There are several different IT governance solutions that can be applied for successful governance. IT governance solutions can vary according to the precise characteristics of the organization, its products, and the legislative and regulatory environment that it operates in. Solutions for IT governance risk and compliance also come in many forms, including:
In this article, we will take a brief look at each of these IT governance solutions.
Consultancy in IT governance can take many forms. Consultants who can provide solutions ranging from single operators to large multi-nationals and the fees can vary greatly. Before engaging any consultants in IT governance risk and compliance, it is important that you clearly define what the expected outcomes from the engagement are. If you don’t, then you run the risk of costs exceeding the value and your budget. The different forms of consultancy in IT governance solutions include:
- Gap analysis – Identifying gaps in an existing IT governance model compared with a best practice model.
- Maturity assessments – assessing the maturity of existing IT governance solutions.
- Strategy formulation – helping the organization to map out their strategy for IT governance.
- Design – Designing a model for how IT will be governed.
- Implementation – assisting with the implementation of IT governance models and solutions.
- Standards accreditation – assisting the organization in gaining accreditation against a standard such as ISO/IEC 38500.
- Audit – auditing governance processes and activities to verify that they comply with the design.
- Managed service – providing an outsourced service for the governance of IT.
IT governance risk and compliance management can be enhanced by good consultancy but can be harmed by bad consultancy. When engaging a consultant in IT governance solutions, you are investing in the consultancy; you are also investing in your future. Hence, verifying any external consultant’s credentials, experience, and success record should be a critical part of your engagement process.
There are many different forms of training that can help to provide solutions to IT governance challenges. These range from formal training courses aimed at imparting knowledge about specific IT governance solutions such as the ISO 27001 standard, training in specific compliance requirements such as GDPR, or training that is aimed at a specific governance specialism such as IT security governance risk and compliance. Training can be delivered using traditional classroom-based approaches or by using self-paced online learning.
The outcome of training is a certification for the attendee in the topic, usually tested by an examination. Examinations provide an excellent and well-tried test of the attendee’s assimilation of what has been taught during the training. A good approach is to follow training with a practical application of the skills in the workplace. This helps to embed the learning and immediately provides value back to the organization.
Effective training provides the foundation for all other types of IT governance solutions. Whether an individual’s role is focused on task execution or on IT governance risk and compliance management, training is a very good way for attendees to learn the principles, practices, and approaches that make up solutions to the governance of IT.
Education should not be confused with training. Training will transfer knowledge about specific skills that are required for IT governance. Education will provide a general awareness of the need for IT governance and the characteristics of IT governance solutions. This can be used to brief all staff on why IT governance is important, which will help company-wide adoption of the necessary principles. Education can also be targeted at providing awareness of the specifics of IT governance solutions adopted by the organization, such as IT security governance risk and compliance or GDPR.
Education can, of course, be combined with training. This is common at the foundation level, where attendees expect to get a high-level awareness of the topic, the outline principles, and any specific terminology.
Just like training, education can be delivered in a number of different ways. These include webinars, posters, briefing sessions, and presentations. Whereas success with training can be evaluated by the award of certifications, it can be a challenge to assess if education has been successful. It is, however, important to make attempts to do this, using techniques including survey forms and quizzes. If this is not done, there is a risk that attendees leave without really understanding anything.
One highly important topic in IT governance solutions is how to make employees aware of the risks of phishing emails. These provide an easy way for hackers to breach IT security defenses and are the most commonly used method of attack. Without education on this aspect of IT security governance risk and compliance, every organization runs a very high risk of being impacted by this form of cyber attack.
IT Governance Solutions – Toolkits
Toolkits can include templates, outline models, example documents, and sample processes. The design and implementation phases of any IT governance project can be accelerated by using appropriate toolkits. For example, a toolkit for PCI DSS implementation could include samples of all the documents required to achieve PCI DSS compliance. These would then be tailored for your organization. Using this one of the IT governance solutions can help ensure that you cover all of the necessary requirements for compliance and standards, as they are built using the experience of organizations that have successfully done this.
Toolkits are available for all of the widely used governance approaches and standards, including IT security governance risk and compliance as well as general IT governance. Examples of toolkits include:
- ISO 27001 cybersecurity
- Remote working policy
- PCI DSS documentation
- ISO 20000
- ISO 22301
- ISO 38500
- PYOD policy
- IT strategy
Toolkits should be just one part of your overall IT governance solutions but can give you a good starting position for any implementation.
IT Governance Solutions – Software
Software applications are available to provide support for just about every aspect of IT governance. These can be bundled together into a comprehensive suite of IT governance solutions or can be stand-alone. Software applications include:
- Compliance management
- Risk management
- Dataflow mapping
- Document management
Using software applications for the governance of IT can help with the efficiency of the processes, but the old adage ‘a fool with a tool is still a fool’ always applies. Tools must be used intelligently as part of an overall model for the governance of IT in conjunction with other governance solutions.
IT Governance Solutions – Standards
Several standards are relevant solutions for IT governance. These include:
- ISO/IEC 38500: Information Technology – Governance of IT for the organization Standard. This is the international standard for IT governance, providing guidance for governing bodies and their advisors on the effective, efficient, and acceptable use of IT in their organizations.
- ISO/IEC 20000. This group of standards are focused on IT service management. There are several parts:
- ISO/IEC 20000-1:2011 (ISO 20000-1) Information technology – Service management – Part 1: Service management system requirements which define the requirements for an organization to establish, implement, maintain and improve a service management system.
- ISO/IEC 20000-2:2012 (ISO 20000-2) Information technology – Service management – Part 2: Guidance on the application of service management systems
- ISO/IEC 20000-3:2012 (ISO 20000-3) Information technology – Service management – Part 3: Guidance on Scope definition and applicability of ISO/IEC 20000-1
- ISO/IEC 20000-4:2010 (ISO 20000-4) Information technology – Service management – Part 4: Process reference model
- PAS 555:2013 (PAS 555) Cyber security risk – Governance and Management – Specification. This standard provides an outcomes-based, holistic approach to cyber security.
- ISO/IEC 27000. This large group of standards focuses on IT security. There are many different parts:
- ISO/IEC 27000:2016 (ISO 27000) Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary.
- ISO/IEC 27001:2013 (ISO 27001) Information technology — Security techniques – Information security management systems – Requirements.
- ISO/IEC 27002:2013 (ISO 27002) Information Technology – Security Techniques – Code of Practice for Information Security Controls.
- ISO/IEC 27003:2010 (ISO 27003) Information Technology — Security Techniques – Information Security Management Systems Implementation Guidance.
- ISO/IEC 27004:2016 (ISO 27004) Information technology – Security techniques – Information security management – Monitoring, measurement, analysis, and evaluation.
- ISO/IEC 27005:2011 (ISO 27005) Information technology – Security techniques – Information security risk management.
- ISO/IEC 27006:2015 (ISO 27006) Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems.
- ISO/IEC 27007:2011 (ISO 27007) Information technology – Security techniques – Guidelines for information security management systems auditing.
- ISO/IEC TR 27008:2011 (ISO 27008) Information technology – Security techniques – Guidelines for auditors on information security controls.
- ISO/IEC 27010:2015 (ISO 27010) Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications.
- ISO/IEC 27011:2016 (ISO 27011) Information technology – Security techniques – Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations.
- ISO/IEC 27013:2015 (ISO 27013) Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
- ISO/IEC 27014:2013 (ISO 27014) Information technology – Security techniques – Governance of information security.
- ISO/IEC TR 27015:2012 (ISO 27015) Information technology – Security techniques – Information security management guidelines for financial services.
- ISO/IEC TR 27016:2014 (ISO 27016) Information technology – Security techniques – Information security management – Organizational economics.
- ISO/IEC 27017:2015 (ISO 27017) Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
- ISO/IEC 27018:2014 (ISO27018) Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
- ISO/IEC TR 27019:2013 (ISO 27019) Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry.
- ISO/IEC 27023:2015 (ISO 27023) Information technology – Security techniques – Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002.
- ISO/IEC 27032:2012 (ISO 27032) Information technology – Security techniques – Guidelines for cybersecurity.
- ISO/IEC 27035-1:2016 (ISO 27035-1) Information technology – Security techniques – Information security incident management – Part 1: Principles of incident management.
- ISO/IEC 27036-1:2014 (ISO 27036-1) Information technology – Security techniques – Information security for supplier relationships – Part 1: Overview and concepts.
- ISO/IEC 27036-2:2014 (ISO 27036-2) Information technology – Security techniques – Information security for supplier relationships – Part 2: Requirements.
- ISO/IEC 27036-3:2013 (ISO 27036-3) Information technology – Security techniques – Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security.
- ISO/IEC 27038:2014 (ISO 27038) Information technology – Security techniques – Specification for digital redaction.
- ISO/IEC 27039:2015 (ISO 27039) Information technology – Security techniques – Selection, deployment, and operations of intrusion detection systems (IDPS).
- ISO/IEC 27040:2015 (ISO 27040) Information technology – Security techniques – Storage security.
- ISO/IEC 27041:2015 (ISO 27041) Information technology – Security techniques – Guidance on assuring suitability and adequacy of incident investigative methods.
- ISO/IEC 27042:2015 (ISO 27042) Information technology – Security techniques – Guidelines for the analysis and interpretation of digital evidence.
- ISO/IEC 27043:2015 (ISO 27043) Information technology – Information technology – Security techniques – Incident investigation principles and processes.
- ISO/IEC 3100 is a standard for risk management. There are two parts:
- ISO 31000:2009 (ISO 31000) Risk management – Principles and guidelines.
- ISO/IEC 31010:2009 (ISO 31010) Risk management – Risk assessment techniques.
Getting accredited against any of these standards is not a trivial exercise and will take time and investment. However, the activities necessary to gain compliance will benefit how you govern IT, and external accreditation will validate your capabilities against an accepted standard.
IT Governance Solutions Conclusion
There are many different IT governance solutions. These are most effective when used together as part of an overall model for the governance of IT. The solutions by themselves provide no guarantee of success, but used wisely; they can help you improve how you do IT governance.