Alan Calder on IT Governance, information security & ISO 27001

While Forrester’s recent report says that Green IT initiatives persist, in spite of budget cut backs and other challenges facing IT teams today, the reality is more likely to be that savvy IT leaders recognise that Green IT initiatives can make a substantial contribution to reducing the direct cost of running the IT infrastructure.

Gary Hird, for instance, has led the John Lewis Partnership’s Green IT strategy for some time and he talks about JLP went about this in Green IT in Practice, now in its second edition.  It’s a fascinating and practical description of how one large retail organisation set about driving down its IT costs, reducing its carbon footprint and meeting customer requirements.

Other writers have also addressed these issues: George Spafford focused on the Governance of Green IT, which has a particular focus on managing energy consumption. The recent emergence of EN16001 should give a boost to those looking for a structured approach to energy management.

There is lots of information, advice - and case studies - available for organisations that want to tackle Green IT.

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

It is interesting to note that the “spin-free” new administration of Gordon Brown may be making moves to sweep the NHS IT reform programme under the carpet. The recent resignation of the forthright Richard Granger at Connecting for Health has removed a lightning rod for the project and it is now reported that two of its most vocal government supporters have been moved to other roles.
Here is the striking thing: OGC (Office of Government Commerce) is the developer and owner of two world-recognised best practice frameworks: Prince2, for managing IT programmes and IT projects, and ITIL, for IT Service Management. Prince2 was developed to help government IT projects come in on time, to budget and on specification. ITIL focuses on the need to understand customer (i.e. user requirements) and to develop and deliver services that align with business needs. Both are part of a normal IT governance framework, and both have quite signally failed in the NHS Connecting for Health programme.

We’ve seen Grainger go, and others moved on, but we haven’t seen any overt attempt to rectify the governance failures that led to the current parlous situation in which a national project is behind timetable, over budget and not meeting specification. A delivery-focused government would start off by overhauling the governance framework put in place for this framework, not just on changing faces – maybe Brown and his ministers need a lesson – from one of their own departments – on how these things should be done.

IT Governance, as Jason Cole points out, is more than project management, more than regulatory compliance, more than CobiT or ITIL or ISO 27001.

It’s also somewhat more than his article suggests. There are three books that tackle this subject, a Weill and Ross book (How Top Performers Manage IT for Superior Results) from Harvard Business Press, a compact and concise guide for Directors (IT Governance: Guidelines for Directors) and IT Governance Today: a Practitioner’s Handbook.

Even more usefully, there is a new framework that pulls together all components of IT governance (the Calder-Moir IT Governance Framework) and the related IT Governance Framework - Toolkit that is designed to help organizations of all sizes make a start with tackling IT governance at their own pace and in their own way - and at a cost somewhat less than is likely to be extracted by a substantial consultancy provider.

With all these resources so easily available, there’s no need for anyone to wonder what IT governance actually is, or to work out how to get started with realising the real business benefits of implementing an IT governance framework.

A recent statement by Aidan Lawes, CEO of the itSMF, had him expresssing a belief that ITIL should be about integration - rather than alignment - with the business, and that there are now only business processes. That’s completely right - and there is a key point there for all IT governance practitioners - even for CobiT!

CSO Online from reports from Australia that ITIL is fast gaining popularity around the world, spurred on by regulatory factors such as SOX - read their article here. We’ve also seen a steep increase in demand for ITIL information so we’ve put together what we believe is the most comprehensive specialised ITIL and IT Service Management shop on the web, offering books, toolkits and exam-based distance learning products. Have a look here and let us know if there’s anything you can’t find.

ISO 27001 is of course an ideal solution to businesses that need to ensure they comply with Sarbanes Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 - similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.