COBIT 5 Process Assessment Method (PAM)


COBIT 5 Process Assessment Method (PAM)
Debra Mallette, CGEIT, CISA, CSSBB
Governance Risk and Compliance - G22

Session Objectives
- Why assess process capability
- COBIT 5 Process Assessment Model
- Relationship to ISO/IEC 15504
- An assessment walk-through of: Define and manage service levels

Why Assess Process Capability?
Informs executive management, the board of directors and management stakeholders of:
- the capability of its IT processes
- targets for improvement based on business requirements
Enables fact-based decisions on where and how to apply resources in order to mitigate risks or assure that value is delivered.

When?
Phase 2, Where are we now?:
- Define the problems and opportunities
- Form a powerful guiding team
- Assess the current state

COBIT Process Assessment Model
- First described in COBIT Process Assessment Model (PAM): Using COBIT 4.1
- PAM brings together ISO and ISACA
- COBIT 4.1 was adapted into an ISO 15504-compliant Process Reference Model for the COBIT 4.1 PAM
- COBIT 5 Enabling Processes is designed for ISO 15504 compliance
Copyright ISACA 2011. All rights reserved

What's different?
But don't we already have maturity models for COBIT 4.1 processes?
The new COBIT assessment programme is:
- a robust assessment process based on ISO 15504
- an alignment of COBIT's maturity model scale with the international standard
- a capability-based assessment model
More rigor results in a more robust, objective and repeatable assessment.
Caution: assessment results will likely vary from existing COBIT maturity models (or any other capability and/or maturity model!)

ISO 15504 Assessment Overview
(Figure: elements of an ISO 15504 process assessment)
- Initial input: purpose, scope, constraints, identities, approach, assessor competence criteria, additional information
- Roles and responsibilities: sponsor, competent assessor, assessors
- Assessment process: planning, data collection, data validation, process attribute rating, reporting
- Output: date, assessment input, identification of evidence, assessment process used, process profiles, additional information
- Process reference model: domain and scope, process purpose, process outcomes
- Measurement framework: capability levels, process attributes, rating scale
- Process assessment model: scope, indicators, mapping, translation
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.

Assessment Model: Process Reference Model
(Figure: the Process Reference Model, with its domain and scope, process purpose and process outcomes, feeds the Process Assessment Model and the assessment process)
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.

COBIT as Process Reference Model
Process Reference Model: domain and scope, process purpose, process outcomes. COBIT 4.1 or 5.0?
COBIT supplies the purpose, outcomes, base practices and work products.

COBIT 5 Process Reference Model in PAM (excerpt from Draft)
Purpose, Outcomes, Base Practices, Work Products

COBIT 5 Process Reference Model in PAM (excerpt from Draft)
Process ID: APO09
Process name in PAM: Manage Service Agreements
Process description: Align IT-enabled services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of IT services, service levels and performance indicators.
Process purpose statement: Ensure that IT services and service levels meet current and future enterprise requirements.
Purpose: high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process.

COBIT 5 Process Reference Model in PAM (excerpt from Draft)
Outcomes (O)
Number | Description
APO09-O1 | The enterprise can effectively utilize IT services as defined in a catalogue.
APO09-O2 | Service agreements reflect enterprise needs and the capabilities of IT.
APO09-O3 | IT services perform as stipulated in service agreements.
Outcomes: observable results of a process, such as an artefact, a significant change of state or the meeting of specified constraints.

COBIT 5 Process Reference Model in PAM (excerpt from Draft)
Base Practices (BPs)
Number | Description | Supports
APO09-BP1 | Identify IT services. | APO09-O1
APO09-BP2 | Catalogue IT-enabled services. | APO09-O1
APO09-BP3 | Define and prepare service agreements. | APO09-O1/O2
APO09-BP4 | Monitor and report service levels. | APO09-O3
APO09-BP5 | Review service agreements and contracts. | APO09-O3
Base Practices: activities that, when consistently performed, contribute to achieving the process purpose.

COBIT 5 Process Reference Model in PAM (excerpt from Draft)
Work Products (WPs): Inputs
Number | Description | Supports
EDM04-WP1 | Guiding principles for allocation of resources and capabilities | APO09-BP2, APO09-O1
APO02-WP8 | Gaps and changes required to realize target capability |
APO02-WP9 | Value benefit statement for target environment |
APO06-WP4 | IT budget and plan |
Work Products: artefacts associated with the execution of a process, its 'inputs' and 'outputs'.

COBIT 5 Process Reference Model in PAM (excerpt from Draft)
Purpose, Outcomes, Base Practices, Work Products

COBIT 5 Enabling Processes as Process Reference Model
You don't need the COBIT 5 PAM to get started. COBIT 5 Enabling Processes is already documented as an ISO 15504 PRM: purpose, outcomes, base practices, work products.

COBIT 5 Enabling Processes: APO09 Manage Service Agreements
Purpose: the Process Purpose Statement is the purpose.
Outcomes: under Process Goals and Metrics, the process goals are the observable outcomes.

COBIT 5 Enabling Processes: APO09 Manage Service Agreements
Base Practices: the Management Practices are the base practices.
Work Products: the Inputs and Outputs are the work products and/or evidence.

Assessment Model: Measurement Framework
Measurement framework: capability levels, process attributes, rating scale

Process Capability Levels & Attributes
Level 0: Incomplete process. The process is not implemented or fails to achieve its purpose. (No process attributes.)
Level 1: Performed process. The process is implemented and achieves its process purpose.
  PA 1.1 Process performance attribute
Level 2: Managed process. The process is managed and work products are established, controlled and maintained.
  PA 2.1 Performance management attribute
  PA 2.2 Work product management attribute
Level 3: Established process. A defined process is used based on a standard process.
  PA 3.1 Process definition attribute
  PA 3.2 Process deployment attribute
Level 4: Predictable process. The process is enacted consistently within defined limits.
  PA 4.1 Process measurement attribute
  PA 4.2 Process control attribute
Level 5: Optimizing process. The process is continuously improved to meet relevant current and projected business goals.
  PA 5.1 Process innovation attribute
  PA 5.2 Process optimization attribute

Process Attributes
Each of the nine process attributes is specified as:
- Result of full achievement of the attribute
- Generic Practices (GPs)
- Generic Work Products (GWPs)

Capability Level 1: Performed
PA1.1 Process Performance
Result of full achievement of the attribute: The process achieves its defined outcomes.
Generic Practices (GPs): GP1.1.1 Achieve the process outcomes. There is evidence that the intent of the base practice is being performed.
Generic Work Products (GWPs): Work products are produced that provide evidence of process outcomes.

Capability Level 1: Performed
PA1.1 Process Performance
Capability Level 1 Performed? PA1.1 Process Performance? Does the process achieve its defined outcomes?
As evidenced by:
- production of an object
- a significant change of state
- meeting of specified constraints, e.g. requirements, goals

Process Attribute Rating Scale
The COBIT assessment process measures the extent to which a given process achieves the process attributes, as specified by:
- Result of full achievement of the attribute
- Generic Practices (GPs)
- Generic Work Products (GWPs)

Process Attribute Rating Scale
The COBIT assessment process measures the extent to which a given process achieves the 'process attributes':
N  Not achieved: 0% to 15% achievement. Little or no evidence of achievement.
P  Partially achieved: 15% to 50% achievement. Some evidence of approach; some achievement with aspects unpredictable.
L  Largely achieved: 50% to 85% achievement. Evidence of a systematic approach; significant achievement with some weakness.
F  Fully achieved: 85% to 100% achievement. Evidence of a complete and systematic approach; full achievement, no significant weaknesses.

Process Attribute Rating Heat Map
Process attribute achievement:
85%-100%  Fully achieved
50%-85%   Largely achieved
15%-50%   Partially achieved
0%-15%    Not achieved

Capability Level & Process Attributes
Rating required of each process attribute for an assessed capability level (L/F = Largely or Fully achieved, F = Fully achieved):
Capability level (process attributes) | assessed 1 | assessed 2 | assessed 3 | assessed 4 | assessed 5
Level 5: Optimizing (PA5.1 & 5.2)     |            |            |            |            | L/F
Level 4: Predictable (PA4.1 & 4.2)    |            |            |            | L/F        | F
Level 3: Established (PA3.1 & 3.2)    |            |            | L/F        | F          | F
Level 2: Managed (PA2.1 & 2.2)        |            | L/F        | F          | F          | F
Level 1: Performed (PA1.1)            | L/F        | F          | F          | F          | F
Level 0: Incomplete                   |            |            |            |            |

COBIT Assessment Model Overview
Process assessment model: scope, indicators, mapping, translation

COBIT 4.1 PAM
(Figure: the COBIT 4.1 PAM combines the COBIT 4.1 PRM, with its purpose, outcomes, base practices and work products, and the capability measurement system, with its capability attributes and indicators from Level 0 Incomplete upward)
This figure is reproduced from ISO 15504-5:2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.

COBIT 5 PAM
(Figure: the COBIT 5 PAM combines the COBIT 5 PRM, with its purpose, outcomes, base practices and work products, and the capability measurement system, with its capability attributes and indicators from Level 0 Incomplete upward)

Primary and Supporting Processes in PRM

Assess Process Capability with PAM
COBIT 5 PAM example: APO09 Manage Service Agreements

APO09 Manage Service Agreements
Capability Level 1 Performed? PA1.1 Process Performance? Does the process achieve its defined outcomes?
As evidenced by:
- production of an object
- a significant change of state
- meeting of specified constraints, e.g. requirements, goals
Rate the attribute on the achievement scale: 85%-100% Fully achieved, 50%-85% Largely achieved, 15%-50% Partially achieved, 0%-15% Not achieved.

(Draft) COBIT 5 PAM: APO09 Manage Service Agreements
Purpose, Outcomes, Base Practices, Work Products

Capability Level 2: Managed
PA 2.1 Performance Management
a. Objectives for process performance identified?
b. Performance of the process planned and monitored?
c. Performance of the process adjusted to meet plans?
d. Responsibilities and authorities for performing the process defined, assigned and communicated?
e. Resources and information necessary for performing the process identified, made available, allocated and used?
f. Interfaces between involved parties managed to ensure effective communication and clear assignment of responsibility?

Capability Level 2: Managed
PA2.2 Work Product Management
a. Have requirements for the work products of the process been defined?
b. Have requirements for documentation and control of the work products been defined?
c. Are work products appropriately identified, documented and controlled?
d. Are work products reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements?

Assessed Process Capability Level
Process assessed | PA 1.1 (Level 1: Performed) | PA 2.1 (Level 2: Managed) | PA 2.2 (Level 2: Managed) | Capability Level 1 or better? | Assessed capability level
APO09 Manage Service Agreements | 45% | 0% | 0% | FALSE | Level 0: Incomplete
(FALSE if the capability level is below 1. PA 1.1 at 45% is only Partially achieved, not Largely or Fully, so Level 1 is not reached and the process is rated Level 0 regardless of the Level 2 attributes.)
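The rating scale, the level rule and the APO09 result on the preceding slides, carried through in code as an added example. This is an illustration written for this page, not ISACA's or ISO's tooling. The APO09 percentages (PA1.1 45%, PA2.1 0%, PA2.2 0%) are the ones on the slide; the other two profiles are constructed to show why the rule is cumulative. One assumption is made explicit: the slide's heat map does not say which band owns a boundary value, so the code follows ISO/IEC 15504-2 (N = 0 to 15%, P = above 15% to 50%, L = above 50% to 85%, F = above 85% to 100%).

```python
from __future__ import annotations

from enum import Enum


class Rating(Enum):
    """NPLF process attribute rating scale (ISO/IEC 15504-2, as used by the PAM)."""
    N = "Not achieved"
    P = "Partially achieved"
    L = "Largely achieved"
    F = "Fully achieved"


# Process attributes belonging to each capability level (PAM measurement framework).
ATTRIBUTES_BY_LEVEL: dict[int, tuple[str, ...]] = {
    1: ("PA1.1",),
    2: ("PA2.1", "PA2.2"),
    3: ("PA3.1", "PA3.2"),
    4: ("PA4.1", "PA4.2"),
    5: ("PA5.1", "PA5.2"),
}


def rate(achievement: float) -> Rating:
    """Map a percentage achievement to N/P/L/F.

    Boundary handling is an assumption taken from ISO/IEC 15504-2:
    N = 0..15, P = >15..50, L = >50..85, F = >85..100. The slide's heat map
    does not state which band a boundary value belongs to.
    """
    if not 0 <= achievement <= 100:
        raise ValueError(f"achievement must be between 0 and 100, got {achievement}")
    if achievement > 85:
        return Rating.F
    if achievement > 50:
        return Rating.L
    if achievement > 15:
        return Rating.P
    return Rating.N


def capability_level(ratings: dict[str, Rating]) -> int:
    """Derive the capability level from per-attribute ratings.

    Level n is reached only when every attribute of levels 1..n-1 is Fully
    achieved and every attribute of level n is Largely or Fully achieved.
    An attribute that was not rated counts as Not achieved, so the first
    level whose requirements fail stops the climb (the rule is cumulative).
    """
    level = 0
    for n, own_attrs in sorted(ATTRIBUTES_BY_LEVEL.items()):
        lower_attrs = [a for m in range(1, n) for a in ATTRIBUTES_BY_LEVEL[m]]
        lower_ok = all(ratings.get(a, Rating.N) is Rating.F for a in lower_attrs)
        own_ok = all(ratings.get(a, Rating.N) in (Rating.L, Rating.F) for a in own_attrs)
        if not (lower_ok and own_ok):
            break
        level = n
    return level


def assess(achievement: dict[str, float]) -> tuple[dict[str, Rating], int]:
    """Rate each attribute, then derive the level. Returns (ratings, level)."""
    ratings = {attr: rate(pct) for attr, pct in achievement.items()}
    return ratings, capability_level(ratings)


# Figures from the APO09 worked example on the slide.
APO09_SLIDE: dict[str, float] = {"PA1.1": 45.0, "PA2.1": 0.0, "PA2.2": 0.0}

# Constructed profiles (not from the slides) that exercise the cumulative rule.
CONSTRUCTED_PROFILES: dict[str, dict[str, float]] = {
    # Both Level 2 attributes are Fully achieved, but PA1.1 is only Largely
    # achieved, so Level 2 cannot be claimed: the process is assessed at Level 1.
    "level 2 work on a Largely achieved foundation": {"PA1.1": 60.0, "PA2.1": 90.0, "PA2.2": 90.0},
    # Level 1 Fully, Level 2 Largely, Level 3 only Partially: assessed at Level 2.
    "managed but not yet established": {"PA1.1": 90.0, "PA2.1": 70.0, "PA2.2": 60.0, "PA3.1": 40.0},
}

if __name__ == "__main__":
    profiles = {"APO09 (slide figures)": APO09_SLIDE, **CONSTRUCTED_PROFILES}
    for name, profile in profiles.items():
        ratings, level = assess(profile)
        summary = ", ".join(f"{attr}={r.name}" for attr, r in ratings.items())
        print(f"{name}: {summary} -> capability level {level}")
```

Running the block prints the three profiles with their N/P/L/F ratings and derived level; the slide's APO09 figures come out at Level 0, and the first constructed profile shows that strong Level 2 evidence does not lift a process past Level 1 while PA1.1 is short of Fully achieved.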

Assessment Process: Initial Input
Initial input: purpose, scope, constraints, identities, approach, assessor competence criteria, additional information

Assessment Process: Roles
Roles and responsibilities: sponsor, competent assessor, assessors

Assessor Roles
COBIT process assessment roles:
- Lead assessor: the 'competent' assessor responsible for overseeing the assessment activities
- Assessor: developing assessor competencies; performs assessment activities
Competencies (knowledge, skills and experience):
- PRM, PAM, methods and tools, rating processes
- processes/domains being assessed
- personal attributes for effective performance
ISACA's COBIT Assessor training and certification scheme is under development.

Assessment Process
Assessment process: planning, data collection, data validation, process attribute rating, reporting

Assessment Process (Planning, Assessing, Reporting)
1. Initiation
2. Planning the assessment
3. Briefing
4. Data collection
5. Data validation
6. Process attributes rating
7. Reporting the results

Assessment Process: Output
Output: date, assessment input, identification of evidence, assessment process used, process profiles, additional information

A Process Capability Profile
Columns: Capability is Level 1 or Better (false if the capability level is Level 0: Incomplete); Level 1: Performed (PA 1.1 Process performance); Level 2: Managed (PA2.1 Performance management, PA2.2 Work product management); Level 3: Established (PA3.1 Process definition, PA3.2 Process deployment); Level 4: Predictable (PA4.1 Process measurement, PA4.2 Process control); Level 5: Optimizing (PA5.1 Process innovation, PA5.2 Process optimization)
Processes assessed (COBIT 4.1 names; every cell in this template reads N/A):
- DS1: Define and Manage Service Levels
- DS2: Manage Third Party Services
- DS4: Ensure Continuous Service
- DS6: Ensure Systems Security
- DS8: Manage Service Desk and Incidents
- DS9: Manage the Configuration
- DS11: Manage Data
- ME2: Monitor and Evaluate Internal Control
- ME3: Ensure Compliance with External

Consequence of Capability Gaps
Figure A.3: Consequence of Gaps at Various Capability Levels
This figure is reproduced from ISO 15504-4:2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.

Risk from Capability Gaps
Figure A.4: Risk Associated With Each Capability Level
This figure is reproduced from ISO 15504-4:2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.

Summary
- Process Assessment Model
- Assessment process
- Process capability profile: the table of processes assessed (DS1, DS2, DS4, DS6, DS8, DS9, DS11, ME2, ME3) against PA 1.1 through PA 5.2, as shown earlier

Contact Information: Debra Mallette, CGEIT, CISA, CSSBB
PastPresident@sfisaca.org

