3 Process OrientationDomainsNatural grouping of processes, often matching an organisational domain of responsibilityProcessesA series of joined activities with natural control breaksActivitiesor TasksActions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.
4 DomainsCOBIT defines IT activities in a generic process model within four domains.Plan and OrganizeAcquire and ImplementDeliver and SupportMonitor and Evaluate
5 Plan and Organise Description Topics Questions This domain covers strategy and tactics, and concerns the identification of how IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.TopicsStrategy and tacticsVision plannedOrganisation and infrastructureQuestionsAre IT and the business strategy aligned?Is the enterprise achieving optimum use of its resources?Does everyone in the organisation understand the IT objectives?Are IT risks understood and being managed?Is the quality of IT systems appropriate for business needs?
6 Plan and Organise PO1 Define a strategic information technology plan PO2 Define the information architecturePO3 Determine the technological directionPO4 Define the IT organisation and relationshipsPO5 Manage the investment in information technologyPO6 Communicate management aims and directionPO7 Manage human resourcesPO8 Ensure compliance with external requirementsPO9 Assess risksPO10 Manage projectsPO11 Manage quality.
7 Acquire and Implement Description Topics Questions IT solutions To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.TopicsIT solutionsChanges and maintenanceQuestionsAre new projects likely to deliver solutions that meet business needs?Are new projects likely to deliver on time and within budget?Will the new systems work properly when implemented?Will changes be made without upsetting current business operations?
8 Acquire and Implement AI1 Identify automated solutions AI2 Acquire and maintain application softwareAI3 Acquire and maintain technology infrastructureAI4 Develop and maintain IT proceduresAI5 Install and accredit systemsAI6 Manage changes
9 Deliver and Support Description Topics Questions This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. To deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.TopicsDelivery of required servicesSetup of support processesProcessing by application systemsQuestionsAre IT services being delivered in line with business priorities?Are IT costs optimised?Is the work force able to use the IT systems productively and safely?Are adequate security, integrity and availability in place?
10 Deliver and Support DS1 Define and manage service levels DS2 Manage third-party servicesDS3 Manage performance and capacityDS4 Ensure continuous serviceDS5 Ensure systems securityDS6 Identify and allocate costsDS7 Educate and train usersDS8 Assist and advise customersDS9 Manage the configurationDS10 Manage problems and incidentsDS11 Manage dataDS12 Manage facilitiesDS13 Manage operationsPresent the 13 high-level objectives contained in the Deliver and Support domain.
11 Monitor and Evaluate Description Topics Questions All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources.TopicsAssessment over time, delivering assuranceManagement’s oversight of the control systemPerformance measurementQuestionsCan IT’s performance be measured and can problems be detected before it is too late?Is independent assurance needed to ensure critical areas are operating as intended?
12 Monitor and Evaluate M1 Monitor the process M2 Assess internal control adequacyM3 Obtain independent assuranceM4 Provide for independent audit
13 Business Requirements Quality Requirements:• Quality• Delivery• CostSecurity Requirements• Confidentiality• Integrity• AvailabilityFiduciary Requirements*• Effectiveness and efficiency of operations• Compliance with laws and regulations• Reliability of financial reportingEffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceReliability of information*Treadway Commission req’s that management must attest to its organisation’s effectiveness and efficiency of operations, reliability of financial reporting (not financial reports), and compliance with laws and regulations.
14 Business Requirements IT Resources IT Processes The resources made available to—and built up by—ITHow IT is organised to respond to the requirementsWhat the stakeholders expect from ITBusiness RequirementsITResourcesIT ProcessesDataApplication systemsTechnologyFacilitiesPeoplePlan and OrganiseAquire and ImplementDeliver and SupportMonitor and EvaluateEffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceInformation reliability
15 DS2 Example - Manage third-party services Drilling Down the COBIT model