D
I’m nervous about whether Appendix C is complete, for a multinational NYSE listed company with about USD600M turnover in the medical area. I can see a lot more that could be in scope (devil in the detail).
We have applied Cobit in a company 50 times larger than yours; you shouldn’t worry about that.
I’m also interested whether any of the illustrative controls have been shown to be weak or out of scope.
The illustrative controls are… well… just illustrative. This may be the reason you are getting frustrated with the lack of a firm answer to your questions.
What is important is the control objectives, as these represent the risks that you are expected to control; the ITGI paper narrows down the list of Cobit objectives to the ones that you need to meet for Sox. The illustrative controls represent, typically, how you might control those risks, and many companies have sought to include these in their organisational IT standards. However, you could implement none of these and still be controlled, or all of them and not be. What is required is, on a system by system basis, to determine what controls are appropriate for that system in your organisation. The illustrative controls can help you in this, but it ultimately requires judgement.
I know that life would be much easier if you could just follow a checklist, but sorry, life ain’t like that any more.