The document discusses Iman Baradari's background and qualifications. It states that he has a Master's degree in project management from the University of Melbourne and various professional certifications in project management, IT service management, and risk management. It also lists his work experience, which includes roles as a project manager for several large IT projects in Iran.
3. Teacher's Name: Iman Baradari
Master of Engineering (Project Management), University of Melbourne
Project management professional certifications:
• Risk Management Professional (RMP)
• Project Management Professional (PMP)
• PRINCE2 (Foundation and Practitioner)
• Managing Successful Programmes (MSP)
• Management of Portfolios (MoP)
ITSM professional certifications:
• ITIL V2 and V3.0 (Foundation)
• ITIL V2 Service Manager
• ISO 20000
• COBIT
IBPM Group
4. Working Experience:
• Project manager: E-SASAD programme
• Designing an integrated ITSM solution based on ITIL
• Vice President: Iran Fuel Smart Card National Project
• Project planning and control manager: Iran Fuel Smart Card National Project
• Project manager: Iran Railway Support System based on ITIL and ISO 20000
6. Please describe your:
Roles and responsibilities
Knowledge in IT service management
Knowledge in project management
Work experience in IT service management
Needs and expectations from this course
8. IT Challenges
Aligning IT with business requirements
Value delivery
IT expenditure
Mastering complexity
Regulatory compliance
Security
IT risks
10. Corporate Governance vs. IT Governance
Corporate governance is the set of processes, customs, policies, laws,
management practices and institutions affecting the way an entity is
controlled and managed. It incorporates all the relationships among the
many stakeholders involved and aims to organize them to meet the
goals of the organization in the most effective and efficient manner
possible. An effective corporate governance strategy allows an
organization to manage all aspects of its business in order to meet its
objectives.
IT Governance is a subset discipline of Corporate Governance focused
on information technology (IT) systems and their performance and risk
management.
11. Enterprise governance drives IT governance
Enterprise governance is about:
• Conformance: adhering to legislation, internal policies, audit requirements, etc.
• Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a
balance between conformance and performance goals
directed by the board.
Source: ITGI
12. Corporate Governance
The field of Corporate Governance is a multi-faceted subject that
includes several fields of study. These fields include areas such as:
1. Accountability and fiduciary duty. These advocate the
implementation of guidelines and mechanisms to ensure management
acts in good faith and that the public organization is protected from
wrongdoing or fraud.
2. Economic efficiency view. This involves how the corporate
governance system intends to optimize results, and meet its objectives.
3. Strategic efficiency view. This involves public policy objectives that
are not directly measurable in economic terms such as alleviation of
poverty, access to markets, income stabilization, health care and job
creation. These are issues that are the main focus of most public
sector institutions and are not readily measured in economic terms.
4. Stakeholder view. This area of study focuses more attention and
accountability on other stakeholders such as citizens, employees,
businesses and other levels of government (i.e. provincial, municipal or
local authorities).
13. IT Governance
IT Governance focuses specifically on information technology systems,
their performance and risk management.
The primary goals of IT Governance are to assure that the investments
in IT generate business value, and to mitigate the risks that are
associated with IT. This can be done by implementing an
organizational structure with well-defined roles for the responsibility of
information, business processes, applications and infrastructure.
IT governance should be viewed as how IT creates value that fits into
the overall Corporate Governance Strategy of the organization, and
never be seen as a discipline on its own. In taking this approach, all
stakeholders would be required to participate in the decision making
process. This creates a shared acceptance of responsibility for critical
systems and ensures that IT related decisions are made and driven by
the business and not vice versa.
14. Various definitions of IT Governance
The structure, oversight and management processes which
ensure the delivery of the expected benefits of IT in a controlled
way to help enhance the long term sustainable success of the
enterprise.
IT governance is the responsibility of the board of directors and
executive management. It is an integral part of enterprise
governance and consists of the leadership and organizational
structures and processes that ensure that the organization's IT
sustains and extends the organization's strategies and objectives.
A structure of relationships and processes to direct and control
the enterprise in order to achieve the enterprise’s goals by adding
value while balancing risk versus return over IT and its processes.
15. Various definitions of IT Governance
Specifying the decision rights and accountability framework to encourage
desirable behaviors in the use of IT.
Governance is not about what decisions get made – that is management
– but it is about who makes the decisions and how they are made.
IT governance is the term used to describe how those persons entrusted
with governance of an entity will consider IT in their supervision,
monitoring, control and direction of the entity. How IT is applied will have
an immense impact on whether the entity will attain its vision, mission or
strategic goals.
16. Various definitions of IT Governance
ITGI definition:
IT governance consists of the leadership and organizational structures and
processes that ensure that the organization’s IT sustains and extends the
enterprise’s strategies and objectives.
At its core, IT has two responsibilities:
1. IT must deliver value
2. Enable the business
17. Purpose of IT Governance
Establish and clarify accountability and decision rights (clearly define
roles and authority).
Manage risks, change and contingency proactively.
Improve IT organizational performance, compliance, maturity and
staff development.
Improve customer service and overall responsiveness.
Align IT investments and priorities more closely with the business.
Manage, evaluate, prioritize, fund, measure and monitor requests for
IT services and the resulting work and deliverables, in a more
consistent and repeatable manner that optimizes returns to the
business.
Manage the responsible utilization of resources and assets.
Ensure that IT delivers on its plans, budgets and commitments.
18. What does it mean?
Governance is about deciding the "who, what, when, why, and how" of
decision-making.
The decisions required by the organization (the "what")
The roles (the "who") in the organization that are accountable for
which decisions
Policies that guide how the decisions should be made (the "why")
The measures that enable informed decision-making (the "how")
At what point in the governance process is the decision appropriately
made? (the "when")
19. Benefits of IT Governance
Confidence of Top management
Responsiveness of IT to Business
Formalizes IT oversight and accountability to ensure more effective
and ethical management.
Improves planning, integration, communications and performance
between the Business Units and IT Groups and within IT Groups
Improves ROI based demand management (IT requests and Total
Cost of Ownership) decisions to analyze, prioritize, fund, approve and
manage major IT investments (capital and operating expenses).
Optimizes assets and human capital resources
Facilitates compliance and audits by documenting processes,
controls and decision authority.
More transparency
20. IT Governance Responsibilities
To meet the requirements listed in the previous section, a framework
for IT governance and control should:
Provide a business focus to enable alignment between business and
IT objectives
Establish a process orientation to define the scope and extent of
coverage, with a defined structure enabling easy navigation of content
Be generally acceptable by being consistent with accepted IT good
practices and standards and independent of specific technologies
Supply a common language with a set of terms and definitions that
are generally understandable by all stakeholders
Help meet regulatory requirements by being consistent with generally
accepted corporate governance standards (e.g., COSO) and IT
controls expected by regulators and external auditors
21. IT Governance stakeholders
A governance and control framework needs to serve a variety of
internal and external stakeholders, each of whom has specific needs:
Stakeholders within the enterprise who have an interest in generating
value from IT investments:
• Those who make investment decisions
• Those who decide about requirements
• Those who use IT services
Internal and external stakeholders who provide IT services:
• Those who manage the IT organization and processes
• Those who develop capabilities
• Those who operate the services
Internal and external stakeholders who have a control/risk
responsibility:
• Those with security, privacy and/or risk responsibilities
• Those performing compliance functions
• Those requiring or providing assurance services
23. IT Governance Focus areas
(Diagram: IT Governance Focus Areas mapped to IT Governance Domains, including Resource Management.)
24. IT Governance Focus areas
Strategic alignment
focuses on ensuring the linkage of business and IT plans; defining,
maintaining and validating the IT value proposition; and aligning IT
operations with enterprise operations.
Value delivery
is about executing the value proposition throughout the delivery cycle,
ensuring that IT delivers the promised benefits against the strategy,
concentrating on optimizing costs and proving the intrinsic value of IT.
Resource management
is about the optimal investment in, and the proper management of, critical
IT resources: applications, information, infrastructure and people. Key
issues relate to the optimisation of knowledge and infrastructure.
25. IT Governance Focus areas
Risk management
requires risk awareness by senior corporate officers, a clear
understanding of the enterprise’s appetite for risk, understanding of
compliance requirements, transparency about the significant risks to the
enterprise and embedding of risk management responsibilities into the
organization.
Performance measurement
tracks and monitors strategy implementation, project completion, resource
usage, process performance and service delivery, using, for example,
balanced scorecards that translate strategy into action to achieve goals
measurable beyond conventional accounting.
26. IT Governance Focus areas – Strategic Alignment
Strategic Alignment focuses on ensuring the linkage of business and IT
plans:
• Defining, maintaining and validating the IT value proposition
• Aligning IT operations with enterprise operations
27. IT Governance Focus areas – Value Delivery
Value Delivery is about executing the value proposition throughout
the delivery cycle, ensuring that IT delivers the promised benefits
against the strategy, concentrating on optimizing costs and proving the
intrinsic value of IT.
Governance measures are mostly qualitative rather than quantitative, which
does not lend itself to ‘value delivery’.
Many new IT Governance initiatives often have no mechanism in
place to measure the success or benefits of their governance efforts.
When IT Governance performance measurement disciplines and
practices are in use, they are mostly informal, subjective or based on
qualitative measures only.
28. IT Governance Focus areas – Risk management
Risk awareness by senior corporate officers
A clear understanding of the enterprise’s appetite for risk
Transparency about the significant risks to the enterprise
Embedding of risk management responsibilities into the organization
29. IT Governance Focus areas – Resource management
Optimal investment in, and the proper management of, critical IT
resources:
Processes
People
Applications
Infrastructure
Information
30. IT Governance Focus areas – Performance management
Tracks and monitors strategy implementation
Project completion
Resource usage
Process performance
Service delivery
33. COBIT is a framework and supporting tool set that allows managers to
bridge the gap with respect to control requirements, technical
issues and business risks, and communicate that level of control to
stakeholders. COBIT enables the development of clear policies
and good practice for IT control throughout enterprises. COBIT is
continuously kept up to date and harmonised with other standards
and guidance. Hence, COBIT has become the integrator for IT good
practices and the umbrella framework for IT governance that
helps in understanding and managing the risks and benefits associated
with IT. The process structure of COBIT and its high-level,
business-oriented approach provide an end-to-end view of IT and the
decisions to be made about IT.
34. COBIT Characteristics
Business Focused
Process Oriented
Control Based
Measurement driven
37. COBIT is Business Focused
Business orientation is the main theme of COBIT. It is designed not
only to be employed by IT service providers, users and auditors, but
also, and more important, to provide comprehensive guidance for
management and business process owners.
The COBIT framework is based on the following principle: to provide
the information that the enterprise requires to achieve its objectives,
the enterprise needs to invest in and manage and control IT resources
using a structured set of processes to provide the services that deliver
the required enterprise information.
Managing and controlling information are at the heart of the COBIT
framework and help ensure alignment to business requirements.
43. Business Goals and IT Goals
Whilst information criteria provide a generic method for defining the
business requirements, defining a set of generic business and IT goals
provides a business-related and more refined basis for establishing
business requirements and developing the metrics that allow
measurement against these goals. Every enterprise uses IT to enable
business initiatives, and these can be represented as business goals
for IT.
If IT is to successfully deliver services to support the enterprise’s
strategy, there should be a clear ownership and direction of the
requirements by the business (the customer) and a clear
understanding of what needs to be delivered, and how, by IT (the
provider).
45. COBIT’s Information criteria
Effectiveness
deals with information being relevant and pertinent to the business
process as well as being delivered in a timely, correct, consistent and
usable manner.
Efficiency
concerns the provision of information through the optimal (most
productive and economical) use of resources.
Confidentiality
concerns the protection of sensitive information from unauthorized
disclosure.
Integrity
relates to the accuracy and completeness of information as well as to
its validity in accordance with business values and expectations.
46. COBIT’s Information criteria
Availability
relates to information being available when required by the business
process now and in the future. It also concerns the safeguarding of
necessary resources and associated capabilities.
Compliance
deals with complying with the laws, regulations and contractual
arrangements to which the business process is subject, i.e., externally
imposed business criteria as well as internal policies.
Reliability
relates to the provision of appropriate information for management to
operate the entity and exercise its fiduciary and governance
responsibilities.
48. IT Resources
The IT organization delivers against these goals by a clearly defined
set of processes that use people skills and technology infrastructure to
run automated business applications while leveraging business
information. These resources, together with the processes, constitute
an enterprise architecture for IT.
49. IT Resources
The IT resources identified in COBIT can be defined as follows:
Applications
are the automated user systems and manual procedures that process the
information.
Information
is the data, in all their forms, input, processed and output by the information
systems in whatever form is used by the business.
Infrastructure
is the technology and facilities (i.e., hardware, operating systems, database
management systems, networking, multimedia, and the environment that houses
and supports them) that enable the processing of the applications.
People
are the personnel required to plan, organise, acquire, implement, deliver, support,
monitor and evaluate the information systems and services. They may be internal,
outsourced or contracted as required.
50. IT Resources
The diagram below summarizes how the business goals for IT influence how
the IT resources need to be managed by the IT processes to deliver IT’s
goals.
52. COBIT is Process Oriented
COBIT defines IT activities in a generic process model within four
domains. These domains are Plan and Organize, Acquire and
Implement, Deliver and Support, and Monitor and Evaluate. The domains
map to IT’s traditional responsibility areas of plan, build, run and monitor.
The COBIT framework provides a reference process model and common
language for everyone in an enterprise to view and manage IT activities.
Incorporating an operational model and a common language for all parts
of the business involved in IT is one of the most important and initial
steps toward good governance. It also provides a framework for
measuring and monitoring IT performance, communicating with service
providers and integrating best management practices.
A process model encourages process ownership, enabling
responsibilities and accountability to be defined.
54. The Four interrelated Domains of COBIT
To govern IT effectively, it is important to appreciate the activities and
risks within IT that need to be managed. They are usually ordered into
the responsibility domains of plan, build, run and monitor. Within the
COBIT framework, these domains, as shown in figure 8, are called:
• Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement (AI): provides the solutions and passes them to be turned into services
• Deliver and Support (DS): receives the solutions and makes them usable for end users
• Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed
55. Plan and Organize(PO)
This domain covers strategy and tactics, and concerns the
identification of the way IT can best contribute to the achievement of
the business objectives. The realization of the strategic vision needs to
be planned, communicated and managed for different perspectives. A
proper organization as well as technological infrastructure should be
put in place. This domain typically addresses the following
management questions:
Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Is the quality of IT systems appropriate for business needs?
Are IT risks understood and being managed?
56. ACQUIRE AND IMPLEMENT (AI)
To realize the IT strategy, IT solutions need to be identified, developed
or acquired, as well as implemented and integrated into the
business process. In addition, changes in and maintenance of existing
systems are covered by this domain to make sure the solutions
continue to meet business objectives. This domain typically addresses
the following management questions:
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
Will changes be made without upsetting current business operations?
57. DELIVER AND SUPPORT (DS)
This domain is concerned with the actual delivery of required services,
which includes service delivery, management of security and
continuity, service support for users, and management of data and
operational facilities. It typically addresses the following
management questions:
Are IT services being delivered in line with business priorities?
Are IT costs optimized?
Is the workforce able to use the IT systems productively and safely?
Are adequate confidentiality, integrity and availability in place for
information security?
58. MONITOR AND EVALUATE (ME)
All IT processes need to be regularly assessed over time for their
quality and compliance with control requirements. This domain
addresses performance management, monitoring of internal control,
regulatory compliance and governance. It typically addresses the
following management questions:
Is IT’s performance measured to detect problems before it is too late?
Does management ensure that internal controls are effective and
efficient?
Can IT performance be linked back to business goals?
Are adequate confidentiality, integrity and availability controls in place
for information security?
59. The Four interrelated Domains of COBIT
Across these four domains, COBIT has identified 34 IT processes that
are generally used.
While most enterprises have defined plan, build, run and monitor
responsibilities for IT, and most have the same key processes, few
will have the same process structure or apply all 34 COBIT processes.
COBIT provides a complete list of processes that can be used
to verify the completeness of activities and responsibilities; however,
they need not all apply, and, even more, they can be combined as
required by each enterprise.
For each of these 34 processes, a link is made to the business and IT
goals that are supported. Information on how the goals can be
measured, what the key activities and major deliverables are, and who
is responsible for them is also provided.
61. COBIT Framework
(Framework diagram, rendered here as text.)
Business objectives and governance objectives drive the framework.
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
IT resources: Applications, Information, Infrastructure, People.
Plan and Organise (PO):
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement (AI):
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support (DS):
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate (ME):
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Source: ITGI
63. COBIT is Controls based
COBIT defines control objectives for all 34 processes, as well as
overarching process and application controls.
Control is defined as the policies, procedures, practices and
organizational structures designed to provide reasonable assurance that
business objectives will be achieved and undesired events will be
prevented or detected and corrected.
IT control objectives provide a complete set of high-level requirements to
be considered by management for effective control of each IT process.
They:
• Are statements of managerial actions to increase value or reduce risk
• Consist of policies, procedures, practices and organizational structures
• Are designed to provide reasonable assurance that business objectives
will be achieved and undesired events will be prevented or detected and
corrected
64. COBIT is Controls based
The control objectives are identified by a two-character domain reference
(PO, AI, DS and ME) plus a process number and a control objective
number. In addition to the control objectives, each COBIT process has
generic control requirements that are identified by PCn, for process
control number. They should be considered together with the process
control objectives to have a complete view of control requirements.
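As an added illustration (not from the slides or from ISACA's own tooling), a small Python validator for the reference scheme described above: it parses process references (PO9), control objective references (DS5.3, using the dot COBIT 4.1 prints between process and objective number), and the PCn/ACn generic controls, checking the process number against the 34-process catalogue from the framework slide on this page and returning the process title. The count of control objectives per process is not checked, since the slides do not list it, and the sample finding references in the test are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 34 COBIT 4.1 processes, transcribed from the framework slide on this page.
CATALOGUE = """
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure compliance with external requirements
ME4 Provide IT governance
"""

GENERIC_COUNT = {"PC": 6, "AC": 6}  # PC1-PC6 and AC1-AC6 as listed on the slides

# Domain code + process number, optionally ".objective" (COBIT 4.1 prints e.g. DS5.3).
_PROCESS_REF = re.compile(r"^(PO|AI|DS|ME)([1-9]\d?)(?:\.([1-9]\d?))?$")
_GENERIC_REF = re.compile(r"^(PC|AC)([1-9]\d?)$")

def _load_catalogue(text: str) -> Dict[str, Dict[int, str]]:
    """Build {domain: {process number: title}} from the one-per-line catalogue."""
    table: Dict[str, Dict[int, str]] = {}
    for line in text.strip().splitlines():
        code, title = line.split(" ", 1)
        table.setdefault(code[:2], {})[int(code[2:])] = title
    return table

PROCESSES = _load_catalogue(CATALOGUE)

@dataclass(frozen=True)
class CobitRef:
    kind: str                 # "process", "control_objective" or "generic"
    prefix: str               # PO/AI/DS/ME, or PC/AC for generic controls
    number: int               # process number, or the n in PCn/ACn
    objective: Optional[int]  # control objective number, if the reference has one
    title: Optional[str]      # process title from the catalogue (None for PCn/ACn)

def parse_ref(text: str) -> CobitRef:
    """Parse and validate one COBIT reference; raise ValueError if it is malformed."""
    ref = text.strip().upper().replace(" ", "")
    m = _GENERIC_REF.match(ref)
    if m:
        prefix, n = m.group(1), int(m.group(2))
        if n > GENERIC_COUNT[prefix]:
            raise ValueError(f"{ref}: valid range is {prefix}1 to {prefix}{GENERIC_COUNT[prefix]}")
        return CobitRef("generic", prefix, n, None, None)
    m = _PROCESS_REF.match(ref)
    if not m:
        raise ValueError(f"{ref!r}: expected <PO|AI|DS|ME><process>[.<objective>], PCn or ACn")
    domain, n = m.group(1), int(m.group(2))
    if n not in PROCESSES[domain]:
        raise ValueError(f"{ref}: {domain} has processes {domain}1 to {domain}{len(PROCESSES[domain])}")
    obj = int(m.group(3)) if m.group(3) else None
    return CobitRef("control_objective" if obj else "process", domain, n, obj, PROCESSES[domain][n])

def is_valid_ref(text: str) -> bool:
    try:
        parse_ref(text)
        return True
    except ValueError:
        return False

def findings_per_domain(refs: List[str]) -> Dict[str, int]:
    """Count findings per COBIT domain, e.g. to see where control gaps cluster in an audit."""
    counts = {d: 0 for d in PROCESSES}
    for r in refs:
        parsed = parse_ref(r)
        if parsed.kind != "generic":
            counts[parsed.prefix] += 1
    return counts
```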
65. IT GENERAL CONTROLS AND APPLICATION CONTROLS
General controls are controls embedded in IT processes and services.
Examples include:
Systems development
Change management
Security
Computer operations
Controls embedded in business process applications are commonly
referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorization
66. Generic Control requirements
PC1 Process Goals and Objectives
Define and communicate specific, measurable, actionable, realistic, results-oriented
and timely (SMARRT) process goals and objectives for the effective
execution of each IT process. Ensure that they are linked to the business goals
and supported by suitable metrics.
PC2 Process Ownership
Assign an owner for each IT process, and clearly define the roles and
responsibilities of the process owner. Include, for example, responsibility for
process design, interaction with other processes, accountability for the end results,
measurement of process performance and the identification of improvement
opportunities.
PC3 Process Repeatability
Design and establish each key IT process such that it is repeatable and
consistently produces the expected results. Provide for a logical but flexible and
scalable sequence of activities that will lead to the desired results and is agile
enough to deal with exceptions and emergencies. Use consistent processes,
where possible, and tailor only when unavoidable.
67. Generic Control requirements
PC4 Roles and Responsibilities
Define the key activities and end deliverables of the process. Assign and
communicate unambiguous roles and responsibilities for effective and efficient
execution of the key activities and their documentation as well as accountability for
the process end deliverables.
PC5 Policy, Plans and Procedures
Define and communicate how all policies, plans and procedures that drive an IT
process are documented, reviewed, maintained, approved, stored, communicated
and used for training. Assign responsibilities for each of these activities and, at
appropriate times, review whether they are executed correctly. Ensure that the
policies, plans and procedures are accessible, correct, understood and up to date.
PC6 Process Performance Improvement
Identify a set of metrics that provides insight into the outcomes and performance of
the process. Establish targets that reflect on the process goals and performance
indicators that enable the achievement of process goals. Define how the data are
to be obtained.
68. Application Control
The following list provides a recommended set of application control objectives.
They are identified by ACn, for application control number.
AC1 Source Data Preparation and Authorization
Ensure that source documents are prepared by authorised and qualified personnel
following established procedures, taking into account adequate segregation of
duties regarding the origination and approval of these documents. Errors and
omissions can be minimised through good input form design. Detect errors and
irregularities so they can be reported and corrected.
AC2 Source Data Collection and Entry
Establish that data input is performed in a timely manner by authorised and
qualified staff. Correction and resubmission of data that were erroneously input
should be performed without compromising original transaction authorisation
levels. Where appropriate for reconstruction, retain original source documents for
the appropriate amount of time.
AC3 Accuracy, Completeness and Authenticity Checks
Ensure that transactions are accurate, complete and valid. Validate data that were
input, and edit or send back for correction as close to the point of origination as
possible.
69. Application Control
AC4 Processing Integrity and Validity
Maintain the integrity and validity of data throughout the processing cycle.
Detection of erroneous transactions does not disrupt the processing of valid
transactions.
AC5 Output Review, Reconciliation and Error Handling
Establish procedures and associated responsibilities to ensure that output is
handled in an authorised manner, delivered to the appropriate recipient, and
protected during transmission; that verification, detection and correction of the
accuracy of output occurs; and that information provided in the output is used.
AC6 Transaction Authentication and Integrity
Before passing transaction data between internal applications and
business/operational functions (in or outside the enterprise), check it for proper
addressing, authenticity of origin and integrity of content. Maintain authenticity and
integrity during transmission or transport.
70. Business and IT Controls
The enterprise’s system of internal controls impacts IT at three levels:
At the executive management level
business objectives are set, policies are established and decisions are made on
how to deploy and manage the resources of the enterprise to execute the
enterprise strategy. The overall approach to governance and control is established
by the board and communicated throughout the enterprise. The IT control
environment is directed by this top-level set of objectives and policies.
At the business process level
controls are applied to specific business activities. Most business processes are
automated and integrated with IT application systems, resulting in many of the
controls at this level being automated as well. These controls are known as
application controls. However, some controls within the business process remain
as manual procedures, such as authorization for transactions, separation of duties
and manual reconciliations.
71. Business and IT Controls
To support the business processes, IT provides IT services, usually in a shared
service to many business processes, as many of the development and operational
IT processes are provided to the whole enterprise, and much of the IT
infrastructure is provided as a common service (e.g., networks, databases,
operating systems and storage). The controls applied to all IT service activities are
known as IT general controls. The reliable operation of these general controls is
necessary for reliance to be placed on application controls.
74. COBIT Maturity Model
0 Non-existent
Complete lack of any recognizable processes. The enterprise has not
even recognized that there is an issue to be addressed.
1 Initial/Ad Hoc
There is evidence that the enterprise has recognized that the issues
exist and need to be addressed. There are, however, no standardized
processes; instead, there are ad hoc approaches that tend to be
applied on an individual or case-by-case basis. The overall approach
to management is disorganized.
2 Repeatable but Intuitive
Processes have developed to the stage where similar procedures are
followed by different people undertaking the same task. There is no
formal training or communication of standard procedures, and
responsibility is left to the individual. There is a high degree of reliance
on the knowledge of individuals and, therefore, errors are likely.
75. COBIT Maturity Model
3 Defined Process
Procedures have been standardized and documented, and communicated
through training. It is mandated that these processes should be followed;
however, it is unlikely that deviations will be detected. The procedures
themselves are not sophisticated but are the formalization of existing practices.
4 Managed and Measurable
Management monitors and measures compliance with procedures and takes
action where processes appear not to be working effectively. Processes are
under constant improvement and provide good practice. Automation and tools
are used in a limited or fragmented way.
5 Optimized
Processes have been refined to a level of good practice, based on the results
of continuous improvement and maturity modelling with other enterprises. IT is
used in an integrated way to automate the workflow, providing tools to improve
quality and effectiveness, making the enterprise quick to adapt.
78. Goals and metrics are defined in COBIT at three levels:
IT goals and metrics that define what the business expects from IT
and how to measure it
Process goals and metrics that define what the IT process must
deliver to support IT’s objectives and how to measure it
Activity goals and metrics that establish what needs to happen inside
the process to achieve the required performance and how to measure
it
80. Example of Goal relationship
The terms KGI and KPI, used in previous versions of COBIT, have been replaced with two
types of metrics:
Outcome measures, previously key goal indicators (KGIs), indicate whether the goals have
been met. These can be measured only after the fact and, therefore, are called ‘lag indicators’.
Performance indicators, previously key performance indicators (KPIs), indicate whether goals
are likely to be met. They can be measured before the outcome is clear and, therefore, are
called ‘lead indicators’.
86. COBIT Benefits
Better alignment, based on a business focus
A view, understandable to management, of what IT does
Clear ownership and responsibilities, based on process orientation
General acceptability with third parties and regulators
Shared understanding amongst all stakeholders, based on a
common language
91. Process Description
All changes, including emergency maintenance and patches,
relating to infrastructure and applications within the
production environment are formally managed in a controlled
manner. Changes (including those to procedures, processes,
system and service parameters) are logged, assessed and
authorized prior to implementation, and reviewed against
planned outcomes following implementation. This assures
mitigation of the risks of negatively impacting the stability or
integrity of the production environment.
96. Control Objectives
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user
documentation and procedures accordingly.
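The change management process described above (every change, emergency patches included, is logged, assessed and authorized before implementation, reviewed against its planned outcome afterwards, and under AI6.5 closed only once documentation is updated) and the separation-of-duties control mentioned under business process controls can both be enforced by the application itself rather than left to manual procedure. The following is an added example, not code from the slides or from the IBPM Group: a small change-record workflow whose state machine refuses any step that would bypass a required control. The change ids, person names and outcome strings are constructed sample values.

```python
"""Added example (not from the IBPM/COBIT slides): a change-record workflow
that enforces log -> assess -> authorize -> implement -> review -> close,
with separation of duties on authorization and a documentation check on
closure. Names, ids and outcomes are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class State(Enum):
    LOGGED = "logged"
    ASSESSED = "assessed"
    AUTHORIZED = "authorized"
    IMPLEMENTED = "implemented"
    REVIEWED = "reviewed"
    CLOSED = "closed"


class ControlViolation(Exception):
    """Raised when a step would bypass a required control."""


@dataclass
class ChangeRecord:
    change_id: str
    requester: str
    description: str
    planned_outcome: str
    emergency: bool = False          # emergency changes follow the same path
    state: State = State.LOGGED      # creating the record is the "logged" step
    risk: Optional[str] = None
    approver: Optional[str] = None
    actual_outcome: Optional[str] = None
    docs_updated: bool = False
    log: List[str] = field(default_factory=list)

    def _record(self, event: str) -> None:
        # Every transition is appended to the audit trail with a UTC timestamp.
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(f"{stamp} {self.change_id} {event}")

    def assess(self, risk: str) -> None:
        if self.state is not State.LOGGED:
            raise ControlViolation("assessment must follow logging")
        self.risk = risk
        self.state = State.ASSESSED
        self._record(f"assessed risk={risk}")

    def authorize(self, approver: str) -> None:
        if self.state is not State.ASSESSED:
            raise ControlViolation("authorization requires a completed assessment")
        if approver == self.requester:
            # Separation of duties: the requester may not approve their own change.
            raise ControlViolation("requester may not authorize own change")
        self.approver = approver
        self.state = State.AUTHORIZED
        self._record(f"authorized by {approver}")

    def implement(self) -> None:
        # The emergency flag only annotates the log; it never skips authorization.
        if self.state is not State.AUTHORIZED:
            raise ControlViolation("implementation without prior authorization")
        self.state = State.IMPLEMENTED
        self._record("implemented" + (" (emergency)" if self.emergency else ""))

    def review(self, actual_outcome: str) -> bool:
        """Post-implementation review; returns whether the planned outcome was met."""
        if self.state is not State.IMPLEMENTED:
            raise ControlViolation("review only after implementation")
        self.actual_outcome = actual_outcome
        self.state = State.REVIEWED
        matched = actual_outcome == self.planned_outcome
        self._record(f"reviewed matched_plan={matched}")
        return matched

    def close(self, docs_updated: bool) -> None:
        # AI6.5: closure requires the system and user documentation to be updated.
        if self.state is not State.REVIEWED:
            raise ControlViolation("closure requires post-implementation review")
        if not docs_updated:
            raise ControlViolation("documentation must be updated before closure")
        self.docs_updated = True
        self.state = State.CLOSED
        self._record("closed with documentation updated")


def demo_compliant_change() -> ChangeRecord:
    """Walk a constructed sample change through every required step."""
    chg = ChangeRecord("CHG-0001", "alice", "Apply OS patch to app-01",
                       planned_outcome="app-01 patched, service restored")
    chg.assess("medium")
    chg.authorize("bob")        # bob != alice, so separation of duties holds
    chg.implement()
    chg.review("app-01 patched, service restored")
    chg.close(docs_updated=True)
    return chg


if __name__ == "__main__":
    for line in demo_compliant_change().log:
        print(line)
```

The point of the example is that the control lives in the transition checks, not in the people following a procedure: an unauthorized implementation, a self-approval or a closure without documentation raises ControlViolation and leaves no way to reach the closed state, while the log gives the reviewer the evidence the process description asks for.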
99. Input-output Matrix
(Figure: the process input-output matrix, showing outputs going to other processes and inputs coming from other processes.)
100. Managing the Life Cycle
Whilst COBIT represents the life cycle of
IT investments, it must also manage
inter-process interdependencies.
(Figure: life cycle diagram of the PO, AI and DS domains.)