COBIT 5 Enabler – Principles, Policies and Frameworks
Principles, policies and frameworks are the communication mechanisms through which the governing body and management convey their direction and instructions to the organisation, in support of the governance objectives.
Each enabler, including Principles, policies and frameworks, is broken down into the four generic enabler dimensions (stakeholders, goals, life cycle and good practices). Each of these dimensions contains enabler-specific information.
The dimensions specific to the Principles, policies and frameworks enabler are:
Stakeholders:
Stakeholders can be internal or external to the organisation and include the board and executive management, compliance officers, risk managers, internal and external auditors, service providers and customers, and regulatory agencies. Some stakeholders define and set policies; others have to comply with them.
Goals and metrics:
Principles need to be limited in number and should express the core values of the enterprise as clearly as possible. Good policies are effective, meaning they achieve their stated purpose; efficient, meaning they are implemented using the minimum amount of resources; and non-intrusive, meaning they appear logical to those who have to comply with them. Governance and management frameworks should provide management with the structure, guidance, tools, etc., that support the proper governance and management of IT. Frameworks should therefore be comprehensive, open and flexible, current, and available and accessible to all stakeholders.
Life cycle:
Frameworks provide a structure for defining consistent guidance and for the navigation, creation and maintenance of policies throughout their life cycle.
Good practices:
Good practice requires that policies be part of an overall governance and management framework that provides a structure into which all policies fit and that clearly links them to the underlying principles. Specifically, good practice for policies requires that we define their scope and validity, the consequences of failing to comply with them, how exceptions are handled, and how compliance will be checked and monitored.