Management Awareness Diagnostic 1-Controlling IT

Risk: Who does it?

Importance = How important it is to the organization, on a scale of 1 (not at all) to 5 (very)
Performance = How well it is done, from 1 (very well) to 5 (don't know or poorly)
Formality = Existence of a contract, an SLA or a clearly documented procedure (Yes, No or ?)
Audited = Yes, No or ?
Responsible = Name or 'don't know'

Worksheet columns: COBIT 2019 Domains and Objectives; Importance; Performance; Formalized; Audited; Who does it? (Autopass IT, Other Autopass, Tecsomobi, Third parties, Don't know); Who is responsible?

Governance
Evaluate, Direct and Monitor
EDM01 Ensured Governance Framework Setting and Maintenance | Responsible: Rita Rodrigues
EDM02 Ensured Benefits Delivery | Responsible: Rita Rodrigues
EDM03 Ensured Risk Optimization | Responsible: Rita Rodrigues
EDM04 Ensured Resource Optimization | Responsible: Rita Rodrigues
EDM05 Ensured Stakeholder Engagement | Responsible: Rita Rodrigues

Management
Align, Plan and Organize
APO01 Managed I&T Management Framework | Responsible: Zilda Hessel
APO02 Managed Strategy | Responsible: Zilda Hessel
APO03 Managed Enterprise Architecture | Responsible: Rodrigo Costa
APO04 Managed Innovation | Responsible: Don't know
APO05 Managed Portfolio | Responsible: Rita Rodrigues
APO06 Managed Budget and Costs | Responsible: Rita Rodrigues
APO07 Managed Human Resources | Responsible: Brenda
APO08 Managed Relationships | Responsible: Everyone
APO09 Managed Service Agreements | Responsible: Everyone
APO10 Managed Vendors | Responsible: Rita Rodrigues
APO11 Managed Quality | Responsible: Rita Rodrigues
APO12 Managed Risk | Responsible: Rita Rodrigues
APO13 Managed Security | Responsible: Rodrigo Costa
APO14 Managed Data | Responsible: Douglas

Build, Acquire and Implement
BAI01 Managed Programs | Responsible: Moacir
BAI02 Managed Requirements Definition | Responsible: Moacir
BAI03 Managed Solutions Identification and Build | Responsible: Moacir
BAI04 Managed Availability and Capacity | Responsible: Rodrigo
BAI05 Managed Organizational Change | Responsible: Rita
BAI06 Managed IT Changes | Responsible: Adriano
BAI07 Managed IT Change Acceptance and Transitioning | Responsible: Adriano
BAI08 Managed Knowledge | Responsible: Moacir
BAI09 Managed Assets | Responsible: Rodrigo
BAI10 Managed Configuration | Responsible: Rodrigo
BAI11 Managed Projects | Responsible: Moacir

Deliver, Service and Support
DSS01 Managed Operations | Responsible: Adriano
DSS02 Managed Service Requests and Incidents | Responsible: Adriano
DSS03 Managed Problems | Responsible: Adriano
DSS04 Managed Continuity | Responsible: Rodrigo Costa
DSS05 Managed Security Services | Responsible: Rodrigo Costa
DSS06 Managed Business Process Controls | Responsible: Don't know

Monitor, Evaluate and Assess
MEA01 Managed Performance and Conformance Monitoring | Responsible: Rita
MEA02 Managed System of Internal Control | Responsible: Wagner
MEA03 Managed Compliance With External Requirements | Responsible: Wagner
MEA04 Managed Assurance | Responsible: Don't know

Copyright 2007 IT Governance Institute. All rights reserved.


Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

EDM01 Ensured Governance Framework Setting and Maintenance (Governance; Evaluate, Direct and Monitor)
Description: Analyze and articulate the requirements for the governance of enterprise IT. Implement and maintain governance components with clarity of authority and responsibilities to achieve the enterprise's mission, goals and objectives.


EDM02 Ensured Benefits Delivery (Governance; Evaluate, Direct and Monitor)
Description: Optimize the value to the business from investments in business processes, I&T services and I&T assets.


EDM03 Ensured Risk Optimization (Governance; Evaluate, Direct and Monitor)
Description: Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of I&T is identified and managed.


EDM04 Ensured Resource Optimization (Governance; Evaluate, Direct and Monitor)
Description: Ensure that adequate and sufficient business and I&T-related resources (people, processes and technology) are available to support enterprise objectives effectively and at optimal cost.


EDM05 Ensured Stakeholder Engagement (Governance; Evaluate, Direct and Monitor)
Description: Ensure that stakeholders are identified and engaged in the I&T governance system, and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and the corrective actions required.


APO01 Managed I&T Management Framework (Management; Align, Plan and Organize)
Description: Design the management system for enterprise I&T based on enterprise goals and other design factors. Based on this design, implement all required components of the management system.


APO02 Managed Strategy (Management; Align, Plan and Organize)
Description: Provide a holistic view of the current business and I&T environment, the future direction, and the initiatives required to migrate to the desired future environment. Ensure that the desired level of digitization is an integral part of the future direction and the I&T strategy. Assess the organization's current digital maturity and develop a roadmap to close the gaps. Together with the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation journey across the organization. Leverage enterprise architecture building blocks, governance components and the organization's ecosystem, including externally provided services and related capabilities, to enable a reliable but agile and efficient response to strategic objectives.


APO03 Managed Enterprise Architecture (Management; Align, Plan and Organize)
Description: Establish a common architecture consisting of business process, information, data, application and technology architecture layers. Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage between these components. Improve alignment, increase agility, improve the quality of information and generate potential cost savings through initiatives such as the reuse of building block components.


APO04 Managed Innovation (Management; Align, Plan and Organize)
Description: Maintain an awareness of I&T and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or I&T-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.


APO05 Managed Portfolio (Management; Align, Plan and Organize)
Description: Execute the strategic direction set for investments in line with the enterprise architecture vision and the I&T roadmap. Consider the different categories of investments and the resource and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise value and risk. Move selected programs into the active product or service portfolio for execution. Monitor the performance of the overall portfolio of products, services and programs, proposing adjustments as necessary in response to program, product or service performance or to changing enterprise priorities.


APO06 Managed Budget and Costs (Management; Align, Plan and Organize)
Description: Manage the I&T-related financial activities in both the business and IT functions, covering budgeting, cost and benefit management, and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where required.


APO07 Managed Human Resources (Management; Align, Plan and Organize)
Description: Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external).


APO08 Managed Relationships (Management; Align, Plan and Organize)
Description: Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and a combined focus on achieving the strategic objectives within the constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common language, and the willingness to take ownership and accountability for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in support of the enterprise objectives.


APO09 Managed Service Agreements (Management; Align, Plan and Organize)
Description: Align I&T-enabled products and services and service levels with enterprise needs and expectations, including the identification, specification, design, publishing, agreement and monitoring of I&T products and services, service levels and performance indicators.


APO10 Managed Vendors (Management; Align, Plan and Organize)
Description: Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and the review and monitoring of vendor performance and of the vendor ecosystem (including the upstream supply chain) for effectiveness and compliance.


APO11 Managed Quality (Management; Align, Plan and Organize)
Description: Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.


APO12 Managed Risk (Management; Align, Plan and Organize)
Description: Continually identify, assess and reduce I&T-related risk within the tolerance levels set by enterprise executive management.


APO13 Managed Security (Management; Align, Plan and Organize)
Description: Define, operate and monitor an information security and privacy management system.


APO14 Managed Data (Management; Align, Plan and Organize)
Description: Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving.


BAI01 Managed Programs (Management; Build, Acquire and Implement)
Description: Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control and execute programs, and monitor the expected value from each program.


BAI02 Managed Requirements Definition (Management; Build, Acquire and Implement)
Description: Identify solutions and analyze requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements, covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.


BAI03 Managed Solutions Identification and Build (Management; Build, Acquire and Implement)
Description: Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements, covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.


BAI04 Managed Availability and Capacity (Management; Build, Acquire and Implement)
Description: Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk, in order to plan and implement actions to meet the identified requirements.


BAI05 Managed Organizational Change (Management; Build, Acquire and Implement)
Description: Maximize the likelihood of successfully implementing sustainable enterprise-wide organizational change quickly and with reduced risk. Cover the complete life cycle of the change and all affected stakeholders in the business and in IT.


BAI06 Managed IT Changes (Management; Build, Acquire and Implement)
Description: Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation.


BAI07 Managed IT Change Acceptance and Transitioning (Management; Build, Acquire and Implement)
Description: Formally accept and make operational new solutions. Include implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and I&T services, early production support, and a post-implementation review.


Gestão Construir, BAI08 Gestão de Manter a disponibilidade de


Adquirir e Conhecimento conhecimento e informações
Implementar gerenciais relevantes, atuais, validadas
e confiáveis para apoiar todas as
atividades do processo e facilitar a
tomada de decisões relacionadas à
governança e gestão de TI da
empresa.

61
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

62
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

Gestão Construir, BAI09 Gestão de ativos Gerencie ativos de I&T ao longo de


Adquirir e seu ciclo de vida para garantir que seu
Implementar uso forneça valor a um custo ideal,
eles permaneçam operacionais
(adequados à finalidade) e sejam
contabilizados e fisicamente
protegidos. Certifique-se de que os
ativos essenciais para oferecer
suporte à capacidade de serviço sejam
confiáveis e estejam disponíveis.
Gerencie licenças de software para
garantir que o número ideal seja
adquirido, retido e implantado em
relação ao uso comercial necessário, e
que o software instalado esteja em
conformidade com os contratos de
licença.

63
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

64
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

Gestão Construir, BAI10 Gestão de configuração Defina e mantenha descrições e


Adquirir e relacionamentos entre os principais
Implementar recursos e capacidades necessários
para fornecer serviços habilitados para
I&T. Inclua a coleta de informações de
configuração, o estabelecimento de
linhas de base, a verificação e
auditoria de informações de
configuração e a atualização do
repositório de configuração.

65
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

Gestão Construir, BAI11 Gestão de projetos Gerenciar todos os projetos que são
Adquirir e iniciados dentro da empresa em
Implementar alinhamento com a estratégia da
empresa e de forma coordenada com
base na abordagem padrão de
gerenciamento de projetos. Iniciar,
planejar, controlar e executar
projetos, e fechar com uma revisão
pós-implementação.

66
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

67
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

68
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

69
Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management O

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

Management | Deliver, Service and Support | DSS01 | Operations Management | Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T services. Include the execution of predefined standard operating procedures and the required monitoring activities.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.
Management | Deliver, Service and Support | DSS03 | Problem Management | Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
Management | Deliver, Service and Support | DSS04 | Continuity Management | Establish and maintain a plan to enable the business and IT organizations to respond to incidents and adapt quickly to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain the availability of resources, assets and information at a level acceptable to the enterprise.
Management | Deliver, Service and Support | DSS05 | Security Services Management | Proteja as informações corporativas pa
Management | Deliver, Service and Support | DSS06 | Managed Business Process Controls | Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements.

Management | Monitor, Evaluate and Assess | MEA01 | Managed Performance and Conformance Monitoring | Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor the performance of processes and practices against agreed performance and conformance goals and metrics. Provide systematic and timely reporting.
Management | Monitor, Evaluate and Assess | MEA02 | Internal Controls Management | Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness.
Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance with External Requirements | Evaluate whether I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance.
Management | Monitor, Evaluate and Assess | MEA04 | Assurance Management | Plan, scope and execute initiatives to meet internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assessor reviews and activities.

Gerencie licenças de software para manter o número ideal de licenças e dar suporte aos r
Objective Purpose Statement | Practice ID | Practice Name | Responsible

Provide a consistent approach, integrated and aligned with the enterprise governance approach. I&T-related decisions are made in line with the enterprise's strategies and objectives and the desired value is realized. To that end, ensure that I&T-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met. | EDM01.01 | Evaluate the governance system. | Rita Rodrigues
| EDM01.02 | Direct the governance system. | Rita Rodrigues
| EDM01.03 | Monitor the governance system. | Rita Rodrigues
Secure optimal value from I&T-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of likely costs and benefits, so that business needs are supported effectively and efficiently. | EDM02.01 | Establish the target investment mix. | Rita Rodrigues
| EDM02.02 | Evaluate value optimization. | Rita Rodrigues
| EDM02.03 | Direct value optimization. | Rita Rodrigues
| EDM02.04 | Monitor value optimization. | Rita Rodrigues
Ensure that I&T-related enterprise risk does not exceed the enterprise's risk appetite and risk tolerance, that the impact of I&T risk on enterprise value is identified and managed, and that the potential for compliance failures is minimized. | EDM03.01 | Evaluate risk management. | Rita Rodrigues
| EDM03.02 | Direct risk management. | Rita Rodrigues
| EDM03.03 | Monitor risk management. | Rita Rodrigues
Ensure that the resource needs of the enterprise are met in the optimal manner, that I&T costs are optimized, and that there is an increased likelihood of benefit realization and readiness for future change. | EDM04.01 | Evaluate resource management. | Rita Rodrigues
| EDM04.02 | Direct resource management. | Rita Rodrigues
| EDM04.03 | Monitor resource management. | Rita Rodrigues
Ensure that stakeholders support the I&T strategy and road map, that communication with stakeholders is effective and timely, and that the basis for reporting is established to increase performance. Identify areas for improvement and confirm that I&T-related objectives and strategies are aligned with the enterprise's strategy. | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | Rita Rodrigues
| EDM05.02 | Direct stakeholder engagement, communication and reporting. | Rita Rodrigues
| EDM05.03 | Monitor stakeholder engagement. | Rita Rodrigues

Implement a consistent management approach so that enterprise governance requirements are met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications. | APO01.01 | Design the management system for enterprise I&T. | Rita Rodrigues
| APO01.02 | Communicate management objectives, direction and decisions made. | Rita Rodrigues
| APO01.03 | Implement management processes (to support the achievement of governance and management objectives). | Rita Rodrigues
| APO01.04 | Define and implement the organizational structures. | Rita Rodrigues
| APO01.05 | Establish roles and responsibilities. | Rita Rodrigues
| APO01.06 | Establish roles and responsibilities. | Rita Rodrigues
| APO01.07 | Define information (data) and system ownership. | Moacir
| APO01.08 | Define target skills and competencies. | Rita Rodrigues
| APO01.09 | Define and communicate policies and procedures. | Rita Rodrigues
| APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | Rita Rodrigues
| APO01.11 | Manage continual improvement of the I&T management system. | Rita Rodrigues

Support the organization's digital transformation strategy and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all the different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives. | APO02.01 | Understand the enterprise context and direction. | Rita Rodrigues
| APO02.02 | Assess the enterprise's current capabilities, performance and digital maturity. | Moacir
| APO02.03 | Define the target digital capabilities. | Moacir
| APO02.04 | Conduct a gap analysis. | Moacir
| APO02.05 | Define the strategic plan and road map. | Moacir
| APO02.06 | Communicate the I&T strategy and direction. | Rita Rodrigues
Represent the different building blocks that make up the enterprise and their interrelationships, as well as the principles guiding their design and evolution over time, to enable a standard, agile and efficient delivery of operational and strategic objectives. | APO03.01 | Develop the enterprise architecture vision. | Rodrigo
| APO03.02 | Define reference architecture. | Rodrigo
| APO03.03 | Select opportunities and solutions. | Rodrigo
| APO03.04 | Define architecture implementation. | Rodrigo
| APO03.05 | Provide enterprise architecture services. | Rodrigo

Achieve competitive advantage, business innovation, improved customer experience, and greater operational effectiveness and efficiency by exploiting I&T developments and emerging technologies. | APO04.01 | Create an environment conducive to innovation. | Moacir
| APO04.02 | Maintain an understanding of the enterprise environment. | Moacir
| APO04.03 | Monitor and analyze the technology environment. | Moacir
| APO04.04 | Assess the potential of emerging technologies and innovative ideas. | Moacir
| APO04.05 | Recommend further appropriate initiatives. | Moacir
| APO04.06 | Monitor the implementation and use of innovation. | Moacir
Optimize the performance of the overall portfolio of programs in response to the individual performance of programs, products and services and to changing enterprise priorities and demands. | APO05.01 | Determine the availability and sources of funds. | Rita Rodrigues
| APO05.02 | Evaluate and select programs to fund. | Rita Rodrigues
| APO05.03 | Monitor, optimize and report on investment portfolio performance. | Rita Rodrigues
| APO05.04 | Maintain portfolios. | Rita Rodrigues
| APO05.05 | Manage benefits achievement. | Rita Rodrigues

Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and to provide transparency and accountability for the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services. | APO06.01 | Manage finance and accounting. | Rita Rodrigues
| APO06.02 | Prioritize resource allocation. | Rita Rodrigues
| APO06.03 | Create and maintain budgets. | Rita Rodrigues
| APO06.04 | Model and allocate costs. | Rita Rodrigues
| APO06.05 | Manage costs. | Rita Rodrigues
Optimize human resources capabilities to meet enterprise objectives. | APO07.01 | Acquire and maintain adequate and appropriate staffing. | Rita Rodrigues
| APO07.02 | Identify key IT personnel. | Rita Rodrigues
| APO07.03 | Maintain the skills and competencies of the team. | Rita Rodrigues
| APO07.04 | Evaluate and recognize/reward employee job performance. | Rita Rodrigues
| APO07.05 | Plan and track the usage of IT and business human resources. | Rita Rodrigues
| APO07.06 | Manage contract staff. | Rita Rodrigues
Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders. | APO08.01 | Understand business expectations. | Rita Rodrigues
| APO08.02 | Align the I&T strategy with business expectations and identify opportunities for IT to enhance the business. | Rita Rodrigues
| APO08.03 | Manage the business relationship. | Rita Rodrigues
| APO08.04 | Coordinate and communicate. | Rita Rodrigues

| APO08.05 | Provide input to the continual improvement of services. | Rita Rodrigues
Ensure that I&T products, services and service levels meet current and future enterprise needs. | APO09.01 | Identify I&T services. | Rita Rodrigues
| APO09.02 | Catalog I&T-enabled services. | Rita Rodrigues
| APO09.03 | Define and prepare service agreements. | Rita Rodrigues
| APO09.04 | Monitor and report service levels. | Rita Rodrigues
| APO09.05 | Review service agreements and contracts. | Rita Rodrigues
Optimize available I&T resources to support the I&T strategy and road map, minimize the risk associated with non-performing or non-compliant vendors, and ensure competitive pricing. | APO10.01 | Identify and evaluate vendor relationships and contracts. | Rita Rodrigues
| APO10.02 | Select vendors. | Rita Rodrigues
| APO10.03 | Manage vendor relationships and contracts. | Rita Rodrigues
| APO10.04 | Manage vendor risk. | Rita Rodrigues
| APO10.05 | Monitor vendor performance and compliance. | Rita Rodrigues
Ensure consistent delivery of technology solutions and services to meet the enterprise's quality requirements and satisfy stakeholder needs. | APO11.01 | Establish a quality management system (QMS). | Rita Rodrigues
| APO11.02 | Focus quality management on customers. | Rita Rodrigues
| APO11.03 | Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. | Rita Rodrigues
| APO11.04 | Perform quality monitoring, control and reviews. | Rita Rodrigues

APO11.05 Manter a melhoria Rita Rodrigues


contínua.

Integre o gerenciamento do risco APO12.01 Coletar dados. Rita Rodrigues


empresarial relacionado à I&T com o
gerenciamento geral do risco empresarial
(ERM) e equilibre os custos e benefícios do
gerenciamento do risco empresarial
relacionado à I&T.

APO12.02 Analise o risco. Rita Rodrigues

APO12.03 Manter um perfil Rita Rodrigues


de risco.

123
anagement objectives in COBIT® 2019.
amework: Governance and Management Objectives.

Gerencie licenças de software para manter o número ideal de licenças e dar suporte aos r
Objective Purpose Statement Practice ID Practice Name Responsável

APO12.04 Risco articulado. Rita Rodrigues

APO12.05 Definir um Rita Rodrigues


portfólio de ações
de gerenciamento
de riscos.

APO12.06 Responda ao risco. Rita Rodrigues

Purpose statement (APO13): Keep the impact and occurrence of information security and privacy incidents within the enterprise's risk appetite levels.

APO13.01 | Establish and maintain an information security management system (ISMS). | Rodrigo
APO13.02 | Define and manage an information security risk treatment plan. | Rodrigo
APO13.03 | Monitor and review the information security management system (ISMS). | Rodrigo

Purpose statement (APO14): Ensure effective use of the critical data assets to achieve enterprise goals and objectives.

APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | Douglas
APO14.02 | Define and maintain a consistent business glossary. | Douglas
APO14.03 | Establish the processes and infrastructure for metadata management. | Douglas
APO14.04 | Define a data quality strategy. | Douglas
APO14.05 | Establish data profiling methodologies, processes and tools. | Douglas
APO14.06 | Ensure a data quality assessment approach. | Douglas
APO14.07 | Define the data cleansing approach. | Douglas
APO14.08 | Manage the life cycle of data assets. | Douglas
APO14.09 | Support data archiving and retention. | Douglas
APO14.10 | Manage data backup and restore arrangements. | Douglas

Purpose statement (BAI01): Realize the desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communication with and involvement of the business and end users, ensure the value and quality of program deliverables and the follow-up of projects within the programs, and maximize the program's contribution to the investment portfolio.

BAI01.01 | Maintain a standard approach for program management. | Rita Rodrigues
BAI01.02 | Initiate a program. | Rita Rodrigues
BAI01.03 | Manage stakeholder engagement. | Rita Rodrigues
BAI01.04 | Develop and maintain the program plan. | Rita Rodrigues
BAI01.05 | Launch and execute the program. | Rita Rodrigues
BAI01.06 | Monitor, control and report on the program outcomes. | Rita Rodrigues
BAI01.07 | Manage program quality. | Rita Rodrigues
BAI01.08 | Manage program risk. | Rita Rodrigues
BAI01.09 | Close a program. | Rita Rodrigues

Purpose statement (BAI02): Create optimal solutions that meet enterprise needs while minimizing risk.

BAI02.01 | Define and maintain business functional and technical requirements. | Moacir
BAI02.02 | Perform a feasibility study and formulate alternative solutions. | Moacir
BAI02.03 | Manage requirements risk. | Moacir
BAI02.04 | Obtain approval of requirements and solutions. | Moacir

Purpose statement (BAI03): Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting the enterprise's strategic and operational objectives.

BAI03.01 | Design high-level solutions. | Moacir
BAI03.02 | Design detailed solution components. | Moacir
BAI03.03 | Develop solution components. | Moacir
BAI03.04 | Procure solution components. | Moacir
BAI03.05 | Build solutions. | Moacir
BAI03.06 | Perform quality assurance (QA). | Moacir
BAI03.07 | Prepare for solution testing. | Moacir
BAI03.08 | Execute solution testing. | Moacir
BAI03.09 | Manage changes to requirements. | Moacir
BAI03.10 | Maintain solutions. | Moacir
BAI03.11 | Define IT products and services and maintain the service portfolio. | Moacir
BAI03.12 | Design solutions based on the defined development methodology. | Moacir

Purpose statement (BAI04): Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.

BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Rodrigo
BAI04.02 | Assess business impact. | Rodrigo
BAI04.03 | Plan for new or changed service requirements. | Rodrigo
BAI04.04 | Monitor and review availability and capacity. | Rodrigo
BAI04.05 | Investigate and address availability, performance and capacity issues. | Rodrigo

Purpose statement (BAI05): Prepare and commit stakeholders for business change and reduce the risk of failure.

BAI05.01 | Establish the desire to change. | Rita Rodrigues
BAI05.02 | Form an effective implementation team. | Rita Rodrigues
BAI05.03 | Communicate the desired vision. | Rita Rodrigues
BAI05.04 | Empower role players and identify short-term wins. | Rita Rodrigues
BAI05.05 | Enable operation and use. | Rita Rodrigues
BAI05.06 | Embed new approaches. | Rita Rodrigues
BAI05.07 | Sustain changes. | Rita Rodrigues

Purpose statement (BAI06): Enable fast and reliable delivery of change to the business. Reduce the risk of negatively affecting the stability or integrity of the changed environment.

BAI06.01 | Evaluate, prioritize and authorize change requests. | Adriano
BAI06.02 | Manage emergency changes. | Adriano
BAI06.03 | Track and report change status. | Adriano
BAI06.04 | Close and document the changes. | Adriano

Purpose statement (BAI07): Implement solutions safely and in line with the agreed expectations and outcomes.

BAI07.01 | Establish an implementation plan. | Adriano
BAI07.02 | Plan business process, system and data conversion. | Adriano
BAI07.03 | Plan acceptance tests. | Adriano
BAI07.04 | Establish a test environment. | Adriano
BAI07.05 | Perform acceptance tests. | Adriano
BAI07.06 | Promote to production and manage releases. | Adriano
BAI07.07 | Provide early production support. | Adriano
BAI07.08 | Perform a post-implementation review. | Adriano

Purpose statement (BAI08): Provide the knowledge and information required to support all staff in the governance and management of enterprise IT and allow for informed decision making.

BAI08.01 | Identify and classify sources of information for governance and management of I&T. | Rita Rodrigues
BAI08.02 | Organize and contextualize information into knowledge. | Rita Rodrigues
BAI08.03 | Use and share knowledge. | Rita Rodrigues
BAI08.04 | Evaluate and update or retire information. | Rita Rodrigues

Purpose statement (BAI09): Account for all I&T assets and optimize the value provided by their use.

BAI09.01 | Identify and record current assets. | Rodrigo
BAI09.02 | Manage critical assets. | Rodrigo
BAI09.03 | Manage the asset life cycle. | Rodrigo
BAI09.04 | Optimize asset value. | Rodrigo
BAI09.05 | Manage licenses. | Rodrigo

Purpose statement (BAI10): Provide sufficient information about service assets to enable the service to be managed effectively. Assess the impact of changes and deal with service incidents.

BAI10.01 | Establish and maintain a configuration model. | Rodrigo
BAI10.02 | Establish and maintain a configuration repository and baseline. | Rodrigo
BAI10.03 | Maintain and control configuration items. | Rodrigo
BAI10.04 | Produce status and configuration reports. | Rodrigo
BAI10.05 | Verify and review the integrity of the configuration repository. | Rodrigo

Purpose statement (BAI11): Realize the defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communication with and involvement of the business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and the investment portfolio.

BAI11.01 | Maintain a standard approach for project management. | Moacir
BAI11.02 | Start up and initiate a project. | Moacir
BAI11.03 | Manage stakeholder engagement. | Moacir
BAI11.04 | Develop and maintain the project plan. | Moacir
BAI11.05 | Manage project quality. | Moacir
BAI11.06 | Manage project risk. | Moacir
BAI11.07 | Monitor and control projects. | Moacir
BAI11.08 | Manage project resources and work packages. | Moacir
BAI11.09 | Close a project or iteration. | Moacir

Purpose statement (DSS01): Deliver I&T product and service operational outcomes as planned.

DSS01.01 | Perform operational procedures. | Rodrigo
DSS01.02 | Manage outsourced I&T services. | Rodrigo
DSS01.03 | Monitor I&T infrastructure. | Rodrigo
DSS01.04 | Manage the environment. | Rodrigo
DSS01.05 | Manage facilities. | Rodrigo

Purpose statement (DSS02): Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents.

DSS02.01 | Define classification schemes for incidents and service requests. | Adriano
DSS02.02 | Verify, approve and fulfill service requests. | Adriano
DSS02.03 | Verify, approve and fulfill service requests. | Adriano
DSS02.04 | Investigate, diagnose and allocate incidents. | Adriano
DSS02.05 | Resolve and recover from incidents. | Adriano
DSS02.06 | Close service requests and incidents. | Adriano
DSS02.07 | Track status and produce reports. | Adriano

Purpose statement (DSS03): Increase availability, improve service levels, reduce costs, and improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.

DSS03.01 | Identify and classify problems. | Adriano
DSS03.02 | Investigate and diagnose problems. | Adriano
DSS03.03 | Raise known errors. | Adriano
DSS03.04 | Resolve and close problems. | Adriano
DSS03.05 | Perform proactive problem management. | Adriano

Purpose statement (DSS04): Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).

DSS04.01 | Define the business continuity policy, objectives and scope. | Rita Rodrigues
DSS04.02 | Maintain business resilience. | Rita Rodrigues
DSS04.03 | Develop and implement a business continuity response. | Rita Rodrigues
DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | Rita Rodrigues
DSS04.05 | Review, maintain and improve the continuity plans. | Rita Rodrigues
DSS04.06 | Conduct continuity plan training. | Rita Rodrigues
DSS04.07 | Manage backup arrangements. | Rita Rodrigues
DSS04.08 | Conduct a post-resumption review. | Rita Rodrigues

Purpose statement (DSS05): Minimize the business impact of operational information security and privacy vulnerabilities and incidents.

DSS05.01 | Protect against malicious software. | Rodrigo
DSS05.02 | Manage network and connectivity security. | Rodrigo
DSS05.03 | Manage endpoint security. | Rodrigo
DSS05.04 | Manage user identity and logical access. | Rodrigo
DSS05.05 | Manage physical access to I&T assets. | Rodrigo
DSS05.06 | Manage sensitive documents and output devices. | Rodrigo
DSS05.07 | Manage vulnerabilities and monitor the infrastructure for security-related events. | Rodrigo

Purpose statement (DSS06): Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.

DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | Rodrigo
DSS06.02 | Control the processing of information. | Rodrigo
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Rodrigo
DSS06.04 | Manage errors and exceptions. | Rodrigo
DSS06.05 | Ensure traceability and accountability for information events. | Rodrigo
DSS06.06 | Secure information assets. | Rodrigo

Purpose statement (MEA01): Provide transparency of performance and conformance and drive the achievement of goals.

MEA01.01 | Establish a monitoring approach. | Rita Rodrigues
MEA01.02 | Set performance and conformance targets. | Rita Rodrigues
MEA01.03 | Collect and process performance and conformance data. | Rita Rodrigues
MEA01.04 | Analyze and report performance. | Rita Rodrigues
MEA01.05 | Ensure the implementation of corrective actions. | Rita Rodrigues

Purpose statement (MEA02): Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA02.01 | Monitor internal controls. | Rita Rodrigues
MEA02.02 | Review the effectiveness of business process controls. | Rita Rodrigues
MEA02.03 | Perform control self-assessments. | Rita Rodrigues
MEA02.04 | Identify and report control deficiencies. | Rita Rodrigues

Purpose statement (MEA03): Ensure that the enterprise is compliant with all applicable external requirements.

MEA03.01 | Identify external compliance requirements. | Rita Rodrigues
MEA03.02 | Optimize the response to external requirements. | Rita Rodrigues
MEA03.03 | Confirm external compliance. | Rita Rodrigues
MEA03.04 | Obtain assurance of external compliance. | Rita Rodrigues

Purpose statement (MEA04): Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities.

MEA04.01 | Ensure that assurance providers are independent and qualified. | Rita Rodrigues
MEA04.02 | Develop risk-based planning of assurance initiatives. | Rita Rodrigues
MEA04.03 | Determine the objectives of the assurance initiative. | Rita Rodrigues
MEA04.04 | Define the scope of the assurance initiative. | Rita Rodrigues
MEA04.05 | Define the work program for the assurance initiative. | Rita Rodrigues
MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | Rita Rodrigues
MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | Rita Rodrigues
MEA04.08 | Report and follow up on the assurance initiative. | Rita Rodrigues
MEA04.09 | Follow up on recommendations and actions. | Rita Rodrigues

ftware para manter o número ideal de licenças e dar suporte aos requisitos de negócios. Certifique-se de que o número de licenças possuídas seja suficiente para co
Practice Description

Identifique e envolva-se continuamente com as partes interessadas


da empresa, documente uma compreensão dos requisitos e avalie o
design atual e futuro da governança de TI corporativa.

Informar os líderes sobre os princípios de governança de I&T e


obter seu apoio, adesão e comprometimento. Orientar as
estruturas, processos e práticas de governança de T&7 em linha
com os princípios de governança acordados, modelos decisórios e
níveis de autoridade. Defina as informações necessárias para a
tomada de decisões informadas.

175
ftware para manter o número ideal de licenças e dar suporte aos requisitos de negócios. Certifique-se de que o número de licenças possuídas seja suficiente para co
Practice Description

Monitorar a eficácia e o desempenho da governança de I&T. Avaliar


se o sistema de governança e os mecanismos implementados
(incluindo estruturas, princípios e processos) estão operando de
forma eficaz e fornecer supervisão apropriada de I&T para permitir
a criação de valor.

Revisar e garantir a clareza das estratégias corporativas e de I&T e


dos serviços atuais. Definir um mix de investimentos adequado com
base no custo, alinhamento com a estratégia, tipo de benefício para
os programas do portfólio, grau de risco e medidas financeiras,
como custo e retorno esperado sobre o investimento (ROI) ao longo
de todo o ciclo de vida econômico. Ajustar as estratégias de
empresa e I&T quando necessário.

Avalie continuamente o portfólio de investimentos, serviços e ativos


habilitados para I&T para determinar a probabilidade de atingir os
objetivos da empresa e entregar valor. Identificar e avaliar
quaisquer mudanças na direção da gestão que otimizem a criação
de valor.

176
ftware para manter o número ideal de licenças e dar suporte aos requisitos de negócios. Certifique-se de que o número de licenças possuídas seja suficiente para co
Practice Description

Princípios e práticas diretas de gerenciamento de valor para


permitir a realização de valor ideal a partir de investimentos
habilitados para I&T durante todo o seu ciclo de vida econômico.

Verificar a resolução satisfatória de incidentes e/ou o atendimento


das solicitações e encerrar.

Examinar e avaliar continuamente o efeito do risco no uso atual e


futuro de I&T na empresa. Considere se o apetite de risco da
empresa é apropriado e assegure-se de que o risco para o valor da
empresa relacionado ao uso de I&T seja identificado e gerenciado.

Orientar o estabelecimento de práticas de gerenciamento de riscos


para fornecer segurança razoável de que as práticas de
gerenciamento de riscos de I&T são apropriadas e que o risco real
de I&T não excede o apetite de risco do conselho.

177
ftware para manter o número ideal de licenças e dar suporte aos requisitos de negócios. Certifique-se de que o número de licenças possuídas seja suficiente para co
Practice Description

Monitorar as principais metas e métricas dos processos de gestão


de riscos. Determine como os desvios ou problemas serão
identificados, rastreados e relatados para correção.

Continually examine and evaluate the current and future need for
business and I&T resources (financial and human), options for
resourcing (including sourcing strategies), and allocation and
management principles to meet the needs of the enterprise in the
optimal manner.

Garantir a adoção de princípios de gerenciamento de recursos para


permitir o uso otimizado dos recursos de negócios e I&T ao longo
de todo o seu ciclo de vida econômico.

Monitore as principais metas e métricas dos processos de


gerenciamento de recursos. Determine como os desvios ou
problemas serão identificados, rastreados e relatados para
correção.

178
ftware para manter o número ideal de licenças e dar suporte aos requisitos de negócios. Certifique-se de que o número de licenças possuídas seja suficiente para co
Practice Description

Continually examine and evaluate current and future requirements for stakeholder engagement and reporting (including reporting required by regulatory requirements) and communication to other stakeholders. Establish principles for engaging and communicating with stakeholders.

Ensure the establishment of effective stakeholder involvement, communication and reporting, including mechanisms for ensuring the quality and integrity of information, overseeing mandatory reporting, and creating a communication strategy for stakeholders.

Monitor the levels of stakeholder engagement and the effectiveness of stakeholder communication. Assess the mechanisms for ensuring accuracy, reliability and effectiveness, and verify that the requirements of the different stakeholders in terms of reporting and communication are met.

Design a management system tailored to the needs of the enterprise. The enterprise's management needs are defined through the use of the goals cascade and the application of design factors. Ensure that the governance components are integrated and aligned with the enterprise's governance and management philosophy and operating style.

Communicate awareness and promote understanding of I&T alignment and objectives to stakeholders across the enterprise. Communicate at regular intervals about important I&T-related decisions and their impact on the organization.

Define the target process capability levels and the implementation priority based on the design of the management system.

Implement the required internal and extended organizational structures (e.g., committees) in line with the management system design, enabling effective and efficient decision making. Ensure that the necessary information and technology expertise is included in the composition of the management structures.

Define and communicate roles and responsibilities for enterprise I&T, including levels of authority, responsibilities and accountability.

Position the IT capability in the overall organizational structure to reflect the strategic importance and operational dependency of IT within the enterprise. The reporting line of the CIO and the representation of IT in senior management should be commensurate with the importance of I&T within the enterprise.

Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners classify information and systems and protect them according to their classification.

Define the skills and competencies required to achieve the relevant management objectives.

Implement procedures to maintain compliance with, and performance measurement of, policies and other components of the control framework. Enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider them in the future design and improvement of the control framework.

Define and implement the infrastructure, services and applications to support the governance and management system (e.g., architecture repositories, risk management system, project management tools, cost tracking tools and incident monitoring tools).

Continually improve processes and other components of the management system to ensure that they can fulfil governance and management objectives. Consider COBIT implementation guidance, emerging standards, compliance requirements, automation opportunities and stakeholder feedback.

Understand the enterprise context (industry drivers, relevant regulations, basis for competition), its current way of working and its level of ambition in terms of digitization.

Assess the performance of current I&T services and develop an understanding of current business and I&T capabilities (both internal and external). Assess the enterprise's current digital maturity and its appetite for change.

Based on the understanding of the enterprise context and direction, define the target I&T products and services and the required capabilities. Consider reference standards, good practices and validated emerging technologies.

Identify gaps between the current and target environments and describe the high-level changes to the enterprise architecture.

Develop a holistic digital strategy, in cooperation with relevant stakeholders, and detail a road map that defines the incremental steps required to achieve the goals and objectives. Ensure focus on the transformation journey by appointing a person who helps lead the digital transformation and drives alignment between business and I&T.

Create awareness and understanding of the business and I&T objectives and direction, as captured in the I&T strategy, through communication to appropriate stakeholders and users throughout the enterprise.

The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision gives the sponsor a key tool for selling the benefits of the proposed capability to stakeholders within the enterprise. It describes how the new capability (in line with the I&T strategy and objectives) will meet the enterprise's goals and strategic objectives and address stakeholder concerns once implemented.

The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.

Rationalize the gaps between the baseline and target architectures, taking both business and technical perspectives into account, and logically group them into project work packages. Integrate the project with any related I&T-enabled investment programs to ensure that the architectural initiatives are aligned with, and enable, those initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise's transformation readiness and identify opportunities, solutions and all implementation constraints.

Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to deliver value and that the required resources are available to complete the necessary work.

Provide enterprise architecture services within the enterprise that include guidance to and monitoring of implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating the value of architecture and monitoring compliance.

Create an environment that is conducive to innovation, considering methods such as culture, reward, collaboration, technology forums and mechanisms to promote and capture employee ideas.

Work with relevant stakeholders to understand their challenges. Maintain an adequate understanding of the enterprise strategy, the competitive environment and other constraints, so that opportunities enabled by new technologies can be identified.

Set up a technology watch process to perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence and better enabling enterprise and I&T processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.

Analyze identified emerging technologies and/or other I&T innovation suggestions to understand their business potential. Work with stakeholders to validate assumptions about the potential of new technologies and innovation.

Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives. Gain stakeholder support.

Monitor the implementation and use of emerging technologies and innovations during adoption and integration and throughout the full economic life cycle, to ensure that the promised benefits are realized and to identify lessons learned.

Determine potential sources of funds, different funding options and the implications of the funding source for investment return expectations.

Based on the requirements for the overall investment portfolio mix and the I&T strategic plan and road map, evaluate and prioritize program business cases and decide on investment proposals. Allocate funds and initiate programs.

Regularly monitor and optimize the performance of the investment portfolio and of individual programs throughout the entire investment life cycle. Ensure continual follow-up of the portfolio's alignment with the I&T strategy.

Maintain portfolios of investment programs and projects, I&T products and services, and I&T assets.

Monitor the benefits of providing and maintaining appropriate IT products, services and capabilities, based on the agreed and current business case.

Establish and maintain a method to manage and account for all I&T-related costs, investments and depreciation as an integral part of the enterprise's financial systems and accounts. Report using the enterprise's financial measurement systems.

Implement a decision-making process to prioritize the allocation of resources and establish rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options.

Prepare a budget that reflects the investment priorities based on the portfolio of I&T-enabled programs and I&T services.

Establish and use an I&T costing model based, for example, on the service definition. This approach ensures that the allocation of costs for services is identifiable, measurable and predictable, and encourages the responsible use of resources, including those provided by service providers. Regularly review and benchmark the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities.

Implement a cost management process that compares actual costs to the budget. Costs should be monitored and reported. Deviations from the budget should be identified in a timely manner and their impact on enterprise processes and services assessed.

Evaluate internal and external staffing requirements on a regular basis, or upon major changes to the enterprise, operational or IT environments, to ensure that the enterprise has sufficient human resources to support its goals and objectives.

Identify key IT personnel. Use knowledge capture (documentation), knowledge sharing, succession planning and staff backup to minimize reliance on a single individual performing a critical job function.

Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience. Verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at the level required to achieve enterprise objectives.

Perform timely and regular performance evaluations against individual objectives derived from enterprise goals, established standards, specific job responsibilities, and the skills and competency framework. Implement a remuneration/recognition process that rewards successful attainment of performance goals.

Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT.

Ensure that consultants and contract personnel who support the enterprise with I&T skills know and comply with the organization's policies and meet the agreed contractual requirements.

Understand current business issues, objectives and expectations for I&T. Ensure that requirements are understood, managed and communicated, and that their status is agreed and approved.

Align I&T strategies with current business objectives and expectations to enable IT to be a value-adding partner to the business and a governance component for improving enterprise performance.

Manage the relationship between the IT service organization and its business partners. Ensure that relationship roles and responsibilities are defined and assigned, and that communication is facilitated.

Work with all relevant stakeholders and coordinate the end-to-end delivery of the I&T services and solutions provided to the business.

Continually improve and evolve I&T-enabled services and service delivery to the enterprise so that they stay aligned with changing enterprise objectives and technology requirements.

Analyze business requirements and the extent to which I&T-enabled services and service levels support business processes. Discuss and agree with the business on potential services and service levels. Compare potential service levels against the current service portfolio; identify new or changed services or service level options.

Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live I&T-enabled services in the service catalogs.

Define and prepare service agreements based on the options in the service catalogs. Include internal operational agreements.

Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management.

Conduct periodic reviews of the service agreements and revise them when needed.

Continuously search for and identify vendors and categorize them by type, significance and criticality. Establish criteria for evaluating vendors and contracts. Review the overall portfolio of existing and alternative vendors and contracts.

Select vendors according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimized with input from potential vendors.

Formalize and manage the vendor relationship for each vendor. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and to legal and regulatory requirements. Deal with contractual disputes.

Identify and manage risk relating to vendors' ability to continually deliver secure, efficient and effective services. This also includes the subcontractors or upstream vendors that are relevant to the direct vendor's service delivery.

Periodically review overall vendor performance, compliance with contract requirements and value for money. Address the issues identified.

Establish and maintain a quality management system (QMS) that provides a standard, formal and continuous approach to quality management for information. The QMS should enable technology and business processes to align with business requirements and enterprise quality management.

Focus quality management on customers by determining their requirements and ensuring their integration into quality management practices.

Identify and maintain standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed quality management standards (QMS). This activity should be in line with the requirements of the I&T control framework. Consider certification for key processes, organizational units, products or services.

Monitor the quality of processes and services on an ongoing basis, in line with quality management standards. Define, plan and implement measurements to monitor customer satisfaction with quality, as well as the value provided by the quality management system (QMS). The information gathered should be used by the process owner to improve quality.

Maintain and regularly communicate an overall quality plan that promotes continuous improvement. The plan should define the need for and benefits of continuous improvement. Collect and analyze data about the quality management system (QMS) and improve its effectiveness. Correct nonconformities to prevent recurrence.

Identify and collect relevant data to enable effective identification, analysis and reporting of I&T-related risk.

Develop a substantiated view of actual I&T risk, in support of risk decisions.

Maintain an inventory of known risk and risk attributes, including expected frequency, potential impact and responses. Document current resources, capabilities and control activities related to risk items.

Communicate information on the current state of I&T-related exposures and opportunities, in a timely manner, to all stakeholders required for an appropriate response.

Manage opportunities to reduce risk to an acceptable level as a portfolio.

Respond in a timely manner to materialized risk events with effective measures to limit the magnitude of loss.

Establish and maintain an information security management system (ISMS) that provides a standard, formal and continuous approach to information security and privacy management. Ensure that the system supports secure technology and business processes aligned with business requirements and with enterprise security and privacy management.

Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases, implemented as an integral part of service and solution development, and operated as an integral part of business operations.

Maintain and regularly communicate the need for, and benefits of, continuous improvement in information security. Collect and analyze data about the information security management system (ISMS) and improve its effectiveness. Correct nonconformities to prevent recurrence.

Define how to manage and improve the organization's data assets, in line with the enterprise strategy and objectives. Communicate the data management strategy to all stakeholders. Assign roles and responsibilities to ensure that corporate data are managed as critical assets and that the data management strategy is implemented and maintained in an effective and sustainable manner.

Create, approve, update and promote consistent business terms and definitions to foster the shared use of data across the organization.

Establish the processes and infrastructure for specifying and extending metadata on the organization's data assets, promote and support data sharing, ensure compliant use of data, improve responsiveness to business changes and reduce data-related risk.

Define an integrated, organization-wide strategy to achieve and maintain the level of data quality (e.g., completeness, integrity, accuracy, validity, traceability and timeliness) required to support business goals and objectives.

Implement standardized data profiling methodologies, processes, practices, tools and templates that can be applied across multiple data repositories and data stores.

Provide a systematic approach to measuring and evaluating data quality according to defined processes and techniques, and against the data quality rules.

Define the mechanisms, rules, processes and methods to validate and correct data according to predefined business rules.

Ensure that the organization understands, maps, inventories and controls its data flows through business processes over the data life cycle, from creation or acquisition to retirement.

Ensure that data maintenance meets organizational and regulatory requirements for the availability of historical data. Ensure that legal and regulatory requirements for data archiving and retention are met.

Manage the availability of critical data to ensure operational continuity.

Maintain a standard approach to program management.

Initiate a program to confirm the expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship, confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed.

Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information with all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.

Formulate a program to lay the initial groundwork. Position it for successful execution by formalizing the scope of work and identifying deliverables that will satisfy the goals and deliver value. Maintain and update the program plan and business case throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and the insights gained to date.

Launch and execute the program to acquire and direct the resources needed to achieve the goals and benefits of the program as defined in the program plan. In accordance with the stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report on progress and make the case for funding up to the following stage-gate or release review.

Monitor and control performance against the plan throughout the full economic life cycle of the investment, covering solution delivery at the program level and value/outcome at the enterprise level. Report performance to the program steering committee and the sponsors.

Prepare and execute a quality management plan, processes and practices aligned with the quality management standards (QMS). Describe the approach to program quality and its implementation. The plan should be formally reviewed and agreed by all parties concerned and incorporated into the integrated program plan.

Eliminate or minimize specific risk associated with programs through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Define and record any risk faced by program management.

Remove the program from the active investment portfolio when there is agreement that the desired value has been achieved, or when it is clear that it will not be achieved within the value criteria set for the program.

Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements, covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed I&T-enabled business solution.

Perform a feasibility study of potential alternative solutions, assess their viability and select the preferred option. Where appropriate, implement the selected option as a pilot to determine possible improvements.

Identify, document, prioritize and mitigate functional, technical and information-processing risk associated with the enterprise requirements, assumptions and proposed solution.

Coordinate feedback from affected stakeholders. At predetermined key stages, obtain approval and sign-off from the business sponsor or product owner on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.

Develop and document high-level designs for the solution in terms of technology, business processes and workflows. Use phased or rapid agile development techniques. Ensure alignment with the I&T strategy and enterprise architecture. Reassess and update the designs when significant issues occur during the detailed design or build phases, or as the solution evolves. Apply a user-centered approach; ensure that stakeholders actively participate in the design and approve each version.

Develop, document and elaborate detailed designs progressively. Use agreed and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting I&T applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs).

Develop solution components progressively in a separate environment, in accordance with the detailed designs and following development and documentation standards and requirements, quality assurance (QA) and approval. Ensure that all control requirements in the business processes, supporting I&T applications and infrastructure services, technology services and products, and partner/supplier services are met.

Procure solution components, based on the acquisition plan, in accordance with the requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.

Install and configure solutions and integrate them with business process activities. During configuration and integration of infrastructure hardware and software, implement control, security, privacy and auditability measures to protect resources and ensure availability and data integrity. Update the product or service catalog to reflect the new solutions.

Develop, resource and execute a QA plan aligned with the QMS to attain the quality specified in the requirements definition and in the enterprise's quality policies and procedures.

Establish a test plan and the environments required to test the individual and integrated components of the solution. Include the business processes and supporting services, applications and infrastructure.

During development, perform testing continually (including control testing), in accordance with the defined test plan and development practices, in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.

Track the status of individual requirements (including all rejected requirements) throughout the project life cycle. Manage the approval of changes to requirements.

Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.

Define and agree on new or changed IT products or services and service level options. Document the new or changed product and service definitions and service level options to be updated in the products and services portfolio.

Design, develop and implement solutions using the appropriate development methodology (i.e., waterfall, Agile or bimodal I&T), in accordance with the overall strategy and requirements.

Assess the availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and meet service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison.

Identify services that are important to the enterprise. Map services and resources to business processes and identify business dependencies. Ensure that the impact of unavailable resources is fully agreed on and accepted by the customer. For vital business functions, ensure that availability requirements can be met by the service level agreement (SLA).

Plan and prioritize the availability, performance and capacity implications of changing business needs and service requirements.

Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports, identifying any significant issues and variances. Initiate actions where necessary and ensure that all outstanding issues are addressed.

Address deviations by investigating and resolving the identified availability, performance and capacity issues.

Understand the scope and impact of the desired change. Assess stakeholder readiness and willingness to change. Identify actions that will motivate stakeholder acceptance and participation so that the change works successfully.

Establish an effective implementation team by assembling appropriate members, building trust, and setting common goals and effectiveness measures.

Communicate the desired vision for the change in the language of the people affected by it. The communication should come from senior management and include the rationale for and benefits of the change; the impact of not making the change; and the vision, the road map and the involvement required from the various stakeholders.

Empower those with implementation roles by assigning accountability. Provide training and align organizational structures and HR processes. Identify and communicate short-term wins that matter from a change-enablement perspective.

Plan and implement all technical, operational and usage aspects so that everyone involved in the future-state environment can exercise their responsibilities.

Embed the new approaches by tracking the implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate (which may include enforcing compliance).

Sustain changes through effective training of new staff, ongoing communication campaigns, continued commitment from senior management, monitoring of adoption, and sharing of lessons learned across the enterprise.

Evaluate all requests for change to determine the impact on business processes and I&T services, and to assess whether the change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.

Carefully manage emergency changes to minimize further incidents. Ensure that the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.

Maintain a tracking and reporting system to document rejected changes and to communicate the status of approved, in-process and completed changes. Ensure that approved changes are implemented as planned.

Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.

Establish an implementation plan that covers system and data conversion, acceptance test criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan and a post-implementation review. Obtain approval from the relevant parties.

Prepare for business process, I&T service data and infrastructure migration as part of the enterprise's development methods. Include audit trails and a recovery plan in case the migration fails.

Establish a test plan based on enterprise-wide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by the relevant parties.

Define and establish a secure test environment that is representative of the planned business process and IT operations environment in terms of performance, capacity, security, internal controls, operational practices, data quality, privacy requirements and workloads.

Test changes independently, in accordance with the defined test plan, before migrating them to the live operational environment.

Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and outcomes. If significant problems occur, revert to the original environment based on the fallback/backout plan. Manage releases of solution components.

For an agreed period of time, provide early support to users and I&T operations to resolve issues and help stabilize the new solution.

Conduct a post-implementation review to confirm outcomes and results, identify lessons learned and develop an action plan. Evaluate the actual performance and outcomes of the new or changed service against the performance and outcomes expected by the user or customer.

Identify, validate and classify the diverse internal and external sources of information needed to enable the governance and management of I&T, including strategy documents, incident reports and configuration information that progresses from development to operations before going live.

Organize information according to classification criteria. Identify and create meaningful relationships between information elements and enable use of the information. Identify owners, and leverage and implement enterprise-defined levels of access to management information and knowledge resources.

Propagate the available knowledge resources to the relevant stakeholders and communicate how these resources can be used to address different needs (e.g., problem solving, learning, strategic planning and decision making).

Measure the use of information and evaluate its currency and relevance. Update information or retire information that is obsolete.

Maintain an up-to-date and accurate record of all I&T assets required to deliver services that are owned or controlled by the organization with an expectation of future benefit (including resources with economic value, such as hardware or software). Ensure alignment with configuration management and financial management.

Identify the assets that are critical to providing service capability. Maximize their reliability and availability to support business needs.

Manage assets from procurement to disposal. Ensure that assets are used as effectively and efficiently as possible, and are accounted for and physically protected until they are appropriately retired.

Regularly review the overall asset base to identify ways to optimize value in alignment with business needs.

Manage software licenses to maintain the optimal number of licenses and support business requirements. Ensure that the number of licenses owned is sufficient to cover the installed software in use.

Establish and maintain a logical model of the services, assets, infrastructure and the record of configuration items (CIs), including the relationships among them. Include the CIs considered necessary to manage services effectively and to provide a single, reliable description of the assets in a service.

Establish and maintain a configuration management repository and create controlled configuration baselines.

Maintain an up-to-date repository of configuration items (CIs) by populating it with all configuration changes.

Define and produce configuration reports on status changes of configuration items.

Periodically review the configuration repository and verify its completeness and correctness against the desired target.

Maintain a standard approach to project management that enables governance and management review, decision making, and delivery management activities. These activities should focus consistently on business value and goals (i.e., requirements, risk, cost, schedule and quality targets).

Define and document the nature and scope of the project to confirm and develop a common understanding of project scope among stakeholders. The definition should be formally approved by the project sponsors.

Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.

Establish and maintain a formal, approved and integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability.

Prepare and execute a quality management plan, processes and practices aligned with the quality management system (QMS) standards. Describe the approach to project quality and its implementation. The plan should be formally reviewed and agreed on by all stakeholders and incorporated into the integrated project plans.

Eliminate or minimize specific risk associated with projects through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Define and record any risk faced by project management.

Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected targets. Assess the impact of deviations on the project and the overall program, and report the results to key stakeholders.

Manage project work packages by placing formal requirements on the authorization and acceptance of work packages, and by assigning and coordinating appropriate business and IT resources.

At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or iteration delivered the required results in terms of capabilities and contributed as expected to the program benefits. Identify and communicate any outstanding activities required to achieve the planned project results and/or program benefits. Identify and document lessons learned for future projects, releases, iterations and programs.

Maintain and perform operational procedures and operational tasks reliably and consistently.

Manage the operation of outsourced I&T services to maintain the protection of enterprise information and the reliability of service delivery.

Monitor the I&T infrastructure and related events. Store sufficient chronological information in operations logs to allow the reconstruction and review of the time sequences of operations and of the other activities surrounding or supporting operations.

Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.

Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

Define classification schemes and models for incidents and service requests.

Verify, approve and fulfill service requests.

Select the appropriate request procedures and verify that the service requests meet the defined request criteria. Obtain approval, if required, and fulfill the requests.

Identify and record incident symptoms, determine possible causes and allocate the incident for resolution.

Document, apply and test the identified solutions or workarounds. Perform recovery actions to restore the I&T-related service.

Verify the satisfactory resolution of incidents and/or fulfillment of requests, and close them.

Regularly track, analyze and report on incidents and request fulfillment. Examine trends to provide information for continual improvement.

Define and implement criteria and procedures to identify and report problems. Include the classification, categorization and prioritization of problems.

Investigate and diagnose problems using relevant subject matter experts to assess and analyze root causes.

As soon as the root causes of problems are identified, create known-error records, document appropriate workarounds and identify potential solutions.

Identify and initiate sustainable solutions that address the root cause. Raise change requests through the established change management process, if required, to resolve errors. Ensure that affected personnel are aware of the actions taken and of the plans developed to prevent future incidents from occurring.

Collect and analyze operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.

Define the business continuity policy and scope, aligned with enterprise and stakeholder objectives, to improve business resilience.

Evaluate business resilience options and choose a cost-effective, viable strategy that ensures enterprise continuity, disaster recovery and incident response in the face of a disaster or other major incident or disruption.

Develop a business continuity plan (BCP) and a disaster recovery plan (DRP) based on the strategy. Document all procedures necessary for the enterprise to continue critical activities in the event of an incident.

Test continuity regularly to exercise the plans against predetermined outcomes, maintain business resilience and allow innovative solutions to be developed.

Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plans in accordance with the change control process to ensure that continuity plans are kept up to date and continually reflect actual business requirements.

Provide all concerned internal and external parties with regular training sessions on the procedures and on their roles and responsibilities in case of disruption.

Maintain the availability of business-critical information.

Assess the adequacy of the business continuity plan (BCP) and disaster recovery plan (DRP) following the successful resumption of business processes and services after a disruption.

Implement and maintain preventive, detective and corrective measures (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malicious software (e.g., malware, ransomware, viruses, worms, spyware, spam).

Use security measures and related management procedures to protect information over all methods of connectivity.

Ensure that endpoints (e.g., laptops, desktops, servers, and other mobile and network devices or software) are secured at a level equal to or greater than the security and privacy requirements defined for the information they process, store or transmit.

Ensure that all users have information access rights in accordance with the privacy policy and the business requirements of their business unit. Coordinate with business units that manage their own access rights within business processes.

Define and implement procedures (including emergency procedures) to grant, limit and revoke access to premises, buildings and areas, according to business need. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This requirement applies to everyone who enters the premises, including staff, temporary staff, clients, vendors, visitors and any other third parties.

Establish appropriate physical safeguards, accounting practices and inventory management over sensitive I&T assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

Using a portfolio of tools and technologies (e.g., intrusion detection tools), manage vulnerabilities and monitor the infrastructure for unauthorized access. Ensure that security tools, technologies and detection capabilities are integrated with overall event monitoring and incident management.

Continually assess and monitor the execution of business process activities and related controls (based on enterprise risk) to ensure that processing controls are aligned with business needs.

Operate the execution of business process activities and related controls, based on enterprise risk. Ensure that information processing is valid, complete, accurate, timely and secure (i.e., that it reflects legitimate and authorized business use).

Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to all information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the enterprise knows where its data are and who is handling data on its behalf.

Manage business process exceptions and errors and facilitate their correction by performing the defined corrective actions and escalating as necessary. This handling of exceptions and errors provides assurance of the accuracy and integrity of the business information process.

Ensure that business information can be traced to the originating business event and associated with accountable parties. This traceability provides assurance that business information is reliable and has been processed in accordance with defined objectives.

Secure the information assets accessible to the business through approved methods, including information in electronic form (e.g., portable media devices, user applications and storage devices, or other methods that create new assets in any form), information in physical form (e.g., source documents or output reports) and information in transit. This benefits the business by providing end-to-end protection of information.

Engage with stakeholders to establish and maintain a monitoring approach that defines the objectives, scope and method for measuring business solution and service delivery and their contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.

Colete e processe dados oportunos e precisos alinhados com as


abordagens corporativas.

Revisar e reportar periodicamente o desempenho em relação às


metas. Use um método que forneça uma visão geral sucinta do
desempenho de I&T e se encaixe no sistema de monitoramento
corporativo.


Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

Continuously monitor, benchmark and improve the I&T control environment and control framework to meet organizational objectives.


Review the operation of controls, including evidence from monitoring and testing, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing, continuous monitoring, independent assessments, command and control centers, and network operations centers. This evidence provides assurance that the controlling enterprise meets the requirements related to its business, regulatory and social responsibilities.

Encourage management and process owners to improve controls proactively through a continuing program of self-assessment that evaluates the completeness and effectiveness of management's control over processes, policies and contracts.

Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report them to stakeholders.


On a continuous basis, monitor changes in local and international laws, regulations and other external requirements, and identify mandates for compliance from an I&T perspective.

Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider adopting and adapting industry standards, codes of good practice and good-practice guidance.

Confirm that policies, principles, standards, procedures and methodologies comply with legal, regulatory and contractual requirements.


Obtain and report assurance of compliance and adherence to policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps have been closed in a timely manner.

Ensure that the entities performing assurance are independent of the function, groups or organizations in scope. Entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.

Determine assurance objectives based on assessments of the internal and external environment and context, the risk of not achieving enterprise goals, and the opportunities associated with achieving those same goals.


Define and agree with all stakeholders on the objectives of the assurance initiative.

Define and agree with all stakeholders on the scope of the assurance initiative, based on the assurance objectives.

Define a detailed work program for the assurance initiative, structured according to the management objectives and governance components in scope.

Execute the planned assurance initiative. Validate and confirm the design of the internal controls in place. In addition, and specifically in internal audit engagements, consider the cost-effectiveness of the governance component design.


Execute the planned assurance initiative. Test whether the internal controls in place are adequate and sufficient. Test the outcome of the key management objectives within the scope of the assurance initiative.

Issue positive assurance opinions, where appropriate, and improvement recommendations relating to identified operational performance, external compliance and internal control deficiencies.

Agree on, follow up on and implement the identified improvement recommendations.

Listed below are the practices associated with each of the governance and management processes in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management Objectives.

Objectives: 40
Columns: Area; Domain; Objective ID; Objective; Objective Description; Objective Purpose Statement; New in COBIT 5; New in COBIT 2019; In 4.1.

EDM01 Ensured Governance Framework Setting and Maintenance
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Analyze and articulate the requirements for the governance of enterprise I&T. Put in place and maintain governance components with clarity of authority and responsibilities to achieve the enterprise's mission, goals and objectives.
Objective Purpose Statement: Provide a consistent approach integrated and aligned with the enterprise governance approach. I&T-related decisions are made in line with the enterprise's strategies and objectives and desired value is realized. To that end, ensure that I&T-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met.

EDM02 Ensured Benefits Delivery
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Optimize the value to the business from investments in business processes, I&T services and I&T assets.
Objective Purpose Statement: Secure optimal value from I&T-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.

EDM03 Ensured Risk Optimization
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of I&T is identified and managed.
Objective Purpose Statement: Ensure that I&T-related enterprise risk does not exceed the enterprise's risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.

EDM04 Ensured Resource Optimization
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Ensure that adequate and sufficient business and I&T-related resources (people, process and technology) are available to support enterprise objectives effectively and at optimal cost.
Objective Purpose Statement: Ensure that the resource needs of the enterprise are met in the optimal manner, I&T costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change.

EDM05 Ensured Stakeholder Engagement
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Ensure that stakeholders are identified and engaged in the I&T governance system and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and necessary remedial actions.
Objective Purpose Statement: Ensure that stakeholders are supportive of the I&T strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that I&T-related objectives and strategies are in line with the enterprise's strategy.

APO01 Managed I&T Management Framework
Area: Management; Domain: Align, Plan and Organize
Objective Description: Design the management system for enterprise I&T based on enterprise goals and other design factors. Based on this design, implement all required components of the management system.
Objective Purpose Statement: Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications.

APO02 Managed Strategy
Area: Management; Domain: Align, Plan and Organize
Objective Description: Provide a holistic view of the current business and I&T environment, the future direction, and the initiatives required to migrate to the desired future environment. Ensure that the desired level of digitization is integral to the future direction and the I&T strategy. Assess the organization's current digital maturity and develop a road map to close the gaps. With the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation journey across the organization. Leverage enterprise architecture building blocks, governance components and the organization's ecosystem, including externally provided services and related capabilities, to enable reliable but agile and efficient response to strategic objectives.
Objective Purpose Statement: Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives.

APO03 Managed Enterprise Architecture
Area: Management; Domain: Align, Plan and Organize
Objective Description: Establish a common architecture consisting of business process, information, data, application and technology architecture layers. Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components.
Objective Purpose Statement: Represent the different building blocks that make up the enterprise and its interrelationships as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

APO04 Managed Innovation
Area: Management; Domain: Align, Plan and Organize
Objective Description: Maintain an awareness of I&T and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or I&T-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.
Objective Purpose Statement: Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

APO05 Managed Portfolio
Area: Management; Domain: Align, Plan and Organize
Objective Description: Execute the strategic direction set for investments in line with the enterprise architecture vision and I&T road map. Consider the different categories of investments and the resources and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Move selected programs into the active products or services portfolio for execution. Monitor the performance of the overall portfolio of products and services and programs, proposing adjustments as necessary in response to program, product or service performance or changing enterprise priorities.
Objective Purpose Statement: Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

APO06 Managed Budget and Costs
Area: Management; Domain: Align, Plan and Organize
Objective Description: Manage the I&T-related financial activities in both the business and IT functions, covering budget, cost and benefit management and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where needed.
Objective Purpose Statement: Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

APO07 Managed Human Resources
Area: Management; Domain: Align, Plan and Organize
Objective Description: Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external).
Objective Purpose Statement: Optimize human resources capabilities to meet enterprise objectives.

APO08 Managed Relationships
Area: Management; Domain: Align, Plan and Organize
Objective Description: Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and a combined focus on achieving the strategic goals within the constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common language, and the willingness to take ownership and accountability for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in support of the enterprise objectives.
Objective Purpose Statement: Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

APO09 Managed Service Agreements
Area: Management; Domain: Align, Plan and Organize
Objective Description: Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of I&T products and services, service levels and performance indicators.
Objective Purpose Statement: Ensure that I&T products, services and service levels meet current and future enterprise needs.

APO10 Managed Vendors
Area: Management; Domain: Align, Plan and Organize
Objective Description: Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystem (including upstream supply chain) for effectiveness and compliance.
Objective Purpose Statement: Optimize available I&T capabilities to support the I&T strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing.

APO11 Managed Quality
Area: Management; Domain: Align, Plan and Organize
Objective Description: Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.
Objective Purpose Statement: Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.

APO12 Managed Risk
Area: Management; Domain: Align, Plan and Organize
Objective Description: Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management.
Objective Purpose Statement: Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk.

APO13 Managed Security
Area: Management; Domain: Align, Plan and Organize
Objective Description: Define, operate and monitor an information security system.
Objective Purpose Statement: Keep the impact and occurrence of information security privacy incidents within the enterprise's risk appetite levels.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

APO14 Managed Data
Area: Management; Domain: Align, Plan and Organize
Objective Description: Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving.
Objective Purpose Statement: Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

BAI01 Managed Programs
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control, and execute programs, and monitor expected value from the program.
Objective Purpose Statement: Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio.

BAI02 Managed Requirements Definition
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.
Objective Purpose Statement: Create optimal solutions that meet enterprise needs while minimizing risk.

BAI03 Managed Solutions Identification and Build
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.
Objective Purpose Statement: Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives.

BAI04 Managed Availability and Capacity
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements.
Objective Purpose Statement: Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.

BAI05 Managed Organizational Change
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and with reduced risk. Cover the complete life cycle of the change and all affected stakeholders in the business and IT.
Objective Purpose Statement: Prepare and commit stakeholders for business change and reduce the risk of failure.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

BAI06 Managed IT Changes
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure, and documentation.
Objective Purpose Statement: Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment.

BAI07 Managed IT Change Acceptance and Transitioning
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Formally accept and make operational new solutions. Include implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and I&T services, early production support, and a post-implementation review.
Objective Purpose Statement: Implement solutions safely and in line with the agreed expectations and outcomes.

BAI08 Managed Knowledge
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise I&T. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.
Objective Purpose Statement: Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

BAI09 Managed Assets
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Manage I&T assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), and they are accounted for and physically protected. Ensure that those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements.
Objective Purpose Statement: Account for all I&T assets and optimize the value provided by their use.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

BAI10 Managed Configuration
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Define and maintain descriptions and relationships among key resources and capabilities required to deliver I&T-enabled services. Include collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.
Objective Purpose Statement: Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.

BAI11 Managed Projects
Area: Management; Domain: Build, Acquire and Implement
Objective Description: Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review.
Objective Purpose Statement: Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and investment portfolio.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

DSS01 Managed Operations
Area: Management; Domain: Deliver, Service and Support
Objective Description: Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T services. Include the execution of predefined standard operating procedures and the required monitoring activities.
Objective Purpose Statement: Deliver I&T operational product and service outcomes as planned.

DSS02 Managed Service Requests and Incidents
Area: Management; Domain: Deliver, Service and Support
Objective Description: Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.
Objective Purpose Statement: Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents.

DSS03 Managed Problems
Area: Management; Domain: Deliver, Service and Support
Objective Description: Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
Objective Purpose Statement: Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.

DSS04 Managed Continuity
Area: Management; Domain: Deliver, Service and Support
Objective Description: Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise.
Objective Purpose Statement: Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).

DSS05 Managed Security Services
Area: Management; Domain: Deliver, Service and Support
Objective Description: Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges. Perform security monitoring.
Objective Purpose Statement: Minimize the business impact of operational information security vulnerabilities and incidents.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

DSS06 Managed Business Process Controls
Area: Management; Domain: Deliver, Service and Support
Objective Description: Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements.
Objective Purpose Statement: Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

MEA01 Managed Performance and Conformance Monitoring
Area: Management; Domain: Monitor, Evaluate and Assess
Objective Description: Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely.
Objective Purpose Statement: Provide transparency of performance and conformance and drive achievement of goals.

MEA02 Managed System of Internal Control
Area: Management; Domain: Monitor, Evaluate and Assess
Objective Description: Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness.
Objective Purpose Statement: Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA03 Managed Compliance With External Requirements
Area: Management; Domain: Monitor, Evaluate and Assess
Objective Description: Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance.
Objective Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.

MEA04 Managed Assurance
Area: Management; Domain: Monitor, Evaluate and Assess
Objective Description: Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities.
Objective Purpose Statement: Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches.
New in COBIT 5 / New in COBIT 2019 / In 4.1: Yes

Listed below are the practices associated with each of the governance and management objectives in COBIT® 2019.
The practices are sorted in the order in which they appear in COBIT® 2019 Framework: Governance and Management Objectives.

Objectives: 40
Practices: 231
Area Domain Objective ID Objective Objective Description

EDM01 Ensured Governance Framework Setting and Maintenance
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Analyze and articulate the requirements for the governance of enterprise I&T. Put in place and maintain governance components with clarity of authority and responsibilities to achieve the enterprise's mission, goals and objectives.


EDM02 Ensured Benefits Delivery
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Optimize the value to the business from investments in business processes, I&T services and I&T assets.



EDM03 Ensured Risk Optimization
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of I&T is identified and managed.


EDM04 Ensured Resource Optimization
Area: Governance; Domain: Evaluate, Direct and Monitor
Objective Description: Ensure that adequate and sufficient business and I&T-related resources (people, process and technology) are available to support enterprise objectives effectively and at optimal cost.


Governance | Evaluate, Direct and Monitor | EDM05 | Ensured Stakeholder Engagement | Ensure that stakeholders are identified and engaged in the I&T governance system and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and necessary remedial actions.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | Design the management system for enterprise I&T based on enterprise goals and other design factors. Based on this design, implement all required components of the management system.

Management | Align, Plan and Organize | APO02 | Managed Strategy | Provide a holistic view of the current business and I&T environment, the future direction, and the initiatives required to migrate to the desired future environment. Ensure that the desired level of digitization is integral to the future direction and the I&T strategy. Assess the organization's current digital maturity and develop a road map to close the gaps. With the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation journey across the organization. Leverage enterprise architecture building blocks, governance components and the organization's ecosystem, including externally provided services and related capabilities, to enable reliable but agile and efficient response to strategic objectives.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | Establish a common architecture consisting of business process, information, data, application and technology architecture layers. Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components.

Management | Align, Plan and Organize | APO04 | Managed Innovation | Maintain an awareness of I&T and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or I&T-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.

Management | Align, Plan and Organize | APO05 | Managed Portfolio | Execute the strategic direction set for investments in line with the enterprise architecture vision and I&T road map. Consider the different categories of investments and the resources and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Move selected programs into the active products or services portfolio for execution. Monitor the performance of the overall portfolio of products and services and programs, proposing adjustments as necessary in response to program, product or service performance or changing enterprise priorities.

Management | Align, Plan and Organize | APO06 | Managed Budget and Costs | Manage the I&T-related financial activities in both the business and IT functions, covering budget, cost and benefit management and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where needed.

Management | Align, Plan and Organize | APO07 | Managed Human Resources | Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external).

Management | Align, Plan and Organize | APO08 | Managed Relationships | Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and a combined focus on achieving the strategic goals within the constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common language, and the willingness to take ownership and accountability for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in support of the enterprise objectives.

Management | Align, Plan and Organize | APO09 | Managed Service Agreements | Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement and monitoring of I&T products and services, service levels and performance indicators.

Management | Align, Plan and Organize | APO10 | Managed Vendors | Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystem (including upstream supply chain) for effectiveness and compliance.

Management | Align, Plan and Organize | APO11 | Managed Quality | Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.

Management | Align, Plan and Organize | APO12 | Managed Risk | Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management.

Management | Align, Plan and Organize | APO13 | Managed Security | Define, operate and monitor a system for information security and privacy management.

Management | Align, Plan and Organize | APO14 | Managed Data | Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving.

Management | Build, Acquire and Implement | BAI01 | Managed Programs | Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control, and execute programs, and monitor expected value from the program.

Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.

Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.

Management | Build, Acquire and Implement | BAI04 | Managed Availability and Capacity | Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements.

Management | Build, Acquire and Implement | BAI05 | Managed Organizational Change | Maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and with reduced risk. Cover the complete life cycle of the change and all affected stakeholders in the business and IT.

Management | Build, Acquire and Implement | BAI06 | Managed IT Changes | Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure, and documentation.

Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | Formally accept and make operational new solutions. Include implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and I&T services, early production support, and a post-implementation review.

Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise I&T. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.

Management | Build, Acquire and Implement | BAI09 | Managed Assets | Manage I&T assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), and they are accounted for and physically protected. Ensure that those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements.

Management | Build, Acquire and Implement | BAI10 | Managed Configuration | Define and maintain descriptions and relationships among key resources and capabilities required to deliver I&T-enabled services. Include collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.

Management | Build, Acquire and Implement | BAI11 | Managed Projects | Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review.

Management | Deliver, Service and Support | DSS01 | Managed Operations | Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T services. Include the execution of predefined standard operating procedures and the required monitoring activities.

Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.

| Management | Deliver, Service and Support | DSS03 | Managed Problems | Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements. |

| Management | Deliver, Service and Support | DSS04 | Managed Continuity | Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise. |

| Management | Deliver, Service and Support | DSS05 | Managed Security Services | Protect enterprise information to mainta |

| Management | Deliver, Service and Support | DSS06 | Managed Business Process Controls | Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements. |

| Management | Monitor, Evaluate and Assess | MEA01 | Managed Performance and Conformance Monitoring | Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely. |

| Management | Monitor, Evaluate and Assess | MEA02 | Managed System of Internal Control | Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness. |

| Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance. |

| Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities. |

| Objective Purpose Statement | Practice ID | Practice Name | Practice Description |

| Provide a consistent approach integrated and aligned with the enterprise governance approach. I&T-related decisions are made in line with the enterprise's strategies and objectives and desired value is realized. To that end, ensure that I&T-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met. | EDM01.01 | Evaluate the governance system. | Continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and evaluate the current and future design of governance of enterprise I&T. |

|  | EDM01.02 | Direct the governance system. | Inform leaders on I&T governance principles and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of I&T in line with the agreed governance principles, decision-making models and authority levels. Define the information required for informed decision making. |

|  | EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise's governance of I&T. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of I&T to enable value creation. |

| Secure optimal value from I&T-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently. | EDM02.01 | Establish the target investment mix. | Review and ensure clarity of the enterprise and I&T strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, type of benefit for the programs in the portfolio, degree of risk, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle. Adjust the enterprise and I&T strategies where necessary. |

|  | EDM02.02 | Evaluate value optimization. | Continually evaluate the portfolio of I&T-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value. Identify and evaluate any changes in direction to management that will optimize value creation. |

|  | EDM02.03 | Direct value optimization. | Direct value management principles and practices to enable optimal value realization from I&T-enabled investments throughout their full economic life cycle. |

|  | EDM02.04 | Monitor value optimization. | Monitor key goals and metrics to determine whether the enterprise receives expected value and benefit from I&T-enabled investments and services. Identify significant issues and consider corrective actions. |

| Ensure that I&T-related enterprise risk does not exceed the enterprise's risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimized. | EDM03.01 | Evaluate risk management. | Continually examine and evaluate the effect of risk on the current and future use of I&T in the enterprise. Consider whether the enterprise's risk appetite is appropriate and ensure that risk to enterprise value related to the use of I&T is identified and managed. |

|  | EDM03.02 | Direct risk management. | Direct the establishment of risk management practices to provide reasonable assurance that I&T risk management practices are appropriate and that actual I&T risk does not exceed the board's risk appetite. |

|  | EDM03.03 | Monitor risk management. | Monitor the key goals and metrics of the risk management processes. Determine how deviations or problems will be identified, tracked and reported for remediation. |

| Ensure that the resource needs of the enterprise are met in the optimal manner, I&T costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change. | EDM04.01 | Evaluate resource management. | Continually examine and evaluate the current and future need for business and I&T resources (financial and human), options for resourcing (including sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the optimal manner. |

|  | EDM04.02 | Direct resource management. | Ensure the adoption of resource management principles to enable optimal use of business and I&T resources throughout their full economic life cycle. |

|  | EDM04.03 | Monitor resource management. | Monitor the key goals and metrics of the resource management processes. Determine how deviations or problems will be identified, tracked and reported for remediation. |

| Ensure that stakeholders are supportive of the I&T strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that I&T-related objectives and strategies are in line with the enterprise's strategy. | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | Continually examine and evaluate current and future requirements for stakeholder engagement and reporting (including reporting mandated by regulatory requirements), and communication to other stakeholders. Establish principles for engaging and communicating with stakeholders. |

|  | EDM05.02 | Direct stakeholder engagement, communication and reporting. | Ensure the establishment of effective stakeholder involvement, communication and reporting, including mechanisms for ensuring the quality and completeness of information, overseeing mandatory reporting, and creating a communication strategy for stakeholders. |

|  | EDM05.03 | Monitor stakeholder engagement. | Monitor stakeholder engagement levels and the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders in terms of reporting and communication are met. |

| Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications. | APO01.01 | Design the management system for enterprise I&T. | Design a management system tailored to the needs of the enterprise. Management needs of the enterprise are defined through the use of the goals cascade and by application of design factors. Ensure the governance components are integrated and aligned with the enterprise's governance and management philosophy and operating style. |

|  | APO01.02 | Communicate management objectives, direction and decisions made. | Communicate awareness and promote understanding of alignment and I&T objectives to stakeholders throughout the enterprise. Communicate at regular intervals on important I&T-related decisions and their impact for the organization. |

|  | APO01.03 | Implement management processes (to support the achievement of governance and management objectives). | Define target process capability levels and implementation priority based on the management system design. |

|  | APO01.04 | Define and implement the organizational structures. | Put in place the required internal and extended organizational structures (e.g., committees) per the management system design, enabling effective and efficient decision making. Ensure that required technology and information knowledge is included in the composition of management structures. |

|  | APO01.05 | Establish roles and responsibilities. | Define and communicate roles and responsibilities for enterprise I&T, including authority levels, responsibilities and accountability. |

|  | APO01.06 | Optimize the placement of the IT function. | Position the IT capabilities in the overall organizational structure to reflect the strategic importance and operational dependency of IT within the enterprise. The reporting line of the CIO and representation of IT within senior management should be commensurate with the importance of I&T within the enterprise. |

|  | APO01.07 | Define information (data) and system ownership. | Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners classify information and systems and protect them in line with their classification. |

|  | APO01.08 | Define target skills and competencies. | Define the required skills and competencies to achieve relevant management objectives. |

|  | APO01.09 | Define and communicate policies and procedures. | Put in place procedures to maintain compliance with and performance measurement of policies and other components of the control framework. Enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. |

|  | APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | Define and implement infrastructure, services and applications to support the governance and management system (e.g., architecture repositories, risk management system, project management tools, cost-tracking tools and incident monitoring tools). |

|  | APO01.11 | Manage continual improvement of the I&T management system. | Continually improve processes and other management system components to ensure that they can deliver against governance and management objectives. Consider COBIT implementation guidance, emerging standards, compliance requirements, automation opportunities and the feedback of stakeholders. |

| Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives. | APO02.01 | Understand enterprise context and direction. | Understand the enterprise context (industry drivers, relevant regulations, basis for competition), its current way of working and its ambition level in terms of digitization. |

|  | APO02.02 | Assess current capabilities, performance and digital maturity of the enterprise. | Assess the performance of current I&T services and develop an understanding of current business and I&T capabilities (both internal and external). Assess current digital maturity of the enterprise and its appetite for change. |

|  | APO02.03 | Define target digital capabilities. | Based on the understanding of enterprise context and direction, define the target I&T products and services and required capabilities. Consider reference standards, best practices and validated emerging technologies. |

|  | APO02.04 | Conduct a gap analysis. | Identify gaps between current and target environments and describe the high-level changes in the enterprise architecture. |

|  | APO02.05 | Define the strategic plan and road map. | Develop a holistic digital strategy, in cooperation with relevant stakeholders, and detail a road map that defines the incremental steps required to achieve the goals and objectives. Ensure focus on the transformation journey through the appointment of a person who helps spearhead the digital transformation and drives alignment between business and I&T. |

|  | APO02.06 | Communicate the I&T strategy and direction. | Create awareness and understanding of the business and I&T objectives and direction, as captured in the I&T strategy, through communication to appropriate stakeholders and users throughout the enterprise. |

| Represent the different building blocks that make up the enterprise and its interrelationships as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives. | APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capabilities to stakeholders within the enterprise. The architecture vision describes how the new capabilities (in line with I&T strategy and objectives) will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. |

|  | APO03.02 | Define reference architecture. | The reference architecture describes the current and target architectures for the business, information, data, application and technology domains. |

|  | APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, accounting for both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related I&T-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise's transformation readiness, and identify opportunities, solutions and all implementation constraints. |

|  | APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure the plan is closely coordinated to deliver value and that the required resources are available to complete the necessary work. |

|  | APO03.05 | Provide enterprise architecture services. | Provide enterprise architecture services within the enterprise that include guidance to and monitoring of implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating architecture's value and compliance monitoring. |

| Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies. | APO04.01 | Create an environment conducive to innovation. | Create an environment that is conducive to innovation, considering methods such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas. |

|  | APO04.02 | Maintain an understanding of the enterprise environment. | Work with relevant stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy, competitive environment and other constraints, so that opportunities enabled by new technologies can be identified. |

|  | APO04.03 | Monitor and scan the technology environment. | Set up a technology watch process to perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and I&T processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. |

|  | APO04.04 | Assess the potential of emerging technologies and innovative ideas. | Analyze identified emerging technologies and/or other I&T innovative suggestions to understand their business potential. Work with stakeholders to validate assumptions on the potential of new technologies and innovation. |

|  | APO04.05 | Recommend appropriate further initiatives. | Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives. Gain stakeholder support. |

|  | APO04.06 | Monitor the implementation and use of innovation. | Monitor the implementation and use of emerging technologies and innovations during adoption, integration and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned. |

| Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand. | APO05.01 | Determine the availability and sources of funds. | Determine potential sources of funds, different funding options and the implications of the funding source on the investment return expectations. |

|  | APO05.02 | Evaluate and select programs to fund. | Based on requirements for the overall investment portfolio mix and the I&T strategic plan and road map, evaluate and prioritize program business cases and decide on investment proposals. Allocate funds and initiate programs. |

|  | APO05.03 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. Ensure continuous follow-up on the alignment of the portfolio with I&T strategy. |

|  | APO05.04 | Maintain portfolios. | Maintain portfolios of investment programs and projects, I&T products and services, and I&T assets. |

|  | APO05.05 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate I&T products, services and capabilities, based on the agreed and current business case. |

| Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services. | APO06.01 | Manage finance and accounting. | Establish and maintain a method to manage and account for all I&T-related costs, investments and depreciation as an integral part of enterprise financial systems and accounts. Report using the enterprise's financial measurement systems. |

|  | APO06.02 | Prioritize resource allocation. | Implement a decision-making process to prioritize the allocation of resources and establish rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. |

|  | APO06.03 | Create and maintain budgets. | Prepare a budget reflecting investment priorities based on the portfolio of I&T-enabled programs and I&T services. |

|  | APO06.04 | Model and allocate costs. | Establish and use an I&T costing model based, for example, on the service definition. This approach ensures that allocation of costs for services is identifiable, measurable and predictable, and encourages the responsible use of resources, including those provided by service providers. Regularly review and benchmark the cost/chargeback model to maintain its relevance and appropriateness for evolving business and IT activities. |

|  | APO06.05 | Manage costs. | Implement a cost management process that compares actual costs against budget. Costs should be monitored and reported. Deviations from budget should be identified in a timely manner and their impact on enterprise processes and services assessed. |

| Optimize human resources capabilities to meet enterprise objectives. | APO07.01 | Acquire and maintain adequate and appropriate staffing. | Evaluate internal and external staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. |

|  | APO07.02 | Identify key IT personnel. | Identify key IT personnel. Use knowledge capture (documentation), knowledge sharing, succession planning and staff backup to minimize reliance on a single individual performing a critical job function. |

APO07.03 Maintain the skills and competencies of personnel.
    Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience. Verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.

APO07.04 Assess and recognize/reward employee job performance.
    Conduct timely, regular performance evaluations against individual objectives derived from enterprise goals, established standards, specific job responsibilities, and the skills and competency framework. Implement a remuneration/recognition process that rewards successful attainment of performance goals.

APO07.05 Plan and track the usage of IT and business human resources.
    Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise I&T. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes, and business and IT recruitment processes.

APO07.06 Manage contract staff.
    Ensure that consultants and contract personnel who support the enterprise with I&T skills know and comply with the organization's policies and meet agreed contractual requirements.

Purpose statement (APO08): Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders.

APO08.01 Understand business expectations.
    Understand current business issues, objectives and expectations for I&T. Ensure that requirements are understood, managed and communicated, and their status agreed and approved.

APO08.02 Align I&T strategy with business expectations and identify opportunities for IT to enhance the business.
    Align I&T strategies with current business objectives and expectations to enable IT to be a value-add partner for the business and a governance component for enhanced enterprise performance.

APO08.03 Manage the business relationship.
    Manage the relationship between the IT service organization and its business partners. Ensure that relationship roles and responsibilities are defined and assigned, and communication is facilitated.

APO08.04 Coordinate and communicate.
    Work with all relevant stakeholders and coordinate the end-to-end delivery of I&T services and solutions provided to the business.

APO08.05 Provide input to the continual improvement of services.
    Continually improve and evolve I&T-enabled services and service delivery to the enterprise to align with changing enterprise objectives and technology requirements.

Purpose statement (APO09): Ensure that I&T products, services and service levels meet current and future enterprise needs.

APO09.01 Identify I&T services.
    Analyze business requirements and the extent to which I&T-enabled services and service levels support business processes. Discuss and agree with the business on potential services and service levels. Compare potential service levels against the current service portfolio; identify new or changed services or service level options.

APO09.02 Catalog I&T-enabled services.
    Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live I&T-enabled services in the service catalogs.

APO09.03 Define and prepare service agreements.
    Define and prepare service agreements based on the options in the service catalogs. Include internal operational agreements.

APO09.04 Monitor and report service levels.
    Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management.

APO09.05 Review service agreements and contracts.
    Conduct periodic reviews of service agreements and revise when needed.

Purpose statement (APO10): Optimize available I&T capabilities to support the I&T strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing.

APO10.01 Identify and evaluate vendor relationships and contracts.
    Continuously search for and identify vendors and categorize them into type, significance and criticality. Establish criteria to evaluate vendors and contracts. Review the overall portfolio of existing and alternative vendors and contracts.

APO10.02 Select vendors.
    Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimized with input from potential suppliers.

APO10.03 Manage vendor relationships and contracts.
    Formalize and manage the supplier relationship for each supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. Deal with contractual disputes.

APO10.04 Manage vendor risk.
    Identify and manage risk relating to vendors' ability to continually provide secure, efficient and effective service delivery. This also includes the subcontractors or upstream vendors that are relevant in the service delivery of the direct vendor.

APO10.05 Monitor vendor performance and compliance.
    Periodically review overall vendor performance, compliance to contract requirements and value for money. Address identified issues.

Purpose statement (APO11): Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.

APO11.01 Establish a quality management system (QMS).
    Establish and maintain a quality management system (QMS) that provides a standard, formal and continuous approach to quality management of information. The QMS should enable technology and business processes to align with business requirements and enterprise quality management.

APO11.02 Focus quality management on customers.
    Focus quality management on customers by determining their requirements and ensuring integration in quality management practices.

APO11.03 Manage quality standards, practices and procedures and integrate quality management into key processes and solutions.
    Identify and maintain standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed quality management standards (QMS). This activity should align with I&T control framework requirements. Consider certification for key processes, organizational units, products or services.

APO11.04 Perform quality monitoring, control and reviews.
    Monitor the quality of processes and services on an ongoing basis, in line with quality management standards. Define, plan and implement measurements to monitor customer satisfaction with quality as well as the value provided by the quality management system (QMS). The information gathered should be used by the process owner to improve quality.

APO11.05 Maintain continuous improvement.
    Maintain and regularly communicate an overall quality plan that promotes continuous improvement. The plan should define the need for, and benefits of, continuous improvement. Collect and analyze data about the quality management system (QMS) and improve its effectiveness. Correct nonconformities to prevent recurrence.

Purpose statement (APO12): Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk.

APO12.01 Collect data.
    Identify and collect relevant data to enable effective I&T-related risk identification, analysis and reporting.

APO12.02 Analyze risk.
    Develop a substantiated view on actual I&T risk, in support of risk decisions.

APO12.03 Maintain a risk profile.
    Maintain an inventory of known risk and risk attributes, including expected frequency, potential impact and responses. Document related resources, capabilities and current control activities related to risk items.

APO12.04 Articulate risk.
    Communicate information on the current state of I&T-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.

APO12.05 Define a risk management action portfolio.
    Manage opportunities to reduce risk to an acceptable level as a portfolio.

APO12.06 Respond to risk.
    Respond in a timely manner to materialized risk events with effective measures to limit the magnitude of loss.

Purpose statement (APO13): Keep the impact and occurrence of information security and privacy incidents within the enterprise's risk appetite levels.

APO13.01 Establish and maintain an information security management system (ISMS).
    Establish and maintain an information security management system (ISMS) that provides a standard, formal and continuous approach to security and privacy management for information. Ensure that the system supports secure technology and business processes that are aligned with business requirements, enterprise security and enterprise privacy management.

APO13.02 Define and manage an information security risk treatment plan.
    Maintain an information security plan that describes how information security risk is to be managed and aligned with enterprise strategy and architecture. Ensure that recommendations for implementing security improvements are based on approved business cases, implemented as an integral part of services and solutions development, and operated as an integral part of business operation.

APO13.03 Monitor and review the information security management system (ISMS).
    Maintain and regularly communicate the need for, and benefits of, continuous improvement in information security. Collect and analyze data about the information security management system (ISMS), and improve its effectiveness. Correct nonconformities to prevent recurrence.

Purpose statement (APO14): Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives.

APO14.01 Define and communicate the organization's data management strategy and roles and responsibilities.
    Define how to manage and improve the organization's data assets, in line with enterprise strategy and objectives. Communicate the data management strategy to all stakeholders. Assign roles and responsibilities to ensure that corporate data are managed as critical assets and the data management strategy is implemented and maintained in an effective and sustainable manner.

APO14.02 Define and maintain a consistent business glossary.
    Create, approve, update and promote consistent business terms and definitions to foster shared data usage across the organization.

APO14.03 Establish the processes and infrastructure for metadata management.
    Establish the processes and infrastructure for specifying and extending metadata about the organization's data assets, fostering and supporting data sharing, ensuring compliant use of data, improving responsiveness to business changes and reducing data-related risk.

APO14.04 Define a data quality strategy.
    Define an integrated, organizationwide strategy to achieve and maintain the level of data quality (such as complexity, integrity, accuracy, completeness, validity, traceability and timeliness) required to support the business goals and objectives.

APO14.05 Establish data profiling methodologies, processes and tools.
    Implement standardized data profiling methodologies, processes, practices, tools and templates that can be applied across multiple data repositories and data stores.

APO14.06 Ensure a data quality assessment approach.
    Provide a systematic approach to measure and evaluate data quality according to processes and techniques, and against data quality rules.

APO14.07 Define the data cleansing approach.
    Define the mechanisms, rules, processes, and methods to validate and correct data according to predefined business rules.

APO14.08 Manage the life cycle of data assets.
    Ensure that the organization understands, maps, inventories and controls its data flows through business processes over the data life cycle, from creation or acquisition to retirement.

APO14.09 Support data archiving and retention.
    Ensure that data maintenance satisfies organizational and regulatory requirements for availability of historical data. Ensure that legal and regulatory requirements for data archiving and retention are met.

APO14.10 Manage data backup and restore arrangements.
    Manage availability of critical data to ensure operational continuity.

Purpose statement (BAI01): Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio.

BAI01.01 Maintain a standard approach for program management.
    Maintain a standard approach for program management that enables governance and management review, decision-making and delivery-management activities. These activities should focus consistently on business value and goals (i.e., requirements, risk, costs, schedule and quality targets).

BAI01.02 Initiate a program.
    Initiate a program to confirm expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship, confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed.

BAI01.03 Manage stakeholder engagement.
    Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information for all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.

BAI01.04 Develop and maintain the program plan.
    Formulate a program to lay the initial groundwork. Position it for successful execution by formalizing the scope of the work and identifying deliverables that will satisfy goals and deliver value. Maintain and update the program plan and business case throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and insights gained to date.

BAI01.05 Launch and execute the program.
    Launch and execute the program to acquire and direct the resources needed to accomplish the goals and benefits of the program as defined in the program plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report progress and make the case for funding up to the following stage-gate or release review.

BAI01.06 Monitor, control and report on the program outcomes.
    Monitor and control performance against plan throughout the full economic life cycle of the investment, covering solution delivery at the program level and value/outcome at the enterprise level. Report performance to the program steering committee and the sponsors.

BAI01.07 Manage program quality.
    Prepare and execute a quality management plan, processes and practices that align with quality management standards (QMS). Describe the approach to program quality and implementation. The plan should be formally reviewed and agreed on by all parties concerned and incorporated into the integrated program plan.

BAI01.08 Manage program risk.
    Eliminate or minimize specific risk associated with programs through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events with the potential to cause unwanted change. Define and record any risk faced by program management.

BAI01.09 Close a program.
    Remove the program from the active investment portfolio when there is agreement that the desired value has been achieved or when it is clear it will not be achieved within the value criteria set for the program.

Purpose statement (BAI02): Create optimal solutions that meet enterprise needs while minimizing risk.

BAI02.01 Define and maintain business functional and technical requirements.
    Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed I&T-enabled business solution.

BAI02.02 Perform a feasibility study and formulate alternative solutions.
    Perform a feasibility study of potential alternative solutions, assess their viability and select the preferred option. If appropriate, implement the selected option as a pilot to determine possible improvements.

BAI02.03 Manage requirements risk.
    Identify, document, prioritize and mitigate functional, technical and information processing-related risk associated with the enterprise requirements, assumptions and proposed solution.

BAI02.04 Obtain approval of requirements and solutions.
    Coordinate feedback from affected stakeholders. At predetermined key stages, obtain approval and sign-off from the business sponsor or product owner regarding functional and technical requirements, feasibility studies, risk analyses and recommended solutions.

Purpose statement (BAI03): Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives.

BAI03.01 Design high-level solutions.
    Develop and document high-level designs for the solution in terms of technology, business processes and workflows. Use agreed and appropriate phased or rapid Agile development techniques. Ensure alignment with the I&T strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases, or as the solution evolves. Apply a user-centric approach; ensure that stakeholders actively participate in the design and approve each version.

BAI03.02 Design detailed solution components.
    Develop, document and elaborate detailed designs progressively. Use agreed and appropriate phased or rapid Agile development techniques, addressing all components (business processes and related automated and manual controls, supporting I&T applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs).

BAI03.03 Develop solution components.
    Develop solution components progressively in a separate environment, in accordance with detailed designs following standards and requirements for development and documentation, quality assurance (QA), and approval. Ensure that all control requirements in the business processes, supporting I&T applications and infrastructure services, services and technology products, and partner/vendor services are addressed.

BAI03.04 Procure solution components.
    Procure solution components, based on the acquisition plan, in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the vendor.

BAI03.05 Build solutions.
    Install and configure solutions and integrate with business process activities. During configuration and integration of hardware and infrastructure software, implement control, security, privacy and auditability measures to protect resources and ensure availability and data integrity. Update the product or services catalogue to reflect the new solutions.

BAI03.06 Perform quality assurance (QA).
    Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements definition and in the enterprise's quality policies and procedures.

BAI03.07 Prepare for solution testing.
    Establish a test plan and required environments to test the individual and integrated solution components. Include the business processes and supporting services, applications and infrastructure.

BAI03.08 Execute solution testing.
    During development, execute testing continually (including control testing), in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.

BAI03.09 Manage changes to requirements.
    Track the status of individual requirements (including all rejected requirements) throughout the project life cycle. Manage the approval of changes to requirements.

BAI03.10 Maintain solutions.
    Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.

BAI03.11 Define IT products and services and maintain the service portfolio.
    Define and agree on new or changed IT products or services and service level options. Document new or changed product and service definitions and service level options to be updated in the products and services portfolio.

BAI03.12 Design solutions based on the defined development methodology.
    Design, develop and implement solutions with the appropriate development methodology (i.e., waterfall, Agile or bimodal I&T), in accordance with the overall strategy and requirements.

Purpose statement (BAI04): Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.

BAI04.01 Assess current availability, performance and capacity and create a baseline.
    Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison.

BAI04.02 Assess business impact.
    Identify important services to the enterprise. Map services and resources to business processes and identify business dependencies. Ensure that the impact of unavailable resources is fully agreed on and accepted by the customer. For vital business functions, ensure that availability requirements can be satisfied per service level agreement (SLA).

BAI04.03 Plan for new or changed service requirements.
    Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.

BAI04.04 Monitor and review availability and capacity.
    Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances. Initiate actions where necessary and ensure that all outstanding issues are addressed.

BAI04.05 Investigate and address identified availability, performance and capacity issues.
    Address deviations by investigating and resolving availability, performance and capacity issues.

Purpose statement (BAI05): Prepare and commit stakeholders for business change and reduce the risk of failure.

BAI05.01 Establish the desire to change.
    Understand the scope and impact of the desired change. Assess stakeholder readiness and willingness to change. Identify actions that will motivate stakeholder acceptance and participation to make the change work successfully.

BAI05.02 Form an effective implementation team.
    Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.

BAI05.03 Communicate desired vision.
    Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the road map and the involvement required of the various stakeholders.

BAI05.04 Empower role players and identify short-term wins.
    Empower those with implementation roles by assigning accountability. Provide training and align organizational structures and HR processes. Identify and communicate short-term wins that are important from a change-enablement perspective.

BAI05.05 Enable operation and use.
    Plan and implement all technical, operational and usage aspects so all those who are involved in the future state environment can exercise their responsibility.

BAI05.06 Embed new approaches.
    Embed new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate (which may include enforcing compliance).

BAI05.07 Sustain changes.
    Sustain changes through effective training of new staff, ongoing communication campaigns, continued commitment of top management, monitoring of adoption and sharing of lessons learned across the enterprise.

Purpose statement (BAI06): Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment.

BAI06.01 Evaluate, prioritize and authorize change requests.
    Evaluate all requests for change to determine the impact on business processes and I&T services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.

BAI06.02 Manage emergency changes.
    Carefully manage emergency changes to minimize further incidents. Ensure the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.

BAI06.03 Track and report change status.
    Maintain a tracking and reporting system to document rejected changes and communicate the status of approved, in-process and complete changes. Make certain that approved changes are implemented as planned.

BAI06.04 Close and document the changes.
    Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.

Purpose statement (BAI07): Implement solutions safely and in line with the agreed expectations and outcomes.

BAI07.01 Establish an implementation plan.
    Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/back-up plan, and a post-implementation review. Obtain approval from relevant parties.

BAI07.02 Plan business process, system and data conversion. Prepare for business process, I&T service data and infrastructure migration as part of the enterprise's development methods. Include audit trails and a recovery plan should the migration fail.

BAI07.03 Plan acceptance tests. Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.

BAI07.04 Establish a test environment. Define and establish a secure test environment representative of the planned business process and IT operations environment in terms of performance, capacity, security, internal controls, operational practices, data quality, privacy requirements and workloads.

BAI07.05 Perform acceptance tests. Test changes independently, in accordance with the defined test plan, prior to migration to the live operational environment.

BAI07.06 Promote to production and manage releases. Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results. If significant problems occur, revert to the original environment based on the fallback/back-up plan. Manage releases of solution components.

BAI07.07 Provide early production support. For an agreed period of time, provide early support to users and I&T operations to resolve issues and help stabilize the new solution.

BAI07.08 Perform a post-implementation review. Conduct a post-implementation review to confirm outcome and results, identify lessons learned, and develop an action plan. Evaluate actual performance and outcomes of the new or changed service against expected performance and outcomes anticipated by the user or customer.

Objective purpose statement (BAI08): Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.

BAI08.01 Identify and classify sources of information for governance and management of I&T. Identify, validate and classify diverse sources of internal and external information required to enable governance and management of I&T, including strategy documents, incident reports and configuration information that progresses from development to operations before going live.

BAI08.02 Organize and contextualize information into knowledge. Organize information based on classification criteria. Identify and create meaningful relationships among information elements and enable use of information. Identify owners, and leverage and implement enterprise-defined information levels of access to management information and knowledge resources.

BAI08.03 Use and share knowledge. Propagate available knowledge resources to relevant stakeholders and communicate how these resources can be used to address different needs (e.g., problem solving, learning, strategic planning and decision making).

BAI08.04 Evaluate and update or retire information. Measure the use and evaluate the currency and relevance of information. Update information or retire obsolete information.

Objective purpose statement (BAI09): Account for all I&T assets and optimize the value provided by their use.

BAI09.01 Identify and record current assets. Maintain an up-to-date, accurate record of all I&T assets that are required to deliver services and that are owned or controlled by the organization with an expectation of future benefit (including resources with economic value, such as hardware or software). Ensure alignment with configuration management and financial management.

BAI09.02 Manage critical assets. Identify assets that are critical in providing service capability. Maximize their reliability and availability to support business needs.

BAI09.03 Manage the asset life cycle. Manage assets from procurement to disposal. Ensure that assets are utilized as effectively and efficiently as possible and are accounted for and physically protected until appropriately retired.

BAI09.04 Optimize asset value. Regularly review the overall asset base to identify ways to optimize value in alignment with business needs.

BAI09.05 Manage licenses. Manage software licenses to maintain the optimal number of licenses and support business requirements. Ensure that the number of licenses owned is sufficient to cover the installed software in use.

Objective purpose statement (BAI10): Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.

BAI10.01 Establish and maintain a configuration model. Establish and maintain a logical model of the services, assets, infrastructure and recording of configuration items (CIs), including the relationships among them. Include the CIs considered necessary to manage services effectively and to provide a single, reliable description of the assets in a service.

BAI10.02 Establish and maintain a configuration repository and baseline. Establish and maintain a configuration management repository and create controlled configuration baselines.

BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items (CIs) by populating any configuration changes.

BAI10.04 Produce status and configuration reports. Define and produce configuration reports on status changes of configuration items.

BAI10.05 Verify and review integrity of the configuration repository. Periodically review the configuration repository and verify completeness and correctness against the desired target.

Objective purpose statement (BAI11): Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and investment portfolio.

BAI11.01 Maintain a standard approach for project management. Maintain a standard approach for project management that enables governance and management review, decision-making and delivery-management activities. These activities should focus consistently on business value and goals (i.e., requirements, risk, costs, schedule and quality targets).

BAI11.02 Start up and initiate a project. Define and document the nature and scope of the project to confirm and develop a common understanding of project scope among stakeholders. The definition should be formally approved by the project sponsors.

BAI11.03 Manage stakeholder engagement. Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.

BAI11.04 Develop and maintain the project plan. Establish and maintain a formal, approved, integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability.

BAI11.05 Manage project quality. Prepare and execute a quality management plan, processes and practices that align with quality management standards (QMS). Describe the approach to project quality and implementation. The plan should be formally reviewed and agreed on by all parties concerned and incorporated into the integrated project plans.

BAI11.06 Manage project risk. Eliminate or minimize specific risk associated with projects through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events with potential to cause unwanted change. Define and record any risk faced by project management.

BAI11.07 Monitor and control projects. Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from expected targets. Assess the impact of deviations on the project and overall program and report results to key stakeholders.

BAI11.08 Manage project resources and work packages. Manage project work packages by placing formal requirements on authorizing and accepting work packages and assigning and coordinating appropriate business and IT resources.

BAI11.09 Close a project or iteration. At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or iteration delivered the required results in terms of capabilities and contributed as expected to program benefits. Identify and communicate any outstanding activities required to achieve planned results of the project and/or benefits of the program. Identify and document lessons learned for future projects, releases, iterations and programs.

Objective purpose statement (DSS01): Deliver I&T operational product and service outcomes as planned.

DSS01.01 Perform operational procedures. Maintain and perform operational procedures and operational tasks reliably and consistently.

DSS01.02 Manage outsourced I&T services. Manage the operation of outsourced I&T services to maintain the protection of enterprise information and reliability of service delivery.

DSS01.03 Monitor I&T infrastructure. Monitor the I&T infrastructure and related events. Store sufficient chronological information in operations logs to reconstruct and review time sequences of operations and other activities surrounding or supporting operations.

DSS01.04 Manage the environment. Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.

DSS01.05 Manage facilities. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

Objective purpose statement (DSS02): Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents.

DSS02.01 Define classification schemes for incidents and service requests. Define classification schemes and models for incidents and service requests.

DSS02.02 Record, classify and prioritize requests and incidents. Identify, record and classify service requests and incidents and assign a priority according to business criticality and service agreements.

DSS02.03 Verify, approve and fulfill service requests. Select the appropriate request procedures and verify that the service requests fulfill defined request criteria. Obtain approval, if required, and fulfill the requests.

DSS02.04 Investigate, diagnose and allocate incidents. Identify and record incident symptoms, determine possible causes, and allocate for resolution.

DSS02.05 Resolve and recover from incidents. Document, apply and test the identified solutions or workarounds. Perform recovery actions to restore the I&T-related service.

DSS02.06 Close service requests and incidents. Verify satisfactory incident resolution and/or fulfilment of requests, and close.

DSS02.07 Track status and produce reports. Regularly track, analyze and report incidents and fulfilment of requests. Examine trends to provide information for continual improvement.

Objective purpose statement (DSS03): Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.

DSS03.01 Identify and classify problems. Define and implement criteria and procedures to identify and report problems. Include problem classification, categorization and prioritization.

DSS03.02 Investigate and diagnose problems. Investigate and diagnose problems using relevant subject matter experts to assess and analyze root causes.

DSS03.03 Raise known errors. As soon as root causes of problems are identified, create known-error records, document appropriate workarounds and identify potential solutions.

DSS03.04 Resolve and close problems. Identify and initiate sustainable solutions addressing the root cause. Raise change requests via the established change management process, if required, to resolve errors. Ensure that the personnel affected are aware of the actions taken and the plans developed to prevent future incidents from occurring.

DSS03.05 Perform proactive problem management. Collect and analyze operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.

Objective purpose statement (DSS04): Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).

DSS04.01 Define the business continuity policy, objectives and scope. Define business continuity policy and scope, aligned with enterprise and stakeholder objectives, to improve business resilience.

DSS04.02 Maintain business resilience. Evaluate business resilience options and choose a cost-effective and viable strategy that will ensure enterprise continuity, disaster recovery and incident response in the face of a disaster or other major incident or disruption.

DSS04.03 Develop and implement a business continuity response. Develop a business continuity plan (BCP) and disaster recovery plan (DRP) based on the strategy. Document all procedures necessary for the enterprise to continue critical activities in the event of an incident.

DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). Test continuity on a regular basis to exercise plans against predetermined outcomes, uphold business resilience and allow innovative solutions to be developed.

DSS04.05 Review, maintain and improve the continuity plans. Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plans in accordance with the change control process to ensure that continuity plans are kept up to date and continually reflect actual business requirements.

DSS04.06 Conduct continuity plan training. Provide all concerned internal and external parties with regular training sessions regarding procedures and their roles and responsibilities in case of disruption.

DSS04.07 Manage backup arrangements. Maintain availability of business-critical information.

DSS04.08 Conduct post-resumption review. Assess the adequacy of the business continuity plan (BCP) and disaster response plan (DRP) following successful resumption of business processes and services after a disruption.

Objective purpose statement (DSS05): Minimize the business impact of operational information security and privacy vulnerabilities and incidents.

DSS05.01 Protect against malicious software. Implement and maintain preventive, detective and corrective measures (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malicious software (e.g., malware, ransomware, viruses, worms, spyware, spam).

DSS05.02 Manage network and connectivity security. Use security measures and related management procedures to protect information over all methods of connectivity.

DSS05.03 Manage endpoint security. Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security and privacy requirements for the information processed, stored or transmitted.

DSS05.04 Manage user identity and logical access. Ensure that all users have information access rights in accordance with the business unit's privacy policy and business requirements. Coordinate with business units that manage their own access rights within business processes.

DSS05.05 Manage physical access to I&T assets. Define and implement procedures (including emergency procedures) to grant, limit and revoke access to premises, buildings and areas, according to business need. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This requirement applies to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

DSS05.06 Manage sensitive documents and output devices. Establish appropriate physical safeguards, accounting practices and inventory management regarding sensitive I&T assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

DSS05.07 Manage vulnerabilities and monitor the infrastructure for security-related events. Using a portfolio of tools and technologies (e.g., intrusion detection tools), manage vulnerabilities and monitor the infrastructure for unauthorized access. Ensure that security tools, technologies and detection are integrated with general event monitoring and incident management.

Objective purpose statement (DSS06): Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.

DSS06.01 Align control activities embedded in business processes with enterprise objectives. Continually assess and monitor the execution of business process activities and related controls (based on enterprise risk), to ensure that processing controls align with business needs.

DSS06.02 Control the processing of information. Operate the execution of the business process activities and related controls, based on enterprise risk. Ensure that information processing is valid, complete, accurate, timely and secure (i.e., reflects legitimate and authorized business use).

DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. Manage business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to all information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.

DSS06.04 Manage errors and exceptions. Manage business process exceptions and errors and facilitate remediation, executing defined corrective actions and escalating as necessary. This treatment of exceptions and errors provides assurance of the accuracy and integrity of the business information process.

DSS06.05 Ensure traceability and accountability for information events. Ensure that business information can be traced to an originating business event and associated with accountable parties. This discoverability provides assurance that business information is reliable and has been processed in accordance with defined objectives.

DSS06.06 Secure information assets. Secure information assets accessible by the business through approved methods, including information in electronic form (e.g., portable media devices, user applications and storage devices, or other methods that create new assets in any form), information in physical form (e.g., source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.

Objective purpose statement (MEA01): Provide transparency of performance and conformance and drive achievement of goals.

MEA01.01 Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

MEA01.02 Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.

MEA01.03 Collect and process performance and conformance data. Collect and process timely and accurate data aligned with enterprise approaches.

MEA01.04 Analyze and report performance. Periodically review and report performance against targets. Use a method that provides a succinct all-around view of I&T performance and fits within the enterprise monitoring system.

MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

Objective purpose statement (MEA02): Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA02.01 Monitor internal controls. Continuously monitor, benchmark and improve the I&T control environment and control framework to meet organizational objectives.

MEA02.02 Review effectiveness of business process controls. Review the operation of controls, including monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing, continuous monitoring, independent assessments, command and control centers, and network operation centers. This evidence assures the enterprise that controls meet requirements related to business, regulatory and social responsibilities.

MEA02.03 Perform control self-assessments. Encourage management and process owners to improve controls proactively through a continuing program of self-assessment that evaluates the completeness and effectiveness of management's control over processes, policies and contracts.

MEA02.04 Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.

Objective purpose statement (MEA03): Ensure that the enterprise is compliant with all applicable external requirements.

MEA03.01 Identify external compliance requirements. On a continuous basis, monitor changes in local and international laws, regulations and other external requirements and identify mandates for compliance from an I&T perspective.

MEA03.02 Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider adopting and adapting industry standards, codes of good practice, and good practice guidance.

MEA03.03 Confirm external compliance. Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.

MEA03.04 Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.

Objective purpose statement (MEA04): Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches.

MEA04.01 Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or organizations in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.

MEA04.02 Develop risk-based planning of assurance initiatives. Determine assurance objectives based on assessments of the internal and external environment and context, the risk of not achieving enterprise goals, and the opportunities associated with achievement of the same goals.

MEA04.03 Determine the objectives of the assurance initiative. Define and agree with all stakeholders on the objectives of the assurance initiative.

MEA04.04 Define the scope of the assurance initiative. Define and agree with all stakeholders on the scope of the assurance initiative, based on the assurance objectives.

MEA04.05 Define the work program for the assurance initiative. Define a detailed work program for the assurance initiative, structured according to the management objectives and governance components in scope.

MEA04.06 Execute the assurance initiative, focusing on design effectiveness. Execute the planned assurance initiative. Validate and confirm the design of the internal controls in place. Additionally, and specifically in internal audit assignments, consider the cost-effectiveness of the governance component design.

MEA04.07 Execute the assurance initiative, focusing on operating effectiveness. Execute the planned assurance initiative. Test whether the internal controls in place are appropriate and sufficient. Test the outcome of the key management objectives in scope of the assurance initiative.

MEA04.08 Report and follow up on the assurance initiative. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control weaknesses.

MEA04.09 Follow up on recommendations and actions. Agree on, follow up and implement the identified recommendations for improvement.

Below are listed the activities associated with each of the governance and management practices in COBIT® 2019.
The activities are ordered in the order in which they appear in the COBIT® 2019 Framework: Governance and Management Objectives.

Activities: 1202
Area Domain Objective ID Objective Practice ID Practice Name Activity

Area: Governance. Domain: Evaluate, Direct and Monitor. Objective: EDM01 Ensured Governance Framework Setting and Maintenance. Practice: EDM01.01 Evaluate the governance system.
1. Analyze and identify the internal and external environmental factors (legal, regulatory and contractual obligations) and business environment trends that may influence the design of governance.
2. Determine the significance of I&T and its role with respect to the business.
3. Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise I&T.
4. Determine the implications of the overall enterprise control environment with regard to I&T.
5. Align the ethical use and processing of information and its impact on society, the natural environment and the interests of internal and external stakeholders with the enterprise's direction, goals and objectives.

440
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM01 Ensured EDM01.01 Evaluate the 6. Articular princípios que nortearão o desenho da governança
and Monitor Governance governance system e a tomada de decisão de T&7.
Framework
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.01 Evaluate the 7. Determinar o modelo ótimo de tomada de decisão para
and Monitor Governance governance system T&I.
Framework
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.01 Evaluate the 8. Determinar os níveis adequados de delegação de
and Monitor Governance governance system autoridades, incluindo regras de limiar, para decisões de I&T.
Framework
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.02 Direct the governance 1. Comunicar a governança dos princípios de I&T e concordar
and Monitor Governance system. com a gerência executiva sobre o caminho para estabelecer
Framework uma liderança informada e comprometida.
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.02 Direct the governance 2. Estabelecer ou delegar o estabelecimento de estruturas,
and Monitor Governance system. processos e práticas de governança em linha com os princípios
Framework de design acordados.
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.02 Direct the governance 3. Estabelecer um conselho de governança de I&T (ou
and Monitor Governance system. equivalente) no nível do conselho. Esse conselho deve
Framework garantir que a governança da informação e da tecnologia,
Setting and como parte da governança corporativa, seja adequadamente
Maintenance abordada; assessorar no direcionamento estratégico; e
determinar a priorização de programas de investimento
habilitados para I&T, em linha com a estratégia e as

441
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM01 Ensured EDM01.02 Direct the governance 4. Atribuir responsabilidade, autoridade e responsabilidade
and Monitor Governance system. pelas decisões de I&T em linha com os princípios de conceção
Framework de governação, modelos de tomada de decisão e delegação
Setting and acordados.
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.02 Direct the governance 5. Assegurar que os mecanismos de comunicação e
and Monitor Governance system. comunicação forneçam aos responsáveis pela supervisão e
Framework tomada de decisões informações adequadas.
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.02 Direct the governance 6. Orientar que a equipe siga as diretrizes relevantes de
and Monitor Governance system. comportamento ético e profissional e garantir que as
Framework consequências do não cumprimento sejam conhecidas e
Setting and aplicadas.
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.02 Direct the governance 7. Orientar o estabelecimento de um sistema de recompensas
and Monitor Governance system. para promover mudanças culturais desejáveis.
Framework
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.03 Monitor the


and Monitor Governance governance system. 1. Avaliar a eficácia e o desempenho das partes interessadas
Framework que recebem a responsabilidade delegada e a autoridade para
Setting and a governação da I&T.
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.03 Monitor the 2. Avaliar periodicamente se a governança acordada dos
and Monitor Governance governance system. mecanismos de I&T (estruturas, princípios, processos, etc.)
Framework está estabelecida e operando de forma eficaz.
Setting and
Maintenance

442
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM01 Ensured EDM01.03 Monitor the 3. Avaliar a efetividade do desenho de governança e
and Monitor Governance governance system. identificar ações para corrigir eventuais desvios encontrados.
Framework
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.03 Monitor the 4. Manter a supervisão da extensão em que a T&T satisfaz as
and Monitor Governance governance system. obrigações (regulatórias, legislativas, de direito comum,
Framework contratuais), políticas internas, normas e diretrizes
Setting and profissionais.
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.03 Monitor the 5. Supervisionar a eficácia e o cumprimento do sistema de
and Monitor Governance governance system. controle da empresa.
Framework
Setting and
Maintenance

Governance Evaluate, Direct EDM01 Ensured EDM01.03 Monitor the 6. Monitorar mecanismos regulares e rotineiros para garantir
and Monitor Governance governance system. que o uso de I&T cumpra com as obrigações relevantes
Framework (regulatórias, legislativas, common law, contratuais), normas e
Setting and diretrizes.
Maintenance

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.01 Establish the target 1. Criar e manter portfólios de programas de investimento
and Monitor Delivery investment mix. habilitados para I&T, serviços de TI e ativos de TI, que formam
a base para o orçamento atual de TI e suportam os planos
táticos e estratégicos de I&T.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.01 Establish the target 2. Obter um entendimento comum entre a TI e as outras
and Monitor Delivery investment mix. funções de negócios sobre as oportunidades potenciais para a
TI habilitar e contribuir para a estratégia empresarial.

443
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.01 Establish the target 3. Identificar as amplas categorias de sistemas de informação,
and Monitor Delivery investment mix. aplicações, dados, serviços de TI, infraestrutura, ativos de I&T,
recursos, habilidades, práticas, controles e relacionamentos
necessários para apoiar a estratégia empresarial.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.01 Establish the target 4. Acordar os objetivos de I&T, levando em conta as inter-
and Monitor Delivery investment mix. relações entre a estratégia empresarial e os serviços, ativos e
outros recursos de I&T. Identificar e alavancar sinergias que
podem ser alcançadas.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.01 Establish the target 5. Definir um mix de investimentos que atinja o equilíbrio
and Monitor Delivery investment mix. certo entre várias dimensões, incluindo um equilíbrio
adequado de retornos de curto e longo prazo, benefícios
financeiros e não financeiros e investimentos de alto e baixo
risco.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 1. Entender os requisitos das partes interessadas; questões
and Monitor Delivery optimization. estratégicas de I&T, como a dependência de I&T; e insights e
capacidades tecnológicas sobre o significado real e potencial
de I&T para a estratégia da empresa.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 2. Compreender os elementos-chave da governança
and Monitor Delivery optimization. necessários para a entrega confiável, segura e econômica do
valor ideal a partir do uso de serviços, ativos e recursos de TI
novos e existentes.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 3. . Compreender e discutir regularmente as oportunidades
and Monitor Delivery optimization. que podem surgir para a empresa a partir de mudanças
possibilitadas por tecnologias atuais, novas ou emergentes, e
otimizar o valor criado a partir dessas oportunidades.

444
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 4. Entender o que constitui valor para a empresa e considerar
and Monitor Delivery optimization. o quão bem ele é comunicado, compreendido e aplicado em
todos os processos da empresa.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 5. Avaliar a eficácia com que as estratégias empresariais e de
and Monitor Delivery optimization. I&T foram integradas e alinhadas dentro da empresa e com os
objetivos da empresa para a entrega de valor.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 6. Compreender e considerar a eficácia dos papéis,
and Monitor Delivery optimization. responsabilidades, responsabilidades e órgãos de tomada de
decisão atuais para garantir a criação de valor a partir de
investimentos, serviços e ativos habilitados para I&T.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 7. Considere o quão bem a gestão de investimentos, serviços
and Monitor Delivery optimization. e ativos habilitados para I&T se alinha com as práticas de
gestão de valor empresarial e gestão financeira.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.02 Evaluate value 8. Avaliar o portfólio de investimentos, serviços e ativos para
and Monitor Delivery optimization. alinhamento com os objetivos estratégicos do
empreendimento; valor da empresa, tanto financeira quanto
não financeira; risco, tanto risco de entrega quanto risco de
benefícios; alinhamento de processos de negócio; eficácia em
termos de usabilidade, disponibilidade e capacidade de
resposta; e eficiência em termos de custo, redundância e
Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.03 Direct value 1. Definir e comunicar tipos de carteira e investimento,
and Monitor Delivery optimization. categorias, critérios e ponderações relativas aos critérios para
permitir pontuações globais de valor relativo.

445
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.03 Direct value 2. Definir requisitos para stage-gates e outras revisões para a
and Monitor Delivery optimization. importância do investimento para a empresa e risco
associado, cronogramas de programas, planos de
financiamento e a entrega de recursos e benefícios essenciais
e contribuição contínua para o valor.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.03 Direct value 3. Direcionar a gestão para considerar potenciais usos
and Monitor Delivery optimization. inovadores de I&T que permitam à empresa responder a
novas oportunidades ou desafios, empreender novos
negócios, aumentar a competitividade ou melhorar processos.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.03 Direct value 4. Direcionar quaisquer mudanças necessárias na atribuição
and Monitor Delivery optimization. de responsabilidades e responsabilidades para executar a
carteira de investimentos e entregar valor dos processos de
negócios e serviços.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.03 Direct value 5. Direcionar quaisquer mudanças necessárias no portfólio de
and Monitor Delivery optimization. investimentos e serviços para realinhar com os objetivos e/ou
restrições empresariais atuais e esperados.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.03 Direct value 6. Recomendar a consideração de potenciais inovações,
and Monitor Delivery optimization. mudanças organizacionais ou melhorias operacionais que
possam gerar maior valor para a empresa a partir de
iniciativas habilitadas para I&T.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.03 Direct value 7. Definir e comunicar metas de entrega de valor em nível
and Monitor Delivery optimization. empresarial e medidas de resultados para permitir um
monitoramento eficaz.

446
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.04 Monitor value 1. Definir um conjunto equilibrado de objetivos de
and Monitor Delivery optimization. desempenho, métricas, metas e benchmarks. As métricas
devem abranger medidas de atividade e de resultados,
incluindo indicadores de chumbo e de atraso para os
resultados, bem como um equilíbrio adequado de medidas
financeiras e não financeiras. Revisá-los e concordá-los com a
TI e outras funções de negócios e outras partes interessadas
Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.04 Monitor value 2. Recolher dados relevantes, atempados, completos,
and Monitor Delivery optimization. credíveis e precisos para comunicar os progressos realizados
na entrega de valor em relação às metas. Obter uma visão
sucinta, de alto nível e abrangente do desempenho de
portfólio, programa e I&T (capacidades técnicas e
operacionais) que apoie a tomada de decisão. Garantir que os
resultados esperados estão sendo alcançados.
Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.04 Monitor value 3. Obter relatórios regulares e relevantes de desempenho,
and Monitor Delivery optimization. portfólio, programa e I&T (tecnológico e funcional). Analise o
progresso da empresa em direção às metas identificadas e até
que ponto os objetivos planejados foram alcançados, os
resultados obtidos, as metas de desempenho cumpridas e os
riscos mitigados.
Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.04 Monitor value 4. Após a revisão dos relatórios, certifique-se de que as ações
and Monitor Delivery optimization. corretivas de gerenciamento apropriadas sejam iniciadas e
controladas.

Governance Evaluate, Direct EDM02 Ensured Benefits EDM02.04 Monitor value 5. Após a revisão dos relatórios, tome as medidas de
and Monitor Delivery optimization. gerenciamento apropriadas conforme necessário para
garantir que o valor seja otimizado.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.01 Evaluate risk 1. Compreender a organização e seu contexto relacionado ao
and Monitor Optimization management. risco de I&T.

447
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.01 Evaluate risk 2. Determinar o apetite de risco da organização, ou seja, o
and Monitor Optimization management. nível de risco relacionado à I&T que a empresa está disposta a
assumir em sua busca pelos objetivos da empresa.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.01 Evaluate risk 3. Determinar níveis de tolerância ao risco contra o apetite ao
and Monitor Optimization management. risco, ou seja, desvios temporariamente aceitáveis do apetite
ao risco.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.01 Evaluate risk 4. Determinar a extensão do alinhamento da estratégia de
and Monitor Optimization management. risco de I&T à estratégia de risco da empresa e garantir que o
apetite ao risco esteja abaixo da capacidade de risco da
organização.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.01 Evaluate risk 5. Avaliar proativamente os fatores de risco de I&T antes das
and Monitor Optimization management. decisões estratégicas pendentes da empresa e garantir que as
considerações de risco façam parte do processo de decisão
estratégica da empresa.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.01 Evaluate risk 6. Avaliar as atividades de gerenciamento de riscos para
and Monitor Optimization management. garantir o alinhamento com a capacidade da empresa de
perdas relacionadas à I&T e a tolerância da liderança a elas.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.01 Evaluate risk 7. Atrair e manter as competências e o pessoal necessários
and Monitor Optimization management. para a Gestão de Riscos de I&T;

448
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.02 Direct risk 1. Direcionar a tradução e integração da estratégia de riscos
and Monitor Optimization management. de I&T às práticas de gestão de riscos e atividades
operacionais.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.02 Direct risk 2. Direcionar o desenvolvimento de planos de comunicação
and Monitor Optimization management. de riscos (abrangendo todos os níveis da empresa).

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.02 Direct risk 3. Implementação direta dos mecanismos apropriados para
and Monitor Optimization management. responder rapidamente à mudança de risco e reportar
imediatamente aos níveis apropriados de gestão, apoiados
por princípios acordados de escalonamento (o que relatar,
quando, onde e como).

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.02 Direct risk 4. Orientar que riscos, oportunidades, problemas e
and Monitor Optimization management. preocupações podem ser identificados e relatados por
qualquer pessoa à parte apropriada a qualquer momento. O
risco deve ser gerido de acordo com as políticas e
procedimentos publicados e encaminhado para os decisores
relevantes.
Governance Evaluate, Direct EDM03 Ensured Risk EDM03.02 Direct risk 5. Identificar os principais objetivos e métricas dos processos
and Monitor Optimization management. de governança e gestão de riscos a serem monitorados e
aprovar as abordagens, métodos, técnicas e processos para
capturar e reportar as informações de medição.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.03 Monitor risk 1. Comunicar quaisquer problemas de gestão de riscos ao
and Monitor Optimization management. conselho de administração ou ao comitê executivo.

449
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.03 Monitor risk 2. Monitorar até que ponto o perfil de risco é gerenciado
and Monitor Optimization management. dentro dos limites de apetite e tolerância ao risco da empresa.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.03 Monitor risk 3. Monitorar as principais metas e métricas dos processos de
and Monitor Optimization management. governança e gestão de riscos em relação às metas, analisar a
causa de quaisquer desvios e iniciar ações corretivas para
abordar as causas subjacentes.

Governance Evaluate, Direct EDM03 Ensured Risk EDM03.03 Monitor risk 4. Permitir que as principais partes interessadas analisem o
and Monitor Optimization management. progresso da empresa em direção aos objetivos identificados.

Governance Evaluate, Direct EDM04 Ensured EDM04.01 Evaluate resource 1. A partir das estratégias atuais e futuras, examine as opções
and Monitor Resource management. potenciais para fornecer recursos relacionados à I&t
Optimization (tecnologia, recursos financeiros e humanos) e desenvolva
capacidades para atender às necessidades atuais e futuras
(incluindo opções de fornecimento).

Governance Evaluate, Direct EDM04 Ensured EDM04.01 Evaluate resource 2. Definir os princípios-chave para a alocação de recursos e
and Monitor Resource management. gestão de recursos e capacidades para que a I&T possa
Optimization atender às necessidades da empresa de acordo com as
prioridades e restrições orçamentárias acordadas. Por
exemplo, defina opções de sourcing preferenciais para
determinados serviços e limites financeiros por opção de
sourcing.
Governance Evaluate, Direct EDM04 Ensured EDM04.01 Evaluate resource 3. Revisar e aprovar o plano de recursos e as estratégias de
and Monitor Resource management. arquitetura corporativa para entregar valor e mitigar riscos
Optimization com os recursos alocados.

450
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM04 Ensured EDM04.01 Evaluate resource 4. Entender os requisitos para alinhar a gestão de recursos de
and Monitor Resource management. I&T com o planejamento financeiro e de recursos humanos
Optimization (RH) da empresa.

Governance Evaluate, Direct EDM04 Ensured EDM04.01 Evaluate resource 5. Definir princípios para o gerenciamento e controle da
and Monitor Resource management. arquitetura corporativa.
Optimization

Governance Evaluate, Direct EDM04 Ensured EDM04.02 Direct resource 1. Atribua responsabilidades pela execução do gerenciamento
and Monitor Resource management. de recursos.
Optimization

Governance Evaluate, Direct EDM04 Ensured EDM04.02 Direct resource 2. Estabelecer princípios relacionados à salvaguarda de
and Monitor Resource management. recursos.
Optimization

Governance Evaluate, Direct EDM04 Ensured EDM04.02 Direct resource 3. Comunicar e conduzir a adoção das estratégias de
and Monitor Resource management. gerenciamento de recursos, princípios e planos de recursos
Optimization acordados e estratégias de arquitetura corporativa.

Governance Evaluate, Direct EDM04 Ensured EDM04.02 Direct resource 4. Alinhe a gestão de recursos com o planejamento financeiro
and Monitor Resource management. e de RH da empresa.
Optimization

451
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM04 Ensured EDM04.02 Direct resource 5. Definir metas, medidas e métricas para a gestão de
and Monitor Resource management. recursos.
Optimization

Governance Evaluate, Direct EDM04 Ensured EDM04.03 Monitor resource 1. Monitorar a alocação e otimização de recursos de acordo
and Monitor Resource management. com os objetivos e prioridades da empresa utilizando metas e
Optimization métricas acordadas.

Governance Evaluate, Direct EDM04 Ensured EDM04.03 Monitor resource 2. Monitore as estratégias de sourcing relacionadas à I&T, as
and Monitor Resource management. estratégias de arquitetura corporativa e os recursos e recursos
Optimization relacionados aos negócios e à TI para garantir que as
necessidades e objetivos atuais e futuros da empresa possam
ser atendidos.

Governance Evaluate, Direct EDM04 Ensured EDM04.03 Monitor resource 3. Monitore o desempenho dos recursos em relação às metas,
and Monitor Resource management. analise a causa dos desvios e inicie ações corretivas para
Optimization abordar as causas subjacentes.

Governance Evaluate, Direct EDM05 Ensured EDM05.01 Evaluate stakeholder 1. Identificar todas as partes interessadas relevantes em I&T
and Monitor Stakeholder engagement and dentro e fora da empresa. Agrupar partes interessadas em
Engagement reporting categorias de partes interessadas com requisitos semelhantes.
requirements.

Governance Evaluate, Direct EDM05 Ensured EDM05.01 Evaluate stakeholder 2. Examinar e fazer julgamento sobre os requisitos atuais e
and Monitor Stakeholder engagement and futuros de relatórios obrigatórios relacionados ao uso de TI e
Engagement reporting TI dentro da empresa (regulamentação, legislação, direito
requirements. comum, contratual), incluindo extensão e frequência.

452
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM05 Ensured EDM05.01 Evaluate stakeholder 3. Examinar e fazer julgamentos sobre os requisitos atuais e
and Monitor Stakeholder engagement and futuros de comunicação e relatórios para outras partes
Engagement reporting interessadas relacionados ao uso de TI dentro da empresa,
requirements. incluindo o nível necessário de envolvimento/consulta e
extensão da comunicação/nível de detalhes e condições.

Governance Evaluate, Direct EDM05 Ensured EDM05.01 Evaluate stakeholder 4. Manter princípios para a comunicação com stakeholders
and Monitor Stakeholder engagement and externos e internos, incluindo formatos e canais de
Engagement reporting comunicação, e para a aceitação e aprovação de relatórios por
requirements. parte das partes interessadas.

Governance Evaluate, Direct EDM05 Ensured EDM05.02 Direct stakeholder 1. Orientar o estabelecimento da estratégia de consulta e
and Monitor Stakeholder engagement, comunicação para os stakeholders externos e internos.
Engagement communication and
reporting.

Governance Evaluate, Direct EDM05 Ensured EDM05.02 Direct stakeholder 2. Direcionar a implementação de mecanismos para garantir
and Monitor Stakeholder engagement, que as informações atendam a todos os critérios para
Engagement communication and requisitos obrigatórios de relatórios de I&T para a empresa.
reporting.

Governance Evaluate, Direct EDM05 Ensured EDM05.02 Direct stakeholder 3. Estabelecer mecanismos de validação e aprovação de
and Monitor Stakeholder engagement, relatórios obrigatórios.
Engagement communication and
reporting.

Governance Evaluate, Direct EDM05 Ensured EDM05.02 Direct stakeholder 4. Estabeleça mecanismos de escalonamento de relatórios.
and Monitor Stakeholder engagement,
Engagement communication and
reporting.

453
Area Domain Objective ID Objective Practice ID Practice Name Activity

Governance Evaluate, Direct EDM05 Ensured EDM05.03 Monitor stakeholder 1. Avaliar periodicamente a eficácia dos mecanismos para
and Monitor Stakeholder engagement. garantir a exatidão e confiabilidade da notificação obrigatória.
Engagement

Governance Evaluate, Direct EDM05 Ensured EDM05.03 Monitor stakeholder 2. Avaliar periodicamente a eficácia dos mecanismos e os
and Monitor Stakeholder engagement. resultados do envolvimento e da comunicação com os
Engagement stakeholders externos e internos.

Governance Evaluate, Direct EDM05 Ensured EDM05.03 Monitor stakeholder 3. Determinar se os requisitos dos diferentes stakeholders são
and Monitor Stakeholder engagement. atendidos e avaliar os níveis de engajamento dos
Engagement stakeholders.

Management Align, Plan and APO01 Managed I&T APO01.01 Design the 1. Obter uma compreensão da visão, direção e estratégia da
Organize Management management system empresa, bem como do contexto e desafios empresariais
Framework for enterprise I&T. atuais.

Management Align, Plan and APO01 Managed I&T APO01.01 Design the 2. Considere o ambiente interno da empresa, incluindo
Organize Management management system cultura e filosofia de gestão, tolerância a riscos, política de
Framework for enterprise I&T. segurança e privacidade, valores éticos, código de conduta,
responsabilidade e requisitos de integridade de
gerenciamento.

Management Align, Plan and APO01 Managed I&T APO01.01 Design the 3. Aplicar os fatores de cascata e design de metas do COBIT à
Organize Management management system estratégia e ao contexto da empresa para decidir sobre
Framework for enterprise I&T. prioridades para o sistema de gestão e, assim, para
implementação de prioridades de objetivos de gestão.

454
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO01 Managed I&T APO01.01 Design the 4. Validar as prioridades selecionadas para a implementação
Organize Management management system dos objetivos de gestão com boas práticas ou requisitos
Framework for enterprise I&T. específicos do setor (por exemplo, regulamentos específicos
do setor) e com estruturas de governança apropriadas.

Management Align, Plan and APO01 Managed I&T APO01.02 Communicate 1. Fornecer recursos suficientes e qualificados para apoiar o
Organize Management management processo de comunicação.
Framework objectives, direction
and decisions made.

Management Align, Plan and APO01 Managed I&T APO01.02 Communicate 2. Definir regras básicas para a comunicação, identificando
Organize Management management necessidades de comunicação e implementando planos com
Framework objectives, direction base nessas necessidades, considerando a comunicação de
and decisions made. cima para baixo, de baixo para cima e horizontal.

Management Align, Plan and APO01 Managed I&T APO01.02 Communicate 3. Comunicar continuamente os objetivos e a direção de I&T.
Organize Management management Garantir que a comunicação seja apoiada pela gestão
Framework objectives, direction executiva em ações e palavras, utilizando todos os canais
and decisions made. disponíveis.

Management Align, Plan and APO01 Managed I&T APO01.02 Communicate 4. Garantir que as informações comunicadas englobe uma
Organize Management management missão claramente articulada, objetivos de serviço, política de
Framework objectives, direction segurança e privacidade, controles internos, qualidade, código
and decisions made. de ética/conduta, políticas e procedimentos, papéis e
responsabilidades, etc. Comunicar as informações no nível
apropriado de detalhes para os respectivos públicos dentro da
empresa.
Management Align, Plan and APO01 Managed I&T APO01.03 Implement 1. Desenvolver o modelo de processo de metas de governança
Organize Management management de I&T específico para a organização, baseado na seleção de
Framework processes (to support objetivos de gestão prioritários (produção de metas em
the achievement of cascata e exercício de fatores de projeto).
governance and
management
objectives).

455
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO01 Managed I&T APO01.03 Implement 2. Analisar a lacuna entre o modelo de processo alvo para a
Organize Management management organização e as práticas e atividades atuais.
Framework processes (to support
the achievement of
governance and
management
objectives).
Management Align, Plan and APO01 Managed I&T APO01.03 Implement 3. Elaborar um roteiro para a implementação de práticas e
Organize Management management atividades de processo ausentes. Use métricas práticas para
Framework processes (to support acompanhar a implementação bem-sucedida.
the achievement of
governance and
management
objectives).
Management Align, Plan and APO01 Managed I&T APO01.04 Define and implement 1. Identificar as decisões necessárias para o alcance dos
Organize Management the organizational resultados empresariais e da estratégia de I&T e para a gestão
Framework structures. e execução dos serviços de I&T.

Management Align, Plan and APO01 Managed I&T APO01.04 Define and implement 2. Envolver as partes interessadas que são críticas para a
Organize Management the organizational tomada de decisão (responsáveis, responsáveis, consultadas
Framework structures. ou informadas).

Management Align, Plan and APO01 Managed I&T APO01.04 Define and implement 3. Definir o escopo, foco, mandato e responsabilidades de
Organize Management the organizational cada função dentro da organização relacionada a I&T, em
Framework structures. linha com a direção de governança.

Management Align, Plan and APO01 Managed I&T APO01.04 Define and implement 4. Definir o escopo das funções internas e externas, das
Organize Management the organizational funções internas e externas e das capacidades e direitos de
Framework structures. decisão necessários para abranger todas as práticas, inclusive
as realizadas por terceiros.

456
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.04 | Define and implement the organizational structures. | 5. Align the I&T-related organization with the enterprise architecture organizational models.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.04 | Define and implement the organizational structures. | 6. Establish an I&T steering committee (or equivalent) composed of executive, business and I&T management to track the status of projects, resolve resource conflicts, and monitor service levels and service improvements.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.04 | Define and implement the organizational structures. | 7. Provide guidelines for each management structure (including mandate, objectives, meeting attendees, timing, tracking, supervision and oversight), as well as the required inputs and expected outcomes of meetings.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.04 | Define and implement the organizational structures. | 8. Regularly verify the adequacy and effectiveness of the organizational structures.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.05 | Establish roles and responsibilities. | 1. Establish, agree on and communicate I&T-related roles and responsibilities for all personnel in the enterprise, in alignment with business needs and objectives. Clearly delineate responsibilities and accountabilities, especially for decision making and approvals.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.05 | Establish roles and responsibilities. | 2. Consider requirements for enterprise and I&T service continuity when defining roles, including staff backup and cross-training requirements.


Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.05 | Establish roles and responsibilities. | 3. Provide input to the I&T service continuity process by keeping contact information and role descriptions in the enterprise up to date.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.05 | Establish roles and responsibilities. | 4. Include in role and responsibility descriptions specific requirements for adherence to management policies and procedures, the code of ethics, and professional practices.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.05 | Establish roles and responsibilities. | 5. Ensure that accountability is defined through roles and responsibilities.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.05 | Establish roles and responsibilities. | 6. Structure roles and responsibilities to reduce the possibility of a single role compromising a critical process.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.05 | Establish roles and responsibilities. | 7. Implement adequate supervisory practices to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and generally to review performance. The level of supervision should be aligned with the sensitivity of the position and the extent of the responsibilities assigned.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.06 | Optimize the placement of the IT function. | 1. Understand the context for the placement of the IT function, including an assessment of the enterprise strategy and operating model (centralized, federated, decentralized, hybrid), the importance of I&T, and the sourcing situation and options.


Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.06 | Optimize the placement of the IT function. | 2. Identify, evaluate and prioritize options for organizational placement, sourcing and operating models.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.06 | Optimize the placement of the IT function. | 3. Define the placement of the IT function and obtain agreement.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.07 | Define information (data) and system ownership. | 1. Provide guidelines to ensure appropriate and consistent classification of information items across the enterprise.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.07 | Define information (data) and system ownership. | 2. Create and maintain an inventory of information (systems and data) that includes a listing of owners, custodians and classifications. Include systems that are outsourced and those for which ownership should remain within the enterprise.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.07 | Define information (data) and system ownership. | 3. Assess and distinguish between critical (high-value) and non-critical data, information and systems. Ensure adequate protection for each category.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.08 | Define target skills and competencies. | 1. Identify the skills and competencies required to achieve the selected management objectives.


Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.08 | Define target skills and competencies. | 2. Analyze the gap between the target competencies and capabilities for the enterprise and the current competencies of the workforce. Refer to APO07 Managed Human Resources for skills development and management practices.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.09 | Define and communicate policies and procedures. | 1. Create a set of policies to drive I&T control expectations on relevant key topics such as quality, security, privacy, confidentiality, internal controls, use of I&T assets, ethics and intellectual property (IP) rights.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.09 | Define and communicate policies and procedures. | 2. Implement and enforce I&T policies uniformly for all relevant staff, so that they are embedded in and become an integral part of enterprise operations.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.09 | Define and communicate policies and procedures. | 3. Evaluate and update policies at least annually to accommodate changing operating or business environments.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | 1. Identify priority management objectives that can be achieved by automating services, applications or infrastructure.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | 2. Select and implement the most appropriate tools and communicate them to stakeholders.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.11 | Manage continual improvement of the I&T management system. | 1. Regularly assess the performance of the framework's components and take appropriate action.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.11 | Manage continual improvement of the I&T management system. | 2. Identify business-critical processes based on performance and compliance drivers and related risk. Assess capability and identify improvement targets. Analyze gaps in capability and control. Identify options for improving or redesigning the process.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.11 | Manage continual improvement of the I&T management system. | 3. Prioritize improvement initiatives based on potential benefits and costs. Implement agreed improvements, operate them as normal business practice, and set performance targets and metrics to enable monitoring of the improvements.

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.11 | Manage continual improvement of the I&T management system. | 4. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardization and/or automation of processes).

Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.11 | Manage continual improvement of the I&T management system. | 5. Apply quality management practices to update the process.


Management | Align, Plan and Organize | APO01 | Managed I&T Management Framework | APO01.11 | Manage continual improvement of the I&T management system. | 6. Retire outdated governance components (processes, information items, policies, etc.).

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.01 | Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and | 1. Develop and maintain an understanding of the enterprise's external environment.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.01 | Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and | 2. Develop and maintain an understanding of the current way of working, including the operating environment, the enterprise architecture (business, information, data, application and technology domains), the enterprise culture and current challenges.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.01 | Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and | 3. Develop and maintain an understanding of the enterprise's future direction, including the enterprise strategy, goals and objectives. Understand the enterprise's level of ambition in terms of digitalization, which may include a series of increasingly aspirational objectives, from cutting costs, increasing customer centricity or getting to market faster by digitalizing internal operations, through to creating streams

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.01 | Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and | 4. Identify the key stakeholders and obtain insight into their needs.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.02 | Assess current capabilities, performance and digital maturity of the enterprise. | 1. Develop a baseline of the current business and I&T capabilities and services. Include an assessment of externally provisioned services, I&T governance, and I&T-related skills and competencies across the enterprise.


Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.02 | Assess current capabilities, performance and digital maturity of the enterprise. | 2. Assess digital maturity across different dimensions (e.g., the leadership's ability to leverage technology, the level of technology risk accepted, the approach to innovation, the culture and the level of user knowledge). Assess the appetite for change.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.03 | Define target digital capabilities. | 2. Define high-level I&T objectives and goals and specify their contribution to the enterprise's objectives.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.03 | Define target digital capabilities. | 4. Determine the I&T organizational capabilities, methodologies and approaches required to realize the defined portfolio of I&T products and services. Consider different development methodologies (Agile, Scrum, waterfall, bimodal IT), depending on business requirements. Consider how each could help realize the I&T objectives.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.04 | Conduct a gap analysis. | 1. Identify all gaps and changes required to realize the target environment.


Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.04 | Conduct a gap analysis. | 2. Describe the high-level changes in the enterprise architecture (business, information, data, application and technology domains).

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.04 | Conduct a gap analysis. | 3. Consider the high-level implications of all gaps. Assess the impact of potential changes on the business and I&T operating models, I&T research and development capabilities, and I&T investment programs.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.04 | Conduct a gap analysis. | 4. Consider the value of potential changes to business and IT capabilities, I&T services and the enterprise architecture, and the implications if no changes are made.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.04 | Conduct a gap analysis. | 5. Refine the definition of the target environment and prepare a value statement describing the benefits of the target environment.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 1. Define the initiatives required to close the gaps between the current and target environments. Integrate the initiatives into a coherent I&T strategy that aligns I&T with all aspects of the business.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 2. Detail a road map that defines the incremental steps required to achieve the goals and objectives of the I&T strategy. Ensure that actions are included to train people in new skills, support the adoption of new technologies, sustain change across the organization, etc.


Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 3. Consider the external ecosystem (business partners, suppliers, start-ups, etc.) to help support execution of the road map.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 4. Group actions into programs and/or projects with a clear objective or deliverable. For each project, identify the high-level resource requirements, schedule, investment/operational budget, risk, change impact, etc.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 5. Determine dependencies, overlaps, synergies and impacts among projects, and prioritize.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 6. Finalize the road map, indicating the relative schedule and interdependencies of the projects.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 7. Ensure focus on the transformation journey. Appoint a champion for digital transformation and business/IT alignment (a Chief Digital Officer [CDO] or another traditional C-suite role).

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 8. Obtain support and formal approval of the plan from stakeholders.


Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.05 | Define the strategic plan and road map. | 9. Translate objectives into measurable outcomes represented by metrics (what) and targets (how much). Ensure that the outcomes and measures correlate with enterprise benefits.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.06 | Communicate the I&T strategy and direction. | 1. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.06 | Communicate the I&T strategy and direction. | 2. Prepare a communication package that delivers the plan effectively, using the available media and technologies.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.06 | Communicate the I&T strategy and direction. | 3. Develop and maintain a network to endorse, support and drive the I&T strategy.

Management | Align, Plan and Organize | APO02 | Managed Strategy | APO02.06 | Communicate the I&T strategy and direction. | 4. Obtain feedback and update the communication plan and delivery as required.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 1. Identify the key stakeholders and their concerns/objectives. Define the key enterprise requirements to be addressed, as well as the architecture views to be developed to satisfy stakeholder requirements.


Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 2. Identify enterprise goals and strategic drivers. Define the constraints that must be addressed, including enterprise-wide and project-specific constraints (e.g., time, schedule, resources, etc.).

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 3. Align the architecture objectives with the strategic program priorities.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 4. Understand the enterprise's capabilities and goals, then identify options to realize those goals.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 5. Assess the enterprise's readiness for change.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 6. Define the scope of the baseline architecture and the target architecture. Enumerate the items that are in scope as well as those out of scope. (The baseline and target architectures do not need to be described at the same level of detail.)

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 7. Understand the enterprise's current strategic goals and objectives. Work within the strategic planning process to ensure that I&T-related enterprise architecture opportunities are leveraged in developing the strategic plan.


Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 8. Based on stakeholder concerns, business capability requirements, scope, constraints and principles, create the architecture vision (i.e., the high-level view of the baseline and target architectures).

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 9. Confirm and elaborate the architecture principles, including enterprise principles. Ensure that all existing definitions are current. Clarify any areas of ambiguity.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 10. Identify the enterprise change risk associated with the architecture vision. Assess the initial level of risk (e.g., critical, marginal or negligible). Develop a mitigation strategy for each significant risk.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 11. Develop an enterprise architecture concept business case and outline plans and a statement of architecture work. Secure approval to initiate a project aligned and integrated with the enterprise strategy.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.01 | Develop the enterprise architecture vision. | 12. Define the value propositions, goals and metrics of the target architecture.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 1. Maintain an architecture repository containing standards, reusable components, modeling artifacts, relationships, dependencies and views, to enable uniformity of the organization and maintenance of the architecture.


Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 2. Select reference viewpoints from the architecture repository that enable the architect to demonstrate how stakeholder concerns are addressed in the architecture.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 3. For each viewpoint, select the models needed to support the specific view required. Use the selected tools or methods and the appropriate level of decomposition.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 4. Develop baseline architecture domain descriptions, using the scope and level of detail necessary to support the target architecture and, to the extent possible, identifying relevant architecture building blocks from the architecture repository.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 5. Maintain a process architecture model as part of the baseline and target domain descriptions. Standardize process descriptions and documentation. Define the roles and responsibilities of the process decision makers, process owner, process users, process team and any other process stakeholders who should be involved.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 6. Maintain an information architecture model as part of the baseline and target domain descriptions, consistent with the enterprise strategy to acquire, store and use data optimally to support decision making.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 7. Verify the internal consistency and accuracy of the architecture models. Perform a gap analysis between the baseline and the target. Prioritize the gaps and define the new or modified components that must be developed for the target architecture. Resolve incompatibilities, inconsistencies or conflicts within the target architecture.


Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 8. Conduct a formal stakeholder review, examining the proposed architecture against the original intent of the architecture project and the statement of architecture work.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.02 | Define reference architecture. | 9. Finalize the business, information, data, application and technology domain architectures. Create an architecture definition document.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 1. Determine and confirm the key enterprise change attributes. Consider the enterprise culture, the potential impact of culture on architecture implementation, and the enterprise's capabilities for the transition.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 2. Identify any enterprise drivers that would constrain the implementation sequence. Include a review of the enterprise and line-of-business strategic and business plans. Consider the current maturity of the enterprise architecture.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 3. Review and consolidate the results of the gap analysis between the baseline and target architectures. Assess the implications with respect to potential solutions, opportunities, interdependencies and alignment with current I&T-enabled programs.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 4. Assess requirements, gaps, solutions and other factors to identify a minimal set of functional requirements whose integration into work packages would lead to a more efficient and effective implementation of the target architecture.


Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 5. Reconcile the consolidated requirements with the potential solutions.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 6. Refine the initial dependencies and identify constraints on the implementation and migration plans. Compile a dependency analysis report.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 7. Confirm the enterprise's readiness for, and the risk associated with, the enterprise transformation.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 8. Formulate a high-level strategy for implementation and migration. Implement the target architecture (and arrange any transition architectures) in accordance with the enterprise's overall strategy, objectives and timelines.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 9. Identify and group the major work packages into a coherent set of programs and projects, respecting the enterprise's strategic implementation direction and approach.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.03 | Select opportunities and solutions. | 10. Develop transition architectures where the scope of change required by the target architecture calls for an incremental approach.


Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.04 | Define architecture implementation. | 1. Establish the items required in the implementation and migration plan as part of program and project planning. Ensure that the plan is aligned with the requirements of the relevant decision makers.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.04 | Define architecture implementation. | 2. Confirm the increments and phases of the transition architecture. Update the architecture definition document.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.04 | Define architecture implementation. | 3. Define and complete the architecture implementation and migration plan, including the relevant governance requirements. Integrate the plan, activities and dependencies into program and project planning.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.04 | Define architecture implementation. | 4. Communicate the defined architecture road map to the relevant stakeholders. Inform stakeholders about the target architecture definition, architecture guidelines and principles, service portfolio, etc.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.05 | Provide enterprise architecture services. | 1. Confirm scope and priorities and provide guidance for solution development and deployment (e.g., using service-oriented architecture).

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.05 | Provide enterprise architecture services. | 2. Manage enterprise architecture requirements and support the business and IT with advice and expertise on architecture principles, models and building blocks. Ensure that new implementations (as well as changes to the current architecture) are aligned with enterprise architecture principles and requirements.


Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.05 | Provide enterprise architecture services. | 3. Manage the enterprise architecture services portfolio and ensure alignment with strategic objectives and solution development.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.05 | Provide enterprise architecture services. | 4. Identify the enterprise architecture priorities. Align the priorities to value drivers. Define and collect value metrics, and measure and communicate the value of enterprise architecture.

Management | Align, Plan and Organize | APO03 | Managed Enterprise Architecture | APO03.05 | Provide enterprise architecture services. | 5. Establish a technology forum to provide architectural guidelines, advise projects and guide technology selection. Measure compliance with standards and guidelines, including compliance with external requirements and internal business relevance.

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.01 | Create an environment conducive to innovation. | 1. Create an innovation plan that includes risk appetite, a proposed budget for innovation initiatives, and innovation objectives.

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.01 | Create an environment conducive to innovation. | 2. Provide infrastructure that can be a governance component for innovation (e.g., collaboration tools to improve work across geographic locations and/or divisions).

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.01 | Create an environment conducive to innovation. | 3. Maintain a program that enables staff to submit innovation ideas, and create an appropriate decision-making structure to assess and take ideas forward.


Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.01 | Create an environment conducive to innovation. | 4. Encourage innovation ideas from customers, suppliers and business partners.

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.02 | Maintain an understanding of the enterprise environment. | 1. Maintain an understanding of industry and business drivers, the enterprise and I&T strategy, enterprise operations and current challenges. Apply this understanding to identify value-add technology potential and to innovate I&T.

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.02 | Maintain an understanding of the enterprise environment. | 2. Conduct regular meetings with business units, divisions and/or other stakeholder entities to understand current business problems, process bottlenecks or other constraints where emerging technologies or I&T innovation can create opportunities.

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.02 | Maintain an understanding of the enterprise environment. | 3. Understand enterprise investment parameters for innovation and new technology so appropriate strategies are developed.

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.03 | Monitor and scan the technology environment. | 1. Understand enterprise appetite and potential for technology innovation. Focus awareness efforts on the most opportune technology innovations.

Management | Align, Plan and Organize | APO04 | Managed Innovation | APO04.03 | Monitor and scan the technology environment. | 2. Set up a technology watch process and perform research and scanning of the external environment, including appropriate websites, journals and conferences, to identify emerging technologies and their potential value to the enterprise.


Management | Align, Plan and Organize | APO04 Managed Innovation | APO04.03 Monitor and scan the technology environment.
3. Consult third-party experts as necessary to confirm research or supply information on emerging technologies.
4. Capture I&T-innovation ideas from staff and review for potential implementation.

Management | Align, Plan and Organize | APO04 Managed Innovation | APO04.04 Assess the potential of emerging technologies and innovative ideas.
1. Evaluate identified technologies, considering aspects such as time to reach maturity, inherent risk (including potential legal implications), fit with enterprise architecture and value potential, in line with enterprise and I&T strategy.
2. Identify issues that may need to be resolved or validated through a proof-of-concept initiative.
3. Scope the proof-of-concept initiative, including desired outcomes, required budget, time frames and responsibilities.
4. Obtain approval for the proof-of-concept initiative.


Management | Align, Plan and Organize | APO04 Managed Innovation | APO04.04 Assess the potential of emerging technologies and innovative ideas.
5. Conduct proof-of-concept initiatives to test emerging technologies or other innovation ideas. Identify issues and determine whether implementation or rollout should be considered based on feasibility and potential ROI.

Management | Align, Plan and Organize | APO04 Managed Innovation | APO04.05 Recommend appropriate further initiatives.
1. Document proof-of-concept results, including guidance and recommendations for trends and innovation programs.
2. Communicate viable innovation opportunities into the I&T strategy and enterprise architecture processes.
3. Analyze and communicate reasons for rejected proof-of-concept initiatives.
4. Follow up on proof-of-concept initiatives to measure actual investment.

Management | Align, Plan and Organize | APO04 Managed Innovation | APO04.06 Monitor the implementation and use of innovation.
1. Capture lessons learned and opportunities for improvement.


Management | Align, Plan and Organize | APO04 Managed Innovation | APO04.06 Monitor the implementation and use of innovation.
2. Ensure that innovation initiatives align with enterprise and I&T strategy. Monitor alignment continuously. Adjust innovation plan, if required.
3. Assess new technology or I&T innovations implemented as part of I&T strategy and enterprise architecture development. Evaluate level of adoption during program management of initiatives.
4. Identify and assess potential value of innovation.

Management | Align, Plan and Organize | APO05 Managed Portfolio | APO05.01 Determine the availability and sources of funds.
1. Understand current availability and commitment of funds, current approved spend and actual spend to date.
2. Identify options for additional funding of I&T-enabled investments, considering both internal and external sources.
3. Determine the implications of the funding source on the investment return expectations.


Management | Align, Plan and Organize | APO05 Managed Portfolio | APO05.02 Evaluate and select programs to fund.
1. Identify and classify investment opportunities in line with investment portfolio categories. Specify expected enterprise outcome(s), initiatives required to achieve expected outcome(s), high-level costs, dependencies and risk. Specify methodology for measuring outcomes, cost and risk.
2. Perform detailed assessment of all program business cases. Evaluate strategic alignment, enterprise benefit, risk and availability of resources.
3. Assess impact of adding potential programs on overall investment portfolio, including changes that might be required to other programs.
4. Decide which candidate programs should be moved to the active investment portfolio. Decide whether rejected programs should be held for future consideration or provided with seed funding to determine if business case can be improved or discarded.
5. Determine required milestones for each selected program's full economic life cycle. Allocate and reserve total program funding per milestone. Move the program into the active investment portfolio.
6. Establish procedures to communicate the cost, benefit and risk-related aspects of portfolios for consideration in budget prioritization, cost management and benefit management processes.


Management | Align, Plan and Organize | APO05 Managed Portfolio | APO05.03 Monitor, optimize and report on investment portfolio performance.
1. Review portfolio regularly to identify and exploit synergies, eliminate duplication among programs, and identify and mitigate risk.
2. When changes occur, reevaluate and reprioritize portfolio to ensure alignment with business and I&T strategy. Maintain target mix of investments so that the portfolio optimizes overall value. Programs may be changed, deferred or retired, and new programs may be initiated, to rebalance and optimize portfolio.
3. Adjust enterprise targets, forecasts, budgets and, if required, degree of monitoring to reflect expenditures and enterprise benefits attributable to programs in the active investment portfolio. Charge back program expenditures. Establish flexible budgeting processes so that promising projects get resources to scale quickly.
4. Develop metrics to measure I&T contribution to the enterprise. Establish appropriate performance targets reflecting required I&T and enterprise capability targets. Use guidance from external experts and benchmark data to develop metrics.
5. Provide an accurate view of the performance of the investment portfolio to all stakeholders.
6. Provide reports for senior management’s review of enterprise progress towards identified goals, stating what still needs to be spent and accomplished over given time frames.


Management | Align, Plan and Organize | APO05 Managed Portfolio | APO05.03 Monitor, optimize and report on investment portfolio performance.
7. In regular performance monitoring, include information on the extent to which planned objectives have been achieved, risk mitigated, capabilities created, deliverables obtained and performance targets met.
8. Identify deviations for budget vs. actual spend and expected ROI on investments.

Management | Align, Plan and Organize | APO05 Managed Portfolio | APO05.04 Maintain portfolios.
1. Create and maintain portfolios of I&T-enabled investment programs, I&T services and I&T assets, which form the basis for the current I&T budget and support the I&T tactical and strategic plans.
2. Work with service delivery managers to maintain the service portfolios. Work with operations managers, product managers and architects to maintain the asset portfolios. Prioritize portfolios to support investment decisions.
3. Remove a program from the active investment portfolio when the desired enterprise benefits have been achieved or when it is clear that benefits will not be achieved within the value criteria set for the program.

Management | Align, Plan and Organize | APO05 Managed Portfolio | APO05.05 Manage benefits achievement.
1. Use the agreed metrics and track how benefits are achieved, how they evolve throughout the life cycle of programs and projects, how they are being delivered from I&T products and services, and how they compare to internal and industry benchmarks. Communicate results to stakeholders.


Management | Align, Plan and Organize | APO05 Managed Portfolio | APO05.05 Manage benefits achievement.
2. Implement corrective action when achieved benefits significantly deviate from expected benefits. Update the business case for new initiatives and implement business process and service improvements as required.
3. Consider obtaining guidance from external experts, industry leaders and comparative benchmarking data to test and improve the metrics and targets.

Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.01 Manage finance and accounting.
1. Define processes, inputs, outputs and responsibilities for the financial management and accounting of I&T in alignment with the enterprise budgeting and cost accounting policies and approach. Define how to analyze and report (to whom and how) on the I&T budget control process.
2. Define a classification scheme to identify all I&T-related cost elements (capital expenditures [capex] vs. operational expenses [opex], hardware, software, people, etc.). Identify how they are captured.
3. Use financial information to provide input to business cases for new investments in I&T assets and services.
4. Ensure that costs are maintained in the I&T assets and services portfolios.


Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.01 Manage finance and accounting.
5. Establish and maintain practices for financial planning and the optimization of recurring operational costs to deliver maximum value to the enterprise for the least expenditure.

Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.02 Prioritize resource allocation.
1. Rank all I&T initiatives and budget requests based on business cases and strategic and tactical priorities. Establish procedures to determine budget allocations and cutoff.
2. Allocate business and IT resources (including external service providers) within the high-level budget allocations for I&T-enabled programs, services and assets. Consider the options for buying or developing capitalized assets and services vs. externally utilized assets and services on a pay-for-use basis.
3. Establish a procedure to communicate budget decisions and review them with the business unit budget holders.
4. Identify, communicate and resolve significant impacts of budget decisions on business cases, portfolios and strategy plans. For example, this may include when budgets require revision due to changing enterprise circumstances or when they are not sufficient to support strategic objectives or business case objectives.
5. Obtain ratification from the executive committee for the I&T budget implications that negatively impact the entity’s strategic or tactical plans. Suggest actions to resolve these impacts.


Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.03 Create and maintain budgets.
1. Implement a formal I&T budget, including all expected I&T costs of I&T-enabled programs, services and assets.
2. When creating the budget, consider the following components: alignment with the business; alignment with the sourcing strategy; authorized sources of funding; internal resource costs, including personnel, information assets and accommodations; third-party costs, including outsourcing contracts, consultants and service providers; capital and operational expenses; and cost elements that depend on the
3. Document the rationale to justify contingencies and review them regularly.
4. Instruct process, service and program owners, as well as project and asset managers, to plan budgets.
5. Review the budget plans and make decisions about budget allocations. Compile and adjust the budget based on changing enterprise needs and financial considerations.
6. Record, maintain and communicate the current I&T budget, including committed expenditures and current expenditures, considering I&T projects recorded in the I&T-enabled investment portfolios and operation and maintenance of asset and service portfolios.


Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.03 Create and maintain budgets.
7. Monitor the effectiveness of the different aspects of budgeting.
8. Use the monitoring results to implement improvements and ensure that future budgets are more accurate, reliable and cost-effective.

Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.04 Model and allocate costs.
1. Decide on a cost allocation model that enables fair, transparent, repeatable and comparable allocation of I&T-related costs to users. A basic allocation model example is the even spread of shared I&T-related costs. This is a very simple allocation model that is easy to apply; however, depending on the context of the enterprise, it is often viewed as unfair and it does not encourage responsible use of resources. An
2. Inspect service definition catalogs to identify services subject to user chargeback and those that are shared services.
3. Design the cost model to be transparent enough to allow users to identify their actual usage and charges by using categories and cost drivers that make sense for the user (e.g., cost per help desk call, cost per software license) and to better enable predictability of I&T costs and efficient and effective utilization of I&T resources. Analyze cost drivers (time spent per activity, expenses, portion of fixed vs. variable costs, etc.).
4. Explain the cost model principles and outcome to key stakeholders. Obtain their feedback for further fine-tuning toward a transparent and comprehensive model.


Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.04 Model and allocate costs.
5. Obtain approval of key stakeholders and communicate the I&T costing model to the management of user departments.
6. Communicate important changes in the cost/chargeback model principles to key stakeholders and management of user departments.

Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.05 Manage costs.
1. Obtain approval of key stakeholders and communicate the I&T costing model to the management of user departments.
2. Establish time scales for the operation of the cost management process in line with budgeting and accounting requirements and timeline.
3. Define a method for the collection of relevant data to identify deviations in budget vs. actuals, investment ROI, service cost trends, etc.
4. Define how costs are consolidated for the appropriate levels in the enterprise (central IT vs. IT budget within business departments) and how they will be presented to the stakeholders. The reports provide information on costs per cost category, budget vs. actuals status, top spending, etc., to enable the timely identification of required corrective actions.


Management | Align, Plan and Organize | APO06 Managed Budget and Costs | APO06.05 Manage costs.
5. Instruct those responsible for cost management to capture, collect and consolidate the data, and present and report the data to the appropriate budget owners. Budget analysts and owners jointly analyze deviations and compare performance to internal and industry benchmarks. They should establish and maintain the overheads allocation method. The result of the analysis provides an explanation of significant deviations
6. Ensure that the appropriate levels of management review the results of the analysis and approve suggested corrective actions.
7. Ensure that changes in cost structures and enterprise needs are identified and budgets and forecasts are revised as required.
8. At regular intervals, and especially when budgets are cut due to financial constraints, identify ways to optimize costs and introduce efficiencies without jeopardizing services.

Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.01 Acquire and maintain adequate and appropriate staffing.
1. Evaluate staffing requirements on a regular basis or upon major changes. Ensure that both the enterprise and the IT function have sufficient resources to support enterprise goals and objectives, business processes and controls, and I&T-enabled initiatives adequately and appropriately.
2. Maintain business and IT personnel recruitment and retention processes in line with the overall enterprise’s personnel policies and procedures.


Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.01 Acquire and maintain adequate and appropriate staffing.
3. Establish flexible resource arrangements, such as the use of transfers, external contractors and third-party service arrangements, to support changing business needs.
4. Include background checks in the IT recruitment process for employees, contractors and vendors. The extent and frequency of these checks should depend on the sensitivity and/or criticality of the function.

Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.02 Identify key IT personnel.
1. As a security precaution, provide guidelines on a minimum time of annual vacation to be taken by key individuals.
2. Take appropriate actions regarding job changes, especially job terminations.
3. Use knowledge capture (documentation), knowledge sharing, succession planning, staff backup, cross-training and job rotation initiatives to minimize reliance on a single individual performing a critical job function.
4. Regularly test staff backup plans.


Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.03 Maintain the skills and competencies of personnel.
1. Identify currently available skills and competencies of internal and external resources.
2. Identify gaps between required and available skills. Develop action plans, such as training (technical and behavioral skills), recruitment, redeployment and changed sourcing strategies, to address the gaps on an individual and collective basis.
3. Review training materials and programs on a regular basis. Ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.
4. Provide access to knowledge repositories to support the development of skills and competencies.
5. Develop and deliver training programs based on organizational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct, security and privacy.
6. Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.


Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.04 Assess and recognize/reward employee job performance.
1. Consider functional/enterprise goals as the context for setting individual goals.
2. Set individual goals aligned with the relevant I&T and enterprise goals. Base goals on specific, measurable, achievable, relevant and time-bound (SMART) objectives that reflect core competencies, enterprise values and skills required for the role(s).
3. Provide timely feedback regarding performance against the individual’s goals.
4. Provide specific instructions for the use and storage of personal information in the evaluation process, in compliance with applicable personal data and employment legislation.
5. Compile 360-degree performance evaluation results.
6. Provide formal career planning and professional development plans based on the results of the evaluation process to encourage competency development and opportunities for personal advancement and to reduce dependence on key individuals. Provide employee coaching on performance and conduct whenever appropriate.


Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.04 Assess and recognize/reward employee job performance.
7. Implement a remuneration/recognition process that rewards appropriate commitment, competency development and successful attainment of performance goals. Ensure that the process is applied consistently and in line with organizational policies.
8. Implement and communicate a disciplinary process.

Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.05 Plan and track the usage of IT and business human resources.
1. Create and maintain an inventory of business and IT human resources.
2. Understand the current and future demand for human resources to support the achievement of I&T objectives and to deliver services and solutions based on the portfolio of current I&T-related initiatives, the future investment portfolio and day-to-day operational needs.
3. Identify shortfalls and provide input into sourcing plans as well as enterprise and IT recruitment processes. Create and review the staffing plan, keeping track of actual usage.
4. Maintain adequate information on the time spent on different tasks, assignments, services or projects.


Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.06 Manage contract staff.
1. Implement contract staff policies and procedures.
2. At the commencement of the contract, obtain formal agreement from contractors that they are required to comply with the enterprise’s I&T control framework, such as policies for security clearance, physical and logical access control, use of facilities, information confidentiality requirements, and nondisclosure agreements.
3. Advise contractors that management reserves the right to monitor and inspect all usage of IT resources, including email, voice communications, and all programs and data files.
4. As part of their contracts, provide contractors with a clear definition of their roles and responsibilities, including explicit requirements to document their work to agreed standards and formats.
5. Review contractors’ work and base the approval of payments on the results.
6. In formal and unambiguous contracts, define all work performed by external parties.


Management | Align, Plan and Organize | APO07 Managed Human Resources | APO07.06 Manage contract staff.
7. Conduct periodic reviews to ensure that contract staff have signed and agreed on all necessary agreements.
8. Conduct periodic reviews to ensure that contractors’ roles and access rights are appropriate and in line with agreements.

Management | Align, Plan and Organize | APO08 Managed Relationships | APO08.01 Understand business expectations.
1. Identify business stakeholders, their interests and their areas of responsibilities.
2. Review current enterprise direction, issues, strategic objectives, and alignment with enterprise architecture.
3. Understand the current business environment, process constraints or issues, geographical expansion or contraction, and industry/regulatory drivers.
4. Maintain an awareness of business processes and associated activities. Understand demand patterns that relate to service volumes and use.

492
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO08 Managed APO08.01 Understand business 5. Manage expectations by ensuring that business units
Organize Relationships expectations. understand priorities, dependencies, financial constraints and
the need to schedule requests.

Management Align, Plan and APO08 Managed APO08.01 Understand business 6. Clarify business expectations for I&T-enabled services and
Organize Relationships expectations. solutions. Ensure that requirements are defined with
associated business acceptance criteria and metrics.

Management Align, Plan and APO08 Managed APO08.01 Understand business 7. Confirm that there is agreement between IT and all
Organize Relationships expectations. business departments on expectations and how they will be
measured. Ensure that this agreement is confirmed by all
stakeholders.

Management Align, Plan and APO08 Managed APO08.02 Align I&T strategy 1. Position IT as a partner to the business. Play a proactive
Organize Relationships with business role in identifying and communicating with key stakeholders
expectations and on opportunities, risk and constraints. This includes current
identify opportunities and emerging technologies, services and business process
for IT to enhance the models.
business.
Management Align, Plan and APO08 Managed APO08.02 Align I&T strategy 2. Collaborate on major new initiatives with portfolio,
Organize Relationships with business program and project management. Ensure the involvement of
expectations and the IT organization from the start of a new initiative by
identify opportunities providing value-add advice and recommendations (e.g., for
for IT to enhance the business case development, requirements definition, solution
business. design) and by taking ownership for I&T work streams.
Management Align, Plan and APO08 Managed APO08.03 Manage the business 1. Assign a relationship manager as a single point of contact
Organize Relationships relationship. for each significant business unit. Ensure that a single
counterpart is identified in the business organization and the
counterpart has business understanding, sufficient technology
awareness and the appropriate level of authority.

493
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO08 Managed APO08.03 Manage the business 2. Manage the relationship in a formalized and transparent
Organize Relationships relationship. way that ensures a focus on achieving a common and shared
goal of successful enterprise outcomes in support of strategic
goals and within the constraint of budgets and risk tolerance.

Management Align, Plan and APO08 Managed APO08.03 Manage the business 3. Define and communicate a complaints and escalation
Organize Relationships relationship. procedure to resolve any relationship issues.

Management Align, Plan and APO08 Managed APO08.03 Manage the business 4. Ensure that key decisions are agreed and approved by
Organize Relationships relationship. relevant accountable stakeholders.

Management Align, Plan and APO08 Managed APO08.03 Manage the business 5. Plan specific interactions and schedules based on mutually
Organize Relationships relationship. agreed objectives and common language (service and
performance review meetings, review of new strategies or
plans, etc.).

Management Align, Plan and APO08 Managed APO08.04 Coordinate and 1. Coordinate and communicate changes and transition
Organize Relationships communicate. activities such as project or change plans, schedules, release
policies, release known errors, and training awareness.

Management Align, Plan and APO08 Managed APO08.04 Coordinate and 2. Coordinate and communicate operational activities, roles
Organize Relationships communicate. and responsibilities, including the definition of request types,
hierarchical escalation, major outages (planned and
unplanned), and content and frequency of service reports.

494
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO08 Managed APO08.04 Coordinate and 3. Take ownership of the response to the business for major
Organize Relationships communicate. events that may influence the relationship with the business.
Provide direct support if required.

Management Align, Plan and APO08 Managed APO08.04 Coordinate and 4. Maintain an end-to-end communication plan that defines
Organize Relationships communicate. the content, frequency and recipients of service delivery
information, including status of value delivered and any risk
identified.

Management Align, Plan and APO08 Managed APO08.05 Provide input to the 1. Perform customer and provider satisfaction analysis.
Organize Relationships continual Ensure that issues are addressed; report results and status.
improvement of
services.

Management Align, Plan and APO08 Managed APO08.05 Provide input to the 2. Work together to identify, communicate and implement
Organize Relationships continual improvement initiatives.
improvement of
services.

Management Align, Plan and APO08 Managed APO08.05 Provide input to the 3. Work with service management and process owners to
Organize Relationships continual ensure that I&T-enabled services and service management
improvement of processes are continually improved and the root causes of any
services. issues are identified and resolved.

Management Align, Plan and APO09 Managed Service APO09.01 Identify I&T services. 1. Assess current I&T services and service levels to identify
Organize Agreements gaps between existing services and the business activities they
support. Identify areas for improvement of existing services
and service level options.

495
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO09 Managed Service APO09.01 Identify I&T services. 2. Analyze, study and estimate future demand and confirm
Organize Agreements capacity of existing I&T-enabled services.

Management Align, Plan and APO09 Managed Service APO09.01 Identify I&T services. 3. Analyze business process activities to identify the need for
Organize Agreements new or redesigned I&T services.

Management Align, Plan and APO09 Managed Service APO09.01 Identify I&T services. 4. Compare identified requirements to existing service
Organize Agreements components in the portfolio. If possible, package existing
service components (I&T services, service level options and
service packages) into new service packages to meet
identified business requirements.

Management Align, Plan and APO09 Managed Service APO09.01 Identify I&T services. 5. Regularly review the portfolio of I&T services with portfolio
Organize Agreements management and business relationship management to
identify obsolete services. Agree on retirement and propose
change.

Management Align, Plan and APO09 Managed Service APO09.01 Identify I&T services. 6. Where possible, match demands to service packages and
Organize Agreements create standardized services to obtain overall efficiencies.

Management Align, Plan and APO09 Managed Service APO09.02 Catalog I&T-enabled 1. Publish in catalogues relevant live I&T-enabled services,
Organize Agreements services. service packages and service level options from the portfolio.

496
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO09 Managed Service APO09.02 Catalog I&T-enabled 2. Continually ensure that the service components in the
Organize Agreements services. portfolio and the related service catalogues are complete and
up to date.

Management Align, Plan and APO09 Managed Service APO09.02 Catalog I&T-enabled 3. Inform business relationship management of any updates
Organize Agreements services. to the service catalogues.

Management Align, Plan and APO09 Managed Service APO09.03 Define and prepare 1. Analyze requirements for new or changed service
Organize Agreements service agreements. agreements received from business relationship management
to ensure that the requirements can be matched. Consider
aspects such as service times, availability, performance,
capacity, security, privacy, continuity, compliance and
regulatory issues, usability, demand constraints, and data
quality.
Management Align, Plan and APO09 Managed Service APO09.03 Define and prepare 2. Draft customer service agreements based on the services,
Organize Agreements service agreements. service packages and service level options in the relevant
service catalogues.

Management Align, Plan and APO09 Managed Service APO09.03 Define and prepare 3. Finalize customer service agreements with business
Organize Agreements service agreements. relationship management.

Management Align, Plan and APO09 Managed Service APO09.03 Define and prepare 4. Determine, agree on and document internal operational
Organize Agreements service agreements. agreements to underpin the customer service agreements, if
applicable.

497
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO09 Managed Service APO09.03 Define and prepare 5. Liaise with supplier management to ensure that
Organize Agreements service agreements. appropriate commercial contracts with external service
providers underpin the customer service agreements, if
applicable.

Management Align, Plan and APO09 Managed Service APO09.04 Monitor and report 1. Establish and maintain measures to monitor and collect
Organize Agreements service levels. service level data.

Management Align, Plan and APO09 Managed Service APO09.04 Monitor and report 2. Evaluate performance and provide regular and formal
Organize Agreements service levels. reporting of service agreement performance, including
deviations from the agreed values. Distribute this report to
business relationship management.

Management Align, Plan and APO09 Managed Service APO09.04 Monitor and report 3. Perform regular reviews to forecast and identify trends in
Organize Agreements service levels. service level performance. Incorporate quality management
practices in the service monitoring.

Management Align, Plan and APO09 Managed Service APO09.04 Monitor and report 4. Provide the appropriate management information to aid
Organize Agreements service levels. performance management.

Management Align, Plan and APO09 Managed Service APO09.04 Monitor and report 5. Agree on action plans and remediations for any
Organize Agreements service levels. performance issues or negative trends.

498
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO09 Managed Service APO09.05 Review service 1. Regularly review service agreements according to the
Organize Agreements agreements and agreed terms to ensure that they are effective and up to date.
contracts. When appropriate, take into account changes in
requirements, I&T-enabled services, service packages or
service level options.

Management Align, Plan and APO09 Managed Service APO09.05 Review service 2. When needed, revise the existing service agreement with
Organize Agreements agreements and the service provider. Agree on and update the internal
contracts. operational agreements.

Management Align, Plan and APO10 Managed APO10.01 Identify and evaluate 1. Continuously scan the enterprise landscape in search for
Organize Vendors vendor relationships new partners and vendors that can provide complementary
and contracts. capabilities and support the realization of the I&T strategy,
road map and enterprise objectives.

Management Align, Plan and APO10 Managed APO10.01 Identify and evaluate 2. Establish and maintain criteria relating to type, significance
Organize Vendors vendor relationships and criticality of vendors and vendor contracts, enabling a
and contracts. focus on preferred and important vendors.

Management Align, Plan and APO10 Managed APO10.01 Identify and evaluate 3. Identify, record and categorize existing vendors and
Organize Vendors vendor relationships contracts according to defined criteria to maintain a detailed
and contracts. register of preferred vendors that need to be managed
carefully.

Management Align, Plan and APO10 Managed APO10.01 Identify and evaluate 4. Establish and maintain vendor and contract evaluation
Organize Vendors vendor relationships criteria to enable overall review and comparison of vendor
and contracts. performance in a consistent way.

499
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO10 Managed APO10.01 Identify and evaluate 5. Periodically evaluate and compare the performance of
Organize Vendors vendor relationships existing and alternative vendors to identify opportunities or a
and contracts. compelling need to reconsider current vendor contracts.

Management Align, Plan and APO10 Managed APO10.02 Select vendors. 1. Review all requests for information (RFIs) and requests for
Organize Vendors proposals (RFPs) to ensure that they clearly define
requirements (e.g., enterprise requirements for security and
privacy of information, operational business and I&T
processing requirements, priorities for service delivery) and
include a procedure to clarify requirements. The RFIs and RFPs
should allow vendors sufficient time to prepare their
Management Align, Plan and APO10 Managed APO10.02 Select vendors. 2. Evaluate RFIs and RFPs in accordance with the approved
Organize Vendors evaluation process/criteria and maintain documentary
evidence of the evaluations. Verify the references of
candidate vendors.

Management Align, Plan and APO10 Managed APO10.02 Select vendors. 3. Select the vendor that best fits the RFP. Document and
Organize Vendors communicate the decision, and sign the contract.

Management Align, Plan and APO10 Managed APO10.02 Select vendors. 4. In the specific case of software acquisition, include and
Organize Vendors enforce the rights and obligations of all parties in the
contractual terms. These rights and obligations may include
ownership and licensing of IP; maintenance; warranties;
arbitration procedures; upgrade terms; and fit for purpose,
including security, privacy, escrow and access rights.
Management Align, Plan and APO10 Managed APO10.02 Select vendors. 5. In the specific case of acquisition of development
Organize Vendors resources, include and enforce the rights and obligations of all
parties in the contractual terms. These rights and obligations
may include ownership and licensing of IP; fit for purpose,
including development methodologies; testing; quality
management processes, including required performance
criteria; performance reviews; basis for payment; warranties;

500
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO10 Managed APO10.02 Select vendors. 6. Obtain legal advice on resource development acquisition
Organize Vendors agreements regarding ownership and licensing of IP.

Management Align, Plan and APO10 Managed APO10.02 Select vendors. 7. In the specific case of acquisition of infrastructure, facilities
Organize Vendors and related services, include and enforce the rights and
obligations of all parties in the contractual terms. These rights
and obligations may include service levels, maintenance
procedures, access controls, security, privacy, performance
review, basis for payment and arbitration procedures.
Management Align, Plan and APO10 Managed APO10.03 Manage vendor 1. Assign relationship owners for all vendors and make them
Organize Vendors relationships and accountable for the quality of service(s) provided.
contracts.

Management Align, Plan and APO10 Managed APO10.03 Manage vendor 2. Specify a formal communication and review process,
Organize Vendors relationships and including vendor interactions and schedules.
contracts.

Management Align, Plan and APO10 Managed APO10.03 Manage vendor 3. Agree on, manage, maintain and renew formal contracts
Organize Vendors relationships and with the vendor. Ensure that contracts conform to enterprise
contracts. standards and legal and regulatory requirements.

Management Align, Plan and APO10 Managed APO10.03 Manage vendor 4. Include provisions in contracts with key service vendors for
Organize Vendors relationships and review of the vendor site and internal practices and controls
contracts. by management or independent third parties. Agree on
independent audit and assurance controls of the operational
environments of vendors providing outsourced services to
confirm that agreed requirements are being adequately
addressed.

501
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO10 Managed APO10.03 Manage vendor 5. Use established procedures to deal with contract disputes.
Organize Vendors relationships and Whenever possible, first use effective relationships and
contracts. communications to overcome service problems.

Management Align, Plan and APO10 Managed APO10.03 Manage vendor 6. Define and formalize roles and responsibilities for each
Organize Vendors relationships and service vendor. Where several vendors combine to provide a
contracts. service, consider allocating a lead contractor role to one of
the vendors to take responsibility for an overall contract.

Management Align, Plan and APO10 Managed APO10.03 Manage vendor 7. Evaluate the effectiveness of the relationship and identify
Organize Vendors relationships and necessary improvements.
contracts.

Management Align, Plan and APO10 Managed APO10.03 Manage vendor 8. Define, communicate and agree on ways to implement
Organize Vendors relationships and required improvements to the relationship.
contracts.

Management Align, Plan and APO10 Managed APO10.04 Manage vendor risk. 1. When preparing the contract, provide for potential service
Organize Vendors risk by clearly defining service requirements, including
software escrow agreements, alternative vendors or standby
agreements to mitigate possible vendor failure; security and
protection of IP; privacy; and any legal or regulatory
requirements.
Management Align, Plan and APO10 Managed APO10.04 Manage vendor risk. 2. Identify, monitor and, where appropriate, manage risk
Organize Vendors relating to the vendor’s ability to deliver service efficiently,
effectively, securely, confidentially, reliably and continually.
Integrate critical internal IT management processes with those
of the outsourced service providers, covering, for example,
performance and capacity planning, change management, and
configuration management.

502
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO10 Managed APO10.04 Manage vendor risk. 3. Assess the larger ecosystem of the vendor and identify,
Organize Vendors monitor, and, where appropriate, manage risk related to the
subcontractors and upstream vendors influencing the
vendor's ability to deliver service efficiently, effectively,
securely, reliably and continually.

Management Align, Plan and APO10 Managed APO10.05 Monitor vendor 1. Request independent reviews of vendor internal practices
Organize Vendors performance and and controls, if necessary.
compliance.

Management Align, Plan and APO10 Managed APO10.05 Monitor vendor 2. Define and document criteria to monitor vendor
Organize Vendors performance and performance aligned with service level agreements. Ensure
compliance. that the vendor regularly and transparently reports on agreed
criteria.

Management Align, Plan and APO10 Managed APO10.05 Monitor vendor 3. Monitor and review service delivery to ensure that the
Organize Vendors performance and vendor is providing an acceptable quality of service, meeting
compliance. requirements and adhering to contract conditions.

Management Align, Plan and APO10 Managed APO10.05 Monitor vendor 4. Review vendor performance and value for money. Ensure
Organize Vendors performance and that the vendor is reliable and competitive, compared with
compliance. alternative vendors and market conditions.

Management Align, Plan and APO10 Managed APO10.05 Monitor vendor 5. Monitor and evaluate externally available information
Organize Vendors performance and about the vendor and the vendor's supply chain.
compliance.

503
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO10 Managed APO10.05 Monitor vendor 6. Record and assess review results periodically and discuss
Organize Vendors performance and them with the vendor to identify needs and opportunities for
compliance. improvement.

Management Align, Plan and APO11 Managed Quality APO11.01 Establish a quality 1. Ensure that the I&T control framework and the business
Organize management system and IT processes include a standard, formal and continuous
(QMS). approach to quality management that is aligned with
enterprise requirements. Within the I&T control framework
and the business and IT processes, identify quality
requirements and criteria (e.g., based on legal requirements
and requirements from customers).
Management Align, Plan and APO11 Managed Quality APO11.01 Establish a quality 2. Define roles, tasks, decision rights and responsibilities for
Organize management system quality management in the organizational structure.
(QMS).

Management Align, Plan and APO11 Managed Quality APO11.01 Establish a quality 3. Obtain input from management and external and internal
Organize management system stakeholders on the definition of quality requirements and
(QMS). quality management criteria.

Management Align, Plan and APO11 Managed Quality APO11.01 Establish a quality 4. Regularly monitor and review the QMS against agreed
Organize management system acceptance criteria. Include feedback from customers, users
(QMS). and management.

Management Align, Plan and APO11 Managed Quality APO11.01 Establish a quality 5. Respond to discrepancies in review results to continuously
Organize management system improve the QMS.
(QMS).

504
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO11 Managed Quality APO11.02 Focus quality 1. Focus quality management on customers by determining
Organize management on internal and external customer requirements and ensuring
customers. alignment of the I&T standards and practices. Define and
communicate roles and responsibilities concerning conflict
resolution between the user/customer and the IT
organization.
Management Align, Plan and APO11 Managed Quality APO11.02 Focus quality 2. Manage the business needs and expectations for each
Organize management on business process, IT operational service and new solutions.
customers. Maintain their quality acceptance criteria.

Management Align, Plan and APO11 Managed Quality APO11.02 Focus quality 3. Communicate customer requirements and expectations
Organize management on throughout the business and IT organization.
customers.

Management Align, Plan and APO11 Managed Quality APO11.02 Focus quality 4. Periodically obtain customer views on business process and
Organize management on service provisioning and IT solution delivery. Determine the
customers. impact on I&T standards and practices and ensure that
customer expectations are met and actioned.

Management Align, Plan and APO11 Managed Quality APO11.02 Focus quality 5. Capture quality acceptance criteria for inclusion in SLAs.
Organize management on
customers.

Management Align, Plan and APO11 Managed Quality APO11.03 Manage quality 1. Define the quality management standards, practices and
Organize standards, practices procedures in line with the I&T control framework’s
and procedures and requirements and enterprise quality management criteria and
integrate quality policies.
management into key
processes and
solutions.

505
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO11 Managed Quality APO11.03 Manage quality 2. Integrate the required quality management practices in key
Organize standards, practices processes and solutions across the organization.
and procedures and
integrate quality
management into key
processes and
solutions.
Management Align, Plan and APO11 Managed Quality APO11.03 Manage quality 3. Consider the benefits and costs of quality certifications.
Organize standards, practices
and procedures and
integrate quality
management into key
processes and
solutions.
Management Align, Plan and APO11 Managed Quality APO11.03 Manage quality 4. Effectively communicate the quality management
Organize standards, practices approach (e.g., through regular, formal quality training
and procedures and programs).
integrate quality
management into key
processes and
solutions.
Management Align, Plan and APO11 Managed Quality APO11.03 Manage quality 5. Record and monitor quality data. Use industry good
Organize standards, practices practices for reference when improving and tailoring the
and procedures and enterprise's quality practices.
integrate quality
management into key
processes and
solutions.
Management Align, Plan and APO11 Managed Quality APO11.03 Manage quality 6. Regularly review the continued relevance, efficiency and
Organize standards, practices effectiveness of specific quality management processes.
and procedures and Monitor the achievement of quality objectives.
integrate quality
management into key
processes and
solutions.
Management Align, Plan and APO11 Managed Quality APO11.04 Perform quality 1. Prepare and conduct quality reviews for key organizational
Organize monitoring, control processes and solutions.
and reviews.

506
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO11 Managed Quality APO11.04 Perform quality 2. For these key organizational processes and solutions,
Organize monitoring, control monitor goal-driven quality metrics aligned to overall quality
and reviews. objectives.

Management Align, Plan and APO11 Managed Quality APO11.04 Perform quality 3. Ensure that management and process owners regularly
Organize monitoring, control review quality management performance against defined
and reviews. quality metrics.

Management Align, Plan and APO11 Managed Quality APO11.04 Perform quality 4. Analyze overall quality management performance results.
Organize monitoring, control
and reviews.

Management Align, Plan and APO11 Managed Quality APO11.04 Perform quality 5. Report the quality management performance review
Organize monitoring, control results and initiate improvements where appropriate.
and reviews.

Management Align, Plan and APO11 Managed Quality APO11.05 Maintain continuous 1. Establish a platform to share good practices and capture
Organize improvement. information on defects and mistakes to enable learning from
them.

Management Align, Plan and APO11 Managed Quality APO11.05 Maintain continuous 2. Identify examples of excellent quality delivery processes
Organize improvement. that can benefit other services or projects. Share these with
the service and project delivery teams to encourage
improvement.

507
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO11 Managed Quality APO11.05 Maintain continuous 3. Identify recurring examples of quality defects. Determine
Organize improvement. their root cause, evaluate their impact and result, and agree
on improvement actions with the service and/or project
delivery teams.

Management Align, Plan and APO11 Managed Quality APO11.05 Maintain continuous 4. Provide employees with training in the methods and tools
Organize improvement. of continual improvement.

Management Align, Plan and APO11 Managed Quality APO11.05 Maintain continuous 5. Benchmark the results of the quality reviews against
Organize improvement. internal historical data, industry guidelines, standards and
data from similar types of enterprises.

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 1. Establish and maintain a method for the collection,
Organize classification and analysis of I&T risk-related data.

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 2. Record relevant and significant I&T risk-related data on the
Organize enterprise’s internal and external operating environment.

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 3. Adopt or define a risk taxonomy for consistent definitions
Organize of risk scenarios and impact and likelihood categories.

508
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 4. Record data on risk events that have caused or may cause
Organize business impacts as per the impact categories defined in the
risk taxonomy. Capture relevant data from related issues,
incidents, problems and investigations.

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 5. Survey and analyze the historical I&T risk data and loss
Organize experience from externally available data and trends, industry
peers through industry-based event logs, databases, and
industry agreements for common event disclosure.

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 6. For similar classes of events, organize the collected data
Organize and highlight contributing factors. Determine common
contributing factors across multiple events.

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 7. Determine the specific conditions that existed or were
Organize absent when risk events occurred and the way the conditions
affected event frequency and loss magnitude.

Management Align, Plan and APO12 Managed Risk APO12.01 Collect data. 8. Perform periodic event and risk factor analysis to identify
Organize new or emerging risk issues and to gain an understanding of
the associated internal and external risk factors.

Management Align, Plan and APO12 Managed Risk APO12.02 Analyze risk. 1. Define the appropriate scope of risk analysis efforts,
Organize considering all risk factors and/or the business criticality of
assets.

509
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.02 | Analyze risk. | 2. Build and regularly update I&T risk scenarios; I&T-related loss exposures; and scenarios regarding reputational risk, including compound scenarios of cascading and/or coincidental threat types and events. Develop expectations for specific control activities and capabilities to detect.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.02 | Analyze risk. | 3. Estimate the frequency (or likelihood) and magnitude of loss or gain associated with I&T risk scenarios. Take into account all applicable risk factors and evaluate known operational controls.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.02 | Analyze risk. | 4. Compare current risk (I&T-related loss exposure) to risk appetite and acceptable risk tolerance. Identify unacceptable or elevated risk.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.02 | Analyze risk. | 5. Propose risk responses for risk exceeding risk appetite and tolerance levels.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.02 | Analyze risk. | 6. Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.02 | Analyze risk. | 7. Validate the risk analysis and business impact analysis (BIA) results before using them in decision making. Confirm that the analysis aligns with enterprise requirements and verify that estimations were properly calibrated and scrutinized for bias.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.02 | Analyze risk. | 8. Analyze cost/benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Confirm the optimal risk response.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.03 | Maintain a risk profile. | 1. Inventory business processes and document their dependency on I&T service management processes and IT infrastructure resources. Identify supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.03 | Maintain a risk profile. | 2. Determine and agree on which I&T services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.03 | Maintain a risk profile. | 3. Aggregate current risk scenarios by category, business line and functional area.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.03 | Maintain a risk profile. | 4. Regularly capture all risk profile information and consolidate it into an aggregated risk profile.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.03 | Maintain a risk profile. | 5. Capture information on the status of the risk action plan for inclusion in the I&T risk profile of the enterprise.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.03 | Maintain a risk profile. | 6. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.03 | Maintain a risk profile. | 7. Capture information on I&T risk events that have materialized for inclusion in the IT risk profile of the enterprise.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.04 | Articulate risk. | 1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Whenever possible, include probabilities and ranges of loss or gain along with confidence levels, to enable management to balance risk-return.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.04 | Articulate risk. | 2. Provide decision makers with an understanding of worst-case and most-probable scenarios, I&T-related loss exposures and significant reputation, legal and regulatory considerations, or any other impact category as per the risk taxonomy.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.04 | Articulate risk. | 3. Report the current risk profile to all stakeholders. Include information on the effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status and their impacts on the risk profile.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.04 | Articulate risk. | 4. On a periodic basis, for areas with relative risk and risk capacity parity, identify I&T-related opportunities that would allow the acceptance of greater risk and enhanced growth and return.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.04 | Articulate risk. | 5. Review the results of objective third-party assessments and internal audit and quality assurance reviews. Include them in the risk profile. Review identified gaps and I&T-related loss exposures to determine the need for additional risk analysis.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.05 | Define a risk management action portfolio. | 1. Maintain an inventory of control activities that are in place to mitigate risk and that enable risk to be taken in line with the risk appetite and tolerance. Classify control activities and map them to specific I&T risk scenarios and aggregations of I&T risk scenarios.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.05 | Define a risk management action portfolio. | 2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.05 | Define a risk management action portfolio. | 3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering costs, benefits, effect on current risk profile and regulations.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.06 | Respond to risk. | 1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.06 | Respond to risk. | 2. Apply the appropriate response plan to minimize the impact when risk incidents occur.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.06 | Respond to risk. | 3. Categorize incidents and compare I&T-related loss exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting and update the risk profile.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.06 | Respond to risk. | 4. Examine past adverse events/losses and missed opportunities and determine root causes.
Management | Align, Plan and Organize | APO12 | Managed Risk | APO12.06 | Respond to risk. | 5. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers. Ensure that the cause, response requirements and process improvement are included in risk governance processes.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.01 | Establish and maintain an information security management system (ISMS). | 1. Define the scope and boundaries of the information security management system (ISMS) in terms of the characteristics of the enterprise, the organization, its location, assets and technology. Include details of, and justification for, any exclusions from the scope.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.01 | Establish and maintain an information security management system (ISMS). | 2. Define an ISMS in accordance with enterprise policy and the context in which the enterprise operates.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.01 | Establish and maintain an information security management system (ISMS). | 3. Align the ISMS with the overall enterprise approach to the management of security.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.01 | Establish and maintain an information security management system (ISMS). | 4. Obtain management authorization to implement and operate or change the ISMS.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.01 | Establish and maintain an information security management system (ISMS). | 5. Prepare and maintain a statement of applicability that describes the scope of the ISMS.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.01 | Establish and maintain an information security management system (ISMS). | 6. Define and communicate information security management roles and responsibilities.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.01 | Establish and maintain an information security management system (ISMS). | 7. Communicate the ISMS approach.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.02 | Define and manage an information security and privacy risk treatment plan. | 1. Formulate and maintain an information security risk treatment plan aligned with strategic objectives and the enterprise architecture. Ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities and priorities for managing identified information security risk.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.02 | Define and manage an information security and privacy risk treatment plan. | 2. Maintain as part of the enterprise architecture an inventory of solution components that are in place to manage security-related risk.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.02 | Define and manage an information security and privacy risk treatment plan. | 3. Develop proposals to implement the information security risk treatment plan, supported by suitable business cases that include consideration of funding and allocation of roles and responsibilities.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.02 | Define and manage an information security and privacy risk treatment plan. | 4. Provide input to the design and development of management practices and solutions selected from the information security risk treatment plan.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.02 | Define and manage an information security and privacy risk treatment plan. | 5. Implement information security and privacy training and awareness programs.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.02 | Define and manage an information security and privacy risk treatment plan. | 6. Integrate the planning, design, implementation and monitoring of information security and privacy procedures and other controls capable of enabling prompt prevention, detection of security events, and response to security incidents.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.02 | Define and manage an information security and privacy risk treatment plan. | 7. Define how to measure the effectiveness of the selected management practices. Specify how these measurements are to be used to assess effectiveness to produce comparable and reproducible results.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.03 | Monitor and review the information security management system (ISMS). | 1. Undertake regular reviews of the effectiveness of the ISMS. Include meeting ISMS policy and objectives and reviewing security and privacy practices.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.03 | Monitor and review the information security management system (ISMS). | 2. Conduct ISMS audits at planned intervals.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.03 | Monitor and review the information security management system (ISMS). | 3. Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.03 | Monitor and review the information security management system (ISMS). | 4. Record actions and events that could have an impact on the effectiveness or performance of the ISMS.
Management | Align, Plan and Organize | APO13 | Managed Security | APO13.03 | Monitor and review the information security management system (ISMS). | 5. Provide input to the maintenance of the security plans to take into account the findings of monitoring and reviewing activities.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 1. Establish a data management function with responsibility for managing activities that support data management objectives.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 2. Specify roles and responsibilities to support the management of data and the interaction between governance and the data management function.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 3. Ensure that business and technology collaboratively develop the organization’s data management strategy. Make sure that data management objectives, priorities and scope reflect enterprise objectives, are consistent with data management policies and regulation, and are approved by all stakeholders.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 4. Communicate data management objectives, priorities and scope and adjust them as needed, based upon feedback.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 5. Use metrics to assess and monitor the achievement of objectives for data management.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 6. Monitor the sequence plan for implementation of the data management strategy. Update it as needed, based on progress reviews.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 7. Use statistical and other quantitative techniques to evaluate the effectiveness of strategic data management objectives in achieving business objectives. Make modifications as needed, based on metrics.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 8. Ensure that the organization researches innovative business processes and emerging regulatory requirements to ensure that the data management program is compatible with future business needs.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | 9. Make contributions to industry best practices for data management strategy development and implementation.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.02 | Define and maintain a consistent business glossary. | 1. Ensure that standard business terms are readily available and communicated to relevant stakeholders.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.02 | Define and maintain a consistent business glossary. | 2. Ensure that each business term added to the business glossary has a unique name and unique definition.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.02 | Define and maintain a consistent business glossary. | 3. Use standard industry business terms and definitions, as appropriate, in the business glossary.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.02 | Define and maintain a consistent business glossary. | 4. Establish, document and follow a process to define, manage, use and maintain the business glossary. For example, new initiatives should apply standard business terms as part of the data requirements definition process to ensure consistency of language. This will help achieve comparability of the content and facilitate data sharing across the organization.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.02 | Define and maintain a consistent business glossary. | 5. Ensure that new development, data integration and data consolidation efforts apply standard business terms as part of the data requirements definition process.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.02 | Define and maintain a consistent business glossary. | 6. Integrate the business glossary into the organization’s metadata repository, with appropriate access permissions.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 1. Establish and follow a metadata management process.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 2. Ensure that metadata documentation captures data interdependencies.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 3. Establish and follow metadata categories, properties and standards.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 4. Develop and use metadata to perform impact analysis on potential data changes.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 5. Populate the organization’s metadata repository with additional categories and classifications of metadata according to a phased implementation plan. Link it to architecture layers.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 6. Validate metadata and any changes to metadata against the existing architecture.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 7. Ensure that the organization has developed an integrated metamodel deployed across all platforms.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 8. Ensure that metadata types and data definitions support consistent import, subscription and consumption practices.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 9. Use measures and metrics to evaluate the accuracy and adoption of metadata.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.03 | Establish the processes and infrastructure for metadata management. | 10. Evaluate planned data changes for impact on the metadata repository. Continuously improve metadata capture, change and refinement processes.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.04 | Define a data quality strategy. | 1. Define a data quality strategy in collaboration with business and technology stakeholders, approved by executive management, and managed. The strategy should facilitate moving from the current to the target state. It should also explicitly align with business objectives and the organization’s data management strategy.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.04 | Define a data quality strategy. | 2. Ensure that the data quality strategy is followed across the organization and is accompanied by corresponding policies, processes and guidelines.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.04 | Define a data quality strategy. | 3. Anchor the policies, processes and governance contained in the data quality strategy across the data life cycle. Mandate corresponding processes in the system development life cycle methodology.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.04 | Define a data quality strategy. | 4. Develop, monitor and maintain a sequence plan for data quality improvement efforts across the organization.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.04 | Define a data quality strategy. | 5. To evaluate progress, monitor plans to meet the goals and objectives of the data quality strategy.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.04 | Define a data quality strategy. | 6. Systematically collect stakeholder reports of data quality issues. Include their expectations for improving data quality in the data quality strategy. Measure and monitor them.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.05 | Establish data profiling methodologies, processes and tools. | 1. Define and standardize data profiling methodologies, processes, practices, tools and results templates. Ensure that profiling processes are reusable and leveraged across multiple data stores and shared data repositories.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.05 | Establish data profiling methodologies, processes and tools. | 2. Engage data management to identify core shared data sets that are regularly profiled and monitored.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.05 | Establish data profiling methodologies, processes and tools. | 3. In data profiling efforts, include evaluation of the conformity of data content with its approved metadata and standards.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.05 | Establish data profiling methodologies, processes and tools. | 4. During a data profiling activity, compare actual issues to the statistically predicted issues, based on historical profiling results.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.05 | Establish data profiling methodologies, processes and tools. | 5. Ensure that results are centrally stored, systematically monitored and analyzed with respect to statistics and metrics. Provide the resulting insight to data quality improvements over time.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.05 | Establish data profiling methodologies, processes and tools. | 6. Create real-time or near real-time automated profiling reports for all critical data feeds and repositories.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.06 | Ensure a data quality assessment approach. | 1. Periodically conduct data quality assessments, according to an approved frequency per the data quality assessment policy. Ensure that data governance determines the key set of attributes by subject area for data quality assessments.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.06 | Ensure a data quality assessment approach. | 2. Include recommendations for remediation, with supporting rationale, in data quality assessment results.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.06 | Ensure a data quality assessment approach. | 3. Assess data quality, using established thresholds and targets for each selected quality dimension.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.06 | Ensure a data quality assessment approach. | 4. Systematically generate data quality measurement reports, based on criticality of attributes and data volatility.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.06 | Ensure a data quality assessment approach. | 5. Continuously review and improve data quality assessment and reporting processes.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.07 | Define the data cleansing approach. | 1. Establish and maintain a data cleansing policy.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.07 | Define the data cleansing approach. | 2. Maintain data change history through cleansing activities.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.07 | Define the data cleansing approach. | 3. Establish methods for correcting the data and define those methods within a plan. Methods may include multiple repository comparison, verification against a valid source, logic checks, referential integrity or range tolerance.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.07 | Define the data cleansing approach. | 4. In service level agreements, include data quality criteria to hold data providers accountable for cleansed data.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.08 | Manage the life cycle of data assets. | 1. Map and align the requirements of data consumers and producers.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.08 | Manage the life cycle of data assets. | 2. Define business process-to-data mappings. Maintain them and periodically review them for compliance.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.08 | Manage the life cycle of data assets. | 3. Follow a defined process for collaborative agreements with respect to shared data and data usage within business processes.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.08 | Manage the life cycle of data assets. | 4. Implement data flows and full data-to-process life cycle maps for shared data for each major business process at the organizational level.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.08 | Manage the life cycle of data assets. | 5. Ensure that changes to shared data sets or target data sets for a specific business purpose are managed by data governance structures, with relevant stakeholder engagement.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.08 | Manage the life cycle of data assets. | 6. Use metrics to expand approved shared data reuse and eliminate process redundancy.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.09 | Support data archiving and retention. | 1. Ensure that policies mandate management of data history, including retention, destruction and audit trail requirements.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.09 | Support data archiving and retention. | 2. Ensure the existence of a defined method that guarantees accessibility to the historical data necessary to support business needs.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.09 | Support data archiving and retention. | 3. Use policy and processes to control access, transmittal and modifications to historical and archived data.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.09 | Support data archiving and retention. | 4. Ensure that the organization has a prescribed data warehouse repository that provides access to historical data for meeting analytics needs supporting business processes.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.10 | Manage data backup and restore arrangements. | 1. Define a schedule to ensure correct backup of all critical data, taking into account frequency, type of backup, security, privacy and other criteria.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.10 | Manage data backup and restore arrangements. | 2. Define requirements for on-site and off-site storage of backup data, taking into account volume, capacity and retention period, in alignment with the business requirements.
Management | Align, Plan and Organize | APO14 | Managed Data | APO14.10 | Manage data backup and restore arrangements. | 3. Establish a testing schedule for backup data. Ensure that the data can be restored correctly without drastically impacting business.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.01 | Maintain a standard approach for program management. | 1. Maintain and enforce a standard approach to program management, aligned to the enterprise’s specific environment and with good practice based on defined process and use of appropriate technology. Ensure that the approach covers the full life cycle and disciplines to be followed, including the management of scope, resources, risk, cost, quality, time, communication, stakeholder involvement, procurement,
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.01 | Maintain a standard approach for program management. | 2. Put in place a program office or project management office (PMO) that maintains the standard approach for program and project management across the organization. The PMO supports all programs and projects by creating and maintaining required project documentation templates, providing training and best practices for program/project managers, tracking metrics on the use of best practices for
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.01 | Maintain a standard approach for program management. | 3. Evaluate lessons learned based on the use of the program management approach and update the approach accordingly.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.02 | Initiate a program. | 1. Agree on program sponsorship. Appoint a program board/committee with members who have strategic interest in the program, responsibility for investment decision making, will be significantly impacted by the program and will be required to enable delivery of the change.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.02 | Initiate a program. | 2. Appoint a dedicated manager for the program, with the commensurate competencies and skills to manage the program effectively and efficiently.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.02 | Initiate a program. | 3. Confirm the program mandate with sponsors and stakeholders. Articulate the strategic objectives for the program, potential strategies for delivery, improvement and benefits that are expected, and how the program fits with other initiatives.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.02 | Initiate a program. | 4. Develop a detailed business case for a program. Involve all key stakeholders to develop and document a complete understanding of the expected enterprise outcomes, how they will be measured, the full scope of initiatives required, the risk involved and the impact on all aspects of the enterprise. Identify and assess alternative courses of action to achieve the desired enterprise outcomes.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.02 | Initiate a program. | 5. Develop a benefits realization plan that will be managed throughout the program to ensure that planned benefits always have owners and are achieved, sustained and optimized.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.02 | Initiate a program. | 6. Prepare the initial (conceptual) program business case, providing essential decision-making information regarding purpose, contribution to business objectives, expected value created, time frames, etc. Submit it for approval.


Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.03 | Manage stakeholder engagement. | 1. Plan how stakeholders inside and outside the enterprise will be identified, analyzed, engaged and managed through the life cycle of the projects.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.03 | Manage stakeholder engagement. | 2. Identify, engage and manage stakeholders by establishing and maintaining appropriate levels of coordination, communication and liaison to ensure that they are involved in the program.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.03 | Manage stakeholder engagement. | 3. Analyze stakeholder interests and requirements.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.03 | Manage stakeholder engagement. | 4. Follow a defined process for collaborative agreements with respect to shared data and data usage within business processes.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.04 | Develop and maintain the program plan. | 1. Specify funding, cost, schedule and interdependencies of multiple projects.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.04 | Develop and maintain the program plan. | 2. Define and document the program plan covering all projects. Include what is needed to bring about changes to the enterprise; its purpose, mission, vision, values, culture, products and services; business processes; people skills and numbers; relationships with stakeholders, customers, suppliers and others; technology needs; and organizational restructuring required to achieve the program's expected


Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.04 | Develop and maintain the program plan. | 3. Ensure that there is effective communication of program plans and progress reports among all projects and with the overall program. Ensure that any changes made to individual plans are reflected in the other enterprise program plans.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.04 | Develop and maintain the program plan. | 4. Maintain the program plan to ensure that it is up to date and reflects alignment with current strategic objectives, actual progress and material changes to outcomes, benefits, costs and risk. Have the business drive the objectives and prioritize the work throughout to ensure that the program, as designed, will meet enterprise requirements. Review progress of individual projects and adjust the projects as necessary to
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.04 | Develop and maintain the program plan. | 5. Throughout the program's economic life, update and maintain the business case and a benefits register to identify and define key benefits arising from undertaking the program.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.04 | Develop and maintain the program plan. | 6. Prepare a program budget that reflects the full economic life cycle costs and the associated financial and nonfinancial benefits.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.05 | Launch and execute the program. | 1. Plan, resource and commission the necessary projects required to achieve the program results, based on funding review and approvals at each stage-gate review.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.05 | Launch and execute the program. | 2. Manage each program or project to ensure that decision making and delivery activities are focused on value by achieving benefits for the business and goals in a consistent manner, addressing risk, and achieving stakeholder requirements.


Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.05 | Launch and execute the program. | 3. Establish agreed stages of the development process (development checkpoints). At the end of each stage, facilitate formal discussions of approved criteria with the stakeholders. After successful completion of functionality, performance and quality reviews, and before finalizing stage activities, obtain formal approval and sign-off from all stakeholders and the sponsor/business process owner.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.05 | Launch and execute the program. | 4. Undertake a benefits realization process throughout the program to ensure that planned benefits always have owners and are likely to be achieved, sustained and optimized. Monitor benefits delivery and report against performance targets at the stage-gate or iteration and release reviews. Perform root cause analysis for deviations from the plan and identify and address any necessary remedial actions.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.05 | Launch and execute the program. | 5. Plan audits, quality reviews, phase/stage-gate reviews and reviews of realized benefits.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.06 | Monitor, control and report on the program outcomes. | 1. Update operational I&T portfolios to reflect changes that result from the program in the relevant I&T service, asset or resource portfolios.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.06 | Monitor, control and report on the program outcomes. | 2. Monitor and control the performance of the overall program and the projects within the program, including contributions of the business and IT to the projects. Report in a timely, complete and accurate fashion. Reporting may include schedule, funding, functionality, user satisfaction, internal controls and acceptance of accountabilities.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.06 | Monitor, control and report on the program outcomes. | 3. Monitor and control performance against enterprise and I&T strategies and goals. Report to management on enterprise changes implemented, benefits realized against the benefits realization plan and the adequacy of the benefits realization process.


Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.06 | Monitor, control and report on the program outcomes. | 4. Monitor and control IT services, assets and resources created or changed as a result of the program. Note implementation and in-service dates. Report to management on performance levels, sustained service delivery and contribution to value.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.06 | Monitor, control and report on the program outcomes. | 5. Manage program performance against key criteria (e.g., scope, schedule, quality, benefits realization, costs, risk, velocity), identify deviations from the plan and take timely remedial action when required.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.06 | Monitor, control and report on the program outcomes. | 6. Monitor individual project performance related to delivery of the expected capabilities, schedule, benefits realization, costs, risk or other metric. Identify potential impacts on program performance and take timely remedial action when required.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.06 | Monitor, control and report on the program outcomes. | 7. In accordance with stage-gate, release or iteration review criteria, undertake reviews to report on the progress of the program so that management can make go/no-go or adjustment decisions and approve further funding up to the following stage-gate, release or iteration.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.07 | Manage program quality. | 1. Identify assurance tasks and practices required to support the accreditation of new or modified systems during program planning, and include them in the integrated plans. Ensure that the tasks provide assurance that internal controls and security/privacy solutions meet the defined requirements.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.07 | Manage program quality. | 2. To provide quality assurance for the program deliverables, identify ownership and responsibilities, quality review processes, success criteria and performance metrics.


Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.07 | Manage program quality. | 3. Define any requirements for independent validation and verification of the quality of deliverables in the plan.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.07 | Manage program quality. | 4. Perform quality assurance and control activities in accordance with the quality management plan and QMS.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.08 | Manage program risk. | 1. Establish a formal risk management approach aligned with the enterprise risk management (ERM) framework. Ensure that the approach includes identifying, analyzing, responding to, mitigating, monitoring and controlling risk.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.08 | Manage program risk. | 2. Assign to appropriately skilled personnel the responsibility for executing the enterprise's risk management process within a program and ensuring that this is incorporated into the solution development practices. Consider allocating this role to an independent team, especially if an objective viewpoint is required or a program is considered critical.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.08 | Manage program risk. | 3. Perform the risk assessment of identifying and quantifying risk continuously throughout the program. Manage and communicate risk appropriately within the program governance structure.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.08 | Manage program risk. | 4. Identify owners for actions to avoid, accept or mitigate risk.


Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.09 | Close a program. | 1. Bring the program to an orderly closure, including formal approval, disbanding of the program organization and supporting function, validation of deliverables, and communication of retirement.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.09 | Close a program. | 2. Review and document lessons learned. Once the program is retired, remove it from the active investment portfolio. Move any resulting capabilities to an operational asset portfolio to ensure that value continues to be created and sustained.
Management | Build, Acquire and Implement | BAI01 | Managed Programs | BAI01.09 | Close a program. | 3. Put accountability and processes in place to ensure that the enterprise continues to optimize value from the service, asset or resources. Additional investments may be required at some future time to ensure that this occurs.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 1. Ensure that all stakeholder requirements, including relevant acceptance criteria, are considered, captured, prioritized and recorded in a way that is understandable to all stakeholders, recognizing that the requirements may change and will become more detailed as they are implemented.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 2. Express business requirements in terms of how the gap between current and desired business capabilities needs to be addressed and how the user (employee, client, etc.) will interact with and use the solution.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 3. Specify and prioritize information, functional and technical requirements, based on the user experience design and confirmed stakeholder requirements.


Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 4. Ensure requirements meet enterprise policies and standards, enterprise architecture, strategic and tactical I&T plans, in-house and outsourced business and IT processes, security requirements, regulatory requirements, people competencies, organizational structure, business case, and enabling technology.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 5. Include information control requirements in the business processes, automated processes and I&T environments to address information risk and to comply with laws, regulations and commercial contracts.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 6. Confirm acceptance of key aspects of the requirements, including enterprise rules, user experience, information controls, business continuity, legal and regulatory compliance, auditability, ergonomics, operability and usability, safety, confidentiality, and supporting documentation.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 7. Track and control scope, requirements and changes through the life cycle of the solution as understanding of the solution evolves.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 8. Define and implement a requirements definition and maintenance procedure and a requirements repository that are appropriate for the size, complexity, objectives and risk of the initiative that the enterprise is considering undertaking.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.01 | Define and maintain business functional and technical requirements. | 9. Validate all requirements through approaches such as peer review, model validation or operational prototyping.


Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.02 | Perform a feasibility study and formulate alternative solutions. | 1. Identify required actions for solution acquisition or development based on the enterprise architecture. Take into account scope and/or time and/or budget limitations.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.02 | Perform a feasibility study and formulate alternative solutions. | 2. Review the alternative solutions with all stakeholders. Select the most appropriate one based on feasibility criteria, including risk and cost.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.02 | Perform a feasibility study and formulate alternative solutions. | 3. Translate the preferred course of action into a high-level acquisition/development plan that identifies resources to be used and stages requiring a go/no-go decision.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.02 | Perform a feasibility study and formulate alternative solutions. | 4. Define and execute a feasibility study, pilot or basic working solution that clearly and concisely describes the alternative solutions and measures how these would satisfy the business and functional requirements. Include an evaluation of their technological and economic feasibility.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.03 | Manage requirements risk. | 1. Identify quality, functional and technical requirements risk (due to, for example, lack of user involvement, unrealistic expectations, developers adding unnecessary functionality, unrealistic assumptions, etc.).
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.03 | Manage requirements risk. | 2. Determine appropriate risk response to requirements risk.


Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.03 | Manage requirements risk. | 3. Analyze the identified risk by estimating probability and impact on budget and schedule. Evaluate budgetary impact of appropriate risk response actions.
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.04 | Obtain approval of requirements and solutions. | 1. Ensure that the business sponsor or product owner makes the final choice of solution, acquisition approach and high-level design, according to the business case. Obtain necessary approvals from affected stakeholders (e.g., business process owner, enterprise architect, operations manager, security, privacy officer).
Management | Build, Acquire and Implement | BAI02 | Managed Requirements Definition | BAI02.04 | Obtain approval of requirements and solutions. | 2. Obtain quality reviews throughout, and at the end of, each key project stage, iteration or release. Assess the results against the original acceptance criteria. Have business sponsors and other stakeholders sign off on each successful quality review.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.01 | Design high-level solutions. | 1. Establish a high-level design specification that translates the proposed solution into a high-level design for business processes, supporting services, workflows, applications, infrastructure, and information repositories capable of meeting business and enterprise architecture requirements.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.01 | Design high-level solutions. | 2. Involve appropriately qualified and experienced user experience designers and IT specialists in the design process to make sure that the design provides a solution that optimally uses the proposed I&T capabilities to enhance the business process.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.01 | Design high-level solutions. | 3. Create a design that complies with the organization's design standards. Ensure that it maintains a level of detail that is appropriate for the solution and development method and consistent with business, enterprise and I&T strategies, the enterprise architecture, security/privacy plan and applicable laws, regulations and contracts.


Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.01 | Design high-level solutions. | 4. After quality assurance approval, submit the final high-level design to the project stakeholders and the sponsor/business process owner for approval based on agreed criteria. This design will evolve throughout the project as understanding grows.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 1. Design progressively the business process activities and work flows that need to be performed in conjunction with the new application system to meet the enterprise objectives, including the design of the manual control activities.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 2. Design the application processing steps. These steps include specification of transaction types and business processing rules, automated controls, data definitions/business objects, use cases, external interfaces, design constraints, and other requirements (e.g., licensing, legal, standards and internationalization/localization).
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 3. Classify data inputs and outputs according to enterprise architecture standards. Specify the source data collection design. Document the data inputs (regardless of source) and validation for processing transactions as well as the methods for validation. Design the identified outputs, including data sources.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 4. Design the system/solution interface, including any automated data exchange.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 5. Design data storage, location, retrieval and recoverability.


Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 6. Design appropriate redundancy, recovery and backup.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 7. Design the interface between the user and the system application so that it is easy to use and self-documenting.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 8. Consider the impact of the solution's need for infrastructure performance, being sensitive to the number of computing assets, bandwidth intensity and time sensitivity of the information.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 9. Proactively evaluate for design weaknesses (e.g., inconsistencies, lack of clarity, potential flaws) throughout the life cycle. Identify improvements when required.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.02 | Design detailed solution components. | 10. Provide an ability to audit transactions and identify root causes of processing errors.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.03 | Develop solution components. | 1. Within a separate environment, develop the proposed detailed design for business processes, supporting services, applications, infrastructure and information repositories.


Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.03 | Develop solution components. | 2. When third-party providers are involved with the solution development, ensure that maintenance, support, development standards and licensing are addressed and adhered to in contractual obligations.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.03 | Develop solution components. | 3. Track change requests and design, performance and quality reviews. Ensure active participation of all impacted stakeholders.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.03 | Develop solution components. | 4. Document all solution components according to defined standards. Maintain version control over all developed components and associated documentation.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.03 | Develop solution components. | 5. Assess the impact of solution customization and configuration on the performance and efficiency of acquired solutions and on interoperability with existing applications, operating systems and other infrastructure. Adapt business processes as required to leverage the application capability.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.03 | Develop solution components. | 6. Ensure that responsibilities for using high-security or restricted-access infrastructure components are clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.04 | Procure solution components. | 1. Create and maintain a plan for the acquisition of solution components. Consider future flexibility for capacity additions, transition costs, risk and upgrades over the lifetime of the project.


Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.04 | Procure solution components. | 2. Review and approve all acquisition plans. Consider risk, costs, benefits and technical conformance with enterprise architecture standards.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.04 | Procure solution components. | 3. Assess and document the degree to which acquired solutions require adaptation of business process to leverage the benefits of the acquired solution.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.04 | Procure solution components. | 4. Follow required approvals at key decision points during the procurement processes.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.04 | Procure solution components. | 5. Record receipt of all infrastructure and software acquisitions in an asset inventory.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 1. Integrate and configure business and IT solution components and information repositories in line with detailed specifications and quality requirements. Consider the role of users, business stakeholders and the process owner in the configuration of business processes.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 2. Complete and update business process and operational manuals, where necessary, to account for any customization or special conditions unique to the implementation.


Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 3. Consider all relevant information control requirements in solution component integration and configuration. Include implementation of business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorized and auditable.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 4. Implement audit trails during configuration and integration of hardware and infrastructural software to protect resources and ensure availability and integrity.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 5. Consider when the effect of cumulative customizations and configurations (including minor changes that were not subjected to formal design specifications) requires a high-level reassessment of the solution and associated functionality.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 6. Configure acquired application software to meet business processing requirements.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 7. Define product and service catalogues for relevant internal and external target groups, based on business requirements.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.05 | Build solutions. | 8. Ensure the interoperability of solution components with supporting tests, preferably automated.


Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.06 | Perform quality assurance (QA). | 1. Define a QA plan and practices, including, for example, specification of quality criteria, validation and verification processes, definition of how quality will be reviewed, necessary qualifications of quality reviewers, and roles and responsibilities for the achievement of quality.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.06 | Perform quality assurance (QA). | 2. Frequently monitor the solution quality based on project requirements, enterprise policies, adherence to development methodologies, quality management procedures and acceptance criteria.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.06 | Perform quality assurance (QA). | 3. Employ, as appropriate, code inspection, test-driven development practices, automated testing, continuous integration, walk-throughs and testing of applications. Report on outcomes of the monitoring process and testing to the application software development team and IT management.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.06 | Perform quality assurance (QA). | 4. Monitor all quality exceptions and address all corrective actions. Maintain a record of all reviews, results, exceptions and corrections. Repeat quality reviews, where appropriate, based on the amount of rework and corrective action.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.07 | Prepare for solution testing. | 1. Create an integrated test plan and practices commensurate with the enterprise environment and strategic technology plans. Ensure that the integrated test plan and practices will enable the creation of suitable testing and simulation environments to help verify that the solution will operate successfully in the live environment and deliver the intended results and that controls are adequate.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.07 | Prepare for solution testing. | 2. Create a test environment that supports the full scope of the solution. Ensure that the test environment reflects, as closely as possible, real-world conditions, including the business processes and procedures, range of users, transaction types, and deployment conditions.


Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.07 | Prepare for solution testing. | 3. Create test procedures that align with the plan and practices and allow evaluation of the operation of the solution in real-world conditions. Ensure that the test procedures evaluate the adequacy of the controls, based on enterprisewide standards that define roles, responsibilities and testing criteria, and are approved by project stakeholders and the sponsor/business process owner.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.07 | Prepare for solution testing. | 4. Document and save the test procedures, cases, controls and parameters for future testing of the application.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.08 | Execute solution testing. | 1. Undertake testing of solutions and their components in accordance with the testing plan. Include testers independent from the solution team, with representative business process owners and end users. Ensure that testing is conducted only within the development and test environments.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.08 | Execute solution testing. | 2. Use clearly defined test instructions, as defined in the test plan. Consider the appropriate balance between automated scripted tests and interactive user testing.
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.08 | Execute solution testing. | 3. Undertake all tests in accordance with the test plan and practices. Include the integration of business processes and IT solution components and of nonfunctional requirements (e.g., security, privacy, interoperability, usability).
Management | Build, Acquire and Implement | BAI03 | Managed Solutions Identification and Build | BAI03.08 | Execute solution testing. | 4. Identify, log and classify (e.g., minor, significant and mission-critical) errors during testing. Repeat tests until all significant errors have been resolved. Ensure that an audit trail of test results is maintained.

544
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI03 Managed BAI03.08 Execute solution 5. Record testing outcomes and communicate results of
and Implement Solutions testing. testing to stakeholders in accordance with the test plan.
Identification
and Build

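The following is an added example, not part of the COBIT 2019 text, of how activities 1 and 4 of BAI03.08 can be enforced in tooling rather than only by procedure: a test-run register that refuses to record runs against anything other than development and test environments, classifies logged defects as minor, significant or mission-critical, keeps a hash-chained audit trail of every run so that results cannot be silently edited later, and gates release on the absence of unresolved significant or mission-critical defects. The environment names, run identifiers, defect identifiers and result counts are constructed for the illustration.

```python
"""Test-result register with a tamper-evident audit trail and a release gate.

Added example; environment names, run IDs and defect IDs are hypothetical.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Tuple

SEVERITIES = ("minor", "significant", "mission-critical")
BLOCKING = {"significant", "mission-critical"}
# Assumption: only these environments may host test execution (BAI03.08 activity 1).
ALLOWED_ENVIRONMENTS = {"dev", "test"}


@dataclass(frozen=True)
class Defect:
    defect_id: str
    severity: str
    resolved: bool


@dataclass(frozen=True)
class TestRun:
    run_id: str
    environment: str
    passed: int
    failed: int
    defects: Tuple[Defect, ...]


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Chain hash: SHA-256 over the previous entry's hash and the canonical JSON body."""
    payload = prev_hash + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class TestAuditTrail:
    """Append-only list of runs; every entry commits to the entry before it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, run: TestRun) -> str:
        if run.environment not in ALLOWED_ENVIRONMENTS:
            raise ValueError(f"refusing to record a test run against {run.environment!r}")
        for d in run.defects:
            if d.severity not in SEVERITIES:
                raise ValueError(f"unknown severity {d.severity!r} on {d.defect_id}")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = asdict(run)  # nested Defect tuples become plain dicts
        entry = {"prev": prev, "body": body, "hash": _entry_hash(prev, body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, dropped or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _entry_hash(prev, entry["body"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def release_gate(trail: TestAuditTrail) -> Tuple[bool, List[str]]:
    """Pass only when the latest run carries no unresolved significant or
    mission-critical defect. Returns (passed, blocking defect IDs)."""
    if not trail.verify():
        raise RuntimeError("test audit trail failed verification")
    if not trail.entries:
        return False, ["no test run recorded"]
    latest = trail.entries[-1]["body"]
    blocking = sorted(
        d["defect_id"]
        for d in latest["defects"]
        if d["severity"] in BLOCKING and not d["resolved"]
    )
    return (not blocking), blocking


# Constructed runs: the first finds a significant defect; the second re-tests
# after it was fixed while a minor defect remains open.
RUN_1 = TestRun("run-001", "test", passed=118, failed=2,
                defects=(Defect("D-1", "significant", False),
                         Defect("D-2", "minor", False)))
RUN_2 = TestRun("run-002", "test", passed=119, failed=1,
                defects=(Defect("D-1", "significant", True),
                         Defect("D-2", "minor", False)))


def demo() -> Tuple[TestAuditTrail, Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    trail = TestAuditTrail()
    trail.record(RUN_1)
    first = release_gate(trail)   # blocked by D-1
    trail.record(RUN_2)
    second = release_gate(trail)  # passes; D-2 is only minor
    return trail, first, second


if __name__ == "__main__":
    trail, first, second = demo()
    print("after run-001:", first)
    print("after run-002:", second)
    print("trail intact:", trail.verify())
```

The chain is only tamper-evident, not tamper-proof: anyone who can rewrite every later entry can rebuild it, so in practice the latest hash should also be written somewhere the test team cannot edit (a ticket, a signed release note) so that the trail reviewed at go-live is the one produced during testing.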
BAI03.09 Manage changes to requirements. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI03 Managed Solutions Identification and Build)
1. Assess the impact of all solution change requests on the solution development, the original business case and the budget. Categorize and prioritize them accordingly.
2. Track changes to requirements, enabling all stakeholders to monitor, review and approve the changes. Ensure that the outcomes of the change process are fully understood and agreed on by all the stakeholders and the sponsor/business process owner.
3. Apply change requests, maintaining the integrity of integration and configuration of solution components. Assess the impact of any major solution upgrade and classify it according to agreed objective criteria (such as enterprise requirements), based on the outcome of analysis of the risk involved (such as impact on existing systems and processes or security/privacy), cost-benefit justification and other
BAI03.10 Maintain solutions. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI03 Managed Solutions Identification and Build)
1. Develop and execute a plan for the maintenance of solution components. Include periodic reviews against business needs and operational requirements such as patch management, upgrade strategies, risk, privacy, vulnerabilities assessment and security requirements.
2. Assess the significance of a proposed maintenance activity on current solution design, functionality and/or business processes. Consider risk, user impact and resource availability. Ensure that business process owners understand the effect of designating changes as maintenance.
3. In the event of major changes to existing solutions that result in significant change in current designs and/or functionality and/or business processes, follow the development process used for new systems. For maintenance updates, use the change management process.
4. Ensure that the pattern and volume of maintenance activities are analyzed periodically for abnormal trends that indicate underlying quality or performance problems, cost/benefit of major upgrade, or replacement in lieu of maintenance.

BAI03.11 Define IT products and services and maintain the service portfolio. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI03 Managed Solutions Identification and Build)
1. Propose definitions of the new or changed IT products and services to ensure that they are fit for purpose. Document the proposed definitions in the portfolio list of products and services to be developed.
2. Propose new or changed service level options (service times, user satisfaction, availability, performance, capacity, security, privacy, continuity, compliance and usability) to ensure that the IT products and services are fit for use. Document the proposed service options in the portfolio.
3. Interface with business relationship management and portfolio management to agree on the proposed product and service definitions and service level options.
4. If product or service change falls within agreed approval authority, build the new or changed IT products and services or service level options. Otherwise, pass the change to portfolio management for investment review.

BAI03.12 Design solutions based on the defined development methodology. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI03 Managed Solutions Identification and Build)
1. Analyze and assess the impact of choosing a development methodology (i.e., waterfall, Agile, bimodal) on the available resources, architecture requirements, configuration settings and system rigidity.
2. Establish the appropriate development methodology and organizational approach that delivers the proposed solution efficiently and effectively and that is capable of meeting business, architecture and system requirements. Adapt processes as required to the chosen strategy.
3. Establish the needed project teams as defined by the chosen development methodology. Provide sufficient training.
4. Consider applying a dual system, if required, in which cross-functional groups (digital factories) focus on developing one product or process using a different technology, operational, or managerial methodology from the rest of the company. Embedding these groups in business units has the advantage of spreading the new culture of agile development and making this digital factory approach the norm.
BAI04.01 Assess current availability, performance and capacity and create a baseline. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI04 Managed Availability and Capacity)
1. Consider the following (current and forecasted) in the assessment of availability, performance and capacity of services and resources: customer requirements, business priorities, business objectives, budget impact, resource utilization, IT capabilities and industry trends.
2. Identify and follow up on all incidents caused by inadequate performance or capacity.
3. Monitor actual performance and capacity usage against defined thresholds, supported, where necessary, with automated software.
4. Regularly evaluate the current levels of performance for all processing levels (business demand, service capacity and resource capacity) by comparing them against trends and SLAs. Take into account changes in the environment.

BAI04.02 Assess business impact. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI04 Managed Availability and Capacity)
1. Identify only those solutions or services that are critical in the availability and capacity management process.
2. Map the selected solutions or services to the application(s) and infrastructure (IT and facility) on which they depend to enable a focus on critical resources for availability planning.
3. Collect data on availability patterns from logs of past failures and performance monitoring. Use modeling tools that help predict failures based on past usage trends and management expectations of new environment or user conditions.
4. Based on the collected data, create scenarios that describe future availability situations to illustrate a variety of potential capacity levels needed to achieve the availability performance objective.
5. Based on the scenarios, determine the likelihood that the availability performance objective will not be achieved.
6. Determine the impact of the scenarios on the business performance measures (e.g., revenue, profit, customer services). Engage the business-line, functional (especially finance) and regional leaders to understand their evaluation of impact.
7. Ensure that business process owners fully understand and agree to the results of this analysis. From the business owners, obtain a list of unacceptable risk scenarios that require a response to reduce risk to acceptable levels.

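As an added example (not from COBIT 2019), the simplest form of the modeling that BAI04.01 activity 3 and BAI04.02 activity 3 call for: fit a least-squares trend line to the utilisation history of each resource, project when it crosses the resource's defined threshold, and rank resources by days-to-breach with the criticality tier (taken from availability and recovery specifications) breaking ties. The resource names, thresholds, criticality tiers and daily utilisation samples are constructed for the illustration; a real run would read them from the monitoring system.

```python
"""Trend-based capacity forecasting and prioritisation.

Added example; resource names, thresholds and utilisation samples are constructed.
"""
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Sample:
    day: date
    used_pct: float        # observed utilisation, 0..100


@dataclass
class Resource:
    name: str
    criticality: int       # 1 = most critical, from availability/recovery specifications
    threshold_pct: float   # defined capacity threshold for this resource
    samples: List[Sample]


def fit_trend(samples: List[Sample]) -> Tuple[float, float]:
    """Ordinary least-squares line used_pct = slope * t + intercept,
    where t is days since the first sample."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0 = samples[0].day
    xs = [(s.day - t0).days for s in samples]
    ys = [s.used_pct for s in samples]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must span more than one day")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    return slope, mean_y - slope * mean_x


def days_until_threshold(samples: List[Sample], threshold_pct: float) -> Optional[int]:
    """Whole days from the last sample until the fitted trend crosses the
    threshold; None when utilisation is flat or falling; 0 if already crossed."""
    ordered = sorted(samples, key=lambda s: s.day)
    slope, intercept = fit_trend(ordered)
    if slope <= 0:
        return None
    t_cross = (threshold_pct - intercept) / slope
    t_last = (ordered[-1].day - ordered[0].day).days
    return max(0, math.ceil(t_cross - t_last))


def forecast(resources: List[Resource]) -> List[Tuple[str, int, Optional[int]]]:
    """Rank resources by urgency: fewest days to threshold first, ties broken by
    criticality; resources with no projected breach come last."""
    rows = [(r.name, r.criticality, days_until_threshold(r.samples, r.threshold_pct))
            for r in resources]
    rows.sort(key=lambda row: (row[2] is None, row[2] or 0, row[1]))
    return rows


def _daily(start: date, values: List[float]) -> List[Sample]:
    return [Sample(start + timedelta(days=i), v) for i, v in enumerate(values)]


START = date(2024, 1, 1)
# Constructed utilisation history (percent used, one sample per day).
RESOURCES = [
    Resource("db-primary-volume", 1, 80.0, _daily(START, [50 + i for i in range(10)])),
    Resource("log-archive", 3, 90.0, _daily(START, [40, 42, 44, 46, 48])),
    Resource("static-assets", 2, 80.0, _daily(START, [30, 30, 30, 30, 30])),
]

if __name__ == "__main__":
    for name, crit, days in forecast(RESOURCES):
        print(f"{name:<20} criticality={crit} days_to_threshold={days}")
```

A straight line is the right first model for steadily growing stores such as database volumes and log archives; for workloads with weekly or seasonal cycles the fit should be made on peak values per period, otherwise the projection is optimistic exactly when it matters.
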
BAI04.03 Plan for new or changed service requirements. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI04 Managed Availability and Capacity)
1. Identify availability and capacity implications of changing business needs and improvement opportunities. Use modeling techniques to validate availability, performance and capacity plans.
2. Review availability and capacity implications of service trend analysis.
3. Ensure that management performs comparisons of actual demand on resources against forecasted supply and demand to evaluate current forecasting techniques and make improvements where possible.
4. Prioritize needed improvements and create cost-justifiable availability and capacity plans.
5. Adjust the performance and capacity plans and SLAs based on realistic, new, proposed and/or projected business processes and supporting services, applications and infrastructure changes. Also include reviews of actual performance and capacity usage, including workload levels.

BAI04.04 Monitor and review availability and capacity. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI04 Managed Availability and Capacity)
1. Provide capacity reports to the budgeting processes.
2. Establish a process for gathering data to provide management with monitoring and reporting information for availability, performance and capacity workload of all I&T-related resources.
3. Provide regular reporting of the results in an appropriate form for review by IT and business management and communication to enterprise management.
4. Integrate monitoring and reporting activities in the iterative capacity management activities (monitoring, analysis, tuning and implementations).

BAI04.05 Investigate and address availability, performance and capacity issues. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI04 Managed Availability and Capacity)
1. Obtain guidance from vendor product manuals to ensure an appropriate level of performance availability for peak processing and workloads.
2. Define an escalation procedure for swift resolution in case of emergency capacity and performance problems.
3. Identify performance and capacity gaps based on monitoring current and forecasted performance. Use the known availability, continuity and recovery specifications to classify resources and allow prioritization.
4. Define corrective actions (e.g., shifting workload, prioritizing tasks or adding resources when performance and capacity issues are identified).
5. Integrate required corrective actions into the appropriate planning and change management processes.

BAI05.01 Establish the desire to change. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI05 Managed Organizational Change)
1. Assess the scope and impact of the envisioned change, the various stakeholders who are affected, the nature of the impact on and involvement required from each stakeholder group, and the current readiness and ability to adopt the change.
2. To establish the desire to change, identify, leverage and communicate current pain points, negative events, risk, customer dissatisfaction and business problems, as well as initial benefits, future opportunities and rewards, and competitive advantages.
3. Issue key communications from the executive committee or CEO to demonstrate commitment to the change.
4. Provide visible leadership from senior management to establish direction and to align, motivate and inspire stakeholders to desire the change.

BAI05.02 Form an effective implementation team. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI05 Managed Organizational Change)
1. Identify and assemble an effective core implementation team that includes appropriate members from business and IT with the capacity to spend the required amount of time and contribute knowledge and expertise, experience, credibility, and authority. Consider including external parties such as consultants to provide an independent view or to address skill gaps. Identify potential change agents within different parts of
2. Create trust within the core implementation team through carefully planned events with effective communication and joint activities.
3. Develop a common vision and goals that support the enterprise objectives.

BAI05.03 Communicate desired vision. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI05 Managed Organizational Change)
1. Develop a vision communication plan to address the core audience groups, their behavioral profiles and information requirements, communication channels, and principles.
2. Deliver the communication at appropriate levels of the enterprise, in accordance with the plan.
3. Reinforce the communication through multiple forums and repetition.
4. Make all levels of leadership accountable for demonstrating the vision.
5. Check understanding of the desired vision and respond to any issues highlighted by staff.

BAI05.04 Empower role players and identify short-term wins. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI05 Managed Organizational Change)
1. Plan the training opportunities staff will need to develop the appropriate skills and attitudes to feel empowered.
2. Identify, prioritize and deliver opportunities for quick wins. These could be related to current known areas of difficulty or external factors that need to be addressed urgently.
3. Leverage delivered quick wins by communicating the benefits to those impacted to show the vision is on track. Fine-tune the vision, keep leaders on board and build momentum.
4. Identify organizational structures compatible with the vision; if required, make changes to ensure alignment.
5. Align HR processes and measurement systems (e.g., performance evaluation, compensation decisions, promotion decisions, recruiting and hiring) to support the vision.
6. Identify and manage leaders who continue to resist needed change.

BAI05.05 Enable operation and use. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI05 Managed Organizational Change)
1. Develop a plan for operation and use of the change. The plan should communicate and build on realized quick wins, address behavioral and cultural aspects of the broader transition, and increase buy-in and engagement. Ensure that the plan covers a holistic view of the change and provides documentation (e.g., procedures), mentoring, training, coaching, knowledge transfer, enhanced immediate post-go-
2. Implement the operation and use plan. Define and track success measures, including hard business measures and perception measures that indicate how people feel about a change. Take remedial action as necessary.

BAI05.06 Embed new approaches. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI05 Managed Organizational Change)
1. Make process owners accountable for normal day-to-day operations.
2. Celebrate successes and implement reward and recognition programs to reinforce the change.
3. Provide ongoing awareness through regular communication of the change and its adoption.
4. Use performance measurement systems to identify root causes for low adoption. Take corrective action.
5. Conduct compliance audits to identify root causes for low adoption. Recommend corrective action.

BAI05.07 Sustain changes. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI05 Managed Organizational Change)
1. Sustain and reinforce the change through regular communication that demonstrates top management commitment.
2. Provide mentoring, training, coaching and knowledge transfer to new staff to sustain the change.
3. Perform periodic reviews of the operation and use of the change. Identify improvements.
4. Capture lessons learned relating to implementation of the change. Share knowledge across the enterprise.

BAI06.01 Evaluate, prioritize and authorize change requests. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI06 Managed IT Changes)
1. Use formal change requests to enable business process owners and IT to request changes to business process, infrastructure, systems or applications. Make sure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., business process, infrastructure, operating systems, networks, application systems, purchased/packaged application software) and relate affected configuration items.
3. Prioritize all requested changes based on the business and technical requirements; resources required; and the legal, regulatory and contractual reasons for the requested change.
4. Formally approve each change by business process owners, service managers and IT technical stakeholders, as appropriate. Changes that are low-risk and relatively frequent should be pre-approved as standard changes.
5. Plan and schedule all approved changes.
6. Plan and evaluate all requests in a structured fashion. Include an impact analysis on business process, infrastructure, systems and applications, business continuity plans (BCPs) and service providers to ensure that all affected components have been identified. Assess the likelihood of adversely affecting the operational environment and the risk of implementing the change. Consider security, privacy, legal, contractual and
7. Consider the impact of contracted services providers (e.g., of outsourced business processing, infrastructure, application development and shared services) on the change management process. Include integration of organizational change management processes with change management processes of service providers and the impact on contractual terms and SLAs.
BAI06.02 Manage emergency changes. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI06 Managed IT Changes)
1. Define what constitutes an emergency change.
2. Ensure that a documented procedure exists to declare, assess, approve preliminarily, authorize after the change and record an emergency change.
3. Verify that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
4. Monitor all emergency changes and conduct post-implementation reviews involving all concerned parties. The review should consider and initiate corrective actions based on root causes such as problems with business process, application system development and maintenance, development and test environments, documentation and manuals, and data integrity.
BAI06.03 Track and report change status. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI06 Managed IT Changes)
1. Categorize change requests in the tracking process (e.g., rejected, approved but not yet initiated, approved and in process, and closed).
2. Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of change requests). Ensure that status reports form an audit trail so changes can subsequently be tracked from inception to eventual disposition.
3. Monitor open changes to ensure that all approved changes are closed in a timely fashion, depending on priority.
4. Maintain a tracking and reporting system for all change requests.

BAI06.04 Close and document the changes. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI06 Managed IT Changes)
1. Include changes in the documentation within the management procedure. Examples of documentation include business and IT operational procedures, business continuity and disaster recovery documentation, configuration information, application documentation, help screens, and training materials.
2. Define an appropriate retention period for change documentation and pre- and post-change system and user documentation.
3. Subject documentation to the same level of review as the actual change.

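The three BAI06 checks an auditor most often asks for can be computed from the change-request event log itself. The following added example (not COBIT text) works over a constructed log: it flags closed changes that were never approved (or, for emergency changes, never authorized after the fact, BAI06.02 activity 2), lists emergency access grants that were never revoked (BAI06.02 activity 3), and produces the aged analysis of open changes that BAI06.03 activity 2 names. The change identifiers, actors and dates are hypothetical; the event vocabulary (requested, approved, rejected, in_process, closed, authorized, access_granted, access_revoked) is an assumption chosen to match the status categories in BAI06.03 activity 1.

```python
"""Checks over a change-request event log.

Added example; change IDs, actors and dates are constructed.
"""
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    at: date
    change_id: str
    kind: str    # "normal", "standard" (pre-approved) or "emergency"
    event: str   # requested | approved | rejected | in_process | closed |
                 # authorized (post-change, emergency only) | access_granted | access_revoked
    actor: str


def audit_trail(events: List[Event]) -> Dict[str, List[Event]]:
    """Events per change in date order; the stable sort keeps same-day order."""
    trail: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.at):
        trail[e.change_id].append(e)
    return dict(trail)


def unauthorized_changes(events: List[Event]) -> List[str]:
    """Closed changes lacking approval: normal changes need 'approved' before
    'closed'; emergency changes need a post-change 'authorized'; standard
    changes are pre-approved and skipped."""
    flagged = []
    for cid, evs in audit_trail(events).items():
        names = [e.event for e in evs]
        if "closed" not in names or evs[0].kind == "standard":
            continue
        if evs[0].kind == "emergency":
            ok = "authorized" in names
        else:
            ok = "approved" in names[: names.index("closed")]
        if not ok:
            flagged.append(cid)
    return sorted(flagged)


def unrevoked_emergency_access(events: List[Event]) -> List[Tuple[str, str]]:
    """(change_id, actor) pairs granted emergency access and never revoked."""
    open_grants: Dict[Tuple[str, str], bool] = {}
    for cid, evs in audit_trail(events).items():
        for e in evs:
            if e.event == "access_granted":
                open_grants[(cid, e.actor)] = True
            elif e.event == "access_revoked":
                open_grants.pop((cid, e.actor), None)
    return sorted(open_grants)


def aged_analysis(events: List[Event], today: date) -> Counter:
    """Count changes still open (neither closed nor rejected) by age bucket."""
    buckets: Counter = Counter()
    for evs in audit_trail(events).values():
        if {e.event for e in evs} & {"closed", "rejected"}:
            continue
        age = (today - evs[0].at).days
        buckets["0-7 days" if age <= 7 else "8-30 days" if age <= 30 else ">30 days"] += 1
    return buckets


AS_OF = date(2024, 3, 31)
# Constructed log: one clean change, one stale one, an emergency change whose
# access was never revoked, a change closed without approval, and an emergency
# change never authorized after the fact.
EVENTS = [
    Event(date(2024, 3, 1), "CHG-1001", "normal", "requested", "app-owner"),
    Event(date(2024, 3, 2), "CHG-1001", "normal", "approved", "cab"),
    Event(date(2024, 3, 3), "CHG-1001", "normal", "in_process", "ops"),
    Event(date(2024, 3, 5), "CHG-1001", "normal", "closed", "ops"),
    Event(date(2024, 2, 1), "CHG-1002", "normal", "requested", "app-owner"),
    Event(date(2024, 2, 3), "CHG-1002", "normal", "approved", "cab"),
    Event(date(2024, 2, 4), "CHG-1002", "normal", "in_process", "ops"),
    Event(date(2024, 3, 10), "CHG-1003", "emergency", "requested", "oncall-db"),
    Event(date(2024, 3, 10), "CHG-1003", "emergency", "access_granted", "oncall-db"),
    Event(date(2024, 3, 10), "CHG-1003", "emergency", "in_process", "oncall-db"),
    Event(date(2024, 3, 10), "CHG-1003", "emergency", "closed", "oncall-db"),
    Event(date(2024, 3, 11), "CHG-1003", "emergency", "authorized", "cab"),
    Event(date(2024, 3, 20), "CHG-1004", "normal", "requested", "dev"),
    Event(date(2024, 3, 21), "CHG-1004", "normal", "in_process", "dev"),
    Event(date(2024, 3, 22), "CHG-1004", "normal", "closed", "dev"),
    Event(date(2024, 3, 25), "CHG-1005", "emergency", "requested", "oncall-net"),
    Event(date(2024, 3, 25), "CHG-1005", "emergency", "access_granted", "oncall-net"),
    Event(date(2024, 3, 25), "CHG-1005", "emergency", "closed", "oncall-net"),
    Event(date(2024, 3, 25), "CHG-1005", "emergency", "access_revoked", "oncall-net"),
    Event(date(2024, 3, 28), "CHG-1006", "standard", "requested", "ops"),
    Event(date(2024, 3, 29), "CHG-1006", "standard", "in_process", "ops"),
]

if __name__ == "__main__":
    print("closed without authorization:", unauthorized_changes(EVENTS))
    print("emergency access never revoked:", unrevoked_emergency_access(EVENTS))
    print("open changes by age:", dict(aged_analysis(EVENTS, AS_OF)))
```

The unrevoked-access check is the one worth wiring to an alert rather than a monthly report: a break-glass grant that outlives its change is standing privileged access that the change record no longer explains.
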
BAI07.01 Establish an implementation plan. (Area: Management; Domain: Build, Acquire and Implement; Objective: BAI07 Managed IT Change Acceptance and Transitioning)
1. Create an implementation plan that reflects the broad implementation strategy, the sequence of implementation steps, resource requirements, inter-dependencies, criteria for management acceptance of the production implementation, installation verification requirements, transition strategy for production support, and update of business continuity plans.
2. From external solution providers, obtain commitment to their involvement in each step of the implementation.
3. Identify and document the fallback and recovery processes.
4. Confirm that all implementation plans are approved by technical and business stakeholders and reviewed by internal audit, as appropriate.
5. Formally review the technical and business risk associated with implementation. Ensure that the key risk is considered and addressed in the planning process.
Management Build, Acquire BAI07 Managed IT BAI07.02 Plan business process, 1. Define a business process, I&T service data and
and Implement Change system and data infrastructure migration plan. In developing the plan,
Acceptance and conversion. consider, for example, hardware, networks, operating
Transitioning systems, software, transaction data, master files, backups and
archives, interfaces with other systems (both internal and
external), possible compliance requirements, business
procedures, and system documentation.
Management Build, Acquire BAI07 Managed IT BAI07.02 Plan business process, 2. In the business process conversion plan, consider all
and Implement Change system and data necessary adjustments to procedures, including revised roles
Acceptance and conversion. and responsibilities and control procedures.
Transitioning

Management Build, Acquire BAI07 Managed IT BAI07.02 Plan business process, 3. Confirm that the data conversion plan does not require
and Implement Change system and data changes in data values unless absolutely necessary for
Acceptance and conversion. business reasons. Document changes made to data values,
Transitioning and secure approval from the business process data owner.

560
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.02 | Plan business process, system and data conversion. | 4. Plan retention of backup and archived data to conform to business needs and regulatory or compliance requirements.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.02 | Plan business process, system and data conversion. | 5. Rehearse and test the conversion before attempting a live conversion.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.02 | Plan business process, system and data conversion. | 6. Coordinate and verify the timing and completeness of the conversion cutover so there is a smooth, continuous transition with no loss of transaction data. Where necessary, in the absence of any other alternative, freeze live operations.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.02 | Plan business process, system and data conversion. | 7. Plan to back up all systems and data taken at the point prior to conversion. Maintain audit trails to enable the conversion to be retraced. Ensure that there is a recovery plan that covers rollback of migration and fallback to previous processing should the migration fail.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.02 | Plan business process, system and data conversion. | 8. In the data conversion plan, incorporate methods for collecting, converting and verifying data to be converted, and identifying and resolving any errors found during conversion. Include comparing the original and converted data for completeness and integrity.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.02 | Plan business process, system and data conversion. | 9. Consider the risk of conversion problems, business continuity planning and fallback procedures in the business process, data and infrastructure migration plan where there are risk management, business needs or regulatory/compliance requirements.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 1. Develop and document the test plan, which aligns to the program, project quality plan and relevant organizational standards. Communicate and consult with appropriate business process owners and IT stakeholders.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 2. Ensure that the test plan reflects an assessment of risk from the project and that all functional and technical requirements are tested. Based on assessment of the risk of system failure and faults on implementation, include in the plan requirements for performance, stress, usability, pilot, security testing and privacy.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 3. Ensure that the test plan addresses the potential need for internal or external accreditation of outcomes of the test process (e.g., financial or regulatory requirements).
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 4. Ensure that the test plan identifies necessary resources to execute testing and evaluate the results. Examples of resources may be construction of test environments and use of staff time for the test group, including potential temporary replacement of test staff in the production or development environments. Ensure that stakeholders are consulted on the resource implications of the test plan.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 5. Ensure that the test plan identifies testing phases appropriate to the operational requirements and environment. Examples of such testing phases include unit test, system test, integration test, user acceptance test, performance test, stress test, data conversion test, security test, privacy test, operational readiness test, and backup and recovery tests.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 6. Confirm that the test plan considers test preparation (including site preparation), training requirements, installation or an update of a defined test environment, planning/performing/documenting/retaining test cases, error and problem handling, correction and escalation, and formal approval.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 7. Confirm that all test plans are approved by stakeholders, including business process owners and IT, as appropriate. Stakeholders may include application development managers, project managers and business process end users.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.03 | Plan acceptance tests. | 8. Ensure that the test plan establishes clear criteria for measuring the success of undertaking each testing phase. Consult the business process owners and IT stakeholders in defining the success criteria. Determine that the plan establishes remediation procedures when the success criteria are not met. For example, if there is a significant failure in a testing phase, the plan should provide guidance on whether
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.04 | Establish a test environment. | 1. Create a database of test data that are representative of the production environment. Sanitize data used in the test environment from the production environment according to business needs and organizational standards. For example, consider whether compliance or regulatory requirements oblige the use of sanitized data.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.04 | Establish a test environment. | 2. Protect sensitive test data and results against disclosure, including access, retention, storage and destruction. Consider the effect of interaction of organizational systems with those of third parties.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.04 | Establish a test environment. | 3. Put in place a process to enable proper retention or disposal of test results, media and other associated documentation that will enable adequate review and subsequent analysis or efficient retesting as required by the test plan. Consider the effect of regulatory or compliance requirements.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.04 | Establish a test environment. | 4. Ensure that the test environment is representative of the future business and operational landscape. Include business process procedures and roles, likely workload stress, operating systems, necessary application software, database management systems, and network and computing infrastructure found in the production environment.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.04 | Establish a test environment. | 5. Ensure that the test environment is secure and incapable of interacting with production systems.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 1. Review the categorized log of errors found in the testing process by the development team. Verify that all errors have been remediated or formally accepted.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 2. Evaluate the final acceptance against the success criteria and interpret the final acceptance testing results. Present them in a form that is understandable to business process owners and IT, so an informed review and evaluation can take place.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 3. Approve the acceptance, with formal sign-off by the business process owners, third parties (as appropriate) and IT stakeholders prior to promotion.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 4. Ensure that testing of changes is undertaken in accordance with the testing plan. Ensure that the testing is designed and conducted by a test group that is independent from the development team. Consider the extent to which business process owners and end users are involved in the test group. Ensure that testing is conducted only within the test environment.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 5. Ensure that the tests and anticipated outcomes are in accordance with the defined success criteria set out in the testing plan.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 6. Consider using clearly defined test instructions (scripts) to implement the tests. Ensure that the independent test group assesses and approves each test script to confirm that it adequately addresses test success criteria set out in the test plan. Consider using scripts to verify the extent to which the system meets security and privacy requirements.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 7. Consider the appropriate balance between automated scripted tests and interactive user testing.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 8. Undertake tests of security in accordance with the test plan. Measure the extent of security weaknesses or loopholes. Consider the effect of security incidents since construction of the test plan. Consider the effect on access and boundary controls. Consider privacy.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 9. Undertake tests of system and application performance in accordance with the test plan. Consider a range of performance metrics (e.g., end-user response times and database management system update performance).
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 10. When undertaking testing, ensure that the fallback and rollback elements of the test plan have been addressed.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.05 | Perform acceptance tests. | 11. Identify, log and classify (e.g., minor, significant, mission-critical) errors during testing. Ensure that an audit trail of test results is available. In accordance with the test plan, communicate results of testing to stakeholders to facilitate bug fixing and further quality enhancement.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.06 | Promote to production and manage releases. | 1. Prepare for transfer of business procedures and supporting services, applications and infrastructure from testing to the production environment in accordance with organizational change management standards.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.06 | Promote to production and manage releases. | 2. Determine the extent of pilot implementation or parallel processing of the old and new systems in line with the implementation plan.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.06 | Promote to production and manage releases. | 3. Promptly update relevant business process and system documentation, configuration information and contingency plan documents, as appropriate.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.06 | Promote to production and manage releases. | 4. Ensure that all media libraries are updated promptly with the version of the solution component being transferred from testing to the production environment. Archive the existing version and its supporting documentation. Ensure that promotion to production of systems, application software and infrastructure is under configuration control.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.06 | Promote to production and manage releases. | 5. Where distribution of solution components is conducted electronically, control automated distribution to ensure that users are notified, and distribution occurs only to authorized and correctly identified destinations. In the release process, include backup procedures to enable the distribution of changes to be reviewed in the event of a malfunction or error.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.06 | Promote to production and manage releases. | 6. Where distribution takes physical form, keep a formal log of what items have been distributed, to whom, where they have been implemented, and when each has been updated.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.07 | Provide early production support. | 1. Provide additional resources, as required, to end users and support personnel until the release has stabilized.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.07 | Provide early production support. | 2. Provide additional I&T systems resources, as required, until the release is in a stable operational environment.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.08 | Perform a post-implementation review. | 1. Establish procedures to ensure that post-implementation reviews identify, assess and report on the extent to which the following events have occurred: enterprise requirements have been met; expected benefits have been realized; the system is considered usable; internal and external stakeholder expectations are met; unexpected impacts on the enterprise have occurred; key risk is mitigated; and the change
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.08 | Perform a post-implementation review. | 2. Consult business process owners and IT technical management in the choice of metrics for measurement of success and achievement of requirements and benefits.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.08 | Perform a post-implementation review. | 3. Conduct the post-implementation review in accordance with the organizational change management process. Engage business process owners and third parties, as appropriate.
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.08 | Perform a post-implementation review. | 4. Consider requirements for post-implementation review arising from outside business and IT (e.g., internal audit, ERM, compliance).
Management | Build, Acquire and Implement | BAI07 | Managed IT Change Acceptance and Transitioning | BAI07.08 | Perform a post-implementation review. | 5. Agree on and implement an action plan to address issues identified in the post-implementation review. Engage business process owners and IT technical management in the development of the action plan.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.01 | Identify and classify sources of information for governance and management of I&T. | 1. Identify potential knowledge users, including owners of information who may need to contribute and approve knowledge. Obtain knowledge requirements and sources of information from identified users.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.01 | Identify and classify sources of information for governance and management of I&T. | 2. Consider content types (procedures, processes, structures, concepts, policies, rules, facts, classifications), artefacts (documents, records, video, voice), and structured and unstructured information (experts, social media, email, voice mail, Rich Site Summary (RSS) feeds).
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.01 | Identify and classify sources of information for governance and management of I&T. | 3. Classify sources of information based on a content classification scheme (e.g., information architecture model). Map sources of information to the classification scheme.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.01 | Identify and classify sources of information for governance and management of I&T. | 4. Collect, collate and validate information sources based on information validation criteria (e.g., understandability, relevance, importance, integrity, accuracy, consistency, confidentiality, currency and reliability).
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.02 | Organize and contextualize information into knowledge. | 1. Identify shared attributes and match sources of information, creating relationships among information sets (information tagging).
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.02 | Organize and contextualize information into knowledge. | 2. Create views to related data sets, considering stakeholder and organizational requirements.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.02 | Organize and contextualize information into knowledge. | 3. Devise and implement a scheme to manage unstructured knowledge not available through formal sources (e.g., expert knowledge).
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.02 | Organize and contextualize information into knowledge. | 4. Publish and make knowledge accessible to relevant stakeholders, based on roles and access mechanisms.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.03 | Use and share knowledge. | 1. Set management expectations and demonstrate appropriate attitude regarding the usefulness of knowledge and the need to share knowledge related to the governance and management of enterprise I&T.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.03 | Use and share knowledge. | 2. Identify potential knowledge users by knowledge classification.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.03 | Use and share knowledge. | 3. Transfer knowledge to knowledge users, based on a needs gap analysis and effective learning techniques. Create an environment, tools and artifacts that support the sharing and transfer of knowledge. Ensure appropriate access controls are in place, in line with defined knowledge classification.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.03 | Use and share knowledge. | 4. Measure the use of knowledge tools and elements and evaluate the impact on governance processes.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.03 | Use and share knowledge. | 5. Improve information and knowledge for governance processes that show knowledge gaps.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.04 | Evaluate and update or retire information. | 1. Define the controls for knowledge retirement and retire knowledge accordingly.
Management | Build, Acquire and Implement | BAI08 | Managed Knowledge | BAI08.04 | Evaluate and update or retire information. | 2. Evaluate the usefulness, relevance and value of knowledge elements. Update outdated information that still has relevance and value to the organization. Identify related information that is no longer relevant to the enterprise's knowledge requirements and retire or archive according to policy.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.01 | Identify and record current assets. | 1. Identify all owned assets in an asset register that records current status. Assets are reported on the balance sheet; they are bought or created to increase the value of a firm or benefit the enterprise's operations (e.g., hardware and software). Identify all owned assets and maintain alignment with the change management and configuration management processes, the configuration management system, and the
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.01 | Identify and record current assets. | 2. Identify legal, regulatory or contractual requirements that need to be addressed when managing the asset.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.01 | Identify and record current assets. | 3. Verify that the assets are fit for purpose (i.e., in a useful condition).
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.01 | Identify and record current assets. | 4. Ensure accounting for all assets.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.01 | Identify and record current assets. | 5. Verify the existence of all owned assets by performing regular physical and logical inventory checks and reconciliation. Include the use of software discovery tools.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.01 | Identify and record current assets. | 6. Determine on a regular basis whether each asset continues to provide value. If so, estimate the expected useful life for delivering value.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 1. Identify assets that are critical in providing service capability by referencing requirements in service definitions, SLAs and the configuration management system.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 2. On a regular basis, consider the risk of failure or need for replacement of each critical asset.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 3. Communicate to affected customers and users the expected impact (e.g., performance restrictions) of maintenance activities.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 4. Incorporate planned downtime in an overall production schedule. Schedule the maintenance activities to minimize the adverse impact on business processes.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 5. Maintain the resilience of critical assets by applying regular preventive maintenance. Monitor performance and, if required, provide alternative and/or additional assets to minimize the likelihood of failure.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 6. Establish a preventive maintenance plan for all hardware, considering cost/benefit analysis, vendor recommendations, risk of outage, qualified personnel and other relevant factors.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 7. Establish maintenance agreements involving third-party access to organizational I&T facilities for on-site and off-site activities (e.g., outsourcing). Establish formal service contracts containing or referring to all necessary security and privacy conditions, including access authorization procedures, to ensure compliance with the organizational security/privacy policies and standards.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 8. Ensure that remote access services and user profiles (or other means used for maintenance or diagnosis) are active only when required.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.02 | Manage critical assets. | 9. Monitor performance of critical assets by examining incident trends. Where necessary, take action to repair or replace.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 1. Procure all assets based on approved requests and in accordance with the enterprise procurement policies and practices.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 2. Source, receive, verify, test and record all assets in a controlled manner, including physical labeling as required.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 3. Approve payments and complete the process with suppliers according to agreed contract conditions.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 4. Deploy assets following the standard implementation life cycle, including change management and acceptance testing.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 5. Allocate assets to users, with acceptance of responsibilities and sign-off, as appropriate.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 6. Whenever possible, reallocate assets when they are no longer required due to a change of user role, redundancy within a service, or retirement of a service.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 7. Plan, authorize and implement retirement-related activities, retaining appropriate records to meet ongoing business and regulatory needs.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 8. Dispose of assets securely, considering, for example, the permanent deletion of any recorded data on media devices and potential damage to the environment.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.03 | Manage the asset life cycle. | 9. Dispose of assets responsibly when they serve no useful purpose due to retirement of all related services, obsolete technology or lack of users with regard to environmental impact.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.04 | Optimize asset value. | 1. On a regular basis, review the overall asset base, considering whether it is aligned with business requirements.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.04 | Optimize asset value. | 2. Assess maintenance costs, consider reasonableness, and identify lower-cost options. Include, where necessary, replacement with new alternatives.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.04 | Optimize asset value. | 3. Review warranties and consider value-for-money and replacement strategies to determine lowest-cost options.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.04 | Optimize asset value. | 4. Use capacity and utilization statistics to identify underutilized or redundant assets that could be considered for disposal or replacement to reduce costs.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.04 | Optimize asset value. | 5. Review the overall base to identify opportunities for standardization, single sourcing, and other strategies that may lower procurement, support and maintenance costs.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.04 | Optimize asset value. | 6. Review the overall state to identify opportunities to leverage emerging technologies or alternative sourcing strategies to reduce costs or increase value-for-money.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.05 | Manage licenses. | 1. Maintain a register of all purchased software licenses and associated license agreements.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.05 | Manage licenses. | 2. On a regular basis, conduct an audit to identify all instances of installed licensed software.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.05 | Manage licenses. | 3. Compare the number of installed software instances with the number of licenses owned. Ensure that the license compliance measurement method is compliant with the license and contractual requirements.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.05 | Manage licenses. | 4. When instances are lower than the number owned, decide whether there is a need to retain or terminate licenses, considering the potential to save on unnecessary maintenance, training and other costs.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.05 | Manage licenses. | 5. When instances are higher than the number owned, consider first the opportunity to uninstall instances that are no longer required or justified, and then, if necessary, purchase additional licenses to comply with the license agreement.
Management | Build, Acquire and Implement | BAI09 | Managed Assets | BAI09.05 | Manage licenses. | 6. On a regular basis, consider whether better value can be obtained by upgrading products and associated licenses.
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.01 | Establish and maintain a configuration model. | 1. Define and agree on the scope and level of detail for configuration management (i.e., which services, assets and infrastructure configurable items to include).
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.01 | Establish and maintain a configuration model. | 2. Establish and maintain a logical model for configuration management, including information on CI types, attributes, relationship types, relationship attributes and status codes.
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.02 | Establish and maintain a configuration repository and baseline. | 1. Identify and classify CIs and populate the repository.
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.02 | Establish and maintain a configuration repository and baseline. | 2. Create, review and formally agree on configuration baselines of a service, application or infrastructure.
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.03 | Maintain and control configuration items. | 1. Regularly identify all changes to CIs.
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.03 | Maintain and control configuration items. | 2. To ensure completeness and accuracy, review proposed changes to CIs against the baseline.
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.03 | Maintain and control configuration items. | 3. Update configuration details for approved changes to CIs.
Management | Build, Acquire and Implement | BAI10 | Managed Configuration | BAI10.03 | Maintain and control configuration items. | 4. Create, review and formally agree on changes to configuration baselines whenever needed.
Management Build, Acquire BAI10 Managed BAI10.04 Produce status and 1. Identify status changes of CIs and report against the
and Implement Configuration configuration reports. baseline.

Management Build, Acquire BAI10 Managed BAI10.04 Produce status and 2. Match all configuration changes with approved requests
and Implement Configuration configuration reports. for change to identify any unauthorized changes. Report
unauthorized changes to change management.

Management Build, Acquire BAI10 Managed BAI10.04 Produce status and 3. Identify reporting requirements from all stakeholders,
and Implement Configuration configuration reports. including content, frequency and media. Produce reports
according to the identified requirements.

Management Build, Acquire BAI10 Managed BAI10.05 Verify and review 1. Periodically verify live configuration items against the
and Implement Configuration integrity of the configuration repository by comparing physical and logical
configuration configurations and using appropriate discovery tools, as
repository. required.

Management Build, Acquire BAI10 Managed BAI10.05 Verify and review 2. Report and review all deviations for approved corrections
and Implement Configuration integrity of the or action to remove any unauthorized assets.
configuration
repository.

Management Build, Acquire BAI10 Managed BAI10.05 Verify and review 3. Periodically verify that all physical configuration items, as
and Implement Configuration integrity of the defined in the repository, physically exist. Report any
configuration deviations to management.
repository.

578
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI10 Managed BAI10.05 Verify and review 4. Set and periodically review the target for completeness of
and Implement Configuration integrity of the the configuration repository based on business need.
configuration
repository.

Management Build, Acquire BAI10 Managed BAI10.05 Verify and review 5. Periodically compare the degree of completeness and
and Implement Configuration integrity of the accuracy against targets and take remedial action, as
configuration necessary, to improve the quality of the repository data.
repository.

Management Build, Acquire BAI11 Managed BAI11.01 Maintain a standard 1. Maintain and enforce a standard approach to project
and Implement Projects approach for project management aligned to the enterprise’s specific environment
management. and with good practice based on defined process and use of
appropriate technology. Ensure that the approach covers the
full life cycle and disciplines to be followed, including the
management of scope, resources, risk, cost, quality, time,
communication, stakeholder involvement, procurement,
Management Build, Acquire BAI11 Managed BAI11.01 Maintain a standard 2. Provide appropriate project management training and
and Implement Projects approach for project consider certification for project managers.
management.

Management Build, Acquire BAI11 Managed BAI11.01 Maintain a standard 3. Put in place a project management office (PMO) that
and Implement Projects approach for project maintains the standard approach for program and project
management. management across the organization. The PMO supports all
projects by creating and maintaining required project
documentation templates, providing training and best
practices for project managers, tracking metrics on the use of
best practices for project management, etc. In some cases,
Management Build, Acquire BAI11 Managed BAI11.01 Maintain a standard 4. Evaluate lessons learned on the use of the project
and Implement Projects approach for project management approach. Update the good practices, tools and
management. templates accordingly.

579
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.02 Start up and initiate a 1. To create a common understanding of project scope
and Implement Projects project. among stakeholders, provide them a clear written statement
defining the nature, scope and deliverables of every project.

Management Build, Acquire BAI11 Managed BAI11.02 Start up and initiate a 2. Ensure that each project has one or more sponsors with
and Implement Projects project. sufficient authority to manage execution of the project within
the overall program.

Management Build, Acquire BAI11 Managed BAI11.02 Start up and initiate a 3. Ensure that key stakeholders and sponsors within the
and Implement Projects project. enterprise (business and IT) agree on and accept the
requirements for the project, including definition of project
success (acceptance) criteria and key performance indicators
(KPIs).

Management Build, Acquire BAI11 Managed BAI11.02 Start up and initiate a 4. Appoint a dedicated manager for the project. Ensure that
and Implement Projects project. the individual has the required understanding of technology
and business and the commensurate competencies and skills
to manage the project effectively and efficiently.

Management Build, Acquire BAI11 Managed BAI11.02 Start up and initiate a 5. Ensure that the project definition describes the
and Implement Projects project. requirements for a project communication plan that identifies
internal and external project communications.

Management Build, Acquire BAI11 Managed BAI11.02 Start up and initiate a 6. With the approval of stakeholders, maintain the project
and Implement Projects project. definition throughout the project, reflecting changing
requirements.

580
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.02 Start up and initiate a 7. To track the execution of a project, put in place
and Implement Projects project. mechanisms such as regular reporting and stage-gate, release
or phase reviews, to occur in a timely manner and with
appropriate approval.

Management Build, Acquire BAI11 Managed BAI11.03 Manage stakeholder 1. Plan how stakeholders inside and outside the enterprise
and Implement Projects engagement. will be identified, analyzed, engaged and managed through
the life cycle of the project.

Management Build, Acquire BAI11 Managed BAI11.03 Manage stakeholder 2. Identify, engage and manage stakeholders by establishing
and Implement Projects engagement. and maintaining appropriate levels of co-ordination,
communication and liaison to ensure they are involved in the
project.

Management Build, Acquire BAI11 Managed BAI11.03 Manage stakeholder 3. Analyze stakeholder interests, requirements and
and Implement Projects engagement. engagement. Take remedial actions as required.

Management Build, Acquire BAI11 Managed BAI11.04 Develop and maintain 1. Develop a project plan that provides information to enable
and Implement Projects the project plan. management to control project progress progressively. The
plan should include details of project deliverables and
acceptance criteria, required internal and external resources
and responsibilities, clear work breakdown structures and
work packages, estimates of resources required,
milestones/release plan/phases, key dependencies, budget
Management Build, Acquire BAI11 Managed BAI11.04 Develop and maintain 2. Maintain the project plan and any dependent plans (e.g.,
and Implement Projects the project plan. risk plan, quality plan, benefits realization plan). Ensure that
the plans are up to date and reflect actual progress and
approved material changes.

581
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.04 Develop and maintain 3. Ensure that there is effective communication of project
and Implement Projects the project plan. plans and progress reports. Ensure that any changes made to
individual plans are reflected in other plans.

Management Build, Acquire BAI11 Managed BAI11.04 Develop and maintain 4. Determine the activities, interdependencies and required
and Implement Projects the project plan. collaboration and communication within the project and
among multiple projects within a program.

Management Build, Acquire BAI11 Managed BAI11.04 Develop and maintain 5. Ensure that each milestone is accompanied by a significant
and Implement Projects the project plan. deliverable requiring review and sign-off.

Management Build, Acquire BAI11 Managed BAI11.04 Develop and maintain 6. Establish a project baseline (e.g., cost, schedule, scope,
and Implement Projects the project plan. quality) that is appropriately reviewed, approved and
incorporated into the integrated project plan.

Management Build, Acquire BAI11 Managed BAI11.05 Manage project 1. To provide quality assurance for the project deliverables,
and Implement Projects quality. identify ownership and responsibilities, quality review
processes, success criteria and performance metrics.

Management Build, Acquire BAI11 Managed BAI11.05 Manage project 2. Identify assurance tasks and practices required to support
and Implement Projects quality. the accreditation of new or modified systems during project
planning. Include them in the integrated plans. Ensure that
the tasks provide assurance that internal controls and security
and privacy solutions meet the defined requirements.

582
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.05 Manage project 3. Define any requirements for independent validation and
and Implement Projects quality. verification of the quality of deliverables in the plan.

Management Build, Acquire BAI11 Managed BAI11.05 Manage project 4. Perform quality assurance and control activities in
and Implement Projects quality. accordance with the quality management plan and QMS.

Management Build, Acquire BAI11 Managed BAI11.06 Manage project risk. 1. Establish a formal project risk management approach
and Implement Projects aligned with the ERM framework. Ensure that the approach
includes identifying, analyzing, responding to, mitigating,
monitoring and controlling risk.

Management Build, Acquire BAI11 Managed BAI11.06 Manage project risk. 2. Assign to appropriately skilled personnel the responsibility
and Implement Projects for executing the enterprise’s project risk management
process within a project and ensure that this is incorporated
into the solution development practices. Consider allocating
this role to an independent team, especially if an objective
viewpoint is required or a project is considered critical.
Management Build, Acquire BAI11 Managed BAI11.06 Manage project risk. 3. Identify owners for actions to avoid, accept or mitigate risk.
and Implement Projects

Management Build, Acquire BAI11 Managed BAI11.06 Manage project risk. 4. Perform the project risk assessment of identifying and
and Implement Projects quantifying risk continuously throughout the project. Manage
and communicate risk appropriately within the project
governance structure.

583
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.06 Manage project risk. 5. Reassess project risk periodically, including at initiation of
and Implement Projects each major project phase and as part of major change request
assessments.

Management Build, Acquire BAI11 Managed BAI11.06 Manage project risk. 6. Maintain and review a project risk register of all potential
and Implement Projects project risk and a risk mitigation log of all project issues and
their resolution. Analyze the log periodically for trends and
recurring problems to ensure that root causes are corrected.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 1. Establish and use a set of project criteria including, but not
and Implement Projects projects. limited to, scope, expected business benefit, schedule, quality,
cost and level of risk.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 2. Report to identified key stakeholders project progress
and Implement Projects projects. within the project, deviations from established key project
performance criteria (such as, but not limited to, the expected
business benefits), and potential positive and negative effects
on the project.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 3. Document and submit any necessary changes to the
and Implement Projects projects. project’s key stakeholders for their approval before adoption.
Communicate revised criteria to project managers for use in
future performance reports.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 4. For the deliverables produced in each iteration, release or
and Implement Projects projects. project phase, gain approval and sign-off from designated
managers and users in the affected business and IT functions.

584
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 5. Base the approval process on clearly defined acceptance
and Implement Projects projects. criteria agreed on by key stakeholders before work
commences on the project phase or iteration deliverable.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 6. Assess the project at agreed major stage-gates, releases or
and Implement Projects projects. iterations. Make formal go/no-go decisions based on
predetermined critical success criteria.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 7. Establish and operate a change control system for the
and Implement Projects projects. project so that all changes to the project baseline (e.g., scope,
expected business benefits, schedule, quality, cost, risk level)
are appropriately reviewed, approved and incorporated into
the integrated project plan in line with the program and
project governance framework.
Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 8. Measure project performance against key project
and Implement Projects projects. performance criteria. Analyze deviations from established key
project performance criteria for cause and assess positive and
negative effects on the project.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 9. Monitor changes to the project and review existing key
and Implement Projects projects. project performance criteria to determine whether they still
represent valid measures of progress.

Management Build, Acquire BAI11 Managed BAI11.07 Monitor and control 10. Recommend and monitor remedial action, when required,
and Implement Projects projects. in line with the project governance framework.

585
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.08 Manage project 1. Identify business and IT resource needs for the project and
and Implement Projects resources and work clearly map appropriate roles and responsibilities, with
packages. escalation and decision-making authorities agreed and
understood.

Management Build, Acquire BAI11 Managed BAI11.08 Manage project 2. Identify required skills and time requirements for all
and Implement Projects resources and work individuals involved in the project phases in relation to
packages. defined roles. Staff the roles based on available skills
information (e.g., IT skills matrix).

Management Build, Acquire BAI11 Managed BAI11.08 Manage project 3. Utilize experienced project management and team leader
and Implement Projects resources and work resources with skills appropriate to the size, complexity and
packages. risk of the project.

Management Build, Acquire BAI11 Managed BAI11.08 Manage project 4. Consider and clearly define the roles and responsibilities of
and Implement Projects resources and work other involved parties, including finance, legal, procurement,
packages. HR, internal audit and compliance.

Management Build, Acquire BAI11 Managed BAI11.08 Manage project 5. Clearly define and agree on the responsibility for
and Implement Projects resources and work procurement and management of third-party products and
packages. services, and manage the relationships.

Management Build, Acquire BAI11 Managed BAI11.08 Manage project 6. Identify and authorize the execution of the work according
and Implement Projects resources and work to the project plan.
packages.

586
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Build, Acquire BAI11 Managed BAI11.08 Manage project 7. Identify project plan gaps and provide feedback to the
and Implement Projects resources and work project manager to remediate.
packages.

Management Build, Acquire BAI11 Managed BAI11.09 Close a project or 1. Obtain stakeholder acceptance of project deliverables and
and Implement Projects iteration. transfer ownership.

Management Build, Acquire BAI11 Managed BAI11.09 Close a project or 2. Define and apply key steps for project closure, including
and Implement Projects iteration. post-implementation reviews that assess whether a project
attained desired results.

Management Build, Acquire BAI11 Managed BAI11.09 Close a project or 3. Plan and execute post-implementation reviews to
and Implement Projects iteration. determine whether projects delivered expected results.
Improve the project management and system development
process methodology.

Management Build, Acquire BAI11 Managed BAI11.09 Close a project or 4. Identify, assign, communicate and track any uncompleted
and Implement Projects iteration. activities required to ensure the project delivered the
required results in terms of capabilities and the results
contributed as expected to the program benefits.

Management Build, Acquire BAI11 Managed BAI11.09 Close a project or 5. Regularly, and upon completion of the project, collect
and Implement Projects iteration. lessons learned from the project participants. Review them
and the key activities that led to delivered benefits and value.
Analyze the data and make recommendations for improving
the current project and the project management method for
future projects.

587
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS01 Managed DSS01.01 Perform operational 1. Develop and maintain operational procedures and related
and Support Operations procedures. activities to support all delivered services.

Management Deliver, Service DSS01 Managed DSS01.01 Perform operational 2. Maintain a schedule of operational activities and perform
and Support Operations procedures. the activities.

Management Deliver, Service DSS01 Managed DSS01.01 Perform operational 3. Verify that all data expected for processing are received
and Support Operations procedures. and processed completely, accurately and in a timely manner.
Deliver output in accordance with enterprise requirements.
Support restart and reprocessing needs. Ensure that users are
receiving the right outputs in a secure and timely manner.

Management Deliver, Service DSS01 Managed DSS01.01 Perform operational 4. Manage the performance and throughput of the scheduled
and Support Operations procedures. activities.

Management Deliver, Service DSS01 Managed DSS01.01 Perform operational 5. Monitor incidents and problems dealing with operational
and Support Operations procedures. procedures and take appropriate action to improve reliability
of operational tasks performed.

Management Deliver, Service DSS01 Managed DSS01.02 Manage outsourced 1. Ensure that the enterprise’s requirements for security of
and Support Operations I&T services. information processes adhere to contracts and SLAs with third
parties hosting or providing services.

588
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS01 Managed DSS01.02 Manage outsourced 2. Ensure that the enterprise’s operational business and IT
and Support Operations I&T services. processing requirements and priorities for service delivery
adhere to contracts and SLAs with third parties hosting or
providing services.

Management Deliver, Service DSS01 Managed DSS01.02 Manage outsourced 3. Integrate critical internal IT management processes with
and Support Operations I&T services. those of outsourced service providers. This should cover, for
example, performance and capacity planning, change
management, configuration management, service request and
incident management, problem management, security
management, business continuity, and the monitoring of
process performance and reporting.
Management Deliver, Service DSS01 Managed DSS01.02 Manage outsourced 4. Plan for independent audit and assurance of the
and Support Operations I&T services. operational environments of outsourced providers to confirm
that agreed requirements are being adequately addressed.

Management Deliver, Service DSS01 Managed DSS01.03 Monitor I&T 1. Log events. Identify the level of information to be
and Support Operations infrastructure. recorded, based on a consideration of risk and performance.

Management Deliver, Service DSS01 Managed DSS01.03 Monitor I&T 2. Identify and maintain a list of infrastructure assets that
and Support Operations infrastructure. need to be monitored, based on service criticality and the
relationship between configuration items and services that
depend on them.

Management Deliver, Service DSS01 Managed DSS01.03 Monitor I&T 3. Define and implement rules that identify and record
and Support Operations infrastructure. threshold breaches and event conditions. Find a balance
between generating spurious minor events and significant
events so event logs are not overloaded with unnecessary
information.

589
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS01 Managed DSS01.03 Monitor I&T 4. Produce event logs and retain them for an appropriate
and Support Operations infrastructure. period to assist in future investigations.

Management Deliver, Service DSS01 Managed DSS01.03 Monitor I&T 5. Ensure that incident tickets are created in a timely manner
and Support Operations infrastructure. when monitoring identified deviations from defined
thresholds.

Management Deliver, Service DSS01 Managed DSS01.03 Monitor I&T 6. Establish procedures for monitoring event logs. Conduct
and Support Operations infrastructure. regular reviews.

Management Deliver, Service DSS01 Managed DSS01.04 Manage the 1. Identify natural and man-made disasters that might occur
and Support Operations environment. in the area where the IT facilities are located. Assess the
potential effect on the IT facilities.

Management Deliver, Service DSS01 Managed DSS01.04 Manage the 2. Identify how I&T equipment, including mobile and off-site
and Support Operations environment. equipment, is protected against environmental threats.
Ensure that the policy limits or excludes eating, drinking and
smoking in sensitive areas, and prohibits storage of stationery
and other supplies that pose a fire hazard within computer
rooms.
Management Deliver, Service DSS01 Managed DSS01.04 Manage the 3. Keep the IT sites and server rooms clean and in a safe
and Support Operations environment. condition at all times (i.e., no mess, no paper or cardboard
boxes, no filled dustbins, no flammable chemicals or
materials).

590
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS01 Managed DSS01.04 Manage the 4. Situate and construct IT facilities to minimize and mitigate
and Support Operations environment. susceptibility to environmental threats (e.g., theft, air, fire,
smoke, water, vibration, terror, vandalism, chemicals,
explosives). Consider specific security zones and/or fireproof
cells (e.g., locating production and development
environments/servers away from each other).
Management Deliver, Service DSS01 Managed DSS01.04 Manage the 5. Compare measures and contingency plans against
and Support Operations environment. insurance policy requirements and report results. Address
points of noncompliance in a timely manner.

Management Deliver, Service DSS01 Managed DSS01.04 Manage the 6. Respond to environmental alarms and other notifications.
and Support Operations environment. Document and test procedures, which should include
prioritization of alarms and contact with local emergency
response authorities. Train personnel in these procedures.

Management Deliver, Service DSS01 Managed DSS01.04 Manage the 7. Regularly monitor and maintain devices that proactively
and Support Operations environment. detect environmental threats (e.g., fire, water, smoke,
humidity).

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 1. Examine the IT facilities’ requirement for protection
and Support Operations against power fluctuations and outages, in conjunction with
other business continuity planning requirements. Procure
suitable uninterruptible supply equipment (e.g., batteries,
generators) to support business continuity planning.

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 2. Regularly test the uninterruptible power supply’s
and Support Operations mechanisms. Ensure that power can be switched to the supply
without any significant effect on business operations.

591
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 3. Ensure that the facilities housing the I&T systems have
and Support Operations more than one source for dependent utilities (e.g., power,
telecommunications, water, gas). Separate the physical
entrance of each utility.

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 4. Confirm that cabling external to the IT site is located
and Support Operations underground or has suitable alternative protection.
Determine that cabling within the IT site is contained within
secured conduits, and access to wiring cabinets is restricted to
authorized personnel. Properly protect cabling against
damage caused by fire, smoke, water, interception and
interference.
Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 5. Ensure that cabling and physical patching (data and phone)
and Support Operations are structured and organized. Cabling and conduit structures
should be documented (e.g., blueprint building plan and
wiring diagrams).

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 6. On regular basis, educate personnel on health and safety
and Support Operations laws, regulations, and relevant guidelines. Educate personnel
on fire and rescue drills to ensure knowledge and actions
taken in case of fire or similar incidents.

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 7. Ensure that IT sites and equipment are maintained
and Support Operations according to the supplier’s recommended service intervals
and specifications. Ensure that maintenance is carried out
only by authorized personnel.

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 8. Analyze the facilities housing’s high-availability systems for
and Support Operations redundancy and fail-over cabling requirements (external and
internal).

592
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 9. Ensure that IT sites and facilities are in ongoing compliance
and Support Operations with relevant health and safety laws, regulations, guidelines,
and vendor specifications.

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 10. Record, monitor, manage and resolve facilities incidents
and Support Operations in line with the I&T incident management process. Make
available reports on facilities incidents for which disclosure is
required by laws and regulations.

Management Deliver, Service DSS01 Managed DSS01.05 Manage facilities. 11. Analyze physical alterations to IT sites or premises to
and Support Operations reassess the environmental risk (e.g., fire or water damage).
Report results of this analysis to business continuity and
facilities management.

Management Deliver, Service DSS02 Managed Service DSS02.01 Define classification 1. Define incident and service request classification and
and Support Requests and schemes for incidents prioritization schemes, and criteria for problem registration.
Incidents and service requests. Use this information to ensure consistent approaches for
handling and informing users about problems and conducting
trend analysis.

Management Deliver, Service DSS02 Managed Service DSS02.01 Define classification 2. Define incident models for known errors to enable efficient
and Support Requests and schemes for incidents and effective resolution.
Incidents and service requests.

Management Deliver, Service DSS02 Managed Service DSS02.01 Define classification 3. Define service request models according to service request
and Support Requests and schemes for incidents type to enable self-help and efficient service for standard
Incidents and service requests. requests.

593
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS02 Managed Service DSS02.01 Define classification 4. Define incident escalation rules and procedures, especially
and Support Requests and schemes for incidents for major incidents and security incidents.
Incidents and service requests.

Management Deliver, Service DSS02 Managed Service DSS02.01 Define classification 5. Define knowledge sources on incidents and requests and
and Support Requests and schemes for incidents describe how to use them.
Incidents and service requests.

Management Deliver, Service DSS02 Managed Service DSS02.02 Record, classify and 1. Log all service requests and incidents, recording all relevant
and Support Requests and prioritize requests and information, so they can be handled effectively and a full
Incidents incidents. historical record can be maintained.

Management Deliver, Service DSS02 Managed Service DSS02.02 Record, classify and 2. To enable trend analysis, classify service requests and
and Support Requests and prioritize requests and incidents by identifying type and category.
Incidents incidents.

Management Deliver, Service DSS02 Managed Service DSS02.02 Record, classify and 3. Prioritize service requests and incidents based on the SLA
and Support Requests and prioritize requests and service definition of business impact and urgency.
Incidents incidents.

Management Deliver, Service DSS02 Managed Service DSS02.03 Verify, approve and 1. Verify entitlement for service requests using, where
and Support Requests and fulfill service requests. possible, a predefined process flow and standard changes.
Incidents

594
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.03 | Verify, approve and fulfill service requests. | 2. Obtain financial and functional approval or sign-off, if required, or predefined approvals for agreed standard changes.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.03 | Verify, approve and fulfill service requests. | 3. Fulfill the requests by performing the selected request procedure. Where possible, use self-help automated menus and predefined request models for frequently requested items.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.04 | Investigate, diagnose and allocate incidents. | 1. Identify and describe relevant symptoms to establish the most probable causes of the incidents. Reference available knowledge resources (including known errors and problems) to identify possible incident resolutions (temporary workarounds and/or permanent solutions).
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.04 | Investigate, diagnose and allocate incidents. | 2. If a related problem or known error does not already exist and if the incident satisfies agreed criteria for problem registration, log a new problem.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.04 | Investigate, diagnose and allocate incidents. | 3. Assign incidents to specialist functions if deeper expertise is needed. Engage the appropriate level of management, where and if needed.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.05 | Resolve and recover from incidents. | 1. Select and apply the most appropriate incident resolutions (temporary workaround and/or permanent solution).
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.05 | Resolve and recover from incidents. | 2. Record whether workarounds were used for incident resolution.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.05 | Resolve and recover from incidents. | 3. Perform recovery actions, if required.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.05 | Resolve and recover from incidents. | 4. Document incident resolution and assess if the resolution can be used as a future knowledge source.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.06 | Close service requests and incidents. | 1. Verify with the affected users that the service request has been fulfilled satisfactorily or the incident has been resolved satisfactorily and within an agreed/acceptable period of time.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.06 | Close service requests and incidents. | 2. Close service requests and incidents.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.07 | Track status and produce reports. | 1. Monitor and track incident escalations and resolutions and request handling procedures to progress toward resolution or completion.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.07 | Track status and produce reports. | 2. Identify information stakeholders and their needs for data or reports. Identify reporting frequency and medium.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.07 | Track status and produce reports. | 3. Produce and distribute timely reports or provide controlled access to online data.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.07 | Track status and produce reports. | 4. Analyze incidents and service requests by category and type. Establish trends and identify patterns of recurring issues, SLA breaches or inefficiencies.
Management | Deliver, Service and Support | DSS02 | Managed Service Requests and Incidents | DSS02.07 | Track status and produce reports. | 5. Use the information as input to continual improvement planning.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.01 | Identify and classify problems. | 1. Identify problems through the correlation of incident reports, error logs and other problem identification resources.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.01 | Identify and classify problems. | 2. Handle all problems formally with access to all relevant data. Include information from the IT change management system and IT configuration/asset and incident details.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.01 | Identify and classify problems. | 3. Define appropriate support groups to assist with problem identification, root cause analysis and solution determination to support problem management. Determine support groups based on predefined categories, such as hardware, network, software, applications and support software.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.01 | Identify and classify problems. | 4. Define priority levels through consultation with the business to ensure that problem identification and root cause analysis are handled in a timely manner according to the agreed SLAs. Base priority levels on business impact and urgency.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.01 | Identify and classify problems. | 5. Report the status of identified problems to the service desk so customers and IT management can be kept informed.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.01 | Identify and classify problems. | 6. Maintain a single problem management catalog to register and report problems identified. Use the catalog to establish audit trails of the problem management processes, including the status of each problem (i.e., open, reopen, in progress or closed).
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.02 | Investigate and diagnose problems. | 1. Identify problems that may be known errors by comparing incident data with the database of known and suspected errors (e.g., those communicated by external vendors). Classify problems as known errors.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.02 | Investigate and diagnose problems. | 2. Associate the affected configuration items to the established/known error.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.02 | Investigate and diagnose problems. | 3. Produce reports to communicate the progress in resolving problems and to monitor the continuing impact of problems not solved. Monitor the status of the problem-handling process throughout its life cycle, including input from IT change and configuration management.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.03 | Raise known errors. | 1. As soon as the root causes of problems are identified, create known-error records and develop a suitable workaround.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.03 | Raise known errors. | 2. Identify, evaluate, prioritize and process (via IT change management) solutions to known errors, based on a cost/benefit business case and business impact and urgency.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.04 | Resolve and close problems. | 1. Close problem records either after confirmation of successful elimination of the known error or after agreement with the business on how to alternatively handle the problem.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.04 | Resolve and close problems. | 2. Inform the service desk of the schedule for problem closure (e.g., the schedule for fixing the known errors, the possible workaround or the fact that the problem will remain until the change is implemented) and the consequences of the approach taken. Keep affected users and customers informed as appropriate.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.04 | Resolve and close problems. | 3. Throughout the resolution process, obtain regular reports from IT change management on progress in resolving problems and errors.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.04 | Resolve and close problems. | 4. Monitor the continuing impact of problems and known errors on services.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.04 | Resolve and close problems. | 5. Review and confirm the success of resolutions of major problems.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.04 | Resolve and close problems. | 6. Make sure the knowledge learned from the review is incorporated into a service review meeting with the business customer.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.05 | Perform proactive problem management. | 1. Capture problem information related to I&T changes and incidents and communicate it to key stakeholders. Communicate via reports and periodic meetings among incident, problem, change and configuration management process owners to consider recent problems and potential corrective actions.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.05 | Perform proactive problem management. | 2. Ensure that process owners and managers from incident, problem, change and configuration management meet regularly to discuss known problems and future planned changes.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.05 | Perform proactive problem management. | 3. Identify and initiate sustainable solutions (permanent fixes) addressing the root cause. Raise change requests via the established change management processes.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.05 | Perform proactive problem management. | 4. To enable the enterprise to monitor the total costs of problems, capture change efforts resulting from problem management process activities (e.g., fixes to problems and known errors) and report on them.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.05 | Perform proactive problem management. | 5. Produce reports to monitor problem resolution against the business requirements and SLAs. Ensure the proper escalation of problems, such as escalating to a higher management level according to agreed criteria, contacting external vendors, or referring to the change advisory board to increase the priority of an urgent request for change (RFC) to implement a temporary workaround.
Management | Deliver, Service and Support | DSS03 | Managed Problems | DSS03.05 | Perform proactive problem management. | 6. To optimize the use of resources and reduce workarounds, track problem trends.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.01 | Define the business continuity policy, objectives and scope. | 1. Identify internal and outsourced business processes and service activities that are critical to the enterprise operations or necessary to meet legal and/or contractual obligations.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.01 | Define the business continuity policy, objectives and scope. | 2. Identify key stakeholders and roles and responsibilities for defining and agreeing on continuity policy and scope.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.01 | Define the business continuity policy, objectives and scope. | 3. Define and document the agreed minimum policy objectives and scope for business resilience.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.01 | Define the business continuity policy, objectives and scope. | 4. Identify essential supporting business processes and related I&T services.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 1. Identify potential scenarios likely to give rise to events that could cause significant disruptive incidents.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 2. Conduct a business impact analysis to evaluate the impact over time of a disruption to critical business functions and the effect that a disruption would have on them.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 3. Establish the minimum time required to recover a business process and supporting I&T, based on an acceptable length of business interruption and maximum tolerable outage.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 4. Determine the conditions and owners of key decisions that will cause the continuity plans to be invoked.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 5. Assess the likelihood of threats that could cause loss of business continuity. Identify measures that will reduce the likelihood and impact through improved prevention and increased resilience.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 6. Analyze continuity requirements to identify possible strategic business and technical options.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 7. Identify resource requirements and costs for each strategic technical option and make strategic recommendations.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.02 | Maintain business resilience. | 8. Obtain executive business approval for selected strategic options.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 1. Define the incident response actions and communications to be taken in the event of disruption. Define related roles and responsibilities, including accountability for policy and implementation.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 2. Ensure that key suppliers and outsource partners have effective continuity plans in place. Obtain audited evidence as required.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 3. Define the conditions and recovery procedures that would enable resumption of business processing. Include updating and reconciliation of information databases to preserve information integrity.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 4. Develop and maintain operational BCPs and DRPs that contain the procedures to be followed to enable continued operation of critical business processes and/or temporary processing arrangements. Include links to plans of outsourced service providers.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 5. Define and document the resources required to support the continuity and recovery procedures, considering people, facilities and IT infrastructure.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 6. Define and document the information backup requirements required to support the plans. Include plans and paper documents as well as data files. Consider the need for security and off-site storage.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 7. Determine required skills for individuals involved in executing the plan and procedures.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.03 | Develop and implement a business continuity response. | 8. Distribute the plans and supporting documentation securely to appropriately authorized interested parties. Make sure the plans and documentation are accessible under all disaster scenarios.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 1. Define objectives for exercising and testing the business, technical, logistical, administrative, procedural and operational systems of the plan to verify completeness of the BCP and DRP in meeting business risk.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 2. Define and agree on stakeholder exercises that are realistic and validate continuity procedures. Include roles and responsibilities and data retention arrangements that cause minimum disruption to business processes.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 3. Assign roles and responsibilities for performing continuity plan exercises and tests.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 4. Schedule exercises and test activities as defined in the continuity plans.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 5. Conduct a post-exercise debriefing and analysis to consider the achievement.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.04 | Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP). | 6. Based on the results of the review, develop recommendations for improving the current continuity plans.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.05 | Review, maintain and improve the continuity plans. | 1. On a regular basis, review the continuity plans and capability against any assumptions made and current business operational and strategic objectives.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.05 | Review, maintain and improve the continuity plans. | 2. On a regular basis, review the continuity plans to consider the impact of new or major changes to enterprise organization, business processes, outsourcing arrangements, technologies, infrastructure, operating systems and application systems.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.05 | Review, maintain and improve the continuity plans. | 3. Consider whether a revised business impact assessment may be required, depending on the nature of the change.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.05 | Review, maintain and improve the continuity plans. | 4. Recommend changes in policy, plans, procedures, infrastructure, and roles and responsibilities. Communicate them as appropriate for management approval and processing via the IT change management process.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.06 | Conduct continuity plan training. | 1. Roll out BCP and DRP awareness and training.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.06 | Conduct continuity plan training. | 2. Define and maintain training requirements and plans for those performing continuity planning, impact assessments, risk assessments, media communication and incident response. Ensure that the training plans consider frequency of training and training delivery mechanisms.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.06 | Conduct continuity plan training. | 3. Develop competencies based on practical training, including participation in exercises and tests.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.06 | Conduct continuity plan training. | 4. Based on the exercise and test results, monitor skills and competencies.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.07 | Manage backup arrangements. | 1. Back up systems, applications, data and documentation according to a defined schedule. Consider frequency (monthly, weekly, daily, etc.), mode of backup (e.g., disk mirroring for real-time backups vs. DVD-ROM for long-term retention), type of backup (e.g., full vs. incremental), and type of media. Consider also automated online backups, data types (e.g., voice, optical), creation of logs, critical end-user
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.07 | Manage backup arrangements. | 2. Define requirements for on-site and off-site storage of backup data that meet the business requirements. Consider the accessibility required to back up data.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.07 | Manage backup arrangements. | 3. Periodically test and refresh archived and backup data.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.07 | Manage backup arrangements. | 4. Ensure that systems, applications, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. Consider requiring return of backups from third parties. Consider escrow or deposit arrangements.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.08 | Conduct post-resumption review. | 1. Assess adherence to the documented BCP and DRP.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.08 | Conduct post-resumption review. | 2. Determine the effectiveness of the plans, continuity capabilities, roles and responsibilities, skills and competencies, resilience to the incident, technical infrastructure, and organizational structures and relationships.
Management | Deliver, Service and Support | DSS04 | Managed Continuity | DSS04.08 | Conduct post-resumption review. | 3. Identify weaknesses or omissions in the plans and capabilities and make recommendations for improvement. Obtain management approval for any changes to the plans and apply via the enterprise change control process.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.01 | Protect against malware. | 1. Install and activate malicious software protection tools on all processing facilities, with malicious software definition files that are updated as required (automatically or semi-automatically).
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.01 | Protect against malware. | 2. Filter incoming traffic, such as email and downloads, to protect against unsolicited information (e.g., spyware, phishing emails).
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.01 | Protect against malware. | 3. Communicate malicious software awareness and enforce prevention procedures and responsibilities. Conduct periodic training about malware in email and Internet usage. Train users to not open, but report, suspicious emails and to not install shared or unapproved software.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.01 | Protect against malware. | 4. Distribute all protection software centrally (version and patch-level) using centralized configuration and IT change management.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.01 | Protect against malware. | 5. Regularly review and evaluate information on new potential threats (e.g., reviewing vendors’ products and services security advisories).
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 1. Allow only authorized devices to have access to corporate information and the enterprise network. Configure these devices to force password entry.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 2. Implement network filtering mechanisms, such as firewalls and intrusion detection software. Enforce appropriate policies to control inbound and outbound traffic.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 3. Apply approved security protocols to network connectivity.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 4. Configure network equipment in a secure manner.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 5. Encrypt information in transit according to its classification.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 6. Based on risk assessments and business requirements, establish and maintain a policy for security of connectivity.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 7. Establish trusted mechanisms to support the secure transmission and receipt of information.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 8. Carry out periodic penetration testing to determine adequacy of network protection.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.02 | Manage network and connectivity security. | 9. Carry out periodic testing of system security to determine adequacy of system protection.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 1. Configure operating systems in a secure manner.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 2. Implement device lockdown mechanisms.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 3. Manage remote access and control (e.g., mobile devices, teleworking).
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 4. Manage network configuration in a secure manner.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 5. Implement network traffic filtering on endpoint devices.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 6. Protect system integrity.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 7. Provide physical protection of endpoint devices.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 8. Dispose of endpoint devices securely.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 9. Manage malicious access through email and web browsers. For example, block certain websites and deactivate click-through on links for smartphones.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.03 | Manage endpoint security. | 10. Encrypt information in storage according to its classification.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 1. Maintain user access rights in accordance with business function, process requirements and security policies. Align the management of identities and access rights to the defined roles and responsibilities, based on least-privilege, need-to-have and need-to-know principles.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 2. Administer all changes to access rights (creation, modifications and deletions) in a timely manner based only on approved and documented transactions authorized by designated management individuals.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 3. Segregate, reduce to the minimum number necessary and actively manage privileged user accounts. Ensure monitoring on all activity on these accounts.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 4. Uniquely identify all information processing activities by functional roles. Coordinate with business units to ensure that all roles are consistently defined, including roles that are defined by the business itself within business process applications.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 5. Authenticate all access to information assets based on the individual's role or business rules. Coordinate with business units that manage authentication within applications used in business processes to ensure that authentication controls have been properly administered.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 6. Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT infrastructure, system operations, development and maintenance) are uniquely identifiable.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 7. Maintain an audit trail of access to information dependent upon its sensitivity and regulatory requirements.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.04 | Manage user identity and logical access. | 8. Perform regular management review of all accounts and related privileges.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.05 | Manage physical access to I&T assets. | 1. Log and monitor all entry points to IT sites. Register all visitors, including contractors and vendors, to the site.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.05 | Manage physical access to I&T assets. | 2. Ensure all personnel display properly approved identification at all times.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.05 | Manage physical access to I&T assets. | 3. Require visitors to be escorted at all times while on-site.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.05 | Manage physical access to I&T assets. | 4. Restrict and monitor access to sensitive IT sites by establishing perimeter restrictions, such as fences, walls, and security devices on interior and exterior doors.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.05 | Manage physical access to I&T assets. | 5. Manage requests to allow appropriately authorized access to the computing facilities.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.05 | Manage physical access to I&T assets. | 6. Ensure that access profiles remain current. Base access to IT sites (server rooms, buildings, areas or zones) on job function and responsibilities.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.05 | Manage physical access to I&T assets. | 7. Conduct regular physical information security awareness training.
Management | Deliver, Service and Support | DSS05 | Managed Security Services | DSS05.06 | Manage sensitive documents and output devices. | 1. Establish procedures to govern the receipt, use, removal and disposal of sensitive documents and output devices into, within, and outside of the enterprise.
614
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS05 Managed DSS05.06 Manage sensitive 2. Ensure cryptographic controls are in place to protect
and Support Security Services documents and sensitive electronically stored information.
output devices.

Management Deliver, Service DSS05 Managed DSS05.06 Manage sensitive 3. Assign access privileges to sensitive documents and output
and Support Security Services documents and devices based on the least-privilege principle, balancing risk
output devices. and business requirements.

Management Deliver, Service DSS05 Managed DSS05.06 Manage sensitive 4. Establish an inventory of sensitive documents and output
and Support Security Services documents and devices, and conduct regular reconciliations.
output devices.

Management Deliver, Service DSS05 Managed DSS05.06 Manage sensitive 5. Establish appropriate physical safeguards over sensitive
and Support Security Services documents and documents.
output devices.

Management Deliver, Service DSS05 Managed DSS05.06 Manage sensitive 6. Put cryptographic controls in place to ensure the
and Support Security Services documents and protection of sensitive information (confidentiality,
output devices. authenticity, integrity).

Management Deliver, Service DSS05 Managed DSS05.07 Manage 1. Continually use a portfolio of supported technologies,
and Support Security Services vulnerabilities and services and assets (e.g., vulnerability scanners, fuzzers and
monitor the sniffers, protocol analyzers) to identify information security
infrastructure for vulnerabilities.
security-related
events.

615
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS05 Managed DSS05.07 Manage 2. Define and communicate risk scenarios so they can be
and Support Security Services vulnerabilities and easily recognized and the likelihood and impacts understood.
monitor the
infrastructure for
security-related
events.
Management Deliver, Service DSS05 Managed DSS05.07 Manage 3. Regularly review the event logs for potential incidents.
and Support Security Services vulnerabilities and
monitor the
infrastructure for
security-related
events.
Management Deliver, Service DSS05 Managed DSS05.07 Manage 4. Ensure that security-related incident tickets are created in
and Support Security Services vulnerabilities and a timely manner when monitoring identifies potential
monitor the incidents.
infrastructure for
security-related
events.
Management Deliver, Service DSS05 Managed DSS05.07 Manage 5. Log security-related events and retain records for
and Support Security Services vulnerabilities and appropriate period.
monitor the
infrastructure for
security-related
events.
Management Deliver, Service DSS06 Managed DSS06.01 Align control activities 1. Identify and document the necessary control activities for
and Support Business Process embedded in business key business processes to satisfy control requirements for
Controls processes with strategic, operational, reporting and compliance objectives.
enterprise objectives.

Management Deliver, Service DSS06 Managed DSS06.01 Align control activities 2. Prioritize control activities based on the inherent risk to the
and Support Business Process embedded in business business. Identify key controls.
Controls processes with
enterprise objectives.

616
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.01 Align control activities 3. Ensure ownership of key control activities.
and Support Business Process embedded in business
Controls processes with
enterprise objectives.

Management Deliver, Service DSS06 Managed DSS06.01 Align control activities 4. Implement automated controls.
and Support Business Process embedded in business
Controls processes with
enterprise objectives.

Management Deliver, Service DSS06 Managed DSS06.01 Align control activities 5. Continually monitor control activities on an end-to-end
and Support Business Process embedded in business basis to identify opportunities for improvement.
Controls processes with
enterprise objectives.

Management Deliver, Service DSS06 Managed DSS06.01 Align control activities 6. Continually improve the design and operation of business
and Support Business Process embedded in business process controls.
Controls processes with
enterprise objectives.

Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 1. Authenticate the originator of transactions and verify that
and Support Business Process of information. the individual has the authority to originate the transaction.
Controls

Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 2. Ensure adequate segregation of duties regarding the
and Support Business Process of information. origination and approval of transactions.
Controls

617
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 3. Verify that transactions are accurate, complete and valid.
and Support Business Process of information. Controls may include sequence, limit, range, validity,
Controls reasonableness, table look-ups, existence, key verification,
check digit, completeness, duplicate and logical relationship
checks, and time edits. Validation criteria and parameters
should be subject to periodic reviews and confirmations.
Validate input data and edit or, where applicable, send back
Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 4. Without compromising original transaction authorization
and Support Business Process of information. levels, correct and resubmit data that were erroneously input.
Controls Where appropriate for reconstruction, retain original source
documents for the appropriate amount of time.

Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 5. Maintain the integrity and validity of data throughout the
and Support Business Process of information. processing cycle. Ensure that detection of erroneous
Controls transactions does not disrupt processing of valid transactions.

Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 6. Handle output in an authorized manner, deliver it to the
and Support Business Process of information. appropriate recipient and protect the information during
Controls transmission. Verify the accuracy and completeness of the
output.

Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 7. Maintain the integrity of data during unexpected
and Support Business Process of information. interruptions in business processing. Confirm data integrity
Controls after processing failures.

Management Deliver, Service DSS06 Managed DSS06.02 Control the processing 8. Before passing transaction data between internal
and Support Business Process of information. applications and business/operational functions (inside or
Controls outside the enterprise), check for proper addressing,
authenticity of origin and integrity of content. Maintain
authenticity and integrity during transmission or transport.
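The DSS06.02 activities above read as a checklist; the following is an added example, written for this page and not COBIT's or any product's code, of how activities 1 to 5 translate into transaction input controls: originator authority and limit, segregation of duties between originator and approver, the sequence, range, check-digit, existence, duplicate, logical-relationship and time-edit checks of activity 3, quarantine of bad records without stopping good ones, and correct-and-resubmit that cannot alter the original authorization. Every name, limit, account number and record in it is constructed.

```python
"""Transaction input controls in the spirit of DSS06.02 activities 1-5.
Added example, not COBIT's own code; every name, limit and record is constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed reference data: who may originate and up to what amount (activity 1),
# who may approve (activity 2), and the account master file for look-up checks.
ORIGINATOR_LIMITS = {"alice": 5_000, "bob": 50_000}
APPROVERS = {"carol", "bob"}
VALID_ACCOUNTS = {"4539578763621486", "79927398713", "1234567812345670"}
MAX_AMOUNT = 1_000_000       # system-wide range check
MAX_AGE = timedelta(days=2)  # time edit: no stale or future-dated input


@dataclass(frozen=True)
class Txn:
    txn_id: str
    seq: int
    originator: str
    approver: str
    debit_acct: str
    credit_acct: str
    amount: int
    timestamp: datetime


def luhn_ok(number: str) -> bool:
    """Check-digit control (Luhn mod 10) on an account number."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(txn: Txn, expected_seq: int, seen_ids: set, now: datetime) -> list:
    """Return the controls the record failed; an empty list means it passed."""
    errors = []
    limit = ORIGINATOR_LIMITS.get(txn.originator)  # activity 1: authority to originate
    if limit is None:
        errors.append("unknown originator")
    elif txn.amount > limit:
        errors.append("limit exceeded for originator")
    if txn.approver not in APPROVERS:  # activity 2: segregation of duties
        errors.append("approver not authorized")
    if txn.approver == txn.originator:
        errors.append("originator approved own transaction")
    if txn.seq != expected_seq:  # activity 3: sequence, range, check digit, ...
        errors.append("sequence gap")
    if not 0 < txn.amount <= MAX_AMOUNT:
        errors.append("amount out of range")
    for acct in (txn.debit_acct, txn.credit_acct):
        if not luhn_ok(acct):
            errors.append("check digit failed: " + acct)
        elif acct not in VALID_ACCOUNTS:  # existence / table look-up
            errors.append("account not on file: " + acct)
    if txn.debit_acct == txn.credit_acct:  # logical relationship
        errors.append("debit and credit accounts identical")
    if txn.txn_id in seen_ids:
        errors.append("duplicate transaction id")
    if not now - MAX_AGE <= txn.timestamp <= now:  # time edit
        errors.append("timestamp outside accepted window")
    return errors


def process_batch(batch, now):
    """Accept valid records and quarantine the rest with their reasons.
    A rejected record never stops the valid ones (activity 5); the reasons are
    kept so it can be corrected and resubmitted (activity 4)."""
    accepted, quarantined, seen = [], {}, set()
    for pos, txn in enumerate(batch, start=1):  # batch order defines the sequence
        errs = validate(txn, pos, seen, now)
        seen.add(txn.txn_id)
        if errs:
            quarantined[pos] = errs
        else:
            accepted.append(txn)
    return accepted, quarantined


def correct_and_resubmit(original, pos, seen, now, **fixes):
    """Activity 4: apply corrections without touching who originated or approved."""
    if set(fixes) & {"originator", "approver"}:
        raise ValueError("corrections may not change authorization fields")
    fixed = replace(original, **fixes)
    return fixed, validate(fixed, pos, seen - {original.txn_id}, now)


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock
H = timedelta(hours=1)
SAMPLE_BATCH = [  # constructed input: two clean records among faulty ones
    Txn("t1", 1, "alice", "carol", "4539578763621486", "79927398713", 1_200, NOW - H),
    Txn("t2", 2, "alice", "alice", "4539578763621486", "79927398713", 900, NOW - H),  # SoD
    Txn("t3", 3, "alice", "carol", "4539578763621486", "79927398713", 9_000, NOW - H),  # limit
    Txn("t1", 4, "bob", "carol", "4539578763621486", "79927398713", 100, NOW - H),  # duplicate
    Txn("t5", 5, "bob", "carol", "79927398710", "4111111111111111", 100, NOW - H),  # bad accounts
    Txn("t6", 7, "bob", "carol", "4539578763621486", "79927398713", 100, NOW - 120 * H),  # seq, time
    Txn("t7", 7, "bob", "carol", "79927398713", "79927398713", 100, NOW - H),  # same accounts
    Txn("t8", 8, "bob", "carol", "1234567812345670", "4539578763621486", 25_000, NOW),
]
```

Running `process_batch(SAMPLE_BATCH, NOW)` accepts t1 and t8 and quarantines the other six with the control each one failed, and `correct_and_resubmit` re-validates a fixed record while refusing any change to its originator or approver.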

618
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 1. Allocate roles and responsibilities based on approved job
and Support Business Process responsibilities, access descriptions and business process activities.
Controls privileges and levels
of authority.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 2. Allocate levels of authority for approval of transactions,
and Support Business Process responsibilities, access transaction limits and any other decisions relating to the
Controls privileges and levels business process, based on approved job roles.
of authority.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 3. Allocate roles for sensitive activities so there is a clear
and Support Business Process responsibilities, access segregation of duties.
Controls privileges and levels
of authority.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 4. Allocate access rights and privileges based on the minimum
and Support Business Process responsibilities, access that is required to perform job activities, based on pre-defined
Controls privileges and levels job roles. Remove or revise access rights immediately if the
of authority. job role changes or a staff member leaves the business
process area. Periodically review to ensure that the access is
appropriate for the current threats, risk, technology and
business need.
Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 5. On a regular basis, provide awareness and training
and Support Business Process responsibilities, access regarding roles and responsibilities so that everyone
Controls privileges and levels understands their responsibilities; the importance of controls;
of authority. and the security, integrity, confidentiality and privacy of
company information in all its forms.

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 6. Ensure administrative privileges are sufficiently and
and Support Business Process responsibilities, access effectively secured, tracked and controlled to prevent misuse.
Controls privileges and levels
of authority.

619
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.03 Manage roles, 7. Periodically review access control definitions, logs and
and Support Business Process responsibilities, access exception reports. Ensure that all access privileges are valid
Controls privileges and levels and aligned with current staff members and their allocated
of authority. roles.

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 1. Review errors, exceptions and deviations.
and Support Business Process exceptions.
Controls

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 2. Follow up, correct, approve and resubmit source
and Support Business Process exceptions. documents and transactions.
Controls

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 3. Maintain evidence of remedial actions.
and Support Business Process exceptions.
Controls

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 4. Define and maintain procedures to assign ownership for
and Support Business Process exceptions. errors and exceptions, correct errors, override errors and
Controls handle out-of-balance conditions.

Management Deliver, Service DSS06 Managed DSS06.04 Manage errors and 5. Report relevant business information process errors in a
and Support Business Process exceptions. timely manner to perform root cause and trending analysis.
Controls

620
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.05 Ensure traceability 1. Capture source information, supporting evidence and the
and Support Business Process and accountability for record of transactions.
Controls information events.

Management Deliver, Service DSS06 Managed DSS06.05 Ensure traceability 2. Define retention requirements, based on business
and Support Business Process and accountability for requirements, to meet operational, financial reporting and
Controls information events. compliance needs.

Management Deliver, Service DSS06 Managed DSS06.05 Ensure traceability 3. Dispose of source information, supporting evidence and
and Support Business Process and accountability for the record of transactions in accordance with the retention
Controls information events. policy.

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 1. Restrict use, distribution and physical access of information
and Support Business Process assets. according to its classification.
Controls

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 2. Provide acceptable use awareness and training.
and Support Business Process assets.
Controls

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 3. Apply data classification and acceptable use and security
and Support Business Process assets. policies and procedures to protect information assets under
Controls the control of the business.

621
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 4. Identify and implement processes, tools and techniques to
and Support Business Process assets. reasonably verify compliance.
Controls

Management Deliver, Service DSS06 Managed DSS06.06 Secure information 5. Report to business and other stakeholders on violations
and Support Business Process assets. and deviations.
Controls

Management Monitor, MEA01 Managed MEA01.01 Establish a monitoring 1. Identify stakeholders (e.g., management, process owners
Evaluate and Performance and approach. and users).
Assess Conformance
Monitoring

Management Monitor, MEA01 Managed MEA01.01 Establish a monitoring 2. Engage with stakeholders and communicate the enterprise
Evaluate and Performance and approach. requirements and objectives for monitoring, aggregating and
Assess Conformance reporting, using common definitions (e.g., business glossary,
Monitoring metadata and taxonomy), baselining and benchmarking.

Management Monitor, MEA01 Managed MEA01.01 Establish a monitoring 3. Align and continually maintain the monitoring and
Evaluate and Performance and approach. evaluation approach with the enterprise approach and the
Assess Conformance tools to be used for data gathering and enterprise reporting
Monitoring (e.g., business intelligence applications).

Management Monitor, MEA01 Managed MEA01.01 Establish a monitoring 4. Agree on the types of goals and metrics (e.g., conformance,
Evaluate and Performance and approach. performance, value, risk), taxonomy (classification and
Assess Conformance relationships between goals and metrics) and data (evidence)
Monitoring retention.

622
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA01 Managed MEA01.01 Establish a monitoring 5. Request, prioritize and allocate resources for monitoring,
Evaluate and Performance and approach. consider appropriateness, efficiency, effectiveness and
Assess Conformance confidentiality.
Monitoring

Management Monitor, MEA01 Managed MEA01.01 Establish a monitoring 6. Periodically validate the approach used and identify new or
Evaluate and Performance and approach. changed stakeholders, requirements and resources.
Assess Conformance
Monitoring

Management Monitor, MEA01 Managed MEA01.01 Establish a monitoring 7. Agree on a life cycle management and change control
Evaluate and Performance and approach. process for monitoring and reporting. Include improvement
Assess Conformance opportunities for reporting, metrics, approach, baselining and
Monitoring benchmarking.

Management Monitor, MEA01 Managed MEA01.02 Set performance and 1. Define the goals and metrics. Periodically review them with
Evaluate and Performance and conformance targets. stakeholders to identify any significant missing items and
Assess Conformance define reasonableness of targets and tolerances.
Monitoring

Management Monitor, MEA01 Managed MEA01.02 Set performance and 2. Evaluate whether the goals and metrics are adequate, that
Evaluate and Performance and conformance targets. is, specific, measurable, achievable, relevant and time-bound
Assess Conformance (SMART).
Monitoring

Management Monitor, MEA01 Managed MEA01.02 Set performance and 3. Communicate proposed changes to performance and
Evaluate and Performance and conformance targets. conformance targets and tolerances (relating to metrics) with
Assess Conformance key due diligence stakeholders (e.g., legal, audit, HR, ethics,
Monitoring compliance, finance).

623
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA01 Managed MEA01.02 Set performance and 4. Publish changed targets and tolerances to users of this
Evaluate and Performance and conformance targets. information.
Assess Conformance
Monitoring

Management Monitor, MEA01 Managed MEA01.03 Collect and process 1. Collect data from defined processes (automated, where
Evaluate and Performance and performance and possible).
Assess Conformance conformance data.
Monitoring

Management Monitor, MEA01 Managed MEA01.03 Collect and process 2. Assess efficiency (effort in relation to insight provided) and
Evaluate and Performance and performance and appropriateness (usefulness and meaning) of collected data
Assess Conformance conformance data. and validate the data's integrity (accuracy and completeness).
Monitoring

Management Monitor, MEA01 Managed MEA01.03 Collect and process 3. Aggregate data to support measurement of agreed
Evaluate and Performance and performance and metrics.
Assess Conformance conformance data.
Monitoring

Management Monitor, MEA01 Managed MEA01.03 Collect and process 4. Align aggregated data to the enterprise reporting approach
Evaluate and Performance and performance and and objectives.
Assess Conformance conformance data.
Monitoring

Management Monitor, MEA01 Managed MEA01.03 Collect and process 5. Use suitable tools and systems for the processing and
Evaluate and Performance and performance and analysis of data.
Assess Conformance conformance data.
Monitoring

624
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA01 Managed MEA01.04 Analyze and report 1. Design process performance reports that are concise, easy
Evaluate and Performance and performance. to understand, and tailored to various management needs
Assess Conformance and audiences. Facilitate effective, timely decision making
Monitoring (e.g., scorecards, traffic light reports). Ensure that the cause
and effect between goals and metrics are communicated in an
understandable manner.
Management Monitor, MEA01 Managed MEA01.04 Analyze and report 2. Distribute reports to the relevant stakeholders.
Evaluate and Performance and performance.
Assess Conformance
Monitoring

Management Monitor, MEA01 Managed MEA01.04 Analyze and report 3. Analyze the cause of deviations against targets, initiate
Evaluate and Performance and performance. remedial actions, assign responsibilities for remediation, and
Assess Conformance follow up. At appropriate times, review all deviations and
Monitoring search for root causes, where necessary. Document the issues
for further guidance if the problem recurs. Document results.

Management Monitor, MEA01 Managed MEA01.04 Analyze and report 4. Where feasible, integrate performance and compliance
Evaluate and Performance and performance. into individual staff members’ performance objectives and link
Assess Conformance achievement of performance targets to the organizational
Monitoring reward compensation system.

Management Monitor, MEA01 Managed MEA01.04 Analyze and report 5. Compare the performance values to internal targets and
Evaluate and Performance and performance. benchmarks and, where possible, to external benchmarks
Assess Conformance (industry and key competitors).
Monitoring

Management Monitor, MEA01 Managed MEA01.04 Analyze and report 6. Analyze trends in performance and compliance and take
Evaluate and Performance and performance. appropriate action.
Assess Conformance
Monitoring

625
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA01 Managed MEA01.04 Analyze and report 7. Recommend changes to the goals and metrics, where
Evaluate and Performance and performance. appropriate.
Assess Conformance
Monitoring

Management Monitor, MEA01 Managed MEA01.05 Ensure the 1. Review management responses, options and
Evaluate and Performance and implementation of recommendations to address issues and major deviations.
Assess Conformance corrective actions.
Monitoring

Management Monitor, MEA01 Managed MEA01.05 Ensure the 2. Ensure that the assignment of responsibility for corrective
Evaluate and Performance and implementation of action is maintained.
Assess Conformance corrective actions.
Monitoring

Management Monitor, MEA01 Managed MEA01.05 Ensure the 3. Track the results of actions committed.
Evaluate and Performance and implementation of
Assess Conformance corrective actions.
Monitoring

Management Monitor, MEA01 Managed MEA01.05 Ensure the 4. Report the results to the stakeholders.
Evaluate and Performance and implementation of
Assess Conformance corrective actions.
Monitoring

Management Monitor, MEA02 Managed System MEA02.01 Monitor internal 1. Identify the boundaries of the internal control system. For
Evaluate and of Internal controls. example, consider how organizational internal controls take
Assess Control into account outsourced and/or offshore development or
production activities.

626
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA02 Managed System MEA02.01 Monitor internal 2. Assess the status of external service providers’ internal
Evaluate and of Internal controls. controls. Confirm that service providers comply with legal and
Assess Control regulatory requirements and contractual obligations.

Management Monitor, MEA02 Managed System MEA02.01 Monitor internal 3. Perform internal control monitoring and evaluation
Evaluate and of Internal controls. activities based on organizational governance standards and
Assess Control industry-accepted frameworks and practices. Also include
monitoring and evaluation of the efficiency and effectiveness
of managerial supervisory activities.

Management Monitor, MEA02 Managed System MEA02.01 Monitor internal 4. Ensure that control exceptions are promptly reported,
Evaluate and of Internal controls. followed up and analyzed, and appropriate corrective actions
Assess Control are prioritized and implemented according to the risk
management profile (e.g., classify certain exceptions as a key
risk and others as a non-key risk).

Management Monitor, MEA02 Managed System MEA02.01 Monitor internal 5. Consider independent evaluations of the internal control
Evaluate and of Internal controls. system (e.g., by internal audit or peers).
Assess Control

Management Monitor, MEA02 Managed System MEA02.01 Monitor internal 6. Maintain the internal control system, considering ongoing
Evaluate and of Internal controls. changes in business and I&T risk, the organizational control
Assess Control environment, and relevant business and I&T processes. If gaps
exist, evaluate and recommend changes.

Management Monitor, MEA02 Managed System MEA02.01 Monitor internal 7. Regularly evaluate the performance of the control
Evaluate and of Internal controls. framework, benchmarking against industry accepted
Assess Control standards and good practices. Consider formal adoption of a
continuous improvement approach to internal control
monitoring.

627
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA02 Managed System MEA02.02 Review effectiveness 1. Understand and prioritize risk to organizational objectives.
Evaluate and of Internal of business process
Assess Control controls.

Management Monitor, MEA02 Managed System MEA02.02 Review effectiveness 2. Identify key controls and develop a strategy suitable for
Evaluate and of Internal of business process validating controls.
Assess Control controls.

Management Monitor, MEA02 Managed System MEA02.02 Review effectiveness 3. Identify information that will indicate whether the internal
Evaluate and of Internal of business process control environment is operating effectively.
Assess Control controls.

Management Monitor, MEA02 Managed System MEA02.02 Review effectiveness 4. Maintain evidence of control effectiveness.
Evaluate and of Internal of business process
Assess Control controls.

Management Monitor, MEA02 Managed System MEA02.02 Review effectiveness 5. Develop and implement cost-effective procedures to
Evaluate and of Internal of business process obtain this information in line with applicable information
Assess Control controls. quality criteria.

Management Monitor, MEA02 Managed System MEA02.03 Perform control self- 1. Define an agreed, consistent approach for performing
Evaluate and of Internal assessments. control self-assessments and coordinating with internal and
Assess Control external auditors.

628
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA02 Managed System MEA02.03 Perform control self- 2. Maintain evaluation plans, and scope and identify
Evaluate and of Internal assessments. evaluation criteria for conducting self-assessments. Plan the
Assess Control communication of results of the self-assessment process to
business, IT and general management and the board. Consider
internal audit standards in the design of self-assessments.

Management Monitor, MEA02 Managed System MEA02.03 Perform control self- 3. Determine the frequency of periodic self-assessments,
Evaluate and of Internal assessments. considering the overall effectiveness and efficiency of ongoing
Assess Control monitoring.

Management Monitor, MEA02 Managed System MEA02.03 Perform control self- 4. Assign responsibility for self-assessment to appropriate
Evaluate and of Internal assessments. individuals to ensure objectivity and competence.
Assess Control

Management Monitor, MEA02 Managed System MEA02.03 Perform control self- 5. Provide for independent reviews to ensure objectivity of
Evaluate and of Internal assessments. the self-assessment and enable the sharing of internal control
Assess Control good practices from other enterprises.

Management Monitor, MEA02 Managed System MEA02.03 Perform control self- 6. Compare the results of the self-assessments against
Evaluate and of Internal assessments. industry standards and good practices.
Assess Control

Management Monitor, MEA02 Managed System MEA02.03 Perform control self- 7. Summarize and report outcomes of self-assessments and
Evaluate and of Internal assessments. benchmarking for remedial actions.
Assess Control

629
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA02 Managed System MEA02.04 Identify and report 1. Communicate procedures for escalation of control
Evaluate and of Internal control deficiencies. exceptions, root cause analysis, and reporting to process
Assess Control owners and I&T stakeholders.

Management Monitor, MEA02 Managed System MEA02.04 Identify and report 2. Consider related enterprise risk to establish thresholds for
Evaluate and of Internal control deficiencies. escalation of control exceptions and breakdowns.
Assess Control

Management Monitor, MEA02 Managed System MEA02.04 Identify and report 3. Identify, report and log control exceptions. Assign
Evaluate and of Internal control deficiencies. responsibility for resolving them and reporting on the status.
Assess Control

Management Monitor, MEA02 Managed System MEA02.04 Identify and report 4. Decide which control exceptions should be communicated
Evaluate and of Internal control deficiencies. to the individual responsible for the function and which
Assess Control exceptions should be escalated. Inform affected process
owners and stakeholders.

Management Monitor, MEA02 Managed System MEA02.04 Identify and report 5. Follow up on all exceptions to ensure that agreed-on
Evaluate and of Internal control deficiencies. actions have been addressed.
Assess Control

Management Monitor, MEA02 Managed System MEA02.04 Identify and report 6. Identify, initiate, track and implement remedial actions
Evaluate and of Internal control deficiencies. arising from control assessments and reporting.
Assess Control

630
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management Monitor, MEA03 Managed MEA03.01 Identify external 1. Assign responsibility for identifying and monitoring any
Evaluate and Compliance With compliance changes of legal, regulatory and other external contractual
Assess External requirements. requirements relevant to the use of IT resources and the
Requirements processing of information within the business and IT
operations of the enterprise.

Management Monitor, MEA03 Managed MEA03.01 Identify external 2. Identify and assess all potential compliance requirements
Evaluate and Compliance With compliance and the impact on I&T activities in areas such as data flow,
Assess External requirements. privacy, internal controls, financial reporting, industry-specific
Requirements regulations, intellectual property, health and safety.

Management Monitor, MEA03 Managed MEA03.01 Identify external 3. Assess the impact of I&T-related legal and regulatory
Evaluate and Compliance With compliance requirements on third-party contracts related to IT
Assess External requirements. operations, service providers and business trading partners.
Requirements

Management Monitor, MEA03 Managed MEA03.01 Identify external 4. Define the consequences of noncompliance.
Evaluate and Compliance With compliance
Assess External requirements.
Requirements

Management Monitor, MEA03 Managed MEA03.01 Identify external 5. Obtain independent counsel, where appropriate, on
Evaluate and Compliance With compliance changes to applicable laws, regulations and standards.
Assess External requirements.
Requirements

Management Monitor, MEA03 Managed MEA03.01 Identify external 6. Maintain an up-to-date log of all relevant legal, regulatory
Evaluate and Compliance With compliance and contractual requirements; their impact and required
Assess External requirements. actions.
Requirements

631
Area Domain Objective ID Objective Practice ID Practice Name Activity

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.01 | Identify external compliance requirements. | 7. Maintain a harmonized and integrated overall register of external compliance requirements for the enterprise.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.02 | Optimize response to external requirements. | 1. Regularly review and adjust policies, principles, standards, procedures and methodologies for their effectiveness in ensuring necessary compliance and addressing enterprise risk. Use internal and external experts, as required.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.02 | Optimize response to external requirements. | 2. Communicate new and changed requirements to all relevant personnel.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.03 | Confirm external compliance. | 1. Regularly evaluate organizational policies, standards, procedures and methodologies in all functions of the enterprise to ensure compliance with relevant legal and regulatory requirements in relation to the processing of information.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.03 | Confirm external compliance. | 2. Address compliance gaps in policies, standards and procedures on a timely basis.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.03 | Confirm external compliance. | 3. Periodically evaluate business and IT processes and activities to ensure adherence to applicable legal, regulatory and contractual requirements.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.03 | Confirm external compliance. | 4. Regularly review for recurring patterns of compliance failures and assess lessons learned.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.03 | Confirm external compliance. | 5. Based on review and lessons learned, improve policies, standards, procedures, methodologies, and associated processes and activities.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.04 | Obtain assurance of external compliance. | 1. Obtain regular confirmation of compliance with internal policies from business and IT process owners and unit heads.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.04 | Obtain assurance of external compliance. | 2. Perform regular (and, where appropriate, independent) internal and external reviews to assess levels of compliance.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.04 | Obtain assurance of external compliance. | 3. If required, obtain assertions from third-party I&T service providers on levels of their compliance with applicable laws and regulations.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.04 | Obtain assurance of external compliance. | 4. If required, obtain assertions from business partners on levels of their compliance with applicable laws and regulations as they relate to intercompany electronic transactions.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.04 | Obtain assurance of external compliance. | 5. Integrate reporting on legal, regulatory and contractual requirements at an enterprisewide level, involving all business units.

Management | Monitor, Evaluate and Assess | MEA03 | Managed Compliance With External Requirements | MEA03.04 | Obtain assurance of external compliance. | 6. Monitor and report on noncompliance issues and, where necessary, investigate the root cause.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.01 | Ensure that assurance providers are independent and qualified. | 1. Establish adherence to applicable codes of ethics and standards (e.g., Code of Professional Ethics of ISACA) and (industry- and geography-specific) assurance standards (e.g., IT Audit and Assurance Standards of ISACA and the International Auditing and Assurance Standards Board's [IAASB's] International Framework for Assurance Engagements [IAASB Assurance Framework]).

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.01 | Ensure that assurance providers are independent and qualified. | 2. Establish independence of assurance providers.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.01 | Ensure that assurance providers are independent and qualified. | 3. Establish competency and qualification of assurance providers.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.02 | Develop risk-based planning of assurance initiatives. | 1. Understand the enterprise strategy and priorities.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.02 | Develop risk-based planning of assurance initiatives. | 2. Understand the internal context of the enterprise. This understanding will help the assurance professional to better assess the enterprise goals and the relative importance of enterprise and alignment goals, as well as the most important threats to these goals. In turn, this will assist in defining a better and more relevant scope for the assurance engagement.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.02 | Develop risk-based planning of assurance initiatives. | 3. Understand the external context of the enterprise. This understanding will help the assurance professional to better understand the enterprise goals and the relative importance of enterprise and alignment goals, as well as the most important threats to these goals. In turn, this will assist in defining a better and more relevant scope for the assurance engagement.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.02 | Develop risk-based planning of assurance initiatives. | 4. Develop an overall yearly plan for assurance initiatives containing the consolidated assurance objectives.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.03 | Determine the objectives of the assurance initiative. | 1. Define the assurance objective of the assurance initiative by identifying the stakeholders of the assurance initiative and their interests.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.03 | Determine the objectives of the assurance initiative. | 2. Agree on the high-level objectives and the organizational boundaries of the assurance engagement.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.03 | Determine the objectives of the assurance initiative. | 3. Consider the use of the COBIT Goals Cascade and its different levels to express the assurance objective.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.03 | Determine the objectives of the assurance initiative. | 4. Ensure that the objectives of the assurance engagement consider all three value objective components: delivering benefits that support strategic objectives, optimizing the risk that strategic objectives are not achieved and optimizing resource levels required to achieve the strategic objectives.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.04 | Define the scope of the assurance initiative. | 1. Define all governance components in scope of the review, that is, the principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competences.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.04 | Define the scope of the assurance initiative. | 2. Based on the scope definition, define an engagement plan, considering information to be collected and stakeholders to be interviewed.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.04 | Define the scope of the assurance initiative. | 3. Confirm and refine the scope based on an understanding of the enterprise architecture.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.04 | Define the scope of the assurance initiative. | 4. Refine the scope of the assurance engagement, based on available resources.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.05 | Define the work program for the assurance initiative. | 1. Define detailed steps for collecting and evaluating information from management controls within scope. Focus on assessing the definition and application of good practices, related to control design, and achievement of control objectives, related to control effectiveness.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.05 | Define the work program for the assurance initiative. | 2. Understand the context of the management objectives and the supporting management controls that are put in place. Understand how these management controls contribute to the achievement of the alignment goals and enterprise goals.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.05 | Define the work program for the assurance initiative. | 3. Understand all stakeholders and their interests.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.05 | Define the work program for the assurance initiative. | 4. Agree on the expected good practices for the management controls.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.05 | Define the work program for the assurance initiative. | 5. Should a management control be weak, define practices to identify residual risk (in preparation for reporting).

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.05 | Define the work program for the assurance initiative. | 6. Understand the life cycle stage of the management controls and agree on expected values.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 1. Refine the understanding of the IT assurance subject.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 2. Refine the scope of the IT assurance subject.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 3. Observe/inspect and review the management control approach. Validate the design with the control owner for completeness, relevancy, timeliness and measurability.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 4. Ask the control owner whether the responsibilities for the governance component and overall accountability have been assigned. Confirm the response. Test whether accountability and responsibilities are understood and accepted. Verify that the right skills and the necessary resources are available.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 5. Reconsider the balance of prevention vs. detection and correction types of management control activities.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | 6. Consider the effort spent in maintaining the management controls and the associated cost/effectiveness.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | 1. Assess whether the expected outcomes for each of the management controls in scope are achieved. That is, assess the effectiveness of the management control (control effectiveness).

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | 2. Ensure that the assurance professional tests the outcome or effectiveness of the management control by looking for direct and indirect evidence of the impact on the management controls goals. This implies the direct and indirect substantiation of measurable contribution of the management goals to the alignment goals, thereby recording direct and indirect evidence of actually achieving the expected

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | 3. Determine whether the assurance professional obtains direct or indirect evidence for selected items/periods by applying a selection of testing techniques to ensure that the management control under review is working effectively. Ensure that the assurance professional also performs a limited review of the adequacy of the management control results and determines the level of substantive testing and additional

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | 4. Investigate whether a management control can be made more efficient and if its design can be more effective by optimizing steps or looking for synergies with other management controls.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.08 | Report and follow up on the assurance initiative. | 1. Document the impact of control weaknesses.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.08 | Report and follow up on the assurance initiative. | 2. Communicate with management during execution of the initiative so there is a clear understanding of the work performed and agreement on and acceptance of the preliminary findings and recommendations.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.08 | Report and follow up on the assurance initiative. | 3. Provide management with a report (aligned with the terms of reference, scope and agreed reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.08 | Report and follow up on the assurance initiative. | 4. Supervise the assurance activities and make sure the work done is complete, meets objectives and is of an acceptable quality. Revise the approach or detailed steps if quality gaps occur.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.09 | Follow up on recommendations and actions. | 1. Agree on and implement internally, within the organization, the necessary actions that need to be taken to resolve identified weaknesses and gaps.

Management | Monitor, Evaluate and Assess | MEA04 | Managed Assurance | MEA04.09 | Follow up on recommendations and actions. | 2. Follow up, within the organization, to determine whether corrective actions were taken and internal control weaknesses were resolved.
