COBIT Self-assessment Guide: Using COBIT 5. Subjects: COBIT (Information technology management standard); Information technology > Evaluation. The COBIT PAM adapts the existing COBIT content into an ISO ... An alignment of COBIT's maturity model scale with the international standard ... Assessor qualifications and experiential requirements ... (COSO Guidance). ISACA has designed and created COBIT® Self-assessment Guide: Using COBIT® 5 (the 'Work') primarily as an assessor ... The Measurement Framework.
Published (last): 10 June 2007
Published by Latrell Liscomb. Modified over 4 years ago.

Speaker notes: lead into the next slide with the differences, and say that an outcome is an artefact, a significant change of state, or the meeting of specified constraints.

Outcomes (Os), by number and description:
- DS1-O1: A service management framework is in place to define the organisational structure for service level management, covering the base definitions of services, roles, tasks and responsibilities of internal and external service providers and customers.

Base practices (BPs):
- DS1-BP5: Monitor and report end-to-end service level performance.
- DS1-BP8: Create a service improvement plan.

Level 1 is assessed against process-specific outcomes and base practices such as these; all other levels and attributes (PA2. and above) are assessed against generic indicators. Taken in order, the process attributes cover:
- Process results or performance
- Management of the process performance
- Management of work products of the process
- Definition of the process
- Deployment of the process
- Measurement and control of the process
- Innovation and optimisation of the process

Let's take a look at a couple of these in a little more detail so you can get a sense of what they mean.
Process performance (PA1): as a result of full achievement of this attribute, the process achieves its defined outcomes. On this slide and the next one, walk through an example of process attributes PA1 and PA2.

Performance management (PA2.1): as a result of full achievement of this attribute:
- Objectives for the performance of the process are identified.
- Performance of the process is planned and monitored.
- Performance of the process is adjusted to meet plans.
- Responsibilities and authorities for performing the process are defined, assigned and communicated.
- Resources and information necessary for performing the process are identified, made available, allocated and used.
- Interfaces between the involved parties are managed to ensure effective communication and clear assignment of responsibility.

Work product management (PA2.2): as a result of full achievement of this attribute:
- Requirements for the work products of the process are defined.
- Requirements for documentation and control of the work products are defined.
- Work products are appropriately identified, documented and controlled.
- Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.

The next attributes relate to management of the process and its associated work products. The generic outcomes the assessor looks for are:
- Process objectives have been defined.
- The process performance is planned and monitored.
- Process performance is adjusted to meet plans.
- Responsibilities and authorities are defined, assigned and communicated.
- Resource and information requirements are identified, allocated and used.
- There is effective communication between parties and clear assignment of responsibilities.
- Requirements for the work products have been defined.
- Requirements for documentation and control of the work products have been defined.
- The work products are identified, documented and controlled consistent with the definitions.
- Work products are reviewed and adjusted as necessary to meet the requirements.
We will walk through an example of these shortly.

Assessment indicators:
- Provide the basis for repeatability across assessments.
- A rating is assigned based on objective, validated evidence for each process attribute.
- Traceability needs to be maintained between an attribute rating and the objective evidence used in determining that rating.

As implied by their name, indicators do not represent requirements of a process. They represent a common starting point for assessment, which increases the consistency of assessor judgement and enhances the repeatability of the results. The indicators provide a framework for assessment that helps to ensure that:
- The assignment of a rating for a given process attribute is supported by objective, validated evidence.
- The traceability of the rating to the supporting evidence is maintained.
An outcome may be:
- production of an object;
- a significant change of state;
- meeting of specified constraints.

Base practice (BP): achieve the process outcomes. There is evidence that the intent of the base practice is being performed. Work products are produced that provide evidence of process outcomes, as outlined in section 3.
The assessor then needs to assess whether there is sufficient evidence that PA1 has been achieved. Note that this is the level where the detailed and specific process requirements from the Process Reference Model (PRM) are used. The assessor then reaches a conclusion as to the extent to which the attribute has been achieved.

For PA2, the assessor asks:
- Is performance of the process planned and monitored?
- Is performance of the process adjusted to meet plans?
- Are responsibilities and authorities for performing the process defined, assigned and communicated?
- Are resources and information necessary for performing the process identified, made available, allocated and used?
- Are interfaces between the involved parties managed to ensure effective communication and clear assignment of responsibility?

In this case, the assessor would be trying to determine the extent to which the elements of PA2 have been achieved. From level 2 onwards you are no longer using the PRM; you are looking primarily at the attribute goals or objectives, called generic outcomes, generic practices and generic work products, in PAM section 4.

For work product management the questions are:
- Have requirements for documentation and control of the work products been defined?
- Are work products appropriately identified, documented and controlled?
- Are work products reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements?
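The measurement framework the slides describe has a mechanical core that is easy to get wrong in a spreadsheet: each process attribute receives a rating, every rating above "not achieved" must trace back to validated evidence, and the capability level is derived from the ratings of all attributes, not from the highest one rated. The following Python is an added worked example, not code from the ISACA deck or from any ISACA tool. It assumes the ISO/IEC 15504-2 rating scale (N/P/L/F with 15/50/85% boundaries) and its level rule (level k requires every attribute below k rated F and every attribute of level k rated L or F), which is the scale the COBIT PAM adopts; the DS1 evidence references are constructed sample data.

```python
"""Worked example: attribute ratings, evidence traceability and capability level.

Assumption: the ISO/IEC 15504-2 scale is used, as the COBIT PAM does.
  N (not achieved)         0%  - 15%
  P (partially achieved)  >15% - 50%
  L (largely achieved)    >50% - 85%
  F (fully achieved)      >85% - 100%
Capability level k is achieved when every attribute below level k is rated F
and every attribute of level k is rated L or F.
"""
from dataclasses import dataclass, field

# Process attributes per capability level (ISO/IEC 15504-2 numbering).
LEVEL_ATTRIBUTES = {
    1: ("PA1.1",),            # process performance
    2: ("PA2.1", "PA2.2"),    # performance management, work product management
    3: ("PA3.1", "PA3.2"),    # process definition, process deployment
    4: ("PA4.1", "PA4.2"),    # process measurement, process control
    5: ("PA5.1", "PA5.2"),    # process innovation, process optimisation
}


@dataclass
class Evidence:
    """One piece of objective evidence the assessor has validated."""
    ref: str        # where it lives: document id, interview note, system export
    indicator: str  # the indicator it supports (outcome, base practice, work product)


@dataclass
class AttributeAssessment:
    attribute: str
    achievement_pct: float
    evidence: list = field(default_factory=list)


def rate(achievement_pct: float) -> str:
    """Map an achievement percentage onto the N/P/L/F scale."""
    if not 0 <= achievement_pct <= 100:
        raise ValueError(f"achievement must be 0..100, got {achievement_pct}")
    if achievement_pct <= 15:
        return "N"
    if achievement_pct <= 50:
        return "P"
    if achievement_pct <= 85:
        return "L"
    return "F"


def capability_level(ratings: dict) -> int:
    """Derive the capability level from {attribute: rating}.

    An attribute that was never rated counts as N: a level cannot be
    claimed on attributes nobody assessed.
    """
    achieved = 0
    for level in range(1, 6):
        lower = [a for lvl in range(1, level) for a in LEVEL_ATTRIBUTES[lvl]]
        if not all(ratings.get(a, "N") == "F" for a in lower):
            break  # a lower level is only largely achieved; stop here
        if not all(ratings.get(a, "N") in ("L", "F") for a in LEVEL_ATTRIBUTES[level]):
            break
        achieved = level
    return achieved


def unsupported_ratings(assessments: list) -> list:
    """Attributes rated above N with no evidence: they break traceability
    and must not appear in the assessment record as they stand."""
    return sorted(a.attribute for a in assessments
                  if rate(a.achievement_pct) != "N" and not a.evidence)


def assess_process(process_id: str, assessments: list) -> dict:
    """Build the assessment record for one process."""
    ratings = {a.attribute: rate(a.achievement_pct) for a in assessments}
    return {
        "process": process_id,
        "ratings": ratings,
        "capability_level": capability_level(ratings),
        "unsupported": unsupported_ratings(assessments),
        "trace": {a.attribute: [e.ref for e in a.evidence] for a in assessments},
    }


# Constructed sample data for DS1 (define and manage service levels);
# the document references are invented for illustration.
SAMPLE_DS1 = [
    AttributeAssessment("PA1.1", 92, [
        Evidence("SLM-FRAMEWORK-v3", "DS1-O1 service management framework in place"),
        Evidence("SLA-REPORT-2013Q4", "DS1-BP5 end-to-end service level reporting"),
    ]),
    AttributeAssessment("PA2.1", 70, [
        Evidence("SLM-RACI", "responsibilities and authorities assigned and communicated"),
    ]),
    AttributeAssessment("PA2.2", 55, [
        Evidence("DOC-CONTROL-PROC", "work products identified, documented and controlled"),
    ]),
    AttributeAssessment("PA3.1", 40, []),  # rated P, but no evidence recorded
]

if __name__ == "__main__":
    print(assess_process("DS1", SAMPLE_DS1))
```

On the sample, DS1 reaches capability level 2: PA1.1 is F and both level-2 attributes are L, so level 3 is out of reach even if PA3.1 and PA3.2 were largely achieved, because the level-2 attributes are not F. The record also flags PA3.1 as unsupported, which is exactly the traceability gap the indicators are meant to prevent.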
There is only enough time today to walk through the assessment process at a very high level. Detailed discussion of the process for a compliant assessment is provided in an Assessor Guide.
In addition, simplified guidance has been developed in a Self-assessment Guide to completing assessments for those wanting to perform a simple, judgement based self assessment as a precursor to a more formal compliant assessment.
This figure is reproduced from ISO. We will quickly review the key elements of each of these activities.

Initiation:
- Identify the sponsor and define the purpose of the assessment: why is it being carried out?
- Define the scope of the assessment: which processes are being assessed? What constraints, if any, apply to the assessment?
- Identify any additional information that needs to be gathered.
- Select the assessment participants and the assessment team, and define the roles of team members.
- Define assessment inputs and outputs, and have them approved by the sponsor.

The objective of the initiation phase is to ensure that there is a common understanding with the sponsor on the purpose and scope of the assessment, and to identify the individuals with the appropriate competencies to ensure a successful assessment.
Recall that it is highly unlikely an enterprise would assess all 34 COBIT processes, so a scoping tool kit has been provided; see the next slides for an outline and a scoping example.
The aim of scoping, as part of assessment initiation, is to focus the assessment on the business needs of the enterprise. The scoping tools are available in the tool kit. There is a six-step selection process: Step 1, identify the relevant business drivers for the IT process assessment.

Planning the assessment: an assessment plan describing all activities performed in conducting the assessment is developed and documented, together with an assessment schedule. Planning covers:
- Identify the project scope.
- Secure the necessary resources to perform the assessment.
- Determine the method of collating, reviewing, validating and documenting the information required for the assessment.
- Co-ordinate assessment activities with the organisational unit being assessed.

The assessment planning phase includes such things as:
- Determine the assessment activities.
- Determine the necessary resources and schedule for the assessment.
- Define how the assessment data will be collected, recorded, stored, analysed and presented, with reference to the assessment tool.
- Define the planned outputs of the assessment. Assessment outputs desired by the sponsor, in addition to those required as part of the assessment record, are identified and described.
- Verify conformance to requirements: detail how the assessment will meet all the requirements in the standard.
- Document, prioritise and track potential risk factors and mitigation strategies through assessment planning. All identified risks will be monitored throughout the assessment.
- Co-ordinate assessment logistics with the Assessment Co-ordinator.
- Review and obtain acceptance of the plan.
The sponsor identifies who will approve the assessment plan. The plan, including the assessment schedule and the logistics for site visits, is reviewed and approved.

Briefing: the assessment team leader ensures that the assessment team understands the assessment inputs, process and outputs, and briefs the organisational unit on the performance of the assessment: the PAM, assessment scope, scheduling, constraints, roles and responsibilities, resource requirements, and so on.
- Ensure that the team understands the approach defined in the documented process and the assessment inputs and outputs, and is proficient in using the assessment tool.
- Brief the organisational unit. Explain the assessment purpose, scope, constraints and model. Stress the confidentiality commitment and the benefit of the assessment outputs. Present the assessment schedule.
- Ensure that the staff members understand what is being undertaken and their role in the process.