The Introduction to COBIT Video Series is a collection of short videos that explain, in a straightforward, simple manner, the many features, tools and benefits of the COBIT 5 framework. The series can be viewed from start to finish or by module, based on individual needs and interests.
The series begins with an introduction to governance of enterprise IT (GEIT). That introduction is followed by 7 modules in the series, as listed in figure 1.
Figure 1—COBIT Video Series Modules
||Key Features of COBIT 5|
||COBIT 4.1 to COBIT 5 Differences|
||The COBIT 5 Principles|
||COBIT 5 Implementation|
||COBIT 5 Assessment Program|
||Summary and Conclusions|
||COBIT 5 Publication Overview|
Source: M. Thomas and P. Tessin. Reprinted with permission.
The first module, Key Features of COBIT, covers the evolution of COBIT through its 20-year history. It starts with the initial publication of COBIT in 1996 and describes its evolution to COBIT 5 in 2012. The module also covers drivers and scope, the format of COBIT 5 and an explanation of the COBIT 5 product family.
The second module, COBIT 4.1 to COBIT 5 Differences, describes the changes that were made to COBIT 4.1 to produce COBIT 5. It is important to understand that the content of the COBIT 4.1 control objectives is in COBIT 5, but under another name: process practices. The Processes enabler in COBIT 5 is made up of governance and management processes and their related practices and activities. For each process there is a responsible, accountable, consulted and informed (RACI) chart, goals and metrics, and related guidance. For each practice, there are also inputs, outputs and practice activities.
COBIT 5 was built on a set of guiding principles that were derived from research into what practitioners valued from COBIT 4.1 (and earlier editions) and areas practitioners felt were underserved. The results are covered in the third module, The COBIT 5 Principles, as follows:
- Meeting Stakeholder Needs is presented with a focus on value. Per COBIT 5, delivering stakeholder value is dependent on 3 factors: Stakeholders must receive the benefits they expect, not be exposed to more risk than they are comfortable with, and have their resources used efficiently and effectively. COBIT 5 takes the practitioner through the process of identifying stakeholder requirements to specifying enterprise goals. Each enterprise goal must be supported by an IT-related goal. In turn, each IT-related goal must have specific enablers assigned to it. This entire process is referred to in COBIT 5 as the “goals cascade,” which connects the requirements of all stakeholders, internal and external, to enterprise resources (enablers).
- Covering the Enterprise End-to-End describes the comprehensive nature of the framework. COBIT 5 is meant to be flexible enough to fit within a larger enterprise governance system while taking into consideration enablers that exist across the enterprise.
- Applying a Single, Integrated Framework establishes that a proper framework provides an overarching function that facilitates the use of multiple frameworks and standards, thus permitting a comprehensive governance structure that provides a common language and understanding across the enterprise. This principle also led to the incorporation into COBIT 5 of the concepts of the governance publications The Risk IT Framework, The Val IT Framework 2.0 and The Business Model for Information Security (BMIS), previously made available from ISACA, in addition to COBIT 4.1. Integrating these works makes it clearer that an enterprisewide governance structure needs to cover risk, value delivery and information security.
- Enabling a Holistic Approach describes enablers and their dimensions. Enablers are the resources that permit an enterprise to put into action the strategic goals it has established. Through the deployment and use of enablers, an enterprise accomplishes its goals and delivers value to its stakeholders. The COBIT 5 framework details the road map that connects stakeholder requirements to those enablers. Using the goals cascade to determine which enablers are needed and how to employ them allows an enterprise to realize greater efficiency and effectiveness from its resources.
- Separating Governance From Management is meant to align COBIT 5 with ISO/IEC 38500 Information technology—Governance of IT for the organization, which states, in part, that governance and management are not one and the same. They must be treated as separate functions and used in different manners to ensure the delivery of value to stakeholders. This principle is an important difference from prior versions of COBIT, and the module explains that in a clear, concise manner.
The fourth module, COBIT 5 Implementation, presents the 7-phase approach COBIT uses to assist users in determining why the framework is being implemented and how to do it. After the governance structure is implemented, COBIT is used in daily operations to accomplish enterprise goals and value delivery. ISACA’s guidance publication, COBIT 5 Implementation, provides detail on the 7 phases and shows how to measure performance of the governance structure to determine what, and whether, further improvement opportunities exist.
The fifth module, COBIT 5 Assessment Program, provides an outline of how process capability can be assessed. The approach outlined is consistent with ISO/IEC 15504-2:2003 Information technology—Process assessment—Part 2: Performing an assessment. In completing a process assessment, the assessor collects evidentiary material consistent with the process purpose and determines to what extent the process fulfills its intended purpose. The process assessment model (PAM) is presented, along with guidance on how assessors perform process assessments as opposed to enterprise staff performing self-assessments.
The sixth module, Summary and Conclusions, recaps the framework elements and provides reinforcement of lessons presented.
The seventh module, COBIT 5 Publication Overview, provides a description of all publications in the COBIT 5 product family. It includes COBIT 5: Enabling Processes, COBIT 5: Enabling Information, COBIT 5 for Risk, COBIT 5 for Assurance and COBIT 5 for Information Security.
The COBIT 5 product family delivers a comprehensive collection of guidance—building from the basic framework to include the implementation guide, professional guides, enabler guides, the assessment program and other publications—to help an enterprise establish an effective system of governance and management over one of its most valuable investments: its information technology. Perhaps because of the vast amount of COBIT 5 material available, it is not always an easy task to assimilate the needed information or understand exactly what resources are available and how the guidance is interconnected. This video series will prove a useful tool in becoming familiar with COBIT 5 and its many elements as well as providing an overview on how implementation of COBIT can benefit an enterprise.
Mark Thomas, CRISC, CGEIT, and Peter Tessin, CISA, CRISC, CGEIT
Is an internationally known IT governance expert and the president of Escoute Consulting. His background spans more than 20 years of professional experience including leadership roles from chief information officer to management and IT consulting. Thomas has led large teams in outsourced IT arrangements, managed enterprise applications implementations, and implemented governance and risk processes across multiple industries. Additionally, he is a consultative trainer and speaker in several disciplines including COBIT, ITIL and IT governance.
Peter Tessin, CISA, CRISC, CGEIT
Is a technical research manager at ISACA where he has been project manager for COBIT 5 and has led the development of other COBIT 5-related publications, white papers and articles. He also played a central role in the design of the COBIT online web site. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native US including Canada, Mexico, Germany, Italy, France, UK and Australia.