opexxx

COBIT5

Nov 9th, 2022
  1. EDM01 Ensure Governance Framework Setting and Maintenance Analyse and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.
  2. EDM01.01 Evaluate the governance system Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.
  3. EDM01.02 Direct the governance system Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision making.
  4. EDM01.03 Monitor the governance system Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.
  5. EDM02 Ensure Benefits Delivery Optimise the value contribution to the business from the business processes, IT services and IT assets resulting from investments made by IT at acceptable costs.
  6. EDM02.01 Evaluate value optimisation Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgement on any changes in direction that need to be given to management to optimise value creation.
  7. EDM02.02 Direct value optimisation Direct value management principles and practices to enable optimal value realisation from IT-enabled investments throughout their full economic life cycle.
  8. EDM02.03 Monitor value optimisation Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.
  9. EDM03 Ensure Risk Optimisation Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
  10. EDM03.01 Evaluate risk management Continually examine and make judgement on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.
  11. EDM03.02 Direct risk management Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
  12. EDM03.03 Monitor risk management Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
  13. EDM04 Ensure Resource Optimisation Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost.
  14. EDM04.01 Evaluate resource management Continually examine and make judgement on the current and future need for IT-related resources, options for resourcing (including sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the optimal manner.
  15. EDM04.02 Direct resource management Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.
  16. EDM04.03 Monitor resource management Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
  17. EDM05 Ensure Stakeholder Transparency Ensure that enterprise IT performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and the necessary remedial actions.
  18. EDM05.01 Evaluate stakeholder reporting requirements Continually examine and make judgement on the current and future requirements for stakeholder communication and reporting, including both mandatory reporting requirements (e.g., regulatory) and communication to other stakeholders. Establish the principles for communication.
  19. EDM05.02 Direct stakeholder communication and reporting Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.
  20. EDM05.03 Monitor stakeholder communication Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.
  21. APO01 Manage the IT Management Framework Clarify and maintain the governance of enterprise IT mission and vision. Implement and maintain mechanisms and authorities to manage information and the use of IT in the enterprise in support of governance objectives in line with guiding principles and policies.
  22. APO01.01 Define the organisational structure Establish an internal and extended organisational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
  23. APO01.02 Establish roles and responsibilities Establish, agree on and communicate roles and responsibilities of IT personnel, as well as other stakeholders with responsibilities for enterprise IT, that clearly reflect overall business needs and IT objectives and relevant personnel’s authority, responsibilities and accountability.
  24. APO01.03 Maintain the enablers of the management system Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise’s governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional co-operation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure).
  25. APO01.04 Communicate management objectives and direction Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
  26. APO01.05 Optimise the placement of the IT function Position the IT capability in the overall organisational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.
  27. APO01.06 Define information (data) and system ownership Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.
  28. APO01.07 Manage continual improvement of processes Assess, plan and execute the continual improvement of processes and their maturity to ensure that they are capable of delivering against enterprise, governance, management and control objectives. Consider COBIT process implementation guidance, emerging standards, compliance requirements, automation opportunities, and the feedback of process users, the process team and other stakeholders. Update the process and consider impacts on process enablers.
  29. APO01.08 Maintain compliance with policies and procedures Put in place procedures to maintain compliance with and performance measurement of policies and other enablers of the control framework, and enforce the consequences of non-compliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.
  30. APO02 Manage Strategy Provide a holistic view of the current business and IT environment, the future direction, and the initiatives required to migrate to the desired future environment. Leverage enterprise architecture building blocks and components, including externally provided services and related capabilities to enable nimble, reliable and efficient response to strategic objectives.
  31. APO02.01 Understand enterprise direction Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
  32. APO02.02 Assess the current environment, capabilities and performance Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services.
  33. APO02.03 Define the target IT capabilities Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, good practices and validated emerging technologies or innovation proposals.
  34. APO02.04 Conduct a gap analysis Identify the gaps between the current and target environments and consider the alignment of assets (the capabilities that support services) with business outcomes to optimise investment in and utilisation of the internal and external asset base. Consider the critical success factors to support strategy execution.
  35. APO02.05 Define the strategic plan and road map Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programmes, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritise the initiatives and combine them in a high-level road map.
  36. APO02.06 Communicate the IT strategy and direction Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.
  37. APO03 Manage Enterprise Architecture Establish a common architecture consisting of business process, information, data, application and technology architecture layers for effectively and efficiently realising enterprise and IT strategies by creating key models and practices that describe the baseline and target architectures. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components.
  38. APO03.01 Develop the enterprise architecture vision The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
  39. APO03.02 Define reference architecture The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
  40. APO03.03 Select opportunities and solutions Rationalise the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programmes to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints.
  41. APO03.04 Define architecture implementation Create a viable implementation and migration plan in alignment with the programme and project portfolios. Ensure that the plan is closely co-ordinated to ensure that value is delivered and the required resources are available to complete the necessary work.
  42. APO03.05 Provide enterprise architecture services The provision of enterprise architecture services within the enterprise includes guidance to and monitoring of implementation projects, formalising ways of working through architecture contracts, and measuring and communicating architecture’s value-add and compliance monitoring.
  43. APO04 Manage Innovation Maintain an awareness of information technology and related service trends, identify innovation opportunities, and plan how to benefit from innovation in relation to business needs. Analyse what opportunities for business innovation or improvement can be created by emerging technologies, services or IT-enabled business innovation, as well as through existing established technologies and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.
  44. APO04.01 Create an environment conducive to innovation Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
  45. APO04.02 Maintain an understanding of the enterprise environment Work with relevant stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified.
  46. APO04.03 Monitor and scan the technology environment Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realising the enterprise strategy, optimising costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyse emerging technologies or innovation ideas in the enterprise context.
  47. APO04.04 Assess the potential of emerging technologies and innovation ideas Analyse identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.
  48. APO04.05 Recommend appropriate further initiatives Evaluate and monitor the results of proof-of-concept initiatives and, if favourable, generate recommendations for further initiatives and gain stakeholder support.
  49. APO04.06 Monitor the implementation and use of innovation Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realised and to identify lessons learned.
  50. APO05 Manage Portfolio Execute the strategic direction set for investments in line with the enterprise architecture vision and the desired characteristics of the investment and related services portfolios, and consider the different categories of investments and the resources and funding constraints. Evaluate, prioritise and balance programmes and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Move selected programmes into the active services portfolio for execution. Monitor the performance of the overall portfolio of services and programmes, proposing adjustments as necessary in response to programme and service performance or changing enterprise priorities.
  51. APO05.01 Establish the target investment mix Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected ROI over the full economic life cycle, degree of risk, and type of benefit for the programmes in the portfolio. Adjust the enterprise and IT strategies where necessary.
  52. APO05.02 Determine the availability and sources of funds Determine potential sources of funds, different funding options and the implications of the funding source on the investment return expectations.
  53. APO05.03 Evaluate and select programmes to fund Based on the overall investment portfolio mix requirements, evaluate and prioritise programme business cases, and decide on investment proposals. Allocate funds and initiate programmes.
  54. APO05.04 Monitor, optimise and report on investment portfolio performance On a regular basis, monitor and optimise the performance of the investment portfolio and individual programmes throughout the entire investment life cycle.
  55. APO05.05 Maintain portfolios Maintain portfolios of investment programmes and projects, IT services and IT assets.
  56. APO05.06 Manage benefits achievement Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case.
  57. APO06 Manage Budget and Costs Manage the IT-related financial activities in both the business and IT functions, covering budget, cost and benefit management, and prioritisation of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed.
  58. APO06.01 Manage finance and accounting Establish and maintain a method to account for all IT-related costs, investments and depreciation as an integral part of the enterprise financial systems and chart of accounts to manage the investments and costs of IT. Capture and allocate actual costs, analyse variances between forecasts and actual costs, and report using the enterprise’s financial measurement systems.
  59. APO06.02 Prioritise resource allocation Implement a decision-making process to prioritise the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options.
  60. APO06.03 Create and maintain budgets Prepare a budget reflecting the investment priorities supporting strategic objectives based on the portfolio of IT-enabled programmes and IT services.
  61. APO06.04 Model and allocate costs Establish and use an IT costing model based on the service definition, ensuring that allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities.
  62. APO06.05 Manage costs Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed.
  63. APO07 Manage Human Resources Provide a structured approach to ensure optimal structuring, placement, decision rights and skills of human resources. This includes communicating the defined roles and responsibilities, learning and growth plans, and performance expectations, supported with competent and motivated people.
  64. APO07.01 Maintain adequate and appropriate staffing Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
  65. APO07.02 Identify key IT personnel Identify key IT personnel while minimising reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
  66. APO07.03 Maintain the skills and competencies of personnel Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programmes where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
  67. APO07.04 Evaluate employee job performance Perform timely performance evaluations on a regular basis against individual objectives derived from the enterprise’s goals, established standards, specific job responsibilities, and the skills and competency framework. Employees should receive coaching on performance and conduct whenever appropriate.
  68. APO07.05 Plan and track the usage of IT and business human resources Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.
  69. APO07.06 Manage contract staff Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the organisation’s policies and meet agreed-on contractual requirements.
  70. APO08 Manage Relationships Manage the relationship between the business and IT in a formalised and transparent way that ensures a focus on achieving a common and shared goal of successful enterprise outcomes in support of strategic goals and within the constraint of budgets and risk tolerance. Base the relationship on mutual trust, using open and understandable terms and common language and a willingness to take ownership and accountability for key decisions.
  71. APO08.01 Understand business expectations Understand current business issues and objectives and business expectations for IT. Ensure that requirements are understood, managed and communicated, and their status agreed on and approved.
  72. APO08.02 Identify opportunities, risk and constraints for IT to enhance the business Identify potential opportunities for IT to be an enabler of enhanced enterprise performance.
  73. APO08.03 Manage the business relationship Manage the relationship with customers (business representatives). Ensure that relationship roles and responsibilities are defined and assigned, and communication is facilitated.
  74. APO08.04 Co-ordinate and communicate Work with stakeholders and co-ordinate the end-to-end delivery of IT services and solutions provided to the business.
  75. APO08.05 Provide input to the continual improvement of services Continually improve and evolve IT-enabled services and service delivery to the enterprise to align with changing enterprise and technology requirements.
  76. APO09 Manage Service Agreements Align IT-enabled services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of IT services, service levels and performance indicators.
  77. APO09.01 Identify IT services Analyse business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.
  78. APO09.02 Catalogue IT-enabled services Define and maintain one or more service catalogues for relevant target groups. Publish and maintain live IT-enabled services in the service catalogues.
  79. APO09.03 Define and prepare service agreements Define and prepare service agreements based on the options in the service catalogues. Include internal operational agreements.
  80. APO09.04 Monitor and report service levels Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management.
  81. APO09.05 Review service agreements and contracts Conduct periodic reviews of the service agreements and revise when needed.
  82. APO10 Manage Suppliers Manage IT-related services provided by all types of suppliers to meet enterprise requirements, including the selection of suppliers, management of relationships, management of contracts, and reviewing and monitoring of supplier performance for effectiveness and compliance.
  83. APO10.01 Identify and evaluate supplier relationships and contracts Identify suppliers and associated contracts and categorise them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts.
  84. APO10.02 Select suppliers Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised with input from potential suppliers.
  85. APO10.03 Manage supplier relationships and contracts Formalise and manage the supplier relationship for each supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. Deal with contractual disputes.
  86. APO10.04 Manage supplier risk Identify and manage risk relating to suppliers’ ability to continually provide secure, efficient and effective service delivery.
  87. APO10.05 Monitor supplier performance and compliance Periodically review the overall performance of suppliers, compliance to contract requirements, and value for money, and address identified issues.
  88. APO11 Manage Quality Define and communicate quality requirements in all processes, procedures and the related enterprise outcomes, including controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.
  89. APO11.01 Establish a quality management system (QMS) Establish and maintain a QMS that provides a standard, formal and continuous approach to quality management for information, enabling technology and business processes that are aligned with business requirements and enterprise quality management.
  90. APO11.02 Define and manage quality standards, practices and procedures Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, organisational units, products or services.
  91. APO11.03 Focus quality management on customers Focus quality management on customers by determining their requirements and ensuring alignment with the quality management practices.
  92. APO11.04 Perform quality monitoring, control and reviews Monitor the quality of processes and services on an ongoing basis as defined by the QMS. Define, plan and implement measurements to monitor customer satisfaction with quality as well as the value the QMS provides. The information gathered should be used by the process owner to improve quality.
  93. APO11.05 Integrate quality management into solutions for development and service delivery Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.
  94. APO11.06 Maintain continuous improvement Maintain and regularly communicate an overall quality plan that promotes continuous improvement. This should include the need for, and benefits of, continuous improvement. Collect and analyse data about the QMS, and improve its effectiveness. Correct non-conformities to prevent recurrence. Promote a culture of quality and continual improvement.
  95. APO12 Manage Risk Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
  96. APO12.01 Collect data Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
  97. APO12.02 Analyse risk Develop useful information to support risk decisions that take into account the business relevance of risk factors.
  98. APO12.03 Maintain a risk profile Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.
  99. APO12.04 Articulate risk Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
  100. APO12.05 Define a risk management action portfolio Manage opportunities to reduce risk to an acceptable level as a portfolio.
  101. APO12.06 Respond to risk Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
  102. APO13 Manage Security Define, operate and monitor a system for information security management.
  103. APO13.01 Establish and maintain an information security management system (ISMS) Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
  104. APO13.02 Define and manage an information security risk treatment plan Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
  105. APO13.03 Monitor and review the ISMS Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyse data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.
  106. BAI01 Manage Programmes and Projects Manage all programmes and projects from the investment portfolio in alignment with enterprise strategy and in a co-ordinated way. Initiate, plan, control, and execute programmes and projects, and close with a post-implementation review.
  107. BAI01.01 Maintain a standard approach for programme and project management Maintain a standard approach for programme and project management that enables governance and management review and decision making and delivery management activities focussed on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner.
  108. BAI01.02 Initiate a programme Initiate a programme to confirm the expected benefits and obtain authorisation to proceed. This includes agreeing on programme sponsorship, confirming the programme mandate through approval of the conceptual business case, appointing programme board or committee members, producing the programme brief, reviewing and updating the business case, developing a benefits realisation plan, and obtaining approval from sponsors to proceed.
  109. BAI01.03 Manage stakeholder engagement Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.
  110. BAI01.04 Develop and maintain the programme plan Formulate a programme to lay the initial groundwork and to position it for successful execution by formalising the scope of the work to be accomplished and identifying the deliverables that will satisfy its goals and deliver value. Maintain and update the programme plan and business case throughout the full economic life cycle of the programme, ensuring alignment with strategic objectives and reflecting the current status and updated insights gained to date.
  112. BAI01.05 Launch and execute the programme Launch and execute the programme to acquire and direct the resources needed to accomplish the goals and benefits of the programme as defined in the programme plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report on the progress of the programme and to be able to make the case for funding up to the following stage-gate or release review.
  113. BAI01.06 Monitor, control and report on the programme outcomes Monitor and control programme (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the programme steering committee and the sponsors.
  114. BAI01.07 Start up and initiate projects within a programme Define and document the nature and scope of the project to confirm and develop amongst stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment programme. The definition should be formally approved by the programme and project sponsors.
  115. BAI01.08 Plan projects Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability.
  116. BAI01.09 Manage programme and project quality Prepare and execute a quality management plan, processes and practices, aligned with the QMS that describes the programme and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated programme and project plans.
  117. BAI01.10 Manage programme and project risk Eliminate or minimise specific risk associated with programmes and projects through a systematic process of planning, identifying, analysing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by programme and project management should be established and centrally recorded.
  118. BAI01.11 Monitor and control projects Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall programme, and report results to key stakeholders.
  119. BAI01.12 Manage project resources and work packages Manage project work packages by placing formal requirements on authorising and accepting work packages, and assigning and co-ordinating appropriate business and IT resources.
  120. BAI01.13 Close a project or iteration At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or iteration delivered the planned results and value. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the programme, and identify and document lessons learned for use on future projects, releases, iterations and programmes.
  121. BAI01.14 Close a programme Remove the programme from the active investment portfolio when there is agreement that the desired value has been achieved or when it is clear it will not be achieved within the value criteria set for the programme.
  122. BAI02 Manage Requirements Definition Identify solutions and analyse requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Co-ordinate with affected stakeholders the review of feasible options including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.
  123. BAI02.01 Define and maintain business functional and technical requirements Based on the business case, identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.
  124. BAI02.02 Perform a feasibility study and formulate alternative solutions Perform a feasibility study of potential alternative solutions, assess their viability and select the preferred option. If appropriate, implement the selected option as a pilot to determine possible improvements.
  125. BAI02.03 Manage requirements risk Identify, document, prioritise and mitigate functional, technical and information processing-related risk associated with the enterprise requirements and proposed solution.
  126. BAI02.04 Obtain approval of requirements and solutions Co-ordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.
  127. BAI03 Manage Solutions Identification and Build Establish and maintain identified solutions in line with enterprise requirements covering design, development, procurement/sourcing and partnering with suppliers/vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.
  128. BAI03.01 Design high-level solutions Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version.
  129. BAI03.02 Design detailed solution components Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external SLAs and OLAs.
  130. BAI03.03 Develop solution components Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.
  131. BAI03.04 Procure solution components Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.
  132. BAI03.05 Build solutions Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions.
  133. BAI03.06 Perform quality assurance (QA) Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures.
  134. BAI03.07 Prepare for solution testing Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
  135. BAI03.08 Execute solution testing Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritise errors and issues identified during testing.
  136. BAI03.09 Manage changes to requirements Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements.
  137. BAI03.10 Maintain solutions Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.
  138. BAI03.11 Define IT services and maintain the service portfolio Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio.
  139. BAI04 Manage Availability and Capacity Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements.
  140. BAI04.01 Assess current availability, performance and capacity and create a baseline Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against SLAs. Create availability, performance and capacity baselines for future comparison.
  141. BAI04.02 Assess business impact Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully agreed on and accepted by the customer. Ensure that, for vital business functions, the SLA availability requirements can be satisfied.
  142. BAI04.03 Plan for new or changed service requirements Plan and prioritise availability, performance and capacity implications of changing business needs and service requirements.
  143. BAI04.04 Monitor and review availability and capacity Monitor, measure, analyse, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up.
  144. BAI04.05 Investigate and address availability, performance and capacity issues Address deviations by investigating and resolving identified availability, performance and capacity issues.
  145. BAI05 Manage Organisational Change Enablement Maximise the likelihood of successfully implementing sustainable enterprisewide organisational change quickly and with reduced risk, covering the complete life cycle of the change and all affected stakeholders in the business and IT.
  146. BAI05.01 Establish the desire to change Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify actions to motivate stakeholders to accept and want to make the change work successfully.
  147. BAI05.02 Form an effective implementation team Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.
  148. BAI05.03 Communicate desired vision Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change, the impacts of not making the change, and the vision, the road map and the involvement required of the various stakeholders.
  149. BAI05.04 Empower role players and identify short-term wins Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning organisational structures and HR processes. Identify and communicate short-term wins that can be realised and are important from a change enablement perspective.
  150. BAI05.05 Enable operation and use Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.
  151. BAI05.06 Embed new approaches Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate, which may include enforcing compliance.
  152. BAI05.07 Sustain changes Sustain changes through effective training of new staff, ongoing communication campaigns, continued top management commitment, adoption monitoring and sharing of lessons learned across the enterprise.
  153. BAI06 Manage Changes Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritisation and authorisation, emergency changes, tracking, reporting, closure and documentation.
  154. BAI06.01 Evaluate, prioritise and authorise change requests Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritised, categorised, assessed, authorised, planned and scheduled.
  155. BAI06.02 Manage emergency changes Carefully manage emergency changes to minimise further incidents and make sure the change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorised after the change.
  156. BAI06.03 Track and report change status Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
  157. BAI06.04 Close and document the changes Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change.
  158. BAI07 Manage Change Acceptance and Transitioning Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.
  159. BAI07.01 Establish an implementation plan Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan, and a post-implementation review. Obtain approval from relevant parties.
  160. BAI07.02 Plan business process, system and data conversion Prepare for business process, IT service data and infrastructure migration as part of the enterprise’s development methods, including audit trails and a recovery plan should the migration fail.
  161. BAI07.03 Plan acceptance tests Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.
  162. BAI07.04 Establish a test environment Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads.
  163. BAI07.05 Perform acceptance tests Test changes independently in accordance with the defined test plan prior to migration to the live operational environment.
  164. BAI07.06 Promote to production and manage releases Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behaviour and results. If significant problems occur, revert back to the original environment based on the fallback/backout plan. Manage releases of solution components.
  165. BAI07.07 Provide early production support Provide early support to the users and IT operations for an agreed-on period of time to deal with issues and help stabilise the new solution.
  166. BAI07.08 Perform a post-implementation review Conduct a post-implementation review to confirm outcome and results, identify lessons learned, and develop an action plan. Evaluate and check the actual performance and outcomes of the new or changed service against the predicted performance and outcomes (i.e., the service expected by the user or customer).
  167. BAI08 Manage Knowledge Maintain the availability of relevant, current, validated and reliable knowledge to support all process activities and to facilitate decision making. Plan for the identification, gathering, organising, maintaining, use and retirement of knowledge.
  168. BAI08.01 Nurture and facilitate a knowledge-sharing culture Devise and implement a scheme to nurture and facilitate a knowledge-sharing culture.
  169. BAI08.02 Identify and classify sources of information Identify, validate and classify diverse sources of internal and external information required to enable effective use and operation of business processes and IT services.
  170. BAI08.03 Organise and contextualise information into knowledge Organise information based on classification criteria. Identify and create meaningful relationships between information elements and enable use of information. Identify owners and define and implement levels of access to knowledge resources.
  171. BAI08.04 Use and share knowledge Propagate available knowledge resources to relevant stakeholders and communicate how these resources can be used to address different needs (e.g., problem solving, learning, strategic planning and decision making).
  172. BAI08.05 Evaluate and retire information Measure the use and evaluate the currency and relevance of information. Retire obsolete information.
  173. BAI09 Manage Assets Manage IT assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), they are accounted for and physically protected, and those assets that are critical to support service capability are reliable and available. Manage software licences to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with licence agreements.
  174. BAI09.01 Identify and record current assets Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management.
  175. BAI09.02 Manage critical assets Identify assets that are critical in providing service capability and take steps to maximise their reliability and availability to support business needs.
  176. BAI09.03 Manage the asset life cycle Manage assets from procurement to disposal to ensure that assets are utilised as effectively and efficiently as possible and are accounted for and physically protected.
  177. BAI09.04 Optimise asset costs Regularly review the overall asset base to identify ways to optimise costs and maintain alignment with business needs.
  178. BAI09.05 Manage licences Manage software licences so that the optimal number of licences is maintained to support business requirements and the number of licences owned is sufficient to cover the installed software in use.
  179. BAI10 Manage Configuration Define and maintain descriptions and relationships between key resources and capabilities required to deliver IT-enabled services, including collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.
  180. BAI10.01 Establish and maintain a configuration model Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships amongst them. Include the CIs considered necessary to manage services effectively and to provide a single reliable description of the assets in a service.
  181. BAI10.02 Establish and maintain a configuration repository and baseline Establish and maintain a configuration management repository and create controlled configuration baselines.
  182. BAI10.03 Maintain and control configuration items Maintain an up-to-date repository of configuration items by populating with changes.
  183. BAI10.04 Produce status and configuration reports Define and produce configuration reports on status changes of configuration items.
  184. BAI10.05 Verify and review integrity of the configuration repository Periodically review the configuration repository and verify completeness and correctness against the desired target.
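BAI10.05 asks for periodic verification of the configuration repository against the desired target. The following is an added example of what that verification looks like in practice; it is not part of COBIT 5 and not any product's code. It compares a recorded baseline for one host against a freshly collected snapshot and reports three kinds of drift: CIs missing from the host, CIs on the host that the repository does not know about, and CIs whose recorded attributes differ. The CI schema and both data sets are constructed for the example.

```python
"""Configuration baseline verification.

Added example, not part of COBIT 5: compares a recorded configuration
baseline (the desired target) against a freshly collected snapshot of one
host and reports three kinds of drift: configuration items (CIs) missing
from the host, CIs present on the host but absent from the baseline, and
CIs whose recorded attributes differ. The CI schema and both data sets
below are constructed for the example.
"""

# Constructed baseline: CI name -> attributes recorded in the repository
BASELINE = {
    "sshd": {"version": "9.3p1", "PermitRootLogin": "no",
             "PasswordAuthentication": "no"},
    "nginx": {"version": "1.24.0", "server_tokens": "off"},
    "auditd": {"version": "3.1.1", "enabled": "yes"},
}

# Constructed live snapshot of the same host: auditd is gone, an unrecorded
# package appeared, and a security-relevant sshd setting was changed.
SNAPSHOT = {
    "sshd": {"version": "9.3p1", "PermitRootLogin": "yes",
             "PasswordAuthentication": "no"},
    "nginx": {"version": "1.24.0", "server_tokens": "off"},
    "netcat": {"version": "1.219"},
}


def verify_configuration(baseline, snapshot):
    """Return a drift report with keys 'missing', 'unexpected' and 'changed'.

    'changed' maps CI name -> {attribute: (expected, actual)} for every
    attribute that differs, including attributes present on one side only.
    """
    missing = sorted(set(baseline) - set(snapshot))
    unexpected = sorted(set(snapshot) - set(baseline))
    changed = {}
    for ci in sorted(set(baseline) & set(snapshot)):
        expected, actual = baseline[ci], snapshot[ci]
        diffs = {
            attr: (expected.get(attr), actual.get(attr))
            for attr in sorted(set(expected) | set(actual))
            if expected.get(attr) != actual.get(attr)
        }
        if diffs:
            changed[ci] = diffs
    return {"missing": missing, "unexpected": unexpected, "changed": changed}


def is_compliant(report):
    """True only when the snapshot matches the baseline exactly."""
    return not (report["missing"] or report["unexpected"] or report["changed"])


def format_report(report):
    """Render the drift report as lines suitable for a review record."""
    lines = []
    for ci in report["missing"]:
        lines.append(f"MISSING    {ci}: in baseline, not found on host")
    for ci in report["unexpected"]:
        lines.append(f"UNEXPECTED {ci}: on host, not in baseline")
    for ci, diffs in report["changed"].items():
        for attr, (exp, act) in diffs.items():
            lines.append(f"CHANGED    {ci}.{attr}: expected {exp!r}, found {act!r}")
    return lines or ["OK: snapshot matches baseline"]


if __name__ == "__main__":
    drift = verify_configuration(BASELINE, SNAPSHOT)
    print("\n".join(format_report(drift)))
```

The check is deliberately symmetric: an item on the host that the repository does not record is reported as drift just as a missing item is, because an unrecorded component is exactly what a single reliable description of the asset (BAI10.01) must not tolerate.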
  185. DSS01 Manage Operations Co-ordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.
  186. DSS01.01 Perform operational procedures Maintain and perform operational procedures and operational tasks reliably and consistently.
  187. DSS01.02 Manage outsourced IT services Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of service delivery.
  188. DSS01.03 Monitor IT infrastructure Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
  189. DSS01.04 Manage the environment Maintain measures for protection against environmental factors. Install specialised equipment and devices to monitor and control the environment.
  190. DSS01.05 Manage facilities Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
  191. DSS02 Manage Service Requests and Incidents Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.
  192. DSS02.01 Define incident and service request classification schemes Define incident and service request classification schemes and models.
  193. DSS02.02 Record, classify and prioritise requests and incidents Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.
  194. DSS02.03 Verify, approve and fulfil service requests Select the appropriate request procedures and verify that the service requests fulfil defined request criteria. Obtain approval, if required, and fulfil the requests.
  195. DSS02.04 Investigate, diagnose and allocate incidents Identify and record incident symptoms, determine possible causes, and allocate for resolution.
  196. DSS02.05 Resolve and recover from incidents Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
  197. DSS02.06 Close service requests and incidents Verify satisfactory incident resolution and/or request fulfilment, and close.
  198. DSS02.07 Track status and produce reports Regularly track, analyse and report incident and request fulfilment trends to provide information for continual improvement.
  199. DSS03 Manage Problems Identify and classify problems and their root causes and provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
  200. DSS03.01 Identify and classify problems Define and implement criteria and procedures to report problems identified, including problem classification, categorisation and prioritisation.
  201. DSS03.02 Investigate and diagnose problems Investigate and diagnose problems using relevant subject matter experts to assess and analyse root causes.
  202. DSS03.03 Raise known errors As soon as the root causes of problems are identified, create known-error records and an appropriate workaround, and identify potential solutions.
  203. DSS03.04 Resolve and close problems Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process if required to resolve errors. Ensure that the personnel affected are aware of the actions taken and the plans developed to prevent future incidents from occurring.
  204. DSS03.05 Perform proactive problem management Collect and analyse operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.
  205. DSS04 Manage Continuity Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.
  206. DSS04.01 Define the business continuity policy, objectives and scope Define business continuity policy and scope aligned with enterprise and stakeholder objectives.
  207. DSS04.02 Maintain a continuity strategy Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
  208. DSS04.03 Develop and implement a business continuity response Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
  209. DSS04.04 Exercise, test and review the BCP Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
  210. DSS04.05 Review, maintain and improve the continuity plan Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
  211. DSS04.06 Conduct continuity plan training Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
  212. DSS04.07 Manage backup arrangements Maintain availability of business-critical information.
  213. DSS04.08 Conduct post-resumption review Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
  214. DSS05 Manage Security Services Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.
  215. DSS05.01 Protect against malware Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
  216. DSS05.02 Manage network and connectivity security Use security measures and related management procedures to protect information over all methods of connectivity.
  217. DSS05.03 Manage endpoint security Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
  218. DSS05.04 Manage user identity and logical access Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their own access rights within business processes.
  219. DSS05.05 Manage physical access to IT assets Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
  220. DSS05.06 Manage sensitive documents and output devices Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
  221. DSS05.07 Monitor the infrastructure for security-related events Using intrusion detection tools, monitor the infrastructure for unauthorised access and ensure that any events are integrated with general event monitoring and incident management.
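DSS01.03 requires operations logs that let the time sequence of events be reconstructed, and DSS05.07 requires that what monitoring finds be fed into event monitoring and incident management. The block below is an added example serving both practices; it is not COBIT 5 text and not any product's code. It parses a constructed, timestamped authentication log, rebuilds the timeline of one source, and turns one pattern in that timeline (repeated failed logins followed by a success from the same source) into an incident record carrying the fields DSS02.02 would need to classify and prioritise it. The log format, the threshold and window, and the incident record schema are assumptions made for the example.

```python
"""Reconstructing an operations timeline and detecting a security event.

Added example, not part of COBIT 5. Covers two things the practices above
ask for: log entries that carry a timestamp, source and outcome so that a
sequence of events can be reconstructed later (DSS01.03), and a detector
that turns one pattern in that sequence, repeated failed logins from one
source followed by a success, into an incident record that can be handed
to incident management (DSS05.07). The log format, the threshold and
window, and the incident record fields are assumptions made here, not a
COBIT or product format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 UTC timestamp, event type, key=value fields
SAMPLE_LOG = """\
2022-11-09T08:00:01Z auth-fail user=alice src=203.0.113.7
2022-11-09T08:00:03Z auth-fail user=alice src=203.0.113.7
2022-11-09T08:00:05Z auth-fail user=admin src=203.0.113.7
2022-11-09T08:00:06Z auth-fail user=root src=203.0.113.7
2022-11-09T08:00:09Z auth-ok user=alice src=203.0.113.7
2022-11-09T08:15:00Z auth-fail user=bob src=198.51.100.2
2022-11-09T09:30:00Z auth-ok user=bob src=198.51.100.2
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts', 'event' and fields."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event, **fields}


def parse_log(text):
    """Parse all lines and return them in chronological order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def timeline(events, src):
    """Reconstruct what one source did, in order: list of (ts, event, user)."""
    return [(e["ts"], e["event"], e["user"]) for e in events if e["src"] == src]


def detect_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures from the same
    source inside the window. Returns a list of incident records."""
    incidents = []
    failures = defaultdict(list)  # src -> timestamps of failures seen so far
    for e in events:
        src = e["src"]
        if e["event"] == "auth-fail":
            failures[src].append(e["ts"])
        elif e["event"] == "auth-ok":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                incidents.append({
                    "category": "unauthorised-access",  # assumed classification scheme
                    "priority": "P1",                   # assumed: success after brute force
                    "src": src,
                    "user": e["user"],
                    "detected_at": e["ts"].isoformat(),
                    "evidence": [t.isoformat() for t in recent] + [e["ts"].isoformat()],
                })
            failures[src] = []  # a success closes the sequence for this source
    return incidents


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ts, ev, user in timeline(evts, "203.0.113.7"):
        print(ts.isoformat(), ev, user)
    for inc in detect_bruteforce_success(evts):
        print("INCIDENT", inc)
```

The incident record carries the timestamps of the evidence rather than a count, so that the investigator in DSS02.04 can go back to the log and replay exactly the sequence the detector saw. The same structure generalises to other sequence-based detections (for example a privilege change followed by an outbound connection); only the event names and window change.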
  222. DSS06 Manage Business Process Controls Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements and manage and operate adequate controls to ensure that information and information processing satisfy these requirements.
  223. DSS06.01 Align control activities embedded in business processes with enterprise objectives Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs.
  224. DSS06.02 Control the processing of information Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorised business use).
  225. DSS06.03 Manage roles, responsibilities, access privileges and levels of authority Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorise access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.
  226. DSS06.04 Manage errors and exceptions Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process.
  227. DSS06.05 Ensure traceability of information events and accountabilities Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives.
  228. DSS06.06 Secure information assets Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.
  229. MEA01 Monitor, Evaluate and Assess Performance and Conformance Collect, validate and evaluate business, IT and process goals and metrics. Monitor that processes are performing against agreed-on performance and conformance goals and metrics and provide reporting that is systematic and timely.
  230. MEA01.01 Establish a monitoring approach Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.
  231. MEA01.02 Set performance and conformance targets Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.
  232. MEA01.03 Collect and process performance and conformance data Collect and process timely and accurate data aligned with enterprise approaches.
  233. MEA01.04 Analyse and report performance Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.
  234. MEA01.05 Ensure the implementation of corrective actions Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
  235. MEA02 Monitor, Evaluate and Assess the System of Internal Control Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organise and maintain standards for internal control assessment and assurance activities.
  236. MEA02.01 Monitor internal controls Continuously monitor, benchmark and improve the IT control environment and control framework to meet organisational objectives.
  237. MEA02.02 Review business process controls effectiveness Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centres, and network operations centres. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.
  238. MEA02.03 Perform control self-assessments Encourage management and process owners to take positive ownership of control improvement through a continuing programme of self-assessment to evaluate the completeness and effectiveness of management’s control over processes, policies and contracts.
  239. MEA02.04 Identify and report control deficiencies Identify control deficiencies and analyse and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
  240. MEA02.05 Ensure that assurance providers are independent and qualified Ensure that the entities performing assurance are independent from the function, groups or organisations in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
  241. MEA02.06 Plan assurance initiatives Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.
  242. MEA02.07 Scope assurance initiatives Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.
  243. MEA02.08 Execute assurance initiatives Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.
  244. MEA03 Monitor, Evaluate and Assess Compliance with External Requirements Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
  245. MEA03.01 Identify external compliance requirements On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.
  246. MEA03.02 Optimise response to external requirements Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and good practice guidance for adoption and adaptation.
  247. MEA03.03 Confirm external compliance Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
  248. MEA03.04 Obtain assurance of external compliance Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.