
OVERVIEW OF COBIT 5

COBIT 5 provides the next generation of ISACA’s guidance on the enterprise governance
and management of IT. The major drivers for the development of COBIT 5 include the need to:

• Provide more stakeholders a say in determining what they expect from information and
related technology (what benefits at what acceptable level of risk and at what costs) and
what their priorities are in ensuring that expected value is actually being delivered. Some
will want short-term returns and others long-term sustainability. Some will be ready to
take a high risk that others will not. These divergent and sometimes conflicting
expectations need to be dealt with effectively. Furthermore, not only do these
stakeholders want to be more involved, but they want more transparency regarding how
this will happen and the actual results achieved.
• Address the increasing dependency of enterprise success on external business and IT
parties such as outsourcers, suppliers, consultants, clients, cloud and other service
providers, and on a diverse set of internal means and mechanisms to deliver the
expected value.
• Deal with the amount of information, which has increased significantly. How do
enterprises select the relevant and credible information that will lead to effective and
efficient business decisions? Information also needs to be managed effectively, and an
effective information model can assist.
• Deal with much more pervasive IT; it is more and more an integral part of the business.
Often, it is no longer satisfactory to have IT separate even if it is aligned to the business.
It needs to be an integral part of the business projects, organisational structures, risk
management, policies, skills, processes, etc. The roles of the chief information officer
(CIO) and the IT function are evolving. More and more people within the business
functions have IT skills and are, or will be, involved in IT decisions and IT operations. IT
and business will need to be better integrated.
• Provide further guidance in the area of innovation and emerging technologies; this is
about creativity, inventiveness, developing new products, making the existing products
more compelling to customers and reaching new types of customers. Innovation also
implies streamlining product development, manufacturing and supply chain processes to
deliver products to market with increasing levels of efficiency, speed and quality.
• Cover the full end-to-end business and IT functional responsibilities, and cover all
aspects that lead to effective governance and management of enterprise IT, such as
organisational structures, policies and culture, over and above processes.
• Get better control over increasing user-initiated and user-controlled IT solutions.
• Achieve enterprise:
– Value creation through effective and innovative use of enterprise IT
– Business user satisfaction with IT engagement and services
– Compliance with relevant laws, regulations, contractual agreements and internal
policies
– Improved relations between business needs and IT objectives
• Connect to, and, where relevant, align with, other major frameworks and standards in
the marketplace, such as the Information Technology Infrastructure Library (ITIL), The Open
Group Architecture Framework (TOGAF), the Project Management Body of Knowledge
(PMBOK), PRojects IN Controlled Environments 2 (PRINCE2), the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) and the International
Organization for Standardization (ISO) standards. This will help stakeholders understand
how various frameworks, good practices and standards are positioned relative to each
other and how they can be used together.
• Integrate all major ISACA frameworks and guidance, with a primary focus on COBIT, Val
IT and Risk IT, but also considering the Business Model for Information Security (BMIS),
the IT Assurance Framework (ITAF), the publication titled Board Briefing on IT
Governance, and the Taking Governance Forward (TGF) resource, such that COBIT 5
covers the complete enterprise and provides a basis to integrate other frameworks,
standards and practices as one single framework.

The COBIT 5 framework publication contains seven further chapters, beginning with one for
each of its five principles. The first four principles are summarised below.

1) PRINCIPLE 1: MEETING STAKEHOLDER NEEDS


Every enterprise operates in a different context; this context is determined by external
factors (the market, the industry, geopolitics, etc.) and internal factors (the culture, organisation,
risk appetite, etc.), and requires a customised governance and management system.

Stakeholder needs have to be transformed into an enterprise’s actionable strategy. The
COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific,
actionable and customised enterprise goals, IT-related goals and enabler goals. This translation
allows setting specific goals at every level and in every area of the enterprise in support of the
overall goals and stakeholder requirements, and thus effectively supports alignment between
enterprise needs and IT solutions and services.

Step 1. Stakeholder Drivers Influence Stakeholder Needs

Stakeholder needs are influenced by a number of drivers, e.g., strategy changes, a changing
business and regulatory environment, and new technologies.

Step 2. Stakeholder Needs Cascade to Enterprise Goals

Stakeholder needs can be related to a set of generic enterprise goals. These enterprise goals
have been developed using the balanced scorecard (BSC) dimensions, and they represent a list
of commonly used goals that an enterprise may define for itself. Although this list is not
exhaustive, most enterprise-specific goals can be mapped easily onto one or more of the
generic enterprise goals.

Step 3. Enterprise Goals Cascade to IT-related Goals

Achievement of enterprise goals requires a number of IT-related outcomes, which are
represented by the IT-related goals. IT-related stands for information and related technology,
and the IT-related goals are structured along the dimensions of the IT balanced scorecard (IT
BSC).

Step 4. IT-related Goals Cascade to Enabler Goals

Achieving IT-related goals requires the successful application and use of a number of enablers.
Enablers include processes, organisational structures and information, and for each enabler a
set of specific relevant goals can be defined in support of the IT-related goals.

Benefits of the COBIT 5 Goals Cascade

The goals cascade is important because it allows the definition of priorities for implementation,
improvement and assurance of governance of enterprise IT based on (strategic) objectives of
the enterprise and the related risk. In practice, the goals cascade:

• Defines relevant and tangible goals and objectives at various levels of responsibility
• Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant
guidance for inclusion in specific implementation, improvement or assurance projects
• Clearly identifies and communicates how (sometimes very operational) enablers are
important to achieve enterprise goals

Using the COBIT 5 Goals Cascade Carefully

The goals cascade—with its mapping tables between enterprise goals and IT-related goals and
between IT-related goals and COBIT 5 enablers (including processes)—does not contain the
universal truth, and users should not attempt to use it in a purely mechanistic way, but rather as
a guideline. There are various reasons for this, including:

• Every enterprise has different priorities in its goals, and priorities may change over time.
• The mapping tables do not distinguish between size and/or industry of the enterprise.
They represent a sort of common denominator of how, in general, the different levels of
goals are interrelated.
• The indicators used in the mapping use two levels of importance or relevance,
suggesting that there are ‘discrete’ levels of relevance, whereas, in reality, the mapping
will be close to a continuum of various degrees of correspondence.

Using the COBIT 5 Goals Cascade in Practice

From the previous disclaimer, it is obvious that the first step an enterprise should always apply
when using the goals cascade is to customise the mapping, taking into account its specific
situation. In other words, each enterprise should build its own goals cascade, compare it with
COBIT and then refine it.

For example, the enterprise may wish to:

• Translate the strategic priorities into a specific ‘weight’ or importance for each of the
enterprise goals.
• Validate the mappings of the goals cascade, taking into account its specific environment,
industry, etc.
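The weighting step above, and the two-level (primary/secondary) mapping tables the disclaimer warns about, are easy to reason about once written down as a small computation. The following Python script is an added example, not part of the COBIT 5 text: it propagates enterprise-goal weights through a mapping table to IT-related goals and then to enabler (process) goals, and then reports the ties that the two discrete relevance levels cannot separate, which is exactly the point where a mechanistic reading of the tables breaks down. The goal identifiers, the mapping entries, the 1.0/0.5 level weights and the sample weights are all constructed for illustration and are not COBIT 5's own tables.

```python
"""Goals-cascade prioritisation (added illustration; not COBIT 5's own tables).

Propagates enterprise-goal weights through two-level mapping tables to
IT-related goals and then to enabler goals, and flags the ties that the
discrete P/S levels cannot resolve.
"""
from collections import defaultdict

# Numeric value given to each mapping level. The text notes that the two
# discrete levels stand in for a continuum; these values are an assumption
# the enterprise must set and validate for itself.
LEVEL_WEIGHT = {"P": 1.0, "S": 0.5}

# Constructed mapping: enterprise goal -> {IT-related goal: level}.
# Identifiers and entries are hypothetical, chosen only for the example.
EG_TO_ITG = {
    "EG01": {"ITG01": "P", "ITG03": "S"},
    "EG03": {"ITG04": "P", "ITG10": "P", "ITG07": "S"},
    "EG07": {"ITG04": "P", "ITG10": "P", "ITG14": "S"},
}

# Constructed mapping: IT-related goal -> {enabler goal (process): level}.
ITG_TO_ENABLER = {
    "ITG01": {"APO02": "P", "EDM01": "S"},
    "ITG03": {"EDM02": "P"},
    "ITG04": {"APO12": "P", "DSS05": "S"},
    "ITG07": {"BAI06": "P"},
    "ITG10": {"DSS05": "P", "APO13": "P", "DSS02": "S"},
    "ITG14": {"BAI04": "P"},
}


def cascade(weights, mapping):
    """One cascade step: weighted sum of source weights over mapping levels."""
    scores = defaultdict(float)
    for source, weight in weights.items():
        for target, level in mapping.get(source, {}).items():
            scores[target] += weight * LEVEL_WEIGHT[level]
    return dict(scores)


def prioritise(enterprise_weights):
    """Run the full cascade: enterprise goals -> IT-related goals -> enablers."""
    itg_scores = cascade(enterprise_weights, EG_TO_ITG)
    enabler_scores = cascade(itg_scores, ITG_TO_ENABLER)
    return itg_scores, enabler_scores


def ranked(scores, top=None):
    """Highest score first; ties broken alphabetically so output is stable."""
    order = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return order[:top] if top else order


def near_ties(scores, tol=1e-9):
    """Pairs of goals whose scores the mapping cannot distinguish.

    These are the places where the 'discrete levels' disclaimer bites:
    the table alone gives no basis to rank one above the other.
    """
    items = sorted(scores.items())
    pairs = []
    for i, (a, score_a) in enumerate(items):
        for b, score_b in items[i + 1:]:
            if abs(score_a - score_b) <= tol:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    # Constructed strategic weights summing to 1 (risk-heavy enterprise).
    weights = {"EG01": 0.2, "EG03": 0.5, "EG07": 0.3}
    itg, enablers = prioritise(weights)
    for code, score in ranked(enablers):
        print(f"{code}: {score:.2f}")
    print("ties the two-level mapping cannot separate:", near_ties(enablers))
```

Changing the level weights (say, 1.0/0.25 instead of 1.0/0.5) or the enterprise weights reorders the enabler list without any change to the mapping table itself, which is why the text insists that each enterprise build and validate its own cascade rather than read the generic tables mechanically.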

2) PRINCIPLE 2: COVERING THE ENTERPRISE END-TO-END

COBIT 5 addresses the governance and management of information and related technology
from an enterprisewide, end-to-end perspective. This means that COBIT 5:
• Integrates governance of enterprise IT into enterprise governance. That is, the
governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any
governance system. COBIT 5 aligns with the latest views on governance.
• Covers all functions and processes required to govern and manage enterprise
information and related technologies wherever that information may be processed.
Given this extended enterprise scope, COBIT 5 addresses all the relevant internal and
external IT services, as well as internal and external business processes.

Governance Approach

In addition to the governance objective, the other main elements of the governance
approach include enablers; scope; and roles, activities, and relationships.

Governance Scope

Governance can be applied to the entire enterprise, an entity, a tangible or intangible asset,
etc. That is, it is possible to define different views of the enterprise to which governance is
applied, and it is essential to define this scope of the governance system well. The scope of
COBIT 5 is the enterprise—but in essence COBIT 5 can deal with any of the different views.

Roles, Activities and Relationships

A last element is governance roles, activities and relationships. It defines who is involved in
governance, how they are involved, what they do and how they interact, within the scope of
any governance system. In COBIT 5, clear differentiation is made between governance and
management activities in the governance and management domains, as well as the
interfacing between them and the role players that are involved.

3) PRINCIPLE 3: APPLYING A SINGLE INTEGRATED FRAMEWORK

COBIT 5 is a single and integrated framework because:

• It aligns with other latest relevant standards and frameworks, and thus allows the
enterprise to use COBIT 5 as the overarching governance and management framework
integrator.
• It is complete in enterprise coverage, providing a basis to integrate effectively other
frameworks, standards and practices used. A single overarching framework serves as a
consistent and integrated source of guidance in a non-technical, technology-agnostic
common language.
• It provides a simple architecture for structuring guidance materials and producing a
consistent product set.
• It integrates all knowledge previously dispersed over different ISACA frameworks.
ISACA has researched the key area of enterprise governance for many years and has
developed frameworks such as COBIT, Val IT, Risk IT, BMIS, the publication Board
Briefing on IT Governance, and ITAF to provide guidance and assistance to enterprises.
COBIT 5 integrates all of this knowledge.

COBIT 5 Framework Integrator

The COBIT 5 framework delivers to its stakeholders the most complete and up-to-date guidance
on governance and management of enterprise IT by:

• Researching and using a set of sources that have driven the new content development,
including:
– Bringing together the existing ISACA guidance (COBIT 4.1, Val IT 2.0, Risk IT,
BMIS) into this single framework
– Complementing this content with areas needing further elaboration and updates
– Aligning to other relevant standards and frameworks, such as ITIL, TOGAF and
ISO standards
• Defining a set of governance and management enablers, which provide a structure for
all guidance materials
• Populating a COBIT 5 knowledge base that contains all guidance and content produced
now and will provide a structure for additional future content
• Providing a sound and comprehensive reference base of good practices

4) PRINCIPLE 4: ENABLING A HOLISTIC APPROACH

COBIT 5 Enablers

Enablers are factors that, individually and collectively, influence whether something will work—in
this case, governance and management over enterprise IT. Enablers are driven by the goals
cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.

The COBIT 5 framework describes seven categories of enablers:

• Principles, policies and frameworks are the vehicle to translate the desired behaviour
into practical guidance for day-to-day management.
• Processes describe an organised set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT-related goals.
• Organisational structures are the key decision-making entities in an enterprise.
• Culture, ethics and behaviour of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
• Information is pervasive throughout any organisation and includes all information
produced and used by the enterprise. Information is required for keeping the
organisation running and well governed, but at the operational level, information is very
often the key product of the enterprise itself.
• Services, infrastructure and applications include the infrastructure, technology and
applications that provide the enterprise with information technology processing and
services.
• People, skills and competencies are linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective actions.

Some of the enablers defined previously are also enterprise resources that need to be managed
and governed as well. This applies to:

• Information, which needs to be managed as a resource. Some information, such as
management reports and business intelligence information, are important enablers for
the governance and management of the enterprise.
• Services, infrastructure and applications
• People, skills and competencies

Systemic Governance and Management Through Interconnected Enablers

Any enterprise must always consider an interconnected set of enablers. That is, each enabler:

• Needs the input of other enablers to be fully effective, e.g., processes need information,
organisational structures need skills and behaviour.
• Delivers output to the benefit of other enablers, e.g., processes deliver information, skills
and behaviour make processes efficient.

So when dealing with governance and management of enterprise IT, good decisions can be
taken only when this systemic nature of governance and management arrangements is taken
into account. This means that to deal with any stakeholder need, all interrelated enablers have
to be analysed for relevance and addressed if required.

COBIT 5 Enabler Dimensions

All enablers have a set of common dimensions. This set of common dimensions:

• Provides a common, simple and structured way to deal with enablers
• Allows an entity to manage its complex interactions
• Facilitates successful outcomes of the enablers

Enabler Dimensions

The four common dimensions for enablers are:

• Stakeholders—Each enabler has stakeholders (parties who play an active role and/or
have an interest in the enabler). For example, processes have different parties who
execute process activities and/or who have an interest in the process outcomes;
organisational structures have stakeholders, each with his/her own roles and interests,
that are part of the structures. Stakeholders can be internal or external to the enterprise,
all having their own, sometimes conflicting, interests and needs. Stakeholders’ needs
translate to enterprise goals, which in turn translate to IT-related goals for the enterprise.
• Goals—Each enabler has a number of goals, and enablers provide value by the
achievement of these goals. Goals can be defined in terms of:
– Expected outcomes of the enabler
– Application or operation of the enabler itself

The enabler goals are the final step in the COBIT 5 goals cascade. Goals can be further
split up in different categories:

– Intrinsic quality—The extent to which enablers work accurately, objectively and
provide accurate, objective and reputable results
– Contextual quality—The extent to which enablers and their outcomes are fit for
purpose given the context in which they operate. For example, outcomes should
be relevant, complete, current, appropriate, consistent, understandable and easy
to use.
– Access and security—The extent to which enablers and their outcomes are
accessible and secured, such as:
  – Enablers are available when, and if, needed.
  – Outcomes are secured, i.e., access is restricted to those entitled and
needing it.
• Life cycle—Each enabler has a life cycle, from inception through an operational/useful
life until disposal. This applies to information, structures, processes, policies, etc. The
phases of the life cycle consist of:
– Plan (includes concepts development and concepts selection)
– Design
– Build/acquire/create/implement
– Use/operate
– Evaluate/monitor
– Update/dispose
• Good practices—For each of the enablers, good practices can be defined. Good
practices support the achievement of the enabler goals. Good practices provide
examples or suggestions on how best to implement the enabler, and what work products
or inputs and outputs are required. COBIT 5 provides examples of good practices for
some enablers provided by COBIT 5 (e.g., processes). For other enablers, guidance
from other standards, frameworks, etc., can be used.

Enabler Performance Management

Enterprises expect positive outcomes from the application and use of enablers. To manage
performance of the enablers, the following questions will have to be monitored and thereby
subsequently answered—based on metrics—on a regular basis:

• Are stakeholder needs addressed?
• Are enabler goals achieved?
• Is the enabler life cycle managed?
• Are good practices applied?

The first two bullets deal with the actual outcome of the enabler. The metrics used to measure
to what extent the goals are achieved can be called ‘lag indicators’. The last two bullets deal
with the actual functioning of the enabler itself, and metrics for this can be called ‘lead
indicators’.
