COBIT Mapping: Mapping SEI’s CMM for Software With COBIT 4.0 


COBIT Mapping: Mapping SEI’s CMM for Software With COBIT 4.0   Download (Member Only, 790K)

  Provide feedback on this document
Knowledge Center  Visit the COBIT - Implementation Knowledge Center community
Knowledge Center  Visit the COBIT - Use it Effectively Knowledge Center community

This document contains a detailed mapping of the Software Engineering Institute (SEI) Capability Maturity Model (CMM) for Software with COBIT 4.0. A brief overview of the standards mapped against each other in this document is as follows:

  • COBIT-Originally released as an IT process and control framework linking IT to business requirements, it was initially used mainly by the assurance community in conjunction with business and IT process owners. With the addition of management guidelines in 1998, COBIT is now used more and more as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework.
  • SEI CMM-CMM for Software is a framework for evaluating the capability of the software development process of organisations on a scale of 1 to 5. CMM was developed by the SEI at Carnegie Mellon University in Pittsburgh, Pennsylvania, USA. It has been used extensively for avionics software and government projects since it was created in the mid-1980s. Since 1991, CMMs have been developed for a myriad disciplines. The CMM for software was sunsetted by the SEI and integrated into the CMMI in 2000. The CMM for Software includes a description of the stages through a software organisation’s process progresses as it is defined, implemented, measured, controlled and improved. The model and the large body of publications, including books, articles, papers and conference proceedings, can be used as a guide for selecting process improvement strategies. The model was accompanied by a rigorous certification of lead assessors, trained and certified by the SEI. Assessments examined the organisation’s process capabilities and identified the issues most critical to software quality and process improvement. These issues then drove action plans to improve the organisation’s process capabilities.

The mapping is performed in two layers: high level and detailed mappings of COBIT to the SEI CMM for Software.

A high-level mapping compares the CMM for Software maturity model levels and key process area goals with the high-level control objectives of COBIT. As an example, COBIT DS7 Educate and train users maps to SEI CMM for Software KPA: Training program.

The detailed mapping process is outlined in figure 1.

Figure 1—Detailed Mapping Process

Step Description
1 The terms used in the CMM for Software KPA Common Features, e.g., Commitment to Perform, Activities, Abilities, Measurements, and section 4.4.1 Roles and Responsibilities were mapped to the same terms used in one or more of the COBIT detailed control objectives.

The extent of coverage of the detailed control objective was assessed for:

  1. Exact matches in the detailed control objective text.
  2. Relative matches of intent based on interpretation of the model.
  3. Match of intent allowing for specific gaps in COBIT and CMM for Software.
3 The coverage of the detailed control objectives was rolled up and reconciled with the high-level mapping.

Figure 2
is an example of the results of step 1 mapping references and interpretations for risk management and event identification. The left hand column summarizes the SEI CMM for Software references and the right-hand column summarises the COBIT references.

Figure 2—Example of Mapping References

SEI CMM for Software Maturity Level (ML) KPA Common Feature
Specific References

COBIT Domain,Control Objective (CO)Detailed Control Objective (DCO)
Specific References

ML 2: Defined
KPA: Project Planning (PP)
Common Feature: Activity
Activity 13:
“The software risks associated with the cost, resource, schedule, and technical aspects of the project are identified, assessed, and documented.”

ML 3: Repeatable
Interpretation of the Context:
Maturity Level 3 expands focus of the KPA’s to cross-organization processes.

KPA: Integrated Software Management (ISM)Description: "The basic practices for estimating, planning, and tracking a softwareproject are described in the Software Project Planning and Software Project Tracking and Oversight key process areas. They focus on recognizing problems when they occur and adjusting the plans and/or performance to address the problems. The practices of this key process area build on, and are in addition to, the practices of those two key process areas. The emphasis of Integrated Software Management shifts to anticipating problems and acting to prevent or minimize the effects of these problems."

Activity 10. "… a procedure for identifying, assessing and responding to risks using a documented process and action plan to prevent and eliminate the risks."

Domain: Plan and Organise
CO: PO10 Manage projects
DCO: PO10.9 Project risk management:

"Eliminate or minimize specific risks associated with individual projects through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change."

Domain: Plan and Organise
CO: PO9 Assess and manage IT risks
Interpretation of the Context:
PO9 receives project’s risk plan as input from PO10 which indicates the PO9 is dependent on PO10 and expands the focus beyond the project to the organisation.

DCO: PO9.3 Event identificationIdentify any event (threat and vulnerability) with a potential impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact—positive, negative or both.