Appendix A: COBIT 5 Processes and Other Frameworks and Standards Used – Governance of Enterprise IT based on COBIT®5

| COBIT® Process No. | COBIT® Process Name | Related Guidance Frameworks and Standards |
|---|---|---|
| EDM01 | Ensure Governance Framework Setting and Maintenance | COSO, ISO/IEC 38500, King III, OECD |
| EDM02 | Ensure Benefits Delivery | COSO, ISO/IEC 38500, King III |
| EDM03 | Ensure Risk Optimisation | COSO/ERM, ISO/IEC 31000, ISO/IEC 38500, King III |
| EDM04 | Ensure Resource Optimisation | ISO/IEC 38500, King III, TOGAF® 9 |
| EDM05 | Ensure Stakeholder Transparency | COSO, ISO/IEC 38500, King III |
| APO01 | Manage the IT Management Framework | ISO/IEC 20000, ISO/IEC 27002 |
| APO02 | Manage Strategy | ITIL 2011 |
| APO03 | Manage Enterprise Architecture | TOGAF® 9 |
| APO04 | Manage Innovation | None |
| APO05 | Manage Portfolio | ISO/IEC 20000, ITIL 2011, SFIA |
| APO06 | Manage Budget and Costs | ISO/IEC 20000, ITIL 2011 |
| APO07 | Manage Human Resources | ISO/IEC 27002, SFIA |
| APO08 | Manage Relationships | ISO/IEC 20000, ITIL 2011 |
| APO09 | Manage Service Agreements | ISO/IEC 20000, ITIL 2011 |
| APO10 | Manage Suppliers | ISO/IEC 20000, ITIL 2011, PMBOK® |
| APO11 | Manage Quality | ISO 9001:2008 |
| APO12 | Manage Risk | ISO/IEC 27001:2005, ISO/IEC 27002:2011, ISO/IEC 31000 |
| APO13 | Manage Security | ISO/IEC 27001:2005, ISO/IEC 27002:2011, NIST SP 800-53 Rev 1 |
| BAI01 | Manage Programmes and Projects | PMBOK®, PRINCE2 |
| BAI02 | Manage Requirements Definitions | ITIL 2011 |
| BAI03 | Manage Solutions Identification and Build | None |
| BAI04 | Manage Availability and Capacity | ISO/IEC 20000, ITIL 2011 |
| BAI05 | Manage Organisational Change Enablement | Kotter (1996), Leading Change, Boston: Harvard Business School Press |
| BAI06 | Manage Changes | ISO/IEC 20000, ITIL 2011 |
| BAI07 | Manage Change Acceptance and Transitioning | ISO/IEC 20000, ITIL 2011, PMBOK®, PRINCE2 |
| BAI08 | Manage Knowledge | ITIL 2011 |
| BAI09 | Manage Assets | ITIL 2011 |
| BAI10 | Manage Configuration | ISO/IEC 20000, ITIL 2011 |
| DSS01 | Manage Operations | ITIL 2011 |
| DSS02 | Manage Service Requests and Incidents | ISO/IEC 20000, ISO/IEC 27002, ITIL 2011 |
| DSS03 | Manage Problems | ISO/IEC 20000, ITIL 2011 |
| DSS04 | Manage Continuity | BS 25999-2007 (now ISO 22301:2012), ISO/IEC 27002:2011, ITIL 2011 |
| DSS05 | Manage Security Services | ISO/IEC 27002:2011, NIST SP 800-53 Rev 1, ITIL 2011 |
| DSS06 | Manage Business Process Controls | None |
| MEA01 | Monitor, Evaluate and Assess Performance and Conformance | ISO/IEC 20000, ITIL 2011 |
| MEA02 | Monitor, Evaluate and Assess the System of Internal Controls | None |
| MEA03 | Monitor, Evaluate and Assess Compliance with External Requirements | None |