Enabling Processes
Enabling Processes
Enabling Processes
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
CHAPTER 5<br />
COBIT 5 PROCESS REFERENCE GUIDE CONTENTS<br />
APO01 Process Practices, Inputs/Outputs and Activities (cont.)<br />
APO01.01 Activities<br />
1. Define the scope, internal and external functions, internal and external roles, and capabilities and decision rights required, including those IT activities<br />
performed by third parties.<br />
2. Identify decisions required for the achievement of enterprise outcomes and the IT strategy, and for the management and execution of IT services.<br />
3. Establish the involvement of stakeholders who are critical to decision making (accountable, responsible, consulted or informed).<br />
4. Align the IT-related organisation with enterprise architecture organisational models.<br />
5. Define the focus, roles and responsibilities of each function within the IT-related organisational structure.<br />
6. Define the management structures and relationships to support the functions and roles of management and execution, in alignment with the<br />
governance direction set.<br />
7. Establish an IT strategy committee (or equivalent) at the board level. This committee should ensure that governance of IT, as part of enterprise<br />
����������� �� ���������� ���������� ������ �� ��������� ���������� ��� ������ ����� ����������� �� ������ �� ��� ���� ������<br />
8. Establish an IT steering committee (or equivalent) composed of executive, business and IT management to determine prioritisation of IT-enabled<br />
���������� ���������� �� ���� ���� ��� ������������ �������� �������� ��� ����������� ����� ������ �� �������� ��� ������� �������� ���������� ���<br />
monitor service levels and service improvements.<br />
�� ������� ���������� ��� ���� ���������� ��������� ���������� �������� ����������� ������� ���������� ������� ��������� ����������� ��� ���������� ��<br />
well as required inputs for and expected outcomes of meetings.<br />
10. Define ground rules for communication by identifying communication needs, and implementing plans based on those needs, considering top-down,<br />
bottom-up and horizontal communication.<br />
11. Establish and maintain an optimal co-ordination, communication and liaison structure between the business and IT functions within the enterprise<br />
and with entities outside the enterprise.<br />
12. Regularly verify the adequacy and effectiveness of the organisational structure.<br />
Management Practice Inputs Outputs<br />
APO01.02 Establish roles and responsibilities.<br />
From Description Description To<br />
Establish, agree on and communicate roles and<br />
EDM01.01 Authority levels Definition of IT-related DSS05.04<br />
responsibilities of IT personnel, as well as other<br />
roles and responsibilities<br />
stakeholders with responsibilities for enterprise IT, that<br />
������� ������� ������� �������� ����� ��� �� ���������� EDM04.02 Assigned responsibilities Definition of supervisory APO07.01<br />
��� �������� ����������� ���������� ����������������<br />
for resource management practices<br />
and accountability.<br />
APO07.03 � ����� ����������� �����<br />
� ������ ��� ������������<br />
matrix<br />
APO11.01 Quality management<br />
system (QMS) roles,<br />
responsibilities and<br />
decision rights<br />
APO13.01 Information security<br />
management system<br />
(ISMS) scope statement<br />
DSS06.03 � ��������� ������<br />
of authority<br />
� ��������� ����� ���<br />
responsibilities<br />
Activities<br />
1. Establish, agree on and communicate IT-related roles and responsibilities for all personnel in the enterprise, in alignment with business needs and<br />
����������� ������� ��������� ���������������� ��� ����������������� ���������� ��� �������� ������ ��� ����������<br />
2. Consider requirements from enterprise and IT service continuity when defining roles, including staff back-up and cross-training requirements.<br />
3. Provide input to the IT service continuity process by maintaining up-to-date contact information and role descriptions in the enterprise.<br />
4. Include in role and responsibility descriptions adherence to management policies and procedures, the code of ethics, and professional practices.<br />
5. Implement adequate supervisory practices to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have<br />
sufficient authority and resources to execute their roles and responsibilities, and to generally review performance. The level of supervision should be in<br />
line with the sensitivity of the position and extent of responsibilities assigned.<br />
6. Ensure that accountability is defined through roles and responsibilities.<br />
7. Structure roles and responsibilities to reduce the possibility for a single role to compromise a critical process.<br />
Personal Copy of: Mr. Dong Hong Wang<br />
53<br />
Align, Plan and Organise