Alan Calder on IT Governance, information security & ISO 27001

THE KING CODE OF GOVERNANCE PRINCIPLES (known as KING 3 or KING III) is still (in my opinion) the most advanced and useful of the world’s corporate governance codes. I’m a particular admirer of the fact that the King Committee included coverage of IT Governance in the Code, identified frameworks such as CObIT and the international standard ISO/IEC 38500 as providing useful starting points, and set out seven specific IT governance principles for company directors to follow.

I obviously agree with the King Committee that there is no ‘one size suits all’ approach to IT governance, and that every organisation has to develop its own approach to the subject, extracting those elements that will be useful to it from the existing frameworks and standards. That, after all, is the one of the driving thoughts behind the Calder-Moir framework - that, and the belief that one should be able to intelligently draw simultaneously on more than one framework. I’ve been particularly encouraged by the number of South African companies that have turned to our IT Governance Framework Toolkit to help them implement IT governance in their organisations.

Some evidence is emerging that that ISO/IEC 38500, the best practice standard for IT governance, is catching on. We’ve certainly seen steady demand for copies of the ISO38500 standard itself, as well for the ISO38500 Pocket Guide and, more importantly, the ISO38500 IT Governance Framework Toolkit.

Regarding Liken’s survey, Rowlands says, “We were impressed by the strength of support for ISO/IEC: 38500. Against the unfolding economic panorama, could it be that this is a more suitable measure of corporate IT governance and a catalyst for sound asset management?

“Cost savings and efficient usage seem now to be the primary drivers as organisations place a greater emphasis on controlling software and hardware usage rather than managing inventory and licensing.”

“ISO38500 is a catch-all IT governance standard and it’s much more attainable for a lot of businesses and it will give the directors of those businesses a sense that they are doing things the right way.”

In a nutshell, ISO38500 provides practical, straightforward guidance for directors as to how they should go about ensuring that their IT operations are doing the right things - and doing the right things, cost-effectively, is going to be a critical component for all organisations of surviving the tough economic conditions that we are currently experiencing.