
itSMF-NL Spring 2008 Conference

"Best Practices in IT Management: BEYOND ITIL, BEYOND CONTROL"
April 22, 2008, Hotel & Congrescentrum De Reehorst, Ede, Nederland

ISO/IEC 29382 - the new standard for ICT Governance
Christophe Feltus
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg
christophe.feltus@tudor.lu
July 21, 2010

Outline
ICT Governance definitions
SG on ICT Governance

itSMF involvement
Interim Report
Beyond ISO 29382

Scope
Application
Objectives
6 principles
Model for Corporate Governance of ICT

Conclusions


Some definitions
AS 8015 Australian National Standards
Corporate Governance of ICT is the system by which the current and
future use of ICT is directed and controlled. It involves evaluating and
directing the plans for the use of ICT to support the organization and
monitoring this use to achieve plans. It includes the strategy and policies
for using ICT within an organization. (Corporate Governance of
Information and Communication Technology; January 2005).

OECD Corporate Governance
Corporate governance involves a set of relationships between a
company's management, its board, its shareholders and other
stakeholders. Corporate governance also provides the structure through
which the objectives of the company are set, and the means of attaining
those objectives and monitoring performance are determined. Good
corporate governance should provide proper incentives for the board and
management to pursue objectives that are in the interests of the company
and its shareholders and should facilitate effective monitoring. (OECD
Code on Corporate Governance)


Some definitions
ITGI (IT Governance Institute)
IT Governance is the responsibility of the board of directors and executive
management. It is an integral part of enterprise governance and consists
of the leadership and organisational structures and processes that ensure
that the organisation's IT sustains and extends the organisation's
strategies and objectives. (Board Briefing, 2nd edition; 2003).

World Bank Definition of Corporate Governance
Corporate governance refers to the structures and processes for the
direction and control of companies. Corporate governance concerns the
relationships among the management, the Board of Directors, the
controlling shareholders and other stakeholders. Good corporate
governance contributes to sustainable economic development by
enhancing the performance of companies and increasing their access to
outside capital.


Some definitions
MIT Sloan Center for Information Systems Research:
IT Governance is specifying the decision rights and accountability
framework to encourage desirable behaviour in the use of IT. (MIT CISR
Working Paper No. 326; April 2002).

University of Tasmania
The survey of the literature by academics from the University of Tasmania
(Webb, Phyl, Pollard, Carol, and Ridley, Gail (2006), Attempting to Define
IT Governance: Wisdom or Folly?, Proceedings of the 39th Hawaii
International Conference on Systems Sciences) brings out the elements
that are common to a range of suggested definitions. The elements are:
strategic alignment, delivery of business values, performance
management, risk management, policies and procedures, and control and
accountability. Their resultant definition is: IT Governance is the
strategic alignment of IT with the business such that maximum
business value is achieved through the development and
maintenance of effective IT control and accountability, performance
management and risk management.


Study Group in ISO


JTC1: Information Technology Standards
JTC1 / SC7: Software and System Engineering
JTC1 / SC7 / WG25: IT Operations (service management)
Basically: Study Group in WG25
Study Group Chair: Alison Holt (New Zealand)
Co-Chair: Ed Lewis (Australia)
Members:

Alwyn Smit, South Africa
Melanie Cheong, South Africa
Jyrki Lahnalahti, Finland
Craig Pattison, itSMFI/New Zealand
Darcie Destito, United States
Gargi Keeni, India
Sushil Chatterji, ISACA/ITGI
Brian Cusack, New Zealand
Christophe Feltus, Luxembourg
Yoshiyuki Hirano, Japan
K.T. Hwang, Korea
Bill Powell, United States
Dennis Ravenelle, itSMFI
Hella Shrader, United Kingdom
Mark Toomey, Australia
Mikhail Pototsky, Russian Federation/itSMFI
Max Shanahan, ISACA/ITGI
Luis Rosa, Spain
Jenny Dugmore, UK.


Study Group in ISO


In Seoul (2006):
Reduce if not remove the confusion in the professional and the
academic literature about the topic
Resolutions:
- New SG
- 1st report
- Fast Track

In Moscow (May 2007):
Preparation of 1st report
Definition of ICT Governance
What is ICT Governance?


Study Group in ISO


Montreal (November 2007)
Fast Track on Australian Standard on ICT Governance
Accepted in July
Resolution of comments on Fast Track: 149
Canada: 2
Spain: 1
France: 5
Italy: 10
Japan: 10
Korea: 1
Luxembourg: 46
New Zealand: 6
UK: 4
Sweden: 9
USA: 15
South Africa: 40

1st report
NWI


ISO itSMF liaison (by WG)


Link with ISO 20000


ISO 20000 - The standard describes the controls needed to effectively
deliver services that meet the needs of the customer and business
requirements.
The processes described in ISO 20000 underpin an effective
governance framework and therefore need to be closely aligned to
any proposed ICT Governance standard.
All reviewed standards have a relationship with ICT Governance
and many sections overlap not only in comparison to ISO/IEC
38500 standard but also amongst the individual reviewed
standards. Any drafting of a new international ICT
Governance standard needs to take the above existing
standards into account and ensure that a) there are no
conflicts and b) all governance related sections are covered.
A weakness of all reviewed standards is around the need for
strategic direction and the implementation of controls to
support and manage this area.


Advisory Board Paper


The formal description it offers is:

Governance is the collective set of procedures, policies, roles
and responsibilities, and organizational structures required
to support an effective decision-making process.


Advisory Board Paper


Benefits of Governance: (Key words)

Achieving business objectives by ensuring that each element of the mission and
strategy is assigned and managed with a clearly understood and transparent
decision rights and accountability framework.

Defining and encouraging desirable behavior in the use of IT and in the execution
of IT outsourcing arrangements.

Implementing and integrating the desired business processes into the organization.

Providing stability and overcoming the limitations of organizational structure.

Improving customer, business and internal relationships and satisfaction, and
reducing internal territorial strife by formally integrating the customers, business
units, and external IT providers into a holistic IT governance framework.

Enabling effective and strategically aligned decision making for the IT Principles
that define the role of IT, IT Architecture, IT Infrastructure, Application Portfolio and
Frameworks, Service Portfolio, Information and Competency Portfolios and IT
Investment & Prioritization.

Interim Report
- A review of national governance activities
- The identification of a set of guiding principles for the development of an ICT
  Governance standard to meet market requirements
- The identification of the ICT governance needs to be addressed in the
  standard
- An assessment of where ICT governance sits within JTC1
- A review of elements of ICT governance in existing SC7 standards
- Analysis to determine the level of standard required to sit above existing
  frameworks and methodologies without replacing or displacing existing
  material. Identification of the sort of standard required - TR, code of
  practice or guidelines
- Analysis of what would need to be added to AS 8015 to meet these needs
- Analysis of whether a maturity framework could be included from the outset
- Liaison Relationships: Contributions requested from existing bodies of
  knowledge
- Call to action dependent on AS 8015 fast track result (which is now known)


Review of the status of ICT Governance across different nations
Written and oral reports were presented to the ICT Study
Group reviewing the state of different ICT Standards
environments within the different jurisdictions.
A general movement towards compliance frameworks was
reported in terms of legislation, Standards adoption and
control framework adoption (e.g. CobiT, ITIL, and so on).

Several reports noted that regulatory requirements were
pending and that there is considerable momentum gathering
for comprehensive directives (both explicit and implicit). The
importance of ICT Governance and the current opportune
moment in time for ICT Governance advancement was
reported in each case.


What is ICT Governance?


The Working Group should establish a Glossary of governance
terms. The Glossary especially should include definitions that help
to establish the difference between Governance and Management.
The definitions must be compatible with those in existing ISO
Standards.
Director
Member of the most senior governing body of an organization.
Includes owners, board members, partners, senior executives or
similar, and officers authorized by legislation or regulation.

Management
Management is the process of controlling the activities required to
achieve the strategic objectives set by the organisation's governing
body. Management is subject to the policy guidance and
monitoring set through corporate governance.


What is ICT Governance?


The objective of governance is to determine and cause the desired
behavior and results to achieve the strategic impact of IT.

The system in which directors monitor, evaluate and direct IT management to
ensure effectiveness, accountability and compliance of IT.

The active distribution of decision-making rights and accountabilities
among different stakeholders in an organization and the rules and
procedures for making and monitoring those decisions to determine and
achieve desired behaviors and results.

- who makes directing, controlling and executing decisions
- how the decisions will be made
- what information is required to make the decisions
- what decision-making mechanisms should be required
- how exceptions will be handled
- how the governance results should be reviewed and improved


Beyond ISO 29382: scope

The objective of this Standard is to provide a framework of principles
for Directors to use when evaluating, directing and monitoring the
use of information technology (IT) in their organizations.


Beyond ISO 29382: scope

Governance is distinct from management, and for the avoidance of
confusion, the two concepts are clearly defined in the standard.
The members of the governing body may also occupy the key roles
in management.
It provides guidance to those advising, informing, or assisting
directors. They include:
- Senior managers.
- Members of groups monitoring the resources within the organization.
- External business or technical specialists, such as legal or accounting
  specialists, retail associations, or professional bodies.
- Vendors of hardware, software, communications and other IT products.
- Internal and external service providers (including consultants).
- IT auditors.

The standard is applicable for all organizations, from the smallest to
the largest, regardless of purpose, design and ownership structure.


Beyond ISO 29382: application

This standard is applicable to all organizations, including public and
private companies, government entities, and not-for-profit
organizations.
The standard is applicable to organizations of all sizes from the
smallest to the largest, regardless of the extent of their use of IT.


Beyond ISO 29382: objectives

The purpose of this Standard is to promote effective, efficient, and
acceptable use of IT in all organizations by:

- assuring stakeholders (including consumers, shareholders, and
  employees) that, if the standard is followed, they can have
  confidence in the organization's corporate governance of IT;
- informing and guiding directors in governing the use of IT in their
  organization; and
- providing a basis for objective evaluation of the corporate
  governance of IT.


Beyond ISO 29382: 6 principles

Principle 1: Establish clearly understood responsibilities for IT
Principle 2: Plan IT to best support the organization
Principle 3: Acquire IT validly
Principle 4: Ensure that IT performs well, whenever required
Principle 5: Ensure IT conforms with formal rules
Principle 6: Ensure IT use respects human factors


Beyond ISO 29382: Model for Corporate Governance of ICT

Directors should govern ICT through three main tasks:
(a) Evaluate the use of ICT.
(b) Direct preparation and implementation of plans and policies.
(c) Monitor conformance to policies, and performance against the plans.


Evaluate

Directors should examine and make judgement on the current and
future use of IT, including strategies, proposals and supply
arrangements (whether internal, external, or both).
In evaluating the use of IT, directors should consider the pressures
acting upon the business, such as technological change, economic
and social trends, and political influences.
Directors should also take account of both current and future
business needs - the current and future organizational objectives
that they must achieve, such as maintaining competitive
advantage, as well as the specific objectives of the strategies and
proposals they are evaluating.


Direct

Directors should assign responsibility for, and direct preparation
and implementation of plans and policies. Plans should set the
direction for investments in IT projects and IT operations. Policies
should establish sound behaviour in the use of IT.
Directors should ensure that the transition of projects to
operational status is properly planned and managed, taking into
account impacts on business and operational practices and
existing IT systems and infrastructure.
Directors should encourage a culture of good governance of IT in
their organization by requiring managers to provide timely
information, to comply with direction and to conform with the six
principles of good governance.


Monitor

To complete the cycle, directors should monitor, through
appropriate measurement systems, the performance of IT use.
They should reassure themselves that performance is in
accordance with plans, particularly with regard to business
objectives.

They should also make sure that the use of IT conforms with
external obligations (regulatory, legislation, common law,
contractual) and internal work practices. If necessary, directors
should direct the submission of proposals for approval to address
identified needs.


Conclusions and Future Works


Review the use of the Plan, Do, Check, Act (PDCA) lifecycle versus Evaluate,
Direct, Monitor (EDM). Show mapping of EDM versus PDCA.

Incorporate human behavioural aspects to the chosen lifecycle.

Produce a diagram demonstrating the inter-relation of principles.

Develop derivative material to cover:

Clarification on the risks of poor governance and decision making;

Analysis on the benefits of Governance across the IT lifecycle; and

The explanation of each principle.


Conclusions and Future Works


Determine market requirements and then determine the coverage of future
standards, for example IT Projects, IT Operations, IT Use or some other
frameworks.

Development of a TR2 for CIOs and executives to assist them in explaining
the rationale and implications (risks and benefits) of the principles.

Development of a TR2 for guidelines for the use of the standard by Public
Sector organizations.
