net/publication/326507013
All content following this page was uploaded by Rafael Almeida on 31 July 2018.
Abstract—The assessment of Enterprise Governance of IT (EGIT) frameworks and standards such as COBIT 5 and ISO 27001, when adopted simultaneously, implies an unreasonable effort because each framework and standard defines its own scope, definitions, and terminology. Using these frameworks and standards independently prevents organizations from achieving the full benefits of EGIT, since there are limitations on their application to specific Information Technology (IT) areas. Also, as these frameworks and standards overlap, at a time when organizations strive to be efficient and effective, it seems counterintuitive to waste resources by having different organizational departments handle both approaches independently. Thus, the primary goal of this paper is to facilitate the simultaneous assessment of COBIT 5 and ISO 27001. To reach this goal, an Enterprise Architecture (EA) metamodel representation of ISO 27001 and its mapping to COBIT 5 is proposed, using ArchiMate as the EA modeling language. The ISO 27001 metamodel is also extended with ISO/IEC Technical Specification (TS) 33052 and ISO/IEC TS 33072, because these standards propose a Process Reference Model and a Process Assessment Model for information security management, which are essential models to assess ISO 27001 and COBIT 5 simultaneously. A field study was conducted in the Portuguese Navy regarding the COBIT 5 Manage Service Requests and Incidents process and its corresponding controls in ISO 27001, through the mapped ISO/IEC TS 33052 processes.

Keywords—ArchiMate, COBIT 5, Enterprise Architecture, Field Study, ISO 27001, ISO/IEC TS 33052, ISO/IEC TS 33072, Process Capability Assessment.

I. INTRODUCTION

Given the relatively new-found vital importance of Information Technology (IT) for all types of organizations, Enterprise Governance of IT (EGIT) has gained a new focus [1]. EGIT can be defined as "an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments" [1]. This definition is based on the IT Governance Institute [2] definition, which emphasizes that EGIT should be a focus area of corporate governance.

Examples of process mechanisms are EGIT frameworks, best practices, and ISO standards that encourage behaviors consistent with the organization's mission, strategy, values, norms, and culture [3]. The term 'EGIT practices' is used throughout this paper to refer to all frameworks, best practices and ISO standards described in the paper.

Some of these practices provide guidelines in multiple dimensions of IT organizations, e.g., Information Security Management Systems (ISMS) and IT governance processes. Others are widely used in industry to improve the competitiveness of organizations, or are required as mandatory practices, becoming regulatory practice in specific market niches [4].

This situation allows organizations to select and complement their processes from the practices which fit their contexts well [5]. However, independently of the EGIT practices to be used, their implementation requires specific experience and knowledge, along with a high degree of effort and investment, as key factors for it to be successful. All this signifies that the task is not easy and that there is a significant risk of failure [6].

Researchers agree that COBIT, ITIL, and ISO 27001 are amongst the most valuable and popular practices currently being adopted and adapted by organizations [7], [8], [9]. One of the five principles of COBIT 5 is Applying a Single, Integrated Framework [10], which means that COBIT 5 can serve as the overarching practice for EGIT. Leveraging this principle can help organizations attain and maintain ISO 27001 certification through the continual improvement guidelines described in COBIT 5.
A. COBIT 5

COBIT 5 is based on five principles: meeting stakeholder needs; covering the enterprise end-to-end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management [10]. Together, these principles allow enterprises to assemble and deploy an effective EGIT and management practice, and thus support an outstanding balance between benefits realization, risk management and resources [10].

The evolution to COBIT 5 unified three ISACA practices: Val IT, a value-delivery-focused practice; Risk IT, a risk-management-focused practice; and the previous COBIT versions. Hence, this allowed COBIT 5 to cover the lifecycle of governance and management within the scope of enterprise IT [1].

B. ISO 27001

ISO 27001 provides requirements for implementing, maintaining and improving an Information Security Management System (ISMS) [30]. Organizations implement this practice to address security requirements in a consistent, repeatable and auditable manner [31]. An ISMS provides risk management processes such that it preserves the confidentiality, integrity, and availability of information. It is of the utmost importance that this risk management process is integrated with the organization's processes, and that information security is included holistically within the scope of process design, information systems, and controls.

C. COBIT PAM

COBIT 5 PAM is a model that aims at assessing the capability of a COBIT 5 process. It defines six process capability levels on an ordinal scale, ranging from incomplete to optimizing processes [32].

COBIT PAM is based on ISO/IEC 15504 [33], [34], which means it relies on a global reference for conducting process capability assessments. From an assessment perspective, COBIT 5 PAM breaks down each process into base practices specific to that process, and takes into account generic practices, which are not restricted to any particular process.

E. ArchiMate

Lankhorst [36] enumerates several languages that are useful for modeling IT and business, such as BPMN, EPC (ARIS), and UML. ArchiMate does not intend to replace these languages. ArchiMate is typically used for high-level processes and their relations to the enterprise context, but it is not intended for detailed workflow modeling [37]. BPMN supports detailed sub-process and task modeling down to the level of executable specifications, but lacks the broader enterprise context, for example, to model the goals and requirements that a process has to fulfill [37]. Moreover, several concepts in ArchiMate were strongly inspired by UML. The most obvious is the application component concept, which corresponds to the UML component. This close linkage facilitates a continuous development chain between higher-level EA models described in ArchiMate notation and lower-level solution architecture and implementation models in UML [38].

Since the motivational layer is essential to model EGIT practices (for example, in COBIT 5 the needs, drivers, and goals are core concepts that cannot be ignored), ArchiMate seemed to be the most suitable language for this research. Finally, ArchiMate can be used to model the full enterprise complexity in a compelling way, which is also an important aspect, since in this research the authors modeled a real-world scenario.

In June 2016 a new version of ArchiMate was released. The ArchiMate 3.0 Specification [39] is a significant update to the ArchiMate 2.1 Specification [40]. In this research, the authors used ArchiMate 2.1 to model the concepts common to the two versions, and ArchiMate 3.0 for modeling the Strategic Layer presented in the Proposal Section.

F. EGIT Complexity

Complexity, in general, can be defined as the "property of a language [representation] expression which makes it difficult to formulate its overall behavior, even when given almost complete information about its atomic components and their inter-relations" [41]. Choosing this generic and overarching definition enables adoption in various fields of application and incorporates specific complexity theories, views and paradigms [42].
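The capability-level rule that subsection C (COBIT PAM) describes only in words can be made concrete. The following is an added example, not code from the paper, from ISACA or from the field study: the N/P/L/F rating scale and the rule for deriving a capability level from process-attribute ratings are taken from ISO/IEC 15504-2, which COBIT 5 PAM adopts; the process-attribute names follow COBIT 5 PAM; the sample achievement percentages are constructed and are not the Portuguese Navy results.

```python
"""Derive a COBIT 5 PAM process capability level from process-attribute
ratings, and list the attributes blocking the next level.

Added example, not the paper's artefact. Rating scale and level rule:
ISO/IEC 15504-2 as adopted by COBIT 5 PAM. Sample data is constructed."""
from typing import Dict, List, Tuple

# Process attributes (PAs) that must be achieved at each capability level;
# level 0 (Incomplete) has none. Names follow COBIT 5 PAM.
PROCESS_ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA 1.1 Process performance"],
    2: ["PA 2.1 Performance management", "PA 2.2 Work product management"],
    3: ["PA 3.1 Process definition", "PA 3.2 Process deployment"],
    4: ["PA 4.1 Process measurement", "PA 4.2 Process control"],
    5: ["PA 5.1 Process innovation", "PA 5.2 Process optimisation"],
}

LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimising"}

# Ordinal rating scale: Not / Partially / Largely / Fully achieved.
ORDINAL = {"N": 0, "P": 1, "L": 2, "F": 3}


def rate(achievement_pct: float) -> str:
    """Map percentage achievement of one PA to the N/P/L/F scale:
    N 0-15 %, P >15-50 %, L >50-85 %, F >85-100 % (ISO/IEC 15504-2)."""
    if not 0 <= achievement_pct <= 100:
        raise ValueError("achievement must be a percentage in [0, 100]")
    if achievement_pct <= 15:
        return "N"
    if achievement_pct <= 50:
        return "P"
    if achievement_pct <= 85:
        return "L"
    return "F"


def capability_level(ratings: Dict[str, str]) -> int:
    """Highest level N whose PAs are all L or F while every PA of the
    levels below N is F. A PA that was not rated counts as N."""
    for value in ratings.values():
        if value not in ORDINAL:
            raise ValueError(f"unknown rating {value!r}")
    achieved = 0
    lower_fully = True  # all PAs of the levels already passed are F
    for level in range(1, 6):
        current = [ratings.get(pa, "N") for pa in PROCESS_ATTRIBUTES[level]]
        if not (lower_fully and all(r in ("L", "F") for r in current)):
            break
        achieved = level
        lower_fully = all(r == "F" for r in current)
    return achieved


def improvement_gaps(ratings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """PAs holding the process back from the next level, as
    (attribute, current rating, required rating). Attributes of the
    achieved levels must reach F; those of the next level at least L."""
    achieved = capability_level(ratings)
    if achieved == 5:
        return []
    gaps: List[Tuple[str, str, str]] = []
    for level in range(1, achieved + 1):
        for pa in PROCESS_ATTRIBUTES[level]:
            r = ratings.get(pa, "N")
            if r != "F":
                gaps.append((pa, r, "F"))
    for pa in PROCESS_ATTRIBUTES[achieved + 1]:
        r = ratings.get(pa, "N")
        if ORDINAL[r] < ORDINAL["L"]:
            gaps.append((pa, r, "L"))
    return gaps


def assess(achievement: Dict[str, float]) -> Tuple[int, str, List[Tuple[str, str, str]]]:
    """Full assessment from percentage achievement per PA."""
    ratings = {pa: rate(pct) for pa, pct in achievement.items()}
    level = capability_level(ratings)
    return level, LEVEL_NAMES[level], improvement_gaps(ratings)


# Constructed ratings for one process (not the field-study results):
# level 1 is fully achieved, level 2 only partly.
SAMPLE_ACHIEVEMENT = {
    "PA 1.1 Process performance": 90.0,
    "PA 2.1 Performance management": 70.0,
    "PA 2.2 Work product management": 40.0,
}

if __name__ == "__main__":
    level, name, gaps = assess(SAMPLE_ACHIEVEMENT)
    print(f"Capability level {level} ({name})")
    for pa, have, need in gaps:
        print(f"  gap: {pa}: rated {have}, needs at least {need}")
```

The ordering matters: a process whose level 2 attributes are both F but whose PA 1.1 is only L still sits at level 1, because the rule requires every lower-level attribute to be Fully achieved before a higher level counts. The gap list is the raw material for the kind of process improvement recommendations the conclusion mentions for the level 2 assessment.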
Complex systems can be understood as a heterogeneous set of elements with diverse interrelations and dependencies [43], [44], [45]. In this context, complexity can be divided into multiple dimensions, namely task-related complexity, structural complexity and time-related complexity (dynamics) [41], [46]. While structural complexity can be quantitatively measured [47], the remaining dimensions often depend on the subjective perception of an object by the observer [48], [49]. This observation leads to a differentiation between real or structural complexity and perceived complexity [50], [51].

Since there is a clear need for methodological support for the current tasks and challenges of EGIT, metamodels can be a helpful support for analysis: the representation allows the comparison of different frameworks on an abstract level [23]. Once the components are extracted, frameworks can be examined and analyzed. Thus, other frameworks can be checked for completeness with the aid of the metamodel [23].

IV. RELATED WORK

In this section, the authors present previous work towards the alignment of COBIT and ISO 27001.

A. Aligning COBIT and ISO 27001

Alignment between COBIT and ISO 27001 has been approached by several researchers [6], [7], [11], [52]. However, these researchers either map EGIT practices at a very abstract level, just matching process similarity criteria [41], or have mapped previous versions that have been superseded, such as COBIT 4.1 and ISO 27001:2005 [6], [7], [11]. Despite these obstacles, such researchers provide valuable guidance regarding the alignment of the current versions of COBIT and ISO 27001, as these works establish sound, peer-reviewed mappings, albeit "deprecated" ones, which are useful as comparison baselines for new mappings, thus avoiding 'bad' mappings introduced by the authors' best-knowledge approach.

Moreover, as far as the authors are aware, only a few approaches propose to model and integrate EGIT practices using ArchiMate as the architecture modeling language, enabling the integration of these EGIT practices in a standards-based EA representation.

However, the authors would like to highlight two papers that contributed to this research: Almeida et al. [54] mapped, modeled and integrated COBIT 5 and COSO in ArchiMate. Another work [53] proposed a model that uses TIPA for ITIL, COBIT PAM and ArchiMate to analyze the impact of ITIL implementation on COBIT process performance, and vice-versa.

In this paper, the authors decided to use the COBIT 5 metamodel proposed by [54], since it seems to cover all the core concepts of COBIT 5 and the scope of this research.

Therefore, we would like to claim that the extant literature is limited in providing concrete contingencies that can assist organizations to understand and develop successful strategies for the simultaneous adoption and assessment of EGIT practices, and so we believe that we have identified a crucial niche in the literature.

V. PROPOSAL

One of the most important processes regarding IT in COBIT 5 is the ISM domain, which covers the confidentiality, integrity, and availability of information [11]. Since this area is covered in more detail by ISO 27001, the best option to meet ISM in COBIT 5 is mapping it to the ISO 27001 practice [11]. The purpose of this kind of mapping is to provide a simplified and integrated way for the complementary use of COBIT and ISO 27001 for ISM in modern organizations, following the Plan, Do, Check, Act approach for continuous improvement present in this practice.

Mainly, there are two reasons to start with the conceptual metamodeling of COBIT 5 [23]. COBIT 5 is well structured in domains, processes, and other components and is, therefore, closed and self-contained. Also, COBIT is holistic and represents (nearly) all tasks and processes that an IT organization should carry out. ISO 27001 was chosen because it is a security practice for ISMS, which is a highly dynamic and complex task due to the constant change in the IT domain [55].

In this paper the authors propose to use ArchiMate, as the EA language, to model ISO 27001 metamodels, enabling in this way the integration with COBIT 5 and facilitating their simultaneous assessment. Therefore, we can state that in this proposal two artifacts (models) are designed and developed: one regarding ISO 27001 as a standalone practice and the other regarding the integration between ISO 27001 and COBIT 5. Agreeing with [29], we consider that instantiating abstract artifacts (in this case models) is a way of evaluating them, instead of viewing instantiations as artifacts to evaluate.

Moreover, the authors applied the principles proposed by Schütte and Rotthowe [56] and the guidelines proposed by Goeken and Alter [23] to represent ISO 27001 as a conceptual metamodel, ensuring in this way a solid theoretical foundation for the (meta)model.

A. ISO 27001 Metamodel

To develop a metamodel for ISO 27001 using ArchiMate, the authors first mapped the main ISO 27001 concepts to ArchiMate concepts, as shown in Table I.

To the best of our knowledge, we did not find a relevant method to obtain such a mapping. Therefore, the authors propose a method to map COBIT 5 and ISO 27001 based on a consensus decision-making process. Consensus may be defined professionally as an acceptable resolution, one that can be supported, even if it is not the first option of each participant. The authors followed these steps: 1. each author performed an in-depth analysis of the literature review; 2. each author defined the concepts they believed to be essential in the ISO 27001 metamodel; 3. all the authors met to compare the concepts and define which ones would be used in the final metamodel; 4. all the authors mapped the chosen ISO 27001 concepts to ArchiMate concepts; 5. ISO 27001 specialists (with a certain knowledge of ArchiMate) were asked to validate the models. These steps are briefly explained below. This process lasted eight months, since it is an iterative process.

TABLE I. ISO 27001 AND ARCHIMATE ONTOLOGICAL MAPPING
Regarding the secondary participants, a semi-structured interview was conducted with three relevant IT department leaders (STI, DITIC, and NCIRC). The interviewees were expert IT personnel with extensive knowledge of the scope of service request and incident management, as well as of the ISMS. In this meeting, the authors presented the models and the field study findings, and received valuable feedback. Moreover, some structured quantitative data were collected to evaluate the proposal. Each interviewee was asked to fill in a short survey based on the relevant evaluation criteria recommended by [29].

The survey was composed of five short questions, as shown in Table V. The participants were asked to answer each question on a six-point scale, where "0 – Completely Disagree" and "5 – Completely Agree". Due to space limitations we can only present a subset of the questions asked: "Do you consider the proposed artifacts to be useful to support decision-making and process improvement recommendations in your organization?"; "Do you consider that, by applying these artifacts to IT transformation based on Enterprise Governance of IT (EGIT) practices (such as COBIT, ITIL, ISOs), they would be useful in clarifying to stakeholders the IT functions performed (description of the 'as-is' state)?"

Regarding the level of evaluation, this proposal was evaluated via the instantiation of the model, and so it can be considered an ex-post evaluation. Finally, regarding the relativeness of the evaluation, since there is no comparable artifact, we can claim that, in this first iteration of the DSRM, the evaluation is not a relative one, owing to the absence of any comparable artifact. It means that there is no comparable artifact against which to compare this proposal.

In addition to the method for evaluation, [29] also proposes a set of criteria that can be used to evaluate a Design Science Research proposal.

Taking into account the system view of the proposed model, the criteria dimensions that are relevant to this evaluation were the goal and structure system dimensions. These dimensions define a subset of criteria that evaluate the models regarding their efficacy, validity, and generality (for the goal dimension), and completeness, simplicity, clarity, and homomorphism (for the structure dimension).

As mentioned, a semi-structured interview was conducted, as well as a short survey with a small set of questions, to qualitatively assess the participants' sensibility towards the aforementioned criteria pertaining to the goal and structure dimensions. Regarding efficacy, validity, and generality, the authors collected positive feedback, as the secondary participants (IT team leaders) considered that they had obtained a clearer view of their organization's as-is state in regard to the scope of the field study performed. The participants also indicated that they believed such a field study could be applied to other IT areas within the organization to assist key stakeholders in understanding IT transformation.
From the open-ended interviews and survey, the authors would like to highlight comments such as "the models contain the primary modules that enable the clear description of the organization's functions" and "the models contain information relevant to support IT transformation", which indicate that the participants identified some degree of completeness, clarity, and homomorphism regarding the instantiated viewpoint of their organization.

However, some limitations were also identified. None of the interviewees were deeply familiar with the ArchiMate language. However, after a brief explanation, they were capable of easily identifying the concepts and perceiving the existing relationships in the models. They suggested that in the organizational environment some training would be required to increase the skills and knowledge of all collaborators. This feedback is not unexpected, as these ArchiMate models are targeted at EA practitioners. However, just as BPMN is widely used for specifying organizational business processes, ArchiMate can also become widespread in organizations. As the ArchiMate language is considered to be easy to learn and understand [61], the authors believe that some criticism regarding this language is exaggerated. The feedback allowed us to point out that any increase in complexity from using ArchiMate is largely outweighed by the reduced difficulty in understanding and assessing COBIT 5 and ISO 27001 simultaneously.

VIII. CONCLUSION

The primary goal of this research is to facilitate the simultaneous assessment of COBIT 5 and ISO 27001 by proposing visual models as a complement to their current textual representation. Tackling the complexity of the elements of both COBIT 5 and ISO 27001 with the visual representation helps organizations, as they will find it less complex to understand and assess both approaches simultaneously, realizing business benefits that are complementary and interrelated.

This statement was validated in practice by the field study and the interviews performed. These models allowed us to simultaneously assess a selected process within an organization from a COBIT 5 and an ISO 27001 perspective. Not only were we able to establish the "as-is" state of this process through a COBIT process capability level 1 assessment, but also to perform an assessment at COBIT capability level 2, so as to gather additional information and thus propose process improvement recommendations for the organization.

This research has some limitations. First of all, the collected data was limited to the Portuguese Navy. Also, due to space limitations, the survey applied is only described but not thoroughly presented, and thus the qualitative data collected from the interviews is not fully represented in this article. However, the authors intend to use these data to discuss and present further research. Finally, the size, level of detail and complexity of EA models can make their analysis by human means alone a hard task [36].

Nevertheless, the authors are still performing more interviews and collecting more data from other organizations, as well as pursuing validation of the mappings by receiving more feedback from specialists. In the future, the authors also plan to add our models into an EA management software tool that will allow us to automatically answer questions such as "How many resources do we have allocated to comply with a given ISO 27001 control?", which is an important feature for auditing in the digital age.

For future work it would also be interesting to develop a Maturity Model for ISO 27001, to assess the maturity of the information security management of an organization.

REFERENCES

[1] S. De Haes and W. Van Grembergen. Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value, Featuring COBIT 5. New York, U.S.A.: Springer Verlag, 2015.
[2] IT Governance Institute. "Board briefing on IT governance". Information Technology Governance Institute, 2003.
[3] P. Weill. "Don't Just Lead, Govern: How Top-Performing Firms Govern IT." MIS Quarterly Executive, 3(1), 1-17, 2004.
[4] C. Pardo, F. J. Pino, F. Garcia, M. T. Baldassarre and M. Piattini. "From chaos to the systematic harmonization of multiple reference models: A harmonization framework applied in two case studies". Journal of Systems and Software, 86(1), 125-143, 2013.
[5] C. Pardo, F. J. Pino, F. García, M. Piattini and M. T. Baldassarre. "An Ontology for the Harmonization of Multiple Standards and Models." Computer Standards & Interfaces, 34, 48-59, 2012.
[6] I. Aaen. "Software Process Improvement: Blueprints versus Recipes." IEEE Software, 86-93, 2003.
[7] S. Sahibudin, M. Sharifi, and M. Ayat. "Combining ITIL, COBIT, and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations". Asia International Conference on Modeling, 2008.
[8] T. Coleman and A. Chatfield. "Promises and Successful Practice in IT Governance: a Survey of Australian Senior IT Managers." In: 15th Pacific Asia Conference on Information Systems: Quality Research in Pacific, PACIS 2011, Queensland, pp. 1-15, 2011.
[9] R. S. Debreceny and G. L. Gray. "IT Governance and Process Maturity: a Multinational Field Study." Journal of Information Systems, vol. 27, no. 1, pp. 157-188, 2011.
[10] ISACA. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, 2012.
[11] R. Sheikhpour and N. Modiri. "An Approach to Map COBIT Processes to ISO/IEC 27001 Information Security Management Controls". International Journal of Security and its Applications, 13-28, 2012.
[12] M. E. Porter and V. E. Millar. "How information gives you competitive advantage." Harvard Business Review, 63(4), 149-160, 1985.
[13] M. T. Dlamini, J. H. Eloff, and M. M. Eloff. "Information security: The moving target." Computers & Security, 28(3-4), 189-198, 2009.
[14] International Organization for Standardization. Information Technology – Process Assessment – Process Reference Model for Information Security Management, ISO/IEC TS 33052, 2016.
[15] International Organization for Standardization. Information Technology – Security Techniques – Information Security Management Systems – Requirements, 2nd edn. ISO/IEC 27001, 2013.
[16] M. Nicho and S. Muamaar. "Towards a Taxonomy of Challenges in an Integrated IT Governance Framework Implementation." Journal of International Technology and Information Management, 2016.
[17] S. Biffl, D. Winkler, R. Höhn and H. Wetzel. "Software process improvement in Europe: potential of the new V-Modell XT and research issues". Software Process: Improvement and Practice, 11, 229–238, 2006.
[18] M. Gehrmann. "Combining ITIL, COBIT, and ISO/IEC 27002 for Structuring Comprehensive Information Technology for Management in Organizations". NAVUS: Revista de Gestão e Tecnologia, pp. 66-77, 2012.
[19] M. Vicente, N. Gama and M. Mira da Silva. "Using ArchiMate to represent ITIL Metamodel." In: IEEE International Conference on Business Informatics (CBI), pp. 270-275, 2013.
[20] R. Pereira and M. Mira da Silva. "Designing a new integrated IT Governance and IT Management framework based on both scientific and practitioner viewpoint." International Journal of Enterprise Information Systems (IJEIS), 8(4), 1–43, 2012.
[21] A. Pajić, O. Pantelić, and B. Stanojević. "Representing IT performance management as metamodel". International Journal of Computers Communications & Control, 9(6), 758-767, 2014.
[22] Y. Bartens, S. De Haes, L. Eggert, L. Heilig, K. Maes, F. Schulte and S. Voß. "A visualization approach for reducing the perceived complexity of COBIT 5". In: International Conference on Design Science Research in Information Systems. Springer, Cham, pp. 403-407, 2014.
[23] M. Goeken and S. Alter. "Towards Conceptual Metamodeling of IT Governance Frameworks: Approach, Use, Benefits." In: IEEE 42nd Hawaii International Conference on System Sciences. Hawaii: IEEE, 2009.
[24] A. Hevner, S. March, J. Park and S. Ram. "Design Science in Information Systems Research." MIS Quarterly, 78-105, 2004.
[25] J. G. Walls, G. R. Widmeyer and O. A. El Sawy. "Assessing information system design theory in perspective: how useful was our 1992 initial rendition?" JITTA: Journal of Information Technology Theory and Application, 6(2), 43, 2004.
[26] A. G. L. Romme. "Making a difference: Organization as design." Organization Science, 14(5), 558-573, 2003.
[27] K. De Maere and S. De Haes. "Is the Design Science Approach fit for IT Governance Research?" In: 16th European Conference on Research Methods in Business and Management, ECRM, 2017.
[28] K. Peffers, T. Tuunanen, M. A. Rothenberger, and S. Chatterjee. "A design science research methodology for information systems research". Journal of Management Information Systems, 24(3), 45-77, 2007.
[29] N. Prat, I. Comyn-Wattiau and J. Akoka. "Artifact Evaluation in Information Systems Design-Science Research: A Holistic View." In: 18th Pacific Asia Conference on Information Systems. Chengdu, China, 2014.
[30] International Organization for Standardization. Information Technology – Security techniques – Information security management systems – Overview and vocabulary. ISO/IEC 27000, 3rd edition, 2014.
[31] M. Nicho and S. Muamaar. "Towards a Taxonomy of Challenges in an Integrated IT Governance Framework Implementation." Journal of International Technology and Information Management, 2016.
[32] ISACA. COBIT 5 Process Assessment Model (PAM): Using COBIT 5. ISACA, 2013.
[33] ISO/IEC 15504-1 (2004). Information technology – Process Assessment – Part 1: Concepts and Vocabulary. International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2004.
[34] ISO/IEC 15504-2 (2003). Software Engineering – Process Assessment – Part 2: Performing an Assessment. International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2003.
[35] International Organization for Standardization. ISO/IEC TS 33072 (2016). Information technology – Process assessment – Process capability assessment model for Information Security Management, 2016.
[36] M. Lankhorst. Enterprise Architecture at Work: Modeling, Communication and Analysis. The Enterprise Engineering Series, 3rd edition. Springer, 2013.
[37] M. Lankhorst and J. Niehof. Combining ArchiMate® 3.0 with Other Standards – BPMN. BiZZdesign. URL: http://blog.bizzdesign.com/combining-archimate-3.0-with-other-standards-bpmn (visited on 01/11/2017), 2016.
[38] M. Lankhorst and J. Niehof. Combining ArchiMate® 3.0 with Other Standards – UML / SysML / ERD. BiZZdesign. URL: http://blog.bizzdesign.com/combining-archimate-3.0-with-other-standards-uml-/-sysml-/-erd (visited on 01/11/2017), 2016.
[39] The Open Group. ArchiMate 3.0.1 Specification. Retrieved from The Open Group Publications: http://pubs.opengroup.org/architecture/archimate3-doc/ (visited on 20/10/2017), 2016.
[40] The Open Group. ArchiMate® 2.1 Specification. Retrieved from The Open Group Publications: http://pubs.opengroup.org/architecture/archimate2-doc/ (visited on 10/08/2017), 2013.
[41] B. Edmonds. "What Is Complexity? The Philosophy of Complexity Per Se with Application to Some Examples in Evolution." The Evolution of Complexity, 1995.
[42] Y. Bartens, S. De Haes, Y. Lamoen, F. Schulte and S. Voss. "On the way to a minimum baseline in IT governance: using expert views for selective implementation of COBIT 5." In: 48th Hawaii International Conference on System Sciences (HICSS), pp. 4554-4563. IEEE, January 2015.
[43] B. Morel and R. Ramanujam. "Through the Looking Glass of Complexity: The Dynamics of Organizations as Adaptive and Evolving Systems." Organization Science, vol. 10, no. 3, pp. 278–293, 1999.
[44] J. R. Blau and W. McKinley. "Ideas, Complexity, and Innovation." Administrative Science Quarterly, vol. 24, no. 2, pp. 200–219, 1979.
[45] S. C. Sommer and C. H. Loch. "Selectionism and Learning in Projects with Complexity and Unforeseeable Uncertainty." Management Science, vol. 50, no. 10, pp. 1334–1347, 2004.
[46] M. T. Pich, C. H. Loch, and A. D. Meyer. "On Uncertainty, Ambiguity, and Complexity in Project Management." Management Science, vol. 48, no. 8, pp. 1008–1023, 2002.
[47] B. Shalit. "Structural Ambiguity and Limits to Coping." Journal of Human Stress, vol. 3, no. 4, pp. 32–45, 1977.
[48] P. Checkland. Systems Thinking, Systems Practice. Hoboken, NJ: John Wiley & Sons, 1999.
[49] W. J. Orlikowski and D. Robey. "Information Technology and the Structuring of Organizations." Information Systems Research, vol. 2, no. 2, pp. 143–169, Jun. 1991.
[50] S. L. Schlindwein and R. Ison. "Human Knowing and Perceived Complexity: Implications for Systems Practice." Emergence: Complexity & Organization, vol. 6, no. 3, 2004.
[51] B. Hasan. "Examining the Effects of Computer Self-Efficacy and System Complexity on Technology Acceptance." Information Resources Management Journal, vol. 20, no. 3, pp. 76–88, 2007.
[52] K. Haufe, R. Colomo-Palacios, S. Dzombeta, K. Brandis and V. Stantchev. "Security Management Standards: A Mapping." Procedia Computer Science, 755-761, 2016.
[53] R. Almeida, P. Pinto and M. Mira da Silva. "Using ArchiMate to Assess COBIT 5 and ITIL Implementations". In: 25th International Conference on Information Systems Development (ISD). Poland, 2016.
[54] R. Almeida, P. Pinto and M. Mira da Silva. "Using ArchiMate to Integrate COBIT 5 and COSO Metamodels". European, Mediterranean & Middle Eastern Conference on Information Systems (EMCIS). Krakow, Poland, 2016.
[55] D. Milicevic and M. Goeken. "Ontology-Based Evaluation of ISO 27001". Conference on e-Business, e-Service and e-Society, pp. 93-102. Berlin, Heidelberg, 2010.
[56] R. Schütte and T. Rotthowe. "The Guidelines of Modeling: an approach to enhance the quality in information models." In: Ling, Ram, Lee (Eds.) Conceptual Modeling – ER '98. Singapore, 16-19 November 1998, pp. 240-254, 1998.
[57] N. K. Denzin. The Research Act: A Theoretical Introduction to Sociological Methods. Chicago: Aldine, 1970.
[58] J. Kimchi, B. Polivka and J. S. Stevenson. "Triangulation: Operational definitions." Nursing Research, 40(6), 364-366, 1991.
[59] E. S. Mitchell. "Multiple triangulation: A methodology for nursing science." Advances in Nursing Science, 8(3), 18-26, 1986.
[60] B. Barafort, V. Betry, S. Cortina, M. Picard, M. St-Jean, A. Renault and O. Valdés. ITSM Process Assessment Supporting ITIL. (J. Chittenden, Ed.). Van Haren Publishing, 2009.
[61] M. Lankhorst and H. van Drunen. Enterprise Architecture Development and Modelling: Combining TOGAF and ArchiMate. 2007.