cobit5 compare with 4.1 27feb2012

Upload: ssarwono7727

Post on 06-Apr-2018


  • 8/2/2019 COBIT5 Compare With 4.1 27Feb2012

    1/32

    Comparing COBIT 4.1 and COBIT 5

    Presented by

    Stakeholder Value and Business Objectives

    Enterprises exist to create value for their stakeholders. Consequently, any enterprise, commercial or not, will have value creation as a governance objective.

    Value creation means: Realising benefits at an optimal resource cost while optimising risk.

    2012 ISACA. All rights reserved.

    Stakeholder Value and Business Objectives (cont.)

    Principle 1: Meeting Stakeholder Needs

    Stakeholder needs have to be transformed into an enterprise's actionable strategy.

    The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.

    Stakeholder Value and Business Objectives (cont.)

    Governance and Management Defined

    What sort of framework is COBIT?

      • An IT audit and control framework? COBIT (1996) and COBIT 2nd Edition (1998): Focus on Control Objectives
      • An IT management framework? COBIT 3rd Edition (2000): Management Guidelines added
      • An IT governance framework? COBIT 4.0 (2005) and COBIT 4.1 (2007): Governance and compliance processes added; Assurance processes removed

    BUT what is the difference between governance and management?

    Governance and Management Defined (cont.)

    Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

    Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

    Governance and Management Defined (cont.)

    The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes:

      • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
      • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

    Areas of Change

    The following slides summarise the major changes in COBIT 5 content and how they may impact GEIT implementation/improvement:

    1. New GEIT Principles
    2. Increased Focus on Enablers
    3. New Process Reference Model
    4. New and Modified Processes
    5. Practices and Activities
    6. Goals and Metrics
    7. Inputs and Outputs
    8. RACI Charts
    9. Process Capability Maturity Models and Assessments

    2010 ISACA. All rights reserved.

    1. New GEIT Principles

    COBIT 5 Principles

    1. New GEIT Principles (cont.)

    Val IT and Risk IT frameworks are principles-based.

    Feedback indicated that principles are easy to understand and put into an enterprise context, allowing value to be derived from the supporting guidance more effectively.

    ISO/IEC 38500 also incorporates principles to underpin its messages to achieve the same market benefit delivery, although the principles in this standard and COBIT 5 are not the same.

    2. Increased Focus on Enablers

    COBIT 4.1 did not have enablers! Yes, it did; they were not called enablers, but they were there, explicitly or implicitly!

    3. New Process Reference Model

    COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end, i.e., business and IT function areas.

    COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into one framework, and has been updated to align with current best practices, e.g., ITIL, TOGAF.

    The new model can be used as a guide for adjusting as necessary the enterprise's own process model (just like COBIT 4.1).

    3. New Process Reference Model (cont.)

    4. New and Modified Processes

    COBIT 5 introduces five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches.

    This guidance:

      • Helps enterprises to further refine and strengthen executive management-level GEIT practices and activities
      • Supports GEIT integration with existing enterprise governance practices and is aligned with ISO/IEC 38500

    4. New and Modified Processes (cont.)

    COBIT 5 has clarified management level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model.

    4. New and Modified Processes (cont.)

    There are several new and modified processes that reflect current thinking, in particular:

      • APO03 Manage enterprise architecture.
      • APO04 Manage innovation.
      • APO05 Manage portfolio.
      • APO06 Manage budget and costs.
      • APO08 Manage relationships.
      • APO13 Manage security.
      • BAI05 Manage organisational change enablement.
      • BAI08 Manage knowledge.
      • BAI09 Manage assets.
      • DSS05 Manage security service.
      • DSS06 Manage business process controls.

    4. New and Modified Processes (cont.)

    COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view.

    This provides for a more holistic and complete coverage of practices reflecting the pervasive enterprisewide nature of IT use.

    It makes the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent.

    5. Practices and Activities

    The COBIT 5 governance or management practices are equivalent to the COBIT 4.1 control objectives and Val IT and Risk IT processes.
    www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspx

    The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT management practices.

    COBIT 5 integrates and updates all of the previous content into the one new model, making it easier for users to understand and use this material when implementing improvements.
    6. Goals and Metrics

    COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise level view.

    COBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals and then supported by critical processes.

    COBIT 5 provides examples of goals and metrics at the enterprise, process and management practice levels. This is a change to COBIT 4.1, Val IT and Risk IT, which went down one level lower.

    7. Inputs and Outputs

    COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level.

    This provides additional detailed guidance for designing processes to include essential work products and to assist with interprocess integration.

    8. RACI Charts

    COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT.

    COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.

    8. RACI Charts (cont.)

    9. Process Capability Maturity Models and Assessments

    COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modelling approach.

    COBIT 5 will be supported by a new process capability assessment approach based on ISO/IEC 15504, and the COBIT Assessment Programme has already been established for COBIT 4.1 as an alternative to the CMM approach.
    www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx

    The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IEC 15504 approach because the methods use different attributes and measurement scales.

    9. Process Capability Maturity Models and Assessments (cont.)

    COBIT 4.1/5

    9. Process Capability Maturity Models and Assessments (cont.)

    The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method.

    The COBIT Assessment Programme supports:

      • Formal assessments by accredited assessors (assessor training is being developed)
      • Less rigorous self-assessments for internal gap analysis and process improvement planning

    The COBIT Assessment Programme, in the future, will also potentially enable an enterprise to obtain an independent and certified assessment aligned to the ISO/IEC standard.

    9. Process Capability Maturity Models and Assessments (cont.)

    What materials support the COBIT Assessment Programme approach?

      • COBIT Process Assessment Model (PAM): Using COBIT 4.1
        Serves as a base reference document for the performance of a capability assessment of an organisation's current IT processes against COBIT
      • COBIT Assessor Guide: Using COBIT 4.1
        Provides details on how to undertake a full ISO-compliant assessment
      • COBIT Self-assessment Guide: Using COBIT 4.1
        Provides guidance on how to perform a basic self-assessment of an organisation's current IT process capability levels against COBIT processes

    The above materials exist to support COBIT 4.1-based assessments now; versions will be produced to support COBIT 5-based assessments.

    9. Process Capability Maturity Models and Assessments (cont.)

    COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach.

    Although some of the information gathered from previous assessments may be reusable, care will be needed in migrating this information forward because there are significant differences in requirements.

    9. Process Capability Maturity Models and Assessments (cont.)

    COBIT 4.1, Val IT and Risk IT users wishing to continue with the CMM-based approach, either as an interim or ongoing approach, can use the COBIT 5 guidance, but must use the COBIT 4.1 generic attribute table without the high-level maturity models.