ISMS Implementation.

Using COBIT for inspiration


20.02.2023

COBIT (by ISACA): https://www.isaca.org/resources/cobit


Core Books:
1. COBIT 2019 Framework: Introduction and Methodology
2. COBIT 2019 Framework: Governance and Management Objectives
3. COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution
4. COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution

Focus Area Books:
5. COBIT Focus Area: Information Security. Using COBIT 2019
6. COBIT Focus Area: Information & Technology Risk. Using COBIT 2019
7. COBIT Focus Area: DevOps Using COBIT 2019
8. COBIT 5 for Information Security (old)

Other Books:
9. COBIT for Small and Medium Enterprises Using COBIT 2019
10. COBIT for DevOps Audit Program
11. Implementing the NIST Cybersecurity Framework Using COBIT 2019
12. IT Control Objectives for Sarbanes-Oxley, 4th Edition

Mapping: COBIT: Models and Examples | COBIT: Books | ISMS (ISO 27001)

Governance and Management
Three main outcomes:
• Benefits realization
• Risk optimization
• Resource optimization
Key Activities and RACI:
• Set direction for the program
• Provide program management resources
• Establish and maintain direction and oversight structures and processes. Establish and maintain program
• Align approaches with enterprise approaches
COBIT books:
• COBIT 2019 Framework: Introduction and Methodology
• COBIT Focus Area: Information Security. Using COBIT 2019
• COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution
ISMS (ISO 27001): IS Governance, Leadership, ISMS

Components of the Governance System
• Processes
• Organizational structures
• Principles, policies and frameworks
• Information
• Culture, ethics and behavior
• People, skills and competencies
• Services, infrastructure and applications
COBIT books:
• COBIT 2019 Framework: Introduction and Methodology
• COBIT Focus Area: Information Security. Using COBIT 2019
• COBIT for Small and Medium Enterprises Using COBIT 2019
ISMS (ISO 27001): ISMS

by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001


www.patreon.com/AndreyProzorov

Design Factors
• Enterprise strategy
• Enterprise goals
• Risk profile
• I&T-related issues
• Threat landscape
• Compliance requirements
• Role of IT
• Sourcing model for IT
• IT implementation methods
• Technology adoption strategy
• Enterprise size
COBIT books:
• COBIT 2019 Framework: Introduction and Methodology
• COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution
• COBIT for Small and Medium Enterprises Using COBIT 2019
ISMS (ISO 27001): Context

Goals Cascade
• Stakeholder Drivers and Needs
• Enterprise Goals
• Alignment Goals
• Governance and Management Objectives
COBIT books:
• COBIT 2019 Framework: Introduction and Methodology
• COBIT 2019 Framework: Governance and Management Objectives
• COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution
ISMS (ISO 27001): Objectives and Performance Evaluation

Performance Management (Capability and Maturity Levels, 0-5)
COBIT books:
• COBIT 2019 Framework: Introduction and Methodology
ISMS (ISO 27001): Performance Evaluation

Quality Criteria for Information (Accuracy, Objectivity, Believability, Reputation, Relevancy, Completeness, Currency, Appropriate Amount, Concise Representation, Consistent Representation, Interpretability, Understandability, Ease of Manipulation, Availability, Restricted Access)
COBIT books:
• COBIT 2019 Framework: Introduction and Methodology
ISMS (ISO 27001): The CIA triad, Principles

COBIT Implementation Approach
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?
Challenges, root causes and success factors
Enabling Change
Roles, Phase Objectives, Descriptions, Tasks (Continual improvement, Change enablement, Program management), Inputs, Resources and Outputs, RACI
COBIT books:
• COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution
• COBIT 2019 Framework: Introduction and Methodology
• COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution
ISMS (ISO 27001): PDCA, ISMS Implementation Plan

Business Case
• Phase 1. Pre-planning
• Phase 2. Program Implementation
• Program Scope
• Program Methodology and Alignment
• Program Deliverables
• Program Risk
• Stakeholders
• Cost-Benefit Analysis
• Challenges and Success Factors
COBIT books:
• COBIT 2019 Framework: Introduction and Methodology
• COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution
ISMS (ISO 27001): ISMS Implementation Plan

Processes
Description, Purpose, Goals and Metrics, Activities, RACI, Inputs/Outputs
COBIT books:
• COBIT 2019 Framework: Governance and Management Objectives
• COBIT Focus Area: Information Security. Using COBIT 2019
• COBIT for Small and Medium Enterprises Using COBIT 2019
ISMS (ISO 27001): ISMS Processes, Objectives and Metrics, Roles and Responsibilities

Roles and Organizational Structures
COBIT books:
• COBIT 2019 Framework: Governance and Management Objectives
• COBIT Focus Area: Information Security. Using COBIT 2019
ISMS (ISO 27001): Roles and Responsibilities, ISMS Committee

Stakeholder Involvement
COBIT books:
• COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution
• COBIT 2019 Framework: Governance and Management Objectives
ISMS (ISO 27001): Interested Parties

Information Security-related information types
• Information security strategy
• Information security budget
• Information security plan/program
• Information security requirements
• Information security review report
• Information security management report
• Information security service catalog
Description, Goals and quality criteria, Metrics, Structure/high-level content
COBIT books:
• COBIT Focus Area: Information Security. Using COBIT 2019
ISMS (ISO 27001): Documented Information

People, Skills and Competencies
COBIT books:
• COBIT Focus Area: Information Security. Using COBIT 2019
ISMS (ISO 27001): Competence

Information Security Principles
1. Support the business
• Focus on the business
• Deliver quality and value to stakeholders
• Comply with relevant legal and regulatory requirements
• Provide timely and accurate reporting on information security performance
• Evaluate current and future information threats
• Promote continuous improvement in information security
2. Defend the business
• Protect classified information
• Concentrate on critical business applications
• Develop systems securely
3. Promote responsible information security behavior
• Act in a professional and ethical manner
• Foster an information security-positive culture
COBIT books:
• COBIT Focus Area: Information Security. Using COBIT 2019
ISMS (ISO 27001): Principles

Information Security Policies
COBIT books:
• COBIT Focus Area: Information Security. Using COBIT 2019
ISMS (ISO 27001): Documented Information, Topic-specific policies

Culture, Ethics and Behavior
• Behavior 1: Everyone is accountable for the protection of information within the enterprise.
• Behavior 2: Information security is practiced in daily operations.
• Behavior 3: People respect the importance of information security policies and principles.
• Behavior 4: People are provided with sufficient and detailed information security guidance and are encouraged to participate in and challenge the current information security situation.
• Behavior 5: Stakeholders are aware of how to identify and respond to threats to the enterprise.
• Behavior 6: Management proactively supports and anticipates new information security innovations and communicates them throughout the enterprise. The enterprise is ready to account for and address new information security challenges.
• Behavior 7: Senior and middle management engages in continuous cross-functional collaboration to foster efficient and effective information security programs.
• Behavior 8: Executive management recognizes the business value of information security.
• Behavior 9: Management provides clear communication on information security (enabling awareness and training).
Leadership Aspects:
• Aspect 1: Influencing behavior through communication, enforcement, and rules and norms
• Aspect 2: Influencing behavior through incentives and rewards
• Aspect 3: Influencing behavior through raising awareness
COBIT books:
• COBIT Focus Area: Information Security. Using COBIT 2019
ISMS (ISO 27001): Leadership, Awareness

Risk Management
• Organizational Structures
• Risk Management Principles
• Detailed I&T Risk-Specific Guidance
• I&T Risk Scenarios
• Risk Register template
• IT Risk Reporting Examples
• Sample Risk Maps
• …
COBIT books:
• COBIT Focus Area: Information & Technology Risk. Using COBIT 2019
ISMS (ISO 27001): Risk Management
