Are You a COBIT 5 Expert, Champion or Consultant? Be Aware!

By Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA

COBIT Focus | 13 July 2015

The COBIT 5 Implementation guide [1] is one of the most valuable jewels in the COBIT 5 crown. Any practitioner who has used any of the COBIT 5 practices and guidance might have come across the implementation guidance at some point in time.

Often, practitioners and consultants who are new to the COBIT 5 family of products consider implementation of the COBIT 5 process reference model as the implementation of COBIT 5. This is called the “COBIT 5 Implementation Myth.”

GEIT Implementation Using COBIT 5

The COBIT 5 product family contains the COBIT 5 framework for governing and managing enterprise IT. However, the COBIT 5 family of products collectively is not just a framework; it is a body of knowledge.

Figure 1—COBIT 5 Product Family

Source: ISACA, COBIT 5, USA, 2012

What does that mean?

Implementing COBIT 5 is nothing but implementing a system for governance of enterprise IT (GEIT). Whether one wants to implement an information security management system (ISMS) against the ISO/IEC 27001:2013 [2] requirements or improve program and project management processes within the technology team, these can be considered GEIT implementations. And, of course, considerable benefits can be realized by adopting and adapting the guidance available in COBIT 5 Implementation.

The ISACA white paper Getting Started With Governance of Enterprise IT (GEIT) [3] describes the use of a framework to implement GEIT, the resources needed to do so and the benefits that can be expected.

Let Us Practice What We Preach

Either as internal consultants/auditors (practitioners) or external consultants/auditors (consultants), we might have used the COBIT 5 Implementation guide to consult or audit. However, do we practice what we preach?

Often, these consulting or audit engagements are to be delivered and completed within tight time frames and with some budget or effort constraints. In many cases, these engagements are run in parallel with other engagements.

Are the challenges faced by business and technology teams not similar to those faced by consultants or auditors? A few missed deadlines, or redundant work caused by poor quality, are not uncommon.

Is the guidance for improving program and project management processes not similar to improving consulting project delivery?

Would we not treat the guidance for improving IT assurance activities in COBIT 5 for Assurance as the GEIT guidance for assurance professionals, and for other interested parties at all levels of the enterprise?

Have you looked at the GEIT implementation challenges described in chapter 4 of the COBIT 5 Implementation guide?

This is an “aha moment,” is it not?

Solution to the Management Commitment Problem

The first GEIT implementation challenge is lack of senior management buy-in, commitment and support.

Let us assume that we as practitioners have decided to adopt and adapt the COBIT 5 Implementation guidance for improving our consulting project delivery or maturing our IT assurance function. This means we should not face the implementation challenge of gaining senior management support, because we are the senior management for our own GEIT implementation.

As COBIT 5 experts, champions and consultants, we are likely to face fewer challenges while working toward our GEIT goals even if we encounter budget and resource constraints.

Still not convinced?

Here are some of the value creation advantages:

  • Improved consulting or assurance engagement outcomes (Benefits realization)
  • Consistent approach and methodology, leading to better client experience (Benefits realization)
  • Minimal or reduced wasted efforts, resulting in fewer annoyed clients and better brand image (Risk optimization)
  • Less dependency on experienced and senior staff for coaching and training (Resource optimization)

The Example Business Case guidance found in appendix D of COBIT 5 Implementation can help us build cost/benefit analysis for our own GEIT implementation.

What Is Next?

Now that we know that senior management is committed, through our own commitment, let us start our journey:

  • Communicate to the team that it will be adopting and adapting COBIT 5 Implementation guidance for consulting project delivery or audit engagement delivery.
  • Follow and implement guidance provided in the COBIT 5 Implementation as applicable.
  • Consider organizing COBIT 5 Implementation training for the team.
  • Share your experiences (case studies) with others.

And, most important, be creative and have fun along the way.

Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA

Is practice lead, strategic advisory at Vital Interacts Australia. He has more than sixteen years' experience in business and technology consulting. He has offered consulting and advisory services to a wide range of commercial, public sector, educational and not-for-profit organisations to solve business and technology problems. Shah currently serves on the ISACA Framework Committee (2012-2015) and as the ISACA Sydney (Australia) Chapter President. He is an accredited trainer for COBIT 5 Foundation and COBIT 5 Implementation training. He is also a certified trainer and certification assessor for management systems certifications including ISO 27001 (information security), ISO 9001 (quality), ISO 20000 (IT service management) and ISO 22301 (business continuity).


[1] ISACA, COBIT 5 Implementation, USA, 2012
[2] International Organization for Standardization, ISO/IEC 27001:2013, Switzerland, 2013
[3] ISACA, Getting Started With Governance of Enterprise IT (GEIT), USA, 2015