Search Knowledge

Category: Framework

Program Management – BAI01 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Program

Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control, and execute programs, and monitor expected value from the program.


Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio.

Management practices

BAI01.01 Maintain a standard approach for program management.

Maintain a standard approach for program management that enables governance and management review, decision-making and delivery management activities. These activities should focus consistently on business value and goals (i.e., requirements, risk, costs, schedule and quality targets).

BAI01.02 Initiate a program.

Initiate a program to confirm expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship, confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed.

BAI01.03 Manage stakeholder engagement.

Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information for all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.

BAI01.04 Develop and maintain the program plan.

Formulate a program to lay the initial groundwork. Position it for successful execution by formalizing the scope of the work and identifying deliverables that will satisfy goals and deliver value. Maintain and update the program plan and business case throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and insights gained to date.

BAI01.05 Launch and execute the program.

Launch and execute the program to acquire and direct the resources needed to accomplish the goals and benefits of the program as defined in the program plan. In accordance with stage-gate or release review

criteria, prepare for stage-gate, iteration or release reviews to report progress and make the case for funding up to the following stage-gate or release review.

BAI01.06 Monitor, control and report on the program outcomes.

Monitor and control performance against plan throughout the full economic life cycle of the investment, covering solution delivery at the program level and value/outcome at the enterprise level. Report performance to the program steering committee and the sponsors.

BAI01.07 Manage program quality.

Prepare and execute a quality management plan, processes and practices that align with quality management standards (QMS). Describe the approach to program quality and implementation. The plan should be formally reviewed and agreed on by all parties concerned and incorporated into the integrated program plan.

BAI01.08 Manage program risk.

Eliminate or minimize specific risk associated with programs through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events with the potential to cause unwanted change. Define and record any risk faced by program management.

BAI01.09 Close a program.

Remove the program from the active investment portfolio when there is agreement that the desired value has been achieved or when it is clear it will not be achieved within the value criteria set for the program.


Programme management PGMG

The identification, planning and coordination of a set of related projects within a programme of business change, to manage their interdependencies in support of specific business strategies and objectives. The maintenance of a strategic view over the set of projects, providing the framework for implementing business initiatives, or large-scale change, by conceiving, maintaining and communicating a vision of the outcome of the programme and associated benefits. (The vision, and the means of achieving it, may change as the programme progresses). Agreement of business requirements, and translation of requirements into operational plans. Determination, monitoring, and review of programme scope, costs, and schedule, programme resources, inter-dependencies and programme risk.

Benefits management BENM

Establishing an approach for forecasting, planning and monitoring the emergence and effective realisation of anticipated benefits. Identifying and implementing the actions needed to optimise the business impact of individual and combined benefits. The confirmation of the achievement of expected benefits.

Requirements Definition Management – BAI02 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Requirements Definition

Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.


Create optimal solutions that meet enterprise needs while minimizing risk.

Management practices

BAI02.01 Define and maintain business functional and technical


Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed I&T-enabled business solution.

BAI02.02 Perform a feasibility study and formulate alternative solutions.

Perform a feasibility study of potential alternative solutions, assess their viability and select the preferred option. If appropriate, implement the selected option as a pilot to determine possible improvements.

BAI02.03 Manage requirements risk.

Identify, document, prioritize and mitigate functional, technical and information processing-related risk associated with the enterprise requirements, assumptions and proposed solution.

BAI02.04 Obtain approval of requirements and solutions.

Coordinate feedback from affected stakeholders. At predetermined key stages, obtain approval and sign-off from the business sponsor or product owner regarding functional and technical requirements, feasibility studies, risk analyses and recommended solutions.


Requirements definition and management REQM

The elicitation, analysis, specification and validation of requirements and constraints to a level that enables effective development and operations of new or changed software, systems, processes, products and services. The management of requirements throughout the whole of the delivery and operational life cycle of the software, system, processes, products or services. The negotiation of trade-offs that are both acceptable to key stakeholders and within budgetary, technical, regulatory, and other constraints. The adoption and adaptation of requirements management lifecycle models based on the context of the work and selecting appropriately from plan-driven/predictive approaches or more adaptive (iterative and agile) approaches.

User experience analysis UNAN

The identification, analysis, clarification and communication of the context of use in which applications will operate, and of the goals of products, systems or services. Analysis and prioritisation of stakeholders’ user experience needs and definition of required system, product or service attributes, behaviour and performance. The definition and management of user experience and user accessibility requirements for all potential users.

Business analysis BUAN

The methodical investigation, analysis, review and documentation of all or part of a business in terms of business goals, objectives, functions and processes, the information used and the data on which the information is based. The definition of requirements for improving processes and systems, reducing their costs, enhancing their sustainability, and the quantification of potential business benefits. The collaborative creation and iteration of viable specifications and acceptance criteria in preparation for the deployment of information and communication systems. The adoption and adaptation of business analysis approaches based on the context of the work and selecting appropriately from predictive (plan-driven) approaches or adaptive (iterative/agile) approaches.

Solution Identification and Build Management – BAI03 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Solutions Identification and Build

Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.


Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives.

Management practices

BAI03.01 Design high-level solutions.

Develop and document high-level designs for the solution in terms of technology, business processes and workflows. Use agreed and appropriate phased or rapid Agile development techniques. Ensure alignment with the I&T strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases, or as the solution evolves. Apply a user centric approach; ensure that stakeholders actively participate in the design and approve each version.

BAI03.02 Design detailed solution components.

Develop, document and elaborate detailed designs progressively. Use agreed and appropriate phased or rapid Agile development techniques, addressing all components (business processes and related automated and manual controls, supporting I&T applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs).

BAI03.03 Develop solution components.

Develop solution components progressively in a separate environment, in accordance with detailed designs following standards and requirements for development and documentation, quality assurance (QA), and approval. Ensure that all control requirements in the business processes, supporting I&T applications and infrastructure services, services and technology products, and partner/vendor services are addressed.

BAI03.04 Procure solution components.

Procure solution components, based on the acquisition plan, in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the vendor.

BAI03.05 Build solutions.

Install and configure solutions and integrate with business process activities. During configuration and integration of hardware and infrastructure software, implement control, security, privacy and auditability measures to protect resources and ensure availability and data integrity. Update the product or services catalogue to reflect the new solutions.

BAI03.06 Perform quality assurance (QA).

Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements definition and in the enterprise’s quality policies and procedures.

BAI03.07 Prepare for solution testing.

Establish a test plan and required environments to test the individual and integrated solution components. Include the business processes and supporting services, applications and infrastructure.

BAI03.08 Execute solution testing.

During development, execute testing continually (including control testing), in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.

BAI03.09 Manage changes to requirements.

Track the status of individual requirements (including all rejected requirements) throughout the project life cycle. Manage the approval of changes to requirements.

BAI03.10 Maintain solutions.

Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.

BAI03.11 Define IT products and services and maintain the service portfolio.

Define and agree on new or changed IT products or services and service level options. Document new or changed product and service definitions and service level options to be updated in the products and services


BAI03.12 Design solutions based on the defined development methodology.

Design, develop and implement solutions with the appropriate development methodology (i.e., waterfall, Agile or bimodal I&T), in accordance with the overall strategy and requirements.


Solution architecture ARCH

The design and communication of high-level structures to enable and guide the design and development of integrated solutions that meet current and future business needs. In addition to technology components, solution architecture encompasses changes to service, process, organisation, and operating models. The provision of comprehensive guidance on the development of, and modifications to, solution components to ensure that they take account of relevant architectures, strategies, policies, standards and practices (including security) and that existing and planned solution components remain compatible.

Systems design DESN

The design of systems to meet specified requirements, compatible with agreed systems architectures, adhering to corporate standards and within constraints of performance and feasibility. The identification of concepts and their translation into a design which forms the basis for systems construction and verification. The design or selection of components. The development of a complete set of detailed models, properties, and/or characteristics described in a form suitable for implementation. The adoption and adaptation of systems design lifecycle models based on the context of the work and selecting appropriately from predictive (plan-driven) approaches or adaptive (iterative/agile) approaches.

Systems development management DLMG

The planning, estimating and execution of programmes of systems development work to time, budget and quality targets. The identification of the resources needed for systems development and how this will be met with an effective supply capacity. The alignment of systems development activity and deliverables with agreed architectures and standards. The development of roadmaps to communicate future systems development plans. The adoption and adaptation of systems development lifecycle models based on the context of the work and selecting appropriately from predictive (plan-driven) approaches or adaptive (iterative/agile) approaches.

User experience design HCEV

The process of iterative design to enhance user satisfaction by improving the usability and accessibility provided when interacting with a system, product or service. The design of users’ digital and offline tasks, interactions and interfaces to meet usability and accessibility requirements. The refinement of designs in response to user-centred evaluation and feedback and communication of the design to those responsible for design, development and implementation.

Availability and Capacity Management – BAI04 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Availability and Capacity

Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements.


Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.

Management practices

BAI04.01 Assess current availability, performance and capacity and create a baseline.

Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future Comparison

BAI04.02 Assess business impact.

Identify important services to the enterprise. Map services and resources to business processes and identify business dependencies. Ensure that the impact of unavailable resources is fully agreed on and accepted by the customer. For vital business functions, ensure that availability requirements can be satisfied per service level agreement (SLA).

BAI04.03 Plan for new or changed service requirements.

Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.

BAI04.04 Monitor and review availability and capacity.

Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances. Initiate actions where necessary and ensure that all outstanding issues are addressed.

BAI04.05 Investigate and address availability, performance and capacity issues.

Address deviations by investigating and resolving identified availability, performance and capacity issues.


Availability management AVMT

The definition, analysis, planning, measurement, maintenance and improvement of all aspects of the availability of services, including the availability of power. The overall control and management of service availability to ensure that the level of service delivered in all services is matched to or exceeds the current and future agreed needs of the business, in a cost effective manner.

Capacity management CPMG

The planning, design and management of the capability, functionality and sustainability of service components (including hardware, software, network resources and software/infrastructure as a Service) to meet current and forecast needs in a cost-efficient manner aligned to the business. The modelling of both long-term changes and short-term variations in the level of capacity required to execute the service. The deployment of techniques to control the demand and add/reduce capacity in a cost effective, timely manner to meet changes in demand.

Organizational Change Management – BAI05 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Organisational Change

Maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and with reduced risk. Cover the

complete life cycle of the change and all affected stakeholders in the business and IT.


Prepare and commit stakeholders for business change and reduce the risk of failure.

Management Practices

BAI05.01 Establish the desire to change.

Understand the scope and impact of the desired change. Assess stakeholder readiness and willingness to change. Identify actions that will motivate stakeholder acceptance and participation to make the change work successfully.

BAI05.02 Form an effective implementation team.

Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.

BAI05.03 Communicate desired vision.

Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the road map and the involvement required of the various stakeholders.

BAI05.04 Empower role players and identify short-term wins.

Empower those with implementation roles by assigning accountability. Provide training and align organizational structures and HR processes. Identify and communicate short-term wins that are important from a change-enablement perspective.

BAI05.05 Enable operation and use.

Plan and implement all technical, operational and usage aspects so all those who are involved in the future state environment can exercise their responsibility.

BAI05.06 Embed new approaches.

Embed new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate (which may include enforcing compliance).

BAI05.07 Sustain changes.

Sustain changes through effective training of new staff, ongoing communication campaigns, continued commitment of top management, monitoring of adoption and sharing of lessons learned across the enterprise.


Change implementation planning and management CIPM

The definition and management of the process for deploying and integrating new digital capabilities into the business in a way that is sensitive to and fully compatible with business operations.

Organisation design and implementation ORDI

The planning, design and implementation of an integrated organisation structure and culture including the workplace environment, locations, role profiles, performance measurements, competencies and skills. The facilitation of changes needed to adapt to changes in technologies, society, new operating models and business processes. The identification of key attributes of the required culture and how these can be implemented and reinforced to bring about improved organisational performance.

Change (IT) Management – BAI06 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed IT Changes

Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications

and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes,

tracking, reporting, closure, and documentation.


Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment.

Management practices

BAI06.01 Evaluate, prioritize and authorize change requests.

Evaluate all requests for change to determine the impact on business processes and I&T services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk.

Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.

BAI06.02 Manage emergency changes.

Carefully manage emergency changes to minimize further incidents. Ensure the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.

BAI06.03 Track and report change status.

Maintain a tracking and reporting system to document rejected changes and communicate the status of approved, in-process and complete changes. Make certain that approved changes are implemented as planned.

BAI06.04 Close and document the changes.

Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.


Change management – CHMG

The management of change to the service infrastructure including service assets, configuration items and associated documentation. Change management uses requests for change (RFC) for standard or emergency changes, and changes due to incidents or problems to provide effective control and reduction of risk to the availability, performance, security and compliance of the business services impacted by the change.

Change Acceptance (IT) and Transitioning – BAI07 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Change Acceptance and Transitioning

Formally accept and make operational new solutions. Include implementation planning, system and data conversion, acceptance testing,

communication, release preparation, promotion to production of new or changed business processes and I&T services, early production support, and

a post-implementation review.


Implement solutions safely and in line with the agreed expectations and outcomes.

Management Practice

BAI07.01 Establish an implementation plan.

Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/back-up plan, and a post-implementation review. Obtain approval from relevant parties.

BAI07.02 Plan business process, system and data conversion.

Prepare for business process, I&T service data and infrastructure migration as part of the enterprise’s development methods. Include audit trails and a recovery plan should the migration fail.

BAI07.03 Plan acceptance tests.

Establish a test plan based on enterprise wide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.

BAI07.04 Establish a test environment.

Define and establish a secure test environment representative of the planned business process and IT operations environment in terms of performance, capacity, security, internal controls, operational practices, data quality, privacy requirements and workloads.

BAI07.05 Perform acceptance tests.

Test changes independently, in accordance with the defined test plan, prior to migration to the live operational environment.

BAI07.06 Promote to production and manage releases.

Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results.

If significant problems occur, revert to the original environment based on the fallback/back-up plan. Manage releases of solution components.

BAI07.07 Provide early production support.

For an agreed period of time, provide early support to users and I&T operations to resolve issues and help stabilize the new solution.

BAI07.08 Perform a post-implementation review.

Conduct a post-implementation review to confirm outcome and results,identify lessons learned, and develop an action plan. Evaluate actual performance and outcomes of the new or changed service against expected performance and outcomes anticipated by the user or customer.


Business process testing BPTS

The planning, design, management, execution and reporting of business process tests and usability evaluations. The application of evaluation skills to the assessment of the ergonomics, usability and fitness for purpose of defined processes. This includes the synthesis of test tasks to be performed (from statement of user needs and user interface specification), the design of an evaluation programme, the selection of user samples, the analysis of performance, and inputting results to the development team.

Release and deployment RELM

The management of the processes, systems and functions to package, build, test and deploy changes and updates (which are bounded as “releases”) into a live environment, establishing or continuing the specified service, to enable controlled and effective handover to operational management and the user community. The application of automation to improve the efficiency and quality of releases.

Service acceptance SEAC

The achievement of formal confirmation that service acceptance criteria have been met, and that the service provider is ready to operate the new service when it has been deployed. (Service acceptance criteria are used to ensure that a service meets the defined service requirements, including functionality, operational support, performance and quality requirements).

Testing TEST

The planning, design, management, execution and reporting of tests, using appropriate testing tools and techniques and conforming to agreed process standards and industry specific regulations. The purpose of testing is to ensure that new and amended systems, configurations, packages, or services, together with any interfaces, perform as specified (including security requirements) , and that the risks associated with deployment are adequately understood and documented. Testing includes the process of engineering, using and maintaining testware (test cases, test scripts, test reports, test plans, etc) to measure and improve the quality of the software being tested.

User experience evaluation USEV

Validation of systems, products or services, to assure that the stakeholder and organisational requirements have been met, required practice has been followed, and systems in use continue to meet organisational and user needs. Iterative assessment (from early prototypes to final live implementation) of effectiveness, efficiency, user satisfaction, health and safety, and accessibility to measure or improve the usability of new or existing processes, with the intention of achieving optimum levels of product or service usability.

Knowledge Management – BAI08 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Knowledge

Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise I&T. Plan for the identification, gathering, organizing,maintaining, use and retirement of knowledge.


Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.

Management practices

BAI08.01 Identify and classify sources of information for governance

and management of I&T.

Identify, validate and classify diverse sources of internal and external information required to enable governance and management of I&T, including strategy documents, incident reports and configuration information that progresses from development to operations before going live.

BAI08.02 Organize and contextualize information into knowledge.

Organize information based on classification criteria. Identify and create meaningful relationships among information elements and enable use of information. Identify owners, and leverage and implement enterprise defined information levels of access to management information and knowledge resources.

BAI08.03 Use and share knowledge.

Propagate available knowledge resources to relevant stakeholders and communicate how these resources can be used to address different needs (e.g., problem solving, learning, strategic planning and decision making).

BAI08.04 Evaluate and update or retire information.

Measure the use and evaluate the currency and relevance of information. Update information or retire obsolete information.

Knowledge management KNOW

The systematic management of vital knowledge to create value for the organisation by capturing, sharing, developing and exploiting the collective knowledge of the organisation to improve performance, support decision making and mitigate risks. The development of a supportive and collaborative knowledge sharing culture to drive the successful adoption of technology solutions for knowledge management. Providing access to informal, tacit knowledge as well as formal, documented, explicit knowledge by facilitating internal and external collaboration and communications.

Assets Management – BAI09 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Assets

Manage I&T assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), and they are accounted for and physically protected. Ensure that those assets that are critical to support service capability are reliable and available.

Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements.


Account for all I&T assets and optimize the value provided by their use.

Management practices

BAI09.01 Identify and record current assets.

Maintain an up-to-date, accurate record of all I&T assets that are required to deliver services and that are owned or controlled by the organization with an expectation of future benefit (including resources with

economic value, such as hardware or software). Ensure alignment with configuration management and financial management.

BAI09.02 Manage critical assets.

Identify assets that are critical in providing service capability. Maximize their reliability and availability to support business needs.

BAI09.03 Manage the asset life cycle.

Manage assets from procurement to disposal. Ensure that assets are utilized as effectively and efficiently as possible and are accounted for and physically protected until appropriately retired.

BAI09.04 Optimize asset value.

Regularly review the overall asset base to identify ways to optimize value in alignment with business needs.

BAI09.05 Manage licenses.

Manage software licenses to maintain the optimal number of licenses and support business requirements. Ensure that the number of licenses owned is sufficient to cover the installed software in use.


Asset management ASMG

The management of the lifecycle for all managed assets (hardware, software, intellectual property, licences, warranties etc) including security, inventory, compliance, usage and disposal, aiming to protect and secure the corporate assets portfolio, optimise the total cost of ownership and sustainability by minimising operating costs, improving investment decisions and capitalising on potential opportunities. Knowledge and use of international standards for asset management and close integration with security, change, and configuration management are examples of enhanced asset management development.

Systems installation/decommissioning HSIN

The installation, testing, implementation or decommissioning and removal of cabling, wiring, equipment, hardware and associated software, following plans and instructions and in accordance with agreed standards. The testing of hardware and software components, resolution of malfunctions, and recording of results. The reporting of details of hardware and software installed so that configuration management records can be updated.

Configuration Management – BAI10 (COBIT2019)

Parent Framework: COBIT 2019

Domain: Build, Acquire and Implement

Managed Configuration

Define and maintain descriptions and relationships among key resources and capabilities required to deliver I&T-enabled services. Include collecting

configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.


Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.

Management practices

BAI10.01 Establish and maintain a configuration model.

Establish and maintain a logical model of the services, assets, infrastructure and recording of configuration items (CIs), including the relationships among them. Include the CIs considered necessary to manage services effectively and to provide a single, reliable description of the assets in a service.

BAI10.02 Establish and maintain a configuration repository and baseline.

Establish and maintain a configuration management repository and create controlled configuration baselines.

BAI10.03 Maintain and control configuration items.

Maintain an up-to-date repository of configuration items (CIs) by populating any configuration changes.

BAI10.04 Produce status and configuration reports.

Define and produce configuration reports on status changes of configuration items.

BAI10.05 Verify and review integrity of the configuration repository.

Periodically review the configuration repository and verify completeness and correctness against the desired target.


Configuration management CFMG

The planning, management, control and governance of organisational, project and service assets and artefacts. The identification, classification and specification of configuration items (CIs) and their inter-relationships. Identifying the configuration and version of source code, software, systems, documents and service dependent CIs at distinct points in time. Systematically controlling changes to the configuration and maintaining the integrity and traceability of the configuration throughout the project, system and/or service life cycle. Identifying and documenting the functional and physical characteristics of CIs, controlling changes to those characteristics, recording and reporting change processing and implementation status. Verifying and auditing CIs for data quality and compliance with specified internal and external requirements.

Next Page »