IT Governance & ISO 38500

Uploaded by ramiro-cid, posted 15-Apr-2017. Category: Government & Nonprofit.

TRANSCRIPT

ramirocid.com [email protected] Twitter: @ramirocid

Ramiro Cid | @ramirocid

IT Governance & ISO 38500

Index

1. First approach to IT Governance
2. Problems with IT Governance
3. IT Governance: Frameworks
4. IT Governance: Lifecycle
5. ISO/IEC 38500:2008 - Main topics
6. ISO/IEC 38500:2008 - Main purposes
7. ISO/IEC 38500:2008 - 6 Basic principles
8. ISO/IEC 38500:2008 - Remarks on 2 Basic principles
9. Sources used to expand knowledge

1. First approach to IT Governance

IT governance, or corporate governance of information technology, is a subset discipline of corporate governance focused on information and technology (IT) and its performance and risk management.

The interest in IT governance is due to the ongoing need within organizations to focus value-creation efforts on the organization's strategic objectives, and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.

It is also very important to align IT strategy with business strategy. IT governance has evolved from the Principles of Scientific Management, Total Quality Management and the ISO 9001 quality management system.

An IT governance framework is used to identify, establish and link the mechanisms that oversee the use of information and related technology, in order to create value and manage the risks associated with using information and technology.

2. Problems with IT Governance

IT governance is often confused with IT management, compliance and IT controls. The problem is compounded by terms such as "governance, risk and compliance (GRC)", which establish a link between governance and compliance. The primary focus of IT governance is the stewardship of IT resources on behalf of various stakeholders, whose ranking is established by the organization's governing body. A simple way to explain IT governance is: what is to be achieved from leveraging IT resources (the what). While IT management is about "planning, organizing, directing and controlling the use of IT resources" (that is, the how), IT governance is about creating value for the stakeholders based on the direction given by those who govern. ISO 38500 has helped clarify IT governance by describing a model to be used by company directors.

While directors are responsible for this stewardship, it is not unusual for them to delegate this responsibility to management (business and IT), who are expected to develop the capability necessary to deliver the expected performance. While managing risk and ensuring compliance are essential components of good governance, the primary focus is on delivering value and managing performance (i.e. "Governance, Value delivery and Performance management" (GVP)).

3. IT Governance: Frameworks

AS8015-2005: Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.

ISO/IEC 38500:2008: Corporate governance of information technology (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory and ethical obligations in respect of their organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities and not-for-profit organizations.

3. IT Governance: Frameworks (cont.)

COBIT: regarded as the world's leading IT governance and control framework. COBIT provides a reference model of 37 IT processes typically found in an organization. Each process is defined together with its inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. ISACA published COBIT 5 in April 2012 as a "business framework for the governance and management of enterprise IT". COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into a single enterprise framework that is aligned and interoperable with TOGAF and ITIL. The current version is COBIT 5.

4. IT Governance: Lifecycle

(This slide consists of a lifecycle diagram that is not reproduced in the transcript.)

5. ISO/IEC 38500:2008 - Main topics

IT governance has its own ISO standard: ISO/IEC 38500:2008, "Corporate governance of information technology". This presentation focuses on this IT governance framework.

The standard was published in June 2008 and complements the set of ISO standards that affect information systems and technologies (such as ISO/IEC 27001, ISO/IEC 20000, etc.).

The standard sets out norms for the good management of business processes and decisions related to information and communication services. These services are usually managed by IS/IT specialists, whether internal to the IT organization, located in other business units, or external service providers.

6. ISO/IEC 38500:2008 - Main purposes

In essence, the whole standard can be summarized into three main purposes:

a) Assure stakeholders (managers, consultants, engineers, hardware vendors, auditors, etc.) that, if the standard is followed properly, they can rely on the organization's corporate governance of IT.

b) Provide information and guidance to the managers who control the use of IS/IT in their organization.

c) Provide a basis for the objective evaluation of IT management by top management. Likewise, the standard encourages the adoption of a minimum set of measures so that the organization achieves its IT goals.

7. ISO/IEC 38500:2008 - 6 Basic principles

1. Assigning decision-making responsibilities to competent people (Responsibility)

2. Alignment of IT with the strategic objectives of the organization; good planning supports the improvement of the organization (Strategy)

3. Investing in suitable IT assets (Acquisition)

4. Quality in the operation of IT systems (Performance)

5. Ensuring the legal and regulatory compliance of IT systems (Conformance)

6. Involving and respecting the human factor (Human Behaviour)

8. ISO/IEC 38500:2008 - Remarks on 2 Basic principles

Compliance with the legal environment is a growing need for IS/IT organizations of any size, as there is a great deal of legislation regulating the use of information, communications, etc., which forms a binding legal framework that cannot be ignored.

The human factor is often treated only tangentially in many business strategies and, above all, in IS/IT strategies. Fortunately, this standard incorporates it as one more fundamental pillar (as ISO 27001 does, for example, in its domain "8. Human resources security").

9. Sources used to expand knowledge

IT Governance Definition and Solutions | cio.com
URL: http://www.cio.com/article/2438931/governance/it-governance-definition-and-solutions.html

"Corporate governance of information technology" definition | Wikipedia
URL: https://en.wikipedia.org/wiki/Corporate_governance_of_information_technology

IT Governance Defined | ITGovernance
URL: http://www.itgovernance.co.uk/it_governance.aspx

"IT Governance: Developing a successful governance strategy" | National Computing Centre (published on the Isaca.org website)
URL: https://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf

Questions?

Many thanks!

Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA
[email protected]
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com
http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro