COBIT 5: Framework, BMIS, Implementation and future Information Security Guidance Presented by
COBIT–The ISACA Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risk. COBIT enables clear policy development and good practice for IT control throughout organisations. COBIT emphasises regulatory compliance, helps organisations to increase the value attained from IT, enables alignment and simplifies implementation of the enterprise's IT governance and control framework. For more information:
COBIT 4.1–The ISACA Framework
Issued in 2007
An IT governance and management framework
Focus on processes as the key enabler
Source: COBIT® 4.1, figure 23. © 2007 IT Governance Institute® All rights reserved.
COBIT 5–The NEW Version COBIT 5 is a major strategic improvement providing the next generation of ISACA guidance on the governance and management of enterprise information technology (IT) assets. Building on more than 15 years of practical application, ISACA designed COBIT 5 to meet the needs of stakeholders, and to align with current thinking on enterprise governance and management techniques as they relate to IT. For more information:
COBIT 5 Product Family–The Overarching Framework Product Source: COBIT® 5, figure 1. © 2012 ISACA® All rights reserved.
COBIT 5: Value Creation Delivering enterprise stakeholder value requires good governance and management of IT assets—including information security arrangements. External legal, regulatory and contractual compliance requirements (sometimes covering information security requirements) related to enterprise use of information and technology are increasing, threatening value if breached. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT – providing a sound basis for information security arrangements.
The COBIT 5 Framework
Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility and considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 Principles and Enablers COBIT 5 Enterprise Enablers Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
COBIT 5 Product Family–The Detailed Process Guidance is Still There Source: COBIT® 5: Enabling Processes, figure 1. © 2012 ISACA® All rights reserved.
COBIT 5 Enabling Processes Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
COBIT 5–Integrates Earlier ISACA Frameworks
COBIT 5 has clarified management level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model.
(Figure: COBIT 4.1, Val IT 2.0 and Risk IT consolidated into COBIT 5)
COBIT 5–Integrates BMIS Components Too COBIT 5 has also taken the valuable holistic, interrelated component model approach from the Business Model for Information Security (BMIS) work and incorporated it into the framework components. COBIT 5 Source: BMIS®, figure 2. © 2010 ISACA® All rights reserved.
BMIS Introduction
Business Model for Information Security (BMIS): a holistic and business-oriented approach to managing information security, and a common language for information security and business management to talk about information protection. BMIS challenges conventional thinking and enables you to creatively re-evaluate your information security investment. The Business Model for Information Security provides an in-depth explanation of a holistic business model that examines security issues from a systems perspective. For more information:
COBIT 5 Integrates BMIS Components
Several of the BMIS components are now integrated within COBIT 5 as interacting enablers that support the enterprise in achieving its business goals and creating stakeholder value:
Organisation
Process
People
Human Factors
Technology
Culture
COBIT 5 Integrates BMIS Components (cont)
The remaining BMIS components are related to the larger aspects of the COBIT 5 framework:
Governing—The dimensions of governance activities (evaluate, direct, monitor—ISO/IEC 38500) are addressed at the enterprise level in the COBIT 5 framework
Architecture (including a process model)—COBIT 5 includes the need to address enterprise architecture aspects to link organisation and technology effectively
Emergence—The holistic and integrated nature of the COBIT 5 enablers supports the enterprise in adapting to changes in both stakeholder needs and enabler capabilities as necessary
COBIT 5 Product Family—Includes Implementation Guidance Source: COBIT® 5 Implementation, figure 1. © 2012 ISACA® All rights reserved.
COBIT 5 Implementation The improvement of the governance of enterprise IT (GEIT) is widely recognised by top management as an essential part of enterprise governance. Information and the pervasiveness of information technology are increasingly part of every aspect of business and public life. The need to drive more value from IT investments and manage an increasing array of IT-related risk, including often cited security risk, has never been greater. Increasing regulation and legislation over business use and security of information is also driving heightened awareness of the importance of well-governed, managed and secure IT use.
COBIT 5 Implementation (cont.) ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5—including many focused on information security. However, frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully. COBIT 5 Implementation provides guidance on how to do this.
COBIT 5 Implementation (cont.)
COBIT 5 Implementation covers the following subjects:
Positioning GEIT within an enterprise
Taking the first steps towards improving GEIT
Implementation challenges and success factors
Enabling GEIT-related organisational and behavioural change
Implementing continual improvement that includes change enablement and programme management
Using COBIT 5 and its components
COBIT 5 Implementation (cont.) Source: COBIT® 5 Implementation, figure 6. © 2012 ISACA® All rights reserved.
COBIT 5 Product Family—Includes an Information Security Member Source: COBIT® 5, adapted from figure 11. © 2012 ISACA® All rights reserved.
COBIT 5 and Information Security
COBIT 5 addresses information security specifically: the focus on an information security management system (ISMS) in the align, plan and organise (APO) management domain, through process APO13 Manage security, establishes the prominence of information security within the COBIT 5 process framework. This process highlights the need for enterprise management to plan and establish an appropriate ISMS to support the information security governance principles and the security-impacted business objectives that result from the evaluate, direct and monitor (EDM) governance domain.
COBIT 5 for Information Security (cont) COBIT 5 for Information Security will be an extended view of COBIT 5 that explains each component of COBIT 5 from an information security perspective. Additional value for information security constituents will be created through additional explanations, activities, processes and recommendations. The COBIT 5 for Information Security deliverable will be a view of information security governance and management that will provide security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise.
COBIT 5 for Information Security (cont)
What content will be included in the guide?
Guidance on the enterprise business drivers and benefits related to information security
How the COBIT 5 principles can be viewed and applied from an information security professional's perspective
How the COBIT 5 enablers can be used by information security professionals to support enterprise governance and management of information security arrangements
How COBIT 5 for Information Security guidance aligns with other information security standards
COBIT 5 for Information Security (cont) At what stage of development is COBIT 5 for Information Security? Development has been underway for some time and a draft delivered for subject matter expert (SME) review in January 2012. The COBIT Security Task Force met in February 2012 to review and incorporate SME feedback into the product. Expectation is that the COBIT 5 for Information Security professional guide will be available in July 2012.
Thank you for listening! If you have questions about ISACA publications and ongoing research, please contact: ISACA Research Department Phone: +1.847.660.5630 Fax: +1.847.253.1443 Email: