School of Information Systems

Comparing COBIT 4.1 and COBIT 5.0 (Part 2)

What are the differences between COBIT 4.1 and COBIT 5.0?

According to ISACA (2012), there are 9 major areas of change in COBIT 5 content, each of which may impact GEIT (Governance of Enterprise Information Technology) implementation/improvement. The nine major areas of change are:

1. New GEIT Principles

  • Val IT and Risk IT frameworks are principles-based.
  • Feedback indicated that principles are easy to understand and put into an enterprise context, allowing value to be derived from the supporting guidance more effectively.
  • COBIT 5 Principles:

Source:  COBIT® 5, figure 2. © 2012 ISACA®  All rights reserved

2. Increased Focus on Enablers

  • It is sometimes said that COBIT 4.1 did not have enablers. It did: they were not called enablers, but they were there, explicitly or implicitly.

Source:  COBIT® 5, figure 12. © 2012 ISACA®  All rights reserved

  • Information, infrastructure, applications (services) and people (people, skills and competencies) were COBIT 4.1 resources.
  • Principles, policies and frameworks were mentioned in a few COBIT 4.1 processes.
  • Processes were central to COBIT 4.1 use.
  • Organisational structure was implied through the responsible, accountable, consulted or informed (RACI) roles and their definitions.
  • Culture, ethics and behaviour were mentioned in a few COBIT 4.1 processes.

3. New Process Reference Model

  • COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end, i.e., business and IT function areas.
  • COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into one framework, and has been updated to align with current best practices, e.g., ITIL V3 2011, TOGAF.
  • The new model can be used as a guide for adjusting the enterprise’s own process model as necessary (just like COBIT 4.1).

Source:  COBIT® 5, figure 16. © 2012 ISACA®  All rights reserved

4. New and Modified Processes

  • COBIT 5 introduces five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches.

This guidance:

  1. Helps enterprises to further refine and strengthen executive management-level GEIT practices and activities.
  2. Supports GEIT integration with existing enterprise governance practices and is aligned with ISO/IEC 38500.

  • COBIT 5 has clarified management-level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model.
  • There are several new and modified processes that reflect current thinking, in particular:
  1. APO03 Manage enterprise architecture.
  2. APO04 Manage innovation.
  3. APO05 Manage portfolio.
  4. APO06 Manage budget and costs.
  5. APO08 Manage relationships.
  6. APO13 Manage security.
  7. BAI05 Manage organisational change enablement.
  8. BAI08 Manage knowledge.
  9. BAI09 Manage assets.
  10. DSS05 Manage security service.
  11. DSS06 Manage business process controls.
  • COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view.
  • This provides for a more holistic and complete coverage of practices reflecting the pervasive enterprisewide nature of IT use.
  • It makes the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent.

5. Practices and Activities

  • The COBIT 5 governance or management practices are equivalent to the COBIT 4.1 control objectives and Val IT and Risk IT processes.

www.isaca.org/Journal/Past-Issues/2011/Volume-4/Pages/Where-Have-All-the-Control-Objectives-Gone.aspx

  • The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT management practices.
  • COBIT 5 integrates and updates all of the previous content into the one new model, making it easier for users to understand and use this material when implementing improvements.

6. Goals and Metrics

  • COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view.
  • COBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals and then supported by critical processes.
  • COBIT 5 provides examples of goals and metrics at the enterprise, process and management practice levels. This is a change from COBIT 4.1, Val IT and Risk IT, which went one level lower.

7. Inputs and Outputs

  • COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level.
  • This provides additional detailed guidance for designing processes to include essential work products and to assist with interprocess integration.

8. RACI Charts

  • COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT.
  • COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.

9. Process Capability Maturity Models and Assessments

  • COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modelling approach.
  • COBIT 5 will be supported by a new process capability assessment approach based on ISO/IEC 15504, and the COBIT Assessment Programme has already been established for COBIT 4.1 as an alternative to the CMM approach.

www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx

  • The COBIT 4.1, Val IT and Risk IT CMM-based approaches are not considered compatible with the ISO/IEC 15504 approach because the methods use different attributes and measurement scales.
  • The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method.
  • The COBIT Assessment Programme supports:
  1. Formal assessments by accredited assessors (assessor training is being developed)
  2. Less rigorous self-assessments for internal gap analysis and process improvement planning
  • In the future, the COBIT Assessment Programme will also potentially enable an enterprise to obtain independent and certified assessments aligned to the ISO/IEC standard.