IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT
By Alan Calder
About this ebook
Implementing Frameworks and Standards for the Corporate Governance of IT sets out for managers, executives and IT professionals the practical steps necessary to meet today’s corporate and IT governance requirements.
It provides practical guidance on how board executives and IT professionals can navigate, integrate and deploy to best corporate and commercial advantage the most widely used of today’s IT management and IT governance frameworks and standards from around the world.
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Book preview
IT Governance - Alan Calder
978-1-849281-28-7
FOREWORD
Corporate governance increasingly provides the context within which twenty-first century organisations have to assess and deal with their investments in, and risks to, their corporate information assets and the Information and Communications Technology (ICT, or just IT) infrastructure within which those information assets are collected, manipulated, stored and deployed. But what is corporate governance, and why is it important to the IT professional? Why is IT governance important to the company director, and what do directors of companies—both quoted and unquoted—need to know?
This book aims to do two things.
The first is to set out for managers, executives and IT professionals the practical steps necessary to meet today’s corporate and IT governance requirements.
The second is to provide practical guidance on how board executives and IT professionals can navigate and deploy to best corporate and commercial advantage the numerous IT management and IT governance frameworks and standards—particularly ISO/IEC 38500—that have been published over the course of the last 10 years. Each of these standards and frameworks has a potentially valuable role to play in the organisation; the challenge lies in integrating them so that each can deliver what it was designed to do, and do this within the context of an overarching framework (a ‘super framework’, or ‘meta-framework’) that enables each organisation to design IT governance to meet its own needs. The Calder-Moir Framework (which is freely available to download from www.itgovernance.co.uk/calder_moir.aspx) was developed specifically to help organisations manage and govern their IT operations more effectively, and to coordinate the sometimes wide range of overlapping and competing frameworks and standards. It also specifically supports implementation of ISO/IEC 38500, the new international standard for best practice IT governance.
PREFACE
This book assembles, restructures and stitches together a number of Alan Calder’s recent articles on aspects of IT governance and is designed to provide a current guide to this subject. It also introduces and contextualises the Calder-Moir Framework, a meta-model for IT governance. This book provides an overview of this framework and some perspectives on its implementation.
This book should be read alongside Alan’s two other books on this subject: IT Governance: Guidelines for Directors¹ and IT Governance Today: a Practitioner’s Handbook². Both of these books are available from www.itgovernance.co.uk.
This book also serves as an effective introduction to the contents of the IT Governance Framework Toolkit³ and, along with the two books mentioned above, provides a comprehensive toolset for the IT governance professional.
¹ Alan Calder, IT Governance: Guidelines for Directors (ITGP, 2005). See www.itgovernance.co.uk/products/19.
² Alan Calder, IT Governance Today: a Practitioner’s Handbook (ITGP, 2005). See www.itgovernance.co.uk/products/18.
³ www.itgovernance.co.uk/products/519.
ABOUT THE AUTHOR
Alan Calder is a leading author on information security and IT governance issues. He is Chief Executive of IT Governance Limited, the one-stop-shop for books, tools, training and consultancy on governance, risk management and compliance. He is also Chairman of the Board of Directors of CEME, a public-private sector skills partnership.
Alan is an international authority on IT Governance and, with Steve Moir, originated the innovative Calder-Moir IT Governance Framework. He is also an international expert on ISO27001 (formerly BS7799), the international security standard, about which he wrote with colleague Steve Watkins the definitive compliance guide, IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799. This work is based on his experience of leading the world’s first successful implementation of BS7799 (with the fourth edition published in May 2008) and is the basis for the UK Open University’s postgraduate course on information security.
Other books written by Alan include The Case for ISO27001, ISO27001—Nine Steps to Success, IT Governance: Guidelines for Directors, IT Governance Today: a Practitioner’s Handbook and IT Regulatory Compliance in the UK.
Alan is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Alan was previously CEO of Wide Learning, a supplier of e-learning; of Focus Central London, a training and enterprise council; and of Business Link London City Partners, a government agency focused on helping growing businesses to develop. He was a member of the Information Age Competitiveness Working Group of the UK Government’s Department for Trade and Industry, and was until recently a member of the DNV Certification Services Certification Committee, which certifies compliance with international standards including ISO27001.
ACKNOWLEDGEMENTS
While this book was written by Alan Calder, elements of it (including almost all the graphical representations) were contributed by Steve Moir who, with Alan Calder, originated the Calder-Moir IT Governance Framework. Steve Moir created the IT Governance Framework Toolkit, which provides significant and extensive support to organisations implementing IT governance using the Calder-Moir Framework and ISO38500. Some of Alan’s material has also appeared elsewhere, albeit in a slightly different form.
CONTENTS
INTRODUCTION: CORPORATE GOVERNANCE CONTEXT
Corporate governance is a daily newspaper subject and, to one extent or another, all company directors—and the directors of public sector and quasi-autonomous governmental organisations (known in the UK as ‘quangos’)—want to know what corporate governance really means for them. What is good corporate governance practice? To whom does the UK’s Combined Code really apply? Is SOX⁴ important outside the US? Should the directors of privately owned companies pay the same attention to corporate governance as those that are listed on public exchanges?
In the twenty-first century, corporate governance has become critical for all medium-sized and large organisations. Those without a governance strategy face significant risks; those with one perform measurably better:
Corporations work within a governance framework which is set first by the law and then by regulations emanating from the regulatory bodies to which they are subject. In addition, publicly quoted companies are subject to their shareholders in general meeting and all companies to the forces of public opinion.⁵
Background
The ‘greed is good’ business philosophy of the 1980s and 1990s seemed to give way, at the end of the twentieth century, to a ‘looting is good’ approach. Catastrophic financial failure is, of course, a characteristic of the business cycle and it is not uncommon for a downturn in the cycle to expose organisations that have been playing fast and loose with their shareholders’ funds. Warren Buffett has long talked about how a receding economic tide exposes those who have been swimming without any clothes on. Looting has happened before: BICC and Maxwell Communications in the UK are good examples. Corporate collapse, originating in a failure of internal control, has happened before: Barings, again in the UK, is one instance.
⁴ The US Sarbanes-Oxley Act of 2002.
⁵ Sir Adrian Cadbury, ‘The future for Governance: the Rules of the Game’ in Journal of General Management, Vol. 24, No. 1, Autumn 1998, pp. 1–14.
The spate of collapses and financial failures at the end of the Internet bubble, though, suggested a systemic weakness, and one whose increasingly worldwide implications had a significant, negative knock-on effect on already problematic pension funds and pensioner assets. Enron, Worldcom, Marconi, Parmalat and many other corporate disasters could be described as the storm damage of unbridled executive authority.
Governments, already grappling with the challenge of funding the pensions of an inexorably greying population bulge, and unwilling to afford further wanton asset destruction, started applying themselves to rooting out corporate misbehaviour. They did this through a combination of overt regulatory action, and slightly more covert pressure on institutional investors to stand up for their rights as shareholders and exercise more determinedly their de facto responsibility to insist on proper governance from those organisations in which they were invested.
The concept of governance is a simple one: it ‘is the system by which business corporations are directed and controlled’⁶. The ‘holy trinity’ of good corporate governance has long been seen as shareholder rights, transparency and board accountability.
The global economy recovered rapidly from the slump that followed the bursting of the Internet bubble. It turns out, though, that this recovery was fuelled to an unsustainable extent by a toxic combination of leverage and incomprehensible financial instruments. The financial crash of 2008 and its subsequent recession arose from significant governance, regulatory and risk-management failures in the financial sector, globally. Well-governed corporations are surviving the economic fall-out and their governance of IT plays a significant role in how effectively they compete to survive.
Governance
While corporate governance appears overtly concerned with board structure, executive compensation and shareholder reporting, the underlying assumption is that the board of the corporation is responsible for how the business is managed and for controlling the risks to the organisation’s assets and trading future. Across the OECD⁷, institutions, investors, regulatory bodies and governments have converged around a common understanding of corporate governance⁸ and, in the developing world, corporate governance is increasingly seen as a basic ‘cost of entry’ into the global capital markets. The economic turmoil that began in 2008 has increased the importance of governance; well-governed organisations are able to survive and, in the battle of limited investor funds, have a significant competitive advantage.
⁶ OECD Principles of Corporate Governance, 1999.
⁷ The Organisation for Economic Co-operation and Development, an international agency which endeavours to do exactly what its title suggests.
⁸ See IT Governance: Guidelines for Directors, Alan Calder (IT Governance Publishing, 2005).
The term ‘Corporate Governance’ first gained prominence when it was used by Robert Tricker⁹. He described corporate governance as being ‘concerned with the way corporate entities are governed, as distinct from the way businesses within