Posts Tagged ‘CobiT’

King III

Monday, May 31st, 2010

THE KING CODE OF GOVERNANCE PRINCIPLES (known as KING 3 or KING III) is still (in my opinion) the most advanced and useful of the world’s corporate governance codes. I’m a particular admirer of the fact that the King Committee included coverage of IT Governance in the Code, identified frameworks such as CobiT and the international standard ISO/IEC 38500 as providing useful starting points, and set out seven specific IT governance principles for company directors to follow.

I obviously agree with the King Committee that there is no ‘one size suits all’ approach to IT governance, and that every organisation has to develop its own approach to the subject, extracting those elements that will be useful to it from the existing frameworks and standards. That, after all, is one of the driving thoughts behind the Calder-Moir framework - that, and the belief that one should be able to intelligently draw simultaneously on more than one framework. I’ve been particularly encouraged by the number of South African companies that have turned to our IT Governance Framework Toolkit to help them implement IT governance in their organisations.

Getting started with IT Governance

Tuesday, October 17th, 2006

IT Governance, as Jason Cole points out, is more than project management, more than regulatory compliance, more than CobiT or ITIL or ISO 27001.

It’s also somewhat more than his article suggests. There are three books that tackle this subject: a Weill and Ross book (How Top Performers Manage IT for Superior Results) from Harvard Business Press, a compact and concise guide for Directors (IT Governance: Guidelines for Directors) and IT Governance Today: a Practitioner’s Handbook.

Even more usefully, there is a new framework that pulls together all components of IT governance (the Calder-Moir IT Governance Framework) and the related IT Governance Framework – Toolkit that is designed to help organizations of all sizes make a start with tackling IT governance at their own pace and in their own way – and at a cost somewhat less than is likely to be extracted by a substantial consultancy provider.

With all these resources so easily available, there’s no need for anyone to wonder what IT governance actually is, or to work out how to get started with realising the real business benefits of implementing an IT governance framework.

ITIL (v3) – ITIL Refresh – Integration not alignment

Wednesday, August 23rd, 2006

A recent statement by Aidan Lawes, CEO of the itSMF, had him expressing a belief that ITIL should be about integration – rather than alignment – with the business, and that there are now only business processes. That’s completely right – and there is a key point there for all IT governance practitioners – even for CobiT!

What is IT governance anyway?

Tuesday, January 24th, 2006

What is IT governance? What does it include or exclude? Who is responsible for it? These questions are frequently asked in the Blogosphere and elsewhere. Right now it’s the subject of some interesting discussion at Andrew Clifford’s IT Toolbox blog, which includes a good post by Andrew and some quality observations from others. However, the answers are less elusive than some debate suggests.

IT governance does have a formal definition: “IT governance is a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: Guidelines for Directors, p20.)

Because it deals with all aspects of governance of IT, it includes system governance. Andrew is absolutely correct in identifying that there are significant systems issues – and I would argue that these issues exist primarily because of an absence of IT governance, in the sense that the organizational governance framework has failed to consider what information and, therefore, what systems requirements the organization will have.

IT governance should be owned by the board. It’s not an IT management responsibility any more than financial governance is a financial functional responsibility. Governance is the board’s job. The board is quite capable of governing IT, if it would only put its mind to it. There are a number of respectable IT governance frameworks that reflect this fundamental principle, including CobiT, the Australian Standard AS 8015:2005 and the IT Governance framework identified in ‘IT Governance Today: a Practitioner’s Handbook’.

SOX webinar

Monday, January 16th, 2006

ISO 27001 is of course an ideal solution to businesses that need to ensure they comply with Sarbanes Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks
* Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 – similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.

Aligning Cobit, ITIL and ISO 17799

Tuesday, November 15th, 2005

The recently launched ‘Aligning Cobit, ITIL and ISO 17799 for Business Benefit’ is a welcome step toward making IT governance more usable for most organizations. There has long been confusion over which of these three frameworks is really an IT governance framework; for an equal length of time, the answer has been that each is a component of such a framework, as I proposed in IT Governance Today: a Practitioner’s Handbook earlier this year.

While I’m delighted at this progress, there is (as I’ve already argued) further still to go in integrating and simplifying IT governance frameworks, and I will be taking this further in the 2nd edition of the Practitioner’s Handbook when it is published early next year.

It’s been a long summer

Tuesday, September 20th, 2005

It’s been a long summer, and blogging has had to take a back seat to managing the fast growth of our business, IT Governance Ltd. Sales of books and tools through www.itgovernance.co.uk have continued to increase substantially month on month. We’ve expanded our product range, adding a TSO (The Stationery Office) distributorship as well as books from van Haren. As a result of these two agreements, we now have an outstanding collection of ITIL, BS15000 and related titles available through the website. We also now offer, amongst our project governance titles, the new Prince2 books and supporting tools. An inexpensive Pocket Guide to IT Governance, dealing with CobiT principles, is the first, we hope, of a number of CobiT titles.

Excitingly, we are also now able to offer electronic versions of the two information security standards and we are in the final stages of negotiations to add several significant information security management products to the site as well.

This all means that we’re having to get additional office space as well as recruiting more back office people to support our websales and marketing activity, as well as to drive forward our publishing business.

We continue to observe information security stupidity and are increasingly fascinated that this form of stupidity seems to become more successful the larger the company. It seems to turn Darwin on his head, that the least useful approaches are the ones that appear to win out – when business slows down, it’ll be worth thinking about.