christophe feltus introduction to iso 38500 v1 0


Uploaded by luxembourg-institute-of-science-and-technology-list, posted 08-May-2015


Page 1

Introducing ISO/IEC 38500:Corporate Governance in ICT

Christophe Feltus

Member of the ISO JTC1/SC7/WG1A on ICT Governance

Public Research Centre Henri Tudor,

29, Rue John F. Kennedy

L-1855 Luxembourg

[email protected]

Page 2

Outline

• ICT Governance definitions

• SG on ICT Governance

– itSMF involvement

– Interim Report

– Beyond ISO 38500

• Scope

• Application

• Objectives

• 6 principles

• Model for Corporate Governance of ICT

• Conclusions


Page 4

Some definitions

• AS 8015 – Australian National Standards

Corporate Governance of ICT is the system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organization. (Corporate Governance of Information and Communication Technology; January 2005).

• OECD Corporate Governance

Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring. (OECD Code on Corporate Governance)

Page 5

Some definitions

• ITGI (IT Governance Institute)

IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives. (Board Briefing, 2nd edition; 2003).

• World Bank Definition of Corporate Governance

Corporate governance refers to the structures and processes for the direction and control of companies. Corporate governance concerns the relationships among the management, the Board of Directors, the controlling shareholders and other stakeholders. Good corporate governance contributes to sustainable economic development by enhancing the performance of companies and increasing their access to outside capital.

Page 6

Some definitions

• MIT Sloan Center for Information Systems Research :

IT Governance is specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT. (MIT CISR Working Paper No. 326; April 2002).

• University of Tasmania

The survey of the literature by academics from the University of Tasmania (Webb, Phyl, Pollard, Carol, and Ridley, Gail (2006), Attempting to Define IT Governance: Wisdom or Folly?, Proceedings of the 39th Hawaii International Conference on Systems Sciences) brings out the ‘elements’ that are common to a range of suggested definitions. The elements are: strategic alignment, delivery of business values, performance management, risk management, policies and procedures, and control and accountability. Their resultant definition is : IT Governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management.


Page 8

Study Group in ISO

• JTC1 : Information Technology Standards

• JTC1 / SC7 : Software and System Engineering

• JTC1 / SC7 / WG25 : IT Operations (service management)

• Basically : Study Group in WG25

Study Group Chair : Alison Holt (New Zealand)

Co-Chair : Ed Lewis (Australia)

Members : Alwyn Smit, South Africa

Melanie Cheong, South Africa

Jyrki Lahnalahti, Finland

Craig Pattison, itSMFI/New Zealand

Darcie Destito, United States

Gargi Keeni, India

Sushil Chatterji, ISACA/ITGI

Brian Cusack, New Zealand

Christophe Feltus, Luxembourg

Yoshiyuki Hirano, Japan

K.T. Hwang, Korea

Bill Powell, United States

Dennis Ravenelle, itSMFI

Hella Shrader, United Kingdom

Mark Toomey, Australia

Mikhail Pototsky, Russian Federation/itSMFI

Max Shanahan, ISACA/ITGI

Luis Rosa, Spain

Jenny Dugmore, UK.

Page 9

Study Group in ISO

• In Seoul (2006) :

Reduce – if not remove – the confusion in the professional and the academic literature about the topic

Resolutions :

- New SG

- 1st report

- Fast Track

• In Moscow (May 2007) : Preparation of 1st report

Definition of ICT Governance

What is ICT Governance ?

Page 10

Study Group in ISO

• Montreal (November 2007)

Fast Track on Australian Standard on ICT Governance

– Accepted in July

– Resolution of comments on Fast Track : 149

  – Canada : 2

  – Spain : 1

  – France : 5

  – Italy : 10

  – Japan : 10

  – Korea : 1

  – Luxembourg : 46

  – New Zealand : 6

  – UK : 4

  – Sweden : 9

  – USA : 15

  – South Africa : 40

– 1st report

– NWI


Page 12

ISO – itSMF liaison (by WG)

Page 13

ISO – itSMF liaison (by WG)

Page 14: Christophe feltus introduction to iso 38500 v1 0

The formal description it offers is:

“Governance is the collective set of procedures, policies, roles andresponsibilities, and organizational structures required to support aneffective decision-making process”.

Advisory Board Paper

Page 15

Advisory Board Paper

Benefits of Governance : (Key words)

– Achieving business objectives by ensuring that each element of the mission and strategy is assigned and managed with a clearly understood and transparent decision rights and accountability framework.

– Defining and encouraging desirable behavior in the use of IT and in the execution of IT outsourcing arrangements.

– Implementing and integrating the desired business processes into the organization.

– Providing stability and overcoming the limitations of organizational structure.

– Improving customer, business and internal relationships and satisfaction, and reducing internal territorial strife by formally integrating the customers, business units, and external IT providers into a holistic IT governance framework.

– Enabling effective and strategically aligned decision making for the IT Principles that define the role of IT, IT Architecture, IT Infrastructure, Application Portfolio and Frameworks, Service Portfolio, Information and Competency Portfolios and IT Investment & Prioritization.


Page 17

Interim Report

• A review of national governance activities

• The identification of a set of guiding principles for the development of an ICT Governance standard to meet market requirements

• The identification of the ICT governance needs to be addressed in the standard

• An assessment of where ICT governance sits within JTC1

• A review of elements of ICT governance in existing SC7 standards

• Analysis to determine the level of standard required to sit above existing frameworks and methodologies without replacing or displacing existing material. Identification of the sort of “standard” required - TR, code of practice or guidelines

• Analysis of what would need to be added to AS 8015 to meet these needs

• Analysis of whether a maturity framework could be included from the outset

• Liaison Relationships: Contributions requested from existing bodies of knowledge

• Call to action dependent on AS 8015 fast track result (which is now known)

Page 18

Governance around the world

Written and oral reports were presented to the ICT Study Group reviewing the state of different ICT Standards environments within the different jurisdictions.

A general movement towards compliance frameworks was reported in terms of legislation, Standards adoption and control framework adoption (eg. CobiT, ITIL, and so on).

Several reports noted that regulatory requirements were pending and that there is considerable momentum gathering for comprehensive directives (both explicit and implicit). The importance of ICT Governance and the current opportune moment in time for ICT Governance advancement was reported in each case.

Page 19

What is ICT Governance ?

• The Working Group should establish a Glossary of governance terms. The Glossary especially should include definitions that help to establish the difference between Governance and Management. The definitions must be compatible with those in existing ISO Standards

Director

Member of the most senior governing body of an organization. Includes owners, board members, partners, senior executives or similar, and officers authorized by legislation or regulation.

Management

Management is the process of controlling the activities required to achieve the strategic objectives set by the organisation's governing body. Management is subject to the policy guidance and monitoring set through corporate governance.

Page 20

What is ICT Governance ?

• The objective of governance is to determine and cause the desired behavior and results to achieve the strategic impact of IT.

– The system in which directors monitor, evaluate and direct IT management to ensure effectiveness, accountability and compliance of IT

• The active distribution of decision-making rights and accountabilities among different stakeholders in an organization and the rules and procedures for making and monitoring those decisions to determine and achieve desired behaviors and results.

– who makes directing, controlling and executing decisions

– how the decisions will be made

– what information is required to make the decisions

– what decision-making mechanisms should be required

– how exceptions will be handled

– how the governance results should be reviewed and improved


Page 22

Scope

The objective of this Standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations.

Page 23

Scope

Governance is distinct from management, and for the avoidance of confusion, the two concepts are clearly defined in the standard.

…the members of the governing body may also occupy the key roles in management.

It provides guidance to those advising, informing, or assisting directors. They include:

• Senior managers.

• Members of groups monitoring the resources within the organization.

• External business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies.

• Vendors of hardware, software, communications and other IT products.

• Internal and external service providers (including consultants).

• IT auditors.

The standard is applicable for all organizations, from the smallest, to the largest, regardless of purpose, design and ownership structure.


Page 25

Application

This standard is applicable to all organizations, including public and private companies, government entities, and not-for-profit organizations.

The standard is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their use of IT.


Page 27

Objectives

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT in all organizations by:

• assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization’s corporate governance of IT;

• informing and guiding directors in governing the use of IT in their organization; and

• providing a basis for objective evaluation of the corporate governance of IT.


Page 29

6 principles

Principle 1: Establish clearly understood responsibilities for IT

Principle 2: Plan IT to best support the organization

Principle 3: Acquire IT validly

Principle 4: Ensure that IT performs well, whenever required

Principle 5: Ensure IT conforms with formal rules

Principle 6: Ensure IT use respects human factors


Page 31

Model for Corporate Governance of ICT

Directors should govern ICT through three main tasks:

(a) Evaluate the use of ICT.

(b) Direct preparation and implementation of plans and policies.

(c) Monitor conformance to policies, and performance against the plans.

Page 32

Evaluate

• Directors should examine and make judgement on the current and future use of IT, including strategies, proposals and supply arrangements (whether internal, external, or both).

• In evaluating the use of IT, directors should consider the pressures acting upon the business, such as technological change, economic and social trends, and political influences.

• Directors should also take account of both current and future business needs — the current and future organizational objectives that they must achieve, such as maintaining competitive advantage, as well as the specific objectives of the strategies and proposals they are evaluating.

Page 33

Direct

• Directors should assign responsibility for, and direct preparation and implementation of plans and policies. Plans should set the direction for investments in IT projects and IT operations. Policies should establish sound behaviour in the use of IT.

• Directors should ensure that the transition of projects to operational status is properly planned and managed, taking into account impacts on business and operational practices and existing IT systems and infrastructure.

• Directors should encourage a culture of good governance of IT in their organization by requiring managers to provide timely information, to comply with direction and to conform with the six principles of good governance.

Page 34

Monitor

• To complete the cycle, directors should monitor, through appropriate measurement systems, the performance of IT use. They should reassure themselves that performance is in accordance with plans, particularly with regard to business objectives.

• They should also make sure that the use of IT conforms with external obligations (regulatory, legislation, common law, contractual) and internal work practices. If necessary, directors should direct the submission of proposals for approval to address identified needs.


Page 36

Conclusions and Future Works

Review the use of the Plan, Do, Check, Act (PDCA) lifecycle versus Evaluate, Direct, Monitor (EDM). Show mapping of EDM versus PDCA.

Incorporate human behavioural aspects into the chosen lifecycle.

Produce a diagram demonstrating the inter-relation of principles.

Develop derivative material to cover:

· Clarification on the risks of poor governance and decision making;

· Analysis on the benefits of Governance across the IT lifecycle; and

· The explanation of each principle.

Development of a TR2 for CIOs and executives to assist them in explaining the rationale and implications (risks and benefits) of the principles.

Development of a TR2 for guidelines for the use of the standard by Public Sector organizations

Page 37

Conclusions and Future Works

Determine market requirements and then determine the coverage of future standards, for example IT Projects, IT Operations, IT Use or some other frameworks :

3 SGs

Digital Forensics,

Governance of IT operations,

Schedule of Products.

3 NWIs

Guides for the Implementation of 38500

Standard for the Governance of Business Change involving IT investment

Standard for the Corporate Governance of business projects involving IT investment