CHAPTER 8: OTHER IT GOVERNANCE STANDARDS AND FRAMEWORKS

ISO/IEC 38500 is an overarching framework of principles and guidance for the governing body of an organisation. It deals with the governance of IT, not its management.

A number of frameworks and standards have evolved that provide detailed guidance and support for specific areas of IT activity for which the board is responsible. Each of these frameworks has its own strengths and weaknesses, and each is capable of being used on its own, or in conjunction with one or more of the other frameworks; all can be used within an ISO/IEC 38500 IT governance framework.

The most widely recognised frameworks that can help with both conformance and performance include those below.

COBIT – a framework for the governance and management of enterprise IT. At the time of writing, the latest version is COBIT 2019, and there is a wide range of related professional qualifications.

ISO/IEC 27002:2013 – the international code of best practice for information security, and ISO/IEC 27001:2013, the international specification against which an organisation’s information security management system can be certified as conforming.[18] There is a range of professional qualifications specifically related to ISO/IEC 27001,[19] and widely recognised information security certifications such as CISSP®[20] and CISM®[21] cover much of the same ground.

ITIL (IT Infrastructure Library®) – an integrated set of best-practice recommendations for IT service management. While ITIL 4 was released in 2019, the earlier version is still very much in use around the world.[22] There is a well-structured and comprehensive framework of professional certifications for ITIL, which has hundreds of thousands of registered practitioners worldwide.

ISO/IEC 20000 – the associated certification standard for IT service management, and heavily based on ITIL. Professional certifications are available.

Business continuity management is an essential component of IT governance, just as it is of corporate governance generally. ISO 22301[23] is currently the world’s only formal standard for business continuity management. It provides both a specification and a code of practice that can be effectively used within the context of an ISO/IEC 38500 IT governance framework.

Project management expertise has two main strands: the PMBOK® (Project Management Body of Knowledge) promoted by the Project Management Institute,[24] and the PRINCE2® (Projects in Controlled Environments) school,[25] which was begun by the UK Office of Government Commerce and now incorporates MSP (Managing Successful Programmes)[26] and MoR (Management of Risk).[27] Between them, these provide a solid discipline for the effective management of IT projects. Both project management schools are supported by a structured range of professional qualifications.

Enterprise IT architecture is a key part of effective IT governance and is a specialist discipline that directors may choose to consider early on. The two that are most valuable are the Zachman framework[28] and TOGAF® (The Open Group Architecture Framework).[29]

There is a wide range of other specialist standards and frameworks for IT management, dealing with issues ranging from capability maturity models and quality management through to procurement and operations frameworks. See below[30] for a comprehensive list of frameworks and associated information.

Conformance

Principle 5 of ISO/IEC 38500 states that directors should ensure that their use of IT meets all the requirements of applicable regulations and laws, as well as contractual obligations. The mass of regulation (data protection, privacy, anti-spam, internal control, computer misuse, etc.) relating to organisations is complex and ever-changing. While a number of the standards and frameworks described above will help, it is important to identify the specific regulatory requirements of all those laws and regulations that might apply to the organisation, and to ensure that appropriate conformance actions are taken.

As the regulatory environment becomes more complex, it is increasingly sensible to consider methods that cover multiple requirements, where possible. The IT Governance Cyber Resilience Framework, for example, incorporates cyber security, incident response, risk management and business continuity, all overseen by a comprehensive governance framework, and is ideal for organisations subject to wide-reaching regulations such as the General Data Protection Regulation (GDPR) or the Network and Information Systems (NIS) Directive.

[18] www.itgovernance.co.uk/iso27001.

[19] www.itgovernance.co.uk/shop/category/iso-27001-training-courses.

[20] www.itgovernance.co.uk/cissp.

[21] www.itgovernance.co.uk/cism.

[22] www.itgovernance.co.uk/itil.

[23] www.itgovernance.co.uk/iso22301-business-continuity-standard.

[24] www.itgovernance.co.uk/pmbok.

[25] www.itgovernance.co.uk/prince2.

[26] www.itgovernance.co.uk/msp.

[27] www.itgovernance.co.uk/M_o_R.

[28] www.zifa.com/.

[29] www.opengroup.org/togaf.

[30] www.itgovernance.co.uk/frameworks.
