
Maximizing the Combined Effects of COBIT® 5 and CMMI®: A Guide to Using the Practices Pathways Tool

To help practitioners and enterprises use COBIT® and Capability Maturity Model Integration (CMMI)® products together, ISACA has created the COBIT 5/CMMI V1.3 Practices Pathway Tool showing alignment between the two products. Many practitioners are familiar with either COBIT 5 or CMMI but not the other. This tool is designed as a gateway to introduce practitioners to both. For those who have implemented practices of CMMI, the tool highlights areas of COBIT 5 that may augment those practices. Similarly, those who have implemented the COBIT 5 framework and practices may gain further insight into other, specific CMMI practices that may benefit enterprise governance and/or increase operational efficiency.

For more information on COBIT/CMMI Connections Tools, go to http://www.isaca.org/COBIT-CMMI-Connections.


Background

COBIT 5 is a framework for the governance and management of enterprise IT (GEIT). One of the important features of COBIT has historically been (and still is) the facility with which other guidance – such as regulations, other frameworks, and best practices – can be used effectively in conjunction with COBIT. Through this harmonization, organizations can establish effective governance structures that, at their inception, are compatible with and correlated to their specific operations, their regulatory context, and other key areas.

The Capability Maturity Model Integration (CMMI®) is a world-class performance improvement model for competitive organizations that want to achieve high-performance operations. Building upon an organization’s business performance objectives, CMMI provides a set of practices for improving processes, resulting in a performance improvement system that paves the way for better operations and performance.

In the past, ISACA and others have enabled this harmonization through published “mappings” — documents or tools designed to highlight areas of synergy, overlap, or concurrence between COBIT and other frameworks and guidance. One area of such guidance was the CMMI® for Development (CMMI-DEV) maturity model. The CMMI model provides a mechanism for organizations to understand the capability maturity of the work they do in certain key areas (in this case, software development). Recognizing that capability maturity can be a cornerstone of effective governance performance measurement, ISACA has previously published a mapping document correlating CMMI-DEV 1.2 to COBIT 4.1.

That guidance, while potentially valuable to those for whom both frameworks are in active use, had some limitations. While it provided a unidirectional mechanism for correlating processes, very often practitioners need to go in both directions (starting from either guidance and finding the areas of synergy with the other). Additionally, while a high-level understanding of synergy is useful, there is very often a need to go deeper, e.g., down to the level of specific practices within either set of material.

In response to this and to increase the utility of such a tool, ISACA and CMMI have jointly performed a model analysis of the four version 1.3 CMMI models (CMMI for Development, CMMI for Acquisition, CMMI for Services and People-CMM) and COBIT 5 to provide more detailed guidance down to the practice level. This analysis includes the creation of a “bidirectional” COBIT 5/CMMI Practices Pathway Tool that allows a practitioner to correlate individual practices or sets of practices from either framework and harmonize them with the relevant practices from the other.

This document provides instruction on how to use this tool to maximum effect and the value that can be realized in doing so.

The Purpose of This Guide

Just like optimizing processes and programs, a cornerstone of effective governance is continuing improvement, in short, establishing mechanisms where the value of actions can refine, improve, and increase their contribution over time in better service of delivering value to stakeholders. To gauge success, enterprises employing a governance and management framework need to measure the performance of things they do. Similar to the assessment and performance management of programs and practices an organization employs to ensure continuous improvement, so too do the governance structures an enterprise implements need to be measured and refined to ensure continuous improvement.

One axis across which a governance structure can be measured is via a performance improvement model to gauge the maturity, reproducibility, consistency of output, and resiliency of a governance structure. While a capability maturity model can be employed at any time to do this (even after a governance structure is already in place), doing so after the fact can introduce complexity and carries the risk of missing key elements. Instead, designing the measurement and assessment methodology for maturity prior to implementation of a governance structure can have advantages: it can make instrumentation and collection of information more efficient, it can mean better alignment of metrics and key performance indicators (KPIs) with objectives and goals, and it can lead to areas of opportunity for leveraging one measurement capability across multiple areas. In short, CMMI® for Development, CMMI® for Services, CMMI® for Acquisition, and the People Capability Maturity Model® (collectively referred to as “CMMI” in the remainder of this document) are the premier products in the performance improvement model market. As such, these products provide a fruitful avenue for assessment of organizational capability maturity and maturity of governance structures as well.

This document describes the COBIT 5/CMMI Practices Pathway Tool, which provides connections between COBIT 5 and CMMI with the intent of identifying and highlighting the related components of each. This is intended to assist in designing or improving governance structures by highlighting both a means of evaluation and providing a source of additional guidance to leverage in measurement and assessment of maturity relative to COBIT 5.

Scope of Alignment and Alignment Criteria

It should be noted that the most relevant connection points between the COBIT 5 and CMMI models are practices. While there are synergies at higher levels, each individual practice is potentially an area where practitioners can derive benefit from harmonization of COBIT 5 and CMMI.

With that in mind, the model analysis was performed with the aim of establishing not only alignment between the two, but also the practices in one product that provide clarification or extend the usefulness of a practice in the other. This is where the practitioner may find the most value as the tool showcases those areas of extension.

Because the products were designed for different purposes, they do not align perfectly. Consequently, there are instances where connections between them would not make sense. In those cases, the Practices Pathway Tool will show “Not Covered” as the value for the assignment to that practice. It is also possible for a practice in one product to align with multiple practices in the other. When that occurs, a separate line is used in the Practices Pathway Tool for each assignment. This approach facilitates easier sorting or grouping functions within the Tool.

In determining the connection points between CMMI and COBIT 5, the following questions were evaluated for each practice in creating the Tool:

1. Is this practice useful in the other model?

2. Can this practice be made better by associating it with a practice in the other model?

If the answers to these questions are “yes,” then an association in the mapping tool is recorded.

Using the COBIT 5/CMMI Practices Pathway Tool

It is assumed that the practitioner making use of the Tool has a working knowledge of COBIT 5 and at least a cursory understanding of CMMI. The tool is designed to permit identification of guidance in one model based on input from the other. This can mean starting from CMMI or starting from COBIT. This design feature makes the Tool bi-directional, but also requires some knowledge of the source materials.

The COBIT 5/CMMI Practices Pathway Tool has been constructed in a Microsoft Excel® spreadsheet.

Structure of the Tool

The Tool consists of a spreadsheet “grid” correlating the guidance from both CMMI and COBIT. Specific elements of each practice have been given separate columns to provide the user the opportunity to sort and filter the data per his or her own requirements. As delivered, the COBIT 5/CMMI Practices Pathway Tool has the Excel “Filter” turned on.

To specify a practice element to examine, click on the filter drop-down icon and select the element value from the list of values that appear. The Tool will update to show the results of the selected filter.

Following is a step-by-step illustration of using the mapping tool. Two examples will be presented.

Example One – Leveraging CMMI to find related COBIT Guidance

In this example, you will start with CMMI CAM SP 2.1 (Monitor and analyze capacity against thresholds.) and look for all related COBIT 5 practices. The end result should produce:

• APO07.05 (Plan and track the usage of IT and business human resources.),

• EDM04.03 (Monitor resource management.), and

• BAI09.04 (Optimize asset costs.).

ANALYTICAL STEPS:

1. From the drop-down arrow in cell D8 select “Capacity and Availability Management (L3).” The tool will display 16 records as shown in figure 1.

2. Reduce the selection by clicking on the drop-down arrow in cell G8 and selecting “Establish and maintain a strategy for capacity and availability management” from the list of values. The table will reduce again down to 3 records as shown in figure 2.

3. Observe that the related COBIT 5 guidance is shown as practice references in column I: EDM04.02, BAI02.02, and EDM04.01.

4. Delete the filters applied to return the Tool to its default configuration. The Tool will display 1011 records.

FIGURE 1

FIGURE 2


Example Two – Leverage COBIT to find related CMMI guidance

In this example, you will start with COBIT 5 management practice BAI01.06 (Monitor, control and report on the program outcomes.) and look for all related CMMI practices. The end result should produce:

• CMMI WMC SP1.1 Monitor actual values of planning parameters against the work plan.

• CMMI WMC SP1.6 Periodically review the work progress, performance, and issues.

• CMMI WMC SP1.6 Review accomplishments and results at selected milestones.

ANALYTICAL STEPS:

1. From the drop-down arrow in cell H8 select “BAI.” The tool will update to display 376 records. A small portion of the result set is displayed in figure 3.

2. From the drop-down arrow in cell I8 select “BAI01.06.” The tool will update and display 6 records, as shown in figure 4.

3. Observe the related CMMI guidance by practice reference in column G: CMMI WMC SP1.1, CMMI WMC SP1.6, CMMI WMC SP1.7, PCMM PM P2, PCMM PM P3, and PCMM PM P7.

FIGURE 3

FIGURE 4


Additional Uses of the COBIT 5/CMMI Practices Pathway Tool

The use of the COBIT 5/CMMI Practices Pathway Tool enables enterprises to look beyond IT resource management (traditional COBIT usage) and software development (traditional CMMI for Development usage) and to consider the broader implication of practice design and its connection to delivery of value to stakeholders. For example, the COBIT EDM domain (Evaluate, Direct, and Monitor) covers the delivery of value through benefits realization, risk optimization, and resource optimization. Since CMMI does not explicitly cover these same areas in the same detail, the CMMI practitioner can make use of the additional guidance in COBIT to improve governance practices they employ in their organization. Likewise, the practitioner employing COBIT can gain additional information and guidance about specific areas that they may be concerned about for areas that the CMMI materials cover in depth; for example, software development, services, acquisition, people, etc.

In addition to these use cases, there are numerous others, many of which are organization-specific. For example, internal control environment management can benefit greatly from examining the connections between the two models. The COBIT practitioner, for example, may wish to consider the capability maturity, cost effectiveness, resilience, and other maturity elements of the controls they field. The ability to measure capability maturity of these areas can provide value as part of preplanning activities, as part of a long-term continual improvement strategy, or as an element of the KPIs they collect and the performance management activities they do.

Disclaimer

This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances.

Reservation of Rights

© 2017 ISACA. All rights reserved.

ISACA®

ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus™ (CSX), a holistic cybersecurity resource, and COBIT®, a business framework to govern enterprise technology.

CMMI® Institute

CMMI Institute (CMMIinstitute.com) is the global leader in the advancement of best practices in people, process, and technology. The Institute provides the tools and support for organizations to benchmark their capabilities and build maturity by comparing their operations to best practices and identifying performance gaps. For over 25 years, thousands of high-performing organizations in a variety of industries, including aerospace, finance, healthcare, software, defense, transportation, and telecommunications, have earned a CMMI maturity level rating and proved they are capable business partners and suppliers. CMMI Institute is a part of the ISACA family, the global non-profit association helping professionals to realize the positive potential of technology.
