COBIT 5 Enablers – Principles, Policies and Frameworks
In COBIT, ‘Principles, Policies, and Frameworks’ are the communication mechanisms used to convey the governing body’s or management’s directions and instructions for the organization in support of governance objectives.
Each enabler, including principles, policies, and frameworks, is broken down into four generic enabler dimensions. Each of these dimensions contains enabler-specific information.
The principles, policies, and frameworks-specific enabler dimensions are:
Stakeholders:
Stakeholders can be internal or external to the organization and include the board and executive management, compliance officers, risk managers, internal and external auditors, service providers and customers, and regulatory agencies.
Some stakeholders define and set policies, while others simply have to comply with policies.
Goals and metrics:
Principles need to be limited in number and should express as clearly as possible the core values of the enterprise.
Good policies are effective (meaning they achieve the stated purpose), efficient (meaning they are implemented using the minimum amount of resources), and non-intrusive (meaning they appear logical for those who have to comply with them).
Governance and management frameworks should provide management with the structure, guidance, tools, etc., that support the proper governance and management of IT. Frameworks should therefore be comprehensive, open and flexible, current and available, and accessible to all stakeholders.
Good practices:
Frameworks provide a structure to define consistent guidance, navigation, creation, and maintenance of policies.
Good practices require that policies be part of an overall governance and management framework. This provides a structure into which all policies should fit, and it clearly links them with the underlying principles.
Specifically, good practices for policies require that we consider their scope and validity, the consequences of failing to comply with the policy, how to handle exceptions, and how they will be monitored.