Given the relatively new-found vital importance of Information Technology (IT) for all types of organizations,Enterprise Governance of IT (EGIT) has gained a new focus
[1]. EGIT can be defined as “an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the
organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments.” [1]. This definition is based on the IT Governance Institute [2] definition, which emphasizes that EGIT should be a focus area of corporate governance.

Examples of process mechanisms are EGIT frameworks, best practices, and ISO standards that encourage behaviors consistent with the organization’s mission, strategy, values,norms, and culture [3]. The term ‘EGIT practices’ is used throughout this paper to refer to all frameworks, best practices and ISO standards described in the paper.

Some of these practices are available to provide guidelines in multiple dimensions of IT organizations, e.g., Information Security Management System (ISMS) and IT Governance
Processes. Others are widely used in the industry to improve the competitiveness of organizations or are required as mandatory practices, becoming a regulatory practice in specific market niches [4].

This situation allows organizations to select and complement their processes from the practices which fit their contexts well [5]. However, independently of the EGIT
practices to be used, its implementation requires specific experience and knowledge, along with a high degree of effort and investment, as key factors for it to be successful. All this signifies that the task is not easy and there is a significant risk of failure [6].

Researchers agree that COBIT, ITIL, and ISO 27001 are amongst the most valuable and popular practices currently being adopted and adapted by organizations.

One of the five principles of COBIT 5 is Applying a Single, Integrated Framework [10], which means that COBIT 5 can serve as the overarching practice for EGIT. Leveraging this principle can help organizations attain and maintain ISO 27001 certification through the continual improvement guidelines described in COBIT 5.

The fundamental difference between COBIT and ISO 27001 is that ISO 27001 is only focused on information security, whereas COBIT is focused on more general IT domains. Thus, COBIT has broader coverage of general IT topics but does not have as many detailed information security requirements as ISO 27001 [11].

Information security is a critical success factor for organizations that face the transformation process, as information is a source of competitive advantage [12]. Current
information security challenges are evolving, and organizations need to assure that they have adequate security controls in place. Information security has evolved from addressing minor and harmless security breaches to managing those with a huge
impact on organizations’ economic growth [13].

COBIT 5 [10] includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. PRMs are always related to
a Process Assessment Model (PAM) which holds all details to determine the capability of the processes of the reference model. In turn, ISO/IEC Technical Specification (TS) 33052 [14] describes the processes including the information security management system (ISMS) processes implied by ISO/IEC 27001 [15]. ISO/IEC TS 33072 provides a PAM for information security management.

Depending on what the organization is trying to achieve, one particular practice may be more important than another. When the dynamics of the environment change or other issues take priority, a different practice may take priority.

The increasing demands of the industry coupled with compliance requirements have forced organizations to adopt many EGIT practices simultaneously [16]. Maximizing the
value of intellectual property, managing risk and security and assuring compliance through effective EGIT has never been more important. This situation adds even more complexity to the field since organizations struggle with the perceived complexity and difficulty of adopting several practices at the same time [5] because each practice defines its own scope, definitions, and terminologies [17].

Since all these EGIT practices overlap, using them independently prevents organizations from asserting full IT management and governance because each practice has limitations in its application to the management of specific IT areas [18]. At a time when  rganizations strive to be efficient and effective, it seems counterintuitive to be wasting resources by having different organizational departments handling different practices independently [19] since each EGIT practice overlaps at least in part with other practices [20], [21].

To sum up, the problem that this research intends to help solve is ‘the perceived complexity of understanding and assessing COBIT 5 and ISO 27001 simultaneously’.
Therefore, the primary goal of this research is to facilitate the simultaneous assessment of COBIT 5 and ISO 27001 by proposing visual models as a complement to their current
textual representation. Visual models are essential since they  depict a comprehensible representation, making information more explicit [22] and can also contribute to increasing the theoretical foundation of these practices [23]. Thus, in this paper, an ArchiMate model is proposed as the Enterprise Architecture (EA) language to model ISO 27001, ISO TS 33052 and ISO/IEC 33072, enabling in this way the integration
with COBIT 5, facilitating its simultaneous assessment.

A field study was conducted in the Portuguese Navy regarding the COBIT 5 Manage Service Requests and Incidents process and its corresponding processes in ISO/IEC TS 33052.

The primary goal of this research is to facilitate the simultaneous assessment of COBIT 5 and ISO 27001 by proposing visual models as a complement to their current
textual representation. Tackling the complexity of the elements of both COBIT 5 and ISO 27001 with the visual representation helps organizations, as they will find it less complex to understand and assess both approaches simultaneously, realizing business benefits that are complementary and interrelated.
This statement was validated in practice by the field study and the interviews performed. These models allowed us to then simultaneously assess a selected process within an organization from a COBIT 5 and ISO 27001 perspective. Not only were we
able to establish the “as-is” state of this process through a COBIT process capability Level 1 assessment but also to perform an assessment into the COBIT capability level 2 as to gather additional information and thus propose process improvement recommendations for the organization.
This research has some limitations. First of all, the collected data was limited to the Portuguese Navy. Also, due to space limitations, the survey applied is only described but not thoroughly presented and thus the qualitative data collected from interviews was not totally represented in this article.
However, the authors intend to use these data to discuss and present further research. Finally, EA models size, level of detail and complexity can make its analysis by human means only a  hard task [36].
Nevertheless, the authors are still performing more  interviews and collecting more data from other organizations as well as pursuing validation of the mappings by receiving more feedback from specialists. In the future, the authors also plan to
add our models into an EA Management software that will allow us to automatically answer questions such as “How many resources do we have allocated to comply with a given ISO 27001 control?”, which is an important feature for auditing in
the digital age.
For future work it would also interesting to develop a Maturity Model for ISO 27001, to assess the maturity of the information security management of an organization.


P Milley, B Szijarto, K Svensson, JB Cousins – Evaluation, 2018 – journals.sagepub.com