Tips for Understanding the COBIT 5 Enabler of Process

By Lisa Young, CISA, CISM
COBIT Focus | 8 February 2016
The concept of process improvement has been around for centuries. Some of the earliest efforts to improve the efficiency of work began during the Industrial Revolution in the US and Europe. Eli Whitney[1] observed how much work was needed to remove cotton seeds from the boll by hand and invented a machine to automate the process in 1793. Fast forward to 1911 when Frederick Taylor[2] published The Principles of Scientific Management, in which he proposed that optimizing and simplifying jobs would yield greater productivity. In 1987, the first version of the International Organization for Standardization (ISO) ISO 9000 standard for quality management was introduced. Process management, performed with an eye toward quality in product and service delivery, is at the heart of the Deming Prize, the Malcolm Baldrige National Quality Award and the European Foundation for Quality Management (EFQM) Excellence Award, all of which grew out of the Total Quality Management movement of the 1980s. These examples are cited not as a history lesson, but as an argument asserting that the successful achievement of an organization’s strategic objectives is impacted by the performance of its people and its processes. An organization that practices quality management deploys defined, controlled, repeatable and measurable processes in a systemic way to guarantee that organized activities happen the way they are planned. This concept is at the heart of the Plan-Do-Check-Act model for continuous improvement credited to Dr. W. Edwards Deming.[3]
Processes and the associated detailed procedures are what we develop, document and then use to enable people
to perform their work in a consistent and repeatable manner. Processes are often thought of as the “what to do”
and generally define the roles required to perform the process. A procedure is often the “how to do it” and
generally defines the single role that will perform the procedure. While process is often described as one leg of the
people-process-technology triad, it may also be considered the glue that unifies the other aspects to achieve
organizational objectives.
It is essential when organizing a functional discipline that each function be established in an orderly way that can be
measured and controlled. Otherwise, why do it? Change for the sake of change or to comply with a new compliance
mandate rarely results in significant improvement or business benefit. Setting a process improvement objective
that is tied to improved capability to manage risk, increased efficiency in managing incidents, lowered numbers of
controls implemented or other business benefit sets the context for the change efforts.
Processes may include tools, methods, technology, people and practices to achieve goals in an ordered way. ISACA defines process as an interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer. The activities defined in a process are generally aided by a reference model such as COBIT 5, ITIL or the CERT Resilience Management Model (CERT-RMM) and may also reference the appropriate compliance guidelines, standards or regulations that have to be considered when performing the process.
When deciding the appropriate process areas to focus on for the process definition or improvement, consider areas:
• That may be causing “pain”
• In which the organization needs to develop competency
• That align with regulatory or industry initiatives
• That align with organizational objectives or other initiatives
• That support other process improvement initiatives such as Six Sigma
As you think about the time and effort needed to develop a process, ask yourself the following questions:
• Is the process important to the achievement of business goals or committed service level agreements (SLAs) with customers?
• Is there only one person who knows how to do the task?
• Do many people perform the task or is the task a shared responsibility?
If the answer to any of these questions is yes, then a defined process is needed. The benefits of using processes, especially for information security, incident handling and risk management activities, include:
• A picture is worth a thousand words. For example, showing someone the path of personally identifiable information (PII) as it flows through a third-party cloud in a visual process map is invaluable in demonstrating and communicating the risk that needs to be managed. This can enhance organizational agility to respond to changing business circumstances.
• Having a defined process for a shared task means that all who perform the activity do so in a consistent and high-quality way. This is especially important for tasks that need to be performed by staff with different experience levels to deliver a consistent and superior product or level of customer service.
• A defined process provides the means to control the variation in the delivery of a service or product. Policies or standards that are important to the organization can be designed into the process so that conformance is inherent in the delivery of the process. This is especially important to enhance knowledge transfer and integrate new members of the team faster.
• Productivity is increased when all who perform the process have a standard way to do so. This avoids rework and can be especially critical if the organization is considering outsourcing some of its current processes to a supplier or expanding organizational services in another geographic region.
However, before you can use processes to achieve the stated benefits, the process must be defined, documented
and available in a process asset library for all to use. Here are some tips for getting started with defining a process:
1. What is the reason for performing the process? The process definition should be defined along with the scope
and activities that occur in the process along with the roles responsible for performing the tasks.
2. What are the inputs needed to perform the process and what are the outputs, or work products, that are
generated by the process? This is where a common language and taxonomy of terms can be used to
standardize the descriptors and provide a common understanding across the organization.
3. What does the process look like? A graphical depiction of the process activities is critical. The graphic may also
include a map of the roles, both internal and external, that are required to perform the process.
4. What are the controls, policies, standards or guidelines that must be considered when performing the process?
This can be used to determine if the process is as efficient as it could be or demonstrate an excessive buildup of
controls that has occurred over time. It will also help in understanding if the process is aligned with the
organizational policies that are expected to be carried out by the process.
5. What conditions or dependencies must be satisfied before beginning a process? And what requirements must be met before ending the process? This provides a double check that the process as defined matches the process as performed in practice.
For those organizations that are looking to break down silos in functional areas, taking a process approach is often
a foundational step. Process integration, or convergence, relies on a set of integrated processes and procedures
that support the delivery of a product or service so that a holistic view of the business outcomes drives the work. A
defined process provides a means to establish a baseline from which to measure the implementation or
institutionalization of the current process. Once the processes are repeatable, they can be measured. Once they are
measurable, they can be assessed for improvement. The defined process provides a road map for specific areas of
improvement in the context of the organization’s business objectives and unique risk environment.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Endnotes
[1] Eli Whitney, 1765-1825, was a US inventor best known for inventing the cotton gin. Eli Whitney Museum and Workshop
[2] Frederick W. Taylor, 1856-1915, was a US engineer and inventor who is considered the father of scientific management. Encyclopaedia Britannica
[3] W. Edwards Deming, Ph.D., 1900-1993, was a US statistician, engineer, author and consultant. The W. Edwards Deming Institute