Mapping of enterprise governance of IT practices metamodels

Abstract

The paper proposes a metamodel for ISO 27001 and its mapping with COBIT 5 using ArchiMate, an Enterprise Architecture (EA) modeling language. The metamodel’s purpose is to reduce the perceived complexity of implementing these Enterprise Governance of IT (EGIT) practices simultaneously. For the ontological mapping to be complete, the metamodel is extended with the ISO Technical Specifications 33052 and 33072, which propose a Process Reference Model and a Process Assessment Model respectively, specifying Base Practices and Information Items from the ISO TS 33072 (composing the ISO TS 33052 processes) mapped to ISO 27001 controls. By applying best-known metamodeling techniques and modeling principles in conjunction with the use of EA models, we further simplify the understanding of different EGIT practices by providing a standard-based visualization of how these practices work together. Furthermore, we present the mapping and modeling of a COBIT 5 process and respective ISO 27001 controls as an example. The paper concludes by summarizing the considerations and techniques used in this research, as well as discussing limitations and future work in this domain.

Lourinho, R., Almeida, R., Da Silva, M. M., Pinto, P., & Barafort, B. (2017). Mapping of enterprise governance of IT practices metamodels. In Lecture Notes in Business Information Processing (Vol. 299, pp. 492–505). Springer Verlag. https://doi.org/10.1007/978-3-319-65930-5_39
