Why is IT Governance Important?
Why IT governance?
The recognition of the need for corporate governance in organisations has been around for several centuries. However, it is only at the end of the last century that people began to put it on a more formal footing. The early 1990s saw the dismissal of several CEOs by their boards in the US, while in the UK Robert Maxwell used £400 million from his employees’ pension fund to prop up the failing Mirror Group. These and other examples of corporate irregularities and fraud forced governments to place corporate governance on a more formal and structured footing. In the UK, this was achieved by the Companies (Audit, Investigations and Community Enterprise) Act 2004, and in the US by the Sarbanes-Oxley Act of 2002.With the increasing influence of IT on the functions of an organisation and the need for appropriate financial controls becoming more apparent, it was realised that IT governance was necessary to achieve appropriate corporate governance. This, in turn, prompted the creation of IT governance standards such as COBIT or AS 8015-2005 (which became the ISO/IEC 38500 standard) which we still use today.ISO 38500 Standard
The ISO 38500 standard is one of the simpler IT governance standards that try to give a high-level overview of key IT governance ideas. Developed from the Australian AS 8015-2005 standard, it was first published in January 2008 having been fast-tracked through the ISO standards processes as it was realised to be a key standard. In 2015 it was revised to the current version, with the key change being a shift in focus from ‘corporate governance of IT’ focusing at the top of the organisation ‘to governance of IT for the organisation’, which focuses on applying IT governance across the organisation with units of the organisation taking ownership of their own governance.The standard is designed to be applicable across all organisations that use IT in any manner and is designed to help ensure that IT systems in the organisation are effective, efficient, and used in an appropriate manner. It does this by- Providing stakeholders* with confidence in the IT governance of the organisation (provided the standard is being followed)
* The ISO 38500:2015 standard defines a stakeholder as ‘any individual, group, or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity’ - Informing and guiding governing bodies in organisational IT use
- Establishing an IT governance vocabulary
- Evaluate the current state of IT in the organisation to judge if it is fit for the current and future needs of the organisation. This will involve internal drivers (such as business needs and stakeholder requirements) and external drivers (such as regulatory requirements, technological changes, changes in the market, etc). This is an ongoing process and needs to be applied to both specific development plans as well as the more general organisational objectives.
- Direct organisational IT usage by the creation of strategies (which set the tone and direction for IT objectives and investment) and policies (which establish the norms for IT behaviour). These strategies and policies can be created by the board or, more commonly, the board will assign responsibilities for their creation to a particular person or organisational unit.
- Monitor the performance of the IT, both with respect to system performance and with respect to strategies, policies and external regulations.

Responsibility
People and groups, both those using and those providing IT resources, should understand and accept their responsibilities for the provision and use of the IT systems. People and groups who have to undertake management or governance tasks should have the authority to carry out those tasks.Strategy
The organisational business strategy takes account of the current and future needs and capabilities of the IT system and the plans for the IT system are capable of meeting the current and future needs of the organisation.Acquisition
Any and all IT acquisitions are made in a clear and transparent manner. Each acquisition is scrutinised in terms of benefits, opportunities, costs, and risks and the reasoning explained and justified.Performance
IT services, IT service levels and IT service quality are fit for current and future business requirements.Conformance
Policies and practices are clearly defined, implemented and enforced. IT usage needs to comply with all mandatory legislation and regulation.Human behaviour
IT systems need to take account of and respect the users of the system. Anybody who interacts with the system in any way should be able to use the parts of the system that they need to in as easy a manner as possible. This will include such things as accessibility for people with a disability, AUPs, physical workstation setup, etc.For each of the above principles, the standard gives guidance and best practice practices on how the principle can be evaluated, directed and monitored.In practice, the ISO 38500 is an excellent starting point and introduction to the key issues in IT governance. However, the whole standard is only 12 pages long, and as such does not provide as much detail or guidance as many of the other IT governance standards.COBIT
COBIT (Control Objectives for Information and Related Technologies) is perhaps one of the best known IT governance frameworks. Developed by ISACA in 1996 as a set of controls to help the financial audit community handle IT systems, it was subsequently expanded to become a full-blown IT governance framework.The current version of COBIT is COBIT 2019, which was released in November and December 2018. The differences between the two versions are small (considering the breadth of COBIT) and focus on updating the standard to better integrate with other related standards, integrating performance management into the main model, and facilitating more openness through the use of new COBIT focus areas.COBIT 2019 was designed around two different sets of principles – six principles that describe the core requirements for a governance system for enterprise IT and three principles for a governance framework that can be used to help build an organisation’s governance system. The six principles for a governance system given in the COBIT framework are:- Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T. Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realise this value.
- A governance system for enterprise I&T is built from a number of components that can be of different types and that work together in a holistic way.
- A governance system should be dynamic. This means that each time one or more of the design factors are changed (eg a change in strategy or technology), the impact of these changes on the Enterprise Governance of Information and Technology (EGIT) system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.
- A governance system should clearly distinguish between governance and management activities and structures.
- A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customise and prioritise the governance system components.
- A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless where the processing is located in the enterprise.
- A governance framework should be based on a conceptual model, identifying the key components and relationships among components, to maximise consistency and allow automation.
- A governance framework should be open and flexible. It should allow the addition of new content and the ability to address new issues in the most flexible way while maintaining integrity and consistency.
- A governance framework should align to relevant major related standards, frameworks and regulations.
- Align, plan and organize (APO) – these objectives focus on the overall organisation and strategy, as well as supporting activities for IT.
- Build, acquire and implement (BAI) – these objectives look at the delivery of new IT services and solutions through either through creation or acquisition. A key part of this group is the need for clear definitions and integration into business processes.
- Delivery, service and support (DSS) – objectives in this group look at the operational side of IT and are particularly relevant to us as this is where security is primarily considered.
- Monitor, evaluate and assess (MEA) – objectives in this group are concerned with performance monitoring and ensuring that systems conform to internal and external requirements. Again this area is particularly relevant to us, as it is here where a SOC will undertake most of its activities.

- Processes – an organised set of descriptions of practices and activities that achieve specified objectives
- Organisational structure – key decision-making entities in an organisation
- Principles, policies and frameworks – the mechanisms for translating desired behaviour into guidance for operational activities
- Information – any information needed for the effective and efficient functioning of the governance system
- Culture, ethics and behaviour – both of individuals and the organisation as a whole need to be considered when deciding how best to design and implement an IT governance system
- People, skills and competencies – these are needed to make sure that good decisions are being made, activities are completed successfully, and when things do go wrong, appropriate corrective action is taken promptly
- Services, infrastructure and applications – the IT side of things
IT governance and the SOC
It should go without saying that the SOC will play a key role in the IT governance of the organisation. This will primarily be in the area of cyber security, but will not be restricted to this. The SOC should be key in helping design any security, privacy and related areas of the IT governance framework. However, the SOC is itself subject to the organisation’s IT governance system. This is particularly important to ensure when you consider both the skill set and the tool set of the SOC.Further reading
ISACA (2018) COBIT 2019 Framework: Introduction and Methodology. [online] available from http://www.isaca.org/COBIT/Pages/COBIT-2019-Framework-Introduction-and-Methodology.aspx [31 July 2019]References
BSI (2018) BS ISO/IEC 38500:2015 Information Technology. Governance of IT for the Organization. [online] available from https://bsol.bsigroup.com/Bibliographic/BibliographicInfoData/000000000030372032 [30 July 2019]Companies (Audit, Investigations and Community Enterprise) Act (2004) [online] London: The Stationery Office. available from https://www.legislation.gov.uk/ukpga/2004/27/contents [31 July 2019]ISACA (2018) COBIT 2019 Framework: Governance and Management Objectives. [online] available from http://www.isaca.org/COBIT/Pages/COBIT-2019-Framework-Governance-and-Management-Objectives.aspx [31 July 2019]Sarbanes-Oxley Act of 2002 15 § 7201. available from https://www.congress.gov/107/plaws/publ204/PLAW-107publ204.pdf [31 July 2019]Our purpose is to transform access to education.
We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.
We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.
Learn more about how FutureLearn is transforming access to education