
Journal Online

Fundamentals of IT Governance Based on ISO/IEC 38500

ISACA JOURNAL VOLUME 5, 2010

Haris Hamidovic, CIA, is chief information security officer at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North Atlantic Treaty Organization (NATO)-led Stabilization Force (SFOR) in Bosnia and Herzegovina. He is the author of four books and more than 60 articles for business and IT-related publications. Hamidovic is a certified information technology expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina.

The presence of an effective corporate governance system, within an individual company and across an economy as a whole, helps to provide a degree of confidence that is necessary for the proper function of a market economy.[1]

Governance is a process by which a board of directors, through management, guides an institution in fulfilling its corporate mission and protects the institution’s assets. Effective governance occurs when a board provides proper guidance to management regarding the strategic direction for the institution and oversees management’s efforts to move in this direction.[2]

Over the years, IT has become the backbone of businesses to the point where it would be impossible for many to function without it. IT is no longer separate from the enterprise; it is an essential element of it. While, in the past, business executives could delegate, ignore or avoid IT decisions, this is now impossible in most sectors and industries.[3]

A lack of board oversight for IT activities is dangerous; it puts the enterprise at risk in the same way that failing to audit its books would.[4] In fact, the Bank for International Settlements (BIS) has pointed out that board members in financial institutions should address IT as they would any other strategic board agenda item.[5]

Critical dependency on information technology calls for a specific focus on IT governance to ensure that the investments in IT will generate the required business value and that risks associated with IT are mitigated.[6]

The main objective of this article is to provide an introduction to the key elements of IT governance, to key industry frameworks used by organizations, and to guiding principles for directors of organizations on the effective, efficient and acceptable use of IT within their organizations based on ISO/IEC 38500:2008.[7] It should assist board members in starting to fulfill obligations in respect to their organizations’ use of IT.

WHAT DOES IT GOVERNANCE COVER?

The IT Governance Institute® (ITGI®) states that, fundamentally, the governance of IT is concerned about two things: IT’s delivery of value to the business and the mitigation of IT risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained.

This leads to the five main focus areas for IT governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management (which overlays them all) and performance measurement. IT governance is also a continuous life cycle.[8]

IT governance is distinct from IT management. Governance determines who makes the decisions. Management is the process of making and implementing the decisions.[9]

IT governance is about who is entitled to make major decisions, who has input and who is accountable for implementing those decisions. It is not synonymous with IT management. IT governance is about decision rights, whereas IT management is about making and implementing specific IT decisions.[10]

IT GOVERNANCE FRAMEWORKS

A number of experts suggest frameworks that are detailed and intended for implementation by middle managers. These are known as IT governance “frameworks.” Some of the frequently cited frameworks are:[11]
• COBIT[12]


• IT Infrastructure Library (ITIL)[13]
• ISO/IEC 27001[14]

Although these frameworks are characterized as “IT governance frameworks,” some of them are in fact management frameworks.[15] These frameworks are not alternative treatments of the same issues.

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.[16]

ITIL is essentially a series of documents that are used to aid the implementation of a framework for IT service management. This customizable framework defines how service management is applied within an organization. Although ITIL was originally created by the Central Computer and Telecommunications Agency (CCTA), a UK government agency, it is now being adopted and used across the world as the de facto standard for best practice in the provision of IT service. Although ITIL covers a number of areas, its main focus is on IT service management.[17]

ISO/IEC 27001:2005 is a standard that sets out the requirements for an information security management system. It helps identify, manage and minimize the range of threats to which information is regularly subjected. The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties, including an organization’s customers.[18]

PRINCIPLES FOR GOOD CORPORATE GOVERNANCE OF IT

As an example of the growing importance of IT governance, ISO released in 2008 a new worldwide standard, the objective of which is to provide a framework of principles for directors to use when evaluating, directing and monitoring the use of IT in their organizations. In this standard, ISO puts forward six principles for governance of IT:[19]
1. Responsibility—Individuals and groups within the organization understand and accept their responsibilities in respect of the supply of and the demand for IT. Those with responsibility for actions also have the authority to perform those actions.
2. Strategy—The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
3. Acquisition—IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is an appropriate balance between benefits, opportunities, costs and risks, in both the short term and the long term.
4. Performance—IT is fit for purpose in supporting the organization and in providing the services, the levels of service, and the service quality required to meet current and future business requirements.
5. Conformance—IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
6. Human behavior—IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the “people in the process.”

ISO/IEC 38500 recommends that directors should govern IT through three main tasks:
• Evaluate the current and future use of IT.
• Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
• Monitor conformance to policies and performance against the plans.

IT GOVERNANCE IMPLEMENTATION

Enterprises implement their governance arrangements through a set of governance mechanisms: structures, processes and communications.[20] Well-designed, well-understood and transparent governance mechanisms promote desirable IT behaviors. Conversely, if mechanisms are poorly implemented, then governance arrangements will fail to yield desirable results.

Effective governance deploys three different types of mechanisms:
• Decision-making structures—Organizational units and roles responsible for making IT decisions, such as committees, executive teams and business/IT relationship managers


• Alignment processes—Formal processes for ensuring that daily behaviors are consistent with IT policies and provide input back to decisions. These include IT investment proposal and evaluation processes, architecture exception processes, service-level agreements, chargeback, and metrics.
• Communication approaches—Announcements, advocates, channels and education efforts that disseminate IT governance principles and policies and outcomes of IT decision-making processes

WHAT QUESTIONS SHOULD BE ASKED?

The Australian Computer Society president, Richard Hogg, said:

Just as [information and communication technologies (ICT)] managers are having to broaden their skills to better understand the business structure and processes they are required to support, so must boards enhance their awareness of the various issues associated with IT. Corporate boards must learn what questions to ask about ICT governance… It is poor corporate governance to push ICT governance down to the IT manager level. ICT is an integral part of their business and ICT governance is an integral part of corporate governance.[21]

Asking tough questions is an effective way to get started in implementing IT governance. Of course, those responsible for governance want good answers to these questions. Then they want action. Then they need follow-up. It is essential to determine not just the action, but also who is responsible to deliver what by when.[22]

The Canadian Institute of Chartered Accountants (CICA) released a brochure called “20 Questions Directors Should Ask About IT” to assist corporate directors in the discharge of their responsibilities. The document is also intended to be helpful to audit and IT steering committees.[23] The questions make it clear that the prime responsibility rests with management to implement the necessary procedures. The board members need to determine that management has done so—that the procedures are in place.

Moreover, if the directors are to perform an effective oversight role with regard to management, they would be remiss to rely simply on the representations of management, no matter how honest and reliable management might be. Therefore, some corroborating evidence would be essential. Directors must determine that procedures are in place, that the procedures are appropriate, and they must obtain corroborating evidence.[24]

CONCLUSION

Maturity of the governance of key assets varies significantly in most enterprises today. Financial and physical assets are typically the best governed, and information assets are among the worst governed. However, IT governance should be an integral part of corporate governance. Asking proper questions is an effective way to get started in implementing IT governance. Board members must learn what questions to ask about IT governance. Then, they need good answers to these questions and they must require action. The next step is to implement governance arrangements through a set of governance mechanisms—structures, processes and communications.

ENDNOTES

[1] Organisation for Economic Co-operation and Development (OECD), OECD Principles of Corporate Governance, France, 2004
[2] Rock, Rachel; Maria Otero; Sonia Saltzman; Principles and Practices of Microfinance Governance, ACCION International, USA, August 1998
[3] Van Grembergen, Wim; Steven DeHaes; Implementing Information Technology Governance: Models, Practices and Cases, IGI Publishing, USA, 2008
[4] Nolan, Richard; F. Warren McFarlan; “Information Technology and the Board of Directors,” Harvard Business Review, 1 October 2005
[5] Bank for International Settlements (BIS), “Enhancing Corporate Governance in Banking Organisations,” September 1999, referenced in IT Governance Institute (ITGI), Unlocking Value: An Executive Primer on the Critical Role of IT Governance, USA, 2008
[6] Op cit, Van Grembergen and DeHaes, 2008
[7] International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 38500:2008, Corporate governance of information technology, 2008, www.iso.org/iso/catalogue_detail.htm?csnumber=51639
[8] ITGI, Board Briefing on IT Governance, 2nd Edition, USA, 2003
[9] Weill, Peter; Jeanne Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business Press, USA, 2004
[10] Broadbent, Marianne; “Understanding IT Governance,” CIO Canada, 1 April 2003
[11] Musson, David; “IT Governance: A Critical Review of the Literature,” Information Technology Governance and Service Management: Frameworks and Adaptations, Ed. Aileen Cater-Steel, Information Science Reference, USA, 2009
[12] ITGI, COBIT, 1996-2007, www.isaca.org/cobit
[13] Office of Government Commerce, IT Infrastructure Library (ITIL) V3, UK, 2009
[14] ISO and IEC, ISO/IEC 27001, Information technology—Security techniques—Information security management systems—Requirements, 2005, www.iso.org/iso/catalogue_detail?csnumber=42103
[15] Van Bon, Jan; Arjen de Jong; Axel Kolthof; Mike Pieper; Ruby Tjassing; Annelies van der Veen; Tieneke Verheijen; Foundations of IT Service Management Based on ITIL® V3, Van Haren Publishing, The Netherlands, 2007
[16] ISACA, www.isaca.org/cobit
[17] IT Service Management Zone, www.itil.org.uk
[18] BSI Management Systems, www.bsi-emea.com
[19] Op cit, ISO/IEC 38500:2008
[20] Op cit, Weill and Ross
[21] Australian Computer Society (ACS), “ACS Stresses Need for Better ICT Governance,” media release, 5 March 2002
[22] Op cit, ITGI, 2003
[23] Canadian Institute of Chartered Accountants (CICA), “20 Questions Directors Should Ask About IT,” Canada, 2004
[24] Trites, Gerald; “Director Responsibility for IT Governance,” International Journal of Accounting Information Systems, vol. 5, issue 2, July 2004

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription
to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance
Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.
