Based on the COBIT5 Foundation Study Guide by SMME (used and adapted with permission)

1

Principles

Principle 1 - Meeting stakeholder needs

The governing body is ultimately responsible for setting the direction of the organisation and needs to account to stakeholders, specifically owners or shareholders of the organisation.

• Translate stakeholder needs into strategy.

• Governance is about negotiating and deciding amongst different stakeholders’ value interests.

Value creation = Stakeholder needs

There are three main governance objectives:

• Benefits realization

• Risk optimization

• Resource optimization (all IT assets including resources and capabilities)

Stakeholder drivers

• Strategy changes

• Changing business and regulatory environment

• New technologies

Cascade (transform stakeholder needs into an actionable strategy)

• Stakeholder drivers cascade to

• Stakeholder needs cascade to

• Enterprise goals (BSC) cascade to

• IT-related goals (BSC) cascade to

• Enabler goals (e.g. process goals)

Balanced scorecard (BSC)

• Financial

• Customer

• Internal

• Learning and growth


Principle 2 - Covering the enterprise end-to-end

Components of a governance system

• Governance enablers (x 7)

• Governance scope (whole enterprise or part)

• Identifying responsibilities for governance:

• Owners and stakeholders (delegate)

• Governing body (set direction + accountable)

• Management (instruct and align + monitor)

• Operations and execution (report)

Principle 3 - Applying a single integrated framework

Integrated framework

• Aligns with other relevant standards and frameworks

• Is complete in enterprise coverage

• Provides a simple architecture

• Integrates different ISACA frameworks


Principle 4 - Enabling a holistic approach

Enablers - Resources

• Principles, policies and frameworks

• Processes

• Organizational structures

• Culture, ethics and behavior

• Information

• Services, infrastructure and applications

• People, skills and competencies

Enabler dimensions (allow an entity to manage its complex interactions)

• Stakeholders

• Goals

• Intrinsic quality - The extent to which enablers work accurately, objectively and provide accurate, objective and reputable results

• Contextual quality - The extent to which enablers and their outcomes are fit for purpose given the context in which they operate. For example, outcomes should be relevant, complete, current, appropriate, consistent, understandable and easy to use.

• Access and security - The extent to which enablers and their outcomes are accessible and secured, such as:

  • Enablers are available when, and if, needed.

  • Outcomes are secured, i.e., access is restricted to those entitled and needing it.

• Life cycle

• Good practices

Enabler performance

• Lag indicators (achievement of goals)

• Are stakeholder needs addressed?

• Are enabler goals achieved?

• Lead indicators (functioning of enabler)

• Is the enabler lifecycle managed?

• Are good practices applied?


Principle 5 - Separating governance from management

Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Evaluate - Direct - Plan - Build - Run - Monitor - Monitor - Evaluate


Enablers

• Processes - A distinction is made between governance and management processes, including specific sets of practices and activities for each.

• Information - Information used for evaluating, directing and monitoring enterprise IT is exchanged between governance and management.

• Organisational structures - Structures can sit in the governance space or the management space.

• Principles, policies and frameworks - Principles, policies and frameworks are the vehicle by which governance decisions are institutionalised within the enterprise.

• Culture, ethics and behaviour - Is set at the top and is therefore an interaction.

• People, skills and competencies - Governance and management activities require different skill sets.

• Services, infrastructure and applications - Services support the governance activities of evaluating, setting direction and monitoring.

Enabler 1 - Principles, policies and frameworks

Governance should set principles and policies. Principles, policies and frameworks are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values, as defined by the board and executive management.

Policies should be aligned with the enterprise’s risk appetite. Policies are a key component of an enterprise’s system of internal control, whose purpose is to manage and contain risk. As part of risk governance activities, the enterprise’s risk appetite is defined, and this risk appetite should be reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise.

Policies need to be revalidated and/or updated at regular intervals.

Principles (express the core values of the enterprise)

• limited in number

• put in simple language

Policies (provide detailed guidance on how to put principles into practice, guide decisions)

Policies provide more detailed guidance on how to put principles into practice and they influence how decision making aligns with the principles. Good policies are:

• Effective - They achieve the stated purpose.

• Efficient - They ensure that principles are implemented in the most efficient way.

• Non-intrusive - They appear logical for those who have to comply with them, i.e., they do not create unnecessary resistance.

Policy can exist at multiple levels of the organisation. Organisational structures can define and implement policies within their span of control, and their activities are also defined by policies.

Frameworks

Frameworks are key because they provide a structure to define consistent guidance. For example, a policy framework provides the structure in which a consistent set of policies can be created and maintained, and it also provides an easy point of navigation within and between individual policies. Frameworks should be:

• Comprehensive

• Open and flexible

• Current

• Accessible for stakeholders

Good practice

Good practice requires that policies be part of an overall governance and management framework, providing a (hierarchical) structure into which all policies should fit and clearly make the link to the underlying principles.

As part of the policy framework, the following items need to be described:

• Scope and validity

• Consequences of failing to comply

• Means for handling exceptions

• How compliance will be checked (compliance requirements)

Generally recognised governance and management frameworks can provide valuable guidance on the actual statements to be included in policies.

Relationships

• Principles, policies and frameworks reflect the cultures, ethics and values of the enterprise

• Processes are the most important vehicle for executing policies

• Organizational structures can define and implement policies

• Policies are part of information.


Enabler 2 – Processes

For each COBIT 5 process, the governance/management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are:

• Statements of actions to deliver benefits, optimise the level of risk and optimise the use of resources

• Aligned with relevant generally accepted standards and good practices

• Generic and therefore needing to be adapted for each enterprise

• Covering business and IT role players in the process (end-to-end)

The enterprise governance body and management need to make choices relative to these governance and management practices by:

• Selecting those that are applicable and deciding on those that will be implemented

• Adding and/or adapting practices where required

• Defining and adding non-IT-related practices for integration in business processes

• Choosing how to implement them (frequency, span, automation, etc.)

• Accepting the risk of not implementing those that may apply

Sample RACI charts in COBIT are the suggested assignment of the type and level of involvement in process practices for specific roles and structures in the organisation.

In COBIT, the main actions taken to operate the process are described in activities relating to each of the practices. They are defined as ‘guidance to achieve management practices for successful governance and management of enterprise IT’. The COBIT 5 activities provide the how, why and what to implement for each governance or management practice to improve IT performance and/or address IT solution and service delivery risk. This material is of use to:

• Management, service providers, end users and IT professionals who need to plan, build, run or monitor enterprise IT

• Assurance professionals who may be asked for their opinions regarding current or proposed implementations or necessary improvements

Activities are a complete set of generic and specific activities that provide one approach consisting of all the steps that are necessary and sufficient for achieving the key governance practice (GP)/management practice (MP). They provide high-level guidance, at a level below the GP/MP, for assessing actual performance and for considering potential improvements.

For each COBIT process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are statements of actions from governance bodies and management. More detailed guidance is provided for each practice as a set of activities. Process activities:

• Describe a set of necessary and sufficient action-oriented implementation steps to achieve a governance or management practice

• Consider the inputs and outputs of the process

• Are based on generally accepted standards and good practices

• Support establishment of clear roles and responsibilities

• Are non-prescriptive and need to be adapted and developed into specific procedures appropriate for the enterprise

When executing a process, artefacts (documents, records, etc.) are created – these become useful when evaluating a process.

A process is defined as a collection of practices influenced by the enterprise’s policies and procedures that takes input from a number of sources, manipulates the inputs and produces outputs.

The Process Reference Model - Governance Domain

The processes in EDM (Evaluate, Direct and Monitor) (5)

• EDM01 Ensure Governance Framework Setting and Maintenance

• EDM02 Ensure Benefits Delivery

• EDM03 Ensure Risk Optimization

• EDM04 Ensure Resource Optimization

• EDM05 Ensure Stakeholder Transparency

The Process Reference Model - Management Domain

The processes in APO (Align, Plan and Organize) (13)

• APO01 Manage the IT Management Framework

• APO02 Manage Strategy

• APO03 Manage Enterprise Architecture

• APO04 Manage Innovation

• APO05 Manage Portfolio

• APO06 Manage Budget and Costs

• APO07 Manage Human Relations

• APO08 Manage Relationships

• APO09 Manage Service Agreements

• APO10 Manage Suppliers

• APO11 Manage Quality

• APO12 Manage Risk

• APO13 Manage Security

The processes in BAI (Build, Acquire and Implement) (10)

• BAI01 Manage Programs and Projects

• BAI02 Manage Requirements Definition

• BAI03 Manage Solutions Identification and Build

• BAI04 Manage Availability and Capacity

• BAI05 Manage Organizational Change Enablement

• BAI06 Manage Changes

• BAI07 Manage Change Acceptance and Transitioning

• BAI08 Manage Knowledge

• BAI09 Manage Assets

• BAI10 Manage Configuration

The processes in DSS (Deliver, Service and Support) (6)

• DSS01 Manage Operations

• DSS02 Manage Service Requests and Incidents

• DSS03 Manage Problems

• DSS04 Manage Continuity

• DSS05 Manage Security Services

• DSS06 Manage Business Process Controls

The processes in MEA (Monitor, Evaluate and Assess) (3)

• MEA01 Monitor, Evaluate and Assess Performance and Conformance

• MEA02 Monitor, Evaluate and Assess the System of Internal Control

• MEA03 Evaluate and Assess Compliance with External Requirements

Stakeholders

• Internal: board, management, staff, business managers, business process owners

• External: customers, business partners, shareholders, regulators

Goals

• Intrinsic goals: quality of the process, in line with good practice, compliant?

• Contextual goals: relevancy of the process, understandable, easy to apply?


• Accessibility & Security goals: confidentiality of the process

Life cycle (= generic practices for processes)

• Plan

• Design

• Build/acquire/create/implement

• Use/operate

• Evaluate/monitor

• Update/dispose

Good practice

• Management/Governance practices (MP/GP)

  • Statements of actions to deliver benefits

  • Aligned with standards and good practices

  • Generic, needing to be adapted

  • Covering business and IT

• Activities

  • Describe implementation steps to achieve GP/MP

  • Consider the inputs and outputs of the process

  • Based on standards and good practices

  • Support establishment of clear roles and responsibilities (defined at the GP/MP level)

  • Non-prescriptive

  • Detailed activities: from ITIL, ISO 27000, PRINCE2 etc.

• Inputs and outputs:

  • Are the process work products/artifacts

  • Defined at the GP/MP level

Relationships

• Processes need information as one form of input

• Processes need Organizational structure

• Processes produce and require service capabilities (infrastructure, applications, information, etc.)

• Processes are dependent on other processes

• Processes produce and need policies and procedures to ensure consistent implementation.

Enabler Process Guide Content

• Process identification and its components

• Process description

• Process purpose statement

• Goals cascade information

• Process goals and metrics

• Overview of process practices

RACI

• Responsible: does the job

• Accountable: takes the blame

• Consulted: 2-way communication

• Informed: 1-way communication


Enabler 3 - Organizational structures

Organisational structures are the key decision-making entities in an enterprise.

Good Practice

• Operating principles - The practical arrangements regarding how the structure will operate, such as frequency of meetings, documentation and housekeeping rules

• Composition - Structures have members, who are internal or external stakeholders.

• Span of control - The boundaries of the organizational structure’s decision rights, e.g. organisational structures can implement policies within their span of control.

• Level of authority - The decisions that the structure is authorized to take

• Delegation of authority - The structure can delegate (a subset of) its decision rights to other structures reporting to it.

• Escalation procedures - The escalation path for a structure describes the required actions in case of problems in making decisions.

The responsibilities and characteristics of the following roles in an organization:

• CIO: responsible for aligning the IT strategy with the business strategy

• Program and Project Management Office (PMO): responsible for supporting program and project managers


Enabler 4 - Culture, ethics and behavior

Goals

• Organizational ethics: determined by the values by which the enterprise wants to operate

• Individual ethics: determined by personal values

• Individual behaviors, which collectively determine the culture of an enterprise.

• Behavior towards taking risk

• Behavior towards following policy

• Behavior towards negative outcomes

Good practice

• Communication of desired behaviors and the underlying corporate values

• Awareness of desired behavior, strengthened by the example behavior exercised by senior management and other champions

• Incentives to encourage and deterrents to enforce desired behavior.

• Rules and norms, which provide more guidance on desired organizational behavior. This links very clearly to the principles and policies that an enterprise puts in place.

Relationships

• Processes can be designed to a level of perfection, but if the stakeholders of the process do not wish to execute the process activities as intended - i.e., if their behavior is one of non-compliance - process outcomes will not be achieved.

• Organizational structures can be designed and built according to the textbook, but if their decisions are not implemented - for reasons of different personal agendas, lack of incentives, etc. - they will not result in decent governance and management of enterprise IT.

• Principles and policies are a very important communication mechanism for corporate values and the desired behavior.


Enabler 5 - Information

Information, infrastructure and applications are defined as service capabilities – they are leveraged through processes to deliver internal and external services.

Information criteria

• Effectiveness - Information is effective if it meets the needs of the information consumer who uses the information for a specific task. If the information consumer can perform the task with the information, then the information is effective.

• Efficiency - Whereas effectiveness considers the information as a product, efficiency relates more to the process of obtaining and using information, so it aligns to the ‘information as a service’ view. If information that meets the needs of the information consumer is obtained and used in an easy way, then the use of information is efficient. This corresponds to the following information quality goals: believability, accessibility, ease of operation, reputation.

• Integrity - If information has integrity, then it is free of error and complete.

• Reliability - Reliability is often seen as a synonym of accuracy; however, it can also be said that information is reliable if it is regarded as true and credible. Compared to integrity, reliability is more subjective, more related to perception, and not just factual.

• Availability - Availability is one of the information quality goals under the accessibility and security heading.

• Confidentiality - Confidentiality corresponds to restricted access.

• Compliance - Compliance means that information must conform to specifications. Compliance with regulations is most often a goal or requirement of the use of the information, not so much an inherent quality of information.

Information cycle

• Business and IT processes generate and process Data.

• Data is transformed into Information.

• Information is transformed into Knowledge.

• Knowledge creates Value.

• Value drives Business and IT processes

Use of the Information Model (IM)

• For information specifications (e.g. of a new application or process by using attributes)

• To determine required protection (e.g. for security professionals by using attributes)

• To determine ease of data use (e.g. by using the quality criteria)


Enabler 6 - Services, infrastructure and applications

Architecture principles

Good practice for service capabilities includes the definition of architecture principles. Architecture principles are overall guidelines that govern the implementation and use of IT-related resources within the enterprise. Examples of potential architecture principles are:

• Reuse - Common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures.

• Buy vs. build - Solutions should be purchased unless there is an approved rationale for developing them internally.

• Simplicity - The enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements.

• Agility - The enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner.

• Openness - The enterprise architecture should leverage open industry standards.

Relationships

• Information is one of the service capabilities, and service capabilities are leveraged through processes to deliver internal and external services.

• Cultural and behavioral aspects are also relevant when a service-oriented culture needs to be built.

• The inputs and outputs of the management processes could include service capabilities, which are required as inputs or delivered as outputs.

• Service capabilities are leveraged primarily through processes


Enabler 7 - People, skills and competencies

Good practice

• Defining skill requirements for each role

• Using other external sources of good practice, e.g. SFIA

• Mapping skill categories to the COBIT 5 process domains:

  • The skills in EDM (Evaluate, Direct, Monitor)

    • Governance of enterprise IT

  • The skills in APO (Align, Plan, Organize)

    • IT policy formulation

    • IT strategy

    • Enterprise architecture

    • Innovation

    • Financial management

    • Portfolio management

  • The skills in BAI (Build, Acquire and Implement)

    • Business analysis

    • Project management

    • Usability evaluation

    • Requirements definition and management

    • Programming

    • System ergonomics

    • Software decommissioning

    • Capacity management

  • The skills in DSS (Deliver, Service and Support)

    • Availability management

    • Problem management

    • Service desk and incident management

    • Security administration

    • IT operations

    • Database administration

  • The skills in MEA (Monitor, Evaluate and Assess)

    • Compliance review

    • Performance monitoring

    • Controls audit


Implementation

Components of the life cycle model

• Management of the program

• Change enablement specifically addressing behavior and cultural aspects

• Core continual improvement life cycle.

Life cycle phases (question answered - programme management / change enablement / continual improvement)

• 1 What are the drivers? - Initiate programme / Establish desire to change / Recognise need to act

• 2 Where are we now? - Define problems & opportunities / Form implementation team / Assess current state

• 3 Where do we want to be? - Define road-map / Communicate outcome / Define target state

• 4 What needs to be done? - Plan programme / Identify role players / Build improvements

• 5 How do we get there? - Execute plan / Operate & use / Implement improvements

• 6 Did we get there? - Realise benefits / Embed new approaches / Operate & measure

• 7 How do we keep on going? - Review effectiveness / Sustain / Monitor & evaluate

Seven phases of implementation

• Phase 1 starts with recognizing and agreeing to the need for an implementation or improvement initiative. It identifies the current pain points and triggers and creates a desire to change at executive management levels. (What are the drivers?) CE: establish desire to change.

• Phase 2 is focused on defining the scope of the implementation or improvement initiative using COBIT’s mapping of enterprise goals to IT-related goals to the associated IT processes, and considering how risk scenarios could also highlight key processes on which to focus. High-level diagnostics can also be useful for scoping and understanding high-priority areas on which to focus. An assessment of the current state is then performed, and issues or deficiencies are identified by carrying out a process capability assessment. (Where are we now?) CE: form implementation team.

• During phase 3, an improvement target is set, followed by a more detailed analysis leveraging COBIT’s guidance to identify gaps and potential solutions. Some solutions may be quick wins and others more challenging and longer-term activities. (Where do we want to be?) CE: communicate outcomes.

• Phase 4 plans practical solutions by defining projects supported by justifiable business cases. A change plan for implementation is also developed. A well-developed business case helps to ensure that the project’s benefits are identified and monitored. (What needs to be done?) CE: identify role players.

• The proposed solutions are implemented into day-to-day practices in phase 5. Measures can be defined and monitoring established, using COBIT’s goals and metrics to ensure that business alignment is achieved and maintained and performance can be measured. Success requires the engagement and demonstrated commitment of top management as well as ownership by the affected business and IT stakeholders. (How do we get there?) CE: operate and use.

• Phase 6 focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits. (Did we get there?) CE: embed new approaches.

• During phase 7, the overall success of the initiative is reviewed, further requirements for the governance or management of enterprise IT are identified, and the need for continual improvement is reinforced. (How do we keep the momentum going?) CE: sustain.


Use of the implementation life cycle

The internal and external environment factors as they apply to change management

• Ethics and culture

• Applicable laws, regulations and policies

• Mission, vision and values

• Governance policies and practices

• Business plans and strategic intentions

• Operating Model

• Management style

• Risk appetite

• Capabilities and available resources

• Industry practices

Typical pain points

• Business frustration with failed IT initiatives resulting in increased costs & low business return on investment

• Outsourcing service delivery problems

• Duplicate projects

• Continuous poor audit findings

• Board members and senior management reluctant to engage with IT

Typical trigger events

Changes in an enterprise’s internal or external environments are seen as triggers – examples are:

• Mergers, acquisitions and divestments

• New regulatory or compliance requirements

• A shift in the market demand for the company’s products

• Significant technology change

Business case

• Tool guiding the creation of business value

• Ongoing view of the viability of a program

• Contents of a good business case

  • The business benefits that will be realized

  • The business changes required

  • The investments needed

  • The on-going IT operating costs

  • Constraints and dependencies derived from the risk assessment

  • Roles, responsibilities and accountabilities relative to the initiative

  • How the investment will be monitored


Process capability Assessment Model (PAM)

Process capability assessments enable governance bodies to set process benchmarks and assist in measurement and monitoring capabilities. Based on this information, improvement planning can be done that is supported by evidence and justifiable. Process capability assessments do not measure performance or compliance.

Terms and concepts of the PAM

The COBIT Assessment Model includes:

• COBIT Assessor’s Guide – using COBIT 5.0 – providing detailed guidance on how to do assessments using PAM, and

• COBIT Self Assessment Guide – Using COBIT 5.0 – explaining a simplified method that can easily be used for self-assessment

The six Capability Levels based on ISO 15504

• Level 0 – Incomplete Process

• Level 1 – Performed process - achieves its purpose

• Level 2 – Managed process - managed implementation, work products managed

• Level 3 - Established Process - implemented using a defined process

• Level 4 - Predictable Process - operates within defined limits

• Level 5 – Optimized Process - continuously improved

The nine Attributes based on ISO 15504

• PA 1.1 Process performance

• PA 2.1 Performance management

• PA 2.2 Work product management

• PA 3.1 Process definition

• PA 3.2 Process deployment

• PA 4.1 Process management

• PA 4.2 Process control

• PA 5.1 Process innovation

• PA 5.2 Process optimization

The Rating Scale based on ISO 15504

• N Not achieved (0 to 15% achievement) - There is little or no evidence of achievement of the defined attribute in the assessed process.

• P Partially achieved (15% to 50% achievement) - There is evidence of a sound systematic approach to an achievement of the defined attribute in the assessment approach

• L Largely achieved (50% to 85% achievement) - There is evidence of a sound, systematic approach to the significant achievement of the defined attribute in the assessment

• F Fully achieved (85% to 100% achievement) - There is evidence of a complete and systematic approach to and full achievement of the defined attribute in the assessed approach.

• To achieve a pass for a certain level, a process must be rated L – Largely or F – Fully at that level, and be rated F – Fully on the lower levels.

• To be able to move on to another capability level, all Process Attributes must be F – Fully for that process (if not achieved, the organization needs to improve that particular process attribute to have an F rating before moving on)
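As an added example (not part of the study guide), the following Python encodes the N/P/L/F rating scale and the level-pass rules above so that an assessor can compute the capability level a process has reached and see which attributes block the next level. The percentage boundaries follow ISO 15504 (exactly 15% is N, exactly 50% is P, exactly 85% is L), and the attribute scores are constructed sample values.

```python
"""Derive a process capability level from PAM attribute ratings.

Added example, not taken from the COBIT 5 study guide. The attribute list and
the N/P/L/F scale are those given on this page; the sample scores are constructed.
"""
from typing import Dict, List

# Process attributes (PAs) grouped by the capability level they belong to.
ATTRIBUTES_BY_LEVEL: Dict[int, List[str]] = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}

# Ratings that count as a pass for the level currently being assessed.
PASS_AT_LEVEL = ("L", "F")


def rate(percent: float) -> str:
    """Map an achievement percentage to the N/P/L/F rating scale.

    Boundary handling follows ISO 15504 (assumption, the page only gives the
    ranges): N = 0-15%, P = >15-50%, L = >50-85%, F = >85-100%.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be between 0 and 100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(ratings: Dict[str, str]) -> int:
    """Return the highest capability level (0-5) the process has reached.

    Level k is reached when every PA of level k is rated L or F and every PA of
    levels 1..k-1 is rated F. An attribute that was not assessed counts as N.
    """
    reached = 0
    for level in range(1, 6):
        at_level_ok = all(
            ratings.get(pa, "N") in PASS_AT_LEVEL for pa in ATTRIBUTES_BY_LEVEL[level]
        )
        lower_fully = all(
            ratings.get(pa, "N") == "F"
            for lower in range(1, level)
            for pa in ATTRIBUTES_BY_LEVEL[lower]
        )
        if not (at_level_ok and lower_fully):
            break  # levels are cumulative: a gap here blocks every level above
        reached = level
    return reached


def improvements_needed(ratings: Dict[str, str], target_level: int) -> Dict[str, str]:
    """Return {attribute: minimum rating} for every PA that blocks target_level.

    Attributes below the target must reach F; attributes at the target must reach L.
    """
    if not 1 <= target_level <= 5:
        raise ValueError(f"target level must be 1..5, got {target_level}")
    needed: Dict[str, str] = {}
    for level in range(1, target_level):
        for pa in ATTRIBUTES_BY_LEVEL[level]:
            if ratings.get(pa, "N") != "F":
                needed[pa] = "F"
    for pa in ATTRIBUTES_BY_LEVEL[target_level]:
        if ratings.get(pa, "N") not in PASS_AT_LEVEL:
            needed[pa] = "L"
    return needed


# Constructed sample: an assessor's percentage scores for one process (e.g. DSS05).
SAMPLE_SCORES = {
    "PA 1.1": 92.0,
    "PA 2.1": 88.0,
    "PA 2.2": 60.0,
    "PA 3.1": 70.0,
    "PA 3.2": 40.0,
}
SAMPLE_RATINGS = {pa: rate(score) for pa, score in SAMPLE_SCORES.items()}

if __name__ == "__main__":
    level = capability_level(SAMPLE_RATINGS)
    print(f"Ratings: {SAMPLE_RATINGS}")
    print(f"Capability level reached: {level}")  # 2: PA 2.2 is only L, so level 3 is not reached
    print(f"To reach level {level + 1}: {improvements_needed(SAMPLE_RATINGS, level + 1)}")
```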

The definition of the following ISO 15504 terms

• A Process Purpose: high level objectives of performing the process and likely outcomes of successful implementation.

• A Process Outcome: observable result of a process (artifact, change of state, meeting of constraints)

• A Base Practice: activities that contribute to achieving the process purpose.

• A Work Product: an artifact associated with the execution of the process (inputs and outputs)

Understanding the PCM

The Reasons for carrying out a Process Capability Assessment

• ISO 15504 identifies the purpose as an activity that can be performed either as a process assessment or as a process improvement initiative

• To continuously improve the enterprise’s effectiveness

• To identify the strengths and weaknesses of selected processes based on business need

• To provide a logical, understandable, repeatable, reliable and robust methodology for assessing the capability of IT-related processes.

The purpose of the 3 guides

• The Process Assessment Model (PAM)

• The Assessor Guide

• The Self-Assessment Guide: can also be used as preparation for a formal assessment

The differences between a Maturity and a Capability Assessment

• A Process Assessment is one that examines the processes used by an organization to determine whether they are effective in achieving their goals. The assessment characterizes the current practice within an organizational unit in terms of the capability of the selected processes.

• Organizational maturity is an expression of the extent to which an organization consistently implements processes within a defined scope that contributes to the achievement of its business goals (current or projected).

The purpose of a Process Reference Model

• Provides the basis for one or more Process Assessment Models

• Relates the PAM to the measurement framework (ISO 15504)

• Provides the basis for the process dimension

The differences between the two dimensions

• The capability dimension as outlined by the 6 capability levels

• A process dimension which deals specifically with the 37 specific COBIT processes outlined in the Process Reference Model (PRM)

The differences between the Generic and Specific attributes

• Base Practices (1) & Generic Base Practices (2-5)

• Specific Work Products (1) & Generic Work Products (2-5)

The benefits of the COBIT Capability Assessment approach

• Improved reliability and repeatability

• Compliance with generally accepted standard

• Increased usability

In summary, process performance indicators are used in measuring level 1, whilst generic capability indicators apply to all levels of the PAM.