Measure Process Maturity for Quality Management Systems
COBIT 5 PAM for ISO 9001:2015 Maturity Measurement

Master Thesis in MSc Business Information Systems
Pascal Bürgy (08-650-350)

University of Applied Sciences and Arts Northwestern Switzerland // MSc Business Information Systems // 5. Semester PT. // Prof. Dr. Petra Maria Asprion // V1.0 – 21. January 2016

Master Of Science FHNW Business Information Systems
Master Thesis in Business Information Systems | Pascal Bürgy
University of Applied Sciences and Arts Northwestern Switzerland, School of Business

Abstract

Keywords: Process, Maturity Measurement, Quality Management, ISO 9001:2015, COBIT 5 PAM, Small and Mid-Sized Enterprises (SME), Swiss based, Glaux Soft AG, Master Thesis, Design Science Research

ISO 9001:2015 is a widespread standard for quality management – also and especially within the IT industry. As with every standard or best practice, quality management systems require continuous improvement, whose characteristics are defined on a high level within ISO 9001:2015. As a result, companies develop individual improvement approaches, which makes comparison and industry benchmarking impossible.

Therefore, this study establishes a COBIT 5 PAM based maturity measurement instrument for ISO 9001 based process models, with which ISO 9001 certified companies will be able to assess their individual process models along the standardized maturity measurement instruments of COBIT 5 PAM. Based on a design science research approach, this study analyses the current scientific and practical literature about quality management and process maturity measurement as well as that about respective combination approaches of these fields. With this foundation, a comprehensive mapping of ISO 9001:2015 and COBIT 5 PAM needs to be defined. This mapping is then the baseline for a prototype that allows process maturity measurement for ISO 9001 certified process models. Finally, this prototype needs to be validated within a qualitative case study.

Based on the combination of ISO 9001:2015 and COBIT 5 PAM on process level, the Process Improvement Prototype (PIP) is developed. This prototype covers two activities, which participating companies need to perform. On the one hand, the PIP supports its users when mapping their individual process maps with a generic ISO 9001:2015 process map (GPM-IT). This generalization, on the other hand, allows the execution of the PIP's second activity, in which the measurement tools of COBIT 5 PAM are applied to define the capability level of individual ISO 9001:2015 processes and establish respective process improvement initiatives.

The PIP has been validated within a practical environment together with Glaux Soft AG, a Swiss-based software development SME. Its overall usability is confirmed by mapping Glaux Soft's individual ISO 9001 processes with the generic processes of the GPM-IT and, furthermore, by performing a process maturity measurement iteration with the PIP's tools and techniques. In the process, certain limitations and improvement ideas are identified and either directly addressed within the study or highlighted as possible prospective research activities.

I. Content Overview

1 Introduction
This chapter contains preliminary information about the study topic and its background. Furthermore, the framework of the study, containing study purpose, thesis statement and other aspects, is defined.

2 Theoretical Foundation
Within the second chapter, theoretical and scientific aspects of the topic are analysed. The focus is on the topics of quality management and process maturity measurement as well as on respective combination approaches.

3 Research Methodology
Chapter three highlights the relevant research cornerstones for the study as well as, in more detail, the different steps and activities of the design science research framework of Hevner & Chatterjee (2010).

4 Components of a Measurement Framework
This chapter focuses on the definition of the components necessary for a targeted combination of ISO 9001:2015 and COBIT 5 PAM.

5 ISO 9001:2015 Process Improvement Prototype
The Process Improvement Prototype is defined within chapter 5, where every aspect of the respective measurement tool invented within this study is explained.

6 Prototype Validation
Chapter 6 contains the validation of the Process Improvement Prototype, for which a company is selected according to defined criteria. Within the practical setup of this company, the potential of the prototype is analysed.

7 Conclusion
Within the conclusion, the coverage of the research objectives defined within chapter one is evaluated. Furthermore, lessons learned and ideas for prospective research initiatives are provided.

8 Bibliography
Chapter 8 contains the detailed bibliography of the study, categorized along internal, scientific, practice-oriented and graphics-only resources.
9 Appendix
The ninth and last chapter of the study contains six appendixes, which substantiate different contents of the study.

II. Table of Contents

1 Introduction
  1.1 Background
  1.2 Purpose of the Study
  1.3 Thesis Statement and Research Objectives
  1.4 Limitations and Scope
  1.5 Relevance
  1.6 Research Methodology
2 Theoretical Foundation
  2.1 Literature Review Process
  2.2 Standards and Instruments
    2.2.1 Perceptions
    2.2.2 Opportunities
    2.2.3 Risks
  2.3 Quality Management
    2.3.1 Quality
    2.3.2 Quality Management
    2.3.3 Quality Management System
    2.3.4 Quality Management Standard
    2.3.5 Quality Management in Software Development
  2.4 Process Maturity Measurement
    2.4.1 Process
    2.4.2 Process Reference Models
    2.4.3 Process Maturity
    2.4.4 Process Maturity Measurement
  2.5 Combinations
3 Research Methodology
  3.1 Research Corner Stones
  3.2 Design Research Steps
    3.2.1 Awareness
    3.2.2 Suggestion
    3.2.3 Development
    3.2.4 Evaluation
    3.2.5 Conclusion
4 Components of a Measurement Framework
  4.1 Combining Standards & Frameworks
    4.1.1 Combination Dimensions
    4.1.2 Combination Level
  4.2 Specific Combination Levels
    4.2.1 Methodology
    4.2.2 Process
    4.2.3 Indicator
    4.2.4 Maturity Level
  4.3 Mapping on Process Level
  4.4 Generic Process Landscape for IT SMEs
    4.4.1 IT Process Map of the Swiss Federal Administration
    4.4.2 Extensions to the Swiss Federal IT Process Map
    4.4.3 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT)
  4.5 ISO 9001:2015 versus COBIT 5 PAM Mapping Approach
5 ISO 9001:2015 Process Improvement Prototype
  5.1 Overview
  5.2 Process Model Mapping
    5.2.1 Process Model
    5.2.2 Comparison
    5.2.3 Connection
  5.3 Process Maturity Measurement
    5.3.1 Process
    5.3.2 Scope
    5.3.3 Measurement
    5.3.4 Level
    5.3.5 Improvement
  5.4 Process Maturity Levels
    5.4.1 Level 1 – Performed Process
    5.4.2 Level 2 – Managed Process
    5.4.3 Level 3 – Established Process
    5.4.4 Level 4 – Predictable Process
    5.4.5 Level 5 – Optimising Process
  5.5 Rating System
6 Prototype Validation
  6.1 Company Selection Criteria
  6.2 Participating Company – Glaux Soft AG
    6.2.1 Facts and Figures of Glaux Soft AG
    6.2.2 An Outline on evidence – Glaux Softs Product Baseline
    6.2.3 ISO 9001:2015 Process Map of Glaux Soft AG
  6.3 Process Model Mapping in Practice
  6.4 Process Maturity Measurement in Practice
    6.4.1 Defining and Scoping Processes with the PIP
    6.4.2 Measuring Process Maturity with the PIP
    6.4.3 Defining Process Improvements with the PIP
  6.5 Analysis of Generated Results and Insights
7 Conclusion
  7.1 Research Question Coverage
    7.1.1 ISO 9001:2015 and COBIT 5 Mapping
    7.1.2 Prototyping a Process Measurement Model
    7.1.3 Validating the Usability of the Developed Measurement Model
  7.2 Lessons Learned
  7.3 Prospective Research
8 Bibliography
  8.1 Internal university-related resources
  8.2 Scientific papers & nonfictions
  8.3 Practice-oriented literature & resources
  8.4 Used Graphics (not directly mentioned in text)
9 Appendix
  9.1 Appendix A – Structured Literature Review
  9.2 Appendix B – Generic Process Map for IT SMEs in Detail
    9.2.1 Process 01 – IT Management
    9.2.2 Process 04 – IT Steering
    9.2.3 Process 08 – Maintain IT-Processes
    9.2.4 Process 10 – Strategic Marketing
    9.2.5 Process 05 – Solution Development & Deployment
    9.2.6 Process 06 – Operate IT-Infrastructure & -Services
    9.2.7 Process 07 – User Support
    9.2.8 Process 11 – Sales
    9.2.9 Process 02 – Skills Development
    9.2.10 Process 03 – Procurement
    9.2.11 Process 09 – Support Financial Management
  9.3 Appendix C – Generic Process Map and COBIT 5 Detailed Process Mapping
    9.3.1 Process 01 – IT Management
    9.3.2 Process 04 – IT Steering
    9.3.3 Process 08 – Maintain IT-Processes
    9.3.4 Process 10 – Strategic Marketing
    9.3.5 Process 05 – Solution Development & Deployment
    9.3.6 Process 06 – Operate IT-Infrastructure & -Services
    9.3.7 Process 07 – User Support
    9.3.8 Process 11 – Sales
    9.3.9 Process 02 – Skills Development
    9.3.1 Process 03 – Procurement
    9.3.2 Process 09 – Support Financial Management
  9.4 Appendix D – Glaux Soft's Process Map in Detail
  9.5 Appendix E – Generic Process and Glaux Soft's Detailed Process Mapping
  9.6 Appendix F – Process Improvement Prototype (PIP)
    9.6.1 Tool No. 1 – Process Model Mapping
    9.6.2 Tool No. 2 – Process Definition & Scoping
    9.6.3 Tool No. 3 – Process Maturity Measurement

III.
List of Figures Figure 1 Limitation & Scope of the Planned Study ........................................................................................................................................... 16 Figure 2 Rigor vs. Relevance of the Planned Study .......................................................................................................................................... 16 Figure 3 Design Science Research Framework (adapted from Hevner & Chatterjee (2010)) ........................................................................... 17 Figure 4 Upcoming Chapters & Contents ......................................................................................................................................................... 17 Figure 5 Literature Review Process (according to Hart (1998)) ........................................................................................................................ 18 Figure 6 Framework Introduction – Opportunities (adapted from Repp et al. (2008)) .................................................................................... 20 Figure 7 Framework Introduction – Risks (adapted from Repp et al. (2008)) .................................................................................................. 21 Figure 8 Quality (adapted from Schmitt (2015)) .............................................................................................................................................. 22 Figure 9 Economic Quality (adapted from Schmitt (2015)) .............................................................................................................................. 23 Figure 10 Quality Target (own illustration - adapted from Benes & Groh (2014)) ........................................................................................... 
25 Figure 11 Quality Management Disciplines (adapted from Müller (2004)) ...................................................................................................... 25 Figure 12 Quality Management Disciplines (adapted from Thom & Ritz (2000)) ............................................................................................. 26 Figure 13 Functional Chain of a QMS (adapted from KMU Portal des Bundes (2015)) .................................................................................... 27 Figure 14 ISO 9001:2015 Process Model (adapted from Hermann (2009))...................................................................................................... 27 Figure 15 COBIT 5 Process Model (adapted from ISACA (2013c)) .................................................................................................................... 30 Figure 16 COBIT 5 Principles (adapted from ISACA (2013c)) ............................................................................................................................ 31 Figure 17 COBIT 5 Enablers (adapted from ISACA (2013c)) .............................................................................................................................. 31 Figure 18 COBIT 5 PAM Capability Levels (adapted from ISACA (2013b)) ........................................................................................................ 32 Figure 19 COBIT 5 PAM Maturity Measurement .............................................................................................................................................. 33 Figure 20 Mapping of ISO 9001:2000 and CMMI (from Mutafelija and Stromberg (2003)) ............................................................................. 34 Figure 21 Research Corner Stones (adapted from Saunders et al. (2009)) ...................................................................................................... 
35 Figure 22 Design Science Research Framework (adapted from Hevner & Chatterjee (2010)) ......................................................................... 36 Figure 23 Design Science Research Cycles (adapted from Hevner & Chatterjee (2010)) ................................................................................. 37 Figure 24 Generic Levels of Combination (own visualisation) .......................................................................................................................... 38 Figure 25 Different Mapping Levels (own visualisation) .................................................................................................................................. 39 Figure 26 Combination on “Methodology”-Level............................................................................................................................................. 39 Figure 27 Combination on “Process”-Level ...................................................................................................................................................... 40 Figure 28 Combination on “Indicator”-Level .................................................................................................................................................... 40 Figure 29 Combination on “Maturity Level”-Level ........................................................................................................................................... 40 Figure 30 Map ISO 9001:2015 and COBIT 5 PAM ............................................................................................................................................. 41 Figure 31 Swiss Federal IT Process Map (from ISB (2015)) ............................................................................................................................... 
Figure 32 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT) (adapted from ISB (2015))
Figure 33 Process Improvement Prototype (PIP)
Figure 34 PIP ISO 9001:2015 Process Model Mapping Steps
Figure 35 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT) (adapted from ISB (2015))
Figure 36 Generic & Specific ISO 9001:2015 Process Mapping Tool
Figure 37 PIP Maturity Measurement Procedure (adapted from ISACA (2013a))
Figure 38 PIP Targeted Capability Level Definition (adapted from ISACA (2013a))
Figure 39 PIP Process Maturity Measurement (adapted from ISACA (2013a))
Figure 40 PIP process Capability Level Calculation (adapted from ISACA (2013a))
Figure 41 COBIT 5 PAM Capability Levels (adapted from ISACA (2013b))
Figure 42 COBIT 5 PAM Maturity Measurement
Figure 43 Company Selection Criteria
Figure 44 Glaux Soft’s ISO 9001 Process Model (adapted from Glaux Soft AG (2015c))
Figure 45 Glaux Soft’s Targeted Process Capability Levels
Figure 46 Glaux Soft’s Process Maturity Measurement
Figure 47 Glaux Soft’s Resulting Process Capability Levels
Figure 48 Insight Importance & Categories
Figure 49 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT) (adapted from ISB (2015))

IV. List of Tables

Table 1 Five Perspectives of Quality of David A. Garvin (according to Paul (2009))
Table 2 The Four Absolutes of Quality (according to Crosby (1979))
Table 3 The Five Quality Management Disciplines (according to Müller (2004))
Table 4 Eight Quality Management Principles (from International Standardisation Organisation (2012))
Table 5 Additional Process Description Terms (from ISACA (2013c))
Table 6 COBIT 5 PAM & ISO/IEC 15504 Capability Levels (from ISACA (2013b))
Table 7 COBIT 5 PAM & ISO/IEC 15504 Rating Stages (from ISACA (2013b))
Table 8 Combination Dimensions
Table 9 Mapping Generic ISO 9001:2015 and COBIT 5 Processes
Table 10 PIP Weighting Aspects
Table 11 PIP Mapping Statuses
Table 12 COBIT 5 Enterprise Goals (adapted from ISACA (2013a))
Table 13 COBIT 5 IT-related Goals (from ISACA (2013a))
Table 14 Generic Process Improvement Measures
Table 15 PIP process Outcomes Filtration
Table 16 PA1.1 Process Performance
Table 17 PA2.1 Performance Management (from ISACA (2013b))
Table 18 PA2.2 Work Product Management (from ISACA (2013b))
Table 19 PA3.1 Process Definition (from ISACA (2013b))
Table 20 PA3.2 Process Development (from ISACA (2013b))
Table 21 PA4.1 Process Measurement (from ISACA (2013b))
Table 22 PA4.2 Process Control (from ISACA (2013b))
Table 23 PA5.1 Process Innovation (from ISACA (2013b))
Table 24 PA5.2 Process Optimization (from ISACA (2013b))
Table 25 COBIT 5 PAM & ISO/IEC 15504 Rating Stages (from ISACA (2013b))
Table 26 Mapping Glaux Soft’s and Generic ISO 9001:2015 Processes
Table 27 Enterprise goal selection of Glaux Soft AG
Table 28 Defined Process Improvement Initiatives
Table 29 Generated Results and Insights
Table 30 Structured Literature Review
Table 31 ISB Process 01 – IT Management (from ISB (2015))
Table 32 ISB Process 04 – IT Steering (from ISB (2015))
Table 33 ISB Process 08 – Maintain IT-Processes (from ISB (2015))
Table 34 Adapted Process 10 – Strategic Marketing (adapted from Glaux Soft AG (2015c))
Table 35 ISB Process 05 – Solution Development & Deployment (from ISB (2015))
Table 36 ISB Process 06 – Operate IT-Infrastructure & -Services (from ISB (2015))
Table 37 ISB Process 07 – User Support (from ISB (2015))
Table 38 Adapted Process 11 – Sales (adapted from Glaux Soft AG (2015c))
Table 39 ISB Process 02 – Skills Development (from ISB (2015))
Table 40 ISB Process 03 – Procurement (from ISB (2015))
Table 41 ISB Process 09 – Support Financial Management (from ISB (2015))
Table 42 Detailed Mapping: Process 01 <> EDM01
Table 43 Detailed Mapping: Process 01 <> EDM03
Table 44 Detailed Mapping: Process 01 <> APO01
Table 45 Detailed Mapping: Process 01 <> APO02
Table 46 Detailed Mapping: Process 01 <> APO03
Table 47 Detailed Mapping: Process 01 <> MEA01
Table 48 Detailed Mapping: Process 01 <> MEA03
Table 49 Detailed Mapping: Process 04 <> EDM04
Table 50 Detailed Mapping: Process 04 <> APO05
Table 51 Detailed Mapping: Process 04 <> APO09
Table 52 Detailed Mapping: Process 04 <> APO12
Table 53 Detailed Mapping: Process 08 <> APO11
Table 54 Detailed Mapping: Process 08 <> DSS06
Table 55 Detailed Mapping: Process 08 <> MEA02
Table 56 Detailed Mapping: Process 10 <> EDM05
Table 57 Detailed Mapping: Process 10 <> APO08
Table 58 Detailed Mapping: Process 05 <> EDM02
Table 59 Detailed Mapping: Process 05 <> APO04
Table 60 Detailed Mapping: Process 05 <> BAI01
Table 61 Detailed Mapping: Process 05 <> BAI02
Table 62 Detailed Mapping: Process 05 <> BAI05
Table 63 Detailed Mapping: Process 05 <> BAI06
Table 64 Detailed Mapping: Process 05 <> BAI07
Table 65 Detailed Mapping: Process 05 <> BAI08
Table 66 Detailed Mapping: Process 06 <> APO13
Table 67 Detailed Mapping: Process 06 <> BAI03
Table 68 Detailed Mapping: Process 06 <> BAI04
Table 69 Detailed Mapping: Process 06 <> BAI10
Table 70 Detailed Mapping: Process 06 <> DSS01
Table 71 Detailed Mapping: Process 06 <> DSS03
Table 72 Detailed Mapping: Process 06 <> DSS04
Table 73 Detailed Mapping: Process 06 <> DSS05
Table 74 Detailed Mapping: Process 07 <> DSS02
Table 75 Detailed Mapping: Process 11 <> No COBIT 5 Process Available
Table 76 Detailed Mapping: Process 02 <> APO07
Table 77 Detailed Mapping: Process 03 <> APO10
Table 78 Detailed Mapping: Process 03 <> BAI09
Table 79 Detailed Mapping: Process 09 <> APO06

V. Document Information

Purpose of document

This document contains a master thesis, written in the scope of the eponymous module at the University of Applied Sciences Northwestern Switzerland, FHNW. The objective of the paper is to develop a process maturity measurement approach for ISO 9001:2015 certified quality management systems of Swiss-based SME IT companies.

Change Management

The following steps were necessary to create the current document.

Version | Date | Person | Remarks
D0.1 | 24. August 2015 | Pascal Bürgy | Document initiated / Take-over of MTRP document
D0.2 | 24. August 2015 | Pascal Bürgy | Document structure extended
D0.3 | 12. September 2015 | Pascal Bürgy | MTRP document elements adapted and extended
D0.4 | 18. September 2015 | Pascal Bürgy | Theory “Combination Standards and Frameworks” added
D0.5 | 20. September 2015 | Pascal Bürgy | Combination levels described
D0.6 | 29. September 2015 | Pascal Bürgy | Process level mapping described
D0.7 | 05. October 2015 | Pascal Bürgy | Preparation generic process model & process mapping
D0.8 | 20. October 2015 | Pascal Bürgy | Optimisation according to supervisor feedback
D0.9 | 31. October 2015 | Pascal Bürgy | Generic ISO 9001:2015 process map for IT SMEs added
D0.10 | 16. November 2015 | Pascal Bürgy | ISO 9001:2015 and COBIT 5 process mapping (incl. appendix C)
D0.11 | 23. November 2015 | Pascal Bürgy | ISB process map description added (appendix B)
D0.12 | 25. November 2015 | Pascal Bürgy | Glaux Soft and ISO 9001:2015 process mapping (incl. appendix E)
D0.13 | 27. November 2015 | Pascal Bürgy | Glaux Soft process map description added (incl. appendix D)
D0.14 | 29. November 2015 | Pascal Bürgy | PIP process landscape & mapping steps defined
D0.15 | 30. November 2015 | Pascal Bürgy | PIP maturity level descriptions added
D0.16 | 02. December 2015 | Pascal Bürgy | PIP rating system added
D0.17 | 03. December 2015 | Pascal Bürgy | Glaux Soft company description added
D0.18 | 05. December 2015 | Pascal Bürgy | PIP process maturity measurement added
D0.19 | 06. December 2015 | Pascal Bürgy | Master Thesis keywords defined
D0.20 | 07. December 2015 | Pascal Bürgy | Structure of chapter 6 (Evaluation) refined
D0.21 | 08. December 2015 | Pascal Bürgy | Optimisation according to supervisor feedback
D0.22 | 18. December 2015 | Pascal Bürgy | Evaluation documented
D0.23 | 20. December 2015 | Pascal Bürgy | Conclusion and research objective coverage added
D0.24 | 21. December 2015 | Pascal Bürgy | Prospective research described
D0.25 | 28. December 2015 | Pascal Bürgy | Corrections due to internal review
RC0.26 | 29. December 2015 | Pascal Bürgy | Corrections & adaptions / Abstract added
RC0.27 | 07. January 2016 | Pascal Bürgy | Optimisation according to supervisor feedback
RC0.28 | 20. January 2016 | Pascal Bürgy | Optimisation according to spell check
RC0.29 | 21. January 2016 | Pascal Bürgy | Final corrections & adaptions

D = Draft, RC = Release Candidate, V = Release / Ready for Assessment

Approvals

This document has been approved by the following people.

Version | Date | Person | Remarks
D0.6 | 20. October 2015 | Petra M. Asprion | Review the current state of the document
D0.17 | 07. December 2015 | Petra M. Asprion | Review the current state of the document
D0.24 | 25. December 2015 | Pascal Bürgy | Internal review of entire document
RC0.26 | 31. December 2015 | Petra M. Asprion | Review of entire document
RC0.27 | 20. January 2016 | Douglas Andrews | Spell Check
RC0.28 | 21. January 2016 | Pascal Bürgy | Internal review of entire document
V1.0 | 21. January 2016 | Pascal Bürgy | Release / Ready for Assessment

Basic Document Parameters

Document title: Measure Process Maturity for Quality Assurance Systems
File name: MT_5_BuergyPascal_MeasureProcessMaturityForQMS.docx
Remarks: This document was generated during the module “Master Thesis” at FHNW and contains the entire master thesis of Pascal Bürgy.
File size: 1785 Kilobytes *
* This value correlates to the Word document.
Author / Editor: Bürgy Pascal
Version: V1.0
Creation Date: 24. August 2015
Status: Release / Ready for Assessment

Statement of Justification

This project is submitted in partial fulfilment of the fifth semester's requirements of the Degree of Master in Business Information Systems at the University of Applied Sciences and Arts Northwestern Switzerland. All the supporting literature referred to in this report has been properly referenced according to the Harvard referencing guide. The complete work was exclusively created for this particular subject reaching the academic limitations, without any plagiarism.
Olten, in January 2016

1 Introduction

Within this chapter, relevant and scientific essentials of the planned study are provided, including a detailed problem derivation as well as the definition of the thesis statement, research questions and objectives.

1.1 Background

Given the evolution within information technology (highlighted by, among others, Quack (2014) and Rüter et al. (2010)) and the resulting increased IT dependency of most businesses (stated by Andenmatten (2012a)), the management of quality within information technology has become an important aspect. However, developing organisational capabilities that ensure a comprehensive alignment towards qualitative effectiveness and efficiency is a complex and occasionally cost-intensive endeavour (Pfeifer & Schmitt (2010)). Therefore, industries and organisations developed tool sets that should facilitate the implementation of the necessary disciplines, so-called quality management systems.

According to the British Department of Trade & Industry (2015), a quality management system can be defined as follows:

“A set of co-ordinated activities to direct and control an organisation in order to continually improve the effectiveness and efficiency of its performance.”

Besides this short and concise definition, other formulations highlight special aspects of quality management: for example, the aim of being compliant with laws and regulations as well as the idea of strictly focussing on customer needs (Business Dictionary (2015)), whereas other sources (ISO 9000 Store (2015)) highlight the specific process orientation of all key activities within a quality management system.

Along these aspects, various quality management system standards and reference models were developed during the last decades.
As stated by Schroll (2006), the Capability Maturity Model Integration (CMMI), the European Foundation for Quality Management (EFQM) model, ISO 9001, ISO 15504 as well as the IT Infrastructure Library (ITIL) are the five approaches with the highest importance within the IT industry. All these approaches cover essential elements of common quality management systems. Of these, ISO 9001 is still the most widespread approach for quality management in Europe according to Gvoic (2013). This standard, initially published in 1987 and currently available in the latest released version 2015, defines minimal requirements for organisations, which need to be fulfilled in order to transform a certain input into an added-value output in the form of products and services that are compliant with customer and / or legal expectations. Furthermore, ISO 9001:2015 clearly asks for continual improvement based on the well-known PDCA-cycle of Walter Deming (International Standardisation Organisation (2012)), but without defining concrete measures and approaches to determine and improve the maturity of systems and processes. As ISO 9001:2015 is a standard and should be applicable to various industry sectors, its definitions are formulated on a generic high-level basis.

Due to this focus, the standard is too generic to apply directly in practice. Companies and entire industries usually enlarge the ISO 9001:2015 process model with an adequate amount of (sub-)processes. The result is that most certified companies using ISO 9001 have completely different process models. Nonetheless, some best practice approaches have been established within certain industry branches, as the needs and mechanics of companies within the same industry are usually quite similar.

Besides ISO 9001, which is very well known and applicable within many branches and industries, other best practices such as EFQM or COBIT have been developed with an exclusive focus on IT (Rohloff (2003)).
Their descriptions and instructions are much more concrete, which means that COBIT 5, a widespread example of IT governance frameworks, provides a standardized process model that needs to be adapted.

COBIT 5 does not only provide a detailed process model, but also a specific model that allows the measurement of process maturity. This model is a supplement of COBIT 5 and is called the Process Assessment Model (PAM). PAM provides six maturity levels with related measurement instruments along which the establishment and anchoring of every process within a company can be measured.

An adaption of COBIT 5 PAM best practices within the well-known ISO 9001:2015 standard may lead to a powerful IT governance and a high quality management instrument for IT enterprises by combining ISO 9001’s external marketing and flexibility power with COBIT 5’s best practices for internal improvement. This concept is the focus of the planned study.

1.2 Purpose of the Study

ISO 9001:2015 is, as described within the previous chapter, an industrial standard. This means it is addressed to a wide variety of different industry sectors and enterprises, which makes a certain high-level focus necessary. ISO 9001:2015 only provides a rough process model, composed of four processes, that according to SAI Global Limited (2015) needs to be fulfilled in order to reach a respective certification. In fact, the corporate reality of most enterprises is much more difficult, so that more detailed processes are necessary to be able to operate in daily business. Accordingly, industries and enterprises usually split the four basic processes into a detailed process model. This leads to the situation that, at least in theory, every certified enterprise may have a completely individual process model.

ISO 9001:2015 defines its efforts towards continuous improvement of a quality management system as superficially as its process model. The standard generally only asks for continuous improvement as a black box and states the PDCA-cycle of Walter Deming as one possibility to achieve it (International Standardisation Organisation (2015a)). Concrete approaches of how the current state of a quality management system should be measured, and how the maturity of a single process should be classified in order to identify the virtue of undertaken improvement measures, are not provided. Thus, companies and industry branches are asked to develop individual approaches for the maturity measurement of ISO 9001:2015 processes.

Although the elementary definition of the ISO 9001:2015 standard and the concomitant flexibility of how to adapt it in practice can be considered an advantage, the related uncertainty has two major disadvantages.

First, due to the missing guidelines, the possibility and necessity of designing one’s own process models and individual improvement mechanics usually leads to a non-circumstantial increase in the cost and time needed to achieve a quality management system that is fit for use. As increased costs based on a fixed improvement potential within a company lead to a longer return on investment period, the endeavour of establishing an ISO 9001 quality management system loses a certain part of its allure.

Another disadvantage is that individual approaches within process models and continuous improvement efforts, for example in how to measure and classify the maturity of a process with a given objective, do not allow the benchmarking of measurement results in comparison with other companies or industries. With that, a huge potential of common best practices, which usually state a “learn from the best”-approach (Angermeier 2015), is lost.

Both of these disadvantages may lead a given enterprise to invest only in its process model and establish only rudimentary improvement mechanics, which may be enough to achieve the respective certification. According to Repenning & Sterman (2002), practice has shown that process models without a strong continuous improvement tend to erode over time, which, in the long term, may lead to a loss of the ISO 9001 certification.

None of these insights are new to the establishment of an ISO 9001 certified quality management system. Therefore, efforts have already been undertaken to combine the characteristics of ISO 9001 with best practices which provide a fixed process model and which are in possession of a respective improvement and maturity measurement instrument. CMMI (Capability Maturity Model Integration) has usually been used as the best practice approach to combine with ISO 9001. However, as Yoo et al. (2006) have highlighted, the different focuses of ISO 9001 and CMMI are a problem for a target-aimed combination in practice.

1.3 Thesis Statement and Research Objectives

The potential of combining ISO 9001:2015 with IT governance best practice approaches was identified. To address the described problems and focus on the related challenges when targeting such a combination, this research is going to establish a COBIT 5 PAM based maturity measurement instrument for ISO 9001 based process models. Accordingly, the thesis statement is as follows:

The continuous improvement mechanics of the ISO 9001:2015 standard can be enhanced by adapting the COBIT 5 PAM reference model.

Based on this statement, relevant research questions can be derived. These questions accumulate the thesis statement and guide the research in the desired direction.
• How can COBIT 5 domains and processes be mapped with respective elements of the ISO 9001:2015 process model in order to adapt COBIT 5 PAM?
• How can COBIT 5 PAM be used for ISO 9001:2015 based business processes such as marketing, sales or facility management?
• How are COBIT 5 and the related PAM framework capable of ensuring maturity measurement and (industry) benchmarking within common ISO 9001:2015 process landscapes?

According to the identified problem as well as to the thesis statement and the derived research questions, the following research objectives have been defined:

• Modelling relevant relationships between ISO 9001:2015 and COBIT 5 and developing a generic mapping table to align the respective processes.
• Prototyping a process measurement model applicable for ISO 9001:2015 based on the COBIT 5 PAM capability indicators.
• Validating the usability of the developed measurement model (qualitative case study approach).

Those objectives will guide the planned study. This study can be considered successful as soon as these objectives are achieved.

1.4 Limitations and Scope

In order to keep a clear focus as well as to balance the planned study within the relevant temporal and contextual borders, some limitations and restrictions need to be defined. Therefore, the intention of this study is to support process maturity measurement only for ISO 9001 certified process models that follow the basic rule set of the standard. Furthermore, the focus is set on process models of software development companies that are categorized as small or mid-sized enterprises in Switzerland. This limitation allows a clear focus on process models, which are influenced by governmental restrictions of only one single country. Together with the decision to leave out explicit processes and disciplines which only large companies are faced with, the planned study gains a clear focus towards a qualitative case study within the desired field (see figure 1).
Regarding the defined scope, process models that do not follow the ISO 9001 standard are not within the scope of the planned study. Process models of companies other than SME software development companies in Switzerland are also not relevant for this study. Finally, this study will not deal with any quantitative attempts.

Figure 1 Limitation & Scope of the Planned Study

1.5 Relevance

The measurement of process maturity within ISO 9001 process models is a topic with both theoretical and practical relevance.

From a scientific point of view, the combination of the ISO 9001:2015 standard with common best practices such as CMMI or EFQM provides major benefits in measuring and classifying process maturity within ISO 9001 process models. The planned study will provide a similar approach using COBIT 5 PAM as measurement instrument. As COBIT 5 PAM and the respective combination with ISO 9001:2015 are relatively new, not much scientific work has been done so far in this area. This study will try to eliminate essential drawbacks that former studies such as Yoo et al. (2006) had.

From the practical point of view, this planned study is addressing a challenge ISO 9001 certified companies have to deal with in daily business. With this approach, a toolset can be developed and established to allow such companies to benefit from the best practices of COBIT 5 and the related PAM framework without losing the ability to adapt this measurement framework to an individual ISO 9001 certified process model.

Based on these outlines, the planned study may be positioned as shown in figure 2 according to Dilger (2012) and Riehle (2011).

Figure 2 Rigor vs. Relevance of the Planned Study

1.6 Research Methodology

The study is inspired by an interpretivist research philosophy including an inductive research approach to achieve the research objectives defined within chapter 1.3. Furthermore, the study is guided by an exploratory purpose as well as by the design science research framework (see figure 3) as the underlying research strategy.

Figure 3 Design Science Research Framework (adapted from Hevner & Chatterjee (2010)). Phases and their outputs: Awareness (Proposal), Suggestion (Tentative Design), Development (Artifact (Prototype)), Evaluation (Performance Measure), Conclusion (Results).

With this strategy in mind, a triangulated approach is used in the study. Together with a cross-sectional, limited time horizon, this research framework leads to various techniques and procedures such as in-depth literature research and investigations along qualitative data samples. Thereby this literature is not only used for securing the awareness of the problem but also for the formulation of the suggestive tentative design and, even more, as the baseline for the development of the prototype model.

Based on the described research approach, the chapters of the master thesis are as pictured in figure 4.

Figure 4 Upcoming Chapters & Contents
• Chapter 2 Theoretical Foundation: Essentials of Quality Mgmt. & ISO 9001:2015; Process Maturity Measurement Approaches; Essentials of COBIT 5 and PAM
• Chapter 3 Research Methodology: Research Corner Stones; Design; Research Steps
• Chapter 4 Framework Mapping Baseline: ISO 9001:2015 Process Landscape for IT (GPM-IT); ISO 9001:2015 & COBIT 5 PAM Mapping Approach; Components of a Measurement Framework
• Chapter 5 The ISO 9001:2015 Process Improvement Prototype: PIP Overview; PIP Process Model Mapping; PIP Maturity Measurement; PIP Maturity Levels & Rating
• Chapter 6 Prototype Validation: Outline on the attending Company; ISO 9001:2015 PIP in Practice; Revealed Results & Insights
• Chapter 7 Conclusion: Research Question Coverage; Lessons Learned; Prospective Research

The study is situated within the field of action research, which means that the author is performing research within a concrete field of activity, in which he is himself active (Adelman (1993)). Therefore, the author states his own independence from outer influences in order to keep a clear and neutral focus for the present study.

2 Theoretical Foundation

Based on the introduction and the defined research objectives, this chapter is going to analyse the theoretical foundation within the field of study. Thereby in a first step, the process of literature review is described. Afterwards, the basic theory along quality management and process maturity measurement is analysed. Finally, an overview about former studies along the combination of both topics is given.

2.1 Literature Review Process

According to Hart (1998), a clearly defined process is necessary in order to be able to perform a sustainable and target-oriented literature review. Therefore, to prepare a rigorous scientific basis for the planned study, the used procedure is visualized in figure 5.

Figure 5 Literature Review Process (according to Hart (1998))
1. Terms: Identify relevant concepts
2. Languages: Define relevant research languages
3. Libraries: Search within common libraries
4. Practice: Enrich with knowledge from practical organisations
5. Overview: Provide an overview over all relevant literature
6. Extract: Summarize the relevant knowledge

First, the planned study and its surrounding fields need to be categorized into several terms of knowledge - based on keywords. Therefore, a number of global concepts and, for each of them, various subordinate concepts have been explored. Along those structured keywords, further research can be guided.

Within a second step, the relevant languages for research must be defined. Because the planned study is focused on Swiss based companies, English literature as well as German and probably even French or Italian literature may be relevant. Therefore, the search for the keywords defined within step 1 will be extended by translating the keywords into the above-mentioned languages.

Based on that, common scientific libraries such as NEBIS, Springer Link, Hanser e-Library, IEEE or Google Books will be analysed within a third step. Then, the identified scientific literature will be enriched by adapting practical knowledge out of standards and best practices from sources such as the International Standardisation Organisation (ISO) or ISACA.

Afterwards, all relevant scientific and practical literature found will be categorized within a structured literature overview during a fifth step. This list can be found within Appendix A (Structured Literature Review). Finally, a concentrated extract of relevant knowledge will be provided. This extract can be found within the subsequent sub chapters of this chapter 2.

2.2 Standards and Instruments

As mentioned in chapter 1.1 of this study, encroachments within a company’s strategy, structure and organisation may cause extensive cost and essential risks.
Not only for this reason, but also because of a certain similarity in challenges and boundaries different companies are faced with, industries have looked for normalized approaches that allow a single company to benefit from experiences of others. The result of this aspiration are standards and best practices, which are defined for many business aspects.

2.2.1 Perceptions

According to Strompen (2015), a standard is defined as a set of rules that has the objective of unifying a tangible good or an intangible procedure. Thereby various elements such as products (paper, screws, …), laws (legal norms), ethical and social merits or working processes and organisational forms may be standardized. In every case, the main objective of a standard is to facilitate reusability and comparability of the unified element across different stakeholders such as people, companies, industries or even countries.

Due to the versatility of standardized elements, establishment and maintenance of standards is a complex endeavour. Therefore, this task can be organized on three levels (Deutsches Institut für Normierung (2015)). On the lowest level, there are national norming institutes such as SN (Schweizerische Normenvereinigung) in Switzerland or DIN (Deutsches Institut für Normierung) in Germany. Standards released by these associations are valid only within the respective country. On a second level, there are transnational, European institutions such as CEN (Comité Européen de Normalisation) or ETSI (European Telecommunications Standards Institute) and on the top level, international institutes such as ISO (International Standardisation Organisation) or IEC (International Electrotechnical Commission) exist. Over these three levels, the adaption of superior standards is mandatory for all associated institutions and countries. Thereby the name of the standard indicates the initial publisher even if a standard is now valid on a higher level.
A common characteristic of every standard is its description on a very high-level basis and its focus strictly on results but not on how the result is achieved. For example, the standard DIN A4 only defines the size of a respective paper. Its diameter and even more the way it is produced are not part of the standard (Kuhn (1996)).

In contrast, a best practice (sometimes also called good practice, industry standard or de-facto standard) describes an attempt of unifying a certain topic by adapting an approved procedure of another company that is usually a leading player within the respective industry branch (Angermeier (2015)). Thereby, best practices have been developed over time and are usually described and maintained by the propagating company or a third party contractor.

Different from a standard, a best practice is a complete set of rules, guidelines and documentations that describes the respective topic in detail (Rohloff (2003)). Because a best practice is in fact a documentation of the as-is-state of the propagating company, best practices usually contain fine-grained process models with clearly defined inputs and outputs as well as specific guidelines for implementation and further improvement of the practice. This detailed documentation may help in understanding the concrete idea behind it, but it is often an obstacle in adapting the complete best practice. This is because a full implementation would mean adapting the entire company along the industry leader, which is not possible due to cultural and other boundaries. This means that best practices are first of all a recommendation on how to address a certain business challenge.

As a contrast to best practices, sometimes “worst practices” are provided as well, which highlight a practice that was not useful. Thereby other companies may benefit as well by preventing errors others have already made. Best practices are most widespread in industry in order to adapt production procedures.
Also in IT, best practices such as COBIT or ITIL are widespread.

2.2.2 Opportunities

Both standards and best practices, as they have similar objectives, are often titled under the term “Framework”. According to Repp et al. (2008), the introduction of a framework within a company generates various opportunities, which are visualized in figure 6.

Figure 6 Framework Introduction – Opportunities (adapted from Repp et al. (2008))

Repp et al. (2008) state that scientific literature as well as expert interviews highlight an improvement of performance and support capabilities as an important opportunity when introducing an IT governance framework. Besides that, experts state that an improved risk management, the support of compliance attempts as well as the common language within the organisation are further possible opportunities when introducing a framework. The literature highlights the best practice use, improved internal controls and an improvement in information security as positive aspects. Therefore, a certain difference between theory and practice is evident.

Nonetheless, the study from Repp (2008) has shown that companies can benefit from the introduction of an IT governance framework.

2.2.3 Risks

The introduction of standards and / or best practices is a complex organisational project, meaning that there are many potential risks, visualized within figure 7, that need to be handled.

Figure 7 Framework Introduction – Risks (adapted from Repp et al. (2008))

An important risk when introducing a framework is the resistance against organisational or cultural changes, which is highlighted by literature as well as interviews.
Furthermore and according to practical experience, missing knowledge and experience, the missing inclusion within existing risk management systems as well as the carelessness of employees are important risks. In contrast, scientific resources state a missing management commitment, the overlapping introduction of frameworks and insufficient implementation instructions as major introduction risks of IT governance frameworks. Once again, differences between literature and practice are recognizable.

As Repp et al. (2008) have investigated various IT governance frameworks, which means standards and best practices, with different focuses, the mentioned benefits and risks may be transferred to quality management. Therefore, the respective theoretical baseline is provided within the next chapter.

2.3 Quality Management

The management and controlling of quality are important fields within the activity of IT. Therefore, this chapter is going to shed light on its basic elements (quality and its management) and specific topics (e.g. quality management systems, standards and their relevance) around quality in IT and related standards.

2.3.1 Quality

According to the Gabler Business Dictionary (2015), the term quality can be defined along two different meanings. On the one hand, a neutral definition interprets quality as the sum of all characteristics of a given object. On the other hand, quality can be defined in a valued way, whereas the term defines the goodness of all characteristics of an object. Within the present study, the second interpretation of the term “quality” is mainly in focus.
Respectively, the common definition of quality from the International Standardisation Organisation (2015d), which is stated within the ISO 9000:2015 standard, enriches the attempt of the Gabler Business Dictionary (2015):

“Quality is the degree to which a set of inherent characteristics fulfils requirements.”

Related to the definition stated above, quality can be seen as the level of superposition of market requirements and company achievements (see figure 8).

Figure 8 Quality (adapted from Schmitt (2015))

However, according to Schmitt (2015), the comprehension of quality should be extended. Thereby the aspect of market requirements is unaltered but the aspect of company achievements should be divided into company alignment and company abilities. This is because quality should consider economic aspects such as resource optimization and profitability in order to ensure long-term company success. In a visualized form, this way of interpreting economic quality can be shown as in figure 9.

Figure 9 Economic Quality (adapted from Schmitt (2015)). Elements shown: Target Market Requirements; Actual Company Alignment; Actual Company Abilities; Actual Company Achievements; ECONOMIC QUALITY.

Nevertheless, quality is not only categorized along its contribution to the economic success of a company. According to Paul (2009), quality may also be structured along different perspectives, which were initially defined by David A. Garvin. According to these perspectives, quality is perceived and interpreted in five different ways as in table 1.

| Perspective | Description |
| --- | --- |
| Transcendental quality | This perspective perceives quality as an absolute and universally recognizable, not finally definable measure. This perspective states that quality is only sensible with a given amount of experience. It interprets quality as a non-measurable perfection. |
| Product-related quality | In comparison, the product-related perspective states that quality is measurable at any time. Furthermore, this approach states that qualitative differences can be quantitatively visualized. |
| User-related quality | User-related quality includes the necessary ability of products to meet individual customer requirements. This means that the chosen option is not the best one but the one that fits best for the designated purpose. |
| Process-related quality | This perspective defines quality as the satisfaction of specification and regulations. It means that good quality can only be reached if specific requirements are met. |
| Worth-related quality | Finally, worth-related quality describes the fulfilment of an achievement at acceptable cost. The idea behind is that over fulfilment is accepted but not rewarded by customers. |

Table 1 Five Perspectives of Quality of David A. Garvin (according to Paul (2009))

Based on the different interpretations of quality, it becomes clear that this field of activity is very dynamic. Therefore and because quality is a topic that affects every business, Philip B. Crosby has defined four basic absolutes for quality which are common for every endeavour within this field.

| Absolute | The idea behind |
| --- | --- |
| Quality is conformance to the requirements. | In order to be able to do “it” right, people within an organisation need to know what is meant with “it”. Therefore, it is necessary that all actions, which are relevant to run a company or produce a product or a service, are defined and agreed. |
| The system of quality is prevention. | The best way to achieve quality is to prevent errors. Therefore, a quality management system should prevent doing things wrong. To achieve that, Crosby states regular trainings, examples and discipline to be good instruments. Finally, the entire company must commit to a prevention-oriented culture. |
| The performance standard is “Zero Defects”. | The third absolute is set against the “close enough” mentality that must not be tolerated. According to Crosby, errors are simply too costly to ignore. Therefore, the entire company needs to transform towards the so-called “Zero Defects” culture. |
| The measurement of quality is the price of non-conformance. | The fourth and last of Crosby’s absolutes states that non-conformance can be used as a measure of efficiency and effectiveness of a company. |

Table 2 The Four Absolutes of Quality (according to Crosby (1979))

Based on these absolutes mentioned in table 2 as well as based on a concise interpretation of the term quality, the establishment of a quality-oriented culture is possible. However, as such attempts need a constant maintenance in order not to erode over time, continuous management of quality is inevitable.

2.3.2 Quality Management

The management of quality is an ongoing topic almost every company is faced with. As companies and businesses are subject to constant change, quality management also has to react to such changes in order to provide a constant or even improved level of quality. Thereby the discipline of quality management may be examined from two different points of view – a hierarchical and a functional.

First looking at the hierarchical aspects of quality management, this management discipline covers three related management areas, which are allocated on different levels (adapted from Benes & Groh (2014)).

Thereby the first and lowest management area is test management. Within this section, usually allocated in a company’s operative level, the focus is on the quality of products (or services), thus answering the question “What should be qualitatively managed?”.

One level above, process management is located. This management area is often a task allocated to the management level.
Thereby process management focuses on the quality of processes, where the bold question “How should it (meaning the product defined on level 1) be qualitatively managed?” should be answered.

Finally, on the third and highest level, the area of strategy management is located. Focusing on the quality of systems, which means the entire company and even its surrounding stakeholders, this quality management level answers the question “Who is responsible for quality management?”. Thereby strategy management is usually a task allocated to the board of directors.

According to Benes & Groh (2014), all three levels of quality management need to enforce each other in order to achieve quality as it is defined in the previous chapter. The typical mode of operation is top-down, meaning first defining strategic quality aspects, which lead to respective processes, which finally lead to qualitatively excellent products or services.

This collaboration is shown in figure 10 using the metaphor of a target disk. It is easy to hit the biggest circle of test management (by initiating operative test and quality endeavours), but achieving this circle alone is not sufficient to win. Therefore, a consequent aim toward the quality bull’s eye (as well as on all other smaller circles) is necessary to gain enough points in time. In the end, the game will be won on the outermost circle (the operational test management), as low points are needed at the end to hit the exact number of points in order to win.

Figure 10 Quality Target (own illustration - adapted from Benes & Groh (2014)). Rings of the target: 1 Test Management (What? Quality of Products); 2 Process Management (How? Quality of Processes); 3 Strategy Management (Who? Quality of Systems).

Beside this hierarchical view, quality management can be considered on a functional view as well.
This includes, according to Müller (2004), that quality management consists of different disciplines (see figure 11).

Figure 11 Quality Management Disciplines (adapted from Müller (2004)). Quality Management comprises: Quality Planning, Quality Steering, Quality Check, Quality Assurance, Quality Improvement.

Thereby, every discipline has its specific “raison d’être” that is described in table 3, down below.

| Quality Management Discipline | Description |
| --- | --- |
| Quality Planning | Focuses on external quality requirements of markets and customers. Based on that, planning of internal quality objectives with respect to boundaries such as resources is performed. |
| Quality Steering | The implementation of elements planned within quality planning. This discipline focuses on the fulfilment of quality requirements. |
| Quality Check | Contains the concrete examination of the quality of products and services. |
| Quality Assurance | This discipline focuses on the indemnity of defined quality requirements. |
| Quality Improvement | The generation of a culture of continuous improvement of processes and other factors of quality. This discipline is the engine of every quality management. |

Table 3 The Five Quality Management Disciplines (according to Müller (2004))

All these disciplines together are able to form “quality management” as an initiative to guide a company towards quality. Thereby, every discipline has its specific task within the overall system.

Figure 12 Quality Management Disciplines (adapted from Thom & Ritz (2000)). Axes: Quality Level over Time; elements shown: Quality Planning, Quality Steering, Quality Check, Quality Assurance, Quality Improvement.

The quality management disciplines visualized in figure 12 can be used on every hierarchical level previously introduced. Vice-versa, every hierarchical level of quality management has direct influence on the single quality management disciplines.
Therefore, quality management needs to be viewed as one big endeavour of a company, independent of hierarchy or function.

2.3.3 Quality Management System

Based on the deliberations within the previous chapters, it becomes clear that the management of quality is a challenging task for companies. Therefore and because of the fact that quality management generates equal challenges for companies out of different branches and of different sizes, specific quality management systems were developed.

According to the KMU Portal des Bundes (2015), a quality management system should allow a company to provide products and services on a constant and defined level of quality. Thereby quality management systems usually provide a set of processes as well as defined roles and functionalities, which are based on the theoretical insights on quality and its management.

Contrary to the concrete approach, a quality management system is not primarily focused on short-term improvements. Even more, it evolves its full economic potential only in the mid- and long-term. This is on the one hand because the establishment of a QMS generates high efforts and cost. On the other hand, quality management affects people, which leads to cultural changes when introducing a QMS. Such changes need time until they provide the desired improvements.

Nonetheless, the introduction of a quality management system may launch a functional chain that supports the long-term success of a company. Thereby, according to the KMU Portal des Bundes (2015), both an increase in productivity (due to an improvement in process and system quality) as well as in quality of a company’s output (due to an improvement in product quality) can be reached. Basis for such positive effects is a close involvement of the company’s employees as they are finally in charge when it comes to the transformation of a quality management system into daily practice (see figure 13).
Figure 13 Functional Chain of a QMS (adapted from KMU Portal des Bundes (2015)). Elements shown: Management Initiates Quality Management; Involve Employees; Increased Productivity; Decreasing Cost; Increased Output Quality; Satisfied Customer & Purchaser; Longterm Success.

During the last years, various standards and best practices for quality management systems were developed. Thereby, EFQM (European Foundation of Quality Management) as well as ISO 9001:2015 are the most widespread approaches for quality management in Europe (Schroll (2006)).

2.3.4 Quality Management Standard

Based on the clear focus of the present study on ISO 9001:2015, this chapter focuses on the related and well-known standard in version 2015. The standard’s basic process model is shown in figure 14:

Figure 14 ISO 9001:2015 Process Model (adapted from Hermann (2009))

Based on the process model in figure 14, the standard allows the development of company specific process landscapes. On the one hand, ISO 9001:2015 strictly focuses on a value added and efficient transformation of requirements into a measurable benefit for the customer. On the other hand, the ISO 9001:2015 standard also puts a focal point on the continuous improvement of a company. Therefore and according to the International Standardisation Organisation (2015a), the well-known PDCA-life cycle of Walter Deming (Deming (1982)) is an essential part of the present process model.

Beside the process model defined within the standard of ISO 9001:2015, the entire rule set provided by the International Standardisation Organisation contains further assistance for companies, which focuses on qualitative effectiveness.
For example, the standard ISO 9000 contains a set of eight quality management principles, which are listed within table 4.

| Principle | Official Description |
| --- | --- |
| 1. Customer focus | Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations. |
| 2. Leadership | Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization’s objectives. |
| 3. Involvement of people | People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization’s benefit. |
| 4. Process approach | A desired result is achieved more efficiently when activities and related resources are managed as a process. |
| 5. System approach to management | Identifying, understanding and managing interrelated processes as a system contributes to the organization’s effectiveness and efficiency in achieving its objectives. |
| 6. Continual improvement | Continual improvement of the organization’s overall performance should be a permanent objective of the organization. |
| 7. Factual approach to decision making | Effective decisions are based on the analysis of data and information. |
| 8. Mutually beneficial supplier relationships | An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value. |

Table 4 Eight Quality Management Principles (from International Standardisation Organisation (2012))

Based on these principles, the development and the long-term maintenance of a quality management system within a company become possible.
Thereby, the ISO 9000 family and especially the standard ISO 9001:2015 have been established as the leading guideline for quality management (Gvoic (2013)), which means that they are the most widespread approach compared to other relevant quality management systems. These are, according to Schroll (2006), the Capability Maturity Model Integration (CMMI), the European Foundation for Quality Management (EFQM) model, ISO 9001, ISO 15504 as well as the IT Infrastructure Library (ITIL).

In Switzerland, over 12’000 companies received an ISO 9001 certification until the end of 2013, whereas overall in Europe around 485’000 are certified according to the International Standardisation Organisation (2015b). This means that, relative to the overall population (where Swiss people contributed around 1.10 % to the European population in 2013), Switzerland has a factor 2.25 higher propagation of ISO 9001 certified companies than the European average. Thereby, and according to Schmutz (2013), most of the certified companies in Switzerland are SME companies.

Finally, when establishing an ISO 9001:2015 compatible quality management system in a Swiss-based company, the KMU Portal des Bundes (2015) estimates the cost of implementation as being around 30’000 to 50’000 Swiss francs, depending on the concrete starting point / compatibility of existing processes of the respective company. In general, this means that an adequate return on investment (ROI) is achievable when taking into account the potential benefits mentioned in this chapter.

2.3.5 Quality Management in Software Development

As mentioned in the introduction chapter, quality management has become a very important topic within software development.
This fact becomes visible when taking a look at the ISO Survey of Management System Standard Certifications (International Standardisation Organisation (2015b)). These statistics show that the IT industry, as a relatively young industry sector, is already ranked 12 out of 39 regarding the number of certified companies within the field. The number of approximately 27’000 worldwide certificates is of course quite small compared with the leading metal industry with almost 117’000 issued certificates by the end of 2013. However, taking a closer look highlights that the increase of certified companies in IT exceeds the increase in the metal industry by more than 15% since 1998.

Summing up, these figures underline the fact that IT companies around the globe are considering quality management as an important topic / management activity.

2.4 Process Maturity Measurement

Beside quality management, process maturity measurement is the second major field of activity within the present study. Accordingly, this chapter highlights the essential elements within this topic along a theoretical baseline.

2.4.1 Process

The basic element of process maturity measurement is the organisational construct “process” itself. According to Schmelzer & Sesselmann (2010), it can be defined as follows:

    A process consists of a sequence of activities, which generate a certain output out of a set of inputs.

This generic definition is true for every form of process. In fact, various forms of processes such as value creation processes, business processes or classical working processes can be distinguished. Thereby the focus of common maturity models is mainly set on business processes, which are defined by Schmelzer & Sesselmann (2010) as follows:

    A business process consists of a cross-functional and cross-organisational intersection of value added activities which generate a performance expected by the customer and which implement process goals derived from business strategy.
According to this more concrete definition, the keyword “process” is going to be used within the present study.

2.4.2 Process Reference Models

In daily practice, companies and organisations consist of a set of various business processes by which long-term success is ensured. As these sets of processes are usually very similar for companies in the same industry sector, certain reference models have been developed to provide a standard and comparable process landscape. For IT, ITIL V3, CMMI as well as COBIT 5 are the most widespread process reference models. Due to the specific focus of this study, COBIT 5 is analysed in more detail.

The COBIT 5 process model (see figure 15) is split into five different areas called EDM (Evaluate, Direct and Monitor), APO (Align, Plan and Organise), BAI (Build, Acquire and Implement), DSS (Deliver, Service and Support) and MEA (Monitor, Evaluate and Assess). Thereby one of these areas (EDM) focuses on strategic governance while the four other areas are used for operational management of IT. Furthermore, each of these areas is designed to cover a management topic that companies in information technology are faced with. Overall and according to ISACA (2013), 37 single processes are allocated to these five areas.

Figure 15 COBIT 5 Process Model (adapted from ISACA (2013c))

Beside a categorized landscape along these 37 processes, COBIT 5 provides even more detailed information about every single process. Thereby, the following areas listed in table 5 are covered:

| Terms | Description |
|---|---|
| Process Description | The description of a process enriches its name provided within the process model with additional information. |
| Process Purpose Statement | Within the purpose statement, the exact goal of the process related to the entire process landscape is described. |
| Outcomes (Os) | This section provides a list of process outcomes. |
| Best Practices (BPs) | Best practices are linked to a specific outcome and provide guidelines in order to generate the defined outcome as well as to fulfil the process purpose. |
| Work Products (WPs): Inputs, Outputs | Work products are concrete results, which can appear either as an input or as an output of a process. As well as best practices, they are linked with a respective outcome. |
| Characteristics | This section defines special aspects of a certain work product. |

Table 5 Additional Process Description Terms (from ISACA (2013c))

But COBIT 5, as an IT-governance reference model, does not only provide process-related information and guidelines, but also a detailed set of information and best practices along which the introduction of a respective process model may be successful for a company. One important part within this section are the so-called COBIT 5 principles visualized in figure 16.

Figure 16 COBIT 5 Principles (adapted from ISACA (2013c))
[Figure elements: 1. Meeting Stakeholder Needs; 2. Covering the Enterprise End-to-end; 3. Applying a Single Integrated Framework; 4. Enabling a Holistic Approach; 5. Separating Governance From Management]

However, according to ISACA (2013c) as well as based on Malzahn (2009), processes themselves are not the only critical success factor when defining a process landscape. There are many other factors of influence that determine whether such an implementation will be successful or not. COBIT 5 considers this proven fact by defining the so-called seven enablers (see figure 17).

Figure 17 COBIT 5 Enablers (adapted from ISACA (2013c))
Finally, when combining the process model mentioned in figure 15 together with all the additional information and guidelines, IT companies are able to set up a standardized and effective organisational structure. However, once initialized, every process model needs to be maintained.

2.4.3 Process Maturity

According to Repenning & Sterman (2002), the long-term success of any organisational structure needs to be maintained by strong and ongoing improvement measures. Process landscapes which are not continuously questioned and adapted along economic developments are going to erode over time.

In order to ignite the continuous improvement of processes, processes need to be classified according to how good each process is at the current moment. Thereby various aspects such as process performance, controlling and others are analysed. Based on such analyses, each process is classified within a model usually containing different levels of process maturity.

Figure 18 COBIT 5 PAM Capability Levels (adapted from ISACA (2013b))
[Figure elements: Level 0: Incomplete; Level 1: Performed (PA1.1 Process Performance); Level 2: Managed (PA2.1 Performance Mgmt., PA2.2 Work Product Mgmt.); Level 3: Established (PA3.1 Process Definition, PA3.2 Process Development); Level 4: Predictable (PA4.1 Process Measurement, PA4.2 Process Control); Level 5: Optimizing (PA5.1 Process Innovation, PA5.2 Process Optimization)]

As seen in figure 18 and described within table 6, COBIT 5’s process assessment model, called PAM, contains six different levels of process maturity, starting from level 0, assigned to incomplete processes, and moving up to level 5 for comprehensively optimized processes (ISACA (2013b)).

| Level | Official Description |
|---|---|
| 0 Incomplete | The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose. |
| 1 Performed | The implemented process achieves its process purpose. |
| 2 Managed | The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained. |
| 3 Established | The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes. |
| 4 Predictable | The previously described established process now operates within defined limits to achieve its process outcomes. |
| 5 Optimized | The previously described predictable process is continuously improved to meet relevant current and projected business goals. |

Table 6 COBIT 5 PAM & ISO/IEC 15504 Capability Levels (from ISACA (2013b))

These so-called COBIT 5 PAM capability levels are closely related to the respective standard ISO/IEC 15504, which contains exactly the same capability levels. This standard, also called SPICE for software process improvement and capability determination, was initially developed in 1993, for CMM (Capability Maturity Model), another process maturity measurement model. Nonetheless, the successor of CMM – CMMI – today uses a slightly different maturity model containing five levels from 1 to 5 (International Standardisation Organisation (2003)).

Along these maturity levels, processes within a company’s process landscape can be categorized according to their specific strengths and weaknesses. Therefore, the task of categorizing processes according to their maturity levels should be initiated by a company's management. However, according to COBIT 5’s principle number five mentioned within figure 16, the execution of process governance, which includes maturity categorization, should be clearly divided from the management of the process model.
2.4.4 Process Maturity Measurement

Along the capability levels introduced within the previous chapter, processes can be categorized. However, the concrete measurement itself is a complicated endeavour, as companies are different and their interpretation of reference model guidelines may vary. Even more, according to Andenmatten (2012b), wrong measuring or measuring process maturity with wrong objectives can lead to inadequate incentives within a company. This means that even though a company process and its involved employees probably deliver the desired results, a measurement too close to theoretical baselines may result in a low maturity level, which of course may cause frustration within an actually well running part of a company.

To address such challenges, process maturity models like COBIT 5 PAM as well as the respective international standard ISO/IEC 33001:2015 (International Standardisation Organisation (2015c)) contain measurement architectures that respect the company and process specific conditions.

Figure 19 COBIT 5 PAM Maturity Measurement

As shown within figure 19, maturity measurement in COBIT 5 PAM is based on so-called process attributes (PA), which are divided into process performance indicators (applied only on level 1) and process capability attribute indicators (used on level 2 to 5). Thereby every process attribute is directly allocated to a capability level.

While performance indicators are individual for every single process and are used to determine whether a process has reached level 1 or not, process capability attribute indicators are generic for all processes. Thereby, process capability attribute indicators contain generic practices (GP) and generic work products (GWP), which should be present within a process in order to reach a certain level.
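How attribute ratings turn into a capability level for one process, as an added example that is not part of the thesis or of COBIT 5 PAM material. It uses the process attributes of figure 18 and the N/P/L/F rating bands of table 7; the level rule (attributes of the level rated at least L, all lower-level attributes rated F) is the ISO/IEC 15504 rule and is an assumption not stated in the text, and the sample percentages are constructed.

```python
"""Added example: ISO/IEC 15504 style rating and capability level."""
from typing import Dict, List

# Process attributes allocated to each capability level (figure 18).
ATTRIBUTES_BY_LEVEL = {
    1: ["PA1.1"],
    2: ["PA2.1", "PA2.2"],
    3: ["PA3.1", "PA3.2"],
    4: ["PA4.1", "PA4.2"],
    5: ["PA5.1", "PA5.2"],
}


def rating_stage(percent: float) -> str:
    """Map an achievement percentage to N/P/L/F using the bands of table 7."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be within 0..100, got {percent}")
    if percent <= 15:
        return "N"  # not achieved: 0 - 15%
    if percent <= 50:
        return "P"  # partially achieved: >15 - 50%
    if percent <= 85:
        return "L"  # largely achieved: >50 - 85%
    return "F"      # fully achieved: >85 - 100%


def _ratings(achievement: Dict[str, float]) -> Dict[str, str]:
    return {pa: rating_stage(p) for pa, p in achievement.items()}


def capability_level(achievement: Dict[str, float]) -> int:
    """Highest level whose attributes are L or F while all lower ones are F.

    Assumed rule (ISO/IEC 15504); attributes without a rating count as N.
    """
    ratings = _ratings(achievement)
    level = 0
    for candidate in range(1, 6):
        stages = [ratings.get(pa, "N") for pa in ATTRIBUTES_BY_LEVEL[candidate]]
        if any(stage not in ("L", "F") for stage in stages):
            break  # this level is not reached
        level = candidate
        if any(stage != "F" for stage in stages):
            break  # reached, but not fully: no higher level is possible
    return level


def blocking_attributes(achievement: Dict[str, float]) -> List[str]:
    """Attributes that have to improve before the next level is reached."""
    ratings = _ratings(achievement)
    level = capability_level(achievement)
    if level == 5:
        return []
    # Everything up to the current level must be F for the next level ...
    blockers = [pa for lvl in range(1, level + 1)
                for pa in ATTRIBUTES_BY_LEVEL[lvl]
                if ratings.get(pa, "N") != "F"]
    # ... and the attributes of the next level must be at least L.
    blockers += [pa for pa in ATTRIBUTES_BY_LEVEL[level + 1]
                 if ratings.get(pa, "N") not in ("L", "F")]
    return blockers


# Constructed sample: assessor estimates (percent) for one process.
SAMPLE_ACHIEVEMENT = {
    "PA1.1": 95, "PA2.1": 90, "PA2.2": 70, "PA3.1": 60, "PA3.2": 55,
}

if __name__ == "__main__":
    print("level:", capability_level(SAMPLE_ACHIEVEMENT))
    print("improve first:", blocking_attributes(SAMPLE_ACHIEVEMENT))
```

In the sample, the level 3 attributes are already largely achieved, yet the process stays on level 2 because PA2.2 is only rated L.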
Finally, every attribute can be measured along a four-stage classification model; this model is a part of ISO/IEC 15504. The classification stages are described within table 7.

| Stage | Official Description |
|---|---|
| N (Not achieved / 0 – 15%) | There is little or no evidence of achievement of the defined attribute in the assessed process. |
| P (Partially achieved / >15 – 50%) | There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. |
| L (Largely achieved / >50 – 85%) | There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. |
| F (Fully achieved / >85 – 100%) | There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. |

Table 7 COBIT 5 PAM & ISO/IEC 15504 Rating Stages (from ISACA (2013b))

In conclusion, by combining a detailed process model with additional information and guidelines as well as with a maturity measurement model, the use of process reference models such as COBIT 5 allows for the establishment and maintenance of a goal-oriented and value-added process landscape.

2.5 Combinations

The theoretical elaboration in the area of quality management and process maturity measurement has shown that a combination of the ISO 9001:2015 standard for quality management systems with a process reference model can be worthwhile. However, the awareness of the advantages of such a combination is not a new insight. A first attempt, described by Paulk (1995), tried to combine ISO 9001 with the Capability Maturity Model (CMM), which was well known at that time.
Focusing primarily on similarities and differences of both ISO 9001 and CMM, Paulk (1995) stated that a sensible co-existence of both approaches providing mutual reinforcements is possible. The paper also identified huge challenges concerning the completely different focus of both approaches related to granularity level (standard versus best practice) and subject (quality versus process improvement). Finally, Paulk (1995) stated that ISO 9001 and CMM overlap significantly, but that a concrete mapping will not lead to success.

With the replacement of CMM by its successor CMMI, further analyses regarding the combination with ISO 9001:2000 have been done. For example, Yoo et al (2004) and Yoo et al (2006) have propagated a mapping model (see figure 20) which guides the implementation of CMMI for ISO 9001 certified companies.

Figure 20 Mapping of ISO 9001:2000 and CMMI (from Mutafelija and Stromberg (2003))

Beside the combination with CMMI, further analyses, e.g. by Bayo-Moriones (2011), highlight the combination potential of ISO 9001 and EFQM, while Aldowaisan & Youssef (2004) concretely focus on the implementation of an incremental ISO 9001 quality management system within small enterprises. All these studies mention the necessity of strong continuous improvement measures within ISO 9001 QMS. These studies also mention difficulties regarding different focuses and contexts of the single standards and best practices.

3 Research Methodology

This chapter describes the appropriate research strategy of the study. Thereby the research cornerstones as well as the concrete research chronology are determined in detail.

3.1 Research Corner Stones

According to Saunders et al. (2009), every research project is guided and defined by a specific research methodology.
Thereby, this methodology consists of various aspects, which are usually organized and visualized within a so-called research onion. For this study, the adapted form of this onion is shown in figure 21.

Figure 21 Research Corner Stones (adapted from Saunders et al. (2009))
[Figure elements, from outermost to innermost layer: Philosophy: Interpretivism; Approach: Inductive; Purpose: Exploratory; Strategy: Design Research; Choice: Mixed-Method Research; Time Horizon: Cross-Sectional; Techniques: Samples, investigation]

On the outermost sphere of the research methodology, the basic philosophy is defined. Thereby this study is arranged around an interpretivist research philosophy. This is because, according to Saunders et al. (2009), an interpretivist study is well suited for research topics around organisational behaviour. Furthermore, Walsham (1993) defines interpretivism as a form of study that generally attempts to understand a certain topic along the meaning a society assigns to it. Thereby the understanding of the entire context of a topic is of high importance, which is true for the present study.

Beside the philosophy, a research project is also guided by a specific research approach. This approach is clearly inductive for the present study, as an advanced problem understanding is the basis for the development of a process maturity measurement model for quality management systems. Furthermore, an inductive research approach allows a flexible structure to be able to react to changing boundaries during research, which is necessary due to the imminent release of ISO 9001:2015, which could directly influence the present study. In addition, according to Saunders et al. (2009), inductive research has a focus on qualitative, rather small samples of data, which is true for this study as well.
Regarding the research purpose, this study is guided by an exploratory purpose, as the aim is to explore new insights by allowing QMS process maturity measurement through the combination of two well-known standards and best practices. This main objective also guides the present study towards the so-called design science research strategy of Hevner & Chatterjee (2010) (see figure 22). This is because the resolution of a problem and the generation of a new model or artefact is in focus (Hinkelmann & Witschel (2014)).

Figure 22 Design Science Research Framework (adapted from Hevner & Chatterjee (2010))
[Figure elements: Awareness (see 3.2.1): Proposal; Suggestion (see 3.2.2): Tentative Design; Development (see 3.2.3): Artifact (Prototype); Evaluation (see 3.2.4): Performance Measure; Conclusion (see 3.2.5): Results]

Based on the defined purpose and strategy, research choices can be defined. The present study is following a mixed-method research choice. The reason is the fact that the study has, due to its research purpose, a qualitative focus, which is supplemented by quantitative data collected during the review of relevant literature (Saunders et al. (2009)).

Taking into focus the temporal aspect of the planned study, its time horizon is cross-sectional. According to Saunders et al. (2009), this means the study highlights the defined topic during a given and limited period. Given the fixed length of a master thesis, this limitation is clearly true.

Finally, all these research aspects lead to the selection of a certain set of research techniques and procedures. As a huge amount of well-documented literature and practical samples is available for the planned study, these techniques are mainly focused on such samples and further investigations along the literature. Further research techniques such as interviews or questionnaires (Hinkelmann & Witschel (2014)) are not used.
3.2 Design Research Steps

According to the design science research framework of Hevner & Chatterjee (2010), every single step within this process is guided by specific objectives, which focus on target-aimed research. Thereby, the overall objective is to generate a competitive advantage by adapting scientific knowledge along a practical problem which is defined, according to Beckman & Barry (2007), as design thinking. Therefore, every step in the study is described.

3.2.1 Awareness

This very first step contains the development of the scientific baseline. It includes the definition of relevant research attributes such as thesis statement and research objectives as well as the detailed investigation of the literature as described within chapter 2.1. Additionally, the appropriate research methodology is determined.

3.2.2 Suggestion

Within this part of the research process, the literature compiled and analysed in the previous research will be used to determine possible solutions for approaches in order to develop a maturity measurement prototype for ISO 9001 certified process models. As various solutions are conceivable, this step will also include a weighting of specific strengths and weaknesses of every single approach. By the end of this step, the preferred solution approach needs to be defined along the theoretical baseline.

3.2.3 Development

The development of the prototype is based on the revealed insights of the suggestion phase. Thereby, a concrete model to measure process maturity in ISO 9001 process models will be defined. For this, the design science research cycles defined by Hevner & Chatterjee (2010) need to be taken into focus.
Figure 23 Design Science Research Cycles (adapted from Hevner & Chatterjee (2010))

As figure 23 illustrates, the research work along the design science approach is about balancing the environment and the theoretical knowledge base. On the one hand, research activities collect practice-oriented requirements and test fulfilment by performing field trials within a so-called relevance cycle. On the other hand, design science research is influenced by a theoretical knowledge base (see chapter 2 of this study) which is grounding the performed research. Thereby, new insights provided by research activities may lead to an adaption of the knowledge base.

The research activities themselves are performed within an iterative sequence of building new artefacts and evaluating them along theory and practice. The orientation along the design science research strategy of Hevner & Chatterjee (2010) means that both perspectives need to be taken into account. These are, on the one hand, the practical requirements represented in a qualitative form by Glaux Soft AG, the supporting company within the qualitative case study (see chapter 6), and, on the other hand, the theoretical baselines for developing a prototype that allows the measurement of process maturity within ISO 9001 process models. According to Hess et al. (2014), this procedure is typical for design- and practice-oriented research endeavours in Europe.

3.2.4 Evaluation

Within the evaluation step, the previously developed prototype will be tested alongside the current ISO 9001 certified process model of the selected unit of analysis (Glaux Soft AG). Thereby on the one hand, maturity levels should result for Glaux Soft’s processes, which allow the company to set priorities along further improvement measures.
As Glaux Soft AG will be faced with a full ISO 9001:2015 recertification by the end of 2016, this evaluation should help setting the right priorities in order to regain the respective ISO 9001:2015 certification at that given point. On the other hand, the practical adaption of the prototype should allow further improvement of the process maturity measurement model towards a target-aimed instrument deliverable in daily practice.

3.2.5 Conclusion

Within the last step of the design science research strategy, the entire research project will be concluded regarding its specific potential at that given time. At the same time, still existing limitations will be described in order to classify the performed work from both a practical as well as a theoretical point of view. Finally, an outline of possible next steps should be provided.

4 Components of a Measurement Framework

Based on the insights described within the previous chapters, a relevant approach of measuring process maturity for quality management systems is to combine both ISO 9001:2015 and COBIT 5 PAM.

4.1 Combining Standards & Frameworks

A combination between different standards and / or frameworks has to be performed in a structured way (Alter & Goeken (2009)). Based on this combination, various aspects of a target-aimed combination could be derived. This led to the individual development of the following mapping approach for two different standards and / or frameworks.

4.1.1 Combination Dimensions

When combining two different standards or frameworks within the field of IT governance, their mapping is influenced by two dimensions: The similarity potential, meaning the grade of how many elements from one methodology can be adapted within another one, needs to be taken into account.
The second dimension is the aspect of mapping granularity, describing how well a single element of one methodology can be mapped with a similar element of another. In table 8, the two dimensions are described in detail.

| Combination Dimension | Low Level | High Level |
|---|---|---|
| Similarity Potential | A low similarity potential means a combination of two standards or frameworks where only few elements of the one methodology can be used within the other. Respectively, most concepts need to be individually developed or adapted. | A high similarity potential describes a combination of standards or frameworks that allows the reuse of many elements of one methodology within the other. In consequence, none or only few elements need to be individually developed or adapted. |
| Mapping Granularity | A low level of mapping granularity describes a combination of two standards or frameworks on a rough level. Respectively, similar elements of both methodologies cannot be mapped with each other or only on a vague level, which makes such a combination difficult to comprehend. | A high level of mapping granularity means a combination of two standards or frameworks where similar elements of both methodologies can be mapped in detail. Respectively, such a mapping is comprehensible and clear. |

Table 8 Combination Dimensions

Regardless of the field of activity and the concrete standards or frameworks that should be mapped with each other, these two combination dimensions mentioned within table 8 always act in the same way. Thereby, similarity potential and mapping granularity interact with one another, meaning that the higher the similarity potential of a certain combination, the lower the mapping granularity and vice versa. Therefore, a trade-off needs to be defined for every specific combination of two standards or frameworks.

4.1.2 Combination Level

Another aspect of the combination of different standards and frameworks is the level on which a respective combination is performed.
In general, as described by ISACA (2010), these levels can be either high-level, meaning a maximised similarity potential and minimal mapping granularity, or low-level, where the mapping granularity is maximised and the similarity potential is low. These levels are visualised within figure 24.

Figure 24 Generic Levels of Combination (own visualisation)

Unlike the combination dimensions, certain levels of combination need to be defined specifically for each desired combination, meaning that individual aspects and characteristics of the standards and frameworks need to be taken into account. Within the following chapters, these technologies will be used toward the achievement of the defined study objectives.

4.2 Specific Combination Levels

Based on the combination procedure explained within the previous chapter, the specific levels for the desired combination of ISO 9001:2015 and COBIT 5 PAM need to be defined. Thereby, the four levels presented in figure 25 are relevant.

Figure 25 Different Mapping Levels (own visualisation)

Each level has a specific similarity potential and a given mapping granularity. On the highest level, a combination on the methodology level is conceivable, whereas on the lowest level, a mapping on maturity levels is possible. In between, the more balanced combination approaches on process and indicator level are situated.

All of these four levels need to be investigated in order to be able to select the right level of combination for the desired combination of ISO 9001:2015 and COBIT 5 PAM. Accordingly, they are described in detail in the following text.

4.2.1 Methodology

A combination of ISO 9001:2015 and COBIT 5 PAM on methodology level describes a mapping of both entire methodologies with each other. This is, due to the different characteristics and focuses of both ISO 9001:2015 and COBIT 5 PAM, not possible.
Accordingly, this hypothetical combination level has a mapping granularity of zero (see figure 25), which indicates the lack of mapping possibilities. Adapting such a combination in practice would lead to the usage of both methodologies independent from each other. ISO 9001:2015 would still have no comparable maturity measurement methodologies (see figure 26). Therefore, no synergies can be generated, which finally leads to a non-optimal operation in daily business.

Figure 26 Combination on “Methodology”-Level

4.2.2 Process

One level below, a mapping of ISO 9001:2015 and COBIT 5 PAM on process level is conceivable. The basic idea behind this is to map the processes of ISO 9001:2015 and COBIT 5 PAM which have similar characteristics such as purpose, inputs & outputs and others. By doing that, all aspects of COBIT 5 PAM such as indicators, practices and maturity levels, which are allocated along a specific COBIT 5 process, can be reused within the desired prototype (see figure 27). Accordingly, the similarity potential is quite high (see figure 25).

Regarding the mapping granularity, both methodologies are process-oriented, which in general makes a mapping possible. However, the different focuses of both methodologies may lead to a missing mapping of, for example, sales and marketing processes in ISO 9001:2015 that are not present in COBIT 5. Therefore, the mapping granularity is rather low (see figure 25).

Figure 27 Combination on “Process”-Level

4.2.3 Indicator

Furthermore, a mapping of the desired standards and frameworks on indicator level is possible. This means that specific indicators and practices need to be developed along the ISO 9001:2015 process model (see figure 28), which drives the similarity potential to an even lower level (see figure 25).
On the other hand, the mapping granularity is quite high because a mapping on such a low level generates many more contact points (every single indicator and practice). Respectively, a mapping on indicator level will be much easier to realize than on the previous levels.

Figure 28 Combination on "Indicator"-Level

4.2.4 Maturity Level

On the lowest level, a combination on maturity levels is another hypothetical possibility. Hypothetical because such a combination in fact is an ISO 9001:2015 specific replica of COBIT 5 PAM (see figure 29), which leads to a similarity potential of zero (see figure 25). However, the mapping granularity is maximised in this case because it is possible to redesign the elements of COBIT 5 PAM with direct focus on the requirements of an ISO 9001:2015 related process model. However, as for a mapping on methodology level, such a combination is not a mapping of both approaches at all.

Figure 29 Combination on "Maturity Level"-Level

4.3 Mapping on Process Level

Based on the analyses performed in the previous chapters, the most useful mapping for ISO 9001:2015 and COBIT 5 PAM results from a combination on the process level. This is because all elements of COBIT 5 PAM can be reused while having a suitable mapping granularity.

Figure 30 Map ISO 9001:2015 and COBIT 5 PAM

By mapping both standards / frameworks on the process level, it is on the one hand possible to reuse the entire maturity measurement expertise of COBIT 5 PAM. Therewith, a lowering of the specific analysis and measurement potential of COBIT 5 PAM can be prevented. This is because, unlike with a mapping on indicator level, most of its given elements and functionalities are reused as a whole (see figure 30). On the other hand, the process model of ISO 9001:2015 can be used as a common entry point into the Process Improvement Prototype (see chapter 5).
As it is common to adapt and refine the high-level process model of the ISO standard (see figure 14), a usage of the prototype will generate a certain recognition value.

Furthermore, a combination of two standards and / or frameworks on process level is a common approach within the field of IT governance. While Glenfis AG (2011) is performing a respective mapping between COBIT 5 and ITIL Edition 2011, ISACA (2010) is operating in a very similar manner when mapping COBIT 4.1 with the FFIEC (US Federal Financial Institutions Examination Council) IT Examination Handbook.

4.4 Generic Process Landscape for IT SMEs

The decision to combine ISO 9001:2015 and COBIT 5 PAM on process level is an essential baseline for the generation of the Process Improvement Prototype. However, by combining ISO 9001:2015 and COBIT 5 PAM on process level, the necessity of a generic, ISO 9001:2015-adapted process map is obvious. This process map generalizes individual aspects of the ISO 9001 certified process models, which will be assessed with the Process Improvement Prototype.

4.4.1 IT Process Map of the Swiss Federal Administration

While dealing with SME IT companies in Switzerland, it became clear that almost all of these companies are handling information about their processes and internal organisation confidentially. Therefore, the development of a generic ISO 9001:2015 process map from examples of different companies within the target audience has become a non-realistic endeavour. Respectively, a different solution approach had to be developed.

As some of the contacted companies mentioned the generic IT process landscape of the Swiss federal administration as the starting point of their individual process maps (among others Lemberg (2015)), further analyses of this process model showed a close interlinkage with the cornerstones defined by the ISO 9001:2015 standard (ISB (2015)).
Therefore, the present study defines this process model as the central element of the generic ISO 9001:2015 process landscape.

The Swiss federal IT process map (see figure 31) is a process framework consisting of nine different processes, which are in close cooperation with each other and are categorized within three process categories.

Figure 31 Swiss Federal IT Process Map (from ISB (2015))

Three management processes are focused on strategic challenges within the IT, whereas three core processes cover daily activities within information technology. Finally, three support processes support the six management and core processes with specific services and solutions. Every single process has its specific activities, objectives, inputs, outputs and roles that are necessary to perform the process in its desired way. For further details, please see Appendix B (Generic Process Map for IT SMEs in Detail).

4.4.2 Extensions to the Swiss Federal IT Process Map

The Swiss federal IT process map, as mentioned within the previous chapter, covers most of the organisational topics Swiss-based SME companies are faced with. However, as this process model is focused on IT departments within the federal administration, two important fields of activity, which are focused on external interaction with customers, are not covered within this process model: marketing and sales. Therefore, the Swiss federal IT process map must be expanded with two additional processes in order to meet the requirements of the generic ISO 9001:2015 process model for IT SMEs (GPM-IT).

On the one hand, a strategic management process called "Strategic Marketing" has been added to the process model. The objective of this process is to ensure an adequate external and internal communication with all stakeholders.
This includes the management and maintenance of communication channels as well as the definition of respective CI/CD-regulations and best practices.

On the other hand, an additional core process called "Sales" is added to the process model. Within this process, sustainable customer relationships should be established in order to ensure the long-term survival of the company. Thereby, this new process is an upstream process for all other core processes.

Both new processes are linked with the existing nine processes mentioned within the Swiss federal IT process map. Details on these specific inputs and outputs as well as on the defined roles for these processes are also available within Appendix B (Generic Process Map for IT SMEs in Detail).

4.4.3 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT)

Based on the Swiss federal IT process map and combined with the necessary extensions, a generic ISO 9001:2015 process model for small and mid-sized IT companies in Switzerland (GPM-IT) can be defined.

Figure 32 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT) (adapted from ISB (2015))

As visualized within figure 32, the generic ISO 9001:2015 process model consists of 11 processes. Based on these processes, every single IT company should be able to match its specific ISO 9001:2015 processes with one of these generic processes. Respectively, the Process Improvement Prototype (see chapter 5) becomes usable.

Within a next step, each of these 11 generic processes needs to be mapped with one or more processes out of the COBIT 5 framework in order to be able to use the defined maturity measurement technologies, which are allocated to every COBIT 5 process within the COBIT 5 PAM framework.
4.5 ISO 9001:2015 versus COBIT 5 PAM Mapping Approach

Based on the GPM-IT (figure 32), each process is mapped with one or more of the COBIT 5 processes (see table 9). Along this mapping, the relevant process maturity measurement capabilities of COBIT 5 PAM can be derived.

Within the table below, the left column indicates the process of the GPM-IT that is mapped with the COBIT 5 processes presented in the right column. The mapping accuracy of the two processes can be seen in the middle column. A higher accuracy means processes that are more congruent.

| Generic ISO 9001:2015 Process | Mapping Accuracy | COBIT 5 Process |
|---|---|---|
| Management Process 01 IT Management | | Evaluate, Direct and Monitor (EDM): EDM01 Ensure Governance Framework Setting and Maintenance |
| Management Process 01 IT Management | | Evaluate, Direct and Monitor (EDM): EDM03 Ensure Risk Optimization |
| Management Process 01 IT Management | | Align, Plan and Organise (APO): APO01 Manage the IT Management Framework |
| Management Process 01 IT Management | | Align, Plan and Organise (APO): APO02 Manage Strategy |
| Management Process 01 IT Management | | Align, Plan and Organise (APO): APO03 Manage Enterprise Architecture |
| Management Process 01 IT Management | | Monitor, Evaluate and Assess (MEA): MEA01 Monitor, Evaluate and Assess Performance and Conformance |
| Management Process 01 IT Management | | Monitor, Evaluate and Assess (MEA): MEA03 Monitor, Evaluate and Assess Compliance With External Requirements |
| Management Process 04 IT Steering | | Evaluate, Direct and Monitor (EDM): EDM04 Ensure Resource Optimization |
| Management Process 04 IT Steering | | Align, Plan and Organise (APO): APO05 Manage Portfolio |
| Management Process 04 IT Steering | | Align, Plan and Organise (APO): APO09 Manage Service Agreements |
| Management Process 04 IT Steering | | Align, Plan and Organise (APO): APO12 Manage Risk |
| Management Process 08 Maintain IT-Processes | | Align, Plan and Organise (APO): APO11 Manage Quality |
| Management Process 08 Maintain IT-Processes | | Deliver, Service and Support (DSS): DSS06 Manage Business Process Controls |
| Management Process 08 Maintain IT-Processes | | Monitor, Evaluate and Assess (MEA): MEA02 Monitor, Evaluate and Assess the System of Internal Control |
| Management Process 10 Strategic Marketing | | Evaluate, Direct and Monitor (EDM): EDM05 Ensure Stakeholder Transparency |
| Management Process 10 Strategic Marketing | | Align, Plan and Organise (APO): APO08 Manage Relationships |
| Core Process 05 Solution Development & Deployment | | Evaluate, Direct and Monitor (EDM): EDM02 Ensure Benefits Delivery |
| Core Process 05 Solution Development & Deployment | | Align, Plan and Organise (APO): APO04 Manage Innovation |
| Core Process 05 Solution Development & Deployment | | Build, Acquire and Implement (BAI): BAI01 Manage Programmes and Projects |
| Core Process 05 Solution Development & Deployment | | Build, Acquire and Implement (BAI): BAI02 Manage Requirements Definition |
| Core Process 05 Solution Development & Deployment | | Build, Acquire and Implement (BAI): BAI05 Manage Organisational Change Enablement |
| Core Process 05 Solution Development & Deployment | | Build, Acquire and Implement (BAI): BAI06 Manage Changes |
| Core Process 05 Solution Development & Deployment | | Build, Acquire and Implement (BAI): BAI07 Manage Change Acceptance and Transitioning |
| Core Process 05 Solution Development & Deployment | | Build, Acquire and Implement (BAI): BAI08 Manage Knowledge |
| Core Process 06 Operate IT-Infrastructure & -Services | | Align, Plan and Organise (APO): APO13 Manage Security |
| Core Process 06 Operate IT-Infrastructure & -Services | | Build, Acquire and Implement (BAI): BAI03 Manage Solutions, Identification and Build |
| Core Process 06 Operate IT-Infrastructure & -Services | | Build, Acquire and Implement (BAI): BAI04 Manage Availability and Capacity |
| Core Process 06 Operate IT-Infrastructure & -Services | | Build, Acquire and Implement (BAI): BAI10 Manage Configuration |
| Core Process 06 Operate IT-Infrastructure & -Services | | Deliver, Service and Support (DSS): DSS01 Manage Operations |
| Core Process 06 Operate IT-Infrastructure & -Services | | Deliver, Service and Support (DSS): DSS03 Manage Problems |
| Core Process 06 Operate IT-Infrastructure & -Services | | Deliver, Service and Support (DSS): DSS04 Manage Continuity |
| Core Process 06 Operate IT-Infrastructure & -Services | | Deliver, Service and Support (DSS): DSS05 Manage Security Services |
| Core Process 07 User Support | | Deliver, Service and Support (DSS): DSS02 Manage Service Requests and Incidents |
| Core Process 11 Sales | | No comparable COBIT 5 process is available. |
| Support Process 02 Skills Development | | Align, Plan and Organise (APO): APO07 Manage Human Resources |
| Support Process 03 Procurement | | Align, Plan and Organise (APO): APO10 Manage Suppliers |
| Support Process 03 Procurement | | Build, Acquire and Implement (BAI): BAI09 Manage Assets |
| Support Process 09 Support Financial Management | | Align, Plan and Organise (APO): APO06 Manage Budget and Costs |

Table 9 Mapping Generic ISO 9001:2015 and COBIT 5 Processes

Table 9 shows that all generic processes except process 11 (Sales) are covered by at least one COBIT 5 process. Respectively, individual processes allocated around the sales topic and mapped with process 11 will not be assessed within the planned prototype. This is because COBIT 5 does not address the sales topic. For all other individual processes, this mapping, described in detail within Appendix C (Generic Process Map and COBIT 5 Detailed Process Mapping), allows the usage of specific maturity measurement elements of COBIT 5 PAM in order to assess a certain ISO 9001:2015 process, which allows the categorization and future optimization of such processes.

5 ISO 9001:2015 Process Improvement Prototype

The Process Improvement Prototype (PIP) is based on the previous chapters. Respectively, the prototype contains methodologies that allow the mapping of individual ISO 9001:2015 processes with a process of the GPM-IT. Furthermore, various process maturity measurement tools, which allow the analysis and categorisation of typical ISO 9001:2015 processes in IT, are provided.

5.1 Overview

The PIP covers two major fields of activity, which continuously interact with each other as outputs of the one activity become inputs of the other and vice versa. This linkage as well as particular processes of those two fields are visualized in figure 33.
Figure 33 Process Improvement Prototype (PIP)

The elements of the Process Improvement Prototype (PIP) are described in further detail within the following chapters.

5.2 Process Model Mapping

One major activity of the PIP allows the allocation of company-specific ISO 9001:2015 processes with the given processes of the GPM-IT. The necessary steps are shown in figure 34.

Step 1: Process Model (see 5.2.1) | Step 2: Comparison (see 5.2.2) | Step 3: Connection (see 5.2.3)

Figure 34 PIP ISO 9001:2015 Process Model Mapping Steps

Along these three steps, the mapping of the two process models, the basis for all other maturity measurement tasks, is possible.

5.2.1 Process Model

The PIP operates based on the GPM-IT (figure 35), which is described in detail in Appendix B (Generic Process Map for IT SMEs in Detail) of the study.

Figure 35 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT) (adapted from ISB (2015))

Based on this process model, users of the PIP need to allocate their individual ISO 9001:2015 processes by performing the activities described within the next subchapters.

5.2.2 Comparison

The mapping of an individual ISO 9001:2015 process with one of the eleven processes of the GPM-IT needs to be performed in a structured way. Therefore, the PIP provides an instrument which allows the analysis and comparison of two given processes along five different aspects. This comparison is described within table 10.

| Aspect | Description |
|---|---|
| Process Inputs | This aspect focuses on the inputs a given process consumes from its environment. The more similar process inputs are, the more equal are two processes in general. |
| Process Outputs | Every process should provide a given work result that is defined as an output to its environment as well as to other processes (where such a work product is an input). Similar outputs therefore are an evidence for related processes. |
| Process Objectives | Every process is performed with a given objective in mind. Therefore, comparable process objectives may lead to very comparable processes. |
| Process Activities | Within every process, one or more activities are performed that support the reach of the objectives as well as the production of the defined outputs. Again, similar activities usually lead to similar processes. |
| Process Roles | Within every process, certain roles are involved. Therefore, similar roles and responsibilities may be an evidence for a high mapping potential of two processes. |

Weighting (applies to all five aspects): For every aspect, the individual, subjective coverage of the two selected processes is defined as a percentage. To detect the overall mapping accuracy, the average of the five compared aspects is calculated.

Table 10 PIP Weighting Aspects

With these five weighting aspects, combined within an overall mapping accuracy, a very detailed categorisation of a given process combination can be defined. However, these detailed results need to be categorized in a more general way in order to be able to determine whether a performed comparison is adequate or not. Therefore, the PIP provides as a second instrument a three-step status concept (see table 11) that allows a general categorisation of a given comparison.

| Status | Description | Overall Mapping Accuracy |
|---|---|---|
| Green | Process mappings with this status have a high overall mapping accuracy. Their usage within the PIP needs no further action. | >= 80 % |
| Yellow | Process mappings with a yellow mapping status can be used for the PIP, but further analyses should be done in order to identify the present differences. Probably, a better mapping with another process of the GPM-IT can be achieved. | >= 50 % - < 80 % |
| Red | Process mappings with status red cannot be used within the PIP as their differences are too fundamental. Therefore, the usage of the standardized process maturity measurement components may lead to wrong results. | < 50 % |

Table 11 PIP Mapping Statuses

Based on these two supporting instruments, a mapping of every individual ISO 9001:2015 process with one of the eleven processes of the GPM-IT should be achievable.

5.2.3 Connection

Both the GPM-IT and the instruments defined within the previous chapter are adapted within the following mapping tool. This tool, listed as tool number 1 within the overview of the PIP (see figure 33) as well as within Appendix F (Process Improvement Prototype (PIP)), supports the definition of a proper process mapping necessary for the usage of the PIP in practice.

Figure 36 Generic & Specific ISO 9001:2015 Process Mapping Tool

5.3 Process Maturity Measurement

Within the Process Improvement Prototype, the second major component is to measure process maturity. This is organised along a five-step procedure (see figure 37), which is closely related to the COBIT 5 self-assessment process (ISACA (2013a)).

Step 1: Process (see 5.3.1) | Step 2: Scope (see 5.3.2) | Step 3: Measurement (see 5.3.3) | Step 4: Level (see 5.3.4) | Step 5: Improvement (see 5.3.5)

Figure 37 PIP Maturity Measurement Procedure (adapted from ISACA (2013a))

Once generic and specific ISO 9001:2015 process maps are combined (see chapter 5.2), the sequential execution of the PIP maturity measurement procedure guides its users towards a structured process maturity measurement that allows target-aimed improvements within the process landscape. Thereby, the five necessary steps are described within the following subchapters.
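
The comparison instrument of chapter 5.2.2, written out as an added example (it is not part of the thesis or of the PIP tools): it averages the five aspect coverages of table 10, applies the status thresholds of table 11, ranks several GPM-IT candidates for one company process, and marks mappings that cannot be assessed (red status, or process 11 Sales, which has no COBIT 5 counterpart in table 9). The aspect keys, function names, company process names and coverage values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The five comparison aspects of table 10 (key names are assumptions).
ASPECTS = ("inputs", "outputs", "objectives", "activities", "roles")

# GPM-IT process without a COBIT 5 counterpart (table 9); processes mapped
# to it cannot be assessed with the COBIT 5 PAM instruments.
NOT_ASSESSABLE = {"11 Sales"}


@dataclass(frozen=True)
class Mapping:
    company_process: str
    gpm_process: str
    accuracy: float   # overall mapping accuracy in percent
    status: str       # "green", "yellow" or "red" (table 11)
    assessable: bool  # False for red mappings and for 11 Sales


def overall_accuracy(coverage):
    """Average of the five subjective coverage percentages (table 10)."""
    missing = [a for a in ASPECTS if a not in coverage]
    unknown = [a for a in coverage if a not in ASPECTS]
    if missing or unknown:
        raise ValueError(f"missing aspects {missing}, unknown aspects {unknown}")
    for aspect, value in coverage.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{aspect}: {value} is not a percentage")
    return sum(coverage[a] for a in ASPECTS) / len(ASPECTS)


def mapping_status(accuracy):
    """Three-step status concept of table 11."""
    if accuracy >= 80:
        return "green"
    if accuracy >= 50:
        return "yellow"
    return "red"


def map_process(company_process, candidates):
    """Compare one company process with several GPM-IT candidates and
    return them as Mapping objects, highest overall accuracy first."""
    if not candidates:
        raise ValueError("at least one GPM-IT candidate is required")
    ranked = []
    for gpm_process, coverage in candidates.items():
        accuracy = overall_accuracy(coverage)
        status = mapping_status(accuracy)
        assessable = status != "red" and gpm_process not in NOT_ASSESSABLE
        ranked.append(Mapping(company_process, gpm_process,
                              accuracy, status, assessable))
    ranked.sort(key=lambda m: m.accuracy, reverse=True)
    return ranked


def best_mappings(comparisons):
    """Best GPM-IT candidate per company process."""
    return {name: map_process(name, cands)[0]
            for name, cands in comparisons.items()}


def cov(i, o, ob, a, r):
    """Helper to build one coverage record from five percentages."""
    return dict(zip(ASPECTS, (i, o, ob, a, r)))


# Constructed sample input: subjective coverage estimates of three company
# processes against candidate GPM-IT processes.
CONSTRUCTED_COMPARISONS = {
    "Software Delivery": {
        "05 Solution Development & Deployment": cov(90, 85, 80, 75, 70),
        "06 Operate IT-Infrastructure & -Services": cov(40, 50, 45, 60, 55),
    },
    "Helpdesk": {
        "07 User Support": cov(70, 75, 80, 65, 60),
        "06 Operate IT-Infrastructure & -Services": cov(30, 40, 35, 50, 45),
    },
    "Key Account Management": {
        "11 Sales": cov(95, 90, 90, 85, 90),
        "10 Strategic Marketing": cov(50, 40, 60, 45, 30),
    },
}

if __name__ == "__main__":
    for m in best_mappings(CONSTRUCTED_COMPARISONS).values():
        note = "" if m.assessable else " (not assessed in the PIP)"
        print(f"{m.company_process} -> {m.gpm_process}: "
              f"{m.accuracy:.1f} % {m.status}{note}")
```

A yellow best mapping, such as the constructed "Helpdesk" case, is still usable, but the ranked list returned by `map_process` shows whether another GPM-IT process would fit better.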
5.3.1 Process

As a first step, the processes that should be assessed within the individual, specific ISO 9001:2015 process map need to be defined. This is done along the defined enterprise and IT-related goals hierarchy of the COBIT 5 assessment scoping tool (ISACA (2013a)). Therein, 17 common enterprise goals, shown in table 12, are defined and categorized along the four perspectives of the Balanced Scorecard.

| BSC Perspective | Enterprise Goal | IT-related Goals (ITRG) | Relevant Generic ISO 9001:2015 Processes |
|---|---|---|---|
| Financial | 1. Stakeholder value of business investments | 01, 03, 05, 06, 07, 08, 09, 11, 12, 13, 14, 16, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |
| Financial | 2. Portfolio of competitive products and services | 01, 03, 05, 07, 08, 09, 11, 12, 13, 14, 16, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |
| Financial | 3. Managed business risk (safeguarding of assets) | 01, 04, 06, 07, 08, 09, 10, 12, 13, 14, 15, 16 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |
| Financial | 4. Compliance with external laws and regulations | 02, 04, 07, 10, 14, 15 | 01, 03, 04, 05, 06, 07 |
| Financial | 5. Financial transparency | 06 | 01, 03, 04, 05, 06, 09, 10 |
| Customer | 6. Customer-oriented service culture | 01, 05, 07, 08, 09, 12, 13, 16, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |
| Customer | 7. Business service continuity and availability | 01, 04, 07, 08, 10, 14 | 01, 03, 04, 05, 06, 07 |
| Customer | 8. Agile responses to a changing business environment | 01, 03, 04, 05, 07, 09, 11, 12, 16 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |
| Customer | 9. Information-based strategic decision making | 01, 03, 06, 07, 08, 09, 14, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |
| Customer | 10. Optimisation of service delivery costs | 01, 05, 06, 08, 11, 12, 13 | 01, 02, 03, 04, 05, 06, 08, 09, 10 |
| Internal | 11. Optimisation of business process functionality | 01, 03, 07, 08, 09, 11, 12, 14, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 10 |
| Internal | 12. Optimisation of business process costs | 01, 05, 06, 07, 08, 11, 12, 13 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |
| Internal | 13. Managed business change programmes | 01, 03, 04, 07, 09, 11, 12, 13, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 10 |
| Internal | 14. Operational and staff productivity | 05, 08, 09, 11, 12, 16 | 01, 02, 03, 04, 05, 06, 08, 09, 10 |
| Internal | 15. Compliance with internal policies | 02, 04, 10, 15 | 01, 03, 04, 05, 06, 07, 08 |
| Learning | 16. Skilled and motivated people | 01, 03, 04, 07, 08, 09, 16, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 10 |
| Learning | 17. Product and business innovation culture | 05, 07, 08, 09, 11, 12, 16, 17 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 |

Table 12 COBIT 5 Enterprise Goals (adapted from ISACA (2013a))

Additionally, and as mentioned within the above table, every enterprise goal is expanded with one or more IT-related goals (ITRG). Thereby, the following 17 IT-related goals (see table 13) are defined.

| IT-related Goal | Official Description |
|---|---|
| ITRG 01 | Alignment of IT and business strategy |
| ITRG 02 | IT compliance and support for business compliance with external laws and regulations |
| ITRG 03 | Commitment of executive management for making IT-related decisions |
| ITRG 04 | Managed IT-related business risk |
| ITRG 05 | Realised benefits from IT-enabled investments and services portfolio |
| ITRG 06 | Transparency of IT costs, benefits and risk |
| ITRG 07 | Delivery of IT services in line with business requirements |
| ITRG 08 | Adequate use of applications, information and technology solutions |
| ITRG 09 | IT agility |
| ITRG 10 | Security of information, processing infrastructure and applications |
| ITRG 11 | Optimisation of IT assets, resources and capabilities |
| ITRG 12 | Enablement and support of business processes by integrating applications and technology into business processes |
| ITRG 13 | Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards |
| ITRG 14 | Availability of reliable and useful information for decision making |
| ITRG 15 | IT compliance with internal policies |
| ITRG 16 | Competent and motivated business and IT personnel |
| ITRG 17 | Knowledge, expertise and initiatives for business innovation |

Table 13 COBIT 5 IT-related Goals (from ISACA (2013a))

Along the combination of enterprise and IT-related goals, the user of the PIP can derive relevant processes (see table 12) for his assessment by choosing those enterprise goals that are relevant for his specific situation and his objectives. This is because every IT-related goal is linked with one or more COBIT 5 processes and, through the process mapping described in chapter 4.5, also with one or more processes of the GPM-IT.

Thereby, the linkage between enterprise and IT-related goals as well as the linkage between IT-related goals and COBIT 5 processes are separated into two different priorities (ISACA (2013a)). The Process Improvement Prototype respects this fact by considering only linkages of high priority in order to support its users in setting their assessment focus on the most valuable or challenging areas of their individual process map.

5.3.2 Scope

Once step 1 is finished, the PIP highlights all processes out of the individual ISO 9001:2015 process map of the user that will be assessed. For each of these, the targeted capability level that should be achieved needs to be defined. This is done within the second tool of the PIP, which is shown in figure 38 below:

Figure 38 PIP Targeted Capability Level Definition (adapted from ISACA (2013a))

In order to be able to define the targeted capability level for every process, the specific situation of the company as well as other influences from the company's environment need to be taken into account. Therefore, every targeted process capability level reflects a subjective analysis and decision.

5.3.3 Measurement

With the baseline of defined processes and targeted capability levels, the actual process maturity measurement can be performed.
Therefore, the PIP provides another helpful instrument (mentioned as tool number 3), which is shown below in figure 39.

Figure 39 PIP Process Maturity Measurement (adapted from ISACA (2013a))

Process maturity measurement within the Process Improvement Prototype is defined based on the techniques of COBIT 5 PAM (ISACA (2013a)) and ISO 33001:2015 (International Standardisation Organisation (2015c)). Therefore, every specific process needs to fulfil its defined outcomes as listed within chapter 5.4.1 to reach level 1, while for level 2 – 5, the respective generic practices and generic work products listed within chapters 5.4.2 to 5.4.5 have to be achieved. Thereby, the COBIT 5 rating system described within chapter 5.5 builds the baseline to answer the question whether an outcome or a generic practice / work product is achieved or not.

5.3.4 Level

As soon as all relevant, individual processes are assessed, the PIP's tool number 3 (see figure 40) automatically calculates the reached capability level for every single process.

Figure 40 PIP Process Capability Level Calculation (adapted from ISACA (2013a))

Together with the respective targeted capability levels, users of the PIP can perform a gap analysis that highlights valuable room for improvement within their individual process maps.

5.3.5 Improvement

Based on achieved and targeted capability level analyses for every process, users of the PIP in a last step are able to define respective improvement measures for their most valuable or most divergent processes. Thus, all process improvement measures need to be individually adjusted for the respective process, its current state, as well as its specific objectives. Nonetheless, various generic process improvement measures are listed within table 14 below.

| Improvement Measure | Description |
|---|---|
| Training | A potential improvement measure may be an additional and / or advanced training session for the users of a process. |
| Adjust TAR | Sometimes, involved roles are not able to operate a process in the desired way due to missing or incorrect TAR (tasks, authorities and responsibilities). Therefore, a redesign of respective profiles may lead to an improvement of a certain process. |
| Redesign Process | In case a process no longer reflects the practice within a company, a redesign of the process becomes necessary. Thereby the process and its aspects can be adjusted to the changed environment. |
| Redefine Process Owner | In certain circumstances, a process needs a new or another process owner. This may lead to new initiatives within the given process environment, which may result in an improved process performance within the scope of a future maturity measurement run. |
| Process Automation | Often, the performance and especially the stability of a process can be improved by automating repetitive parts of the process. This usually leads to a lowering of errors and temporal disruptions. |

Table 14 Generic Process Improvement Measures

Once the defined process improvement measures are completed, the process maturity measurement procedure may be performed again in order to visualize a potential increase in process capability levels.

5.4 Process Maturity Levels

As the PIP is based on COBIT 5 PAM, its specific process maturity levels (see figure 41) are directly reused without any further adaptions within step 3 of the process maturity measurement activity (see chapter 5.3.3).

- Level 0: Incomplete
- Level 1: Performed (PA1.1 Process Performance)
- Level 2: Managed (PA2.1 Performance Mgmt., PA2.2 Work Product Mgmt.)
- Level 3: Established (PA3.1 Process Definition, PA3.2 Process Development)
- Level 4: Predictable (PA4.1 Process Measurement, PA4.2 Process Control)
- Level 5: Optimizing (PA5.1 Process Innovation, PA5.2 Process Optimization)

Figure 41 COBIT 5 PAM Capability Levels (adapted from ISACA (2013b))

Respectively, every single process is levelled between zero and five. These levels, used within ISO/IEC 15504 as well, are described in detail within chapter 2.4.3 of this study. For every level, COBIT 5 PAM defines concrete measurements, which need to be fulfilled. These levels are described within the following subchapters.

5.4.1 Level 1 – Performed Process

The achievement of level 1 is assessed along so-called process performance indicators. Different from the indicators for level 2 – 5, these indicators are specific for every single process within the reference model. Thereby level 1 only focuses on the performance of a process in general. This is done by the following process attribute.

PA1.1 Process Performance

Within this process attribute, the achievement of the specific process outcomes for every process is measured. Thereby, the standardized COBIT 5 process outcomes are grouped along the generic ISO 9001:2015 process map for IT SMEs and the respective mapping described in chapter 4.5.

| Generic ISO 9001:2015 process | Number of Process Outcomes (without filtration) | Number of Process Outcomes (with filtration) |
|---|---|---|
| 01 IT Management | 24 | 16 |
| 04 IT Steering | 16 | 09 |
| 08 Maintain IT-Processes | 10 | 04 |
| 10 Strategic Marketing | 06 | 03 |
| 05 Solution Development & Deployment | 34 | 17 |
| 06 Operate IT-Infrastructure & -Services | 25 | 17 |
| 07 User Support | 03 | 03 |
| 11 Sales | 00 | 00 |
| 02 Skills Development | 02 | 02 |
| 03 Procurement | 05 | 05 |
| 09 Support Financial Management | 04 | 04 |

Table 15 PIP Process Outcomes Filtration

With this baseline in mind (see table 15), the amount of achievable outcomes is quite high for various generic processes. Therefore, the Process Improvement Prototype only requires the fulfilment of high priority outcomes to reach a level 1 capability level. Within this context, high priority outcomes are those which are linked with a COBIT 5 process that has a green mapping status, meaning an overall mapping accuracy of 80 percent or higher. With this filtration, the amount of outcomes per process is lowered as shown in table 15. Based on this, the achievable process outcomes per process are shown in table 16:

COBIT 5 Process Outcomes

| Generic ISO 9001:2015 Process | COBIT 5 Process | Process Outcome |
|---|---|---|
| Management Process 01 IT Management | Evaluate, Direct and Monitor (EDM): EDM01 Ensure Governance Framework Setting and Maintenance | EDM01-01 Strategic decision-making model for IT is effective and aligned with the enterprise's internal and external environment and stakeholder requirements. |
| Management Process 01 IT Management | Evaluate, Direct and Monitor (EDM): EDM01 Ensure Governance Framework Setting and Maintenance | EDM01-02 The governance system for IT is embedded in the enterprise. |
| Management Process 01 IT Management | Evaluate, Direct and Monitor (EDM): EDM01 Ensure Governance Framework Setting and Maintenance | EDM01-03 Assurance is obtained that the governance system for IT is operating effectively. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO01 Manage the IT Management Framework | APO01-01 An effective set of policies is defined and maintained. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO01 Manage the IT Management Framework | APO01-02 Everyone is aware of the policies and how they should be implemented. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO02 Manage Strategy | APO02-01 All aspects of the IT strategy are aligned with the enterprise strategy. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO02 Manage Strategy | APO02-02 The IT strategy is cost-effective, appropriate, realistic, achievable, enterprise-focused and balanced. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO02 Manage Strategy | APO02-03 Clear and concrete short-term goals can be derived from, and traced back to, specific long-term initiatives, and can then be translated into operational plans. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO02 Manage Strategy | APO02-04 IT is a value driver for the enterprise. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO02 Manage Strategy | APO02-05 There is awareness of the IT strategy and a clear assignment of accountability for delivery. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO03 Manage Enterprise Architecture | APO03-01 The architecture and standards are effective in supporting the enterprise. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO03 Manage Enterprise Architecture | APO03-02 A portfolio of enterprise architecture services supports agile enterprise change. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO03 Manage Enterprise Architecture | APO03-03 Appropriate and up-to-date domain and/or federated architectures exist that provide reliable architecture information. |
| Management Process 01 IT Management | Align, Plan and Organise (APO): APO03 Manage Enterprise Architecture | APO03-04 A common enterprise architecture framework and methodology as well as an integrated architecture repository are used to enable re-use efficiencies across the enterprise. |
| Management Process 01 IT Management | Monitor, Evaluate and Assess (MEA): MEA03 Monitor, Evaluate and Assess Compliance With External Requirements | MEA03-01 All external compliance requirements are identified. |
| Management Process 01 IT Management | Monitor, Evaluate and Assess (MEA): MEA03 Monitor, Evaluate and Assess Compliance With External Requirements | MEA03-02 External compliance requirements are adequately addressed. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO05 Manage Portfolio | APO05-01 An appropriate investment mix is defined and aligned with enterprise strategy. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO05 Manage Portfolio | APO05-02 Sources of investment funding are identified and available. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO05 Manage Portfolio | APO05-03 Programme business cases are evaluated and prioritised before funds are allocated. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO05 Manage Portfolio | APO05-04 A comprehensive and accurate view of the investment portfolio performance exists. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO05 Manage Portfolio | APO05-05 Investment programme changes are reflected in the relevant IT service, asset and resource portfolios. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO05 Manage Portfolio | APO05-06 Benefits have been realised due to benefit monitoring. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO09 Manage Service Agreements | APO09-01 The enterprise can effectively utilise IT services as defined in a catalogue. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO09 Manage Service Agreements | APO09-02 Service agreements reflect enterprise needs and the capabilities of IT. |
| Management Process 04 IT Steering | Align, Plan and Organise (APO): APO09 Manage Service Agreements | APO09-03 IT services perform as stipulated in service agreements. |
| Management Process 08 Maintain IT-Processes | Monitor, Evaluate and Assess (MEA): MEA02 Monitor, Evaluate and Assess the System of Internal Control | MEA02-01 Processes, resources and information meet enterprise internal control system requirements. |
| Management Process 08 Maintain IT-Processes | Monitor, Evaluate and Assess (MEA): MEA02 Monitor, Evaluate and Assess the System of Internal Control | MEA02-02 All assurance initiatives are planned and executed effectively. |
| Management Process 08 Maintain IT-Processes | Monitor, Evaluate and Assess (MEA): MEA02 Monitor, Evaluate and Assess the System of Internal Control | MEA02-03 Independent assurance that the system of internal control is operational and effective is provided. |
| Management Process 08 Maintain IT-Processes | Monitor, Evaluate and Assess (MEA): MEA02 Monitor, Evaluate and Assess the System of Internal Control | MEA02-04 Internal control is established and deficiencies are identified and reported. |
| Management Process 10 Strategic Marketing | Evaluate, Direct and Monitor (EDM): EDM05 Ensure Stakeholder Transparency | EDM05-01 Stakeholder reporting is in line with stakeholder requirements. |
| Management Process 10 Strategic Marketing | Evaluate, Direct and Monitor (EDM): EDM05 Ensure Stakeholder Transparency | EDM05-02 Reporting is complete, timely and accurate. |
| Management Process 10 Strategic Marketing | Evaluate, Direct and Monitor (EDM): EDM05 Ensure Stakeholder Transparency | EDM05-03 Communication is effective and stakeholders are satisfied. |
| Core Process 05 Solution Development & Deployment | Align, Plan and Organise (APO): APO04 Manage Innovation | APO04-01 Enterprise value is created through the qualification and staging of the most appropriate advances and innovations in technology, IT methods and solutions. |
| Core Process 05 Solution Development & Deployment | Align, Plan and Organise (APO): APO04 Manage Innovation | APO04-02 Enterprise objectives are met with improved quality benefits and/or reduced cost as a result of the identification and implementation of innovative solutions. |
| Core Process 05 Solution Development & Deployment | Align, Plan and Organise (APO): APO04 Manage Innovation | APO04-03 Innovation is promoted and enabled and forms part of the enterprise culture. |
BAI01-01 Relevant stakeholders are en- gaged in the programmes and projects. BAI01-02 The scope and outcomes of pro- grammes and projects are viable and aligned with objectives. BAI01-03 Programme and project plans are Build, Acquire and Implement (BAI) likely to achieve the expected outcomes. BAI01 Manage Programmes and BAI01-04 The programme and project activi- Projects ties are executed according to the plans. BAI01-05 There are sufficient programme Core Process and project resources to perform activities 05 Solution Development & De- according to the plans. ployment BAI01-06 The programme and project ex- pected benefits are achieved and accepted. BAI06-01 Authorised changes are made in a timely manner and with minimal errors. BAI06-02 Impact assessments reveal the ef- fect of the change on all affected compo- Build, Acquire and Implement (BAI) nents. BAI06 Manage Changes BAI06-03 All emergency changes are re- viewed and authorised after the change. BAI06-04 Key stakeholders are kept in- formed of all aspects of the change. BAI07-01 Acceptance testing meets stake- holder approval and takes into account all aspects of the implementation and conver- sion plans. Build, Acquire and Implement (BAI) BAI07-02 Releases are ready for promotion BAI07 Manage Change Acceptance into production with stakeholder readiness and Transitioning and support. BAI07-03 Releases are promoted success- fully, are stable and meet expectations. BAI07-04 Lessons learned contribute to fu- ture releases. Master Of Science FHNW Business Information Systems 58 Master Thesis in Business Information Systems | Pascal Bürgy COBIT 5 Process Outcomes Process Process Outcome BAI04-01 The availability plan anticipates the business expectation of critical capacity requirements. Build, Acquire and Implement (BAI) BAI04 Manage Availability and Ca- BAI04-02 Capacity, performance and availa- pacity bility meet requirements. 
BAI04-03 Availability, performance and ca- pacity issues are identified and routinely re- solved. Build, Acquire and Implement (BAI) BAI10-01 Configuration repository is accu- BAI10 Manage Configuration rate, complete and up to date. DSS01-01 Operational activities are per- Deliver, Service and Support (DSS) formed as required and scheduled. DSS01 Manage Operations DSS01-02 Operations are monitored, meas- ured, reported and remediated. Deliver, Service and Support (DSS) DSS03-01 IT-related problems are resolved DSS03 Manage Problems so that they do not reoccur. DSS04-01 Business-critical information is available to the business in line with mini- mum required service levels. DSS04-02 Sufficient resilience is in place for Core Process critical services. 06 Operate IT-Infrastructure & - Deliver, Service and Support (DSS) DSS04-03 Service continuity tests have veri- Services DSS04 Manage Continuity fied the effectiveness of the plan. DSS04-04 An up-to-date continuity plan re- flects current business requirements. DSS04-05 Internal and external parties have been trained in the continuity plan. DSS05-01 Networks and communications security meet business needs. DSS05-02 Information processed on, stored on and transmitted by endpoint devices is protected. DSS05-03 All users are uniquely identifiable and have access rights in accordance with Deliver, Service and Support (DSS) their business role. DSS05 Manage Security Services DSS05-04 Physical measures have been im- plemented to protect information from un- authorised access, damage and interference when being processed, stored or transmit- ted. DSS05-05 Electronic information is properly secured when strored (sic!), transmitted or destroyed. DSS02-01 IT-related services are available for use. Deliver, Service and Support (DSS) DSS02-02 Incidents are resolved according Core Process DSS02 Manage Service Requests to agreed-on service levels. 
07 User Support and Incidents DSS02-03 Service requests are dealt with ac- cording to agreed-on service levels and to the satisfaction of users. Core Process - - 11 Sales APO07-01 The IT organisational structure and relationships are flexible and respon- Support Process Align, Plan and Organise (APO) sive. 02 Skills Development APO07 Manage Human Resources APO07-02 Human resources are effectively and efficiently managed. Measure Process Maturity for Quality Management Systems COBIT 5 PAM for ISO 9001:2015 Maturity Measurement 59 . COBIT 5 Process Outcomes Process Process Outcome APO10-01 Suppliers perform as agreed. Align, Plan and Organise (APO) APO10-02 Supplier risk is assessed and APO10 Manage Suppliers properly addressed. Support Process APO10-03 Supplier relationships are work- 03 Procurement ing effectively. BAI09-01 Licences are compliant and Build, Acquire and Implement (BAI) aligned with business need. BAI09 Manage Assets BAI09-02 Assets are maintained at optimal levels. APO06-01 A transparent and complete budget for IT accurately reflects planned ex- penditures. Support Process APO06-02 The allocation of IT resources for Align, Plan and Organise (APO) IT initiatives is prioritised based on enter- 09 Support Financial Manage- APO06 Manage Budget and Costs prise needs. ment APO06-03 Costs for services are allocated in an equitable way. APO06-04 Budgets can be accurately com- pared to actual costs. Table 16 PA1.1 Process Performance Master Of Science FHNW Business Information Systems 60 Master Thesis in Business Information Systems | Pascal Bürgy 5.4.2 Level 2 – Managed Process Different from level one, level 2 is analysed along so-called process capability attribute indicators, which are generic for every COBIT 5 process. Thereby, level 2 processes are managed in a way that are planned, monitored and adjusted as well as their work products which are established, controlled and maintained (ISACA (2013b)). 
To ensure these management aspects, COBIT 5 PAM defines two process attributes (PAs).

PA2.1 Performance Management

The first process attribute focuses on the management of the performance of a certain process. The following six elements (see table 17) need to be fulfilled:

| Result of Full Achievement | Generic Practices (GPs) | Generic Work Products (GWPs) |
|---|---|---|
| a. Objectives for the performance of the process are identified. | GP 2.1.1 Identify the objectives for the performance of the process. The performance objectives, scoped together with assumptions and constraints, are defined and communicated. | GWP 1.0 Process documentation should outline the process scope. GWP 2.0 Process plan should provide details of the process performance objectives. |
| b. Performance of the process is planned and monitored. | GP 2.1.2 Plan and monitor the performance of the process to fulfil the identified objectives. Basic measures of process performance linked to business objectives are established and monitored. They include key milestones, required activities, estimates and schedules. | GWP 2.0 Process plan should provide details of the process performance objectives. GWP 9.0 Process performance records should provide details of the outcomes. |
| c. Performance of the process is adjusted to meet plans. | GP 2.1.3 Adjust the performance of the process. Action is taken when planned performance is not achieved. Actions include identification of process performance issues and adjustment of plans and schedules as appropriate. | GWP 4.0 Quality record should provide details of action taken when performance is not achieved. |
| d. Responsibilities and authorities for performing the process are defined, assigned and communicated. | GP 2.1.4 Define responsibilities and authorities for performing the process. The key responsibilities and authorities for performing the key activities of the process are defined, assigned and communicated. The need for process performance experience, knowledge and skills is defined. | GWP 1.0 Process documentation should provide details of the process owner and who is responsible, accountable, consulted and/or informed (RACI). GWP 2.0 Process plan should include details of the process communication plan as well as process performance experience, skills requirement. |
| e. Resources and information necessary for performing the process are identified, made available, allocated and used. | GP 2.1.5 Identify and make available resources to perform the process according to plan. Resources and information necessary for performing the key activities of the process are identified, made available, allocated and used. | GWP 2.0 Process plan should provide details of the process training plan and process resourcing plan. |
| f. Interfaces between the involved parties are managed to ensure effective communication and clear assignment of responsibility. | GP 2.1.6 Manage the interfaces between involved parties. The individuals and groups involved with the process are identified, responsibilities are defined and effective communication mechanisms are in place. | GWP 1.0 Process documentation should provide details of the individuals and groups involved (suppliers, customers and RACI). GWP 2.0 Process plan should provide details of the process communication plan. |

Table 17 PA2.1 Performance Management (from ISACA (2013b))

PA2.2 Work Product Management

While PA2.1 focuses on the management of process performance, PA2.2 analyses the management of the respective work products. The following four elements (see table 18) are important:

| Result of Full Achievement | Generic Practices (GPs) | Generic Work Products (GWPs) |
|---|---|---|
| a. Requirements for the work products of the process are defined. | GP 2.2.1 Define the requirements for the work products, including content structure and quality criteria. | GWP 3.0 Quality plan should provide details of quality criteria and work product content and structure. |
| b. Requirements for documentation and control of the work products are defined. | GP 2.2.2 Define the requirements for documentation and control of the work products. This should include identification of dependencies, approvals and traceability of requirements. | GWP 1.0 Process documentation should provide details of controls (control matrix). GWP 3.0 Quality plan should provide details of work product, quality criteria, documentation requirements and change control. |
| c. Work products are appropriately identified, documented and controlled. | GP 2.2.3 Identify, document and control the work products. Work products are subject to change control, versioning and configuration management as appropriate. | GWP 3.0 Quality plan should provide details of work product, quality criteria, documentation requirements and change control. |
| d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements. | GP 2.2.4 Review and adjust work products to meet the defined requirements. Work products are subject to review against requirements in accordance with planned arrangements and any issues arising are resolved. | GWP 4.0 Quality records should provide an audit trail of reviews undertaken. |

Table 18 PA2.2 Work Product Management (from ISACA (2013b))

5.4.3 Level 3 – Established Process

As for maturity level 2, level 3 is analysed along generic process capability attribute indicators. Whereas level 2 focuses on process management, level 3 focuses on the definition and establishment of processes.
Again, two PAs are available. PA3.1 Process Definition The first PA of level 3 analyses the extent to which a process that supports the deployment of the defined COBIT 5 process is established and maintained. Thereby, five different elements (see table 19) need to be analysed: Result of Full Achievement Generic Practices (GPs) Generic Work Products (GWPs) a. A standard process, including appropri- GP 3.1.1 Define the standard pro- GWP 5.0 Policies and standards ate tailoring guidelines, is defined that cess that will support the deploy- should provide details of the organi- describes the fundamental elements that ment of the defined process. A sational objectives for the process, must be incorporated into a defined pro- standard process is defined that minimum standards of performance, cess. identifies the fundamental process standard procedures, and reporting elements and provides guidance and and monitoring requirements. The procedures to support implementa- evidential requirement at this level tion and guidance on how it can be is not just that policies and stand- tailored when needed. ards exist, but that they are applied across the organisation. b. The sequence and interaction of the GP 3.1.2 Determine the sequence GWP 5.0 Policies and standards standard process with other processes and interaction between processes should provide a process mapping are determined. so that they work as an integrated with details of standard processes system of processes. The standard and expected sequences and inter- process sequence and interaction action. The evidential requirement with other processes are deter- at this level is not just that policies mined and maintained when a pro- and standards exist, but that they cess is implemented in different are applied across the organisation. parts of the organisation. c. 
Required competencies and roles for GP 3.1.3 Identify the roles and com- GWP 5.0 Policies and standards performing a process are identified as petencies for performing the stand- should provide details of roles and part of the standard process. ard process. competencies for performing. The evidential requirement at this level is not just that policies and stand- ards exist, but that they are applied across the organisation. d. Required infrastructure and work envi- GP 3.1.4 Identify the required infra- GWP 5.0 Policies and standards ronment for performing a process are structure and work environment should identify minimum required identified as part of the standard pro- for performing the standard pro- infrastructure and work environ- cess. cess. The infrastructure (facilities, ment for performing the process. tools, methods, etc.) and work envi- The evidential requirement at this ronment for performing the stand- level is not just that policies and ard process are identified. standards exist, but that they are applied across the organisation. e. Suitable methods for monitoring the GP 3.1.5 Determine suitable meth- GWP 5.0 Policies and standards effectiveness and suitability of the pro- ods to monitor the effectiveness should provide details of the organi- cess are determined. and suitability of the standard pro- sational objectives for process, mini- cess, including ensuring that appro- mum standards of performance, priate criteria and data needed to standard procedures, and reporting monitor the effectiveness and suita- and monitoring requirements. The bility of the process are defined, and evidential requirement at this level establishing the need to conduct in- is not just that policies and stand- ternal audit and management re- ards exist, but that they are applied view. across the organisation. GWP 4.0 Quality records and GWP 9.0 Process performance records should provide evidence of reviews undertaken. 
Table 19 PA3.1 Process Defin it ion ( from ISACA (2013b)) Measure Process Maturity for Quality Management Systems COBIT 5 PAM for ISO 9001:2015 Maturity Measurement 63 . PA3.2 Process Deployment A second PA on level 3 is focuses on the ability of a process to support the achievement of its outcomes by ensuring an efficient deployment. This is achieved by the following six elements (see table 20). Result of Full Achievement Generic Practices (GPs) Generic Work Products (GWPs) a. A defined process is deployed based GP 3.2.1 Deploy a defined process GWP 5.0 Policies and standards on an appropriately selected and/or tai- that satisfies the context. When the should define the standards to be lored standard process. same process is used within differ- followed across all implementations ent areas of the organisation, it is of the process. The evidential re- based on a standard process, tai- quirement at this level is not just lored as appropriate, with conform- that policies and standards exist, but ance to the requirements of the de- that they are applied across the or- fined process verified. ganisation. b. Required roles, responsibilities and au- GP 3.2.2 Assign and communicate GWP 5.0 Policies and standards thorities for performing the defined pro- roles, responsibilities and authori- should provide details, responsibili- cess are assigned and communicated. ties for performing the defined pro- ties and authorities for performing cess. When the same process is used the activities of process. The eviden- within different areas of the organi- tial requirement at this level is not sation, the authorities and roles for just that policies and standards ex- performing the activities of process ist, but that they are applied across are assigned and communicated. the organisation. c. 
Personnel performing the defined pro- GP 3.2.3 Ensure necessary compe- GWP 1.0 Process documentation cess are competent on the basis of ap- tencies for performing the defined should provide details of competen- propriate education, training and experi- process. When the same process is cies and training requirements. ence. used within different areas of the GWP 2.0 Process plan should in- organisation, the appropriate com- clude details of the process commu- petencies for assigned personnel are nication plan, training plan and re- identified and suitable training is sourcing plan for each instance of available for those deploying the de- the process. fined process. d. Required resources and information GP 3.2.4 Provide resources and in- GWP 2.0 Process plan should in- necessary for performing the defined formation to support the perfor- clude details of the resourcing plan process are made available, allocated mance of the defined process. for each instance of the process. and used. When the same process is used within different areas of the organi- sation, the required human re- sources and information to perform the process are made available, allo- cated and used. e. Required infrastructure and work envi- GP 3.2.5 Provide adequate process GWP 2.0 Process plan should in- ronment for performing the defined pro- infrastructure to support the perfor- clude details of the process infra- cess are made available, managed and mance of the defined process. structure and work environment for maintained. When the same process is used each instance of the process. within different areas of the organi- sation, the required organisational support, infrastructure and work en- vironment are made available, allo- cated and used. f. 
Appropriate data are collected and an- GP 3.2.6 Collect and analyse data GWP 4.0 Quality records and GWP alysed as a basis for understanding the about performance of the process 9.0 Process performance records behaviour of the process to demonstrate to demonstrate its suitability and ef- should provide evidence of reviews its suitability and effectiveness, and to fectiveness. Data required to moni- undertaken tools for each instance evaluate where continuous improvement tor the effectiveness and suitability of the process. of the process across the organisa- of the process can be made. tion are defined, collected and ana- lysed as a basis for continual im- provement. Table 20 PA3.2 Process Development (from ISACA (2013b)) Master Of Science FHNW Business Information Systems 64 Master Thesis in Business Information Systems | Pascal Bürgy 5.4.4 Level 4 – Predictable Process COBIT 5 PAM’s maturity level 4 is measured along the following, generic process capability attribute indicators. Thereby the focus is set on process operation within previously defined limits. As for the other maturity levels, two process attributes (PAs) ensure the achievement of this level. PA4.1 Process Measurement This PA measures the extent to which performance measurement guides process performance towards the achievement of process performance and business objectives. This is achieved by the six elements in table 21: Result of Full Achievement Generic Practices (GPs) Generic Work Products (GWPs) a. Process information needs in support GP 4.1.1 Identify process infor- GWP 6.0 Process improvement plan of relevant defined business goals are es- mation needs, in relation with busi- should provide process improve- tablished. ness goals. The business goals and ment objectives and proposed Im- process stakeholder information provement actions. needs have been established as a basis for determining the process performance measurement objec- tives. b. 
Process measurement objectives are GP 4.1.2 Derive process measure- GWP 7.0 Process measurement derived from process information needs. ment objectives from process infor- plan should provide details of pro- mation needs. Measurement objec- posed measurement objectives. tives are based on the defined pro- cess measurement objectives. c. Quantitative objectives for process GP 4.1.3 Establish quantitative ob- GWP 7.0 Process measurement performance in support of relevant busi- jectives for the performance of the plan should provide details of pro- ness goals are established. defined process, according to the posed measurement measures and alignment of the process with the indicators. business goals Quantitative meas- urement objectives are established that explicitly reflect business goals and have been verified as realistic and useful with organisational man- agement and process owner(s). d. Measures and frequency of measure- GP 4.1.4 Identify product and pro- GWP 7.0 Process measurement ment are identified and defined in line cess measures that support the plan should provide details of pro- with process measurement objectives achievement of the quantitative ob- posed measures and indicators to- and quantitative objectives for process jectives for process performance. gether with data collection proce- performance. Detailed measures for products and dures and analytical procedures. process are identified, together with the frequency of data collection and measurement as well as verification mechanisms. e. Results of measurement are collected, GP 4.1.5 Collect product and pro- GWP 7.0 Process measurement analysed and reported in order to moni- cess measurement results through plan should provide details of pro- tor the extent to which the quantitative performing the defined process. posed analytical procedures. objectives for process performance are Product and process measurement GWP 9.0 Process performance rec- met. 
results are collected, analysed and ords should provide details of meas- reported according to a defined urements collected and analysed. plan. f. Measurement results are used to char- GP 4.1.6 Use the results of the de- GWP 9.0 Process performance rec- acterise process performance. fined measurement to monitor and ords should provide details of meas- verify the achievement of the pro- urements collected and analysed. cess performance objectives. The re- sults of the defined measurement are analysed to verify achievement against the process performance ob- jectives. Appropriate techniques are used to understand process performance and capability within defined control limits. Table 21 PA4.1 Process Measurement (from ISACA (2013b)) Measure Process Maturity for Quality Management Systems COBIT 5 PAM for ISO 9001:2015 Maturity Measurement 65 . PA4.2 Process Control The second PA is focusing on the quantitative management a process in order to operate this process stable, capable and predicable within defined limits. Five elements (see table 22) need to be taken into account for that: Result of Full Achievement Generic Practices (GPs) Generic Work Products (GWPs) a. Analysis and control techniques are GP 4.2.1 Determine analysis and GWP 1.0 Process documentation determined and applied where applica- control techniques appropriate to should provide details of controls ble. control the process performance. (control matrix). Methods of measuring the effective- GWP 8.0 Process control plan ness of process control are defined should exist that specifies for each and validated. process the measurement approach. b. Control limits of variation are estab- GP 4.2.2 Define parameters suitable GWP 8.0 Process control plan lished for normal process performance. to control the process performance. should exist that specifies for each The standard process definition is control limits for normal perfor- modified to include methods for mance. 
process control and control limits are established. c. Measurement data are analysed for GP 4.2.3 Analyse process and prod- GWP 9.0 Process performance rec- special causes of variation. uct measurement results to identify ord should provide details of meas- variations in process performance. urements collected and analysed. The results of process control meas- urements are analysed to determine issues of concern and forwarded for action. d. Corrective actions are taken to address GP 4.2.4 Identify and implement GWP 9.0 Process performance rec- special causes of variation. corrective actions to address assign- ord should provide details of meas- able causes. Corrective action is urements collected and analysed taken to address process control and corrective action taken. concerns and results are monitored and evaluated. e. Control limits are re-established (as GP 4.2.5 Re-establish control limits GWP 8.0 Process control plan necessary) following corrective action. following corrective action. Process should exist that specifies control control limits are appropriately limits for normal performance. modified after corrective action is taken. Table 22 PA4.2 Process Control ( from ISACA (2013b)) Master Of Science FHNW Business Information Systems 66 Master Thesis in Business Information Systems | Pascal Bürgy 5.4.5 Level 5 – Optimising Process Generic process capability attribute indicators are used as well to determine maturity level 5 for a specific pro- cess. Thereby, such a process is continuously improved in order to meet current and future business goals. Two PAs are established to measure the fulfilment of level 5. PA5.1 Process Innovation The first PA focuses on the ability to identify changes to a process due to the analysis of variances on process performance as well as due to the analysis of new and innovative approaches to the definition and deployment of the process. 
Five elements (see table 23) are important:

| Result of Full Achievement | Generic Practices (GPs) | Generic Work Products (GWPs) |
| --- | --- | --- |
| a. Process improvement objectives for the process are defined that support the relevant business goals. | GP 5.1.1 Define the process improvement objectives for the process that supports the relevant business goals. Directions to process innovations are set. Quantitative and qualitative process improvement objectives—based on the potential for process innovation as well as business vision and goals—have been defined and documented. | GWP 7.0 Process improvement plan should provide process improvement objectives and proposed improvement actions. |
| b. Appropriate data are analysed to identify common causes of variations in process performance. | GP 5.1.2 Analyse measurement data of the process to identify real and potential variations in process performance. Process performance data are analysed to identify variations in process performance together with the root cause of common process performance issues. | GWP 9.0 Process performance records should provide details of measurements collected and analysed. |
| c. Appropriate data are analysed to identify opportunities for best practice and innovation. | GP 5.1.3 Identify improvement opportunities of the process based on innovation and best practices. Process improvement opportunities are identified based on comparison with industry best practices. | GWP 6.0 Process improvement plan should provide details of analysis against best practice. |
| d. Improvement opportunities derived from new technologies and process concepts are identified. | GP 5.1.4 Derive improvement opportunities of the process from new technologies and process concepts. Process improvement opportunities are identified based on review and analysis of emerging technological and process concept innovations, taking into account business environment changes including emerging business risks. | GWP 6.0 Process improvement plan should provide details of analysis of technology improvement opportunities. |
| e. An implementation strategy is established to achieve the process improvement objectives. | GP 5.1.5 Define an implementation strategy based on long-term improvement vision and objectives. A process improvement strategy is defined and validated based on long-term improvement goals and objectives. Commitment to improvement is demonstrated by organisational management and process owner(s). | GWP 6.0 Process improvement plan should provide details of the implementation strategy for process improvement. |

Table 23 PA5.1 Process Innovation (from ISACA (2013b))

PA5.2 Process Optimization

The second PA of level 5 focuses on the ability to perform changes to process definition, management and performance in an effective way in order to achieve given improvement objectives. Thereby, three elements (see table 24) are relevant:

| Result of Full Achievement | Generic Practices (GPs) | Generic Work Products (GWPs) |
| --- | --- | --- |
| a. Impact of all proposed changes is assessed against the objectives of the defined process and standard process. | GP 5.2.1 Assess the impact of each proposed change against the objectives of the defined and standard process. The impact of proposed changes is assessed against the objectives of the process and to determine the impact on product quality and process performance as well as other related processes. | GWP 6.0 Process improvement plan should provide details of the required process improvement project quality approach. |
| b. Implementation of all agreed changes is managed to ensure that any disruption to the process performance is understood and acted on. | GP 5.2.2 Manage the implementation of agreed changes to selected areas of the defined and standard process according to the implementation strategy. The implementation of agreed changes is managed in accordance with defined change management and change enablement processes. | GWP 6.0 Process improvement plan should provide details of the implementation strategy for process improvement and evidence of changes in: GWP 1.0 Process documentation; GWP 3.0 Quality plan; GWP 5.0 Policies and standards. |
| c. Based on actual performance, effectiveness of process change is evaluated against the defined product requirements and process objectives to determine whether results are due to common or special causes. | GP 5.2.3 Based on actual performance, evaluate the effectiveness of process change against process performance, capability objectives and business goals. The effectiveness of the changes made to the process is measured, evaluated and reported after implementation. | GWP 6.0 Process improvement plan should provide details of the required process improvement project quality approach. |

Table 24 PA5.2 Process Optimization (from ISACA (2013b))

5.5 Rating System

The measurement and rating of processes and maturity levels within the PIP, as described in step 3 of the process maturity measurement activity (see chapter 5.3.3), is performed along the defined instruments of COBIT 5 PAM. These instruments and their connections are shown in figure 42.
Figure 42 COBIT 5 PAM Maturity Measurement

As mentioned in the previous chapter and within chapter 2.4.4 of the theoretical foundation of the study, both process performance and process capability attribute indicators are categorized along four rating stages (see table 25), which show the degree of fulfilment of defined process requirements.

| Stage | Official Description |
| --- | --- |
| N (Not achieved / 0 – 15%) | There is little or no evidence of achievement of the defined attribute in the assessed process. |
| P (Partially achieved / >15 – 50%) | There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. |
| L (Largely achieved / >50 – 85%) | There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. |
| F (Fully achieved / >85 – 100%) | There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. |

Table 25 COBIT 5 PAM & ISO/IEC 15504 Rating Stages (from ISACA (2013b))

In order to achieve a certain maturity level, every rated process attribute (PA) of the given level needs to be largely (L) or fully (F) achieved. Furthermore, all PAs of the maturity levels below need to be fully (F) achieved. For example, to reach maturity level 3, both PAs 3.1 and 3.2 need to be largely (L) or fully (F) achieved and PAs 1.1, 2.1 and 2.2 all need to be fully (F) achieved.

6 Prototype Validation

After the definition of the PIP, its potential needs to be validated within a practice-oriented environment. Therefore, this chapter presents the respective company providing the practical framework as well as the systematic usage of the PIP.

6.1 Company Selection Criteria

In order to be able to set up a realistic, practice-oriented and target-aimed evaluation scenario, a respective company needs to be selected. Thereby, the following criteria, visualized within figure 43, are relevant.

Figure 43 Company Selection Criteria (Swiss-based; Small or Mid-Sized Enterprise (SME); Interest in Process Improvement; ISO 9001 certified; Software Development)

A company that fits into the study limitations (see chapter 1.4) is necessary. This means that the evaluating company must be a Swiss-based software development SME which has an ISO 9001 certified quality management system and a respective process model.

Additionally, the respective company should be actively interested in improving its own processes. This is because the evaluating company is not only asked to provide its documented process model and further material resources but also temporal resources, as its management and process owners need to be directly involved in the evaluation of the Process Improvement Prototype (PIP) and the company's process measurement process.

With all these requirements in mind and the potential deliverables of the PIP as compensation for the company prepared, potential companies were contacted.

6.2 Participating Company – Glaux Soft AG

According to the outlines of the previous chapter, the evaluation of the Process Improvement Prototype (PIP) was performed within the practical environment of a concrete company. This company is Glaux Soft AG.

6.2.1 Facts and Figures of Glaux Soft AG

Glaux Soft AG is a Swiss-based SME located in Bern.
The company, founded in 1996, focuses on specification, development and operation of complex information technology solutions (Glaux Soft AG (2015a)). The optimization of their customers' business processes is usually the central aspect of these systems. With 51 employees, Glaux Soft serves a variety of customers in all industrial sectors. Besides various governmental institutions, huge multinational companies (e.g. Swatch, Thales) and important Swiss-based companies (such as Swisscom and Post), Glaux Soft is also a key partner to many small and mid-sized companies all over the German-speaking area of Switzerland.

As of 2014, Glaux Soft AG was certified for its ISO 9001 quality management system.

6.2.2 An Outline on Evidence – Glaux Soft's Product Baseline

An important part of Glaux Soft's strategy and daily business is a standardized XRM-platform (XRM stands for anything relationship management) called Evidence. Evidence is a business application platform that provides various standard functions for software applications, such as user and role management, and a wide set of common interfaces (Glaux Soft AG (2015b)). With its modular architecture and extensions, it can easily be run as a CRM, service or case management system.

Most of the Evidence applications, which cover nearly 100% of all Glaux Soft software projects, are more than just isolated address and data management systems. They are usually integrated in an existing IT environment in order to obtain and provide business critical data from and to other systems. Software projects involving Evidence often cover topics such as analysing a customer's enterprise architecture and existing business processes to maximize benefits of automated processes.

6.2.3 ISO 9001:2015 Process Map of Glaux Soft AG

As described within the previous sections, Glaux Soft AG operates based on a certified ISO 9001 quality management system.
The respective process map was developed in 2013 and certified at the beginning of 2014. Since then, the process map and every single process have been continuously improved and adapted to the changing environment of the company.

Still today, the company struggles with setting the right priorities for these improvement measures as its processes cannot be measured and compared to objectives in detail. Therefore, the company was willing to participate in the evaluation phase of the present study.

By the end of 2015, the ISO 9001 process map of Glaux Soft AG contained 19 processes in total, which are divided into the well-known three process groups of management, core and support processes. Every process is defined by various inputs and outputs as well as by described objectives and concrete activities. Furthermore, every process is managed by a process owner. In the execution of the process, one or more further roles may be involved (Glaux Soft AG (2015c)). Based on these cornerstones, the visualization of Glaux Soft's process map can be shown as in figure 44.

Figure 44 Glaux Soft's ISO 9001 Process Model (adapted from Glaux Soft AG (2015c))

For further information on these processes and their detailed aspects, please see Appendix D (Glaux Soft's Process Map in Detail).

6.3 Process Model Mapping in Practice

Based on the company's process map described within the previous chapter, the Process Improvement Prototype is put into practice. As a first step, Glaux Soft's individual ISO 9001 processes are mapped with the generic ISO 9001:2015 process map for IT SMEs. Along the outlines described in chapter 5.2 and by using the respective tool number 1 of the PIP, the following process mapping (see table 26) was derived.
| Glaux Soft Process | Mapping Accuracy | Generic ISO 9001:2015 Process |
| --- | --- | --- |
| Management Process: 11 Business Planning & Controlling | | Management Process: 01 IT Management |
| Management Process: 12 Organisation | | Management Process: 01 IT Management |
| Management Process: 13 Risk & Crisis Management | | Management Process: 01 IT Management |
| Management Process: 14 Human Resources | | Support Process: 02 Skills Development |
| Management Process: 15 Information & Communication | | Management Process: 10 Strategic Marketing |
| Management Process: 16 Improvement Process | | Management Process: 08 Maintain IT-Processes |
| Management Process: 17 Management of Internal Projects | | Core Process: 05 Solution Development & Deployment |
| Core Process: 21 Resource Planning & Controlling | | Management Process: 04 IT Steering |
| Core Process: 22 Sales | | Core Process: 11 Sales |
| Core Process: 23 Product Management | | Core Process: 05 Solution Development & Deployment |
| Core Process: 24 Project Execution | | Core Process: 05 Solution Development & Deployment |
| Core Process: 25 Maintenance & Support | | Core Process: 07 User Support |
| Core Process: 27 Customer Retention | | Core Process: 07 User Support |
| Support Process: 31 Operative Marketing | | Core Process: 11 Sales |
| Support Process: 32 Procurement | | Support Process: 03 Procurement |
| Support Process: 33 Accounting | | Support Process: 09 Support Financial Management |
| Support Process: 34 IT-Management | | Core Process: 06 Operate IT-Infrastructure & -Services |
| Support Process: 35 Document- & Data-Management | | Core Process: 06 Operate IT-Infrastructure & -Services |
| Support Process: 36 Source Control | | Core Process: 06 Operate IT-Infrastructure & -Services |

Table 26 Mapping Glaux Soft's and Generic ISO 9001:2015 Processes

6.4 Process Maturity Measurement in Practice

Based on the mapping provided in the previous chapter, which is also described in detail within Appendix E (Generic Process and Glaux Soft's Detailed Process Mapping), the specific maturity measurement elements of the PIP (see chapter 5.3) can now be used for Glaux Soft's individual ISO 9001:2015 processes.

6.4.1 Defining and Scoping Processes with the PIP

Based on the performed process mapping (see chapter 6.3), Glaux Soft's management, together with the respective process owners, has defined the relevant COBIT 5 enterprise goals (see chapter 5.3.1) for Glaux Soft as in table 27.

| BSC Perspective | Enterprise Goal | Selected by Glaux Soft AG |
| --- | --- | --- |
| Financial | 1. Stakeholder value of business investments | |
| Financial | 2. Portfolio of competitive products and services | x |
| Financial | 3. Managed business risk (safeguarding of assets) | x |
| Financial | 4. Compliance with external laws and regulations | x |
| Financial | 5. Financial transparency | |
| Customer | 6. Customer-oriented service culture | x |
| Customer | 7. Business service continuity and availability | |
| Customer | 8. Agile responses to a changing business environment | x |
| Customer | 9. Information-based strategic decision making | |
| Customer | 10. Optimisation of service delivery costs | x |
| Internal | 11. Optimisation of business process functionality | x |
| Internal | 12. Optimisation of business process costs | |
| Internal | 13. Managed business change programmes | |
| Internal | 14. Operational and staff productivity | x |
| Internal | 15. Compliance with internal policies | |
| Learning | 16. Skilled and motivated people | x |
| Learning | 17. Product and business innovation culture | x |

Table 27 Enterprise goal selection of Glaux Soft AG

With these enterprise goals as the baseline, the Process Improvement Prototype has automatically calculated the relevant processes for Glaux Soft's specific situation. In this case, the generic processes 01 – 10 are in focus, which means that all of Glaux Soft's processes except number 22 and 31 need to be evaluated.

Based on this calculation, Glaux Soft's executives have defined the targeted process capability levels by analysing the defined COBIT 5 process attributes in chapter 5.4. Thereby the following targeted capability levels were defined (see figure 45):

Figure 45 Glaux Soft's Targeted Process Capability Levels

Within the defined targeted capability levels, a regularity is discernible. Glaux Soft's executives have defined a targeted level three for all core processes and the most important management and support processes. However, level two is targeted for the remaining management and support processes. The basic idea behind this is the settled conviction that every defined process is at least performed, whereas the company's objectives should be defined even higher. On the other hand, the general maturity of Glaux Soft's management system, which was established at the beginning of 2014, makes targeted capability levels higher than level three unrealistic.

6.4.2 Measuring Process Maturity with the PIP

With the targeted capability levels in mind, the maturity measurement for all relevant processes of Glaux Soft was performed by involving the respective process owners.
In order to gather the relevant practical influence for the prototype evaluation, the measurement took place in December 2015 right before the annual external adherence audit of Glaux Soft's ISO 9001 management system. The respective results are shown in figure 46.

Figure 46 Glaux Soft's Process Maturity Measurement

The maturity measurement of Glaux Soft's processes, which were defined within chapter 6.4.1, has shown that, as expected by Glaux Soft's executives, all measured processes reach at least capability level one, which means that the COBIT 5 process outcomes, which are relevant for the PIP, are all largely or fully achieved. Furthermore, many processes have reached even higher capability levels (see figure 47).

Figure 47 Glaux Soft's Resulting Process Capability Levels

Overall, three out of 17 measured processes have reached their targeted capability levels. For the majority of the remaining processes, the gap in maturity is one level whereas for three processes, a gap of two maturity levels was identified.

6.4.3 Defining Process Improvements with the PIP

Based on the performed process maturity measurement and the identified gaps in process maturity, various process improvement initiatives were defined by Glaux Soft's executives. For every process, the desired initiative as well as a timeline for its fulfilment have been defined as shown in table 28.

| Glaux Soft Process | Improvement Initiative | Deadline |
| --- | --- | --- |
| 11, 12, 13 | In order to improve work product management for all three processes, further supporting tools such as checklists, definitions of done (DOD) and others should be established. Additionally, the involved staff will run a further, specific training. | 30.06.2016 |
| 14 | The process already reaches its targeted capability level 2. | - |
| 15 | The process already reaches its targeted capability level 2. | - |
| 16 | This process should further be established within the company. Therefore, a slight process redesign (in order to even better meet the changed ISO 9001:2015 requirements) as well as additional training is planned. | 30.06.2016 |
| 17 | Due to close interlinkage with process 24 and the defined improvement initiatives for this process, process 17 will not be improved at the current moment. After finishing process improvement of P24, synergies for P17 and based on that, potential further P17-specific improvements will be analysed. | - |
| 21 | The measurement has shown that P21 is closely caught between strategic influences of P11 – P13 and operative boundaries out of product and project management. Therefore, P21 and its roles should become a more solid hierarchical foundation by adjusting relevant TAR (tasks, authorities and responsibilities). | 30.06.2016 |
| 22 | The process cannot be measured with the PIP and is therefore not in focus. | - |
| 23 | The process measurement and, even before, practical influences have shown a changed environment within product management. Therefore, the process needs to be readapted to practice, wherefore an interdisciplinary process improvement team was designated. | 30.06.2016 |
| 24 / 25 | Already before the process measurement, an improvement team was set up with the objective to redesign the process for more practical relevance. This team will continue with its task by considering the insights of the process measurement. | 31.03.2016 / 30.06.2016 |
| 27 | Customer retention is a topic that is covered by P27, but as well by processes 22, 24 and 25. This distribution of responsibilities makes the proper performance of P27 difficult. As both P23 and P24 are currently redesigned, an individual improvement of P27 is deferred until the influences of the changed P23 and P24 are foreseeable. | - |
| 31 | The process cannot be measured with the PIP and is therefore not in focus. | - |
| 32 | The process is currently not in focus for concrete improvement initiatives as higher prioritized initiatives of other processes need to be performed first. | - |
| 33 | The process already reaches its targeted capability level 2. | - |
| 34 | The process should be further enforced by performing additional staff training especially for disciplines related to IT-security. Therefore, isolated process changes may be necessary. | 30.06.2016 |
| 35, 36 | Both processes are currently not in focus for concrete improvement initiatives as higher prioritized initiatives of other processes need to be performed first. | - |

Table 28 Defined Process Improvement Initiatives

Overall, Glaux Soft's management system, measured against its age of two years, is very well established. Nonetheless, concrete improvement initiatives were defined for many processes. All these initiatives, independent of their complexity and elaborateness, have the objective to further improve the benefit of the single process as well as of the complete management system.

6.5 Analysis of Generated Results and Insights

Within the previous chapter of the evaluation, the Process Improvement Prototype (PIP) was put into practice and the concrete activities and results for Glaux Soft AG were described. This chapter, however, is focused on the PIP itself and the insights, problems and challenges its usage within the environment of Glaux Soft has generated.

Therefore, personal opinions of the involved staff at Glaux Soft were collected and analysed. Based on that, the following insights, listed within table 29, were generated.

| No. | Insight | Category |
| --- | --- | --- |
| 01 | After a basic training and with some instant support, the PIP in its current setup is usable for people with a respective background in (business) process management. | Potential |
| 02 | The PIP addresses Glaux Soft's practical requirements of process measurement and maturity categorization in an appropriate way. The generated measurements lead to concrete improvement initiatives, which may lead to improved processes in future. | Potential |
| 03 | Within the context of the annual external adherence audit, both external auditors showed their interest in the PIP and the generated results. | Potential |
| 04 | Although with some limitations (see below), the combination of COBIT 5 PAM and ISO 9001:2015 works in practice. Process outcomes and generic practices as well as work products of COBIT 5 are applicable and recognizable within certified ISO 9001:2015 process models. | Potential |
| 05 | As already mentioned within chapter 4.5, the Process Improvement Prototype (PIP) provides no measurement methodology for processes that are allocated within the field of sales. This is due to the fact that COBIT 5 does not cover the respective discipline. Accordingly, Glaux Soft's processes 22 and 31 could not be analysed as they are mapped to the generic ISO 9001:2015 process number 11. | Limitation |
| 06 | The interpretation of "company IT", meaning IT as a department of a company, by COBIT 5 is different from the "IT company" character of Glaux Soft AG, describing an IT-only company in the respective industry sector. Accordingly, a certain adaptation of COBIT 5 aspects such as process outcomes or work products is necessary, which makes the measurement more inaccurate. | Limitation |
| 07 | The PIP aggregates process outcomes of various COBIT 5 processes within one generic IT process. In the situation of Glaux Soft, the content of one such generic process is again split within multiple specific processes. This unitization of outcomes and processes complicates the measurement of capability level one, as necessary outcomes of one generic process in some cases are provided by various specific processes. In these cases, the process model as a whole reaches level 1, while every single process measured for itself shows missing outcomes, which must lead to capability level zero. | Limitation |
| 08 | The mapping of 37 COBIT 5 processes with 11 generic processes represents a major generalization of the process model. This leads to the situation that most COBIT 5 enterprise goals, which are indirectly mapped with the COBIT 5 processes, demand the evaluation of almost all generic processes. Therefore, as in the case of Glaux Soft, the selection of only one single enterprise goal requires the evaluation of the entire process model. | Limitation |
| 09 | Based on insight number 8, Glaux Soft's executives tend to define rather low targeted capability levels as they had in mind the amount of process measurements to be performed. This conclusion, based on the expected workload, negatively influences the practical usage of the PIP. | Limitation |
| 10 | In its current state, the PIP and the respective Microsoft Excel tool need to be adapted for every participating company. This makes reuse complicated. | Limitation |
| 11 | During the measurement of Glaux Soft's process 25 (Maintenance & Support), it became clear that the initial mapping to the generic process number 6 (Operate IT-Infrastructure & -Services) was suboptimal. Therefore, the mapping of P25 was changed to the generic process number 7 (User Support). | Optimization |
| 12 | While using the PIP, the process maturity measurement element was extended with the visualization of the respective generic process for every specific process. As specific outcomes need to be assessed for the measurement of capability level one, this visualization simplifies the usage of the PIP. | Optimization |
| 13 | To simplify the comparison of targeted and resulting capability levels for every process, the PIP was extended with a coloured status display. This status is green as long as the resulting level is equal to or higher than the targeted capability level. In case the resulting level undercuts the targeted level, the status is red. Again, such a visualization increases the usability of the PIP in practice. | Optimization |
| 14 | The descriptive structure of Glaux Soft's management system directly covers the process attribute 2.1 (Performance Management) and its requirements. As Glaux Soft's description of processes is based on common best practices in the field of ISO 9001:2015, this PA coverage may be true for other certified companies as well. | Practical Finding |

Table 29 Generated Results and Insights

Every result and insight, already categorized within the above table, has its specific importance for the practical usage of the Process Improvement Prototype (PIP). Therefore, the following figure 48 defines the relative importance of every insight.

Figure 48 Insight Importance & Categories

Based on the defined importance, two potentials and one practical finding are stated as very important, meaning that their positive influence actively supports the deployment of the PIP in practice. Accordingly, these aspects may be further carved out. On the other hand, two limitations are critical, which means that those insights massively lower the PIP's practical relevance.

Furthermore, various insights of all categories are stated as major, which means that they should be further improved or used, whereas minor insights cover "nice to have" details, which may be interesting in future, but are not further relevant for the practical setup of the PIP.
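The rating rule of chapter 5.5, the red/green status display of insight 13 and the split-outcome effect of insight 07 can be traced in code. The following Python example is added here and is not part of the PIP or its Excel tool; the function names, the equal weighting of outcomes for PA1.1 and all sample data are assumptions made for illustration.

```python
# Added example: names, weights and sample data are assumptions, not PIP code.

# Process attributes (PAs) per capability level in COBIT 5 PAM.
PAS_BY_LEVEL = {
    1: ("PA1.1",),
    2: ("PA2.1", "PA2.2"),
    3: ("PA3.1", "PA3.2"),
    4: ("PA4.1", "PA4.2"),
    5: ("PA5.1", "PA5.2"),
}
STAGES = ("N", "P", "L", "F")


def rating_stage(percent):
    """Map a degree of achievement (0..100 %) to a rating stage (Table 25)."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be within 0..100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(pa_ratings):
    """Highest level whose PAs are L or F while all PAs below are F.

    PAs without a rating count as N (not achieved).
    """
    unknown = set(pa_ratings.values()) - set(STAGES)
    if unknown:
        raise ValueError(f"unknown rating stage(s): {sorted(unknown)}")
    level = 0
    for candidate in sorted(PAS_BY_LEVEL):
        own = [pa_ratings.get(pa, "N") for pa in PAS_BY_LEVEL[candidate]]
        below = [pa_ratings.get(pa, "N")
                 for lower in range(1, candidate)
                 for pa in PAS_BY_LEVEL[lower]]
        if all(r in ("L", "F") for r in own) and all(r == "F" for r in below):
            level = candidate
        else:
            break  # a higher level needs this one fully achieved
    return level


def status(target_level, resulting_level):
    """Status display of insight 13: green if the target is met, else red."""
    return "green" if resulting_level >= target_level else "red"


def gap_report(targets, ratings):
    """Return {process: (resulting level, gap to target, status)}."""
    report = {}
    for process, target in targets.items():
        level = capability_level(ratings.get(process, {}))
        report[process] = (level, max(target - level, 0), status(target, level))
    return report


def level_one_from_outcomes(required, achieved):
    """Level 0 or 1 from outcome coverage (assumption: equal weights)."""
    required = set(required)
    if not required:
        raise ValueError("a process needs at least one required outcome")
    percent = 100 * len(required & set(achieved)) / len(required)
    return capability_level({"PA1.1": rating_stage(percent)})


def split_outcome_effect(required, provided_by):
    """Insight 07: rate each specific process alone, then the model as a whole."""
    alone = {name: level_one_from_outcomes(required, outcomes)
             for name, outcomes in provided_by.items()}
    combined = set().union(*provided_by.values())
    return alone, level_one_from_outcomes(required, combined)


# Constructed sample data (not Glaux Soft's measurement results).
SAMPLE_TARGETS = {"process A": 3, "process B": 2, "process C": 3}
SAMPLE_RATINGS = {
    "process A": {"PA1.1": "F", "PA2.1": "F", "PA2.2": "F",
                  "PA3.1": "L", "PA3.2": "F"},
    "process B": {"PA1.1": "F", "PA2.1": "L", "PA2.2": "L"},
    "process C": {"PA1.1": "L", "PA2.1": "F", "PA2.2": "F"},
}
SAMPLE_OUTCOMES = ["O1", "O2", "O3", "O4"]
SAMPLE_PROVIDERS = {"specific X": {"O1", "O2"}, "specific Y": {"O3", "O4"}}

if __name__ == "__main__":
    for process, row in gap_report(SAMPLE_TARGETS, SAMPLE_RATINGS).items():
        print(process, row)
    print(split_outcome_effect(SAMPLE_OUTCOMES, SAMPLE_PROVIDERS))
```

Process C in the sample shows why a largely achieved PA1.1 caps a process at level 1 even when both level 2 attributes are fully achieved.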
7 Conclusion

This concluding chapter focuses on the coverage of the defined research questions as well as on revealed lessons learned. Additionally, further useful fields of activity for future research and optimization of the PIP are designated.

7.1 Research Question Coverage

Do the Process Improvement Prototype (PIP) and the related study have the ability to fulfil the defined expectations? To answer this question, the present chapter analyses the individual attainment of the three research goals defined initially in chapter 1.3 of the study.

7.1.1 ISO 9001:2015 and COBIT 5 Mapping

The first research objective has focused on the study cornerstone of combining both standards / methodologies ISO 9001:2015 and COBIT 5 PAM. The detailed formulation of the objective is as follows:

Modelling relevant relationships between ISO 9001:2015 and COBIT 5 and developing a generic mapping table to align the respective processes.

Initial research within this study has proven that a combination of quality management systems (such as ISO 9001:2015) and maturity measurement frameworks (such as COBIT 5 PAM) can work. Within chapter 2.5, various attempts are documented and analysed.

Based on the potential and problems of these earlier endeavours, this study has first analysed possible ways of combining two different standards and/or methodologies (see chapter 4.1, 4.2 and 4.3). With the resulting decision to combine ISO 9001:2015 and COBIT 5 PAM on process level, a detailed mapping of both standards and methodologies, available within appendix C (Generic Process Map and COBIT 5 Detailed Process Mapping), was created and summarized within chapter 4.5.

As a further baseline for this mapping, a generic process model attempt for ISO 9001 certified, Swiss-based software development SMEs was defined in advance.
Therefore, the common IT process map of the Swiss federal administration was reused and extended to create the generic ISO 9001:2015 process map for IT SMEs (see chapter 4.4). Additionally, the process mapping of ISO 9001:2015 and COBIT 5 PAM is based on a specific policy that is now an essential part of the Process Improvement Prototype (PIP) and is documented within chapter 5.2.2.

Overall, the feasibility of a mapping between ISO 9001:2015 and COBIT 5 PAM with the intention to measure maturity of certified ISO 9001:2015 processes is confirmed. Identified limitations, especially the non-coverage of the sales discipline within COBIT 5, are delimited and documented (see chapter 6.5) with the idea of being a prospective study topic in chapter 7.3.

7.1.2 Prototyping a Process Measurement Model

The second research objective has governed the creation of a prototype that is able to measure the maturity of ISO 9001:2015 process models by using the instruments and tools of COBIT 5 PAM. In detail:

Prototyping a process measurement model applicable for ISO 9001:2015 based on the COBIT 5 PAM capability indicators.

With this research objective in mind and the previously described process mapping between ISO 9001:2015 and COBIT 5 PAM in hand, the development of a respective prototype with the name Process Improvement Prototype (PIP) was started. Therefore, the process model mapping approach, which has already been used for the mentioned mapping between ISO 9001:2015 and COBIT 5 PAM, was refined and documented (see chapter 5.2.2). Furthermore, a respective tool (see Appendix F (Process Improvement Prototype (PIP))), together with a three-step mapping process, was developed that allows users of the PIP to map their individual ISO 9001:2015 processes with one of the generic ISO 9001:2015 processes for IT SMEs of the PIP.
As a second aspect of the prototype, the essentials of COBIT 5 regarding process definition and scoping, including the given enterprise and IT-related goals of COBIT 5, were adapted for a target-aimed usage within the PIP. This means that the mentioned goals have been relinked to the relevant processes of the generic ISO 9001:2015 process map for IT SMEs, which now allows a user of the PIP to select assessable processes by selecting enterprise goals which are relevant within the specific situation of the user's company (see chapter 5.3.1). Furthermore, this second element of the PIP contains helpful instruments, which guide the user towards properly defined targeted capability levels for the user's own, specific processes (see chapter 5.3.2).

The third element of the PIP is the measurement tool itself, which is again closely linked with the respective COBIT 5 tools. This tool, described within chapter 5.3.3 and available within Appendix F (Process Improvement Prototype (PIP)), allows the definition of a resulting capability level for all assessed processes by using metrics and rating systems of COBIT 5 (see chapter 5.3, 5.4 and 5.5). Finally, the PIP also guides the user along the definition of potential improvement initiatives.

By taking these three elements of the PIP into account, the respective research question is fulfilled. Nonetheless, further optimization potential (see chapter 6.5) was revealed during the evaluation of the PIP, which leads to respective prospective research endeavours described within chapter 7.3.

7.1.3 Validating the Usability of the Developed Measurement Model

The last research objective has asked for a qualitative evaluation of the study perceptions, the formulation of which is detailed as follows:

Validating the usability of the developed measurement model (qualitative case study approach).

After finishing the Process Improvement Prototype (PIP), the selection of an appropriate company was started.
For this purpose, the study scope (see chapters 1.4 and 6.1) was used to generate respective selection criteria. On this basis, Glaux Soft AG (chapter 6.2) was selected. First, the mapping of the company's processes (see chapter 6.2.3) to the generic ISO 9001:2015 processes (see chapter 6.3) was performed by using tool number 1 of the PIP.

Once its processes were mapped, the company, meaning its executives and process owners, defined enterprise goals, assessable processes and respective targeted capability levels by using the second instrument of the PIP (described in chapter 6.4.1). During this process, various improvement potentials for the PIP were identified and adaptations, as described in chapter 6.5, were performed.

Finally, a process assessment was performed (as in chapter 6.4.2) and different improvement initiatives (see chapter 6.4.3) were defined by using the baseline of the PIP. Thereby, some further adaptations were made to the PIP and its tools and instruments.

Overall, the performed qualitative case study has highlighted the potential of the PIP to become a worthy instrument within the areas of process maturity measurement and continuous improvement for ISO 9001:2015 certified companies. Notwithstanding the various limitations, which are addressed directly during the study or are highlighted as prospective research elements (see chapter 7.3), the prototype and therewith the study have reached their defined goals.

7.2 Lessons Learned

During the development of this study, several overarching insights were generated. For example, scientific resources (among others Gvoic (2013)) and practical observations (see chapter 6.2) have shown the importance of quality management for software development companies in Switzerland.
Accordingly, literature and practice offer a variety of approaches for quality management along the ISO 9001 standard. This individualisation is both boon and bane at the same time. Boon because companies have plenty of possibilities to meet their own, specific requirements within the boundaries of the respective standard, which of course is one major reason for the international and cross-industrial success of the ISO 9001 standard for quality management. Bane, on the contrary, because the wealth of different approaches and characteristics makes the development of generic tools such as the Process Improvement Prototype (PIP) even more difficult.

Another, more procedure-oriented insight is that companies handle information related to their quality management systems much more confidentially than initially expected. Consequently, the procedure for this study had to be redesigned during its development, as the initial plan of collecting various companies' process models in order to develop the generic ISO 9001:2015 process map for IT SMEs was not realistic. However, by using the Swiss federal IT process map, an adequate alternative was found.

Furthermore, an important insight concerning COBIT 5 is that the respective methodology is clearly focused on IT departments within bigger companies. This fact led to multiple challenges and problems, among others the missing sales processes, which are currently the most serious limitation of the Process Improvement Prototype (PIP). However, other consequences of this insight, such as the need for interpretation of COBIT 5 outcomes, are considerable as well.

Finally, and most prominently, it became clear that both the combination of different standards and methodologies on process level and the reuse of elements of one framework within the other are suitable to generate practical benefits. Accordingly, the development of the PIP within the present study can be regarded as a successful intermediate goal.
Notwithstanding several limitations and future improvement potential, the PIP in its current state has proved its operability within a qualitative case study.

7.3 Prospective Research

Based on the result of the qualitative case study as well as on the conclusive reflection, several prospective research fields for further improvement of the Process Improvement Prototype (PIP) are identified and described.

First, as highlighted at various points of the study, assessment of sales processes is currently not possible with the PIP, as COBIT 5 does not cover the respective topic within its process model. However, almost every Swiss-based software development SME has such processes within its process model. Therefore, further research activities should be performed in order to identify how to extend the existing prototype with additional sales measures. One possible approach is to use other methodologies such as Val IT, which has a more generic focus and is not as IT-specific as COBIT 5 or ITIL V3.

Another worthy field of prospective research is the further optimization of the PIP's tools and techniques. In its current state, the PIP is defined within a Microsoft Excel sheet, which on the one hand allows automated calculations of various elements. On the other hand, however, the necessary formulas are currently closely tied to the number and structure of Glaux Soft's processes. Accordingly, more comprehensive work needs to be done to adapt the PIP to another company and its specific process model. Therefore, the further generalization of the Excel sheet and formulas or even the development of a dedicated application may be useful.

Finally, as a third potential field of activity, investments into the further generalization of the PIP within the IT sector should be made.
Currently, the PIP only fits SME software development companies, and only a qualitative case study has been done to confirm the respective fit. Therefore, further quantitative analyses and/or an extension in scope towards other company types and sizes within the IT sector are necessary. Moreover, as a long-term endeavour, the PIP may be adapted for other industry sectors as well as for companies outside Switzerland. However, both of these extensions will require massive adaptations to the PIP due to the current underlying IT process model of the Swiss federal administration.

8 Bibliography

8.1 Internal university-related resources

Hinkelmann, Knut; Witschel, Hans Friedrich (2014): How to choose a research methodology?, Course theory in module PORP (Practice-oriented Research Project), University of Applied Sciences Northwestern Switzerland, School of Business, Olten (Switzerland).

8.2 Scientific papers & nonfictions

Adelman, Clem (1993): Kurt Lewin and the Origins of Action Research, Educational Action Research, University of Reading, Reading (Great Britain).
Aldowaisan, Tariq A.; Youssef, Ashraf S. (2004): An ISO 9001:2000-based framework for realizing quality in small businesses, Department of Industrial and Management Systems Engineering, College of Engineering and Petroleum, Kuwait University, Safat (Kuwait).
Alter, Stefanie; Goeken, Matthias (2009): Konzeptionelle Metamodelle von IT-Governance-Referenzmodellen als Basis der Kombination und Integration in einer Multi-Modell-Umgebung, Frankfurt School of Finance & Management, Frankfurt (Germany).
Bayo-Moriones, Alberto; Merino-Diaz-de-Cerio, Javier; Escamilla-de-León, Sergio Antonio; Selvam, Rejina Mary (2011): The Impact of ISO 9000 and EFQM on the Use of Flexible Work Practices, Universidad Pública de Navarra, Departamento de Gestión de Empresas, Campus de Arrosadía, Pamplona (Spain).
Beckman, Sara L.; Barry, Michael (2007): Innovation as a Learning Process, Embedding Design Thinking, University of California, Berkeley (USA).
Benes, Georg M. E.; Groh, Peter E. (2014): Grundlagen des Qualitätsmanagement, 3rd Edition, Carl Hanser Verlag GmbH & Co. KG, Munich (Germany).
Crosby, Philip B. (1979): Quality is free, the art of making quality certain, McGraw-Hill, New York (United States).
Deming, Walter E. (1982): Out of the Crisis, Massachusetts Institute of Technology (MIT), Cambridge (United States).
De Vries, M. (2012): A Process Reuse Identification Framework Using an Alignment Model, PhD Thesis, University of Pretoria, Pretoria (South Africa).
Dilger, Alexander (2012): Rigor, wissenschaftliche und praktische Relevanz, Discussion Paper, Institute for Organisational Economics, Westfälische Wilhelms-Universität Münster, Münster (Germany).
Ellis, Timothy J.; Levy, Yair (2008): Framework of Problem-Based Research, A Guide for Novice Researchers on the Development of a Research-Worthy Problem, Graduate School of Computer and Information Sciences, Nova Southeastern University, Fort Lauderdale (USA).
Fischer, Nikolaus; Smolnik, Stefan (2013): The Impact of Mobile Computing on Individuals, Organizations, and Society, Synthesis of Existing Literature and Directions for Future Research, 46th Hawaii International Conference on System Sciences, IEEE Computer Society, Washington DC (USA).
Hart, Chris (1998): Doing a Literature Review, Releasing the Social Science Research Imagination, SAGE Publications, Thousand Oaks (USA).
Hermann, Joachim (2009): Ein Qualitätsmanagementsystem (QMS) für Lehre und Studium an der TU Berlin, Technische Universität Berlin, Berlin (Germany).
Hess, Thomas; Matt, Christian; Hilbers, Konrad (2014): Bekannte und weniger bekannte Wege zu praxisrelevanter Forschung in der Wirtschaftsinformatik, Ludwig-Maximilians-Universität München (LMU), Institut für Wirtschaftsinformatik und Neue Medien, Munich (Germany).
Hevner, Alan R.; Chatterjee, Samir (2010): Design Research in Information Systems, Theory & Practice, 1st Edition, Springer Science + Business Media LLC, New York (USA).
Kahl, Timo (2009): Das Information Modeling Maturity Model, Ein Reifegradmodell für die Informationsmodellierung, Logos Verlag Berlin GmbH, Berlin (Germany).
Kuhn, Markus (1996): International Standard Paper Sizes, Computer Laboratory, University of Cambridge, Cambridge (United Kingdom).
Lebek, Benedikt; Uffen, Jörg; Breitner, Michael H.; Neumann, Markus; Hohler, Bernd (2013): Employees' Information Security Awareness and Behavior, A Literature Review, 46th Hawaii International Conference on System Sciences, IEEE Computer Society, Washington DC (USA).
Lee, Ming-Chang; Chang, To (2006): Applying TQM, CMM and ISO 9001 in Knowledge Management for software development process improvement, Department of Information Management, Taiwan (Taiwan).
Malzahn, Dirk (2009): Assessing – Learning – Improving, An Integrated Approach for Self-Assessment and Process Improvement Systems, 4th International Conference on Systems, IEEE Computer Society, Washington DC (USA).
Mutafelija, Boris; Stromberg, Harvey (2003): Exploring CMMI-ISO 9001:2000 Synergy when Developing a Process Improvement Strategy, SEPG 2003 Conference, BearingPoint Inc. & Hughes Network Systems, Boston (USA).
Müller, Christian (2004): Grundlagen des Qualitätsmanagement, MPA Abschlussworkshop, Barbara Bredner, Statistische Beratung & Lösungen, Unna (Germany).
Paul, Philipp (2009): Vom Qualitätsmanagement zum Total Quality Management, Ullrich Präzisionstechnik, Benshausen (Germany).
Paulk, Mark C. (1995): How ISO 9001 Compares with the CMM, Institute for Software Research, School of Computer Science, Carnegie Mellon University, Pittsburgh (USA).
Pfeifer, Tilo; Schmitt, Robert (2010): Qualitätsmanagement, Strategien Methoden Techniken, 4th Edition, Carl Hanser Verlag GmbH & Co. KG, Munich (Germany).
Repenning, Nelson P.; Sterman, John D. (2002): Capability Traps and Self-Confirming Attribution Errors in the Dynamics of Process Improvement, Sloan School of Management Massachusetts Institute of Technology, Cambridge (USA).
Repp, Nicolas; Mauthe, Andreas U.; Steinmetz, Ralf (2008): Chancen und Risiken bei der Einführung von IT-Governance-Frameworks, Ergebnisse einer qualitativen Untersuchung in Grossbritannien, Fachgebiet Multimedia Kommunikation, Technische Universität Darmstadt, Darmstadt (Germany).
Riehle, Dirk (2011): Software research and the Industry, Rigor vs. Relevance, or: What is the size of a Dissertation?, Available: http://dirkriehle.com/2011/04/20/rigor-vs-relevance-or-what-is-the-size-of-a-dissertation/ (Access: 21. April 2015).
Rohloff, Michael (2003): IT-Governance: Modell und ausgewählte Beispiele für die Umsetzung, Siemens AG, Munich (Germany).
Russell, Steve (2010): ISO 9000:2000 and the EFQM Excellence Model: Competition or co-operation?, Business Improvement & Total Quality, Lloyds Register Quality Assurance Limited, Coventry (England).
Rüter, Andreas; Schröder, Jürgen; Göldner, Axel; Niebuhr, Jens (Hrsg.) (2010): IT-Governance in der Praxis, Erfolgreiche Positionierung der IT im Unternehmen, 2nd Edition, Springer-Verlag GmbH, Heidelberg (Germany).
Saunders, Mark N. K.; Rojon, Céline (2011): On the Attributes of a Critical Literature Review, School of Management, University of Surrey, Guildford (United Kingdom).
Saunders, Mark N. K.; Lewis, Philip; Thornhill, Adrian (2009): Research Methods for Business Students, 5th Edition, Pearson Education Limited, Harlow (England).
Schmelzer, Hermann J.; Sesselmann, Wolfgang (2010): Geschäftsprozessmanagement in der Praxis, Carl Hanser Verlag GmbH & Co. KG, Munich (Germany).
Schmitt, Robert (2015): Unternehmerisches Qualitätsmanagement, Das unternehmerische Qualitätsverständnis, Available: http://www.aachener-qualitaetsmanagement-modell.de/das-unternehmerische-qualitatsverstandnis/ (Access: 11. May 2015).
Schroll, Johann (2006): Qualitätsmanagement im IT-Bereich, ISO 9001 und ITIL® im Vergleich, GRIN Verlag GmbH, Munich (Germany).
Strompen, Norbert (2015): Definition Normen – Standards, Begriffsbestimmung und Erläuterungen, IHK Koblenz, Koblenz (Germany).
Thaller, Georg E. (1997): Der individuelle Software-Prozess, DIN EN ISO 9001 für Klein- und Mittelbetriebe, BHV Software GmbH, Kaarst (Germany).
Thom, N.; Ritz, A. (2000): Public Management, Innovative Konzepte zur Führung im öffentlichen Sektor, GWV, Wiesbaden (Germany).
Walsham, Geoff (1993): Interpreting Information Systems in Organizations, John Wiley & Sons, Chichester (Great Britain).
Yoo, Chanwoo; Yoon, Junho; Lee, Byungjeong; Lee, Chongwon; Lee, Jinyoung; Hyun, Seunghun; Wu, Chisu (2004): An Integrated Model of ISO 9001:2000 and CMMI for ISO Registered Organizations, 11th Asia-Pacific Software Engineering Conference, IEEE Computer Society, Washington DC (USA).
Yoo, Chanwoo; Yoon, Junho; Lee, Byungjeong; Lee, Chongwon; Lee, Jinyoung; Hyun, Seunghun; Wu, Chisu (2006): A unified model for the implementation of both ISO 9001:2000 and CMMI by ISO-certified organizations, SE Lab, School of Computer Science and Engineering, Seoul National University, Seoul (South Korea).
Zelt, Saskia; Uebernickel, Falk; Brenner, Walter (2013): Managing Global IT Delivery Networks, A Literature Review from the Supplier's Perspective, 46th Hawaii International Conference on System Sciences, IEEE Computer Society, Washington DC (USA).
8.3 Practice-oriented literature & resources

Andenmatten, Martin (2012a): Erfolg durch Serviceorientierung, Swiss IT Magazine, Available: http://www.itmagazine.ch/Artikel/49275/Erfolg_durch_Serviceorientierung.html, Swiss IT Media, Thalwil (Switzerland).
Andenmatten, Martin (2012b): Prozess Assessment, Wer misst, misst Mist, Available: https://blog.itil.org/2012/10/cobit/prozess-assessment-wer-misst-misst-mist (Access: 18. June 2015).
Angermeier, Dr. Georg (2015): Best Practice Approach, Definition, Available: https://www.projektmagazin.de/glossarterm/best-practice (Access: 18. April 2015).
British Department of Trade & Industry (2015): Quality Management Systems, Definition, Available: http://www.businessballs.com/dtiresources/quality_management_systems_QMS.pdf (Access: 30. March 2015).
Business Dictionary (2015): Definition of Quality Management System, Available: http://www.businessdictionary.com/definition/quality-management-system-QMS.html (Access: 30. March 2015).
Deutsches Institut für Normierung (2015): Koordinierung der Normungsarbeit, Ziele der Normungsarbeit, Available: http://www.din.de/cmd?level=tpl-unterrubrik&languageid=de&cmssubrubid=ziele (Access: 11. May 2015).
Gabler Business Dictionary (2015): Definition of the term quality, Available: http://wirtschaftslexikon.gabler.de/Archiv/55799/qualitaet-v6.html (Access: 01. June 2015).
Glaux Soft AG (2015a): Company Webpage – About Us, Available: https://www.glauxsoft.com/ueber-uns.html (Access: 07. December 2015).
Glaux Soft AG (2015b): Company Webpage – evidence, Available: https://www.glauxsoft.com/evidence.html (Access: 07. December 2015).
Glaux Soft AG (2015c): Glaux Soft AG – Description of the ISO 9001:2015 Quality Management System, Internal Documentation, Glaux Soft AG, Bern (Switzerland).
Glenfis AG (2011): ITIL Edition 2011 - COBIT 5 Mapping, Glenfis AG, Zurich (Switzerland).
Gvoic, Marina (2013): Der aktuelle ISO-Survey 2013 stellt die Daten zur Verbreitung der ISO-Zertifizierungen vor, Arbeitswohlfahrt Bundesverband e.V., Berlin (Germany).
International Standardisation Organisation (2003): ISO 15504-2:2003, Information technology, Process assessment, Part 2: Performing an assessment, 1st Edition, ISO, Vernier (Switzerland).
International Standardisation Organisation (2012): Quality Management Principles, ISO, Vernier (Switzerland).
International Standardisation Organisation (2015a): ISO 9001:2015, Quality Management Systems – Requirements, 5th Edition, ISO, Vernier (Switzerland).
International Standardisation Organisation (2015b): The ISO Survey, Available: http://www.iso.org/iso/iso-survey (Access: 16. June 2015).
International Standardisation Organisation (2015c): ISO/IEC 33001:2015, Process Assessment, Concepts and Terminology, 1st Edition, ISO, Vernier (Switzerland).
International Standardisation Organisation (2015d): ISO 9000:2015, Quality Management, 4th Edition, ISO, Vernier (Switzerland).
ISACA (2013a): COBIT 5, Using COBIT 5 – Self Assessment Guide, ISACA, Rolling Meadows (USA).
ISACA (2013b): Process Assessment Model (PAM), Using COBIT 5, ISACA, Rolling Meadows (USA).
ISACA (2013c): COBIT 5, A Business Framework for the Governance and Management of Enterprise IT, ISACA, Rolling Meadows (USA).
ISACA (2010): COBIT Mapping, Mapping of FFIEC with COBIT 4.1, ISACA, Rolling Meadows (USA).
ISB (2015): Prozesslandkarte, Informatikprozesse in der Bundesverwaltung, Release 3 vom 12.08.2015, Informatiksteuerungsorgan des Bundes, Bern (Switzerland).
ISO 9000 Store (2015): Definition of Quality Management System, Available: http://the9000store.com/what-is-iso-9001-quality-management-system.aspx (Access: 30. March 2015).
KMU Portal des Bundes (2015): Qualitätsmanagementsysteme (QMS) nach ISO 9001, Available: http://www.kmu.admin.ch/kmu-betreiben/03293/03294/03295/index.html?lang=de (Access: 27. April 2015).
Lemberg, Sabine (2015): Clarifications about the provision of information about ISO 9001:2015 process models (Interview / Discussion from 22. October 2015).
Quack, Karin (2014): IT-Kompass 2014, IT und Fachbereiche nähern sich an, Available: http://www.computerwoche.de/a/it-und-fachbereiche-naehern-sich-an,2555787 (Access: 20. June 2015).
SAI Global Limited (2015): Certification along ISO 9001:2008, Available: http://www.saiglobal.com/Assurance/quality-business-management/ISO9001.htm (Access: 18. April 2015).
Schmutz, Christoph G. (2013): Ein Massstab für konstante Qualität, Warum Unternehmen sich zertifizieren lassen, Available: http://www.nzz.ch/ein-massstab-fuer-konstante-qualitaet-1.18106375 (Access: 16. June 2015).

8.4 Used Graphics (not directly mentioned in text)

Illustration Quality Assurance (Page 1): title image of the paper, http://wordsrevealed.com/wp-content/uploads/2014/02/aaaa.jpg, Words revealed, Rome (Italy).

9 Appendix

This chapter contains various appendixes, which substantiate different contents of the study that are provided in a summarized form within the previous chapters. In order to ensure a comprehensive overview of the different appendixes, the following list summarizes each appendix.

Appendix A – Structured Literature Review
The structured literature review contains a list of all resources used within the study. It contains a fine-grained categorization of the resources as described within chapter 2.1.

Appendix B – Generic Process Map for IT SMEs in Detail
This appendix provides further information concerning the GPM-IT defined in chapter 4.4. All processes are described in detail regarding the common process aspects of inputs, outputs, objectives, activities, process owners and roles.

Appendix C – Generic Process Map and COBIT 5 Detailed Process Mapping
The mapping between the GPM-IT and COBIT 5 introduced in chapter 4.5 is enriched with further information within this appendix. Along common process aspects of inputs, outputs, objectives, activities, process owners and roles, the respective mapping accuracy is calculated and justified.

Appendix D – Glaux Soft's Process Map in Detail
This appendix provides further information concerning Glaux Soft's ISO 9001 process model introduced in chapter 6.2.3. All processes are described in detail regarding the common process aspects of inputs, outputs, objectives, activities, process owners and roles.

Appendix E – Generic Process and Glaux Soft's Detailed Process Mapping
The mapping between the GPM-IT and Glaux Soft's ISO 9001 process model introduced in chapter 6.3 is enriched with further information within this appendix. Along common process aspects of inputs, outputs, objectives, activities, process owners and roles, the respective mapping accuracy is calculated and justified.

Appendix F – Process Improvement Prototype (PIP)
The last appendix contains further information and clarifications about the PIP and its three specific tools, which are provided within a separate Microsoft Excel file.

Important Notice: This master thesis is available in two different versions – an internal and an external one. Within the external, published version, appendixes D and E are removed due to the confidentiality of the respective contents.
9.1 Appendix A – Structured Literature Review

The structured literature review (see table 27) provides an overview of all relevant literature that was used in order to generate the present study. Thereby every source is categorized along the keywords defined during the process of literature review.

Columns: Reference (for detailed references see chapter 8); Quality; IT Governance; Process Maturity; Mapping; Research
Column headings: Framework & Standard; ISO/IEC 9001; EFQM; Quality Management System; Business- / IT-Alignment; IT Governance Model; COBIT 5 (incl. COBIT 4.1); Process Improvement; Self-Assessment; COBIT 5 PAM; CMMI; ISO/IEC 9001; CMMI; COBIT 5 PAM (incl. COBIT 4.1); EFQM; Literature Review; Research Methodology; Research Design; Other Resources

Adelman (1993) x x
Aldowaisan & Youssef (2004) x x x
Alter & Goeken (2009) x x
Andenmatten (2012a) x
Andenmatten (2012b) x x
Angermeier (2015) x
Crosby (1979) x
Bayo-Moriones et al. (2011) x x x x
Beckman & Barry (2007) x
Benes & Groh (2014) x
British Department of Trade & Industry (2000) x
Business Dictionary (2015) x
Deutsches Institut für Normierung (2015) x
Deming (1982) x
De Vries (2012) x
Dilger (2012) x
Ellis & Levy (2008) x
Fischer & Smolnik (2013) x x
Gabler Business Dictionary (2015) x
Glaux Soft AG (2015a) x
Glaux Soft AG (2015b) x
Glaux Soft AG (2015c) x x x x
Glenfis AG (2011) x
Gvoic (2013) x
Hart (1998) x
Hevner & Chatterjee (2010) x x
Hermann (2009) x
Hess et al. (2014) x
Hinkelmann & Witschel (2014) x x
International Standardisation Organisation (2003) x x
International Standardisation Organisation (2012) x x
International Standardisation Organisation (2015a) x x
International Standardisation Organisation (2015b) x x
International Standardisation Organisation (2015c) x x
International Standardisation Organisation (2015d) x x
ISACA (2013a) x x x
ISACA (2013b) x x
ISACA (2013c) x
ISACA (2010) x x
ISB (2015) x x x
ISO 9000 Store (2015) x x
Kahl (2009) x
KMU Portal des Bundes (2015) x
Kuhn (1996) x
Lebek et al. (2013) x
Lee & Chang (2006) x x
Lemberg (2015) x x x
Malzahn (2009) x x
Mutafelija & Stromberg (2003) x x
Müller (2004) x
Paul (2009) x
Paulk (1995) x x
Pfeifer & Schmitt (2010) x
Quack (2014) x
Repenning & Sterman (2002) x
Repp et al. (2008) x x x
Riehle (2011) x
Rohloff (2003) x x x x
Russell (2010) x x
Rüter et al. (2010) x
SAI Global Limited (2015) x
Saunders & Rojon (2011) x
Saunders et al. (2009) x x x
Schmelzer & Sesselmann (2010) x x
Schmitt (2015) x
Schmutz (2013) x x
Schroll (2006) x x x x x
Strompen (2015) x
Thaller (1997) x x
Thom & Ritz (2000) x
Walsham (1993) x
Yoo et al. (2004) x x
Yoo et al. (2006) x x
Zelt et al. (2013) x x

Table 30 Structured Literature Review
9.2 Appendix B – Generic Process Map for IT SMEs in Detail

The generic ISO 9001:2015 process map for IT SMEs (as in figure 49) contains eleven different processes, which are categorized in management, core and support processes. Thereby the resulting process model looks as follows:

Figure 49 Generic ISO 9001:2015 Process Model for IT SMEs (GPM-IT) (adapted from ISB (2015))

Within this appendix, which is based on ISB (2015) and in parts adapted from Glaux Soft (2015c), the single processes and their individual attributes are described in detail. As the cited resources are written in German only, the process details are provided in the respective language.

9.2.1 Process 01 – IT Management

Aspect / Official Description

Inputs
- Ausnahmebedarf (04, 05, 06)
- Controllingberichte (04)
- Finanz- & Kostendaten (09)
- freigegebenes Informatikportfolio (04)
- Geschäftsprozess-Anforderungen (01)
- Geschäftsstrategien (01)
- Legislaturziele des Bundesrates (01)
- SCO-Bericht (04)

Outputs
- Ausnahmeentscheid (04)
- IKT-Prüfbericht (04)
- IKT-Vorgaben aus P01 (02, 03, 04, 05, 06, 07, 08, 09)
- Masterplan aus IKT-Strategie (04)
- Messdaten (08)
- Programm-Handbuch (05)
- Programm-Informationen (04)
- Studienbedarf (04)

Objectives
- Eine optimale Informatikunterstützung der Geschäftsprozesse in der Bundesverwaltung ist sichergestellt.
- IKT-Vorgaben sind aktualisiert und IKT-Standards sind eingehalten.
- IKT-Programme sind umgesetzt.
Activities
01.01 Strategische Informatikplanung (SIP)
- IKT-Strategie entwickeln
- IKT-Strategie nachführen
01.02 IKT-Standards festlegen
- IKT-Standard entwickeln
- IKT-Standard pflegen
- IKT-Standard ausser Kraft setzen
01.03 Einhaltung von IKT-Vorgaben überprüfen
- Einhaltung von IKT-Vorgaben überprüfen
01.04 Ausnahmen von IKT-Vorgaben gewähren
- Ausnahmen von IKT-Vorgaben gewähren
01.05 Unternehmensarchitektur-Planung
- Unternehmensarchitektur entwickeln
- Unternehmensarchitektur nachführen
01.06 IKT-Programme umsetzen
- IKT Programm - Programm identifizieren
- IKT Programm - Programm definieren
- IKT Programmumsetzung führen
- IKT Programm - Programm abschliessen

Process Owner
n. a.

Roles
- Auftraggeber/in (AG)
- Geschäftsprozess-Verantwortliche/r (GPV)
- IKT-Auditor/in
- Informatiksicherheitsbeauftragte/r (ISB)
- Lösungsarchitekt/in (ARCH)
- Programm-Delegierte/r (PDL)
- Programm-Manager/in (PGM)
- Projektleiter/in (PL)
- Standard-Administrator/in (STA)
- Strategieverantwortliche/r (STV)
- Unternehmensarchitekt/in (UA)

Table 31 ISB Process 01 – IT Management (from ISB (2015))
9.2.2 Process 04 – IT Steering

Aspect / Official Description

Inputs
- Änderungsantrag (RFC) & Änderungsauftrag (MAC) (07)
- Ausnahmeentscheid (01)
- Auswertungen über erbrachte IKT-Leistungen (06)
- Bedarf nach IKT-Service (05)
- Bedarfserfüllung (03)
- Betriebsanforderungen für SLA (05)
- Finanzkennzahlen und Reports (09)
- Geschäftsprozess-Anforderungen (01)
- IKT-Prüfbericht (01)
- IKT-Vorgaben aus P01 (01)
- Konsolidierte Inventarinformationen (06)
- Konsolidierter Changeplan (05)
- Masterplan aus IKT-Strategie (01)
- Plankostenkalkulation für LV (09)
- Programm-Informationen (01)
- Projektstatus (05)
- Servicekatalog (06)
- Serviceverbesserungsplan (06)
- Stand Zahlungs- und Verpflichtungskredite (09)
- Studienbedarf (01)
- verfügbare Zahlungs- und Verpflichtungskredite (09)

Outputs
- abgeschlossene DLV & SLA (09)
- ACO-, SCO-, PCO-Bericht (09)
- Änderungsantrag (RFC) (05)
- Änderungsauftrag (MAC) (05)
- Ausnahmebedarf (01)
- Bedarfsanforderung (03)
- Controllingberichte (01)
- freigegebenes Informatikportfolio (AG, 01, 09)
- genehmigter Serviceverbesserungsplan (06)
- ICO-Vorgaben (05)
- Informationen über Kundenzufriedenheit (07)
- Informationen über Trends (06)
- Kundenzufriedenheit (04)
- Messdaten (08)
- nachgeführter Servicekatalog (06)
- Projektanmeldung oder SCO-Bericht (05)
- Projektentscheide (05)
- Projektvereinbarung (AG)
- SCO-Bericht (01)
- SLA (04, 05, 06, 07)

Objectives
- Unterstützung und Optimierung der Geschäftsprozesse durch den Einsatz von IKT-Mitteln.

Activities
04.02 Informatikportfolio führen
- Informatikportfolio führen
04.04 Studien führen
- Studien führen
04.05 Projekte führen
- Projekte führen
04.06 Anwendungen und IKT-Services führen
- SLA für IKT-Services aus Servicekatalog abschliessen
- SLA für individuelle IKT-Services abschliessen
- Erbrachte Leistungen periodisch überprüfen

Process Owner
n. a.
Roles
- Accountmanager/in (AM)
- Anwendungs-Verantwortliche/r (AV)
- Auftraggeber/in (AG)
- Geschäftsprozess-Verantwortliche/r (GPV)
- Informatikcontrollingbeauftragte/r (ICB)
- Informatiksicherheitsbeauftragte/r (ISB)
- Integrationsmanager/in (IM)
- Lösungsarchitekt/in (ARCH)
- Produktverantwortliche/r (PRV)
- Projektleiter/in (PL)
- Servicekatalog-Verantwortliche/r (SKV)
- Serviceverantwortliche/r (SRV)
- Unternehmensarchitekt/in (UA)

Table 32 ISB Process 04 – IT Steering (from ISB (2015))

9.2.3 Process 08 – Maintain IT-Processes

Aspect / Official Description

Inputs
- Freigabe Prozessrelease (08)
- IKT-Vorgaben aus P01 (01)
- Messdaten (01, 02, 03, 04, 05, 06, 07, 08, 09)
- Prozessanregungen (Prozessanwender)
- Verbesserungsvorschläge (Prozessanwender)

Outputs
- Änderungsmitteilungen (08)
- Änderungsmitteilungen (Prozessanwender)
- Ausbildung (Prozessanwender)
- Ausbildungsunterlagen (Ausbildungsunterlagen)
- Messdaten (08)
- Prozessänderungen (Prozessdokumentation)
- Prozessindex (08)
- Verbesserungsanträge (08)

Objectives
- Der Prozess 'P08 IKT-Prozesse pflegen' definiert das Prozessmanagementsystem und stellt die kontinuierliche Verbesserung der IKT-Prozesse sicher.

Activities
08.01 Prozess messen
- Individuelles Prozessassessment durchführen
- Periodisches Prozessassessment durchführen
- Prozess messen
08.02 Prozess verbessern
- Prozess verbessern
08.03 Prozessänderung einführen
- Prozessänderung einführen

Process Owner
n. a.
Roles:
- Process owner (PE)
- Process manager, federal level (PVB)
- Process manager, department level (PVD)

Table 33 ISB Process 08 – Maintain IT-Processes (from ISB (2015))

9.2.4 Process 10 – Strategic Marketing

Aspect / Official Description

Inputs:
- ICT directives from P01 (01)
- Available payment and commitment credits (09)

Outputs:
- Targeted communication (07)
- Marketing information (01)
- Measurement data (08)

Objectives:
- Ensure communication that is appropriate to level and target group, timely, continuous and reliable.

Activities:
- 10.01 Management of information & communication platforms
- 10.02 Definition of CI/CD guidelines

Process Owner: n. a.

Roles:
- Marketing Manager

Table 34 Adapted Process 10 – Strategic Marketing (adapted from Glaux Soft AG (2015c))

9.2.5 Process 05 – Solution Development & Deployment

Aspect / Official Description

Inputs:
- Change request (RFC) (04, 06, 07)
- Change order (MAC) (07)
- Demand fulfilment (02, 03)
- Operational requirements (06)
- Operational requirements and information for solution (06)
- Purchasing information (03)
- Existing configuration information (06)
- ICO directives (04)
- ICT directives from P01 (01)
- Individual ICT training needs (02)
- Inventory information (06)
- Programme manual (01)
- Project registration or SCO report (04)
- Project decisions (04)
- SLA (04)
- Status of payment and commitment credits (09)
- Support requirements and information for solution (07)

Outputs:
- Activated solution (06)
- Need for exception (01)
- Demand for ICT service (04)
- Demand request (03)
- Operational requirements for SLA (04)
- Change status (07)
- Consolidated change plan (04, 06, 07)
- Solution description for operations (06)
- Solution descriptions for support (07)
- Measurement data (08)
- Requirements specification (03)
- Project-specific training requirements (02, 05)
- Project status (04)
- Project agreement (09)
- Changed configuration information (06)

Objectives:
- The process 'P05 Lösungen entwickeln und einführen' (Develop and deploy solutions) defines procedures to carry out ICT initiatives and ICT changes to the principal's complete satisfaction with regard to quality, duration, cost and function, and to introduce them into the production environment for operation.

Activities:
- 05.01 Initialise ICT initiative
- 05.02 Outline solution proposals
- 05.03 Design solution
- 05.04 Implement solution
- 05.05 Deploy solution
- 05.06 Close ICT initiative
- Handle ICT change (without project)
  - Deploy ICT change
  - Initialise ICT change (coordination and planning)

Process Owner: n. a.

Roles:
- Account manager (AM)
- Principal (AG)
- Change manager
- Business process manager (GPV)
- IT security officer (ISB)
- Integration manager (IM)
- ISDS manager (ISDSV)
- Solution architect (ARCH)
- Project manager (PL)
- Quality manager (QV)
- Service catalogue manager (SKV)
- Service manager (SRV)

Table 35 ISB Process 05 – Solution Development & Deployment (from ISB (2015))

9.2.6 Process 06 – Operate IT-Infrastructure & -Services

Aspect / Official Description

Inputs:
- Activated solution (05)
- Order for backup and recovery (07)
- Demand fulfilment (03)
- Financial key figures and reports (09)
- Approved service improvement plan (04)
- ICT directives from P01 (01)
- Information on trends (04)
- Consolidated change plan (05)
- Solution description for operations (05)
- Updated service catalogue (04)
- Asset accounting reference number (09)
- SLA (04)
- Problem resolution status (07)
- Support plan (07)
- Changed configuration information (05)

Outputs:
- Analysed information and problem reports (07)
- Change request (RFC) (05)
- Need for exception (01)
- Evaluations of delivered ICT services (04)
- Demand request (03)
- Operational changes (07)
- Operational requirements (05)
- Operational information (07)
- Existing configuration information (05)
- ICT service (customer)
- Inventory information (09)
- Inventory information (05)
- Consolidated inventory information (04)
- Measurement data (08)
- Problem report (07)
- Reports on performance, capacities (09)
- Service catalogue (04)
- Service improvement plan (04)
- Problem resolution status (07)

Objectives:
- Delivery (planning, executing and controlling) of operational ICT services within the defined service level agreements and within budget.
- Achievement of the specified customer satisfaction.
- Provision of the foundations and recommendations so that the availability requirements of all ICT services are met economically and sustainably in accordance with the service level agreements.
- Definition and introduction of the necessary data protection and security measures in accordance with the directives of the Confederation to guarantee the security of persons, IT objects and infrastructure.
- Planning and execution of all measures that guarantee consistent states of all required objects (operating systems, applications, data and business functions) after backup and recovery.
- Fulfilment of the backup and recovery requirements of all required objects in accordance with the service level agreements.
- Fulfilment of the disaster preparedness requirements regarding backup and recovery.
- Systematic inventory of ICT objects in accordance with the directives.
- Consistent and up-to-date configuration information is made available.
- Changes to the configuration information from the process P05 Lösungen entwickeln (Develop solutions) are continuously updated.
- Compliance with the agreed time and throughput requirements.
- Economical and timely assurance of the performance and capacity of the ICT infrastructure.
Activities:
- 06.01 Create and maintain configuration information
  - Define requirements for configuration information
  - Record and maintain configuration information
  - Manage and verify configuration information
- 06.02 Control availability
  - Analyse and report availability
  - Measure and monitor availability
  - Plan availability
- 06.03 Control backup and recovery
  - Identify needs
  - Implement plan and procedures
  - Analyse and report results
  - Improve backup and recovery
  - Perform backup
  - Perform recovery
- 06.04 Control performance and capacity
  - Analyse and report performance & capacity
  - Measure and monitor performance and capacity
  - Plan performance and capacity
- 06.05 Control and maintain operations
  - Align resources with commitments
  - Enable service delivery
  - Perform services
  - Maintain services
- 06.06 Manage ICT inventory
  - Define inventory procedure
  - Record hardware (direct delivery to customer)
  - Record hardware (delivery via inventory warehouse)
  - Record software
  - Evaluate inventory information
  - Maintain and verify inventory information

Process Owner: n. a.
Roles:
- Principal (AG)
- Procurement coordinator
- Change manager
- IT security officer (ISB)
- Integration manager (IM)
- Product manager (PRV)
- Service manager (SRV)

Table 36 ISB Process 06 – Operate IT-Infrastructure & -Services (from ISB (2015))

9.2.7 Process 07 – User Support

Aspect / Official Description

Inputs:
- Analysed information and problem reports (06)
- Request (customer)
- Operational changes (06)
- Operational information (06)
- Change status (05)
- ICT directives from P01 (01)
- Information on customer satisfaction (04)
- Consolidated change plan (05)
- Solution descriptions for support (05)
- Notification (customer)
- Problem report (06)
- SLA (04)
- Problem resolution status (06)

Outputs:
- Change request (RFC) (04, 05)
- Change order (MAC) (04, 05)
- Order for backup and recovery (06)
- Evaluations of delivered ICT services (04)
- Information on problem-causing components (03)
- Measurement data (08)
- Reports on performance, capacities (09)
- Status of requests, problems or incidents (customer)
- Problem resolution status (06)
- Support requirements and information for solution (05)
- Support plan (06)

Objectives:
- Ensuring user support in accordance with service level agreements and the fastest possible restoration of ICT services in the event of incidents.
- Operation of a communication centre with high-quality, competent readiness to provide information and high reachability.
- Establishment of clear communication interfaces to the service recipient and to the internal and external service providers.
- Structured, efficient and timely problem handling with optimal use of resources.
- Creating the best conditions for an unambiguous assignment of problems for the development of solutions.
- Reduction of occurring incidents by determining the causes and effects of problems (reactive and proactive).

Activities:
- 07.01 Support service recipients
  - Plan and prepare support services
  - Handle incidents
  - Handle information and service requests
  - Handle MAC requests
  - Measure, evaluate & monitor support services
- 07.02 Handle problems
  - Process problems

Process Owner: n. a.

Roles:
- User supporter (BU)

Table 37 ISB Process 07 – User Support (from ISB (2015))

9.2.8 Process 11 – Sales

Aspect / Official Description

Inputs:
- Sales opportunity (11)
- Customer decision
- ICT directives from P01 (01)

Outputs:
- Offer (customer)
- Order for change (04)
- Provide infrastructure (06)
- Measurement data (08)

Objectives:
- Conclusion of contracts with customers that are profitable in the long term and fit our portfolio

Activities:
- 11.01 Sales

Process Owner: n. a.

Roles:
- Account manager (AM)
- Head of sales
- Administration
- Project manager (PL)
- Service Desk

Table 38 Adapted Process 11 – Sales (adapted from Glaux Soft AG (2015c))

9.2.9 Process 02 – Skills Development

Aspect / Official Description

Inputs:
- General training requirements (02)
- ICT training requirements (02)
- ICT directives from P01 (01)
- Project-specific training requirements (05)
- Role holder profile (position data, personnel data)
- Job description (position data, personnel data)

Outputs:
- Updated ICT training recommendations (02)
- Demand fulfilment (05)
- Individual ICT training needs (05)
- Individual ICT training needs (process users)
- Measurement data (08)

Objectives:
- The process P02 "Fähigkeiten entwickeln" (Develop skills) supports line managers in developing the skills of the ICT role holders.
Activities:
- 02.01 Develop training recommendations
- 02.02 Perform ICT gap analysis

Process Owner: n. a.

Roles:
- Process manager, federal level (PVB)

Table 39 ISB Process 02 – Skills Development (from ISB (2015))

9.2.10 Process 03 – Procurement

Aspect / Official Description

Inputs:
- Offer (supplier)
- Demand request (05, 06)
- Demand request (04)
- ICT directives from P01 (01)
- Information on problem-causing components (07)
- Requirements specification (05)

Outputs:
- Demand fulfilment (04, 05, 06)
- Purchase order (supplier)
- Purchasing information (05)
- Measurement data (08)
- Contract (supplier)
- Payment order (09)

Objectives:
- The overarching goal of the process P03 'Güter und Dienstleistungen beschaffen' (Procure goods and services) is the demand-oriented and efficient supply of all administrative units of the Federal Administration with IT goods and services.

Activities:
- 03.01 Demand request
- 03.02 Offer processing
- 03.03 Order processing
- 03.04 Delivery / service provision
- 03.05 Invoice processing
- 03.06 Order control

Process Owner: n. a.

Roles:
- Principal (AG)
- Procurement coordinator
- Integration manager (IM)
- Central purchaser

Table 40 ISB Process 03 – Procurement (from ISB (2015))
9.2.11 Process 09 – Support Financial Management

Aspect / Official Description

Inputs:
- Concluded DLV (04)
- Concluded SLA (04)
- ACO, SCO, PCO report (04)
- Released IT portfolio (04)
- ICT directives from P01 (01)
- Inventory information (06)
- Project agreement (05)
- Reports on performance, capacities (06, 07)
- Payment order (03)

Outputs:
- Financial & cost data (01)
- Financial key figures and reports (04, 06)
- Measurement data (08)
- Planned cost calculation for LV (04)
- Asset accounting reference number (06)
- Status of payment and commitment credits (04, 05)
- Available payment and commitment credits (04)

Objectives:
- The required IT resources can be planned, controlled and transparently presented at the IT-LE and LB.
- The economical use of IT resources is supported instrumentally by, among other things, a KLR and a transfer pricing system.
- The financial support process comprehensively supports the IT business processes (core processes).

Activities:
- 09.01 Financial planning & budgeting
- 09.02 Budget execution
- 09.03 Annual financial statement

Process Owner: n. a.

Roles:
- Account manager (AM)
- Chief financial officer (FCV)
- Financial controller (FCOV)
- IT controlling officer (ICB)
- Integration manager (IM)
- Cost object manager (KOV)

Table 41 ISB Process 09 – Support Financial Management (from ISB (2015))

9.3 Appendix C – Generic Process Map and COBIT 5 Detailed Process Mapping

An essential part of the Process Improvement Prototype (PIP) is the mapping of every process of the generic ISO 9001:2015 process map for IT SMEs to one or more respective COBIT 5 processes, in order to be able to adapt the corresponding process maturity measurement instruments. Therefore, this appendix provides a detailed mapping between the mentioned reference models, which is aggregated within chapter 4.5. This mapping was generated by analysing and comparing ISACA (2013c) and ISB (2015).

Important: Every mapping attempt has a header with basic information and a body with the detailed mapping. Within the header, the compared COBIT 5 process, a status (green = mapping accuracy is ≥ 80 %; yellow 50 % - 79 %; red < 50 %) and the overall mapping accuracy (average of the compared process aspects) are mentioned. Within the body, the two processes are compared along the process aspects inputs, outputs, objectives, activities and roles. For every aspect, a subjective percentage value of interference is defined.

9.3.1 Process 01 – IT Management

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| EDM01 Ensure Governance Framework Setting and Maintenance | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 01 | Percentage | COBIT 5 Process -> EDM01 |
| --- | --- | --- | --- |
| Inputs | Expected are mainly strategic inputs (from business) including defined compliance borders. | 060 % | The process explicitly asks for compliance baselines as an input. The ambient strategy is not directly mentioned. |
| Outputs | The process provides an IT-strategy baseline for other processes including regulations and other instructions. | 080 % | Governance guiding principles as well as other regulations are provided. |
| Objectives | The strategic management of IT, the fulfilment of compliance requirements as well as the support of business processes are in focus. | 080 % | The purpose is: "Provide a consistent approach integrated and aligned with the enterprise governance approach." |
| Activities | Overall, the focus is set on strategic IT management with all its included tasks and responsibilities. | 080 % | The management of the governance system is in focus. |
| Roles | Involved are typical management roles as well as creative operational IT roles such as solutions architects. | | |
| TOTAL | | 080 % | |

Table 42 Detailed Mapping: Process 01 <> EDM01
| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| EDM03 Ensure Risk Optimization | Yellow | |

| Aspect | Generic ISO 9001:2015 Process -> Process 01 | Percentage | COBIT 5 Process -> EDM03 |
| --- | --- | --- | --- |
| Inputs | Expected are mainly strategic inputs (from business) including defined compliance borders. | 040 % | The process only asks for inputs towards its risk management discipline. |
| Outputs | The process provides an IT-strategy baseline for other processes including regulations and other instructions. | 060 % | This process provides risk management related baselines for all other processes. |
| Objectives | The strategic management of IT, the fulfilment of compliance requirements as well as the support of business processes are in focus. | 060 % | The purpose is: "Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised." |
| Activities | Overall, the focus is set on strategic IT management with all its included tasks and responsibilities. | 060 % | The process covers strategic risk management disciplines. |
| Roles | Involved are typical management roles as well as creative operational IT roles such as solutions architects. | | |
| TOTAL | | 060 % | |

Table 43 Detailed Mapping: Process 01 <> EDM03

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO01 Manage the IT Management Framework | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 01 | Percentage | COBIT 5 Process -> APO01 |
| --- | --- | --- | --- |
| Inputs | Expected are mainly strategic inputs (from business) including defined compliance borders. | 080 % | Various strategic plans, resources, principles and policies are needed. |
| Outputs | The process provides an IT-strategy baseline for other processes including regulations and other instructions. | 080 % | Organisational data security related regulations are provided. |
| Objectives | The strategic management of IT, the fulfilment of compliance requirements as well as the support of business processes are in focus. | 100 % | The purpose is to provide a consistent management approach for the governance system. |
| Activities | Overall, the focus is set on strategic IT management with all its included tasks and responsibilities. | 080 % | The process covers activities concerning organisation and structure of the system. |
| Roles | Involved are typical management roles as well as creative operational IT roles such as solutions architects. | | |
| TOTAL | | 090 % | |

Table 44 Detailed Mapping: Process 01 <> APO01

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO02 Manage Strategy | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 01 | Percentage | COBIT 5 Process -> APO02 |
| --- | --- | --- | --- |
| Inputs | Expected are mainly strategic inputs (from business) including defined compliance borders. | 080 % | Various strategic plans, resources, principles and policies are needed. |
| Outputs | The process provides an IT-strategy baseline for other processes including regulations and other instructions. | 080 % | Strategic outcomes such as IT-related goals and others are provided. |
| Objectives | The strategic management of IT, the fulfilment of compliance requirements as well as the support of business processes are in focus. | 100 % | The purpose is to align strategic IT plans with business goals. |
| Activities | Overall, the focus is set on strategic IT management with all its included tasks and responsibilities. | 100 % | The process covers activities concerning the strategic IT planning. |
| Roles | Involved are typical management roles as well as creative operational IT roles such as solutions architects. | | |
| TOTAL | | 090 % | |

Table 45 Detailed Mapping: Process 01 <> APO02

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO03 Manage Enterprise Architecture | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 01 | Percentage | COBIT 5 Process -> APO03 |
| --- | --- | --- | --- |
| Inputs | Expected are mainly strategic inputs (from business) including defined compliance borders. | 080 % | Various strategic plans, resources, principles and policies are needed. |
| Outputs | The process provides an IT-strategy baseline for other processes including regulations and other instructions. | 060 % | The process provides different architecture models regarding information, processes and others. |
| Objectives | The strategic management of IT, the fulfilment of compliance requirements as well as the support of business processes are in focus. | 080 % | The purpose is to define and maintain the different aspects of a system within a consistent architecture. |
| Activities | Overall, the focus is set on strategic IT management with all its included tasks and responsibilities. | 080 % | The process covers activities to define and maintain the (strategic) architecture of a company. |
| Roles | Involved are typical management roles as well as creative operational IT roles such as solutions architects. | | |
| TOTAL | | 080 % | |

Table 46 Detailed Mapping: Process 01 <> APO03

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| MEA01 Monitor, Evaluate and Assess Performance and Conformance | Yellow | |

| Aspect | Generic ISO 9001:2015 Process -> Process 01 | Percentage | COBIT 5 Process -> MEA01 |
| --- | --- | --- | --- |
| Inputs | Expected are mainly strategic inputs (from business) including defined compliance borders. | 060 % | Inputs are various strategic measures and indicators as well as strategic baselines. |
| Outputs | The process provides an IT-strategy baseline for other processes including regulations and other instructions. | 040 % | The process provides various monitoring deliverables such as reports, requirements and others. |
| Objectives | The strategic management of IT, the fulfilment of compliance requirements as well as the support of business processes are in focus. | 060 % | The purpose is: "Provide transparency of performance and conformance and drive achievement of goals." |
| Activities | Overall, the focus is set on strategic IT management with all its included tasks and responsibilities. | 060 % | The process organises the monitoring within the system and generates respective reports and analyses. |
| Roles | Involved are typical management roles as well as creative operational IT roles such as solutions architects. | | |
| TOTAL | | 060 % | |

Table 47 Detailed Mapping: Process 01 <> MEA01

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| MEA03 Monitor, Evaluate and Assess Compliance With Ext. Requirements | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 01 | Percentage | COBIT 5 Process -> MEA03 |
| --- | --- | --- | --- |
| Inputs | Expected are mainly strategic inputs (from business) including defined compliance borders. | 080 % | Inputs are internal and external compliance requirements and respective audit results. |
| Outputs | The process provides an IT-strategy baseline for other processes including regulations and other instructions. | 080 % | The process provides actions and other measures within the field of compliance. |
| Objectives | The strategic management of IT, the fulfilment of compliance requirements as well as the support of business processes are in focus. | 100 % | The purpose is: "Ensure that the enterprise is compliant with all applicable external requirements." |
| Activities | Overall, the focus is set on strategic IT management with all its included tasks and responsibilities. | 080 % | The process analyses external compliance regulations and the company's fulfilment of these requirements. |
| Roles | Involved are typical management roles as well as creative operational IT roles such as solutions architects. | | |
| TOTAL | | 090 % | |

Table 48 Detailed Mapping: Process 01 <> MEA03

9.3.2 Process 04 – IT Steering

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| EDM04 Ensure Resource Optimization | Yellow | |

| Aspect | Generic ISO 9001:2015 Process -> Process 04 | Percentage | COBIT 5 Process -> EDM04 |
| --- | --- | --- | --- |
| Inputs | The process receives strategic baselines as well as operational influences from project, operation as well as from finance. | 080 % | The process needs information about resource needs, available skills and supplier capabilities. |
| Outputs | SLAs, projects, data about customer satisfaction and other operational IT steering elements are provided. | 060 % | The process provides information about resources, architecture, capabilities and others. |
| Objectives | The objective is to support and optimise business processes by using IT. | 080 % | The purpose is to meet resource requirements while monitoring IT cost. |
| Activities | Various activities related to the operational IT management such as portfolio management and others. | 060 % | The process covers all aspects towards a target-aimed resource management. |
| Roles | Various leading IT roles such as principals, operation responsibles, account manager and others. | | |
| TOTAL | | 070 % | |

Table 49 Detailed Mapping: Process 04 <> EDM04

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO05 Manage Portfolio | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 04 | Percentage | COBIT 5 Process -> APO05 |
| --- | --- | --- | --- |
| Inputs | The process receives strategic baselines as well as operational influences from project, operation as well as from finance. | 100 % | The process needs information about the strategic road map, service topics and other operational elements. |
| Outputs | SLAs, projects, data about customer satisfaction and other operational IT steering elements are provided. | 060 % | The process provides programme information and reports. |
| Objectives | The objective is to support and optimise business processes by using IT. | 080 % | The purpose is: "Optimise the performance of the overall portfolio of programmes in response to programme and service performance and changing enterprise priorities and demands." |
| Activities | Various activities related to the operational IT management such as portfolio management and others. | 060 % | The process covers portfolio and investment management. |
| Roles | Various leading IT roles such as principals, operation responsibles, account manager and others. | | |
| TOTAL | | 080 % | |

Table 50 Detailed Mapping: Process 04 <> APO05

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO09 Manage Service Agreements | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 04 | Percentage | COBIT 5 Process -> APO09 |
| --- | --- | --- | --- |
| Inputs | The process receives strategic baselines as well as operational influences from project, operation as well as from finance. | 080 % | The process needs information resources, the architecture, budgets, programmes and others. |
| Outputs | SLAs, projects, data about customer satisfaction and other operational IT steering elements are provided. | 060 % | The process provides actions, audits and other elements in order to meet SLAs. |
| Objectives | The objective is to support and optimise business processes by using IT. | 100 % | The purpose is: "Ensure that IT services and service levels meet current and future enterprise needs." |
| Activities | Various activities related to the operational IT management such as portfolio management and others. | 100 % | Activities related to service management (including agreements, levels and other aspects). |
| Roles | Various leading IT roles such as principals, operation responsibles, account manager and others. | | |
| TOTAL | | 090 % | |

Table 51 Detailed Mapping: Process 04 <> APO09

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO12 Manage Risk | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 04 | Percentage | COBIT 5 Process -> APO12 |
| --- | --- | --- | --- |
| Inputs | The process receives strategic baselines as well as operational influences from project, operation as well as from finance. | 080 % | The process consumes strategic risk guidelines as well as information along business impacts and others. |
| Outputs | SLAs, projects, data about customer satisfaction and other operational IT steering elements are provided. | 040 % | The process provides risk scenarios and other measures to reduce risks. |
| Objectives | The objective is to support and optimise business processes by using IT. | 060 % | The purpose is to manage risk on an IT operational level. |
| Activities | Various activities related to the operational IT management such as portfolio management and others. | 060 % | The process covers the discipline of risk management with its different tasks and responsibilities. |
| Roles | Various leading IT roles such as principals, operation responsibles, account manager and others. | | |
| TOTAL | | 0660 % | |

Table 52 Detailed Mapping: Process 04 <> APO12

9.3.3 Process 08 – Maintain IT-Processes

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO11 Manage Quality | Yellow | |

| Aspect | Generic ISO 9001:2015 Process -> Process 08 | Percentage | COBIT 5 Process -> APO11 |
| --- | --- | --- | --- |
| Inputs | The process needs information about strategic baselines as well as data of process performance of other processes. | 080 % | The process requires strategic quality aspects as well as review results and plans. |
| Outputs | Outputs are process optimization ideas, changed processes as well as training sequences for process users. | 060 % | Quality management outcomes are provided. |
| Objectives | The process maintains the process model and ensures the continuous improvement of the model. | 060 % | The purpose is to ensure constant quality of solutions and services. |
| Activities | Activities are to measure, optimise and document processes and changes. | 080 % | Aspects of quality management including continuous improvement and others. |
| Roles | Organisational roles such as process owners and management responsibles. | | |
| TOTAL | | 070 % | |

Table 53 Detailed Mapping: Process 08 <> APO11

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| DSS06 Manage Business Process Controls | Yellow | |

| Aspect | Generic ISO 9001:2015 Process -> Process 08 | Percentage | COBIT 5 Process -> DSS06 |
| --- | --- | --- | --- |
| Inputs | The process needs information about strategic baselines as well as data of process performance of other processes. | 040 % | The process requires information about data classification, resources and other elements of the system. |
| Outputs | Outputs are process optimization ideas, changed processes as well as training sequences for process users. | 060 % | The process provides information about process effectiveness and other aspects. |
| Objectives | The process maintains the process model and ensures the continuous improvement of the model. | 060 % | The purpose is to maintain information integrity within business processes. |
| Activities | Activities are to measure, optimise and document processes and changes. | 060 % | The process covers the analysis of information processing regarding processes, roles and other aspects. |
| Roles | Organisational roles such as process owners and management responsibles. | | |
| TOTAL | | 060 % | |

Table 54 Detailed Mapping: Process 08 <> DSS06
| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| MEA02 Monitor, Evaluate and Assess the System of Internal Control | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 08 | Percentage | COBIT 5 Process -> MEA02 |
| --- | --- | --- | --- |
| Inputs | The process needs information about strategic baselines as well as data of process performance of other processes. | 080 % | Various audit results from internal and external disciplines. |
| Outputs | Outputs are process optimization ideas, changed processes as well as training sequences for process users. | 080 % | The process provides information about current system state as well as plans and practices for improvement. |
| Objectives | The process maintains the process model and ensures the continuous improvement of the model. | 060 % | The purpose is: "Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk." |
| Activities | Activities are to measure, optimise and document processes and changes. | 080 % | The process covers the analyses of the system as well as the initiation of initiatives for improvement. |
| Roles | Organisational roles such as process owners and management responsibles. | | |
| TOTAL | | 060 % | |

Table 55 Detailed Mapping: Process 08 <> MEA02

9.3.4 Process 10 – Strategic Marketing

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| EDM05 Ensure Stakeholder Transparency | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 10 | Percentage | COBIT 5 Process -> EDM05 |
| --- | --- | --- | --- |
| Inputs | The process requires strategic baselines as well as information from financial management. | 040 % | The process receives information about value delivery, risk management and others. |
| Outputs | Outputs are target-aimed communication endeavours as well as strategic inputs. | 080 % | The process provides communication principles and reporting requirements. |
| Objectives | The objective is to ensure a stakeholder-aimed, continuous and stable communication. | 100 % | The purpose is to make the communication with stakeholders effective. |
| Activities | The process covers activities allocated within communication (channel management, CI/CD-management and others). | 080 % | Activities cover the management of stakeholders and communication. |
| Roles | The process is performed by a marketing manager. | | |
| TOTAL | | 080 % | |

Table 56 Detailed Mapping: Process 10 <> EDM05

| COBIT 5 Process | Status | Overall Mapping Accuracy |
| --- | --- | --- |
| APO08 Manage Relationships | Green | |

| Aspect | Generic ISO 9001:2015 Process -> Process 10 | Percentage | COBIT 5 Process -> APO08 |
| --- | --- | --- | --- |
| Inputs | The process requires strategic baselines as well as information from financial management. | 080 % | The process receives strategic and operational information. |
| Outputs | Outputs are target-aimed communication endeavours as well as strategic inputs. | 080 % | The process provides communication plans and other internal analyses towards relationship management. |
| Objectives | The objective is to ensure a stakeholder-aimed, continuous and stable communication. | 060 % | The purpose is: "Create improved outcomes, increased confidence, and trust in IT and effective use of resources." |
| Activities | The process covers activities allocated within communication (channel management, CI/CD-management and others). | 060 % | Activities cover the management of relationship between business and IT. |
| Roles | The process is performed by a marketing manager. | | |
| TOTAL | | 070 % | |

Table 57 Detailed Mapping: Process 10 <> APO08
9.3.5 Process 05 – Solution Development & Deployment

COBIT 5 Process: EDM02 Ensure Benefits Delivery
Overall Mapping Accuracy: Status Yellow

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> EDM02 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 080 % | Required are information about strategy, programmes, portfolios and other aspects of the system. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 040 % | The process provides strategic actions along value delivery. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 060 % | The purpose is: "Secure optimal value from IT-enabled initiatives, services and assets." |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 060 % | The process covers disciplines along value optimization. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 060 % | |

Table 58 Detailed Mapping: Process 05 <> EDM02

COBIT 5 Process: APO04 Manage Innovation
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> APO04 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 080 % | The process asks for enterprise SWOT and technology baselines. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 080 % | The process provides innovation plans and other aspects. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 080 % | The process ensures a competitive advantage for the company. |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 060 % | The process covers disciplines along innovation and technology management. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 080 % | |

Table 59 Detailed Mapping: Process 05 <> APO04

COBIT 5 Process: BAI01 Manage Programmes and Projects
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> BAI01 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 080 % | Various information about programmes, portfolios, skills and other aspects are needed. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 100 % | Project and programme information is provided. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 100 % | The objective is to realise business benefits in order to perform projects. |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 100 % | Typical project management disciplines are covered within the process. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 100 % | |

Table 60 Detailed Mapping: Process 05 <> BAI01

COBIT 5 Process: BAI02 Manage Requirements Definition
Overall Mapping Accuracy: Status Yellow

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> BAI02 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 060 % | The process needs information about data classification, architecture principles and other elements. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 060 % | Information about requirements definition are provided. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 080 % | The purpose is: "Create feasible optimal solutions that meet enterprise needs while minimising risk." |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 060 % | Aspects of requirements management are covered. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 070 % | |

Table 61 Detailed Mapping: Process 05 <> BAI02

COBIT 5 Process: BAI05 Manage Organisational Change Enablement
Overall Mapping Accuracy: Status Yellow

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> BAI05 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 060 % | The process needs information about stakeholders, requirements and other organisational aspects. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 060 % | The process provides change management and acceptance elements. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 060 % | The purpose is: "Prepare and commit stakeholders for business change and reduce the risk of failure." |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 080 % | Covered are typical (project) marketing activities and others. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 070 % | |

Table 62 Detailed Mapping: Process 05 <> BAI05

COBIT 5 Process: BAI06 Manage Changes
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> BAI06 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 080 % | The process needs information about solutions, problems and desired changes and adaptions. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 080 % | Provided are change plan and documentations as well as other aspects of (project) change management. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 080 % | The purpose is to enable the system to be able to deliver changes fast and reliable. |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 100 % | The process covers change and project management activities. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 090 % | |

Table 63 Detailed Mapping: Process 05 <> BAI06

COBIT 5 Process: BAI07 Manage Change Acceptance and Transitioning
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> BAI07 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 060 % | Required are change plans, test results and other implementation aspects. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 080 % | The process provides release plans and other respective elements. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 080 % | The purpose is the safe implementation of solutions into operation. |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 080 % | The process covers test and release management activities. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 080 % | |

Table 64 Detailed Mapping: Process 05 <> BAI07

COBIT 5 Process: BAI08 Manage Knowledge
Overall Mapping Accuracy: Status Yellow

| Aspect | Generic ISO 9001:2015 Process -> Process 05 | Percentage | COBIT 5 Process -> BAI08 |
|---|---|---|---|
| Inputs | The process requires various strategic and operational management information as well as financial baselines. | 060 % | Required is information about existing knowledge, solutions and operation. |
| Outputs | The process provides project information as well as information about service requirements and other aspects. | 080 % | The process provides structured and documented knowledge. |
| Objectives | The objective is to manage IT projects along time, cost, resources and quality. | 060 % | The purpose is to maintain and extend knowledge in order to be able to support solution development. |
| Activities | The process covers typical project management disciplines such as conception, realisation and others. | 060 % | The process covers typical knowledge management tasks and responsibilities. |
| Roles | Typical project roles such as project manager and other creative IT roles are involved. | | |
| TOTAL | | 080 % | |

Table 65 Detailed Mapping: Process 05 <> BAI08
9.3.6 Process 06 – Operate IT-Infrastructure & -Services

COBIT 5 Process: APO13 Manage Security
Overall Mapping Accuracy: Status Yellow

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> APO13 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 060 % | The process needs information about the enterprise security approach and other related aspects. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 080 % | The process provides security policies and other measures towards an improved security. |
| Objectives | The objective is to operate, manage and maintain IT services. | 080 % | The purpose is: "Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels." |
| Activities | All activities along operation, configuration and security management are covered within the process. | 060 % | Typical IT security management activities are covered within the process. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 070 % | |

Table 66 Detailed Mapping: Process 06 <> APO13

COBIT 5 Process: BAI03 Manage Solutions, Identification and Build
Overall Mapping Accuracy: Status Yellow

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> BAI03 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 080 % | Required are various information along risk, architecture, development, quality and other areas. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 060 % | The process provides test plans, specifications, service definitions and other aspects. |
| Objectives | The objective is to operate, manage and maintain IT services. | 060 % | The purpose is: "Establish timely and cost-effective solutions capable of supporting enterprise strategic and operational objectives." |
| Activities | All activities along operation, configuration and security management are covered within the process. | 060 % | Solution and component management are covered within this process. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 070 % | |

Table 67 Detailed Mapping: Process 06 <> BAI03

COBIT 5 Process: BAI04 Manage Availability and Capacity
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> BAI04 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 080 % | The process needs information about risk, specifications and solutions. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 080 % | The process provides information about availability and capacity. |
| Objectives | The objective is to operate, manage and maintain IT services. | 100 % | The purpose is to maintain the service availability. |
| Activities | All activities along operation, configuration and security management are covered within the process. | 080 % | Availability and capacity management activities including respective monitoring tasks are covered. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 090 % | |

Table 68 Detailed Mapping: Process 06 <> BAI04

COBIT 5 Process: BAI10 Manage Configuration
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> BAI10 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 080 % | The process needs information about release plans, change status and inventories. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 080 % | The process provides information about the current configuration. |
| Objectives | The objective is to operate, manage and maintain IT services. | 060 % | The purpose is: "Provide sufficient information about service assets to enable the service to be effectively managed, assess the impact of changes and deal with service incidents." |
| Activities | All activities along operation, configuration and security management are covered within the process. | 080 % | The process covers activities around the establishment and maintenance of various configuration elements. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 080 % | |

Table 69 Detailed Mapping: Process 06 <> BAI10

COBIT 5 Process: DSS01 Manage Operations
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> DSS01 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 100 % | The process needs information about SLAs, operation plans and service definitions. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 080 % | Logs, incident tickets, policies, schedules and other operational elements are provided. |
| Objectives | The objective is to operate, manage and maintain IT services. | 100 % | The purpose is: "Deliver IT operational service outcomes as planned." |
| Activities | All activities along operation, configuration and security management are covered within the process. | 100 % | The process covers activities around the operation of services, infrastructure and environments. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 100 % | |

Table 70 Detailed Mapping: Process 06 <> DSS01

COBIT 5 Process: DSS03 Manage Problems
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> DSS03 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 060 % | The process needs incident descriptions, root causes, logs and other inputs. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 080 % | The process provides resolved problems and other, related elements. |
| Objectives | The objective is to operate, manage and maintain IT services. | 080 % | The purpose is to increase availability, improve service levels, prevent problems and reduce cost. |
| Activities | All activities along operation, configuration and security management are covered within the process. | 080 % | The process covers problem management tasks and responsibilities. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 080 % | |

Table 71 Detailed Mapping: Process 06 <> DSS03

COBIT 5 Process: DSS04 Manage Continuity
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> DSS04 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 080 % | The process needs information about SLAs and risk profiles. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 080 % | The process provides guidelines, regulations and requirements along the continuity of IT assets. |
| Objectives | The objective is to operate, manage and maintain IT services. | 080 % | The purpose is to continue critical business operations. |
| Activities | All activities along operation, configuration and security management are covered within the process. | 080 % | The process covers activities along the identification of critical assets as well as the definition and maintenance of respective assets. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 080 % | |

Table 72 Detailed Mapping: Process 06 <> DSS04

COBIT 5 Process: DSS05 Manage Security Services
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 06 | Percentage | COBIT 5 Process -> DSS05 |
|---|---|---|---|
| Inputs | The process requires strategic and operational management guidelines as well as information out of projects, user support and financial management. | 060 % | The process needs information about SLAs, data classifications and other information architecture aspects. |
| Outputs | The process provides information about IT operation and its influences on projects, users and others. | 080 % | The process provides security policies and other operational security elements. |
| Objectives | The objective is to operate, manage and maintain IT services. | 080 % | The purpose is: "Minimise the business impact of operational information security vulnerabilities and incidents." |
| Activities | All activities along operation, configuration and security management are covered within the process. | 080 % | The process covers various operational security management tasks and responsibilities. |
| Roles | Structured IT roles such as service, product or change manager are involved. | | |
| TOTAL | | 080 % | |

Table 73 Detailed Mapping: Process 06 <> DSS05

9.3.7 Process 07 – User Support

COBIT 5 Process: DSS02 Manage Service Requests and Incidents
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 07 | Percentage | COBIT 5 Process -> DSS02 |
|---|---|---|---|
| Inputs | The process needs information out of customer requests, operation and project and change management as well as about strategic IT aspects. | 080 % | The process requires information about SLAs, current configuration and other operational aspects. |
| Outputs | The process provides information about customer requirements and other operational aspects. | 080 % | Provided is information about the status of requests and incidents. |
| Objectives | The objective of the process is to support users as well as to manage problems and incidents. | 080 % | The purpose is: "Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents." |
| Activities | The activities of the process cover the aspects of user support and problem management. | 080 % | The process covers activities around request fulfilment and user support. |
| Roles | User supporter and service desk employees perform the process. | | |
| TOTAL | | 080 % | |

Table 74 Detailed Mapping: Process 07 <> DSS02

9.3.8 Process 11 – Sales

COBIT 5 Process: No comparable COBIT 5 process is available
Overall Mapping Accuracy: Status Red

| Aspect | Generic ISO 9001:2015 Process -> Process 11 | Percentage | COBIT 5 Process -> n. a. |
|---|---|---|---|
| Inputs | This process uses inputs directly from customers such as sales offers and buying decisions. Additionally strategic IT aspects are consumed. | 000 % | No comparable COBIT 5 process is available. |
| Outputs | Provided are offers for customers, change requests and needs for infrastructure services. | 000 % | |
| Objectives | The objective is to generate profitable long-term contracts and portfolios with customers. | 000 % | |
| Activities | The process covers all relevant sales activities. | 000 % | |
| Roles | Important roles for this process are the Head of Distribution as well as account managers. | | |
| TOTAL | | 000 % | |

Table 75 Detailed Mapping: Process 11 <> No COBIT 5 Process Available

9.3.9 Process 02 – Skills Development

COBIT 5 Process: APO07 Manage Human Resources
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 02 | Percentage | COBIT 5 Process -> APO07 |
|---|---|---|---|
| Inputs | The process needs information about strategic IT baselines as well as about current projects. | 080 % | The process consumes information about the resource situation, the documented knowledge as well as of other organisational sources. |
| Outputs | Provided are adapted training routines as well as fulfilled requirements out of projects and operation. | 100 % | The process provides HR plans, skills development plans and other aspects of skills management. |
| Objectives | The objective of the process is to develop and monitor the skills of the IT staff. | 100 % | The purpose is: "Optimise human resources capabilities to meet enterprise objectives." |
| Activities | Activities cover the analysis and development of IT skills within a company. | 080 % | The process covers activities around HR and skills management. |
| Roles | A HR manager performs the process. | | |
| TOTAL | | 090 % | |

Table 76 Detailed Mapping: Process 02 <> APO07

9.3.1 Process 03 – Procurement

COBIT 5 Process: APO10 Manage Suppliers
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 03 | Percentage | COBIT 5 Process -> APO10 |
|---|---|---|---|
| Inputs | The process consumes quotes of suppliers as well as internal needs, strategic baselines and financial inputs. | 100 % | The process consumes acquisition plans and supplier contracts. |
| Outputs | The process provides purchase information, data about contracts and payments. | 080 % | The process provides various supplier and procurement information. |
| Objectives | The process is focused on target-aimed supply with external goods and services for the entire company. | 080 % | The purpose is: "Minimise the risk associated with non-performing suppliers and ensure competitive pricing." |
| Activities | The process covers activities around procurement, management of purchases and others. | 100 % | The process covers typical supplier management tasks and responsibilities. |
| Roles | Procurement managers and other management roles perform the process. | | |
| TOTAL | | 090 % | |

Table 77 Detailed Mapping: Process 03 <> APO10

COBIT 5 Process: BAI09 Manage Assets
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 03 | Percentage | COBIT 5 Process -> BAI09 |
|---|---|---|---|
| Inputs | The process consumes quotes of suppliers as well as internal needs, strategic baselines and financial inputs. | 060 % | The process consumes asset inventories and configuration repositories. |
| Outputs | The process provides purchase information, data about contracts and payments. | 080 % | The process provides asset registers and updated inventories. |
| Objectives | The process is focused on target-aimed supply with external goods and services for the entire company. | 080 % | The purpose is: "Account for all IT assets and optimise the value provided by these assets." |
| Activities | The process covers activities around procurement, management of purchases and others. | 080 % | The process covers typical asset management tasks and responsibilities. |
| Roles | Procurement managers and other management roles perform the process. | | |
| TOTAL | | 080 % | |

Table 78 Detailed Mapping: Process 03 <> BAI09

9.3.2 Process 09 – Support Financial Management

COBIT 5 Process: APO06 Manage Budget and Costs
Overall Mapping Accuracy: Status Green

| Aspect | Generic ISO 9001:2015 Process -> Process 09 | Percentage | COBIT 5 Process -> APO06 |
|---|---|---|---|
| Inputs | The process consumes financial information from different processes as well as strategic baselines. | 060 % | The process needs information about service and investment portfolios. |
| Outputs | The process provides information about financial indicators. | 100 % | The process provides budget and cost plans as well as information for financial management. |
| Objectives | The objective of the process is to manage financial resources and to support the management with respective data. | 100 % | The objective is to ensure transparent and efficient financial management of IT elements. |
| Activities | The process covers financial planning and budgeting as well as other financial activities. | 080 % | The activities within the process cover cost management, budgeting and accounting. |
| Roles | Involved roles are the CFO, account manager and other similar roles. | | |
| TOTAL | | 080 % | |

Table 79 Detailed Mapping: Process 09 <> APO06

9.4 Appendix D – Glaux Soft's Process Map in Detail

Within this external and published version of the study, this appendix is removed due to the confidentiality of its content.

9.5 Appendix E – Generic Process and Glaux Soft's Detailed Process Mapping

Within this external and published version of the study, this appendix is removed due to the confidentiality of its content.

9.6 Appendix F – Process Improvement Prototype (PIP)

The Process Improvement Prototype (PIP) is arranged within a separate Microsoft Excel document with the name "Appendix F - Process Improvement Prototype.xlsx". This document is available as an independent part of this study and contains the following three worksheets, which all represent a tool of the PIP.

9.6.1 Tool No. 1 – Process Model Mapping

This tool guides the users of the PIP when mapping their own, specific ISO 9001:2015 process model with the generic ISO 9001:2015 process map for IT SMEs.

9.6.2 Tool No. 2 – Process Definition & Scoping

The second tool of the PIP supports its users when selecting the processes to be assessed as well as when defining targeted capability levels for the respective processes.

9.6.3 Tool No. 3 – Process Maturity Measurement

The third PIP-tool is the maturity measurement tool itself that supports the users of the PIP when running a process maturity measurement iteration.
Acknowledgement

Special thanks to the following individuals and institutions, without whose help this present master thesis would not have been realized:

Prof. Dr. Petra M. Asprion: Supervisor & Support
Andreas Martin: Module Coordination
Glaux Soft AG: Mandate
Andreas Ressnig: Company Representative
Douglas Andrews: Editing & Spell Check
Manuela Blaser: Comprehension Check