It’s worth briefly considering the differences between a standard and a framework to set the context for this topic because each has different implications for use.
‘Standards’ are broadly defined as rules or characteristics established by a recognized body that provide for common and repeated use. The use of standards is typically mandated by policy. In many cases where an organization is required to adhere to (or ‘implement’) a standard, the requirement generally falls on the organization to consider the standard in its entirety, rather than just portions of the standard.
On the other hand, a ‘framework’ can be defined as a conceptual model consisting of defined components and clear relationships between those components. A framework should be (a) flexible, (b) allow for the addition of new content within the scope of the model, and (c) support the integration of related standards, frameworks, and regulations (this will be addressed in a later paper in this series).
So, at one level the differences are clear – a framework is optional while a standard will usually be mandated by policy. Importantly, a framework can accommodate certain changes in its basic ‘shape’ (or components), and will also allow for changes to the content of these components. There are also ways in which standards and frameworks are similar, such as the industry they are relevant to and the subject matter to which they apply.
To provide a little more context, the following are standards: ISO27001 and ISO31000. These next examples, on the other hand, are frameworks: SABSA, ITIL, COBIT 2019, TOGAF (now referred to as a standard by the Open Group), and the NIST Cybersecurity Framework.
To end this outline of standards and frameworks usage, it’s worth considering what a ‘requirement’ is under the law. For example, the GDPR (Article 32) requires in certain cases that organizations ‘… shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …’. An organization’s Data Protection policy is likely to define specific behavioral requirements or rules that must be met, and it will typically reference standards, procedures, and guidelines. Here we can see the difference between following mandated organizational requirements and choosing which framework to implement.
As we’re focussing on the use of COBIT 2019, we’ll be looking at different ways in which it can be used to suit a particular organization. For the avoidance of doubt, it’s worth repeating how COBIT 2019 defines itself as ‘a framework for the governance and management of enterprise information and technology aimed at the whole enterprise’.
COBIT 2019 has been constructed so that it can be used to understand the whole organization, not only in the sense of our earlier definition, but also in terms of providing a best-practice approach from which the relevant elements can be selected for use.
Importantly, we should recognize that it is very unlikely that organizations are completely devoid of any governance structures and processes regarding their information and technology. This brings us to a basic and recognized rule of thumb for COBIT 2019: that we should recognize what is already in place and adopt what has been, or currently is, successful, while at the same time identifying where we can improve areas by referencing and using COBIT 2019.
It’s worth saying that trying to implement everything that is available from the COBIT 2019 product family is probably not the best approach to start with, simply because you’ll end up focussing on the framework rather than the benefits that it will bring to your organization and stakeholders. In fact, COBIT 2019 itself recognizes this and suggests that, when looking at implementation, we should not consider too prescriptive an approach and instead use it as ‘a guide to avoid pitfalls, leverage the latest good practices, and assist in the creation of successful governance and management outcomes over time’.
Firstly, you should recognize that you’ll most likely need to design and implement a custom governance solution (based on COBIT 2019) simply because there is no one-size-fits-all approach. Equally, you must take into account your organization’s processes, structures, information flows, behaviors, culture, technologies, other frameworks, and so on. This will provide a unique view of your organization while still recognizing certain common requirements like threat management, changes in regulations or industries, etc. COBIT 2019 will help you understand these factors in terms of specific constructs called ‘design factors’ (not discussed in this paper).
The next step requires that you consider the COBIT 2019 Core Model, which contains some 40 generic governance and management objectives, related processes, and other very useful information including sample metrics and maturity targets. The Core Model should provide the basis for your understanding of where COBIT 2019 can help, as well as how its structure can help those just starting out to recognize and integrate other elements, guidance, and references to separate standards and frameworks.
Once you’ve understood the various elements of COBIT 2019, in particular the Core Model and the 11 Design Factors, and their impact (very useful for customizing COBIT 2019), you’ll then need to consider the four-phase governance system design workflow, which requires that you:
· Understand the enterprise context and strategy
· Determine the initial scope of the governance system
· Refine the scope of the governance system
· Finish the governance system design
This workflow is designed with 17 sub-steps that provide recommendations to help you prioritize what governance and management objectives you need to achieve, the target capability level that you should aim for in each area, and the customization or variants of each component that will need to be taken into account.
Once you’ve completed the design and prioritization stages, you would then move to the more detailed COBIT 2019 Implementation Guide. This provides insight into improvement initiatives from three perspectives:
- Program management
- Change enablement
- Continual improvement across seven phases
We are reminded in the framework that, to establish and use COBIT 2019 effectively, we should always consider the purpose of doing so, which is to establish normal business practices and a sustainable approach to governing and managing your information and technology.
To support all your efforts in establishing such a framework, you will also have available to you the COBIT 2019 Governance System Design Toolkit from ISACA, which supports the four-phase design workflow described above. This detailed toolkit helps you gauge the amount of detail required for the design of your governance system.
One last gem that COBIT 2019 provides is the Goals Cascade, which outlines a simple yet powerful technique for understanding how stakeholder needs are transformed into actionable strategies. Generic Enterprise Goals and Alignment Goals are provided (with mappings and a set of sample metrics). These two types of goals can be used to help prepare your organization for using COBIT 2019 effectively (remember that, as with most things in the framework, the goals are extensible and customizable to reflect the needs and requirements of your organization).
As with all governance and management, this will be specific to your organization. Taking into account the existing activities and structures that may already be working well in your organization, you should use COBIT 2019 to help you identify the most effective route forward without trying to be 100% compliant with the framework itself. COBIT 2019 is a framework that should be tailored to your organization to address its information and technology governance and management strategy. Just as importantly, COBIT 2019 will also help you sustain these over time.
Please note that we’re focussing on standards and frameworks to set the context for using COBIT 2019 and that a more complete discussion would include related concepts such as policies, guidelines, procedures, principles, regulations, etc.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
We’re using the term ‘areas’ here to mean a portion or part of something, because COBIT 2019 defines and uses the term ‘components’ in a specific way.
 See Chapter 4, COBIT 2019 Design Guide