See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/254864216

Fundamentals of IT Governance Based on ISO/IEC 38500

Article · October 2010

CITATIONS READS

0 4,016

1 author:

Haris Hamidovic
Independent Researcher - Information Security
86 PUBLICATIONS   19 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Haris Hamidovic on 21 May 2014.

The user has requested enhancement of the downloaded file.

Journal Online
Haris Hamidovic, CIA, is
chief information security
officer at Microcredit
Foundation EKI Sarajevo,
Bosnia and Herzegovina. Prior
to his current assignment,
Hamidovic served as IT
specialist in the North Atlantic
Treaty Organization (NATO)-
led Stabilization Force (SFOR)
in Bosnia and Herzegovina.
He is the author of four books
and more than 60 articles
for business and IT-related
publications. Hamidovic
is a certified information
technology expert appointed
by the Federal Ministry
of Justice of Bosnia and
Herzegovina.
Fundamentals of IT Governance Based on
ISO/IEC 38500
The presence of an effective corporate governance
system, within an individual company and across
an economy as a whole, helps to provide a degree
of confidence that is necessary for the proper
function of a market economy.1
Governance is a process by which a board
of directors, through management, guides an
institution in fulfilling its corporate mission
and protects the institution’s assets. Effective
governance occurs when a board provides
proper guidance to management regarding the
strategic direction for the institution and oversees
management’s efforts to move in this direction.2
Over the years, IT has become the backbone
of businesses to the point where it would be
impossible for many to function without it. IT
is no longer separate from the enterprise; it is
an essential element of it. While, in the past,
business executives could delegate, ignore or
avoid IT decisions, this is now impossible in most
sectors and industries.3
A lack of board oversight for IT activities is
dangerous; it puts the enterprise at risk in the
same way that failing to audit its books would.4
“
In fact, the Bank
A lack of board oversight for International
Settlements
for IT activities is (BIS) has
dangerous; it puts the pointed out that
”
enterprise at risk. board members
in financial
institutions
should address IT as they would any other
strategic board agenda item.5
Critical dependency on information technology
calls for a specific focus on IT governance to
ensure that the investments in IT will generate the
required business value and that risks associated
with IT are mitigated.6
The main objective of this article is to
provide an introduction to the key elements
of IT governance, to key industry frameworks
used by organizations, and to guiding principles
for directors of organizations on the effective,
efficient and acceptable use of IT within their
organizations based on ISO/IEC 38500:2008.7
It should assist board members in starting to
fulfill obligations in respect to their organizations’
use of IT.
WHAT DOES IT GOVERNANCE COVER?
The IT Governance Institute® (ITGI®) states that,
fundamentally, the governance of IT is concerned
about two things: IT’s delivery of value to the
business and the mitigation of IT risks. The first
is driven by strategic alignment of IT with the
business. The second is driven by embedding
accountability into the enterprise. Both need to be
supported by adequate resources and measured to
ensure that the results are obtained.
This leads to the five main focus areas for IT
governance, all driven by stakeholder value. Two
of them are outcomes: value delivery and risk
management. Three of them are drivers: strategic
alignment, resource management (which overlays
them all) and performance measurement. IT
governance is also a continuous life cycle.8
IT governance is distinct from IT management.
Governance determines who makes the decisions.
Management is the process of making and
implementing the decisions.9
IT governance is about who is entitled to
make major decisions, who has input and who
is accountable for implementing those decisions.
It is not synonymous with IT management. IT
governance is about decision rights, whereas IT
management is about making and implementing
specific IT decisions.10
IT GOVERNANCE FRAMEWORKS
A number of experts suggest frameworks that
are detailed and intended for implementation
by middle managers. These are known as IT
governance “frameworks.” Some of the frequently
cited frameworks are:11
s#/")412
ISACA JOURNAL VOLUME 5, 2010 1
 s)4)NFRASTRUCTURE,IBRARY)4), 13
s)3/)%#14
Although these frameworks are characterized as
“IT governance frameworks,” some of them are in fact
management frameworks.15
These frameworks are not alternative treatments of the
same issues.
COBIT is an IT governance framework and supporting
tool set that allows managers to bridge the gap between
control requirements, technical issues and business risks.
COBIT enables clear policy development and good practice
for IT control throughout organizations. COBIT emphasizes
regulatory compliance, helps organizations increase the
value attained from IT, enables alignment and simplifies
implementation of the COBIT framework.16
)4),ISESSENTIALLYASERIESOFDOCUMENTSTHATAREUSEDTOAID implemented and enforced.
the implementation of a framework for IT service management.
This customizable framework defines how service management
ISAPPLIEDWITHINANORGANIZATION!LTHOUGH)4),WASORIGINALLY the current and evolving needs of all the “people in
created by the Central Computer and Telecommunications
Agency (CCTA), a UK government agency, it is now being
adopted and used across the world as the de facto standard for
BESTPRACTICEINTHEPROVISIONOF)4SERVICE!LTHOUGH)4),COVERS s%VALUATETHECURRENTANDFUTUREUSEOF)4
a number of areas, its main focus is on IT service management.17
ISO/IEC 27001:2005 is a standard that sets out the
requirements for an information security management
system. It helps identify, manage and minimize the range
of threats to which information is regularly subjected. The
standard is designed to ensure the selection of adequate and
proportionate security controls that protect information
assets and give confidence to interested parties, including an
organization’s customers.18
PRINCIPLES FOR GOOD CORPORATE GOVERNANCE OF IT
An example of the growing importance of IT governance,
ISO released in 2008 a new worldwide standard, the objective
of which is to provide a framework of principles for directors
to use when evaluating, directing and monitoring the use of IT
in their organizations. In this standard, ISO puts forward six
principles for governance of IT:19
1. Responsibility—Individuals and groups within the
organization understand and accept their responsibilities in
respect of the supply of and the demand for IT. Those with
responsibility for actions also have the authority to perform
those actions.
2 ISACA JOURNAL VOLUME 5, 2010
2. Strategy—The organization’s business strategy takes
into account the current and future capabilities of IT; the
strategic plans for IT satisfy the current and ongoing needs
of the organization’s business strategy.
3. Acquisition—IT acquisitions are made for valid reasons,
on the basis of appropriate and ongoing analysis, with clear
and transparent decision making. There is an appropriate
balance between benefits, opportunities, costs and risks, in
both the short term and the long term.
4. Performance—IT is fit for purpose in supporting the
organization and in providing the services, the levels of
service, and the service quality required to meet current
and future business requirements.
5. Conformance—IT complies with all mandatory legislation
and regulations. Policies and practices are clearly defined,
6. Human behavior—IT policies, practices and decisions
demonstrate respect for human behavior, including
the process.”
ISO/IEC 38500 recommends that directors should govern
IT through three main tasks:
s$IRECTPREPARATIONANDIMPLEMENTATIONOFPLANSANDPOLICIES
to ensure that use of IT meets business objectives.
s-ONITORCONFORMANCETOPOLICIESANDPERFORMANCEAGAINST
the plans.
IT GOVERNANCE IMPLEMENTATION
Enterprises implement their governance arrangements through
a set of governance mechanisms: structures, processes and
“
communications.20 Well-
designed, well-understood
Well-designed, well-
and transparent governance
mechanisms promote desirable understood and
IT behaviors. Conversely, transparent governance
if mechanisms are poorly
mechanisms promote
”
implemented, then governance
arrangements will fail to yield desirable IT behaviors.
desirable results.
Effective governance deploys three different types of
mechanisms:
sDecision-making structures—Organizational units and roles
responsible for making IT decisions, such as committees,
executive teams and business/IT relationship managers
sAlignment processes—Formal processes for ensuring that
daily behaviors are consistent with IT policies and provide
input back to decisions. These include IT investment proposal
and evaluation processes, architecture exception processes,
service-level agreements, chargeback, and metrics.
s Communication approaches—Announcements, advocates,
channels and education efforts that disseminate IT
governance principles and policies and outcomes of IT
decision-making processes
WHAT QUESTIONS SHOULD BE ASKED?
The Australian Computer Society president, Richard Hogg, said:
Just as [information and communication technologies
(ICT)] managers are having to broaden their skills to
better understand the business structure and processes
they are required to support, so must boards enhance
their awareness of the various issues associated with
IT. Corporate boards must learn what questions to
ask about ICT governance… It is poor corporate
OPERATIONAND$EVELOPMENT
$IRECTORSMUSTDETERMINETHATPROCEDURESAREINPLACE
that the procedures are appropriate, and they must obtain
corroborating evidence.24
CONCLUSION
Maturity of the governance of key assets varies significantly
in most enterprises today. Financial and physical assets
are typically the best governed, and information assets are
among the worst governed. However, IT governance should
be an integral part of corporate governance. Asking proper
questions is an effective way to get started in implementing
IT governance. Board members must learn what questions
to ask about IT governance. Then, they need good answers
to these questions and they must require action. The next
step is to implement governance arrangements through a
set of governance mechanisms—structures, processes and
communications.
ENDNOTES
1
/RGANISATIONFOR%CONOMIC#O
governance to push ICT governance down to the IT
manager level. ICT is an integral part of their business
and ICT governance is an integral part of corporate 2
governance.21
Asking tough questions is an effective way to get started 3
/%#$ /%#$Principles of Corporate Governance,
France, 2004
Rock, Rachel; Maria Otero; Sonia Saltzman; Principles
and Practices of Microfinance Governance, ACCION
International, USA, August 1998
in implementing IT governance. Of course, those responsible
for governance want good answers to these questions. Then
they want action. Then they need follow-up. It is essential to
6AN'REMBERGEN7IM3TEVEN$E(AESImplementing
Information Technology Governance: Models, Practices
and Cases, IGI Publishing, USA, 2008
4
Nolan, Richard; F. Warren McFarlen; “Information
determine not just the action, but also who is responsible to 4ECHNOLOGYANDTHE"OARDOF$IRECTORSvHarvard Business
deliver what by when.22 Review, 1 October 2005
The Canadian Institute of Chartered Accountants (CICA) 5
Bank for International Settlements (BIS), “Enhancing
RELEASEDABROCHURECALLEDh1UESTIONS$IRECTORS3HOULD Corporate Governance in Banking Organisations,”
Ask About IT” to assist corporate directors in the discharge September 1999, referenced in IT Governance Institute
of their responsibilities. The document is also intended (ITGI), Unlocking Value: An Executive Primer on the
to be helpful to audit and IT steering committees.23 The Critical Role of IT Governance, USA, 2008
questions make it clear that the prime responsibility rests with 6
management to implement the necessary procedures. The 7
board members need to determine that management has done
so—that the procedures are in place.
Moreover, if the directors are to perform an effective
oversight role with regard to management, they would be
remiss to rely simply on the representations of management, 8
no matter how honest and reliable management might be.
Therefore, some corroborating evidence would be essential.
Op cit6AN'REMBERGENAND$E(AES
International Organization for Standardization (ISO) and
International Electrotechnical Commission (IEC), ISO/
IEC 38500:2008, Corporate governance of information
technology, 2008, www.iso.org/iso/catalogue_detail.
htm?csnumber=51639
ITGI, Board Briefing on IT Governance, 2nd Edition,
USA, 2003
ISACA JOURNAL VOLUME 5, 2010 3
 9
Weill, Peter; Jeanne Ross; IT Governance: How Top 15
Van Bon, Jan; Arjen de Jong; Axel Kolthof; Mike Pieper;
Performers Manage IT Decision Rights for Superior Ruby Tjassing; Annelies van der Veen; Tieneke Verheijen;
Results, Harvard Business Press, USA, 2004 Foundations of IT Service Management Based on ITIL®
10
Broadbent, Marianne; “Understanding IT Governance,” V3, Van Haren Publishing, The Netherlands, 2007
CIO Canada, 1 April 2003 16
ISACA, www.isaca.org/cobit
11
-USSON$AVIDh)4'OVERNANCE!#RITICAL2EVIEWOF 17
IT Service Management Zone, www.itil.org.uk
THE,ITERATUREvInformation Technology Governance and 18
BSI Management Systems, www.bsi-emea.com
Service Management: Frameworks and Adaptations, Ed. 19
Op cit, ISO/IEC 38500:2008
Aileen Cater-Steel, Information Science Reference, USA, 20
Op cit, Weill and Ross
2009 21
Australian Computer Society (ACS), “ACS Stresses Need
12
ITGI, COBIT, 1996-2007, www.isaca.org/cobit for Better ICT Governance,” media release, 5 March 2002
13
Office of Government Commerce, IT Infrastructure 22
Op cit, ITGI, 2003
,IBRARY)4), 65+ 23
Canadian Institute of Chartered Accountants (CICA), “20
14
ISO and IEC, ISO/IEC 27001, Information technology— 1UESTIONS$IRECTORS3HOULD!SK!BOUT)4v#ANADA
Security techniques—Information security management 24
4RITES'ERALDh$IRECTOR2ESPONSIBILITYFOR)4
systems—Requirements, 2005, www.iso.org/iso/catalogue_ Governance,” International Journal of Accounting
detail?csnumber=42103 Information Systems, vol. 5, issue 2, July 2004

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription
to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance
Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in
writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St.,
Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date,
volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without
express permission of the association or the copyright owner is expressly prohibited.

www.isaca.org

4 ISACA JOURNAL VOLUME 5, 2010

View publication stats