Alan Calder on IT Governance, information security & ISO 27001

To help Human Resources and Training Managers get the most from their budgets we have introduced our new IT Governance Training Passports. In a single purchase, these allow organisations to acquire any combination of IT training, tools and support services from the most comprehensive one-stop shop on the Web. Discounts are offered on all chosen items, whether used immediately or at a future date, making them ideal for public and private sector organisations needing to purchase training ahead of their annual budget deadlines.

Training Passports are offered in three grades: Bronze (£5,000 + VAT), Silver (£10,000 + VAT) and Gold (£15,000 + VAT). Through IT Governance’s Training Gateway, Training Passport holders can access the Web’s widest range of accredited, professional IT training, which is available across the UK, and receive discounts of up to 30 percent:

* On every classroom course, including Basel II, BCM & BS25999, CISA, Cisco, CISM, CISSP, EC Ethical Hacking, HDI, ISO20000, ISO27001, ITILv2, ITILv3, ITIL bridging, Microsoft, MoR, MSP, Prince2 and Sarbanes Oxley.
* On every distance or e-learning course.
* On every exam guide, subject manual or other training material.

All bookings are made through IT Governance’s friendly and efficient team of training consultants, who can advise on how to get the maximum benefit from a Training Passport. Furthermore, these consultants can advise of additional late-booking discounts that IT Governance is often able to negotiate with training suppliers.

These discounts and the variety of options available allow HR and Training Managers to get the maximum value from their existing budgets. As purchasers receive just a single invoice for multiple courses and products, rather than needing internal expenditure approvals for each, this also saves significant administrative time and effort.

Although Training Passports enable courses to be purchased in advance, they offer flexibility, since delegates’ details need only be finalised at a later stage once the ideal course and location have been chosen. They also assure organisations of the most up-to-date training, as each Passport remains valid for all courses and products offered by IT Governance until it has been fully used.

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

It is interesting to note that the “spin-free” new administration of Gordon Brown may be making moves to sweep the NHS IT reform programme under the carpet. The recent resignation of the forthright Richard Granger at Connecting for Health has removed a lightning rod for the project and it is now reported that two of its most vocal government supporters have been moved to other roles.
Here is the striking thing: OGC (Office of Government Commerce) is the developer and owner of two world-recognised best practice frameworks: Prince2, for managing IT programmes and IT projects, and ITIL, for IT Service Management. Prince2 was developed to help government IT projects come in on time, to budget and on specification. ITIL focuses on the need to understand customer (i.e. user requirements) and to develop and deliver services that align with business needs. Both are part of a normal IT governance framework, and both have quite signally failed in the NHS Connecting for Health programme.

We’ve seen Grainger go, and others moved on, but we haven’t seen any overt attempt to rectify the governance failures that led to the current parlous situation in which a national project is behind timetable, over budget and not meeting specification. A delivery-focused government would start off by overhauling the governance framework put in place for this framework, not just on changing faces – maybe Brown and his ministers need a lesson – from one of their own departments – on how these things should be done.

IT Governance, as Jason Cole points out, is more than project management, more than regulatory compliance, more than CobiT or ITIL or ISO 27001.

It’s also somewhat more than his article suggests. There are three books that tackle this subject, a Weill and Ross book (How Top Performers Manage IT for Superior Results) from Harvard Business Press, a compact and concise guide for Directors (IT Governance: Guidelines for Directors) and IT Governance Today: a Practitioner’s Handbook.

Even more usefully, there is a new framework that pulls together all components of IT governance (the Calder-Moir IT Governance Framework) and the related IT Governance Framework – Toolkit that is designed to help organizations of all sizes make a start with tackling IT governance at their own pace and in their own way – and at a cost somewhat less than is likely to be extracted by a substantial consultancy provider.

With all these resources so easily available, there’s no need for anyone to wonder what IT governance actually is, or to work out how to get started with realising the real business benefits of implementing an IT governance framework.

A recent statement by Aidan Lawes, CEO of the itSMF, had him expresssing a belief that ITIL should be about integration – rather than alignment – with the business, and that there are now only business processes. That’s completely right – and there is a key point there for all IT governance practitioners – even for CobiT!

CSO Online from reports from Australia that ITIL is fast gaining popularity around the world, spurred on by regulatory factors such as SOX – read their article here. We’ve also seen a steep increase in demand for ITIL information so we’ve put together what we believe is the most comprehensive specialised ITIL and IT Service Management shop on the web, offering books, toolkits and exam-based distance learning products. Have a look here and let us know if there’s anything you can’t find.

ISO 27001 is of course an ideal solution to businesses that need to ensure they comply with Sarbanes Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 – similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.

The recently launched ‘Aligning Cobit, ITIL and ISO 17799 for Business Benefit‘ is a welcome step toward making IT governance more usable for most organizations. There has long been confusion over which of these three frameworks is really an IT governance framework; for an equal length of time, the answer has been that each is a component of such a framework, as I proposed in IT Governance Today: a Practitioner’s Handbook earlier this year.

While I’m delighed at this progress, there is (as I’ve already argued) further still to go in integrating and simplifying IT governance frameworks, and I will be taking this further in the 2nd edition of the Practitioner’s Handbook when it is published early next year.

It’s been a long summer, and blogging has had to take a back seat to managing the fast growth of our business, IT Governance Ltd. Sales of books and tools through www.itgovernance.co.uk has continued to increase substantially month on month. We’ve expanded our product range, adding a TSO (The Stationery Office) distributorship as well as books from van Haren. As a result of these two agreements, we now have an outstanding collection of ITIL, BS15000 and related titles available through the website. We also now offer, amongst our project governance titles, the new Prince2 books and supporting tools. An inexpensive Pocket Guide to IT Governance, dealing with CobiT principles is the first, we hope, of a number of CobiT titles.

Excitingly, we are also now able to offer electronic versions of the two information security standards and we are in the final stages of negotiations to add several significant information security management products to the site as well.

This all means that we’re having to get additional office space as well as recruiting more back office people to support our websales and marketing activity, as well as to drive forward our publishing business.

We continue to observe information security stupidity and are increasingly fascinated that this form of stupidity seems to become more succesful the larger the company. It seems to turn Darwin on his head, that the least useful approaches are the ones that appear to win out – when business slows down, it’ll be worth thinking about.