Strategy is a plan for achieving a set objective. COBIT 2019 is here to help practitioners apply standard information and technology (I&T) controls to enterprise governance strategy. Mapping control objectives from the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 27001:2013 Information Security Management through COBIT 5 to the COBIT 2019 framework is a useful exercise to help develop a governance strategy. Mapping the relationships among ISO 27001:2013, ISO/IEC 38500:2015 Information Technology—Governance of IT for the Organization, COBIT 5 and COBIT 2019 provides practitioners with performance data values, insights and results that aid in strategic management consultations and decisions. Many of these relationships have been explored in past articles published in COBIT Focus.1, 2 The balanced scorecard (BSC)3, 4, 5 has also been applied successfully to these values to express performance measurement for enterprise governance of I&T (EGIT).
What Is Driving the Need for This Mapping Exercise?
The question “What can enterprise I&T deliver?” should be rephrased to ask “How can enterprise I&T be used to add value?” Changing the question helps practitioners focus on the business value of enterprise I&T, enterprise I&T cost-optimization practices, investment prioritization, I&T project finance and sourcing options for resources, project benefit realization, and innovation accounting.
The objectives driving the need for the mapping exercise discussed herein include:
- To measure performance and integrate I&T governance with overall business governance and strategy through control objective mappings to COBIT processes
- To meet the need for knowledge innovation, effective deployment and overall governance and management of enterprise I&T through EGIT
- To develop key performance indicators (KPIs) that can be applied to individuals in an organization or business units for assessments and functional assignments
It is worth noting that optimal and innovative integration of enterprise I&T can lead to digital disruption and, thus, drive society, industry and business forward. However, there have not been any true technology disruptions in the recent past, but there has been a great deal of innovation based on technology for related businesses.
Why Do Governance Systems Fail?
When governance system implementations fail, one of the common reasons is that they are not initiated and then managed properly as programs to ensure that benefits are realized. Governance programs must be initiated and sponsored by executive management; they should be properly scoped and should always define objectives that are attainable. These provisions enable the enterprise to absorb the pace of change as planned.6
The governance and management of enterprise I&T should be implemented as part of overall enterprise governance and culture, encompassing the full business and enterprise I&T functional areas addressed in COBIT 2019.7
What Does I&T Governance Entail?
The IT Governance Institute (ITGI) states that, fundamentally, the governance of IT is concerned with 2 goals: I&T’s delivery of value to the business and the mitigation of I&T risk. These goals are driven by business enablers such as strategic alignment of I&T with the business; IT accountability to the enterprise, backed by adequate resources; measured outcomes to ensure that results are obtained with metrics for strategic planning and setting of future performance goals.8 One cannot measure what one cannot monitor. Performance monitoring aids in benchmarking.
The 5 main goals of enterprise I&T governance are all driven by stakeholder value as outlined in COBIT 2019.9 It is worth noting that 2 of these drivers are outcomes: value delivery and risk management. The other 3 focus areas or drivers are:
- Strategic alignment
- Performance management
- Resource management (which encompasses them all)
The focus areas are internally driven, because EGIT and business strategy evolve reciprocally in a continuous life cycle10 although EGIT is distinct from enterprise I&T management, as governance determines who makes the decisions, and management is assigned the responsibility of directing and implementing the decisions.11
ISO/IEC 38500—The IT Governance Framework
Essentially, ISO 38500:2015 consists of 6 guiding principles for good corporate governance of IT:
- Human behavior or culture of the enterprise12
I&T governance is driven to succeed when the enterprise internalizes it as a culture based on the responsibility to deliver stated goals from strategic plans and to achieve operational goals that can be performance driven.13 In working out each one of the 6 principles, executives must perform all 3 of these essential tasks—such that implementing the human-behavior principle would require Evaluating, Directing and Monitoring (EDM) as expressed in COBIT 2019.
Governance and Management Objectives in COBIT 2019
As mentioned, the overall aim here is to distill governance processes and provide a road map to a sustainable business strategy. COBIT 2019 is a framework that helps enterprises plan a strategy and also achieve their governance goals to deliver value through effective governance and management of enterprise I&T. The governance and management objectives in COBIT 2019 are grouped into 5 domains. The domains have names with verbs that express the key purpose and areas of activity of the objectives contained in them:14
- Evaluate, Direct and Monitor (EDM)
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
Governance objectives are grouped under the EDM domain. In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors achievement of the strategy as mentioned previously in the 3 essential tasks. EDM encompasses the goal cascades and determination of stakeholder drivers and needs.15
Management objectives are grouped in these 4 domains:
APO—Addresses the overall organization, strategy and supporting activities for enterprise I&T
BAI—Treats the definition, acquisition and implementation of I&T solutions and their integration into business processes
DSS—Addresses operational delivery and support of I&T services, including security
MEA—Addresses performance monitoring and conformity of I&T to internal performance targets, internal control objectives and external requirements16
COBIT 2019 Goals Cascade
The goals cascade supports translation of enterprise goals into priorities for alignment goals. The goals cascade has been updated thoroughly in COBIT 2019; enterprise goals and alignment goals have been consolidated, reduced, updated and clarified where necessary.17
Figure 1—COBIT 2019 Goals Cascade
Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018
The essence of the goals cascade remains that of aligning I&T strategy to enterprise strategy for both COBIT 5 and COBIT 2019.
It is worth noting that the goals cascade in COBIT 5, as it relates to governance and strategy, translates stakeholder needs into specific actionable and customized enterprise goals, I&T-related goals and enabler goals,18 while in COBIT 2019, the goals cascade supports prioritization of management objectives based on prioritization of enterprise goals.
There are 13 enterprise goals and 13 alignment goals in COBIT 2019. There are no additional IT-related goals in COBIT 2019. Both enterprise goals and alignment goals have been updated and simplified.
COBIT 2019 Framework in Digital Disruption and Privacy Concerns
The COBIT 2019 framework helps practitioners refine business and enterprise I&T skills to discern the true essentials of the business and provide technology solutions to fulfil those needs.
As things evolve with technology spurred on by knowledge and innovation, strategic technology trends have shown significant disruptive potential and set the stage for innovative digital disruption over the next 5 years.19 Enterprise I&T cannot afford to ignore these trends. Organizations must examine the business impact of these trends and adjust business models and operations appropriately or risk losing their competitive advantage to those who do.20 In line with this evolution, it is imperative to restore DS11 Manage Data from COBIT 4.1 as APO014 Managed Data in COBIT 2019, given the criticality of data in this age of the Internet of Things (IoT) and as artificial intelligence (AI) more fully emerges with its heavy reliance on data. With the IoT, augmented reality (AR) and AI, data are recognized as a core business asset, valuable to enterprises and cybercriminals alike.21 Data management and security are no longer costs of doing business but are core components of remaining in business.22
Applied data risk increasingly encompasses the possibility of privacy concerns; financial losses; business disruptions; loss or compromised assets and information; failure to meet legal, regulatory or contractual requirements; and reputational damage. Effective management of data can enhance the systems of engagement and help mitigate risk and lower privacy concerns.23 Chief technology officers (CTOs), chief information officers (CIOs) and enterprise architects (EAs) should work with chief security officers (CSOs) and chief data officers (CDOs) to leverage digital disruption strategically through the adoption and adaption of the COBIT 2019 framework.24 Governments, city planners and business leaders must heed the warning signs of growing cybercrime and include cybersecurity experts at all stages of technology implementation—from design and construction to infrastructure management and beyond.
The most impactful disruptions happen in society, industry and business—not in technology. Radio to video is a disruption. Uber is a disruption that has affected society, industry and business, but not technology. Technology innovation, transformation and disruption are all the same thing.25 Digital disruption has to be sustained for a long time; any short-term disruption is a fad. Cloud computing does not reflect technology disruption, so much as the relocation of technology resource access.
Results and Application of Enterprise I&T Controls Using COBIT 5
As mentioned, COBIT 2019 refines business and enterprise I&T skills to both understand the true essentials of the business and provide the technology solutions to fulfil those needs.
Instituting controls enables the enterprise to derive results that optimize I&T investment and create value for the benefit of stakeholders through an on-the-ground assessment using a BSC approach. The results also bring to the fore IT governance pain points to be addressed. The data values of COBIT 4.1 control objectives (using input data from ISO/IEC 27001:2013), mapped to COBIT 5 governance and management practices, show how each IT-related goal is supported by a COBIT 5 IT-related process.26 This mapping is expressed using the following primary (P) and secondary (S) relationships:
- The value “P” indicates there is an important relationship, i.e., the COBIT 5 process is a primary support for the achievement of an IT-related goal.
- The value “S” indicates there is still a strong, but less important, relationship, i.e., the COBIT 5 process is a secondary support for the IT-related goal.27
Figure 2—Results Showing Mapping (Input Data from ISO/IEC 27001:2013) to COBIT 5 Governance and Management Processes
View Large Graphic. Source: ISACA, COBIT 5, USA, 201228
- Columns indicate 17 generic IT-related goals, grouped in IT BSC dimensions
- Rows indicate 37 COBIT 5 processes, grouped by domain
The COBIT 5 results shown in figure 3 indicate that the framework does not sufficiently account for the importance of project management principles in relation to EGIT. The strengths center around management through a higher reliance on Build, Acquire and Implement (BAI) and MEA. However, COBIT 2019 has addressed these shortcomings and has made the framework easier to adapt and adopt as an umbrella framework for EGIT.
Figure 3—Results Showing BSC Perspective Values as Mapped Data Values of COBIT 4.1 Control Objectives (Using Input Data from ISO/IEC 27001:2013) to COBIT 5 Domains
The Results and Application of Enterprise I&T Controls Using COBIT 2019
The mapped data values of COBIT 5 governance and management practices (using input data from ISO/IEC 27001:2013) to COBIT 2019 governance and management objectives shows how Alignment goals are supported by a COBIT 2019 governance and management objective. This mapping is expressed using the value scale:
- The value “P” indicates there is an important relationship (i.e., the COBIT 2019 Objective is a primary support for the achievement of an Alignment goal).
- The value “S” indicates there is still a strong, but less important, relationship (i.e., the COBIT 2019 governance and management objective is a secondary support for the Alignment goal).29
The assessment results can be drilled down to the input values, and a backward review of the mapping values can be used in determining the root cause of having low scores from a set of mapped data in ISO/IEC 27001 control objectives and questions; this will form a basis for developing an action plan as needed by the organization.30
Assumptions and Observations Related to the Primary Values
The updates highlighted in yellow (P and S) are as follows for figure 4:
- Mapping table—This maps Alignment goals to COBIT 2019 governance and management objectives.
- AG09—Delivering programs in time, on budget and meeting requirements and quality standards is a core definition of program management and is applicable to EGIT.
With this in mind, AG09 should have a primary support for EDM02 Ensured benefits delivery and DSS06 Managed business process controls as these are important relationships with program management functions, while AG09 should have a secondary relationship with BAI06 Managed IT changes as it relates to EGIT.
Figure 4—Results Showing Mapped Data Values to COBIT 2019 Governance and Management Objectives
View Large Graphic. Source: ISACA, COBIT 5, USA, 2012
- In the columns, all 13 Alignment goals in COBIT 2019
- In the rows, all 40 Governance and Management Objectives by Governance and Management of Information and Technology, grouped by domain
Figure 5—Results Showing BSC Perspective Values of Mapped Data Values to COBIT 2019 Core Domains
In COBIT 2019, the 3 new management objectives (processes) include:
- APO14 Managed data
- BAI11 Managed projects
- MEA04 Managed assurance
These were not present in COBIT 5, and these affected the results under COBIT 5 in figure 2. With the introduction of these 3 objectives in the COBIT 2019 results as shown in figures 4 and 5, there are no 0-score values in the figure 4 results as there are in the figure 2 results (EDM05 and APO08). From the BSC tables in figure 5, there is a higher score value for EDM as a result of the introduction of these objectives. This outcome reflects the fact that the COBIT 2019 framework core of EGIT is centered on governance and, when employed as a strategic framework, COBIT 2019 helps organizations make a difference once it is adopted and adapted to the organization’s culture.
Figure 6—Results Showing Mapped Data Values of COBIT 2019 Results from Alignment Goals to Enterprise Goals
View Large Graphic. Source: ISACA, COBIT 5, USA, 2012
The observations and updates highlighted in yellow (P and S) are introduced based on the need to cascade down the derived values from figure 4 and are used in figure 6 to define the mapping that will produce a BSC in figures 7 and 8.
Mapping Table—Enterprise Goals to Alignment Goals are as follows: AG08 and EG06 should have a secondary support or relationship for business continuity management for the enterprise. AG09 and EG06 for business and I&T program management address enhancing and supporting business continuity management as a primary function or have a primary relationship with each other in EGIT.
AG09 and EG09 reflect a key relationship and should be a primary function based on the rules for program management and expressed under EGIT. This relationship for AG09 and EG09 should be changed from secondary to primary as noted previously.
For an enterprise to achieve the goals set out in AG12 and EG08, there should be a secondary relationship to sustain the activities of an EGIT framework.
EG08 and EG09 should have an important primary relationship with AG13. Staff relationships are strategic in initiating and formulating innovative products with knowledge based on such relationships as stated in AG13. The linkage of the P values of AG13 is derived from COBIT 2019 core management objectives of APO04, APO07, APO08 and BAI08. All these relate to learning and development/growth (BSC perspective) and are managed in the organization through the human resources (HR) function.
Figure 7—Effect of Not Having a P Value for AG13 and EG08 From a BSC Perspective
View Large Graphic.
The mapping exercise takes into consideration a primary function of EG08 and AG13. The assumption is built on the enterprise goals related to EG08, which should have a primary relation, and is achieved by knowledge gained from the AG13. If the P supporting relationship value for AG13 and EG08 is not achieved, the score becomes 0 and this result tilts the balance scored on Internal Perspective to a value of 64% (figure 7) instead of 85% (figure 8). It is important to note that EG08 is under the Internal Perspective of the BSC, and AG13 is under the Learning and Growth Perspective of the BSC.
Figure 8—Results Showing Mapped COBIT 2019 Data Values to Achieve Alignment Goals and Enterprise Goals on BSC Perspective
View Large Graphic.
COBIT 2019 Based on BSC as a Measure of Strategic Performance
The authors of the BSC emphasized the shortcoming of traditional management systems, which did not address or harmonize the short-term strategy of the business with long-term financial goals. This is what precipitated the 4 BSC perspectives described as Financial, Customer, Internal, and Learning and Development to drive the business. These perspectives help the organization educate staff, communicate strategy and measure outcomes through improvements in financials and responses or growth of customers.31
The traditional measurements report on previous actions or events and do not proffer solutions on how to move forward or how managers can improve performance in the next phase based on the strategic outcomes, the scorecard functions as the cornerstone of a company’s current and future success.32
The information from the BSC 4 perspectives provides balance between external measures (such as customer reactions and operating income) and internal measures (i.e., new product development, knowledge, internal interactions and innovation).33 Performance measurement systems (e.g., BSC, skills management tools) are used to further distill the prerequisite data or information required for strategic and governance discussions to move an enterprise forward.
The assumptions made for using the primary values related to the COBIT 2019 governance and management objectives and alignment goals are based on information from COBIT 2019:
- The COBIT 2019 objectives are a primary support for the achievement of an Alignment goal.
- It is primary when there is an important relationship between the COBIT 2019 objectives and Alignment goals, the same as with Alignment goals and Enterprise goals.
- Achieving Alignment goals requires the successful application and use of a number of enablers.
- There are relationships to the 3 main enterprise I&T governance focus areas—value delivery, risk management (2 outcomes) and resource management (1 driver, which overlays all the other focus areas).34
With this understanding from the BSC perspective and a focus on the primary supporting values, practitioners can determine where the enterprise and its industry face a significant risk of disruption to revenue or customer experience. Based on this information, building skills and related capabilities can begin in these areas as pointers within the enterprise I&T organization. The P values of AG13 is derived from the combination of scores from COBIT 2019 core management objectives of APO04, APO07, APO08 and BAI08.
Driving digital transformation in an enterprise is a tough process without EGIT culture. Many enterprises have the right technology, but enterprises struggle to deliver stakeholder needs because they retain conventional organizations, practices and mind-sets that are no longer suited for the Internet of Things (IoT) and the digital business age Industry Internet of Things (IIoT).
Many practitioners would agree that many business roles now require I&T skills and most I&T roles require non-technical skills—from understanding human behaviors (i.e., psychology, social sciences) to design thinking to agile teamwork and even interactions between humans and AI/machine learning (ML). These help I&T innovate for the future. The way to address this is by employing an EGIT framework (COBIT 2019) for interactions/mappings to investigate where the enterprise and its industry face a significant risk of disruption to revenue or customer experience then start building skills and related capabilities in these areas within the enterprise I&T organization. It also helps to revisit the enterprise’s digital business transformation road map.
Stakeholders must also assess the reality of the speed and effectiveness of the current road map against the ambition of corporate leaders. If there are gaps that will inhibit progress, HR and the C-level should be involved in planning a digital agility program to develop the workforce of the future. Digitally agile businesses transcend the legacy boundaries of technology knowledge, skills and ideas. As one author notes, “Disruption requires creating a new basis (in a competition), usually parallel to any existing paradigm”.35
COBIT 2019 has addressed these shortcomings (i.e., adopting a governance framework, facing the risk of disruption to revenue, lack of road maps) and has made the framework easier to adapt and adopt for the enterprise as an umbrella framework for EGIT. COBIT 2019 helps build relationships (strategic team bonding); identify external strategic opportunities with executive sponsors; and, for the practitioner, manage people, data and technology. The vision and strategy driver scores are achieved from mapping36 ISO/IEC 27001 through COBIT 5 to COBIT 2019. The results from mapping the COBIT 2019 governance and management objectives to alignment goals and then to enterprise goals shows that if used correctly, a strategy can be formulated from COBIT 2019. The strategic learning, which consists of gathering feedback, testing the assumptions on which a governance strategy is based and making necessary adjustments, is what this mapping exercise has helped bring out from the COBIT 2019 framework.37 The assessment results with low scores for alignment and enterprise goals form the basis for developing an action plan as needed by the organization to address the input items from ISO/IEC 27001 control objectives and determine questions that need to be answered for a planned developmental/corrective road map as part of the enterprise strategy. It can be concluded that using COBIT 2019 in strategic planning to achieve an objective is effective, and employing tactical actions to implement the strategy is paramount in enterprise operations.
Christopher C. Anoruo, CRISC, CISM, CGEIT
Is the chief executive officer at TRAFTEC Ltd, a cybersecurity company he cofounded. He was the executive director of technology and operations officer at KATEC Consulting Ltd. He has also worked in various positions in the telecommunication and banking industries in West Africa. Prior to cofounding KATEC Consulting Ltd, he was an information security consultant with IBM Global Business Services. Anoruo has contributed to the ISACA Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) and Certified in the Governance of Enterprise IT (CGEIT) examinations. He has also participated in ISACA certification projects and has been part of the ISACA Test Enhancement Committee since 2005, setting exam questions and reviewing exam manuals.
1 Anoruo, C.; “ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance,” COBIT Focus, 14 December 2015, figure 10
2 Anoruo, C.; “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy,” COBIT Focus, 12 December 2016, figure 7
3 Kaplan, R.; D. Norton; “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review, January-February 1996, p. 75-85
4 Van Grembergen, W.; ”The Balanced Scorecard and IT Governance,” Information Systems Control Journal, vol. 2, 2000
5 Op cit Anoruo, “ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance”
6 Hamidovic, H.; “Fundamentals of IT Governance Based on ISO/IEC 38500,” ISACA Journal, vol. 5, 2010
7 ISACA, COBIT 2019, USA, 2018
8 ITGI, Board Briefing on IT Governance, 2nd Edition, USA, 2003
9 Op cit ISACA
10 Op cit Hamidovic
11 Op cit ISACA
12 Op cit ITGI
13 Op cit ISACA
14 Zororo, T.; Exploring the Difference Between COBIT 5 and COBIT 2019, LinkedIn, January 2019
15 Op cit ISACA
18 Steuperaert, D.; "Improving the Quality of the COBIT 5 Goals Cascade as an IT Process Prioritisation Mechanism," International Journal of IT/Business Alignment and Governance, vol. 7, iss. 2, July 2016
19 Op cit ISACA
21 Op cit ITGI
23 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”
24 Op cit Zororo
25 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy
31 Lawrie, G.; I. Cobbold; J. Marshall; “Corporate Performance Management System in a Devolved UK Governmental Organisation: A Case Study,” International Journal of Productivity and Performance Management, vol. 53, no. 4, 2004, p. 353–370
32 Kaplan, R.; D. Norton; The Balanced Scorecard: Translating Vision Into Action, Harvard Business School Press, USA, 1996
34 Op cit Hamidovic
35 Ekekwe, N.; “#AimHigher – Move Upstream,” Tekedia, 7 October 2019
36 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”