- Why did ISACA select ISO 15504?
- What is the major value of using the new COBIT Assessment Programme?
- Is this simply a way to push more certifications to consultants?
- We know where our strengths and weaknesses lie. Why undertake a COBIT process assessment?
- Why do I need a more rigorous assessment? Is the self-assessment process not sufficient?
- Does the new COBIT Assessment Programme approach replace the existing COBIT 4.1 CMM approach?
- What is the difference between the COBIT 4.1 CMM and the new COBIT Assessment Programme approach?
- Will COBIT 5 have the same process capability assessment approach using ISO 15504? And how will it differ?
- Why would you want to do a COBIT process capability assessment using COBIT 4.1 when COBIT 5 will be available in early 2012?
- What about enterprises not using COBIT 4.1?
- How is assessing cloud different from assessing other services?
- What other models, frameworks and approaches have been aligned to ISO 15504?
- What qualifications and experience will be required to be a certified assessor?
- How will training and certification be provided?
- How long on average does a COBIT Assessment take to execute?
- Will the ISO revised standard ISO 33000 which will be the replacement to ISO 15504 have an impact on the model just developed for both COBIT 4.1 and COBIT 5?
- If all of the work (heavy lifting) is done to achieve level 1, which is deemed to be a major achievement, what is the incentive to go to further levels of capability? Is it not a “nice to have’?”
- What tools are available to assist assessors in performing these process capability assessments?
1. Why did ISACA select ISO 15504?
ISO 15504 effectively deals with a capability process assessment. It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes (evidentiary requirements).
2. What is the major value of using the new COBIT Assessment Programme?
The value derived from assessments using this approach includes reliable results that focus the enterprise on the benefits and resource implications arising from the performance and capability of its IT processes, and provide a sound basis for benchmarking and improvement, prioritization and planning.
There are a number of specific benefits for COBIT users in taking this approach:
- Focus first on confirming that a process is achieving its intended purpose and delivering its required outcomes as expected.
- Simplification of the content supporting process assessment.
- Improved reliability and repeatability of process capability assessment activities and evaluations, reduced debates and disagreements between stakeholders on assessment results.
- Increased usability of process capability assessment results, as the new approach establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes such as benchmarking.
- Compliance with a generally accepted process assessment standard (ISO 15504) and therefore strong support for process assessment approach in the market.
3. Is this simply a way to push more certifications to consultants?
No, because ISO 15504 identifies the need for both “independent” and “competent” assessors to perform an assessment. ISACA has identified a number of key competencies and experience requirements. This necessitates a comprehensive training programme with an exam that requires a certificate upon the successful completion of the exam. This type of certification is more a “product-based” rather than a “professional-based” certification program such as CISA or CPA.
4. We know where our strengths and weaknesses lie. Why undertake a COBIT process assessment?
Many organizations believe they have some idea of their strengths and weaknesses. However, they can often be surprised when a particular process fails to perform as expected because it is not robust enough to deal with either organizational change or different circumstances.
5. Why do I need a more rigorous assessment? Is the self-assessment process not sufficient?
- A self-assessment can be used by organizations to perform a less rigorous assessment of the capability of IT processes. This may be a precursor to undertaking a more rigorous, evidence-based assessment. It is intended as a “stand-alone” process with the minimum of training and not requiring a certified assessor.
- A self-assessment is based more on judgement of the individual or individuals making the assessment. It will be subjective without a requirement for evidence. As a result, the assessment will be indicative of the process capability. Experience has shown that such assessments are often optimistic, showing a better result than would be shown in a more formal, evidence-based assessment. They are generally not repeatable or objective. For a repeatable, objective assessment, a full assessment using the COBIT PAM and assessor guide (with training) is required.
6. Does the new COBIT Assessment Programme approach replace the existing COBIT 4.1 CMM approach?
- No, it does not; it is a different approach to assessing process capability that ISACA has selected to use. COBIT 4.1 CMM remains as published and the option of applying a COBIT Assessment Programme approach as an alternative has been made available.
- However, The CMM approach will not be offered in COBIT 5 because the new ISO 15504 approach is core to performing a capability process assessment using COBIT 5 content.
7. What is the difference between the COBIT 4.1 CMM and the new COBIT Assessment Programme approach?
- The capability level scale is the same, i.e., 0 to 5 and some of the level names are very similar, but that is where the similarities end. The attributes assessed and measured in each approach are NOT the same nor is there a clean cut relationship between the two sets of attributes.
- There are no specific requirements to provide evidentiary support for assessment results in the existing COBIT 4.1 CMM approach, but this is mandatory in the ISO 15504 approach. Providing such evidence in support of the assessment produces more robust, repeatable and defensible results.
- The assessment done under the old COBIT 4.1 CMM approach will likely result in “higher scores,” due to the subjective averaging approach adopted, and also due to the more rigorous ISO 15504 requirements for level 1 in the new approach.
8. Will COBIT 5 have the same process capability assessment approach using ISO 15504? And how will it differ?
- COBIT 5 has been designed taking into account all of the ISO 15504 process capability assessment requirements. As a result the consistency of content between the COBIT 5 process content and the COBIT 5 PAM will be improved over those of COBIT 4.1.
- For the purposes of applying the COBIT Assessment Programme approach, the only difference between COBIT 4.1 and COBIT 5 will be the level 1 content which is specific and unique to each framework version. Assessment levels 2 to 5 focus on generic process attributes (as defined in ISO 15504) and are therefore the same for both frameworks.
9. Why would you want to do a COBIT process capability assessment using COBIT 4.1 when COBIT 5 will be available in early 2012?
Enterprises have invested in using COBIT 4.1 and will continue to use it for a number of years—until a driver is encountered for them to consider a transition to COBIT 5. During this time a formal process capability assessment against COBIT 4.1 will be of value to
10. What about enterprises not using COBIT 4.1?
Those organizations who have not yet implemented COBIT are encouraged to use the COBIT 5 PAM because of the added value that the expanded COBIT 5 framework scope brings to the enterprise.
11. How is assessing cloud different from assessing other services?
There is no difference, cloud services are a subset of IT services, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Regardless of the deployment model, private, public etc, cloud computing is a delivery of a service in the same way as any other IT service delivery; ISACA cloud publications provide a predefined selection of COBIT processes; the assessment of the processes itself will be the same for cloud as for any other IT service delivered. . For more information on ISACA’s cloud publications visit: www.isaca.org/cloud.
12. What other models, frameworks and approaches have been aligned to ISO 15504?
- ITIL3 has been mapped to ISO 15504 but only at level 1; i.e., a Process Reference Model (PRM) has been developed and released via a Tudor publication. However, to our knowledge no full PAM has been developed.
- The ISO group responsible for ISO 20000 on IT service management is also in the process of developing an ISO 15504 PAM
- COSO has also developed an ISO 15504 PRM (level 1 only) but not a full PAM.
13. What qualifications and experience will be required to be a certified assessor?
Certification and competency requirements are still being developed but ISACA sees the following as likely requirements:
Experience—Minimum of five years’ experience in business management, IT management or management consultancy. Two years can be substituted by having a Certified Information Systems Auditor (CISA); or equivalent/relevant auditing or assessment certification.
- Foundation level training, exam and certificate (to demonstrate core knowledge of COBIT)
- Process level training, exam and certificate
- Assessor training, exam and certification to become a certified assessor
14. How will training and certification be provided?
ISACA is in the process of developing worldwide training and certification for the accreditation of training organizations.
15. How long on average does a COBIT Assessment take to execute?
- There is no specific answer to this as it depends on the scope of the assessment; 3 processes vs. 34/37. It depends on the business need and what processes management would like to see assessed/improved.
- ISACA has provided a scoping tool as part of its tool kit to assist organizations in selecting processes to scope. (See tool kit link on the web site.)
16. Will the ISO revised standard ISO 33000 which will be the replacement to ISO 15504 have an impact on the model just developed for both COBIT 4.1 and COBIT 5?
- Yes, in that any changes to the process capability assessment approach required by the new standard when published will need to be considered into the COBIT Assessment Programme approach and supporting materials at some point.
- ISACA has studied the draft proposals for the new standard being developed and concluded that the big improvements proposed for ISO 33000 will affect mainly the enterprise maturity assessment that is based currently on ISO 15504-7 guide, which ISACA has not implemented, preferring instead to concentrate on a process capability assessment because this activity must be completed first before an enterprise level maturity assessment can be undertaken.
17. If all of the work (heavy lifting) is done to achieve level 1, which is deemed to be a major achievement, what is the incentive to go to further levels of capability? Is it not a “nice to have’?”
- There is always a cost/benefit trade off in how high a capability level an organization wants to achieve and indeed many organizations have focused a lot of their attention at level 1 because this is a major achievement to show that your processes are meeting fully their purpose.
- Level 3 is seen by ISACA as the level that enterprises should aspire to for consistency in the performance of their processes irrespective of the staff involved.
- Levels 4 and 5 will depend on the industry and product sector, so for example to meet a government contract to provide defense technology an organization may be required to show a level 5 capability, i.e., “their processes are optimized.”
18. What tools are available to assist assessors in performing these process capability assessments?
- ISACA has provided a tool kit for both the assessor and the self-assessment guide.
- There are also commercial organizations that provide ISO assessment tools both online and via software download that can be tailored to a specific organization’s needs.