When I was thinking about writing about COBIT, I did not know whether to put it on my enterprise architecture blog or place it here. I decided to put it here because I want, in the same visual way, to propose a meta-model for this I.T. framework and also to draw a small comparison of how it connects with other frameworks used in different types of industry in different economies, which can be useful for everyone and serve as an example of a basis for collaborative work with other professionals.


We visualize the following possible meta-model for COBIT:

So far, nothing strange. This is the meta-model that I can capture, including elements such as the strategic plan that addresses the main requirements of the framework, which are the realization of profits, risk optimization and resource optimization, all in order to generate corporate governance for a company.

Continuing with the goals cascade: from delivering value, which is what these major requirements aim at, the business goals, the I.T. goals and the goals of the enabling processes can be derived. Meanwhile, the enabling processes have to provide a desired capability that the corporate strategic plan also indicates.

The business, I.T. and process goals have metrics that should be implemented in the enabling process. Finally, this process must have activities, process practices and owners for its implementation.

Information technology is not a world isolated from the company, and the daily operation of a company means it must comply with other kinds of business standards besides its own. This is where frameworks and standards such as ISO, SOX, ITIL, COSO and BCM, among others, come in.

Next, I would like to propose my own meta-model of Business Continuity Management and how it could interoperate with COBIT; this is in essence a plan.


I decided to use this because, as companies grow and their operation becomes increasingly critical, it becomes necessary to have more than contingency schemes at the level of infrastructure and of hardware and software platforms. The DRP (Disaster Recovery Plan) typically covers only the information technology part. The DRP is an important part of the BCM, and I want to use something similar to the standard BS 25999-2 of the BCI (British Continuity Institute) to join the BCM with COBIT.

The essential components of a BCM are:

PEOPLE: those who work in the organization: they make decisions, support processes and operate machines. In this regard, it is important to keep in mind whether these individuals perform well under organizational or professional problems.

PROCESSES: a diversity of these exists in the organization, some more important than others, some even to the point of stopping the entire production process. You have to identify each of them to determine its impact.

TECHNOLOGY: present everywhere in the organization, from the office to the areas of production, distribution and communications between teams. It is not only the use of computer systems, but also process and control systems and telephone communication. Its importance becomes noticeable when it fails and the organization has to do without it.

COMMUNITY OR SOCIETY: this point is not listed in the classifications found, but it has been considered important to put it here because there are two points where the impact can be focused: customers, who are those who acquire or use our services, and what relates directly to reputation and brand. This is especially important when incidents are internal to the organisation: accidents, pollution and general incidents affecting the community.

Based on these main components we make a particular meta-model of a BCM:

Below is an explanation of the meta-model of this plan. The BCM requirement arose out of stakeholders' concerns about the faults that may arise in the business and the loss of availability. But to meet the business requirements, the standard, laws, regulations, rules and policies, among others, must be fully complied with. To carry this out, it is necessary to create a business continuity program that must contain these key activities:

  • Start and project management.
  • Evaluation and risk control.
  • Business Impact Analysis (BIA).
  • Development of strategies for the Business Continuity.
  • Emergency response. 
  • Development and implementation of the BCM. 
  • Awareness and training program.
  • Maintenance and exercise of the BCM. 
  • Crisis communication. 
  • Coordination with public authorities.

The implementation of these activities must deliver the following results, which ultimately are VALUE for the company, which is what COBIT seeks:

  • Manage business continuity.
  • Business resilience to disruption.
  • It protects and ensures the company’s image.
  • It opens new market opportunities and helps win new business.
  • It increases the availability of the business.

The people of the business, other business processes and the existing technology in general at the company are what will make the fulfilment of the business continuity plan possible, as active parts of it, both for its implementation and for its maintenance and life cycle.

The union of COBIT and BCM is made through the activities that must be carried out in an enabling process of COBIT. The COBIT processes that help meet this requirement and these business goals related to business continuity are APO012, APO013 and BAI04 to a lesser extent.

If you want to know how to implement COBIT 5 contact me here.