Aligning COBIT 5.0 and ISO/IEC 38500

Edit subtitles

0:00 - 0:02

Greetings everyone and welcome in
0:02 - 0:04

today's webinar. Today, we will be
0:04 - 0:06

discussing a very interesting topic from
0:06 - 0:08

risk and management portfolio topic
0:08 - 0:12

regarding the aligning cobit 5 and ISO
0:12 - 0:15

38,500 for effective IT governance. My
0:15 - 0:17

name is Alba Keqa, the PCB organizer of this
0:17 - 0:21

webinar, and the guest for today is Mr
0:21 - 0:23

Orlando Olumide, the chief trainer for
0:23 - 0:26

training heist limited. Olease write your
0:26 - 0:27

questions and comments in the question
0:27 - 0:29

box in the right hand control panel. and
0:29 - 0:31

Mr. Orlando will answer to them
0:31 - 0:32

accordingly in the end of the
0:32 - 0:34

presentation please. Mr. Orlando, you may
0:34 - 0:37

start the presentation. Thank you. Okay, so
0:37 - 0:40

good. It's afternoon where I am, so
0:40 - 0:42

good afternoon everybody. I hope
0:42 - 0:44

everybody can hear me clearly, all right.
0:44 - 0:47

My name is Orlando once again, and
0:47 - 0:49

it's my pleasure to be here. And I will
0:49 - 0:52

be driving this webinar today,
0:52 - 0:54

aligning kid 5 and ISO
0:54 - 0:56

38500. that's a mistake actually. It's
0:56 - 1:01

meant to ISO 38500, not, not 38 5,000, Alma,
1:01 - 1:04

so please dear. We'll change that
1:04 - 1:05

before we put it up. Finally, it's going
1:05 - 1:07

to be ISO
1:07 - 1:11

38500 for effective IT governance. Okay.
1:11 - 1:14

So, I've been doing it for definitely
1:14 - 1:16

more than a decade, possibly a decade and
1:16 - 1:19

a half that I've been doing it, and
1:19 - 1:21

especially around it management and
1:21 - 1:23

governance all right. So I've been
1:23 - 1:27

exposed to the methodology called COBIT from
1:27 - 1:30

the organization called ISO/IEC.
1:30 - 1:34

They are also the owners of
1:34 - 1:37

qualifications like CESA and CM, I've
1:37 - 1:39

been exposed to the methodology from
1:39 - 1:41

version three. I think now had to be
1:41 - 1:45

around 2003 thereabout version
1:45 - 1:47

three of COBITS, and I've been familiar with
1:47 - 1:50

version three version four version 4.1,
1:50 - 1:52

and the latest of them now which is
1:52 - 1:57

called COBIT 5, is the fifth version of
1:57 - 1:59

COBIT. And I've been familiar with them, and
1:59 - 2:01

I know what it is in terms of using IT
2:01 - 2:03

for IT governance, but about a couple of
2:03 - 2:06

years ago. I also came in contact with um
2:06 - 2:08

ISO
2:08 - 2:13

38500, which is corporate governance.
2:13 - 2:15

Corporate governance for the
2:15 - 2:17

management of
2:17 - 2:20

IT as a standard. So when you look at the
2:20 - 2:23

new, that new document, you see that very
2:23 - 2:27

much they, they referred a lot to COBIT 5
2:27 - 2:31

inside of the document in itself. Okay.
2:31 - 2:33

The actual name for it is Corporate
2:33 - 2:37

governance of IT, all right. So, 38500 so a
2:37 - 2:40

lot of they referred a lot to COBIT 5. Inside
2:40 - 2:43

of it, so by doing work for various
2:43 - 2:46

clients, I noticed that if I'm going to
2:46 - 2:48

be able to do this effectively, if I'm
2:48 - 2:51

going to be able to do deliver ISO 38500
2:51 - 2:54

effectively to a client or for a client.
2:54 - 2:56

I have to literally be an expert at
2:56 - 2:59

using COBIT 5 because COBIT 5 is the
2:59 - 3:01

extended document that provides the
3:01 - 3:04

guidelines, and a lot of guidance for
3:04 - 3:06

how to actually get an organization
3:06 - 3:09

certified on ISO 38500. So that's why we
3:09 - 3:11

came up with this topic, and it's my
3:11 - 3:13

pleasure to be here. Okay, I'll quickly
3:13 - 3:17

move on. So, I've said in here. Let me
3:17 - 3:20

just do this,
3:20 - 3:24

okay. So I said, "What does COBIT have to
3:24 - 3:26

offer, and what is contained in the
3:26 - 3:30

extensive body of knowledge?" COBIT 5,
3:30 - 3:33

as far as version 4, COBIT 5 used to
3:33 - 3:37

be a 400+ page document when they
3:37 - 3:41

came up with COBIT 5 almost two years ago.
3:41 - 3:43

They completely blew it open, and it's
3:43 - 3:45

become a much more broad and a bigger
3:45 - 3:49

document than what it used to be. okay. So
3:49 - 3:53

now, COBIT is probably like almost 700 pages
3:53 - 3:57

of work that is even
3:57 - 4:01

being improved and added more more
4:01 - 4:03

more documents are added onto it on a
4:03 - 4:05

daily basis. So we're going to look at
4:05 - 4:07

what it's got to offer, and we're going
4:07 - 4:09

to look at what is the complimentary
4:09 - 4:12

value that ISO 38500 brings to an
4:12 - 4:15

organization. So, well that's going to be
4:15 - 4:17

the key point that we're going to be
4:17 - 4:21

looking at today. Okay, so COBIT used to be
4:21 - 4:24

one one one document, as I said you could
4:24 - 4:27

it gives to a 400 plus page document. But
4:27 - 4:29

now, COBIT 5 is a family of documents. There is
4:29 - 4:32

the 94/95 page document, which is the
4:32 - 4:34

framework, which is like the baseline
4:34 - 4:37

document that provides guidance to the
4:37 - 4:39

other parts then there the other
4:39 - 4:41

document that we call the enabling
4:41 - 4:44

process and the enabling information. And
4:44 - 4:46

we also now have the professional
4:46 - 4:50

guides, and as of today, you've got
4:50 - 4:52

implementation information security
4:52 - 4:54

assurance risk. So if you just, what I
4:54 - 4:57

have on the board on on this slide says
4:57 - 5:01

that there, what, one, two, three, four,
5:01 - 5:05

five, six, seven documents as of today
5:05 - 5:06

and none of those documents, all of them
5:06 - 5:09

go about a 100 page, plus some of them
5:09 - 5:13

go as much as 200 pages. So you're right
5:13 - 5:14

to say that as of today, COBIT is the
5:14 - 5:17

Thousand Pages what of guidance for an
5:17 - 5:19

organization that is looking to do IT
5:19 - 5:23

governance. Okay, and it's, it's well,
5:23 - 5:25

it's still relatively brand new, very few
5:25 - 5:27

organizations are the ones that have
5:27 - 5:29

come up with it, or sorry that are that
5:29 - 5:32

have adopted it as are today. So still
5:32 - 5:35

very much brand new. And, it's going to,
5:35 - 5:37

it is the, it is the document when it
5:37 - 5:38

comes to IT governance. It is the
5:38 - 5:41

guidance for the entire world when it
5:41 - 5:43

comes to IT governance. And as I go
5:43 - 5:44

through this slide, you will see why it
5:44 - 5:47

is extremely important, and why people
5:47 - 5:50

who do IT governance need to have a huge
5:50 - 5:52

level of expertise using COBIT, and why
5:52 - 5:55

anybody who's looking to do ISO, ISO
5:55 - 5:58

38500 also needs to be able to know COBIT
5:58 - 6:00

adequately. Otherwise, they will not be
6:00 - 6:03

able to effectively deliver ISO 38500
6:03 - 6:05

because the document in itself does
6:05 - 6:09

refer to COBIT a lot, okay. All right. So
6:09 - 6:10

once again, you've got this diagram that
6:10 - 6:12

shows a lot of the documents. So it said
6:12 - 6:15

that about at least seven documents as
6:15 - 6:18

today which will amount to about a
6:18 - 6:21

pages worth of guidance for IT
6:21 - 6:25

governance, okay. Good, so one of the
6:25 - 6:26

things that COBIT talks about and anybody
6:26 - 6:28

who's been doing COBIT for a while will
6:28 - 6:30

remember that
6:30 - 6:33

in version four, it had something. it
6:33 - 6:34

called it. the characteristics of
6:34 - 6:35

information where it talks about
6:35 - 6:38

efficiency, accuracy, effectiveness. And it
6:38 - 6:39

came up with seven different
6:39 - 6:42

characteristics of information. They're
6:42 - 6:44

still very much relevant. So, COBIT uses
6:44 - 6:47

the concept of information. It
6:47 - 6:49

doesn't, so a lot of people think that
6:49 - 6:52

it's about the technology, no. It is about
6:52 - 6:54

information, so when you say Information
6:54 - 6:57

technology primary is information
6:57 - 7:00

technology is secondary. So COBIT really does
7:00 - 7:02

look at information and says, "Information
7:02 - 7:05

is a key resource for the enterprise." And
7:05 - 7:06

an organization needs to be able to
7:06 - 7:09

manage their information adequately from
7:09 - 7:10

when it is created to when it is
7:10 - 7:13

destroyed all right. Just to say that you
7:13 - 7:15

know the increasingly information is the
7:15 - 7:17

lifeline or the blood of the
7:17 - 7:20

organization. So it's very important that
7:20 - 7:24

that anybody, any organization clearly
7:24 - 7:27

understands the value of information
7:27 - 7:28

when you want to do IT governance. You
7:28 - 7:30

don't start from technology. This is how
7:30 - 7:33

COBIT is different from IT. This is how COBIT
7:33 - 7:35

is different from Toga or any of those
7:35 - 7:38

other methodologies. It is complimentary
7:38 - 7:39

and it relies on a lot of those other
7:39 - 7:43

methodologies, but very most importantly
7:43 - 7:46

is the fact that the information in
7:46 - 7:49

itself is what it is that drives the
7:49 - 7:51

organization, okay. Information is the
7:51 - 7:52

blood is the lifeline of the
7:52 - 7:55

organization. And it's, it has to be
7:55 - 7:56

adequately and
7:56 - 7:59

appropriately managed, okay. So, this is
7:59 - 8:02

very very important in fact in the COBIT
8:02 - 8:04

document, you have loads and loads of
8:04 - 8:06

pages that talks about information and
8:06 - 8:08

describes information. The information
8:08 - 8:10

life cycle how it's created how IT
8:10 - 8:13

should be managed. We needs to work with
8:13 - 8:15

it you know it's, it's extensive when it
8:15 - 8:19

comes to its description of information,
8:19 - 8:22

okay. I'll go on quickly. So, what are the
8:22 - 8:24

business concerns that have made us
8:24 - 8:26

develop the COBIT guide or the COBIT document
8:26 - 8:29

in itself first and foremost, obviously,
8:29 - 8:31

as I said, is to ensure that the quality
8:31 - 8:33

of information that is used within the
8:33 - 8:34

business can be
8:34 - 8:37

reliable because business decisions are
8:37 - 8:40

made based on information. So, it's
8:40 - 8:42

it's important that the
8:42 - 8:44

business is guaranteed that the
8:44 - 8:46

information that they have is clear and
8:46 - 8:49

it's useful. Now, we say well generate
8:49 - 8:51

business value from IT enabled
8:51 - 8:54

investment. So the business just
8:54 - 8:58

interested in, that IT
8:58 - 9:00

delivers value to them. So it's important
9:00 - 9:05

and it is critical that every
9:05 - 9:09

every where
9:14 - 9:16

information
9:16 - 9:18

driven, you cannot manage information
9:18 - 9:24

appropriately, orology, adequately except
9:28 - 9:31

you,
9:35 - 9:37

andrology
9:37 - 9:42

that you know in line regulations that you stay
9:42 - 9:44

in line with everything that with
9:44 - 9:46

regards to the organizations. These are
9:46 - 9:49

real business concerns that have driven
9:49 - 9:53

why COBIT has been created and developed
9:53 - 9:57

uh for the use of the Enterprise, okay. So
9:57 - 9:59

apart from the concerns what is driving
9:59 - 10:00

this,
10:00 - 10:03

right, what's driving this and COBIT has. In
10:03 - 10:05

fact, in this slide, I only put about five
10:05 - 10:08

of them COBIT talks about 11 things that are
10:08 - 10:11

driving the development of COBIT, right. One
10:11 - 10:13

of them obviously is saying that you
10:13 - 10:15

know to provide stakeholders with a lot
10:15 - 10:17

of comfort, right. If you look at the
10:17 - 10:19

first point, it says determining what
10:19 - 10:21

they expect from information and related
10:21 - 10:23

technology benefits acceptable level of
10:23 - 10:26

risk, at what cost. So, this is very
10:26 - 10:27

important. These are the things that are
10:27 - 10:30

driving the use and development of
10:30 - 10:32

COBIT addressing the dependency of
10:32 - 10:34

enterprise success on external
10:34 - 10:37

business and it such as Cloud
10:37 - 10:40

providers and service providers. So this
10:40 - 10:43

conversation rings true. Remember in IT,
10:43 - 10:46

IT speaks about having your three
10:46 - 10:49

types of service providers, and your four
10:49 - 10:53

types of suppliers. IT says,
10:53 - 10:55

you should look at the categorization of
10:55 - 10:57

your suppliers because every IT
10:57 - 11:00

department, every IT department has a set
11:00 - 11:03

of service providers, and a set of
11:03 - 11:05

suppliers so it's important that that is
11:05 - 11:07

managed dealing with the amount of
11:07 - 11:09

information that the enterprise has got
11:09 - 11:12

to deal with. So if you look at big data
11:12 - 11:15

and all the conversation around all
11:15 - 11:16

the conversation, around big data, all the
11:16 - 11:19

conversation around the cloud usage and
11:19 - 11:21

storage it's all dealing with
11:21 - 11:23

information, and ensuring that the
11:23 - 11:25

business has adequate information when
11:25 - 11:27

they need them. Yesterday night, I was
11:27 - 11:29

still reading an article that was
11:29 - 11:33

focused on on how hard has
11:33 - 11:35

metamorphosized into spark and how spark
11:35 - 11:38

has metamorphized into a new one. The,
11:38 - 11:41

and everybody's talking about how these
11:41 - 11:43

huge database systems are helping
11:43 - 11:44

organizations with regards to storage,
11:44 - 11:47

and how information is been provided. So,
11:47 - 11:49

that's important also the technology
11:49 - 11:52

changes everybody, every day. There's a
11:52 - 11:53

new invention from a technology, from
11:53 - 11:55

technology provider whether it's
11:55 - 11:58

Microsoft or Cisco or it's Oracle or
11:58 - 12:00

Citrix or vmw.
12:00 - 12:02

There's a new conversation on a daily
12:02 - 12:08

basis with regards to IT. So IT
12:08 - 12:09

needs to be managed adequately because
12:09 - 12:12

also the investment in IT has become
12:12 - 12:16

very much material, right. Further to that
12:16 - 12:20

innovation, so I take, I mean I work
12:20 - 12:21

with organizations in trying to help
12:21 - 12:23

them develop their Innovation
12:23 - 12:26

capabilities. Now, one one consistent
12:26 - 12:29

conversation that keeps coming up is,
12:29 - 12:32

"How can we innovate?" And I say, you can't
12:32 - 12:34

innovate without IT. This is 2015 IT.
12:34 - 12:37

cannot be done. The how well you can
12:37 - 12:39

innovate is very much dependent on how
12:39 - 12:41

well you know how to use it. So
12:41 - 12:43

whether you're using websites whether
12:43 - 12:44

you're using social media, whether you're
12:44 - 12:47

using mobile apps, it all comes down to
12:47 - 12:51

that so because of these varying
12:51 - 12:53

issues right. Those are the drivers for
12:53 - 12:57

the development of COBIT 5 in itself. So let
12:57 - 12:59

me quickly get to this COBIT talks about
12:59 - 13:03

five principles. ISO 38500 also talks
13:03 - 13:06

about six principles, all right. Each of
13:06 - 13:08

the principles have been named
13:08 - 13:11

differently and are addressing
13:11 - 13:12

different things, but there's an
13:12 - 13:14

alignment between the five principles
13:14 - 13:17

that are in COBIT 5 and the six principles
13:17 - 13:21

that is 38500 speaks about. The core
13:21 - 13:25

of the COBIT document is around these five
13:25 - 13:28

principles meeting stakeholders, needs
13:28 - 13:30

covering the Enterprise ENT to end
13:30 - 13:33

applying a single integrated framework
13:33 - 13:35

enabling a holistic approach and
13:35 - 13:38

separating governance from management.
13:38 - 13:41

These are the five principles that
13:41 - 13:43

drive an organization from a COBIT
13:43 - 13:45

perspective. And I'll quickly go into
13:45 - 13:47

them so number one says meeting
13:47 - 13:49

stakeholder needs IT says that the idea
13:49 - 13:51

behind information. And information
13:51 - 13:54

technology will be to give comfort to
13:54 - 13:56

stakeholders to meet their needs
13:56 - 13:58

actually COBIT came up with a with a list of
13:58 - 14:01

22
14:01 - 14:05

broad needs of businesses. I mean 22
14:05 - 14:08

needs of businesses with regards to
14:08 - 14:10

the needs of businesses. A long list of
14:10 - 14:14

22 items that are that most businesses
14:14 - 14:15

will find out are their stakeholder
14:15 - 14:18

needs, right. Also, within stakeholder
14:18 - 14:19

needs, it talks about the concept of
14:19 - 14:21

value creation and since the value
14:21 - 14:23

creation in itself is a governance
14:23 - 14:26

objective, just like strategy. It is a
14:26 - 14:30

governance objective, right. I mean, if you,
14:30 - 14:31

as I said once again, if you've been
14:31 - 14:35

doing COBIT for a while is see what the
14:35 - 14:38

value creation relies on what benefit
14:38 - 14:40

realization, ensuring that you optimize
14:40 - 14:43

risk and you optimize resources. So those
14:43 - 14:45

three key things are very important when
14:45 - 14:48

you think about value, and says here
14:48 - 14:49

clearly, enterprises exist to create
14:49 - 14:52

value for their stakeholders. So when
14:52 - 14:53

we're talking about stakeholders here, we
14:53 - 14:55

mean both internal and external
14:55 - 14:57

stakeholders. So you've got to think
14:57 - 14:58

about what is important to the
14:58 - 15:00

stakeholders and how
15:00 - 15:02

information, tech information and
15:02 - 15:06

related technology can help provide
15:06 - 15:08

that value to stakeholders. So that's
15:08 - 15:10

what governance is, about, it's about also
15:10 - 15:12

it's also about negotiating. IT's about
15:12 - 15:14

negotiating, and deciding among different
15:14 - 15:17

stakeholders their value interest and
15:17 - 15:18

the government governance system should
15:18 - 15:21

consider all stakeholders when making a
15:21 - 15:23

all these decisions around benefit
15:23 - 15:26

realization and risk optimization and
15:26 - 15:27

resource
15:27 - 15:29

optimization. So it's important and
15:29 - 15:31

essential that you understand that who
15:31 - 15:33

are the stakeholders and what exactly
15:33 - 15:35

are their requirements, especially from a
15:35 - 15:40

value perspective. Okay, so COBIT is,
15:40 - 15:44

everybody needs to, to go register on
15:44 - 15:46

the on, the ISAKA website, so that they
15:46 - 15:48

can get their own personalized versions
15:48 - 15:52

of the kit document because you,
15:52 - 15:55

you, IT does, IT's a brilliant, IT's a
15:55 - 15:58

brilliant set of documentation, IT comes.
15:58 - 16:01

IT's got 17 Enterprise goals that it
16:01 - 16:03

came up with saying that these are the
16:03 - 16:07

top 17 things that are important to an
16:07 - 16:09

organization. Then it came up with
16:09 - 16:13

another 17 related IT goals. And then IT
16:13 - 16:15

puts up a metric that aligns the
16:15 - 16:18

Enterprise goals to the IT goals using
16:18 - 16:20

primary and secondary relationships. IT
16:20 - 16:22

was brilliant, was the work of a genius.
16:22 - 16:25

In reality, and I already mentioned to
16:25 - 16:28

you, IT came up with 22 stakeholder
16:28 - 16:30

needs or business needs, needs. So all
16:30 - 16:32

these are within the document, and he
16:32 - 16:35

uses the popular balance score card
16:35 - 16:37

so IT just didn't come up with 17 things
16:37 - 16:40

as a long list. It came up with 17
16:40 - 16:43

different things aligned to the seven
16:43 - 16:45

perspectives of the balance score card.
16:45 - 16:48

So it was really brilliant work. So, you
16:48 - 16:50

can look at the financial objectives of
16:50 - 16:52

a business, the customer objectives, the
16:52 - 16:55

internal process objectives and the
16:55 - 16:57

people objectives of a business on the
16:57 - 17:00

Enterprise. And also from an IT
17:00 - 17:03

perspective, and he shows how these 22
17:03 - 17:06

business needs are cascaded into 17
17:06 - 17:09

Enterprise goals, cascaded into 17 IT
17:09 - 17:11

related goals before we then come up
17:11 - 17:13

with what is referred to as the enaer
17:13 - 17:16

goals. So, this is real good guidance for
17:16 - 17:19

IT departments everywhere to be able to
17:19 - 17:22

use to drive uh their work with regards
17:22 - 17:26

to COBIT in itself, all right. So the next
17:26 - 17:28

principle, I should have put principle
17:28 - 17:31

two here. Says IT covers the entire
17:31 - 17:34

Enterprise. COBIT is not just for a
17:34 - 17:37

department, it's not just for a unit. It's
17:37 - 17:40

not just for the head office. COBIT covers
17:40 - 17:43

the entire organization, end to end, so
17:43 - 17:46

when COBIT uses the concept of end to end. It
17:46 - 17:49

means IT covers the entire organization
17:49 - 17:52

from beginning to the end, all right. So
17:52 - 17:53

IT's integrated governance for the
17:53 - 17:55

entire organization. IT covers all
17:55 - 17:58

functions and processes within the
17:58 - 18:00

business whether they're internal or
18:00 - 18:02

external. So it doesn't matter the
18:02 - 18:04

department, you cannot say that, "Oh, a
18:04 - 18:06

particular department is exempt," no. All
18:06 - 18:08

the department in the organization are
18:08 - 18:11

adequately covered and look looked after
18:11 - 18:15

within the COBIT document, okay. Then, he
18:15 - 18:16

talks about something called a
18:16 - 18:19

governance approach. Once again, it brings
18:19 - 18:21

some roles together. And he says that
18:21 - 18:23

there's a set of roles called the owners,
18:23 - 18:24

and the
18:24 - 18:26

stakeholders. You can call that the
18:26 - 18:28

people the shareholders of the business,
18:28 - 18:30

and the delate their governance
18:30 - 18:32

responsibility. They delegate it to the
18:32 - 18:34

govern, to the governing body. The
18:34 - 18:37

governing body in turn is accountable
18:37 - 18:39

to the stakeholders. That's very
18:39 - 18:41

important. The governing body sets
18:41 - 18:44

directions for management. So that
18:44 - 18:46

management will be the third set of
18:46 - 18:48

people that we're talking about here or
18:48 - 18:51

the, their set of roles management and
18:51 - 18:54

management in in turn is monitored
18:54 - 18:57

by by the government body. So, the
18:57 - 19:00

government body sets direction for
19:00 - 19:03

and, they also
19:03 - 19:05

monitor the things that they've set. The
19:05 - 19:07

objectives that have been set for them
19:07 - 19:09

finally management instructs and aligns
19:09 - 19:11

operations and execution. And they, in
19:11 - 19:14

turn, they report, they report to
19:14 - 19:17

management. So this is very important
19:17 - 19:19

delegation, in terms of understanding, who
19:19 - 19:21

the owners and stakeholders are the
19:21 - 19:23

government body. The management and in
19:23 - 19:26

turn and finally operations and
19:26 - 19:28

execution. So these are four roles and
19:28 - 19:30

this talks about governance. So, I think
19:30 - 19:33

governance is a board conversation. There
19:33 - 19:35

should be a subcomittee at the board
19:35 - 19:36

level, not just at the management level
19:36 - 19:39

at the board level for IT governance. And
19:39 - 19:42

this is not the IT steering committee.
19:42 - 19:43

This is a different committee looking at
19:43 - 19:46

the governance of IT. The third principle
19:46 - 19:48

here talks about applying a single
19:48 - 19:50

integrated framework, and all it just
19:50 - 19:52

says in here is that you know COBIT works
19:52 - 19:55

with every other framework is before
19:55 - 19:57

they developed. COBIT had loads of other
19:57 - 20:00

documents. But, IT risks it. All sorts of
20:00 - 20:03

other documents hope it
20:03 - 20:06

integrates clearly and cleanly with all
20:06 - 20:08

those documents. Number two: to integrate
20:08 - 20:10

COBIT integrates with everything. Whether
20:10 - 20:13

it's TOA for Enterprise, architecture, IT
20:13 - 20:16

for IT service management, or any of the
20:16 - 20:19

ISO standards. They're all adequately
20:19 - 20:22

integrated with COBIT with COBIT. Okay, number
20:22 - 20:24

four. IT talks about the holistic
20:24 - 20:27

approach. So this holistic approach says
20:27 - 20:29

that, you know, there are seven enablers
20:29 - 20:32

and from a from a COBIT perspective, these
20:32 - 20:34

seven things are the things that enable
20:34 - 20:38

an organization to achieve IT governance.
20:38 - 20:40

First and foremost is the principles, the
20:40 - 20:42

policies and the frameworks. Number two
20:42 - 20:44

are the processes. Number three is the
20:44 - 20:47

governance are the organizational
20:47 - 20:49

structures. Four is the culture, the
20:49 - 20:52

ethics and the behavior of the people.
20:52 - 20:55

Five is information, Six is Services,
20:55 - 20:56

infrastructure and application and
20:56 - 21:00

Finally, it is people skills and their
21:00 - 21:04

competences. So, holistic approach
21:04 - 21:06

literally just says that, you know what.
21:06 - 21:07

You've got to look at these seven things.
21:07 - 21:09

IT calls them
21:09 - 21:12

enablers. So you can and if you can see
21:12 - 21:14

from the list. Some of them are soft. Some
21:14 - 21:15

of them are
21:15 - 21:17

hard. So if you look at the things that
21:17 - 21:20

are soft is principles, processes,
21:20 - 21:22

organization of the structure, culture,
21:22 - 21:24

ethics. The concept of information
21:24 - 21:27

people's skills and competences. These
21:27 - 21:28

are a lot of the things that people
21:28 - 21:32

would do it, usually forget about they
21:32 - 21:34

forget about this. They leave IT out. They
21:34 - 21:36

don't take it into consideration and COBIT
21:36 - 21:38

says that you've got to, you've got to
21:38 - 21:40

take these seven enablers, that's what it
21:40 - 21:42

calls them. COBIT has got this brilliant
21:42 - 21:45

diagram where it connects the seven of
21:45 - 21:47

them, and you can see Information,
21:47 - 21:50

services, infrastructure and people below
21:50 - 21:51

all of them connecting to the central
21:51 - 21:54

backbone the in, this instance is like
21:54 - 21:57

the ESB like the Enterprise service. BS
21:57 - 21:59

here is the principle the IES, and the
21:59 - 22:01

Frameworks that are adopted by the IT or
22:01 - 22:05

by the organization in itself. So IT's
22:05 - 22:07

brilliant when IT comes to getting
22:07 - 22:09

this done. That's what IT calls
22:09 - 22:12

holistic, all right. And finally COBIT
22:12 - 22:15

talks about, okay. Before that, it talks
22:15 - 22:17

about enabling process and this enabling
22:17 - 22:19

process says that each of those seven
22:19 - 22:22

enablers that we've looked at IT
22:22 - 22:24

provides adequate guidance to ask a
22:24 - 22:26

couple of questions. I actually have a
22:26 - 22:29

document that I did where I created
22:29 - 22:31

the seven
22:31 - 22:36

enablers on the as R headers. And I
22:36 - 22:39

put stakeholder goals, life cycles and
22:39 - 22:42

good practices as column headers. So for
22:42 - 22:44

each of those enablers, you will have
22:44 - 22:45

stakeholders that are
22:45 - 22:48

applicable goals that are
22:48 - 22:51

applicable life cycle that is applicable
22:51 - 22:54

to each of them, and good practices that
22:54 - 22:56

means for seven different enablers for
22:56 - 23:00

each one of them, yeah. COBIT talks about
23:00 - 23:01

their stakeholders their goals, their
23:01 - 23:03

life cycle and their good practices. It
23:03 - 23:06

was great work. It's brilliant work that
23:06 - 23:09

was done further to that, he also talks
23:09 - 23:11

about performance management, which says
23:11 - 23:14

that you know what those seven enablers.
23:14 - 23:16

How do we judge them in terms of their
23:16 - 23:18

performance? What are the metrics that we
23:18 - 23:21

can use to measure whether they are
23:21 - 23:23

happening
23:23 - 23:25

effectively wise? So it will ask you
23:25 - 23:28

these generic questions saying that a
23:28 - 23:30

stakeholder needs a addressed enable
23:30 - 23:33

goals achieved, then say that is life
23:33 - 23:35

cycle management, and are good practices
23:35 - 23:37

applied. And of course, if you look at
23:37 - 23:38

this, it clearly shows that some of them
23:38 - 23:40

are leading indicators, and some of them
23:40 - 23:43

are lagging indicators, so to speak. So
23:43 - 23:45

some of them, they're before the fact
23:45 - 23:47

it's they're like critical success
23:47 - 23:49

factors like the lead indicators, you put
23:49 - 23:53

them in place ahead of time before time
23:53 - 23:55

while the lagging indicators are after
23:55 - 23:56

you, you. Those are, that's how you will
23:56 - 23:58

check whether things are functioning
23:58 - 23:59

effectively.
23:59 - 24:03

So it's kind of a post is the post
24:03 - 24:05

indicators while the lead indicators
24:05 - 24:08

they are pre-indicators okay. So, the
24:08 - 24:10

fifth principle, which is also, which is
24:10 - 24:13

really where I think,
24:13 - 24:16

I think this is the high, this is the
24:16 - 24:18

high point of of this entire thing. It
24:18 - 24:21

talks about separating governance from
24:21 - 24:24

management I think this is the, this is
24:24 - 24:27

the high point of everything. When COBIT came
24:27 - 24:30

up, we're 37
24:30 - 24:31

different
24:31 - 24:36

processes, and amongst the 37 he CED out
24:36 - 24:39

four five of them and called them
24:39 - 24:42

governance processes. And IT then created
24:42 - 24:45

five domains, and one of those domains is
24:45 - 24:48

a governance domain. I think it was the
24:48 - 24:52

wor I think it is great because hearing
24:52 - 24:54

lies a real difference because a lot of
24:54 - 24:56

people are confused, and say what does
24:56 - 24:58

itel give that COBIT does not give. What does
24:58 - 25:00

COBIT have that this does not have? The key
25:00 - 25:04

thing is that COBIT emphasizes five
25:04 - 25:06

processes that are strictly governance
25:06 - 25:10

processes, not management processes. So COBIT
25:10 - 25:12

makes a clear distinction between what
25:12 - 25:16

is the governance of IT and what is the
25:16 - 25:20

management of IT. Okay, so governance
25:20 - 25:21

ensures that stakeholder needs
25:21 - 25:24

conditions and options are evaluated.
25:24 - 25:26

Management plans, builds and runs and
25:26 - 25:29

monitors the in alignment with direction
25:29 - 25:32

that has been sent. This is key and this
25:32 - 25:34

is fundamental that you understand the
25:34 - 25:36

difference between
25:36 - 25:42

governance and management. Okay so before
25:42 - 25:44

I go to the what I'll consider to do the
25:44 - 25:46

most important slide of this entire
25:46 - 25:49

presentation, I'll stop here first
25:49 - 25:51

which is this slide that. So there are
25:51 - 25:55

four domains. The first domain is called
25:55 - 26:00

the EDM, right. Evaluate direct monitor,
26:00 - 26:02

right, which is the governance domain and
26:02 - 26:04

then the other four domains, which you
26:04 - 26:07

call the nickname for them. I like to say
26:07 - 26:10

it's plan, build, run and monitor. Even
26:10 - 26:13

though that's not the full name, right.
26:13 - 26:17

So but those are, that's how the the
26:17 - 26:19

the that's what I, I like to call the
26:19 - 26:23

nicknames of these four domains. And it's
26:23 - 26:24

important that you understand all these
26:24 - 26:28

four domains adequately. APO means align
26:28 - 26:29

plan and organize.
26:29 - 26:32

BAI means build acquire and Implement.
26:32 - 26:36

RUN means deliver service and support,
26:36 - 26:37

and the final one, which is called
26:37 - 26:41

monitor, talks about monitor
26:41 - 26:43

evaluate and assess. I've also done some
26:43 - 26:46

other documents where I've aligned those
26:46 - 26:49

four primarily to itel to try and draw
26:49 - 26:53

parallels between itel, and these four
26:53 - 26:55

domains but itel does not speak about
26:55 - 26:58

governance. Governance primary is champion
26:58 - 27:01

and described by COBIT, and hearing Li is
27:01 - 27:03

the great thing when it comes to COBIT. So
27:03 - 27:05

these are the five domains. If I move
27:05 - 27:08

into this diagram, and if you, if you have,
27:08 - 27:09

if you can't remember anything that I've
27:09 - 27:12

said, and if you forget this entire
27:12 - 27:15

presentation. Do not forget this slide.
27:15 - 27:17

This slide is the single most important
27:17 - 27:22

slide um uh on this presentation. And it
27:22 - 27:26

talks about these five domains, and it
27:26 - 27:29

then brings the 37 different processes
27:29 - 27:31

it brings them into these five domains.
27:31 - 27:33

I'm going to need you to look at this. So,
27:33 - 27:36

if you look at the top five, the top five
27:36 - 27:39

are all governance ensuring. The
27:39 - 27:40

governance framework setting and
27:40 - 27:42

maintenance benefits delivery risk
27:42 - 27:45

optimization, resource optimization,
27:45 - 27:47

stakeholder transparency. They all belong
27:47 - 27:50

to COBIT to the governance domain then we
27:50 - 27:53

move to align, plan and organize and
27:53 - 27:55

there you see the IT management
27:55 - 27:57

framework is literally find the itle
27:57 - 27:59

there talks about man strategy, you can
27:59 - 28:02

see manage enterprise, architecture. It's
28:02 - 28:05

referring to TOA there, manage innovation,
28:05 - 28:09

manage portfolio right budget and cost
28:09 - 28:10

financial management. That's what it's
28:10 - 28:13

saying human resources, relationship
28:13 - 28:16

service agreements, supply management
28:16 - 28:20

quality managing risk, and finally
28:20 - 28:23

managing security. So there, the 13 of
28:23 - 28:27

them under align, plan and organize and
28:27 - 28:28

some of you who are very familiar with
28:28 - 28:32

it, we already see some similarities in
28:32 - 28:34

that, all right. So, it has borrowed
28:34 - 28:36

some of them, but it has made it much
28:36 - 28:38

more extensive. So it also has build
28:38 - 28:42

acquire and Implement which align to the
28:42 - 28:44

things that you will find under service
28:44 - 28:47

design in it, right. One of the great
28:47 - 28:49

things I like about this, it's separated.
28:49 - 28:51

IT's brought up the conversation of
28:51 - 28:53

program and project management, which IT
28:53 - 28:55

does not focus on the law, and it's
28:55 - 28:57

brought up the conversation around
28:57 - 28:59

organizational change, which is
28:59 - 29:01

brilliant. This is not talking about
29:01 - 29:04

chain management as IT people understand
29:04 - 29:06

it like RFCs and things like that. This
29:06 - 29:08

is talking about organizational chain
29:08 - 29:10

management, then he also talks about
29:10 - 29:12

deliver services, support, manage
29:12 - 29:14

operations, which is very much like
29:14 - 29:16

operations and itle. And finally, it's got
29:16 - 29:18

monitor, evaluate and assess, which is
29:18 - 29:21

very much like CSI. So there are very
29:21 - 29:24

there a lot of alignment between COBIT and
29:24 - 29:27

COBIT, but the brilliant portion in here are
29:27 - 29:29

the things that IT cover, and the
29:29 - 29:31

governance layer that is on this diagram.
29:31 - 29:33

Once again, if you can't remember this
29:33 - 29:35

entire presentation, and you can't
29:35 - 29:38

remember anything that we must have said.
29:38 - 29:42

Please remember, this particular slide
29:42 - 29:45

as it is. These are the 37 processes for
29:45 - 29:46

governance and management is called the
29:46 - 29:49

process reference model, and there are 37
29:49 - 29:53

of them, right. It is extensive. It is a
29:53 - 29:54

brilliant piece of work that has been
29:54 - 29:57

done, and anybody who is in IT governance
29:57 - 29:58

needs to be familiar with this tech
29:58 - 30:04

seven um, uh, IT processes, all right. Good.
30:04 - 30:08

So, there's a. there, there a full document
30:08 - 30:10

that COBIT's got. The, the document is
30:10 - 30:12

called the implementation guidance
30:12 - 30:14

documen,t and it gives a lot of guidance
30:14 - 30:17

in terms of how do you use COBIT? How do
30:17 - 30:19

you get value out of COIT? What triggers
30:19 - 30:22

COBIT usage? Who should be using COBIT
30:22 - 30:25

during the life cycle of an organization?
30:25 - 30:27

When should they use COBIT? So, it's also a
30:27 - 30:29

really great document. It's one of the
30:29 - 30:32

seven documents that I described
30:32 - 30:34

up, and it just gives implementation
30:34 - 30:37

guidance on how COBIT is is meant to be
30:37 - 30:41

used, okay. So it does talk about some
30:41 - 30:44

some success factors for implementation
30:44 - 30:47

top management everybody knows that IT
30:47 - 30:49

governance belongs to the board, and the
30:49 - 30:51

board has to show that they really do
30:51 - 30:54

know and understand IT governance. All
30:54 - 30:55

parties supporting the governance
30:55 - 30:58

and mental processes to understand the
30:58 - 30:59

the
30:59 - 31:02

an IT objective tailoring COBIT. So COBIT does
31:02 - 31:04

require a lot of expertise, so I work
31:04 - 31:06

with a lot of organizations. Sometimes
31:06 - 31:08

that are struggling from they know what
31:08 - 31:10

COBIT is they have the documentation. They
31:10 - 31:13

bought IT, but they still don't how to
31:13 - 31:15

use IT. So IT doesn't need a lot of
31:15 - 31:16

tailoring. So that an organization can
31:16 - 31:20

get adequate value from IT, okay. And
31:20 - 31:22

there a lot of factors within the
31:22 - 31:24

the internal and exteral enterprise
31:24 - 31:25

environment that must be taken into
31:25 - 31:27

consideration the ethics of the
31:27 - 31:29

organization. Their mission, their goals,
31:29 - 31:31

their operative model. Their
31:31 - 31:33

management style, their risk capital. All
31:33 - 31:36

that has got to be adequately taken into
31:36 - 31:38

consideration, all right. So this is
31:38 - 31:40

another great piece of work that was
31:40 - 31:42

done COBIT. It's called the
31:42 - 31:45

implementation life cycle. It's also very
31:45 - 31:47

brilliant. IT decides to look at the
31:47 - 31:49

implementation, not just thinking about
31:49 - 31:51

IT from a project or program perspective,
31:51 - 31:53

but IT looks at it from four different
31:53 - 31:56

perspectives. First and foremost, is IT
31:56 - 31:57

would ask you the same questions that?
31:57 - 32:00

You have on in itle used to be called
32:00 - 32:03

the or, it's called the CSI approach
32:03 - 32:05

where it says that, you know, you just ask
32:05 - 32:07

you some questions. Where are we now?
32:07 - 32:08

Where do we want to be? Where do we need
32:08 - 32:11

to be? How do we get there? All those
32:11 - 32:13

questions, right. But IT then brings the
32:13 - 32:15

next layer. We talks about program
32:15 - 32:17

management, and he says that, you know,
32:17 - 32:19

what from a program perspective? How do
32:19 - 32:22

we manage implementation from a program
32:22 - 32:24

perspective that he says that there's
32:24 - 32:27

another layer which a lot of IT people
32:27 - 32:28

fail to realize?
32:28 - 32:30

I've suffered a lot from that we talks
32:30 - 32:33

about change enablement, IT projects are
32:33 - 32:36

change projects. They organizational
32:36 - 32:38

change initiatives, and every
32:38 - 32:40

organization needs to adequately manage
32:40 - 32:43

those change initiatives, to be able to
32:43 - 32:46

get adequate, adequate value from this.
32:46 - 32:49

So it's important, and it's extremely
32:49 - 32:51

essential that you drive this from a
32:51 - 32:54

change perspective. Otherwise, you will
32:54 - 32:56

not get value out of using the
32:56 - 32:59

methodology like COBIT. Finally, he also
32:59 - 33:00

talks about the continual Improvement
33:00 - 33:02

life cycle, which is really good which
33:02 - 33:05

also just says that, you know, how do we
33:05 - 33:07

ensure that whatever good work we've
33:07 - 33:08

done today is sustained within the
33:08 - 33:11

organization? So the sustenance of the
33:11 - 33:13

great work that is done. The measurement
33:13 - 33:16

and sustenance is very much almost
33:16 - 33:18

aligns to, you know, the seven step
33:18 - 33:21

Improvement life cycle in itel, is what
33:21 - 33:24

this is about. So this is also another
33:24 - 33:26

great piece of work done by COBIT that just
33:26 - 33:29

allows you to look at uh implementation
33:29 - 33:31

of COBIT in itself, not just thinking about
33:31 - 33:34

it from a project or program perspective,
33:34 - 33:36

but also thinking about IT as a change
33:36 - 33:38

initiative, and finally thinking about
33:38 - 33:42

how will the initiative be sustained
33:42 - 33:43

within the
33:43 - 33:47

organization, all right. Great, so COBIT
33:47 - 33:51

borrows from COBIT, borrows a lot of
33:51 - 33:55

measurements from ISO, okay. There's a
33:55 - 33:57

method. There's an ISO standard called
33:57 - 34:00

1550 War, which a lot of people are not
34:00 - 34:02

familiar with. He also borrows from
34:02 - 34:05

cmmi because cmmi talks about both
34:05 - 34:08

maturity and capability models. And I
34:08 - 34:11

can't really go into the details of that,
34:11 - 34:13

but if you if you know K4 and if you
34:13 - 34:14

know, most organizations, most people
34:14 - 34:17

speak about their, the maturity of
34:17 - 34:19

their processes, so they talk about a
34:19 - 34:22

maturity model. A lot of organizations
34:22 - 34:25

talk about a maturity model. The maturity
34:25 - 34:28

of their processes,
34:28 - 34:31

right. COBIT goes further because cmmi also
34:31 - 34:33

goes further. If you look at cmmi for
34:33 - 34:36

development, specifically IT, not only
34:36 - 34:38

speaks about maturity of processes but
34:38 - 34:41

then also looks at the
34:41 - 34:44

capability. Capability is at a much lower
34:44 - 34:47

level, so while maturity is looking at it
34:47 - 34:50

at a much higher level capability goes
34:50 - 34:52

into details and allows you to look at
34:52 - 34:56

processes at a low level, right. So, the
34:56 - 35:00

capability talks about level 0 1 2 3 4
35:00 - 35:03

and 5: incomplete, performed, managed,
35:03 - 35:05

established, predictable and optimized.
35:05 - 35:08

And the C document goes into a lot of
35:08 - 35:10

explanation into before you can judge an
35:10 - 35:13

organization and say your supply
35:13 - 35:16

management is established. How did you
35:16 - 35:18

arrive at that? What did they score? How
35:18 - 35:20

did you look at it? What was the criteria?
35:20 - 35:22

All that information is included in
35:22 - 35:25

some of the co-documents, but it's good
35:25 - 35:27

to understand that you can look at
35:27 - 35:29

processes, not just from a maturity
35:29 - 35:34

perspective, but also from a capability
35:34 - 35:36

perspective, all right. There been, there's
35:36 - 35:39

been there's one of the webinars
35:39 - 35:41

that I did hold with PCB, and we talked
35:41 - 35:45

about we looked at cmmi. Specifically, so
35:45 - 35:47

this is really great so you can look at
35:47 - 35:49

this it says you know incomplete perform
35:49 - 35:51

managed, and what is the criteria of the
35:51 - 35:53

description for you to say that an
35:53 - 35:55

organization is at any of these levels
35:55 - 35:58

of capability. So this is really
35:58 - 36:01

and this is great, all right. So enough
36:01 - 36:03

about COBIT. So, that I don't spend the
36:03 - 36:04

entire day speaking about COBIT once again
36:04 - 36:08

as I said you really cannot do ISO 38500.
36:08 - 36:11

except you know COBIT because the ISO 38
36:11 - 36:15

500 document in itself does refer COBIT in
36:15 - 36:18

itself. So you can't really work with the
36:18 - 36:20

standard without understanding the best
36:20 - 36:23

practice. And as I've said in time past, a
36:23 - 36:26

lot of the standards are developed from
36:26 - 36:28

best practice. So it's important that an
36:28 - 36:31

organization completely adopts a lot of
36:31 - 36:34

the best practice. So, the stand you can't
36:34 - 36:36

really if an organization wants to
36:36 - 36:37

achieve a proper standard. They need to
36:37 - 36:39

go to ISO
36:39 - 36:41

38500. If the business want to plaque,
36:41 - 36:42

they want to brand themselves they want
36:42 - 36:44

to be able to say to people that you
36:44 - 36:46

know what we've achieved the ISO
36:46 - 36:48

standard for IT governance. Then they
36:48 - 36:49

need to go to ISO
36:49 - 36:52

38500. That is what they need to do. So
36:52 - 36:55

it's important that people understand
36:55 - 36:57

where each of these things complement
36:57 - 37:01

each each other. Where does ISO 38500
37:01 - 37:04

compliment COBIT? When we work for clients,
37:04 - 37:06

we try and ensure that we marry these
37:06 - 37:11

four things together. We marry ISO 38500
37:11 - 37:14

with 27 with 20 and with
37:14 - 37:17

2231 because it's easier to marry them
37:17 - 37:20

from a standard perspective. I've seen
37:20 - 37:22

organizations. Sometimes, they will write
37:22 - 37:24

all the standards that they write COBIT.
37:24 - 37:27

It's not from ISO, so if you're doing ISO,
37:27 - 37:28

it makes sense that you marry the four
37:28 - 37:32

of them from an ISO perspective, all
37:32 - 37:36

right. So this is really good just like
37:36 - 37:40

27,000 relies a lot on the nist document
37:40 - 37:46

in itself. 20,000 relies on itail 38,000,
37:46 - 37:50

38500 relies on COBIT, so it's good that
37:50 - 37:53

you can draw a line and marry this
37:53 - 37:55

together, but I've seen a few
37:55 - 37:59

organizations who are adopting 38 by.
37:59 - 38:00

So as part of that adoption process,
38:00 - 38:02

they've got to really do a lot of COBIT
38:02 - 38:04

work and this is, this would really be
38:04 - 38:08

great and interesting all right. So
38:08 - 38:12

um, so what ISO 38500 focuses primarily on
38:12 - 38:15

governance. It does not speak about the
38:15 - 38:16

extensive part, when you start to look at
38:16 - 38:19

all the 37 processes and all the
38:19 - 38:21

stuff that's got to do with management.
38:21 - 38:23

No, it really just says you know
38:23 - 38:25

directors should govern IT and they
38:25 - 38:28

should do it through three main tasks,
38:28 - 38:30

right. And the number one task is
38:30 - 38:31

evaluate the current and future use of
38:31 - 38:33

IT direct preparation and implementation
38:33 - 38:37

plan. Monitor confirmance. Confirmance so
38:37 - 38:39

the standard in itself sets out six
38:39 - 38:42

principles for good corporate governance.
38:42 - 38:45

So, and this principles they express
38:45 - 38:47

the preferred nehavior with regards to
38:47 - 38:50

decision making, the statement of each
38:50 - 38:52

principle refers to what should happen
38:52 - 38:54

but does not necessarily talk about how
38:54 - 38:56

you should refer to COBIT for that, and each
38:56 - 38:58

of the principles is then tied to to the
38:58 - 39:00

model. So it's good that you see
39:00 - 39:01

something like this. So we talk about the
39:01 - 39:03

business pressures. Business needs
39:03 - 39:06

corporate governance of IT. We talked
39:06 - 39:09

about EDM earlier in COBIT: elevate, direct,
39:09 - 39:12

and monitor and plans and policies.
39:12 - 39:14

Proposals come from the businesses and
39:14 - 39:17

how this affects ICT projects and
39:17 - 39:18

operations.
39:18 - 39:21

So this, this is really what it is. It's
39:21 - 39:23

good to achieve a IT 38500, but you cannot
39:23 - 39:25

achieve 38500, except you've already done
39:25 - 39:28

COBIT I will, I will, I cannot overstress
39:28 - 39:32

that so IT will be good that you, you, you
39:32 - 39:34

know that and that you take that into
39:34 - 39:37

consideration. Okay, good. So I'll move on,
39:37 - 39:40

I'll quickly speak about these five
39:40 - 39:42

principles so that we can round up
39:42 - 39:44

principle. Number one just talks about
39:44 - 39:46

responsibility, so the business and the
39:46 - 39:49

it should collaborate in a
39:49 - 39:52

partnership utilizing appropriate
39:52 - 39:54

communication to ensure that you know it
39:54 - 39:56

is done appropriately. Then the it
39:56 - 39:59

executive themselves, acting on behalf
39:59 - 40:01

of the board and chaired by the board. It's a very,
40:01 - 40:02

It's a very effective mechanism for
40:02 - 40:05

evaluating directing IT directors of
40:05 - 40:06

small
40:06 - 40:08

organizations should get very much
40:08 - 40:10

involved with what is happening. From an
40:10 - 40:13

IT perspective, that's why you see that
40:13 - 40:17

some small organizations,
40:17 - 40:21

literally of IT reports to chief
40:21 - 40:23

operations officer in some organizations.
40:23 - 40:26

So, so talk about responsibility being
40:26 - 40:28

one of the principles, the other
40:28 - 40:30

principle here . It talks about strategy,
40:30 - 40:32

so it says that you know strategy is
40:32 - 40:34

extremely complex. It needs to be
40:34 - 40:36

involved at the strategy level. It should
40:36 - 40:39

not wait till the end. It should not be
40:39 - 40:41

fed secondary information. It needs to
40:41 - 40:44

work closely with the business to ensure
40:44 - 40:46

that you know, they understand the
40:46 - 40:48

strategy, and that they can deliver very
40:48 - 40:50

much in line with the strategy of the
40:50 - 40:53

business. Once again, COBIT does an extremely
40:53 - 40:56

good job of explaining a lot of this. ISO
40:56 - 40:58

38500, when you buy it from the
40:58 - 41:00

site. It's just about, I think it's
41:00 - 41:02

probably less than 20 pages, and it just
41:02 - 41:04

speaks about these things at the high
41:04 - 41:06

level if you really want to get this and
41:06 - 41:08

to understand how we should do it you
41:08 - 41:11

need to refer to the COBIT document, okay.
41:11 - 41:13

And yeah, so IT talks about balance COBIT
41:13 - 41:16

card aligning balance score card from
41:16 - 41:18

the business and the IT balance score
41:18 - 41:20

card. So balance score card is not just
41:20 - 41:22

used by the business is also used by the
41:22 - 41:24

IT department. So you can have, you can
41:24 - 41:27

have an IT balance for then we have what
41:27 - 41:29

is referred to as
41:29 - 41:32

acquisition. And I already mentioned how
41:32 - 41:34

important service providers and vendors
41:34 - 41:39

are within the entire space of
41:39 - 41:42

IT governance. So acquisition of
41:42 - 41:44

anything that is IT in terms of
41:44 - 41:46

resources needs to be looked at
41:46 - 41:48

adequately. It needs to be managed. It
41:48 - 41:50

needs to be aligned, and you need to
41:50 - 41:52

ensure that you get the adequate return
41:52 - 41:55

on investment. You've got to pick the
41:55 - 41:56

right technology. You've got to pick the
41:56 - 41:58

right technology
41:58 - 42:01

provider. These things are very important
42:01 - 42:04

before value can be delivered. So
42:04 - 42:06

technology has got to be both fits for
42:06 - 42:09

Value that are ffor use and fit for purpose
42:09 - 42:11

in itself. So it's got to meet both the
42:11 - 42:15

utility and the warranty
42:15 - 42:19

components as it is. So IT solutions
42:19 - 42:21

support the business. So acquisition has
42:21 - 42:23

got to be looked at. You don't just allow
42:23 - 42:24

procurement departments, sometimes, that
42:24 - 42:26

do not understand how IT should be
42:26 - 42:29

procured to go ahead with it without
42:29 - 42:32

adequately involving the IT department,
42:32 - 42:34

okay. Or the people who know about IT so
42:34 - 42:35

there must be a lot of governance around
42:35 - 42:37

the acquisition of IT. That's what this
42:37 - 42:40

is saying. And principle four, once again
42:40 - 42:41

is talking about
42:41 - 42:43

performance says the performance is, got
42:43 - 42:44

to be looked at. You've got to come up
42:44 - 42:47

with your csfs and your kpis and all
42:47 - 42:49

this to be adequately looked at in terms
42:49 - 42:53

of performance management. We
42:53 - 42:55

looked at lagging indicators, leading
42:55 - 42:58

indicators key goal indicators, key
42:58 - 42:59

performance
42:59 - 43:02

indicators and performance in itself
43:02 - 43:04

even needs to be sustained, and you know
43:04 - 43:06

what they say, "If you can't measure it,
43:06 - 43:08

then it does not exist." So it's important
43:08 - 43:10

that you understand how performance
43:10 - 43:12

works how performance measurement should
43:12 - 43:15

be done. And how if you need to build the
43:15 - 43:17

performance scorecard, how it should be
43:17 - 43:20

done for it and the metrics that you're
43:20 - 43:22

using for IT governance. Are they the
43:22 - 43:24

appropriate metrics, and do they provide
43:24 - 43:26

the right information. So apart from
43:26 - 43:28

performance is also the concept of
43:28 - 43:31

conformance. Conformance just says that
43:31 - 43:32

IT governance we should be worried about
43:32 - 43:34

regulatory issues. We should be worried
43:34 - 43:36

about statutary issues. We should be
43:36 - 43:39

worried about whether we're meeting
43:39 - 43:41

everything that's got to do with law and
43:41 - 43:44

order. Meeting all of them in place and
43:44 - 43:46

you know so it's for in a lot of
43:46 - 43:49

countries. ISO 27,000, ISO 20,000 even
43:49 - 43:52

ISO 38500 is not a nice to have. It's a
43:52 - 43:55

must have, especially in the financial
43:55 - 43:58

services industry. So the conversation
43:58 - 44:00

around meeting regulatory requirements
44:00 - 44:01

is a boardroom discussion that needs to
44:01 - 44:03

be had and had
44:03 - 44:06

regularly. And that's what conformance
44:06 - 44:08

is referring to, right. So are we
44:08 - 44:09

conforming to everything that has been
44:09 - 44:12

laid down. Finally, there's a people
44:12 - 44:14

element to IT. Do we have the right
44:14 - 44:16

people? Are people doing the right things
44:16 - 44:18

are they adequately trained? Do we have
44:18 - 44:20

the right skills within the IT
44:20 - 44:22

department to deliver value to the
44:22 - 44:25

business, you know? Within an ISO, there's
44:25 - 44:27

not one of the things you look at within
44:27 - 44:30

an ISO assessment in an organization.
44:30 - 44:32

Do they have skilled people? Do they have
44:32 - 44:34

trained people? So these things are very
44:34 - 44:36

important for a human behavior
44:36 - 44:38

perspective. And it's very important and
44:38 - 44:40

essential that all this is adequately
44:40 - 44:44

done. So that's primarily it from an ISO
44:44 - 44:47

38500 perspective. It really really just
44:47 - 44:50

looks at these seven principles, and
44:50 - 44:53

refers to COBIT a lot. It is really around
44:53 - 44:57

what is it that COBIT does have to offer to
44:57 - 44:58

the organization. Remember what it
44:58 - 45:02

is that I said, that I gave you the 37
45:02 - 45:06

processes within COBIT and how governance
45:06 - 45:09

has been separated from management and
45:09 - 45:11

the person are very important, then I
45:11 - 45:14

showed you this one that talked about
45:14 - 45:16

how IT governance needs to be
45:16 - 45:18

implemented in an organization, not just
45:18 - 45:19

thinking about it from a program
45:19 - 45:22

perspective. But thinking about IT from a
45:22 - 45:25

program change and continual Improvement
45:25 - 45:28

perspective. And finally is about the
45:28 - 45:30

adoption of cmmi capability measurement
45:30 - 45:34

capability model for using it within IT
45:34 - 45:36

governance, not just using the maturity
45:36 - 45:38

model. So this is a significant
45:38 - 45:42

Improvement on of version five over
45:42 - 45:45

the COBIT version four as it is,
45:45 - 45:47

all right. So and of course, the six
45:47 - 45:50

principles that are discussed under ISO
45:50 - 45:54

38500 so primarily. That is it. There's
45:54 - 45:56

not a whole lot that is about, about this
45:56 - 45:58

beyond this. I believe we're going to
45:58 - 46:00

put this up on the internet and
46:00 - 46:02

people can download it and they can
46:02 - 46:04

listen to this again, and they can
46:04 - 46:06

download some of the materials. All the
46:06 - 46:07

diagrams and a lot of those things
46:07 - 46:10

belong directly to Isaka and I've
46:10 - 46:11

already said mentioned that in my
46:11 - 46:14

presentation, so for you to
46:14 - 46:17

effectively do IT governance or for you
46:17 - 46:19

to have effective IT governance. You've
46:19 - 46:21

got to marry these two. You've got to
46:21 - 46:25

marry COBIT 5 and ISO 38500 effectively
46:25 - 46:26

for an
46:26 - 46:28

organization, okay, okay. Thank you very
46:28 - 46:31

much. I would like to take the questions
46:31 - 46:33

now. Thank you very much for this
46:33 - 46:36

presentation, Mr. Orlando. We have a
46:36 - 46:39

few questions over here. I will start and
46:39 - 46:42

you may answer, just a few of them.
46:42 - 46:44

The first one is are there other
46:44 - 46:47

major are there any other major
46:47 - 46:51

differences among COBIT 4.1 and COBIT
46:51 - 46:56

5.0. Well, there quite a bit a lot of the
46:56 - 46:58

differences apart from the use of
46:58 - 47:00

maturity and capability there. There's a
47:00 - 47:03

couple of other differences. The way of
47:03 - 47:05

course, I mean, they've separated it.
47:05 - 47:07

They've added the governance layer to IT,
47:07 - 47:10

and the process is here now 37, which is
47:10 - 47:12

much more than what you used to have in
47:12 - 47:17

um uh COBIT 4 in itself. And um the way the
47:17 - 47:20

extra documents have also been done. It's
47:20 - 47:22

much broader than what it is. The older
47:22 - 47:26

COBIT did not take risk IT. V-IT, all those
47:26 - 47:29

documents into consideration. But 5 has
47:29 - 47:31

added all of them. So all I'm, all I'll say
47:31 - 47:34

that there probably a 50% difference
47:34 - 47:37

between 4 and 5. So it's quite huge in
47:37 - 47:40

terms of the additions that have been
47:40 - 47:43

added onto
47:43 - 47:47

it. Thank you. The next question is, "Can
47:47 - 47:49

I use COBIT 5 as a statement for
47:49 - 47:52

criteria for specific audit
47:52 - 47:56

conclusions?" Oh, yes so very, very much.
47:56 - 47:58

A lot in fact, a lot of people when it
47:58 - 48:01

comes to their audit the controls and
48:01 - 48:04

the findings and the conclusions. A lot
48:04 - 48:05

of what it is that is being used by a
48:05 - 48:07

lot of organizations is taken directly
48:07 - 48:08

out of COBIT
48:08 - 48:12

5 as of today. So yes, you can use it for
48:12 - 48:13

your audit conclusions, and you can use
48:13 - 48:16

it to defend and substantiate your
48:16 - 48:18

position once. Once you follow through
48:18 - 48:20

with COBIT there, can't be anything
48:20 - 48:21

higher than
48:21 - 48:25

that, okay. Yes, thank you. The third
48:25 - 48:28

question is, "Which businesses are
48:28 - 48:30

using more COBIT
48:30 - 48:33

5?" Every industry. Every single
48:33 - 48:35

industry: financial services probably
48:35 - 48:37

possibly be number one.
48:37 - 48:38

Telecommunications,
48:38 - 48:41

manufacturing services, industry,
48:41 - 48:43

everybody. There's no better
48:43 - 48:45

governance. IT governance. Methodology in
48:45 - 48:48

the world that COBIT 5 right now. So
48:48 - 48:50

everybody who is concerned about IT
48:50 - 48:52

governance in every single industry is
48:52 - 48:53

using COBIT.
48:53 - 48:56

Thank you. The next question is,
48:56 - 49:00

what is the difference between ISO
49:00 - 49:06

38,500 2015 and ISO 38,500
49:06 - 49:08

2008? What was the other one that you
49:08 - 49:10

said? I didn't hear
49:10 - 49:13

that. I didn't, I didn't get
49:13 - 49:15

that. May I repeat the
49:15 - 49:18

question? Yes, please. What is the
49:18 - 49:20

difference between ISO
49:20 - 49:24

38,500 2015 with ISO
49:24 - 49:28

38,500 2008.
49:28 - 49:31

Oh yeah. Well I mean the the 2015 version
49:31 - 49:33

is better aligned to COBIT. That's the
49:33 - 49:36

primarily, that's it. So the 2015 version
49:36 - 49:39

it refers to COBIT 5 in fact, it really
49:39 - 49:42

does it's really about COBIT 5. It just
49:42 - 49:44

provides some extra guidance that I
49:44 - 49:47

showed within those principles but
49:47 - 49:49

it's better aligned. The older version,
49:49 - 49:51

the
49:51 - 49:54

2008 referred to the older COBIT a bit,
49:54 - 49:57

but this new one really refers to COBIT 5.
49:57 - 49:58

The major
49:58 - 50:01

difference. And the last question is,
50:01 - 50:03

is the COBIT 5 framework superior to the
50:03 - 50:04

other
50:04 - 50:09

frameworks as such as ITAL and ISO
50:09 - 50:11

27,000
50:11 - 50:14

series? I don't think it's, it's about
50:14 - 50:17

superiority. That's a, that's not a word
50:17 - 50:19

that I want to use, but I would say it's
50:19 - 50:23

much more complete. IT looks at it from a
50:23 - 50:25

much broader perspective, looks at the
50:25 - 50:27

business more thoroughly,
50:27 - 50:30

and then you know brings in much more
50:30 - 50:34

than how IT looks at it. It's beyond
50:34 - 50:36

service management is beyond enterprise
50:36 - 50:38

architecture. It is beyond all the things.
50:38 - 50:41

So I'll say, it's much more holistic, much
50:41 - 50:44

more complete um in comparison, but I
50:44 - 50:45

would say
50:45 - 50:48

superior. Thank you again, Mr. Orlando,
50:48 - 50:51

for this excellent presentation. I
50:51 - 50:53

want to thank all the attendees as well
50:53 - 50:54

for taking the time out of your business
50:54 - 50:57

schedule to join us. We hope you enjoy
50:57 - 50:59

this webinar. We have received all your
50:59 - 51:01

questions, and because the time is limited
51:01 - 51:02

we will answer to your question
51:02 - 51:05

individually by email. Please check PCB's
51:05 - 51:08

webinar schedule in our website www.
51:08 - 51:11

pcb.com or our official social
51:11 - 51:13

media network since next week, we are
51:13 - 51:15

organizing webinars on interesting
51:15 - 51:18

topics. Next Monday on 9th of October, we
51:18 - 51:21

are hosting a webinar on the topic ISO
51:21 - 51:24

21,500: a guidance to project managers on
51:24 - 51:27

ISO 21,500 project management
51:27 - 51:29

standard. Thank you again, and see you in
51:29 - 51:32

the next webinars, thank you. Mr.
51:32 - 51:34

Orlando. All right, thank you very much.
51:34 - 51:38

Thank you, much appreciated. Alright.

Title:: Aligning COBIT 5.0 and ISO/IEC 38500
Description:: more » « less
Video Language:: English
Duration:: 51:37

	OEVIDEOS edited English subtitles for Aligning COBIT 5.0 and ISO/IEC 38500
	OEVIDEOS edited English subtitles for Aligning COBIT 5.0 and ISO/IEC 38500
	OEVIDEOS edited English subtitles for Aligning COBIT 5.0 and ISO/IEC 38500
	OEVIDEOS edited English subtitles for Aligning COBIT 5.0 and ISO/IEC 38500
	OEVIDEOS edited English subtitles for Aligning COBIT 5.0 and ISO/IEC 38500
	OEVIDEOS edited English subtitles for Aligning COBIT 5.0 and ISO/IEC 38500

English subtitles

Revisions Compare revisions

Revision 6 Edited

OEVIDEOS
Revision 5 Edited

OEVIDEOS
Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	6	OEVIDEOS
	5	OEVIDEOS
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

Aligning COBIT 5.0 and ISO/IEC 38500

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)