Thursday, 16 February 2017

COBIT Indicators for Agile Software Development

In this blog, we are going to talk about the different COBIT controls that can be mapped to the Agile software development process. After reading it, we can determine whether a Scrum-based software development process can be compliant with the auditing criteria described in the COBIT indicators.

First, let’s talk about how Agile came into existence and what Agile is.

Agile: Earlier, the industry relied on the Waterfall model of the SDLC for software development, but as time passed, concerns were raised because the time gap between gathering requirements and delivering the final product was huge. By the time a working model was delivered, the client would need more features or the software that had been developed would need an upgrade. This led to the cancellation of many projects based on the Waterfall model. This growing frustration in the industry made a small group of people come together and come up with an alternative to the existing Waterfall model. The outcome of this meeting was the Agile Manifesto.

The Agile Manifesto has four foundation values and twelve supporting principles, which can be used in any software development project using an agile methodology. I will cover this in detail in the next blog.

Agile takes an iterative approach, delivering the software in increments rather than delivering the entire product in one go. It breaks the project down into bits, prioritizes the bits with the customer’s approval and then delivers a shippable product increment in a one- or two-week cycle.

There are different methods of Agile software development, but in this blog we will focus on the Scrum method.

Scrum: Scrum follows an incremental product development approach. It has a repeatable work cycle of around 3-4 weeks (depending on the company’s process) to develop a shippable product increment. This work cycle is called a Sprint. Scrum has 3 roles: Product Owner, Scrum Master and Scrum Team.
  • Product Owner is responsible for explaining and prioritizing the requirements for each sprint
  • Scrum Master’s job is to facilitate the daily scrum meeting and take care of any impediments
  • Scrum Team is the one that actually builds the potentially shippable product increment
Each Scrum usually has the following 5 processes:
  1. Backlog Grooming: Product Owner gives an overview of all the user stories required for developing the product. The stories captured in this meeting form the “Product Backlog”.
  2. Sprint Planning: In Sprint Planning the product owner explains each story to the team. The team gives weightage to each story which is known as “Story Point Estimation”. Based on this the team will prepare the task estimates. Scrum Master then prepares the sprint backlog based on the team’s velocity.
  3. Daily Scrum (Standup meeting): In this meeting only three things are discussed:
         3.1 What you did yesterday?
         3.2 What are you going to do today?
         3.3 What are the impediments you are facing?
  4. Sprint Review: In this meeting the team reviews the completed work and the work which was not completed as per the plan. The team also gives a demo of the completed work to the stakeholders; this process is also called “show and tell”.
  5. Sprint Retrospective: The team meets at the end of each sprint to discuss the pros and cons of the sprint and what should be changed to improve the efficiency of work.
Now let’s see what COBIT is and which COBIT indicators will make the Scrum methodology of Agile software development compliant with auditing criteria.

COBIT: Control Objectives for Information and Related Technologies (COBIT) is an IT governance framework created by the Information Systems Audit and Control Association (ISACA). COBIT focuses on IT controls, which are useful for IT management, users and auditors. COBIT 4.1 has 34 high-level processes in 4 process domains with 210 control objectives.

The 4 process domains are as follows:
  1. Plan and Organize
  2. Acquire and Implement
  3. Deliver and Support
  4. Monitor and Evaluate
In this blog I am going to list the indicators of the COBIT processes that will help us assess a software development process that uses the Scrum methodology. The selection of processes and their indicators is based on the auditing guidelines for the SDLC. The table below lists the COBIT processes and indicators.

| COBIT Process | COBIT Indicators |
|---|---|
| PO7 Manage IT Human Resources | PO7.2 Personnel Competencies; PO7.3 Staffing of Roles |
| PO8 Manage Quality | PO8.2 IT Standards and Quality Practices; PO8.3 Development and Acquisition Standards |
| PO10 Manage Projects | PO10.1 Program Management Framework; PO10.9 Project Risk Management; PO10.10 Project Quality Plan; PO10.11 Project Change Control; PO10.13 Project Performance Measurement, Reporting and Monitoring; PO10.14 Project Closure |
| AI1 Identify Automated Solutions | AI1.1 Define and Maintain Business Functional and Technical Requirements; AI1.3 Feasibility and Alternate Course of Action |
| AI6 Manage Changes | AI6.1 Change Standards and Procedures |
| AI7 Install and Accredit Solutions and Changes | AI7.1 Training; AI7.2 Test Plan; AI7.5 System and Data Conversion; AI7.8 Promotion to Production |
| DS5 Ensure Systems Security | DS5.2 IT Security Plan; DS5.3 Identity Management |

Conclusion: This blog helps us identify the different indicators of the COBIT processes that can be mapped to a software development process using the Scrum methodology. Thus, with the help of these COBIT indicators, we can measure the performance of our process and also understand whether our process is compliant with the information systems auditing criteria.

About Author:
Akash Poojary is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, he actively contributes to the areas of Technology and Information Security. He can be contacted at: akash.poojary@spluspl.com

18 comments:

  1. Informative blog.
    Good job Akash.

  2. That’s a good blog, helps one to understand the basic agile principles and the thought process behind it. Looking forward to the next one on agile manifesto.

  3. Good Read.. Explained in a simple understandable language.. Great work Akash !

  4. Good blog! Great understanding of scrum-cobit overlap

  5. Well put blog. Good work Akash hope it helps many new agile users to understand the concept as clearly you have mentioned in this blog. Looking forward to your next one.

  6. Good read and a very clear perspective. All the best .

  7. Great writing, very well put together.

  8. Great understanding of COBIT Indicators. Well written.

  9. COBIT and Agile, the best of both worlds in one informative document. Great Work!
