Importance of CMMI-DEV in COBIT-based IT Governance

By Kiran Chaudhari, CISA, COBIT Assessor, CMMI, ISO 27001, ISO 90001

COBIT Focus | 4 January 2016

The Capability Maturity Model Integration (CMMI) is a world-class performance improvement framework for competitive organizations that want to achieve high-performance operations. Today, CMMI has become the de facto standard for information and communications technology (ICT) companies to improve operational efficiencies.

CMMI for Development (CMMI-DEV) consists of best practices that address development activities applied to products and services. It addresses practices that cover the product’s life cycle from conception through delivery and maintenance. Organizations from many industries, including aerospace, banking, computer hardware, software, defense, automobile manufacturing and telecommunications, use CMMI-DEV.

The CMMI framework is frequently used in ICT companies for process improvement initiatives. However, it is not often used in IT-enabled services companies, especially financial organizations.

With increasing dependence on IT, many financial organizations are facing challenges in translating business vision and alignment strategies into multi-year IT investments and operating plans, as well as challenges with the impact of IT on the enterprise’s performance measurement.

COBIT provides an end-to-end business view of the governance and management of enterprise IT (GEIT) and reflects the central roles of information and technology in creating value for enterprises.

COBIT helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 was developed as an integrated framework that provides a simple and easy way to integrate with other frameworks and standards, such as CMMI, Information Technology Infrastructure Library (ITIL), The Open Group Architecture Framework (TOGAF), International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 and many more and, thus, serves as the overarching framework for GEIT.

Figure 1—COBIT 5 Coverage of Other Standards and Frameworks

Source: ISACA, COBIT 5, USA 2012

The CMMI-DEV framework covers certain COBIT processes from the Align, Plan and Organize (APO) and Build, Acquire and Implement (BAI) domains. COBIT 5: Enabling Processes, part of the COBIT 5 family of products, specifies appropriate references to TOGAF, ITIL, ISO/IEC 20000 and ISO/IEC 27001. Although CMMI is identified as one of the aligned frameworks, few references to its process areas are specified, and a mapping of CMMI process areas to COBIT is not defined in any COBIT document.

The following figures map the COBIT processes of the APO, BAI and Measure, Evaluate and Assess (MEA) domains to various CMMI process areas. Figure 2 maps CMMI process areas (up to maturity level 3) to COBIT processes in the APO, BAI and MEA domains.

Figure 2—Mapping COBIT 5 Processes to CMMI Process Areas

Source: K. Chaudhari. Reprinted with permission.

To elicit more details, figure 3 maps COBIT APO10 Manage Suppliers practices to CMMI Supplier Agreement Management (SAM)-specific practices.

Figure 3—APO10 Mapped to CMMI SAM Practices

Source: K. Chaudhari. Reprinted with permission.

By comparing and applying the CMMI framework practices, an organization would likely conclude that the CMMI practices satisfy the intent of most of the COBIT practices.


Organizations that are adopting the COBIT framework would implement most of the APO and BAI enabling processes by implementing CMMI best practices.

Many organizations have implemented or adopted either ITIL, ISO or the CMMI framework based on their business strategies, pain points or customer demands. Most of these companies are now looking forward to COBIT adoption.

Companies that have adopted the CMMI framework would find it easy to map most of the APO, BAI and MEA practices because CMMI practices map closely to most of the COBIT management practices in the domains listed.

CMMI process areas have built-in generic practices, which help organizations implement and institutionalize practices across the organization. This unique feature of CMMI also helps organizations implement and institutionalize COBIT practices across the organization easily to achieve specific capability levels.

Kiran Chaudhari is the CMMI Institute lead appraiser for CMMI-DEV and CMMI-SVC. He has more than 24 years of experience spanning software and implementing quality systems. He also specializes in framework- and nonframework-based business-driven process improvement, application of the CMMI-SVC framework to various IT and non-IT businesses, multi-model appraisals, audits, training on the systems development life cycle, Agile methods of working, and statistical analysis.