COBIT 5 PRINCIPLES: WHERE DID THEY COME FROM?

ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA),

Provide feedback: www.isaca.org/COBIT5-Principles
DISCLAIMER
ISACA has designed and created the COBIT 5 Principles: Where Did They Come From? white paper (the Work) primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.
ACKNOWLEDGMENTS
Development Team
University of Antwerp / Antwerp Management School, Belgium
University of Hawaii at Manoa, USA
Expert Reviewers
Steven A. Babb; Ramses Gallego; Theresa Grafenstine; Vittal R. Raj; Tony Hayes; Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore; Gregory T. Grocholski; Jimmy Heschl; Debbie A. Lew; Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil; Steven A. Babb; Garry J. Barnes; Robert A. Clyde
Knowledge Board
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore; Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA; Anthony P. Noble, CISA, Viacom, USA; Jamie Pasfield
Framework Committee
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore, Chairman; David Cau; Jimmy Heschl; Katherine McIntosh, CISA, CIA, Central Hudson Gas & Electric Corp., USA; Steven A. Babb; Rosemary M. Amato; Charlie Blanchard; Andre Pitkowski; Sylvia Tosar, CGEIT, PMP, Uruguay; Tichaona Zororo; Steven A. Babb; Frank J. Cindrich
INTRODUCTION
COBIT 5 is an internationally accepted framework from ISACA for the governance and management of enterprise information and related technology (GEIT). It was developed by, and for, practitioners and includes insights from IT and general management literature. This white paper helps practitioners understand the COBIT 5 principles (figure 1) and, therefore, be more efficient and effective in applying the COBIT 5 GEIT framework to their enterprises. It explains how the principles of COBIT 5 are built on sound, accepted IT and general governance and management guidance and practices.
PRINCIPLE 1
Figure (balanced scorecard perspectives): Financial; Customer; Internal; Learning and Growth

[1] Kaplan, R.; D. Norton; The Balanced Scorecard - Measures That Drive Performance, Harvard Business Review, USA, 1992
[2] Van Grembergen, W.; R. Saul; S. De Haes; Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group, Journal for Information Technology Cases and Applications, USA, 2003
[3] Balanced Scorecard Institute, a Strategy Management Group company, USA, 1998-2014, https://balancedscorecard.org
PRINCIPLE 2
COVERING THE ENTERPRISE END-TO-END

[4] Weill, P.; J. Ross; IT Savvy: What Top Executives Must Know to Go From Pain to Gain, Harvard Business Press, USA, 2009
[5] Ibid.
[6] Ibid.

Figure 3: COBIT 5 RACI Chart Example
The chart's columns are roles, grouped into business roles and IT function roles; the roles visible in the extract are Board, Business Executives, Architecture Board, Compliance, Audit, Privacy Officer, Head Architect, Head Development, Head IT Operations, Head IT Administration and Service Manager. The R/A/C/I entries in the cells did not survive extraction. The rows are the APO01 management practices:
APO01.01 Define the organisational structure.
APO01.02 Establish roles and responsibilities.
APO01.03 Maintain the enablers of the management system.
APO01.04 Communicate management objectives and direction.
APO01.05 Optimise the placement of the IT function.
APO01.06 Define information (data) and system ownership.
APO01.07 Manage continual improvement of processes.
APO01.08 Maintain compliance with policies and procedures.
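A RACI chart is only useful if every practice has exactly one accountable role and at least one responsible role; an auditor reviewing a chart like figure 3 checks those two rules first. The script below is an added example, not ISACA's code: it runs those checks over a constructed chart. The practice IDs and role names follow the APO01 excerpt above, but the R, A, C and I assignments are invented for illustration (one row is deliberately malformed) and are not COBIT 5's own chart.

```python
"""RACI chart consistency checks.

Added example, not ISACA's code. SAMPLE_RACI is CONSTRUCTED: practice IDs and
role names follow the APO01 excerpt, but the letters are invented and are not
COBIT 5's own assignments.
"""
from collections import defaultdict

# Constructed sample chart: practice -> {role: letter}. Not the COBIT 5 chart.
SAMPLE_RACI = {
    "APO01.01": {"Board": "A", "Business Executives": "R",
                 "Head Architect": "C", "Audit": "I"},
    "APO01.02": {"Board": "A", "Business Executives": "R",
                 "Head IT Operations": "C", "Compliance": "I"},
    "APO01.06": {"Business Executives": "A", "Head IT Administration": "R",
                 "Privacy Officer": "C", "Audit": "I"},
    # Deliberately malformed row: two accountable roles and nobody responsible.
    "APO01.08": {"Compliance": "A", "Audit": "A", "Head IT Operations": "I"},
}

VALID_LETTERS = {"R", "A", "C", "I"}


def validate_raci(chart):
    """Return {practice: [problem, ...]} for rows that break the RACI rules.

    Rules checked: only R/A/C/I letters are used, exactly one role is
    accountable (A) per practice, and at least one role is responsible (R).
    An empty dict means the chart passed.
    """
    problems = defaultdict(list)
    for practice, row in chart.items():
        bad = {role: v for role, v in row.items() if v not in VALID_LETTERS}
        if bad:
            problems[practice].append(f"unknown letters: {bad}")
        accountable = [r for r, v in row.items() if v == "A"]
        responsible = [r for r, v in row.items() if v == "R"]
        if len(accountable) != 1:
            problems[practice].append(
                f"expected exactly one A, found {len(accountable)}: {accountable}")
        if not responsible:
            problems[practice].append("no role is R (nobody does the work)")
    return dict(problems)


def workload_by_role(chart):
    """Count R and A assignments per role, to spot roles that hold too much."""
    load = defaultdict(lambda: {"R": 0, "A": 0})
    for row in chart.values():
        for role, letter in row.items():
            if letter in ("R", "A"):
                load[role][letter] += 1
    return {role: dict(counts) for role, counts in load.items()}


if __name__ == "__main__":
    for practice, issues in validate_raci(SAMPLE_RACI).items():
        for issue in issues:
            print(f"{practice}: {issue}")
    print(workload_by_role(SAMPLE_RACI))
```

On the constructed chart the validator flags only APO01.08 (two accountable roles, no responsible role); the workload summary shows the Board accountable for two practices, which is the kind of concentration a reviewer would question against the chart's business/IT split.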
PRINCIPLE 3
APPLYING A SINGLE INTEGRATED FRAMEWORK
The third principle highlights the need to use an overall single, integrated GEIT framework to deliver the optimum value from the IT assets and resources used.
COBIT 5 aligns with other relevant standards and frameworks at a high level and, thus, can serve as the overarching framework for GEIT (figure 4). ISACA made a major investment over the years to align COBIT with other standards and frameworks, including:
ISO/IEC 38500:2008 [7]
ISO/IEC 27001:2013 [8]
ISO/IEC 20000 [9]
ISO 31000 series [10]
ISO 9001:2008 [11]
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework [12]
IT Infrastructure Library (ITIL V3) [13]
Project Management Body of Knowledge (PMBOK) [14]
Data Management Body of Knowledge (DMBOK) [15]
The Open Group Architecture Framework (TOGAF 9) [16]
Projects in Controlled Environments (PRINCE2) [17]

[7] ISO, ISO/IEC 38500:2008 Corporate governance of information technology, Switzerland, 2008, www.iso.org
[8] ISO, ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements, Switzerland, 2013, www.iso.org
[9] ISO, ISO/IEC 20000-1:2011 Information technology - Service management - Part 1: Service management system requirements, Switzerland, 2011, www.iso.org
[10] ISO, ISO 31000:2009 Risk management - Principles and guidelines, Switzerland, 2009, www.iso.org
[11] ISO, ISO 9001:2008 Quality management systems - Requirements, Switzerland, 2008, www.iso.org
[12] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework (2013), USA, 2013, www.coso.org/IC.htm
[13] ITIL Home, Welcome to the Official ITIL Website, UK, www.itil-officialsite.com
[14] Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK), USA, 2008
[15] Data Management Association International (DAMA), The DAMA Guide to the Data Management Body of Knowledge (DMBOK), USA, 2009
[16] The Open Group, TOGAF 9, UK, 2009, www.opengroup.org/togaf
[17] PRINCE2 - Projects In Controlled Environments Home, Welcome to the Official PRINCE2 Website, UK, www.prince-officialsite.com
PRINCIPLE 4

[18] De Wit, B.; R. Meyer; Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage, Cengage Learning EMEA, USA, 2005
[19] Peterson, R.; Crafting Information Technology Governance, Information Systems Management, USA, 2004
[20] De Haes, S.; W. Van Grembergen; An Exploratory Study Into IT Governance Implementations and Its Impact on Business/IT Alignment, Information Systems Management, USA, 2009
PRINCIPLE 5
SEPARATING GOVERNANCE FROM MANAGEMENT
Finally, COBIT 5 makes a distinction between governance and management. This distinction aligns with the guidance in ISO/IEC 38500:2008 [21].
In COBIT 5, ISACA states for the first time that GEIT processes encompass different types of activities. The governance processes are organized following the evaluate, direct and monitor (EDM) model, as proposed by ISO/IEC 38500. IT governance processes ensure that enterprise goals are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. Based on the results, guidance and output from these governance activities, business and IT management plans, builds, runs and monitors activities (PBRM) to ensure alignment with the direction that was set by the governance body and, thus, achieve the enterprise objectives (figure 6).

Figure 6: Governance (Evaluate, Direct, Monitor) sets direction for Management (Plan: APO; Build: BAI; Run: DSS; Monitor: MEA), and management feedback flows back to governance.

[21] ISO, ISO/IEC 38500:2008 Corporate governance of information technology, Switzerland, 2008, www.iso.org
CONCLUSION
GEIT is the board's accountability and responsibility, and the execution of the set direction is management's accountability and responsibility [22]. COBIT 5 is primarily a business GEIT framework made by, and for, practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, the balanced scorecard, IT savviness and organizational systems.
The core elements of COBIT 5 are built on these IT and general management insights. Practitioners can use the insights in this white paper and its references to apply COBIT 5 principles and guidance in their enterprises.

[22] Van Grembergen, W.; S. De Haes; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009