs and serve as suitable criteria for audit assignments. The process activities can also be used to develop detailed assurance steps.
COBIT 2019 contains a new process capability assessment scheme as part of its performance management guidance. The new scheme is based on CMMI and assigns capability levels to each process activity. The relevance for assurance professionals is twofold: based on the audit plan where governance and management objectives are prioritized, one can define target capability levels for the process component of each governance and management objective in scope of the assurance engagements, thus defining which process practices and activities will be in scope of the audit programs. Closely related, assurance professionals can use the capability levels to report process performance in their assurance engagements.
In addition to the above, assurance professionals should consider the non-process components of governance and management objectives when building their audit universes, plans and programs. COBIT 2019 indicates that not only are processes important governance components, but that organizational structures, culture and behaviors, information streams, skills and behaviors are important. For that reason, we encourage assurance professionals to consider them when conducting their engagements. The current COBIT 2019 performance management guidance does not yet fully support these other types of components – initial guidance for organizational structures and information quality is included in COBIT 2019, while guidance for other components is yet to come.
I look forward to this webinar further demonstrating the relevance of COBIT 2019 for assurance professionals and look forward to hearing your questions and suggestions for further guidance.
Training is important for marathon runners, but there are a number of specific factors that go into marathon runners achieving their personal best. Take a look at the examples below (and for you non-runners, your COBIT and digital transformation muscles will be exercised soon enough):
1. Get strong. It’s strength and conditioning, particularly around the ankles, knees and hips, that separates elites from mere mortals, according to British distance legend Liz McColgan.
2. Get loose. You want optimal flexibility and power from the first step. Come the end of the race, you'll actually have more energy reserves as you'll have run more efficiently.
3. Pace the workout. Going out too fast in both training and racing is the undoing of many talented runners.
4. Run with purpose. Each run has a plan with a focus, which increases motivation, gives training structure and ultimately improves times.
5. Create real incentives. Every runner knows the trick of mentally breaking up long runs into shorter, more manageable chunks, with rewards along the way and at the finish line.
6. Maintain quality. New shoes every 300 miles. Running in an old, worn-out pair of shoes can result in painful injuries and can mean a possible early end to your running career.
In many ways, digital transformation is like giving organizations a new pair of running shoes. Digital transformation, however, is not just technology; it’s more often about shedding outdated processes and legacy technology, giving organizations a chance to run faster.
Achieving your organization’s personal best requires more than just a new pair of running shoes. There are six steps, as outlined by ISACA’s recently updated COBIT 2019 framework, that can facilitate your organization’s ability to keep in top running condition. Here’s how:
- Get strong. COBIT incorporates the latest technology evolutions and methods, including new guidance on data management. COBIT enables your organization to strengthen and focus on the key objectives that are rightsized for your organization to continue to move forward.
- Get loose. Up-to-date and flexible frameworks for governance of enterprise IT will empower you to address current security risks, DevOps/DevSecOps and cloud computing, and enable the digital transformation sweeping many of our organizations.
- Pace the workout. The new Design Guide allows organizations to create a plan and tailor a governance system to specific context, defining the right priorities and providing a leaner, much more effective and efficient governance system.
- Run with purpose. Deploy a framework that is an authoritative reference useable by an organization’s boards, senior management, business and IT management and practitioners, audit and risk professionals, as well as external entities such as regulators and external auditors. This ultimately gives structure to align an organization and guide risk management activities.
- Create real incentives. The COBIT 2019 Implementation Guide provides you with assistance and direction for organizational change management and program management, identifying challenges and success factors.
- Maintain quality. Embedding and enabling an intuitive process capability model like CMMI will empower process improvement initiatives and allow for easier techniques and approaches to communicate with senior management.
Everyone approaches a marathon differently and, likewise, the approach to COBIT is different for every organization. No one way is better than the other; it’s just different. Your approach will depend upon your organization’s risk tolerance and appetite for change. At some point, as with runners, you will “hit the wall.” If it happens, don’t get too discouraged – be sure to refocus, recommit to the goal and recalibrate.
Editor’s note: Enhance your training of COBIT 2019 and stay fit for your organization in a pre-conference workshop at the 2019 GRC Conference in Ft. Lauderdale, Florida, USA, on 11 August or at a pre-conference workshop at EuroCACS/CSX 2019 in Geneva, Switzerland, on 14-15 October. For additional opportunities, see ISACA’s upcoming Training Week schedule.
It is said that anything with two heads is a monster. I usually think of this saying when carrying out IT governance reviews, as inclusive governance seems to be a missing link.
The study of governance has been fragmented and so diverse that it has birthed different specializations. But governance is the only head that should exist in any organization. Governance represents direction, strategies, policies, regulations and actions that influence how an organization is to be managed. Governance is a singular term; however, many organizations have adopted governance as a plural term and have adopted different leadership stances and priorities over management of financial governance, health governance and/or IT governance, with financial governance taking the center stage. Ask any finance director – he or she will tell you that they do not need to remind any board member about the importance of financial regulation and how financial performance is a reflection that the board is executing its mandate.
Through specialization, “governance” has been stripped of its overarching position. It is the board’s responsibility to ensure that direction is provided for the entire organization as much as it is the government’s role to ensure that appropriate acts and regulations are available in all industries and sectors. Any industry that is not governed is prone to abuse.
When I was first introduced to COBIT®, I viewed it as an IT framework in the same way as the majority of IT personnel and experts view it. Trainings and workshops for COBIT were to be exclusive to IT personnel, as the framework is perceived as belonging to the IT experts. The exclusivity of IT-related governance frameworks to IT has given IT a little head that has proven to be a monster in many boardrooms. With so many new technology buzzwords such as artificial intelligence, robotics, Internet of Things, red teams, blue teams, etc., this little monster will continue to terrorize board members and executives in many organizations, as many don’t know how to control it.
Reading the definition of COBIT in the COBIT 2019 Introduction and Methodology publication, I see an opportunity for governance to take its rightful position as an inclusive concept rather than the current fragmented one. COBIT is defined as a framework for the governance and management of enterprise information and technology aimed at the whole enterprise, a departure from COBIT 5, which indicated that COBIT is a framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. COBIT 5 omitted an important phrase, “aimed at the whole enterprise.” The inclusion of this phrase in COBIT 2019 strips off the “monster” tag from IT. IT governance should no longer be viewed as an exclusive term but part of the singular governance of an organization.
The opportunity to attend COBIT trainings and workshops therefore should not be limited to IT teams but should be open to all members of the executive team, as well as the board.
The time for making predictions about the number of IoT devices in future years and waiting for that time to come is long gone (however, if you really want to know, one source predicts there are going to be 75 billion IoT devices in 2025). If enterprises still have not thought about the ways IoT could bring them new value, now is certainly the right time to get started.
As the title suggests, COBIT 2019 and IoT could be a great combination for adding value to the enterprise. Auditors (including myself) need to follow the enterprises and keep up with IoT, so auditors can give reasonable assurance on the topic.
If an enterprise plans to adopt IoT, the most likely COBIT 2019 governance and management objectives it would have to focus on (in one of the possible scenarios) are:
- APO03 Managed enterprise architecture
- APO04 Managed innovation
- APO07 Managed human resources
- BAI10 Managed configuration
- BAI03 Managed solutions identification and build
- BAI07 Managed IT change acceptance and transitioning
Of course, those are only six of 40 governance and management objectives recognized by the COBIT 2019 framework. The rest of them should not be neglected by default.
To satisfy stated objectives, consider these seven components of the governance system:
- Organizational structures
- Principles, policies and frameworks
- Culture, ethics and behavior
- People, skills and competencies
- Services, infrastructure and applications
Although the components are thoroughly explained in COBIT 2019, they do not prescribe any IT-related decisions. Every enterprise needs to customize COBIT to its own needs, as there is no “one size fits all” solution.
As for auditors, we must agree there are differences when auditing technology that has been previously audited numerous times (database management systems, operating systems, etc.) compared to auditing some of the emerging technologies (such as IoT). Before you get a headache trying to figure out IoT-related risks, audit scope, etc., please continue reading.
In the ISACA Journal article “Auditing the IoT”, you’ll find important steps for conducting IoT audit engagements.
You might be asking yourself: “So, can COBIT 2019 also help?” The answer is (obviously, if we look at the blog title) yes. Whether the organization harnessed the power of COBIT 2019 to incorporate IoT in its business or did it another way, the auditor has plenty of information in COBIT 2019 to kick-start an effective audit engagement. The rationale behind that is as follows:
- COBIT is a framework for the governance and management of enterprise information and technology – all the technology and information processing the enterprise puts in place to achieve its goals.
- Let us switch for a second to a definition of internal auditing by the Institute of Internal Auditors. Part of it states: “It helps an organization accomplish its objectives.”
When we put one and two together, it is clear that:
- If auditors are not aware of the enterprise’s goals, they cannot fulfill their purpose; and
- COBIT 2019 can help in getting more insight on achieving the following goal – getting value from IoT.
Auditors would be well-served to focus on the same governance and management objectives mentioned in the “Business Perspective” section of this blog, but it’s of great importance to repeat once more ... customize, customize, customize.
Managing projects for the best possible outcome is a bit art and a bit science. From a high-level view, stakeholder management includes: identifying the people that could impact a project, understanding the expectations of the stakeholders and their impact on a project, and developing strategies for effectively engaging the decision-making project stakeholders.
OK, so that’s good. But, in looking at effectively engaging the decision-makers, what kind of strategies do you use for bringing them into the process and getting their buy-in? Do you and the stakeholders all agree on the project goal? Are you heading in the same direction, with the same destination? Ideally, yes. Otherwise, your job engaging those stakeholders just got a lot harder.
When faced with a challenging stakeholder, you might tend to want to push this individual in the direction you want them to go. That direction should be the direction (and goal) on which most of the stakeholders agree. But, how often do you start pushing, only to realize the stakeholder is resisting and pushing back?
OK, now what? Maybe pulling this person along is a better idea? But, that also will likely result in resistance. Maybe you’re strong enough to overcome the stakeholder’s resistance, but is winning that battle going to win you the war (a successful project conclusion)? Maybe, maybe not. Some might choose to take that chance, but there might just be a better way.
Perhaps you should engage those challenging stakeholders who can influence the outcome and success of the project. At a minimum, you really need to engage all the influential stakeholders in a conversation about the project goal. This can be done either one-on-one or in a group. Ultimately, you need to discover why the challenger has a different goal than other stakeholders.
What’s wrong with the goal on which most stakeholders agree? Engaging in a dialogue about the pros and cons of the varying goals can help you (and the stakeholders) understand the problem space better and help all of you develop a better solution for the project – with a unified project goal being the ideal result.
So, what are you really doing here anyway? You’ve decided not to push the stakeholder down the road. You’ve decided that pulling the stakeholder down the road isn’t any better. So, perhaps you decide to just walk with them side-by-side on this journey and help this stakeholder along as needed. Perhaps you need to nudge or coax them a little bit here or there, but nothing to cause the stakeholder to become defensive.
And while you’re walking together during this project, you’re probably building trust with your stakeholders. I would call that stakeholder “relationship development,” not “management”. The golden rule here is: while you’re managing the process, make sure you don’t manage the stakeholder.
My guess is your stakeholder did not hire you to manage him or her. This individual wants you to solve a problem, and needs your help. Build a trusting relationship with your stakeholders, and you’ll find much greater project success.
About the author: Ken Russman is a senior project manager with TalaTek, who holds PMP and CISSP certifications and has 20 years of experience in managing projects, strategic planning, and policies and procedures development.
We are in 2019, and have all witnessed the effects of disruptive start-up companies, the growth and stability of the cloud market, the emergence of CI/CD practices and the simple need for agility. Inversely, there are organizations where none of what I mentioned is happening.
There are times when companies become good at what they do, and they become comfortable. With that comfort comes something that leaders and employees may choose to ignore. What is that? Well, to put it mildly, that thing would be the need for change. A provocative question to yourself would be: If I am doing my job properly and getting good results, do I need to change? Some may argue, “No,” and some may argue, “Yes.” From an IT point of view, the question becomes even more complex. This is especially the case when IT has taken on a supportive operational role within an organization, and by doing so, becomes expert at what they do, but finds that innovation is lost and resistance to change grows larger.
Enter the competitive threats. While your business was doing things right, the disruptor (which can be an existing competitor) was building solutions to solve customer issues, creating new products and services, and defining new ways of doing business to go to market. The result can be dramatic; your business suddenly gets a nudge, you have questions being asked by stakeholders, who all want to know:
- How does this impact us?
- What is next on our plate?
- What are we going to do now?
- Are we agile enough to deliver a solution in a short space of time?
At this point, all eyes turn to one of the major business enablers – none other than the IT department. Suddenly, IT goes from doing things right to not being agile enough to support strategy and innovation.
The need for agility in a rapid, flexible, durable and secure manner can best be delivered by cloud services. Layers of bureaucratic decision, hours of provisioning and other complexities can be addressed with IaaS, PaaS and SaaS solutions, which support CI/CD pipelines. From a security point of view, a lot of effort is put into cloud security, with the provider getting its platform certified by world-recognized standards such as 27001, PCI-DSS, and HIPAA.
What that means for businesses is that, combined with the shared security model of the cloud, they will be able to securely and effectively safeguard data while meeting regulatory compliance and internal enterprise security requirements. Enterprise Architect and GEIT are the solutions that can be introduced or remodeled within your enterprise to create both systems and processes to deal with this type of scenario.
Billy Beane was one of the first general managers in the history of Major League Baseball to use data to build out a successful team with a fraction of the budget relative to his peers. Like many IT leaders, he had to do more with less.
Now, imagine that you’re responsible for managing a Periodic Table’s worth of processes central to a successful IT shop.
You’re overworked, underfunded, and the business doesn’t understand why it should dedicate resources to supporting yet another acronym from the DRP, MDM, or COBIT-letter salad. Where do you go from here?
First, you need to think like Billy Beane. Think hard about your most important KPI. Now, reverse-engineer the drivers that factor into it.
Source: Info-Tech Research Group
For Billy, his KPI was on-base percentage. For IT leaders, your KPI should be stakeholder satisfaction because IT exists to support the business’s capabilities and revenue streams.
At Info-Tech Research Group, we’ve collected data from the thousands of stakeholders with whom our IT leaders work. Our goal was to mine this data until we uncovered the top drivers of stakeholder satisfaction. To this end, we ran a multiple linear regression, and there were two key take-home messages from these results – notably, one of them is more important than the other:
Source: Info-Tech Research Group
1) Your ability to prioritize stakeholder projects is, for obvious reasons, very important. Boiling the ocean is not an option.
2) Critically, however, your ability to communicate, understand, and execute on stakeholder needs carries even more weight than other more expensive drivers. The return on your investment in relationships is far greater than the ROI in innovation, infrastructure, and applications because working on relationships is cheap and effective.
Moral of the story? Maintaining good relationships with stakeholders yields greater dividends relative to investing in a new shiny toy. You can immediately improve relationships for free, which will cost you less than investing in the more expensive drivers of stakeholder satisfaction, like infrastructure or applications. The trick, though, is, you need to use your own data. Remember, the results above are averages across thousands of stakeholders.
Now, back to managing that Periodic Table of core processes. Once you’ve figured out which processes tie into your stakeholder’s top priorities, you must hone your focus on the five or six processes (e.g., DRP or Service Desk) that relate to those priorities. Ask your leadership team in IT how important and effective they perceive these processes to be, and suss out the areas you all agree are important to the business but are also areas in which you are not effective.
Source: Info-Tech Research Group
There are two major benefits to this alignment exercise between stakeholders and across your IT leadership team:
1) You will no longer be as overworked, and the business won’t be stuck supporting yet another acronym from the COBIT-letter salad or paying for yet another new toy that the business doesn’t really need.
2) Your IT shop will climb the maturity tower (see below) and make technology a better business partner.
Yogi Berra, ex-catcher for the New York Yankees, once said, "If you don't know where you are going, you might wind up someplace else."
His words resonate today. Use your own data to help prioritize stakeholder projects and benchmark the quality of business relationships to move the needle on the one-metric-to-rule-them-all, stakeholder satisfaction. As Billy Beane figured out all those years ago, it’ll help you accomplish more with less.
I love COBIT. Why? To begin with, COBIT is useful and usable. Secondly, the newly updated framework combines community knowledge and flexibility.
The What Is COBIT and What Is It Not section from COBIT 2019 Framework: Introduction and Methodology is very clear, and demonstrates how useful and usable the updated version of COBIT will be.
COBIT users know that COBIT in its last two versions utilized the components (formerly enablers) to plan, build and maintain a governance system. They were and are principles, policies and procedures, processes, organizational structures, information flows, culture and behaviors, skills, and infrastructure.
We can find these components in all organizations, and work with them to fix some problems or weaknesses in order to improve the current and future maturity of their governance system and, thus, create value for relevant stakeholders. These “magic resources” that create an appropriate solution are the first element to confirm that COBIT is usable and useful.
New design factors are the second one, and the new Design Guide was published this week. They should be considered by the enterprise to build a best-fit governance system. Not all organizations need the same solution with the same kind and quantity of resources. It is all about the best combination of needed resources to achieve expected or required benefits with a good balance or acceptable level of risks.
Not all organizations have the same strategy, goals, risk profile, I&T-related issues and threats. Compliance requirements, size and role, adoption strategy, sourcing model and implementation methods of IT are factors that we must complete soon.
Design factors influence in different ways the tailoring of the governance system of an enterprise. COBIT 2019 distinguishes three different types of impact, illustrated below.
The New COBIT 2019 Framework: Governance and Management Objectives are free for members and non-members. I believe this is a remarkable step to increase the number of COBIT followers and professional community engagement. How many students and professionals will benefit from these complimentary publications? How many of them will be influenced by COBIT 2019 and decide to initiate an IT career or improve it through a certification?
Will these new followers influence COBIT’s future design? I am sure of it.
Editor’s note: For more information about COBIT 2019 guidance, products and training, visit www.isaca.org/cobit, or view a webinar on the COBIT framework here or the Design Guide and Implementation Guide here.
One of the biggest challenges for modern businesses isn’t being able to collect data, but finding a way to organize it systematically and using the data that piles up. Learning how to interpret random data points and unstructured information often proves to be more than some companies can handle, but it doesn’t have to be.
Finding value in a heap of unstructured data
“Increasing the volume of quality content being fed into big data analytics tools dramatically increases the value of the output – whether it’s improved decision-making or better product design, risk reduction, and enhanced customer experience,” Scott Mackey writes for Adlib Software, a global leader in files analytics and data enrichment solutions. “To realize these benefits, however, organizations must develop the capability to process massive storehouses of unstructured data into a format that big data analytics tools can work with.”
Unstructured data, also known as “dark data,” poses a potential risk on multiple fronts. For starters, it represents a huge missed opportunity in terms of information that could be used to benefit the company’s bottom line.
But the issue goes much deeper than that. In an age when data needs to be encrypted and properly stored, unstructured data is often extremely vulnerable to getting hacked or stolen.
“When data isn’t used, there is a tendency for people to forget its content, purpose or even its existence,” data expert John Spacey explains. “There is a further tendency for such data to go unmanaged and be more vulnerable to security risks, such as unauthorized access that may leak trade secrets and other proprietary knowledge.”
Unstructured data is also resource-intensive and expensive to maintain. It can divert attention from the structured data that the firm needs to stay focused on.
The question is, how do you find value in something that appears so useless? In order to identify the true value in unstructured data, you need a plan of attack. The following tips should help you achieve some positive movement in this endeavor.
1. Get everyone on the same page.
The first step is to ensure everyone is on the same page. Specifically, gatekeepers and decision-makers within the firm must see the importance of tapping into unstructured data so it can be used for practical purposes.
2. Figure out where unstructured data is coming from.
Where is your unstructured data coming from? In other words, what’s the point of ingestion? It might be your website, social media profiles, system log files, healthcare information, financial data, CRM outputs, or a mobile app. If you don’t nail the point of entry, it will be nearly impossible to do anything else with the material.
3. Categorize ASAP.
The best time to apply structure to unstructured data is at the point of ingestion. Once you’ve figured out when and where the information comes from, you may implement systems that will filter and channel the data.
4. Eliminate the waste.
Although a lot of unstructured data can be valuable, there’s likely to be plenty that’s worthless for your organization. Instead of keeping that content around, go ahead and eliminate the waste. This will reduce your overhead and prevent energy from being expended on activities that don’t matter.
5. Combine unstructured and structured data.
Perhaps the best way to use unstructured data is to place it alongside appropriate structured data. When the two play nicely together, they can generate some surprisingly powerful and deep insights that neither would provide in isolation.
“While structured data is often easier to process and analyze, it can only reveal overall trends – not the reason behind those changes,” explains Eric Pendleton, a project training manager at a text analytics firm. “Unstructured data can reveal a deep understanding of the why behind the data; it’s just more difficult to track and may be dismissed by skeptical executives who reason that ‘it’s just what a few people say.’”
By combining the “what” (structured data) with the “how” and “why” (unstructured data), you will gain a much more complete and cohesive picture of reality … particularly as it pertains to customer-facing endeavors.
Use data; don’t let it use you
Collecting data for the sake of amassing information is pointless. If you aren’t careful, you’ll end up responsible for massive repositories of information, with nothing to show for it.
But if you develop a strategy for handling unstructured data, you may flip the script and make the most of the information-centric environment your business finds itself having to inhabit.
Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with a significant refresh to the COBIT framework. Today, the first two books of COBIT 2019 have been released, with additional publications to follow later this year.
I could go on for hours about the elements of COBIT 2019 that I believe will be well-received by our passionate global community of COBIT users (and considering I am one of those passionate COBIT users, if I catch you in person at an ISACA event, I might just do so). For the purposes of this blog post, I will put forward a list of five aspects of COBIT 2019 that I consider especially appealing.
1. Sharper clarity. Past iterations of COBIT, most recently COBIT 5, helped practitioners across the world solve countless business challenges and help their enterprises better manage and govern enterprise IT. There was a lot to like, but that doesn’t mean they were perfect. In COBIT 2019, we have identified areas for improvement to ensure that COBIT users are able to extract even more value from the framework while making the content more accessible and straightforward.
For example, I often was asked to describe the COBIT 5 enablers, and it was difficult for me to succinctly explain, so I started calling them ingredients. We now have transitioned to referring to them as components of a governance system, a much clearer characterization. Throughout the COBIT 2019 publications, the terminology is less academic and more applicable, allowing users to streamline the adoption timeline.
2. New focus areas. I’m enthused about the new focus areas that are set up to organize certain hot governance topics, such as small/medium sized businesses, cybersecurity, digital transformation, cloud computing, privacy and DevOps.
While the COBIT framework has thrived for 20-plus years because it addresses core business principles that are every bit as true now as they were in the 1990s, it nonetheless was important to provide updated guidance pertinent to key drivers of the current technology landscape, and COBIT 2019 takes a big step forward in that regard.
3. New design factors. COBIT 2019 highlights new factors that can influence the design of an enterprise’s governance system and position organizations for success in the use of information and technology. These include:
- Enterprise strategy
- Enterprise goals
- Risk profile
- Enterprise size
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model for IT
- IT implementation methods
- Technology adoption strategy
These design factors take into account enterprise strategy and allow users to better customize COBIT to a specific organizational structure.
4. Updated goals cascade. The new goals cascade supports the prioritization of governance and management objectives based on enterprise goals. Starting with stakeholder drivers and needs, this model seeks to avoid the frequent misunderstanding that these goals indicate purely internal objectives of the IT department within an enterprise. The alignment goals have also been consolidated, reduced, updated and clarified where necessary. These goals are organized using the Balanced Scorecard view and include example metrics to measure the achievement of each goal.
5. Integration between the CMMI maturity model and our current capability model. Performance management is an essential part of a governance and management system. It expresses how well the system and all components of an enterprise work, and how they can be improved up to the required level. As such, it includes concepts and methods such as capability and maturity levels. COBIT 2019 performance management leverages both the current capability model and the CMMI maturity model using the following principles:
- Simple to understand and use
- Consistent with and supports the COBIT conceptual model
- Provides reliable, repeatable and relevant results
- Supports different types of assessments
Editor’s note: For more information on COBIT 2019, its publications and guidance, and new training opportunities, visit www.isaca.org/cobit.