The Differences Between COBIT 4.1 and COBIT 5

Upgrading to the most recent version of COBIT provides enterprises with numerous benefits unavailable in past releases

Abstract

The release of COBIT 5, developed by ISACA, truly represents a next-generation evolution of the well-known and highly regarded COBIT framework. It is a departure from the previous edition, COBIT 4.1, because COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise. It takes in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of all internal and external stakeholders. COBIT 5 can now be the framework for all of the frameworks and standards employed in the enterprise. Because COBIT 5 considers the full enterprise view, it offers guidance for both governance and management activities. To explain the sweeping changes and the enhanced benefits of COBIT 5, this whitepaper will detail the specific differences between 4.1 and 5 as well as the thinking behind these important changes. Central to COBIT 5 is the governance objective of value creation.

Introduction

Since 1996, the COBIT framework has undergone multiple evolutions as it adapts to the needs of a changing marketplace. The original COBIT and later its 2nd edition from 1998 were known as IT audit and control frameworks. The focus was placed on control objectives. In 2000, COBIT's 3rd edition debuted as an IT management framework, featuring newly added management guidelines. When COBIT 4.0 and COBIT 4.1 were released in 2005 and 2007, respectively, more adjustments were made. The assurance processes were removed. In return, governance and compliance processes were added, making COBIT 4.1 an IT governance framework.

COBIT 5 represents a culmination of these previous releases, as well as the incorporation of numerous other standards and frameworks, into the ultimate framework for the governance and management of enterprise IT. COBIT 4.1, Val IT, Risk IT and BMIS users who are already engaged in governance of enterprise IT (GEIT) implementation activities can transition to COBIT 5 and benefit from the latest and improved guidance that it provides during the next iterations of their enterprise's improvement life cycle. Since COBIT 5 builds on previous versions of COBIT (and Val IT, Risk IT and BMIS), enterprises can also build on what they have developed using earlier versions.

Most enterprise stakeholders and executive management are aware of the importance of the general control frameworks with respect to their fiduciary responsibility, such as Committee of Sponsoring Organizations of the Treadway Commission (COSO), Code of Connection (CoCo), the UK Corporate Governance Code, King III, etc.; however, enterprise stakeholders and executive management may not necessarily be aware of the details of each framework. In addition, enterprise managers are increasingly aware of the more technical security guidance, such as the ISO/IEC series, and service delivery guidance, such as ITIL. Although the aforementioned standards and frameworks emphasize business control, IT security, and service management and delivery issues in specific areas of enterprise IT-related activity, only COBIT 5 integrates all functions and processes that establish the governance of enterprise IT (GEIT) into overall enterprise governance and from a business perspective. COBIT 5 is not meant to replace any of these frameworks or standards. It is intended to emphasize what governance and management elements and practices are required to create value from information and technology in support of enterprise business goals.

To assure the high quality of COBIT 5, several measures were taken, most importantly:
- The entire research process was overseen by both ISACA's Knowledge Board and Framework Committee, which were responsible for overseeing all ISACA framework research development.
- The detailed research results and deliverables were quality-controlled throughout the development process by a dedicated task force of experienced volunteer professionals.
- A draft design document was issued for public exposure, and the feedback was integrated into the development work to produce the final COBIT 5 products.
- Before being issued, the draft development products were distributed to more than 100 subject matter experts around the world to obtain their professional review.
- Once ready, draft versions of COBIT 5 and COBIT 5: Enabling Processes were made available to the public for review. Workshops were held in London and Washington DC; more than 650 people contributed their feedback. Many good comments were received, suggesting further improvements for consideration.
- Survey questions concerning the level of satisfaction with the work at the draft stage were included in the public exposure activity, with 79 percent of the responses being positive.
- Based on the review comments, the development team made changes as appropriate.
- The final product was reviewed by COBIT 5 Task Force members, the Framework Committee and the Knowledge Board.

COBIT 5 Governance Objective: Value Creation

The development of COBIT 5 was driven by this central concept: enterprises exist to create value for their stakeholders. Consequently, any enterprise, commercial or not, will have value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk. Information and technology are used to bring benefits to enterprises. In doing so, enterprises and their executives strive to:
- Maintain quality information to support business decisions
- Generate business value from IT-enabled investments (i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT)
- Achieve operational excellence through reliable and efficient application of technology
- Maintain IT-related risk at an acceptable level
- Optimize the cost of IT services and technology

When these benefits are properly realized, enterprises are in a position to create value for their stakeholders. Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. In addition, enterprise boards, executives and management have to embrace IT like any other significant part of the business. Moreover, external legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.

COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT. Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

[Figure: The Governance Objective: Value Creation. Source: COBIT 5, ISACA. All rights reserved.]

Meeting Stakeholder Needs through the Goals Cascade

Once stakeholder needs have been recognized, those needs must be transformed into an enterprise's strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals within the context of the enterprise, IT-related goals and enabler goals.

[Figure: COBIT 5 Goals Cascade Overview. Source: COBIT 5, ISACA. All rights reserved.]

First, stakeholder needs can be related to a set of generic enterprise goals. These generic enterprise goals have been developed using the Balanced Scorecard (BSC) dimensions.[1] Although this list is not exhaustive, most enterprise-specific goals can be easily mapped onto one or more of the generic enterprise goals.

The goals cascade is not new to COBIT 5; it was introduced in COBIT 4.0 in [year missing from source]. Some COBIT 4.0 users who have applied the thinking to their enterprises have found value. But not everyone was able to recognize this value. So the goals cascade has been given greater importance in the COBIT 5 release, making it prominent early in the COBIT 5 guidance because it supports the COBIT 5 stakeholder needs principle that is fundamental to COBIT 5.

[1] Kaplan, Robert S.; Norton, David P.; The Balanced Scorecard: Translating Strategy into Action, Harvard University Press, USA, 1996

[Figure: Source: COBIT 5, ISACA. All rights reserved.]

COBIT 5: A Framework for the Governance and Management of Enterprise IT

One of the most important changes to the COBIT framework is COBIT 5's separation of governance and management domains:
- Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
- Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

COBIT 5 uses a Process Reference Model that subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes:
- The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. (ISO/IEC 38500)
- The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM). (ISO/IEC 15504)

[Figure: COBIT 5 Governance and Management Key Areas. Source: COBIT 5, ISACA. All rights reserved.]

New Changes Introduced in the COBIT 5 Release

The move from COBIT 4.1 to COBIT 5 saw major changes in the framework's content and how it may impact GEIT implementation/improvement. These changes consist of:
- New GEIT Principles
- Increased Focus on Enablers
- New Process Reference Model
- Control Objectives Updated
- New and Modified Processes
- Practices and Activities
- Goals and Metrics
- Inputs and Outputs at the Practice Level
- Expanded RACI Charts with Business and IT Roles
- Process Capability Model

New GEIT Principles: In preparing the new COBIT 5 release, experts recognized that the Val IT and Risk IT frameworks are principles-based. Furthermore, feedback indicated that principles are easy to understand and put into an enterprise context, allowing value to be derived from the supporting guidance more effectively. (ISO/IEC also incorporates principles to underpin its messages to achieve the same market benefit delivery, although the principles in this standard and COBIT 5 are not the same.) So the new foundation of this framework is supported by the COBIT 5 Principles.

[Figure: COBIT 5 Principles. Source: COBIT 5, ISACA. All rights reserved.]

[Figure: COBIT 5 Enterprise Enablers. Source: COBIT 5, ISACA. All rights reserved.]

Increased Focus on Enablers: COBIT 5 also introduces seven new enablers. COBIT 4.1 did not have enablers, but COBIT 4.1 users might recognize some common elements that evolved into more formal guidance in COBIT 5. COBIT 4.1 discussed three resources, which are now referred to as enablers. COBIT 5 introduced four new enablers for a total of seven in the framework. COBIT 4.1 resources were known as Services and People; COBIT 5 has further defined and detailed these categories. In addition, Principles, Policies and Frameworks were mentioned in a few COBIT 4.1 processes, and Processes were central to COBIT 4.1 use. COBIT 5's organizational structure was implied through the responsible, accountable, consulted or informed (RACI) roles and their definitions found in COBIT 4.1. Culture, Ethics and Behavior were also mentioned in a few COBIT 4.1 processes.

New Process Reference Model (PRM): COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end (i.e., business and IT function areas). COBIT 5 consolidates COBIT 4.1, Val IT, Risk IT and BMIS into one framework, and has been updated to align with current best practices (e.g., ITIL V3 2011, TOGAF). The new model can be used as a guide for adjusting as necessary the enterprise's own process model (just like COBIT 4.1).

Control Objectives Updated: The control objectives found in COBIT 4.1 can be found in COBIT 5, but now they are called management practices. The content was expanded, and the COBIT 4.1 control practices were updated and moved into the PRM for user convenience.

New and Modified Processes: COBIT 5 introduces five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches. This guidance helps enterprises to further refine and strengthen executive management-level GEIT practices and activities. In addition, the governance processes support GEIT integration with existing enterprise governance practices and are aligned with ISO/IEC [standard number missing from source].

[Figure: COBIT 5 Process Reference Model. Source: COBIT 5, ISACA. All rights reserved.]

COBIT 5 also has clarified management-level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model. There are several new and modified management processes that reflect current thinking, in particular:
- APO03 Manage enterprise architecture
- APO04 Manage innovation
- APO05 Manage portfolio
- APO06 Manage budget and costs
- APO08 Manage relationships
- APO13 Manage security
- BAI05 Manage organizational change enablement
- BAI08 Manage knowledge
- BAI09 Manage assets
- DSS05 Manage security service
- DSS06 Manage business process controls

COBIT 5 processes now cover end-to-end business and IT activities (i.e., a full enterprise-level view). This provides for a more holistic and complete coverage of practices reflecting the pervasive enterprise-wide nature of IT use. It makes the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent.

Practices and Activities: The COBIT 5 governance or management practices are related to the COBIT 4.1 control objectives and Val IT and Risk IT processes. The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT management practices. COBIT 5 integrates and updates all of the previous content into the one new model, making it easier for users to understand and use this material when implementing improvements.

Goals and Metrics: COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view. For example, COBIT 5 provides a revised Goals Cascade based on enterprise goals driving IT-related goals and then supported by critical processes. COBIT 5 provides examples of goals and metrics at the enterprise, process, and governance and management practice levels. This is a change from COBIT 4.1, Val IT and Risk IT, which went down one level lower.

Inputs and Outputs at the Practice Level: COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level. This provides additional detailed guidance for designing processes to include essential work products and to assist with inter-process integration.

Expanded RACI Charts with Business and IT Roles: COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT. COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.

[Figure: RACI Chart. Source: COBIT 5: Enabling Processes, ISACA. All rights reserved.]

[Figure: Developing COBIT 5. Source: 2016 ISACA. All rights reserved.]

Process Capability Model: COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modeling approach. COBIT 5 is supported by a new process capability assessment approach based on ISO/IEC [standard number missing from source]. The COBIT Assessment Program approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method. The assessment objective is to understand the level of capability that is present and the level that is appropriate for a given process, based on business requirements, and to understand the nature of any gaps so that any significant weaknesses in the process can be identified and improved.

The COBIT Assessment Program supports:
- Formal assessments by accredited assessors
- Less rigorous self-assessments for internal gap analysis and process improvement planning

In addition, the COBIT Assessment Program approach is supported by these materials:
- COBIT Process Assessment Model: Using COBIT 5
- COBIT Assessor Guide: Using COBIT 5
- COBIT Self-Assessment Guide: Using COBIT 5

COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Program approach will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach. Although some of the information gathered from previous assessments may be reusable, care will be needed in migrating this information forward because there are significant differences in requirements and in what is being measured.

Making the Business Case for COBIT 5 in Your Enterprise

To convince decision-makers in your enterprise to use COBIT 5, you may want to use the COBIT 5 Goals Cascade to bolster your position:
- Determine stakeholder needs and governance objectives (value creation)
- Identify enterprise goals that can support stakeholder needs; if the balanced scorecard (BSC) is used to develop these goals, then a common set of terms can be used to communicate the goals
- Select IT-related goals (for each enterprise goal) that will facilitate the achievement of the goals
- Prioritize enabler-related goals; this requires the successful application and use of enablers (one of the enablers, Processes, is treated separately in the COBIT 5: Enabling Processes publication)
- Present the proposed set of needs, goals and enablers to executive management as a means of delivering effective governance and management of IT-related technology

Another vitally important aspect to consider is the enterprise's culture. A proactive culture will be more receptive than one that is not proactive. Consider emphasizing COBIT's focus on stakeholder value creation; its being business-driven; its alignment with other internationally recognized standards and frameworks; and its simple, but complete, structure. COBIT 5 is based on five principles and seven enablers. All other governance and management guidance in COBIT 5 originates from these basic areas. Previous versions of COBIT have been accepted in many enterprises globally, and new cases continue to be documented. However, it should not be a surprise that, in those entities where the chief information officer (CIO) has embraced COBIT as a business framework for information and technology, this has come as a direct consequence of one or more COB