Volume 3, July 2013 Come join the discussion! Sudarsan Jayaraman will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 22 July 2013. Why, When and How to Migrate to COBIT 5 By Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA, ISO 9001 LA ® With the release of COBIT 5, a new evolution in the thinking process of managing and governing IT has taken shape. The question to answer is whether organizations that have invested in the implementation of the earlier versions of COBIT have to migrate to COBIT 5. If yes, the question becomes: why, when and how does an organization migrate to the new framework? Migrating to COBIT 5 is not the same as migration of software or hardware or a platform. Instead, this should be considered as a transition of the way work is done to meet the requirements of stakeholders. That said, was this not being done in the ® earlier versions of COBIT? That is, how different is COBIT 5 from COBIT 4.1 and what are the benefits an organization can realize from this new release? Why Migrate to COBIT 5? COBIT 4.1, while a popular framework, is considered by many to be an IT framework, not an enterprise framework. COBIT 4.1 addresses the IT requirement more as an operation model and a good practice guideline related to IT processes. After going through COBIT 5, one may get a feeling that COBIT 4.1 was lacking the governance view toward the organization and was more process-oriented. However, COBIT 4.1 does bring in the view of business-IT alignment by way of mapping enterprise goals with IT goals and finally with the IT process goals. COBIT 5 has further built on the process model and has clearly demarcated the governance and management processes separately. A new governance domain is introduced as a part of the COBIT 5 process reference model; this is a major improvement that provides clarity on the management and governance functions within an organization. A major improvement in COBIT 5 is the introduction of the five key principles and seven enablers, which form the pillar of the framework. With these additions, COBIT 5 has aligned itself closely with the ISO 38500 framework. COBIT 5 has retained the goal cascading model of COBIT 4.1; however, it has gone further by including the stakeholder needs as the starting point of the mapping, which then cascades to enterprise goals, IT goals and finally to enabler goals. The other key difference to point out is that a new process assessment model (PAM) has been introduced. The COBIT PAM is aligned with the ISO 15504 standards requirement. This means more stringent and accurate assessment of the relevant processes. In brief, the key benefits of COBIT 5 for enterprises can be summarized as follows: Aligning business and IT more closely by taking into account the stakeholder needs as the starting point. This provides more business focus with due consideration of internal and external stakeholders’ needs. Introducing the seven enablers as a more efficient and effective way of using resources to meet business requirements Showing the entire organization as responsible for governance of IT through the holistic inclusion of enhanced role descriptions in the RACI chart Helping the organization to understand business perspective more clearly by mapping the goals and objectives to a business scorecard model Thus, for organizations that have implemented COBIT 4.1, migrating to the new framework is a natural process of progression under which the organization will extend its coverage of IT governance to an enterprisewide governance initiative. When to Migrate to COBIT 5? At this current age of economic stagnation, is it wise to reinvest and migrate to the COBIT 5 framework? When is the right time to consider migration to COBIT 5? There is no single answer to this question. However, if the organization is still in the process of completing the COBIT 4.1 process implementation, it is advisable to continue the implementation before considering a migration to the new framework since any COBIT 4.1 implementation would have been typically initiated to respond to business requirements for improvements or to address specific pain points encountered by the organization. Since the respective controls to treat such issues would have been identified from the earlier version of COBIT, it is better to continue implementation and monitor whether the key goals are being accomplished, before migrating to COBIT 5. If the organization has implemented most of the COBIT 4.1 controls and has reached what it believes to be a reasonable degree of maturity, it is time to consider migration to COBIT 5, as COBIT 5 brings in the key differentiating aspect of segregating governance from management, which is important to consider and is a new addition with COBIT 5. Also, when using COBIT 5, the IT governance setup, which had been typically more inward-focused, will transition into the model of governance of enterprise IT (GEIT), in which involvement of enterprise stakeholders plays an imperative role. The following is a list of triggers that would suggest it is time to migrate to COBIT 5: Repeated failure of critical IT process results in issues related to the delivery of committed services by the business. Risk to the business has not been reduced considerably and IT risk does not align to enterprise risk. Controls implemented are more IT-oriented and do not span the enterprise. Figure 1—Pain Points and COBIT 5 Mitigations Pain Areas Target Processes Pain Areas Target Processes Failed Projects BAI01 Manage Programs and Projects End-user Responsibilities APO09 Manage Service Agreements Ad hoc Initiatives/ Planning APO01 and APO02 IT Mgmt. Framework and Strategy Support From Suppliers APO10 Manage Suppliers Communication Within IT Division APO09 Manage Service Agreements Lack of Automation Tools BAI02 and BAI03 Requirements Definition and Solutions Identification Management Reporting MEA01 and MEA02 Performance and Internal Control Accountability Among IT Staff APO09 Manage Service Agreements (OLAs) There are other pain triggers that may lead to migration to COBIT 5. Figure 1 provides an overview of pain points and typical COBIT 5 processes that can be used to mitigate the issue. How to Initiate Migration? Before initiating a migration to the new framework, it is recommended to clearly set the objective of migration. That is, what are the business benefits the organization will achieve by adopting the new framework? If a tangible and measurable goal is set as the baseline, achievement can be measured and success of adoption can be demonstrated. Volume 2, April 2013 Page 2 The key to a successful migration is to commence the activity by addressing the key pain areas within the organization. Once the pain areas are identified, the following steps can be followed: Initiate an assessment to identify the status and maturity of the processes that are currently implemented, if any. Prepare a migration strategy by identifying the processes and the required enablers from COBIT 5 to be implemented. Identify the affected departments, section and services that will be impacted by this migration. Ensure that a project management plan with time lines is created and a budget is allocated for this effort. Remember to run the migration activity through the change management process. Address the organization change impact that will be created by this migration and have a transitional plan to roll out the migration. Market and communicate the positive impact that will be achieved by this migration to get buy-in from top management. Once the above initial steps are performed, the organization is ready to commence the journey. It is recommended to break the entire migration into smaller scope areas that are manageable, because quick wins will motivate the migration team and the organization to continue the journey. Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA, ISO 9001 LA Is a director of technology risk services at Protiviti Member Firm (Middle East). He has more than 20 years of experience in IT advisory and consultancy services, focusing predominately in IT governance, IT service management and information security management. Jayaraman has successfully managed and facilitated ISO 27001 and ISO 20000 certification at a number of large and prestigious companies in the Middle East. ©2013 ISACA. All rights reserved. Volume 2, April 2013 Page 3
© Copyright 2024