@: Why did ISACA select ISO 15504?
ISO 15504 effectively deals with process capability assessment. It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes, including evidentiary requirements.
@: What is the major value of using the new COBIT Assessment Programme?
a. The value derived from assessments using this approach includes reliable results that focus the enterprise on the benefits and resource implications arising from the performance and capability of its IT processes, and that provide a sound basis for benchmarking, improvement, prioritization and planning.
b. There are a number of specific benefits for COBIT users in taking this approach:
- Focus first on confirming that a process is achieving its intended purpose and delivering its required outcomes as expected.
- Simplification of the content supporting process assessment.
- Improved reliability and repeatability of process capability assessment activities and evaluations, with fewer debates and disagreements between stakeholders on assessment results.
- Increased usability of process capability assessment results, as the new approach establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes such as benchmarking.
- Compliance with a generally accepted process assessment standard (ISO 15504) and therefore strong support for the process assessment approach in the market.
@: Does the new COBIT Assessment Programme approach replace the existing COBIT 4.1 CMM approach?
a. No, it does not; it is a different approach to assessing process capability that ISACA has selected to use. COBIT 4.1 CMM remains as published, and the option of applying a COBIT Assessment Programme approach as an alternative has been made available.
b. However, the CMM approach will not be offered in COBIT 5 because the new ISO 15504 approach is core to performing a process capability assessment using COBIT 5 content.
@: What is the difference between the COBIT 4.1 CMM and the new COBIT Assessment Programme approach?
a. The capability level scale is the same, i.e., 0 to 5, and some of the level names are very similar, but that is where the similarities end. The attributes assessed and measured in each approach are NOT the same, nor is there a clean-cut relationship between the two sets of attributes.
b. There are no specific requirements to provide evidentiary support for assessment results in the existing COBIT 4.1 CMM approach, but this is mandatory in the ISO 15504 approach. Providing such evidence in support of the assessment produces more robust, repeatable and defensible results.
c. An assessment done under the old COBIT 4.1 CMM approach will likely result in “higher scores,” due to the subjective averaging approach adopted, and also due to the more rigorous ISO 15504 requirements for level 1 in the new approach.
@: Will COBIT 5 have the same process capability assessment approach using ISO 15504? And how will it differ?
a. COBIT 5 has been designed taking into account all of the ISO 15504 process capability assessment requirements. As a result, the consistency between the COBIT 5 process content and the COBIT 5 PAM will be improved over that of COBIT 4.1.
b. For the purposes of applying the COBIT Assessment Programme approach, the only difference between COBIT 4.1 and COBIT 5 will be the level 1 content, which is specific and unique to each framework version. Assessment levels 2 to 5 focus on generic process attributes (as defined in ISO 15504) and are therefore the same for both frameworks.
@: Why would you want to do a COBIT process capability assessment using COBIT 4.1 when COBIT 5 will be available in early 2012?
Enterprises have invested in using COBIT 4.1 and will continue to use it for a number of years—until a driver is encountered for them to consider a transition to COBIT 5. During this time a formal process capability assessment against COBIT 4.1 will be of value to them.
@: How is assessing cloud different from assessing other services?
There is no difference: cloud services are a subset of IT services, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Regardless of the deployment model (private, public, etc.), cloud computing is the delivery of a service in the same way as any other IT service delivery. ISACA cloud publications provide a predefined selection of COBIT processes; the assessment of the processes themselves will be the same for cloud as for any other IT service delivered. For more information on ISACA’s cloud publications visit: www.isaca.org/cloud
@: What other models, frameworks and approaches have been aligned to ISO 15504?
a. ITIL3 has been mapped to ISO 15504, but only at level 1; i.e., a Process Reference Model (PRM) has been developed and released via a Tudor publication. However, to our knowledge no full PAM has been developed.
b. The ISO group responsible for ISO 20000 on IT service management is also in the process of developing an ISO 15504 PAM.
c. COSO has also developed an ISO 15504 PRM (level 1 only) but not a full PAM.
@: How long on average does a COBIT Assessment take to execute?
a. There is no specific answer to this, as it depends on the scope of the assessment (e.g., 3 processes vs. all 34 COBIT 4.1 or 37 COBIT 5 processes). It depends on the business need and which processes management would like to see assessed and improved.
b. ISACA has provided a scoping tool as part of its tool kit to assist organizations in selecting processes to include in scope. (See the tool kit link on the web site.)
@: If all of the work (heavy lifting) is done to achieve level 1, which is deemed to be a major achievement, what is the incentive to go to further levels of capability? Is it not a “nice to have”?
a. There is always a cost/benefit trade-off in how high a capability level an organization wants to achieve, and indeed many organizations have focused a lot of their attention at level 1, because it is a major achievement to show that your processes are fully meeting their purpose.
b. Level 3 is seen by ISACA as the level that enterprises should aspire to, for consistency in the performance of their processes irrespective of the staff involved.
c. Levels 4 and 5 will depend on the industry and product sector; for example, to meet a government contract to provide defense technology an organization may be required to show a level 5 capability, i.e., “their processes are optimized.”
@: What tools are available to assist assessors in performing these process capability assessments?
a. ISACA has provided a tool kit for both the assessor guide and the self-assessment guide.
b. There are also commercial organizations that provide ISO assessment tools, both online and via software download, that can be tailored to a specific organization’s needs.