Creating Mature Policies and Processes with COBIT 2019 and the CMMI Framework

10.07.24 12:46 By Daniel Sitton

Creating Effective Policies and Processes with COBIT 2019 and Gauging Process Maturity Using the CMMI Framework

In my 20 years in Banking IT and Cybersecurity making sure that our IT governance and management practices were effective, is critical to running a smooth IT/IS Operation and lowering risk. Two powerful frameworks that helped me achieve this are COBIT 2019 and the Capability Maturity Model Integration (CMMI). This article will guide you through creating policies and processes using COBIT 2019 and how to use the CMMI framework to gauge process maturity, all in an easy-to-understand manner.  There is a huge difference between saying you have a policy/process and managing them to be effective and showing the evidence. 

If you are still here I know what you are thinking.  You need a full time person to implement this. This would be the end goal as you grow and want to implement an IT Governance role. You have to right-size these solutions.  Take the meat of this and use it to make things better where you are at right now.  Get the processes documented, go through and assess them with your team and rate them on the maturity scale, and when you write your strategic plan mention you are going to continually develop and improve policies and processes.  Tell your team or make a note for yourself, "I'm going to take these 3 processes and move them from a 1 to a 3.  That's a huge win!  Go you!  Keep at it, do what you can, and don't kill yourself.  Remember to report these to the Executives on you progress the following year.  You can always call Guardian to  help or walk through it with you.

Understanding COBIT 2019

COBIT 2019 (Control Objectives for Information and Related Technologies) is a comprehensive framework for managing and governing enterprise IT. It provides a set of best practices, tools, and models to help organizations achieve their IT governance goals. COBIT 2019 focuses on aligning IT with business objectives, ensuring value delivery, and managing risks.  I know it sounds boring but hang in there with me.  Once you start rolling with this, it gets much better and everything is easier to understand and everyone knows what needs to be done, and who's doing it. 

Key Components of COBIT 2019:

  1. Governance and Management Objectives: These are divided into five domains: Evaluate, Direct, and Monitor (EDM); Align, Plan, and Organize (APO); Build, Acquire, and Implement (BAI); Deliver, Service, and Support (DSS); and Monitor, Evaluate, and Assess (MEA).
  2. Design Factors: These factors help tailor the COBIT framework to the specific needs of an organization, considering aspects like enterprise strategy, goals, risk profile, and compliance requirements.
  3. Goals Cascade: This mechanism translates stakeholder needs into actionable goals and objectives for the organization.

Creating Policies and Processes with COBIT 2019

Step 1: Identify Stakeholder Needs Begin by understanding the needs and expectations of your stakeholders. This includes internal stakeholders (employees, management) and external stakeholders (customers, regulators).

Step 2: Define Governance and Management Objectives Using the COBIT 2019 framework, define the governance and management objectives that align with your stakeholder needs. For example, if data security is a priority, focus on objectives related to risk management and compliance.

Step 3: Tailor the Framework Using Design Factors Consider the design factors specific to your organization, such as its size, industry, regulatory environment, and strategic goals. Tailor the COBIT framework to address these factors effectively.

Step 4: Develop Policies and Processes Create detailed policies and processes that align with the defined objectives. Ensure these policies are clear, actionable, and enforceable. For instance, if you are focusing on data security, develop policies for data encryption, access control, and incident response.

Step 5: Implement and Communicate Implement the policies and processes across the organization. Communicate them effectively to all stakeholders, ensuring everyone understands their roles and responsibilities.

Step 6: Monitor and Evaluate Regularly monitor and evaluate the effectiveness of the policies and processes. Use metrics and KPIs to assess performance and make necessary adjustments.

Gauging Process Maturity with the CMMI Framework

The Capability Maturity Model Integration (CMMI) framework helps organizations assess the maturity of their processes and identify areas for improvement. It provides a structured approach to process improvement, focusing on five maturity levels:

  1. Initial (Level 1): Processes are unpredictable, poorly controlled, and reactive.
  2. Managed (Level 2): Processes are planned, documented, and executed in accordance with policy.
  3. Defined (Level 3): Processes are well-characterized and understood, and are described in standards, procedures, tools, and methods.
  4. Quantitatively Managed (Level 4): Processes are measured and controlled using quantitative techniques.
  5. Optimizing (Level 5): Focus is on continuous process improvement through incremental and innovative changes.

Using CMMI to Gauge Process Maturity:

Step 1: Conduct a Process Assessment Begin by conducting a thorough assessment of your current processes. Identify which processes are in place and how they are being executed.


Step 2: Determine the Current Maturity Level Using the CMMI framework, determine the current maturity level of each process. This involves evaluating the consistency, documentation, and control of the processes.


Step 3: Identify Gaps and Areas for Improvement Identify gaps between the current maturity level and the desired maturity level. Highlight areas where processes need to be standardized, documented, or controlled more effectively.


Step 4: Develop an Improvement Plan Create a detailed plan to address the identified gaps. This plan should include specific actions, timelines, and responsible parties for improving process maturity.


Step 5: Implement and Monitor Improvements Implement the improvement plan and monitor progress regularly. Use metrics and KPIs to track the effectiveness of the improvements and make adjustments as needed.


     Step 6: Aim for Continuous Improvement Strive for continuous process improvement by regularly reassessing process maturity and making incremental changes. Encourage a culture of innovation and improvement within the organization.


By leveraging my 20 years of experience in banking cybersecurity and the expertise of Guardian Technology Group, we can systematically enhance these critical processes. Using the CMMI framework to gauge process maturity allows us to identify areas for improvement and strategically plan for continuous enhancement throughout the year. This approach ensures that our processes are not only efficient and effective but also aligned with our long-term strategic goals, ultimately leading to greater organizational success and resilience.

Let’s connect to discuss how we can help your organization achieve these improvements and secure a robust future.