This topic explains how to select the requirements from authoritative documents applicable to the compliance project. These documents must be previously registered in the Knowledge module, and include frameworks, applicable laws, industry practice codes, organizational standards, or other documents containing legal requirements or good corporate practices.
The requirements will be selected based on the selection of the authoritative documents, which are statements found in the documents representing the indication of the result or the purpose aimed at for compliance purposes and whose compliance will be verified during the project.
1. Access the Compliance module.
2. In the Projects section, click the List Projects option.
3. In the List of Projects section, click Edit next to the project in which you want to select requirements for the scope.
4. In the Inventory tab for the project, click Requirements.
Note: If there is not at least one authoritative document published in the Knowledge module, the system will display an alert. In this case, go to the Knowledge module to create or import the authoritative documents to be used in the project and publish them.
5. Click Add Requirements (see figure below).
6. Select one or more authoritative documents applicable to the project and click Proceed (see figure below).
The system displays the authoritative documents selected in a tree structure.
7.
Select the requirements to be investigated in the project by clicking
Expand (
) and marking the checkboxes next to
each, then click Finish (see figure below).
The system displays a success message.
Note: A project that started with COBIT 5.0 must be completed with the same version. This is, in fact, a very common occurrence: an organization is in the middle of a COBIT 5.0 analysis when COBIT 5.1 is released. The project must be completed normally using COBIT 5.0, and later other audits using this version of the authoritative document can be performed until you feel comfortable migrating to COBIT 5.1.
On exception, the authoritative document can be updated by editing it, but this happens less frequently. Here we have two possible situations:
•Changing the requirements: the requirements are neither included nor removed, but their texts are changed. This does not affect the project. Of the two options, this is the more common.
•Inclusion or removal of requirements: the initial set of requirements is changed and the interviews must be reevaluated. Of the two options, this is the less common. Now there is a choice between closing the analysis using the original authoritative document and doing nothing further (this is believed to be the most common option) or cancelling the project, updating the document, reevaluating the interview, and creating a new project for the new version.