
ISACA Strategy - AFAI General Meeting


Page 1

General Meeting, 15 January 2015

ISACA

AFAI

Patrick Stachtchenko, AFAI: 15 January 2015

Page 2

ISACA in brief : Membership

• 121 K as of 30 Nov 2014 (+4%)

– NA 55 K, Europe 32 K, Asia 25 K, LA 5 K, Oceania 4 K

– Europe 32 K

• UK 4,9 K

• Germany 2,4 K

• South Africa 2,3 K

• Nigeria 1,9 K

• Netherlands 1,7 K

• Spain 1,6 K

• Switzerland 1,4 K

• Italy 1,3 K

• Kenya 1,3 K

• Belgium 0,9 K

– France 0,9 K (not in the European top 10)

– More members in Québec, with a population 10X smaller

– Very strong growth potential

– Professional, Student (1,8K), Academic (0,8K), Retired Membership (0,3K)

Page 3

ISACA in brief : Certification

Candidates / Total

• CISA 19 K / 107 K

• CISM 5 K / 24 K

• CRISC 2 K / 17 K

• CGEIT 1 K / 6 K

• Since 2013, certificates offered: COBIT 5, Cybersecurity

• CISA offered in 11 languages

• 333 CISAs in France!

• Strong growth potential

Page 4

ISACA in brief : Education

• Conferences/Workshops in 5 regions

– CACS in each region

– EUROCACS 2014 Madrid

• 3-day conference (5 tracks)

• + 8 Workshops (1 or 2 days)

– Others : « COBIT 5 » (2 days), « Governance, Risk and Control » (3 days), ...

• Online training

– Webinars (1 h): > 35 webinars in 2014

• E.g. : Data Protection and Privacy: How what you don’t know can hurt you

– Virtual Conferences (1 day)

• Evolving Security for a Maturing Cloud

• Training Courses

– Training Weeks

– On-site training

– eLearning Campus

Page 5

ISACA in brief : Knowledge 2014

• White papers

– Issues that have just begun to, or will soon impact enterprise operations

• Research projects

• Knowledge Center

– Over 100 topics

– Discussions, Documents and Publications, Events and Online Learning, Journal Articles, User Contributed External Links, Wikis, Blog Posts

• Academia

– Model Curricula

– Teaching Material (for Academia advocates)

• eLibrary

– All ISACA publications

– 525 external books

• Career Center

Page 6

ISACA in brief : Knowledge 2014

• Deliver, Service and Support Audit/Assurance Programs 1-6 (25 p / process)

• A Global Look at IT Audit Best Practices (45 p)

• IT Control Objectives for Sarbanes Oxley using COBIT 5, 3rd Edition (142 p)

• Build, Acquire and Implement Audit/Assurance Programs 1-10 (25 p / process)

• Risk Scenarios Using COBIT 5 for Risk (294 p)

• Align, Plan and Organize Audit/Assurance Programs 1-13 (25 p / process)

• European Cybersecurity Implementation Series

– Overview (26 pages)

– Assurance (24 pages)

– Resilience (25 pages)

– Risk Guidance (24 pages)

– Audit/Assurance Program (47 pages)

Page 7

ISACA in brief : Knowledge 2014

• Cybersecurity : What the Board of Directors Needs to Ask? (20 p)

• Implementing the NIST Cybersecurity Framework (108 p)

• COBIT 5 Principles : Where did they come from? (12 p)

• Advanced Persistent Threat Awareness Study Results (20 p)

• ITAF 3rd Edition (148 p)

• Controls and Assurance in the Cloud : Using COBIT 5 (266 p)

• Relating the COSO Internal Control Integrated Framework and COBIT (22 p)

• Vendor Management Using COBIT 5 (178 p)

• Evaluate, Direct and Monitor Programs 1-5 (25 p / process)

• Generating Value from Big Data Analytics (12 p)

Page 8

ISACA in brief : Knowledge 2013

• Security as a Service (18 p)

• COBIT 5 : Enabling Information (90 p)

• Advanced Persistent Threats : How to manage the Risk to Your Business? (132 p)

• COBIT 5 for Risk (244 p)

• Configuration Management Using COBIT 5 (88 p)

• Privacy and Big Data (12 p)

• Transforming Cybersecurity (190 p)

• COBIT 5 for Assurance (318 p)

Page 9

ISACA in brief : Knowledge 2013

• Responding to Targeted Cyberattacks (88 p)

• Cloud Governance : Questions Boards of Directors Need to Ask? (9 p)

• Big Data : Impacts and Benefits (14 p)

• Software Assurance Audit/Assurance Program (35 p)

• Identity Management Audit/Assurance Program (40 p)

• COBIT Assessment Programme Using COBIT 5 (144 p)

• Outsourced IT Environments Audit/Assurance Program (39 p)

• Personally Identifiable Information Audit/Assurance Program (34 p)

Page 10

ISACA in brief : Knowledge 2015

• DevOps Series 1st Q

• Getting Started With Governance 1st Q

• Industrial Control Systems (ICS) 2nd Q

• Internal Controls 1st Q

• Operational Risk Management/Basel Using COBIT 5 ?

• PCI DSS (Payment Card Industry Data Security Standard) 1st Q

• Security, Audit and Control Features SAP ERP, 4th Edition 1st Q

• + Work of the committees and task forces (Emerging Business and Technology Committee, Privacy Task Force, Audit/Assurance Programs based on COBIT 5, etc.)

All of this knowledge is developed in accordance with the COBIT 5 principles

Page 11

ISACA in brief : Knowledge project organisation

• Board of Directors

• Strategy Advisory Council

• Knowledge Board

• Framework Committee

• Guidance and Practices Committee

• Emerging Business and Technology Committee

• Task Force

• Development Team

• Expert Reviewers

Page 12

ISACA in brief : Knowledge project organisation

Board of Directors

President Robert E Stroud, CGEIT, CRISC USA

VP Steven Babb, CGEIT, CRISC, ITIL United Kingdom

VP Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD Australia

VP Rob Clyde, CISM USA

VP Ramsés Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt Spain

VP Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA USA

VP R Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, COBIT 5 Foundation Accredited Trainer India

Director Debbie Lew, CISA, CRISC USA

Director Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, FHKITJC Hong Kong

Director Alexander Zapata Lenis, CISA, CGEIT, CRISC, COBIT Certified Assessor, COBIT 5 Implementation, PMP, ISO 22301 Lead Implementer, ITIL, ISO 27001 Foundations Mexico

PP Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA Australia

PP Greg Grocholski, CISA USA

Page 13

ISACA in brief : Knowledge project organisation

Governance Advisory Council

Chair Marios Damianides, CISA, CISM USA

Member Lynn Lawton, CISA, CRISC Russian Federation

Member Michael Cangemi USA

Member Gregory T. Grocholski, CISA USA

Member Jeff Spivey, CRISC USA

Member Robert E Stroud, CGEIT, CRISC USA

Member Tony Hayes, CGEIT Australia

Member Howard Nicholson, CISA, CGEIT, CRISC Australia

Page 14

ISACA in brief : Knowledge project organisation

Knowledge Board

Chair Steven Babb, CGEIT, CRISC United Kingdom

Member Sushil Chatterji, CGEIT Singapore

Member Rosemary Amato, CISA Netherlands

Member Neil Barlow, CISA, CISM, CRISC United Kingdom

Member Jamie Pasfield, CGEIT United Kingdom

Member Ivan Lopez, CISA, CISM Germany

Member Charlie Blanchard, CISA, CISM, CRISC USA

Member Phil Lageschulte, CGEIT USA

Member Anthony Noble, CISA USA

Page 15

ISACA in brief : Knowledge project organisation

Framework Committee

Chair Sushil Chatterji, CGEIT Singapore

Member Andre Pitkowski, CGEIT, CRISC Brasil

Member Sylvia Tosar, CGEIT Uruguay

Member Jimmy Heschl, CISA, CISM, CGEIT Austria

Member David Cau France (Lux)

Member Tichaona Zororo, CISA, CISM, CGEIT, CRISC South Africa

Member Joanne De Vito De Palma USA

Member Katherine McIntosh, CISA USA

Member Paras Shah, CISA, CGEIT, CRISC Australia

Page 16

ISACA in brief : Knowledge project organisation

Practices and Guidance Committee

Chair Phil James Lageschulte, CGEIT USA

Member Siang Jun Julia Yeo, CISA, CRISC Singapore

Member Aureo Monteiro Tavares da Silva, CISM, CGEIT Brasil

Member M. Yves Marcel Le Roux, CISM France

Member James Seaman, CISM, CRISC United Kingdom

Member Nikolaos Zacharopoulos, CISA Germany

Member John Erick Jasinski, CISA, CGEIT USA

Member Jotham Nyamari, CISA USA

Member Gurvinder P. Singh, CISA, CISM, CRISC Australia

Page 17

ISACA in brief : Knowledge project organisation

Emerging Business and Technology Committee

Chair Jamie Pasfield, CGEIT United Kingdom

Member William Gee, CISA, CRISC China

Member Victor Chapela, CRISC Mexico

Member Bhavesh Bhagat, CISM, CGEIT USA

Member Daniel Blum USA

Member Norman Marks USA

Member Usha Devarajah Australia

Page 18

ISACA in brief : Knowledge project organisation

Cybersecurity Task Force

Chair Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP USA

Member Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM Mexico

Member Sanjay Bahl, CISM, CIPP India

Member Neil Patrick Barlow, CISA, CISM, CRISC, CISSP UK

Member Brent Conran, CISA, CISM, CISSP USA

Member Derek Grocke Australia

Member Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP Spain

Member Marc Sachs USA

Page 19

ISACA in brief : Knowledge project organisation

Development Team

Lead Rolf M. von Roessing, CISA, CISM, CGEIT, CISSP, FBCI Switzerland

Member Vilius Benetis, Ph.D., CISA, CRISC Lithuania

Member Christos K. Dimitriadis Ph.D., CISA, CISM, CRISC Greece

Member Ivo Ivanovs, CISA, CISM, MCSE Latvia

Member Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP Spain

Member Charlie McMurdie UK

Member Andreas Teuscher, CISA, CGEIT, CRISC Germany

Page 20

ISACA in brief : Knowledge project organisation

Expert Reviewers

Expert Jesper Hansen, CISM, CRISC, CISSP, ESL Denmark

Expert Martins Kalkis, CISM Latvia

Expert Aare Reintam, CISA Estonia

Expert Andrea Rigoni UK

Expert Marc Vael Ph.D., CISA, CISM, CGEIT, CRISC, CISSP Belgium

Page 21

ISACA in brief : Journal

• Journal : 2014 and 2015 (60 pages per issue and 6 issues per year)

– Data Privacy

– The IS Audit Transformation

– Big Data

– Governance and Management of IT

– Mobile Devices

– Cybersecurity

– Analytics and Risk Intelligence

• In 2015, articles available every two weeks.

Page 22

ISACA in brief : Financial strength

• Revenues

– 47,0 M$ in 2013

– 43,5 M$ in 2012

• Certification 40%

• Membership 29%

• Education 16%

• Publications 9%

• Other 6%

• Results

– 6,9 M$ in 2013

– 7,7 M$ in 2012

• Reserves

– 72,0 M$ in 2013

– 65,1 M$ in 2012

Page 23

ISACA in brief, COBIT 5 : Global Governance Study 2014

Page 24

ISACA Strategy 2022

« By 2022, ISACA should become the foremost global organization on the topic of trust in and value from information and information systems, providing constituents with distinctive knowledge and services. ISACA must also provide an expanded set of offerings to help constituents and others enhance the governance and management of information and information systems assets in order to enhance trust in and capture optimal value from IS investments. »

Page 25

ISACA Strategy 2022 : Objectives

Page 26

ISACA Strategy 2022 : Targets

Page 27

ISACA : Governance structures

Governance

• ISACA Board of Directors and IT Governance Institute Board of Trustees

– Governance Advisory Council

– Strategic Advisory Council

– Finance Committee

– Leadership Development Committee

– Audit Committee

• Board and Committee Volunteers by Geographic Area:

– Area 1: Asia

– Area 2: Central and South America

– Area 3: Europe and Africa

– Area 4: North America

– Area 5: Oceania

Page 28

ISACA : Governance structures

Credentialing : Certification and Career Management Board

• CGEIT Certification Committee

– CGEIT Test Enhancement Subcommittee

• CISA Certification Committee

– CISA Test Enhancement Subcommittee

• CISM Certification Committee

– CISM Test Enhancement Subcommittee

• CRISC Certification Committee

– CRISC Test Enhancement Subcommittee

• Professional Standards and Career Management Committee

– Academic Program Subcommittee

Knowledge : Knowledge Board

• Knowledge Management and Education Committee

– Conference Program Development Subcommittee

– Publications Subcommittee

• Emerging Business and Technology Committee

• Framework Committee

• Guidance & Practices Committee

Relations : Relations Board

• Chapter Support Committee

• Communities Committee

• Young Professionals Subcommittee

• Enterprise Advocacy Committee

• Membership Growth & Retention Committee

• Student and Academic Subcommittee

• Professional Advocacy Committee

• ISO Liaison Subcommittee

• GRA Committee

• GRA Regional Subcommittee Area 1

• GRA Regional Subcommittee Area 2

• GRA Regional Subcommittee Area 3

• GRA Regional Subcommittee Area 4

• GRA Regional Subcommittee Area 5

+ Task Forces

Page 29

ISACA : Governance structures

316 people on the committees (excluding task forces, experts, etc.)

NA : 121, EU : 75, AS : 47, LA : 40, OC : 33

• USA 104

• Australia 28

• UK 20

• Canada 17

• India 12

• Singapore 9

• Mexico 9

• Germany 7

• Japan 7

• Argentina 7

• Brazil 7

• China 5

• South Africa 5

• Kenya 5

• 3 countries : 4 people

• 5 countries : 3 people

• 11 countries : 2 people

• France : 1 or 2 people

Page 30

COBIT 5

Copyright ISACA

Page 31

Illustration : Global view approach

– COBIT 5 Framework

• A Business Framework for the Governance and Management of Enterprise IT (94 p)

– COBIT 5 Enabler Guides

• Processes (37 IT processes) (230 p), Information (Business and IT) (90 p), …

– COBIT 5 Professional Guides

• Implementation (78 p) + Toolkit (17 files), Risk (244 p) and Risk Scenarios (294 p), Assurance (318 p), Security (220 p), …

– Practices and Guidance using COBIT 5

• Configuration Management (88 p), Vendor Management (178 p), ...

• COBIT Assessment Program : Model (144 p), Self Assessment (24 p), User Guide

– White Papers / Vision Series / Studies / Surveys

• Social Media, Business Benefits and Security, Governance and Assurance Perspectives (10 p)

• Cloud Computing, Business Benefits with Security, Governance and Assurance Perspectives (10 p)

• Big Data Impacts and Benefits (14 p), Top Business / Technology Issues Survey Results (34 p), …

– Professional Standards and Guidance

• ITAF, A Professional Practices Framework for IS Audit / Assurance, 3rd Edition (148 p)?

– Audit/Assurance Programs

• EDM/APO/DSS/BAI (25 p / process), Software Assurance (35 p), Outsourcing IT Environments (39 p), BYOD (39 p), …

– Knowledge Center (Over 100 topics : for each topic discussions, documents and publications, events, journal articles, external links, wikis, blog posts)

• Performance Management, Business Analytics, Casinos and Gambling, Solvency 2, OS/400, …

– COBIT Focus (4 x year) : COBIT Case studies, Articles, Updates, …

– COBIT 5 Online : Multiphase project. Capabilities for accessing, understanding and applying COBIT 5

Page 32

Illustration : Specific view approach, Information Security

– COBIT 5 Professional Guides

• Information Security (220 p)

– Practices and Guidance using COBIT 5

• Securing Mobile Devices (138 p), Transforming Cyber Security (190 p), European Cybersecurity Implementation Series (146 p), …

– White Papers / Vision Series / Studies / Surveys

• Cybersecurity : What the Board of Directors Needs to Ask? (20 p)

• Security as a Service: Business Benefits with Security, Governance and Assurance Perspectives (18 p)

• Business Continuity Management, Emerging Trends (15 p)

• Web Application Security, Business and Risk Considerations (16 p)

• Security Considerations for Cloud Computing (80 p)

• Advanced Persistent Threat Awareness Study Results (20 p), …

– Audit / Assurance programs

• VPN Security (33 p), Biometrics (47 p), Voice-over Internet Protocol (VoIP) (42 p), …

– Knowledge Center

• Security Tools, Physical Security, Network Security, …

– COBIT 5 Online

• Specific Security View

Page 33

COBIT 5 Deliverables : A Business Framework for the Governance and Management of Enterprise IT (94 pages)

• Executive Summary

• Overview of COBIT 5

• Principle 1 : Meeting Stakeholders Needs

• Principle 2 : Covering the Enterprise from End-to-end

• Principle 3 : Applying a Single Integrated Framework

• Principle 4 : Enabling a Holistic Approach

• Principle 5 : Separating Governance from Management

• Implementation Guidance

• The COBIT 5 Process Capability Model

• Appendices

Page 34

COBIT 5 Deliverables : A Business Framework for the Governance and Management of Enterprise IT

• Appendix A : References

• Appendix B : Detailed Mapping 17 Enterprise Goals – 17 IT-related Goals

• Appendix C : Detailed Mapping 17 IT-related Goals – 32 IT-related Processes

• Appendix D : 22 Stakeholder Needs and 17 Enterprise Goals

• Appendix E : Mapping of COBIT 5 with most relevant related standards and frameworks (ISO/IEC 38500, ITIL V3 2011 - ISO/IEC 20000, ISO/IEC 27000 Series, ISO/IEC 31000 Series, TOGAF, CMMI, PRINCE2)

• Appendix F : Comparison between COBIT 5 Information Reference Model and the COBIT 4.1 information criteria

• Appendix G : Detailed description of COBIT 5 Enablers

• Appendix H : Glossary

• Appendix G : Detailed description of COBIT 5 Enablers

• Introduction

• COBIT 5 Enabler : Principles, Policies and Frameworks

• COBIT 5 Enabler : Processes

• COBIT 5 Enabler : Organisational Structures

• COBIT 5 Enabler : Culture, Ethics and Behaviour

• COBIT 5 Enabler : Information

• COBIT 5 Enabler : Services, Infrastructures and Applications

• COBIT 5 Enabler : People, Skills and Competencies

Page 35

COBIT 5 Deliverables : Enabling Processes (230 pages)

• Introduction

• The Goals Cascade and Metrics for Enterprise Goals and IT-related Goals

– COBIT 5 Goals Cascade : Stakeholders Drivers, Stakeholders Needs, Enterprise Goals, IT Goals, Enabler Goals

– Using the COBIT 5 Goals Cascade

– Metrics : Enterprise, IT

• The COBIT 5 Process Model

– Enabler Performance Management

• The COBIT 5 Process Reference Model

– Governance and Management Processes (5 governance processes and 32 management processes)

– Reference Model

• COBIT 5 Process Reference Guide Contents

– Generic Guidance for Processes :

• EDM : Evaluate, Direct and Monitor

• APO : Align, Plan and Organize

• BAI : Build, Acquire and Implement

• DSS : Deliver, Service and Support

• MEA : Monitor, Evaluate and Assess

• Appendix A : Mapping between COBIT 5 and legacy ISACA Frameworks (COBIT 4.1, Val IT 2.0, Risk IT Management Practices)

• Appendix B : Detailed Mapping 17 Enterprise Goals and 17 IT-related Goals

• Appendix C : Detailed Mapping 17 IT-related Goals and 37 IT-related Processes

• 129 IT Process Goals

• 266 IT Process Goal Metrics

• 207 IT Practices

• 26 business and IT roles in IT Practices

• 1108 IT Activities

17 Enterprise Goals, 17 IT-related Goals, 59 IT-related Goals metrics

Page 36

COBIT 5 Deliverables : Enabling Processes

• Process identification : Label, Name, Area, Domain

• Process description

• Process purpose statement

• IT goals and metrics supported

• 17 IT Goals, 59 IT-related Goals Metrics

• Process goals and metrics

• Governance : 15 IT Process Goals and 37 IT Process Goal metrics

• Management : 114 IT Process Goals and 229 IT Process Goal metrics

• RACI chart

• 26 Business and IT Roles concerned with the 207 IT Practices

• Detailed description of the process practices

• Description, inputs and outputs with origin/destination, activities

• Governance : 12 IT Governance Practices and 79 IT Governance Activities

• Management : 195 IT Management Practices and 1029 IT Management Activities

• Related guidance

Page 37

COBIT 5 Deliverables : Enabling Information (90 pages)

• Introduction: Benefits, Target Audience, Prerequisite Knowledge, Overview and Scope

• COBIT 5 Principles applied to Information

– COBIT 5 Principles

• Goals Cascade for the Enterprise (Function Goals)

• Examples of Information Items that support the Enterprise Value Chain Goals (Governance, Management and Operations Items for 8 Functional areas : Human Resources (22 items), Procurement (20 items), …)

• Examples of Information Items supporting IT-related Goals (Quality Criteria, Related Metrics) (69 items)

• The COBIT 5 Information Model

– COBIT 5 Information Model Overview

• Information Stakeholders : Examples for Customer Data (8), IT Strategy (8), Supply Chain Software Specification Document (6), Hospital Patient Records (9) (Description, Stakes)

• Information Goals : Examples for each of the 15 information quality criteria

• Lifecycle : Examples for Supplier Information, Retention Requirements, IT Change Management Data

• Good Practices : Examples for the 11 information attributes

– Additional Examples of COBIT 5 Information Model Use

• 5 sample use cases : Building IS Specifications, Definition of Information Protection Requirements, etc.

• Comprehensive Information Item Description : Illustration for Risk Profile (Lifecycle and stakeholders, Goals, Good Practices, Link to other enablers)

• Addressing Information Governance and Management Issues Using COBIT 5

– Information Governance and Management Issues Reviewed in this Chapter (9 issues)

• For each Issue : Issue Description and Business Context, Affected Information, Affected Goals, Enablers to Address the Issue

• Appendix A : Reference to other Guidance (DAMA-DMBOK Framework, ISO 15489-1:2001)

• Appendix B : Example Information Items Supporting Functional Area Goals (8 areas, 179 items)

• Appendix C : Example Information Items Supporting IT-related Goals (1 area, 69 items)

Page 38

COBIT 5 Deliverables : Information Security (220 pages)

• Executive Summary: Introduction, Drivers, Benefits, Target Audience, Conventions

• Information Security

• Information Security Defined

• COBIT 5 Principles

• Using COBIT 5 Enablers for Implementing Information Security in Practice

• Introduction

• Enabler : Principles, Policies and Frameworks

• Enabler : Processes

• Enabler : Organizational Structures

• Enabler : Culture, Ethics and Behaviour

• Enabler : Information

• Enabler : Services, Infrastructure and Applications

• Enabler : People, Skills and Competencies

• Adapting COBIT 5 for Information Security to the Enterprise Environment

• Introduction

• Implementing Information Security Initiatives

• Using COBIT 5 to connect to other frameworks, models, good practices and standards

• Appendix A to G : Detailed Guidance for each of the 7 categories of enablers

• Appendix H : Detailed Mappings

• Acronyms, Glossary

Page 39

COBIT 5 Deliverables : Information Security

• Appendix A Detailed Guidance : Principles, Policies and Frameworks

• 3 high level security principles with 12 elements : Objective and description

• 13 types of policies : scope, validity, goals (5 driven by security function, 8 driven by other functions)

• Appendix B Detailed Guidance Processes (see next page)

• Appendix C Detailed Guidance : Organizational Structures

• 5 types of security-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs

• Appendix D Detailed Guidance : Culture, Ethics and Behaviour

• 8 types of security-related expected behaviours

• Appendix E Detailed Guidance : Information

• 34 types of security-related information stakeholders

• 10 types of security-related information : goals, life cycle, good practice

• Appendix F Detailed Guidance : Services, Infrastructure and Applications

• 10 types of security services : 27 security-related service capabilities (supporting technology, benefit, quality goal, metric)

• Appendix G Detailed Guidance : People, Skills and Competencies

• 7 types of security set of skills and competencies : description, experience, education, qualifications, knowledge, technical skills, behavioural skills, related role structure

• Appendix H Detailed Mappings (ISO/IEC 27001, ISO/IEC 27002, ISF, NIST)

Page 40

COBIT 5 Deliverables : Information Security Processes Enabler

• Process Identification : Label, Name, Area, Domain

• Process Description

• Process Purpose Statement

• Security-specific Process Goals and Metrics

• Governance : 8 Security Process Goals and 17 Security Process Goals related Metrics

• Management : 71 Security Process Goals and 137 Security Process Goals related Metrics

• Security-specific Process Practices, Inputs/Outputs and Activities

• Description of governance/management practice, security-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, security-specific activities in addition to COBIT 5 activities

• Governance : 12 Security Governance Practices and 31 Security Governance Activities

• Management : 176 Security Management Practices and 347 Security Management Activities

• Related Guidance

Page 41

COBIT 5 Deliverables : Risk (244 pages)

• Executive Summary: Introduction, Terminology, Drivers, Benefits, Target Audience, Overview and Guidance on use of Publication, Prerequisite Knowledge

• Risk and Risk Management

• The Governance Objective : Value Creation

• Risk : Risk Categories, Risk Duality, Interrelationship between Inherent, Current and Residual Risk

• Scope of Publication (Two Perspectives on Risk : Risk Function and Risk Management Perspectives)

• Applying the COBIT 5 Principles to Managing Risks

• The Risk Function Perspective

• Introduction to Enablers

• The 7 Enablers

• The Risk Management Perspective and using COBIT 5 Enablers

• Core Risk Processes

• Risk Scenarios

• Generic Risk Scenarios

• Risk Aggregation

• Risk Response

• How this Publication Aligns with Other Standards

• ISO 31000, ISO/IEC 27005:2011, COSO ERM

• Appendix A : Glossary

• Appendix B : Detailed Risk Governance and Management Enablers

• Appendix C : Core Risk Management Processes

• Appendix D : Using COBIT 5 Enablers to Mitigate IT Risk Scenarios (20 scenarios)

• Appendix E : Comparison of Risk IT with COBIT 5

• Appendix F : Comprehensive Risk Scenario Template

Page 42

COBIT 5 Deliverables : Risk

• Appendix A. Detailed Guidance : Principles, Policies and Frameworks

• 7 high level risk principles : Principle and Explanation

• 18 types of risk policies : Scope, Validity, Management Commitment and Accountability, Risk Governance, Risk Management Framework

• Appendix B. Detailed Guidance Processes (see next page)

• 12 key risk function supporting processes

• 2 key risk management supporting processes

• Appendix C. Detailed Guidance : Organizational Structures

• 5 key risk-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs

• 17 other relevant structures for Risk : Description, Role in risk process

• Appendix D. Detailed Guidance : Culture, Ethics and Behavior

• 8 types of general behavior, 8 types of risk professional behavior, 7 types of management behavior

• Appendix E. Detailed Guidance : Information

• 13 types of risk related information items : stakeholders, stakes, goals, life cycle, good practices, links to other enablers

• Appendix F. Detailed Guidance : Services, Infrastructure and Applications

• 6 types of risk services (description, goal, benefit, good practice, stakeholders, metric)

• 3 types of risk infrastructure (description), 5 types of risk applications (description)

• Appendix G. Detailed Guidance : People, Skills and Competencies

• 11 types of risk set of skills and competencies (description) and 2 risk roles (description, experience, education, qualifications, knowledge, technical skills, behavioral skills, related role structure)

Page 43

COBIT 5 Deliverables : Risk

• Process Identification : Label, Name, Area, Domain

• Process Description

• Process Purpose Statement

• Risk-specific Process Goals and Metrics

• Risk Function

• Governance : 5 Risk Process Goals and 12 Risk Process Goals related Metrics

• Management : 14 Risk Process Goals and 24 Risk Process Goals related Metrics

• Risk-specific Process Practices, Inputs/Outputs and Activities

• Description of governance/management practice, risk-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, risk-specific activities in addition to COBIT 5 activities

• Risk Function

• Governance : 9 Risk Governance Practices and 28 Risk Governance Activities

• Management : 50 Risk Management Practices and 80 Risk Management Activities

• Risk Management

• Governance : 2 Risk Governance Practices and 12 Risk Governance Activities (69 actions)

• Management : 6 Risk Management Practices and 26 Risk Management Activities (103 actions)

Page 44

COBIT 5 Deliverables : Assurance (318 pages)

• Executive Summary: Introduction and Objectives, Drivers, Benefits, Target Audience, Document Overview and Guidance on its use, Prerequisite Knowledge

• Assurance

• Assurance defined : 3 party relationship, subject matter, suitable criteria, execution, conclusion

• Scope of Publication: Two Perspectives, Assurance Function and Assurance

• Principles of providing Assurance (Engagement types)

• Assurance Function Perspective : Using COBIT 5 Enablers for Governing and Managing an Assurance Function

• Introduction to Enablers

• The 7 Enablers

• Assessment Perspective : Providing Assurance Over a Subject Matter

• Core Assurance Processes

• Introduction and Overview of the Assessment Approach

• Determine the scope of the Assurance Initiative (Phase A)

• 3 aspects to be taken into account (stakeholders, goals, 7 enablers), 14 steps, an example

• Understand the Enablers, Set Suitable Assessment Criteria and Perform the Assessment (Phase B)

• Achievement of goals (2 steps), 7 enablers (37 steps)• Generic Approach for Communicating on an Assurance Initiative (Phase C)

• 2 aspects (document and communicate) and 5 steps

• How this publication relates to other Standards• ITAF, 2nd Edition, International Professional Practices Framework (IPPF) for Internal Auditing

Standards 2013, Statement on Standards for Attestation Engagements N° 16 (SSAE 16)

• Appendix A : Glossary

• Appendix B : Detailed Enablers For Assurance Governance and Management

• Appendix C : Core Assurance Processes

• Appendix D : Example Audit / Assurance Programmes (3 examples : Change Management, Risk Management, BYOD)

44Patrick Stachtchenko AFAI : 15 janvier 2015

Page 45: Stratégie ISACA - AG AFAI

COBIT 5 Deliverables : Assurance

• Appendix A. Detailed Guidance : Principles, Policies and Frameworks

– 4 areas : Covered by ITAF, 2nd Edition (18 sections of ITAF)

• Appendix B. Detailed Guidance : Processes (see next page)

– 11 key processes supporting assurance provisioning
– 3 key core assurance processes

• Appendix C. Detailed Guidance : Organizational Structures

– 4 key assurance-related organizational structures : Composition, Mandate, Operating principles, Span of control, Authority level, Delegation rights, Escalation path, RACI chart, Inputs/Outputs
– 12 other relevant structures for Assurance : Description, Stake in Assurance provisioning

• Appendix D. Detailed Guidance : Culture, Ethics and Behavior

– 5 types of enterprise wide behavior, 8 types of assurance professional behavior, 10 types of management behavior : Behavior, Key Objective/Suitable criteria/outcome, Communication/Enforcement actions, Incentives and rewards actions, Raising awareness actions

• Appendix E. Detailed Guidance : Information

– 18 types of information items supporting assurance : stakeholders, stakes, goals, life cycle, good practices, links to other enablers
– 5 types of additional information items input : description

• Appendix F. Detailed Guidance : Services, Infrastructure and Applications

– 8 types of assurance services (description, goal, benefit, good practice, stakeholders)
– 8 types of assurance supporting applications (description, goal, benefit, good practice, stakeholders)

• Appendix G. Detailed Guidance : People, Skills and Competencies

– 16 types of assurance set of skills and competencies : description, experience, education, qualifications, knowledge, technical skills, behavioral skills

Page 46: Stratégie ISACA - AG AFAI

COBIT 5 Deliverables : Assurance

• Process Identification : Label, Name, Area, Domain

• Process Description

• Process Purpose Statement

• Assurance-specific Process Goals and Metrics

– Processes Supporting Assurance Provisioning
• Governance : 8 Assurance Process Goals and 11 Assurance Process Goals related Metrics
• Management : 11 Assurance Process Goals and 19 Assurance Process Goals related Metrics

– Core Assurance Processes
• Management : 11 Assurance Process Goals and 17 Assurance Process Goals related Metrics

• Assurance-specific Process Practices, Inputs/Outputs and Activities

– Description of governance/management practice, assurance-specific inputs and outputs in addition to COBIT 5 inputs and outputs with origin/destination, assurance-specific activities in addition to COBIT 5 activities

– Processes Supporting Assurance Provisioning
• Governance : 9 Assurance Governance Practices and 28 Assurance Governance Activities
• Management : 50 Assurance Management Practices and 80 Assurance Management Activities

– Core Assurance Processes
• Management : 17 Core Assurance Practices and 88 Core Assurance Activities (124 actions)

Page 47: Stratégie ISACA - AG AFAI

COBIT 5 Deliverables : Implementation (78 pages)

• Introduction

• Positioning GEIT

• Taking the first steps towards GEIT

• Identifying implementation challenges and success factors

• Enabling change

• Implementation life cycle tasks, roles and responsibilities

• Using the COBIT 5 components

• Appendix A : Mapping Pain Points to COBIT 5 Processes

• Appendix B : Example Decision Matrix

• Appendix C : Mapping Example Risk Scenarios to COBIT 5 Processes

• Appendix D : Example Business Case

• Appendix E : COBIT 4.1 Maturity Attribute Table


Page 48: Stratégie ISACA - AG AFAI

COBIT 5 Deliverables : Securing Mobile Devices (138 pages)

• Introduction : What is a mobile device? Mobile Device Use – Past Present Future

• Mobile Device Impact on Business and Society : Mobility and Flexibility, Patterns of Work, Organizational Perimeter, Other Impacts

• Threats, Vulnerabilities and Associated Risks : Physical, Organizational, Technical

• Security Governance : Business Case, Standardized Enterprise Solutions, BYOD, Combined Scenario, Private Use of Mobile Devices, Defining the Business Case

• Security Management for Mobile Devices : Categories and Classification, Existing Security Controls, 7 Enablers

• Hardening Mobile Devices : Device and SIM card, Permanent Storage, Removable Storage and Devices, Connectivity, Remote Functionality

• Mobile Device Security Assurance: Auditing and Reviewing Mobile Devices, Investigation and Forensics for Mobile Devices

• Guiding Principles for Mobile Device Security : 8 principles

• Appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security

• Appendix B. Hardening Mobile Devices

• Appendix C. Sample Audit Steps in Forensics and Investigation


Page 49: Stratégie ISACA - AG AFAI

COBIT 5 Online

ISACA has begun a project to create a replacement for COBIT Online, which will support COBIT 5.

The new online service will include features such as :

• Access to publications in the COBIT 5 product family

• Access to other, non-COBIT, ISACA content and current, relevant GEIT material

• Ability to customize COBIT to fit the needs of your enterprise with access for multiple users

• Access to tools : Goals planner, RACI Planner,…

These capabilities will be made available in a phased schedule, providing greater functionality through the course of the year-long rollout.

Copyright ISACA