Achieving an organisation's strategic objectives doesn’t occur overnight. It requires ongoing attention from management and continuous improvement on what is already in place.
As a company’s internal and external requirements change, it is essential that management regularly review and check that:
When necessary, appropriate remedial action is taken.
The international standard ISO/IEC 15504-2 provides a methodology for recognising capability and planning improvements. The actual approach to conducting a COBIT 5 assessment is detailed in the COBIT 5 (or ISO 15504) Assessor Guide.
First the process performance is assessed, and thereafter the management of that performance and the associated work products is assessed, to determine what role, if any, the activities or the work products play in the successful achievement of the process outcomes.
Higher capability levels indicate greater sophistication in the ability of management to direct and control the effectiveness, efficiency and quality of assigned work.
"IT Governance" means different things to different people. For some, it is "GRC" - governance, risk and compliance. Often this is not much more than the implementation of controls and maintaining a controls checklist for the purpose of regularly checking compliance. This approach to governance is frequently of little interest to operational management focused on providing the business with the services they need to succeed. These IT managers are more likely to prefer "GVP" - governance, value delivery and performance management.
The ISO 38500 standard for the "Corporate Governance of ICT" splits the implementation of governance between "performance" and "conformance". It requires that IT deliver the performance expected by the business whilst conforming to regulatory and other compliance requirements.
The COBIT framework from ISACA has evolved from being a control framework for auditors to a governance and management framework for the board and IT leadership to direct the use of information and technology and create value according to stakeholder expectations. It now supports auditors wishing to evaluate risk and assess internal controls as much as it supports IT leaders aiming to implement a LEAN organisation that is sufficiently agile to respond quickly to changes in business requirements.
The ITGN has a wide range of expertise to assist with the implementation of better IT governance for both GRC and GVP purposes.
The IT Governance Network, a global leader in the use of COBIT 5 for a wide range of business applications, is an accredited training provider for the COBIT 5 Foundation, COBIT 5 Implementation and COBIT 5 Assessor certifications.
Events are held regularly at locations around the world. Details of individual events are listed on the Seminar Schedule.
The Protection of Personal Information Act is South Africa's most complex and technical law, and it impacts everyone.
POPI training is held regularly throughout South Africa. Details and dates of the public events are listed on the SEMINAR SCHEDULE above. Alternatively, there is the annual POPI Act Conference.
Our POPI trainers have an excellent understanding of what is required by the Act and, more importantly, how to implement these requirements in a practical manner. They participated in the Parliamentary discussions that resulted in the POPI Act and have many years' practical experience. These courses are developed from that experience and from specialist legal, business and IT knowledge.
2 day POPI Complying with the Act course
The Protection of Personal Information Act requires all public and private bodies to process personal information in accordance with the conditions for the lawful processing of personal information. In most organisations personal information is ubiquitous, and the risk of not processing it lawfully is high.
This course provides the attendee with an understanding of the key requirements of the Act and a road map to address the requirements and manage the risk.
2 day POPI for the HR function course
The processing of personal information within the human resources function presents many challenges for those responsible. Currently the misuse of personal information within HR is widespread, making many organisations vulnerable to complaints from unsuccessful job applicants and employees.
This course includes topics about processing personal information within the human resources function. Practical examples illustrate what is acceptable and what is unlawful.
2 day POPI and Information Security using ISO 27001 course
The Protection of Personal Information Act requires all organisations to implement the necessary safeguards to protect personal information according to generally accepted information security practices and procedures.
This course provides attendees with an understanding of the approach required to identify and implement the necessary safeguards to protect the processing of personal information using ISO 27001, the international generally accepted standard for information security.
2 day POPI: Auditing Readiness and the Programme course
The Protection of Personal Information Act is technical and complex. It has numerous requirements that impact just about everyone within an organisation, as well as its customers, suppliers and service providers.
This seminar includes topics about:
2 day POPI Requirements for ERP Systems course
Enterprise Resource Planning (ERP) systems process a wide variety of business information, including many types of personal information. ERP systems have many features that can assist responsible parties to protect personal information. Failing to use the available features could be a problem when non-compliance is reported to the Information Regulator.
This course provides attendees with an understanding of the privacy-related issues that will need attention in ERP systems.
2 day POPI: Role of the Information Officer course
Information officers have a significant role in overseeing the protection of personal information and can be personally liable in some instances where they do not fulfil their responsibilities.
This course will assist attendees to understand the role and responsibilities of the information officer in encouraging a public or private body to comply with the requirements for the lawful processing of personal information, to handle personal information requests and to respond to interferences with the protection of personal information.
1 day POPI: Role of Responsible Parties course
It is the responsibility of the “Responsible Parties” identified by the CEO and listed in the PAIA manual to ensure that personal information is processed lawfully and in a reasonable manner that does not infringe the constitutional rights of individuals to privacy.
This seminar informs heads of public bodies, CEOs of private bodies and the business leaders identified as "responsible parties" about their role and responsibilities for processing personal information lawfully.
1 day POPI: Managing Operators course
The POPI Act requires responsible parties to have in place a written contract between the responsible party and the operator. The contract must ensure that an operator who processes personal information on behalf of the responsible party does so only with the knowledge and authorisation of the responsible party, and that the operator establishes and maintains the necessary security measures.
Attendees on this course will learn about the specific POPI requirements for responsible parties to manage operators.
Popular POPI in-house and public courses include:
Every organisation needs to identify and manage many activities to function effectively. For example: strategic goals, customer requirements, corporate policies, business opportunities, risk management responses, regulatory compliance requirements and contractual obligations are all triggers for action and therefore need to be managed.
Even in the best run organisations there is enormous waste of effort. Introducing a management system (e.g. COBIT APO01) to better organise the effort will cut costs and lead to substantial productivity improvements.
An organisation should start with organising activities into processes, each with a common goal. Once this is completed, they develop a management plan. Next they establish, implement, operate, monitor, review, maintain and improve their management system. Using a "management system" to organise and coordinate activities provides a systemic approach to reducing waste and lifting productivity.
Success comes from using the familiar Deming “Plan‐Do‐Check‐Act” model.
The management's plan identifies and prioritises the issues and actions that need to be undertaken for the organisation to function effectively.
Instead of relying only on the efforts of individuals, process owners plan and direct the actions and related activities, filtering the triggers for additional work and ensuring that resources are only being consumed for valid activities aligned with the strategic objectives of the organisation.
The management plan focuses on ensuring proper attention to activities in each component of the “Plan‐Do‐Check‐Act” model. It also focuses on the collaboration between processes ensuring that all of the requirements for the organisation to function effectively are carried out optimally and that the organisation’s strategic goals are achieved.
The management plan is turned into action with the aid of an Implementation Plan.
The Protection of Personal Information Act has been signed by the President. It is now the law!
The uncertainty about the obligations public and private bodies have regarding the protection of personal information is over. People have the right not to have their personal information misused and may take action against anyone who wilfully misuses their personal information.
Are your HR recruiters requesting unnecessary information from job applicants? Are the job applicant vetting procedures unlawful? Is your "Tip-off Anonymous" reporting service in breach of the Protection of Personal Information Act? Contact us to find out why these practices are unlawful.
ISO 27001 is widely regarded as an acceptable framework for information security management. However many ISO 27001 implementations do not adhere to the specification and therefore fail to provide an acceptable level of information security.
An ISO 27001 information security management system (ISMS) coordinates and manages the effective and efficient deployment of information security resources and processes to ensure ongoing confidentiality, integrity and availability of information and information systems in line with predefined operational and strategic objectives.
This is a sample ...