CHAPTER 4: PRINCIPLES AND MODEL FOR GOOD GOVERNANCE OF IT

This, the fourth chapter of ISO/IEC 38500, contains the meat of the matter, the most important part of the Standard, and the core of the Standard’s concept of IT governance. It identifies six principles of good IT governance, and three main tasks for which governing bodies are responsible.

Six principles

The six principles – which are intended to guide decision-making – of good IT governance are:

1. Responsibility;

2. Strategy;

3. Acquisition;

4. Performance;

5. Conformance; and

6. Human behaviour.

The principle of responsibility recognises that those responsible for IT within organisations must understand and accept their responsibilities in respect of the supply and demand for IT. They must also have the authority to perform the actions for which they are responsible. This principle encompasses the notion of ‘accountability’.

Strategy recognises that an organisation’s business strategy should take into account current and future IT capabilities; conversely, the IT strategy should reflect the requirements of the business strategy. This notion is often described as business–IT alignment, as though the requirement is a surprising one!

Acquisition is the principle that stakeholders should applaud: it argues that IT investment decision-making should be clear and transparent, with an appropriate balance between cost and opportunity, with a clear understanding of risk and both a long- and a short-term view.

The principle of performance recognises that IT should be ‘fit for purpose’. IT systems must deliver the planned capacity and capability, and associated risks must be mitigated, to provide the intended benefits. Performance requires ongoing monitoring; IT service management is one way of expressing this principle in action.

IT underpins financial accounting, and houses, supports and manipulates the data on which the organisation’s survival depends. The principle of conformance therefore requires the organisation to ensure that IT complies with all regulatory and contractual requirements; standards such as ISO/IEC 27001 have a key role to play here.

IT, of course, is part of an organisation that depends primarily on its people; the sixth principle, human behaviour, requires IT policies, practices and decisions to respect human behaviour (which is one of the defined terms in the Standard).

The IT governance model

ISO/IEC 38500 proposes a model for IT governance, which is set out in Figure 1. This model, which is derived from the original version published in AS 8015:2005, is a clear and simple one that clearly contextualises the governing body’s role in respect of IT governance.

[Figure 1 image not reproduced]

Figure 1: Model for governance of IT [11]

Under this model, governing bodies have three main tasks to ensure effective governance: evaluate, direct and monitor.

Evaluate

ISO/IEC 38500 says governing bodies should evaluate the current and future use of IT (including strategies, implementation plans, supply arrangements, and so on, whether this is internal, external or some combination of both). They should take account of pressures acting on the business, including technological change, economic and other trends, and politics; evaluations should be regular, and be informed by and consider current and future business needs and objectives.

Direct

The governing body must assign responsibility for implementation of IT strategies and policies, and must then hold management to account for delivery of those plans. Plans set the direction for IT investment, operation and projects, while policies are directional and should help establish sound behaviour.

This action encompasses the requirement for good, transparent and timely information from management to the board about the progress of IT operations and projects, thus putting the board in a position to ensure that IT projects move smoothly into the operational phase without more disruption than planned for. As IT projects are usually high-risk undertakings with non-trivial consequences in the event of failure or budget excess, this aspect of just this one IT governance action could have a significant effect on improving rates of IT project success.

Monitor

Those directors who want timely information that will enable them to act must first implement monitoring systems that will tell them what is going on – and which will alert them to any failures to comply with regulation, statute or contract. Internal audit is as much a part of effective monitoring as is clear management accountability and meaningful performance reporting.

Accountability

ISO/IEC 38500 makes a very clear statement in this chapter: “accountability for the effective, efficient and acceptable use and delivery of IT by an organisation remains with the governing body and cannot be delegated.” [12]

11. Original image copyright ISO/IEC 2015

12. ISO/IEC 38500:2015, Clause 4.2.
