Design Guide Chapter 1 - 3

Question 1

A Governance or management objective

Answer 1

Always relates to one objective

Question 2

A governance objetive relates to a

Answer 2

Governance process

Question 3

A management objective relates to a

Answer 3

Management process

Question 4

Boards and executive management are typically accountable for

Answer 4

Governance Process

Question 5

Management processes are the domain of

Answer 5

Senior and Middle Management

Question 6

Governance Objectives are grouped in

Answer 6

Evaluate, Direct and Monitor (EDM)

Question 7

EDM - Evaluate, Direct and Monitor

Answer 7

Governing body evaluates strategic options, directs senior management and monitors the achievement of the strategy

Question 8

Management objectives are

Answer 8

APO - Align, Plan, and Organize
BAI - Build Acquire, and Implement
DSS - Deliver, Service, and Support
MEA - Monitor, Evaluate and Assess

Question 9

APO

Answer 9

Align, Plan, and Organize - Addresses the overall organization, Strategy, and supporting activities for I&T

Question 10

BAI

Answer 10

Build, Acquire, and Implement - treats the definition, acquisition, and implementation of I&T solutions and their integration in the business process.

Question 11

DSS

Answer 11

Deliver, Service, and Support - Addresses operational delivery and support of I&T services, including security.

Question 12

MEA

Answer 12

Monitor, Evaluate, and Assess - Addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.

Question 13

EDM01

Answer 13

Ensured governance framework setting and maintenance

Question 14

EDM02

Answer 14

Ensured benefits delivery

Question 15

EDM03

Answer 15

Ensured risk optimization

Question 16

EDM04

Answer 16

Ensured resource optimization

Question 17

EDM05

Answer 17

Ensured stakeholder engagement

Question 18

APO01

Answer 18

Managed I&T Management Framework

Question 19

APO02

Answer 19

Managed Strategy

Question 20

APO3

Answer 20

Managed Enterprise Arquitecture

Question 21

APO04

Answer 21

Managed Innovation

Question 22

APO05

Answer 22

Managed Portfolio

Question 23

APO06

Answer 23

Managed Budget and Costs

Question 24

APO07

Answer 24

Managed Human Resources

Question 25

APO08

Answer 25

Managed Relationships

Question 26

APO09

Answer 26

Managed Service Agreements

Question 27

APO10

Answer 27

Managed Vendors

Question 28

APO11

Answer 28

Managed Quality

Question 29

APO12

Answer 29

Managed Risks

Question 30

APO13

Answer 30

Managed Security

Question 31

APO14

Answer 31

Managed Data

Question 32

BAI01

Answer 32

Managed Programs

Question 33

BAI02

Answer 33

Managed Requirement Definitions

Question 34

BAI03

Answer 34

Managed Solution Identification and build

Question 35

BAI04

Answer 35

Managed Availability and Capacity

Question 36

BAI05

Answer 36

Managed Organization Change

Question 37

BAI06

Answer 37

Managed IT Changes

Question 38

BAI07

Answer 38

Managed IT Change Acceptance and Transitioning

Question 39

BAI08

Answer 39

Managed Knowledge

Question 40

BAI09

Answer 40

Managed Assets

Question 41

BAI10

Answer 41

Managed Configuration

Question 42

BAI11

Answer 42

Management Projects

Question 43

DSS01

Answer 43

Managed Operations

Question 44

DSS02

Answer 44

Managed Service Requests and Incidents

Question 45

DSS03

Answer 45

Managed Problems

Question 46

DSS04

Answer 46

Managed Continuity

Question 47

DSS05

Answer 47

Managed Security Service

Question 48

DSS06

Answer 48

Managed Business Process Control

Question 49

MEA01

Answer 49

Managed Performance and Conforming Monitoring

Question 50

MEA02

Answer 50

Managed System and Internal Control

Question 51

MEA03

Answer 51

Managed Compliance with External Requirements

Question 52

MEA04

Answer 52

Managed Assurance

Question 53

Components are factors that

Answer 53

Individually and collectively, contribute to the good operations of the enterprises governance system over I&T

Question 54

Components interact with each other

Answer 54

resulting in a holistic governance system for I&T

Question 55

Components can be of different types:

Answer 55

Processes; Organizational Structures; Policies and Procedures; Information items; Culture and behavior; Skills and Competencies; and services, infrastructure, and applications.

Question 56

Generic Component are

Answer 56

the described in the COBIT Core Model; apply in any situation, but need to be customized.

Question 57

Variant Components are

Answer 57

based on generic components but tailored for a specific context or purpose within a focus area.

Question 58

Focus Area

Answer 58

Describe a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their governance.

Question 59

Examples of Focus Areas

Answer 59

Small and Middle Enterprises;
Cybersecurity;
Digital Transformation;
Cloud Computing;
Privacy;
DevOps.

Question 60

Capability Levels (CMMI - Capability Mature Model Integration)

Answer 60

Measure for how well a process is implemented and performing.

Question 61

Capability Level - 0

Answer 61

*Lack of any basic capability;
*Incomplete approach to addressing governance and management purpose;
*May or may not be meeting the intent of any process practice.

Question 62

Capability Level - 1

Answer 62

The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized initial or intuitive - not very organized

Question 63

Capability Level - 2

Answer 63

The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.

Question 64

Capability Level - 3

Answer 64

The process achieves its purpose in a much more organized way using organizational assets. Processes are typically well-defined.

Question 65

Capability Level - 4

Answer 65

The process achieves its purpose, as well defined, and its performance is (quantitatively) measured.

Question 66

Capability Level - 5

Answer 66

The process achieves its purpose, is well defined, performance is measured to improve performance and continuous improvement is pursued.

Question 67

Capability Level - Any level at 3 or up is called …

Answer 67

Higher

Question 68

Capability Level - Anything below 3 is called …

Answer 68

Lower

Question 69

Design Factors are

Answer 69

Factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.

Question 70

The Design Factors are:

Answer 70

Enterprise Strategy
Enterprise Goal
Risk Profile
I&T Related Issues
Threat Landscape
Compliance Requirements
Role of IT
Sourcing Model for IT
IT implementation Methods
Technology Adoption Strategy
Enterprise Size

Question 71

Enterprise Strategy

Answer 71

Enterprises can have different strategies, which can be expressed as one or more of the archetypes.

Organizations typically have a primary strategy and, at most, one secondary strategy.

Question 72

Example of Enterprise Strategies

Answer 72

**Growth/Acquisition - The enterprise has a focus on growing revenues.
**Innovation/Differentiation - The enterprise has a focus on offering different and/or innovative products and services to their clients.
**Cost Leadership - The enterprise has a focus on short-term cost minimization
**Client Service/Stability - The enterprise has a focus on providing a stable and client-oriented service.

Question 73

Enterprise goals

Answer 73

Supporting the enterprise strategy - Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, and structured along the balanced scorecard (BSC) dimensions:
Financial
Customer
Internal
Growth

Question 74

Enterprise Goal - Financial

Answer 74

EG01 - Portfolio of competitive products and services
EG02 - Managed business risk
EG03 - Compliance with external laws and regulations
EG04 - Quality of financial information

Question 75

Enterprise Goal - Customer

Answer 75

EG05 - Customer-oriented service culture
EG06 - Business service continuity and availability
EG07 - Quality of management information

Question 76

Enterprise Goal - Internal

Answer 76

EG08 - Optimization of internal business process functionality
EG09 - Optimization of business process costs
EG10 - Staff skills, motivation and productivity
EG11 - Compliance with internal policies

Question 77

Enterprise Goal - Growth

Answer 77

EG12 - Managed digital transformation programs
EG13 - Product and business innovation

Question 78

Risk Profile

Answer 78

The enterprise and current issues in relation to I&T—The risk profile identifies the sort of IT related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.

Question 79

Risk Category

1.-IT-investment decision making, portfolio definition, and maintenance

Answer 79

Risk Scenarios
A. Programs selected for implementation misaligned with corporate strategy and priorities
B. Failure of IT-related Investments to support digital strategy of the enterprise
C. Selection of wrong software (in terms of cost, performance, features, compatibility,
redundancy, etc.) for acquisition and implementation
D. Selection of wrong infrastructure (in terms of cost, performance, features,
compatibility, etc.) for implementation
E. Duplication or important overlaps between different investment initiatives
F. Long-term incompatibility between new investment programs and enterprise
architecture
G. Misallocation, inefficient manage

Question 80

Risk Category

2.-Program and projects lifecycle management

Answer 80

A. Failure of senior management to terminate failing projects (due to cost explosion, excessive delays, scope creep, and changed business priorities)
B. Budget overruns for I&T projects
C. Lack of quality of I&T projects
D. Late delivery of I&T projects
E. Failure of third-party outsourcers to deliver projects as per contractual agreements
(any combination of exceeded budgets, quality problems, missing functionality,
late delivery)

Question 81

Risk Category

3.-IT cost and oversight

Answer 81

A. Extensive dependency on, and use of, user-created, user-defined, user-maintained
applications and ad hoc solutions
B. Excess cost and/or ineffectiveness of I&T-related purchases outside of the I&T
procurement process
C. Inadequate requirements leading to ineffective Service Level Agreements (SLAs)
D. Lack of funds for I&T related investments

Question 82

Risk Category

4.-IT expertise, skills and behavior

Answer 82

A. Lack or mismatch of IT-related skills within IT (e.g., due to new technologies or
working methods)
B. Lack of business understanding by IT staff that affects service delivery/project quality
C. Inability to recruit and retain IT staff
D. Recruitment of unsuitable profiles because of lack of due diligence in the recruitment
process
E. Lack of I&T training
F. Overreliance for I&T services on key staff

Question 83

Risk Category

5.-Enterprise/IT architecture

Answer 83

A. Complex, inflexible enterprise architecture (EA), obstructing further evolution and
expansion, and leading to missed business opportunities
B. Failure to timely adopt and exploit new infrastructure or abandon obsolete
infrastructure
C. Failure to timely adopt and exploit new software (functionality, optimization, etc.)
or to abandon obsolete applications
D. Undocumented EA leading to inefficiencies and duplications
E. Excessive number of exceptions on enterprise architecture standards

Question 84

Risk category

6.-IT operational infrastructure incidents

Answer 84

A. Accidental damaging of IT equipment
B. Errors by IT staff (during backup, during upgrades of systems, during maintenance
of systems, etc.)
C. Incorrect information input by IT staff or system users
D. Destruction of data center (sabotage, etc.) by staff
E. Theft of device with sensitive data
F. Theft of a key infrastructure component
G. Erroneous configuration of hardware components
H. Intentional tampering with hardware (security devices, etc.)
I. Abuse of access rights from prior roles to access IT infrastructure
J. Loss of backup media or backups not checked for effectiveness
K. Loss of data by cloud provider
L. Operational-service interruption by cloud providers

Question 85

Risk Category

7.-Unauthorized actions

Answer 85

A. Tampering with software
B. Intentional modification or manipulation of software leading to incorrect data
C. Intentional modification or manipulation of software leading to fraudulent actions
D. Unintentional modification of software leading to inaccurate results
E. Unintentional configuration and change-management errors

Question 86

Risk Category

8.- Software adoption/usage problems

Answer 86

A. Nonadoption of new application software by users
B. Inefficient use of new software by users

Question 87

Risk Categoty

9.-Hardware incidents

Answer 87

A. System instability in wake of installing new infrastructure, leading to operational
incidents (e.g., BYOD program)
B. Inability of systems to handle transaction volumes when user volumes increase
C. Inability of systems to handle load when new applications or initiatives are deployed
D. Utilities failure (telecom, electricity)
E. Hardware failure due to overheating and/or other environmental conditions like
humidity
F. Damaging of hardware components leading to destruction of data by internal staff
G. Loss/disclosure of portable media containing sensitive data (CD, USB-drives,
portable disks, etc.)
H. Extended resolution time or support delays in case of hardware incidents

Question 88

Risk Category

10.-Software failures

Answer 88

A. Inability to use the software to realize desired outcomes (e.g., failure to make
required business model or organizational changes)
B. Implementation of immature software (early adopters, bugs, etc.)
C. Operational glitches when new software is made operational
D. Regular software malfunctioning of critical application software
E. Obsolete application software (outdated, poorly documented, expensive to
maintain, difficult to extend, not integrated in current architecture, etc.)
F. Inability to revert back to former versions in case of operational issues with a new
version
G. Software-induced corrupted data(base) leading to inaccessible data

Question 89

Risk Category

11.-Logical attacks (hacking, malware,etc.)

Answer 89

A. Unauthorized (internal) users trying to break into systems
B. Service interruption due to denial-of-service (DoS) attack
C. Website defacement
D. Malware attack
E. Industrial espionage
F. Hacktivism
G. Disgruntled employee implements a time bomb which leads to data loss
H. Company data stolen through unauthorized access gained by a phishing attack
I. Foreign government attacks on critical systems

Question 90

Risk Category

12.-Third-party/supplier incidents

Answer 90

A. Inadequate performance of outsourcer in large-scale, long-term outsourcing
arrangement (e.g., through lack of supplier due diligence regarding financial
viability, delivery capability and sustainability of supplier’s service)
B. Accepting unreasonable terms of business from IT suppliers
C. Inadequate support and services delivered by vendors, not in line with SLA
D. Noncompliance with software license agreements (use and/or distribution of
unlicensed software)
E. Inability to transfer to alternative suppliers due to overreliance or overdependence
on current supplier
F. Purchase of IT services (especially cloud services) by the business without
consultation /involvement of IT, resulting in inability to integrate the service with inhouse
services.
G. Inadequate or unenforced SLA to obtain agreed services and penalties in case of
noncompliance

Question 91

Risk Category

13.-Noncompliance

Answer 91

A. Noncompliance with national or international regulations (e.g., privacy, accounting,
manufacturing, environmental, etc.)
B. Lack of awareness of potential regulatory changes that may have a business
impact
C. Operational obstacles caused by regulations
D. Failure to comply with internal procedures

Question 92

Risk Category

14.-Geopolitical issues

Answer 92

A. Lack of access due to disruptive incident in other premises
B. Government interference and national policies impacting the business
C. Targeted action from government-sponsored groups or agencies

Question 93

Risk Category

15.-Industrial action

Answer 93

A. Facilities and building inaccessible because of labor union strike
B. Third-party providers unable to provide services because of strike
C. Key staff unavailable through industrial action (e.g., transportation or utilities strike)

Question 94

Risk Category

16.-Acts of nature

Answer 94

A. Earthquake destroying or damaging important IT infrastructure
B. Tsunami destroying critical premises
C. Major storms and tropical cyclone or tornado damaging critical infrastructure
D. Major wildfire
E. Flooding
F. Rising water table leaving critical location unusable
G. Rising temperature rendering critical locations uneconomical to operate

Question 95

Risk Category

17.-Technology-based innovation

Answer 95

A. Failure to identify new and important technology trends
B. Failure to appreciate the value and potential of new technologies
C. Failure to adopt and exploit new technologies in a timely manner (functionality,
process optimization, etc.)
D. Failure to provide technology support new business models

Question 96

Risk Category

18.-Environmental

Answer 96

A. Environmentally unfriendly equipment (e.g., power consumption, packaging)

Question 97

Risk Category

19.-Data and information management

Answer 97

A. Discovery of sensitive information by unauthorized persons due to inefficient
retaining/archiving/disposing of information
B. Intentional illicit or malicious modification of data
C. Unauthorized disclosure of sensitive information through email or social media
D. Loss of IP and/or leakage of competitive information

Question 98

I&T-related issues

Answer 98

A related method for an I&T risk assessment for the enterprise is to consider which I&Trelated issues it currently faces, or, in other words, what I&T-related risk has materialized.

Question 99

I&T-related issues A

Answer 99

Frustration between different IT entities across the organization because of a perception of low contribution to business value

Question 100

I&T-related issues B

Answer 100

Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value

Question 101

I&T-related issues C

Answer 101

Significant IT related incidents, such as data loss, security breaches, project failure, application errors, etc. linked to IT

Question 102

I&T-related issues D

Answer 102

Service delivery problems by the IT outsourcer(s)

Question 103

I&T-related issues E

Answer 103

Failures to meet IT related regulatory or contractual requirements

Question 104

I&T-related issues F

Answer 104

Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems

Question 105

I&T-related issues G

Answer 105

Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets

Question 106

I&T-related issues H

Answer 106

Duplications or overlaps between various initiatives or other forms of wasting resources

Question 107

I&T-related issues I

Answer 107

Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction

Question 108

I&T-related issues J

Answer 108

IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget

Question 109

I&T-related issues K

Answer 109

Reluctance by board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT

Question 110

I&T-related issues L

Answer 110

Complex IT operating model and/or unclear decision mechanisms for IT-related decisions

Question 111

I&T-related issues M

Answer 111

Excessively high cost of IT

Question 112

I&T-related issues N

Answer 112

Obstructed or failed implementations of new initiatives or innovations caused by the current IT architecture and system

Question 113

I&T-related issues O

Answer 113

Gap between business and technical knowledge which leads to business users and IT and/or technology specialists speaking different languages

Question 114

I&T-related issues P

Answer 114

Regular issues with data quality and integration of data across various sources

Question 115

I&T-related issues Q

Answer 115

High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation

Question 115

I&T-related issues Q

Answer 115

High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation

Question 116

I&T-related issues R

Answer 116

Business departments implementing their own information solutions with little or no involvement of the enterprise IT department

Question 117

I&T-related issues S

Answer 117

Ignorance and/or noncompliance with security and privacy regulations

Question 118

I&T-related issues T

Answer 118

Inability to exploit new technologies or to innovate using I&T

Question 119

Threat landscape

Answer 119

The threat landscape under which the enterprise operates can be classified

Question 120

Threat landscape - Normal

Answer 120

The enterprise is operating under what are considered normal threat levels

Question 121

Threat landscape - High

Answer 121

Due to its geopolitical situation, industry sector or particular profile, the enterprise is
operating in a high-threat environment.

Question 122

Compliance requirements

Answer 122

The compliance requirements to which the enterprise is subject to and can be classified
according to the categories:
**Low compliance requirements
**Normal compliance requirements
**High compliance requirements

Question 123

Low compliance requirements

Answer 123

The enterprise is subject to a minimal set of regular compliance requirements that
are lower than average.

Question 124

Low compliance requirements

Answer 124

The enterprise is subject to a minimal set of regular compliance requirements that
are lower than average.

Question 125

Normal compliance requirements

Answer 125

The enterprise is subject to a set of regular compliance requirements that are
common across different industries.

Question 126

High compliance requirements

Answer 126

The enterprise is subject to higher than average compliance requirements, most
often related to industry sector or geopolitical conditions.

Question 127

Role of IT

Answer 127

The role of IT for the enterprise can be classified as Support, Factory, Turnaround and Strategic.

Question 128

Role of IT - Support

Answer 128

IT is not crucial for the running and continuity of the business process and services, nor for their innovation.

Question 129

Role of IT - Factory

Answer 129

When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.

Question 130

Role of IT - Turnaround

Answer 130

IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency of IT for the current running and continuity of the business processes and services.

Question 131

Role of IT - Strategic

Answer 131

IT is critical for both running and innovating the organization’s business processes and services.

Question 132

Sourcing model for IT

Answer 132

The sourcing model the enterprise adopts can be classified as:
**Outsourcing
**Cloud
**Insourced
**Hybrid

Question 133

Sourcing model for IT - Outsourcing

Answer 133

The enterprise calls upon the services of a third party to provide IT services.

Question 134

Sourcing model for IT - Cloud

Answer 134

The enterprise maximizes the use of the cloud for providing IT services to its users.

Question 135

Sourcing model for IT - Insourced

Answer 135

The enterprise provides for their own IT staff and services.

Question 136

Sourcing model for IT - Hybrid

Answer 136

A mixed model is applied, combining the three models above in varying degrees.

Question 137

IT implementation methods

Answer 137

The methods the enterprise adopts can be classified as noted:
**Agile
**DevOps
**Traditional
**Hybrid

Question 138

IT implementation methods - Agile

Answer 138

The enterprise uses Agile development working methods for its software development.

Question 139

IT implementation methods - DevOps

Answer 139

The enterprise uses DevOps working methods for software building, deployment and operations.

Question 140

IT implementation methods - Traditional

Answer 140

The enterprise uses a more classic approach towards software development (waterfall) and separates software development and operations.

Question 141

IT implementation methods - Hybrid

Answer 141

The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”

Question 142

Technology adoption strategy

Answer 142

The technology adoption strategy can be classified as listed:
**First mover
**Follower
**Slow adopter

Question 143

Technology adoption strategy - First mover

Answer 143

The enterprise generally adopts new technologies as early as possible and tries to
gain first-mover advantage.

Question 144

Technology adoption strategy - Follower

Answer 144

The enterprise typically waits for new technology to become mainstream and proven
before adopting them.

Question 145

Technology adoption strategy - Slow adopter

Answer 145

The enterprise is very late with their adoption of new technologies.

Question 146

Enterprise size

Answer 146

Two categories:
**Large enterprise (default) - Enterprises with more than 250 full-time employees (FTEs)
**Small and medium enterprise - Enterprise with 50 to 250 FTEs

Question 147

Why is There no Industry Sector Design Factor?

Answer 147

Every industry sector has its own unique set of requirements regarding expectations from the use of I&T. However, it is possible to capture the key characteristics of an industry sector by a combination of the design factors listed in the preceding tables.

Question 148

Impact of Design Factors

Answer 148

Design factors influence in different ways the tailoring of the governance system of an enterprise. This publication distinguishes three different types of impact:

1.-Management Objective Priority and Target Capability Levels
2.-Component Variations
3.-Specific Focus Areas

Question 149

Impact of Design Factors - Management objective priority/selection

Answer 149

The COBIT core model contains 40 governance. and management
objectives, each consisting of the process and a number of related components. They are intrinsically equivalent; there is no natural order of priority among them. However, design factors can influence this equivalence and make some governance and management objectives more important than others.

Example: When an enterprise identifies the most relevant enterprise goal(s) from the enterprise goal list and applies the goals cascade, this will lead to a selection of priority management objectives. For example, when EG01 Portfolio of competitive products and services is ranked as very high by an enterprise, this will make management objective APO05 Managed portfolio an important part of this enterprise’s governance system.

Example: An enterprise that is very risk averse will give more priority to management objectives that aspire to govern and manage risk and security. Governance and management objectives EDM03 Ensured risk optimization,
APO12 Managed risk, APO13 Managed security and DSS05 Managed security services will become important parts of that enterprise’s governance system and will have higher target capability levels defined for them.

Example: An enterprise in which the role of IT is strategic and crucial to the success of the business will requirehigh involvement of IT-related roles in organizational structures, a thorough understanding of business by IT professionals (and vice versa), and a focus on strategic processes such as APO02 Managed strategy and APO08 Managed relationships.

Question 150

Impact of Design Factors - Component Variation

Answer 150

Components are required to achieve governance and management objectives. Design
factors can mandate specific variations of components or can influence the importance of components.

Example: Small and medium enterprises might not need the full set of roles and organizational structures as laid out in the COBIT core model, but may use a reduced set instead. This reduced set of governance and management objectives and the included components is defined in the small and medium enterprise focus area.

Example: An enterprise which operates in a highly regulated environment will attribute more importance to documented work products and policies and procedures and to some roles, e.g., the compliance officer function.

Example: An enterprise that uses DevOps in solution development and operations will require specific activities, organizational structures, culture, etc., focused on BAI03 Managed solutions identification and build and DSS01 Managed operations.

Question 151

Impact of Design Factors - Need for specific focus area guidance

Answer 151

Some design factors, such as threat landscape, specific risk, target development methods, infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context.

Example: Enterprises adopting a DevOps approach will require a governance system that has a variant of several generic COBIT processes, described in the DevOps focus area guidance for COBIT.

Example: Small and medium enterprises have less staff, fewer IT resources, and shorter and more direct reporting lines, and differ in many more aspects from large enterprises. For that reason, their governance system for I&T will have to be less onerous, compared to large enterprises. This is described in the SME focus area guidance of COBIT.