@: Why did ISACA select ISO 15504?
ISO 15504 effectively deals with a capability process assessment. It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes (evidentiary requirements).
@: What is the major value of using the new COBIT Assessment Programme?
a. The value derived from assessments using this approach includes reliable results that focus the enterprise on the benefits and resource implications arising from the performance and capability of its IT processes, and provide a sound basis for benchmarking and improvement, prioritization and planning.
b. There are a number of specific benefits for COBIT users in taking this approach:
- Focus first on confirming that a process is achieving its intended purpose anddelivering its required
outcomes as expected.
- Simplification of the content supporting process assessment.
- Improved reliability and repeatability of process capability assessment activities and evaluations, reduced
debates and disagreements between stakeholders on assessment results.
- Increased usability of process capability assessment results, as the new approach establishes a basis for
more formal, rigorous assessments to be performed, for both internal and potential external purposes such
- Compliance with a generally accepted process assessment standard (ISO 15504) and therefore strong
support for process assessment approach in the market.
@:Does the new COBIT Assessment Programme approach replace the existing COBIT 4.1CMM approach?
a. No, it does not; it is a different approach to assessing process capability that ISACA has selected to use. COBIT 4.1 CMM remains as published and the option of applying
a COBIT Assessment Programme approach as an alternative has been made available.
b. However, The CMM approach will not be offered in COBIT 5 because the new ISO
15504 approach is core to performing a capability process assessment using COBIT 5 content.
@: What is the difference between the COBIT 4.1 CMM and the new COBIT Assessment Programme approach?
a. The capability level scale is the same, i.e., 0 to 5 and some of the level names are very similar, but that is where the similarities end. The attributes assessed and measured in each approach are NOT the same nor is there a clean cut relationship between the two sets of attributes.
b. There are no specific requirements to provide evidentiary support for assessment results in the existing COBIT 4.1 CMM approach, but this is mandatory in the ISO 15504 approach. Providing such evidence in support of the assessment produces more robust, repeatable and defensible results.
c. The assessment done under the old COBIT 4.1 CMM approach will likely result in “higher scores,” due to the subjective averaging approach adopted, and also due to the more rigorous ISO 15504 requirements for level 1 in the new approach
@: Will COBIT 5 have the same process capability assessment approach using ISO 15504? And how will it differ?
a. COBIT 5 has been designed taking into account all of the ISO 15504 process capability assessment requirements. As a result the consistency of content between the COBIT 5 process content and the COBIT 5 PAM will be improved over those of COBIT 4.1.
b. For the purposes of applying the COBIT Assessment Programme approach, the only difference between COBIT 4.1 and COBIT 5 will be the level 1 content which is specific and unique to each framework version. Assessment levels 2 to 5 focus on generic process attributes (as defined in ISO 15504) and are therefore the same for both frameworks.
@:Why would you want to do a COBIT process capability assessment using COBIT 4.1 when COBIT 5 will be available in early 2012?
Enterprises have invested in using COBIT 4.1 and will continue to use it for a number of years—until a driver is encountered for them to consider a transition to COBIT 5. During this time a formal process capability assessment against COBIT 4.1 will be of value to them.
@: How is assessing cloud different from assessing other services?
There is no difference, cloud services are a subset of IT services, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Regardless of the deployment model, private, public etc, cloud computing is a delivery of a service in the same way as any other IT service delivery; ISACA cloud publications provide a predefined selection of COBIT processes; the assessment of the processes itself will be the same for cloud as for any other IT service delivered. . For more information on
ISACA’s cloud publications visit: www.isaca.org/cloud
@: What other models, frameworks and approaches have been aligned to ISO 15504?
a. ITIL3 has been mapped to ISO 15504 but only at level 1; i.e., a Process Reference Model (PRM) has been developed and released via a Tudor publication. However, to our knowledge no full PAM has been developed.
b. The ISO group responsible for ISO 20000 on IT service management is also in the process of developing an ISO 15504 PAM
c. COSO has also developed an ISO 15504 PRM (level 1 only) but not a full PAM.
@:How long on average does a COBIT Assessment take to execute?
a. There is no specific answer to this as it depends on the scope of the assessment; 3 processes vs. 34/37. It depends on the business need and what processes management would like to see assessed/improved.
b. ISACA has provided a scoping tool as part of its tool kit to assist organizations in selecting processes to scope. (See tool kit link on the web site.)
@: If all of the work (heavy lifting) is done to achieve level 1, which is deemed to be a
major achievement, what is the incentive to go to further levels of capability? Is it not a “nice to have’?”
a. There is always a cost/benefit trade off in how high a capability level an organization wants to achieve and indeed many organizations have focused a lot of their attention at level 1 because this is a major achievement to show that your processes are meeting fully their purpose.
b. Level 3 is seen by ISACA as the level that enterprises should aspire to for consistency in the performance of their processes irrespective of the staff involved.
c. Levels 4 and 5 will depend on the industry and product sector, so for example to meet a government contract to provide defense technology an organization may be
required to show a level 5 capability, i.e., “their processes are optimized.”
@: What tools are available to assist assessors in performing these process capability assessments?
a. ISACA has provided a tool kit for both the assessor and the self‐assessment guide.
b. There are also commercial organizations that provide ISO assessment tools both online and via software download that can be tailored to a specific organization’s needs.