Share on:


Tips for Implementing COBIT in a Continuously Changing Environment

By José Ángel Peña Ibarra, CRISC, CGEIT, COBIT 2019 Foundation, COBIT 5 Accredited Trainer

COBIT Focus | 29 April 2019

There is a new term coined here: “COBITIAN.” It describes professionals who love COBIT and are excited and happy for the evolution to COBIT 2019, including its new governance and management objectives, design factors, and focus areas concepts.

After many years training and helping organizations address governance and management issues, I have learned that there is no single way to implement or use COBIT, no magic formula. Therefore, the insights that follow do not pretend to be a prescriptive implementation guide but are intended as tips to be shared on this subject.

The main purpose of COBIT is to serve as a reference framework to implement and/or improve the governance system for enterprise information and technology (I&T).

To help address some of the typical challenges related to implementing and/or improving governance of enterprise I&T, COBIT 2019 has been published. There are still many questions about the transition from COBIT 5 to COBIT 2019. Should practitioners continue using COBIT 5? How does one start using COBIT 2019? Does understanding and using COBIT 2019 require new certifications? Is this change in COBIT a problem for the organization and for the practitioner?

The tips that follow can help answer some of these questions.


Tip 1—Transitioning From COBIT 5 to COBIT 2019 Should Not Be a Traumatic Experience

It is an evolution, not a revolution. Many of the concepts in COBIT 5 persist in COBIT 2019. Many of the publications based on COBIT 5 will remain in use (and useful) for some time, so there is no reason to be afraid. Practitioners can evaluate where their organizations are now and where they want them to be—and then plan the transition from COBIT 5 to COBIT 2019 in a way that maximizes advantages of the updated concepts in COBIT 2019.


Tip 2—Consider the 4 Stages of Learning

Knowledge, understanding, application and analysis are the 4 stages of learning, and they are important. Many people try to skip the first 2 stages and go directly to the application stage. This is a big mistake.

Complex mathematical problems cannot be solved without knowing the basics of arithmetic; likewise, the governance of I&T is also a complex matter. Fundamental governance concepts must be known and understood before anyone can even dream of applying them. Practitioners are often in a hurry, looking to apply the concepts with speed; however, it behoves all practitioners to take time to know and understand first. ISACA has published the necessary products and guidance for the acquisition of knowledge and understanding.

The remaining tips include those concepts that are most important to know and understand.


Tip 3—Know and Understand the Principles of COBIT

In particular, it is essential to know and understand the 6 principles for a governance system (figure 1), because in the universe of COBIT 2019, they constitute the North Star and point COBIT users in the right direction. Principles express not only good intentions—rather, everything practitioners do must be aligned to these principles.


Figure 1—Governance System Principles

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018, figure 3.1. Reprinted with permission.


Tip 4—Know and Understand the 7 Components of a Governance System

The IT professional who does not use a holistic approach is like a physician who prescribes an aspirin when a patient has a headache without taking into consideration all the other symptoms that can have an impact on the patient’s health. In order to apply a holistic approach, COBIT users must know and understand the components of a governance system (figure 2). One big mistake is to think that governance and management relate only to processes or IT resources—on the contrary, practitioners must account for components as diverse and wide-ranging as culture, ethics and behavior, and principles, policies and procedures.


Figure 2—COBIT Components of a Governance System

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018, figure 4.3. Reprinted with permission.


The components of COBIT 2019 were called enablers in COBIT 5. They are the same—so practitioners familiar with enablers will understand the components of a governance system.


Tip 5—Know and Understand the Structure and Purpose of the COBIT 2019 Core Model

The COBIT 2019 core model includes 40 governance and management objectives (figure 3). At first glance, one might think that the only changes from COBIT 5 to COBIT 2019 include a name change from “process” to “objective” and the addition of 3 new objectives—but this is not the case. Each COBIT 2019 objective relates to 1 and only 1 process yet also includes other components related to the objective. In the new structure, each activity within a given process practice is assigned a number to indicate capability level. The conceptual division of process into practices and activities helps practitioners better understand not only an organization’s actual capability levels—in all their nuanced levels of maturity—but also helps determine desired target capability levels.


Figure 3—COBIT Core Model

View Large Graphic.
Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018, figure 4.2. Reprinted with permission.


The tips that follow span both design and implementation of COBIT 2019.


Tip 6—Review and Start Using the COBIT 2019 Design Factors

Design factors reflect key contextual elements critical to enterprise success and offer practitioners a flexible method not only to select values that best characterize the enterprise’s environment and direction, but also register their relative degrees of importance (figure 4).


Figure 4—COBIT Design Factors

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018, figure 4.4. Reprinted with permission.


Design factors can be found in the COBIT 2019 Framework: Introduction and Methodology publication and in the COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. ISACA also developed the COBIT 2019 Governance System Design Tool Kit to help users apply the design guide and quantify the influence of design factors in the design process. The Excel spreadsheet included in the tool kit will save users time and help them learn to execute the 4 design steps of COBIT 2019. The tool kit makes extensive use of design factors and is especially integral to the quantitative aspects of the design process.

It is important to work through the 4 design steps carefully. Users can prioritize their governance and management objectives, define target capability levels, and achieve a design for a governance system of I&T tailored to the organization’s specific needs.

If the organization already has a governance system of I&T based on COBIT 5, the design stage is the right starting point for a smooth and organized transition from the COBIT 5-designed governance system to the more flexible, updated COBIT 2019 governance system.


Tip 7—The First 3 Phases of COBIT 2019 Implementation Life Cycle Are Connected With the Design Steps

While it is true that the COBIT 2019 and COBIT 5 implementation life cycles are the same (figure 5), users now have more guidance to work in the first 3 phases of this cycle in more detail, and these phases are aligned to the 4 design steps of COBIT 2019 (figure 6). Therefore, users should avoid the temptation of going directly to the Implementation phase but take into consideration the steps of Governance System Design Workflow (figure 7) and the corresponding design factors.


Figure 5—COBIT Implementation Life Cycle

View Large Graphic.
Source: ISACA, COBIT 2019 Implementation Guide, USA, 2018, Chapter 6. Reprinted with permission.


Figure 6—Connection Points Between COBIT Design Guide and COBIT Implementation Guide

Source: ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, figure 5.2. Reprinted with permission.


Figure 7—Governance System Design Workflow

Source: ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, figure 4.1. Reprinted with permission.


An important aspect of the COBIT implementation life cycle is that it is not a finite project, but a process with infinite iterations so users can evaluate where they are now and start a new iteration, considering the upgrade to COBIT 2019, with a parallel period on some aspects of COBIT 5.


Tip 8—With Adaptations, Use the Process Assessment Model to Evaluate Process Capability in COBIT 2019 Processes, But Plan to Move to CMMI

Practitioners do not have to abandon the COBIT 5 process assessment model (PAM) to evaluate process capability. It can still be used—with some adaptations—because COBIT 2019 has all the elements needed for this evaluation, as process purpose, practices and work products. Anyone already using PAM can work in the adaptation with various levels of difficulty, depending on the particular case.

However, the intention was not to develop a new PAM for COBIT 2019. Therefore, sooner or later, users should move to the new COBIT performance management model based on CMMI. If users are beginning the performance management activities, then they should use the new approach based on CMMI.

In fact, CMMI is a comprehensive approach that includes both capability and maturity, and it is easier to apply than PAM.

Process activities are associated to capability levels. This is described in the COBIT 2019 Framework: Governance and Management Objectives.

Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved.


Tip 9—Make COBIT Training a High Priority

COBIT 2019 does not discontinue COBIT 5, and training in the various levels of COBIT 5 will continue. Also, the COBIT 5 certifications are still very valuable. However, training in COBIT 2019 should be considered a priority. For practitioners who hold the COBIT 5 Foundation certificate, attaining the COBIT 2019 Foundation level will be relatively easy. Users can attend a COBIT Bridge course and sit for the Bridge exam. If they pass this exam, they achieve the Foundation (Bridge) level.

Those starting to learn COBIT 2019 should begin with the COBIT 2019 Foundation course.

There are 3 levels of training and exams in COBIT 2019:

  • COBIT Bridge course and exam
  • COBIT 2019 Foundation course and exam
  • COBIT 2019 Design and Implementation (expected to be released in Q2 2019)

As a prerequisite to achieving the COBIT 2019 Design and Implementation certification, one must either first pass the Bridge exam or pass the COBIT 2019 Foundation exam and then attend the COBIT 2019 Design and Implementation course and pass the exam for Design and Implementation level.


Conclusion

This is a great time for those working in the IT, risk, assurance and related fields, particularly for COBITIANS. There are many advantages in the update to COBIT 2019 that will help practitioners design a governance system tailored to the organization’s needs. Several products and guides are still in development—including publications devoted to specific focus areas, such as digital transformation, cloud, DevOps, risk, information security, and small and medium enterprises.

IT governance practitioners, risk management and business professionals should continue moving forward. In this changing I&T environment, we have to run as fast as we can just to stay in the same position. If we want to advance, we need to move even faster.


José Ángel Peña Ibarra, CRISC, CGEIT, COBIT 2019 Foundation, COBIT 5 Accredited Trainer

Is a COBITIAN with more than 35 years of professional experience in IT governance and management. He has served as managing director of CCISA, a Mexican consulting firm since 2002. Formerly, he was with PricewaterhouseCoopers. He is a former international vice president of ISACA (2007-11) and is currently the president of the ISACA Monterrey (Mexico) Chapter (2019-20). Peña Ibarra has delivered more than 40 COBIT courses in several countries. He has utilized COBIT in several implementation and assurance projects.