Archive for the ‘IT Governance’ Category

International standard for IT Governance

Wednesday, July 16th, 2008

The International Organization for Standardization (ISO) has recently published an International Standard for the corporate governance of information technology.  This standard is the result of several months of work by the ICT Governance Study Group, within the bit of ISO known as ISO/IEC JTC1/SC7.  Although I was nominally a member of this working group (which meant that I got included in all the communications, drafts, meeting minutes, etc.), I have to admit that I was something of a “lurker”, mainly because this was my first involvement with ISO and I wanted to see how things worked before chipping in with my opinions.  I also couldn’t quite justify the time and expense of attending the occasional meetings, as they were held in Seoul, Moscow, Montreal, Berlin,…

Anyway, the group finally achieved a consensus from the representatives of the many national bodies involved, and the result is ISO/IEC 38500:2008.  The standard can be purchased in paper form or as a PDF download from the ISO web site; the price is 84 Swiss francs (about £42).  I’m not going to go into any great detail of the content of the standard here – you’ll have to invest your 84 Swiss francs to get the full thing, but I’ll give a very brief overview.

The document has 3 main sections.  The first explains the scope, application and objectives of the standard – what it is trying to achieve; the second describes a framework for good corporate governance of IT; and the third provides guidance on how the framework should be used for the corporate governance of IT.

The framework consists of a set of principles for good corporate governance of IT, and a model that indicates how the principles should be applied.  The six principles are:

  1. Responsibility.  To ensure that individuals and groups within an organisation understand and accept their responsibilities
  2. Strategy.  To ensure that the business strategy takes into account the current and future capabilities of IT
  3. Acquisition.  To ensure that IT acquisitions are made for valid reasons
  4. Performance.  To ensure that the IT services delivered are fit for purpose in supporting the organisation
  5. Conformance.  To ensure IT complies with all mandatory legislation and regulations
  6. Human Behaviour.  To ensure that policies, practices and decisions demonstrate respect for human behaviour

The model describes the 3 main tasks that directors should perform to govern IT:

  1. Evaluate the current and future use of IT
  2. Direct preparation and implementation of plans and policies
  3. Monitor conformance to policies and performance against the plan

The Guidance section of the standard describes how each of the 3 tasks is applied to each of the 6 principles in order to achieve good governance of IT.  This is the bit that goes into the detail of what things should happen within an organisation in order to achieve an acceptable level of governance of IT.  Although called a “standard”, the guidance is presented in terms of what “should” happen, and is therefore more a “code of practice” – a standard that could be certified against would use the term “shall” in order to indicate the activities that were mandatory.  Whether there will ever be a certification scheme for this standard is open to speculation – of course, I’ll keep my eyes and ears open on that subject.

My opinion of the standard is that it does what it claims to set out to do – to provide a framework of principles to assist directors of organisations in the achievement of good corporate governance of IT.  How useful it will be remains to be seen; I think the value of the standard will be in shaping the development of lower level standards and guidance, and it will only really come into its own when it can be mapped to practical “best practice” guidelines such as COBIT and ITIL.

Welcome to my IT Service Management and IT Governance blog

Saturday, July 12th, 2008

Well, after a few weeks of experimentation and finding my feet with registering my web domain, getting the web hosting sorted out, and familiarising myself with WordPress, I think I’m just about ready to launch this blog on to an unsuspecting world.  My main areas of interest are IT Governance and IT Service Management; these areas are very dynamic at the moment, and they are continuing to rise up the agendas of many IT Directors and Board members.

In the area of IT Governance, a new international standard – ISO/IEC 38500 – has recently been released, and the emerging global best practice framework – COBIT – is growing more popular.

In the IT Service Management world, the refresh of ITIL (IT Infrastructure Library), commonly known as ITIL v3, is now a year old, and the anniversary has attracted a lot of comment and opinion about whether it is better or worse than the previous version.

In this blog I will aim to give my views on the latest events in this sector of the IT industry, and to provide links to the views of other commentators in the industry (even if I don’t agree with them).  It would be nice to get feedback on my postings (even if you don’t agree with me), so please feel free to leave a comment to give your views on the subject.