The International Organization for Standardization (ISO) thinks so. It has developed ISO 38500 to complement COBIT and ITIL, comparing the standards to the roof, walls and foundation of a house:
If the board tried to implement the roof, ISO 38500, without the foundation or walls, it would collapse. Furthermore, without the roof, enterprises would be exposed to the elements. ISO 38500 … does not replace COBIT, ITIL, or other standards or frameworks, but, rather, it complements them by providing a demand-side-of-IT-use focus. …
This standard provides a structure for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory and ethical obligations regarding their organizations’ use of IT. The scope of the standard is to provide guiding principles for directors of organizations on the effective, efficient and acceptable use of IT within their organizations.
Without direction—and, crucially, understanding—from above (i.e., owners, board members, directors, partners and senior executives), information technology can’t be aligned with strategic objectives. ISO 38500 sets out three main tasks for directors with respect to IT:
- Evaluate the current and future use of IT
- Direct preparation and implementation of plans and policies to ensure that the use of IT meets business objectives
- Monitor conformance to policies and performance against the plans
COBIT Focus also offers some tips to implement the standard:
- Make ISO 38500 a board and executive management priority; if it is to succeed, IT governance must be directed from the top
- Make IT governance part of the IT strategy, which is, in turn, part of the business strategy
- Look for tangible benefits as opposed to “compliance for compliance’s sake”
- Acknowledge the people factor, and incorporate it into key performance indicators (KPIs)
- Prioritize IT governance activities with clear milestones
I last wrote about IT strategy a year ago. That post focused more on management than directors, but it demonstrates nonetheless how organizations can benefit from engaging those at the top in IT discussions.
Adam Gorley
First Reference Internal Controls, Human Resources and Compliance Editor