Share on:

Using Visual Models for Adopting IT Governance Practices

By Rafael Almeida, Pedro Linares Pinto, Renato Lourinho, Miguel Mira da Silva, Ph.D.

COBIT Focus | 20 March 2017

IT governance (ITG) can be adopted using a mixture of various structures, processes and relational mechanisms1 that encourage behaviors consistent with the organization’s mission, strategy, values, norms and culture.2 Examples of process mechanisms are ITG frameworks, best practices and International Organization for Standardization (ISO) standards such as COBIT 5, ITIL 2011 and ISO/IEC 27001. The term “ITG practices” is used throughout this article to refer to both standards and frameworks.

A recent survey highlighted the fact that while many enterprises have recognized the importance of formal ITG practices, many have yet to adopt them.3 The same sentiment has been echoed by other researchers through their own findings. For example, in a survey of IT service management adoption by US companies, researchers found that less than half of responding organizations had implemented any type of IT management standard or framework.4 Other research found that the level of adoption and certification of ISO/IEC 27001 was lower than similar management standards such as ISO 9001 and ISO 14001.5

Furthermore, increasing competitive demands, coupled with compliance requirements, have forced organizations to implement multiple frameworks and standards.6 ISACA responded by undertaking a high-level mapping between COBIT and various control standards, guidelines and frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), PRINCE2, ISO/IEC 27002, ITIL, and Project Management Body of Knowledge (PMBOK).7 However, these mappings are represented in text.

This article proposes representing and modeling different ITG practices, more specifically, those that are complementary (such as COBIT 5 and ITIL, and COBIT 5 and ISO/IEC 27001) using ArchiMate.

The representation of different ITG practices in ArchiMate has the following objectives:

  • Better understanding of ITG practices
  • Improvement of internal education and training initiatives
  • Improvement of communication between stakeholders
  • A clear perception of current positioning, according to ITG practices
  • Facilitation of the migration from different versions of any given ITG practice
  • Detection of duplicated or similar ITG projects within the company
  • Performance of a cost/benefit analysis for a given ITG practice
  • Prioritization of current and future ITG initiatives
  • A search for ITG quick wins

By modeling and integrating ITG practices using ArchiMate, the adoption of their ITG practices is significantly facilitated. As an evolution from the current textual representation of ITG practices, visual models depict a more comprehensible representation, making knowledge and information more explicit.8


ArchiMate provides a uniform representation for diagrams that describes enterprise architectures. The ArchiMate core framework covers the business, application and technology layers of an organization (figure 1), and also provides extended layers that represent aspects such as the motivation.

Figure 1—ArchiMate Architectural Framework

Source: Adapted from The Open Group, ArchiMate 2 Certification Study Guide, 2014

The core elements of the ArchiMate language focus on describing the architecture of systems that support the enterprise. They do not cover the elements that, in different ways, drive the design and operation of the enterprise.9 An overview of motivation elements is described in figure 2.

Figure 2—Overview of Motivation Elements

Source: Adapted from The Open Group, ArchiMate 3.0 Specification, 2016


Modeling and integrating COBIT 5 and other ITG practices require a uniform representation. A common language ensures that everyone follows the same set of objectives, issues and priorities.10

ArchiMate is the common frame of reference. A concrete example that illustrates the models and integration between COBIT 5 and ISO/IEC 27001 is presented in this section. Figure 3 shows the COBIT 5 metamodel.

Figure 3—COBIT 5 Metamodel

Source: R. Almeida, P. Linares Pinto, R. Lourinho and M. Mira da Silva.11 Reprinted with permission.

A metamodel provides all concepts, properties, operations and relations between concepts necessary for designing any kind of models to be contained in it, at some level of abstraction and from some perspective.12

The COBIT 5 metamodel strictly follows the ArchiMate metamodel.13 The composition relationship between process and base practices is used since base practices exist only in a context of a process. The same is true for the relationship between base practices and activities.

The enabler goals (in this case represented by process goals) are associated with the IT-related goals. The same can be applied to the relationship between IT-related goals and enterprise goals, and the relationship between enterprise goals and governance goals, which are, in turn, influenced by stakeholder needs that are influenced by stakeholder drivers. Outputs of base practices may be inputs of other base practices. A proposed ISO 27001 metamodel is portrayed in figure 4.

Figure 4—ISO 27001 Metamodel

Source: R. Almeida, P. Linares Pinto, R. Lourinho and M. Mira da Silva. Reprinted with permission.

The ISO 27001 metamodel strictly follows the ArchiMate metamodel. In this metamodel, controls realize requirements by derived relationship through control objectives. In turn, requirements influence control objectives meaning that implementation of ISO 27001 should fit an organization’s risk management and processes already in place. Thus, an organization’s needs influence its requirements, which, in turn, influence the controls needed to be implemented.

Figure 5 presents an integrated metamodel that encompasses both COBIT 5 and ISO 27001 metamodels using ArchiMate.

Figure 5—Integrating COBIT 5 and ISO 27001 Metamodels

Source: R. Almeida, P. Linares Pinto, R. Lourinho and M. Mira da Silva. Reprinted with permission.
View Large Graphic.

COBIT 5 processes and ISO/IEC 27001 controls are related by association, meaning they can be mapped one to another. A COBIT 5 process is associated to one or more ISO 27001 control categories. Each category contains a single control objective and one or more controls.


The ITG models represented in ArchiMate are valuable contributions to the research community, but representations cannot be used directly by practitioners. For example, the analysis of representations modeled in ArchiMate is not prone to automatic analysis. It means that the size and level of detail and complexity of the ITG practices models can make analysis exclusively by human means a difficult task.

Therefore, these models have been designed in an enterprise architecture tool called the Enterprise Architecture Management System (EAMS) that allows both visualization and editing of models. EAMS is a common platform upon which business and IT can cooperate. EAMS is both an information aggregator with connectors for the main business and IT applications and catalogs (enterprise architecture, business intelligence and configuration management database [CMDB]) as well as a powerful visualizer that allows users to explore and navigate in time.

An example of the COBIT 5 EDM05 process is illustrated in figure 6.

Figure 6—Blueprint for the COBIT 5 EDM05 Process in EAMS

Source: R. Almeida, P. Linares Pinto, R. Lourinho and M. Mira da Silva. Reprinted with permission.
View Large Graphic.

EAMS ensures consistency of the models, cooperation (knowledge sharing) between stakeholders and easy access to ITG practices models, as well as their integrations.


ITG practices are considered highly complex, generic and difficult to adopt, requiring significant investment and resources.

The representation of the ITG practices in models facilitates their understandability as well as the integration of their common aspects in order to avoid a duplication of effort. ArchiMate is a suitable tool to represent the main ITG practices.

However, models have limitations, which can be addressed by using EAMS. A plug-in that would extend EAMS to support “multi-practice” assessments is currently in development.

The authors will continue to use the website to share these models, in particular with practitioners outside the research community.

Authors’ Note

The authors would like to thank Simão Vieira and Link Consulting for letting them use EAMS for academic and scientific purposes. They would also like to thank all students who attended the IT Governance and Management course at Instituto Superior Técnico, University of Lisbon (Portugal), for modeling COBIT 5 into EAMS.

Rafael Almeida

Is an IT governance researcher, INOV—Inesc Inovação. He is also a Ph.D. student at Instituto Superior Técnico, University of Lisbon, Portugal.

Pedro Linares Pinto

Is an IT governance invited researcher, INOV—Inesc Inovação. He has worked at PricewaterhouseCooper as an information systems auditor.

Renato Lourinho

Is a master’s degree student at Instituto Superior Técnico, University of Lisbon, Portugal.

Miguel Mira da Silva, Ph.D

Is an associate professor of Information Systems at the Instituto Superior Técnico in the University of Lisbon (Portugal) and research group leader at INOV INESC Inovação.


1 De Haes, S., W. Van Grembergen; “IT Governance and Its Mechanisms,” Information Systems Control Journal, vol. 1, 2004
2 Weill, P.; “Don't Just Lead, Govern: How Top-Performing Firms Govern IT,” MIS Quarterly Executive, vol. 3, iss. 1,2004, p. 1-17
3 IT Governance Institute, Global Status Report on the Governance of Enterprise IT (GEIT), 2011
4 Winniford, M., S. Conger, L. Erickson-Harris; “Confusion in the Ranks: IT Service Management Practice and Terminology,” Information Systems Management, vol. 26, iss. 2, p. 153 - 163
5 Fomin, V. V.; L. Kaunas; H. J. de Vries; Y. Barlette; F. Montpellier; “ISO/IEC 27001 Information Systems Security Management Standard: Exploring the Reasons for Low Adoption,” Proceedings of the 3rd European Conference on Management Technology, Nice, France, 2008
6 Nicho, M.; S. Muamaar; “Towards a Taxonomy of Challenges in an Integrated IT Governance Framework Implementation,” Journal of International Technology and Information Management, vol. 25, iss. 2
7 Heschl, J., “COBIT in Relation to Other International Standards,” Information Systems Control Journal, vol. 4, 2004 p. 37-40
8 Bartens, Y.; De Haes, S.; et al; “A Visualization Approach for Reducing the Perceived Complexity of COBIT 5,” Advancing the Impact of Design Science: Moving from Theory to Practice, Springer International Publishing, USA, 2014
9 The Open Group, ArchiMate® 2.1 Specification
10 Năstase, P., F. Năstase, C. Ionescu, “Challenges Generated by the Implementation of the IT standards COBIT 4.1, ITIL v3 and ISO/IEC 27002 in Enterprises,” Economic Computation & Economic Cybernetics Studies & Research, 2009, vol. 43, iss. 1, 2009 16
11 Almeida, R.; P. Linares Pinto; M. Mira da Silva; Using ArchiMate to Integrate COBIT 5 and COSO Metamodels, Proceedings of the 13th European Mediterranean and Middle Eastern Conference on Information Systems (EMCIS), Krakow, Poland, 2016
12 Roux-Rouquié, M., M. Soto, “Virtualization in Systems Biology: Metamodels and Modeling Languages for Semantic Data Integration,” Transactions on Computational Systems Biology I, 3380, 2005, p. 132
13 Op cit The Open Group