How we work

We provide a bespoke service that helps organisations unlock IT value by transforming IT investments into business value. Our services include full IT governance implementation and management, IT auditing, IT project advisory and assurance, and enterprise risk management. We also consult on ISO 27001, POPI and COBIT requirements.

Our approach is to align the services we provide with the clients’ key strategic requirements, ensuring that the client’s unique requirements are taken into account when we design the solutions.

We endeavour to partner with business executives and owners to unlock IT value in support of business strategies, objectives and goals. To ensure that the tone at the top is correct, we advise management on aligning their Information Technology (IT) strategy with the business strategy, so that what IT delivers ultimately increases the value of the organisation.

COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

(COBIT was originally an acronym for Control Objectives for Information and related Technology. Now it is so well-known that just COBIT is used to identify the framework.)

Based on five principles and seven enablers (see below), COBIT 5 uses governance and management practices to describe actions that are examples of good practices to effect governance and management over enterprise IT.

COBIT 5 clearly differentiates between the key areas of governance and management. To align with ISO/IEC 38500, COBIT 5 presents governance in terms of Evaluate, Direct and Monitor. These come directly from the standard’s “Model for Corporate governance of IT.”

While no longer focusing on control objectives, COBIT does promote the use of a process assessment approach to determining an enterprise’s status. This differs from COBIT 4.1, which promoted a maturity model approach based on CMMI (Capability Maturity Model Integration, a process model that provides a clear definition of what an organisation should do to promote behaviours that lead to improved performance). The process assessment approach comes from ISO/IEC 15504 (Information technology – Process assessment).

COBIT 5 is based on five key principles for governance and management of enterprise IT:

  • Principle 1: Meeting Stakeholder Needs — Enterprises exist to create value for their stakeholders by maintaining a balance between the realisation of benefits and the optimisation of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. Because every enterprise has different objectives, an enterprise can customise COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.
  • Principle 2: Covering the Enterprise End-to-End — COBIT 5 integrates governance of enterprise IT into enterprise governance:
    • It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the “IT function”, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
    • It considers all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone — internal and external — that is relevant to governance and management of enterprise information and related IT.
  • Principle 3: Applying a Single, Integrated Framework — There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
  • Principle 4: Enabling a Holistic Approach — Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
    • Principles, Policies and Frameworks
    • Processes
    • Organisational Structures
    • Culture, Ethics and Behaviour
    • Information
    • Services, Infrastructure and Applications
    • People, Skills and Competencies
  • Principle 5: Separating Governance From Management — The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. COBIT 5’s view on this key distinction between governance and management is:
    • Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives. In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organisational structures at an appropriate level, particularly in larger, complex enterprises.
    • Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).

Together, these five principles enable the enterprise to build an effective governance and management framework that optimises information and technology investment and use for the benefit of stakeholders.

The published standards related to “information technology – security techniques” are:

ISO/IEC 27000 – Information security management systems — Overview and vocabulary
ISO/IEC 27001 – Information technology – Security techniques – Information security management systems — Requirements. The older ISO/IEC 27001:2005 standard relied on the Plan-Do-Check-Act cycle; the newer ISO/IEC 27001:2013 does not, but has been updated in other ways to reflect changes in technologies and in how organisations manage information.
ISO/IEC 27002 – Code of practice for information security management
ISO/IEC 27003 – Information security management system implementation guidance
ISO/IEC 27004 – Information security management — Measurement
ISO/IEC 27005 – Information security risk management
ISO/IEC 27006 – Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007 – Guidelines for information security management systems auditing (focused on the management system)
ISO/IEC TR 27008 – Guidance for auditors on ISMS controls (focused on the information security controls)
ISO/IEC 27010 – Information security management for inter-sector and inter-organisational communications
ISO/IEC 27011 – Information security management guidelines for telecommunications organisations based on ISO/IEC 27002
ISO/IEC 27013 – Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27014 – Information security governance
ISO/IEC TR 27015 – Information security management guidelines for financial services
ISO/IEC 27017 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC 27031 – Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27032 – Guideline for cybersecurity
ISO/IEC 27033-1 – Network security – Part 1: Overview and concepts
ISO/IEC 27033-2 – Network security – Part 2: Guidelines for the design and implementation of network security
ISO/IEC 27033-3 – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
ISO/IEC 27033-5 – Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
ISO/IEC 27034-1 – Application security – Part 1: Guideline for application security
ISO/IEC 27035 – Information security incident management
ISO/IEC 27036-3 – Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security
ISO/IEC 27037 – Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO 27799 – Information security management in health using ISO/IEC 27002. The purpose of ISO 27799 is to provide guidance to health organisations and other holders of personal health information on how to protect such information through implementation of ISO/IEC 27002.

In preparation:

ISO/IEC 27019 – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
ISO/IEC 27033 – IT network security, a multi-part standard based on ISO/IEC 18028:2006 (parts 1-3 are published already)
ISO/IEC 27036 – Guidelines for security in supplier relationships
ISO/IEC 27038 – Specification for redaction of digital documents
ISO/IEC 27039 – Intrusion detection and protection systems
ISO/IEC 27040 – Guideline on storage security
ISO/IEC 27041 – Assurance for digital evidence investigation methods
ISO/IEC 27042 – Analysis and interpretation of digital evidence
ISO/IEC 27043 – Digital evidence investigation principles and processes

Contact Us

Phone: 082 887 1770

Email: info@egra.co.za