IT Governance

King III

The IT Governance Network has produced an ebook looking at IT Governance and the issues raised in the King III Report. The King Commission on Corporate Governance released its report on 2 September 2009. This report contains a chapter on IT Governance.

To download the FREE ebook "Executive Overview IT Governance aligned to King III" click here.

Other FREE Downloads:

Getting started with King III

King III Essentials and the 43 Steps to Implementation

King III and the IT Governance Charter

King III and the role of Internal vs External Audit

King III and Internal Controls

King III and the Status of IT Governance

King III and System Management for increased Productivity

King III and Information Security

King III and Developing an Information Security Management System

King III and the Protection of Personal Information

ITIL and Productivity Improvement


Governance is different from Management

The word "manager" normally refers to a person who provides technical and administrative direction and control to those performing tasks or activities within the manager’s area of responsibility.

The traditional functions of a manager include planning, organising, directing, and controlling work within an area of responsibility. If a manager does this, he/she is likely to be providing “good management”.

In many instances the manager does not have sufficient time or resources to focus on anything other than the operational activities he/she is responsible for. Frequently the manager is "fighting fires", managing an endless number of operational problems.


People accountable for good governance are responsible for making the changes necessary to deliver the performance expected by the Business.

The Criteria for Certification

ISO certification can provide tremendous benefits, but these are often not realised. At the centre of the problem are dishonest auditors and incompetent certification bodies. Harsh words, but unfortunately very true! Certification bodies must comply with ISO 17021 and ISO auditors must comply with ISO 19011. Unfortunately some organisations choose to obtain their ISO certification from incompetent auditors and non-compliant certification bodies.

There are two fundamental requirements for ISO certification: the certification body must make public its criteria for certification, and the auditor must make public, prior to the audit, the audit requirements you are expected to satisfy. ISO 17021 and ISO 19011 require that this information be publicly available. Unfortunately this does not always happen. Before you seek ISO certification, request these two documents from the certification body and the auditor respectively. If they are not available, you need to be concerned and you should change your auditors, your certification body, or both. ISO 19011 requires that ISO auditors develop a specific audit programme relevant to your processes, your management system and your stated objectives.

Certain certifications (i.e. ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000 and ISO 38500) require a management system, an integrated set of processes and, most important of all, a clear set of business objectives to be achieved. A fundamental requirement for ISO certification is the actual achievement of the stated objectives. The three core requirements for ISO certification are 1) agreed business objectives, 2) a management system and 3) an integrated set of processes that will achieve the stated objectives. Without these, you cannot be certified as compliant!

'Auditors' of ISO standard implementations often lack the necessary skill, and therefore the audit approach they follow is simply to examine the implemented controls, determine whether they have been documented and establish that they are working as described. For example, an ISO 27001 audit is usually (but incorrectly) based on ISO 27002, a checklist of control objectives and controls. You don't need ISO 27002 (previously known as ISO 17799) at all! What you do need are processes to achieve the stated objectives and a management system to ensure this happens. Of course controls are required, but the purpose of controls is to place the processes under control so that they achieve the stated objectives. In other words, controls mitigate the process risks.

If you do not achieve the stated business objectives of your ISO implementation, if you do not have an effective and efficient management system, and if you do not have a set of integrated processes, you are not ISO compliant. Anyone who says you are is incompetent and/or dishonest!

To implement the ISO 38500 standard, a system to direct and control the current and future use of IT is required. The system comprises controls and processes to achieve the strategic objectives set by the organisation's governing body. A few choices are available.

COBIT is a popular IT management framework that defines both processes and controls. In many respects its purpose is similar to ISO 38500 as it also aims to enable better governance of information technology so that the organisational objectives are achieved.

At the centre of ISO 38500 is a framework of 6 principles. The easiest way to implement these principles is to map them to the COBIT process model; through the execution of these processes, ISO 38500 becomes effective.

The advantage of using a process framework like COBIT is that it groups related IT activities into processes that have a life-cycle and are focused on achieving specific outcomes. By cascading the organisation's business objectives down to the IT processes, you are able to align day-to-day activities with the organisation's stakeholder expectations.

Roles, responsibilities and decision-rights at the process level can be aligned with the business goals. Governance mechanisms such as job descriptions and contracts can be crafted to support the achievement of specific outcomes. Performance measures can be fine-tuned to drive the required behaviour. Over time, controls are implemented to manage risk and capability is developed so that the organisation is better able to perform as expected.

Building Capability

The first Capability Maturity Model was developed by the Software Engineering Institute at Carnegie Mellon University. Its aim is to assist organisations in improving their processes by following an evolutionary path.

The maturity level of an organisation provides a way to predict the future performance of an organisation within a given discipline or set of disciplines. Experience has shown that organisations do their best when they focus their process-improvement efforts on a manageable number of process areas that require increasingly sophisticated effort as the organisation improves. A maturity level is a defined evolutionary plateau of process improvement. Each maturity level stabilizes an important part of the organisation's processes.

The maturity levels are measured by the achievement of the specific and generic goals that apply to each predefined set of process areas. There are five maturity levels, each a layer in the foundation for ongoing process improvement, designated by the numbers 1 through 5.

The first step in improving a process is to understand the boundaries of the process you are trying to improve. The process could be any process and it will be a combination of people, tools, technologies, and methods employed to accomplish a task.

Once the operational entity is defined, a clear understanding of the operational entity's purpose and objectives guides improvement efforts. Many times, the purpose and objectives are stated in strategic planning documents. A clear understanding of the purpose and objectives will keep improvement efforts aligned with strategic needs and will avoid expending critical resources on improvement efforts that don't contribute to those needs.

Along with understanding the operational entity's objectives, it's important to understand how you will know whether those objectives have been achieved. It sounds good to say you intend to make your operation "world class", but how would you know when you're there? The objectives of an operational entity are stated first so that you can perform some level of verification to confirm that your improvement efforts move you closer to those objectives.

Once the operational entity requiring improvement is identified and its purpose is clearly understood, constraints and risks are more easily identified and addressed. The current state of the operational entity could be assessed against its objectives to identify current and potential barriers to meeting those objectives. Improvement plans would then be developed and implemented to address these barriers.

Operational process improvement using the COBIT framework enables an organised approach to identifying and addressing the constraints and risks, and helps the operational entity achieve its purpose more effectively.


King IV Corporate Governance Assessment

Assess the current level of your organisation's corporate governance using this King IV assessment tool.


COBIT Assessment as a Service

Conduct a COBIT 5 assessment using this COBIT Assessment-as-a-Service.


POPIA Preliminary Assessments

POPIA preliminary assessments provide an efficient and effective approach to determining the extent to which the requirements of the Protection of Personal Information Act have been addressed.
