What goes into a COBIT 5.0 Assessment?
July 18, 2017
In order to find a single assessment framework that ties together the ISO 27001:2013, ISO 20000-1:2011, ISO 22301:2012 and ISO 31000 requirements, I was searching for a comprehensive IT governance methodology. That is when I took an interest in COBIT (Control Objectives for Information and related Technology). After completing a COBIT Foundation and COBIT Assessor course, I understood that this framework can become a strong factor in enabling entities to achieve their primary goals for IT governance. This framework also enables the transformation of organizational practices and creates improved processes.
The opportunity to apply what I learned in the COBIT Assessor course came with the requirement for a COBIT-based assessment for an Oman-based entity. This entity required an in-depth analysis of its situation at the time in order to develop an IT strategy for the next 3 years. The entity was not certified for any management systems (such as ISO 27001, ISO 20000, ISO 22301 or ISO 31000).
Before embarking on a journey that will commit the organization to potential costs, restructuring and a reshuffling of its work culture, the organization needs to conduct an in-depth analysis of its current state and, as a first step, identify which processes are applicable to the entity's vision.
My process for conducting the COBIT 5.0 assessment focused on the following:
- Identify areas of concern for the client.
- Map these areas of concern to the relevant COBIT 5.0 process.
- Develop a COBIT 5.0 control assessment questionnaire for each audit.
- Conduct meetings with client departments.
- Analyse evidence, document and validate results.
To identify applicable processes, we looked at areas which required improvement. After several brainstorming sessions the client agreed to conduct an evaluation covering some of the processes associated with the areas of concern. For the purpose of this case study, I will take into consideration one of the biggest issues faced by the client.
The following questions were asked to assess the current state of the change management process:
• Is there a procedure defined for evaluating, prioritizing and authorizing changes?
• Are templates defined for logging changes?
• Are changes evaluated to determine the impact of the change on business processes and IT services?
• Are changes evaluated for effects and risks to the operational environment?
• Is a change manager assigned?
• Is a change committee defined?
• Does the change committee review each change prior to implementation?
• Is emergency change management a predefined process?
• Is the definition of what classifies as an emergency change understood within the IT Department?
• How many emergency changes are implemented each week?
• What is the nature of the emergency changes implemented in the IT Department?
• Are emergency changes reviewed post implementation to identify learnings from the change?
• Are change statuses defined?
• Is a communication matrix defined for each type of change?
• Is a submission timeline defined for different kinds of changes?
• Does the CAB review the status of changes on a weekly basis?
• Does the CAB conduct a review of the changes post implementation?
After the assessment meetings, all the findings were collated to assign a maturity level to the process. Maturity ratings for the process were assigned as per the ratings below:
The data collection and analysis activity resulted in multiple findings across all the processes which were assessed at the client location. During the gap assessment it was seen that the client is running a risk to its business without a documented and strictly followed IT change management process. The entity does not have any process to manage its complex configurations and infrastructure information. This may lead to errors in IT service delivery, thus affecting overall customer satisfaction. We also observed that many IT teams were working in silos, and hence information sharing and knowledge management within IT is low.
IT's existing tools and reporting have immense scope for improvement. We found that IT is already working towards achieving better tooling and reporting solutions.
Though it was important for the entity to focus on the implementation of multiple processes, a big-bang approach could be detrimental given the width and range of IT's work. Hence, it was recommended that the entity target an initial implementation of some key processes and then embark on rolling out the remaining processes in a phased manner. The client was advised to plan for ISO 27001:2013, ISO 20000-1:2011, ISO 22301:2012 and ISO 31000 compliance projects. In parallel, the client was advised to improve on the existing configuration management tools in order to have better visibility over the infrastructure. The output of the assessment was a 3-year plan for the client to improve processes in all areas of IT.
The process for the assessment is also applicable to any other entity planning to embark on a COBIT 5.0 compliance journey.