
CobiT 4.1 to COBIT 5 mapping

CobiT 4.1 control objective | COBIT 5 process/practice ID
AC1 Source Data Preparation and Authorisation | DSS06.02
AC1 Source Data Preparation and Authorisation | DSS06.03
AC1 Source Data Preparation and Authorisation | BAI03.02
AC1 Source Data Preparation and Authorisation | BAI03.03
AC1 Source Data Preparation and Authorisation | BAI03.05
AC1 Source Data Preparation and Authorisation | BAI03.07
AC2 Source Data Collection and Entry | DSS06.02
AC3 Accuracy, Completeness and Authenticity Checks | DSS06.02
AC4 Processing Integrity and Validity | DSS06.02
AC5 Output Review, Reconciliation and Error Handling | DSS06.02
AC6 Transaction Authentication and Integrity | DSS06.02
PO1.1 IT Value Management | EDM02
PO1.2 Business-IT Alignment | APO02.01
PO1.3 Assessment of Current Capability and Performance | APO02.02
PO1.4 IT Strategic Plan | APO02.03
PO1.4 IT Strategic Plan | APO02.04
PO1.4 IT Strategic Plan | APO02.05
PO1.5 IT Tactical Plans | APO02.05
PO1.6 IT Portfolio Management | APO05.05
PO2.1 Enterprise Information Architecture Model | APO03.02
PO2.2 Enterprise Data Dictionary and Data Syntax Rules | APO03.02
PO2.3 Data Classification Scheme | APO03.02
PO2.4 Integrity Management | APO01.06
PO3.1 Technological Direction Planning | APO02.03
PO3.1 Technological Direction Planning | APO04.03
PO3.2 Technical Infrastructure Plan | APO02.03
PO3.2 Technical Infrastructure Plan | APO02.04
PO3.2 Technical Infrastructure Plan | APO02.05
PO3.2 Technical Infrastructure Plan | APO04.03
PO3.2 Technical Infrastructure Plan | APO04.04
PO3.2 Technical Infrastructure Plan | APO04.05
PO3.3 Monitor Future Trends and Regulations | EDM01.01
PO3.3 Monitor Future Trends and Regulations | APO04.03
PO3.4 Technology Standards | APO03.05

CobiT 4.1 control objective | COBIT 5 process/practice ID
PO3.5 IT Architecture Board | APO01.01
PO4.1 IT Process Framework | APO01.03
PO4.1 IT Process Framework | APO01.07
PO4.2 IT Strategy Committee | APO01.01
PO4.3 IT Steering Committee | APO01.01
PO4.4 Organisational Placement of the IT Function | APO01.05
PO4.5 IT Organisational Structure | APO01.01
PO4.6 Establishment of Roles and Responsibilities | APO01.02
PO4.7 Responsibility for IT Quality Assurance | APO11.01
PO4.8 Responsibility for Risk, Security and Compliance | Deleted (these specific roles are no longer explicitly specified as a practice)
PO4.9 Data and System Ownership | APO01.06
PO4.10 Supervision | APO01.02
PO4.11 Segregation of Duties | APO01.02
PO4.11 Segregation of Duties | DSS08.02
PO4.12 IT Staffing | APO07.01
PO4.13 Key IT Personnel | APO07.02
PO4.14 Contracted Staff Policies and Procedures | APO07.06
PO4.15 Relationships | APO01.01
PO5.1 Financial Management Framework | APO06.01
PO5.2 Prioritisation Within IT Budget | APO06.02
PO5.3 IT Budgeting | APO06.03
PO5.4 Cost Management | APO06.04
PO5.4 Cost Management | APO06.05
PO5.5 Benefit Management | APO05.06
PO6.1 IT Policy and Control Environment | APO01.03
PO6.2 Enterprise IT Risk and Control Framework | EDM03.02
PO6.2 Enterprise IT Risk and Control Framework | APO01.03
PO6.3 IT Policies Management | APO01.03
PO6.3 IT Policies Management | APO01.08
PO6.4 Policy, Standards and Procedures Rollout | APO01.03
PO6.4 Policy, Standards and Procedures Rollout | APO01.08
PO6.5 Communication of IT Objectives and Direction | APO01.04
PO7.1 Personnel Recruitment and Retention | APO07.01
PO7.2 Personnel Competencies | APO07.05
PO7.2 Personnel Competencies | APO07.03
PO7.3 Staffing of Roles | APO01.02

CobiT 4.1 control objective | COBIT 5 process/practice ID
PO7.3 Staffing of Roles | APO07.01
PO7.4 Personnel Training | APO07.03
PO7.5 Dependence Upon Individuals | APO07.02
PO7.6 Personnel Clearance Procedures | APO07.01
PO7.6 Personnel Clearance Procedures | APO07.06
PO7.7 Employee Job Performance Evaluation | APO07.04
PO7.8 Job Change and Termination | APO07.01
PO8.1 Quality Management System | APO11.01
PO8.2 IT Standards and Quality Practices | APO11.02
PO8.3 Development and Acquisition Standards | APO11.02
PO8.3 Development and Acquisition Standards | APO11.05
PO8.4 Customer Focus | APO11.03
PO8.5 Continuous Improvement | APO11.06
PO8.6 Quality Measurement, Monitoring and Review | APO11.04
PO9.1 IT Risk Management Framework | EDM03.02
PO9.1 IT Risk Management Framework | APO01.03
PO9.2 Establishment of Risk Context | APO12.03
PO9.3 Event Identification | APO12.01
PO9.3 Event Identification | APO12.03
PO9.4 Risk Assessment | APO12.02
PO9.4 Risk Assessment | APO12.04
PO9.5 Risk Response | APO12.06
PO9.6 Maintenance and Monitoring of a Risk Action Plan | APO12.04
PO9.6 Maintenance and Monitoring of a Risk Action Plan | APO12.05
PO10.1 Programme Management Framework | BAI01.01
PO10.2 Project Management Framework | BAI01.01
PO10.3 Project Management Approach | BAI01.01
PO10.4 Stakeholder Commitment | BAI01.03
PO10.5 Project Scope Statement | BAI01.07
PO10.6 Project Phase Initiation | BAI01.07
PO10.7 Integrated Project Plan | BAI01.08
PO10.8 Project Resources | BAI01.08
PO10.9 Project Risk Management | BAI01.10
PO10.10 Project Quality Plan | BAI01.09
PO10.11 Project Change Control | BAI01.11
PO10.12 Project Planning of Assurance Methods | BAI01.08

CobiT 4.1 control objective | COBIT 5 process/practice ID
PO10.13 Project Performance Measurement, Reporting and Monitoring | BAI01.06
PO10.13 Project Performance Measurement, Reporting and Monitoring | BAI01.11
PO10.14 Project Closure | BAI01.13
AI1.1 Definition and Maintenance of Business Functional and Technical Requirements | BAI02.01
AI1.2 Risk Analysis Report | BAI02.03
AI1.3 Feasibility Study and Formulation of Alternative Courses of Action | BAI02.02
AI1.4 Requirements and Feasibility Decision and Approval | BAI02.04
AI2.1 High-level Design | BAI03.01
AI2.2 Detailed Design | BAI03.02
AI2.3 Application Control and Auditability | BAI03.05
AI2.4 Application Security and Availability | BAI03.01
AI2.4 Application Security and Availability | BAI03.02
AI2.4 Application Security and Availability | BAI03.03
AI2.4 Application Security and Availability | BAI03.05
AI2.5 Configuration and Implementation of Acquired Application Software | BAI03.03
AI2.5 Configuration and Implementation of Acquired Application Software | BAI03.05
AI2.6 Major Upgrades to Existing Systems | BAI03.10
AI2.7 Development of Application Software | BAI03.03
AI2.7 Development of Application Software | BAI03.04
AI2.8 Software Quality Assurance | BAI03.06
AI2.9 Applications Requirements Management | BAI03.09
AI2.10 Application Software Maintenance | BAI03.10
AI3.1 Technological Infrastructure Acquisition Plan | BAI03.04
AI3.2 Infrastructure Resource Protection and Availability | BAI03.03
AI3.2 Infrastructure Resource Protection and Availability | DSS02.03
AI3.3 Infrastructure Maintenance | BAI03.10
AI3.4 Feasibility Test Environment | BAI03.07
AI3.4 Feasibility Test Environment | BAI03.08
AI4.1 Planning for Operational Solutions | BAI05.05
AI4.2 Knowledge Transfer to Business Management | BAI08.01
AI4.2 Knowledge Transfer to Business Management | BAI08.02
AI4.2 Knowledge Transfer to Business Management | BAI08.03
AI4.2 Knowledge Transfer to Business Management | BAI08.04
AI4.3 Knowledge Transfer to End Users | BAI08.01
AI4.3 Knowledge Transfer to End Users | BAI08.02
AI4.3 Knowledge Transfer to End Users | BAI08.03

CobiT 4.1 control objective | COBIT 5 process/practice ID
AI4.3 Knowledge Transfer to End Users | BAI08.04
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.01
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.02
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.03
AI4.4 Knowledge Transfer to Operations and Support Staff | BAI08.04
AI5.1 Procurement Control | BAI03.04
AI5.2 Supplier Contract Management | APO10.01
AI5.2 Supplier Contract Management | APO10.03
AI5.3 Supplier Selection | APO10.02
AI5.4 IT Resources Acquisition | APO10.03
AI6.1 Change Standards and Procedures | BAI06.01
AI6.1 Change Standards and Procedures | BAI06.02
AI6.1 Change Standards and Procedures | BAI06.03
AI6.1 Change Standards and Procedures | BAI06.04
AI6.2 Impact Assessment, Prioritisation and Authorisation | BAI06.01
AI6.3 Emergency Changes | BAI06.02
AI6.4 Change Status Tracking and Reporting | BAI06.03
AI6.5 Change Closure and Documentation | BAI06.04
AI7.1 Training | BAI05.05
AI7.2 Test Plan | BAI07.01
AI7.2 Test Plan | BAI07.03
AI7.3 Implementation Plan | BAI07.01
AI7.4 Test Environment | BAI07.04
AI7.5 System and Data Conversion | BAI07.02
AI7.6 Testing of Changes | BAI07.05
AI7.7 Final Acceptance Test | BAI07.05
AI7.8 Promotion to Production | BAI07.06
AI7.9 Post-implementation Review | BAI07.08
DS1.1 Service Level Management Framework | APO09.01
DS1.1 Service Level Management Framework | APO09.02
DS1.1 Service Level Management Framework | APO09.03
DS1.1 Service Level Management Framework | APO09.04
DS1.1 Service Level Management Framework | APO09.05
DS1.1 Service Level Management Framework | APO09.06
DS1.2 Definition of Services | APO09.01
DS1.2 Definition of Services | APO09.01

CobiT 4.1 control objective | COBIT 5 process/practice ID
DS1.2 Definition of Services | APO09.01
DS1.3 Service Level Agreements | APO09.04
DS1.4 Operating Level Agreements | APO09.04
DS1.5 Monitoring and Reporting of Service Level Achievements | APO09.05
DS1.6 Review of Service Level Agreements and Contracts | APO09.06
DS2.1 Identification of All Supplier Relationships | APO10.01
DS2.2 Supplier Relationship Management | APO10.03
DS2.3 Supplier Risk Management | APO10.04
DS2.4 Supplier Performance Monitoring | APO10.05
DS3.1 Performance and Capacity Planning | BAI04.03
DS3.2 Current Performance and Capacity | BAI04.01
DS3.2 Current Performance and Capacity | BAI04.02
DS3.3 Future Performance and Capacity | BAI04.01
DS3.4 IT Resources Availability | BAI04.05
DS3.5 Monitoring and Reporting | BAI04.04
DS4.1 IT Continuity Framework | DSS04.01
DS4.1 IT Continuity Framework | DSS04.02
DS4.2 IT Continuity Plans | DSS04.03
DS4.3 Critical IT Resources | DSS04.04
DS4.4 Maintenance of the IT Continuity Plan | DSS04.02
DS4.4 Maintenance of the IT Continuity Plan | DSS04.06
DS4.5 Testing of the IT Continuity Plan | DSS04.05
DS4.6 IT Continuity Plan Training | DSS04.07
DS4.7 Distribution of the IT Continuity Plan | DSS04.03
DS4.8 IT Services Recovery and Resumption | DSS04.04
DS4.9 Offsite Backup Storage | DSS04.08
DS4.10 Post-resumption Review | DSS04.09
DS5.1 Management of IT Security | APO13.01
DS5.1 Management of IT Security | APO13.03
DS5.2 IT Security Plan | APO13.02
DS5.3 Identity Management | DSS05.04
DS5.4 User Account Management | DSS05.04
DS5.5 Security Testing, Surveillance and Monitoring | DSS05.07
DS5.6 Security Incident Definition | DSS02.01
DS5.7 Protection of Security Technology | DSS05.05
DS5.8 Cryptographic Key Management | DSS05.03

CobiT 4.1 control objective | COBIT 5 process/practice ID
DS5.9 Malicious Software Prevention, Detection and Correction | DSS05.01
DS5.10 Network Security | DSS05.02
DS5.11 Exchange of Sensitive Data | DSS05.02
DS6.1 Definition of Services | APO06.04
DS6.2 IT Accounting | APO06.01
DS6.3 Cost Modelling and Charging | APO06.04
DS6.4 Cost Model Maintenance | APO06.04
DS7.1 Identification of Education and Training Needs | APO07.03
DS7.2 Delivery of Training and Education | APO07.03
DS7.3 Evaluation of Training Received | APO07.03
DS8.1 Service Desk | Deleted
DS8.2 Registration of Customer Queries | DSS02.01
DS8.2 Registration of Customer Queries | DSS02.02
DS8.2 Registration of Customer Queries | DSS02.03
DS8.3 Incident Escalation | DSS02.04
DS8.4 Incident Closure | DSS02.05
DS8.4 Incident Closure | DSS02.06
DS8.5 Reporting and Trend Analysis | DSS02.07
DS9.1 Configuration Repository and Baseline | BAI10.01
DS9.1 Configuration Repository and Baseline | BAI10.02
DS9.1 Configuration Repository and Baseline | BAI10.04
DS9.1 Configuration Repository and Baseline | DSS02.01
DS9.2 Identification and Maintenance of Configuration Items | BAI10.03
DS9.3 Configuration Integrity Review | BAI10.04
DS9.3 Configuration Integrity Review | BAI10.05
DS9.3 Configuration Integrity Review | DSS02.05
DS10.1 Identification and Classification of Problems | DSS03.01
DS10.2 Problem Tracking and Resolution | DSS03.02
DS10.3 Problem Closure | DSS03.03
DS10.3 Problem Closure | DSS03.04
DS10.4 Integration of Configuration, Incident and Problem Management | DSS03.05
DS11.1 Business Requirements for Data Management | DSS01.01
DS11.2 Storage and Retention Arrangements | DSS04.08
DS11.2 Storage and Retention Arrangements | DSS06.04
DS11.3 Media Library Management System | DSS04.08
DS11.4 Disposal | DSS05.08

CobiT 4.1 control objective | COBIT 5 process/practice ID
DS11.5 Backup and Restoration | DSS04.08
DS11.6 Security Requirements for Data Management | DSS01.01
DS11.6 Security Requirements for Data Management | DSS05.08
DS11.6 Security Requirements for Data Management | DSS06.05
DS12.1 Site Selection and Layout | DSS01.04
DS12.1 Site Selection and Layout | DSS01.05
DS12.1 Site Selection and Layout | DSS05.05
DS12.2 Physical Security Measures | DSS05.05
DS12.3 Physical Access | DSS05.05
DS12.4 Protection Against Environmental Factors | DSS01.04
DS12.5 Physical Facilities Management | DSS01.05
DS13.1 Operations Procedures and Instructions | DSS01.01
DS13.2 Job Scheduling | DSS01.01
DS13.3 IT Infrastructure Monitoring | DSS01.03
DS13.4 Sensitive Documents and Output Devices | DSS05.06
DS13.5 Preventive Maintenance for Hardware | BAI09.02
ME1.1 Monitoring Approach | MEA01.01
ME1.2 Definition and Collection of Monitoring Data | MEA01.02
ME1.2 Definition and Collection of Monitoring Data | MEA01.03
ME1.3 Monitoring Method | MEA01.03
ME1.4 Performance Assessment | MEA01.04
ME1.5 Board and Executive Reporting | MEA01.04
ME1.6 Remedial Actions | MEA01.05
ME2.1 Monitoring of Internal Control Framework | MEA02.01
ME2.1 Monitoring of Internal Control Framework | MEA02.02
ME2.2 Supervisory Review | MEA02.01
ME2.3 Control Exceptions | MEA02.04
ME2.4 Control Self-assessment | MEA02.03
ME2.5 Assurance of Internal Control | MEA02.06
ME2.5 Assurance of Internal Control | MEA02.07
ME2.5 Assurance of Internal Control | MEA02.08
ME2.6 Internal Control at Third Parties | MEA02.01
ME2.7 Remedial Actions | MEA02.04
ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements | MEA03.01
ME3.2 Optimisation of Response to External Requirements | MEA03.02

CobiT 4.1 control objective | COBIT 5 process/practice ID
ME3.3 Evaluation of Compliance With External Requirements | MEA03.03
ME3.4 Positive Assurance of Compliance | MEA03.04
ME3.5 Integrated Reporting | MEA03.04
ME4.1 Establishment of an IT Governance Framework | EDM01
ME4.2 Strategic Alignment | Deleted (in COBIT 5, alignment is considered to be the result of all governance and management activities)
ME4.3 Value Delivery | EDM02
ME4.4 Resource Management | EDM04
ME4.5 Risk Management | EDM03
ME4.6 Performance Measurement | EDM01.03
ME4.6 Performance Measurement | EDM02.03
ME4.6 Performance Measurement | EDM03.03
ME4.6 Performance Measurement | EDM04.03
ME4.7 Independent Assurance | MEA02.05
ME4.7 Independent Assurance | MEA02.06
ME4.7 Independent Assurance | MEA02.07
ME4.7 Independent Assurance | MEA02.08

COBIT 5 to CobiT 4 mapping

COBIT 5 key governance/management practice | CobiT 4.1 control objective
APO01 Manage the IT Management Framework
APO01.01 Define the organisational structure | PO3.5 IT Architecture Board
APO01.01 Define the organisational structure | PO4.2 IT Strategy Committee
APO01.01 Define the organisational structure | PO4.3 IT Steering Committee
APO01.01 Define the organisational structure | PO4.5 IT Organisational Structure
APO01.01 Define the organisational structure | PO4.15 Relationships
APO01.02 Establish roles and responsibilities | PO4.6 Establishment of Roles and Responsibilities
APO01.02 Establish roles and responsibilities | PO4.10 Supervision
APO01.02 Establish roles and responsibilities | PO4.11 Segregation of Duties
APO01.02 Establish roles and responsibilities | PO7.3 Staffing of Roles
APO01.03 Maintain the enablers of the management system | PO4.1 IT Process Framework
APO01.03 Maintain the enablers of the management system | PO6.1 IT Policy and Control Environment
APO01.03 Maintain the enablers of the management system | PO6.2 Enterprise IT Risk and Control Framework
APO01.03 Maintain the enablers of the management system | PO6.3 IT Policies Management
APO01.03 Maintain the enablers of the management system | PO6.4 Policy, Standards and Procedures Rollout
APO01.03 Maintain the enablers of the management system | PO9.1 IT Risk Management Framework
APO01.04 Communicate management objectives and direction | PO6.5 Communication of IT Objectives and Direction
APO01.05 Optimise the placement of the IT function | PO4.4 Organisational Placement of the IT Function
APO01.06 Define information (data) and system ownership | PO2.4 Integrity Management
APO01.06 Define information (data) and system ownership | PO4.9 Data and System Ownership
APO01.07 Manage continual improvement of processes | PO4.1 IT Process Framework
APO01.08 Maintain compliance with policies and procedures | PO6.3 IT Policies Management
APO01.08 Maintain compliance with policies and procedures | PO6.4 Policy, Standards and Procedures Rollout
APO02 Manage Strategy
APO02.01 Understand enterprise direction | PO1.2 Business-IT Alignment
APO02.02 Assess the current environment, capabilities and performance | PO1.3 Assessment of Current Capability and Performance
APO02.03 Define the target IT capabilities | PO1.4 IT Strategic Plan
APO02.03 Define the target IT capabilities | PO3.1 Technological Direction Planning
APO02.03 Define the target IT capabilities | PO3.2 Technical Infrastructure Plan
APO02.04 Conduct a gap analysis | PO1.4 IT Strategic Plan
APO02.04 Conduct a gap analysis | PO3.2 Technical Infrastructure Plan
APO02.05 Define the strategic plan and road map | PO1.4 IT Strategic Plan
APO02.05 Define the strategic plan and road map | PO1.5 IT Tactical Plans
APO02.05 Define the strategic plan and road map | PO3.2 Technical Infrastructure Plan
APO02.06 Communicate the IT strategy and direction |
APO03 Manage Enterprise Architecture
APO03.01 Develop the enterprise architecture vision |
APO03.02 Define reference architecture | PO2.1 Enterprise Information Architecture Model
APO03.02 Define reference architecture | PO2.2 Enterprise Data Dictionary and Data Syntax Rules
APO03.02 Define reference architecture | PO2.3 Data Classification Scheme
APO03.03 Select opportunities and solutions |
APO03.04 Define architecture implementation |

COBIT 5 key governance/management practice | CobiT 4.1 control objective
APO03.05 Provide enterprise architecture services | PO3.4 Technology Standards
APO04 Manage Innovation
APO04.01 Create an environment conducive to innovation |
APO04.02 Maintain an understanding of the enterprise environment |
APO04.03 Monitor and scan the technology environment | PO3.1 Technological Direction Planning
APO04.03 Monitor and scan the technology environment | PO3.2 Technical Infrastructure Plan
APO04.03 Monitor and scan the technology environment | PO3.3 Monitor Future Trends and Regulations
APO04.04 Assess the potential of emerging technologies and innovation ideas | PO3.2 Technical Infrastructure Plan
APO04.05 Recommend appropriate further initiatives | PO3.2 Technical Infrastructure Plan
APO04.06 Monitor the implementation and use of innovation |
APO05 Manage Portfolio
APO05.01 Establish the target investment mix |
APO05.02 Determine the availability and sources of funds |
APO05.03 Evaluate and select programmes to fund |
APO05.04 Monitor, optimise and report on investment portfolio performance |
APO05.05 Maintain portfolios | PO1.6 IT Portfolio Management
APO05.06 Manage benefits achievement | PO5.5 Benefit Management
APO06 Manage Budget and Costs
APO06.01 Manage finance and accounting | PO5.1 Financial Management Framework
APO06.01 Manage finance and accounting | DS6.2 IT Accounting
APO06.02 Prioritise resource allocation | PO5.2 Prioritisation Within IT Budget
APO06.03 Create and maintain budgets | PO5.3 IT Budgeting
APO06.04 Model and allocate costs | PO5.4 Cost Management
APO06.04 Model and allocate costs | DS6.1 Definition of Services
APO06.04 Model and allocate costs | DS6.3 Cost Modelling and Charging
APO06.04 Model and allocate costs | DS6.4 Cost Model Maintenance
APO06.05 Model and allocate costs | PO5.4 Cost Management
APO07 Manage Human Resources
APO07.01 Maintain adequate and appropriate staffing | PO4.12 IT Staffing
APO07.01 Maintain adequate and appropriate staffing | PO7.1 Personnel Recruitment and Retention
APO07.01 Maintain adequate and appropriate staffing | PO7.3 Staffing of Roles
APO07.01 Maintain adequate and appropriate staffing | PO7.6 Personnel Clearance Procedures
APO07.01 Maintain adequate and appropriate staffing | PO7.8 Job Change and Termination
APO07.02 Identify key IT personnel | PO4.13 Key IT Personnel
APO07.02 Identify key IT personnel | PO7.5 Dependence Upon Individuals
APO07.03 Maintain the skills and competencies of personnel | PO7.2 Personnel Competencies
APO07.03 Maintain the skills and competencies of personnel | PO7.4 Personnel Training
APO07.03 Maintain the skills and competencies of personnel | DS7.1 Identification of Education and Training Needs
APO07.03 Maintain the skills and competencies of personnel | DS7.2 Delivery of Training and Education
APO07.03 Maintain the skills and competencies of personnel | DS7.3 Evaluation of Training Received
APO07.04 Evaluate employee job performance | PO7.7 Employee Job Performance Evaluation
APO07.05 Plan and track the usage of IT and business human resources | PO7.2 Personnel Competencies
APO07.06 Manage contract staff | PO4.14 Contracted Staff Policies and Procedures

COBIT 5 key governance/management practice | CobiT 4.1 control objective
APO07.06 Manage contract staff | PO7.6 Personnel Clearance Procedures
APO08 Manage Relationships
APO08.01 Understand business expectations |
APO08.02 Identify opportunities, risk and constraints for IT to enhance the business |
APO08.03 Manage the business relationship |
APO08.04 Co-ordinate and communicate |
APO08.05 Provide input to the continual improvement of services |
APO09 Manage Service Agreements
APO09.01 Identify IT services | DS1.1 Service Level Management Framework
APO09.01 Identify IT services | DS1.2 Definition of Services
APO09.01 Identify IT services | DS1.2 Definition of Services
APO09.01 Identify IT services | DS1.2 Definition of Services
APO09.02 Catalogue IT-enabled services | DS1.1 Service Level Management Framework
APO09.03 Define and prepare service agreements | DS1.1 Service Level Management Framework
APO09.04 Monitor and report service levels | DS1.1 Service Level Management Framework
APO09.04 Monitor and report service levels | DS1.3 Service Level Agreements
APO09.04 Monitor and report service levels | DS1.4 Operating Level Agreements
APO09.05 Review service agreements and contracts | DS1.1 Service Level Management Framework
APO09.05 Review service agreements and contracts | DS1.5 Monitoring and Reporting of Service Level Achievements
APO09.06 | DS1.1 Service Level Management Framework
APO09.06 | DS1.6 Review of Service Level Agreements and Contracts
APO10 Manage Suppliers
APO10.01 Identify and evaluate supplier relationships and contracts | AI5.2 Supplier Contract Management
APO10.01 Identify and evaluate supplier relationships and contracts | DS2.1 Identification of All Supplier Relationships
APO10.02 Select suppliers | AI5.3 Supplier Selection
APO10.03 Manage supplier relationships and contracts | AI5.2 Supplier Contract Management
APO10.03 Manage supplier relationships and contracts | AI5.4 IT Resources Acquisition
APO10.03 Manage supplier relationships and contracts | DS2.2 Supplier Relationship Management
APO10.04 Manage supplier risk | DS2.3 Supplier Risk Management
APO10.05 Monitor supplier performance and compliance | DS2.4 Supplier Performance Monitoring
APO11 Manage Quality
APO11.01 Establish a quality management system (QMS) | PO4.7 Responsibility for IT Quality Assurance
APO11.01 Establish a quality management system (QMS) | PO8.1 Quality Management System
APO11.02 Define and manage quality standards, practices and procedures | PO8.2 IT Standards and Quality Practices
APO11.02 Define and manage quality standards, practices and procedures | PO8.3 Development and Acquisition Standards
APO11.03 Focus quality management on customers | PO8.4 Customer Focus
APO11.04 Perform quality monitoring, control and reviews | PO8.6 Quality Measurement, Monitoring and Review
APO11.05 Integrate quality management into solutions for development and service delivery | PO8.3 Development and Acquisition Standards
APO11.06 Maintain continuous improvement | PO8.5 Continuous Improvement
APO12 Manage Risk
APO12.01 Collect data | PO9.3 Event Identification
APO12.02 Analyse risk | PO9.4 Risk Assessment

COBIT 5 key governance/management practice | CobiT 4.1 control objective
APO12.03 Maintain a risk profile | PO9.2 Establishment of Risk Context
APO12.03 Maintain a risk profile | PO9.3 Event Identification
APO12.04 Articulate risk | PO9.4 Risk Assessment
APO12.04 Articulate risk | PO9.6 Maintenance and Monitoring of a Risk Action Plan
APO12.05 Define a risk management action portfolio | PO9.6 Maintenance and Monitoring of a Risk Action Plan
APO12.06 Respond to risk | PO9.5 Risk Response
APO13 Manage Security
APO13.01 Establish and maintain an ISMS | DS5.1 Management of IT Security
APO13.02 Define and manage an information security risk treatment plan | DS5.2 IT Security Plan
APO13.03 Monitor and review the ISMS | DS5.1 Management of IT Security
BAI01.01 Maintain a standard approach for programme and project management | PO10.1 Programme Management Framework
BAI01.01 Maintain a standard approach for programme and project management | PO10.2 Project Management Framework
BAI01.01 Maintain a standard approach for programme and project management | PO10.3 Project Management Approach
BAI01.02 Initiate a programme |
BAI01.03 Manage stakeholder engagement | PO10.4 Stakeholder Commitment
BAI01.04 Develop and maintain the programme plan |
BAI01.05 Launch and execute the programme |
BAI01.06 Monitor, control and report on the programme outcomes | PO10.13 Project Performance Measurement, Reporting and Monitoring
BAI01.07 Start up and initiate projects within a programme | PO10.5 Project Scope Statement
BAI01.07 Start up and initiate projects within a programme | PO10.6 Project Phase Initiation
BAI01.08 Plan projects | PO10.7 Integrated Project Plan
BAI01.08 Plan projects | PO10.8 Project Resources
BAI01.08 Plan projects | PO10.12 Project Planning of Assurance Methods
BAI01.09 Manage programme and project quality | PO10.10 Project Quality Plan
BAI01.10 Manage programme and project risk | PO10.9 Project Risk Management
BAI01.11 Monitor and control projects | PO10.11 Project Change Control
BAI01.11 Monitor and control projects | PO10.13 Project Performance Measurement, Reporting and Monitoring
BAI01.12 Manage project resources and work packages |
BAI01.13 Close a project or iteration | PO10.14 Project Closure
BAI01.14 Close a programme |
BAI02.01 Define and maintain business functional and technical requirements | AI1.1 Definition and Maintenance of Business Functional and Technical Requirements
BAI02.02 Perform a feasibility study and formulate alternative solutions | AI1.3 Feasibility Study and Formulation of Alternative Courses of Action
BAI02.03 Manage requirements risk | AI1.2 Risk Analysis Report
BAI02.04 Obtain approval of requirements and solutions | AI1.4 Requirements and Feasibility Decision and Approval
BAI03.01 Design high-level solutions | AI2.1 High-level Design
BAI03.01 Design high-level solutions | AI2.4 Application Security and Availability
BAI03.02 Design detailed solution components | AC1 Source Data Preparation and Authorisation
BAI03.02 Design detailed solution components | AI2.2 Detailed Design
BAI03.02 Design detailed solution components | AI2.4 Application Security and Availability
BAI03.03 Develop solution components | AC1 Source Data Preparation and Authorisation
BAI03.03 Develop solution components | AI2.4 Application Security and Availability
BAI03.03 Develop solution components | AI2.5 Configuration and Implementation of Acquired Application Software
BAI03.03 Develop solution components | AI2.7 Development of Application Software
BAI03.03 Develop solution components | AI3.2 Infrastructure Resource Protection and Availability
BAI03.04 Procure solution components | AI2.7 Development of Application Software
BAI03.04 Procure solution components | AI3.1 Technological Infrastructure Acquisition Plan
BAI03.04 Procure solution components | AI5.1 Procurement Control
BAI03.05 Build solutions | AC1 Source Data Preparation and Authorisation
BAI03.05 Build solutions | AI2.3 Application Control and Auditability
BAI03.05 Build solutions | AI2.4 Application Security and Availability
BAI03.05 Build solutions | AI2.5 Configuration and Implementation of Acquired Application Software
BAI03.06 Perform quality assurance | AI2.8 Software Quality Assurance
BAI03.07 Prepare for solution testing | AC1 Source Data Preparation and Authorisation
BAI03.07 Prepare for solution testing | AI3.4 Feasibility Test Environment
BAI03.08 Execute solution testing | AI3.4 Feasibility Test Environment
BAI03.09 Manage changes to requirements | AI2.9 Applications Requirements Management
BAI03.10 Maintain solutions | AI2.6 Major Upgrades to Existing Systems
BAI03.10 Maintain solutions | AI2.10 Application Software Maintenance
BAI03.10 Maintain solutions | AI3.3 Infrastructure Maintenance
BAI03.11 Define IT services and maintain the service portfolio |
BAI04.01 Assess current availability, performance and capacity and create a baseline | DS3.2 Current Performance and Capacity
BAI04.01 Assess current availability, performance and capacity and create a baseline | DS3.3 Future Performance and Capacity
BAI04.02 Assess business impact | DS3.2 Current Performance and Capacity
BAI04.03 Plan for new or changed service requirements | DS3.1 Performance and Capacity Planning
BAI04.04 Monitor and review availability and capacity | DS3.5 Monitoring and Reporting
BAI04.05 Investigate and address availability, performance and capacity issues | DS3.4 IT Resources Availability
BAI05 Manage Organisational Change Enablement
BAI05.01 Establish the desire to change |
BAI05.02 Form an effective implementation team |
BAI05.03 Communicate desired vision |
BAI05.04 Empower role players and identify short-term wins |
BAI05.05 Enable operation and use | AI4.1 Planning for Operational Solutions
BAI05.05 Enable operation and use | AI7.1 Training
BAI05.06 Embed new approaches |
BAI05.07 Sustain changes |
BAI06 Manage Changes
BAI06.01 Evaluate, prioritise and authorise change requests | AI6.1 Change Standards and Procedures
BAI06.01 Evaluate, prioritise and authorise change requests | AI6.2 Impact Assessment, Prioritisation and Authorisation
BAI06.02 Manage emergency changes | AI6.1 Change Standards and Procedures
BAI06.02 Manage emergency changes | AI6.3 Emergency Changes

BAI06.03 Track and report change status. | AI6.1 Change Standards and Procedures
BAI06.03 Track and report change status. | AI6.4 Change Status Tracking and Reporting
BAI06.04 Close and document the changes. | AI6.1 Change Standards and Procedures
BAI06.04 Close and document the changes. | AI6.5 Change Closure and Documentation
BAI07 Manage Change Acceptance and Transitioning
BAI07.01 Establish an implementation plan. | AI7.2 Test Plan
BAI07.01 Establish an implementation plan. | AI7.3 Implementation Plan
BAI07.02 Plan business process, system and data conversion. | AI7.5 System and Data Conversion
BAI07.03 Plan acceptance tests. | AI7.2 Test Plan
BAI07.04 Establish a test environment. | AI7.4 Test Environment
BAI07.05 Perform acceptance tests. | AI7.6 Testing of Changes
BAI07.05 Perform acceptance tests. | AI7.7 Final Acceptance Test
BAI07.06 Promote to production and manage releases. | AI7.8 Promotion to Production
BAI07.07 Provide early production support. |
BAI07.08 Perform a post-implementation review. | AI7.9 Post-implementation Review
BAI08 Manage Knowledge
BAI08.01 Nurture and facilitate a knowledge-sharing culture. | AI4.2 Knowledge Transfer to Business Management
BAI08.01 Nurture and facilitate a knowledge-sharing culture. | AI4.3 Knowledge Transfer to End Users
BAI08.01 Nurture and facilitate a knowledge-sharing culture. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.02 Identify and classify sources of information. | AI4.2 Knowledge Transfer to Business Management
BAI08.02 Identify and classify sources of information. | AI4.3 Knowledge Transfer to End Users
BAI08.02 Identify and classify sources of information. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.03 Organise and contextualise information into knowledge. | AI4.2 Knowledge Transfer to Business Management
BAI08.03 Organise and contextualise information into knowledge. | AI4.3 Knowledge Transfer to End Users
BAI08.03 Organise and contextualise information into knowledge. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.04 Use and share knowledge. | AI4.2 Knowledge Transfer to Business Management
BAI08.04 Use and share knowledge. | AI4.3 Knowledge Transfer to End Users
BAI08.04 Use and share knowledge. | AI4.4 Knowledge Transfer to Operations and Support Staff
BAI08.05 Evaluate and retire information. |
BAI09 Manage Assets
BAI09.01 Identify and record current assets; BAI09.02 Manage critical assets; BAI09.03 Manage the asset life cycle; BAI09.04 Optimise asset costs; BAI09.05 Optimise asset costs (one of these) | DS13.5 Preventive Maintenance for Hardware
BAI10 Manage Configuration
BAI10.01 Establish and maintain a configuration model. | DS9.1 Configuration Repository and Baseline
BAI10.02 Establish and maintain a configuration repository and baseline. | DS9.1 Configuration Repository and Baseline
BAI10.03 Maintain and control configuration items. | DS9.2 Identification and Maintenance of Configuration Items
BAI10.04 Produce status and configuration reports. | DS9.1 Configuration Repository and Baseline
BAI10.04 Produce status and configuration reports. | DS9.3 Configuration Integrity Review
BAI10.05 Verify and review integrity of the configuration repository. | DS9.3 Configuration Integrity Review
DSS01 Manage Operations

DSS01.01 Perform operational procedures. | DS11.1 Business Requirements for Data Management
DSS01.01 Perform operational procedures. | DS11.6 Security Requirements for Data Management
DSS01.01 Perform operational procedures. | DS13.1 Operations Procedures and Instructions
DSS01.01 Perform operational procedures. | DS13.2 Job Scheduling
DSS01.02 Manage outsourced IT services. |
DSS01.03 Monitor IT infrastructure. | DS13.3 IT Infrastructure Monitoring
DSS01.04 Manage the environment. | DS12.1 Site Selection and Layout
DSS01.04 Manage the environment. | DS12.4 Protection Against Environmental Factors
DSS01.05 Manage facilities. | DS12.1 Site Selection and Layout
DSS01.05 Manage facilities. | DS12.5 Physical Facilities Management
DSS02 Manage Service Requests and Incidents
DSS02.01 Define incident and service request classification schemes. | DS5.6 Security Incident Definition
DSS02.01 Define incident and service request classification schemes. | DS8.2 Registration of Customer Queries
DSS02.01 Define incident and service request classification schemes. | DS9.1 Configuration Repository and Baseline
DSS02.02 Record, classify and prioritise requests and incidents. | DS8.2 Registration of Customer Queries
DSS02.03 Verify, approve and fulfil service requests. | AI3.2 Infrastructure Resource Protection and Availability
DSS02.03 Verify, approve and fulfil service requests. | DS8.2 Registration of Customer Queries
DSS02.04 Investigate, diagnose and allocate incidents. | DS8.3 Incident Escalation
DSS02.05 Resolve and recover from incidents. | DS8.4 Incident Closure
DSS02.05 Resolve and recover from incidents. | DS9.3 Configuration Integrity Review
DSS02.06 Close service requests and incidents. | DS8.4 Incident Closure
DSS02.07 Track status and produce reports. | DS8.5 Reporting and Trend Analysis
DSS03 Manage Problems
DSS03.01 Identify and classify problems. | DS10.1 Identification and Classification of Problems
DSS03.02 Investigate and diagnose problems. | DS10.2 Problem Tracking and Resolution
DSS03.03 Raise known errors. | DS10.3 Problem Closure
DSS03.04 Resolve and close problems. | DS10.3 Problem Closure
DSS03.05 Perform proactive problem management. | DS10.4 Integration of Configuration, Incident and Problem Management
DSS04 Manage Continuity
DSS04.01 Define the business continuity policy, objectives and scope; DSS04.02 Maintain a continuity strategy; DSS04.03 Develop and implement a business continuity response; DSS04.04 Exercise, test and review the BCP; DSS04.05 Review, maintain and improve the continuity plan; DSS04.06 Conduct continuity plan training; DSS04.07 Manage backup arrangements; DSS04.08 Conduct post-resumption review; DSS04.09 | DS4.1 IT Continuity Framework; DS4.2 IT Continuity Plans; DS4.3 Critical IT Resources; DS4.4 Maintenance of the IT Continuity Plan; DS4.5 Testing of the IT Continuity Plan; DS4.6 IT Continuity Plan Training; DS4.7 Distribution of the IT Continuity Plan; DS4.8 IT Services Recovery and Resumption; DS4.9 Offsite Backup Storage; DS4.10 Post-resumption Review; DS11.2 Storage and Retention Arrangements; DS11.3 Media Library Management System; DS11.5 Backup and Restoration
DSS05 Manage Security Services
DSS05.01 Protect against malware. | DS5.9 Malicious Software Prevention, Detection and Correction
DSS05.02 Manage network and connectivity security. | DS5.10 Network Security
DSS05.02 Manage network and connectivity security. | DS5.11 Exchange of Sensitive Data
DSS05.03 Manage endpoint security. | DS5.8 Cryptographic Key Management
DSS05.04 Manage user identity and logical access. | DS5.3 Identity Management
DSS05.04 Manage user identity and logical access. | DS5.4 User Account Management
DSS05.05 Manage physical access to IT assets. | DS5.7 Protection of Security Technology
DSS05.05 Manage physical access to IT assets. | DS12.1 Site Selection and Layout
DSS05.05 Manage physical access to IT assets. | DS12.2 Physical Security Measures
DSS05.05 Manage physical access to IT assets. | DS12.3 Physical Access
DSS05.06 Manage sensitive documents and output devices. | DS13.4 Sensitive Documents and Output Devices
DSS05.07 Monitor the infrastructure for security-related events. | DS5.5 Security Testing, Surveillance and Monitoring
DSS05.08 | DS11.4 Disposal
DSS05.08 | DS11.6 Security Requirements for Data Management
DSS06 Manage Business Process Controls
DSS06.01 Align control activities embedded in business processes with enterprise objectives. |
DSS06.02 Control the processing of information. | AC1 Source Data Preparation and Authorisation
DSS06.02 Control the processing of information. | AC2 Source Data Collection and Entry
DSS06.02 Control the processing of information. | AC3 Accuracy, Completeness and Authenticity Checks
DSS06.02 Control the processing of information. | AC4 Processing Integrity and Validity
DSS06.02 Control the processing of information. | AC5 Output Review, Reconciliation and Error Handling
DSS06.02 Control the processing of information. | AC6 Transaction Authentication and Integrity
DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. | AC1 Source Data Preparation and Authorisation
DSS06.04 Manage errors and exceptions; DSS06.05 Ensure traceability of information events; DSS06.06 Secure information assets; DSS08.02 (three of these) | DS11.2 Storage and Retention Arrangements; DS11.6 Security Requirements for Data Management; PO4.11 Segregation of Duties
EDM01 Ensure Governance Framework Setting and Maintenance
EDM01.01 Evaluate the governance system. | ME4.1 Establishment of an IT Governance Framework
EDM01.01 Evaluate the governance system. | PO3.3 Monitor Future Trends and Regulations
EDM01.02 Evaluate the governance system. | ME4.1 Establishment of an IT Governance Framework
EDM01.03 Evaluate the governance system. | ME4.1 Establishment of an IT Governance Framework
EDM01.03 Monitor the governance system. | ME4.6 Performance Measurement
EDM02 Ensure Benefits Delivery
EDM02.01 Evaluate value optimisation. | PO1.1 IT Value Management
EDM02.02 Direct value optimisation. | PO1.1 IT Value Management
EDM02.03 Monitor value optimisation. | PO1.1 IT Value Management
EDM02.01 Evaluate value optimisation. | ME4.3 Value Delivery
EDM02.02 Direct value optimisation. | ME4.3 Value Delivery

EDM02.03 Monitor value optimisation. | ME4.3 Value Delivery
EDM02.03 Monitor value optimisation. | ME4.6 Performance Measurement
EDM03 Ensure Risk Optimisation
EDM03.01 Evaluate risk management. | ME4.5 Risk Management
EDM03.02 Direct risk management. | ME4.5 Risk Management
EDM03.03 Monitor risk management. | ME4.5 Risk Management
EDM03.02 Direct risk management. | PO9.1 IT Risk Management Framework
EDM03.02 Direct risk management. | PO6.2 Enterprise IT Risk and Control Framework
EDM03.03 Monitor risk management. | ME4.6 Performance Measurement
EDM04 Ensure Resource Optimisation
EDM04.01 Evaluate resource management. | ME4.4 Resource Management
EDM04.02 Direct resource management. | ME4.4 Resource Management
EDM04.03 Monitor resource management. | ME4.4 Resource Management
EDM04.03 Monitor resource management. | ME4.6 Performance Measurement
EDM05 Ensure Stakeholder Transparency
EDM05.01 Evaluate stakeholder reporting requirements. |
EDM05.02 Direct stakeholder communication and reporting. |
EDM05.03 Monitor stakeholder communication. |
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA01.01 Establish a monitoring approach. | ME1.1 Monitoring Approach
MEA01.02 Set performance and conformance targets. | ME1.2 Definition and Collection of Monitoring Data
MEA01.03 Collect and process performance and conformance data. | ME1.2 Definition and Collection of Monitoring Data
MEA01.03 Collect and process performance and conformance data. | ME1.3 Monitoring Method
MEA01.04 Analyse and report performance. | ME1.4 Performance Assessment
MEA01.04 Analyse and report performance. | ME1.5 Board and Executive Reporting
MEA01.05 Ensure the implementation of corrective actions. | ME1.6 Remedial Actions
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA02.01 Monitor internal controls. | ME2.1 Monitoring of Internal Control Framework
MEA02.01 Monitor internal controls. | ME2.2 Supervisory Review
MEA02.01 Monitor internal controls. | ME2.6 Internal Control at Third Parties
MEA02.02 Review business process controls effectiveness. | ME2.1 Monitoring of Internal Control Framework
MEA02.03 Perform control self-assessments. | ME2.4 Control Self-assessment
MEA02.04 Identify and report control deficiencies. | ME2.3 Control Exceptions
MEA02.04 Identify and report control deficiencies. | ME2.7 Remedial Actions
MEA02.05 Ensure that assurance providers are independent and qualified. | ME4.7 Independent Assurance
MEA02.06 Plan assurance initiatives. | ME2.5 Assurance of Internal Control
MEA02.06 Plan assurance initiatives. | ME4.7 Independent Assurance
MEA02.07 Scope assurance initiatives. | ME2.5 Assurance of Internal Control
MEA02.07 Scope assurance initiatives. | ME4.7 Independent Assurance
MEA02.08 Execute assurance initiatives. | ME2.5 Assurance of Internal Control
MEA02.08 Execute assurance initiatives. | ME4.7 Independent Assurance
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

MEA03.01 Identify external compliance requirements. | ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements
MEA03.02 Optimise response to external requirements. | ME3.2 Optimisation of Response to External Requirements
MEA03.03 Confirm external compliance. | ME3.3 Evaluation of Compliance With External Requirements
MEA03.04 Obtain assurance of external compliance. | ME3.4 Positive Assurance of Compliance
MEA03.04 Obtain assurance of external compliance. | ME3.5 Integrated Reporting
 | PO4.8 Responsibility for Risk, Security and Compliance
 | DS8.1 Service Desk
 | ME4.2 Strategic Alignment

Terms used in Process Maturity/Capability

Capability levels

COBIT 4.1 MM level | Based on ISO/IEC 15504 | Meaning of the capability level, based on ISO/IEC 15504
5 -- Optimizing | 5 -- Optimized | Continuously improved to meet goals that are relevant to the current situation and aligned with the enterprise goals.
4 -- Managed and measurable | 4 -- Predictable | Operates within defined limits to achieve the desired process outcomes.
3 -- Defined | 3 -- Established | Implemented using a defined process that is capable of achieving the desired process outcomes.
2 -- Repeatable | 2 -- Managed | Implemented in a managed manner (planned, monitored and adjusted), properly established to control and maintain its work products.
1 -- Ad hoc | 1 -- Performed | Achieves the purpose of the process.
0 -- Non-existent | 0 -- Incomplete | Not implemented, or there is little or no evidence of systematic achievement of the process purpose.

/Capability
Context
Enterprise viewpoint / corporate knowledge
Individual viewpoint / individual knowledge
