COBIT 5 Assessment Programme 


The COBIT Assessment Programme, an approach to determine process capability, currently consists of the following publications:

  • COBIT Process Assessment Model (PAM): Using COBIT 5

    The PAM combines COBIT 5 with ISO/IEC 15504-2, and provides the basis for a robust, dependable assessment approach.

  • Learn More and Obtain

  • COBIT Assessor Guide: Using COBIT 5

    This PAM companion details how to undertake an assessment based on ISO/IEC 15504-2.

    Learn More and Obtain

  • COBIT Self-Assessment Guide: Using COBIT 5

    This PAM companion provides an alternative and less rigorous approach to performing an assessment.

    Learn More and Obtain


Programme Purpose

The COBIT Assessment Programme is a COBIT-based approach that enables the evaluation of selected IT processes. The assessment results provide a determination of process capability and can be used for process improvement, delivering value to the business, measuring the achievement of current or projected business goals, benchmarking, consistent reporting and organizational compliance.

The process capability is expressed in terms of attributes grouped into capability levels and the achievement of specific process attributes as defined in ISO/IEC 15504-2. Processes can be assessed individually or alternatively in logical groups. As such, scoping areas have been defined based on previously developed mappings, published by ISACA, which will allow for focused assessments. These scoping areas include:

  • Capability of IT processes to support cloud services
  • Capability of IT processes to support achievement of IT and business goals
  • Capability of IT processes to support SOX compliance
  • Capability of IT processes to support the enterprise governance of IT 

Assessment reports will include the level of capability achieved, the processes needing improvement and recommendations for improvement.

Need for the Programme

As part of strategy development, ISACA determined a need to provide a formal assessment approach based on the COBIT framework. We reviewed common assessment options in use—principally the Software Engineering Institute (SEI) Capability Maturity Model (CMM)/Standard CMM Integration (CMMI) Appraisal Method for Process Improvement (SCAMPI) approach (on which the COBIT maturity model [MM] in COBIT 4.1 is loosely based), and the International Organization for Standardization (ISO) approach.

Both provide guidance on topics such as the level of evidence required for an assessment and the skills required of competent assessors. Evidentiary requirements, assessor skills and competencies are required to deliver reliable and repeatable results in a formal assessment approach.

ISACA decided to adopt ISO/IEC 15504-2:2003 Information technology—Process assessment—Part 2: Performing an assessment, which is sometimes referred to as Software Process Improvement and Capability Determination (SPICE). This decision reflects, in part, recognition of recent market activity in the process assessment arena, including the publication of materials that support both the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control—Integrated Framework and ITIL Version 3 assessments using the ISO approach.

Programme Audience

Organizations seeking an evaluation/assessment of their IT processes and individuals responsible for performing such assessments including IT management/staff, IT auditors and consultants will find the COBIT Assessment Programme most useful.