
Cobit Cheat Sheet

A cheat sheet about COBIT.

IT Governance Failures

High Cost, Low Impact
Mature but Not Useful
Policies That Are Not Concrete
Forgetting the Purpose of “Governance”
Ambitious but Not Measurable
Governance Only as a Formality
Failing to Understand Needs

Cobit 5 vs Cobit 2019

Cobit 2019 Improves

Flexibility and openness
Currency and relevance
Prescriptive application
Performance management of IT

What Is COBIT and What Is It Not?

COBIT is:
- A framework for the governance and management of enterprise I&T
- COBIT defines the components to build and sustain a governance system
- COBIT defines the design factors that should be considered by the enterprise to build a best fit governance system
- COBIT is flexible and allows guidance on new topics to be added

COBIT is not:
- A full description of the whole IT environment of an enterprise
- A framework to organize business processes
- An (IT-) technical framework to manage all technology
- COBIT does not make or prescribe any IT-related decisions

Cobit Principles

Governance System
- Provide Stakeholder Value
- Holistic Approach
- Dynamic Governance System
- Governance Distinct From Mgmt
- Tailored to Enterprise Needs
- E2E Governance System

Governance Framework
- Based on Conceptual Model
- Open and Flexible
- Aligned to Major Standards

Governance and Management Objectives

• A governance or management objective always relates to one process (with an identical or similar name) and a series of related components of other types that help achieve the objective.
• A governance objective relates to a governance process, while a management objective relates to a management process.

Governance and Management Objectives

Governance Objectives
- Evaluate, Direct and Monitor (EDM)

Management Objectives
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)

Components of the Governance System

Organizational Structures
Principles, Policies and Frameworks
Culture, Ethics and Behavior
People, Skills and Competencies
Services, Infrastructure and Applications

Types of Components

Generic components are described in the COBIT core model and apply in principle to any situation.
Variants are based on generic components but are tailored for a specific purpose or context within a focus area (e.g., for information security, DevOps, a particular regulation).

Focus Areas


Goals Cascade

The goals cascade further supports translation of enterprise goals into priorities for alignment goals.
• Enterprise goals have been consolidated, reduced, updated and clarified.
• Alignment goals emphasize the alignment of all IT efforts with business objectives.

COBIT Performance Management (CPM) Principles

The CPM should be simple to understand and use.
The CPM should be consistent with, and support, the COBIT conceptual model.
The CPM should provide reliable, repeatable and relevant results.
The CPM must be flexible, so it can support the requirements of different organizations with different priorities and needs.
The CPM should support different types of assessment, from self-assessments to formal appraisals or audits.

COBIT Performance Management (CPM) Overview

Process activities are associated to capability levels.
Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance.
Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved.

Capability Levels for Processes

Didn't do
Have template
Quantitative, calculated
Continuous Improvement

Governance System Design Workflow

Impact of Design Factors

Management Objective Priority and Target Capability Levels
Component Variations
Specific Focus Areas

Maturity Levels for Focus Areas

Incomplete—Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area.
Initial—Work is completed, but the full goal and intent of the focus area are not yet achieved.
Managed—Planning and performance measurement take place, although not yet in a standardized way.
Defined—Enterprisewide standards provide guidance across the enterprise.
Quantitative—The enterprise is data driven, with quantitative performance improvement.
Optimizing—The enterprise is focused on continuous improvement.
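The CPM rule stated above (a focus area reaches a maturity level only when every process in it reaches the capability level required for that maturity level) is easy to get wrong in a spreadsheet, so here is an added Python example that applies it to a constructed assessment. This is not code from the cheat sheet or from ISACA: the focus area, its per-process capability requirements and the assessment results are invented for illustration; only the process ids (APO13, DSS05, DSS06) and the maturity level names come from this sheet.

```python
from typing import Dict, List, Tuple

# Maturity level names as listed on the cheat sheet (index = level 0..5).
MATURITY_LEVELS = ["Incomplete", "Initial", "Managed", "Defined", "Quantitative", "Optimizing"]

# Hypothetical focus area (constructed for this example, not ISACA's published
# focus-area guidance): for each process, the capability level it must reach
# for the focus area to claim maturity levels 1..5.
SECURITY_FOCUS_AREA: Dict[str, List[int]] = {
    "APO13": [1, 2, 3, 4, 5],  # Managed Security
    "DSS05": [1, 2, 3, 4, 5],  # Managed Security Services
    "DSS06": [1, 1, 2, 3, 4],  # Managed Business Process Controls (assumed to lag one level)
}


def focus_area_maturity(requirements: Dict[str, List[int]], assessed: Dict[str, int]) -> int:
    """Return the highest maturity level (0..5) the focus area has achieved.

    Level n is achieved only if every process meets its required capability
    for n. Levels must be met in order, and a process that was never assessed
    counts as capability 0 (Incomplete).
    """
    achieved = 0
    for level in range(1, 6):
        if all(assessed.get(proc, 0) >= req[level - 1] for proc, req in requirements.items()):
            achieved = level
        else:
            break  # an unmet lower level blocks every higher level
    return achieved


def capability_gaps(requirements: Dict[str, List[int]], assessed: Dict[str, int],
                    target: int) -> Dict[str, Tuple[int, int]]:
    """Map each process that blocks the target level to (assessed, required) capability."""
    return {
        proc: (assessed.get(proc, 0), req[target - 1])
        for proc, req in requirements.items()
        if assessed.get(proc, 0) < req[target - 1]
    }


if __name__ == "__main__":
    # Constructed self-assessment results: capability level per process.
    assessed = {"APO13": 3, "DSS05": 2, "DSS06": 2}
    level = focus_area_maturity(SECURITY_FOCUS_AREA, assessed)
    print(f"Focus area maturity: {level} ({MATURITY_LEVELS[level]})")
    print("Gaps to level 3:", capability_gaps(SECURITY_FOCUS_AREA, assessed, 3))
```

The gap report is the part worth keeping in a real assessment: it names the single process (here DSS05) whose capability holds the whole focus area at "Managed", which is where remediation budget should go.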

Implementation Road Map

COBIT Implementation Approach

What are the drivers?
Where are we now?
Where do we want to be?
What needs to be done?
How do we get there?
Did we get there?
How do we keep the momentum going?

Roles and Organizational Structures

Board: Group of the most senior executives and/or nonexecutive directors accountable for governance and overall control of enterprise resources
Executive Committee: Group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major decisions
Chief Executive Officer: Highest-ranking officer charged with the total management of the enterprise
Chief Information Officer: Most senior official responsible for aligning IT and business strategies and accountable for planning, resourcing and managing delivery of I&T services and solutions
Chief Technology Officer: Most senior official tasked with technical aspects of I&T, including managing and monitoring decisions related to I&T services, solutions and infrastructures

Cobit Objectives


EDM01 - Ensured Governance Framework Setting and Maintenance
Provide a consistent approach integrated and aligned with the enterprise governance approach. I&T-related decisions are made in line with the enterprise’s strategies and objectives and desired value is realized. To that end, ensure that I&T-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met.
EDM02 - Ensured Benefits Delivery
Secure optimal value from I&T-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.
EDM03 - Ensured Risk Optimization
Ensure that I&T-related enterprise risk does not exceed the enterprise’s risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.
EDM04 - Ensured Resource Optimization
Ensure that the resource needs of the enterprise are met in the optimal manner, I&T costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change.
EDM05 - Ensured Stakeholder Engagement
Ensure that stakeholders are supportive of the I&T strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that I&T-related objectives and strategies are in line with the enterprise’s strategy.


APO01 - Managed I&T Management Framework
Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behaviour; and services, infrastructure and applications.
APO02 - Managed Strategy
Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives.
APO03 - Managed Enterprise Architecture
Represent the different building blocks that make up the enterprise and its interrelationships as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives.
APO04 - Managed Innovation
Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies.
APO05 - Managed Portfolio
Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand.
APO06 - Managed Budget and Costs
Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services.
APO07 - Managed Human Resources
Optimize human resources capabilities to meet enterprise objectives.
APO08 - Managed Relationships
Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders.
APO09 - Managed Service Agreements
Ensure that I&T products, services and service levels meet current and future enterprise needs.
APO10 - Managed Vendors
Optimize available I&T capabilities to support the I&T strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing.
APO11 - Managed Quality
Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.
APO12 - Managed Risk
Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk.
APO13 - Managed Security
Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.
APO14 - Managed Data
Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives.


BAI01 - Managed Programs
Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio.
BAI02 - Managed Requirements Definition
Create optimal solutions that meet enterprise needs while minimizing risk.
BAI03 - Managed Solutions Identification and Build
Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives.
BAI04 - Managed Availability and Capacity
Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.
BAI05 - Managed Organizational Change
Prepare and commit stakeholders for business change and reduce the risk of failure.
BAI06 - Managed IT Changes
Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment.
BAI07 - Managed IT Change Acceptance and Transitioning
Implement solutions safely and in line with the agreed expectations and outcomes.
BAI08 - Managed Knowledge
Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.
BAI09 - Managed Assets
Account for all I&T assets and optimize the value provided by their use.
BAI10 - Managed Configuration
Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.
BAI11 - Managed Projects
Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and investment portfolio.

BAI06 - Change Types

- Standard changes
- Normal changes
- Emergency changes

BAI06 - The Purpose of Change Control

• A change is the addition, modification, or removal of anything that could have a direct or indirect effect on services.
• The purpose of the change control practice is to maximize the number of successful service and product changes by ensuring that risks have been properly assessed, authorizing changes to proceed, and managing the change schedule.
• The scope of change control is defined by each organization. It will typically include all IT infrastructure, applications, documentation, processes, supplier relationships, and anything else that might directly or indirectly impact a product or service.
• The person or group who authorizes a change is known as the change authority.
• The change schedule is used to help plan changes, assist in communication, avoid conflicts and assign resources.
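The three change types and the three duties of change control listed above (risk assessed, authorized by a change authority, placed on a conflict-free schedule) map naturally onto a small admission check. The Python below is an added example, not code from the cheat sheet or from ISACA; the change authority names (CAB, ECAB), the rule that standard changes are pre-authorized, and the sample schedule are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import List, Optional


class ChangeType(Enum):
    STANDARD = "standard"    # pre-authorized, low risk, follows an approved procedure
    NORMAL = "normal"        # assessed and authorized individually
    EMERGENCY = "emergency"  # expedited, but still needs an authority's sign-off


# Hypothetical change authority per change type (assumed for this example;
# each organization defines its own). None means the change is pre-authorized
# by the standard change model, so no per-change approval is needed.
CHANGE_AUTHORITY = {
    ChangeType.STANDARD: None,
    ChangeType.NORMAL: "CAB",
    ChangeType.EMERGENCY: "ECAB",
}


@dataclass
class Change:
    change_id: str
    change_type: ChangeType
    service: str
    start: datetime
    end: datetime
    risk_assessed: bool = False
    approved_by: Optional[str] = None  # change authority that authorized it


def overlaps(a: Change, b: Change) -> bool:
    """True if two changes touch the same service in overlapping windows."""
    return a.service == b.service and a.start < b.end and b.start < a.end


def evaluate_change(change: Change, schedule: List[Change]) -> List[str]:
    """Return the reasons a change must not proceed; an empty list means it may."""
    reasons: List[str] = []
    authority = CHANGE_AUTHORITY[change.change_type]
    # Standard changes were risk-assessed when their model was approved;
    # every other change needs its own assessment before authorization.
    if change.change_type is not ChangeType.STANDARD and not change.risk_assessed:
        reasons.append("risk not assessed")
    if authority is not None and change.approved_by != authority:
        reasons.append(f"not authorized by {authority}")
    # The schedule exists to avoid conflicts: flag overlapping work on one service.
    for other in schedule:
        if other.change_id != change.change_id and overlaps(change, other):
            reasons.append(f"schedule conflict with {other.change_id} on {other.service}")
    return reasons


# Constructed change schedule and candidate changes used by the demo.
SCHEDULE = [
    Change("CHG-1", ChangeType.NORMAL, "payroll-db",
           datetime(2024, 6, 1, 22, 0), datetime(2024, 6, 1, 23, 0),
           risk_assessed=True, approved_by="CAB"),
]
CANDIDATE_CONFLICT = Change("CHG-2", ChangeType.NORMAL, "payroll-db",
                            datetime(2024, 6, 1, 22, 30), datetime(2024, 6, 1, 23, 30),
                            risk_assessed=True, approved_by="CAB")
CANDIDATE_STANDARD = Change("CHG-3", ChangeType.STANDARD, "mail-relay",
                            datetime(2024, 6, 2, 9, 0), datetime(2024, 6, 2, 9, 30))
CANDIDATE_EMERGENCY_UNAPPROVED = Change("CHG-4", ChangeType.EMERGENCY, "web-frontend",
                                        datetime(2024, 6, 1, 14, 0), datetime(2024, 6, 1, 15, 0),
                                        risk_assessed=True)

if __name__ == "__main__":
    for candidate in (CANDIDATE_CONFLICT, CANDIDATE_STANDARD, CANDIDATE_EMERGENCY_UNAPPROVED):
        print(candidate.change_id, evaluate_change(candidate, SCHEDULE) or "authorized")
```

Returning every blocking reason rather than the first one matters in practice: a requester who is told only "schedule conflict" will reschedule and then be bounced again for missing approval, which is how emergency-change paths end up overused.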


DSS01 - Managed Operations
Deliver I&T operational product and service outcomes as planned.
DSS02 - Managed Service Requests and Incidents
Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents.
DSS03 - Managed Problems
Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.
DSS04 - Managed Continuity
Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).
DSS05 - Managed Security Services
Minimize the business impact of operational information security vulnerabilities and incidents.
DSS06 - Managed Business Process Controls
Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.


MEA01 - Managed Performance and Conformance Monitoring
Provide transparency of performance and conformance and drive achievement of goals.
MEA02 - Managed System of Internal Control
Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.
MEA03 - Managed Compliance With External Requirements
Ensure that the enterprise is compliant with all applicable external requirements.
MEA04 - Managed Assurance
Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches.

Design Factors

Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.

Enterprise Strategy
Organizations typically have a primary strategy and, at most, one secondary strategy.
Enterprise Goals supporting the enterprise strategy
Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, structured along the Balanced Scorecard (BSC) dimensions.
Risk Profile of the enterprise and current issues in relation to I&T
The risk profile identifies the sort of I&T-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.
I&T-Related Issues
A related method for an I&T risk assessment for the enterprise is to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized.
Threat Landscape
The threat landscape under which the enterprise operates can be classified.
Compliance Requirements
The compliance requirements to which the enterprise is subject can be classified according to the categories.
Role of IT
The role of IT for the enterprise can be classified.
Sourcing Model for IT
The sourcing model the enterprise adopts can be classified.
IT Implementation Methods
The methods the enterprise adopts can be classified.
Technology Adoption Strategy
The technology adoption strategy can be classified.
Enterprise Size
Two categories, as are identified for the design of an enterprise’s governance system.

DF - Enterprise Strategy

Strategy Archetype
Growth/Acquisition
The enterprise has a focus on growing (revenues).
Innovation/Differentiation
The enterprise has a focus on offering different and/or innovative products and services to their clients.
Cost Leadership
The enterprise has a focus on short-term cost minimization.
Client Service/Stability
The enterprise has a focus on providing stable and client-oriented service.

DF - Enterprise Goals

Enterprise Goals (grouped by Balanced Scorecard (BSC) dimension)
Portfolio of competitive products and services
Managed business risk
Compliance with external laws and regulations
Quality of financial information
Customer-oriented service culture
Business-service continuity and availability
Quality of management information
Optimization of internal business process functionality
Optimization of business process costs
Staff skills, motivation and productivity
Compliance with internal policies
Managed digital transformation programs
Product and business innovation

DF - Threat Landscape

The enterprise is operating under what are considered normal threat levels.
Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.

DF - Role of IT

Not crucial
Running and continuity
Driver for innovating
Critical for both running and innovating

DF - Sourcing Model for IT


DF - IT Implementation Methods


DF - Technology Adoption Strategy

First mover
Slow adopter
