Feed on
ISACA just announced the release of COBIT® 5 Design (Exposure Draft). COBIT 5 will consolidate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from the Business Model for Information Security (BMIS) and ITAF

ISACA does a great job of mapping COBIT to other standards. It will be interesting to see how much alignment there is between COBIT 5 and the recent work being done by the National Institute of Standards and Technology (NIST). Just last month, NIST released Special Publication 800-37 Rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” To quote Dan Phillpott over on the Guerilla CISO site, “This document describes the central processes involved in the authorization of information systems that support the federal government. Notice I didn’t say Certification and Accreditation? That’s because C&A is deader than a sheep at a wolf convention. Want to know what replaces it?” Dan suggest picking up a copy of NIST SP 800-37 Rev 1.

Much of the recent focus on risk management is fueled by the need to deal with changing technologies. NIST SP 800-37 rev 1 is not the first NIST document concerning risk management and it certainly will not be the last. Later this year NIST will release SP 800-39 Rev. 1, “Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View” and NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments.” Dr. Ron Ross presented NIST’s view of the next generation of risk management in his talk, “Next Generation Risk Management Information Security Transformation for the Federal Governmen” at the 5th Annual Security Automation Conference.

Quoting from the “Changing Technologies and the Effects on Information System Boundaries” section of NIST SP 800-37 Rev 1.:

Changes to current information technologies and computing paradigms add complications to the traditional tasks of establishing information system boundaries and protecting the missions and business processes supported by organizational information systems. In particular, net-centric architectures (e.g., service-oriented architectures [SOAs], cloud computing) introduce two important concepts: (i) dynamic subsystems; and (ii) external subsystems. While the concepts of dynamic subsystems and external subsystems (described in the following sections) are not new, the pervasiveness and frequency of their invocation in net-centric architectures can present organizations with significant new challenges.

Focusing back to COBIT 5, the planned primary improvements will consist of:

  • Aligning COBIT 5 with ISACA’s TGF initiative as well as recent global governmental and market-driven enterprise and IT governance initiatives, such as sustainability and green IT.
  • Consolidating COBIT 5 into a single overarching framework and knowledge base, providing one consistent and integrated source of guidance.
  • COBIT 5 will be described in a high-level framework publication, providing an explanation of the objectives, scope, format and usage of COBIT 5 and enabling enterprises to strategically plan adoption of COBIT 5 and how to migrate to the new framework.
  • COBIT 5 will consist of a set of publications providing:
    • The content of COBIT 5 required for enterprise implementation and assurance activities
    • Focussed guidance publications on functional, responsibility and organisational views to help
      COBIT users with a specific area of interest to better understand how COBIT can support their role.
  • Clarifying the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other, and with processes integrating both business and IT responsibilities.
  • Aligning with the latest management practices as well as strengthening areas such as decision making, organisational structures, skill requirements, human factors, culture and change enablement. The new structure will be flexible, allowing future ISACA and non-ISACA standards, frameworks, regulations, etc., to be factored in.

If you want to learn more about risk management, a previous post “Risk Assessment: A Starting Point” provides a good starting point with links to some great information sources. Luke O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths“):

ISACA is looking for feedback by the close 12 April 2010. There is also a LinkedIn Group setup by Grzegorz Albinowski where you can discuss and stay informed on COBIT 5 developments.

One Response to “COBIT 5 Joins Together COBIT 4.1, Risk IT, and Val IT 2.0”

  1. Enterprise Risk management is hotly debated topic nowadays. Every Entity whether for profit or not for profit exist to create value for its stakeholder Enterprise Risk management try to ensure that Risk are managed at the level of tolerance and opportunities are channelized for entity’s benefit so as to derive optimum benefit. As per COSO Enterprise Risk Management- Integrated Framework Value is created, preserved or eroded by Management Decisions in all activities from setting strategy to operating enterprise day to day. ERM supports value creations by enabling management to deal effectively with potential future events that create uncertainty.This Website provides a platform to share valuable thought about Enterprise Risk Managements and invites your innovative works for being published .

    Pls visit
    1. http://www.enterprise-risk-management-online.com/free.riskassessment.template.Builder.php
    2. http://www.enterprise-risk-management-online.com/page42.php

    for innovative Risk Assessment models submitted by our contributor

Leave a Reply

Bad Behavior has blocked 936 access attempts in the last 7 days.