Evaluate, Direct &

Monitor!
EDM1 Set and Maintain the
Governance Framework
1. Evaluate the design of the enterprise
governance of IT
2. Direct the governance system.
3. Monitor the governance system.
EDM2 Ensure Value Optimisation
1. Evaluate value optimisation.
2. Direct value optimisation.
3. Monitor value optimisation.
EDM3 Ensure Risk Optimisation
1. Evaluate risk management.
2. Direct risk management.
3. Monitor IT risk management.
EDM4 Ensure Resource Optimisation
1. Evaluate IT resourcing strategies.
2. Direct resource management.
3. Monitor resource management.
EDM5 Ensure Stakeholder
Transparency
1. Evaluate stakeholder reporting
requirements.
2. Direct stakeholder communication and
reporting.
3. Monitor stakeholder communication.

Align, Plan &

Organise!
APO1 Define the Management
Framework for IT
1. Define the organisational structure.
2. Establish roles and responsi0.6bilities.
3. Maintain the enablers of the
management system.
4. Communicate management objectives
and direction.
5. Optimise the placement of the IT
function.

6. Define information (data) and system

ownership.
7. Manage continual improvement of
processes.
8. Ensure compliance with policies and
procedures.
APO2 Define Strategy
1. Understand enterprise direction.
2. Assess the current environment,
capabilities and performance.
3. Define the target IT capabilities.
4. Conduct a gap analysis.
5. Define the strategic plan and road map.
6. Communicate the IT strategy and
direction.
APO3 Manage Enterprise Architecture
1. Develop the enterprise architecture
vision.
2. Define reference architecture.
3. Select opportunities and solutions.
4. Define architecture implementation.
5. Provide enterprise architecture services.
APO4 Manage Innovation
1. Create an environment conducive to
innovation.
2. Maintain an understanding of the
enterprise environment.
3. Monitor and scan the technology
environment.
4. Assess the potential of emerging
technologies and innovation ideas.
5. Recommend appropriate further
initiatives.
6. Monitor the implementation and use of
innovation.
APO5 Manage Portfolio
1. Establish target investment mix.
2. Determine the availability and sources of
funds.
3. Evaluate and select programmes to
fund.

4. Monitor, optimise and report on

investment portfolio performance.
5. Maintain portfolios.
6. Manage benefits achievement.
APO6 Manage Budget and Cost
1. Manage finance and accounting.
2. Prioritise resource allocation.
3. Create and maintain budgets.
4. Model and allocate costs.
5. Manage costs.
APO7 Manage Human Resources
1. Maintain adequate and appropriate
staffing.
2. Identify key IT personnel.
3. Maintain the skills and competencies of
personnel.
4. Evaluate employee job performance.
5. Plan and track the usage of IT and
business human resources.
6. Manage contract staff.
APO8 Manage Relationships
1. Understand business expectations.
2. Identify opportunities, risks and
constraints for IT to enhance the
business.
3. Manage business relationship.
4. Coordinate and communicate.
5. Provide input to the continual
improvement of services.

Cobit 5
Domains - Processes - Best Practices

COBIT is a registered trademark by ISACA (http://www.isaca.org/), COBIT 5 Information according to Exposure Draft June 2011

APO9 Manage Service Agreements

1. Identify IT services.
2. Define IT services and maintain the
service portfolio.
3. Catalogue ITenabled services.
4. Define and prepare service agreements.
5. Monitor and report service levels.
6. Review service agreements and
contracts.
APO10 Manage Suppliers
1. Identify and evaluate supplier
relationships and contracts.
2. Select suppliers.
3. Manage supplier relationships and
contracts.
4. Manage supplier risk.
5. Monitor supplier performance and
compliance.
APO11 Manage Quality
1. Establish a quality management system.
2. Define and manage quality standards,
practices and procedures.
3. Focus quality management on
customers.
4. Perform quality monitoring, control and
reviews.
5. Integrate quality management into
solutions for development and service
delivery.
6. Ensure continuous improvement.
APO12 Manage Risk
1. Collect data.
2. Analyse risk.
3. Maintain a risk profile.
4. Articulate risk.
5. Define a risk management action
portfolio.
6. Respond to risk.

Build, Acquire and

Implement!
BAI1 Manage Programmes and
Projects
1. Maintain a standard approach for
Programme and project management.
2. Initiate a programme.
3. Manage stakeholder engagement.
4. Develop and maintain the programme
plan.
5. Launch and execute the programme.
6. Monitor, control and report on the
programme outcomes.
7. Start up and initiate projects within a
programme.
8. Plan projects.
9. Manage programme and project quality.
10. Manage programme and project risk.
11. Monitor and control a project.
12. Execute a project.
13. Close a project.
14. Close a programme.
BAI2 Define Requirements
1. Define and maintain business functional
and technical requirements.
2. Perform a feasibility study and formulate
alternative solutions.
3. Manage requirements risk.
4. Obtain approval of requirements and
solutions.
BAI3 Identify and Build Solutions
1. Design high-level solutions.
2. Design detailed solution components.
3. Develop solution components.
4. Procure solution components.
5. Build solutions.
6. Perform quality assurance.
7. Prepare for solution testing.
8. Execute solution testing.
9. Manage changes to requirements.
10. Maintain solutions.

naber consulting www.naber.at Tel +43 1 524 94 84

BAI4 Manage Availability and Capacity

1. Assess current availability, performance
and capacity and create a baseline.
2. Assess business impact.
3. Plan for new or changed service
requirements.
4. Monitor and review availability and
capacity.
5. Investigate and address availability,
performance and capacity issues.
BAI5 Enable Organisational Change
1. Establish the desire to change.
2. Form an effective implementation team.
3. Communicate desired vision.
4. Empower role players and identify
short-term wins.
5. Enable operation and use.
6. Embed new approaches.
7. Sustain changes.
BAI6 Manage changes
1. Perform impact assessment; prioritise
and authorise changes.
2. Manage emergency changes.
3. Track and report change status.
4. Close and document the changes.
BAI7 Accept and Transition of Change
1. Establish an implementation plan.
2. Plan business process, system and data
conversion.
3. Plan acceptance tests.
4. Establish a test environment.
5. Perform acceptance tests.
6. Promote to production and manage
releases.
7. Provide early production support.
8. Perform a post-implementation review.
BAI8 Knowledge Management
1. Nurture and facilitate a knowledgesharing culture
2. Identify and classify sources of
information.

3. Organise and contextualise information

into knowledge.
4. Use and share knowledge.
5. Evaluate and retire information.

Deliver, Service and

Support!
DSS1 Manage Operations
1. Maintain regular operational
procedures.
2. Manage outsourced IT services.
3. Monitor IT infrastructure.
4. Manage the environment.
5. Manage facilities.
DSS2 Manage Assets
1. Identify and record current assets.
2. Manage critical assets.
3. Manage the asset life cycle.
4. Optimise asset costs.
5. Manage licences.
DSS3 Manage Configuration
1. Establish and maintain a configuration
model.
2. Establish and maintain a configuration
repository and baseline.
3. Maintain and control configuration
items.
4. Produce status and configuration
reports.
5. Verify and review integrity of the
configuration repository.
DSS4 Manage Service Requests and
Incidents
1. Define incident and service request
classification schemes.
2. Record, classify and prioritise requests
and incidents.
3. Verify, approve and fulfil service
requests.
4. Investigate, diagnose and allocate
incidents.

5. Resolve and recover from incidents.

6. Close service requests and incidents.
7. Track status and produce reports.
DSS5 Manage Problems
1. Identify and classify problems.
2. Investigate and diagnose problems.
3. Raise known errors.
4. Resolve and close problems.
5. Perform proactive problem
management.
DSS6 Manage Continuity
1. Define the business continuity policy,
objectives and scope.
2. Maintain a continuity strategy.
3. Develop and implement a business
continuity response.
4. Ensure continuity of operations.
5. Exercise, test and review the business
continuity plan.
6. Review, maintain and improve the
continuity plan.
7. Conduct continuity plan training.
8. Manage backup arrangements.
9. Conduct post-resumption review.
DSS7 Manage Security
1. Protect against malware.
2. Manage network and connectivity
security.
3. Manage endpoint security.
4. Manage user identity and access.
5. Manage physical security.
6. Manage sensitive documents and output
devices.
7. Manage information security incidents.
8. Manage information handling.
DSS8 Manage Business Process
Controls
1. Control the processing of business
information.
2. Manage roles, responsibilities, access
privileges and levels of authority.

COBIT is a registered trademark by ISACA (http://www.isaca.org/), COBIT 5 Information according to Exposure Draft June 2011

3. Manage errors and exceptions.

4. Ensure traceability of Information
events and accountabilities.
5. Protect information assets.

Monitor, Evaluate
and Assess!
MEA1 Monitor and Evaluate
Performance and Conformance
1. Establish a monitoring approach.
2. Set performance and conformance
targets.
3. Collect and process performance and
conformance data.
4. Analyse and report performance.
5. Ensure the implementation of corrective
actions.
MEA2 Monitor System of Internal
Control
1. Monitor internal controls.
2. Review business process controls
effectiveness.
3. Perform control self-assessments.
4. Identify and report control deficiencies.
5. Ensure that assurance providers are
independent and qualified.
6. Plan assurance initiatives.
7. Scope assurance initiatives.
8. Execute assurance initiatives.
MEA3 Monitor and Evaluate
Compliance with External
Requirements
1. Identify external compliance
requirements.
2. Optimise response to external
requirements.
3. Confirm external compliance.
4. Assure external compliance.

naber consulting www.naber.at Tel +43 1 524 94 84