COBIT 2019 governance objectives and SFIA
The recent publication of COBIT 2019 included a mapping of SFIA skills to the People, Skills and Competencies component of the COBIT 2019 Governance and management objectives-detailed guidance document.
Backgound
COBIT is the globally accepted framework for optimizing enterprise IT governance.
The recent publication of COBIT 2019 included a mapping of SFIA skills to COBIT 2019 governance and management objectives ...
- this mapping is listed in component D. People, Skills and Competencies of the COBIT 2019 governance and management objectives-detailed guidance document.
Note - COBIT is a comprehensive resource. As such an explanation of its purpose, structure and content is beyond the scope of this article.
However, COBIT 2019 does not reference the most recent version of SFIA ...
- SFIA 8 published in September 2021 is the most recent version of SFIA and includes significant updates to skills and readability
In line with this update, here are suggestions for updating the Component D. references to SFIA 7.
This mapping was created by ...
- using the COBIT 2019 to SFIA 7 mapping as a baseline
- doing a detailed analysis of each of the governance/management objectives to derive the relevant SFIA skill. The main source is component A (process and activities).
- the rationale is that to perform the activities listed in component A requires the SFIA skills which are listed in component D.
Note - a mapping to SFIA competency levels is outside the scope of this exercise.
If you are not familiar with the SFIA skills...
- the guiding principles describe how to use SFIA
- every SFIA skill listed in the table has a full description and skill-at-a-level descriptions.
- links are provided to the detailed SFIA skill descriptions
Evaluate, Direct and Monitor (EDM) |
||
| Governance/Management Objectives | Description | Indicative SFIA 8 skills |
| EDM01 - Ensured Governance Framework Setting and Maintenance | Analyze and articulate the requirements for the governance of enterprise I&T. Put in place and maintain governance components with clarity of authority and responsibilities to achieve the enterprise’s mission, goals and objectives. | Governance GOVN |
| EDM02 - Ensured Benefits Delivery | Optimize the value to the business from investments in business processes, IT services and IT assets. | Benefits management BENM |
| Investment appraisal INVA | ||
| Portfolio management POMG | ||
| Systems development management DLMG | ||
| Technology service management ITMG | ||
| EDM03 - Ensured Risk Optimization | Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed. | Risk management BURM |
| EDM04 - Ensured Resource Optimization | Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost. | Financial management FMIT |
| Portfolio management POMG | ||
| Demand management DEMM | ||
| Service level management SLMO | ||
| Resourcing RESC | ||
| Technology service management ITMG | ||
| Systems development management DLMG | ||
| EDM05 - Ensured Stakeholder Engagement | Ensure that stakeholders are identified and engaged in the I&T governance system and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and necessary remedial actions. | Governance GOVN |
| Stakeholder relationship management RLMT | ||
Align, Plan and Organize (APO) |
||
| Governance/Management Objectives | Description | Indicative SFIA 8 skills |
| APO01 - Managed I&T Management Framework | Design the management system for enterprise I&T based on enterprise goals and other design factors. Based on this design, implement all required components of the management system. | Governance GOVN |
| Technology service management ITMG | ||
| Organisation design and implementation ORDI | ||
| Organisational capability development OCDV | ||
| Performance management PEMT | ||
| Service level management SLMO | ||
| APO02 - Managed Strategy | Provide a holistic view of the current business and I&T environment, the future direction, and the initiatives required to migrate to the desired future environment. Ensure that the desired level of digitization is integral to the future direction and the I&T strategy. Assess the organization’s current digital maturity and develop a road map to close the gaps. With the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation journey across the organization. Leverage enterprise architecture building blocks, governance components and the organization’s ecosystem, including externally provided services and related capabilities, to enable reliable but agile and efficient response to strategic objectives. | Strategic planning ITSP |
| Enterprise and business architecture STPL | ||
| Emerging technology monitoring EMRG | ||
| Business process improvement BPRE | ||
| Investment appraisal INVA | ||
| Organisational capability development OCDV | ||
| APO03 - Managed Enterprise Architecture | Establish a common architecture consisting of business process, information, data, application and technology architecture layers. Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components. | Enterprise and business architecture STPL |
| Information management IRMG | ||
| Data management DATM | ||
| APO04 - Managed Innovation | Maintain an awareness of I&T and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or I&T-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions. | Innovation INOV |
| Research RSCH | ||
| Emerging technology monitoring EMRG | ||
| Investment appraisal INVA | ||
| APO05 - Managed Portfolio | Execute the strategic direction set for investments in line with the enterprise architecture vision and I&T road map. Consider the different categories of investments and the resources and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Move selected programs into the active products or services portfolio for execution. Monitor the performance of the overall portfolio of products and services and programs, proposing adjustments as necessary in response to program, product or service performance or changing enterprise priorities. | Portfolio management POMG |
| Investment appraisal INVA | ||
| Benefits management BENM | ||
| Portfolio, programme and project support PROF | ||
| APO06 - Managed Budget and Costs | Manage the I&T-related financial activities in both the business and IT functions, covering budget, cost and benefit management and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where needed. | Financial management FMIT |
| APO07 - Managed Human Resources | Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external). | Workforce planning WFPL |
| Resourcing RESC | ||
| Organisation design and implementation ORDI | ||
| Performance management PEMT | ||
| Professional development PDSV | ||
| Competency assessment LEDA | ||
| Employee experience EEXP | ||
| Knowledge management KNOW | ||
| Learning and development management ETMG | ||
| APO08 - Managed Relationships | Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and a combined focus on achieving the strategic goals within the constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common language, and the willingness to take ownership and accountability for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in support of the enterprise objectives. | Stakeholder relationship management RLMT |
| APO09 - Managed Service Agreements | Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of I&T products and services, service levels and performance indicators. | Service level management SLMO |
| Service catalogue management SCMG | ||
| Demand management DEMM | ||
| Measurement MEAS | ||
| APO10 - Managed Vendors | Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystem (including upstream supply chain) for effectiveness and compliance. | Sourcing SORC |
| Supplier management SUPP | ||
| Contract management ITCM | ||
| APO11 - Managed Quality | Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts. | Quality management QUMG |
| Quality assurance QUAS | ||
| Organisational capability development OCDV | ||
| Measurement MEAS | ||
| Knowledge management KNOW | ||
| APO12 - Managed Risk | Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management. | Risk management BURM |
| Information assurance INAS | ||
| APO13 - Managed Security | Define, operate and monitor an information security management system. | Information security SCTY |
| Information assurance INAS | ||
| Enterprise and business architecture STPL | ||
| Security operations SCAD | ||
| APO14 - Managed Data | Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving. | Data management DATM |
| Information management IRMG | ||
| Personal data protection PEDP | ||
| Information assurance INAS | ||
| Quality management QUMG | ||
| Data modelling and design DTAN | ||
| Storage management STMG | ||
| Enterprise and business architecture STPL | ||
Build, Acquire and Implement (BAI) |
||
| Governance/Management Objectives | Description | Indicative SFIA 8 skills |
| BAI01 - Managed Programs | Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control, and execute programs, and monitor expected value from the program. | Programme management PGMG |
| Investment appraisal INVA | ||
| Benefits management BENM | ||
| Stakeholder relationship management RLMT | ||
| BAI02 - Managed Requirements Definition | Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions. | Requirements definition and management REQM |
| Business situation analysis BUSA | ||
| Feasibility assessment FEAS | ||
| Business process improvement BPRE | ||
| Solution architecture ARCH | ||
| Systems design DESN | ||
| User research URCH | ||
| User experience analysis UNAN | ||
| User experience design HCEV | ||
| BAI03 - Managed Solutions Identification and Build | Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services. | Systems development management DLMG |
| Technology service management ITMG | ||
| Solution architecture ARCH | ||
| Sourcing SORC | ||
| Information assurance INAS | ||
| Information security SCTY | ||
| Data modelling and design DTAN | ||
| Systems design DESN | ||
| Network design NTDS | ||
| Database design DBDS | ||
| Configuration management CFMG | ||
| Hardware design HWDE | ||
| Software design SWDN | ||
| Storage management STMG | ||
| Programming/software development PROG | ||
| Real time/embedded systems development RESD | ||
| Software configuration PORT | ||
| Testing TEST | ||
| Systems integration and build SINT | ||
| Release and deployment RELM | ||
| Acceptance testing BPTS | ||
| Measurement MEAS | ||
| Quality assurance QUAS | ||
| Quality management QUMG | ||
| BAI04 - Managed Availability and Capacity | Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements. | Availability management AVMT |
| Capacity management CPMG | ||
| Service catalogue management SCMG | ||
| Measurement MEAS | ||
| BAI05 - Managed Organizational Change | Maximize the likelihood of successfully implementing sustainable enterprise-wide organizational change quickly and with reduced risk. Cover the complete life cycle of the change and all affected stakeholders in the business and IT. | Organisational change management CIPM |
| Stakeholder relationship management RLMT | ||
| Organisation design and implementation ORDI | ||
| Knowledge management KNOW | ||
| Learning and development management ETMG | ||
| BAI06 - Managed IT Changes | Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure, and documentation. | Change control CHMG |
| Configuration management CFMG | ||
| BAI07 - Managed IT Change Acceptance and Transitioning | Formally accept and make operational new solutions. Include implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and I&T services, early production support, and a post-implementation review. | Acceptance testing BPTS |
| Service acceptance SEAC | ||
| User experience evaluation USEV | ||
| Penetration testing PENT | ||
| Testing TEST | ||
| Release and deployment RELM | ||
| BAI08 - Managed Knowledge | Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise I&T. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge. | Knowledge management KNOW |
| Information management IRMG | ||
| Content authoring INCA | ||
| Content publishing ICPM | ||
| BAI09 - Managed Assets | Manage I&T assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), and they are accounted for and physically protected. Ensure that those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements. | Asset management ASMG |
| Systems installation and removal HSIN | ||
| BAI10 - Managed Configuration | Define and maintain descriptions and relationships among key resources and capabilities required to deliver I&T-enabled services. Include collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository. | Configuration management CFMG |
| BAI11 - Managed Projects | Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review. | Project management PRMG |
| Stakeholder relationship management RLMT | ||
| Portfolio, programme and project support PROF | ||
Deliver, Service and Support (DSS) |
||
| Governance/Management Objectives | Description | Indicative SFIA 8 skills |
| DSS01 - Managed Operations | Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T services. Include the execution of predefined standard operating procedures and the required monitoring activities. | Technology service management ITMG |
| IT infrastructure ITOP | ||
| Application support ASUP | ||
| Database administration DBAD | ||
| Network support NTAS | ||
| Security operations SCAD | ||
| Storage management STMG | ||
| Supplier management SUPP | ||
| Facilities management DCMA | ||
| DSS02 - Managed Service Requests and Incidents | Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents. | Customer service support CSMG |
| Incident management USUP | ||
| Application support ASUP | ||
| Network support NTAS | ||
| IT infrastructure ITOP | ||
| DSS03 - Managed Problems | Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements. | Problem management PBMG |
| Knowledge management KNOW | ||
| Application support ASUP | ||
| Network support NTAS | ||
| IT infrastructure ITOP | ||
| DSS04 - Managed Continuity | Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise. | Continuity management COPL |
| Storage management STMG | ||
| DSS05 - Managed Security Services | Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges. Perform security monitoring. Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges. Perform security monitoring. | Information security SCTY |
| Security operations SCAD | ||
| Penetration testing PENT | ||
| Vulnerability assessment VUAS | ||
| Network support NTAS | ||
| IT infrastructure ITOP | ||
| Facilities management DCMA | ||
| Learning delivery ETDL | ||
| DSS06 - Managed Business Process Controls | Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements. | Information security SCTY |
| Information assurance INAS | ||
| Security operations SCAD | ||
| Audit AUDT | ||
Monitor, Evaluate and Assess (MEA) |
||
| Governance/Management Objectives | Description | Indicative SFIA 8 skills |
| MEA01 - Managed Performance and Conformance Monitoring | Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely. | Audit AUDT |
| Measurement MEAS | ||
| Quality assurance QUAS | ||
| MEA02 - Managed System of Internal Control | Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness. | Audit AUDT |
| MEA03 - Managed Compliance With External Requirements | Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance. | Audit AUDT |
| Information assurance INAS | ||
| Information management IRMG | ||
| Personal data protection PEDP | ||
| MEA04 - Managed Assurance | Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities. | Audit AUDT |
| Information assurance INAS | ||
| Quality assurance QUAS | ||