Using COBIT for IT Organizational Design by Azhar Zia-ur-Rehman, CISA, CRISC, CISM, ISO 27001 LA

The organizational structure of an IT department is usually the result of a series of changes, trials, experiments and political manipulations. It is often adjusted to suit or accommodate individuals. As a result, the organization is sometimes cumbersome and the cause of problems, inefficiency, and excess cost. The process described herein has been developed from experience gained by participating in numerous efforts to redesign and transform IT organizations.

Step 1: Select the Standards
The primary objective is to deliver value to stakeholders from IT-enabled investments. The organizational design should follow standards and good practices so that the resulting design is easy to defend and noncontroversial. Start by selecting from the following set of frameworks, standards, and good practices:

  • COBIT 5—Ensures that all aspects of IT are covered in terms of processes as well as tasks. COBIT 5 also provides the structure needed to ensure that alignment exists from stakeholder requirements through the enterprise and IT-related goals to all enablers.
  • Skills Framework for the Information Age (SFIA V6)—Ensures that all skills that are required have been included and are reflected in the design of job descriptions
  • ISO/IEC 38500:2015—Covers the IT governance aspects in detail
  • ISO/IEC 20000:2011—Covers the service management aspects in detail
  • ISO/IEC 27001:2013—Covers the information security aspects in detail

Some organizations may prefer to add more standards, good practices or local regulations, codes or laws. One of the very helpful codes in this regard is King III (soon to be King IV), which is the corporate governance code from South Africa. It can be used anywhere to design a robust IT governance system. Of the 5 previously listed frameworks, standards and good practices, the first 2 cannot be neglected. Senior management may decide not to consider the remaining 3.

Step 2: The First Iteration
The first iteration of the functional organization comes straight from COBIT 5 and consists of the following functional elements:

  • Board of directors (BoD)
  • Strategy executive committee of the BoD
  • Steering committee (reporting to the chief executive officer [CEO])
  • CEO
  • Chief information officer (CIO)
  • Evaluate, Direct and Monitor (EDM) domain
  • Align, Plan and Organize (APO) domain
  • Build, Acquire and Implement (BAI) domain
  • Deliver, Service and Support (DSS) domain
  • Monitor, Evaluate and Assess (MEA) domain

The accountabilities and responsibilities of these are listed in the various responsible, accountable, consulted and informed (RACI) charts in COBIT 5: Enabling Processes. The accountabilities and responsibilities of the BoD, the strategy committee, the steering committee and all the chief officers (CxOs) can be compiled at this stage from the various RACI charts. The “Activities” listed under the respective processes in the EDM domain spell out the activities in which these entities have to be involved. SFIA V6 can then be used to ensure that all skills needed by these entities have been accounted for and are possessed by various stakeholders. At the conclusion of this step, the accountabilities, responsibilities, and activities of the BoD, the strategy committee, the steering committee and the CxOs have been decided and documented.

Step 3: Design the APO, BAI and DSS Sections
The APO, BAI and DSS domains consist of many subdomains (called processes in COBIT 5). These COBIT 5 processes may need to be grouped to reduce the number of sections and, therefore, the head count. However, in large organizations, each process may be a section by itself. The following are just logical suggestions for possible groupings:

  • APO01 and APO02 may be combined to form a section titled “IT Strategy.”
  • APO03 and APO04 can be combined in a section titled “IT Innovation.”
  • APO05, APO06 and APO07 can, ideally, form the “IT Project Management Office (PMO)” section.
  • APO08, APO09 and APO10 can be combined to form the “Service Level Management” section.
  • APO11 and APO12 can be grouped under the “IT Assurance” section.
  • APO13 forms the “Information Security” (not “IT Security”) section.
  • BAI01 joins the “IT PMO” section, along with APO05, APO06 and APO07 in a medium-sized IT setup. However, it may be a separate section where in-house development is done on a large scale.
  • BAI02, BAI03 and BAI04 should ideally join under a section possibly titled “Application Design.”
  • BAI05, BAI06 and BAI07 form the “IT Change Management” section.
  • BAI08, BAI09 and BAI10 go under the “Asset and Configuration Management” section.
  • DSS01 forms the very important “IT Operations” section.
  • DSS02 and DSS03 combine in the “Incident and Problem Management” section.
  • DSS04 becomes the “Continuity Management” section.
  • DSS05 becomes the “IT Security” (not “Information Security”) section.
  • DSS06 forms the “Controls Management” section.

In small IT organizations, these processes may be combined further, taking care that some segregation is maintained and all listed activities and all related metrics have been assigned.

Step 4: Design the MEA Section
Medium-sized and large IT setups should preferably have an IT assurance section that ensures that IT governance is being done within the IT setup. It should coordinate with internal audit in the planning and conduct of technology audits. It should also coordinate with the corporate compliance department in the planning, implementation and monitoring of laws, codes, standards and good practices. In small IT shops, the MEA section can be either part of internal audit or split between internal audit and corporate compliance. However, in any case, the activities and the related metrics need to be assigned completely.

Step 5: Design the Job Descriptions
Having designed the organization structure, it is necessary to design the respective job descriptions. Job descriptions can be created as a combination of the activities and the related metrics given by COBIT 5 and the activities listed in SFIA V6. The following has to be ensured to finalize the job descriptions:

  • All activities in COBIT 5 have been assigned.
  • All related metrics in COBIT 5 have been assigned.
  • All skills at all levels of responsibility listed in SFIA V6 have been assigned.
  • Any activities, related metrics and skills (at any level of responsibility) that have not been assigned should be listed and their nonassignment justified.

Step 6: Revise the IT Processes
The job descriptions should be synchronized with the IT processes. Therefore, it is necessary that all IT processes are reviewed and the responsibilities therein reassigned to conform to the new job descriptions. IT organization design and maintenance is best done using proper tools. The capabilities required include:

  • Process management
  • Enterprise architecture
  • Risk management

Many governance, risk management and compliance (GRC) tools have been assessed and analyzed from the perspective of using them for organization design. A GRC tool that has strong process management capabilities integrated with risk management and enterprise architecture is a must. It is ideal if, in addition, that suite of tools supports a maturity assessment.

The 6-step process described in this article has been used in designing the organization structures in many organizations, big and small, and it works. The activity may take weeks in large organizations and can be as short as a week in small ones. In using this methodology, there is a need for synchronization between the activities listed in COBIT 5 and the skills described in SFIA V6 at different levels of responsibility. Any reorganization deals directly with humans, and there is a human factor that may, at times, oppose the recommendations of this methodology. This factor needs to be considered only to the extent that it does not interfere with the requirements of segregation of duties. The final recommendation is that the organization design be done as per theory and then fine-tuned to accommodate the politics.

The Minister of Research, Technology and Higher Education (Menristekdikti) officially launched the Online Higher Education Accreditation System (Sistem Akreditasi Pendidikan Tinggi Online, SAPTO). BAN-PT confirmed that the facility will be in operation in May 2017. The Director of the BAN-PT Executive Board, Tcan Basaruddin, said that SAPTO will make it easier for higher education institutions to submit accreditation documents for the adequacy assessment, which assessors carry out from their home location. According to him, the breakthrough is a form of support for the government, which is committed to systematically and programmatically improving the quality of the higher education sector in Indonesia. Alongside SAPTO, a National Accreditation System (Sistem Akreditasi Nasional, SAN) is also being developed, which will become the new foundation for the BAN-PT accreditation process. SAPTO and SAN will be the basis for developing new accreditation instruments as mandated by Permenristekdikti No. 32/2016. Under that regulation, BAN-PT functions as the body that formulates accreditation policy and carries out that policy and the accreditation process, “to determine the eligibility of study programmes and higher education institutions based on criteria that refer to the national higher education standards, and to assure the quality of study programmes and higher education institutions externally, in both academic and non-academic areas, in order to protect the interests of students and the public.” According to the Minister of Research, Technology and Higher Education, Mohammad Nasir, accreditation documents can be submitted online, so that the assessment need only be carried out at the assessor's home location, and he hopes that higher education accreditation can become more effective, with the unit cost reduced by up to 20 percent. As of (8/12), BAN-PT had accredited 1,044 higher education institutions and 19,011 study programmes. The accreditation process is funded entirely from the state budget (APBN). The average unit cost of the accreditation process per institution is Rp 64,300,000, while the accreditation process per study programme is Rp 30,800,000. In 2016, BAN-PT processed 276 applications for accreditation of higher education institutions and 3,403 for study programmes.

Online Higher Education Accreditation System (SAPTO) starts May 2017

Classification of Scientific Journals

Based on the regulations in force in Indonesia relating to journal publication, scientific journals can be divided into 4 classifications, as follows:

  1. National journal
    A national journal is a scientific periodical that meets the following criteria:

    • Scientific papers are written in accordance with scientific principles and scholarly ethics;
    • Has an ISSN;
    • Has an online edition;
    • Is managed professionally: regularity of publication, availability of author guidelines, journal identity, etc.;
    • Aims to collect/communicate the results of scientific research and/or scientific concepts in a particular discipline;
    • Is addressed to the scientific community/researchers in the relevant disciplines;
    • Is published by a publisher/scientific body/professional organization/higher education institution and its units;
    • The language used is Indonesian and/or English, with an abstract in Indonesian;
    • Contains scientific papers by authors from at least two different institutions;
    • Has an editorial board consisting of experts in their fields, drawn from at least two different institutions;
    • A national journal that meets criteria a through j and is indexed by DOAJ is given a higher score than a national journal, namely a maximum of 15.
  2. Accredited national journal
    An accredited national journal is a scientific periodical that meets the criteria for a national journal under the Regulation of the Director General of Higher Education or the Head of LIPI on scientific periodicals and has been granted accredited status by the Directorate General of Higher Education or the Head of LIPI, within the applicable validity period of the accreditation result.
  3. International journal
    An international journal is a journal that meets the following criteria:

    • The scientific papers published are written in accordance with scientific principles and scholarly ethics;
    • Has an ISSN;
    • Is written in an official UN language (English, French, Arabic, Russian or Chinese);
    • Has an online edition;
    • Is managed professionally;
    • The Editorial Board consists of experts in their fields and usually comes from various countries;
    • The scientific articles published in a single issue come from authors in various countries;
    • Contains scientific papers by authors from various countries in every issue.
  4. Reputable international journal
    A reputable international journal is a journal that meets the criteria for an international journal in point 3, with the additional criteria that it is indexed by a reputable international database (Scopus, Web of Science) and has an impact factor from Web of Science (Thomson Reuters) or a Scimago Journal Rank (SJR). This journal ranks highest in the assessment of scientific work, with a maximum score of 40. A journal that meets the criteria for an international journal in point 3 and is indexed by a reputable international database (Scopus and Web of Science) but does not yet have an impact factor from Web of Science (Thomson Reuters) or a Scimago Journal Rank (SJR) ranks second in the assessment, with a maximum score of 30.

Direktorat Pengelolaan Kekayaan Intelektual, Ditjen Penguatan Riset dan Pengembangan. Buku Kekuatan 50 Institusi Ilmiah Indonesia. 2016.

UML Sharing Session with Bu Ferra

UML (Unified Modeling Language) is the successor of the object-oriented analysis and object-oriented design methods (OOA&D, object-oriented analysis and design) that emerged around the end of the 1980s and the beginning of the 1990s. UML is a merger of the Booch, Rumbaugh (OMT) and Jacobson methods, but UML covers more than OOAD. Midway through the development of UML, the process was standardized with the OMG (Object Management Group) in the hope that UML would become the standard modeling language in the future (and it is now widely used by many parties). UML is used to model a system (not only software) using object-oriented concepts, and also to create a modeling language that can be used by both humans and machines. To support students' Final Projects by synchronizing modeling with implementation, the KK IT Governance and Enterprise System research group held a UML Sharing Session.

Day/Date: Thursday, 22 December 2016

Time: 10.00 – 15.00 WIB

Venue: Lab Multimedia Dasar (A7)

Speaker: Ferra Arik Tridalestari, S.T., M.T.

Why is IT Governance important?

IT Governance covers the culture, organization, policies and practices that provide this kind of oversight and transparency of IT. IT Governance is part of a wider Corporate Governance activity but with its own specific focus. The benefits of good IT risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures but also engender greater trust, teamwork and confidence in the use of IT itself and in the people entrusted with IT services. IT Governance has become very topical for a number of reasons:

  • IT has a pivotal role to play in improving corporate governance practices.
  • Management’s awareness of IT related risks has increased.
  • There is a focus on IT costs in all organizations.
  • There is a growing realization that more management commitment is needed to improve the management and control of IT activities.

IT Governance: Developing a Successful Governance Strategy. A Best Practice Guide for Decision Makers in IT.