COBIT Case Study: Information and Communications Technology Study of Public Health Institutions in Mexico 


Health services are a crucial activity worldwide and reflect the level of awareness and social development of a country. In Mexico, 44 percent of the people perceive the main problem of health services to be poor quality, with the affecting factors being timely care services, quality of diagnosis and treatment.¹ Another crucial issue is the availability of medical records among public health institutions in which information and communication technologies (ICTs) play a key role. According to the Organisation for Economic Co-operation and Development (OECD), Mexico is among the countries with the lowest expenditure on health. However, it has been increasing steadily over the previous decade.²

The ICT Study of Public Health Institutions in Mexico³ was conducted under the sponsorship of Strategic Consulting Information Technology (ConSETI) and Brio Software Mexico (Brio). ConSETI and Brio are using this study to help evolve health services in Mexico. The study includes a gap/risk analysis of the current ICT situation and proposes recommendations that will lead to the improvement and implementation of better ICT objectives in the public health institutions. For this purpose, the sponsors became convinced of the importance of using COBIT 5 and recognized it as the best practice framework for the governance and management of enterprise IT (GEIT). It provides a holistic view and a common language between ICT and business. Thus, for the as-is stage of this study (the understanding and evaluation of the current situation), the goals sought through COBIT were to:

  • Select the main processes
  • Identify the current health services’ capacities, gaps and risk factors related to those gaps
  • Reach implementation and maturity goals

Figure 1


COBIT 5 utilization in the ICT assessment of public health institutions in Mexico was focused on the following areas:

  • Defining the IT substantive processes—According to COBIT 5 and as a first step, ConSETI and Brio selected the business objectives that had higher impact on the citizens. Eight were selected and mapped, as shown in figure 1, resulting in 13 IT-related objectives, highlighted in green in figure 1.

    The second step was to map the selected IT-related objectives against the 37 primary COBIT processes. Figure 2 is an example of the Align, Plan and Organize (APO) process with seven priority processes. The total number of processes selected was 34.

Figure 2

  • Scoring processes capacities—For this assessment, the COBIT 4.1 process maturity model was used rather than the newer COBIT Process Assessment Model (PAM) because the PAM framework was released after the conclusion of the assessment.

    The COBIT 4.1 process maturity model was used for scoring IT-selected processes, taking into account the following attributes: responsibility and accountability; skills and expertise; policies, plans and procedures; awareness and communication; goal setting and measurement; and tools and automation. Every attribute was evaluated according to the level of maturity defined in COBIT, to obtain the final score for every selected process, as shown in figure 3.

Figure 3

  • Gap analysis—To determine gaps, the fourth maturity level of capacity (the process is able to generate the results defined) was defined as the goal to achieve, and it was compared with the capacity level evaluated previously. Process capability level 4 (ensure efficient and effective health services, and make predictable processes) was established as the goal and is the basis for further definition of the strategy and action plan.
  • Associated risk—To identify the risk factors of each selected COBIT process, the gaps identified in the gap analysis were taken as input, and the potential negative impact that these gaps could have if not adequately addressed was evaluated. Relevant and inherent risk scenarios for each process were generated. For this, it was necessary to build on the mapping of COBIT risk scenarios. Figure 4 is an example of the mapping performed.

    It is important to mention that, in the identification of risk scenarios, ConSETI and Brio did not evaluate the frequency of occurrence of identified risk.

Figure 4


Integrating the COBIT 5 framework into the ICT Study of Public Health Institutions in Mexico has resulted in the following positive impacts:

  • The development of a well-defined, standardized analysis methodology to determine gaps and risk factors associated with the main IT processes selected for health services institutions, related and aligned to major problems, such as the availability of health records and medical consultation time improvement
  • Better alignment between IT and business goals and pain points
  • The generation of proposals, projects and IT strategies based on gap and risk analysis, according to the capacity goal defined

At this point, COBIT 5 has been used only in the as-is diagnosis. In the future, the sponsors of this study plan to use the same framework for the to-be state, in order to define a competitive portfolio of products and services, within and while implementing governance of enterprise IT assurance.

Carlos Zamora Sotelo, CISA, CISM, CGEIT
Is the chief executive officer at ConSETI and has more than 15 years of experience in IT audit and in training more than 3,000 people. He can be contacted at [email protected].

Carlos H. García Orozco
Is vice president at Brio and has more than 15 years of experience in IT, software development, and business intelligence assessment and implementation. He can be contacted at [email protected].


