COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy

In recent years, (as demonstrated in my previous article titled “ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance”),¹ the balanced scorecard (BSC)^{2, 3, 4} has been applied to enterprise IT and the first real-life IT security governance application has been developed based on mapping the control objectives from the International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) ISO/IEC 27001:2013 standard to COBIT 4.1 process and IT governance focus areas.⁵ As a further exercise, the relationships and similarities between ISO/IEC 27001:2013, COBIT 4.1 and COBIT 5 can be explored to provide data values, insights and results that will help in strategic management discussions.

What is driving the need for this mapping exercise?

• The need to integrate IT governance with overall business governance
• The need for effective deployment, governance and management of enterprise IT
• The exercise will help in establishing enterprise IT strategy through control objective linkages
• Key performance indicators (KPIs) can be derived for individuals or business unit

This article explains how an exercise in instituting controls can be used to establish IT strategy, which is shown in the resultant enterprise and IT goals BSC values and outcomes applied in COBIT 5. In so doing, it showcases the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls and processes further to COBIT 5 governance and management processes.

Brief Understanding of ISO/IEC 27001:2013

An executive brief from ISO/IEC 27001:2013 sheds more light on the essence of having controls in an enterprise IT organization.⁶ Organizations of all types and sizes collect, process, store and transmit information in many forms. This information is valuable to an organization’s business and operations. In today’s interconnected and mobile world, information is processed using systems and networks that employ state-of-the-art technology. It is vital to protect this information against both deliberate and accidental threats and vulnerabilities. ISO/IEC 27001 helps organizations keep their information assets and those of their customers secure. Effective information security assures management and other stakeholders that the organization’s assets are safe, thereby acting as a business enabler.

“The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process, which reassures interested parties that risk factors are adequately managed. It is important for the information security management system to be part of, and integrated with, the organization’s processes and overall management structure and for information security to be considered in the design of processes, information systems and controls.”⁷ The information security risk assessment and treatment process in this international standard aligns with the principles and generic guidelines provided in ISO 31000.⁸

What Is the Essence of Having Controls?

Enterprise security is no longer solely the realm of the IT department. Within the Internet of Things (IoT) and in the world, “data is recognized as a core business asset, valuable to companies and cybercriminals alike. Therefore, the enterprise risk caused by cyber security threats to data requires a holistic approach”⁹ to security; oversight of security compliance and controls must be a senior management, C-suite and boardroom responsibility because security oversight is risk management oversight and, therefore, a corporation’s business oversight.

“Risk management aims to identify the risk a company faces and ways of mitigating it to a bearable level determined by the company’s risk appetite.”¹⁰ It is recognized that risk exists due to the confluence of assets, threats and vulnerabilities. Accordingly, employing mitigating controls that reduce one or all of these factors reduces the overall risk exposure of the organization.

“As data risk encompasses the risk of financial losses; business disruption; the loss or compromise of assets and information; the failure to meet legal, regulatory or contractual requirements; and reputational damage, effective oversight of IT security is essential to enterprise or corporate oversight of risk management. The need for information security requires a number of policies and procedures to be created and put in place. These policies, in turn, require a number of security-related standards and practices to be implemented. However, if the enterprise’s and personnel’s culture and ethics are not appropriate, enforcing information security processes (the policy controls) and procedures will not be effective.”¹¹ An exercise in instituting controls can be used to establish IT strategy, which will be shown in the resultant enterprise and IT goals BSC values and outcomes applied to COBIT 5 governance and management processes.

The resultant summation from the control questions is shown in figure 1 and figure 2 for control domains and security control areas. With these values from the exercise, low values can be potential areas of security breaches (i.e., backup, redundancies) leading to business continuity issues. Data security is no longer a cost of doing business, but a core component of remaining in business. Resources must, therefore, be appropriately allocated to meet these risk factors. Budgeting must enable the company to deploy, train and develop the right people and processes and employ technology to truly address the company’s security needs.¹²

Figure 1—Resulting ISO/IEC 27001:2013 Compliance Data by Domain

Source: Christopher Oparaugo. Reprinted with permission

Figure 2—Resulting ISO/IEC 27001:2013 Compliance Data by Controls and Domains

Source: Christopher Oparaugo. Reprinted with permission

Understanding COBIT 5 in Relation to Governance and Strategy

COBIT 5 provides the next generation of ISACA’s guidance on the enterprise governance and management of IT. It builds on more than 15 years of practical usage and application of COBIT by many enterprises and users from the business, IT, risk, security and assurance communities.¹³ COBIT has evolved from an auditing framework to controls, from being a control framework to an IT governance framework that can be mapped to other international standards, and now to a governance for enterprise IT (GEIT) framework, showing a management strategy for enterprise IT.

Key Concepts

Information is a key resource for all enterprises, and from the time that information is created to the moment that it is destroyed, technology plays a significant role. IT is increasingly advanced and has become pervasive in enterprises and in social, public and business environments.¹⁴

“As a result, today, more than ever, enterprises and their executives strive to:

• Maintain high-quality information to support business decisions
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT
• Achieve operational excellence through the reliable and efficient application of technology
• Maintain IT-related risk at an acceptable level
• Optimize the cost of IT services and technology
• Comply with ever-increasing relevant laws, regulations, contractual agreements and policies”¹⁵

COBIT 5 is not prescriptive, but it advocates that organizations implement governance and management processes such that the key areas are covered, as shown in figure 3.

Figure 3—Separating Governance From Management

Source: ISACA, COBIT 5, USA, 2012

COBIT 5 provides a comprehensive framework that helps enterprises achieve their goals and deliver value through effective governance and management of enterprise IT. Successful enterprises have recognized that the board of directors (BoD) needs to embrace IT just like any other significant part of doing business. Corporate boards and business management (in both the enterprise and IT functions) must collaborate and work together so that IT is included within the governance and management functions.

In addition, 2 core components of GEIT (controls and compliance) must be overseen at the highest levels of management to confirm that they are customized for the enterprise standards and are not applied generically:

• Controls—The organization’s systems, procedures and processes for protecting data
• Compliance—An organization’s program for ensuring adherence to and enforcement of enterprise security policies and relevant external privacy and data protection laws and regulations. Department’s policies, standards and procedures are often disconnected from operational practices, and technology infrastructures that are not tailored specifically to the company operations become worthless effort and ineffective.¹⁶

The COBIT 5 framework makes a clear distinction between governance and management. These 2 disciplines encompass different types of activities, require different organizational structures and serve different purposes.

The COBIT 5 view on this key distinction between governance and management is:

• Governance—Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. In most enterprises, governance is the responsibility of the BoD under the leadership of the chairperson.
• Management—Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve enterprise objectives. In most enterprises, it is the responsibility of the executive management, under the leadership of the chief executive officer (CEO).¹⁷

This article presents a mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 using a previous article’s (“ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance,”) control data values and a target value for differentiation. It has been designed for guidance purposes and discussion.

Further, this article extends the mapping from COBIT 4.1 processes to COBIT 5 processes using input control data from ISO/IEC 27001:2013 as designed to bring out the BSC dimensions for a strategic guide and measurement system.

Adopting the Lean Management theory’s 5 Whys approach, the process of continually asking questions until you get to the root cause,¹⁸ enabled the validation of the assessment results to get closer to a problem or low value until the real issue is understood. The 5 Whys method helps managers eliminate waste and aids executives in figuring out which projects or controls to pursue and which to address to find solutions to underperforming areas in a controlled environment to aid enforcement of the policy. Productivity and strategy mean different things to different people, but, at their core, the meaning is how effective an organization’s decisions are in delivering subsequent results.

COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective (figure 4).¹⁹

Figure 4—Covering the Enterprise End-to-end

Source: ISACA, COBIT 5, USA, 2012

The questions help stakeholders understand whether the set objectives were achieved based on the results and backward reviews of the elements contributing to these results. These results also show IT governance pain points to be addressed. In addition to these activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (responsible, accountable, consulted and informed [RACI] charts) for each process and Capability Maturity Model Integration (CMMI) scores help stakeholders see the picture and values of control activities.

These resultant data from the exercise were further employed as COBIT information criteria for primary and secondary grouping. The resultant values of the ISO/IEC 27001:2013 mapping to COBIT 4.1 processes are linked with the defined IT governance areas.

The value inputs of 0% to 100% from the ISO/IEC 27001:2013 control objectives security control questions are mapped to COBIT 4.1 domains and processes, and further mapping is done from COBIT 4.1 to COBIT 5 related processes. These are linked to the IT focus areas as exercise results showing the values from the data mapping outputs, illustrated in figure 5.

Figure 5—Results Showing Mapping of ISO/IEC 27001:2013 Data to COBIT Processes

Source (table): ISACA, Mapping COBIT 4.1 to ISO /IEC 27001, USA, 2005
Source (numeric values): Christopher Oparaugo. Reprinted with permission.

The results in figure 6 are a comparison of COBIT 4.1 domain results from the previous mapping of ISO/IEC 27001:2005 to ISO/IEC 27001:2013 data that was then mapped to COBIT 4.1

The new target exercise (having different data input values for comparison) represents values directly from the mapping of ISO/IEC 27001:2013 to COBIT 4.1.

The previous results were Plan and Organize (55%), Acquire and Implement (64%), Deliver and Support (55%), and Monitor and Evaluate (64%). There is a remarkable increase in the values generated through this realignment from ISO 27001:2005 to ISO 27001:2013.

Figure 6—Comparing Sample Results Showing Mapping of ISO/IEC 27001:2005 From the Previous Article’s Exercise and New ISO/IEC 27001:2013 Data to COBIT 4.1 Control Objectives

Using the scores from previous exercises of ISO 27001:2005 now mapped to ISO 27001:2013 producing the mapped results for COBIT 4.1 domains, showing compliance to future state.

New target exercise scores for ISO 27001:2013 are mapped to COBIT 4.1 domains and processes, showing compliance to future state.
Source: Christopher Oparaugo. Reprinted with permission

Having done this comparison, the focus is now to determine a relationship and understanding of how these scores and values map to COBIT 5.

The COBIT 5 process reference model divides the governance and management processes of enterprise IT into 2 main process domains:

• Governance—Contains 1 domain with 5 governance processes; Evaluate, Direct and Monitor (EDM) consisting of 5 processes in COBIT 5.
• Management—The management principles of COBIT 5, having evolved from the Plan, Do, Check and Act (PDCA) maxim, follows the functional responsibility areas of plan, build, run and monitor (PBRM) creating a new, elaborate set of 4 domains, and provides end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure as shown below:
  • Align, Plan and Organize (APO) consisting of 13 processes
  • Build, Acquire and Implement (BAI) consisting of 10 processes
  • Deliver, Service and Support (DSS) consisting of 6 processes
  • Monitor, Evaluate and Assess (MEA) consisting of 3 processes

Useful COBIT 5 Governance and Management Interactions

Principles, policies and frameworks—The vehicle by which governance decisions are institutionalized within the enterprise. For that reason, they are an interaction between governance decisions (direction setting) and management (execution of decisions).

Services, infrastructure and applications—Services are required and are supported by applications and infrastructure to provide the governance body with adequate information and to support the governance activities of evaluating, setting direction and monitoring.

Processes—In the illustrative COBIT 5 process model (COBIT 5: Enabling Processes), a distinction is made between governance and management processes, including specific sets of practices and activities for each. The process model also includes RACI charts, describing the responsibilities of different organizational structures and roles within the enterprise.

Enablers—Factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.”²⁰ To achieve success in enterprise governance and management, the COBIT 5 enablers must be interconnected and interrelated to deliver on the enterprise and IT goals. This will help the organization develop a 360-degree vision of cyber security.

These resultant data from the exercise are further employed as COBIT information criteria for primary and secondary grouping. The resultant values of the ISO/IEC 27001:2013 mapping into COBIT 5 processes are linked with the defined IT BSC dimension information and related technology goals. Exercise results showing the values from the data mapping outputs are shown in figure 7.

Figure 7—Results Showing Mapping Data Values of COBIT 4.1 Control Objectives (Using Input Data From ISO/IEC 27001:2013) to COBIT 5 Governance and Management Practices

Source (table): ISACA, COBIT 5, USA, 2012
Source (numerical data values): Christopher Oparaugo. Reprinted with permission.

The mapped data values of COBIT 4.1 control objectives (using input data from ISO/IEC 27001:2013) to COBIT 5 governance and management practices shows how an IT-related goal is supported by a COBIT 5 IT-related process. This mapping is expressed using the following scale:

• "P" stands for primary, indicating there is an important relationship, i.e., the COBIT 5 process is a primary support for the achievement of an IT-related goal.
• "S" stands for secondary, indicating there is still a strong, but less important, relationship, i.e., the COBIT 5 process is a secondary support for the IT-related goal.²¹

The compared results in figure 8 show that Evaluate, Direct and Monitor (EDM) (the governance area for enterprise IT) was lowest in all the cases as the bulk of the alignment was related to COBIT 4.1 in the other 4 domains of COBIT 5 governance and management practices (i.e., core enterprise IT management area).

Figure 8—Comparing Sample Results of ISO/IEC 27001:2005, ISO/IEC 27001:2013, COBIT 4.1 and COBIT 5 Mappings

Source: Christopher Oparaugo. Reprinted with permission

These results confirm that the bedrock of GEIT under COBIT 5 is in the BAI domain, which has taken on many elements of the COBIT 4.1 domains of Plan and Organize (PO), Acquire and Implement (AI) and Deliver and Support (DS).

Using the Balanced Scorecard as a Strategic Management System

“The BSC revolutionized conventional thinking about performance metrics. When the concept was first introduced in 1992, companies were busy transforming themselves to compete in the world of information; their ability to exploit intangible assets was becoming more developed than their ability to manage physical assets.

The authors of the BSC describe how it addresses a serious deficiency in traditional management systems: the inability to link a company’s long-term strategy with its short-term financial goals. The scorecard lets managers introduce 4 new processes (in the 3^rd-generation edition) that help companies make that important link.”²²

“The first process—translating the vision—helps managers build a consensus concerning a company’s strategy and express it in terms that can guide action at the local level. The second—communicating and linking—calls for communicating a strategy at all levels of the organization and linking it with unit and individual goals. The third—business planning—enables companies to integrate their business plans with their financial plans. The fourth—feedback and learning—gives companies the capacity for strategic learning, which consists of gathering feedback, testing the hypotheses on which a strategy is based and making necessary adjustments.”²³

“In addition, while traditional measures report on what happened last period without indicating how managers can improve performance in the next, the scorecard functions as the cornerstone of a company’s current and future success.”²⁴

“The information from the 4 perspectives provides balance between external measures such as operating income and internal measures such as new product development and innovation. This balanced set of measures both reveals the trade-offs that managers have already made among performance measures and encourages them to achieve their goals in the future without making trade-offs among key success factors.“²⁵

The assumptions made for using the primary (P) values related to the COBIT 5 processes and IT-related goals are based on information from COBIT 5:

• The COBIT 5 process is a primary support for the achievement of an IT-related goal.
• It is primary when there is an important relationship between the COBIT 5 process and IT-related goals.
• Achieving IT-related goals requires the successful application and use of a number of enablers.²⁶
• There is relationship to the 3 main governance objectives—benefits realization, risk optimization and resource optimization.²⁷

This understanding from the BSC perspective and a focus on the primary values shows the COBIT 5 governance and management practices that are a primary (P) support for the achievement of an IT-related goal. Applying these criteria and assumptions for IT-related goal 01, Alignment of IT and business strategy, which has 10 P values, the average cumulative score is 77%. The P values and the related COBIT 5 score entries for each of the 17 generic IT-related goals are added to get a cumulative average score for the particular IT-related goal as represented in figure 9. (See scores related to the 10 P values for IT-related goal 01, Alignment of IT and business strategy in figure 7 assigned to the COBIT 5 processes column COBIT 4.1 Mapping. The average of these [85.66+ 87.66+…+90.00+83.82] scores is 77.37, approximated to 77 %.)

Figure 9—Results Showing Mapping COBIT 5 Data Values From IT-related Goals to Enterprise Goals

Source (table): ISACA, COBIT 5, USA, 2012
Source (numeric data values): Christopher Oparaugo. Reprinted with permission.

Having completed these exercises and reviewed the outcomes, it is important to distil the values by making assumptions in using the legend’s primary values of the BSC related to the enterprise goals mapping to COBIT 5 and IT-related goals based on the information from ISACA COBIT 5 framework as follows:

• The IT-related goal is a primary support for the enterprise goal.
• It is primary when there is an important relationship between enterprise and IT-related goals.
• Achieving IT-related goals and enterprise goals requires the successful application and use of a number of enablers.
• There is relationship to the 3 main governance objectives—benefits realization, risk optimization and resource optimization.²⁸

With this understanding from a BSC perspective and focusing on the “P” values that show that the COBIT 5 governance and management practices are a primary support for the achievement of an IT-related goal. Applying these criteria and assumptions, for IT-related goal 01—Alignment of IT and business strategy—that has 10 P values, the result is an average score of 77% (from figure 7 data).For the enterprise goal 1 ofStakeholder value of business investments which has 6 P values, the result is an average score of 75%. This is achieved by calculating the cumulative average of the IT-related goals (column COBIT 5 - IT Goals Score) aligned/mapped to the enterprise goals with P values/fields.

The P values and the related enterprise goals score entries for each of all 17 generic IT-related goals are added to get a cumulatively average score for the particular enterprise related/mapped goal.

The BSC can serve as the fulcrum, defining and communicating priorities to managers, employees, investors and even customers. The scorecard is a strategic measurement system, not a measure of strategy that is reviewed every month or modified for weekly meetings. The 6 IT scorecard implementation cycles can be reviewed in line with the outcome of the exercises and effected.

The aim or objectives of the BSC should be:

• Improvement/alignment of processes and removal of enterprise operation bottlenecks
• Increased financial usage/return on investment/capital employed
• Greater customer satisfaction and loyalty
• Motivated/educated employees
• Enhanced information systems/employees understanding the business
• Successful realization of the strategic plan/vision
• Monitored activities and progress visibility

Instituting controls enable the enterprise to build effective governance and management results that optimize information and technology investment and use for the benefit of stakeholders through an on-the-ground assessment based on controls using a BSC approach. These results also show IT governance pain points to be addressed. In addition to these activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures.²⁹

The final outcome on these exercises is shown in figure 10. If there were great deviations or skewed results, further reviews and employing the 5 Whys would be called into play to determine the elements from the ISO 27001 control questions that impacted these outcomes negatively and caused the deviations. Keep in mind that for a BSC to be established, all the criteria (the aim/objectives) should be met based on these 4 perspectives:

• Financial
• Customer
• Internal
• Learning and growth

This article highlights the importance of proper mapping to process and domains for both ISO and COBIT to achieve these results.

Figure 10 —Results Showing Mapped COBIT 5 Data Values to Achieve IT-related Goals, BSC and Enterprise Goals BSC

Source: Christopher Oparaugo. Reprinted with permission

Conclusion

IT governance is not an isolated discipline. It is an integral part of overall enterprise governance that drives the business in these days of IoT. This helps successful business enterprises understand the IT risk and exploit the benefits of IT, and find ways to deal with aligning IT strategy with the business strategy, incorporating IT strategy and goals into the fabrics of enterprise businesses and insisting that an IT control framework be adopted and implemented.³⁰ This understanding and discipline cuts across government and public and private business entities for effective deployment, governance and management of the enterprise IT.

Having gone through these exercises of mapping ISO/IEC 27001:2005 controls to ISO/IEC 27001:2013 controls and getting the results from COBIT 4.1 data mapped to COBIT 5, it can be deduced that when these controls are properly mapped, the end results shows an evenly distributed BSC for APO, BAI, DSS and MEA (the core operation/enterprise IT management areas in COBIT 5), while EDM is more of a governance area and has a lower score in all outcomes.

Enterprises that understand the risk and exploit the benefits of IT and cascade IT strategy and goals down to the enterprise business will insist that IT control framework be adopted and implemented, as IT governance is not an isolated discipline in an organization.

The need to integrate IT governance with overall business governance is similar to the need for IT to be an integral part of the business. Organizations recognize that risk exists due to the confluence of assets, threats and vulnerabilities and, accordingly, employing mitigating controls that reduce one or all of these factors will reduce the overall risk exposure of the organization.

Enterprise security is no longer a concern for only the IT department. Today’s IoT world means that data are a core business asset, valuable to companies and cybercriminals or Internet hackers alike.

Christopher Anoruo, CISM, CGEIT, CRISC

Is the chief technology officer at KATEC Consulting Ltd. He has also worked in various positions in the telecommunication and banking industries in West Africa. Prior to joining KATEC Consulting Ltd, he was an information security consultant with IBM Global Business Services. Oparaugo has contributed to the ISACA Certified Information Security Manager , Certified in the Governance of Enterprise IT and Certified in Risk and Information Systems Control examinations. He has also participated in ISACA certification projects and has been part of the ISACA Test Enhancement Committee since 2005, setting exam questions and reviewing exam manuals.

Endnotes

¹ Oparaugo, C.; “ ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance ,” COBIT Focus, 14 December, 2015, figure 10
² Kaplan, R.; D. Norton; “ Using the Balanced Scorecard as a Strategic Management System ,” Harvard Business Review, January-February 1996, p. 75-85
³ Van Grembergen, W.; ” The Balanced Scorecard and IT Governance ,” Information Systems Control Journal, vol. 2, 2000
⁴ Op cit, Oparaugo
⁵ Ibid.
⁶ International Organization for Standardization, ISO/IEC 27001—Information Security Management
⁷ Op cit , Oparaugo
⁸ Op cit, ISO/IEC 27001
⁹ IT Governance.com
¹⁰ Ibid.
¹¹ Ibid.
¹² Ibid.
¹³ ISACA, COBIT 5 , USA, 2012
¹⁴ Ibid.
¹⁵ Ibid.
¹⁶ Op cit, IT Governance.com
¹⁷ Op cit, COBIT 5
¹⁸ Gold, C.; “Total Quality Management in Information Services—IS Measures: A Balancing Act,” Ernst & Young Center for Information Technology and Strategy, research note, 1992
¹⁹ Op cit, COBIT 5
²⁰ Ibid.
²¹ Ibid.
²² Lawrie, G.J.G.; I. Cobbold; J. Marshall; “Corporate Performance Management System in a Devolved UK Governmental Organisation: A Case Study,” International Journal of Productivity and Performance Management , vol. 53, no. 4, 2004, p. 353–370
²³ Op cit, Kaplan and Norton
²⁴ Ibid.
²⁵ Ibid.
²⁶ Op cit, COBIT 5
²⁷ Vendang Software
²⁸ Ibid.
²⁹ Ibid.
³⁰ Op cit , Oparaugo