
Avoid Framework Overload
Use COBIT5 to Leverage Multiple Best Practices

Mark Thomas, CGEIT, CRISC, ITIL Expert


Mark Thomas, CGEIT, CRISC
Areas of expertise
Governance of Enterprise IT (CGEIT)
Enterprise Risk Management (CRISC)
COBIT
ITIL Expert
Experience
IT Director
VP, IT Operations
Enterprise Program Manager
Governance frameworks consulting
Agenda
Introduction and Background

Value Creation

The Framework Ecosystem

A Framework to Manage Frameworks

Closing and Questions


Presentation Synopsis

In the IT Governance environment there are multiple frameworks, models and standards to choose from. A challenge for most organizations is simply understanding what all of these are, and which ones are applicable or appropriate for them. Some common questions include: If we're using ITIL, should we consider COBIT? How do ISO standards fit into my model? Should I be using Project Management models if I already use COBIT? In this presentation on frameworks and standards integration, we explore the many models that are available today: what they are, how they fit, and why you would choose them. Most importantly, we will use COBIT as the framework integrator to create a more holistic approach to leveraging multiple best practices under a single model.

The purpose of this presentation is to gain an understanding of the various applicable frameworks that exist in the GEIT space, and how to understand, position, and integrate multiple frameworks using COBIT5.
Presentation Goals

Recognize the various frameworks in the GEIT ecosystem and how they can be collectively used to align with enterprise needs.
Understand a model to synchronize various frameworks such as COBIT, ITIL, TOGAF, PRINCE2, PMBOK, and many more.
Understand a model to synchronize various standards such as ISO38500, ISO27000, ISO20000, ISO31000, and many more.
Identify approaches to selecting appropriate frameworks for your needs by leveraging COBIT5 as the framework integrator.
Value Creation
Why the enterprise exists

Today's Challenges
Why Does the Enterprise Exist?

Creating Value
Benefits Realization
Risk Optimization
Resource Optimization
ISACA Information Systems Audit and Control Association. ITGI IT Governance Institute
How Do We Provide This Value?

Governance: Evaluate, Direct, Monitor
EVALUATE stakeholder needs, conditions and options
DIRECT through prioritization and decision making
MONITOR performance, compliance and progress against agreed-on direction and objectives

Management: Plan, Build, Run, Monitor
PLAN, BUILD, RUN and MONITOR activities
Align with the direction set by the governance body to achieve the enterprise objectives

The Framework Ecosystem
What is out there?
Drivers for Framework Adoption

Rising demand for best practices
More competitive landscape
Cost control
Conformance and performance
Meeting enterprise objectives
Technology investment justification
Framework Drivers
Standards and Good Practices

Example Framework Categories

Governance
  Example standards: ISO38500
  Example good practices: COSO, COBIT
Risk Management
  Example standards: ISO31000
  Example good practices: COBIT5 for Risk
Security Management
  Example standards: ISO27001, NIST
  Example good practices: COBIT5 for Security
Architecture
  Example standards: ISO42010
  Example good practices: TOGAF
IT Service Management
  Example standards: ISO20000
  Example good practices: ITIL, ASL/BiSL
Project and Program Management
  Example standards: ISO21500
  Example good practices: PMBOK, PRINCE2
Quality and Improvement
  Example standards: ISO15504
  Example good practices: SIX SIGMA, PDCA
Lifecycles
  Example standards: ISO12207, NIST (SDLC)
  Example good practices: AGILE, DEVOPS

This is not a complete list. It is a representation of the presenter's experience only.


A Framework to Manage Frameworks
Using COBIT5
Scenario

Company Background
Managed service provider
Mid-market
Multi-tenant environment

Challenges
Regulatory and compliance
Multiple fragmented frameworks
Customer satisfaction
Duplicated efforts

Goals
Adopt an enterprise IT governance framework that supports value creation and alignment.
Leverage applicable standards and industry best practices to balance performance and conformance.
Framework Drivers
Approach

1. Analyze Business Needs
2. Understand the Enablers
3. Inventory Frameworks
4. Link Frameworks to Enablers
Analyze Business Needs

Leverage the Goals Cascade from COBIT.
Translate stakeholder needs into specific, practical and customized goals.
Cascade the goals to selected enablers.
Consider external regulations, laws and contractual obligations.
Determine the implications of the overall enterprise control environment with regard to IT.

Modified Goals Cascade
Understand the Enablers

Principles, Policies and Frameworks
Processes
Organizational Structures
Culture, Ethics and Behaviours
Information
Services, Infrastructure and Applications
People, Skills and Competencies
Inventory Frameworks

Standards
Best Practices

EDM | APO | BAI | DSS | MEA
COSO | ISO/IEC 20000 | PMBOK | ITIL V3 2011 | ISO/IEC 20000
ISO/IEC 38500 | ISO/IEC 27002 | PRINCE2 | ISO/IEC 20000 | ITIL 2011
King III | ITIL 2011 | ISO/IEC 20000 | ISO/IEC 27002
OECD | TOGAF 9 | ITIL 2011 | BS 25999:2007
COSO/ERM | SFIA | ISO/IEC 27002:2011
ISO/IEC 31000 | ISO/IEC 27002 | NIST SP800-53 Rev 1
TOGAF 9 | PMBOK
ISO/IEC 9001-2008
ISO/IEC 27001:2005
ISO/IEC 27002:2011
NIST SP800-53 Rev 1

COSO = Committee of Sponsoring Organizations of the Treadway Committee
OECD = Organization for Economic Cooperation and Development
TOGAF = The Open Group Architecture Forum
SFIA = Skills Framework for the Information Age
PMBOK = Project Management Body of Knowledge
NIST = National Institute of Standards and Technology
Link Frameworks to Selected Enablers

Initial focus on the process enabler.
Process selection based on internal assessment.
Cross-reference to avoid duplication.
Use the COBIT5 Enabling Process Guide for guidance.
Domains and Processes

COBIT5 Process Reference Model

Each process description contains:
Process Identification
Process Description
Process Purpose Statement
Goals Cascade Information
Process Goals & Metrics
RACI Chart
Detailed Practice Descriptions
Related Guidance

Link Frameworks to Selected Enablers

Closing and Questions

Considerations and Tips

You don't have to call it by its name!
Use more than one framework; they each have unique focus areas.
There is no such thing as a single silver bullet.
Ownership and accountability are key.
Communicate value in business terms.
Use COBIT Online to assist.
