COBIT 5 was released in 2012 and, after 6 years, in November 2018, the first titles in the updated COBIT 2019 framework began to appear. Implementers observe that, in practice, enterprises often require several years to become familiar with an upgraded framework and adopt new guidance and standards. The point is, there is a gap between the pace at which frameworks are modified and the pace at which enterprises—even entire industries—adopt, implement and gain value from updated frameworks.
What does this mean? Should authorities release updated frameworks less frequently? No. It makes more sense for enterprises and industries to find leaner, quicker, better and more effective approaches to adopting and implementing updated frameworks to keep pace. Otherwise, they will be left behind.
When enterprises are slow to adopt and implement frameworks, they rarely reach the point of demonstrating value of a given version to top management before a newer version of the framework has evolved.
Top management is interested in value, quick wins and return on investment (ROI) from any framework. Among senior executives and board members, the typical dashboard of key metrics displays jumps in sales, profits, compliance benchmarks, turnover among employees, churn among customers, IT spend vs. value delivery, etc. For top management, as long as these metrics are under control, any framework is a good framework.
Now IT must tell top management that COBIT 2019 is here. IT teams must provide the current status and timelines for migrating from COBIT 5 to COBIT 2019 and, more important, IT must estimate the associated resource investment and expected ROI. In this context, it is critically important for enterprises to understand how to transition from COBIT 5 to COBIT 2019 as efficiently and quickly as possible.
Ascertain the Enterprise’s COBIT Implementation Status
When it comes to COBIT implementation, enterprises typically fall into one of several categories:
- The enterprise has never heard about COBIT or other frameworks, let alone considered implementation. Such an enterprise believes that minimal or no process oversight is required to function relatively well without a governance framework.
- The enterprise is still implementing COBIT 4.1. Yes, there are some slow-moving enterprises that exhibit reactive governance cultures and act only when needed or ordered to do so.
- The enterprise is still training COBIT 5 resources and preparing for its implementation.
- The enterprise has already started implementing COBIT 5.
- The enterprise has completed COBIT 5 implementation and is planning to migrate to COBIT 2019.
- The enterprise implements elements of different standards or frameworks, but none entirely or consistently.
For the implementers, it is very important to know where the enterprise stands at this point before rushing to implement COBIT 2019 or, for that matter, transitioning to it.
Understand What Changed From COBIT 5 to COBIT 2019
It is important to understand what is new in COBIT 2019 as compared to COBIT 5 at a high level (figure 1).
Figure 1—Differences Between COBIT 5 and COBIT 2019
|COBIT 5||COBIT 2019|
|Enablers||Now called components|
|Governance processes begin with “Ensure”||Governance objectives begin with “Ensured”|
|Management processes begin with “Manage”||Management objectives begin with “Managed”|
|Evaluate, Direct and Monitor (EDM) has Ensure transparency process||EMD has Ensured stakeholder engagement objective|
|Align, Plan and Organize (APO) has Managed data as a new objective|
|APO has Manage suppliers process||APO has Managed vendors objective|
|Build, Acquire and Implement (BAI) has Program and project management as one process||Managed program and Managed projects are 2 different objectives|
|BAI has Manage change process||BAI has Managed IT changes objective|
|Monitor, Evaluate and Assess (MEA) has Managed assurance objective|
|Process reference model||COBIT core model|
|5 principles||Governance system has 6 principles|
|Governance framework has 3 principles|
|17 enterprise goals||13 enterprise goals|
|17 IT goals||13 IT goals|
11 design factors are introduced
For those new to COBIT 2019 and the design factors, studying each of the design factors in detail before using the Excel tool is strongly advised.
|Process Assessment Model (PAM) was a separate guide, COBIT Process Assessment Model (PAM): Using COBIT 5||PAM can still be used to measure process capability.|
|Capability assessment based on International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 15504 Information technology‑‑Process Assessment||Capability assessment based on CMMI V2.0|
|Base practices are equivalent to process practices for each governance and management objective|
|Work products are equivalent to information flows|
|Performance management for all 7 components (formerly enablers)|
How to Transition an Enterprise to COBIT 2019?
COBIT 2019 implementation follows the same life cycle implementation phases found in the COBIT 5: Implementation guide. And, for transitioning to COBT 2019, the life cycle phase must be adopted and adapted. Figure 2 shows a summary per phase that gives a brief outline of the transition.
For enterprises that are still implementing COBIT 4.1 and want to switch to COBIT 2019, the following points must be kept in mind:
- COBIT 4.1 had Risk IT and Val IT as separate frameworks and, in COBIT 5, these are integrated and an authoritative governance and management framework is created.
- COBIT 2019 is based in part upon COBIT 5 and builds on the prior framework to increase flexibility while maintaining continuity.
- If an enterprise is still using COBIT 4.1 and wants to switch to COBIT 2019, bypassing COBIT 5 may prove to be difficult, unless a sufficient number of practitioners have been trained on COBIT 5, the implementation methodology specific to COBIT 2019 and CMMI V2.0 concepts for capability assessment and performance management.
Figure 2—COBIT 2019 Implementation Guidance
|Phase of COBIT Implementation Life Cycle||What Should the Enterprise Do?||Remarks||Typical Activities and Deliverables|
|Phase 1—What are the drivers?||
What is the reason the enterprise started to implement COBIT 4.1 or COBIT 5?
Typical drivers could be that a competitor has already started to implement COBIT 2019, while the enterprise is still using COBIT 5 or an earlier version.
The governing body provides rationale, justification for switching to COBIT 2019.
|Phase 2—Where are we now?||
Study what has been achieved to this point.
Articulate a clear status of the current situation.
Conduct assessment of processes and their capability levels. Do this for only implemented processes.
|Phase 3—Where do we want to be?||
Based on the size of the organization, design the governance and management structure using the COBIT 2019 core model as a reference point.
Certain COBIT 5 processes in BAI are segregated:
Use a top-down approach from governance down to management processes.
Determine how the design factors influence objective prioritization. Note: Each design factor has different inputs. For example, design factor 9 Implementation methods has 3 inputs:
Studying each design factors and its inputs helps develop an approach to give relative importance to objectives.
|Phase 4—What do we need to do?||To implement COBIT 2019,
the following conditions are necessary:
Revisit the objectives to streamline:
|If all the COBIT 5 37 processes are implemented, then to switch to COBIT 2019, additional processes such as Managed data, Managed projects, Managed assurance are needed.||For Managed data objective, set up a workshop with the business, architects, CISO and CIO to understand data privacy, compliance, laws, regulations and security needs. Every country has different laws for implementing privacy rules. First, local regulations must be met, then the global. Therefore, IT must have a data privacy officer to oversee compliance with local and global regulations.
To create a process, follow these steps:
|Phase 5—How do we get there?||
As recommended in COBIT 5, make a road map to address the gaps.
|Use a project plan to drive the implementation.||
Come up with a plan, resources, milestones, deliverables and quick wins. That plan should include these items:
|Phase 6—Did we get there?||
Use CMMI V2.0 to assess the capability of the processes.
|Evidence collection should be based on samples.||
Use COBIT Assessor Guide: Using COBIT 5, which includes guidance to plan evidence collection and reporting of assessment.
|Phase 7—How do we keep momentum?||
Discuss the lessons learned in the implementation, including:
|Prove every win, loss or near win by measurements.||
Conduct lessons learned sessions with business, IT and COBIT 5 implementers.
Figure 3—Plotting Levels and Processes for Current State View
The information outlined herein is a guiding light to find the best ways to implement COBIT 2019. Many enterprises may still be in the training mode, and these tips could help them avoid pitfalls.
Govind Kulkarni, COBIT 5 Foundation, CSQA, ISO 27001 LI, ITIL Expert, PMP
Has 2 decades of experience providing IT solutions. He has worked in the entire life cycle of software development and, currently, he conducts training on COBIT 5, ITIL, information and cybersecurity. He has completed consulting assignments for gap analysis, COBIT 5/ITIL implementation, assessments using the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC15504 standard and tool customization for clients across the globe. Kulkarni’s current interests include business continuity, IT asset and cost management, scalability and performance optimization of web applications, predictive analytics, and technology areas such as OpenStack and DevOps. He was one of the editors of How to Reduce Cost of Software Testing published by CRC press. He can be reached email@example.com.