IT Governance consists of the leadership and the organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives. IT Governance is based on a structure of relationships and processes to direct and control the organisation, in order to achieve the organisation’s goals by adding value while balancing risk versus return over Information Technology (IT) and its processes.
ISO 38500 defines IT Governance as “The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation.”
The overall objectives of IT Governance are therefore:
- to understand the issues and the strategic importance of IT,
- to ensure that the enterprise can sustain its operations, and
- to ascertain that it can implement the strategies required to extend its activities into the future.
IT Governance practices aim to ensure that:
- expectations of IT are met, and
- IT risks are mitigated.
IT Governance is a subset of Corporate or Enterprise Governance (see GRC), which is the set of responsibilities and practices exercised by the board and executive management with the goal of:
- providing strategic direction,
- ensuring that objectives are achieved,
- ascertaining that risks are managed appropriately, and
- verifying that the enterprise’s resources are used responsibly.
IT Controls and IT Control Objectives
Controls are the policies, procedures, practices and organisational structures that are designed to provide reasonable assurance that Business Objectives will be achieved and that undesired events will be prevented, detected or corrected (see COSO Internal Control System).
An IT Control Objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
IT Governance frameworks
IT Governance frameworks include:
- ISO/IEC 38500:2008, Corporate governance of information technology, is based on the Australian Standard for Corporate Governance of Information and Communication Technology, AS8015-2005. It provides a framework for effective governance of IT to assist those at the highest level of organisations in understanding and fulfilling their legal, regulatory and ethical obligations in respect of their organisations’ use of IT.
- COBIT is regarded as the world’s leading IT governance and control framework. An organisation can use it to ensure that IT is working as effectively as possible: maximising the benefits of technology investments, minimising risk and optimising the use of resources (see COBIT).