Mapping IT Governance to Software Development Process: From COBIT 5 to GI-Tropos
Vu H. A. Nguyen (1), Manuel Kolp (1), Yves Wautelet (2) and Samedi Heng (1)
(1) LouRIM-CEMIS, Université Catholique de Louvain, Belgium
(2) KULeuven, Faculty of Economics and Business, Belgium
Keywords: IT Governance, Software Process, COBIT 5, GI-Tropos.
Abstract: Mapping IT Governance principles from frameworks like COBIT 5 to Requirements-Driven Software Processes such as (GI-)Tropos or even RUP-based ones allows IT managers to propose governance and management rules for software development to cope with stakeholders’ requirements. On the one hand, IT Governance in software engineering has to ensure that software organization business processes meet strategic requirements of the organization. On the other hand, requirements-driven software methods are development processes using high-level social-oriented models to drive the software life cycle both in terms of project management and deductive iterative engineering techniques. Typically, such methods are well-suited for the inclusion and adaptation of governance principles immediately into the software development life cycle. To consolidate both perspectives, this paper proposes a generic framework allowing mapping IT governance principles to the GI-Tropos software processes.
1 INTRODUCTION
Software engineering (Sommerville, 2010) is devoted to support human activities and cope with socio-intentional problems through business modeling and requirements engineering techniques at the strategic level (Wautelet and Kolp, 2016). Information technology (IT) governance is defined as a framework that ensures the effective and efficient use of IT support and enables the achievement of its corporate strategies and objectives. IT governance reflects the alignment of IT strategy with the organization strategy to offer value-added for business based on corporate governance objectives (Weill, 2004). The goal of IT governance is to ensure that “the results of a software organization’s business processes meet the strategic requirements of the organization” (Chulani et al., 2008). In software engineering, the software development process (or life cycle) is a structure of the development of a software product. It is a set of distinct phases to produce the software. Most IT governance studies have focused on more wide-ranging fields than software engineering. Therefore, little specific research has been completed on software development life cycle governance, including mappings from IT governance rules to software processes.

IT governance deals with the decision rights and accountability framework for encouraging desirable behaviors in the use of IT (Weill, 2004). It reflects broader corporate governance principles while focusing on the management of information systems to achieve enterprise-level performance and KPIs. Since IT outcomes are often hard to quantify, organizations must assign responsibility for desired outcomes and assess how well they achieve them in terms of quality management. IT governance should not be considered in isolation since it is linked to other key enterprise assets, for instance financial, human, intellectual property, physical and relationships. Consequently, IT governance can share mechanisms such as executive committees and budget processes with other asset governance processes, thereby coordinating enterprise-wide decision-making processes. A few standardized supporting references may be useful guides to IT governance. Some of them are ISO/IEC 38500:2008 Corporate governance of information technology (Calder, 2008) and COBIT (Control Objectives for Information and related Technology) (ISACA, 2012).

The ISO/IEC 38500:2008 international standard provides a framework for effective governance of information technology to assist (IT) managers at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ effective, efficient, and acceptable use of IT (Chaudhuri, 2011). It is organized into three prime sections, specifically, Scope, Framework and Guidance. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. By comprising definitions, principles and a model, the framework sets out six principles for good corporate governance of IT: Responsibility, Strategy, Acquisition, Performance, Conformance and Human Behavior.

Nguyen, V., Kolp, M., Wautelet, Y. and Heng, S.
Mapping IT Governance to Software Development Process: From COBIT 5 to GI-Tropos.
DOI: 10.5220/0006703706650672
In Proceedings of the 20th International Conference on Enterprise Information Systems (ICEIS 2018), pages 665-672
ISBN: 978-989-758-298-1
Copyright © 2019 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved

COBIT, a popular IT governance and control framework, is formalized by the IT Governance Institute (ITGI). As a whole, COBIT offers a reference model of 37 IT processes found in an organization. Each process consists of process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. Furthermore, COBIT provides a set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers (Haes and Grembergen, 2015).

Following COBIT 5 (ISACA, 2012) principles depicted in Figure 1, a distinction can be introduced between governance and management with each enterprise projected to apply several processes of both types. The difference lies within the objectives of the business activities. Governance processes cope with the stakeholders’ governance objectives (value delivery, risk optimization and resource optimization) and include practices and activities for evaluating strategic options, providing direction to IT and monitoring the outcome (Evaluate, Direct and Monitor (EDM), corresponding to the ISO/IEC 38500 standard concepts). This domain contains five governance processes and EDM practices are defined within each process. Management processes, in agreement with their definitions of management, practices and activities, cover the responsibility of planning, building, running or monitoring enterprise IT to provide end-to-end coverage of corporate information systems. Even though the outcome of governance and management processes is different and proposed to a different audience, all processes require planning, building or implementation, execution and monitoring activities within the process and in the context of the process itself (ISACA, 2012).

COBIT 5 provides a process reference model which defines and describes a number of governance and management processes in detail. It represents all the processes usually found in an enterprise relating to IT activities, offering a common reference model consistent with operational IT and business managers. The proposed process model is not the only possibility but it forms a complete and comprehensive model. Every enterprise must define and/or customize its own set of processes, taking into account the specific situation. One of the most important and critical steps towards efficient governance is the incorporation of an operational model and a common language for all parts of the enterprise involved in IT processes. It also provides a framework for measuring, monitoring and auditing IT performance, communicating with service providers, and integrating best business practices.

Figure 1: COBIT 5 Principles (1. Meeting Stakeholder Needs; 2. Covering the Enterprise End to End; 3. Applying a Single Integrated Framework; 4. Enabling a Holistic Approach; 5. Separating Governance From Management).

This paper proposes a generic framework allowing mapping IT governance rules and constraints to software processes. The framework uses strategic modeling techniques to represent the organizational setting as well as governance and management structures. Then, we will discuss the adoption of this framework within particular processes in order to map IT governance principles to requirements-driven software specification, in which COBIT 5 should be tackled.

This paper is organized as follows. Section 2 overviews our proposed development template called Governance I-Tropos (GI-Tropos) for requirements-driven software process and IT governance alignment. Section 3 proposes the generic mapping framework while Section 4 illustrates the mapping from IT governance best practices to the requirements-driven software development process. Section 5 introduces a case study for validation. Finally, Section 6 concludes the paper and points out further work.
2 GI-Tropos
Iterative Tropos (I-Tropos) (Wautelet et al., 2011) is an extension of Tropos (Castro et al., 2002), a requirements-driven development methodology using the i* modeling framework (Yu et al., 2011) that supports iterative (Kruchten, 2003) and agent development (Mylopoulos et al., 2002). It is a development process using coarse-grained (i.e., high-level) and social-oriented requirement models to drive the software development both in terms of project management (PMI, 2013) and deductive forward engineering (transformational) techniques. Traditional Tropos phases are considered as groups of iterations that are workflows with a minor milestone with the purpose of being compliant with the most generic terminology. Tropos consists of five phases: Early Requirements, Late Requirements, Architectural Design, Detailed Design and Implementation. These phases do not follow the traditional sequence of requirements analysis, design, coding, integration, and test. In I-Tropos, the Organizational Modeling and Requirements Engineering disciplines respectively correspond to Tropos’ Early and Late Requirements phases. The Architectural and Detailed Design disciplines correspond to the same stages of the traditional Tropos process. I-Tropos not only includes core disciplines (i.e., Organizational Modeling, Requirements Engineering, Architectural Design, Detailed Design, Implementation, Test and Deployment) but also supports disciplines to handle Risk Management, Time Management, Quality Management and Software Process Management (Wautelet, 2008).

Software development is thus envisaged on the basis of the IT services it provides; it can thus be adapted adequately in the perspective of IT governance. The research method we have followed uses a bottom-up approach: I-Tropos was considered as a given and validated framework and has been enhanced with an (IT services) governance level. Following (Wautelet and Kolp, 2016), IT Services are coarse-grained structures aligned with the core values of the organization, i.e., what (added) value it provides to the external world.

GI-Tropos, an extension of I-Tropos, has been proposed in (Nguyen et al., 2017) for aligning requirements-driven software processes with IT governance. This extension aims to enable governing and managing requirements-driven software processes to cope with stakeholders’ requirements and expectations in the context of business aspects. Figure 2 represents the GI-Tropos process in a classical iterative perspective based on a series of disciplines illustrated in the vertical dimension and a series of phases illustrated in the horizontal dimension. Disciplines of GI-Tropos are grouped in and transversal to each phase. They can be deployed in several iterations by phase depending on each software project’s characteristics. Consequently, the disciplines of GI-Tropos can be repeated iteratively and the effort/workload spent on each discipline varies from one iteration to another.

From a systems development perspective, GI-Tropos has four phases (Setting, Blueprinting, Building, Setuping) that redefine and improve those of I-Tropos, plus a new one, Operation, to operate the system in the perspective of IT enterprise governance and management. It also adds core processes of governance (Evaluate, Direct, and Monitor) and management (Plan, Deploy, Deliver, and Assess).

In terms of disciplines, GI-Tropos includes all I-Tropos ones plus four new ones: Software Processes Governance, Change & Risk Management, Quality Management, Knowledge Management. These new disciplines ensure that software processes are evaluated, directed and monitored to meet stakeholders’ requirements and achieve value added by aligning requirements-driven software processes with IT governance rules and constraints. They also enable identifying, analyzing and assessing changes and risks as well as developing strategies to manage them. Moreover, these disciplines ensure that quality expected and contracted with stakeholders is achieved throughout the system. Finally, they enable acquiring, storing and utilizing knowledge for such things as problem solving, dynamic and deep learning, strategic planning, decision making and business processes.

GI-Tropos also proposed a Strategic Rationale model for software processes governance as depicted in Figure 3. It has three main actors depending on each other (Operator, IT Service Management Board, IT Governance Board), resources (Organizational structures, IT infrastructure), goals (Implementing IT management structure, Continuous operating IT services), qualities (Organization strategies, IT services quality), and tasks (Business processes modeling, IT development & operations).

The IT Governance Board decides on the services and the environmental factors (risks, quality factors). The scope of the governance decisions relevant for GI-Tropos is thus only IT services. The IT Service Management Board allows aligning requirements-driven software processes with IT governance. The IT Service Management Board is thus a management board, not a governance one.

In the Strategic Rationale model, the IT Governance Board performs three tasks (Evaluate, Direct, and Monitor) corresponding to the three governance core processes (Evaluate, Direct, and Monitor) respectively. The IT Service Management Board performs four tasks (Plan, Deploy, Deliver and Assess) corresponding to the four management core processes (Plan, Deploy, Deliver and Assess) respectively. The Plan task depends on the Direct task based on the Policies resource and the Monitor task depends on the Assess task based on the Performance quality.
Figure 2: GI-Tropos iterative process framework. Phases (horizontal): Setting, Blueprinting, Building, Setuping, Operation. Disciplines (vertical): Organizational modeling, Requirements Engineering, Architectural Design, Detailed Design, Implementation, Test, Deployment, Software Project Management, Software Processes Governance, Change & Risk Management, Quality Management, Knowledge Management. Other labels in the figure: Specify Requirements, Produce Architecture, Release Framework, IT Service go-live, I-Tropos.
Figure 3: GI-Tropos Strategic Rationale model. Actors: Operator, IT Service Management Board, IT Governance Board. Other elements shown: IT Infrastructure, IT services quality, Organizational structures, Organization strategies, Implements IT management structure, Business processes modelling, IT development & operations, Continuous operate IT services, Deploy, Plan, Assess, Deliver, Evaluate, Direct, Monitor, Performance, Policies. Legend: Actor, Resource, Quality, Task, Goal, Dependency link, prior-to.
3 GENERIC MAPPING
We describe below the proposed generic framework allowing mapping IT governance rules and constraints to software processes. As pointed out, this framework includes governance processes (Evaluate, Direct, Monitor) and management processes (Plan, Deploy, Deliver, Assess). Figure 4 illustrates IT Governance to GI-Tropos transformation. These processes are summarized as follows:

The Evaluate process ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved. It allows examining and judging current and future use of IT, including strategy proposals, supplying arrangements, considering internal and external pressures, evaluating continuously, considering current and future business needs and objectives: competitive advantage and specific strategies.

The Direct process enables setting direction through prioritization and decision making. It assigns responsibility, directs preparation and implementation of IT plans and policies, sets directions for IT investments, establishes sound behavior in IT use through policies, properly plans transition of project to operational status, encourages culture of good IT governance, directs submission of proposals identifying needs.

The Monitor process enables monitoring performance and compliance against agreed-on direction and objectives. It allows monitoring and measuring IT performance, assures that performance is in accordance with plans and business objectives, ensures that IT conforms with external obligations (regulatory, legislation, common law, and contractual), ensures that IT conforms with internal work practices.

The Plan process plans activities in alignment with the direction set by the governance body to achieve the enterprise’s objectives. It covers the use of information and technology and how best it can be used in an organization to help achieve the organization’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.

The Deploy process deploys activities in alignment with the direction set by the governance body to achieve the enterprise’s objectives. It identifies IT requirements, acquires the technology, and implements it within the enterprise’s current business processes.

The Deliver process delivers activities in alignment with the direction set by the governance body to achieve the enterprise’s objectives. It focuses on the delivery aspects of the information technology. It covers areas such as the execution of the software system within the IT system and its results, in addition to the support processes that enable the effective and efficient execution of these IT systems.

The Assess process assesses activities in alignment with the direction set by the governance body to achieve the enterprise’s objectives. It deals with the enterprise’s strategy in assessing its needs and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. It also covers the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the enterprise’s control processes by internal and external auditors.

Figure 4: IT Governance to GI-Tropos transformation. The figure shows the GI-Tropos framework phases (Setting, Blueprinting, Building, Setuping, Operation) and the mapping processes: GI-Tropos governance processes (Evaluate, Direct, Monitor) and GI-Tropos management processes (Plan, Deploy, Deliver, Assess), with the labels Performance, Policies and Proposals.
4 FROM COBIT 5 TO GI-Tropos
This section illustrates the global mapping of COBIT 5 governance processes to the GI-Tropos software life-cycle. It is based on the mapping of the inputs and outputs of COBIT 5 governance processes to the software processes artifacts that need to be governed.

COBIT 5 contains five governance processes in which Evaluate, Direct and Monitor (EDM) practices are defined within each process. They are summarized in Table 1 below:
Table 1: COBIT 5 governance processes.
EDM01.03  Monitor the governance system
EDM05.03  Monitor stakeholder communication
Table 2: Mapping COBIT 5 governance processes to GI-Tropos.
                  COBIT 5 governance processes
GI-Tropos phase   EDM01      EDM02      EDM03      EDM04      EDM05
Setting           EDM01.01   EDM02.01   EDM03.01   EDM04.01   EDM05.01
Blueprinting      EDM01.02   EDM02.02   EDM03.02   EDM04.02   EDM05.02
Building          EDM01.03   EDM02.03   EDM03.03   EDM04.03   EDM05.03
Setuping          n/a        n/a        n/a        n/a        n/a
Operation         n/a        n/a        n/a        n/a        n/a
The mapping is summarized in Table 2. The following tables target each phase one by one: Table 3 illustrates the specific mapping from COBIT 5 to the GI-Tropos Setting phase respectively in terms of inputs and outputs, Table 4 illustrates the mapping to the GI-Tropos Blueprinting phase, and Table 5 illustrates the mapping of COBIT 5 to the GI-Tropos Building phase.
Table 3: Mapping COBIT 5 governance processes to GI-Tropos Setting phase.

Input
  COBIT 5 governance processes:
    EDM01.01: Communications of changed compliance requirements; Business environment trends; Regulations; Governance/decision making model; Constitution/bylaws/statutes of organisation
    EDM02.01: Strategic road map; Investment return expectations; Selected programmes with return on investment (ROI) milestones; Benefit results and related communication; Stage-gate review results
    EDM03.01: Emerging risk issues and factors; Enterprise risk management principles
    EDM04.01: Gaps and changes required to realise target capability; Skill development plans; Decision results of supplier evaluations
    EDM05.01: Actions to improve value delivery; Risk management issues for the board; Feedback on allocation and effectiveness of resources and capabilities
  GI-Tropos Setting phase:
    The source of problem statement (real business case vs. developer’s wish)
    Use case and requirements
    Project roadmap, timeline and resource constraints
    Effort level and risks
    Refined scope

Output
  COBIT 5 governance processes:
    EDM01.01: Enterprise governance guiding principles; Decision-making model; Authority levels
    EDM02.01: Evaluation of strategic alignment; Evaluation of investment and services portfolios
    EDM03.01: Risk appetite guidance; Approved risk tolerance levels; Evaluation of risk management activities
    EDM04.01: Guiding principles for allocation of resources and capabilities; Guiding principles for enterprise architecture; Approved resources plan
    EDM05.01: Evaluation of enterprise reporting requirements; Reporting and communication principles
  GI-Tropos Setting phase:
    Process exists to ensure right stakeholders are engaged, agreed upon project roadmap is defined, and resource pool, delivery timeline and risks are identified
    Requirement document reviewed and signed off from all major stakeholders (business, development and testing teams)
Table 4: Mapping COBIT 5 governance processes to GI-Tropos Blueprinting phase.

Input
  COBIT 5 governance processes:
    EDM03.02: Aggregated risk profile, including status of risk management actions; Enterprise risk management (ERM) profiles and mitigation plans
    EDM05.02: Risk analysis and risk profile reports for stakeholders
  GI-Tropos Blueprinting phase:
    Alignment with corporate IT
    Non functional requirements like performance, security
    Design guidelines

Output
  COBIT 5 governance processes:
    EDM01.02: Enterprise governance communications; Reward system approach
    EDM02.02: Investment types and criteria; Requirements for stage-gate reviews
    EDM03.02: Risk management policies; Key objectives to be monitored for risk management; Approved process for measuring risk management
    EDM04.02: Communication of resourcing strategies; Assigned responsibilities for resource management; Principles for safeguarding resources
    EDM05.02: Rules for validating and approving mandatory reports; Escalation guidelines
  GI-Tropos Blueprinting phase:
    Architecture Review
    Design review
Table 5: Mapping COBIT 5 governance processes to GI-Tropos Building phase.

Input
  COBIT 5 governance processes:
    EDM01.03: Performance reports; Status and results of actions; Results of benchmarking and other evaluations; Results of internal control monitoring and reviews; Results of reviews of self-assessments; Assurance plans; Compliance confirmations; Reports of non-compliance issues and root causes; Compliance assurance reports; Obligations; Audit reports
    EDM02.03: Investment portfolio performance reports
    EDM03.03: Risk analysis results; Opportunities for acceptance of greater risk; Results of third-party risk assessments; Risk analysis and risk profile reports for stakeholders
    EDM05.03: Assurance review report; Assurance review results
  GI-Tropos Building phase:
    Code quality
    Feature implementation
    Test plan and strategy
    Test results and coverage
    Score card on non-functional requirements

Output
  COBIT 5 governance processes:
    EDM01.03: Feedback on governance effectiveness and performance
    EDM02.03: Feedback on portfolio and programme performance; Actions to improve value delivery
    EDM03.03: Remedial actions to address risk management deviations; Risk management issues for the board
    EDM04.03: Feedback on allocation and effectiveness of resources and capabilities; Remedial actions to address resource management deviations
    EDM05.03: Assessment of reporting effectiveness
  GI-Tropos Building phase:
    Code review
    Code coverage
    Feature demo
    Review of test plan, strategy, coverage, and results
    Review of non-functional requirements score card or compliance report
During Setting, governance decisions on services are evaluated. This phase determines ‘WHAT’ IT services need to be taken into account and also ‘WHY’ they need to be considered in order to determine environmental factors faced by IT services, i.e. threats and quality factors. The mapping ensures controlling the operational environment, specifying the stakeholders’ requirements and expectations, gathering and formalizing system requirements, defining the project scope, assessing critical risks, and establishing an initial baseline for the software system architecture. It also measures, estimates and minimizes development risks and plans for compliance.

In the Blueprinting phase, governance decisions on IT services are directed. The blueprinting phase prototypes and further evaluates the decisions taken on IT service through a practical mock-up. The goal of this is to get field feedback to better understand elements that could not be fully understood previously. Governance decisions on IT services could here still be changed or adapted at coarse-grained level. The mapping includes describing an information architecture, forming a framework for technology planning, defining organization and processes, describing development investment, managing human resources, developing a quality management system, and developing a project management framework.

During Building, governance decisions on services are monitored. The building phase fully implements decisions taken on IT services. Governance decisions on IT services could here be changed or adapted on a fine-grained level only. Contrary to I-Tropos, the deployment of IT Services is continuous within the Building phase. The mapping ensures the implementation of software system counterparts that fully cover the stakeholders’ requirements and expectations. It consists of managing business goals and requirements continuously, designing and developing resource, validating and measuring quality, measuring development and ongoing costs, estimating value, measuring and reviewing risk with different stakeholders based on initial prototyping result. It also manages projects based on alignment between goals and software engineering concerns.

In the Setuping phase, governance decisions on services are deployed and delivered. The mapping ensures the delivery of software system counterparts that fully implement the stakeholders’ requirements and expectations.

During the Operation phase, governance decisions on services are assessed. The mapping ensures monitoring and managing effort and other metrics to enable control and future planning, managing applications and information to maximize usage and flexibility, prioritizing risks, tracking actual values of effort, encountering compliance needs. It also manages projects based on alignment between goals and software engineering concerns.
5 CASE STUDY
The validation of this framework should to be under-
taken deeply based on case studies to support the ap-
plication of this method. Currently, ARUM (Adap-
tive Production Management) (ARUM, 2013) is being
studied in the framework of an European Union fun-
ded project. The aim is to improve planning and cont-
rol systems for complex, small-lot products manufac-
turing, such as aircraft, and ships.
Figure 5 describes the work plan of the ARUM project. First, the
ARUM work plan starts with capturing and analyzing the end-users'
requirements (WP1) and the definition of use cases (WP2) for the
ARUM project. Then, the specification and adaptation/development
of technical bricks (WP3, WP4, WP5, WP6) required for the ARUM
solution and the overall architecture will be developed. Finally,
the end-users will be heavily involved again in technical trials,
assessment and benchmarking activities to validate the ARUM
solution against today's automation control and optimization
solutions (WP7, WP8). The finishing stage is the demonstration,
dissemination and exploitation of ARUM results (WP9, WP10).
Figure 5: ARUM work plan (ARUM, 2013).
The ARUM project is evaluated, directed and monitored by mapping
COBIT 5 governance processes to the system development life
cycle. It enabled achieving the project's objectives. Table 6
presents the mapping of COBIT 5 governance processes and
GI-Tropos phases to the ARUM work plan. Mapping COBIT 5
governance processes to the ARUM work plan (system development
processes) aims to ensure that the project will be governed
efficiently. First, the mapping starts with processes
considering stakeholder needs, conditions and options. Then, it
performs processes to set IT plans and policies, and direct IT
investments to establish IT behavior. Finally, it ends with
processes that measure IT performance and ensure compliance.
Table 6: Mapping COBIT 5 governance processes and GI-Tropos phases to ARUM work plan.
| COBIT 5 governance processes | GI-Tropos phase | ARUM work plan | Objectives |
|---|---|---|---|
| EDM01.01, EDM02.01, EDM03.01, EDM04.01, EDM05.01 | Setting | WP1, WP2, WP3 | Examining and judging current and future use of IT include strategy proposals, supply arrangements; Considering internal and external pressures (technological changes, economic trends, social trends, and political influences); Evaluating continuously; considering current and future business needs and objectives: competitive advantage and specific strategies. |
| EDM01.02, EDM02.02, EDM03.02, EDM04.02, EDM05.02 | Blueprinting | WP4, WP5 | Assigning responsibility and directing preparation and implementation of IT plans and policies; Setting directions for IT investments. Establishing sound behaviour in IT use through policies; Planning transition of project to operational status properly; Encouraging culture of good IT governance; Directing submission of proposals identifying needs. |
| EDM01.03, EDM02.03, EDM04.03, EDM03.03, EDM05.03 | Building | WP6, WP7 | Monitoring and measuring IT performance; Assuring that performance is in accordance with plans and business objectives; Ensuring that IT conforms with external obligations (regulatory, legislation, common law, and contractual); Ensuring that IT conforms with internal work practices. |
| n/a | Setuping | WP8 | n/a |
| n/a | Operation | WP9 | n/a |
6 CONCLUSION
In software development and IT project methods, governance can
be viewed as evaluating, directing and monitoring software
processes all along the life cycle. Mapping IT governance best
practices like COBIT 5 to requirements-driven software processes
such as GI-Tropos enables coping with stakeholders' requirements
and expectations. The contributions of this paper consist of
specifications that emphasize integrating and mapping IT
governance rules and constraints to requirements-driven software
processes, based on the software process artifacts that need
governance. The paper proposes a new identification of critical
moments in the software development life cycle for IT
governance, since the main objective of this mapping was to
deliver efficient governance for software development that meets
stakeholders' needs and expectations. On the one hand, the
strengths of GI-Tropos are that it systematically offers
structure and direction throughout software process governance
and enables tailoring the process to the project needs. On the
other hand, GI-Tropos also points out how to establish
governance rules for the software processes, using the
principles of IT governance that apply to them.
COBIT 5 can be implemented in software development processes by
a proper mapping. This mapping is performed based on the
software process artifacts that need to be governed and on the
inputs and outputs of the COBIT 5 governance processes. Our
proposed mapping indicates how to carry out governance processes
for a collaborative software development life cycle.
Further work points to additional practices that need to be
integrated in this mapping to propose a complete mapping
framework taking into consideration, for instance, IT
management, project management and agile practices (Ambler and
Lines, 2012; Kruchten, 2013; Luna et al., 2015) for managing the
day-to-day activities and reacting to changing requirements and
feedback. In addition, a CASE tool should be developed to help
design and implement all the processes defined in this paper.
REFERENCES
Ambler, S. W. and Lines, M. (2012). Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press, 1st edition.
ARUM (2013). Adaptive Production Management project: http://arum-project.eu/.
Calder, A. (2008). ISO/IEC 38500: The IT Governance Standard. IT Governance Publishing.
Castro, J., Kolp, M., and Mylopoulos, J. (2002). Towards requirements-driven information systems engineering: the Tropos project. Inf. Syst., 27(6):365–389.
Chaudhuri, A. (2011). Enabling effective IT Governance: Leveraging ISO/IEC 38500:2008 and COBIT to achieve Business-IT alignment. EDPACS, 44(2):1–18.
Chulani, S., Williams, C., and Yaeli, A. (2008). Software development governance and its concerns. In Proceedings of the 1st International Workshop on Software Development Governance, SDG '08, pages 3–6, New York, NY, USA. ACM.
Haes, S. D. and Grembergen, W. V. (2015). Enterprise Governance of Information Technology: Achieving Alignment and Value, Featuring COBIT 5. Springer Publishing Company, Incorporated, 2nd edition.
ISACA (2012). COBIT 5. ISA.
Kruchten, P. (2003). The Rational Unified Process: An Introduction. Addison-Wesley, 3rd edition.
Kruchten, P. (2013). Contextualizing agile software development. Journal of Software: Evolution and Process, 25(4):351–361.
Luna, A. J. H. d. O., Kruchten, P., and Moura, H. P. d. (2015). Agile governance theory: conceptual development. CoRR, abs/1505.06701.
Mylopoulos, J., Kolp, M., and Giorgini, P. (2002). Agent-oriented software development. In Hellenic Conference on Artificial Intelligence, pages 3–17. Springer Berlin Heidelberg.
Nguyen, V. H. A., Kolp, M., Wautelet, Y., and Heng, S. (2017). Aligning Requirements-driven Software Processes with IT Governance. In ICSOFT 2017 - Proceedings of the 12th International Conference on Software and Data Technologies, Madrid, Spain, 24-26 July, 2017, pages 338–345.
PMI (2013). A Guide To The Project Management Body Of Knowledge. Project Management Institute.
Sommerville, I. (2010). Software Engineering. Addison-Wesley Publishing Company, USA, 9th edition.
Wautelet, Y. (2008). A goal-driven project management framework for multiagent software development: The case of I-Tropos. PhD thesis, Université catholique de Louvain.
Wautelet, Y. and Kolp, M. (2016). Business and model-driven development of BDI multi-agent systems. Neurocomputing, 182:304–321.
Wautelet, Y., Kolp, M., and Poelmans, S. (2011). Requirements-driven iterative project planning. In Software and Data Technologies - 6th International Conference, ICSOFT 2011, Seville, Spain, July 18-21, 2011. Revised Selected Papers, pages 121–135.
Weill, P., R. J. (2004). IT governance: How Top Performers Manage IT Decision Rights for Superior Results, Watertown, MA: Harvard Business School Press.
Yu, E., Giorgini, P., Maiden, N., and Mylopoulos, J. (2011). Social Modeling for Requirements Engineering. The MIT Press.
ICEIS 2018 - 20th International Conference on Enterprise Information Systems