See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/326507013

A Model for Assessing COBIT 5 and ISO 27001 Simultaneously

Conference Paper · July 2018

CITATIONS READS

0 878

4 authors:

Rafael Almeida Renato Lourinho

Technical University of Lisbon Technical University of Lisbon
16 PUBLICATIONS   55 CITATIONS    3 PUBLICATIONS   2 CITATIONS   

SEE PROFILE SEE PROFILE

Miguel Mira da Silva Ruben Filipe de Sousa Pereira

University of Lisbon ISCTE-Instituto Universitário de Lisboa
225 PUBLICATIONS   1,150 CITATIONS    43 PUBLICATIONS   236 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

ePharmacare View project

Healthcare Digital Transformation View project

All content following this page was uploaded by Rafael Almeida on 31 July 2018.

The user has requested enhancement of the downloaded file.

 A Model for Assessing COBIT 5 and ISO 27001
Simultaneously
Renato Lourinho
Rafael Almeida
Business Service Management
Departamento de Engenharia
Compta Business Solutions
Informática
Lisbon, Portugal
Instituto Superior Técnico, Universidade
Renato.Lourinho@compta.pt
de Lisboa
Lisbon, Portugal
rafael.d.almeida@tecnico.ulisboa.pt
Rúben Pereira
Departamento de Ciências e Tecnologias
de Informação
Instituto Universitário de Lisboa
(ISCTE-IUL)
Lisboa, Portugal
Ruben.Filipe.Pereira@iscte-iul.pt
Abstract—The assessment of Enterprise Governance of IT
(EGIT) frameworks and standards such as COBIT 5 and ISO
27001, when adopted simultaneously, implies an unreasonable
effort because each framework and standard defines its own scope,
definitions, and terminologies. Using these frameworks and
standards independently prevents organizations from achieving the
full benefits of EGIT since there are limitations on their application
to specific Information Technology (IT) areas. Also, as these
frameworks and standards overlap, at a time when organizations
strive to be efficient and effective, it seems counterintuitive to be
wasting resources by having different organizational departments
handling both approaches independently. Thus, the primary goal of
this paper is to facilitate the COBIT 5 and ISO 27001 simultaneous
assessment. To reach this goal, an Enterprise Architecture (EA)
metamodel representation of ISO 27001 and its mapping to COBIT
5 is proposed using ArchiMate as the EA modeling language. The
ISO 27001 metamodel is also extended with ISO/IEC Technical
Specification (TS) 33052 and ISO/IEC TS 33072 because these
standards propose a Process Reference Model and a Process
Assessment Model for Information Security management, which
are essential models to assess ISO 27001 and COBIT 5
simultaneously. A field study was conducted in the Portuguese Navy
regarding the COBIT 5 Manage Service Requests and Incidents
process and its corresponding controls in ISO 27001 through the
mapped ISO/ IEC TS 33052 processes.
Keywords—ArchiMate, COBIT 5, Enterprise Architecture,
Field Study, ISO 27001, ISO/IEC TS 33052, ISO/IEC TS 33072
Process Capability Assessment.
I. INTRODUCTION
Given the relatively new-found vital importance of
Information Technology (IT) for all types of organizations,
Enterprise Governance of IT (EGIT) has gained a new focus
[1]. EGIT can be defined as "an integral part of corporate
governance and addresses the definition and implementation of
processes, structures and relational mechanisms in the
organization that enable both business and IT people to execute
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
Miguel Mira da Silva
Departamento de Engenharia
Informática
Instituto Superior Técnico, Universidade
de Lisboa
Lisbon, Portugal
mms@ist.utl.pt
their responsibilities in support of business/IT alignment and
the creation of business value from IT-enabled business
investments." [1]. This definition is based on the IT
Governance Institute [2] definition, which emphasizes that
EGIT should be a focus area of corporate governance.
Examples of process mechanisms are EGIT frameworks,
best practices, and ISO standards that encourage behaviors
consistent with the organization’s mission, strategy, values,
norms, and culture [3]. The term ‘EGIT practices’ is used
throughout this paper to refer to all frameworks, best practices
and ISO standards described in the paper.
Some of these practices are available to provide guidelines
in multiple dimensions of IT organizations, e.g., Information
Security Management System (ISMS) and IT Governance
Processes. Others are widely used in the industry to improve
the competitiveness of organizations or are required as
mandatory practices, becoming a regulatory practice in specific
market niches [4].
This situation allows organizations to select and
complement their processes from the practices which fit their
contexts well [5]. However, independently of the EGIT
practices to be used, its implementation requires specific
experience and knowledge, along with a high degree of effort
and investment, as key factors for it to be successful. All this
signifies that the task is not easy and there is a significant risk
of failure [6].
Researchers agree that COBIT, ITIL, and ISO 27001 are
amongst the most valuable and popular practices currently
being adopted and adapted by organizations [7], [8], [9].
One of the five principles of COBIT 5 is Applying a Single,
Integrated Framework [10], which means that COBIT 5 can
serve as the overarching practice for EGIT. Leveraging this
principle can help organizations attain and maintain ISO 27001
certification through the continual improvement guidelines
described in COBIT 5.
 The fundamental difference between COBIT and ISO
27001 is that ISO 27001 is only focused on information
security, whereas COBIT is focused on more general IT
domains. Thus, COBIT has broader coverage of general IT
topics but does not have as many detailed information security
requirements as ISO 27001 [11].
Information security is a critical success factor for
organizations that face the transformation process, as
information is a source of competitive advantage [12]. Current
information security challenges are evolving, and organizations
need to assure that they have adequate security controls in
place. Information security has evolved from addressing minor
and harmless security breaches to managing those with a huge
impact on organizations’ economic growth [13].
COBIT 5 [10] includes a process reference model (PRM),
which defines and describes in detail a number of governance
and management processes. PRMs are always related to
a Process Assessment Model (PAM) which holds all details to
determine the capability of the processes of the reference
model. In turn, ISO/IEC Technical Specification (TS) 33052
[14] describes the processes including the information security
management system (ISMS) processes implied by ISO/IEC
27001 [15]. ISO/IEC TS 33072 provides a PAM for
information security management.
Depending on what the organization is trying to achieve,
one particular practice may be more important than another.
When the dynamics of the environment change or other issues
take priority, a different practice may take priority.
The increasing demands of the industry coupled with
compliance requirements have forced organizations to adopt
many EGIT practices simultaneously [16]. Maximizing the
value of intellectual property, managing risk and security and
assuring compliance through effective EGIT has never been
more important. This situation adds even more complexity to
the field since organizations struggle with the perceived
complexity and difficulty of adopting several practices at the
same time [5] because each practice defines its own scope,
definitions, and terminologies [17].
Since all these EGIT practices overlap, using them
independently prevents organizations from asserting full IT
management and governance because each practice has
limitations in its application to the management of specific IT
areas [18]. At a time when organizations strive to be efficient
and effective, it seems counterintuitive to be wasting resources
by having different organizational departments handling
different practices independently [19] since each EGIT practice
overlaps at least in part with other practices [20], [21].
To sum up, the problem that this research intends to help
solve is ‘the perceived complexity of understanding and
assessing COBIT 5 and ISO 27001 simultaneously’.
Therefore, the primary goal of this research is to facilitate
the simultaneous assessment of COBIT 5 and ISO 27001 by
proposing visual models as a complement to their current
textual representation. Visual models are essential since they
depict a comprehensible representation, making information
more explicit [22] and can also contribute to increasing the
theoretical foundation of these practices [23]. Thus, in this
paper, an ArchiMate model is proposed as the Enterprise
Architecture (EA) language to model ISO 27001, ISO TS
33052 and ISO/IEC 33072, enabling in this way the integration
with COBIT 5, facilitating its simultaneous assessment.
A field study was conducted in the Portuguese Navy
regarding the COBIT 5 Manage Service Requests and Incidents
process and its corresponding processes in ISO/IEC TS 33052.
II. RESEARCH METHODOLOGY
This research follows the Design Science Research
Methodology (DSRM). DSRM involves a rigorous process to
design artifacts to solve observed problems, to make research
contributions, to evaluate the designs, and to communicate the
results to appropriate audiences [24].
Walls et al. [25] argue that the widespread adoption of
DSRM within the field of Information Systems research will
have more impact on management practice as a result of closer
ties between researchers and practitioners. Hence, [26] posits
academics should conduct design science research more
regularly. Unfortunately, the application of design science
research within the context of EGIT remains relatively low
[27].
DSRM is appropriated for research that seeks to extend the
boundaries of human and organizational capabilities by
creating new and innovative artifact [24]. DSRM differentiates
from other research paradigms because it tries to develop and
reach artifacts that can be proven effective in real-world
scenarios [28].
A methodology can be seen as a system of principles,
practices, and procedures applied to a specific branch of
knowledge. According to [28], a methodology for design
science research would include three elements: conceptual
principles to define what is meant by design science research,
practice rules, and a process for carrying out and presenting the
research. Due to space limitations, in this paper, the authors just
present the process model consisting of six iterative activities in
a nominal sequence proposed by [28]. Each step is described
next with regard to the scope of this research.
• Problem identification and motivation: The
perceived complexity of understanding and
assessing COBIT 5 and ISO 27001
simultaneously,
• Definition of the objectives for the solution: To
facilitate the simultaneous assessment of COBIT 5
and ISO 27001.
• Design and development: Visual models using
the ArchiMate language are proposed as a
compliment to EGIT practices current textual
representation.
• Demonstration: A field study was conducted in
the Portuguese Navy regarding the COBIT 5
Manage Service Requests and Incidents process
and its corresponding processes in ISO/IEC TS
33052.
 • Evaluation: The evaluation was performed using
the method and criteria proposed by [29].
• Communication: Submission to the 20th IEEE
International Conference on Business Informatics
III. THEORETICAL BACKGROUND
In this section, the main concepts that form the basis of this
proposal are described. First, the authors introduce COBIT 5,
ISO 27001, ISO TS 33052 and ISO/IEC 33072. The ArchiMate
language is then presented as the standard language for EA
modeling, along with a brief description of why it was chosen
as the EA modeling language. Finally, we introduce the EGIT
complexity topic.
A. COBIT 5
COBIT 5 is based on five principles: meeting stakeholder
needs; covering the enterprise end-to-end; applying a single,
integrated framework; enabling a holistic approach; and
separating governance from management [10]. Together these
principles would allow enterprises to assemble and deploy an
effective EGIT and management practice and thus support an
outstanding balance between benefits realization, risk
management and resources [10].
COBIT 5 evolution unified ISACA's three practices: Val
IT, a value delivery focused practice; Risk IT, a risk
management focused practice and previous COBIT versions.
Hence this allowed COBIT 5 to cover the lifecycle of
governance and management within the scope of enterprise IT
[1].
B. ISO 27001
ISO 27001 provides requirements for implementing,
maintaining and improving an Information Security
Management System (ISMS) [30]. Organizations implement
this practice to address security requirements in a consistent,
repeatable and auditable manner [31]. An ISMS provides risk
management processes such that it preserves confidentiality,
integrity, and availability of information. It is of the utmost
importance that this risk management process is integrated with
the organization's processes and information security is
included holistically within the scope of process design,
information systems, and controls.
C. COBIT PAM
COBIT 5 PAM is a model that aims at assessing the
capability of a COBIT 5 process. It scales six process capability
levels defined on an ordinal scale, which starts from incomplete
to optimizing processes [32].
COBIT PAM is based on ISO/IEC 15504 [33], [34], which
means it relies on a global reference for conducting process
capability assessments. From an assessment perspective,
COBIT 5 PAM break down each process into Base Practices
specific to each process and take into account generic practices,
which are not restricted to any particular process.
D. ISO/IEC TS 33052 and 33072
ISO/IEC TS 33072 [35] proposes a Process Assessment
Model (PAM) enabling the assessment of processes based on
the ISO 27001 requirements statements. To be able to perform
an assessment, ISO/IEC TS 33072 presents “Base Practices”
and “Information Items” which compose the processes defined
in ISO TS 33052 [14]. Conceptually, these “Base Practices”
and “Information Items” are similar to COBIT 5 own “Base
Practices” and “Work Products”.
Considering this similarity, the inclusion of these concepts
to extend the ISO 27001 metamodel are needed for a closer
mapping with COBIT 5 at a finer granularity level than just
“Process” vs. “Control”.
E. ArchiMate
Lankhorst [36] enumerates several languages that are useful
for modeling IT and business such as BPMN, EPC (ARIS), and
UML. ArchiMate does not intend to replace these languages.
ArchiMate is typically used for high-level processes and their
relations to the enterprise context, but it is not intended for
detailed workflow modeling [37]. BPMN supports detailed
sub-process and task modeling down to the level of executable
specifications, but lacks the broader enterprise context, for
example, to model the goals and requirements that a process
has to fulfill [37]. Moreover, several concepts in ArchiMate
were strongly inspired by UML. The most obvious is the
application component concept, which corresponds to the UML
component. This close linkage facilitates a continuous
development chain between higher-level EA models described
in ArchiMate notation and lower-level solution architecture and
implementation models in UML [38].
Since the motivational layer is essential to model EGIT
practices, for example, in COBIT 5 the needs, drivers, and
goals are core concepts that cannot be ignored, ArchiMate
seemed to be the most suitable language for this research.
Finally, ArchiMate can be used to model the full enterprise
complexity in a compelling way that is also an important
aspect, since in this research the authors modeled a real-world
scenario.
In June 2016 a new version of ArchiMate was released. The
ArchiMate 3.0 [39] Specification is a significant update to the
ArchiMate 2.1 Specification [40]. In this research, the authors
used ArchiMate 2.1 to model the common concepts between
the two versions and ArchiMate 3.0 for modeling the Strategic
Layer presented in the Proposal Section.
F. EGIT Complexity
Complexity, in general, can be defined as “property of a
language [representation] expression which makes it difficult to
formulate its overall behavior, even when given almost
complete information about its atomic components and their
inter-relations.” [41]. Choosing this generic and overarching
definition enables the adoption to various fields of application
and incorporates specific complexity theories, views and
paradigms [42].
 Complex systems can be understood as a heterogeneous
amount of elements with diverse interrelations and
dependencies [43], [44], [45]. In this context, complexity can
be divided into multiple dimensions. Namely, these are task-
related complexity, structural complexity and time-related
complexity/dynamics [41], [46]. While structural complexity
can be quantitatively measured [47], the remaining dimensions
often depend on the subjective reception of an object by the
observer [48], [49]. This observation leads to a differentiation
between real or structural complexity and perceived complexity
[50], [51].
Due to the fact that there is a clear need for methodological
support for current tasks and challenges of EGIT, metamodels
can be a helpful support for analysis. the representation allows
the comparison of different frameworks on an abstract level.
[23] Once the components are extracted, frameworks can be
examined and analyzed. Thus, other frameworks can be
checked for completeness with the aid of the metamodel [23].
IV. RELATED WORK
In this section, the authors present previous works towards
the alignment of COBIT and ISO 27001.
A. Aligning COBIT and ISO 27001
Alignment between COBIT and ISO 27001 has been
approached by several researchers [6], [7], [11], [52]. However,
these researchers either map EGIT practices at a very abstract
level, just matching process similarity criteria [41], or have
mapped previous versions that have been superseded such as
COBIT 4.1 and ISO 27001:2005 [6], [7], [11]. Despite these
obstacles, such researchers provide valuable guidance
regarding the alignment of the current versions of COBIT and
ISO 27001, as these works establish a sound, peer-reviewed
mappings – albeit “deprecated” – useful as comparison
baselines for new mappings, thus avoiding ‘bad’ mappings
introduced by the authors’ best-knowledge approach.
Moreover, as far as the authors are aware, just a few
approaches propose to model and integrate EGIT practices
using ArchiMate as the architecture’s modeling language,
enabling the integration of these EGIT practices in a standard-
based EA representation.
However, the authors would like to highlight two papers
that contributed to this research: Almeida et al. [53] mapped,
modeled and integrated COBIT 5 and COSO in ArchiMate.
Another research [54] proposed a model that uses TIPA for
ITIL, COBIT PAM and ArchiMate to analyze the impact of
ITIL implementation on COBIT processes performance, and
vice-versa.
In this paper, the authors decided to use the COBIT 5
metamodel proposed by [54] since it seems to fill all the core
concepts of COBIT 5 and the scope of this research.
Therefore, we would like to claim that the extant literature
is limited in providing concrete contingencies that can assist
organizations to understand and develop successful strategies
for the adoption and assessment of EGIT practices
simultaneously, and so we believe that we identified a crucial
niche in the literature.
V. PROPOSAL
One of the most important processes regarding IT in
COBIT 5 is the ISM domain that covers the confidentiality,
integrity, and availability of information [11]. Since this area is
covered in more detail by ISO 27001, the best option to meet
ISM in COBIT 5 is mapping it with the ISO 27001 practice
[11]. The purpose of this kind of mappings is to provide a
simplified and integrated way for complementary use of
COBIT and ISO 27001 for ISM in modern organizations
following the Plan, Do, Check, Act approach for continuous
improvement present in this practice.
Mainly, there are two reasons to start with the conceptual
metamodeling of COBIT 5 [23]. COBIT 5 is well structured in
domains, processes, and other components and, therefore,
closed and self-contained. Also, COBIT is holistic and
represents (nearly) all tasks and processes that an IT
organization should carry out. ISO 27001 was chosen because
it is a security practice for ISMS that is a highly dynamic and
complex task due to the constant change in the IT domain [55].
In this paper the authors propose to use ArchiMate, as the
EA language, to model ISO 27001 metamodels, enabling in
this way the integration with COBIT 5, facilitating in this way
their simultaneous assessment. Therefore, we can state that in
this proposal two are artifacts (models) are designed and
developed: one regarding the ISO 27001 as a standalone
practice and the other regarding the integration between ISO
27001 and COBIT 5. Agreeing with [29] we consider that
instantiating abstract artifacts (in this case models) is a way of
evaluating them, instead of viewing instantiations as artifacts to
evaluate.
Moreover, the authors applied the principles proposed by
Schütte and Rotthowe [56] and the guidelines proposed by
Goeken and Alter [23] to represent ISO 27001 as a conceptual
metamodel, ensuring in this way a solid theoretical foundation
to the (meta)model.
A. ISO 27001 Metamodel
To develop a metamodel for ISO 27001 using ArchiMate,
the authors first mapped the main ISO 27001 concepts to
ArchiMate concepts, as shown in Table 1.
To the best of our knowledge, we did not find a relevant
method to obtain such a mapping. Therefore, the authors
propose a method to map COBIT 5 and ISO 27001 based on a
consensus decision-making process. Consensus may be defined
professionally as an acceptable resolution, one that can be
supported, even if not the first option of each. The authors
followed the following steps: 1. each author performed an in-
depth analysis of the literature review; 2. each author defines
the concepts they believe are essential in the ISO 27001
metamodel; 3. all the authors meet to compare the concepts and
define which ones will be used in the final metamodel; 4. all
the authors map the chosen ISO 27001 concepts to the
ArchiMate concepts; 5. ask ISO 27001 (with a certain
knowledge of ArchiMate) specialists to validate the models.
These steps are briefly explained below. This process lasted
eight months since it is an iterative process.
 TABLE I. ISO 27001 AND ARCHIMATE ONTOLOGICAL MAPPING

ISO 27001 ISO 27001 Concept ArchiMate ArchiMate

ArchiMate Concept Description
Concept Description Notation Representation
Need that is stated, generally A statement of need that must be
Requirement implied or obligatory. Requirement realized by a system.
Statement describing what is
Control An end state that a stakeholder intends
to be achieved as a result of Goal
Objective to achieve.
implementing controls.
A behavior element that groups
behavior based on an ordering of
Measure that is modifying Business
Control activities. It is intended to produce a
risk. Process defined set of products of business
services.
Person or group of people
An entity that performs behavior in an
that has its own functions Business
Organization organization such as business
with responsibilities to Actor processes or functions.
achieve its objectives.
Person or group of people
An entity that performs behavior in an
Top who directs and controls an Business organization such as business
Management organization at the highest Actor processes or functions.
level.
Person or entity with the A named specific behavior of a
accountability and authority Business business actor participating in a given
Risk Owner
to manage a risk. Role context.
Policy - intentions, and
direction of an organization.
Information need - insight
Information necessary to manage A driver is defined as something that
Security objectives, goals, risks, and Driver creates, motivates, and fuels the
Needs problems. change in an organization.
External context - external
environment including key
drivers and trends.
The authors started by looking into the literature to analyze research, we see controls as a set of actions that need to be
all the main theories and concepts that could be brought into implemented to ensure that effective control is in place. It is not
this research as shown in the Theoretical Background Section. an isolated requirement but a set of actions that should be
The authors realized that different metamodels could be created fulfilled. After analyzing the different definitions provided by
regarding the same subject. Thus, only after all the authors ArchiMate and ISO 27001, the authors defined “Control” as an
agreed on the concepts that were going to be used in this ArchiMate “Business Process”.
research, we started thinking about which language was going
to be used to model these concepts. The authors chose As this research extends the ISO 27001 metamodel with
ArchiMate due to the reasons already explained. Taking into ISO/IEC TS 33052 and 33072 concepts, these were also
account the ISO 27001 and ArchiMate concepts, one concept ontologically mapped to ArchiMate: “Process” as an
led to different interpretations: The “Control” concept was ArchiMate “Business Process”; “Base Practice” as a “Business
defined as a “Business Process” by some authors and as a Process” and “Information Item” as an ArchiMate “Business
“Requirement” by other authors. Object”. Based on these ontological mappings, the authors
propose the metamodel portrayed in Fig. 1. Some
It happens that controls could be presented through many considerations regarding this ISO 27001 metamodel should be
elements of ArchiMate. ISO 27001 defines a “Control” as a provided:
“measure that is modifying risk.” It also extends this definition
by stating that “Controls include any process, policy, device, “Controls” realize “requirements” by derived relationship
practice, or other actions which modify risk.” Thus, in this through “Control Objectives”; “Requirements” influence
“Control Objectives” meaning that implementation of ISO
27001 should fit an organization's risk management and
processes already in place. Thus, an organization’s information
security needs become drivers which influence requirements,
which in turn influence the controls needed to be implemented.
ISO 27001 presents a set of normative requirements,
including a set of controls for management and mitigation of
the risks associated with the information assets which the
organization seeks to protect. This motivation – namely a
“Driver” in the ArchiMate language – influences which
requirements the organization should implement, whether they
are security, legal or business requirements. Thus, as the
“Information Security Needs” influence the general
“requirements,” so do the choice of those general
“requirements” influence the set of “Controls” (or “Control
categories”).
Also, it is important to note that while ISO/IEC TS 33072
“Information Items” are conceptually equivalent to COBIT’s
“Work Products” as they follow the same logic and metamodel
defined in the ISO 15504 standard (which has been revised by
ISO/IEC 33001:2015), the authors keep the “Information
Items” terminology throughout this paper to distinguish the
COBIT and ISO concepts.
B. COBIT 5 – ISO 27001 – ISO TS 33052/33072 Metamodel
In Fig. 2 a metamodel that encompasses COBIT 5, ISO
27001 and ISO/IEC TS 33052/33072 using ArchiMate is
proposed.
A structural association relates COBIT 5 processes and ISO
27001 controls, meaning they can be mapped from one to
another and vice-versa. Also, a COBIT 5 “Process” can be
composed of one or more ISO 27001 “Control categories.”
Each category contains a single “Control objective” and one or
more “Controls”.
This integration model is based on the mapping between
COBIT 5 “Processes” and ISO 27001 “Controls” performed by
the authors. By semantically assessing the descriptions of both
“Processes”, “Control objectives” and ”Controls”, it was found
that when a COBIT 5 ”Process” is mapped to one or more ISO
27001 “Control categories”, all the “Controls” that belong to
that set are relevant to the COBIT 5 “Process”.
Fig. 1: ISO 27001 and ISO/IEC TS 33052/33072 Metamodel
Fig. 2: COBIT 5 – ISO 27001 – ISO/IEC TS 33052/33072 Metamodel
In this model, the authors decided to model an association
between ISO 27001 “Controls” and a COBIT 5 “Process” due
to the more generalized scope of COBIT 5. This end-to-end
nature of COBIT means that the ISM domain is spread through
nearly all of its processes, which means they are inevitably
related to information assets which can be protected.
Regarding the relationships between “Base Practices”,
while some ISO 27001 “Controls” map exclusively to some
ISO TS 33052 “Process” and vice-versa, and therefore its
related “Base Practices”, this is not always the case, and thus
the authors cannot state that all “Controls” map directly to
these processes; Despite this, all “Controls” map to one or more
“Base Practices” in an ad-hoc relation. Consequently, the same
reasoning applies to “Work Products” and “Information Items”.
VI. DEMONSTRATION
To enable the demonstration and evaluation of the
usefulness and efficacy of the abstract artifact presented in this
paper – the ArchiMate models mapping COBIT 5 and ISO
27001 – the authors assembled an instantiation as a part of the
model-instantiation system view [29]. Based on this holistic
view in contrast to a fragmented view, the successful assembly
of an instantiation constitutes a form of evaluation by itself
[29]. According to the evaluation criteria hierarchy and model
presented by [29], a static system presents one or several
models but no methods, thus being evaluated on the system
dimensions of goal and [model] structure.
The instantiation is then presented as a field study
application of our modelled knowledge as a system within the
scope of this research, which is the mapping of COBIT 5 and
ISO 27001. As a simultaneous implementation of COBIT 5 and
ISO 27001 – even if just a subset – would not contain the
opportunity to compare our findings with a baseline as-is
organizational state, the authors sought to instantiate the model
system as a simultaneous assessment of these practices in an
already established organizational environment as this allows
the authors to evaluate the current as-is state of a certain EGIT
process within the organization, determine the inputs and
outputs produced by that process and then instantiate our
modelled mapping from a bottom-up perspective starting at the
finest detail (inputs/outputs) and drill-up to established base
practices and processes and finally present a mapped result.
To instantiate through an assessment and keep this
demonstration and evaluation succinct, the authors defined that
a subset of COBIT 5 should be the scope, such as a single
management process. The process “DSS02 - Manage Service
Requests and Incidents” was chosen for this instantiation,
which per [41] is representative of a strongly related COBIT
process to ISO 27001 and is a process with a certain level of
maturity within the organization to be assessed.
With this process as a starting point, the authors took a
directional approach for the assessment, evaluating the
organizational process according to COBIT 5 PAM and from
there instantiate our mapping model. The COBIT 5 PAM states
that for a process to be assessed at level 1, a set of performance
indicators must be performed [32]: “Process Outcomes”, “Base
Practices (Management/Governance Practices)” and “Work
Products (Inputs/Outputs)”. These indicators follow a bottom-
up order: a process is performed if it successfully achieves its
stated “Outcomes”, which in turn are achieved if the respective
“Base Practices” are performed, which in turn can be stated that
they are performed if the organization presents evidence of the
respective “Outputs” of each base practice.
As previously stated, this assessment was performed in an
organization, the Portuguese Navy’s IT Oversight division
(Superintendência de Tecnologias de Informação – STI),
specifically in the Computer Incident Response Capability Core
(Núcleo CIRC – NCIRC) responsible for ISM and IT &
Communications Administration (Direção de Tecnologias de
Informação e Comunicação – DITIC) which is responsible for
the service requests and incident Service Desk
In 2015, the Navy’s STI compiled an Administrative
Directive document describing, within the STI’s scope, future
goals and lines of action needed to achieve these goals. From
this documentation, the authors establish the “Stakeholder
Needs” as the process drivers, as well as responsible
stakeholders that assume the “Risk Owner” role. A
motivational instantiation, such as presented in Fig. 3, is
valuable to recognize which organizational capabilities and
assigned resources support the realization of actions that deal
with concrete pain-points.
Fig. 4 shows the resulting ArchiMate viewpoint of the
instantiated concepts with the resulting from the assessment of
the Navy’s service requests and incidents management process.
Following COBIT 5’s PAM, we procured evidence of the
process outputs through our field study observation,
questioning and documentation gathering.
It was assessed that the Navy produced all required outputs
to successfully perform the process at a COBIT 5 PAM Process
Capability level 1, meaning the process Outcomes were
achieved. It was noted that there was a deficiency in keeping
service request catalogs updated and maintained, and thus we
identify this issue as a shortcoming to be improved to achieve
higher Process Capability levels.
Now knowing that there is evidence of the process
execution from a COBIT 5 perspective (denoted by the
“COBIT 5” grouping on the left side of Fig. 4), we can traverse
to the ISM domain through our proposed model. By mapping
these evidence with the corresponding ISO/IEC TS 33072 base
practice outputs it’s possible to quickly identify what
information security deficiencies (according to ISO 27001) are
present in the organization’s process implementation. In this
demonstration, it’s highlighted that information classification
schemes are possibly not up to par with the ISO 27001
standard.
Note that the ISO 27001 controls within the “17.1 –
Business Continuity” control group are marked as red since
they are related to COBIT 5 process inputs, and as such, they
need to be assessed and mapped from the outputs of COBIT 5
other processes than “DSS02 - Manage Service Requests and
Incidents”.
VII. EVALUATION
Prat et al. [29] proposed a generic evaluation method that
varies along four fundamental characteristics: a form of
evaluation, secondary participant, level of evaluation, and
relativeness of evaluation. As previously stated, we evaluate
our proposal mainly by instantiating our proposal. However,
we also collected some feedback from stakeholders.
Regarding the form of evaluation, [29] states that it can be
quantitative or qualitative. In this research, we performed a
qualitative evaluation. Triangulation is the combination of two
or more data sources, investigators, methodologic approaches,
theoretical perspectives [57], [58] or analytical methods [58]
within the same study. To evaluate the proposed metamodels, a
methodological triangulation technique was used since the
authors collected data from several sources: documents, semi-
structured interview, a survey, and a field study (observation).
By using multiple methods, the researcher strives to decrease
the “deficiencies and biases that stem from any single method”
[59] creating “the potential for counterbalancing the flaws or
the weaknesses of one method with the strengths of another.”
According to [60], a process is assessed through evidence
indicators of the way it performs. In this research, we
performed a field study in which we observe users as they
work, taking notes on particular activities and often asking
questions to collect the required process performance evidence.
Fig. 3: Motivational instantiation
 Fig. 4: Management Practices & Inputs/Outputs Instantiation
Regarding the secondary participants, a semi-structured
interview was conducted with three relevant IT department
leaders (STI, DITIC, and NCIRC). The interviewees were
expert IT personnel with extensive knowledge of the scope of
the service request and incident management, as well as ISMS.
In this meeting, the authors presented the models and the field
study findings, and received valuable feedback. Moreover,
some structured quantitative data were collected to evaluate the
proposal. Each interviewee was asked to fill a short survey
based on the relevant evaluation criteria recommended by [29].
The survey was composed of five short questions as shown
in Table 5. They were asked to each answer in a six point scale
where “0 –Completely Disagree” and “5 –Completely Agree”.
Due to space limitations we can only present a subset of the
questions asked: “Do you consider that the proposed artifacts to
be useful to support decision-making and process improvement
recommendations in your organization?”; “Do you consider
that by applying these artifacts to IT transformation based on
Enterprise Governance of IT (EGIT) Practices (such as COBIT,
ITIL, ISOs) would they be useful in clarifying stakeholders
about IT functions performed (description of “as-is” state)?”
Regarding the level of evaluation, this proposal was
evaluated via the instantiation of the model, and so, it can be
considered an ex-post evaluation. Finally, the relativeness of
the evaluation, and since there is no comparable artifact, we
can claim that, in this first iteration of the DSRM, this is a
relative to the absence of artifact evaluation. It means that
there is no comparable artifact to compare this proposal.
Additionally to the method for evaluation, [29] also propose
a set of criteria that can be used to evaluate a Design Science
Research proposal.
Taking into account the system view of the proposed
model, the criteria dimensions that are relevant to this
evaluation were the goal, and structure system dimensions.
These dimensions define a subset of criteria that evaluate the
models regarding their efficacy, validity, and generality (for the
goal dimension), and completeness, simplicity, clarity, and
homomorphism (for the structure dimension).
As mentioned, a semi-structured interview was conducted,
as well as a short survey with a small set of questions to
qualitatively assess the participants’ sensibility towards the
criteria before mentioned pertaining to the goal and structure
dimensions. Regarding efficacy, validity, and generality, the
authors collected positive feedback as the secondary
participants (IT team leaders) considered to have obtained a
clearer view of their organization’s as-is state in regard to the
scope of the field study performed. The participants also
indicated that they believed such a field study could be applied
to other IT areas within the organization to assist key
stakeholders in understanding IT transformation.
 From the open-ended interviews and survey the authors
would like to highlight comments such as “the models contain
the primary modules that enable the clear description of the
organization’s functions”, “the models contain information
relevant to support IT transformation” which indicate that the
participants identified some degree of completeness, clarity,
and homomorphism regarding the instantiated viewpoint of
their organization.
However, some limitations were also identified. None of
the interviewees were deeply familiar with the ArchiMate
language. However, after a brief explanation, they were capable
of easily identifying the concepts and perceive the existing
relationships in the models. They suggested that in the
organizational environment some training would be required to
increase the skills and knowledge of all collaborators. This
feedback is not unexpected as these ArchiMate models are
targeted at EA practitioners. However, like BPMN is widely
used for specifying organization business processes, ArchiMate
can also become widespread in organizations. As the
ArchiMate language is considered to be easy to learn and
understand [61], the authors believe that some criticism
regarding this language is exaggerated. The feedback allowed
us to point out that any increased complexity by using
ArchiMate is largely overcome by the reduced difficulty in
understanding and assessing COBIT 5 and ISO 27001
simultaneously.
VIII. CONCLUSION
The primary goal of this research is to facilitate the
simultaneous assessment of COBIT 5 and ISO 27001 by
proposing visual models as a complement to their current
textual representation. Tackling the complexity of the elements
of both COBIT 5 and ISO 27001 with the visual representation
helps organizations, as they will find it less complex to
understand and assess both approaches simultaneously,
realizing business benefits that are complementary and
interrelated.
This statement was validated in practice by the field study
and the interviews performed. These models allowed us to then
simultaneously assess a selected process within an organization
from a COBIT 5 and ISO 27001 perspective. Not only were we
able to establish the “as-is” state of this process through a
COBIT process capability Level 1 assessment but also to
perform an assessment into the COBIT capability level 2 as to
gather additional information and thus propose process
improvement recommendations for the organization.
This research has some limitations. First of all, the collected
data was limited to the Portuguese Navy. Also, due to space
limitations, the survey applied is only described but not
thoroughly presented and thus the qualitative data collected
from interviews was not totally represented in this article.
However, the authors intend to use these data to discuss and
present further research. Finally, EA models size, level of detail
and complexity can make its analysis by human means only a
hard task [36].
Nevertheless, the authors are still performing more
interviews and collecting more data from other organizations as
well as pursuing validation of the mappings by receiving more
feedback from specialists. In the future, the authors also plan to
add our models into an EA Management software that will
allow us to automatically answer questions such as “How many
resources do we have allocated to comply with a given ISO
27001 control?”, which is an important feature for auditing in
the digital age.
For future work it would also interesting to develop a
Maturity Model for ISO 27001, to assess the maturity of the
information security management of an organization.
REFERENCES
[1] S. De Haes and W. Van Grembergen. Enterprise Governance of
Information Technology: Achieving Strategic Alignment and Value
Featuring COBIT 5. New York, U.S.A: Springer Verlag, 2015.
[2] IT Governance Institute. “Board briefing on IT governance”.
Information Technology Governance Institute, 2003.
[3] P. Weill.. “Don't Just Lead, Govern: How Top-Performing Firms Govern
IT.” MIS Quarterly Executive, 3(1) 1-17, 2004.
[4] C. Pardo, F. J. Pino, F. Garcia, M. T. Baldassarre and M. Piattini. “From
chaos to the systematic harmonization of multiple reference models: A
harmonization framework applied in two case studies”. Journal of
Systems and Software, 86(1), 125-143, 2013.
[5] C. Pardo, F. J. Pino, F. García, M. Piattini and M. T. Baldassarre. “An
Ontology for the Harmonization of Multiple standards and Models.”
Computer Standards & Interfaces, 34, 48-59, 2012.
[6] I. Aaen. “Software Process improvement: Blueprints versus Recipes.”
IEEE Software Journal, 86-93, 2003.
[7] S. Sahibudin, M. Sharifi, and M. Ayat. “Combining ITIL, COBIT, and
ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in
Organizations”. Asia International Conference on Modeling, 2008.
[8] T. Coleman, and A. Chatfield. “Promises and Successful Practice in IT
Governance: a Survey of Australian Senior IT Managers.” In: 15th
Pacific Asian Conference on Information Systems: Quality Research in
Pacific, PACIS 2011. Queensland (pp. 1-15), 2011.
[9] R. S. Debreceny, and G. L. Gray. “IT Governance and Process Maturity:
a Multinational Field Study.” Journal of Information Systems, vol. 27,
no. 1, pp. 157-188, 2011.
[10] ISACA. COBIT 5: A Business Framework for the Governance and
Management of Enterprise IT. ISACA, 2012.
[11] R. Sheikhpour, and N. Modiri. “An Approach to Map COBIT Processes
to ISO/IEC 27001 Information Security Management Controls”.
International Journal of Security and its Applications, 13-28, 2012.
[12] M. E. Porter, and V. E. Millar. “How information gives you competitive
advantage.” Harvard Business Review, 63(4), 149-160, 1985.
[13] M. T. Dlamini, J. H. Eloff, and M. M. Eloff. "Information security: The
moving target." computers & security, 28.3-4, 189-198, 2009.
[14] International Standard Organization. Information Technology – Process
Assessment – Process Reference Model for Information Security
Management, ISO Technical Specification 33052, 2016.
[15] International Standard Organization . Information Technology – Security
Techniques – Information Security Management Systems –
Requirements, 2nd edn. ISO Standard 27001, 2013.
[16] M. Nicho and S. Muamaar. “Towards a Taxonomy of Challenges in an
Integrated IT Governance Framework Implementation.” Journal of
International Technology and Information Management, 2016.
[17] S. Biffl, D. Winkler, R. Höhn, H. Wetzel. “Software process
improvement in Europe: potential of the new V-modell XT and research
issues”. Software Process: Improvement and Practice 11, 229–238, 2006.
[18] M. Gehrmann. “Combining ITIL, COBIT, and ISO/IEC 27002 for
Structuring Comprehensive Information Technology for Management in
Organizations”. NAVUS: Revista de Gestão e Tecnologia, pp. 66-77,
2012.
[19] M. Vicente, N. Gama and M. Mira da Silva. “Using ArchiMate to
represent ITIL Metamodel.” In: IEEE International Conference on
Business Informatics (CBI), pp. 270-275, 2013.
[20] R. Pereira, and M. Mira da Silva, M. Designing a new integrated IT
Governance and IT Management framework based on both scientific and
practitioner viewpoint. International Journal of Enterprise Information
Systems (IJEIS), 8(4), 1–43, 2012.
[21] A. Pajić, O. Pantelić, and B. Stanojević. “Representing IT performance
management as metamodel”. International Journal of Computers
Communications & Control, 9(6), 758-767, 2014.
[22] Y. Bartens, S. De Haes, L. Eggert, L. Heilig, K. Maes, F. Schulte and S.
Voß. “A visualization approach for reducing the perceived complexity of
COBIT 5”. In International Conference on Design Science Research in
Information Systems. Springer, Cham, pp. 403-407, 2014.
[23] M. Goeken, and S. Alter. “Towards Conceptual Metamodeling of IT
Governance Frameworks Approach-Use-Benefits.” In: IEEE 42nd
Hawaii International Conference on System Sciences. Hawaii: IEEE,
2009.
[24] A. Hevner, S. March, J. Park and S. Ram. “Design Science in
Information Systems Research.” MIS Quarterly, 78-105, 2004.
[25] J. G. Walls, G. R. Widmeyer and O. A. El Sawy. “Assessing information
system design theory in perspective: how useful was our 1992 initial
rendition?” JITTA: Journal of Information Technology Theory and
Application, 6(2), 43, 2004.
[26] A. G. L. Romme. “Making a difference: Organization as design.”
Organization Science, 14(5), 558-573, 2003.
[27] K. De Maere and S. De Haes. "Is the Design Science Approach fit for IT
Governance Research?" In: 16th European Conference on Research
Methods in Business and Management, ECRM, 2017.
[28] K. Peffers, T. Tuunanen, M. A. Rothenberger, and S. Chatterjee. “A
design science research methodology for information systems
research”. Journal of management information systems, 24(3), 45-77,
2007.
[29] N. Prat, L. Comyn-Wattiau and J. Akoka. “Artifact Evaluation in
Information Systems Design-Science Research: A Holistic View.” In:
18th Pacific Asia Conference on Information Systems. Chengdu, China,
2014.
[30] International Standard Organization. Information Technology - Security
techniques - Information security management systems - overview and
vocabulary. ISO Standard 27000, 3rd edition, 2014.
[31] M. Nicho and S. Muamaar. “Towards a Taxonomy of Challenges in an
Integrated IT Governance Framework Implementation.” Journal of
International Technology and Information Management, 2016.
[32] ISACA. COBIT 5 Process Assessment Model (PAM): Using COBIT 5.
ISACA, 2013.
[33] International Standard Organization. ISO/IEC 15504-1 (2004).
Information technology - Process Assessment - Part 1: Concept and
Vocabulary, International Organization for Standardization (ISO) and
International Electrotechnical Commission (IEC), 2004.
[34] International Standard Organization. ISO/IEC 15504-2 (2003). Software
Engineering - Process Assessment - Part 2: Performing an Assessment,
International Organization for Standardization (ISO) and International
Electrotechnical Commission (IEC), 2003.
[35] International Standard Organization. International Standard Technical
Specification ISO/IEC TS 33072 (2016). Information technology
Process assessment Process capability assessment model for Information
Security Management, 2016.
[36] M. Lankhorst, M. Enterprise Architecture at Work: Modeling,
Communication and Analysis. The Enterprise Engineering Series, 3rd
edition. Springer, 2013.
[37] M. Lankhorst and J. Niehof. Combining ArchiMate® 3.0 with Other
Standards – BPMN. BiZZdesign. URL:
http://blog.bizzdesign.com/combining-archimate-3.0-with-other-
standards-bpmn (visited on 01/11/2017), 2016.
[38] M. Lankhorst and J. Niehof. Combining ArchiMate® 3.0 with Other
Standards – UML / SysML/ ERD. BiZZdesign. URL:
http://blog.bizzdesign.com/combining-archimate-3.0-with-other-
standards-uml-/-sysml-/-erd (visited on 01/11/2017), 2016.
[39] The Open Group. ArchiMate 3.0.1 Specification. Retrieved from The
Open Group Publications:
View publication stats
http://pubs.opengroup.org/architecture/archimate3-doc/ (visited on
20/10/2017), 2016.
[40] The Open Group. ArchiMate® 2.1. Retrieved from The Open Group
Publications http://pubs.opengroup.org/architecture/archimate2-doc/
(visited on 10/08/2017), 2013.
[41] B. Edmonds, “What Is Complexity? -The Philosophy of Complexity Per
Se with Application to Some Examples in Evolution,” The evolution of
complexity, 1995.
[42] Bartens, Y., De Haes, S., Lamoen, Y., Schulte, F., & Voss, S. (2015,
January). On the way to a minimum baseline in IT governance: using
expert views for selective implementation of COBIT 5. In System
Sciences (HICSS), 2015 48th Hawaii International Conference on (pp.
4554-4563). IEEE.
[43] B. Morel and R. Ramanujam, “Through the Looking Glass of
Complexity: The Dynamics of Organizations as Adaptive and Evolving
Systems,” Organization Science, vol. 10, no. 3, pp. 278–293, 1999.
[44] J. R. Blau and W. McKinley, “Ideas, Complexity, and Innovation.,”
Administrative Science Quarterly, vol. 24, no. 2, pp. 200–219, 1979.
[45] S. C. Sommer and C. H. Loch, “Selectionism and Learning in Projects
with Complexity and Unforeseeable Uncertainty,” Management Science,
vol. 50, no. 10, pp. 1334–1347, 2004.
[46] M. T. Pich, C. H. Loch, and A. D. Meyer, “On Uncertainty, Ambiguity,
and Complexity in Project Management,” Management Science, vol. 48,
no. 8, pp. 1008–1023, 2002.
[47] B. Shalit, “Structural Ambiguity and Limits to Coping,” Journal Of
Human Stress, vol. 3, no. 4, pp. 32–45, 1977.
[48] P. Checkland, Systems Thinking, Systems Practice. Hoboken, NJ: John
Wiley & Sons, 1999.
[49] W. J. Orlikowski and D. Robey, “Information Technology and the
Structuring of Organizations,” Information Systems Research, vol. 2, no.
2, pp. 143–169, Jun. 1991.
[50] S. L. Schlindwein and R. Ison, “Human Knowing and Perceived
Complexity: Implications for Systems Practice.,” Emergence:
Complexity & Organization, vol. 6, no. 3, 2004.
[51] B. Hasan, “Examining the Effects of Computer Self- Efficacy and
System Complexity on Technology Acceptance,” Information Resources
Management Journal, vol. 20, no. 3, pp. 76–88, 33 2007.
[52] K. Haufe, R. Colomo-Palacios, S. Dzombeta, K. Brandis and V.
Stantchev. “Security Management Standards: A Mapping.” Procedia
Computer Science, 755-761, 2016.
[53] R. Almeida, P. Pinto and M. Mira da Silva. “Using ArchiMate to Assess
COBIT 5 and ITIL Implementations”. In: 25th International Conference
on Information Systems Development (ISD). Poland, 2016.
[54] R. Almeida, P. Pinto and M. Mira da Silva. “Using ArchiMate to
Integrate COBIT 5 and COSO Metamodels”. European, Mediterranean
& Middle Eastern Conference on Information Systems (EMCIS).
Krakow, Poland, 2016.
[55] D. Milicevic and M. Goeken. “Ontology-Based Evaluation of ISO
27001”. Conference on e-Business, e-Service and e-Society, pp. 93-102.
Berlin: Heidelberg, 2010.
[56] Schütte, R., and Rotthowe, T., The Guidelines of Modeling- an approach
to enhance the quality in information models. In Ling, Ram, Lee (Eds.)
Conceptual Modeling - ER 98. Singapore, 16.-19.11.98, (1998), pp. 240-
254.
[57] N. K. Denzin. The research act: A theoretical introduction to
sociological methods. Chicago: Aldine, 1970.
[58] J. Kimchi, B. Polivka and J. S. Stevenson. “Triangulation: Operational
definitions.” Nursing Research, 40(6), 364-366, 1991.
[59] E. S. Mitchell. “Multiple triangulation: A methodology for nursing
science.” Advances in Nursing Science, 8(3), 18-26, 1986.
[60] B. Barafort, V. Betry, S. Cortina, M. Picard, M. St-Jean, A. Renault and
O. Valdés. ITSM Process Assessment Supporting ITIL. (J. Chittenden,
Ed.). Van Haren Publishing, 2009.
[61] M. Lankhorst and H. van Drunen (2007). Enterprise Architecture
Development and Modelling. Combining TOGAF and ArchiMate.