COBIT 2019 – New capability level assessment model

COBIT 5 uses the Process Assessment Model (PAM) based on ISO 15504, whereas COBIT 2019 supports a Capability Maturity Model Integration, CMMI-based process-capability scheme, ranging from zero to five. If you can recall, ISACA purchased CMMI in March 2016, so it was a logical progression to incorporate CMMI into COBIT 2019.

The capability level is a measure of how well a process is implemented and performing, and this article will touch on using “BAI04: Managed Availability and Capacity” to get to a capability level of two for availability and capacity management, says Alan Foley, director at MentPro.

BAI04: Managed availability and capacity

COBIT 2019 has 40 processes defined (three more than COBIT 5), and one of them is BAI04: managed availability and capacity.

Let’s start by defining what the purpose of this process is:

“Maintain service availability, efficient management of resources and optimisation of system performance through prediction of future performance and capacity requirements.”

It’s great that availability and capacity are grouped in the same management objective, as there is a lot of synergy and dependency on each other to achieve business value; however, this management objective is woefully inadequately defined, as there are some basic fundamentals missing.

The glaringly obvious one that was missed in COBIT 5 and now has also been missed again in COBIT 2019 is the dependency on a proper configuration baseline as defined in BAI10, both availability and capacity require a definitive reference from both a configuration item (CI) and vital business function (VBF) perspective.

Nowhere in the COBIT 2019 definition of BAI04 does it require BAI10 managed processes output as input to the BAI04 process; this is absolutely crucial. In a previous article, I discussed what can be achieved with availability management at an infrastructure level: this can be found here

The BAI04 process covers capacity to a fair degree, but is very sparse when it comes to availability management activities required to archive at least a capability level of two for availability management. It would have been great if extra availability activities were included and mapped to a capability level, but this seems to have been missed by ISACA authors.

Example metrics and capability levels

COBIT 2019 now maps the capability levels (two and up) against each management practice activity within each managed practice; this is extremely useful if you want to set your organisation a goal of achieving a capability level of, say, two. In COBIT 5, you would have had to make an assumption as to what activities will need to have performed for each process where you want to improve your capability level.

This is a good start, but more work is definitely required here. I mentioned previously that availability activities are not properly defined in each managed practice, so if you apply this approach to measure your availability management process, you have no COBIT 2019 recognised measurement “standard” to gauge your capability level against.

What should have been added to BAI04

* BAI10.01: Establish and maintain a configuration model and BAI10.02 configuration baseline as input to BAI04 in the component: information flows and items section of the management objective.
* Additional breakdown of availability management activities in each BAI04 management practice.
* Mapping of capability level and associated metrics specific to availability management.


There are definitely some improvements in COBIT 2019 and the layout has been improved, but you will individually need to flesh out and improve on the activities in the BAI04 management practices if you really want to archive a capability level of two or more for availability management.

By the way, no reference is made to capability levels of zero or one in any of the management objectives. Another new change on the horizon, planned for January 2019, is the release of ITIL 4, which is tipped to be more “business value” focused; let’s hope it lives up to its expectations. Hopefully the ITIL and COBIT teams shared and discussed common ITSM strategies… let’s wait and see.

Alan Foley is a certified COBIT 5 implementation professional and works with customers to improve and mature their availability and capacity management processes. He can be found on LinkedIn or on e-mail; for more information on availability and capacity services offered, please visit