ISACA Journal
Volume 3, 2015


How to Evaluate Knowledge and Knowledge Management in the Organization Using COBIT 5 

Bostjan Delak, Ph.D., CISA, CIS 

Knowledge is recognized as the most important strategic asset of any and every organization. It is very important to identify, capture/acquire, share, reuse and unlearn knowledge. These activities are managed through knowledge management. It is a rather challenging task to evaluate the level of knowledge and knowledge management in an organization. This article seeks to evaluate how the use of COBIT 5 can enhance the due diligence for knowledge management and knowledge evaluation within the enterprise. Due diligence was conducted on two Slovenian companies using the COBIT 5 framework for knowledge and knowledge management evaluation. The results of the study, presented here, clearly indicate that COBIT 5 can be effectively used as an approach to assess an organization’s knowledge management within due diligence.

The next step beyond data and information is knowledge.1 Knowledge is considered to be an important resource to maintain the competitiveness of an organization. “In an economy where the only certainty is uncertainty, the one sure source of lasting competitive advantage is knowledge.”2 For every organization, it is important to know how to identify knowledge and how to share it. One challenge is determining how to identify the level of knowledge and evaluate the level of knowledge management. COBIT 5 has stepped forward to help solve this issue, with its inclusion of process BAI08 Manage knowledge. Together with process APO07 Manage human resources, these processes provide a sufficient basis for knowledge and knowledge management evaluation.

Is it feasible to measure knowledge, knowledge sharing and knowledge management within the organization using the COBIT 5 framework?

What is Knowledge?

“Knowledge is the currency of the current economy, a vital organizational asset and a key to creating a sustainable competitive advantage,”3 according to Mohamed Ragab and Amr Arisha. Knowledge is epistemologically classified in two dimensions—tacit and explicit—and, from an organization’s perspective, has two distinct goals: generate knowledge and apply knowledge. Author Michael Polanyi defines tacit knowledge as personal, context-specific and, thus, not easily visible and expressible, nor easy to formalize and communicate to others.4 Professor Levy vividly described tacit knowledge as “What someone has between the ears.”5 On the other hand, Polanyi refers to explicit knowledge as being transmittable in some systematic language such as words, numbers, diagrams or models.

Sharing knowledge can help an organization achieve better organizational performance through the implementation of new ideas, processes, products and/or services. The need to measure knowledge resources within the organization has, therefore, emerged as a key area of interest for researchers and practitioners within the knowledge management domain.

Managing Knowledge

One of the simplest definitions of knowledge management is the “conscious strategy of getting the right knowledge to the right people at the right time and helping people share and put information into action in ways that strive to improve organizational performance.”6 Today, information and communications technology (ICT) plays an important role in major competitive organizations, and several papers refer to the role of ICT in knowledge management. Some argue that the measurement of knowledge is one of the most difficult knowledge management activities.7 There are different frameworks and methodologies to measure knowledge and knowledge management.

COBIT 5 and Knowledge Management

When it was issued in 2012, one of many improvements in COBIT 5 was BAI08. The process’s description is “Maintain the availability of relevant, current, validated and reliable knowledge to support all process activities and to facilitate decision making. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.”8 The pre-existing process APO07 also deals with knowledge and knowledge sharing and says, “Provide a structured approach to ensure optimal structuring, placement, decision rights and skills of human resources. This includes communicating the defined roles and responsibilities, learning and growth plans, and performance expectations, supported by competent and motivated people.”9

Case Studies

The two COBIT 5 processes mentioned, APO07 and BAI08, serve as a basis for this study’s qualitative analysis. The purpose of the case studies was to validate the approach by conducting closed interviews (a questionnaire with predefined possible answers) with top management in the case study companies. The questionnaire was built using the COBIT 5 description of these two processes and their practices from the COBIT 5 product family documentation: COBIT 5: Enabling Processes, COBIT 5: for Assurance and COBIT Process Assessment Model (PAM): Using COBIT 5. The COBIT 5 knowledge management questionnaire contained 97 questions and was divided into three parts: enabling processes (with 36 questions in 11 question subgroups), assessment (with 15 questions in eight question subgroups) and process assessment (with 28 questions).10

For these case studies, two companies from Slovenia were selected. The first (company A) is a software/solution development company with an international focus. The second (company B) is a consultancy and service company that works mainly with the Slovene market. The study was conducted in the first quarter of 2014. The evaluation method was based on the mathematical analysis of responses from interviewees. For each answer, the transition to numeric values was made for the first and second part of the questionnaire based on: “yes” equals 2, “partially” equals 1 and “no” equals 0. Each management practice question consisted of several subquestions (marks for subquestions were added and divided by the number of subquestions).

Figure 1 presents the calculated results for enabling processes for both companies (part 1 of the questionnaire). The research shows that company A has partially implemented both processes (total score is 1.34), where the calculated result of the survey performers based on their assessment of the survey value scale for process APO07 is 1.55 and the score for process BAI08 is 1.10. For company B, the research also indicates some implementation of the knowledge management process (total score is 0.71), which, correlated with the organization’s calculated result from the survey, was almost half that of company A.

Figure 2 presents the calculated results for part 2 of the questionnaire, assurance, for both companies. The set of assurance questions is different from the questions used in the first part, enabling processes, but the survey audience is the same. The research showed that company A has partially implemented both processes (total score is 0.97), which correlated with the average of the calculated result from the survey for process APO07 (0.69) and for process BAI08 (1.25). For company B, the research showed a lower score (0.47), which was in line with the organization’s calculated result from the survey for process BAI08 (0.50) and process APO07 (0.44).

The third part of the questionnaire covered the process assessment model (PAM) questions, which have a wider range of values, as the questionnaire allows for four possible answers. In this case, the numeric transformation was based on: fully achieved equals 3, largely achieved equals 2, partially achieved equals 1 and not achieved equals 0.

The work products in figure 3 present summary headings, and for each heading, there were several statements/questions in the actual questionnaire. Figure 3 presents the numeric results for both companies. The differences between company A and company B are even bigger than within the data presented in figures 1 and 2.

To validate the approach, management of both companies also completed a self-assessment questionnaire provided by ISACA. Results from company A show that the company is at the third process capability level—managed—out of six possible capability levels for both reviewed processes, which correlated with the result from COBIT 5 PA 2.1 Performance management.11 Results from company B show that the company is at the second process capability level—performed—which is in line with their result from COBIT 5 PA 1.1 Process performance.


A study of research papers on knowledge management outlined several issues that had not been fully answered and left open the question as to how knowledge management could be easily measured during process analysis. While the case studies were realized within only one country (Slovenia) and with a limited number of organizations, the research completed indicates that the COBIT 5 framework is suitable for use in rapid assessment of knowledge management within companies that are ICT-oriented and have major processes supported by ICT. COBIT 5 does not integrate widely used human capital methods such as human capital readiness, human capital index and human capital monitor, which were presented in the critical review of knowledge and knowledge management.12 Some authors suggest a chief knowledge officer (CKO) be appointed to lead an organization’s knowledge effort; however, COBIT 5 does not address this item. Currently, the chief information officer (CIO) is accountable for all management practices within APO07. BAI08 is more complicated, and the accountability for this management practice is divided into different positions, including business executives, CIOs and business process owners.

Some researchers13, 14 state the importance of documenting measurable results/scores, and with the COBIT assessment program, ISACA provides a way to measure COBIT 5 processes’ capabilities in a robust, reliable and repeatable way.


“The most important contribution management needs to make in the 21st century is to increase the productivity of knowledge work and knowledge workers.”15 COBIT 5 supports this statement and once again confirms one of its IT-related goals: knowledge, expertise and initiatives for business innovation.16

The answer to the question of whether it is feasible to measure knowledge, knowledge sharing and knowledge management within the organization using COBIT 5 is that the framework is an effective tool for assessing levels of knowledge sharing and knowledge management, as presented in figures 1, 2 and 3. While COBIT 5 has some limitations when evaluating the level of knowledge and the value of intellectual capital within the organization, this research clearly shows that an experienced COBIT 5 specialist can very quickly evaluate the level of knowledge management in an organization during due diligence, IS analysis or even IS audit.


1 Gray, P.; “Knowledge Management,” Proceedings of the Americas Conference on Information Systems, paper 292, 1999
2 Nonaka, Ikujiro; “The Knowledge-Creating Company,” Harvard Business Review, July 2007,
3 Ragab, M. A. F.; A. Arisha; “Knowledge Management and Measurement: A Critical Review,” Journal of Knowledge Management, vol. 17, no. 6, 2013, p. 873-901
4 Polanyi, M.; The Tacit Dimension, Routledge and Kegan Paul, England, 1966
5 Levy, L.; “Data Analytics for Knowledge Discovery, Improving, and Sustaining Quality,” keynote presentation, KM Conference 2013, Novi Sad, Serbia, 2013
6 O’Dell, C.; C. J. Grayson; If Only We Knew What We Know: The Transfer of Internal Knowledge and Best Practice, Free Press, USA, 1998
7 Chen, A. N. K.; T. M. Edington; “Assessing Value in Organizational Knowledge Creation: Considerations for Knowledge Workers,” MIS Quarterly, vol. 29, no. 2, June 2005, p. 279-309
8 ISACA, COBIT 5: Enabling Processes, 2012,
9 Ibid.
10 The full questionnaire can be obtained by a direct request to the author at
11 ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5, 2013,
12 Op cit, Ragab and Arisha
13 Arisha, A.; M. Ragab; “The MinK Framework: Developing Metrics for the Measurement of Individual Knowledge,” Proceedings of KIM2013 Knowledge & Information Management Conference, UK, 2013
14 Skyrme, D.; Measuring Knowledge and Intellectual Capital, Business Intelligence, 2003
15 Drucker, P.; “Knowledge-Worker Productivity: The Biggest Challenge,” California Management Review, vol. 41, no. 2, 1999, p. 79-94
16 Op cit, ISACA 2012, p. 15

Bostjan Delak, Ph.D., CISA, CIS, is an assistant professor on several faculties in Slovenia and senior consultant for IS advisory and IS audit at ITAD, Technology Park Ljubljana, Slovenia. His research interests include IS analysis, IS due diligences and knowledge management. His main occupation is IS auditing.



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.