Brainstorms and Commentary for Using COBIT

Author: John E. Jasinski, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, COBIT Foundation, COBIT Guidance and Practices, CSX-F, AWS Cloud Practitioner, CCSK, DPBoK, ISO 20000, ISO27001:2013 F, ISO20000-1:2018 F, IT4IT, ITIL Expert, ITIL Foundation and Improvement Instructor, LITA, MOF, PMI, ServiceNow and RSA Certified System Administrator, Certified Scrum Master and Product Owner, Six Sigma Blackbelt, TOGAF
Date Published: 18 May 2020

This is an exercise in providing creative brainstorm references for using COBIT® content to support digital business governance and management activities. It is important to keep in mind that COBIT is a reference model to be used as you see fit. It is the user’s choice as to how to use it—a little or a lot, for comparison or as reference.

Now, let us review some helpful ideas and comments.

1. Resources: 5 New COBIT Books

The COBIT content available from ISACA® is amazing, providing industry-validated good practice references for free or at low cost. For example, the PDF of COBIT® 2019 Framework: Governance and Management Objectives is free to anyone. If you have not yet downloaded a personal copy of this publication and COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, do it today. Check out all 5 of the latest COBIT® 2019 publications and tool kits. Buy hard copies for your team and leaders and discuss them in team meetings. Promote a common reference model and language. Compare the examples and case studies offered to your own internal efforts to establish an in-house model. These publications are, without doubt, the best desk references.

2. Work Breakdown Structure (WBS): Context and Structure

Looking to clarify or identify your current processes? Consider using the COBIT identifier numbers for each objective (formerly process). Use these identifiers in project plans and statements of work for clarity. Take, for example, Deliver, Service and Support (DSS) DSS03 Managed problems. Use of the DSS03 identifier does not mandate the activity, but using the label helps focus attention on the objective, providing content and structural reference to the reader—your stakeholders—keeping it simple to accelerate understanding.

3. Metrics on 3 Levels

We have all been in metrics meetings. Imagine the results if you use COBIT’s goals cascade construct and the related example metrics as a base reference. COBIT 2019 Framework: Governance and Management Objectives provides 530 example metrics across 40 objectives at 3 organizational levels. Aligning goals and a balanced scorecard (BSC) structure increases confidence in the approach. Some data metrics may be difficult to obtain, but each is worth discussing. If needed, insert placeholders in reporting reviews. Use COBIT example metrics for comparison or, better yet, gradually build them into your existing reporting capability.

4. Tools: Mapping a Tools Inventory to Objectives

Use the COBIT core model (the diagram showing the 40 governance and management objectives) to map what tools you currently use for each objective. This approach can help architects visualize overlaps, gaps and opportunities in tool coverage. Copy the figure onto an 11” x 17” (or A4) size page, then annotate with names of the tools in use. Show current and target state ideas to stimulate conversations and look for opportunities to integrate data with application programming interfaces (APIs), sharing data between applications.

Figure 1—COBIT Core Model

5. Policies Can Be Easy

How many times have you tried to write high-level policies for basic objectives? One approach is to use the COBIT practice descriptions verbatim. The policy component provides some guidance, but consider this example for strategy: Use Align, Plan and Organize (APO) APO02 for 6 policy statements based on the management practices, with the practice name and description. This is a relatively easy way to provide context and support understanding and is certainly easier than making it up. And keep in mind, COBIT defines control objectives—now called management practices—to be business friendly. COBIT can be a best practice source for aligned policies and controls.

6. Implementation Plan Template

A crowd favorite in the COBIT library is COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution. It is not just about implementing COBIT; it also provides guidance for improving any digital management process. Use it across your organization as a template reference. Put the guidance into a spreadsheet or project plan format—standardization of an approach can provide huge benefits. The COBIT library is great, as is the ITIL library and others, but the books cannot do anything on their own. You need to read them and download the code into your brain. Sharing the resource references with your team and manager can help accelerate the diffusion of innovation.

7. Cloud Assurance

To learn more about cloud computing and controls, find Controls and Assurance in the Cloud: Using COBIT® 5. Its decision tree diagrams and questions for service and deployment models are excellent starting points. The references to the Cloud Security Alliance (CSA) and the US National Institute of Standards and Technology (NIST) are on the need-to-know list for high-performance leaders. It is also very helpful when studying for CSA’s Certificate of Cloud Security Knowledge (CCSK) exam.

8. Roles—How Many?

Your organization has defined roles and responsibilities, but how well and thoroughly are they defined? Appendix A.2 (p. 299–300) in COBIT 2019 Framework: Governance and Management Objectives lists 33 roles with descriptions used across the COBIT model. Lining them up with a cross reference to your actual roles and employee names will make your responsible, accountable, consulted, informed (RACI) chart more meaningful. The chief digital officer (CDO), relationship manager, legal and other titles newly included in COBIT 2019 are welcome additions.

9. Goals Cascade

The goals cascade is a must-know topic. Every organization has goals, and with each reorganizational change, the goals evolve. Generally, it is possible to find a consistent set of goals applicable to any digital business, and the ones with a BSC foundation usually provide the best view. This goals cascade content, which serves as a great foundation, is located in section 4.2 of COBIT 2019 Framework: Governance and Management Objectives. It provides reasonable goals for consistency, aligned to the example metrics mentioned in item 3 above.

10. Pandemic: Continuity and Current Events

Continuity in COBIT is addressed in DSS04. It aligns with International Organization for Standardization (ISO) 22301:2019 Security and resilience—Business continuity management systems—Requirements. This ISO guidance is not mentioned in the latest COBIT publication, but it relates directly to DSS04. Additional useful guidance is ISO/International Electrotechnical Commission (IEC) 27001, A.17, and NIST’s Framework for Improving Critical Infrastructure, PR.IP-9. Continuity managers should have direct awareness of these references.

John E. Jasinski, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, COBIT Foundation, COBIT Guidance and Practices, CSX-F, AWS Cloud Practitioner, CCSK, DPBoK, ISO 20000, ISO27001:2013 F, ISO20000-1:2018 F, IT4IT, ITIL Expert, ITIL Foundation and Improvement Instructor, LITA, MOF, PMI, ServiceNow and RSA Certified System Administrator, Certified Scrum Master and Product Owner, Six Sigma Blackbelt, TOGAF, is a management and governance process advocate focused on results. With more than 25 years of experience in market-leading organizations and important government departments, he provides a common-sense business perspective, emphasizing that cost savings from process standardization far outweigh the benefits of custom process, and that process is continuous while improvement is a choice. Standardize processes and integrate data. Jasinski’s hobby is being an enthusiastic advocate for ISACA® and COBIT. He is an author and has contributed to numerous ISACA and COBIT publications. He encourages anyone working in digital business to be aware of, use and share ISACA and COBIT knowledge and resources where possible.