CHAPTER 5
APPENDICES
5.1 Appendix A: Goals Cascade—Mapping Tables
The mapping tables in Appendix A inform the goals cascade. The first table maps alignment goals to enterprise goals; the second table maps governance and management objectives to alignment goals. The “P” in the table refers to primary and the “S” refers to secondary.
5.1.1 Mapping Table: Enterprise Goals—Alignment Goals
Figure 5.1—Mapping Enterprise Goals and Alignment Goals

| | | EG01 Portfolio of competitive products and services | EG02 Managed business risk | EG03 Compliance with external laws and regulations | EG04 Quality of financial information | EG05 Customer-oriented service culture | EG06 Business service continuity and availability | EG07 Quality of management information | EG08 Optimization of internal business process functionality | EG09 Optimization of business process costs | EG10 Staff skills, motivation and productivity | EG11 Compliance with internal policies | EG12 Managed digital transformation programs | EG13 Product and business innovation |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AG01 | I&T compliance and support for business compliance with external laws and regulations | | S | P | | | | | | | | S | | |
| AG02 | Managed I&T-related risk | | P | | | | S | | | | | | | |
| AG03 | Realized benefits from I&T-enabled investments and services portfolio | S | | | | S | | | S | S | | | P | |
| AG04 | Quality of technology-related financial information | | | | P | | | P | | P | | | | |
| AG05 | Delivery of I&T services in line with business requirements | P | | | | S | S | | S | | | | S | |
| AG06 | Agility to turn business requirements into operational solutions | P | | | | S | | | S | | | | S | S |
| AG07 | Security of information, processing infrastructure and applications, and privacy | | P | | | | P | | | | | | | |
| AG08 | Enabling and supporting business processes by integrating applications and technology | P | | | | P | | | S | | S | | P | S |
| AG09 | Delivering programs on time, on budget and meeting requirements and quality standards | P | | | | S | | | S | S | | | P | S |
| AG10 | Quality of I&T management information | | | | P | | | P | | S | | | | |
| AG11 | I&T compliance with internal policies | | S | P | | | | | | | | P | | |
| AG12 | Competent and motivated staff with mutual understanding of technology and business | | | | | S | | | | | P | | | |
| AG13 | Knowledge, expertise and initiatives for business innovation | P | | S | | | | | | | | | S | P |

COBIT® 2019 FRAMEWORK: GOVERNANCE AND MANAGEMENT OBJECTIVES
5.1.2 Mapping Table: Alignment Goals—Governance and Management Objectives
Figure 5.2—Mapping Governance and Management Objectives to Alignment Goals

| | | AG01 I&T compliance and support for business compliance with external laws and regulations | AG02 Managed I&T-related risk | AG03 Realized benefits from I&T-enabled investments and services portfolio | AG04 Quality of technology-related financial information | AG05 Delivery of I&T services in line with business requirements | AG06 Agility to turn business requirements into operational solutions | AG07 Security of information, processing infrastructure and applications, and privacy | AG08 Enabling and supporting business processes by integrating applications and technology | AG09 Delivering programs on time, on budget and meeting requirements and quality standards | AG10 Quality of I&T management information | AG11 I&T compliance with internal policies | AG12 Competent and motivated staff with mutual understanding of technology and business | AG13 Knowledge, expertise and initiatives for business innovation |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EDM01 | Ensured governance framework setting and maintenance | P | S | P | | | | | S | | | S | | |
| EDM02 | Ensured benefits delivery | | | P | | S | S | | S | | | | | S |
| EDM03 | Ensured risk optimization | S | P | | | | | P | | | | S | | |
| EDM04 | Ensured resource optimization | | | S | | S | S | | S | P | | | S | |
| EDM05 | Ensured stakeholder engagement | | | | S | | | | | | P | S | | |
| APO01 | Managed I&T management framework | S | S | P | | S | | S | S | S | S | P | | |
| APO02 | Managed strategy | | | S | | S | S | | P | | | | S | S |
| APO03 | Managed enterprise architecture | | | S | | S | P | S | P | | | | | |
| APO04 | Managed innovation | | | S | | | P | | S | | | | S | P |
| APO05 | Managed portfolio | | | P | | P | S | | S | S | | | | |
| APO06 | Managed budget and costs | | | S | P | | | | | P | S | | | |
| APO07 | Managed human resources | | | S | | S | | | | S | | | P | P |
| APO08 | Managed relationships | | | S | | P | P | | S | S | | | P | P |
| APO09 | Managed service agreements | | | | | P | | | S | | | | | |
| APO10 | Managed vendors | | | | | P | S | | | S | | | | |
| APO11 | Managed quality | | | S | S | S | | | | P | P | | | |
| APO12 | Managed risk | | P | | | | | P | | | | | | |
| APO13 | Managed security | S | S | | | | | P | | | | | | |
| APO14 | Managed data | S | S | | S | | | S | | | P | | | |
| BAI01 | Managed programs | | | P | | | S | | S | P | | | | |
| BAI02 | Managed requirements definition | | | S | | P | P | | S | P | | | S | |
| BAI03 | Managed solutions identification and build | | | S | | P | P | | S | P | | | | |
| BAI04 | Managed availability and capacity | | | | | P | | S | | S | | | | |
| BAI05 | Managed organizational changes | | | P | | S | S | | P | P | | | S | |
| BAI06 | Managed IT changes | | S | | | S | P | | S | | | | | |
| BAI07 | Managed IT change acceptance and transitioning | | S | | | | P | | | S | | | | |
| BAI08 | Managed knowledge | | | S | | | S | | S | S | | | P | P |
| BAI09 | Managed assets | | | | P | | | | | | S | | | |
| BAI10 | Managed configuration | | | | | S | | P | | | | | | |
| BAI11 | Managed projects | | | P | | S | P | | | P | | | | |
| DSS01 | Managed operations | | | | | P | | | S | | | | | |
| DSS02 | Managed service requests and incidents | | S | | | P | | S | | | | | | |
| DSS03 | Managed problems | | S | | | P | | S | | | | | | |
| DSS04 | Managed continuity | | S | | | P | | P | | | | | | |
| DSS05 | Managed security services | S | P | | | S | | P | | | | S | | |
| DSS06 | Managed business process controls | | S | | | S | | S | P | | | S | | |
| MEA01 | Managed performance and conformance monitoring | S | | S | | P | | | | S | P | S | | |
| MEA02 | Managed system of internal control | S | S | | S | S | | S | | S | S | P | | |
| MEA03 | Managed compliance with external requirements | P | | | | | | | | | | S | | |
| MEA04 | Managed assurance | S | S | | S | S | | S | | | S | P | | |