COBIT 2019 governance objectives and SFIA

The recent publication of COBIT 2019 included a mapping of SFIA skills to the People, Skills and Competencies component of the COBIT 2019 Governance and management objectives-detailed guidance document.

Background

COBIT is the globally accepted framework for optimizing enterprise IT governance.

The recent publication of COBIT 2019 included a mapping of SFIA skills to COBIT 2019 governance and management objectives ...

  • this mapping is listed in component D. People, Skills and Competencies of the COBIT 2019 governance and management objectives-detailed guidance document.

Note - COBIT is a comprehensive resource. As such, an explanation of its purpose, structure and content is beyond the scope of this article.

However, COBIT 2019 does not reference the most recent version of SFIA ...

  • SFIA 8, published in September 2021, is the most recent version of SFIA and includes significant updates to skills and readability

In line with this update, here are suggestions for updating the Component D. references to SFIA 7.

This mapping was created by ...

  • using the COBIT 2019 to SFIA 7 mapping as a baseline
  • doing a detailed analysis of each of the governance/management objectives to derive the relevant SFIA skill. The main source is component A (process and activities).
  • the rationale is that to perform the activities listed in component A requires the SFIA skills which are listed in component D.

Note - a mapping to SFIA competency levels is outside the scope of this exercise.

If you are not familiar with the SFIA skills...
  • the guiding principles describe how to use SFIA
  • every SFIA skill listed in the table has a full description and skill-at-a-level descriptions. 
  • links are provided to the detailed SFIA skill descriptions

Evaluate, Direct and Monitor (EDM)

Governance/Management Objectives Description Indicative SFIA 8 skills
EDM01 - Ensured Governance Framework Setting and Maintenance Analyze and articulate the requirements for the governance of enterprise I&T. Put in place and maintain governance components with clarity of authority and responsibilities to achieve the enterprise’s mission, goals and objectives. Governance GOVN
EDM02 - Ensured Benefits Delivery Optimize the value to the business from investments in business processes, IT services and IT assets. Benefits management BENM
Investment appraisal INVA
Portfolio management POMG
Systems development management DLMG
Technology service management ITMG
EDM03 - Ensured Risk Optimization Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed. Risk management BURM
EDM04 - Ensured Resource Optimization Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost. Financial management FMIT
Portfolio management POMG
Demand management DEMM
Service level management SLMO
Resourcing RESC
Technology service management ITMG
Systems development management DLMG
EDM05 - Ensured Stakeholder Engagement Ensure that stakeholders are identified and engaged in the I&T governance system and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and necessary remedial actions. Governance GOVN
Stakeholder relationship management RLMT

Align, Plan and Organize (APO)

Governance/Management Objectives Description Indicative SFIA 8 skills
APO01 - Managed I&T Management Framework Design the management system for enterprise I&T based on enterprise goals and other design factors. Based on this design, implement all required components of the management system. Governance GOVN
Technology service management ITMG
Organisation design and implementation ORDI
Organisational capability development OCDV
Performance management PEMT
Service level management SLMO
APO02 - Managed Strategy Provide a holistic view of the current business and I&T environment, the future direction, and the initiatives required to migrate to the desired future environment. Ensure that the desired level of digitization is integral to the future direction and the I&T strategy. Assess the organization’s current digital maturity and develop a road map to close the gaps. With the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation journey across the organization. Leverage enterprise architecture building blocks, governance components and the organization’s ecosystem, including externally provided services and related capabilities, to enable reliable but agile and efficient response to strategic objectives. Strategic planning ITSP
Enterprise and business architecture STPL
Emerging technology monitoring EMRG
Business process improvement BPRE
Investment appraisal INVA
Organisational capability development OCDV
APO03 - Managed Enterprise Architecture Establish a common architecture consisting of business process, information, data, application and technology architecture layers. Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components. Enterprise and business architecture STPL
Information management IRMG
Data management DATM
APO04 - Managed Innovation Maintain an awareness of I&T and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or I&T-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions. Innovation INOV
Research RSCH
Emerging technology monitoring EMRG
Investment appraisal INVA
APO05 - Managed Portfolio Execute the strategic direction set for investments in line with the enterprise architecture vision and I&T road map. Consider the different categories of investments and the resources and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Move selected programs into the active products or services portfolio for execution. Monitor the performance of the overall portfolio of products and services and programs, proposing adjustments as necessary in response to program, product or service performance or changing enterprise priorities. Portfolio management POMG
Investment appraisal INVA
Benefits management BENM
Portfolio, programme and project support PROF
APO06 - Managed Budget and Costs Manage the I&T-related financial activities in both the business and IT functions, covering budget, cost and benefit management and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where needed. Financial management FMIT
APO07 - Managed Human Resources Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external). Workforce planning WFPL
Resourcing RESC
Organisation design and implementation ORDI
Performance management PEMT
Professional development PDSV
Competency assessment LEDA
Employee experience EEXP
Knowledge management KNOW
Learning and development management ETMG
APO08 - Managed Relationships Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and a combined focus on achieving the strategic goals within the constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common language, and the willingness to take ownership and accountability for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in support of the enterprise objectives. Stakeholder relationship management RLMT
APO09 - Managed Service Agreements Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of I&T products and services, service levels and performance indicators. Service level management SLMO
Service catalogue management SCMG
Demand management DEMM
Measurement MEAS
APO10 - Managed Vendors Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystem (including upstream supply chain) for effectiveness and compliance. Sourcing SORC
Supplier management SUPP
Contract management ITCM
APO11 - Managed Quality Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts. Quality management QUMG
Quality assurance QUAS
Organisational capability development OCDV
Measurement MEAS
Knowledge management KNOW
APO12 - Managed Risk Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management. Risk management BURM
Information assurance INAS
APO13 - Managed Security Define, operate and monitor an information security management system. Information security SCTY
Information assurance INAS
Enterprise and business architecture STPL
Security operations SCAD
APO14 - Managed Data Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving. Data management DATM
Information management IRMG
Personal data protection PEDP
Information assurance INAS
Quality management QUMG
Data modelling and design DTAN
Storage management STMG
Enterprise and business architecture STPL

Build, Acquire and Implement (BAI)

Governance/Management Objectives Description Indicative SFIA 8 skills
BAI01 - Managed Programs Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control, and execute programs, and monitor expected value from the program. Programme management PGMG
Investment appraisal INVA
Benefits management BENM
Stakeholder relationship management RLMT
BAI02 - Managed Requirements Definition Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions. Requirements definition and management REQM
Business situation analysis BUSA
Feasibility assessment FEAS
Business process improvement BPRE
Solution architecture ARCH
Systems design DESN
User research URCH
User experience analysis UNAN
User experience design HCEV
BAI03 - Managed Solutions Identification and Build Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services. Systems development management DLMG
Technology service management ITMG
Solution architecture ARCH
Sourcing SORC
Information assurance INAS
Information security SCTY
Data modelling and design DTAN
Systems design DESN
Network design NTDS
Database design DBDS
Configuration management CFMG
Hardware design HWDE
Software design SWDN
Storage management STMG
Programming/software development PROG
Real time/embedded systems development RESD
Software configuration PORT
Testing TEST
Systems integration and build SINT
Release and deployment RELM
Acceptance testing BPTS
Measurement MEAS
Quality assurance QUAS
Quality management QUMG
BAI04 - Managed Availability and Capacity Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements. Availability management AVMT
Capacity management CPMG
Service catalogue management SCMG
Measurement MEAS
BAI05 - Managed Organizational Change Maximize the likelihood of successfully implementing sustainable enterprise-wide organizational change quickly and with reduced risk. Cover the complete life cycle of the change and all affected stakeholders in the business and IT. Organisational change management CIPM
Stakeholder relationship management RLMT
Organisation design and implementation ORDI
Knowledge management KNOW
Learning and development management ETMG
BAI06 - Managed IT Changes Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure, and documentation. Change control CHMG
Configuration management CFMG
BAI07 - Managed IT Change Acceptance and Transitioning Formally accept and make operational new solutions. Include implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and I&T services, early production support, and a post-implementation review. Acceptance testing BPTS
Service acceptance SEAC
User experience evaluation USEV
Penetration testing PENT
Testing TEST
Release and deployment RELM
BAI08 - Managed Knowledge Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise I&T. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge. Knowledge management KNOW
Information management IRMG
Content authoring INCA
Content publishing ICPM
BAI09 - Managed Assets Manage I&T assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), and they are accounted for and physically protected. Ensure that those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements. Asset management ASMG
Systems installation and removal HSIN
BAI10 - Managed Configuration Define and maintain descriptions and relationships among key resources and capabilities required to deliver I&T-enabled services. Include collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository. Configuration management CFMG
BAI11 - Managed Projects Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review. Project management PRMG
Stakeholder relationship management RLMT
Portfolio, programme and project support PROF

Deliver, Service and Support (DSS)

Governance/Management Objectives Description Indicative SFIA 8 skills
DSS01 - Managed Operations Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T services. Include the execution of predefined standard operating procedures and the required monitoring activities. Technology service management ITMG
IT infrastructure ITOP
Application support ASUP
Database administration DBAD
Network support NTAS
Security operations SCAD
Storage management STMG
Supplier management SUPP
Facilities management DCMA
DSS02 - Managed Service Requests and Incidents Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents. Customer service support CSMG
Incident management USUP
Application support ASUP
Network support NTAS
IT infrastructure ITOP
DSS03 - Managed Problems Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements. Problem management PBMG
Knowledge management KNOW
Application support ASUP
Network support NTAS
IT infrastructure ITOP
DSS04 - Managed Continuity Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise. Continuity management COPL
Storage management STMG
DSS05 - Managed Security Services Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges. Perform security monitoring. Information security SCTY
Security operations SCAD
Penetration testing PENT
Vulnerability assessment VUAS
Network support NTAS
IT infrastructure ITOP
Facilities management DCMA
Learning delivery ETDL
DSS06 - Managed Business Process Controls Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements. Information security SCTY
Information assurance INAS
Security operations SCAD
Audit AUDT

Monitor, Evaluate and Assess (MEA)

Governance/Management Objectives Description Indicative SFIA 8 skills
MEA01 - Managed Performance and Conformance Monitoring Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely. Audit AUDT
Measurement MEAS
Quality assurance QUAS
MEA02 - Managed System of Internal Control Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness. Audit AUDT
MEA03 - Managed Compliance With External Requirements Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance. Audit AUDT
Information assurance INAS
Information management IRMG
Personal data protection PEDP
MEA04 - Managed Assurance Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities. Audit AUDT
Information assurance INAS
Quality assurance QUAS