COBIT® is a trademark of ISACA® registered in the United States and other countries.
Start and finish
Course style
Lunch
Coffee and breaks
M00 - Course introduction 2/12 | 2/249
• Perform a process capability assessment using the Assessor Guide: using COBIT 5
• Apply the Process Assessment Model (The PAM) in performing a process capability assessment
• Use the Process Reference Model, in particular to be able to apply the 37 processes outlined in the PRM
• Apply and analyse the measurement model in assessing process capability levels
• Apply and analyse the capability dimension using generic criteria outlined in the PAM
• Identify and assess the roles and responsibilities in the process capability assessment process
• Perform and assess the 7 steps outlined in the Assessor Guide
Main goal:
• Attempt Assessor exam with confidence
Secondary goal:
• Benefits and value of IT Governance and COBIT 5 audit process
M00 - Course introduction 3/12 | 3/249
• Please share with the class:
  • Your name and surname
  • Your organization
  • Your profession (title, function, job responsibilities)
  • Your familiarity with:
    • Project management
    • IT management
    • IT service management (ITSM)
    • Enterprise architecture
  • Your experience with IT Governance
  • Your personal session expectations
M00 - Course introduction 4/12 | 4/249
M00 - Course introduction 5/12 | 5/249
• Foundation Exam
• Paper based and closed book exam
• Only pencil and eraser are allowed
• Simple multiple (ABCD) choice exam
• Only one answer is correct
• 50 questions, pass mark is 25 (50%)
• No negative points, no “Tricky Questions”
• No pre-requisite for Foundation exam
• Sample, one (official) mock exam is provided to you
Candidates completing an examination in a language that is not their mother tongue will receive additional time
M00 - Course introduction 6/12 | 6/249
• Target Audience
• Consultants, IT practitioners, Business managers
• Apply the COBIT 5 good practice continual improvement lifecycle approach to GEIT, tailored to suit the needs of a specific enterprise. In particular
M00 - Course introduction 7/12 | 7/249
• Target Audience
• Internal and external (Lead) Auditors
• Perform a process capability assessment using the Assessor Guide: using COBIT 5
• Apply the Process Assessment Model
• Identify and assess the roles and responsibilities
M00 - Course introduction 8/12 | 8/249
COBIT5 main publication is COBIT 5 - A Business Framework for the Governance and Management of Enterprise IT:
• ISBN-13: 978-1604202373
COBIT5 syllabus section code and title:
• OV: Overview and Key Features of COBIT 5
• PR: The COBIT 5 Principles
• EN: The COBIT 5 Enablers
• IM: Introduction to COBIT 5 Implementation
• PC: Process Capability Assessment Model
Syllabus / Handbook Page (fields shown on each slide):
• Module number and name
• Module slide number / total module slides
• Slide number / total slides
• COBIT5 syllabus section code
• COBIT5 handbook page
M00 - Course introduction 9/12 | 9/249
M00 - Course introduction 10/12 | 10/249
quizlet.com/67599656/
M00 - Course introduction 11/12 | 11/249
twitter.com/mirodabrowski
linkedin.com/in/miroslawdabrowski
google.com/+miroslawdabrowski
miroslaw_dabrowski
www.miroslawdabrowski.com
Mirosław Dąbrowski
Agile Coach, Trainer, Consultant
(former JEE/PHP developer, UX/UI designer, BA/SA)
Creator Writer / Translator Trainer / Coach
• Creator of 50+ mind maps from PPM and related
topics (2mln views): miroslawdabrowski.com
• Lead author of more than 50+ accredited materials
from PRINCE2, PRINCE2 Agile, MSP, MoP, P3O, ITIL,
M_o_R, MoV, PMP, Scrum, AgilePM, DSDM, CISSP,
CISA, CISM, CRISC, CGEIT, TOGAF, COBIT5 etc.
• Creator of 50+ interactive mind maps from PPM
topics: mindmeister.com/users/channel/2757050
• Product Owner of biggest Polish project
management portal: 4PM: 4pm.pl (15.000+ views
each month)
• Editorial Board Member of Official PMI Poland
Chapter magazine: “Strefa PMI”: strefapmi.pl
• Official PRINCE2 Agile, AgilePM, ASL2, BiSL methods
translator for Polish language
• English speaking, international, independent
trainer and coach from multiple domains.
• Master Lead Trainer
• 11+ years in training and coaching / 15.000+ hours
• 100+ certifications
• 5000+ people trained and coached
• 25+ trainers trained and coached
linkedin.com/in/miroslawdabrowski
Agile Coach / Scrum Master PM / IT architect Notable clients
• 8+ years of experience with Agile projects as a
Scrum Master, Product Owner and Agile Coach
• Coached 25+ teams from Agile and Scrum
• Agile Coach coaching C-level executives
• Scrum Master facilitating multiple teams
experienced with UX/UI + Dev teams
• Experience multiple Agile methods
• Author of AgilePM/DSDM Project Health Check
Questionnaire (PHCQ) audit tool
• Dozens of mobile and ecommerce projects
• IT architect experienced in IT projects with budget
above 10mln PLN and timeline of 3+ years
• Experienced with (“traditional”) projects under high
security, audit and compliance requirements based
on ISO/IEC 27001
• 25+ web portal design and development and
mobile application projects with iterative,
incremental and adaptive approach
ABB, AGH, Aiton Caldwell, Asseco, Capgemini, Deutsche Bank,
Descom, Ericsson, Ericpol, Euler Hermes, General Electric,
Glencore, HP Global Business Center, Ideo, Infovide-Matrix,
Interia, Kemira, Lufthansa Systems, Media-Saturn Group,
Ministry of Defense (Poland), Ministry of Justice (Poland),
Nokia Siemens Networks, Oracle, Orange, Polish Air Force,
Proama, Roche, Sabre Holdings, Samsung Electronics, Sescom,
Scania, Sopra Steria, Sun Microsystems, Tauron Polish Energy,
Tieto, University of Wroclaw, UBS Service Centre, Volvo IT…
miroslawdabrowski.com/about-me/clients-and-references/
Accreditations/certifications (selected): CISA, CISM, CRISC, CASP, Security+, Project+, Network+, Server+, Approved
Trainer: (MoP, MSP, PRINCE2, PRINCE2 Agile, M_o_R, MoV, P3O, ITIL Expert, RESILIA), ASL2, BiSL, Change Management,
Facilitation, Managing Benefits, COBIT5, TOGAF 8/9L2, OBASHI, CAPM, PSM I, SDC, SMC, ESMC, SPOC, AEC, DSDM Atern,
DSDM Agile Professional, DSDM Agile Trainer-Coach, AgilePM, OCUP Advanced, SCWCD, SCBCD, SCDJWS, SCMAD, ZCE 5.0,
ZCE 5.3, MCT, MCP, MCITP, MCSE-S, MCSA-S, MCS, MCSA, ISTQB, IQBBA, REQB, CIW Web Design / Web Development /
Web Security Professional, Playing Lean Facilitator, DISC D3 Consultant, SDI Facilitator, Certified Trainer Apollo 13 ITSM
Simulation …
M00 - Course introduction 12/12 | 12/249
1. Introduction to COBIT 5 Assessor
2. Introduction to the COBIT 5 Process Assessment Model (PAM)
3. Overview of the COBIT 5 Process Assessment Model (PAM)
4. Process Dimension and Process Performance Indicators
5. Process Capability Indicators
6. Generic Work Products (GWPs)
7. Roles, Responsibilities and Competencies
8. Initiate an Assessment
9. Scope an Assessment
10. Plan an Assessment and Brief the teams and management
11. Data Collection
12. Data Validation
13. Analyse and rate the process attributes and capability levels
14. Prepare and present assessment reports
M01 - Introduction to COBIT 5 Assessor 2/33 | 14/249
M01 - Introduction to COBIT 5 Assessor 3/33 | 15/249
• The Syllabus is based on these two guides.
• The Assessor training and certification is a ‘Practitioner-Level training and certification course’ that focuses on ‘how’ to apply the PAM and ‘how’ to analyse the results.
• It is a mandatory requirement for all candidates to have passed the Foundation Exam before applying for and attending the Assessor level training and certification exam.
“The Assessor Guide: Using COBIT 5” provides the main guidance on performing a process capability assessment, the roles, responsibilities and competences required and the key steps required, from assessment initiation to reporting of the assessment results.
“The Process Assessment Model (PAM): using COBIT 5”, the model used by the assessor to perform an assessment, is used by the candidate to reference the process content to be used in the assessment.
M01 - Introduction to COBIT 5 Assessor 4/33 | 16/249
• The target audience for this training certificate is:
  • Internal and external Auditors who want to add process capability assessments to the scope of their audits.
  • IT auditors who want to add process capability assessments to the scope of their audits.
  • Consultants who want to be allowed to perform independent process assessments on behalf of their clients.
M01 - Introduction to COBIT 5 Assessor 5/33 | 17/249
“There are few things as useless, if not as dangerous, as the right answer to the wrong question.”
“There are no such things as the one right organization. There are only organisations, each of which has distinct strengths, distinct limitations and specific applications. A given organisation structure fits certain tasks, in certain conditions and at certain times.”
Peter Drucker
M01 - Introduction to COBIT 5 Assessor 6/33 | 18/249
Route maps or plans reflect the choices we make to guide our organisations to our selected and defined destination
• Models – Frameworks – Good Practices help us make sense of the context and the challenges we face … they provide Roadmaps
One generation’s Good Practice soon becomes the status quo for the next generation …
M01 - Introduction to COBIT 5 Assessor 7/33 | 19/249
Evolution of COBIT:
• 1996: COBIT1 (Audit)
• 1998: COBIT2 (Control)
• 2000: COBIT3 (Management)
• 2005/7: COBIT4.0/4.1 (IT Governance)
• 2012: COBIT 5 (Governance of Enterprise IT)
Also on the timeline: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)
© 2013 ISACA. All Rights Reserved.
COBIT 5 ties together all ISACA knowledge assets, i.e.
• COBIT 4.1
• Val IT™
• Risk IT
• Business Model for Information Security™ (BMIS™)
• IT Assurance Framework™ (ITAF™)
• Taking Governance Forward (TGF)
• Board Briefing on IT Governance, 2nd Edition
M01 - Introduction to COBIT 5 Assessor 8/33 | 20/249
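Figure (governance roles and goals cascade):
• Roles, activities and relationships: Owners and Stakeholders delegate to the Governing Body; the Governing Body sets direction for Management; Management instructs and aligns Operations and Execution. In return, Operations and Execution report to Management, the Governing Body monitors Management, and the Governing Body is accountable to Owners and Stakeholders.
• Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...), Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation), Enterprise Goals, IT-related Goals, Enabler Goals
• Callouts: C4.1 Mapping (Appendix A); RACI: Roles & Descriptions for RACIs (pages 76-77)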
M01 - Introduction to COBIT 5 Assessor 9/33 | 21/249
COBIT 5 Enterprise Goals
Columns: BSC Dimension; Enterprise Goal; Relation to Governance Objectives (Benefits Realisation, Risk Optimisation, Resource Optimisation)
Financial
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
Internal
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies
Learning and Growth
16. Skilled and motivated people
17. Product and business innovation culture
M01 - Introduction to COBIT 5 Assessor 10/33 | 22/249
COBIT 5 Enterprise Goals
Columns: IT BSC Dimension; Information and Related Technology Goal
Financial
01 Alignment of IT and business strategy
02 IT compliance and support for business compliance with external laws and regulations
03 Commitment of executive management for making IT-related decisions
04 Managed IT-related business risk
05 Realised benefits from IT-enabled investments and services portfolio
06 Transparency of IT costs, benefits and risk
Customer
07 Delivery of IT services in line with business requirements
08 Adequate use of applications, information and technology solutions
Internal
09 IT agility
10 Security of information, processing infrastructure and applications
11 Optimisation of IT assets, resources and capabilities
12 Enablement and support of business processes by integrating applications and technology into business processes
13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14 Availability of reliable and useful information for decision making
15 IT compliance with internal policies
Learning and Growth
16 Competent and motivated business and IT personnel
17 Knowledge, expertise and initiatives for business innovation
M01 - Introduction to COBIT 5 Assessor 11/33 | 23/249
Processes for Governance of Enterprise IT
Evaluate, Direct and Monitor
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency
Processes for Management of Enterprise IT
Align, Plan and Organise
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security
Build, Acquire and Implement
• BAI01 Manage Programmes and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organisational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration
Deliver, Service and Support
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
M01 - Introduction to COBIT 5 Assessor 12/33 | 24/249
M01 - Introduction to COBIT 5 Assessor 13/33 | 25/249
Process Name
Area:
Domain:
Process Purpose Statement
Process Description
M01 - Introduction to COBIT 5 Assessor 14/33 | 26/249
Process template sections:
• Process Name, Area, Domain
• Process Description
• Process Purpose Statement
• The process supports the achievement of a set of primary IT-related goals: IT-related Goal, Related Metrics
• Process Goals and Metrics: Process Goal, Related Metrics
• RACI Chart
• Management Practices, with Inputs and Outputs (From, Description)
• Activities
• Related Guidance: Related Standard, Detailed Reference
M01 - Introduction to COBIT 5 Assessor 15/33 | 27/249
Process template sections: Process Name; Process Description; Process Purpose Statement; The process supports the ... (IT-related Goal); Process Goals and Metrics (Process Goal); RACI Chart; Management Practices; Activities; Related Guidance (Related Standard & Reference)
Process Name: DSS04 Manage Continuity
Process Description
Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.
Process Purpose Statement
Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.
Management Practices (Inputs, Outputs)
• DSS04.01 Define the business continuity policy, objectives and scope. 4
• DSS04.02 Maintain a continuity strategy. 9
• DSS04.03 Develop and implement a business continuity response. 8
• DSS04.04 Exercise, test and review the BCP. 6
• DSS04.05 Review, maintain and improve the continuity plan. 4
• DSS04.06 Conduct continuity plan training. 3
• DSS04.07 Manage backup arrangements. 5
• DSS04.08 Conduct post-resumption review. 4
M01 - Introduction to COBIT 5 Assessor 16/33 | 28/249
COBIT 5 Outputs
Outputs to all Processes
From Key Practice | Output Description | Destination
APO13.02 | Information security risk treatment plan | All EDM; All APO; All BAI; All DSS; All MEA
Outputs to all Governance Processes
From Key Practice | Output Description | Destination
EDM01.01 | Enterprise governance guiding principles | All EDM
EDM01.01 | Decision-making model | All EDM
EDM01.01 | Authority levels | All EDM
EDM01.02 | Enterprise governance communications | All EDM
EDM01.03 | Feedback on governance effectiveness and performance | All EDM
Outputs to all Management Processes
From Key Practice | Output Description | Destination
APO01.01 | Communication ground rules | All APO; All BAI; All DSS; All MEA
APO01.03 | IT-related policies | All APO; All BAI; All DSS; All MEA
APO01.04 | Communications on IT objectives | All APO; All BAI; All DSS; All MEA
APO01.07 | Process improvement opportunities | All APO; All BAI; All DSS; All MEA
APO02.06 | Communications package | All APO; All BAI; All DSS; All MEA
M01 - Introduction to COBIT 5 Assessor 17/33 | 29/249
M01 - Introduction to COBIT 5 Assessor 18/33 | 30/249
Chief Executive Officer
Board
Steering (Programmes/Projects) Committee
Value Management Office
Chief Operating Officer
Business Executives
Business Process Owners
Strategy Executive Committee
Project Management Office
Chief Financial Officer
Chief Risk Officer
Chief Information Security Officer
Architecture Board
Enterprise Risk Committee
Head Human Resources
Compliance
Audit
Chief Information Officer
Head Architect
Head Development
Head IT Operations
Head IT Administration
Service Manager
Information Security Manager
Business Continuity Manager
Privacy Officer
Generic Process RACI Chart:
Management Practice 1
Management Practice 2
Management Practice 3
Management Practice … n
The Roles and Organisational Structures used in the process RACI charts for each Key Management Practice are defined/described on pages 75-77 of the COBIT 5 Framework
M01 - Introduction to COBIT 5 Assessor 19/33 | 31/249
• We have just looked at the layout of a COBIT 5 RACI chart.
• We have all experienced situations where job titles have proved misleading.
• We will give each of you a list of the job role descriptions / definitions for you to reflect upon where responsibility lies within your organisation for these activities.
• After 15 mins we will provide each of you with a copy of the COBIT 5 RACI roles and their descriptions / definitions to compare with your input.
• After a further 10 mins we will spend 10 mins discussing the exercise and your experience in comparing / contrasting and challenging your organisation and COBIT 5.
M01 - Introduction to COBIT 5 Assessor 20/33 | 32/249
M01 - Introduction to COBIT 5 Assessor 21/33 | 33/249
COBIT 5 Roles and Organisation Structures
Role/Structure: Definition/Description
• Board: The group of the most senior executives and/or non-executive directors of the enterprise who are accountable for the governance of the enterprise and have overall control of its resources
• CEO: The highest-ranking officer who is in charge of the total management of the enterprise
• CFO: The most senior official of the enterprise who is accountable for all aspects of financial management, including financial risk and controls and reliable and accurate accounts
• Chief Operating Officer (COO): The most senior official of the enterprise who is accountable for the operation of the enterprise
• CRO: The most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee IT-related risk.
• CIO: The most senior official of the enterprise who is responsible for aligning IT and business strategies and accountable for planning, resourcing and managing the delivery of IT services and solutions to support enterprise objectives
• Chief Information Security Officer (CISO): The most senior official of the enterprise who is accountable for the security of enterprise information in all its forms
• Business Executive: A senior management individual accountable for the operation of a specific business unit or subsidiary
• Business Process Owner: An individual accountable for the performance of a process in realising its objectives, driving process improvement and approving process changes
M01 - Introduction to COBIT 5 Assessor 22/33 | 34/249
COBIT 5 Roles and Organisation Structures
Role/Structure: Definition/Description
• Strategy (IT Executive) Committee: A group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major IT-related matters and decisions. The committee is accountable for managing the portfolios of IT-enabled investments, IT services and IT assets, ensuring that value is delivered and risk is managed. The committee is normally chaired by a board member, not by the CIO.
• (Project and Programme) Steering Committees: A group of stakeholders and experts who are accountable for guidance of programmes and projects, including management and monitoring of plans, allocation of resources, delivery of benefits and value, and management of programme and project risk
• Architecture Board: A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards
• Enterprise Risk Committee: The group of executives of the enterprise who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee.
• Head of HR: The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise
• Compliance: The function in the enterprise responsible for guidance on legal, regulatory and contractual compliance
• Audit: The function in the enterprise responsible for provision of internal audits
• Head of Architecture: A senior individual accountable for the enterprise architecture process
M01 - Introduction to COBIT 5 Assessor 23/33 | 35/249
COBIT 5 Roles and Organisation Structures
Role/Structure: Definition/Description
• Information Security Manager: The function responsible for supporting programme and project managers, and gathering, assessing and reporting information about the conduct of their programmes and constituent projects
• Head of Development: A senior individual accountable for IT-related solution development processes
• Head of IT Operations: A senior individual accountable for the IT operational environments and infrastructure
• Head of IT Administration: A senior individual accountable for IT-related records and responsible for supporting IT-related administrative matters
• Programme and Project Management Office (PMO): The function that acts as the secretariat for managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, recommending value governance/management methods and controls, and reporting on progress on sustaining and creating value from investments and services
• Value Management Office (VMO): An individual who manages, designs, oversees and/or assesses an enterprise’s information security
• Service Manager: An individual who manages the development, implementation, evaluation and ongoing management of new and existing products and services for a specific customer (user) or group of customers (users)
M01 - Introduction to COBIT 5 Assessor 24/33 | 36/249
COBIT 5 Roles and Organisation Structures
Role/Structure: Definition/Description
• Business Continuity Manager: An individual who manages, designs, oversees and/or assesses an enterprise’s business continuity capability, to ensure that the enterprise’s critical functions continue to operate following disruptive events
• Privacy Officer: An individual who is responsible for monitoring the risk and business impacts of privacy laws and for guiding and co-ordinating the implementation of policies and activities that will ensure that the privacy directives are met. Also called data protection officer.
M01 - Introduction to COBIT 5 Assessor 25/33 | 37/249
Figure (governance roles and goals cascade, with references):
• Roles, activities and relationships: Owners and Stakeholders (delegate) to Governing Body (set direction) to Management (instruct and align) to Operations and Execution, with Report, Monitor and Accountable flowing back
• Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...), Stakeholder Needs (Benefits Realisation, Resource Optimisation, Risk Optimisation), Enterprise Goals, IT-related Goals, Process and Enabler Goals
• Callouts: C4.1 Mapping (Appendix A); RACI: Roles & Descriptions for RACIs (pages 76-77); Governance & Management Questions on IT (page 22); Mapping to Goals (Appendix D)
M01 - Introduction to COBIT 5 Assessor 26/33 | 38/249
Governance and Management Questions on IT
Internal Stakeholders
• Board
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Chief information officer (CIO)
• Chief risk officer (CRO)
• Business executives
• Business process owners
• Business managers
• Risk managers
• Security managers
• Service managers
• Human resource (HR) managers
• Internal audit
• Privacy officers
• IT users
• IT managers
• Etc.
Internal Stakeholder Questions
• How do I get value from the use of IT? Are end users satisfied with the quality of the IT service?
• How do I manage performance of IT?
• How can I best exploit new technology for new strategic opportunities?
• How do I best build and structure my IT department?
• How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers?
• What are the (control) requirements for information?
• Did I address all IT-related risk?
• Am I running an efficient and resilient IT operation?
• How do I control the cost of IT? How do I use IT resources in the most effective and efficient manner?
• What are the most effective and efficient sourcing options?
• Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance?
• How do I improve business agility through a more flexible IT environment?
External Stakeholders / External Stakeholder Questions
M01 - Introduction to COBIT 5 Assessor 27/33 | 39/249
M01 - Introduction to COBIT 5 Assessor 28/33 | 40/249
1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
Resources:
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
M01 - Introduction to COBIT 5 Assessor 29/33 | 41/249
Enabler Dimension
• Stakeholders: Internal Stakeholders; External Stakeholders
• Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
• Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
• Good Practices: Practices; Work products (Inputs/Outputs)
Enabler Performance Management
• Are Stakeholder Needs Addressed?
• Are Enabler Goals Achieved?
• Is Life Cycle Managed?
• Are Good Practices Applied?
Metrics for Achievement of Goals (Lag Indicators)
Metrics for Application of Practice (Lead Indicators)
M01 - Introduction to COBIT 5 Assessor 30/33 | 42/249
“Enterprises should follow existing internal business case and investment justification approaches, if they exist, and use this example and the guidance in the COBIT 5 Implementation Guide to help focus on all of the issues that should be addressed. Further guidance on developing business cases can be found in COBIT 5 process APO05 and in The Business Case Guide: Using Val IT™ 2.0.”
M01 - Introduction to COBIT 5 Assessor 31/33 | 43/249
M01 - Introduction to COBIT 5 Assessor 32/33 | 44/249
 
cobit 2019 presentation.pdf
cobit 2019 presentation.pdfcobit 2019 presentation.pdf
cobit 2019 presentation.pdf
 
Cobit 2019 foundation study material
Cobit 2019 foundation study materialCobit 2019 foundation study material
Cobit 2019 foundation study material
 
ITSM Governance Overview
ITSM Governance OverviewITSM Governance Overview
ITSM Governance Overview
 

Viewers also liked

PRINCE2 Foundation Workshops -- Organization
PRINCE2 Foundation Workshops -- OrganizationPRINCE2 Foundation Workshops -- Organization
PRINCE2 Foundation Workshops -- OrganizationFrank Turley
 

Viewers also liked (20)

SDI - SDA - Service Desk Analyst
SDI - SDA - Service Desk AnalystSDI - SDA - Service Desk Analyst
SDI - SDA - Service Desk Analyst
 
AXELOS - PRINCE2® Foundation
AXELOS - PRINCE2® FoundationAXELOS - PRINCE2® Foundation
AXELOS - PRINCE2® Foundation
 
PRINCE2 Foundation Workshops -- Organization
PRINCE2 Foundation Workshops -- OrganizationPRINCE2 Foundation Workshops -- Organization
PRINCE2 Foundation Workshops -- Organization
 
OBASHI® - Foundation
OBASHI® - FoundationOBASHI® - Foundation
OBASHI® - Foundation
 
Lean IT - Foundation
Lean IT - FoundationLean IT - Foundation
Lean IT - Foundation
 
DSDM® AgilePF® - Agile Project Framework - Foundation
DSDM® AgilePF® - Agile Project Framework - FoundationDSDM® AgilePF® - Agile Project Framework - Foundation
DSDM® AgilePF® - Agile Project Framework - Foundation
 
REQB® - Foundation Level Requirements Manager
REQB® - Foundation Level Requirements ManagerREQB® - Foundation Level Requirements Manager
REQB® - Foundation Level Requirements Manager
 
Professional Scrum Product Owner I (PSPO-I)
Professional Scrum Product Owner I (PSPO-I)Professional Scrum Product Owner I (PSPO-I)
Professional Scrum Product Owner I (PSPO-I)
 
COBIT®5 - Foundation
COBIT®5 - FoundationCOBIT®5 - Foundation
COBIT®5 - Foundation
 
APMP: The APM Project Management Qualification
APMP: The APM Project Management QualificationAPMP: The APM Project Management Qualification
APMP: The APM Project Management Qualification
 
IQBBA® - Foundation Level Business Analyst
IQBBA® - Foundation Level Business AnalystIQBBA® - Foundation Level Business Analyst
IQBBA® - Foundation Level Business Analyst
 
Professional Scrum Master I (PSM-I)
Professional Scrum Master I (PSM-I)Professional Scrum Master I (PSM-I)
Professional Scrum Master I (PSM-I)
 
Managing Benefits - Foundation
Managing Benefits - FoundationManaging Benefits - Foundation
Managing Benefits - Foundation
 
AgileBA® - Agile Business Analysis - Foundation
AgileBA® - Agile Business Analysis - FoundationAgileBA® - Agile Business Analysis - Foundation
AgileBA® - Agile Business Analysis - Foundation
 
REQB® - Advanced Level Requirements Manager
REQB® - Advanced Level Requirements ManagerREQB® - Advanced Level Requirements Manager
REQB® - Advanced Level Requirements Manager
 
COBIT®5 - Implementation
COBIT®5 - ImplementationCOBIT®5 - Implementation
COBIT®5 - Implementation
 
CHAMPS2 - Foundation
CHAMPS2 - FoundationCHAMPS2 - Foundation
CHAMPS2 - Foundation
 
Change Management - Foundation
Change Management - FoundationChange Management - Foundation
Change Management - Foundation
 
AXELOS - PRINCE2 Agile® Practitioner
AXELOS - PRINCE2 Agile® PractitionerAXELOS - PRINCE2 Agile® Practitioner
AXELOS - PRINCE2 Agile® Practitioner
 
Sourcing Governance - Foundation
Sourcing Governance - FoundationSourcing Governance - Foundation
Sourcing Governance - Foundation
 

Similar to COBIT®5 - Assessor

All About Business Analyst Becoming a successful BA
All About Business Analyst Becoming a successful BAAll About Business Analyst Becoming a successful BA
All About Business Analyst Becoming a successful BAZaranTech LLC
 
Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...
Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...
Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...Délio Almeida
 
My Curriculum Vitæ
My Curriculum VitæMy Curriculum Vitæ
My Curriculum VitæLucas Souza
 
Capm Free Seminar Presentation
Capm Free Seminar PresentationCapm Free Seminar Presentation
Capm Free Seminar PresentationRavindra Kamthe
 
CAPM Exam Prep Course Preview
CAPM Exam Prep Course PreviewCAPM Exam Prep Course Preview
CAPM Exam Prep Course PreviewInvensis Learning
 
Session 3 Everything You Should Know About PMP & CAPM Certifications
Session 3 Everything You Should Know About PMP & CAPM CertificationsSession 3 Everything You Should Know About PMP & CAPM Certifications
Session 3 Everything You Should Know About PMP & CAPM CertificationsSeshne Govender
 
PMINEO_2012_03_OPM3_Organizational_PM_Maturity
PMINEO_2012_03_OPM3_Organizational_PM_MaturityPMINEO_2012_03_OPM3_Organizational_PM_Maturity
PMINEO_2012_03_OPM3_Organizational_PM_MaturityBob Zoller
 
م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...
م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...
م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...Egyptian Engineers Association
 
Talent Base: CAPO™ introduction
Talent Base: CAPO™ introductionTalent Base: CAPO™ introduction
Talent Base: CAPO™ introductionLoihde Advisory
 
Sabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdfSabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdfBrion Carroll (II)
 
2013 06 04_5806_case_manager_implementation__
2013 06 04_5806_case_manager_implementation__2013 06 04_5806_case_manager_implementation__
2013 06 04_5806_case_manager_implementation__Katleen Aems
 

Similar to COBIT®5 - Assessor (20)

AgilePM® - Agile Project Management - Foundation
AgilePM® - Agile Project Management - FoundationAgilePM® - Agile Project Management - Foundation
AgilePM® - Agile Project Management - Foundation
 
AgilePM® V2 - Agile Project Management V2 - Foundation
AgilePM® V2 - Agile Project Management V2 - FoundationAgilePM® V2 - Agile Project Management V2 - Foundation
AgilePM® V2 - Agile Project Management V2 - Foundation
 
AXELOS - MSP® - Managing Successful Programmes - Foundation
AXELOS - MSP® - Managing Successful Programmes - FoundationAXELOS - MSP® - Managing Successful Programmes - Foundation
AXELOS - MSP® - Managing Successful Programmes - Foundation
 
All About Business Analyst Becoming a successful BA
All About Business Analyst Becoming a successful BAAll About Business Analyst Becoming a successful BA
All About Business Analyst Becoming a successful BA
 
Cobit5 brochure
Cobit5 brochureCobit5 brochure
Cobit5 brochure
 
Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...
Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...
Agile Portugal 2013: Adoption of Agile/Scrum in a Portuguese CMMI L5 enterpri...
 
My Curriculum Vitæ
My Curriculum VitæMy Curriculum Vitæ
My Curriculum Vitæ
 
Capm Free Seminar Presentation
Capm Free Seminar PresentationCapm Free Seminar Presentation
Capm Free Seminar Presentation
 
CAPM Exam Prep Course Preview
CAPM Exam Prep Course PreviewCAPM Exam Prep Course Preview
CAPM Exam Prep Course Preview
 
AXELOS - P3O® - Portfolio, Programme and Project Offices - Foundation
AXELOS - P3O® - Portfolio, Programme and Project Offices - FoundationAXELOS - P3O® - Portfolio, Programme and Project Offices - Foundation
AXELOS - P3O® - Portfolio, Programme and Project Offices - Foundation
 
Value Amplify Consulting
Value Amplify ConsultingValue Amplify Consulting
Value Amplify Consulting
 
PMBOK 7th Edition What is Changing?
PMBOK 7th Edition What is Changing?PMBOK 7th Edition What is Changing?
PMBOK 7th Edition What is Changing?
 
Session 3 Everything You Should Know About PMP & CAPM Certifications
Session 3 Everything You Should Know About PMP & CAPM CertificationsSession 3 Everything You Should Know About PMP & CAPM Certifications
Session 3 Everything You Should Know About PMP & CAPM Certifications
 
PMINEO_2012_03_OPM3_Organizational_PM_Maturity
PMINEO_2012_03_OPM3_Organizational_PM_MaturityPMINEO_2012_03_OPM3_Organizational_PM_Maturity
PMINEO_2012_03_OPM3_Organizational_PM_Maturity
 
م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...
م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...
م.47-#تواصل_تطوير-م.محمد العربى-إستخدام مفاهيم الرشاقة للتحول الإستراتيجي للم...
 
Talent Base: CAPO™ introduction
Talent Base: CAPO™ introductionTalent Base: CAPO™ introduction
Talent Base: CAPO™ introduction
 
BWB PMP pres to Non-Profit PMs 2013
BWB PMP pres to Non-Profit PMs 2013BWB PMP pres to Non-Profit PMs 2013
BWB PMP pres to Non-Profit PMs 2013
 
Project Management, Pmi Perspective
Project Management, Pmi PerspectiveProject Management, Pmi Perspective
Project Management, Pmi Perspective
 
Sabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdfSabrion_Consulting_Overview CPG Retail Apparel.pdf
Sabrion_Consulting_Overview CPG Retail Apparel.pdf
 
2013 06 04_5806_case_manager_implementation__
2013 06 04_5806_case_manager_implementation__2013 06 04_5806_case_manager_implementation__
2013 06 04_5806_case_manager_implementation__
 

More from Mirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker (8)

BBC - Better Business Cases - Foundation
BBC - Better Business Cases - FoundationBBC - Better Business Cases - Foundation
BBC - Better Business Cases - Foundation
 
Earned Value Management - Foundation
Earned Value Management - FoundationEarned Value Management - Foundation
Earned Value Management - Foundation
 
AgilePgM® - Agile Programme Management - Foundation
AgilePgM® - Agile Programme Management - FoundationAgilePgM® - Agile Programme Management - Foundation
AgilePgM® - Agile Programme Management - Foundation
 
Facilitation Process IceBerg - Foundation
Facilitation Process IceBerg - FoundationFacilitation Process IceBerg - Foundation
Facilitation Process IceBerg - Foundation
 
BiSL® - Business Information Services Library - Foundation
BiSL® - Business Information Services Library - FoundationBiSL® - Business Information Services Library - Foundation
BiSL® - Business Information Services Library - Foundation
 
ASL®2 - Application Services Library - Foundation
ASL®2 - Application Services Library - FoundationASL®2 - Application Services Library - Foundation
ASL®2 - Application Services Library - Foundation
 
DSDM® Atern® - Foundation
DSDM® Atern® - FoundationDSDM® Atern® - Foundation
DSDM® Atern® - Foundation
 
AXELOS - MoP® - Management of Portfolios - Foundation
AXELOS - MoP® - Management of Portfolios - FoundationAXELOS - MoP® - Management of Portfolios - Foundation
AXELOS - MoP® - Management of Portfolios - Foundation
 

Recently uploaded

It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...amitlee9823
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Anamikakaur10
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...Aggregage
 

Recently uploaded (20)

It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
 

COBIT®5 - Assessor

  • 2. Start and finish; Course style; Lunch; Coffee and breaks
      M00 - Course introduction 2/12 | 2/249
  • 3.
      • Perform a process capability assessment using the Assessor Guide: using COBIT 5
      • Apply the Process Assessment Model (The PAM) in performing a process capability assessment
      • Use the Process Reference Model, in particular to be able to apply the 37 processes outlined in the PRM
      • Apply and analyse the measurement model in assessing process capability levels
      • Apply and analyse the capability dimension using generic criteria outlined in the PAM
      • Identify and assess the roles and responsibilities in the process capability assessment process
      • Perform and assess the 7 steps outlined in the Assessor Guide
      Main goal:
      • Attempt Assessor exam with confidence
      Secondary goal:
      • Benefits and value of IT Governance and COBIT 5 audit process
      M00 - Course introduction 3/12 | 3/249
  • 4. Please share with the class:
      • Your name and surname
      • Your organization
      • Your profession (title, function, job responsibilities)
      • Your familiarity with:
          • Project management
          • IT management
          • IT service management (ITSM)
          • Enterprise architecture
      • Your experience with IT Governance
      • Your personal session expectations
      M00 - Course introduction 4/12 | 4/249
  • 5. M00 - Course introduction 5/12 | 5/249
  • 6. Foundation Exam
      • Paper based and closed book exam
      • Only pencil and eraser are allowed
      • Simple multiple (ABCD) choice exam
      • Only one answer is correct
      • 50 questions, pass mark is 25 (50%)
      • No negative points, no “Tricky Questions”
      • No pre-requisite for Foundation exam
      • Sample, one (official) mock exam is provided to you
      Candidates completing an examination in a language that is not their mother tongue, will receive additional time
      M00 - Course introduction 6/12 | 6/249
  • 7. Target Audience
      • Consultants, IT practitioners, Business managers
      • Apply the COBIT 5 good practice continual improvement lifecycle approach to GEIT, tailored to suit the needs of a specific enterprise. In particular
      Candidates completing an examination in a language that is not their mother tongue, will receive additional time
      M00 - Course introduction 7/12 | 7/249
  • 8. Target Audience
      • Internal and external (Lead) Auditors
      • Perform a process capability assessment using the Assessor Guide: using COBIT 5
      • Apply the Process Assessment Model
      • Identify and assess the roles and responsibilities
      Candidates completing an examination in a language that is not their mother tongue, will receive additional time
      M00 - Course introduction 8/12 | 8/249
  • 9. COBIT5 main publication is COBIT 5 - A Business Framework for the Governance and Management of Enterprise IT:
      • ISBN-13: 978-1604202373
      COBIT5 syllabus section code and title:
      • OV: Overview and Key Features of COBIT 5
      • PR: The COBIT 5 Principles
      • EN: The COBIT 5 Enablers
      • IM: Introduction to COBIT 5 Implementation
      • PC: Process Capability Assessment Model
      Slide layout labels: Syllabus; Handbook Page; Module slide number / total module slides; Slide number / total slides; Module number and name; COBIT5 handbook page; COBIT5 syllabus section code
      M00 - Course introduction 9/12 | 9/249
  • 10. M00 - Course introduction 10/12 | 10/249
  • 11. quizlet.com/67599656/ M00 - Course introduction 11/12 | 11/249
  • 12. Mirosław Dąbrowski
      Agile Coach, Trainer, Consultant (former JEE/PHP developer, UX/UI designer, BA/SA)
      twitter.com/mirodabrowski; linkedin.com/in/miroslawdabrowski; google.com/+miroslawdabrowski; miroslaw_dabrowski; www.miroslawdabrowski.com
      Creator; Writer / Translator; Trainer / Coach
      • Creator of 50+ mind maps from PPM and related topics (2mln views): miroslawdabrowski.com
      • Lead author of more than 50+ accredited materials from PRINCE2, PRINCE2 Agile, MSP, MoP, P3O, ITIL, M_o_R, MoV, PMP, Scrum, AgilePM, DSDM, CISSP, CISA, CISM, CRISC, CGEIT, TOGAF, COBIT5 etc.
      • Creator of 50+ interactive mind maps from PPM topics: mindmeister.com/users/channel/2757050
      • Product Owner of biggest Polish project management portal: 4PM: 4pm.pl (15.000+ views each month)
      • Editorial Board Member of Official PMI Poland Chapter magazine: “Strefa PMI”: strefapmi.pl
      • Official PRINCE2 Agile, AgilePM, ASL2, BiSL methods translator for Polish language
      • English speaking, international, independent trainer and coach from multiple domains.
      • Master Lead Trainer
      • 11+ years in training and coaching / 15.000+ hours
      • 100+ certifications
      • 5000+ people trained and coached
      • 25+ trainers trained and coached
      linkedin.com/in/miroslawdabrowski
      Agile Coach / Scrum Master; PM / IT architect; Notable clients
      • 8+ years of experience with Agile projects as a Scrum Master, Product Owner and Agile Coach
      • Coached 25+ teams from Agile and Scrum
      • Agile Coach coaching C-level executives
      • Scrum Master facilitating multiple teams experienced with UX/UI + Dev teams
      • Experience multiple Agile methods
      • Author of AgilePM/DSDM Project Health Check Questionnaire (PHCQ) audit tool
      • Dozens of mobile and ecommerce projects
      • IT architect experienced in IT projects with budget above 10mln PLN and timeline of 3+ years
      • Experienced with (“traditional”) projects under high security, audit and compliance requirements based on ISO/IEC 27001
      • 25+ web portal design and development and mobile application projects with iterative, incremental and adaptive approach
      ABB, AGH, Aiton Caldwell, Asseco, Capgemini, Deutsche Bank, Descom, Ericsson, Ericpol, Euler Hermes, General Electric, Glencore, HP Global Business Center, Ideo, Infovide-Matrix, Interia, Kemira, Lufthansa Systems, Media-Saturn Group, Ministry of Defense (Poland), Ministry of Justice (Poland), Nokia Siemens Networks, Oracle, Orange, Polish Air Force, Proama, Roche, Sabre Holdings, Samsung Electronics, Sescom, Scania, Sopra Steria, Sun Microsystems, Tauron Polish Energy, Tieto, University of Wroclaw, UBS Service Centre, Volvo IT…
      miroslawdabrowski.com/about-me/clients-and-references/
      Accreditations/certifications (selected): CISA, CISM, CRISC, CASP, Security+, Project+, Network+, Server+, Approved Trainer: (MoP, MSP, PRINCE2, PRINCE2 Agile, M_o_R, MoV, P3O, ITIL Expert, RESILIA), ASL2, BiSL, Change Management, Facilitation, Managing Benefits, COBIT5, TOGAF 8/9L2, OBASHI, CAPM, PSM I, SDC, SMC, ESMC, SPOC, AEC, DSDM Atern, DSDM Agile Professional, DSDM Agile Trainer-Coach, AgilePM, OCUP Advanced, SCWCD, SCBCD, SCDJWS, SCMAD, ZCE 5.0, ZCE 5.3, MCT, MCP, MCITP, MCSE-S, MCSA-S, MCS, MCSA, ISTQB, IQBBA, REQB, CIW Web Design / Web Development / Web Security Professional, Playing Lean Facilitator, DISC D3 Consultant, SDI Facilitator, Certified Trainer Apollo 13 ITSM Simulation …
      M00 - Course introduction 12/12 | 12/249
  • 13.
  • 14.
      1. Introduction to COBIT 5 Assessor
      2. Introduction to the COBIT 5 Process Assessment Model (PAM)
      3. Overview of the COBIT 5 Process Assessment Model (PAM)
      4. Process Dimension and Process Performance Indicators
      5. Process Capability Indicators
      6. Generic Work Products (GWPs)
      7. Roles, Responsibilities and Competencies
      8. Initiate an Assessment
      9. Scope an Assessment
      10. Plan an Assessment and Brief the teams and management
      11. Data Collection
      12. Data Validation
      13. Analyse and rate the process attributes and capability levels
      14. Prepare and present assessment reports
      M01 - Introduction to COBIT 5 Assessor 2/33 | 14/249
  • 15. M01 - Introduction to COBIT 5 Assessor 3/33 | 15/249
  • 16.
      • The Syllabus is based on these two guides.
      • The Assessor training and certification is a ‘Practitioner-Level training and certification course’ that focuses on ‘how’ to apply the PAM and ‘how’ to analyse the results.
      • It is a mandatory requirement for all candidates to have passed the Foundation Exam before applying for and attending the Assessor level training and certification exam.
      “The Assessor Guide: Using COBIT 5” provides the main guidance on performing a process capability assessment, the roles, responsibilities and competences required and the key steps required, from assessment initiation to reporting of the assessment results.
      “The Process Assessment Model (PAM): using COBIT 5”, which is the model used by the assessor to perform an assessment, is used by the candidate to reference the process content to be used in the assessment.
      M01 - Introduction to COBIT 5 Assessor 4/33 | 16/249
  • 17. The target audience for this training certificate is:
      • Internal and external auditors who want to add process capability assessments to the scope of their audits.
      • IT auditors who want to add process capability assessments to the scope of their audits.
      • Consultants who want to be allowed to perform independent process assessments on behalf of their clients.
  • 18. “There are few things as useless, if not as dangerous, as the right answer to the wrong question.”
    “There are no such things as the one right organization. There are only organisations, each of which has distinct strengths, distinct limitations and specific applications. A given organisation structure fits certain tasks, in certain conditions and at certain times.”
    Peter Drucker
  • 19. Route maps or plans reflect the choices we make to guide our organisations to our selected and defined destination.
      • Models – Frameworks – Good Practices help us make sense of the context and the challenges we face … they provide Roadmaps
    One generation’s Good Practice soon becomes the status quo for the next generation …
  • 20. COBIT evolution (figure):
      • 1996: COBIT1, Audit
      • 1998: COBIT2, Control
      • 2000: COBIT3, Management
      • 2005/7: COBIT4.0/4.1, IT Governance
      • 2012: COBIT 5, Governance of Enterprise IT
      • Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)
    © 2013 ISACA. All Rights Reserved.
    COBIT 5 ties together all ISACA knowledge assets, i.e.
      • COBIT 4.1
      • Val IT™
      • Risk IT
      • Business Model for Information Security™ (BMIS™)
      • IT Assurance Framework™ (ITAF™)
      • Taking Governance Forward (TGF)
      • Board Briefing on IT Governance, 2nd Edition
  • 21. [Figure: COBIT 5 governance and management interactions and the goals cascade. Governance roles: Owners and Stakeholders, Governing Body, Management, Operations and Execution, linked by Delegate / Accountable, Set Direction / Monitor, Instruct and Align / Report. Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...); Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation); Enterprise Goals; IT-related Goals; Enabler Goals. Annotations: C4.1 Mapping; RACI; Appendix A; Roles & Descriptions for RACIs (pages 76-77).]
  • 22. COBIT 5 Enterprise Goals (by BSC Dimension)
    Financial
      1. Stakeholder value of business investments
      2. Portfolio of competitive products and services
      3. Managed business risk (safeguarding of assets)
      4. Compliance with external laws and regulations
      5. Financial transparency
    Customer
      6. Customer-oriented service culture
      7. Business service continuity and availability
      8. Agile responses to a changing business environment
      9. Information-based strategic decision making
      10. Optimisation of service delivery costs
    Internal
      11. Optimisation of business process functionality
      12. Optimisation of business process costs
      13. Managed business change programmes
      14. Operational and staff productivity
      15. Compliance with internal policies
    Learning and Growth
      16. Skilled and motivated people
      17. Product and business innovation culture
    Relation to Governance Objectives (Benefits Realisation, Risk Optimisation, Resource Optimisation): goals are marked P (primary) or S (secondary) against each objective.
  • 23. COBIT 5 Enterprise Goals: Information and Related Technology Goals (by IT BSC Dimension)
    Financial
      01 Alignment of IT and business strategy
      02 IT compliance and support for business compliance with external laws and regulations
      03 Commitment of executive management for making IT-related decisions
      04 Managed IT-related business risk
      05 Realised benefits from IT-enabled investments and services portfolio
      06 Transparency of IT costs, benefits and risk
    Customer
      07 Delivery of IT services in line with business requirements
      08 Adequate use of applications, information and technology solutions
    Internal
      09 IT agility
      10 Security of information, processing infrastructure and applications
      11 Optimisation of IT assets, resources and capabilities
      12 Enablement and support of business processes by integrating applications and technology into business processes
      13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
      14 Availability of reliable and useful information for decision making
      15 IT compliance with internal policies
    Learning and Growth
      16 Competent and motivated business and IT personnel
      17 Knowledge, expertise and initiatives for business innovation
  • 24. Processes for Governance of Enterprise IT
    Evaluate, Direct and Monitor
      • EDM01 Ensure Governance Framework Setting and Maintenance
      • EDM02 Ensure Benefits Delivery
      • EDM03 Ensure Risk Optimisation
      • EDM04 Ensure Resource Optimisation
      • EDM05 Ensure Stakeholder Transparency
    Processes for Management of Enterprise IT
    Align, Plan and Organise
      • APO01 Manage the IT Management Framework
      • APO02 Manage Strategy
      • APO03 Manage Enterprise Architecture
      • APO04 Manage Innovation
      • APO05 Manage Portfolio
      • APO06 Manage Budget and Costs
      • APO07 Manage Human Resources
      • APO08 Manage Relationships
      • APO09 Manage Service Agreements
      • APO10 Manage Suppliers
      • APO11 Manage Quality
      • APO12 Manage Risk
      • APO13 Manage Security
    Build, Acquire and Implement
      • BAI01 Manage Programmes and Projects
      • BAI02 Manage Requirements Definition
      • BAI03 Manage Solutions Identification and Build
      • BAI04 Manage Availability and Capacity
      • BAI05 Manage Organisational Change Enablement
      • BAI06 Manage Changes
      • BAI07 Manage Change Acceptance and Transitioning
      • BAI08 Manage Knowledge
      • BAI09 Manage Assets
      • BAI10 Manage Configuration
    Deliver, Service and Support
      • DSS01 Manage Operations
      • DSS02 Manage Service Requests and Incidents
      • DSS03 Manage Problems
      • DSS04 Manage Continuity
      • DSS05 Manage Security Services
      • DSS06 Manage Business Process Controls
    Monitor, Evaluate and Assess
      • MEA01 Monitor, Evaluate and Assess Performance and Conformance
      • MEA02 Monitor, Evaluate and Assess the System of Internal Control
      • MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
  • 26. Process template: Process Name, Area, Domain, Process Purpose Statement, Process Description
  • 27. Process template:
      • Process Name, Area, Domain
      • Process Description
      • Process Purpose Statement
      • “The process supports the achievement of a set of primary IT-related goals:” IT-related Goal, Related Metrics
      • Process Goals and Metrics: Process Goal, Related Metrics
      • RACI Chart
      • Management Practices, with Inputs and Outputs (From, Description)
      • Activities
      • Related Guidance: Related Standard, Detailed Reference
  • 28. Process template sections: Process Name, Process Description, Process Purpose Statement, “The process supports the ...” IT-related Goal, Process Goals and Metrics (Process Goal), RACI Chart, Management Practices, Activities, Related Guidance (Related Standard & Reference)
    Process Name: DSS04 Manage Continuity
    Process Description: Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.
    Process Purpose Statement: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.
    Management Practices (Inputs, Outputs):
      • DSS04.01 Define the business continuity policy, objectives and scope. 4
      • DSS04.02 Maintain a continuity strategy. 9
      • DSS04.03 Develop and implement a business continuity response. 8
      • DSS04.04 Exercise, test and review the BCP. 6
      • DSS04.05 Review, maintain and improve the continuity plan. 4
      • DSS04.06 Conduct continuity plan training. 3
      • DSS04.07 Manage backup arrangements. 5
      • DSS04.08 Conduct post-resumption review. 4
  • 29. COBIT 5 Outputs
    Outputs to all Processes (From Key Practice: Output Description; Destination)
      • APO13.02: Information security risk treatment plan; All EDM; All APO; All BAI; All DSS; All MEA
    Outputs to all Governance Processes (From Key Practice: Output Description; Destination)
      • EDM01.01: Enterprise governance guiding principles; All EDM
      • EDM01.01: Decision-making model; All EDM
      • EDM01.01: Authority levels; All EDM
      • EDM01.02: Enterprise governance communications; All EDM
      • EDM01.03: Feedback on governance effectiveness and performance; All EDM
    Outputs to all Management Processes (From Key Practice: Output Description; Destination)
      • APO01.01: Communication ground rules; All APO; All BAI; All DSS; All MEA
      • APO01.03: IT-related policies; All APO; All BAI; All DSS; All MEA
      • APO01.04: Communications on IT objectives; All APO; All BAI; All DSS; All MEA
      • APO01.07: Process improvement opportunities; All APO; All BAI; All DSS; All MEA
      • APO02.06: Communications package; All APO; All BAI; All DSS; All MEA
  • 31. Generic Process RACI Chart
    Rows: Management Practice 1, Management Practice 2, Management Practice 3, Management Practice … n
    Columns (roles): Chief Executive Officer; Board; Steering (Programmes/Projects) Committee; Value Management Office; Chief Operating Officer; Business Executives; Business Process Owners; Strategy Executive Committee; Project Management Office; Chief Financial Officer; Chief Risk Officer; Chief Information Security Officer; Architecture Board; Enterprise Risk Committee; Head Human Resources; Compliance; Audit; Chief Information Officer; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Information Security Manager; Business Continuity Manager; Privacy Officer
    The Roles and Organisational Structures used in the process RACI charts for each Key Management Practice are defined/described on pages 75-77 of the COBIT 5 Framework.
  • 32. Exercise:
      • We have just looked at the layout of a COBIT 5 RACI chart.
      • We have all experienced situations where job titles have proved misleading.
      • We will give each of you a list of the job role descriptions / definitions for you to reflect upon where responsibility lies within your organisation for these activities.
      • After 15 mins we will provide each of you with a copy of the COBIT 5 RACI roles and their descriptions / definitions to compare with your input.
      • After a further 10 mins we will spend 10 mins discussing the exercise and your experience in comparing / contrasting and challenging your organisation and COBIT 5.
  • 34. COBIT 5 Roles and Organisation Structures (Role/Structure: Definition/Description)
      • Board: The group of the most senior executives and/or non-executive directors of the enterprise who are accountable for the governance of the enterprise and have overall control of its resources
      • CEO: The highest-ranking officer who is in charge of the total management of the enterprise
      • CFO: The most senior official of the enterprise who is accountable for all aspects of financial management, including financial risk and controls and reliable and accurate accounts
      • Chief Operating Officer (COO): The most senior official of the enterprise who is accountable for the operation of the enterprise
      • CRO: The most senior official of the enterprise who is accountable for all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee IT-related risk.
      • CIO: The most senior official of the enterprise who is responsible for aligning IT and business strategies and accountable for planning, resourcing and managing the delivery of IT services and solutions to support enterprise objectives
      • Chief Information Security Officer (CISO): The most senior official of the enterprise who is accountable for the security of enterprise information in all its forms
      • Business Executive: A senior management individual accountable for the operation of a specific business unit or subsidiary
      • Business Process Owner: An individual accountable for the performance of a process in realising its objectives, driving process improvement and approving process changes
  • 35. COBIT 5 Roles and Organisation Structures (Role/Structure: Definition/Description)
      • Strategy (IT Executive) Committee: A group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major IT-related matters and decisions. The committee is accountable for managing the portfolios of IT-enabled investments, IT services and IT assets, ensuring that value is delivered and risk is managed. The committee is normally chaired by a board member, not by the CIO.
      • (Project and Programme) Steering Committees: A group of stakeholders and experts who are accountable for guidance of programmes and projects, including management and monitoring of plans, allocation of resources, delivery of benefits and value, and management of programme and project risk
      • Architecture Board: A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards
      • Enterprise Risk Committee: The group of executives of the enterprise who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee.
      • Head of HR: The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise
      • Compliance: The function in the enterprise responsible for guidance on legal, regulatory and contractual compliance
      • Audit: The function in the enterprise responsible for provision of internal audits
      • Head of Architecture: A senior individual accountable for the enterprise architecture process
  • 36. COBIT 5 Roles and Organisation Structures (Role/Structure: Definition/Description)
      • Information Security Manager: An individual who manages, designs, oversees and/or assesses an enterprise’s information security
      • Head of Development: A senior individual accountable for IT-related solution development processes
      • Head of IT Operations: A senior individual accountable for the IT operational environments and infrastructure
      • Head of IT Administration: A senior individual accountable for IT-related records and responsible for supporting IT-related administrative matters
      • Programme and Project Management Office (PMO): The function responsible for supporting programme and project managers, and gathering, assessing and reporting information about the conduct of their programmes and constituent projects
      • Value Management Office (VMO): The function that acts as the secretariat for managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, recommending value governance/management methods and controls, and reporting on progress on sustaining and creating value from investments and services
      • Service Manager: An individual who manages the development, implementation, evaluation and ongoing management of new and existing products and services for a specific customer (user) or group of customers (users)
  • 37. COBIT 5 Roles and Organisation Structures (Role/Structure: Definition/Description)
      • Business Continuity Manager: An individual who manages, designs, oversees and/or assesses an enterprise’s business continuity capability, to ensure that the enterprise’s critical functions continue to operate following disruptive events
      • Privacy Officer: An individual who is responsible for monitoring the risk and business impacts of privacy laws and for guiding and co-ordinating the implementation of policies and activities that will ensure that the privacy directives are met. Also called data protection officer.
  • 38. [Figure: COBIT 5 governance and management interactions and the goals cascade. Governance roles: Owners and Stakeholders, Governing Body, Management, Operations and Execution, linked by Delegate / Accountable, Set Direction / Monitor, Instruct and Align / Report. Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...); Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation); Enterprise Goals; IT-related Goals; Process and Enabler Goals. Annotations: C4.1 Mapping; RACI; Appendix A; Roles & Descriptions for RACIs (pages 76-77); Governance & Management Questions on IT (page 22); Mapping to Goals (Appendix D).]
  • 39. Governance and Management Questions on IT
    Internal Stakeholders
      • Board
      • Chief executive officer (CEO)
      • Chief financial officer (CFO)
      • Chief information officer (CIO)
      • Chief risk officer (CRO)
      • Business executives
      • Business process owners
      • Business managers
      • Risk managers
      • Security managers
      • Service managers
      • Human resource (HR) managers
      • Internal audit
      • Privacy officers
      • IT users
      • IT managers
      • Etc.
    Internal Stakeholder Questions
      • How do I get value from the use of IT? Are end users satisfied with the quality of the IT service?
      • How do I manage performance of IT?
      • How can I best exploit new technology for new strategic opportunities?
      • How do I best build and structure my IT department?
      • How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers?
      • What are the (control) requirements for information?
      • Did I address all IT-related risk?
      • Am I running an efficient and resilient IT operation?
      • How do I control the cost of IT? How do I use IT resources in the most effective and efficient manner?
      • What are the most effective and efficient sourcing options?
      • Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance?
      • How do I improve business agility through a more flexible IT environment?
    External Stakeholders
    External Stakeholder Questions
  • 41. 1. Principles, Policies and Frameworks
      2. Processes
      3. Organisational Structures
      4. Culture, Ethics and Behaviour
    Resources:
      5. Information
      6. Services, Infrastructure and Applications
      7. People, Skills and Competencies
  • 42. Enabler Dimension
      • Stakeholders: Internal Stakeholders; External Stakeholders
      • Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
      • Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
      • Good Practices: Practices; Work products (Inputs/Outputs)
    Enabler Performance Management
      • Are Stakeholder Needs Addressed?
      • Are Enabler Goals Achieved?
      • Is Life Cycle Managed?
      • Are Good Practices Applied?
    Metrics for Achievement of Goals (Lag Indicators)
    Metrics for Application of Practice (Lead Indicators)
  • 43. “Enterprises should follow existing internal business case and investment justification approaches, if they exist, and use this example and the guidance in the COBIT 5 Implementation Guide to help focus on all of the issues that should be addressed. Further guidance on developing business cases can be found in COBIT 5 process APO05 and in The Business Case Guide: Using Val IT™ 2.0.”