While facilitating COBIT 5 courses, I have discovered that many students believe that one should take the framework, commence on page one and work through to the last page. I once had a student tell me she wanted to learn how to implement all the processes according to COBIT and was very disappointed when she learned she would not be doing that. But since most people feel comfortable with processes, I tell them to start there. Using COBIT 5 Implementation and going from phase 1 through phase 7 is laudable and would improve the performance of every enabler and, consequently, organizational maturity. However, there are multiple ways to use COBIT 5 and its supporting documents. ISACA has provided a rich tool set, and COBIT users can and should choose to use it as appropriate for their environment. All that said, COBIT 5 can be used to:
There are multiple ways to use COBIT 5 and its supporting documents.
- Focus on enterprise goals. Forego the process outlined in COBIT 5 Implementation and instead use the cascading mechanism, starting with figure 5 in the COBIT 5 framework, to focus with laser-like precision on those processes that support the most significant enterprise goals. Doing so offers strategic alignment, resource optimization and ultimately delivers value, which, in due course, satisfies stakeholders.
- Meet regulatory requirements. Perhaps an organization thinks its overall governance framework is decent, but wishes to ensure legal compliance. Use figure 45 in appendix A of COBIT 5 Implementation to learn how to focus attention on processes EDM03 and MEA03. Additionally, use figure 46 in appendix B to determine who is accountable and who is responsible.
- Focus on pain points. An organization has a big fat problem that will not go away. Again, stakeholders could use figure 45 to focus on processes for the pain points referenced there.
- Ensure process orientation. Slogging away on processes helps an organization become more capable, more proactive and less reactive. Forget the framework and COBIT 5 Implementation and just start doing the things in COBIT 5: Enabling Processes. When the organization has control over processes, it is able to maintain better control during periods of rapid change and organizational crisis. The organization becomes more resilient and less fragile.
- Define a common language. Often the absence of a common vocabulary leads to a breakdown in communication that can result in mistrust. A client once asked me to find a configuration manager, so I searched high and low and found a suitable candidate. The client rejected the candidate out-of-hand and, upon reconsidering their requirements, we agreed they really wanted a release-and-deploy manager. The client and I lost time and resources because we assumed we had a common understanding of configuration manager. So should an organization do nothing else, it should promote and utilize the COBIT 5 framework nontechnical business terminology in appendix H within the organization.
When all is said and done, I do not want someone telling me they have a “COBIT-compliant” shop, but rather that they have used the framework and supporting documents to improve their enablers, especially processes that are the focus of these tips. Remember, progress, not perfection, is the goal—a little better tomorrow than the enterprise is today. Stakeholders need not kick off a large program to begin; they just need to adopt and adapt the various tools in their organization.
Peter T. Davis, CISA, CISM, CGEIT, COBIT FC/IC/AC, CISSP, CMA, CMC, CPA, ITIL FC, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 20000 FC, ISO 9001 FC, ISO 28000 FC, ISTQB CTFL, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB
Is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 Foundation, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.