A Systematic Approach to Implementing a Governance System Using COBIT 2019: A COVID-19 Case Study

Author: Abdul Rafeq, CISA, FCA and Narasimhan Elangovan, CISA, CDPSE, FCA
Date Published: 26 May 2021

Effectively addressing the challenges posed by the COVID-19 crisis requires not just a management system but a governance system that is designed with a primary focus on stakeholder needs and continually serving customers. This governance system requires the involvement of senior management in establishing an accountability structure and decision-making mechanism to respond dynamically to changing challenges. Risk assessments are an excellent tool to reduce uncertainty when making decisions, but they are often misapplied when not directly connected to an overall decision-making process. COBIT® 2019 provides not only a framework of a governance system but also a knowledge repository to implement it in all types of enterprises regardless of size. The benefits of implementing a governance system using COBIT 2019 are holistic and can be used for various types of challenges faced by the enterprises; however, COVID-19 is specifically being used as a case study because it is one of the biggest challenges that all types of enterprises are facing. Being resilient despite today’s ongoing challenges is the most important objective for every enterprise. From access issues to cyberthreats, risk optimization and meeting stakeholder needs, new challenges are constantly emerging.

The article "Using COBIT 2019 to Proactively Mitigate the Impact of COVID-19" highlights challenges such as uncertainty in delivering regular services to customers when required processes, people and technology are unavailable because of COVID-19, and the effort needed to demonstrate resiliency.1 The most effective way to meet these challenges is to go beyond controls and implement a governance system. The key attributes of a governance system are dynamic decision-making mechanisms, a risk management strategy and appropriate processes and systems. Such a governance system can empower enterprises to meet the challenges of COVID-19 and achieve greater resilience by building robust processes that facilitate achieving enterprise objectives. Successful enterprises have demonstrated that this is a key differentiator in mitigating the various risk factors of COVID-19 by ensuring resilient operations that are built on a governance system of appropriate processes and controls.

COBIT® can be used as a business framework to implement enterprise governance of IT (EGIT) for deploying new and existing digital platforms and technologies to survive and thrive through challenging times. Enterprises can implement a systematic approach for using COBIT 2019 components as a benchmark, customizing them as required to build an effective governance system with specific focus from a business continuity perspective. It is valuable for enterprises to understand how to effectively use COBIT’s specific components and the knowledge repository to develop key strategies and steps for business continuity through customization. The following steps can be adapted for COBIT implementation from any perspective/criteria as required.

Seven Steps for Customizing COBIT 2019

The 2 key principles used in selecting or customizing any COBIT guidance are applicability and value addition. These are determined from the responses to the following questions:

  1. Is the guidance applicable to the enterprise? If the answer is no, then it is not considered. If it is yes, then the second question is asked.
  2. Is the guidance valuable to the enterprise and will it bring value in terms of risk mitigation or process improvement? If the answer is yes, then the guidance can be used as a benchmark to map with current policies/procedures and to either define or refine a process or identify areas of improvement.

There are 7 steps enterprises should use when selecting and customizing COBIT 2019.

Step 1: Identify Stakeholder Needs
The primary focus of any enterprise when dealing with a crisis such as COVID-19 is to ensure minimum business disruption by ensuring maximum resiliency of enterprise operations. This is achieved through the implementation of an appropriate business continuity strategy supported by relevant policies and procedures.

Step 2: Identify Enterprise Goals and Alignment Goals
Based on stakeholder needs, the enterprise goals (EG) and relevant alignment goals (AG) must be selected. Figure 1 illustrates how to use the COBIT 2019 mapping to navigate the enterprise goals and select relevant alignment goals. In a situation such as COVID-19, the focus is to ensure business service continuity and availability; therefore, in this example, the relevant enterprise goal is EG06 Business service continuity and availability.

Figure 1—Mapping of Enterprise Goals to Alignment Goals
Source: ISACA®, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

Based on the enterprise goal selected, figure 1 can be used as reference to identify the relevant alignment goals. The following are the related alignment goals as shown in figure 1:

  • Primary (the most relevant, denoted by P)
    • AG07 Security of information, processing infrastructure and applications, and privacy
  • Secondary (may be used if required, denoted by S)
    • AG02 Managed I&T-related risk
    • AG05 Delivery of I&T services in line with business requirements

For this example, the focus is on only the selection of the primary alignment goal, AG07.

Step 3: Identify the Governance and Management Objectives
Based on AG07, the relevant governance and management objectives are selected, as shown in figure 2.

Figure 2—Mapping of Alignment Goals to Relevant Governance and Management Objectives
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

The following are the primary governance and management objectives applicable for AG07 (denoted by P):

  • Evaluate, Direct and Monitor (EDM)03 Ensured risk optimization
  • Align, Plan and Organize (APO)12 Managed risk
  • APO13 Managed security
  • Build, Acquire and Implement (BAI)10 Managed configuration
  • Deliver, Service and Support (DSS)04 Managed continuity
  • DSS05 Managed security services

In this example, an enterprise may decide, based on criticality and relevance, to implement or improve processes relating to DSS04 Managed continuity.

Step 4: Select and Customize Goals and Metrics for Enterprise and Alignment Goals
Figure 3 specifically illustrates the objective DSS04 Managed continuity. A sample list of goals and metrics is given, from which an enterprise can select the most relevant. For example, an enterprise may decide to select AG05 and EG06.

Figure 3—DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

The goals and metrics can be customized and integrated as is or they can be used as key goal indicators (KGIs), key performance indicators (KPIs) or key risk indicators (KRIs)/areas as dictated by the enterprise’s reporting and monitoring system.

Step 5: Select and Customize the Components of the Governance and Management
COBIT provides guidance and best practices for each of the 7 components of governance and management (figure 4), which can be selected and customized by the enterprise as required.

Figure 4—COBIT Governance and Management Components
Source: ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018.

Component: Processes
Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs that support the success of overall information and technology (I&T)-related goals. The COVID-19 pandemic may require changes to existing processes and new processes to be implemented to ensure business continuity.

Figure 5 shows an extract of the COBIT 2019 guidance for the processes component for governance and management objective DSS04. Each objective has governance and management practices, each of which, in turn, has a list of relevant activities. Example metrics and related guidance are also available at the practice level, and a desired capability level is given for the activities.

Figure 5—Processes Component for DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

The business continuity policy, objectives and scope must be defined. The governance and management objective for DSS04 has 8 management practices (figure 6) and guidance is available for each of them.

Figure 6—Practices Relevant for DSS04 Managed Continuity

Practice ID | Practice Name
DSS04.01 | Define the business continuity policy, objectives and scope.
DSS04.02 | Maintain business resilience.
DSS04.03 | Develop and implement a business continuity response.
DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP).
DSS04.05 | Review, maintain and improve the continuity plans.
DSS04.06 | Conduct continuity plan training.
DSS04.07 | Manage backup arrangements.
DSS04.08 | Conduct post-resumption review.

Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

The enterprise may select any or all of the governance and management practices relevant to its circumstances and customize each practice further as needed. The enterprise can also decide whether it would like to use the guidance at the practice level or at the activity level. Figure 5 assumes the enterprise has decided to implement at the activity level; has determined that all 4 activities of DSS04.01 are applicable; and, based on benchmarking against existing practices, has identified areas of improvement.

Component: Organizational Structures
Organizational structures are the key decision-making entities in an enterprise. The existing organizational structure may have to be reviewed and revised based on the impact of COVID-19 to empower employees to discharge their responsibilities and make effective decisions.

Figure 7 illustrates COBIT 2019’s responsibility and accountability matrix, which is relevant for the identified governance and management objective. The enterprise can use it to map its current roles and responsibilities and identify whether there are any gaps in assigning accountability/responsibility for key management practice areas.

Figure 7—Organizational Structures Component for DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

Figure 7 assumes the enterprise in this example has identified the highlighted management practices as areas where responsibility has not been clearly established; hence, it has decided to assign responsibility/accountability at specific organizational levels. This assignment of responsibility/accountability is also included in the job definition/description for the positions identified. In cases where the relevant designations do not exist, an enterprise may have to consider combining certain roles as required, as long as this can be done without compromising security principles.

Component: Information
Information is pervasive throughout any organization and includes all information produced and used by the enterprise. COBIT focuses on the information required for the effective functioning of the governance system of the enterprise. Information requirements of employees working from home or other remote locations due to COVID-19 need to be managed by ensuring availability and by implementing appropriate security.

Figure 8 shows the COBIT 2019 guidance on inputs and outputs, which is used to improve documentation as required. In addition, the relevant content from existing policies and procedures is mapped against this guidance so that those policies and procedures can be updated as applicable. This helps the enterprise benchmark its existing documentation and identify areas of improvement. It also helps in cross-referencing with other relevant policies and procedures.

Figure 8—Information Flows and Items Component for DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

The enterprise in this example has identified the need to improve the documentation process in DSS04.02 and DSS04.03 and has decided to develop detailed documentation for each of the input and output areas. Care should be taken to ensure that cross-references to and relationships with other governance and management objectives are understood and mapped clearly as required.

Component: People, Skills and Competencies
People, skills and competencies are required for good decisions, execution of corrective actions and successful completion of all activities. Employee onboarding and regular training to work in new environments and situations due to COVID-19 are required.

Figure 9 gives an example of the COBIT 2019 information on the relevant people, skills and competencies and related guidance.

Figure 9—People, Skills and Competencies Component for DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

The example enterprise has identified the need to define the job skill requirements for continuity management and has decided to use the related guidance from the Skills Framework for the Information Age V6 (figure 9).2 The guidance helps enterprises develop the needed skill requirements, integrate them into the enterprise’s job definition matrix and train staff to develop the pertinent skills.

Component: Principles, Policies and Procedures
Principles, policies and procedures translate desired behavior into practical guidance for day-to-day management. These must be reviewed and updated based on the demands of changing situations resulting from COVID-19 to ensure the delivery of products and services on a continuous basis.

Figure 10 outlines an extract of COBIT 2019’s guidance on the relevant policies and procedures and the description applicable for the governance and management objective as identified. This helps in benchmarking and improving key policies and procedures as required.

Figure 10—Principles, Policies and Procedures Component for DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

The example enterprise has determined that there is a lack of sufficient policies and procedures in crisis management and has decided to develop the appropriate documents to cover specific areas such as I&T security, network management, data security and privacy.

Component: Culture, Ethics and Behavior
The culture, ethics and behavior of individuals and the enterprise are often underestimated as factors in the success of governance and management activities. As employees are empowered to work from home or elsewhere, monitoring may not be as rigorous. Hence, the need to reinforce this component is critical for effective risk management.

Figure 11 reflects an extract of COBIT 2019’s guidance on culture, ethics and behavior, which helps in setting the tone by senior management and establishing a system of regular communication.

Figure 11—Culture, Ethics and Behavior Component for DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

Figure 11 reflects that the example enterprise has identified a lack of regular communication from the senior management to all levels of management, clearly outlining the culture, ethics and behavior defined in the enterprise’s mission and vision. The enterprise has identified a laxity in the approach to implementing business continuity and disaster recovery procedures and has decided to communicate regularly to the staff and ensure adherence.

Component: Services, Infrastructure and Applications
Services, infrastructure and applications provide the enterprise with the governance system for I&T processing.

Figure 12 shows an example of COBIT 2019’s guidance on services, infrastructure and applications. The focus is on understanding the essential services, infrastructure and applications for meeting the relevant governance and management objective.

Figure 12—Services, Infrastructure and Applications Component for DSS04 Managed Continuity
Source: ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018.

Based on benchmarking against COBIT 2019, the example enterprise has determined that it is critically dependent on external vendors for hosting services and remote desktop services. However, its contractual agreements do not specify a standard level of service for each of these critical areas. The enterprise has decided to review and update the terms of agreement to ensure that a minimum level of service as required for the enterprise is maintained by vendors and there are appropriate punitive clauses in case of deficiency of service.

It is not necessary for an enterprise to select all the components for implementation. Depending on the need, the enterprise may decide to select guidance only from specific components. Further, within each component, the selection and implementation of relevant guidance depends on the value the guidance brings to the enterprise. COBIT 2019 components provide generic, ready-made guidance on the critical factors that facilitate implementing an integrated control and governance system with appropriate customization.

Step 6: Prepare Customized COBIT Contents and Integrate Them Into Enterprise Practices
The enterprise can use the relevant content extracted from COBIT and customize it further by adding guidance from relevant regulations (as applicable) and other related guidance. This should then be translated into and updated in specific policies and procedures, standards, and guidelines that are integrated into specific areas of enterprise documentation. Further, relevant KGIs and KPIs should be added as required for each of the KGAs so that performance can be measured and monitored against established standards. Job responsibilities are then updated and selected staff are trained to perform according to the updated standards and procedures, thus integrating the COBIT 2019 content into the day-to-day work of the enterprise’s operations.

Step 7: Implement Performance and Monitoring Measures to Confirm Results and Take Remedial Action
The governing body should be updated on the changes required and the benefits of these changes. Approval must be obtained to implement the new approach as outlined in the project plan and based on criticality, deliverables and milestones. Approval must also be obtained for the necessary budget and for implementing the changes in the enterprise, using relevant performance measurement metrics for all KGAs of operations, with relevant KGIs and KPIs. These are reported and monitored on a regular basis to ensure compliance and value delivery.

Conclusion

ISACA has developed the COBIT® 2019 Design Guide and Toolkit: Designing an Information Technology Governance Solution, which provides the complete content relating to the COBIT process component in an Excel worksheet. This is extremely helpful in selecting and customizing COBIT content as required: additional columns such as "Applicable" and "Valuable" can be added, and content can be filtered and extracted as required. Further, the applicable content can be copied into another column with the header "Customized" and edited as applicable to the enterprise, with additional rows added as needed.

COBIT 2019 has a rich repository of guidance that can be used for implementing not only controls but a governance system. The key differentiator of a governance system is the involvement of top management in directing and controlling the use of enterprise IT for achieving objectives using appropriate decision-making mechanisms, a responsibility and accountability matrix and a monitoring system. This article has shown how COBIT 2019 content can be identified and selected as required using the mapping tables of enterprise goals, alignment goals, and governance and management objectives, and how content from each of the 7 components of the governance and management system can be identified, selected and customized to address enterprise needs.

The critical aspect to remember in any COBIT implementation is to navigate through the vast repository and select relevant content. It is important to remember that COBIT content is generic in nature and needs to be customized. This is where understanding of enterprise requirements, organization structure, business processes, technology deployed, and policies and procedures becomes important, so the customization is appropriate and relevant. No automated tool can do this. Professionals and business domain experts with subject matter knowledge and knowledge of COBIT play an important role in any COBIT implementation.

Endnotes

1 Rafeq, A.; "Using COBIT 2019 to Proactively Mitigate the Impact of COVID-19," ISACA® Journal, 16 February 2021
2 SFIA Foundation, SFIA6: The Complete Reference Guide, 2015

Abdul Rafeq, CISA, FCA

Is the managing director of Wincer Infotech Limited. He has been a COBIT evangelist, user and trainer since the first edition of COBIT.

Narasimhan Elangovan, CISA, CDPSE, FCA

Is a partner at KEN & Co. He is an information systems auditor, a governance professional and a privacy practitioner.