How we work
We provide a bespoke service that helps organisations unlock IT value by transforming IT investments into business value. Our services include end-to-end IT governance implementation and management, IT auditing, IT project advisory and assurance, and enterprise risk management, as well as consulting on ISO/IEC 27001, POPI and COBIT requirements.
Our approach is to align the services we provide with the clients’ key strategic requirements, ensuring that the client’s unique requirements are taken into account when we design the solutions.
We endeavour to partner with business executives and owners to unlock IT value in support of business strategies, objectives and goals. Starting with the tone at the top, we advise management on aligning their information technology (IT) strategy with the business strategy, so that what IT delivers ultimately increases the value of the organisation.
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
(COBIT was originally an acronym for Control Objectives for Information and related Technology. Now it is so well-known that just COBIT is used to identify the framework.)
Based on five principles and seven enablers (see below), COBIT 5 uses governance and management practices to describe actions that are examples of good practices to effect governance and management over enterprise IT.
COBIT 5 clearly differentiates between the key areas of governance and management. To align with ISO/IEC 38500, COBIT 5 presents governance in terms of Evaluate, Direct and Monitor. These come directly from the standard’s “Model for Corporate governance of IT.”
While it no longer focuses on control objectives, COBIT 5 promotes a process assessment approach to determining an enterprise's status. This differs from the maturity model approach used in COBIT 4.1, which was based on CMMI (Capability Maturity Model Integration), a process model that defines what an organisation should do to promote behaviours that lead to improved performance. The process assessment approach comes from ISO/IEC 15504 (Information technology – Process assessment).
COBIT 5 is based on five key principles for governance and management of enterprise IT:
- Principle 1: Meeting Stakeholder Needs — Enterprises exist to create value for their stakeholders by maintaining a balance between the realisation of benefits and the optimisation of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. Because every enterprise has different objectives, an enterprise can customise COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.
- Principle 2: Covering the Enterprise End-to-End — COBIT 5 integrates governance of enterprise IT into enterprise governance:
  - It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the “IT function”, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  - It considers all IT-related governance and management enablers to be enterprise wide and end-to-end, i.e., inclusive of everything and everyone — internal and external — that is relevant to governance and management of enterprise information and related IT.
- Principle 3: Applying a Single, Integrated Framework — There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
- Principle 4: Enabling a Holistic Approach — Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
  - Principles, Policies and Frameworks
  - Processes
  - Organisational Structures
  - Culture, Ethics and Behaviour
  - Information
  - Services, Infrastructure and Applications
  - People, Skills and Competencies
- Principle 5: Separating Governance From Management — The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. COBIT 5’s view on this key distinction between governance and management is:
  - Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives. In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organisational structures at an appropriate level, particularly in larger, complex enterprises.
  - Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
Together, these five principles enable the enterprise to build an effective governance and management framework that optimises information and technology investment and use for the benefit of stakeholders.
The published standards related to “information technology – security techniques” are:

| Standard | Title / scope |
| --- | --- |
| ISO/IEC 27000 | Information security management systems – Overview and vocabulary |
| ISO/IEC 27001 | Information technology – Security techniques – Information security management systems – Requirements. The older ISO/IEC 27001:2005 standard relied on the Plan-Do-Check-Act cycle; the newer ISO/IEC 27001:2013 does not, but has been updated in other ways to reflect changes in technologies and in how organisations manage information. |
| ISO/IEC 27002 | Code of practice for information security management |
| ISO/IEC 27003 | Information security management system implementation guidance |
| ISO/IEC 27004 | Information security management – Measurement |
| ISO/IEC 27005 | Information security risk management |
| ISO/IEC 27006 | Requirements for bodies providing audit and certification of information security management systems |
| ISO/IEC 27007 | Guidelines for information security management systems auditing (focused on the management system) |
| ISO/IEC TR 27008 | Guidance for auditors on ISMS controls (focused on the information security controls) |
| ISO/IEC 27010 | Information security management for inter-sector and inter-organisational communications |
| ISO/IEC 27011 | Information security management guidelines for telecommunications organisations based on ISO/IEC 27002 |
| ISO/IEC 27013 | Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 |
| ISO/IEC 27014 | Information security governance |
| ISO/IEC TR 27015 | Information security management guidelines for financial services |
| ISO/IEC 27017 | Code of practice for information security controls based on ISO/IEC 27002 for cloud services |
| ISO/IEC 27018 | Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors |
| ISO/IEC 27031 | Guidelines for information and communication technology readiness for business continuity |
| ISO/IEC 27032 | Guideline for cybersecurity |
| ISO/IEC 27033-1 | Network security – Part 1: Overview and concepts |
| ISO/IEC 27033-2 | Network security – Part 2: Guidelines for the design and implementation of network security |
| ISO/IEC 27033-3 | Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues |
| ISO/IEC 27033-5 | Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs) |
| ISO/IEC 27034-1 | Application security – Part 1: Guideline for application security |
| ISO/IEC 27035 | Information security incident management |
| ISO/IEC 27036-3 | Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security |
| ISO/IEC 27037 | Guidelines for identification, collection, acquisition and preservation of digital evidence |
| ISO 27799 | Information security management in health using ISO/IEC 27002. The purpose of ISO 27799 is to provide guidance to health organisations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002 |
In preparation:

| Standard | Title / scope |
| --- | --- |
| ISO/IEC 27019 | Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry |
| ISO/IEC 27033 | IT network security, a multi-part standard based on ISO/IEC 18028:2006 (parts 1-3 are published already) |
| ISO/IEC 27036 | Guidelines for security in supplier relationships |
| ISO/IEC 27038 | Specification for redaction of digital documents |
| ISO/IEC 27039 | Intrusion detection and protection systems |
| ISO/IEC 27040 | Guideline on storage security |
| ISO/IEC 27041 | Assurance for digital evidence investigation methods |
| ISO/IEC 27042 | Analysis and interpretation of digital evidence |
| ISO/IEC 27043 | Digital evidence investigation principles and processes |
Contact Us
Phone
082 887 1770
info@egra.co.za