COBIT 5 was released in 2012 and, after 6 years, in November 2018, the first titles in the updated COBIT 2019 framework began to appear. Implementers observe that, in practice, enterprises often require several years to become familiar with an upgraded framework and adopt new guidance and standards. The point is, there is a gap between the pace at which frameworks are modified and the pace at which enterprises—even entire industries—adopt, implement and gain value from updated frameworks.
What does this mean? Should authorities release updated frameworks less frequently? No. It makes more sense for enterprises and industries to find leaner, quicker, better and more effective approaches to adopting and implementing updated frameworks to keep pace. Otherwise, they will be left behind.
When enterprises are slow to adopt and implement frameworks, they rarely reach the point of demonstrating value of a given version to top management before a newer version of the framework has evolved.
Top management is interested in value, quick wins and return on investment (ROI) from any framework. Among senior executives and board members, the typical dashboard of key metrics displays jumps in sales, profits, compliance benchmarks, turnover among employees, churn among customers, IT spend vs. value delivery, etc. For top management, as long as these metrics are under control, any framework is a good framework.
Now IT must tell top management that COBIT 2019 is here. IT teams must provide the current status and timelines for migrating from COBIT 5 to COBIT 2019 and, more important, IT must estimate the associated resource investment and expected ROI. In this context, it is critically important for enterprises to understand how to transition from COBIT 5 to COBIT 2019 as efficiently and quickly as possible.
Ascertain the Enterprise’s COBIT Implementation Status
When it comes to COBIT implementation, enterprises typically fall into one of several categories:
- The enterprise has never heard about COBIT or other frameworks, let alone considered implementation. Such an enterprise believes that minimal or no process oversight is required to function relatively well without a governance framework.
- The enterprise is still implementing COBIT 4.1. Yes, there are some slow-moving enterprises that exhibit reactive governance cultures and act only when needed or ordered to do so.
- The enterprise is still training COBIT 5 resources and preparing for its implementation.
- The enterprise has already started implementing COBIT 5.
- The enterprise has completed COBIT 5 implementation and is planning to migrate to COBIT 2019.
- The enterprise implements elements of different standards or frameworks, but none entirely or consistently.
For the implementers, it is very important to know where the enterprise stands at this point before rushing to implement COBIT 2019 or, for that matter, transitioning to it.
Understand What Changed From COBIT 5 to COBIT 2019
It is important to understand what is new in COBIT 2019 as compared to COBIT 5 at a high level (figure 1).
Figure 1—Differences Between COBIT 5 and COBIT 2019
Now called components
Governance processes begin with “Ensure”
Governance objectives begin with “Ensured”
Management processes begin with “Manage”
Management objectives begin with “Managed”
Evaluate, Direct and Monitor (EDM) has Ensure transparency process
EMD has Ensured stakeholder engagement objective
Align, Plan and Organize (APO) has Managed data as a new objective
APO has Manage suppliers process
APO has Managed vendors objective
Build, Acquire and Implement (BAI) has Program and project management as one process
Managed program and Managed projects are 2 different objectives
BAI has Manage change process
BAI has Managed IT changes objective
Monitor, Evaluate and Assess (MEA) has Managed assurance objective
Process reference model
COBIT core model
Governance system has 6 principles
Governance framework has 3 principles
17 enterprise goals
13 enterprise goals
11 design factors are introduced
ISACA has created an Excel-based design tool.
- Download the Excel-based tool.
- Select a design factor workbook (e.g., Design Factor 3—Risk Profile).
- Provide a value as an input in the “Importance” cell.
- See the output section; how the relative importance of all 40 objectives are rated based on input selection.
- Repeat this for all 11 design factors.
- Pay attention to highly relative important objectives. This can assist in prioritizing objectives for implementation based on the design factors.
For those new to COBIT 2019 and the design factors, studying each of the design factors in detail before using the Excel tool is strongly advised.
PAM can still be used to measure process capability.
Capability assessment based on International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 15504
Information technology‑‑Process Assessment
Capability assessment based on CMMI V2.0
Base practices are equivalent to process practices for each governance and management objective
Work products are equivalent to information flows
Performance management for all 7 components (formerly enablers)
How to Transition an Enterprise to COBIT 2019?
COBIT 2019 implementation follows the same life cycle implementation phases found in the COBIT 5: Implementation guide. And, for transitioning to COBT 2019, the life cycle phase must be adopted and adapted. Figure 2 shows a summary per phase that gives a brief outline of the transition.
For enterprises that are still implementing COBIT 4.1 and want to switch to COBIT 2019, the following points must be kept in mind:
- COBIT 4.1 had Risk IT and Val IT as separate frameworks and, in COBIT 5, these are integrated and an authoritative governance and management framework is created.
- COBIT 2019 is based in part upon COBIT 5 and builds on the prior framework to increase flexibility while maintaining continuity.
- If an enterprise is still using COBIT 4.1 and wants to switch to COBIT 2019, bypassing COBIT 5 may prove to be difficult, unless a sufficient number of practitioners have been trained on COBIT 5, the implementation methodology specific to COBIT 2019 and CMMI V2.0 concepts for capability assessment and performance management.
Figure 2—COBIT 2019 Implementation Guidance
Phase of COBIT Implementation Life Cycle
What Should the Enterprise Do?
Typical Activities and Deliverables
Phase 1—What are the drivers?
What is the reason the enterprise started to implement COBIT 4.1 or COBIT 5?
What necessitates switching to COBIT 2019?
Typical drivers could be that a competitor has already started to implement COBIT 2019, while the enterprise is still using COBIT 5 or an earlier version.
Was COBIT 5 implemented to address pain points or triggers or both?
What was the outcome until now? It is time to tell the top management.
- Governance, risk management and compliance (GRC) team
- Chief information officer (CIO)
- Chief information security officer (CISO)
- Chief risk officer (CRO)
- Chief financial officer (CFO)
- Chief technology officer (CTO)
The governing body provides rationale, justification for switching to COBIT 2019.
A business case should be created or an update to the COBIT 5 business case should be completed.
As a prerequisite, stakeholders should determine how comfortable business and IT are with COBIT 5 and COBIT 2019.
Phase 2—Where are we now?
Study what has been achieved to this point.
If COBIT 5 is implemented or still in implementation, find out how many processes have been rolled out and are in business as usual (BAU) mode, and what their capability levels are.
If COBIT 4.1 is implemented, what is blocking migration to the newer versions?
Are COBIT 2019 terminologies known and understood?
How comfortable are stakeholders with interpretation?
How many IT and business staff received COBIT 5 and COBIT 2019 training?
How do the new COBIT 2019 principles impact users?
Articulate a clear status of the current situation.
Management will ask for information regarding any delays, blockers, value achieved or not achieved, and planned vs. actual outcomes.
If previous projects have been delayed and yielded low value, then management needs to understand the value proposition of COBIT 2019 implementation.
Be ready with all details.
Conduct assessment of processes and their capability levels. Do this for only implemented processes.
Revisit the business case and update it with current benefits and expected new benefits post-COBIT 2019 implementation.
IT must organize meetings with the governing body to provide benefits accrued until now and expected benefits post-COBIT 2019.
Deliverables at this stage are:
- Assessment plans, assessor selections
- Assessment reports
- Meetings and discussions on findings with the governing body
Phase 3—Where do we want to be?
Based on the size of the organization, design the governance and management structure using the COBIT 2019 core model as a reference point.
Note: The following 2 objectives are new in COBIT 2019:
- Managed data
- Managed assurance
Certain COBIT 5 processes in BAI are segregated:
- Managed Programs
- Managed Projects
Use COBIT 2019 principles to plan the implementation.
Use a top-down approach from governance down to management processes.
Haphazard implementation of one or another process from domains has the least value gain.
Zero noncompliance in data breaches by implementing Managed data process and Managed assurance should be the goal.
Study each of the COBIT 2019 design factors:
- Enterprise strategy
- Enterprise goals
- Risk profiles
- I&T-related issues
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model
- IT implementation methods
- Technology adoption
- Enterprise size
Determine how the design factors influence objective prioritization. Note: Each design factor has different inputs. For example, design factor 9 Implementation methods has 3 inputs:
Studying each design factors and its inputs helps develop an approach to give relative importance to objectives.
Identify the most crucial governance and management objectives.
Consider Managed data and Managed assurance as mandatory objectives to safeguard the enterprise from data breaches, ensuring regulatory compliance. Therefore, these 2 objectives cannot be taken up at later stages; rather, they must be implemented first.
Phase 4—What do we need to do?
To implement COBIT 2019,
the following conditions are necessary:
- Implement Managed data objective—Data privacy and compliance must be maintained by the enterprise and understood from top management down to the business and IT
Implement assurance and audit process
- Implement program and project management
Revisit the objectives to streamline:
- Managed IT changes
- Managed vendors
- Ensured stakeholder engagement
If all the COBIT 5 37 processes are implemented, then to switch to COBIT 2019, additional processes such as Managed data, Managed projects, Managed assurance are needed.
For Managed data
objective, set up a workshop with the business, architects, CISO and CIO to understand data privacy, compliance, laws, regulations and security needs. Every country has different laws for implementing privacy rules. First, local regulations must be met, then the global. Therefore, IT must have a data privacy officer to oversee compliance with local and global regulations.
To create a process, follow these steps:
- Gather requirements from business.
- Draft process workflows.
- Get workflows verified and signed off on by the business.
- Work with tool vendors to customize workflows.
- Conduct trainings for users.
- Roll out process and baseline it.
Phase 5—How do we get there?
As recommended in COBIT 5, make a road map to address the gaps.
Ideally, a 3-month iteration should be planned for covering all 7 phases of the COBIT 2019 implementation life cycle.
Use a project plan to drive the implementation.
Come up with a plan, resources, milestones, deliverables and quick wins. That plan should include these items:
- Execute tasks daily as per the plan.
- Provide weekly updates to stakeholders.
- Control delays and check quality issues.
- Highlight excessive time, cost, resource issues to sponsor.
Phase 6—Did we get there?
Use CMMI V2.0 to assess the capability of the processes.
The minimum capability expectation most of the industry sets is level 3. It takes a few years to reach to level 5 for each process.
Evidence collection should be based on samples.
Use COBIT Assessor Guide: Using COBIT 5, which includes guidance to plan evidence collection and reporting of assessment.
Use CMMI V2.0 capability and maturity model.
Ideally, all 40 COBIT 2019 objectives should be plotted on a grid on the x-axis and all 40 objectives and on the y-axis. Five levels and post assessments determine which process stands in which capability (figure 3). The purpose of this graph is to let stakeholders know the capability status of every process. It can also assist in prioritizing improvements when a particular process is considered to be too low in its capability.
Phase 7—How do we keep momentum?
Discuss the lessons learned in the implementation, including:
- Team issues
- Tool issues
- Collaboration issues
- Escalation issues
- Supplier interests
Prove every win, loss or near win by measurements.
Conduct lessons learned sessions with business, IT and COBIT 5 implementers.
The sponsor of COBIT 2019 should be the main invite along with governing body members.
Figure 3—Plotting Levels and Processes for Current State View
The information outlined herein is a guiding light to find the best ways to implement COBIT 2019. Many enterprises may still be in the training mode, and these tips could help them avoid pitfalls.
Govind Kulkarni, COBIT 5 Foundation, CSQA, ISO 27001 LI, ITIL Expert, PMP
Has 2 decades of experience providing IT solutions. He has worked in the entire life cycle of software development and, currently, he conducts training on COBIT 5, ITIL, information and cybersecurity. He has completed consulting assignments for gap analysis, COBIT 5/ITIL implementation, assessments using the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC15504 standard and tool customization for clients across the globe. Kulkarni’s current interests include business continuity, IT asset and cost management, scalability and performance optimization of web applications, predictive analytics, and technology areas such as OpenStack and DevOps. He was one of the editors of How to Reduce Cost of Software Testing published by CRC press. He can be reached email@example.com.