COBIT 4.1 to COBIT 5 mapping
COBIT 5 process/practice IDs: DSS06.02 DSS06.03 BAI03.02 BAI03.03 BAI03.05 BAI03.07 DSS06.02 DSS06.02 DSS06.02 DSS06.02 DSS06.02 EDM02 APO02.01 APO02.02 APO02.03 APO02.04 APO02.05 APO02.05 APO05.05 APO03.02 APO03.02 APO03.02 APO01.06 APO02.03 APO04.03 APO02.03 APO02.04 APO02.05 APO04.03 APO04.04 APO04.05 EDM01.01 APO04.03 APO03.05
PO3.5 PO4.1 PO4.1 PO4.2 PO4.3 PO4.4 PO4.5 PO4.6 PO4.7 PO4.8 PO4.9 PO4.10 PO4.11 PO4.11 PO4.12 PO4.13 PO4.14 PO4.15 PO5.1 PO5.2 PO5.3 PO5.4 PO5.4 PO5.5 PO6.1 PO6.2 PO6.2 PO6.3 PO6.3 PO6.4 PO6.4 PO6.5 PO7.1 PO7.2 PO7.2 PO7.3
PO3.5 IT Architecture Board
PO4.1 IT Process Framework
PO4.1 IT Process Framework
PO4.2 IT Strategy Committee
PO4.3 IT Steering Committee
PO4.4 Organisational Placement of the IT Function
PO4.5 IT Organisational Structure
PO4.6 Establishment of Roles and Responsibilities
PO4.7 Responsibility for IT Quality Assurance
PO4.8 Responsibility for Risk, Security and Compliance
PO4.9 Data and System Ownership
PO4.10 Supervision
PO4.11 Segregation of Duties
PO4.11 Segregation of Duties
PO4.12 IT Staffing
PO4.13 Key IT Personnel
PO4.14 Contracted Staff Policies and Procedures
PO4.15 Relationships
PO5.1 Financial Management Framework
PO5.2 Prioritisation Within IT Budget
PO5.3 IT Budgeting
PO5.4 Cost Management
PO5.4 Cost Management
PO5.5 Benefit Management
PO6.1 IT Policy and Control Environment
PO6.2 Enterprise IT Risk and Control Framework
PO6.2 Enterprise IT Risk and Control Framework
PO6.3 IT Policies Management
PO6.3 IT Policies Management
PO6.4 Policy, Standards and Procedures Rollout
PO6.4 Policy, Standards and Procedures Rollout
PO6.5 Communication of IT Objectives and Direction
PO7.1 Personnel Recruitment and Retention
PO7.1 Personnel Recruitment and Retention
PO7.2 Personnel Competencies
PO7.3 Staffing of Roles
APO01.06 APO01.02 APO01.02 DSS08.02 APO07.01 APO07.02 APO07.06 APO01.01 APO06.01 APO06.02 APO06.03 APO06.04 APO06.05 APO05.06 APO01.03 EDM03.02 APO01.03 APO01.03 APO01.08 APO01.03 APO01.08 APO01.04 APO07.01 APO07.05 APO07.03 APO01.02
COBIT 4.1 control objective | COBIT 5 process/practice
PO7.3 Staffing of Roles | APO07.01
PO7.4 Personnel Training | APO07.03
PO7.5 Dependence Upon Individuals | APO07.02
PO7.6 Personnel Clearance Procedures | APO07.01
PO7.6 Personnel Clearance Procedures | APO07.06
PO7.7 Employee Job Performance Evaluation | APO07.04
PO7.8 Job Change and Termination | APO07.01
PO8.1 Quality Management System | APO11.01
PO8.2 IT Standards and Quality Practices | APO11.02
PO8.3 Development and Acquisition Standards | APO11.02
PO8.3 Development and Acquisition Standards | APO11.05
PO8.4 Customer Focus | APO11.03
PO8.5 Continuous Improvement | APO11.06
PO8.6 Quality Measurement, Monitoring and Review | APO11.04
PO9.1 IT Risk Management Framework | EDM03.02
PO9.1 IT Risk Management Framework | APO01.03
PO9.2 Establishment of Risk Context | APO12.03
PO9.3 Event Identification | APO12.01
PO9.3 Event Identification | APO12.03
PO9.4 Risk Assessment | APO12.02
PO9.4 Risk Assessment | APO12.04
PO9.5 Risk Response | APO12.06
PO9.6 Maintenance and Monitoring of a Risk Action Plan | APO12.04
PO9.6 Maintenance and Monitoring of a Risk Action Plan | APO12.05
PO10.1 Programme Management Framework | BAI01.01
PO10.2 Project Management Framework | BAI01.01
PO10.3 Project Management Approach | BAI01.01
PO10.4 Stakeholder Commitment | BAI01.03
PO10.5 Project Scope Statement | BAI01.07
PO10.6 Project Phase Initiation | BAI01.07
PO10.7 Integrated Project Plan | BAI01.08
PO10.8 Project Resources | BAI01.08
PO10.9 Project Risk Management | BAI01.10
PO10.10 Project Quality Plan | BAI01.09
PO10.11 Project Change Control | BAI01.11
PO10.12 Project Planning of Assurance Methods | BAI01.08
PO10.13 Project Performance Measurement, Reporting and Monitoring | BAI01.06
PO10.13 Project Performance Measurement, Reporting and Monitoring | BAI01.11
PO10.14 Project Closure | BAI01.13
AI1.1 Definition and Maintenance of Business Functional and Technical Requirements | BAI02.01
AI1.2 Risk Analysis Report | BAI02.03
AI1.3 Feasibility Study and Formulation of Alternative Courses of Action | BAI02.02
AI1.4 Requirements and Feasibility Decision and Approval | BAI02.04
AI2.1 High-level Design | BAI03.01
AI2.2 Detailed Design | BAI03.02
AI2.3 Application Control and Auditability | BAI03.05
AI2.4 Application Security and Availability | BAI03.01
AI2.4 Application Security and Availability | BAI03.02
AI2.4 Application Security and Availability | BAI03.03
AI2.4 Application Security and Availability | BAI03.05
AI2.5 Configuration and Implementation of Acquired Application Software | BAI03.03
AI2.5 Configuration and Implementation of Acquired Application Software | BAI03.05
AI2.6 Major Upgrades to Existing Systems | BAI03.10
AI2.7 Development of Application Software | BAI03.03
AI2.7 Development of Application Software | BAI03.04
AI2.8 Software Quality Assurance | BAI03.06
AI2.9 Applications Requirements Management | BAI03.09
AI2.10 Application Software Maintenance | BAI03.10
AI3.1 Technological Infrastructure Acquisition Plan | BAI03.04
AI3.2 Infrastructure Resource Protection and Availability | BAI03.03
AI3.2 Infrastructure Resource Protection and Availability | DSS02.03
AI3.3 Infrastructure Maintenance | BAI03.10
AI3.4 Feasibility Test Environment | BAI03.07
AI3.4 Feasibility Test Environment | BAI03.08
AI4.1 Planning for Operational Solutions | BAI05.05
AI4.2 Knowledge Transfer to Business Management | BAI08.01
AI4.2 Knowledge Transfer to Business Management | BAI08.02
AI4.2 Knowledge Transfer to Business Management | BAI08.03
AI4.2 Knowledge Transfer to Business Management | BAI08.04
AI4.3 Knowledge Transfer to End Users | BAI08.01
AI4.3 Knowledge Transfer to End Users | BAI08.02
AI4.3 Knowledge Transfer to End Users | BAI08.03
AI4.3 Knowledge Transfer to End Users | BAI08.04
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.01
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.02
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.03
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.04
AI5.1 Procurement Control | BAI03.04
AI5.2 Supplier Contract Management | APO10.01
AI5.2 Supplier Contract Management | APO10.03
AI5.3 Supplier Selection | APO10.02
AI5.4 IT Resources Acquisition | APO10.03
AI6.1 Change Standards and Procedures | BAI06.01
AI6.1 Change Standards and Procedures | BAI06.02
AI6.1 Change Standards and Procedures | BAI06.03
AI6.1 Change Standards and Procedures | BAI06.04
AI6.2 Impact Assessment, Prioritisation and Authorisation | BAI06.01
AI6.3 Emergency Changes | BAI06.02
AI6.4 Change Status Tracking and Reporting | BAI06.03
AI6.5 Change Closure and Documentation | BAI06.04
AI7.1 Training | BAI05.05
AI7.2 Test Plan | BAI07.01
AI7.2 Test Plan | BAI07.03
AI7.3 Implementation Plan | BAI07.01
AI7.4 Test Environment | BAI07.04
AI7.5 System and Data Conversion | BAI07.02
AI7.6 Testing of Changes | BAI07.05
AI7.7 Final Acceptance Test | BAI07.05
AI7.8 Promotion to Production | BAI07.06
AI7.9 Post-implementation Review | BAI07.08
DS1.1 Service Level Management Framework | APO09.01
DS1.1 Service Level Management Framework | APO09.02
DS1.1 Service Level Management Framework | APO09.03
DS1.1 Service Level Management Framework | APO09.04
DS1.1 Service Level Management Framework | APO09.05
DS1.1 Service Level Management Framework | APO09.06
DS1.2 Definition of Services | APO09.01
DS1.2 Definition of Services | APO09.01
DS1.2 Definition of Services | APO09.01
DS1.3 Service Level Agreements | APO09.04
DS1.4 Operating Level Agreements | APO09.04
DS1.5 Monitoring and Reporting of Service Level Achievements | APO09.05
DS1.6 Review of Service Level Agreements and Contracts | APO09.06
DS2.1 Identification of All Supplier Relationships | APO10.01
DS2.2 Supplier Relationship Management | APO10.03
DS2.3 Supplier Risk Management | APO10.04
DS2.4 Supplier Performance Monitoring | APO10.05
DS3.1 Performance and Capacity Planning | BAI04.03
DS3.2 Current Performance and Capacity | BAI04.01
DS3.2 Current Performance and Capacity | BAI04.02
DS3.3 Future Performance and Capacity | BAI04.01
DS3.4 IT Resources Availability | BAI04.05
DS3.5 Monitoring and Reporting | BAI04.04
DS4.1 IT Continuity Framework | DSS04.01
DS4.1 IT Continuity Framework | DSS04.02
DS4.2 IT Continuity Plans | DSS04.03
DS4.3 Critical IT Resources | DSS04.04
DS4.4 Maintenance of the IT Continuity Plan | DSS04.02
DS4.4 Maintenance of the IT Continuity Plan | DSS04.06
DS4.5 Testing of the IT Continuity Plan | DSS04.05
DS4.6 IT Continuity Plan Training | DSS04.07
DS4.7 Distribution of the IT Continuity Plan | DSS04.03
DS4.8 IT Services Recovery and Resumption | DSS04.04
DS4.9 Offsite Backup Storage | DSS04.08
DS4.10 Post-resumption Review | DSS04.09
DS5.1 Management of IT Security | APO13.01
DS5.1 Management of IT Security | APO13.03
DS5.2 IT Security Plan | APO13.02
DS5.3 Identity Management | DSS05.04
DS5.4 User Account Management | DSS05.04
DS5.5 Security Testing, Surveillance and Monitoring | DSS05.07
DS5.6 Security Incident Definition | DSS02.01
DS5.7 Protection of Security Technology | DSS05.05
DS5.8 Cryptographic Key Management | DSS05.03
DS5.9 Malicious Software Prevention, Detection and Correction | DSS05.01
DS5.10 Network Security | DSS05.02
DS5.11 Exchange of Sensitive Data | DSS05.02
DS6.1 Definition of Services | APO06.04
DS6.2 IT Accounting | APO06.01
DS6.3 Cost Modelling and Charging | APO06.04
DS6.4 Cost Model Maintenance | APO06.04
DS7.1 Identification of Education and Training Needs | APO07.03
DS7.2 Delivery of Training and Education | APO07.03
DS7.3 Evaluation of Training Received | APO07.03
DS8.1 Service Desk | Deleted
DS8.2 Registration of Customer Queries | DSS02.01
DS8.2 Registration of Customer Queries | DSS02.02
DS8.2 Registration of Customer Queries | DSS02.03
DS8.3 Incident Escalation | DSS02.04
DS8.4 Incident Closure | DSS02.05
DS8.4 Incident Closure | DSS02.06
DS8.5 Reporting and Trend Analysis | DSS02.07
DS9.1 Configuration Repository and Baseline | BAI10.01
DS9.1 Configuration Repository and Baseline | BAI10.02
DS9.1 Configuration Repository and Baseline | BAI10.04
DS9.1 Configuration Repository and Baseline | DSS02.01
DS9.2 Identification and Maintenance of Configuration Items | BAI10.03
DS9.3 Configuration Integrity Review | BAI10.04
DS9.3 Configuration Integrity Review | BAI10.05
DS9.3 Configuration Integrity Review | DSS02.05
DS10.1 Identification and Classification of Problems | DSS03.01
DS10.2 Problem Tracking and Resolution | DSS03.02
DS10.3 Problem Closure | DSS03.03
DS10.3 Problem Closure | DSS03.04
DS10.4 Integration of Configuration, Incident and Problem Management | DSS03.05
DS11.1 Business Requirements for Data Management | DSS01.01
DS11.2 Storage and Retention Arrangements | DSS04.08
DS11.2 Storage and Retention Arrangements | DSS06.04
DS11.3 Media Library Management System | DSS04.08
DS11.4 Disposal | DSS05.08
DS11.5 Backup and Restoration | DSS04.08
DS11.6 Security Requirements for Data Management | DSS01.01
DS11.6 Security Requirements for Data Management | DSS05.08
DS11.6 Security Requirements for Data Management | DSS06.05
DS12.1 Site Selection and Layout | DSS01.04
DS12.1 Site Selection and Layout | DSS01.05
DS12.1 Site Selection and Layout | DSS05.05
DS12.2 Physical Security Measures | DSS05.05
DS12.3 Physical Access | DSS05.05
DS12.4 Protection Against Environmental Factors | DSS01.04
DS12.5 Physical Facilities Management | DSS01.05
DS13.1 Operations Procedures and Instructions | DSS01.01
DS13.2 Job Scheduling | DSS01.01
DS13.3 IT Infrastructure Monitoring | DSS01.03
DS13.4 Sensitive Documents and Output Devices | DSS05.06
DS13.5 Preventive Maintenance for Hardware | BAI09.02
ME1.1 Monitoring Approach | MEA01.01
ME1.2 Definition and Collection of Monitoring Data | MEA01.02
ME1.2 Definition and Collection of Monitoring Data | MEA01.03
ME1.3 Monitoring Method | MEA01.03
ME1.4 Performance Assessment | MEA01.04
ME1.5 Board and Executive Reporting | MEA01.04
ME1.6 Remedial Actions | MEA01.05
ME2.1 Monitoring of Internal Control Framework | MEA02.01
ME2.1 Monitoring of Internal Control Framework | MEA02.02
ME2.2 Supervisory Review | MEA02.01
ME2.3 Control Exceptions | MEA02.04
ME2.4 Control Self-assessment | MEA02.03
ME2.5 Assurance of Internal Control | MEA02.06
ME2.5 Assurance of Internal Control | MEA02.07
ME2.5 Assurance of Internal Control | MEA02.08
ME2.6 Internal Control at Third Parties | MEA02.01
ME2.7 Remedial Actions | MEA02.04
ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements | MEA03.01
ME3.2 Optimisation of Response to External Requirements | MEA03.02
ME3.3 Evaluation of Compliance With External Requirements
ME3.4 Positive Assurance of Compliance
ME3.5 Integrated Reporting
ME4.1 Establishment of an IT Governance Framework
ME4.2 Strategic Alignment
ME4.3 Value Delivery
ME4.4 Resource Management
ME4.5 Risk Management
ME4.6 Performance Measurement
ME4.6 Performance Measurement
ME4.6 Performance Measurement
ME4.6 Performance Measurement
ME4.7 Independent Assurance
ME4.7 Independent Assurance
ME4.7 Independent Assurance
ME4.7 Independent Assurance
EDM02 EDM04 EDM03 EDM01.03; EDM02.03; EDM03.03; EDM04.03 MEA02.05 MEA02.06 MEA02.07 MEA02.08
PO2.1 Enterprise Information Architecture Model
PO2.2 Enterprise Data Dictionary and Data Syntax Rules
PO2.3 Data Classification Scheme
COBIT 5 to CobiT 4 mapping

COBIT 5 process/practice | COBIT 4.1 control objective
APO03.05 Provide enterprise architecture services. | PO3.4 Technology Standards
APO04 Manage Innovation
APO04.01 Create an environment conducive to innovation. |
APO04.02 Maintain an understanding of the enterprise environment. |
APO04.03 Monitor and scan the technology environment. | PO3.1 Technological Direction Planning
APO04.03 Monitor and scan the technology environment. | PO3.2 Technical Infrastructure Plan
APO04.03 Monitor and scan the technology environment. | PO3.3 Monitor Future Trends and Regulations
APO04.04 Assess the potential of emerging technologies and innovation ideas. | PO3.2 Technical Infrastructure Plan
APO04.05 Recommend appropriate further initiatives. | PO3.2 Technical Infrastructure Plan
APO04.06 Monitor the implementation and use of innovation. |
APO05 Manage Portfolio
APO05.01 Establish the target investment mix. |
APO05.02 Determine the availability and sources of funds. |
APO05.03 Evaluate and select programmes to fund. |
APO05.04 Monitor, optimise and report on investment portfolio performance. |
APO05.05 Maintain portfolios. | PO1.6 IT Portfolio Management
APO05.06 Manage benefits achievement. | PO5.5 Benefit Management
APO06 Manage Budget and Costs
APO06.01 Manage finance and accounting. | PO5.1 Financial Management Framework
APO06.01 Manage finance and accounting. | DS6.2 IT Accounting
APO06.02 Prioritise resource allocation. | PO5.2 Prioritisation Within IT Budget
APO06.03 Create and maintain budgets. | PO5.3 IT Budgeting
APO06.04 Model and allocate costs. | PO5.4 Cost Management
APO06.04 Model and allocate costs. | DS6.1 Definition of Services
APO06.04 Model and allocate costs. | DS6.3 Cost Modelling and Charging
APO06.04 Model and allocate costs. | DS6.4 Cost Model Maintenance
APO06.05 Model and allocate costs. | PO5.4 Cost Management
APO07 Manage Human Resources
APO07.01 Maintain adequate and appropriate staffing. | PO4.12 IT Staffing
APO07.01 Maintain adequate and appropriate staffing. | PO7.1 Personnel Recruitment and Retention
APO07.01 Maintain adequate and appropriate staffing. | PO7.3 Staffing of Roles
APO07.01 Maintain adequate and appropriate staffing. | PO7.6 Personnel Clearance Procedures
APO07.01 Maintain adequate and appropriate staffing. | PO7.8 Job Change and Termination
APO07.02 Identify key IT personnel. | PO4.13 Key IT Personnel
APO07.02 Identify key IT personnel. | PO7.5 Dependence Upon Individuals
APO07.03 Maintain the skills and competencies of personnel. | PO7.2 Personnel Competencies
APO07.03 Maintain the skills and competencies of personnel. | PO7.4 Personnel Training
APO07.03 Maintain the skills and competencies of personnel. | DS7.1 Identification of Education and Training Needs
APO07.03 Maintain the skills and competencies of personnel. | DS7.2 Delivery of Training and Education
APO07.03 Maintain the skills and competencies of personnel. | DS7.3 Evaluation of Training Received
APO07.04 Evaluate employee job performance. | PO7.7 Employee Job Performance Evaluation
APO07.05 Plan and track the usage of IT and business human resources. | PO7.1 Personnel Recruitment and Retention (the ID column of the source lists this row as PO7.2)
APO07.06 Manage contract staff. | PO4.14 Contracted Staff Policies and Procedures
COBIT 5 process/practice | COBIT 4.1 control objective
APO07.06 Manage contract staff. | PO7.6 Personnel Clearance Procedures
APO08 Manage Relationships
APO08.01 Understand business expectations. |
APO08.02 Identify opportunities, risk and constraints for IT to enhance the business. |
APO08.03 Manage the business relationship. |
APO08.04 Co-ordinate and communicate. |
APO08.05 Provide input to the continual improvement of services. |
APO09 Manage Service Agreements
APO09.01 Identify IT services. | DS1.1 Service Level Management Framework
APO09.01 Identify IT services. | DS1.2 Definition of Services
APO09.01 Identify IT services. | DS1.2 Definition of Services
APO09.01 Identify IT services. | DS1.2 Definition of Services
APO09.02 Catalogue IT-enabled services. | DS1.1 Service Level Management Framework
APO09.03 Define and prepare service agreements. | DS1.1 Service Level Management Framework
APO09.04 Monitor and report service levels. | DS1.1 Service Level Management Framework
APO09.04 Monitor and report service levels. | DS1.3 Service Level Agreements
APO09.04 Monitor and report service levels. | DS1.4 Operating Level Agreements
APO09.05 Review service agreements and contracts. | DS1.1 Service Level Management Framework
APO09.05 Review service agreements and contracts. | DS1.5 Monitoring and Reporting of Service Level Achievements
APO09.06 | DS1.1 Service Level Management Framework
APO09.06 | DS1.6 Review of Service Level Agreements and Contracts
APO10 Manage Suppliers
APO10.01 Identify and evaluate supplier relationships and contracts. | AI5.2 Supplier Contract Management
APO10.01 Identify and evaluate supplier relationships and contracts. | DS2.1 Identification of All Supplier Relationships
APO10.02 Select suppliers. | AI5.3 Supplier Selection
APO10.03 Manage supplier relationships and contracts. | AI5.2 Supplier Contract Management
APO10.03 Manage supplier relationships and contracts. | AI5.4 IT Resources Acquisition
APO10.03 Manage supplier relationships and contracts. | DS2.2 Supplier Relationship Management
APO10.04 Manage supplier risk. | DS2.3 Supplier Risk Management
APO10.05 Monitor supplier performance and compliance. | DS2.4 Supplier Performance Monitoring
APO11 Manage Quality
APO11.01 Establish a quality management system (QMS). | PO4.7 Responsibility for IT Quality Assurance
APO11.01 Establish a quality management system (QMS). | PO8.1 Quality Management System
APO11.02 Define and manage quality standards, practices and procedures. | PO8.2 IT Standards and Quality Practices
APO11.02 Define and manage quality standards, practices and procedures. | PO8.3 Development and Acquisition Standards
APO11.03 Focus quality management on customers. | PO8.4 Customer Focus
APO11.04 Perform quality monitoring, control and reviews. | PO8.6 Quality Measurement, Monitoring and Review
APO11.05 Integrate quality management into solutions for development and service delivery. | PO8.3 Development and Acquisition Standards
APO11.06 Maintain continuous improvement. | PO8.5 Continuous Improvement
APO12 Manage Risk
APO12.01 Collect data. | PO9.3 Event Identification
APO12.02 Analyse risk. | PO9.4 Risk Assessment
COBIT 5 process/practice | COBIT 4.1 control objective
APO12.03 Maintain a risk profile. | PO9.2 Establishment of Risk Context
APO12.03 Maintain a risk profile. | PO9.3 Event Identification
APO12.04 Articulate risk. | PO9.4 Risk Assessment
APO12.04 Articulate risk. | PO9.6 Maintenance and Monitoring of a Risk Action Plan
APO12.05 Define a risk management action portfolio. | PO9.6 Maintenance and Monitoring of a Risk Action Plan
APO12.06 Respond to risk. | PO9.5 Risk Response
APO13 Manage Security
APO13.01 Establish and maintain an ISMS. | DS5.1 Management of IT Security
APO13.02 Define and manage an information security risk treatment plan. | DS5.2 IT Security Plan
APO13.03 Monitor and review the ISMS. | DS5.1 Management of IT Security
BAI01.01 Maintain a standard approach for programme and project management. | PO10.1 Programme Management Framework
BAI01.01 Maintain a standard approach for programme and project management. | PO10.2 Project Management Framework
BAI01.01 Maintain a standard approach for programme and project management. | PO10.3 Project Management Approach
BAI01.02 Initiate a programme. |
BAI01.03 Manage stakeholder engagement. | PO10.4 Stakeholder Commitment
BAI01.04 Develop and maintain the programme plan. |
BAI01.05 Launch and execute the programme. |
BAI01.06 Monitor, control and report on the programme outcomes. | PO10.13 Project Performance Measurement, Reporting and Monitoring
BAI01.07 Start up and initiate projects within a programme. | PO10.5 Project Scope Statement
BAI01.07 Start up and initiate projects within a programme. | PO10.6 Project Phase Initiation
BAI01.08 Plan projects. | PO10.7 Integrated Project Plan
BAI01.08 Plan projects. | PO10.8 Project Resources
BAI01.08 Plan projects. | PO10.12 Project Planning of Assurance Methods
BAI01.09 Manage programme and project quality. | PO10.10 Project Quality Plan
BAI01.10 Manage programme and project risk. | PO10.9 Project Risk Management
BAI01.11 Monitor and control projects. | PO10.11 Project Change Control
BAI01.11 Monitor and control projects. | PO10.13 Project Performance Measurement, Reporting and Monitoring
BAI01.12 Manage project resources and work packages. |
BAI01.13 Close a project or iteration. | PO10.14 Project Closure
BAI01.14 Close a programme. |
BAI02.01 Define and maintain business functional and technical requirements. | AI1.1 Definition and Maintenance of Business Functional and Technical Requirements
BAI02.02 Perform a feasibility study and formulate alternative solutions. | AI1.3 Feasibility Study and Formulation of Alternative Courses of Action
BAI02.03 Manage requirements risk. | AI1.2 Risk Analysis Report
BAI02.04 Obtain approval of requirements and solutions. | AI1.4 Requirements and Feasibility Decision and Approval
BAI03.01 Design high-level solutions. | AI2.1 High-level Design
BAI03.01 Design high-level solutions. | AI2.4 Application Security and Availability
BAI03.02 Design detailed solution components. | AC1 Source Data Preparation and Authorisation
BAI03.02 Design detailed solution components. | AI2.2 Detailed Design
BAI03.02 Design detailed solution components. | AI2.4 Application Security and Availability
COBIT 5 process/practice | COBIT 4.1 control objective
BAI03.03 Develop solution components. | AC1 Source Data Preparation and Authorisation
BAI03.03 Develop solution components. | AI2.4 Application Security and Availability
BAI03.03 Develop solution components. | AI2.5 Configuration and Implementation of Acquired Application Software
BAI03.03 Develop solution components. | AI2.7 Development of Application Software
BAI03.03 Develop solution components. | AI3.2 Infrastructure Resource Protection and Availability
BAI03.04 Procure solution components. | AI2.7 Development of Application Software
BAI03.04 Procure solution components. | AI3.1 Technological Infrastructure Acquisition Plan
BAI03.04 Procure solution components. | AI5.1 Procurement Control
BAI03.05 Build solutions. | AC1 Source Data Preparation and Authorisation
BAI03.05 Build solutions. | AI2.3 Application Control and Auditability
BAI03.05 Build solutions. | AI2.4 Application Security and Availability
BAI03.05 Build solutions. | AI2.5 Configuration and Implementation of Acquired Application Software
BAI03.06 Perform quality assurance. | AI2.8 Software Quality Assurance
BAI03.07 Prepare for solution testing. | AC1 Source Data Preparation and Authorisation
BAI03.07 Prepare for solution testing. | AI3.4 Feasibility Test Environment
BAI03.08 Execute solution testing. | AI3.4 Feasibility Test Environment
BAI03.09 Manage changes to requirements. | AI2.9 Applications Requirements Management
BAI03.10 Maintain solutions. | AI2.6 Major Upgrades to Existing Systems
BAI03.10 Maintain solutions. | AI2.10 Application Software Maintenance
BAI03.10 Maintain solutions. | AI3.3 Infrastructure Maintenance
BAI03.11 Define IT services and maintain the service portfolio. |
BAI04.01 Assess current availability, performance and capacity and create a baseline. | DS3.2 Current Performance and Capacity
BAI04.01 Assess current availability, performance and capacity and create a baseline. | DS3.3 Future Performance and Capacity
BAI04.02 Assess business impact. | DS3.2 Current Performance and Capacity
BAI04.03 Plan for new or changed service requirements. | DS3.1 Performance and Capacity Planning
BAI04.04 Monitor and review availability and capacity. | DS3.5 Monitoring and Reporting
BAI04.05 Investigate and address availability, performance and capacity issues. | DS3.4 IT Resources Availability
BAI05 Manage Organisational Change Enablement
BAI05.01 Establish the desire to change. |
BAI05.02 Form an effective implementation team. |
BAI05.03 Communicate desired vision. |
BAI05.04 Empower role players and identify short-term wins. |
BAI05.05 Enable operation and use. | AI4.1 Planning for Operational Solutions
BAI05.05 Enable operation and use. | AI7.1 Training
BAI05.06 Embed new approaches. |
BAI05.07 Sustain changes. |
BAI06 Manage Changes
BAI06.01 Evaluate, prioritise and authorise change requests. | AI6.1 Change Standards and Procedures
BAI06.01 Evaluate, prioritise and authorise change requests. | AI6.2 Impact Assessment, Prioritisation and Authorisation
BAI06.02 Manage emergency changes. | AI6.1 Change Standards and Procedures
BAI06.02 Manage emergency changes. | AI6.3 Emergency Changes
COBIT 5 process/practice | COBIT 4.1 control objective
BAI06.03 Track and report change status. | AI6.1 Change Standards and Procedures
BAI06.03 Track and report change status. | AI6.4 Change Status Tracking and Reporting
BAI06.04 Close and document the changes. | AI6.1 Change Standards and Procedures
BAI06.04 Close and document the changes. | AI6.5 Change Closure and Documentation
BAI07 Manage Change Acceptance and Transitioning
BAI07.01 Establish an implementation plan. | AI7.2 Test Plan
BAI07.01 Establish an implementation plan. | AI7.3 Implementation Plan
BAI07.02 Plan business process, system and data conversion. | AI7.5 System and Data Conversion
BAI07.03 Plan acceptance tests. | AI7.2 Test Plan
BAI07.04 Establish a test environment. | AI7.4 Test Environment
BAI07.05 Perform acceptance tests. | AI7.6 Testing of Changes
BAI07.05 Perform acceptance tests. | AI7.7 Final Acceptance Test
BAI07.06 Promote to production and manage releases. | AI7.8 Promotion to Production
BAI07.07 Provide early production support. |
BAI07.08 Perform a post-implementation review. | AI7.9 Post-implementation Review
BAI08 Manage Knowledge
BAI08.01 Nurture and facilitate a knowledge-sharing culture. | AI4.2 Knowledge Transfer to Business Management
BAI08.01 Nurture and facilitate a knowledge-sharing culture. | AI4.3 Knowledge Transfer to End Users
BAI08.01 Nurture and facilitate a knowledge-sharing culture. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.02 Identify and classify sources of information. | AI4.2 Knowledge Transfer to Business Management
BAI08.02 Identify and classify sources of information. | AI4.3 Knowledge Transfer to End Users
BAI08.02 Identify and classify sources of information. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.03 Organise and contextualise information into knowledge. | AI4.2 Knowledge Transfer to Business Management
BAI08.03 Organise and contextualise information into knowledge. | AI4.3 Knowledge Transfer to End Users
BAI08.03 Organise and contextualise information into knowledge. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.04 Use and share knowledge. | AI4.2 Knowledge Transfer to Business Management
BAI08.04 Use and share knowledge. | AI4.3 Knowledge Transfer to End Users
BAI08.04 Use and share knowledge. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.05 Evaluate and retire information. |
BAI09 Manage Assets
BAI09.01 Identify and record current assets. |
BAI09.02 Manage critical assets. | DS13.5 Preventive Maintenance for Hardware
BAI09.03 Manage the asset life cycle. |
BAI09.04 Optimise asset costs. |
BAI09.05 Optimise asset costs. |
BAI10 Manage Configuration
BAI10.01 Establish and maintain a configuration model. | DS9.1 Configuration Repository and Baseline
BAI10.02 Establish and maintain a configuration repository and baseline. | DS9.1 Configuration Repository and Baseline
BAI10.03 Maintain and control configuration items. | DS9.2 Identification and Maintenance of Configuration Items
BAI10.04 Produce status and configuration reports. | DS9.1 Configuration Repository and Baseline
BAI10.04 Produce status and configuration reports. | DS9.3 Configuration Integrity Review
BAI10.05 Verify and review integrity of the configuration repository. | DS9.3 Configuration Integrity Review
DSS01 Manage Operations
COBIT 5 to CobiT 4 mapping DSS01.01 Perform operational procedures. DSS01.01 Perform operational procedures. DSS01.01 Perform operational procedures. DSS01.01 Perform operational procedures. DSS01.02 Manage outsourced IT services DSS01.03 Monitor IT infrastructure DSS01.04 Manage the environment DSS01.04 Manage the environment DSS01.05 Manage facilities. DSS01.05 Manage facilities. DSS02 Manage Service Requests and Incidents DSS02.01 Define incident and service request classification schemes. DSS02.01 Define incident and service request classification schemes. DSS02.01 Define incident and service request classification schemes. DSS02.02 Record, classify and prioritise requests and incidents. DSS02.03 Verify, approve and fulfil service requests. DSS02.03 Verify, approve and fulfil service requests. DSS02.04 Investigate, diagnose and allocate incidents. DSS02.05 Resolve and recover from incidents. DSS02.05 Resolve and recover from incidents. DSS02.06 Close service requests and incidents. DSS02.07 Track status and produce reports. DSS03 Manage Problems DSS03.01 Identify and classify problems. DSS03.02 Investigate and diagnose problems. DSS03.03 Raise known errors. DSS03.04 Resolve and close problems. DSS03.05 Perform proactive problem management. 
DS11.1 DS11.6 DS13.1 DS13.2 DS13.3 DS12.1 DS12.4 DS12.1 DS12.5 DS5.6 DS8.2 DS9.1 DS8.2 AI3.2 DS8.2 DS8.3 DS8.4 DS9.3 DS8.4 DS8.5 DS10.1 DS10.2 DS10.3 DS10.3 DS10.4 DS4.1 DS4.1 DS4.4 DS4.2 DS4.7 DS4.3 DS4.8 DS4.5 DS4.4 DS4.6 DS4.9 DS11.2 DS11.3 DS11.1 Business Requirements for Data Management DS11.6 Security Requirements for Data Management DS13.1 Operations Procedures and Instructions DS13.2 Job Scheduling DS13.3 IT Infrastructure Monitoring DS12.1 Site Selection and Layout DS12.4 Protection Against Environmental Factors DS12.1 Site Selection and Layout DS12.5 Physical Facilities Management DS5.6 Security Incident Definition DS8.2 Registration of Customer Queries DS9.1 Configuration Repository and Baseline DS8.2 Registration of Customer Queries AI3.2 Infrastructure Resource Protection and Availability DS8.2 Registration of Customer Queries DS8.3 Incident Escalation DS8.4 Incident Closure DS9.3 Configuration Integrity Review DS8.4 Incident Closure DS8.5 Reporting and Trend Analysis DS10.1 Identification and Classification of Problems DS10.2 Problem Tracking and Resolution DS10.3 Problem Closure DS10.3 Problem Closure DS10.4 Integration of Configuration, Incident and Problem Management DS4.1 IT Continuity Framework DS4.1 IT Continuity Framework DS4.4 Maintenance of the IT Continuity Plan DS4.2 IT Continuity Plans DS4.7 Distribution of the IT Continuity Plan DS4.3 Critical IT Resources DS4.8 IT Services Recovery and Resumption DS4.5 Testing of the IT Continuity Plan DS4.4 Maintenance of the IT Continuity Plan DS4.6 IT Continuity Plan Training DS4.9 Offsite Backup Storage DS11.2 Storage and Retention Arrangements DS11.3 Media Library Management System
DSS04 Manage Continuity DSS04.01 Define the business continuity policy, objectives and scope DSS04.02 Maintain a continuity strategy. DSS04.02 Maintain a continuity strategy. DSS04.03 Develop and implement a business continuity response. DSS04.03 Develop and implement a business continuity response. DSS04.04 Exercise, test and review the BCP. DSS04.04 Exercise, test and review the BCP. DSS04.05 Review, maintain and improve the continuity plan DSS04.06 Conduct continuity plan training DSS04.07 Manage backup arrangements DSS04.08 Conduct post-resumption review. DSS04.08 Conduct post-resumption review. DSS04.08 Conduct post-resumption review.
DSS04.08 Conduct post-resumption review. DSS04.09 DSS05 Manage Security Services DSS05.01 Protect against malware. DS11.5 DS4.10 DS5.9 DS5.10 DS5.11 DS5.8 DS5.3 DS5.4 DS5.7 DS12.1 DS12.2 DS12.3 DS13.4 DS5.5 DS11.4 DS11.6 DS11.5 Backup and Restoration DS4.10 Post-resumption Review DS5.9 Malicious Software Prevention, Detection and Correction DS5.10 Network Security DS5.11 Exchange of Sensitive Data DS5.8 Cryptographic Key Management DS5.3 Identity Management DS5.4 User Account Management DS5.7 Protection of Security Technology DS12.1 Site Selection and Layout DS12.2 Physical Security Measures DS12.3 Physical Access DS13.4 Sensitive Documents and Output Devices DS5.5 Security Testing, Surveillance and Monitoring DS11.4 Disposal DS11.6 Security Requirements for Data Management
DSS05.02 Manage network and connectivity security. DSS05.02 Manage network and connectivity security. DSS05.03 Manage endpoint security. DSS05.04 Manage user identity and logical access. DSS05.04 Manage user identity and logical access. DSS05.05 Manage physical access to IT assets. DSS05.05 Manage physical access to IT assets. DSS05.05 Manage physical access to IT assets. DSS05.05 Manage physical access to IT assets. DSS05.06 Manage sensitive documents and output devices. DSS05.07 Monitor the infrastructure for security-related events. DSS05.08 DSS05.08 DSS06 Manage Business Process Controls DSS06.01 Align control activities embedded in business processes with enterprise objectives DSS06.02 Control the processing of information. DSS06.02 Control the processing of information. DSS06.02 Control the processing of information. DSS06.02 Control the processing of information. DSS06.02 Control the processing of information. DSS06.02 Control the processing of information. DSS06.03 Manage roles, responsibilities, access privileges and levels of authority DSS06.04 Manage errors and exceptions. DSS06.05 Ensure traceability of information events DSS06.06 Secure information assets. DSS08.02 EDM01 Ensure Governance Framework Setting and Maintenance EDM01.01 Evaluate the governance system. EDM01.01 Evaluate the governance system EDM01.02 Evaluate the governance system. EDM01.03 Evaluate the governance system. EDM01.03 Monitor the governance system EDM02 Ensure Benefits Delivery EDM02.01 Evaluate value optimisation EDM02.02 Direct value optimisation EDM02.03 Monitor value optimisation EDM02.01 Evaluate value optimisation EDM02.02 Direct value optimisation
AC1 AC2 AC3 AC4 AC5 AC6 AC1 DS11.2 DS11.6 PO4.11 ME4.1 PO3.3 ME4.1 ME4.1 ME4.6 PO1.1 PO1.1 PO1.1 ME4.3 ME4.3
AC1 Source Data Preparation and Authorisation AC2 Source Data Collection and Entry AC3 Accuracy, Completeness and Authenticity Checks AC4 Processing Integrity and validity AC5 Output Review, Reconciliation and Error Handling AC6 Transaction Authentication and Integrity AC1 Source Data Preparation and Authorisation DS11.2 Storage and Retention Arrangements DS11.6 Security Requirements for Data Management PO4.11 Segregation of Duties ME4.1 Establishment of an IT Governance Framework PO3.3 Monitor Future Trends and Regulations ME4.1 Establishment of an IT Governance Framework ME4.1 Establishment of an IT Governance Framework ME4.6 Performance Measurement PO1.1 IT Value Management PO1.1 IT Value Management PO1.1 IT Value Management ME4.3 Value Delivery ME4.3 Value Delivery
EDM02.03 Monitor value optimisation EDM02.03 Monitor value optimisation EDM03 Ensure Risk Optimisation EDM03.01 Evaluate risk management EDM03.02 Direct risk management EDM03.03 Monitor risk management EDM03.02 Direct risk management EDM03.02 Direct risk management EDM03.03 Monitor risk management EDM04 Ensure Resource Optimisation EDM04.01 Evaluate resource management EDM04.02 Direct resource management EDM04.03 Monitor resource management EDM04.03 Monitor resource management EDM05 Ensure Stakeholder Transparency EDM05.01 Evaluate stakeholder reporting requirements. EDM05.02 Direct stakeholder communication and reporting. EDM05.03 Monitor stakeholder communication. MEA01 Monitor, Evaluate and Assess Performance and Conformance MEA01.01 Establish a monitoring approach. MEA01.02 Set performance and conformance targets MEA01.03 Collect and process performance and conformance data. MEA01.03 Collect and process performance and conformance data. MEA01.04 Analyse and report performance MEA01.04 Analyse and report performance MEA01.05 Ensure the implementation of corrective actions. MEA02 Monitor, Evaluate and Assess the System of Internal Control MEA02.01 Monitor internal controls MEA02.01 Monitor internal controls MEA02.01 Monitor internal controls MEA02.02 Review business process controls effectiveness MEA02.03 Perform control self-assessments. MEA02.04 Identify and report control deficiencies. MEA02.04 Identify and report control deficiencies. MEA02.05 Ensure that assurance providers are independent and qualified. MEA02.06 Plan assurance initiatives. MEA02.06 Plan assurance initiatives. MEA02.07 Scope assurance initiatives. MEA02.07 Scope assurance initiatives. MEA02.08 Execute assurance initiatives. MEA02.08 Execute assurance initiatives.
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements ME4.3 ME4.6 ME4.5 ME4.5 ME4.5 PO9.1 PO6.2 ME4.6 ME4.4 ME4.4 ME4.4 ME4.6 ME4.3 Value Delivery ME4.6 Performance Measurement ME4.5 Risk Management ME4.5 Risk Management ME4.5 Risk Management PO9.1 IT Risk Management Framework PO6.2 Enterprise IT Risk and Control Framework ME4.6 Performance Measurement ME4.4 Resource Management ME4.4 Resource Management ME4.4 Resource Management ME4.6 Performance Measurement
ME1.1 ME1.2 ME1.2 ME1.3 ME1.4 ME1.5 ME1.6 ME2.1 ME2.2 ME2.6 ME2.1 ME2.4 ME2.3 ME2.7 ME4.7 ME2.5 ME4.7 ME2.5 ME4.7 ME2.5 ME4.7
ME1.1 Monitoring Approach ME1.2 Definition and Collection of Monitoring Data ME1.2 Definition and Collection of Monitoring Data ME1.3 Monitoring Method ME1.4 Performance Assessment ME1.5 Board and Executive Reporting ME1.6 Remedial Actions ME2.1 Monitoring of Internal Control Framework ME2.2 Supervisory Review ME2.6 Internal Control at Third Parties ME2.1 Monitoring of Internal Control Framework ME2.4 Control Self-assessment ME2.3 Control Exceptions ME2.7 Remedial Actions ME4.7 Independent Assurance ME2.5 Assurance of Internal Control ME4.7 Independent Assurance ME2.5 Assurance of Internal Control ME4.7 Independent Assurance ME2.5 Assurance of Internal Control ME4.7 Independent Assurance
MEA03.01 MEA03.02 MEA03.03 MEA03.04 MEA03.04 Identify external compliance requirements. Optimise response to external requirements. Confirm external compliance Obtain assurance of external compliance. Obtain assurance of external compliance. ME3.1 ME3.2 ME3.3 ME3.4 ME3.5 PO4.8 DS8.1 ME4.2 ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements ME3.2 Optimisation of Response to External Requirements ME3.3 Evaluation of Compliance With External Requirements ME3.4 Positive Assurance of Compliance ME3.5 Integrated Reporting PO4.8 Responsibility for Risk, Security and Compliance DS8.1 Service Desk ME4.2 Strategic Alignment
5 -- Optimized
4 -- Predictable
3 -- Defined
3 -- Established
2 -- Managed
1 -- Performed
0 -- Incomplete
Capability
Context
Enterprise viewpoint / Corporate knowledge