ISO/IEC 29382 - the new standard for ICT Governance (Christophe Feltus)


Upload: luxembourg-institute-of-science-and-technology-list

Post on 08-May-2015


Page 1: ISO/IEC 29382 - the new standard for ICT Governance (Christophe Feltus)

itSMF-NL Spring 2008 Conference
"Best Practices in IT Management: BEYOND ITIL, BEYOND CONTROL"
April 22, 2008, Hotel & Congrescentrum De Reehorst, Ede, Nederland
July 21, 2010

Christophe Feltus
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor, 29, Rue John F. Kennedy, L-1855 Luxembourg
christophe.feltus@tudor.lu

ISO/IEC 29382 - the new standard for ICT Governance

Page 2

Outline

- ICT Governance definitions
- SG on ICT Governance
- itSMF involvement
- Interim Report
- Beyond ISO 29382
  - Scope
  - Application
  - Objectives
  - 6 principles
  - Model for Corporate Governance of ICT
- Conclusions


Page 4

Some definitions

AS 8015 – Australian National Standards

Corporate Governance of ICT is the system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organization. (Corporate Governance of Information and Communication Technology; January 2005).

OECD Corporate Governance

Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring. (OECD Code on Corporate Governance)

Page 5

Some definitions

ITGI (IT Governance Institute)

IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives. (Board Briefing, 2nd edition; 2003).

World Bank Definition of Corporate Governance

Corporate governance refers to the structures and processes for the direction and control of companies. Corporate governance concerns the relationships among the management, the Board of Directors, the controlling shareholders and other stakeholders. Good corporate governance contributes to sustainable economic development by enhancing the performance of companies and increasing their access to outside capital.

Page 6

Some definitions

MIT Sloan Center for Information Systems Research:

IT Governance is specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT. (MIT CISR Working Paper No. 326; April 2002).

University of Tasmania

The survey of the literature by academics from the University of Tasmania (Webb, Phyl, Pollard, Carol, and Ridley, Gail (2006), Attempting to Define IT Governance: Wisdom or Folly?, Proceedings of the 39th Hawaii International Conference on Systems Sciences) brings out the 'elements' that are common to a range of suggested definitions. The elements are: strategic alignment, delivery of business values, performance management, risk management, policies and procedures, and control and accountability. Their resultant definition is: IT Governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management.


Page 8

Study Group in ISO

JTC1: Information Technology Standards
JTC1 / SC7: Software and System Engineering
JTC1 / SC7 / WG25: IT Operations (service management)

Basically: Study Group in WG25

Study Group Chair: Alison Holt (New Zealand)
Co-Chair: Ed Lewis (Australia)

Members:
- Alwyn Smit, South Africa
- Melanie Cheong, South Africa
- Jyrki Lahnalahti, Finland
- Craig Pattison, itSMFI/New Zealand
- Darcie Destito, United States
- Gargi Keeni, India
- Sushil Chatterji, ISACA/ITGI
- Brian Cusack, New Zealand
- Christophe Feltus, Luxembourg
- Yoshiyuki Hirano, Japan
- K.T. Hwang, Korea
- Bill Powell, United States
- Dennis Ravenelle, itSMFI
- Hella Shrader, United Kingdom
- Mark Toomey, Australia
- Mikhail Pototsky, Russian Federation/itSMFI
- Max Shanahan, ISACA/ITGI
- Luis Rosa, Spain
- Jenny Dugmore, UK

Page 9

Study Group in ISO

In Seoul (2006):
Reduce – if not remove – the confusion in the professional and the academic literature about the topic.
Resolutions:
- New SG
- 1st report
- Fast Track

In Moscow (May 2007):
- Preparation of 1st report
- Definition of ICT Governance
- What is ICT Governance?

Page 10

Study Group in ISO

Montreal (November 2007)

Fast Track on Australian Standard on ICT Governance: accepted in July

Resolution of comments on Fast Track: 149 comments in total
- Canada: 2
- Spain: 1
- France: 5
- Italy: 10
- Japan: 10
- Korea: 1
- Luxembourg: 46
- New Zealand: 6
- UK: 4
- Sweden: 9
- USA: 15
- South Africa: 40

1st report
NWI (New Work Item)


Page 12

ISO – itSMF liaison (by WG)


Page 14

Link with ISO 20000

ISO 20000 - The standard describes the controls needed to effectively deliver services that meet the needs of the customer and business requirements.

The processes described in ISO 20000 underpin an effective governance framework and therefore need to be closely aligned to any proposed ICT Governance standard.

All reviewed standards have a relationship with ICT Governance and many sections overlap, not only in comparison to the ISO/IEC 38500 standard but also amongst the individual reviewed standards. Any drafting of a new international ICT Governance standard needs to take the above existing standards into account and ensure that a) there are no conflicts and b) all governance related sections are covered. A weakness of all reviewed standards is around the need for strategic direction and the implementation of controls to support and manage this area.

Page 15

Advisory Board Paper

The formal description it offers is:

"Governance is the collective set of procedures, policies, roles and responsibilities, and organizational structures required to support an effective decision-making process".

Page 16

Advisory Board Paper

Benefits of Governance (key words):

- Achieving business objectives by ensuring that each element of the mission and strategy is assigned and managed with a clearly understood and transparent decision rights and accountability framework.
- Defining and encouraging desirable behavior in the use of IT and in the execution of IT outsourcing arrangements.
- Implementing and integrating the desired business processes into the organization.
- Providing stability and overcoming the limitations of organizational structure.
- Improving customer, business and internal relationships and satisfaction, and reducing internal territorial strife by formally integrating the customers, business units, and external IT providers into a holistic IT governance framework.
- Enabling effective and strategically aligned decision making for the IT Principles that define the role of IT, IT Architecture, IT Infrastructure, Application Portfolio and Frameworks, Service Portfolio, Information and Competency Portfolios and IT Investment & Prioritization.


Page 18

Interim Report

- A review of national governance activities
- The identification of a set of guiding principles for the development of an ICT Governance standard to meet market requirements
- The identification of the ICT governance needs to be addressed in the standard
- An assessment of where ICT governance sits within JTC1
- A review of elements of ICT governance in existing SC7 standards
- Analysis to determine the level of standard required to sit above existing frameworks and methodologies without replacing or displacing existing material. Identification of the sort of "standard" required - TR, code of practice or guidelines
- Analysis of what would need to be added to AS 8015 to meet these needs
- Analysis of whether a maturity framework could be included from the outset
- Liaison Relationships: contributions requested from existing bodies of knowledge
- Call to action dependent on AS 8015 fast track result (which is now known)

Page 19

Review of the status of ICT Governance across different nations

Written and oral reports were presented to the ICT Study Group reviewing the state of different ICT Standards environments within the different jurisdictions. A general movement towards compliance frameworks was reported in terms of legislation, Standards adoption and control framework adoption (e.g. CobiT, ITIL, and so on). Several reports noted that regulatory requirements were pending and that there is considerable momentum gathering for comprehensive directives (both explicit and implicit). The importance of ICT Governance and the current opportune moment in time for ICT Governance advancement was reported in each case.

Page 20

What is ICT Governance?

The Working Group should establish a Glossary of governance terms. The Glossary especially should include definitions that help to establish the difference between Governance and Management. The definitions must be compatible with those in existing ISO Standards.

Director

Member of the most senior governing body of an organization. Includes owners, board members, partners, senior executives or similar, and officers authorized by legislation or regulation.

Management

Management is the process of controlling the activities required to achieve the strategic objectives set by the organisation's governing body. Management is subject to the policy guidance and monitoring set through corporate governance.

Page 21

What is ICT Governance?

The objective of governance is to determine and cause the desired behavior and results to achieve the strategic impact of IT.

The system in which directors monitor, evaluate and direct IT management to ensure effectiveness, accountability and compliance of IT.

The active distribution of decision-making rights and accountabilities among different stakeholders in an organization and the rules and procedures for making and monitoring those decisions to determine and achieve desired behaviors and results:
- who makes directing, controlling and executing decisions
- how the decisions will be made
- what information is required to make the decisions
- what decision-making mechanisms should be required
- how exceptions will be handled
- how the governance results should be reviewed and improved


Page 23

Beyond ISO 29382: scope

The objective of this Standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations.

Page 24

Beyond ISO 29382: scope

Governance is distinct from management, and for the avoidance of confusion, the two concepts are clearly defined in the standard.

…the members of the governing body may also occupy the key roles in management.

It provides guidance to those advising, informing, or assisting directors. They include:

• Senior managers.
• Members of groups monitoring the resources within the organization.
• External business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies.
• Vendors of hardware, software, communications and other IT products.
• Internal and external service providers (including consultants).
• IT auditors.

The standard is applicable for all organizations, from the smallest to the largest, regardless of purpose, design and ownership structure.


Page 26

Beyond ISO 29382: application

This standard is applicable to all organizations, including public and private companies, government entities, and not-for-profit organizations.

The standard is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their use of IT.


Page 28

Beyond ISO 29382: objectives

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT in all organizations by:
- assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization's corporate governance of IT;
- informing and guiding directors in governing the use of IT in their organization; and
- providing a basis for objective evaluation of the corporate governance of IT.


Page 30

Beyond ISO 29382: 6 principles

Principle 1: Establish clearly understood responsibilities for IT
Principle 2: Plan IT to best support the organization
Principle 3: Acquire IT validly
Principle 4: Ensure that IT performs well, whenever required
Principle 5: Ensure IT conforms with formal rules
Principle 6: Ensure IT use respects human factors


Page 32

Beyond ISO 29382: Model for Corporate Governance of ICT

Directors should govern ICT through three main tasks:

(a) Evaluate the use of ICT.

(b) Direct preparation and implementation of plans and policies.

(c) Monitor conformance to policies, and performance against the plans.

Page 33

Evaluate

Directors should examine and make judgement on the current and future use of IT, including strategies, proposals and supply arrangements (whether internal, external, or both).

In evaluating the use of IT, directors should consider the pressures acting upon the business, such as technological change, economic and social trends, and political influences.

Directors should also take account of both current and future business needs: the current and future organizational objectives that they must achieve, such as maintaining competitive advantage, as well as the specific objectives of the strategies and proposals they are evaluating.

Page 34

Direct

Directors should assign responsibility for, and direct preparation and implementation of plans and policies. Plans should set the direction for investments in IT projects and IT operations. Policies should establish sound behaviour in the use of IT.

Directors should ensure that the transition of projects to operational status is properly planned and managed, taking into account impacts on business and operational practices and existing IT systems and infrastructure.

Directors should encourage a culture of good governance of IT in their organization by requiring managers to provide timely information, to comply with direction and to conform with the six principles of good governance.

Page 35

Monitor

To complete the cycle, directors should monitor, through appropriate measurement systems, the performance of IT use. They should reassure themselves that performance is in accordance with plans, particularly with regard to business objectives.

They should also make sure that the use of IT conforms with external obligations (regulatory, legislation, common law, contractual) and internal work practices. If necessary, directors should direct the submission of proposals for approval to address identified needs.


Page 37

Conclusions and Future Works

- Review the use of the Plan, Do, Check, Act (PDCA) lifecycle versus Evaluate, Direct, Monitor (EDM). Show mapping of EDM versus PDCA.
- Incorporate human behavioural aspects into the chosen lifecycle.
- Produce a diagram demonstrating the inter-relation of principles.
- Develop derivative material to cover:
  · Clarification on the risks of poor governance and decision making;
  · Analysis on the benefits of Governance across the IT lifecycle; and
  · The explanation of each principle.

Page 38

Conclusions and Future Works

- Determine market requirements and then determine the coverage of future standards, for example IT Projects, IT Operations, IT Use or some other frameworks.
- Development of a TR2 for CIOs and executives to assist them in explaining the rationale and implications (risks and benefits) of the principles.
- Development of a TR2 for guidelines for the use of the standard by Public Sector organizations.