ISACA Journal
Volume 3, 2,017 


IS Audit Basics: Data Management Body of Knowledge—A Summary for Auditors 

Ed Gelbstein, Ph.D. 

This column is the final IS Audit Basics contribution from Ed Gelbstein, Ph.D., to the ISACA Journal. He was the IS Audit Basics columnist from volume 1, 2015, to volume 3, 2017. Prior to his death in July 2015, Gelbstein wrote and contributed enough columns to the ISACA Journal to fill this column until now because of his desire to share his professional knowledge and his prolific writing. ISACA is deeply grateful to Ed Gelbstein and his wife Cora for his continued, valuable contributions of knowledge and expertise to ISACA Journal readers both before and after his death.

A previous column reviewed the domains of data and information audits.1 This column continues the exploration of this topic by focusing on the Data Management Body of Knowledge2 (DMBOK) and what it does not cover. The DMBOK should be regarded as a complement to the guidance offered in ISACA’s COBIT 5: Enabling Information.3

Without data, applications and information technologies are of no use. Data are often referred to as a “key corporate asset” and yet, being intangible, they are not always managed as if they have value. Besides, the issues around data governance and management are complex and not always understood by the IT department or data owners (or, in other terminology, stewards or custodians).

Purists and taxonomists are likely to take issue with the following statements:

  • There cannot be knowledge without information.
  • There cannot be information without data.
  • Data represent “things” that can be observed, measured, shared and recorded.

While proof is unattainable, it can be assumed that human prehistory was rich in knowledge and information. The earliest human societies did, after all, survive, develop and spread around the earth by land and sea. This cannot be explained by just chance.

The oldest records known are cave paintings, e.g., Lascaux and Chauvet4 in France, the latter estimated to be 36,000 years old, containing stunning drawings done for an unknown reason. These paintings gradually evolved into means to represent language in graphical forms,5 the earliest of which (Sumerian and Egyptian) are around 5,000 years old.

Mass literacy (reading and writing) continues to expand around the world, but has not yet reached 100 percent. Despite this growth, many people remain functionally illiterate, unable to make sense of, say, income tax forms and insurance policies, let alone complex texts on any subject.

When it comes to data, with billions of people having access to the Internet and social networks, everyone is a potential content creator. Many provide quality information while others feel free to express opinions, gossip, and mis- and disinformation. Poor-quality data should be treated as the garbage of the information society, and the real issue is the ability to separate the quality items from the garbage.

Literacy in data quality and data validation has a long way to go. This is equally true in the corporate environment as enterprises deal with their own collections of data, let alone big data, business intelligence and other services requiring data from multiple sources.

To make matters more difficult, the responsibility for data is not always shared between business owners and IS/IT. Data quality and life cycle management from acquisition to disposal are business issues (as are data classification, role-based access rules, etc.) while IT looks after implementing identity management, physical and logical security, backups, disaster recovery, etc. Dialog between these parties often leaves a lot to be desired.

Auditors are in an ideal position to determine the effectiveness of these shared responsibilities and identify areas where business risk could be mitigated further.

The COBIT 5 family of products includes a special publication6 covering some of these topics, and the DMBOK is a comprehensive framework discussing data governance issues in several well-structured sections (knowledge areas) covering several hundred pages.


First published in 2009, the DMBOK presented a coherent and comprehensive guide to best practices in data governance. It was updated in 2012 to reflect the explosive growth of data, security issues and new services such as the cloud, and to add several topics that were not included in the first edition.

It would be nice if the 430 pages of the 2012 publication could be summarized into something easy to absorb. The illustrations in this column attempt to do just that in the form of a single-page mind map,7 shown in figure 1. Is it complete? Certainly not, but it shows the 10 knowledge areas covered and the main elements discussed in them.

View Large Image.

Presented this way, it contains more details than the pie chart in the DMBOK text (a circle divided into 10 segments with just a title). It is also easier to see the whole at once than by reading the table of contents.

A useful feature of both versions of the DMBOK is that every chapter, i.e., every knowledge area, begins with a summary diagram using the template shown in figure 2.

This provides an at-a-glance summary of each knowledge area that facilitates the study of the full DMBOK. Interestingly, the DMBOK does not need to be read sequentially, as each knowledge area is self-contained and invites a “just in time,” rather than a “just in case,” approach to study.

New in the 2012 version of DMBOK is the data management maturity assessment, based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)’s ISO/IEC 15504, Information technology—Process assessment. The publication COBIT Process Assessment Model (PAM): Using COBIT 5 is equally applicable.

What Is Not in DMBOK

Two relevant topics are not covered in the DMBOK: assigning value to data and auditing data management.

Assigning Value to Data
At the lowest level, qualitative data values consist of words while quantitative data values consist of numbers, ideally financial numbers, as these can be used to support return on investment (ROI) assessments for database technologies, data warehouses, business intelligence applications, data security initiatives, etc. The interested reader could consider Douglas Hubbard’s book on how to measure anything.8

While classifying data into categories such as public, restricted and confidential is well established, this does not assign business value, e.g., of intellectual property.

A data-valuation framework9 groups data in a way that identifies their business importance and, therefore, the degree to which they need to be protected and recovered:

  • Mission-critical—Frequently used, must have very high availability. If corrupted or disclosed, high and immediate impact (financial, operational, reputational, possibly legal) may follow.
  • Business-critical—Frequently used, high availability, significant long-term impact if disclosed
  • Essential—Periodically used, available in a defined time frame, possible long-term impact if disclosed
  • Consequential—Occasionally used, available over a long time frame, unlikely financial or operational impact if disclosed, but possible compliance issues
  • Noncritical—Rarely used, availability uncritical, minimal or no business impact if disclosed
  • Inconsequential—Used only on request, availability uncritical, minimal or no business impact if disclosed
  • Disposable—Not used, no impact (and yet, kept in huge amounts, as dark data)

There is an interesting quote on dark data from the Gartner Blog Network: “‘Dark data’ is the cute name given to all that data an organization gathers that is not part of their day-to-day operations. It is old stuff, stuff that turned up in the mail that you kept, ‘just in case.’ It is data that you didn’t erase, because ‘it might come in handy some time’.”10 And, as the blogger said, dark data are a storage vendor’s dream.

Auditing Data Governance
For the purpose of auditing data governance, one could consider the Data Audit Framework11 (DAF) developed by the Humanities Advanced Technology and Information Institute (HATII) at the University of Glasgow (Scotland, UK) and its associated DAF methodology, both available as free downloads.12

In addition, auditors can rely on the DMBOK and COBIT 5: Enabling Information13 to formulate an audit plan that examines:

  • Which of the 10 knowledge areas have been implemented
  • The extent to which the individual sub-areas have been implemented
  • The extent to which the roles and accountabilities of the various parties shown in figure 2 are defined and implemented
  • The assessed maturity of the various knowledge area processes


If data really are a corporate resource, it would make sense to manage them as such. How can management continue to justify a situation where dark data outnumbers mission- and business-critical data, where data governance is weak, and big data continues to dominate the media? By contrast, old office furniture stored in a basement is bar coded and inventoried and shown as assets in the accounts.


1 Gelbstein, E., “The Domains of Data and Information Audits,” ISACA Journal, vol. 6, 2016,
2 The Data Management Association, DAMA-Data Management Body of Knowledge Framework, 6 March 2014,
3 ISACA, COBIT 5: Enabling Information, USA, 2013,
4 La Grotte Chauvet-Pont d’Arc, Ardeche,
5 Robinson, A.; The Story of Writing: Alphabets, Hieroglyphs & Pictograms, Thames & Hudson, UK, 2007
6 Op cit, ISACA
7 Buzan, T.; B. Buzan; The Mind Map Book: How to Use Radiant Thinking to Maximize Your Brain’s Untapped Potential, Plume, USA, 1996
8 Hubbard, D. W.; How to Measure Anything: Finding the Value of “Intangibles” in Business, Tantor Audio, USA, 2014
9 Croy, M.; “The Business Value of Data,” Disaster Recovery Journal, 22 November 2007,
10 White, A.; “Dark Data Is Like That Furniture You Have in That Dark Cupboard,” Gartner Blog Network, 11 July 2012,
11 Jones, S.; A. Ball; C. Ekmekcioglu; “The Data Audit Framework: A First Step in the Data Management Challenge,” International Journal of Data Curation, vol. 3, no. 2, 2008
12 Jones, S.; S. Ross; R. Ruusalepp; “Data Audit Framework Methodology,” Humanities Advanced Technology and Information Institute, University of Glasgow, Scotland, United Kingdom, 2009,
13 Op cit, ISACA

Ed Gelbstein, Ph.D., 1940–2015
Worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late ‘60s and early ‘70s, and managed projects of increasing size and complexity until the early 1990s. In the ‘90s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi)retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Thanks to his generous spirit and prolific writing, his column will continue to be published in the ISACA Journal posthumously.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.