A model for assessing COBIT 5 and ISO 27001 simultaneously
2018 IEEE 20th Conference on Business Informatics (CBI)
Year (definitive publication)
2018
Language
English
Country
United States of America
Abstract
Assessing Enterprise Governance of IT (EGIT) frameworks and standards such as COBIT 5 and ISO 27001 when they are adopted simultaneously implies an unreasonable effort, because each framework and standard defines its own scope, definitions, and terminology. Using these frameworks and standards independently prevents organizations from achieving the full benefits of EGIT, since each is limited in its application to specific Information Technology (IT) areas. Also, as these frameworks and standards overlap, at a time when organizations strive to be efficient and effective, it seems counterintuitive to waste resources by having different organizational departments handle both approaches independently. Thus, the primary goal of this paper is to facilitate the simultaneous assessment of COBIT 5 and ISO 27001. To reach this goal, an Enterprise Architecture (EA) metamodel representation of ISO 27001 and its mapping to COBIT 5 is proposed, using ArchiMate as the EA modeling language. The ISO 27001 metamodel is also extended with ISO/IEC Technical Specification (TS) 33052 and ISO/IEC TS 33072, because these standards propose a Process Reference Model and a Process Assessment Model for Information Security management, which are essential for assessing ISO 27001 and COBIT 5 simultaneously. A field study was conducted in the Portuguese Navy on the COBIT 5 Manage Service Requests and Incidents process and its corresponding ISO 27001 controls, through the mapped ISO/IEC TS 33052 processes.
Keywords
ArchiMate, COBIT 5, Enterprise architecture, Field study, ISO 27001, ISO/IEC TS 33052, ISO/IEC TS 33072, Process capability assessment