
GEIT Framework at Work, Part 3: Creating a Project Plan

By Peter C. Tessin, CISA, CRISC, CISM, CGEIT

COBIT Focus | 23 July 2018

There is an old saying about the importance of planning: “Failing to plan is planning to fail.” While the saying has become almost a cliché from years of use, it is essentially true. Very few projects are successful in achieving their goals without the support of a clear, comprehensive, fully defined and approved plan.

Hence, the purpose of this article: creating a project plan in support of a solution. This article, the third in a 6-part series that looks at the practical application of a governance of enterprise IT (GEIT) framework, describes the plan built to support the solution designed in part 2. This article covers requesting authorization for the project, defining the project scope, designing the project schedule and specifying the project requirements.

The essential elements of a project plan are that it is authorized, has a clear mandate and has resources available to undertake the work. For a governance structure implementation to be truly effective, there must be support from the top. If a director or manager were to independently perform a governance structure implementation, there might be resistance from affected departments if commitment from the top could not be demonstrated.

The project plan must contain a project charter, elaboration of requirements, project schedule with defined milestones (likely, a Gantt chart [1] will be included) and a communication plan.

The first step is to design and write the project charter and gain commitment from a key employee to sponsor the implementation. In the case this series of articles is considering, the key person can be found in the responsible, accountable, consulted and informed (RACI) chart of process APO13 Manage Security in COBIT 5: Enabling Processes. That RACI chart shows the chief information security officer (CISO) as the person accountable for the Manage Security process. For this example, the CISO will be asked to sponsor the project. The charter will be used to communicate the project’s authority to the enterprise and include signoff from the sponsor.

A sample project charter that can be used as a template for project planning purposes follows.

Sample Project Charter Template

Security Management Project Charter
9 July 2018

Project title: Security Management Governance Structure Implementation

Scope and objectives: (Enterprise name) is addressing an internal audit finding that demonstrated a lack of proper oversight in the internal control environment. To address this finding, the governance team will conduct an analysis of potential weaknesses within the security management area and design and implement governance structure elements to rectify the finding in that area. This project will serve as a proof-of-concept exercise and, if successful, will serve to inform a broader effort to address internal control oversight.

Project description: Analyze existing controls and control activities to determine effective design and operating effectiveness for security management. Identify work products and assess process capability to support process goals. Where gaps are found, design work products and practice activities to produce defined work product requirements.

Project assumptions: Staff assigned to this project will be available and will be provided access to business unit functionality as the project requires. The completion of the project will be 31 December 2018. A recommendation to proceed with a larger examination of the internal control environment will follow within 2 weeks of that date.

Project organization: The project will require a project manager (PM) from the governance team, which will provide additional team members. Periodic contributions will be required from the information security manager, enterprise architecture, operations, and service manager, and they will be utilized 50% for the duration of the project.

Team responsibilities: The project manager will:

  • Determine which staff and skills are needed to provide analysis on the security management process practices.
  • Assign work tasks and record progress toward planned milestones.
  • Report project status and progress to project sponsor.
  • Report findings and make a final recommendation.

Project Approval:

Jane Doe
Chief Information Security Officer (CISO)
(Signature) Jane Doe

Defining and Scheduling Project Tasks

Based on the scope defined in the charter, a set of work tasks must be developed. The level of detail used to define and describe the tasks should be consistent with the complexity of the overall project. Besides the task itself, the project schedule often communicates planned start and end dates, actual start and end dates, resources assigned, and dependencies on other tasks. A simplified version is presented as a sample in figure 1.

Figure 1—Sample Simplified Project Schedule Template (Gantt Chart)



| Task | Date | Duration (days) | Resources | Percent Complete |
|---|---|---|---|---|
| Secure project charter approval. | 1 August 2018 | | Project manager | |
| Initiate project kickoff. | 2 August 2018 | | Project manager | |
| Assign project team members. | 2 August 2018 | | Project manager | |
| Analyze security management practices. | 6 August 2018 | | Team members | |
| Identify current work products. | 20 August 2018 | | Team members | |
| Assess process capabilities. | 4 September 2018 | | Project manager, team members | |
| Determine practice gaps. | 17 September 2018 | | Project manager, team members | |
| Define necessary work products and practice activities. | 24 September 2018 | | Project manager, team members | |
| Establish new practices with business unit. | 15 October 2018 | | Project manager, team members, business unit | |
| Assess effectiveness of new practices. | 5 November 2018 | | Project manager, team members, business unit | |
| Compile data and write final report. | 17 December 2018 | | Project manager | |
| Close project and hold exit meeting. | 21 December 2018 | | Project manager | |

Developing a Communication Plan

The PM must set expectations with respect to how the project sponsor and any other interested parties will be kept informed of the project’s status. The PM must also provide names and contact information for each team member and business unit participant. These details are presented in a communication plan. This plan is used to provide quick access to people, but also to confirm project status reporting frequency, who must be informed and on what schedule, and how.

Sample Communication Plan Template

Reporting contact: Enterprise CISO

Project status meetings: Weekly, preferably on Thursday mornings

Report format: Completion dashboard

Project Team Contacts:

  • Project Manager
  • Information Security Manager
  • Enterprise Architect
  • Service Manager

Work Outline—Next Time

The next installment in this series will discuss outlining the work and describing the contributions of each role player. Each of the work products will be further defined with elaboration on who creates each and how to tie them back to the process structure design.


Peter C. Tessin, CISA, CRISC, CISM, CGEIT, is a senior manager at Discover Financial Services. He leads the governance group within business technology (BT) risk. In this role, he is responsible for ensuring that policy, standards and procedures align with corporate objectives. He serves as the internal party responsible for regulatory exam management and is the internal liaison to corporate risk management. Prior to this role, Tessin was a technical research manager at ISACA where he was the project manager for COBIT 5 and led the development of other COBIT 5-related publications, white papers and articles. Tessin also played a central role in the design of COBIT Online, ISACA’s website that offers convenient access to the COBIT 5 product family and includes interactive digital tools to assist in the use of COBIT. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm, where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native United States, including Australia, Canada, France, Germany, Italy, Jordan, Mexico and the United Kingdom.


[1] What Is a Gantt Chart?