The new Process Reference Model with particular focus on the “Applying a Single Integrated Framework” principle has been a pleasure to implement as clients often asked me whether they should implement previous COBIT versions or some other framework like ITIL, ISO 20000 or 27001. I can answer with complete confidence that COBIT is integrated with all of them and that if they implement COBIT, they will have implemented the bulk of every other relevant framework and standard. For example, the Project Management Body of Knowledge (PMBOK) has some very detailed financial metrics, reporting and modeling approaches that are not present in COBIT 5. While they may be relevant to very large projects (billions of dollars), they are a bit too detailed to add significant value to projects at the size that most of my clients run (10s to 100s of thousands). That they are not a part of COBIT 5 is thus not relevant. The new “APO05 Manage Portfolio” process is a wonderful addition to COBIT in that it brings the framework into alignment with PMBOK in an area that I often found myself having to go outside of previous COBIT versions (often to Val IT).
APO03 Manage Enterprise Architecture is another new process that takes its inspiration from TOGAF. IT architecture and its critical strategic focus on selecting and supporting the “right” technologies for the business were very challenging to address with previous versions of COBIT. Describing the best way to select the enterprise’s IT building blocks required concurrently referring to TOGAF so that we could adequately address their control and management. Now, COBIT 5 includes this big-money area.
The new capability model has generally been a hard sell. My clients find the present capability attributes challenging to understand and miss the previous maturity model’s clarity, prescriptive approach and best practice content. The one aspect of the new capability model that is universally loved is that partially achieved process attributes can satisfy process capability. This new approach saves me from having to answer, “The framework says ‘no,’ but I will make an exception for you,” each time a client asks me, “Since we satisfy most of the next level maturity requirements, why can’t we be rated a 2.5?” I believe that most COBIT users would welcome a fleshed-out version of the present capability model, provided that it included more detail about how to implement the attributes for each process. Even something as simple as mapping each process’s practices and activities to specific attributes would help COBIT users understand how to easily implement the capability model.
Kaya Kazmirci, CISA, CISM, CISSP
Managing Director, Kazmirci Associates
[ISACA]