COBIT Design2


6/12/2024

3/7

Design and
Implementation Course
Instructor name

Copyright © 2019 Information Systems Audit and Control Association, Inc. All rights reserved.


COURSE MODULES

Session One
Module 1 • Course Introduction
Module 2 • COBIT 2019 Basic Concepts
Module 3 • Design Factors for a Governance System
Module 4 • Impact of Design Factors
Module 5 • Governance System Design Flow

Session Two
Module 6 • Governance Design Toolkit
Module 7 • Implementing and Optimizing I&T Governance Overview
Module 8 • Governance Implementation Lifecycle
Module 9 • Key Topics Decision Matrix
Module 10 • Closing Remarks

COURSE LEARNING OBJECTIVES SESSION ONE

1. Describe the key concepts of COBIT 2019 as taught in the COBIT Foundation course.

2. Describe the benefits of the COBIT 2019 Design Guide for its target audience.

3. Describe the current design factors in COBIT 2019.

4. Apply the design factor concept to identify relevant values.

5. Describe the impact design factors can have on the design of a governance system.

6. Describe the design workflow of a governance system.

7. Use the steps in the design workflow for governance systems.

8. Apply the design workflow to a concrete situation in order to obtain a governance system design.


COBIT 2019 ARCHITECTURE

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 4: Basic Concepts

COBIT 2019 PRODUCTS

COBIT® 2019 Framework: Introduction and Methodology

COBIT® 2019 Framework: Governance and Management Objectives

COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution

COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 4: Basic Concepts


GOVERNANCE AND MANAGEMENT OBJECTIVES

Governance objectives:
• EDM: Evaluate, Direct and Monitor

Management objectives:
• APO: Align, Plan and Organize
• BAI: Build, Acquire and Implement
• DSS: Deliver, Service and Support
• MEA: Monitor, Evaluate and Assess

Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4


COMPONENTS OF A GOVERNANCE SYSTEM

To satisfy governance and management objectives, each enterprise needs to establish, tailor and sustain a governance system built from several components.
• Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T.
• Components interact with each other, resulting in a holistic governance system for I&T.
• Components can be of different types; the most familiar are processes.

Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4

COMPONENTS OF A GOVERNANCE SYSTEM

Component types of the governance system:
• Processes
• Organizational Structures
• Principles, Policies and Procedures
• Information (Flows and Items)
• Culture, Ethics and Behaviour
• People, Skills and Competencies
• Services, Infrastructure and Applications

Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4


FOCUS AREAS

A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.

Focus areas can contain a combination of generic governance components and variants.

The number of focus areas is virtually unlimited. That is what makes COBIT open-ended: new focus areas can be added as required or as subject matter experts and practitioners contribute.

Examples of focus areas:
• Small and medium enterprises
• Cybersecurity
• Risk
• DevOps

Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4


DESIGN FACTORS

Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4

INTENDED AUDIENCE

The Design Guide explores design factors that can influence governance and includes a workflow for planning a tailored governance system for the enterprise.

Direct stakeholders:
• Board members
• Executive and senior management
• Experienced enterprise professionals

Indirect stakeholders:
• Customers
• Users
• Citizens

Responsible parties: those responsible during the whole life cycle of the governance solution, from initial design to execution.

Reference: COBIT 2019 Design Guide, Chapter 1


COBIT PERFORMANCE MANAGEMENT: DEFINITION AND PRINCIPLES

Performance management is an essential part of a governance and management system. The term “COBIT Performance Management” (CPM) is used to describe capability and maturity level assessment activities, and the concept is an integral part of the COBIT framework.

How an enterprise can be improved up to the required level is expressed through:
• Capability levels
• Maturity levels

The CPM model in COBIT 2019 is based on the following principles:
• Simple to understand and use
• Consistent with and supporting the COBIT conceptual model
• Provides reliable, repeatable and relevant results
• Must be flexible
• Should support different types of assessments

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT


COBIT PERFORMANCE MANAGEMENT OVERVIEW

The CPM model largely aligns to and extends CMMI® Development


2.0 concepts:
• Process activities are associated to capability levels. This is included in
COBIT 2019 Framework: Governance and Management Objectives.
• Other governance and management component types (e.g., organizational
structures, information) may also have capability levels defined for them in
future guidance that ISACA may release.
• Maturity levels are associated with focus areas (i.e., a collection of
governance and management objectives and underlying components) and
will be achieved if all required capability levels are achieved.

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT

COBIT PERFORMANCE MANAGEMENT OVERVIEW

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT

PROCESS CAPABILITY LEVELS

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT

FOCUS AREA MATURITY LEVELS

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6: Performance Management in COBIT

DESIGN FACTORS


DESIGN FACTOR 1: ENTERPRISE STRATEGY

Enterprises can have different strategies, which can be expressed as (a combination of)
the archetypes shown below. Organizations typically have a primary strategy and, at
most, one secondary strategy.

Figure 2.5—Enterprise Strategy Design Factor

Strategy Archetype | Explanation
Growth/Acquisition | The enterprise has a focus on growing (revenues).
Innovation/Differentiation | The enterprise has a focus on offering different and/or innovative products and services to their clients.
Cost Leadership | The enterprise has a focus on short-term cost minimization.
Client Service/Stability | The enterprise has a focus on providing stable and client-oriented service.

Reference: COBIT 2019 Design Guide, Chapter 2


DESIGN FACTOR 2: ENTERPRISE GOALS

Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, structured along the balanced scorecard (BSC) dimensions.

Figure 2.6—Enterprise Goals Design Factor

Reference | BSC Dimension | Enterprise Goal
EG01 | Financial | Portfolio of competitive products and services
EG02 | Financial | Managed business risk
EG03 | Financial | Compliance with external laws and regulations
EG04 | Financial | Quality of financial information
EG05 | Customer | Customer-oriented service culture
EG06 | Customer | Business-service continuity and availability
EG07 | Customer | Quality of management information
EG08 | Internal | Optimization of internal business process functionality
EG09 | Internal | Optimization of business process costs
EG10 | Internal | Staff skills, motivation and productivity
EG11 | Internal | Compliance with internal policies
EG12 | Growth | Managed digital transformation programs
EG13 | Growth | Product and business innovation

Reference: COBIT 2019 Design Guide, Chapter 2

DESIGN FACTOR 3: RISK PROFILE

Figure 2.7—Risk Profile Design Factor

The risk profile identifies the sort of I&T-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.

Reference: COBIT 2019 Design Guide, Chapter 2


DESIGN FACTOR 3: RISK PROFILE

Risk categories:
• IT investment decision making, portfolio definition and maintenance
• Program and projects lifecycle management
• IT cost and oversight
• Enterprise/IT architecture
• IT expertise, skills and behavior
• IT operational infrastructure incidents
• Unauthorized actions
• Hardware incidents
• Software adoption/usage problems
• Software failures
• Logical attacks (hacking, malware, etc.)
• Third-party/supplier incidents
• Geopolitical issues
• Noncompliance
• Industrial action
• Technology-based innovation
• Acts of nature
• Data and information management
• Environmental

Reference: COBIT 2019 Design Guide, Chapter 2

DESIGN FACTOR 4: I&T RELATED ISSUES

A related method for an I&T risk assessment is for the enterprise to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized. These are the most common of such issues:

Figure 2.8–I&T Related Issues Design Factor
Reference | Description
A | Frustration between different IT entities across the organization because of a perception of low contribution to business value.
B | Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value.
C | Significant IT-related incidents, such as data loss, security breaches, project failure, application errors, etc. linked to IT.
D | Service delivery problems by the IT outsourcer(s).
E | Failures to meet IT-related regulatory or contractual requirements.
F | Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems.

Reference: COBIT 2019 Design Guide, Chapter 2


DESIGN FACTOR 4: I&T RELATED ISSUES (CONTINUED)

Figure 2.8–I&T Related Issues Design Factor
Reference | Description
G | Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets.
H | Duplications or overlaps between various initiatives or other forms of wasting resources.
I | Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction.
J | IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget.
K | Reluctance by board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT.
L | Complex IT operating model and/or unclear decision mechanisms for IT-related decisions.
M | Excessively high cost of IT.
N | Obstructed or failed implementations of new initiatives or innovations caused by the current IT architecture and system.

Reference: COBIT 2019 Design Guide, Chapter 2

DESIGN FACTOR 4: I&T RELATED ISSUES (CONTINUED)

Figure 2.8–I&T Related Issues Design Factor
Reference | Description
O | Gap between business and technical knowledge which leads to business users and IT and/or technology specialists speaking different languages.
P | Regular issues with data quality and integration of data across various sources.
Q | High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation.
R | Business departments implementing their own information solutions with little or no involvement of the enterprise IT department.
S | Ignorance of and/or noncompliance with security and privacy regulations.
T | Inability to exploit new technologies or to innovate using I&T.

Reference: COBIT 2019 Design Guide, Chapter 2


DESIGN FACTOR 5: THREAT LANDSCAPE

The threat landscape under which the enterprise operates can be classified as shown below:

Figure 2.9–Threat Landscape Design Factor
Threat Landscape | Explanation
Normal | The enterprise is operating under what are considered normal threat levels.
High | Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.

Reference: COBIT 2019 Design Guide, Chapter 2

DESIGN FACTOR 6: COMPLIANCE REQUIREMENTS

The compliance requirements to which the enterprise is subject can be classified according to the categories below.

Figure 2.10—Compliance Requirements Design Factor
Regulatory Environment | Explanation
Low compliance requirements | The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
Normal compliance requirements | The enterprise is subject to a set of regular compliance requirements that are common across different industries.
High compliance requirements | The enterprise is subject to higher-than-average compliance requirements, most often related to industry sector or geopolitical conditions.

Reference: COBIT 2019 Design Guide, Chapter 2


DESIGN FACTOR 7: ROLE OF IT

The role of IT for the enterprise can be classified as shown below.

Figure 2.11—Role of IT Design Factor
Role of IT | Explanation
Support | IT is not crucial for the running and continuity of the business processes and services, nor for their innovation.
Factory | When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
Turnaround | IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency on IT for the current running and continuity of the business processes and services.
Strategic | IT is critical for both running and innovating the organization’s business processes and services.

Reference: COBIT 2019 Design Guide, Chapter 2

DESIGN FACTOR 8: SOURCING MODEL FOR IT

The sourcing model for IT the enterprise adopts can be classified as shown below.

Figure 2.12—Sourcing Model for IT Design Factor
Sourcing Model | Explanation
Outsourcing | The enterprise calls upon the services of a third party to provide IT services.
Cloud | The enterprise maximizes the use of the cloud for providing IT services to its users.
Insourced | The enterprise provides for its own IT staff and services.
Hybrid | A mixed model is applied, combining the other three models in varying degrees.

Reference: COBIT 2019 Design Guide, Chapter 2


DESIGN FACTOR 9: IT IMPLEMENTATION METHODS

The IT implementation methods the enterprise adopts can be classified as shown below.

Figure 2.13—IT Implementation Methods Design Factor
IT Implementation | Explanation
Agile | The enterprise uses Agile development working methods for its software development.
DevOps | The enterprise uses DevOps working methods for software building, deployment and operations.
Traditional | The enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
Hybrid | The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”

Reference: COBIT 2019 Design Guide, Chapter 2

DESIGN FACTOR 10: TECHNOLOGY ADOPTION STRATEGY

The technology adoption strategy can be classified as shown below.

Figure 2.14—Technology Adoption Strategy Design Factor
Technology Adoption Strategy | Explanation
First mover | The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
Follower | The enterprise typically waits for new technologies to become mainstream and proven before adopting them.
Slow adopter | The enterprise is very late with adoption of new technologies.

Reference: COBIT 2019 Design Guide, Chapter 2


DESIGN FACTOR 11: ENTERPRISE SIZE

Two categories are identified for the design of an enterprise’s governance system. Micro-enterprises (i.e., enterprises with fewer than 50 staff members) are not considered in this view.

Figure 2.15—Enterprise Size Design Factor
Enterprise Size | Explanation
Large enterprise (Default) | Enterprise with more than 250 full-time employees (FTEs)
Small and medium enterprise | Enterprise with 50 to 250 FTEs

Reference: COBIT 2019 Design Guide, Chapter 2

INDUSTRY DIMENSION (OPTION 1)

Why is there no industry sector design factor?

Every industry sector has its own unique set of requirements regarding expectations from the use of I&T. However, it is possible to capture the key characteristics of an industry sector by a combination of the design factors listed in the preceding tables.

For example:
• Financial sector
• Healthcare providers
• Nonprofit enterprises
• Public sector agencies

Reference: COBIT 2019 Design Guide, Chapter 2


INTRODUCTION


IMPACT OF DESIGN FACTORS

Design factors influence in different ways the tailoring of the governance system of an enterprise. There are three different types of impacts:
• Management objective priority and target capability levels
• Component variations
• Specific focus areas

Reference: COBIT 2019 Design Guide, Chapter 3


MANAGEMENT OBJECTIVE SELECTION


IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels

Design factor influence can make some governance and management objectives more important than others. In practice, this higher importance translates into setting higher target capability levels.

Reference: COBIT 2019 Design Guide, Chapter 3


IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels – EXAMPLES

Appendices A and B of COBIT 2019 Framework: Governance and Management Objectives show the mappings from enterprise goals to alignment goals, and then from alignment goals to governance and management objectives.

1. Identify the most relevant enterprise goal(s) from the enterprise goal list.
2. Apply the goals cascade.
3. Select the priority management objectives.

Reference: COBIT 2019 Design Guide, Chapter 3

IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels - EXAMPLES

Enterprise profile: Diversify offerings, increasing profit and growth
Goal: EG01 Portfolio of competitive products and services
Objective: APO05 Managed portfolio

Enterprise profile: Risk-avoidant
Goal: EG02 Managed business risk
Objectives:
• EDM03 Ensured risk optimization
• APO12 Managed risk
• APO13 Managed security
• DSS05 Managed security services

Reference: COBIT 2019 Design Guide, Chapter 3


IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels - EXAMPLES

Enterprise profile: Operating in a high-threat landscape
Goals:
• EG02 Managed business risk
• EG06 Business service continuity and availability
Objectives:
• APO13 Managed security
• DSS05 Managed security services

Enterprise profile: Role of IT is strategic and crucial to the success of the business
Goals:
• EG01 Portfolio of competitive products and services
• EG05 Customer-oriented service culture
Objectives:
• APO02 Managed strategy
• APO08 Managed relationships

Reference: COBIT 2019 Design Guide, Chapter 3

COMPONENT VARIATIONS


IMPACT OF DESIGN FACTORS

Component Variations

Components are required to achieve governance and management objectives. Some design factors can influence the importance of one or more components or can require specific variations.

Reference: COBIT 2019 Design Guide, Chapter 3

IMPACT OF DESIGN FACTORS

Component Variations - EXAMPLES

Small and medium-sized enterprises might not need the full set of roles and organizational structures as laid out in the COBIT core model but may use a reduced set instead.

DevOps in solution development and operations example:
• BAI03 Managed solutions identification and build
• DSS01 Managed operations

Reference: COBIT 2019 Design Guide, Chapter 3


SPECIFIC FOCUS AREAS


IMPACT OF DESIGN FACTORS

Specific Focus Areas

Some design factors, such as threat landscape, specific risk, target development methods and infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context.

Reference: COBIT 2019 Design Guide, Chapter 3


DESIGN PROCESS

The design process describes how an enterprise can design a customized governance solution for enterprise I&T.

An effective and efficient governance system over I&T is the starting point for generating value and applies to all types and sizes of enterprises.

Governance over a complex domain like I&T requires a multitude of components, including processes, organizational structures, information flows and behaviors that must work together in a systemic way.

There is no unique, one-size-fits-all governance system for enterprise I&T; every enterprise has its own distinct character and profile, and will differ from other organizations in several critical respects.

Tailoring means that an enterprise should start from the COBIT core model and, from there, apply changes to the generic framework based on relevance and importance.

Reference: COBIT 2019 Design Guide, Chapter 4

GOVERNANCE SYSTEM DESIGN WORKFLOW

Reference: COBIT 2019 Design Guide, Chapter 4


STEP 1: UNDERSTAND ENTERPRISE CONTEXT AND STRATEGY


UNDERSTAND THE ENTERPRISE CONTEXT AND STRATEGY

Workflow: 1. Understand the enterprise context and strategy. 2. Determine the initial scope of the governance system. 3. Refine the scope of the governance system. 4. Conclude the governance system design.

In the first step, we examine context, strategy and business environment to achieve a clear understanding across four partially overlapping, interdependent and complementary domains.

The following subsections outline the critical sub-steps in Step 1:
• Enterprise strategy
• Enterprise goals and alignment goals
• I&T risk profile
• Current I&T-related issues

Reference: COBIT 2019 Design Guide, Chapter 4


ENTERPRISE STRATEGY

• Determine which of the enterprise strategy archetypes best fits the enterprise strategy.
• The translation works best when clear choices are made for enterprise strategy archetypes.
• It is best to identify one primary and one secondary archetype.

Archetypes: Growth/Acquisition; Innovation/Differentiation; Cost Leadership; Client Service/Stability.

When an enterprise strategy is defined as a mix of equally important strategy archetypes, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.

Reference: COBIT 2019 Design Guide, Chapter 4

ENTERPRISE GOALS

• The enterprise strategy is realized through the achievement of enterprise goals.
• COBIT defines a set of 13 generic enterprise goals.
• To translate enterprise goals into a relative rating of importance of governance and management objectives (see the goals cascade), make clear choices when selecting enterprise strategy archetypes.
• Identify a few primary enterprise goals and a limited number of secondary enterprise goals: 3-5 with high priority.

When all enterprise goals are assigned equally important priorities, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.

Reference: COBIT 2019 Design Guide, Chapter 4


RISK PROFILE

Understand which risk scenarios may affect the enterprise and how to assess their impact and likelihood of materializing.

To achieve this understanding, a high-level risk analysis should be performed, including:
• Identification: risk scenarios
• Assessment: impact and likelihood
• Rating: high, medium, low

When all IT risk is rated as equally important, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.

Reference: COBIT 2019 Design Guide, Chapter 4

CURRENT I&T RELATED ISSUES

These are also called pain points—from which the enterprise is suffering.
• These could be considered risks that have materialized.
• IT issues can be identified or reported through risk management, audit, senior management or external stakeholders.
• Clear differentiation should be made in rating I&T issues, in order to provide the necessary inputs to determine governance design priorities.

When all I&T-related issues are rated as equally serious, the governance and management objectives from the COBIT core model tend to become equally important, making prioritization difficult.

Reference: COBIT 2019 Design Guide, Chapter 4


STEP 1 CONCLUSION

At the end of Step 1, the enterprise will have a clear and consistent view of enterprise strategy, enterprise goals, IT-related risk and current I&T issues.

In the next step this information will be translated into prioritized governance/management objectives for an initial scoping of a customized governance system for the enterprise.

Reference: COBIT 2019 Design Guide, Chapter 4

STEP 2: DETERMINE INITIAL SCOPE OF THE GOVERNANCE SYSTEM


DETERMINE THE INITIAL SCOPE OF THE GOVERNANCE SYSTEM

To determine the initial scope of the governance system, Step 2 synthesizes information collected during Step 1. Values derived for enterprise strategy, enterprise goals, risk profile and I&T-related issues are translated into a set of prioritized governance components to yield the initial tailored governance system for the enterprise.

Workflow: 1. Understand the enterprise context and strategy. 2. Determine the initial scope of the governance system. 3. Refine the scope of the governance system. 4. Conclude the governance system design.

Reference: COBIT 2019 Design Guide, Chapter 4

TRANSLATING DESIGN FACTORS INTO GOVERNANCE AND MANAGEMENT PRIORITIES

Step 2 presents a number of relevant design factors and associated descriptive values, whose selection will drive prioritization of governance and management objectives.
• Decide on a qualitative vs. a quantitative approach.
• Mapping tables contain values between zero (0) and four (4), where zero is no relevance and four is maximum relevance.
• Translating design factor values into governance and management objective importance involves a matrix calculation, resulting in a score for each governance and management objective.
• Scores can be further manipulated for presentation purposes.

Reference: COBIT 2019 Design Guide, Chapter 4


ENTERPRISE STRATEGY – DESIGN FACTOR 1

Figure 4.2—Governance and Management Objectives Priority Mapped to Enterprise Strategy Design Factor

Design Factor Value: Growth/acquisition
• Governance and Management Objectives Priority: important management objectives include APO02, APO03, APO05; BAI01, BAI05, BAI11
• Components: Organizational structures (support the portfolio management role with an investment office; enterprise architect); Services, infrastructure and applications (facilitate automation and growth and realize economies of scale)
• Focus Area Variants: COBIT core model

Design Factor Value: Innovation/differentiation
• Governance and Management Objectives Priority: important governance and management objectives include APO02, APO04, APO05; BAI08, BAI05, BAI11
• Components: Organizational structures (chief digital officer and/or chief innovation officer); important influence of culture and behavior component for innovation
• Focus Area Variants: COBIT core model

Design Factor Value: Cost leadership
• Governance and Management Objectives Priority: important governance and management objectives include EDM04; APO06, APO10
• Components: Skills and competencies (focus on IT costing and budgeting skills); important influence of culture and behavior component; Services, infrastructure and applications component (e.g., for automation of controls, improving efficiency)
• Focus Area Variants: COBIT core model

Design Factor Value: Client service/stability
• Governance and Management Objectives Priority: important governance and management objectives include EDM02; APO08, APO09, APO11; BAI04; DSS02, DSS03, DSS04
• Components: important influence of culture and behavior component (client centricity)
• Focus Area Variants: COBIT core model

Reference: COBIT 2019 Design Guide, Chapter 4

ENTERPRISE STRATEGY – DESIGN FACTOR 1: MAPPING TABLES

The mappings express the degree to which design factor values influence the importance of a governance or management objective.

The mappings use a scale from zero (0) to four (4): 4 indicates the most influence; 0 indicates the absence of any relationship.

Reference: COBIT 2019 Design Guide, Appendix A


ENTERPRISE GOALS – DESIGN FACTOR 2

The enterprise strategy is realized by achieving a set of enterprise goals. COBIT defines 13 generic enterprise goals—each enterprise should prioritize these enterprise goals in alignment with the enterprise strategy.

Step 1: Start with the generic enterprise goals and determine the most important enterprise goals for the organization. Select the top three to five most important enterprise goals.

Step 2: Find the prioritized enterprise goals on the mapping table between enterprise goals and alignment goals. Use the mapping to determine the most important alignment goals.

Step 3: Find the prioritized alignment goals on the mapping table between alignment goals and governance and management objectives. Use the mapping to determine the most important governance and management objectives.

Reference: COBIT 2019 Design Guide, Chapter 4
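The matrix calculation that Step 2 describes (design factor values multiplied through a 0..4 mapping table to give a score per governance and management objective) and the two-stage goals cascade in the three steps above are the same operation applied once or twice, so here is an added worked example in Python that does both. It is not code from the course or from ISACA. Everything numeric in it is a constructed assumption: the mapping cells, the 1..5 rating scale for design factor values, the illustrative alignment-goal codes AG01..AG03 and the baseline comparison used to present relative importance. Only the objective and enterprise-goal codes (APO02, EG01, and so on) are COBIT identifiers, and none of the values are the ones in the Design Guide appendices.

```python
"""Added example: design factor values x 0..4 mapping table -> objective scores,
plus the goals cascade as a chained matrix product. All mapping values and
input ratings are constructed for illustration, not Design Guide values."""
from typing import Dict, List, Tuple

Mapping = Dict[str, Dict[str, int]]  # row value -> (target identifier -> 0..4)

MAP_MIN, MAP_MAX = 0, 4      # mapping-table scale stated in the Design Guide
INPUT_MIN, INPUT_MAX = 1, 5  # assumed rating scale for design factor values

# Constructed Design Factor 1 (enterprise strategy) mapping. Omitted cells are 0.
STRATEGY_MAP: Mapping = {
    "Growth/Acquisition":         {"APO02": 3, "APO05": 4, "APO08": 1, "DSS04": 1},
    "Innovation/Differentiation": {"APO02": 3, "APO05": 3, "APO08": 2, "DSS04": 1},
    "Cost Leadership":            {"APO02": 1, "APO05": 2, "APO08": 1, "DSS04": 1},
    "Client Service/Stability":   {"EDM02": 3, "APO02": 1, "APO05": 1, "APO08": 4, "DSS04": 4},
}

# Constructed two-stage goals cascade; AG01..AG03 are illustrative alignment-goal codes.
EG_TO_AG: Mapping = {
    "EG01": {"AG01": 4, "AG02": 1, "AG03": 2},
    "EG02": {"AG01": 1, "AG02": 4},
}
AG_TO_OBJ: Mapping = {
    "AG01": {"APO02": 4, "APO05": 3},
    "AG02": {"APO02": 1, "APO12": 4},
    "AG03": {"APO02": 2, "APO05": 2, "APO12": 1},
}


def columns(mapping: Mapping) -> List[str]:
    """All target identifiers that appear anywhere in the mapping, sorted."""
    return sorted({col for row in mapping.values() for col in row})


def validate(inputs: Dict[str, int], mapping: Mapping) -> None:
    """Reject unknown design factor values and out-of-scale ratings or cells."""
    for value, rating in inputs.items():
        if value not in mapping:
            raise ValueError(f"unknown design factor value: {value}")
        if not INPUT_MIN <= rating <= INPUT_MAX:
            raise ValueError(f"rating for {value} outside {INPUT_MIN}..{INPUT_MAX}")
    for value, row in mapping.items():
        for col, cell in row.items():
            if not MAP_MIN <= cell <= MAP_MAX:
                raise ValueError(f"mapping cell {value}/{col} outside {MAP_MIN}..{MAP_MAX}")


def weighted_scores(weights: Dict[str, float], mapping: Mapping) -> Dict[str, float]:
    """Vector times matrix: score[col] = sum over rows of weights[row] * mapping[row][col].
    Rows absent from `weights` contribute nothing."""
    return {
        col: sum(w * mapping.get(row, {}).get(col, 0) for row, w in weights.items())
        for col in columns(mapping)
    }


def score_design_factor(inputs: Dict[str, int], mapping: Mapping) -> Dict[str, float]:
    """Raw importance of each objective for one design factor."""
    validate(inputs, mapping)
    return weighted_scores(inputs, mapping)


def relative_scores(inputs: Dict[str, int], mapping: Mapping) -> Dict[str, int]:
    """Presentation step (an assumption, not prescribed by the slides): percentage
    deviation from a baseline enterprise that rates every value at the midpoint of
    the input scale, so +N means 'more important than for the average enterprise'."""
    raw = score_design_factor(inputs, mapping)
    midpoint = (INPUT_MIN + INPUT_MAX) // 2
    base = weighted_scores({v: midpoint for v in mapping}, mapping)
    return {c: (round(100 * (raw[c] - base[c]) / base[c]) if base[c] else 0) for c in raw}


def cascade(goal_inputs: Dict[str, int], eg_to_ag: Mapping, ag_to_obj: Mapping) -> Dict[str, float]:
    """Goals cascade as a chained matrix product: enterprise goals -> alignment
    goals -> objectives. Stage-one scores become the weights for stage two."""
    validate(goal_inputs, eg_to_ag)
    alignment = weighted_scores(goal_inputs, eg_to_ag)
    return weighted_scores(alignment, ag_to_obj)


def ranked(scores: Dict[str, float]) -> List[Tuple[str, float]]:
    """Highest score first; ties broken by identifier so the output is stable."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Constructed enterprise: growth primary (5), innovation secondary (3).
    profile = {"Growth/Acquisition": 5, "Innovation/Differentiation": 3,
               "Cost Leadership": 1, "Client Service/Stability": 1}
    rel = relative_scores(profile, STRATEGY_MAP)
    for obj, s in ranked(score_design_factor(profile, STRATEGY_MAP)):
        print(f"{obj}: raw={s:5.1f} relative={rel[obj]:+d}%")
    for obj, s in ranked(cascade({"EG01": 5, "EG02": 3}, EG_TO_AG, AG_TO_OBJ)):
        print(f"{obj}: cascade={s:.0f}")
```

Run as a script, the growth-led profile ranks APO05 and APO02 first, which is consistent with the growth/acquisition row of Figure 4.2; an enterprise that rates every archetype the same gets the same relative score for every objective, which is the prioritization difficulty the slides warn about. Validation rejects ratings and cells outside their scales, so a stray value in a spreadsheet-exported table fails loudly rather than silently skewing the ranking.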

ENTERPRISE GOALS – DESIGN FACTOR 2: MAPPING TABLES

Reference: COBIT 2019 Design Guide, Appendix A


RISK PROFILE – DESIGN FACTOR 3

In Step 1, risks exceeding the enterprise’s risk appetite were identified. Here, the results of the risk analysis are translated into priorities for governance and management objectives.
• The most common risk response is risk mitigation, requiring controls, or governance and management objectives that need to be achieved. Map the IT risk categories to the governance and management objectives.
• The mapping table relates the risk profile to governance and management objectives and their priorities.

Reference: COBIT 2019 Design Guide, Chapter 4

RISK PROFILE – DESIGN FACTOR 3: MAPPING TABLES

The mappings express the degree to which design factor values influence the importance of a governance or management objective.

The mappings use a scale from zero (0) to four (4): 4 indicates the most influence; 0 indicates the absence of any relationship.

Reference: COBIT 2019 Design Guide, Appendix D


I&T RELATED ISSUES – DESIGN FACTOR 4

In Step 1, a high-level diagnostic on the I&T-related issues was


performed. Here, the results of this diagnostic are translated into
priorities for governance and management objectives.
• Map I&T issues to governance and management objectives.
• Each I&T-related issue is associated to one or more governance
or management objective. Each governance or management objective can
influence the I&T-related issue.

111 Reference: COBIT 2019 Design Guide, Chapter 4

I&T RELATED ISSUES – DESIGN FACTOR 4


MAPPING TABLES
The mappings express the degree to which design factor values influence the importance of a governance or management objective.

Figure A.5 Mapping Table – Mapping I&T-Related Issues to Governance and Management Objectives

The mappings use a scale from zero (0) to four (4):
• 4 indicates the most influence.
• 0 indicates the absence of any relationship.

112 Reference: COBIT 2019 Design Guide, Appendix E


STEP 2 CONCLUSION

At the end of Step 2, all elements are available to define the initial scope of a customized governance system:
• Prioritized governance and management objectives indicate which governance and management objectives should be the focus.
• Guidance on specific governance components can potentially also be included in the initial design.

Proceeding forward, either:
• Choose to elaborate the current initial design and resolve differences, or
• Wait until Step 4 and combine the different inputs with the scope refinements from Step 3.

113 Reference: COBIT 2019 Design Guide, Chapter 4


STEPS 1 AND 2: EXERCISE AND GROUP DISCUSSION

114


STEP 3: REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

121


REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

Step 3 identifies refinements to the initial scope of the governance system, based on the remaining set of design factors.

1. Understand the enterprise context and strategy → 2. Determine the initial scope of the governance system → 3. Refine the scope of the governance system → 4. Conclude the governance system design

122 Reference: COBIT 2019 Design Guide, Chapter 4


REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

The result of each consideration of a design factor is a ranked list of governance and management objectives. In this step, the governance system designer will:

Step 1: Walk through each design factor (DF) from DF5 Threat landscape through DF11 Enterprise size.
Step 2: Determine whether each design factor is applicable.
Step 3: For applicable design factors, determine which of the potential values—or which combination of potential values—is most applicable to the enterprise.

123 Reference: COBIT 2019 Design Guide, Chapter 4


THREAT LANDSCAPE – DESIGN FACTOR 5

Decide which combination of values best fits the current situation of the enterprise
and consider the listed guidance for governance and management objectives,
components and focus areas. Include the pertinent information on the design canvas
for resolution and conclusion in Step 4.
Figure 4.3—Governance and Management Objectives Priority Mapped to Threat Landscape Design Factor

Design Factor Value: High
• Governance and Management Objectives Priority: Important governance and management objectives include EDM01, EDM03; APO01, APO03, APO10, APO12, APO13, APO14; BAI06, BAI10; DSS02, DSS04, DSS05, DSS06; MEA01, MEA03, MEA04.
• Components: Important organizational structures include the security strategy committee and the chief information security officer (CISO). Important culture and behavior aspects include security awareness. Information flows include the security policy and the security strategy.
• Focus Area Variants: Information security focus area

Design Factor Value: Normal
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

124 Reference: COBIT 2019 Design Guide, Chapter 4


COMPLIANCE REQUIREMENTS – DESIGN FACTOR 6

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.4—Governance and Management Objectives Priority Mapped to Compliance Requirements Design Factor

Design Factor Value: High
• Governance and Management Objectives Priority: Important governance and management objectives include EDM01, EDM03; APO12; MEA03, MEA04.
• Components: Importance of the compliance function: high relevance of documentation (information items) and of policies and procedures.
• Focus Area Variants: COBIT core model

Design Factor Value: Normal
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

Design Factor Value: Low
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

125 Reference: COBIT 2019 Design Guide, Chapter 4


THE ROLE OF IT – DESIGN FACTOR 7

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.5—Governance and Management Objectives Priority Mapped to Role of IT Design Factor

Design Factor Value: Support
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

Design Factor Value: Factory
• Governance and Management Objectives Priority: Important governance and management objectives include EDM03; DSS01, DSS02, DSS03, DSS04.
• Components: N/A
• Focus Area Variants: Information security focus area

Design Factor Value: Turnaround
• Governance and Management Objectives Priority: Important governance and management objectives include APO02, APO04; BAI02, BAI03.
• Components: N/A
• Focus Area Variants: DevOps focus area

126 Reference: COBIT 2019 Design Guide, Chapter 4


THE ROLE OF IT – DESIGN FACTOR 7 (CONTINUED)

Figure 4.5—Governance and Management Objectives Priority Mapped to Role of IT Design Factor

Design Factor Value: Strategic
• Governance and Management Objectives Priority: Important governance and management objectives include EDM01, EDM02, EDM03; APO02, APO04, APO05, APO12, APO13; BAI02, BAI03; DSS01, DSS02, DSS03, DSS04, DSS05.
• Components: Typical bimodal components include:
  ▪ Organizational structures: chief digital officer
  ▪ Skills and competencies: staff who can work in an ambidextrous environment that combines both exploration and exploitation
  ▪ Processes: a portfolio and innovation process that integrates exploration and exploitation of digital transformation opportunities
• Focus Area Variants: Digital transformation focus area

127 Reference: COBIT 2019 Design Guide, Chapter 4


SOURCING MODEL FOR IT – DESIGN FACTOR 8

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.6—Governance and Management Objectives Priority Mapped to Sourcing Model for IT Design Factor

Design Factor Value: Outsourcing
• Governance and Management Objectives Priority: Important management objectives include APO09, APO10; MEA01.
• Components: N/A
• Focus Area Variants: Vendor management focus area

Design Factor Value: Cloud
• Governance and Management Objectives Priority: Important management objectives include APO09, APO10; MEA01.
• Components: N/A
• Focus Area Variants: Cloud focus area

Design Factor Value: Insourced
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

Design Factor Value: Hybrid
• Combination of the guidance for the three specific options

128 Reference: COBIT 2019 Design Guide, Chapter 4


IT IMPLEMENTATION METHODS – DESIGN FACTOR 9

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.7—Governance and Management Objectives Priority Mapped to IT Implementation Methods Design Factor

Design Factor Value: Agile
• Governance and Management Objectives Priority: Important management objectives include BAI02, BAI03, BAI06.
• Components: Important and specific roles as identified in the Agile focus area guidance
• Focus Area Variants: Agile focus area

Design Factor Value: DevOps
• Governance and Management Objectives Priority: Important management objectives include BAI03.
• Components: Important and specific roles as identified in the DevOps focus area guidance
• Focus Area Variants: DevOps focus area

Design Factor Value: Traditional
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

Design Factor Value: Hybrid
• Combination of the guidance for the three specific options

129 Reference: COBIT 2019 Design Guide, Chapter 4


TECHNOLOGY ADOPTION STRATEGY – DESIGN FACTOR 10

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.8—Governance and Management Objectives Priority Mapped to Technology Adoption Strategy Design Factor

Design Factor Value: First Mover
• Governance and Management Objectives Priority: Important governance and management objectives include EDM01, EDM02; APO02, APO04, APO05, APO08; BAI01, BAI02, BAI03, BAI05, BAI07, BAI11; MEA01.
• Components: N/A
• Focus Area Variants: DevOps focus area; Digital transformation focus area

Design Factor Value: Follower
• Governance and Management Objectives Priority: Important management objectives include APO02, APO04; BAI01.
• Components: N/A
• Focus Area Variants: COBIT core model

Design Factor Value: Slow Adopter
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

130 Reference: COBIT 2019 Design Guide, Chapter 4


ENTERPRISE SIZE – DESIGN FACTOR 11

Decide which combination of values best fits the current situation of the enterprise.
Consider the listed guidance for governance and management objectives,
components and focus areas, and include the pertinent information on the design
canvas for resolution and conclusion in Step 4.
Figure 4.9—Governance and Management Objectives Priority Mapped to Enterprise Size Design Factor

Design Factor Value: Large
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: N/A
• Focus Area Variants: COBIT core model

Design Factor Value: Small/Medium
• Governance and Management Objectives Priority: As per the initial scope definition
• Components: As applicable in the SME focus area description
• Focus Area Variants: SME focus area

131 Reference: COBIT 2019 Design Guide, Chapter 4


STEP 3 CONCLUSION

At the end of Step 3, the enterprise will have identified a series of potential refinements for the initial governance system and put them all on the canvas for consolidation during Step 4 of the design workflow.

These refinements are typically expressed in the same form as the outcome of Step 2: prioritized governance and management objectives, important components for the governance system, and specific focus area guidance.

132 Reference: COBIT 2019 Design Guide, Chapter 4


STEP 4: RESOLVE CONFLICTS AND CONCLUDE GOVERNANCE SYSTEM DESIGN

133


RESOLVE CONFLICTS AND CONCLUDE THE GOVERNANCE SYSTEM DESIGN

As the last step in the design process, Step 4 brings together all inputs from previous steps to conclude the governance system design, as depicted in the diagram on the following slide. The resulting governance system must reflect careful consideration of all inputs—understanding that these inputs may sometimes conflict.

1. Understand the enterprise context and strategy → 2. Determine the initial scope of the governance system → 3. Refine the scope of the governance system → 4. Conclude the governance system design

134 Reference: COBIT 2019 Design Guide, Chapter 4


RESOLVE CONFLICTS AND CONCLUDE THE GOVERNANCE SYSTEM DESIGN

Tailored Governance System:
Step 1: Understand the enterprise strategy → Step 2: Determine the initial scope of the governance system (output: initial scope) → Step 3: Refine the scope of the governance system (output: scope refinement) → Step 4: Resolve conflicts and conclude the governance system design (output: tailored system)

135


RESOLVE PRIORITY CONFLICTS

The following outputs from previous steps will be considered before any conclusion is made:
• Initial design of the governance system, as obtained during Step 2, based on the enterprise strategy, enterprise goals, risk profile and I&T-related issues.
• This initial design probably reflects some diverging sets of prioritized management objectives.
• Scope refinements obtained in Step 3 through the analysis of the remaining design factors, and their diverging sets of priorities.

136 Reference: COBIT 2019 Design Guide, Chapter 4


RESOLUTION STRATEGIES

The workflow can be applied to different situations, each requiring a different strategy for reaching a conclusion.
• Analyze the data and results obtained after applying the design factors, in the context of the enterprise’s goals for implementing a governance program.

Governance system design
• Review the governance and management objectives and analyze their current performance level(s).
• Take the results of these assessments into account when defining the road map toward the target governance system.
• Look first of all for quick wins (i.e., those initiatives entailing limited effort but yielding high benefit).

137 Reference: COBIT 2019 Design Guide, Chapter 4


RESOLUTION APPROACH

There are no universally applicable guidelines for resolving competing or conflicting priorities that are valid across all enterprise contexts. However, a few recommendations for approaching them include:
• Include all key stakeholders.
• Consider the generic nature of the COBIT guidance and the mapping tables.
• The specific context of the enterprise may require deviations.

138 Reference: COBIT 2019 Design Guide, Chapter 4


CONCLUDE THE GOVERNANCE SYSTEM DESIGN

The conclusion of this phase must result in one design for the governance system for
enterprise I&T. This includes prioritized governance and management objectives, target
capability levels, governance components requiring attention and focus area guidance.

Conclude → Sustain

139 Reference: COBIT 2019 Design Guide, Chapter 4


CONCLUDING THE DESIGN

The conclusion of the design phase must result in one design for
the governance system for enterprise I&T. This design will include:
• Prioritized governance and management objectives
• A variety of target capability levels for processes (or equivalent performance
targets for other components)
• A governance component requiring specific attention due to a particular
issue or circumstance
• Focus area guidance complementing the core COBIT guidance (when
available, necessary and appropriate)

140 Reference: COBIT 2019 Design Guide, Chapter 4


SUSTAINING THE GOVERNANCE SYSTEM

• The result of the last step in the governance design workflow is a well-designed governance system.
• A governance system is inherently dynamic: strategies change, important investment programs are launched, threat landscapes change, technologies change, etc.
• The governance system should therefore be reviewed on a regular basis, and changes should be made when necessary.
• Use the COBIT 2019 Implementation Guide for continuous improvement.

141 Reference: COBIT 2019 Design Guide, Chapter 4


STEPS 3 AND 4: EXERCISE AND GROUP DISCUSSION

142


TOOLKIT INTRODUCTION

157


TOOLKIT INTRODUCTION

The COBIT Design Guide companion toolkit is an Excel® spreadsheet-based tool that facilitates the application of the governance system design workflow explained in Module 5.

This module offers a basic understanding of the toolkit and an understanding of how the results are generated.

The toolkit as downloaded shows the values illustrated in this module.

To use the tool, change the values to fit the enterprise context.

A governance or management objective always relates to one process and a series of related components of other types that help achieve the objective.

158 Reference: COBIT 2019 Design Guide, Chapter 6


WALKTHROUGH AND EXAMPLE

159


STEPS 1 AND 2: DETERMINE THE INITIAL SCOPE OF THE GOVERNANCE SYSTEM

1. Understand the enterprise context and strategy → 2. Determine the initial scope of the governance system → 3. Refine the scope of the governance system → 4. Conclude the governance system design

In these steps of the governance design workflow, the strategy, goals, risk profile and I&T-related issues of the enterprise are assessed. The steps assess the first four design factors (as defined in Module 3) to determine their impact on the initial design of a governance system: 1. Enterprise strategy, 2. Enterprise goals (via the goals cascade), 3. IT risk profile and 4. I&T-related issues.

160 Reference: COBIT 2019 Design Guide, Chapter 6


ENTERPRISE STRATEGY (DESIGN FACTOR 1)

Input • Each of the four possible values for the enterprise strategy design factor—growth/acquisition,
innovation/differentiation, cost leadership, client services/stability—must be rated between 1 (not
important) and 5 (most important).
• It is recommended to maintain sufficient spread between values.
Calculation • The toolkit performs a matrix calculation of the entered values for Design Factor 1 Enterprise
strategy with the mapping table for design factor 1, resulting in a score for each
governance/management objective.
• The toolkit performs a second matrix calculation of a baseline set of values for design factor 1 with
the mapping table for design factor 1, resulting in a baseline score for each
governance/management objective.
• The toolkit then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT®
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

161 Reference: COBIT 2019 Design Guide, Chapter 6


ENTERPRISE STRATEGY (DESIGN FACTOR 1)

162 Reference: COBIT 2019 Design Guide, Chapter 6


ENTERPRISE GOALS (DESIGN FACTOR 2)

Input • Each of the thirteen enterprise goals must be rated between 1 (not important) and 5 (most important).
• Using the generic enterprise goals, determine the most important goals for the enterprise. It is advisable to select the top three to five most important enterprise goals; too many high-priority goals will lead to less meaningful goals cascade results.
• It is recommended to maintain sufficient spread between values.
Calculation • The tool performs a double matrix calculation between (1) the rated enterprise goals and the mapping table between enterprise goals and IT alignment goals, and (2) the result of the first matrix calculation and the mapping table between IT alignment goals and governance/management objectives.
• The tool performs a second set of matrix calculations on a baseline set of values for Design Factor 2 Enterprise goals, resulting in a baseline score for each governance/management objective.
• The tool then calculates the relative importance for each governance/management objective as the relative difference between both sets of values, expressed as a percentage and rounded to 5. This number can be positive or negative, indicating that a governance/management objective is more or less important when compared to the baseline score.
Output • The output section of this sheet contains the calculated relative importance of each of the 40 COBIT 2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.
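The two calculation procedures described above (the single matrix calculation for Design Factor 1 and the double matrix calculation of the goals cascade for Design Factor 2) share the same three-stage shape: score the rated inputs against a mapping table, score a baseline set of inputs the same way, and express the difference as a percentage rounded to 5. The following Python is an added illustration of that shape, not the ISACA toolkit and not code from the Design Guide: the mapping tables, ratings, and the trimmed set of four objectives are constructed, the baseline of "every value rated 3" is an assumption, and "rounded to 5" is interpreted as rounding to the nearest multiple of 5.

```python
"""Toolkit-style relative-importance calculation for design factors 1 and 2.

Added example; not the ISACA COBIT 2019 Design Guide toolkit. All mapping
weights (0..4 scale), ratings (1..5 scale) and the baseline are constructed.
"""
import math
from typing import Dict

Ratings = Dict[str, float]                 # input value  -> rating
Mapping = Dict[str, Dict[str, int]]        # input value  -> (target -> weight 0..4)


def matrix_score(ratings: Ratings, mapping: Mapping) -> Ratings:
    """Matrix calculation: score(target) = sum over inputs of rating x weight."""
    scores: Ratings = {}
    for value, rating in ratings.items():
        for target, weight in mapping[value].items():
            scores[target] = scores.get(target, 0) + rating * weight
    return scores


def round_to_5(x: float) -> int:
    """Round to the nearest multiple of 5 (assumed reading of 'rounded to 5')."""
    return int(math.floor(x / 5 + 0.5)) * 5   # halves round up


def relative_importance(scores: Ratings, baseline: Ratings) -> Dict[str, int]:
    """Relative difference to the baseline score, as a percentage rounded to 5.

    Positive: more important than the baseline; negative: less important.
    """
    result: Dict[str, int] = {}
    for obj, score in scores.items():
        base = baseline[obj]
        result[obj] = 0 if base == 0 else round_to_5(100 * (score - base) / base)
    return result


# ---- Design Factor 1: enterprise strategy (constructed mapping, 4 objectives) ----
DF1_MAPPING: Mapping = {
    "growth/acquisition":         {"EDM02": 3, "APO02": 3, "APO12": 2, "DSS05": 1},
    "innovation/differentiation": {"EDM02": 4, "APO02": 4, "APO12": 1, "DSS05": 1},
    "cost leadership":            {"EDM02": 2, "APO02": 1, "APO12": 2, "DSS05": 2},
    "client services/stability":  {"EDM02": 2, "APO02": 2, "APO12": 3, "DSS05": 3},
}
DF1_RATINGS: Ratings = {  # constructed enterprise input, with spread between values
    "growth/acquisition": 2, "innovation/differentiation": 5,
    "cost leadership": 1, "client services/stability": 3,
}
DF1_BASELINE: Ratings = {k: 3 for k in DF1_MAPPING}  # assumption: baseline rates all 3


def df1_example() -> Dict[str, int]:
    """Single matrix calculation for DF1 against its baseline."""
    return relative_importance(matrix_score(DF1_RATINGS, DF1_MAPPING),
                               matrix_score(DF1_BASELINE, DF1_MAPPING))


# ---- Design Factor 2: goals cascade (constructed, 3 EGs -> 2 AGs -> 4 objectives) ----
EG_TO_AG: Mapping = {
    "EG01": {"AG01": 4, "AG02": 1},
    "EG02": {"AG01": 2, "AG02": 3},
    "EG03": {"AG01": 1, "AG02": 4},
}
AG_TO_OBJ: Mapping = {
    "AG01": {"EDM02": 4, "APO02": 3, "APO12": 1, "DSS05": 1},
    "AG02": {"EDM02": 1, "APO02": 1, "APO12": 4, "DSS05": 3},
}
EG_RATINGS: Ratings = {"EG01": 5, "EG02": 2, "EG03": 1}   # constructed top goals
EG_BASELINE: Ratings = {k: 3 for k in EG_TO_AG}           # assumption, as for DF1


def goals_cascade_score(eg_ratings: Ratings) -> Ratings:
    """Double matrix calculation: enterprise goals -> alignment goals -> objectives."""
    return matrix_score(matrix_score(eg_ratings, EG_TO_AG), AG_TO_OBJ)


def df2_example() -> Dict[str, int]:
    """Cascaded scores for DF2 against the cascaded baseline."""
    return relative_importance(goals_cascade_score(EG_RATINGS),
                               goals_cascade_score(EG_BASELINE))


if __name__ == "__main__":
    for name, result in (("DF1", df1_example()), ("DF2", df2_example())):
        print(name, sorted(result.items(), key=lambda kv: -kv[1]))
```

With the constructed ratings above, a strategy skewed toward innovation raises EDM02 and APO02 above the baseline and lowers APO12 and DSS05, while the same four objectives come out of the goals cascade with a similar sign pattern but a different magnitude; that difference in magnitude is exactly what the Step 2 conclusion later has to weigh and reconcile.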

163 Reference: COBIT 2019 Design Guide, Chapter 6


ENTERPRISE GOALS AND APPLYING THE GOALS CASCADE


(DESIGN FACTOR 2)

164 Reference: COBIT 2019 Design Guide, Chapter 6


RISK PROFILE OF THE ENTERPRISE (DESIGN FACTOR 3)

Input • Each of the 19 risk categories contained in the risk profile design factor must be rated as follows:
▪ Impact of the risk should it occur, as a value between 1 (not important) and 5 (critical)
▪ Likelihood of the risk to occur, as a value between 1 (very unlikely) and 5 (very likely)
• The tool assigns a risk rating (very high, high, normal, low) to each risk category, based on the combination of the impact and likelihood ratings.
• It is recommended to maintain sufficient spread between values.

Calculation • The tool performs a matrix calculation of the risk ratings with the mapping table for Design Factor 3
Risk profile, resulting in a score for each governance/management objective.
• The tool performs a second matrix calculation of a baseline set of risk ratings for design factor 3 with
the mapping table for design factor 3, resulting in a baseline score for each
governance/management objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tool contains the calculated relative importance of each of the 40 COBIT
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

165 Reference: COBIT 2019 Design Guide, Chapter 6


RISK PROFILE OF THE ENTERPRISE (DESIGN FACTOR 3)

166 Reference: COBIT 2019 Design Guide, Chapter 6


CURRENT I&T RELATED ISSUES OF THE ENTERPRISE


(DESIGN FACTOR 4)
Input • Each of the 20 I&T-related issues for the I&T-related issues design factor must be rated between 1
(no issue) and 3 (serious issue). Numbers 1, 2 or 3 should be keyed into the tool; the tool will then
automatically translate values into a symbol, based on the tool’s key for this rating.
• It is recommended to maintain sufficient spread between values.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 4 I&T-Related Issues
with the mapping table for design factor 4, resulting in a score for each governance/management
objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 4 with the
mapping table for design factor 4, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

167 Reference: COBIT 2019 Design Guide, Chapter 6


CURRENT I&T RELATED ISSUES OF THE ENTERPRISE


(DESIGN FACTOR 4)

168 Reference: COBIT 2019 Design Guide, Chapter 6


CONCLUSION

Input • N/A

Calculation • The tool performs a weighted summation of the calculated governance/management objectives
importance scores related to the first four design factors.
• Weights can be entered on the canvas tab and are set to 1 by default. The weighting can be
changed, if, for example, the enterprise strategy is of greater importance than enterprise goals,
risk or I&T-related issues.
• The achieved results are then normalized on a scale of 100 (both positive and negative) and
reflected on the Step 2 summary tab.
▪ The highest value (positive or negative) obtains a score of 100.
▪ All other values are then prorated against this value.
• The resulting list of scores not only provides a reliable view of the relative importance of all
governance/management objectives against each other, but also gives an indication of the absolute
importance. This output allows an enterprise not only to prioritize governance/management
objectives against each other, but also to define adequate target capability levels.
Output • The Step 2 summary tab contains the calculated relative importance of each of the 40 COBIT 2019
governance and management objectives.
• The results are represented in table format (on the canvas tab), and as a bar chart (Step 2 summary
tab).
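The Step 2 conclusion described above is a weighted summation followed by a normalization in which the largest absolute value becomes 100 and every other value is prorated against it. The following Python is an added illustration of that procedure, not the ISACA toolkit and not code from the Design Guide: the per-design-factor relative importance values are constructed inputs standing in for the outputs of the four preceding tabs, the weight keys are labels of my own, and the default weight of 1 per factor follows the slide.

```python
"""Toolkit-style Step 2 conclusion: weighted sum of DF1..DF4 results, normalised to +/-100.

Added example; not the ISACA COBIT 2019 Design Guide toolkit. The inputs are
constructed relative-importance percentages (already rounded to 5) for five
objectives, standing in for the output of the four design-factor tabs.
"""
from typing import Dict, List, Optional, Tuple

Scores = Dict[str, float]

# Constructed outputs of the first four design factors (objective -> relative importance)
STEP2_INPUTS: Dict[str, Dict[str, int]] = {
    "DF1 Enterprise strategy":  {"EDM02":  5, "APO02":  10, "APO12": -15, "DSS05": -15, "MEA03":   0},
    "DF2 Enterprise goals":     {"EDM02":  5, "APO02":   5, "APO12": -25, "DSS05": -25, "MEA03": -10},
    "DF3 Risk profile":         {"EDM02":  0, "APO02": -10, "APO12":  40, "DSS05":  35, "MEA03":  10},
    "DF4 I&T-related issues":   {"EDM02": 10, "APO02":  15, "APO12":   5, "DSS05":  20, "MEA03":  -5},
}


def weighted_sum(inputs: Dict[str, Dict[str, int]],
                 weights: Optional[Dict[str, float]] = None) -> Scores:
    """Weighted summation across design factors; an unlisted factor gets weight 1."""
    weights = weights or {}
    totals: Scores = {}
    for factor, scores in inputs.items():
        w = weights.get(factor, 1)              # toolkit default weight is 1
        for obj, score in scores.items():
            totals[obj] = totals.get(obj, 0) + w * score
    return totals


def normalise_to_100(totals: Scores) -> Dict[str, int]:
    """Highest absolute value (positive or negative) becomes 100; others are prorated.

    Handles the degenerate all-zero case, where nothing can be prorated.
    """
    peak = max((abs(v) for v in totals.values()), default=0)
    if peak == 0:
        return {obj: 0 for obj in totals}
    return {obj: int(round(100 * v / peak)) for obj, v in totals.items()}


def step2_summary(inputs: Dict[str, Dict[str, int]],
                  weights: Optional[Dict[str, float]] = None) -> List[Tuple[str, int]]:
    """Conclusion as a ranked list: most important objective first, ties by name."""
    ranked = normalise_to_100(weighted_sum(inputs, weights))
    return sorted(ranked.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Equal weights:     ", step2_summary(STEP2_INPUTS))
    # Same inputs, but the enterprise decides its risk profile matters twice as much
    print("Risk weighted x2:  ", step2_summary(STEP2_INPUTS, {"DF3 Risk profile": 2}))
```

Running the two calls side by side shows the point the slide makes about weights: with equal weights EDM02 and APO02 top the list at 100 and APO12 sits at 25, but doubling the weight of the risk profile moves DSS05 to 100 and APO12 to 90 while EDM02 drops to 40, so the weighting decision on the canvas tab is a governance decision in its own right and worth recording alongside the result.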

169 Reference: COBIT 2019 Design Guide, Chapter 6


CONCLUSION

170 Reference: COBIT 2019 Design Guide, Chapter 6


STEP 3: REFINE THE SCOPE OF THE GOVERNANCE SYSTEM

1. Understand the enterprise context and strategy → 2. Determine the initial scope of the governance system → 3. Refine the scope of the governance system → 4. Conclude the governance system design

In this step, the initial scope of the governance system is further refined based on the
assessment of the remaining design factors.

171 Reference: COBIT 2019 Design Guide, Chapter 6


THREAT LANDSCAPE (DESIGN FACTOR 5)

Input • Each of the two possible values (high and normal) for the threat landscape design factor must be rated between 0% and 100%. The sum of both values must be 100%.
• For many enterprises, 100% will be assigned to one of the categories. The option is available to assign percentages where a portion of enterprise operations is subject to a high threat landscape, while others are subject to a more normal threat landscape.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 5 Threat landscape with the mapping table for design factor 5, resulting in a score for each governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 5 with the mapping table for design factor 5, resulting in a baseline score for each governance/management objective.
• The tool then calculates the relative importance for each governance/management objective as the relative difference between both sets of values, expressed as a percentage and rounded to 5. This number can be positive or negative, indicating that a governance/management objective is more or less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

172 Reference: COBIT 2019 Design Guide, Chapter 6


THREAT LANDSCAPE (DESIGN FACTOR 5)

173 Reference: COBIT 2019 Design Guide, Chapter 6


COMPLIANCE REQUIREMENTS (DESIGN FACTOR 6)

Input • Each of the three possible values for the compliance requirements design factor must be rated
between 0% and 100%. The sum of all three values must be 100%.
• For many enterprises, 100% will be assigned to one of the categories. However, the option is
available to assign different percentages, if the enterprise’s IT landscape is quite vast, and certain
parts are subject to strict compliance regulation, while other parts are subject to less strict regulation.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 6 Compliance
Requirements with the mapping table for design factor 6, resulting in a score for each
governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 6 with the
mapping table for design factor 6, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

174 Reference: COBIT 2019 Design Guide, Chapter 6


COMPLIANCE REQUIREMENTS (DESIGN FACTOR 6)

175 Reference: COBIT 2019 Design Guide, Chapter 6


THE ROLE OF IT (DESIGN FACTOR 7)

Input • Each of the four possible values for the role of IT design factor—support, factory, turnaround and
strategic—must be rated between 1 (not important) and 5 (most important).
• It is recommended to maintain sufficient spread between values.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 7 Role of IT with the
mapping table for design factor 7, resulting in a score for each governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 7 with the
mapping table for design factor 7, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5.
This number can be positive or negative, indicating that a governance/management objective is
more or less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

176 Reference: COBIT 2019 Design Guide, Chapter 6


THE ROLE OF IT (DESIGN FACTOR 7)

177 Reference: COBIT 2019 Design Guide, Chapter 6

SOURCING MODEL FOR IT (DESIGN FACTOR 8)

Input • Each of the three possible values for the sourcing model for IT design factor—outsourcing, cloud
and insourcing—must be rated between 0% and 100%. The sum of all three values must be 100%.
• Note that there is a fourth category—the hybrid classification. This is not denoted in the tool,
because, by definition, assigning percentages to more than one of the other three values creates a
hybrid model.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 8 Sourcing Model for
IT with its corresponding mapping table, resulting in a score for each governance/management
objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 8 with the
mapping table for design factor 8, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between both sets of values, expressed as a percentage and rounded to 5. This
number can be positive or negative, indicating that a governance/management objective is more or
less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT®
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

178 Reference: COBIT 2019 Design Guide, Chapter 6


SOURCING MODEL FOR IT (DESIGN FACTOR 8)

179 Reference: COBIT 2019 Design Guide, Chapter 6


IT IMPLEMENTATION METHODS (DESIGN FACTOR 9)

Input • Each of the three possible values for the IT implementation methods design factor—Agile, DevOps and traditional—must be rated between 0% and 100%. The sum of all three values must be 100%.
• Note that there is a fourth category—the hybrid classification. This is not denoted in the tool because, by definition, assigning percentages to more than one of the other three values creates a hybrid model.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 9 IT Implementation
Methods with the mapping table for design factor 9, resulting in a score for each
governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 9 with the
mapping table for design factor 9, resulting in a baseline score for each governance/management
objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between the two sets of values, expressed as a percentage and rounded to the
nearest 5. This number can be positive or negative, indicating that a governance/management
objective is more or less important when compared to the baseline score.
Output • The output section of this tab contains the calculated relative importance of each of the 40 COBIT®
2019 governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

Reference: COBIT 2019 Design Guide, Chapter 6

IT IMPLEMENTATION METHODS (DESIGN FACTOR 9)

Reference: COBIT 2019 Design Guide, Chapter 6

TECHNOLOGY ADOPTION STRATEGY (DESIGN FACTOR 10)

Input • Each of the three possible values for the technology adoption strategy design factor—first mover,
follower, slow adopter—must be rated between 0% and 100%. The sum of all three values must be
100%.
• For many enterprises, 100% may be assigned to one of the categories. However, the option is
available to assign different percentages if the enterprise's IT landscape is quite vast and different
areas adopt technology at different paces.
Calculation • The tool performs a matrix calculation of the entered values for Design Factor 10 Technology
Adoption Strategy with the mapping table for design factor 10, resulting in a score for each
governance/management objective.
• The tool performs a second matrix calculation of a baseline set of values for design factor 10 with
the mapping table for design factor 10, resulting in a baseline score for each
governance/management objective.
• The tool then calculates a relative importance for each governance/management objective as the
relative difference between the two sets of values, expressed as a percentage and rounded to the
nearest 5. This number can be positive or negative, indicating that a governance/management
objective is more or less important when compared to the baseline score.
Output • The output of this tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format, as a bar chart and as a spider diagram.

Reference: COBIT 2019 Design Guide, Chapter 6

TECHNOLOGY ADOPTION STRATEGY (DESIGN FACTOR 10)

Reference: COBIT 2019 Design Guide, Chapter 6

ENTERPRISE SIZE (DESIGN FACTOR 11)

• The enterprise size design factor only indicates whether the small and medium enterprise focus
area guidance should be used, instead of the core COBIT guidance.
• The size of an enterprise has no impact on the priority and target capability levels of governance
and management objectives.
• Note: This design factor is not part of the COBIT 2019 Design Toolkit.

Reference: COBIT 2019 Design Guide, Chapter 6

CONCLUSION

Input • N/A

Calculation • The tool performs a weighted summation of the calculated governance/management objectives
importance scores related to the design factors 5 through 10 and combines it with the results of Step
2 Initial design of the governance system.
• Weights can be entered on the canvas tab and are set to 1 by default. The weighting can be
changed, if, for example, compliance requirements are of greater importance (because the
enterprise operates in a highly regulated industry).
• The achieved results are then normalized on a scale of 100.
▪ The highest value (positive or negative) obtains a score of 100.
▪ All other values are then prorated against this value.
• The resulting list of scores not only provides a reliable view of the relative importance of all
governance/management objectives against each other, but also gives an indication of the absolute
importance. This output allows an enterprise not only to prioritize governance/management
objectives against each other, but also to define adequate target capability levels.

Output • The Step 3 summary tab contains the calculated relative importance of each of the 40 COBIT® 2019
governance and management objectives.
• The results are represented in table format (on the canvas tab) and as a bar chart (on the Step 3
summary tab).
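The scoring steps described for design factors 8 to 10 and for the Step 3 conclusion can be reproduced in a few lines. The Python below is an added worked example, not code from the course deck or from ISACA's Design Toolkit: it performs the matrix calculation of an entered profile against a mapping table, repeats it for a baseline profile, expresses the difference as a percentage rounded to the nearest 5, and then combines the per-factor results with the Step 2 scores using per-factor weights (default 1) before normalizing so that the largest score becomes 100. The objective subset, the mapping weights, the baseline profiles and the Step 2 scores are constructed for illustration; the real toolkit uses ISACA's own mapping tables across all 40 objectives. Reading "the highest value (positive or negative)" as the largest absolute value is this example's interpretation.

```python
from typing import Dict, List, Optional, Sequence

# Constructed subset of COBIT 2019 objective IDs; the toolkit scores all 40.
OBJECTIVES = ["EDM03", "APO10", "APO12", "BAI03", "DSS05", "MEA03"]

# Design factor 9, IT implementation methods. Rows are the options
# (Agile, DevOps, Traditional); columns follow OBJECTIVES. The weights are
# illustrative values, not ISACA's mapping table.
DF9_OPTIONS = ["Agile", "DevOps", "Traditional"]
DF9_MAPPING = [
    [1, 2, 1, 4, 2, 1],  # Agile
    [1, 1, 2, 3, 4, 1],  # DevOps
    [2, 3, 2, 2, 2, 3],  # Traditional
]
DF9_BASELINE = [15, 15, 70]  # constructed baseline profile, in percent

# Design factor 10, technology adoption strategy (First mover, Follower,
# Slow adopter); same layout and the same caveat on the weights.
DF10_OPTIONS = ["First mover", "Follower", "Slow adopter"]
DF10_MAPPING = [
    [3, 2, 4, 3, 3, 2],  # First mover
    [2, 2, 2, 2, 2, 2],  # Follower
    [1, 2, 1, 1, 2, 3],  # Slow adopter
]
DF10_BASELINE = [15, 70, 15]


def validate_profile(values: Sequence[float], options: Sequence[str]) -> None:
    """Input rule of the tab: one value per option, each 0..100, summing to 100."""
    if len(values) != len(options):
        raise ValueError(f"expected {len(options)} values, got {len(values)}")
    if any(v < 0 or v > 100 for v in values):
        raise ValueError("each value must be between 0 and 100")
    if abs(sum(values) - 100) > 1e-9:
        raise ValueError("values must sum to 100")


def matrix_score(values: Sequence[float],
                 mapping: Sequence[Sequence[float]]) -> List[float]:
    """Row vector of option percentages times the option-by-objective table."""
    n_obj = len(mapping[0])
    return [sum(v * row[j] for v, row in zip(values, mapping))
            for j in range(n_obj)]


def round_to_5(x: float) -> int:
    """Round a percentage to the nearest multiple of 5."""
    return int(5 * round(x / 5))


def relative_importance(entered: Sequence[float], baseline: Sequence[float],
                        mapping: Sequence[Sequence[float]],
                        options: Sequence[str]) -> List[int]:
    """Percentage difference of the entered score from the baseline score."""
    validate_profile(entered, options)
    validate_profile(baseline, options)
    scores = matrix_score(entered, mapping)
    base = matrix_score(baseline, mapping)
    result = []
    for s, b in zip(scores, base):
        # A zero baseline has no meaningful relative difference; treat as neutral.
        result.append(0 if b == 0 else round_to_5((s - b) / b * 100))
    return result


def conclude(step2: Sequence[float], factor_results: Dict[str, Sequence[float]],
             weights: Optional[Dict[str, float]] = None) -> List[int]:
    """Step 3 conclusion: weighted sum of the factor results plus the Step 2
    scores, normalized so the largest absolute value maps to 100 and the rest
    are prorated against it (sign preserved)."""
    weights = weights or {}
    totals = []
    for j in range(len(step2)):
        combined = step2[j] + sum(weights.get(name, 1) * res[j]
                                  for name, res in factor_results.items())
        totals.append(combined)
    peak = max(abs(t) for t in totals)
    if peak == 0:
        return [0] * len(totals)
    return [round(100 * t / peak) for t in totals]


def design_example(weights: Optional[Dict[str, float]] = None) -> Dict[str, int]:
    """End-to-end run on constructed inputs; returns objective -> final score."""
    df9 = relative_importance([50, 30, 20], DF9_BASELINE, DF9_MAPPING, DF9_OPTIONS)
    df10 = relative_importance([100, 0, 0], DF10_BASELINE, DF10_MAPPING, DF10_OPTIONS)
    step2 = [10, 20, 40, 0, 30, 5]  # constructed Step 2 initial-design scores
    final = conclude(step2, {"DF9": df9, "DF10": df10}, weights)
    return dict(zip(OBJECTIVES, final))


if __name__ == "__main__":
    for obj, score in design_example().items():
        print(f"{obj}: {score:+d}")
```

Passing a weights dictionary such as {"DF10": 2} to design_example doubles the influence of the technology adoption strategy, the same lever the canvas tab exposes when, for example, compliance requirements deserve more weight.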

Reference: COBIT 2019 Design Guide, Chapter 6

CONCLUSION

Reference: COBIT 2019 Design Guide, Chapter 6

COBIT 2019 IMPLEMENTATION GUIDE


OBJECTIVES AND SCOPE OF THE IMPLEMENTATION GUIDE

• COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology
Governance Solution is the fourth publication in the COBIT 2019 suite of products.
• It reflects enhanced understanding of and practical experience with EGIT implementations, lessons
learned while applying and using previous versions of COBIT, and updates made to ISACA's guidance.
• It provides good practices for implementing and optimizing an I&T governance system based on a
continual improvement life cycle approach and tailored to suit the enterprise's specific needs.

Reference: COBIT 2019 Implementation Guide, Chapter 1


OBJECTIVES AND SCOPE OF THE IMPLEMENTATION GUIDE

• The COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of governance of I&T.
• I&T are pervasive in enterprises; it is neither possible nor good practice to separate business and
IT-related activities.
• EGIT is implemented as an integral part of enterprise governance, covering the full end-to-end
business and IT functional areas of responsibility.

Reference: COBIT 2019 Implementation Guide, Chapter 1


OBJECTIVES AND SCOPE OF THE IMPLEMENTATION GUIDE

Why do some governance system implementations fail?
• They are not initiated and then managed properly as programs to ensure benefits are realized.

Governance programs need to be:
• Sponsored by executive management
• Properly scoped
• Defined with attainable objectives

Program management is addressed as an integral part of the implementation life cycle.

Reference: COBIT 2019 Implementation Guide, Chapter 1


OBJECTIVES AND SCOPE OF THE IMPLEMENTATION GUIDE

It is assumed that, while a program and project approach is recommended to effectively drive
improvement initiatives, the goal is also to establish:
• Normal business practice
• A sustainable approach to governing and managing enterprise I&T

The implementation approach is based on empowering business and IT stakeholders and role players
to take ownership of IT-related governance and management decisions and activities by facilitating
and enabling change.

The implementation program is closed when the process for focusing on IT-related priorities and
governance improvement is generating a measurable benefit, and the program has become embedded
in ongoing business activity.

Reference: COBIT 2019 Implementation Guide, Chapter 1


TARGET AUDIENCE

Target audience: business departments, audit, security, privacy, risk management, IT professionals,
external professionals, and others involved in EGIT implementation.

A certain level of experience and a thorough understanding of the enterprise are required to benefit
from this guide. Such experience and understanding allow users to customize the core COBIT
guidance, which is generic in nature, into tailored and focused guidance for the enterprise, taking
context into account.

Reference: COBIT 2019 Implementation Guide, Chapter 1


IMPLEMENTATION AND DESIGN GUIDES

• The Design Guide workflow has a number of connection points with the Implementation Guide.
• The Design Guide elaborates a set of tasks defined in the Implementation Guide.

Reference: COBIT 2019 Design Guide, Chapter 5



DESIGN GUIDE AND IMPLEMENTATION GUIDE RELATIONSHIPS

The workflow explained in the COBIT 2019 Design Guide elaborates a set of tasks defined in the
Implementation Guide and has the following connection points:

COBIT Implementation Guide → COBIT Design Guide

• Phase 1 What are the drivers? (Continuous improvement [CI] tasks) → Step 1 – Understand the
enterprise context and strategy
• Phase 2 Where are we now? (CI tasks) → Step 2 – Determine the initial scope of the governance
system; Step 3 – Refine the scope of the governance system; Step 4 – Conclude the governance
system design
• Phase 3 Where do we want to be? (CI tasks) → Step 4 – Conclude the governance system design

Reference: COBIT 2019 Design Guide, Chapter 5

POSITIONING I&T GOVERNANCE


UNDERSTANDING THE CONTEXT OF A GOVERNANCE SYSTEM

EGIT does not occur in a vacuum. Implementation takes place in different conditions
and circumstances determined by numerous factors in the internal and external
environment, such as:

External environment:
• The community's ethics and culture
• Governing laws, regulations and policies
• International standards
• Industry practices
• The economic and competitive environment
• Technology advancements and evolution
• The threat landscape

The enterprise's:
• Reason for existence, mission, vision, goals and values
• Governance policies and practices
• Culture and management style
• Models for roles and responsibilities
• Business plans and strategic intentions
• Operating model and level of maturity

Reference: COBIT 2019 Design Guide, Chapter 2


IMPORTANCE OF EGIT

Globally, enterprises, whether public or private, large or small, increasingly understand that
information is a key resource and technology is a strategic asset, both critical to success. Why is
EGIT important?
• I&T is critical to enterprise success.
• I&T has the potential for business transformation.
• I&T often represents a very significant investment.
• The networked economy presents a spectrum of IT-related risk.
• EGIT addresses the complex regulatory environment faced by enterprises.

Research has shown that enterprises with poorly designed or adopted approaches to EGIT perform
worse in aligning business and I&T strategies and processes.

Reference: COBIT 2019 Design Guide, Chapter 2


EGIT OUTCOMES

Fundamentally, EGIT is concerned with value delivery from digital transformation and the mitigation
of business risk that results from digital transformation.

More specifically, three main outcomes can be expected after successful adoption of EGIT:
• Benefits realization
• Risk optimization
• Resource optimization

Reference: COBIT 2019 Design Guide, Chapter 2

COBIT AS AN I&T FRAMEWORK

• Over the years, best-practice frameworks have been developed and promoted to assist in
understanding, designing and implementing EGIT.
• COBIT 2019 builds on and integrates more than 25 years of development in this field.
• From its foundation in the IT audit community, COBIT has developed into a broader and more
comprehensive I&T governance and management framework.
• COBIT continues to establish itself as a generally accepted framework for I&T governance.

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 1: Introduction

LEVERAGING COBIT AND INTEGRATING FRAMEWORKS

• COBIT considers an enterprise view and aligns with governance good practices.
• COBIT outlines a general approach as well as referencing other detailed standards.
• COBIT is a single, overarching framework.
• COBIT can be tailored to meet the needs of the enterprise.
• Aligning with COBIT should result in faster and more efficient assurance initiatives.

Reference: COBIT 2019 Design Guide, Chapter 2

CREATING THE APPROPRIATE ENVIRONMENT


CREATING THE APPROPRIATE ENVIRONMENT

It is important for the appropriate context to exist when implementing EGIT improvements. This helps
ensure that the initiative is governed and adequately guided and supported by management.

• An appropriate environment should be created and maintained.
• Ensure that EGIT is implemented as an integral part of an overall governance approach within the
enterprise.
• Include direction and oversight of the implementation initiative, including guiding principles.
• Provide sufficient commitment, direction and control of activities.

Reference: COBIT 2019 Design Guide, Chapter 3

CREATING THE APPROPRIATE ENVIRONMENT

A common approach to formalize EGIT and provide a mechanism for executive and board oversight and
direction of I&T-related activities is to establish an I&T governance board, which:

• Acts on behalf of the board of directors
• Is responsible for how I&T is used within the enterprise and for making key I&T-related decisions
• Has a clearly defined mandate and is best chaired by a business executive
• Includes representation from the chief information officer, chief digital officer, chief technology
officer, senior managers, internal audit, security and risk

Reference: COBIT 2019 Design Guide, Chapter 3

ROLES IN CREATING THE APPROPRIATE ENVIRONMENT

Reference: COBIT 2019 Design Guide, Chapter 3


ROLES IN CREATING THE APPROPRIATE ENVIRONMENT

Reference: COBIT 2019 Design Guide, Chapter 3

GOVERNANCE IMPLEMENTATION ROADMAP


IMPLEMENTATION GUIDE PURPOSE AND SCOPE

The continual improvement life cycle approach allows enterprises to address the complexity and
challenges typically encountered during EGIT implementation. There are three interrelated
components to the life cycle:
• The core EGIT continual improvement life cycle
• Change enablement (addressing behavioral and cultural aspects of implementation or improvement)
• Program management

Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 8: Implementing Enterprise Governance of IT

IMPLEMENTATION ROAD MAP

The COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of governance of I&T. It
recognizes that I&T are pervasive in enterprises and that it is neither possible nor good practice to
separate business and IT-related activities.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 1 WHAT ARE THE DRIVERS?

Phase 1 identifies current change drivers and creates a desire to change, which is then expressed in
an outline business case.
• A change driver is an internal or external event, condition or key issue that serves as a stimulus
for change.
• Drivers include events, trends (industry, market or technical), performance shortfalls, software
implementations and even the goals of the enterprise.
• Risk associated with implementation of the program itself is described in the business case and
managed throughout the life cycle.
• Preparing, maintaining and monitoring a business case are fundamental and important disciplines
for justifying, supporting and then ensuring successful outcomes for any initiative.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 2 WHERE ARE WE NOW?

Phase 2 aligns I&T-related objectives with enterprise strategies and risk, and prioritizes the most
important enterprise goals, alignment goals and processes.
• The COBIT 2019 Design Guide provides several design factors to help with the selection.
• The enterprise must identify critical governance and management objectives and underlying
processes that are of sufficient capability to ensure successful outcomes.
• Management needs to know its current capability and where deficiencies may exist. This can be
achieved by a process capability assessment of the current status of the selected processes.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 3 WHERE DO WE WANT TO BE?

Phase 3 sets a target for improvement, followed by a gap analysis to identify potential solutions.
• Some solutions will be quick wins and others more challenging, long-term tasks.
• Priority should be given to projects that are easier to achieve and likely to give the greatest
benefit.
• Longer-term tasks should be broken down into manageable pieces.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 4 WHAT NEEDS TO BE DONE?

Phase 4 describes how to plan feasible and practical solutions by defining projects supported by
justifiable business cases and a change plan for implementation.
• A well-developed business case can help ensure the project's benefits are identified and
continually monitored.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 5 HOW DO WE GET THERE?

Phase 5 provides for implementing the proposed solutions into:
• Day-to-day practices
• Established measures
• Monitoring systems that ensure business alignment is achieved and performance can be measured

Success requires engagement, awareness and communication, understanding and commitment of top
management, and ownership by the affected business and IT process owners.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 6 DID WE GET THERE?

Phase 6 focuses on the sustainable transition of the improved governance and management practices
into normal business operations.
• It further focuses on monitoring achievement of the improvements.
• It uses the performance metrics and expected benefits.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 7 HOW DO WE KEEP THE MOMENTUM GOING?

Phase 7 reviews the overall success of the initiative, identifies further governance or management
requirements and reinforces the need for continual improvement. It also prioritizes further
opportunities to improve the governance system.
• Program and project management is based on good practices.
• It provides for checkpoints at each of the seven phases to ensure that the program's performance
is on track.
• The business case and risk are updated and planning for the next phase is adjusted as
appropriate. It is assumed that the enterprise's standard approach would be followed.

Reference: COBIT 2019 Implementation Guide, Chapter 3

PHASE 7 HOW DO WE KEEP THE MOMENTUM GOING? (CONTINUED)

Further guidance on program and project management can also be found in COBIT management
objectives:
• BAI01 Managed programs
• BAI11 Managed projects

Although reporting is not mentioned explicitly in any of the phases, it is a continual thread through
all of the phases and iterations.

Reference: COBIT 2019 Implementation Guide, Chapter 3

TRIGGER EVENTS FOR GOVERNANCE IMPROVEMENT


PAIN POINTS AND TRIGGER EVENTS

Many factors can indicate a need for new or revised EGIT practices and can reveal complex networks
of underlying issues. Using pain points or trigger events can:
• Relate the business case for improvement to concrete stakeholder issues within the enterprise
• Assist in buy-in
• Support quick wins

A sense of urgency may be necessary to kick-start implementation.

Reference: COBIT 2019 Design Guide, Chapter 3

TYPICAL PAIN POINTS

New or revised EGIT practices can typically help address the following symptoms. A short list of
these includes:
• Frustration between different IT entities across the organization because of a perception of low
contribution to business value.
• Frustration between business departments and the IT department because of failed initiatives or a
perception of low contribution to business value.
• Significant I&T-related incidents, such as data loss, security breaches, project failure and
application errors, linked to IT.
• Service delivery problems by the IT outsourcer(s).
• Failure to meet IT-related regulatory or contractual requirements.

These are also listed in the Design Guide under Design Factor 4 I&T-related issues and are
illustrated in Module 4 of this training.

Reference: COBIT 2019 Design Guide, Chapter 3

TRIGGER EVENTS
In addition to pain points, other events in the enterprise's internal and external environments can
signal or trigger a focus on EGIT and drive it high on the enterprise agenda:

• Merger, acquisition or divestiture
• Shifts in the market, economy or competitive position
• Changes in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shifts
• Enterprise-wide governance focus or project
• New leadership
• External audit or consultant assessments
• New business strategy or priority
• Desire to significantly improve the value gained from I&T

Reference: COBIT 2019 Design Guide, Chapter 3

INTERNAL STAKEHOLDERS

Overview of Internal EGIT Stakeholders

Board and executive management
• Accountabilities and responsibilities: Set the overall direction, context and objectives for the
improvement program and ensure alignment with the enterprise business strategy, governance and risk
management. Provide visible support and commitment for the initiative, including the roles of
sponsoring and promoting the initiative. Approve the outcomes of the program, and ensure envisioned
benefits are attained and corrective measures are taken as appropriate. Ensure that the required
resources (financial, human and other) are available to the initiative. Set the direction at the top
and lead by example.
• Interest in the program outcomes: The board and executive management are interested in obtaining
the maximum business benefits from the implementation program. They want to ensure that all
relevant, required issues and areas are addressed; required activities are undertaken; and expected
outcomes are successfully delivered.

Business management and business process owners
• Accountabilities and responsibilities: Provide applicable business resources to the core
implementation team. Work with IT to ensure that the outcomes of the improvement program are
aligned to and appropriate for the business environment of the enterprise, value is delivered, and
risk is managed. Visibly support the improvement program and work with IT to address any issues
that are experienced. Ensure that the business is adequately involved during implementation and in
the transition to use.
• Interest in the program outcomes: These stakeholders would like the program to result in better
alignment of I&T with the overall business environment and their specific areas.

Reference: COBIT 2019 Implementation Guide, Chapter 3

INTERNAL STAKEHOLDERS

Overview of Internal EGIT Stakeholders

Chief information officer (CIO)
• Accountabilities and responsibilities: Provide leadership to the program and applicable IT
resources to the core implementation team. Work with business management and executives to set the
appropriate objectives, direction and approach for the program.
• Interest in the program outcomes: The CIO wants to ensure that all EGIT implementation objectives
are attained. For the CIO, the program should result in mechanisms that will continually improve the
relationship with, and alignment to, the business (including having a shared view on I&T
performance); lead to better management of IT supply and demand; and improve the management of
I&T-related business risk.

IT management and IT process owners (such as the head of operations, chief architect, IT security
manager, privacy officer, business continuity management specialist)
• Accountabilities and responsibilities: Provide leadership for applicable work streams of the
program and resources to the implementation team. Give key input into the assessment of current
performance and setting of improvement targets for process areas with the respective domains.
Provide input on relevant good practices that should be incorporated and related expert advice.
Ensure that the business case and program plan are realistic and achievable.
• Interest in the program outcomes: These stakeholders would like the program to result in better
alignment of I&T with the overall business environment and their specific areas.

Compliance, risk management and legal experts
• Accountabilities and responsibilities: Participate as required throughout the program and provide
compliance, risk management and legal inputs on relevant issues. Ensure alignment with the overall
ERM approach and confirm relevant compliance and risk management objectives are met, issues are
considered and benefits are attained. Provide guidance as required during implementation.
• Interest in the program outcomes: These stakeholders want to ensure that the initiative
establishes or improves the mechanisms for ensuring legal and contract compliance and effective
I&T-related business risk management, and alignment of these mechanisms to any enterprise-wide
approaches that may exist.

Reference: COBIT 2019 Implementation Guide, Chapter 3

INTERNAL STAKEHOLDERS

Overview of Internal EGIT Stakeholders

Internal audit
• Accountabilities and responsibilities: Participate as required throughout the program and provide
audit inputs on relevant issues. Provide advice on current issues being experienced and input on
control practices and approaches. Review the feasibility of business cases and implementation plans.
Provide advice and guidance as required during implementation. Potentially verify assessment results
independently.
• Interest in the program outcomes: These stakeholders are interested in the outcomes of the
implementation program related to control practices and approaches, and how the mechanisms that are
established or improved will enable current audit findings to be addressed.

Implementation team (combined business and IT team, consisting of individuals from previously listed
stakeholder categories)
• Accountabilities and responsibilities: Direct, design, control, drive and execute the end-to-end
program from the identification of objectives and requirements to the eventual evaluation of the
program against business case objectives and the identification of new triggers and objectives for
further implementation or improvement cycles. Ensure skills transfer during the transition from the
implementation environment to the operation, use and maintenance environments.
• Interest in the program outcomes: The team wants to ensure that all envisioned outcomes of the
EGIT initiative are obtained and maximized.

Users
• Accountabilities and responsibilities: Support EGIT by performing specific roles and
responsibilities as assigned to them.
• Interest in the program outcomes: These stakeholders are interested in the impact(s) the initiative
will have on their day-to-day lives: their jobs, roles and responsibilities, and activities.

Customers
• Customers are part of the extended value chain and have expectations regarding delivery of
services, products, etc.

Reference: COBIT 2019 Implementation Guide, Chapter 3

EXTERNAL STAKEHOLDERS

Overview of External EGIT Stakeholders

Customers and society
• Organizations exist to serve customers. Thus, customers are directly affected by the degree to
which an enterprise's EGIT objectives are met. If an enterprise is exposed in the security and
privacy domain, such as through loss of customer banking data, the customer will be affected, and
thus has an interest in the successful outcomes of the EGIT implementation program.

IT service providers
• Enterprise management should ensure that there is alignment and interface between the enterprise's
own overall EGIT and the governance and management of the services provided by IT service providers.

Regulators
• Regulators are interested in whether the implementation program outcomes satisfy and/or provide
structures and mechanisms to satisfy all applicable regulatory and compliance requirements.

Shareholders (where relevant)
• Shareholders may partially base investment decisions on the state of an enterprise's corporate and
EGIT governance and its record of accomplishment in this area.

External auditors
• External auditors may be able to rely on I&T-related controls more fully as a result of an
effective implementation program, as substantiated by an audit. They are also interested in
regulatory compliance aspects and financial reporting.

Business partners (e.g., suppliers)
• Business partners that use automated electronic transactions with the enterprise could have an
interest in the outcomes of the implementation program with respect to improved information
security, integrity and timeliness. They may also be interested in regulatory compliance and
international standards certifications that could be outcomes of the program.

Reference: COBIT 2019 Implementation Guide, Chapter 3

INDEPENDENT ASSURANCE AND AUDIT

Increasingly, boards and executive management seek independent advice and opinions regarding
critical I&T functions and services. There is also a general increase in the need to demonstrate
compliance with national and international regulations.

It is important to take these stakeholders and their interests into account when defining the EGIT
implementation plan:
• Internal auditors
• External auditors
• ISO/IEC standards auditors
• Professionals commissioned to provide an assessment on IT services and processes

Reference: COBIT 2019 Design Guide, Chapter 3

MODULE 7 SUMMARY


PHASE 1 WHAT ARE THE DRIVERS?

Phase objective
• Obtain an understanding of the program
background and objectives and current
governance approach.
• Define the initial program concept business
case.
• Obtain the buy-in and commitment of all key
stakeholders.
Phase description
• Articulate the compelling reasons to act.
• Define the program background, objectives,
current governance culture, and initial
business case.
• Obtain buy-in and commitment of all key
stakeholders.

Reference: COBIT 2019 Implementation Guide, Chapter 6

PHASE 1 KEY STAKEHOLDERS

Figure 6.2—Phase 1 Roles

When you are… Your role in this phase is to…

Board and executive Provide guidance regarding stakeholder needs (including customer needs), business strategy,
priorities, objectives and guiding principles with respect to EGIT. Approve the high-level approach.
Business management Together with IT, ensure that stakeholder needs and business objectives are stated with sufficient
clarity to enable translation into business goals for I&T. Provide input to understanding of risk and
priorities.
IT management Gather requirements and objectives from all stakeholders, gaining consensus on approach and
scope. Provide expert advice and guidance regarding IT matters.
Internal Audit Provide advice and challenge proposed activities and actions, ensuring that objective and balanced
decisions are made. Provide input on current issues. Provide advice regarding controls and risk
management practices and approaches.
Risk, compliance, Provide advice and guidance regarding risk, compliance and legal matters. Ensure that the
and legal management-proposed approach is likely to meet risk, compliance and legal requirements.

Reference: COBIT 2019 Implementation Guide, Chapter 6

PHASE 1 TASKS

Recognize the need to act:
• Identify the governance context, business and IT pain points and events.
• Identify business and governance drivers.
• Identify compliance requirements.
• Identify priorities and business strategy dependent on IT.
• Define EGIT policy, objectives, guiding principles and high-level improvement targets.

Establish the desire to change:
• Analyze the environment in which the change needs to be enabled.
• Determine ongoing or planned enterprise initiatives.
• Understand the breadth and depth of the change.
• Identify stakeholders involved in the initiative from different areas of the enterprise.
• Determine the ability to implement the change.

Initiate the program:
• Provide high-level strategic direction and set high-level program
• Define and assign high-level roles within the program.
• Develop an outline business case indicating the success factors.
• Obtain executive sponsorship.

Reference: COBIT 2019 Implementation Guide, Chapter 6

PHASE 1 INPUTS AND OUTPUTS


Inputs
• Enterprise policies, strategies, governance and business plans and audit reports
• Major initiatives
• Inputs that indicate current IT pain points
• Useful and relevant industry overviews, case studies and success stories
• Specific customer requirements, marketing and servicing strategy, market position, enterprise
vision and mission statements

Outputs
• Business case outline
• High-level roles and responsibilities
• Identified stakeholder map, including support and involvement required, influence and impact, and
agreed understanding of the efforts required to manage human change
• Program wake-up call (all stakeholders)
• Program kick-off communication (key stakeholders)

244 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 1 RACI CHART

245 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 1 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 1 of the implementation lifecycle.
• Lack of senior management buy-in, commitment and support
• Difficulty in demonstrating value and benefits
• Difficulty in getting the required business participation
• Difficulty in identifying stakeholders and role players
• Lack of current enterprise policy and direction
• Weak current enterprise governance

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase one challenges, refer to Figure 4.1 for a further description of root causes and success factors.

246 Reference: COBIT 2019 Implementation Guide, Chapter 4


PHASE 1 AVAILABLE RESOURCES

• COBIT® 2019 Design Guide (design factors)
• COBIT® 2019 Framework: Governance and Management Objectives (particularly EDM01, APO01, MEA01) and COBIT® 2019 Framework: Introduction and Methodology, Chapter 9, Getting Started With COBIT: Making the Case, www.isaca.org/cobit
• The example decision matrix in the appendix of this publication
• ISACA supporting products currently listed at www.isaca.org

247 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 2: WHERE ARE WE NOW?


PHASE 2 WHERE ARE WE NOW?

Phase objectives
• Ensure the program team knows and understands the enterprise goals.
• Identify the critical processes or other enablers addressed in the improvement plan.
• Identify the appropriate management practices for each selected process.
• Obtain an understanding of the enterprise’s present and future attitude toward risk.
• Determine the current capability of the selected processes.
• Understand the enterprise’s capacity and capability for change.

Phase description
This phase identifies the enterprise and alignment goals and illustrates how I&T contributes to enterprise goals via solutions and services.

249 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 2 KEY STAKEHOLDERS

Figure 6.6—Phase 2 Roles (When you are… / Your role in this phase is to…)

Board and executive: Verify and interpret the results/conclusions of assessments.
Business management: Assist IT in determining the reasonableness of current assessments by providing the customer view.
IT management: Ensure open and fair assessment of IT activities. Guide assessment of current practice. Obtain consensus.
Internal Audit: Provide advice, input and assistance to current-state assessments. If required, independently verify assessment results.
Risk, compliance, and legal: Review assessments to ensure that risk, compliance and legal issues have been considered adequately.

250 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 2 TASKS

Assess the current state:
• Identify key enterprise and supporting alignment goals.
• Identify key governance issues and weaknesses related to the current and required future solutions and services.
• Assess benefit/value enablement risk, program/project delivery and service delivery/IT operations risk.
• Assess performance.

Form a powerful implementation team:
• Assemble a core team from the business and IT with the appropriate knowledge, expertise, profile, experience, credibility and authority.
• Identify and manage any potential vested interests within the team to create the required level of trust.
• Identify change agents with whom the core team can work.

Define problems and opportunities:
• Review and evaluate the outline business case, program feasibility and potential ROI.
• Assign roles, responsibilities and process ownership.
• Ensure commitment and support of affected stakeholders in program definition and execution.
• Identify challenges and success factors.

251 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 2 SELECTED INPUTS AND OUTPUTS

Inputs
• Outline business case
• Roles and responsibilities
• Identified stakeholder map
• Program wake-up call
• Business and IT plans and strategies
• IT process descriptions, policies, standards, procedures, technical specifications
• Understanding of business and IT contribution

Outputs
• Agreed alignment goals and impact
• Selected governance and management objectives
• Current performance levels of selected governance and management objectives
• Risk acceptance position and profile
• Strengths on which to build
• Evaluated outline business case
• Agreed understanding of the issues and challenges

252 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 2 RACI CHART

253 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 2 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 2 of the implementation lifecycle. Refer to Figure 4.2 in the Implementation Guide for the associated root causes and success factors. Note that these are the same for both phases 2 and 3.
• Inability to gain and sustain support for improvement objectives
• Communication gap between IT and the business
• Cost of improvements outweighing perceived benefits
• Lack of trust and good relationships between IT and the enterprise

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase two challenges, refer to Figure 4.2 for a further description of root causes and success factors.

254 Reference: COBIT 2019 Implementation Guide, Chapter 4


PHASE 3 WHERE DO WE WANT TO BE?

Phase objectives
• Determine the targeted capability for processes within governance and management objectives.
• Determine gaps.
• Translate gaps into improvement opportunities.
• Create a detailed business case and high-level program plan from gathered information.

Phase description
Based on assessed current-state process capability levels, an appropriate target capability level should be determined for each process.

257 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 3 KEY STAKEHOLDERS

Figure 6.10—Phase 3 Roles (When you are… / Your role in this phase is to…)

Board and executive: Set priorities, time scales and expectations regarding the future capability required from I&T.
Business management: Assist IT with the setting of capability targets. Ensure that the envisaged solutions are aligned to enterprise goals.
IT management: Apply professional judgment in formulating improvement priority plans and initiatives. Obtain consensus on a required capability target. Ensure that the envisaged solution is aligned to alignment goals.
Internal audit: Provide advice and assist with target-state positioning and gap priorities. If required, independently verify assessment results.
Risk, compliance, and legal: Review plans to ensure that risk, compliance and legal issues have been addressed adequately.

258 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 3 TASKS

Define target state:
• Define and identify improvement targets.
• Based on performance and conformance, decide initial, ideal short- and long-term target capability levels for each process.
• Analyze gaps.
• Collate gaps into potential improvements.
• Identify unmitigated residual risk and ensure its formal acceptance.

Describe and communicate desired outcomes:
• Secure participation.
• Describe the high-level road map to achieve the vision and involvement required of various stakeholders.
• Set the tone at the top by using senior management to deliver key messages.
• Use change agents to communicate informally and formally.
• Capture communication feedback, adapting the strategy accordingly.

Define the road map:
• Set program direction, scope, benefits and objectives at a high level.
• Ensure alignment of the objectives with business and IT strategies.
• Consider risk and adjust the scope accordingly.
• Consider change enablement implications.
• Obtain necessary budgets.
• Define program accountabilities and responsibilities.

259 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 3 SELECTED INPUTS AND OUTPUTS

Inputs
• Agreed enterprise goals and impact on alignment goals
• Current capability rating for selected processes
• Risk acceptance position and risk profile
• Change agents in different parts and at different levels in the enterprise
• Evaluated outline business case
• Internal and external capability benchmarks

Outputs
• Target capability rating for selected processes
• Description of improvement opportunities
• Risk response document, including risk not mitigated
• Change enablement plan and objectives
• Detailed business case
• High-level program plan

260 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 3 RACI CHART

261 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 3 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 3 of the implementation lifecycle. Refer to Figure 4.2 in the Implementation Guide for the associated root causes and success factors. Note that these are the same for both phases 2 and 3.
• Inability to gain and sustain support for improvement objectives
• Communication gap between IT and the business
• Cost of improvements outweighing perceived benefits
• Lack of trust and good relationships between IT and the enterprise

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase three challenges, refer to Figure 4.2 for a further description of root causes and success factors.

262 Reference: COBIT 2019 Implementation Guide, Chapter 4


PHASE 4: WHAT NEEDS TO BE DONE?


PHASE 4 WHAT NEEDS TO BE DONE?

Phase objectives
• Translate improvement opportunities into justifiable contributing projects.
• Prioritize and focus on high-impact projects.
• Integrate the improvement projects into the overall program plan.
• Execute quick wins.

Phase description
Prioritize potential initiatives into formal and justifiable projects.

270 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 4 KEY STAKEHOLDERS

Figure 6.14—Phase 4 Roles (When you are… / Your role in this phase is to…)

Board and executive: Consider and challenge proposals, support justified actions, provide budgets, and set priorities as appropriate.
Business management: Together with IT, ensure that the proposed improvement actions are aligned with agreed enterprise and IT-related goals and that any activities requiring business input or action are supported. Ensure that required business resources are allocated and available. Agree with IT on the metrics for measuring the outcomes of the improvement program.
IT management: Ensure viability and reasonableness of the program plan. Ensure that the plan is achievable, and resources are available to execute the plan. Consider the plan together with priorities of the enterprise’s portfolio of I&T-enabled investments to decide a basis for investment funding.
Internal audit: Provide independent assurance that issues identified are valid, business cases are objectively and accurately presented, and plans appear achievable. Provide expert advice and guidance where appropriate.
Risk, compliance, and legal: Ensure that any identified risk, compliance and legal issues are being addressed, and that proposals conform with any relevant policies or regulations.

271 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 4 TASKS

Design and build:
• Consider potential benefit and ease of implementation for each improvement.
• Plot improvements onto an opportunity grid.
• Focus on alternatives showing high benefit/high ease of implementation.
• Consider alternatives.
• Prioritize, select, and analyze improvements.
• Agree on projects to be included in the business case for approval.
• Record unapproved projects and initiatives in a register for potential future consideration.

Empower role players:
• Obtain buy-in.
• Design change response plans.
• Identify quick wins.
• Build on any existing strengths identified in phase 2 to realize quick wins, where possible.
• Identify strengths in existing enterprise processes that could be leveraged.

Develop the program plan:
• Organize potential projects into the overall program.
• Ensure that the program conforms to strategic goals and that I&T has a balanced set of initiatives.
• Develop a change plan.
• Identify and agree on metrics for measuring the outcomes.
• Define a portfolio of projects.
• Define required deliverables.
• Nominate project steering committees.
• Establish project plans and reporting.

272 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 4 SELECTED INPUTS AND OUTPUTS

Inputs
• Target maturity rating for selected processes
• Description of improvement opportunities
• Risk response document
• Change enablement plan and objectives
• Communication strategy and communication of the change vision
• Detailed business case
• Strengths identified in earlier phases

Outputs
• Improvement project definitions
• Defined change response plans
• Identified quick wins
• Record of unapproved projects
• Program plan that sequences individual plans with allocated resources, priorities and deliverables
• Project plans and reporting procedures enabled through committed resources such as skills and investment
• Success metrics

273 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 4 RACI CHART

274 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 4 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 4 of the implementation lifecycle:
• Failure to understand the environment
• Various levels of complexity (technical, organizational, operating model)
• Difficulty in understanding COBIT and associated frameworks, procedures and practices
• Resistance to change
• Failure to adopt improvements
• Difficulty in integrating internal governance approach with the governance models of outsourcing partners

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase four challenges, refer to Figure 4.3 for a further description of root causes and success factors.
275 Reference: COBIT 2019 Implementation Guide, Chapter 4


PHASE 4 AVAILABLE RESOURCES

• COBIT 2019 Framework: Introduction and Methodology (governance and management objectives, components of the governance system), www.isaca.org/cobit
• COBIT 2019 Framework: Governance and Management Objectives (APO05, APO12, BAI01, BAI11, goals and metrics)
• ISACA supporting products as currently listed at www.isaca.org

276 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 5: HOW DO WE GET THERE?


PHASE 5 HOW DO WE GET THERE?

Phase objectives
• Implement the detailed improvement projects.
• Leverage enterprise program and project management capabilities, standards and practices.
• Monitor, measure and report on project progress.

Phase description
The approved improvement projects are now ready for implementation. Solutions defined by the program can now be acquired or developed and implemented into the enterprise.

278 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 5 KEY STAKEHOLDERS

Figure 6.18—Phase 5 Roles (When you are… / Your role in this phase is to…)

Board and executive: Monitor implementation and provide support and direction as required.
Business management: Take ownership for business participation in the implementation, especially where business processes are affected, and IT processes require user/customer involvement.
IT management: Make sure that the implementation includes the full scope of activities required (e.g., policy and process changes, technology solutions, organizational changes, new roles and responsibilities, other enablers); ensure that implementations are practical, achievable, and likely to be adopted and used. Make sure that process owners are involved, buy into the new approach and own the resulting processes. Resolve issues and manage risk as encountered during the implementation.
Internal audit: Review and provide input during implementation to avoid after-the-fact identification of missing enablers and especially key controls. Provide guidance on implementation of control aspects. If required, provide a project/implementation risk review service, monitoring risk that could jeopardize implementation and providing independent feedback to the program and project teams.
Risk, compliance, and legal: Provide guidance as required on risk, compliance and legal aspects during implementation.

279 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 5 TASKS

Implement improvements:
• Develop and/or acquire solutions that include the full scope of activities required.
• Adopt and adapt available guidance to suit the enterprise’s approach to policies and procedures.
• Test the practicality and suitability of the solutions in the real working environment.
• Roll out the solutions, considering any existing processes and migration requirements.

Enable operation and use:
• Build on the momentum and credibility.
• Communicate quick-win successes and recognize and reward those involved.
• Implement the change response plans.
• Communicate roles and responsibilities.
• Define measures of success.
• Close the loop and ensure that all change requirements have been addressed.
• Monitor the change enablement effectiveness and take corrective action where necessary.

Execute the plan:
• Ensure that the execution of the program is based on an up-to-date and integrated (business and IT) plan of the projects within the program.
• Direct and monitor the contribution of all the projects in the program.
• Provide regular update reports to stakeholders.
• Document and monitor significant program risk and issues and agree on remediation actions.
• Approve any major changes to the program and project plans.

280 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 5 SELECTED INPUTS AND OUTPUTS

Inputs
• Improvement project definitions
• Defined change response plans
• Identified quick wins
• Record of unapproved projects
• Program plan with allocated resources, priorities and deliverables
• Project plans and reporting procedures
• Success metrics
• Project definitions, plans, change strategy and response plans
• Integrated program and project plans

Outputs
• Implemented improvements
• Implemented change response plans
• Realized quick wins and visibility of change success
• Success communications
• Defined and communicated roles and responsibilities in the business-as-usual environment
• Project change logs and issue/risk logs
• Defined business and perception success measures
• Benefits tracked to monitor realization

281 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 5 RACI CHART

282 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 5 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 5 of the implementation lifecycle.
• Failure to realize implementation commitments
• Trying to do too much at once; tackling overly complex, overly difficult or simply too many problems
• IT and/or business in fire-fighting mode
• Lack of required skills and competencies, such as understanding governance, management, business, processes, soft skills

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase five challenges, refer to Figure 4.4 for a further description of root causes and success factors.

283 Reference: COBIT 2019 Implementation Guide, Chapter 4


PHASE 5 AVAILABLE RESOURCES

• COBIT 2019 Framework: Governance and Management Objectives (all objectives as good practice input, BAI01, BAI11), www.isaca.org/cobit
• ISACA supporting products as currently listed at www.isaca.org

284 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 6: DID WE GET THERE?


PHASE 6 DID WE GET THERE?

Phase objective
• Integrate the metrics for project performance and benefits realization.

Phase description
Monitor the described program improvements via alignment goals and process goals using suitable techniques such as an IT balanced scorecard (BSC) and benefits register to verify the change outcomes have been achieved.

286 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 6 KEY STAKEHOLDERS

Figure 6.22—Phase 6 Roles (When you are… / Your role in this phase is to…)

Board and executive: Assess performance in meeting the original objectives and confirm realization of desired outcomes. Consider the need to redirect future activities and take corrective action. Assist in the resolution of significant issues, if required.
Business management: Provide feedback and consider the effectiveness of the business’s contribution to the initiative. Use positive results to improve current business-related activities. Use lessons learned to adapt and improve the business’s approach to future initiatives.
IT management: Provide feedback and consider the effectiveness of IT’s contribution to the initiative. Use positive results to improve current IT-related activities. Monitor projects based on project criticality as they are developing, using both program management and project management techniques. Be prepared to change the plan and/or cancel one or more projects or take other corrective action, if early indications show that a project is off track and may not meet critical milestones. Use lessons learned to adapt and improve IT’s approach to future initiatives.
Internal audit: Provide independent assessment of the overall efficiency and effectiveness of the initiative. Provide feedback and consider the effectiveness of audit’s contribution to the initiative. Use positive results to improve current audit-related activities. Use lessons learned to adapt and improve audit’s approach to future initiatives.
Risk, compliance, and legal: Assess whether the initiative has improved the ability of the enterprise to identify and manage risk and legal, regulatory and contractual requirements. Provide feedback and make any necessary recommendations for improvements.
287 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 6 TASKS

Operate and measure:
• Set targets for each metric.
• Obtain and gather measures.
• Investigate variances.
• Develop and agree on proposed corrective measures.
• Adjust long-term targets based on experience.
• Communicate results from performance monitoring to all interested stakeholders.

Embed new approaches:
• New ways of working become part of the enterprise’s culture.
• Leverage pockets of excellence to provide a source of inspiration.
• Maintain the communication strategy to achieve ongoing awareness and highlight successes.
• Ensure open communication among all to resolve issues.

Realize benefits:
• Monitor performance against objectives.
• Monitor investment performance.
• Document lessons learned.

288 Reference: COBIT 2019 Implementation Guide, Chapter 6

PHASE 6 SELECTED INPUTS AND OUTPUTS

Inputs
• Implemented improvements
• Implemented change response plans
• Realized quick wins and success communications
• Defined and communicated roles and responsibilities
• Project change and issue/risk logs
• Defined business and perception success measures
• Alignment goals and IT process goals
• Existing measures and/or scorecards
• Business case benefits
• Change response plans and strategy

Outputs
• Updated project and program scorecards
• Change effectiveness measures (both business and perception measures)
• Report explaining scorecard results
• Improvements entrenched in operations
• Key metrics added into ongoing IT performance measurement approach

289 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 6 RACI CHART

290 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 6 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 6 of the implementation lifecycle. Refer to Figure 4.5 in the Implementation Guide for the associated root causes and success factors. Note: the challenges noted here are the same challenges identified for Phase 7.
• Failure to adopt or apply improvements
• Difficulty in showing or proving benefits
• Lost interest and momentum, change fatigue

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase six challenges, refer to Figure 4.5 for a further description of root causes and success factors.

291 Reference: COBIT 2019 Implementation Guide, Chapter 4


PHASE 6 AVAILABLE RESOURCES

• COBIT 2019 Framework: Governance and Management Objectives (as good practice input and EDM05, APO05, BAI01, BAI11, MEA01), www.isaca.org/cobit
• ISACA supporting products as currently listed at www.isaca.org

292 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 7: HOW DO WE KEEP THE MOMENTUM GOING?


PHASE 7 HOW DO WE KEEP THE MOMENTUM GOING?

Phase objectives
• Assess the results and experience gained from the program.
• Record and share any lessons learned.
• Ensure that new, required actions drive further iterations of the life cycle.
• Continually monitor performance and ensure results are regularly reported.
• Drive commitment and ownership of all accountabilities and responsibilities.

Phase description
This phase enables the team to determine whether the program delivered against expectations.

294 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 7 KEY STAKEHOLDERS

Figure 6.26—Phase 7 Roles (When you are… / Your role in this phase is to…)

Board and executive: Provide direction, set objectives, and allocate roles and responsibilities for the enterprise’s ongoing approach to, and improvement of, EGIT. Continue to set the tone at the top, develop organizational structures, and encourage a culture of good governance and accountability for I&T among business and IT executives. Ensure that IT is aware of and, as appropriate, involved in, new business objectives and requirements in as timely a manner as possible.
Business management: Provide support and commitment by continuing to work positively with IT to improve EGIT and make it business as usual. Verify that new EGIT objectives are aligned with current enterprise objectives.
IT management: Drive and provide strong leadership to sustain the momentum of the improvement program. Engage in governance activities as part of normal business practice. Create policies, standards and processes to ensure that governance becomes business as usual.
Internal audit: Provide objective and constructive input, encourage self-assessment, and provide assurance to management that governance is working effectively, thus building confidence in I&T. Provide ongoing audits based on an integrated governance approach, using criteria shared with IT and the business based on the COBIT 2019 framework.
Risk, compliance, and legal: Work with IT and the business to anticipate legal and regulatory requirements. Identify and respond to I&T-related risk as a normal activity in EGIT.

295 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 7 TASKS

Monitor and evaluate:
• Identify new governance objectives and requirements.
• Gather feedback.
• Measure and report actual results against originally established project measures.
• Perform a facilitated project review process.
• Look for additional high-impact, low-cost opportunities to further improve EGIT.
• Identify lessons learned.
• Communicate requirements for further improvements.

Sustain:
• Provide conscious reinforcement and ongoing communication.
• Confirm conformance to objectives and requirements.
• Continually monitor the effectiveness of the change.
• Implement corrective action plans where required.
• Provide feedback on performance and publicize successes.
• Build on lessons learned.
• Share knowledge from the initiative to the broader enterprise.

Review program effectiveness:
• At program closure, ensure that a program review takes place and approve conclusions.
• Review program effectiveness.

296 Reference: COBIT 2019 Implementation Guide, Chapter 6

PHASE 7 SELECTED INPUTS AND OUTPUTS

Inputs
• Updated project and program scorecards
• Change effectiveness measures (both business and perception measures)
• Report explaining scorecard results
• Postimplementation review report
• Performance reports
• Business and IT strategy
• New triggers such as new regulatory requirements

Outputs
• Recommendations for further EGIT activities after a period of normalization
• Stakeholder satisfaction survey
• Documented success stories and lessons learned
• Ongoing communication plan
• Performance reward scheme

297 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 7 RACI CHART

298 Reference: COBIT 2019 Implementation Guide, Chapter 6


PHASE 7 CHALLENGES, ROOT CAUSES AND SUCCESS FACTORS

This is a list of typical challenges that may be encountered in Phase 7 of the implementation lifecycle. Refer to Figure 4.5 in the Implementation Guide for the associated root causes and success factors. Note: the challenges noted here are the same challenges identified for Phase 6.
• Failure to adopt or apply improvements
• Difficulty in showing or proving benefits
• Lost interest and momentum, change fatigue

For each implementation phase, the Implementation Guide identifies challenges, root causes and success factors. For these phase seven challenges, refer to Figure 4.5 for a further description of root causes and success factors.

299 Reference: COBIT 2019 Implementation Guide, Chapter 4


PHASE 7 AVAILABLE RESOURCES

• COBIT 2019 Framework: Governance and Management Objectives (EDM01, APO01, BAI08, MEA01), www.isaca.org/cobit
• ISACA supporting products as currently listed at www.isaca.org

300 Reference: COBIT 2019 Implementation Guide, Chapter 6


DECISION MATRIX

Appendix A of the Implementation Guide outlines key topic areas that require clear decision-making roles and responsibilities.

This is an example of how to identify key topic areas requiring clear decision-making roles and responsibilities.

It is provided as a guide and can be modified and adapted to suit an enterprise’s specific organization and requirements.


EXAMPLE DECISION MATRIX

Responsible, Accountable, Consulted, Informed (RACI)
Roles (columns, left to right): Steering Committee (Programs/Projects), Enterprise Risk Committee, Business Process Owners, I&T Governance Board, Executive Committee, Portfolio Manager, IT Management, Employees
Each decision topic below lists its scope, with the RACI assignments given in column order as extracted (empty cells were not preserved in extraction).

Governance (A/R R C C R I)
• Integrating with enterprise governance
• Establishing principles, structures, objectives

Enterprise strategy (A/R R C C R I)
• Defining enterprise goals and objectives
• Deciding where and how I&T can enable and support enterprise objectives

I&T policies (I A C R C C)
• Providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders
• Developing and rolling out I&T policies
• Ensuring that policies result in beneficial outcomes in accordance with guiding principles
• Enforcing I&T policies

I&T strategy (I A C I R C C)
• Incorporating IT and business management in the translation of business requirements into service offerings and developing strategies to deliver these services in a transparent and effective manner
• Engaging with business and senior management in aligning I&T strategic planning with current and future business needs
• Understanding current I&T capabilities
• Providing a prioritization scheme for business objectives that quantifies business requirements


EXAMPLE DECISION MATRIX (CONTINUED)

Roles (columns, left to right): Steering Committee (Programs/Projects), Enterprise Risk Committee, Business Process Owners, I&T Governance Board, Executive Committee, Portfolio Manager, IT Management, Employees

I&T direction (I C C A/R C C)
• Providing appropriate platforms for the business applications and services in line with the defined I&T architecture and information & technology standards
• Producing an information and technology provisioning plan

I&T methods and frameworks (I C C I I A/R I I)
• Establishing transparent, flexible and responsive IT organizational structures and defining and implementing I&T processes that integrate owners, roles and responsibilities into business and decision processes
• Defining a practical I&T process framework
• Establishing appropriate organizational bodies and structure
• Defining roles and responsibilities

Enterprise architecture (A C C I I R R C)
• Defining and implementing architecture and standards that recognize and leverage technology opportunities
• Establishing a forum to guide architecture and verify compliance
• Establishing the architecture plan balanced against cost, risk and requirements
• Defining the information architecture, including the establishment of an enterprise data model that incorporates a data classification scheme
• Ensuring the accuracy of the information architecture and data model
• Assigning data ownership
• Classifying information using an agreed classification scheme

EXAMPLE DECISION MATRIX (CONTINUED)

Roles (columns, left to right): Steering Committee (Programs/Projects), Enterprise Risk Committee, Business Process Owners, I&T Governance Board, Executive Committee, Portfolio Manager, IT Management, Employees

I&T-enabled investment and portfolio prioritization (I A C C R)
• Making effective and efficient I&T-enabled investment and portfolio decisions
• Forecasting and allocating budgets
• Defining formal investment criteria
• Measuring and assessing business value against forecast

I&T-enabled investment and program prioritization (I A R C C/I C/I C/I)
• Setting and tracking I&T budgets in line with I&T strategy and investment decisions
• Measuring and assessing business value against forecast
• Defining a program and project management approach that is applied to I&T-enabled business projects and enables stakeholder participation in, and monitoring of, project risk and progress
• Defining and enforcing program and project frameworks and approach
• Issuing project management guidelines
• Performing project planning for each project detailed in the project portfolio


EXAMPLE DECISION MATRIX (CONTINUED)

Roles (columns, left to right): Steering Committee (Programs/Projects), Enterprise Risk Committee, Business Process Owners, I&T Governance Board, Executive Committee, Portfolio Manager, IT Management, Employees

Managing, monitoring and evaluating SLAs (I A R R R I)
• Identifying service requirements, agreeing on service levels and monitoring the achievement of service levels
• Formalizing internal and external agreements in line with requirements and delivery capabilities
• Reporting on service level achievements (reports and meetings)
• Identifying and communicating new and updated service requirements to strategic planning
• Meeting operational service levels for scheduled data processing, protecting sensitive output, and monitoring and maintaining infrastructure

IT application management (I I C A/R C C)
• Identifying technically feasible and cost-effective solutions
• Defining business and technical requirements
• Undertaking feasibility studies as defined in the development standards
• Approving (or rejecting) requirements and feasibility study results
• Ensuring that there is a timely and cost-effective development or acquisition process
• Translating business requirements into design specifications
• Selecting appropriate development and maintenance standards (waterfall, Agile, DevOps, etc.) and adhering to the standards for all modifications
• Separating development, testing and operational activities

EXAMPLE DECISION MATRIX (CONTINUED)

Roles (columns, left to right): Steering Committee (Programs/Projects), Enterprise Risk Committee, Business Process Owners, I&T Governance Board, Executive Committee, Portfolio Manager, IT Management, Employees

IT infrastructure (I I C A/R C C)
• Operating the IT environment in line with agreed service levels and defined instructions
• Maintaining the IT infrastructure

I&T security (I A R R R C/I)
• Defining I&T security policies, plans and procedures and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
• Understanding security requirements, including privacy and cybersecurity, vulnerabilities and threats, in line with business requirements and impact
• Managing user identities and authorizations in a standardized manner
• Testing security regularly


EXAMPLE DECISION MATRIX (CONTINUED)

Roles (columns, left to right): Steering Committee (Programs/Projects), Enterprise Risk Committee, Business Process Owners, I&T Governance Board, Executive Committee, Portfolio Manager, IT Management, Employees

Procurement and contracts (I I C A/R C C)
• Acquiring and maintaining I&T resources that respond to the delivery strategy, establishing an integrated and standardized IT infrastructure, and reducing IT procurement risk
• Obtaining professional legal and contractual advice
• Defining procurement procedures and standards
• Procuring requested hardware, software and services in line with defined procedures

I&T compliance (C/I A C A/R C C/I)
• Identifying all applicable laws, regulations and contracts; defining the corresponding level of I&T compliance; and optimizing IT processes to reduce the risk of noncompliance
• Identifying legal, regulatory and contractual requirements related to I&T
• Assessing the impact of compliance requirements
• Monitoring and reporting on compliance with these requirements


GROUP DISCUSSION
