POPI based on ISO 29100
The ISO 38500 standard for Corporate Governance of IT sets out a framework of six principles, a model and guidance for the corporate governance of IT that all companies should apply. Corporate governance of IT is described as the system by which the current and future use of IT is directed and controlled. It is distinct from management, the system of controls and processes required to achieve the strategic objectives set by the organization's governing body.
The first challenge for most organisations in applying the ISO 38500 standard for the corporate governance of IT is to identify the essential requirements. The six principles of the ISO 38500 standard for good corporate governance of IT address:
- Human Behaviour.
Incorporating these principles in decision making about IT will drive the effective, efficient and acceptable use of IT within an organisation.
The six principles of ISO 38500 define a rigorous framework for governing information and technology which, if adopted, will assist directors and top management in balancing risk and encouraging opportunities arising from the use of IT. Proper corporate governance of IT assists organisations in ensuring that IT use contributes positively to the performance of the organization, through:
- appropriate implementation and operation of IT assets
- clarity of responsibility and accountability for the use and provision of IT in achieving the goals of the organization
- business continuity and sustainability
- alignment of IT with business needs
- efficient allocation of resources
- innovation in services, markets, and business
- good practice in relationships with stakeholders
- reduction in the costs for an organization
- realization of approved benefits from each IT investment.
While many organisations have addressed the need for conformance with obligations, few have addressed the use of IT that contributes positively to the performance of the organisation. CIOs need to prioritise the opportunities for IT to impact positively on their organizations.
Governing information technology requires a combination of direction and control at the strategic, tactical and operational levels within the organisation and across its business and IT.
Adopting ISO 38500 starts with the first principle ‐ establish “Responsibility” through:
- IT governance charter
- IT governance framework
- Accountability framework
- CIO role and responsibilities
- Assignment of authority to business, IT, service providers.
Organisations are expected to respond to a wide range of requirements specified in ISO 38500 while at the same time being mindful that two of the cornerstones of IT governance are resource optimisation and the delivery of value to business and customers. Without a well-structured and streamlined approach, organisations are likely to do more than is necessary in some areas and not enough in others when applying the ISO 38500 standard to the governance of information and related technology.
Although the expressed intention is often to "do only the minimum" in applying the ISO 38500 standard, this is illogical: the more thoroughly top management applies ISO 38500, the better top management will be able to direct and control. To minimise the risk of managers doing more than is necessary, the ITGN has identified 34 steps that are essential for organisations to efficiently and effectively fulfill the requirements of ISO 38500.
The ITGN provides templates and supporting procedures to assist organisations in developing a system by which the current and future use of IT can be directed and controlled. The 34 steps provide organisations with a clear and economical roadmap for applying ISO 38500 and being ready for ISO 38500 certification.
In determining what is essential to fulfilling the ISO 38500 requirements, it is important to recognise the distinction made in ISO 38500 between the management and the corporate governance of IT. Specifically, good governance is about effective leadership, accountability, decision-making and being strategically focused.