ISACA has now released three publications to support the COBIT Assessment Programme services: COBIT Process Assessment Model (PAM): Using COBIT 4.1; COBIT Assessor Guide: Using COBIT 4.1; and COBIT Self-assessment Guide: Using COBIT 4.1.
I am a member of the development team, and we created the new assessment approach to provide a methodology that results in repeatable, reliable and robust assessments of the capability of COBIT processes. The aim is that a similar assessment undertaken by different assessors would have similar results. This is important for the reliance that can be placed over time on COBIT-based assessments. We designed the assessment process around ISO/IEC 15504, the international standard on process assessments.
To ensure reliability, assessments must follow a clear methodology (outlined in the Assessor Guide); be led by a competent assessor with appropriate skills, knowledge and experience; have senior management support; and involve people internal to the organisation who have knowledge of the process. Each assessment requires documented evidence to support the assessment result.
The assessment utilises the measurement scale from ISO/IEC 15504. The assessment rating scale is expressed in terms of process capability and is also based on the measurement scale from ISO/IEC 15504.
The new scale has more fully defined attributes. In particular, the new scale requires that, at capability level 2, a process has to be planned and monitored, and its work products have to be established, controlled and maintained.
In practice, the variation between an assessment using the COBIT 4.1 maturity model and the new scale will depend on the robustness of the original assessment. For example, there is evidence to suggest that self-assessments result in a higher assessment than independent assessments do.
A training and certification program for assessors is planned and will be available in 2012. ISACA plans to produce a COBIT 5 PAM, based on the COBIT 5 Process Reference Model (PRM), and make any appropriate revisions to the supporting guides once COBIT 5 is published. The Assessor Guide will also provide a basis for training of assessors and, in the longer term, certified assessors.
Max Shanahan, CISA, CGEIT, FCPA, MIIA (Aust), SMACS
Max Shanahan & Associates