3 INTRODUCTION TO THE GOVERNANCE OF IT STANDARD ISO/IEC 38500

When the IT department was a small band of computer science specialists sitting around a mainframe computer providing number crunching services to an organisation, it was reasonable to delegate responsibility for IT activity to the key users of the data. However, the role of IT within an organisation has grown extensively and IT is pervasive across all areas of a business, supporting and providing HR, finance, sales and marketing, product and service development and delivery, facilities management, and general information and intellectual property (IP) protection. Directors and senior executives now have a responsibility to ensure the proper use of the organisational IT systems so that key organisational data is available as required, accessible, secure and protected.

The goal of ISO 38500 is to provide guidelines for directors and senior executives on the effective, efficient and acceptable use of information and communication technology within their organisations.

These directors could be members of the board of large corporations, owners of small businesses, or secretaries of public service departments. Regardless of size or sector, unless directors and their senior officers understand their responsibility for governing IT systems, there is potential for a number of problems. I have picked a few examples that I have seen in organisations:

  • Different parts of the organisation have different relationships with different IT vendors. This can result in the organisation procuring systems that do not fully integrate with each other. I have witnessed the situation where one part of an organisation was purchasing new PCs unaware of a master agreement that would have reduced the price considerably.
  • IT systems evolve across the organisation in an ad hoc way, with no united direction or strategy.
  • IT systems over-perform for the requirements of the organisation.
  • IT managers have less than a full understanding of the legislative requirements for storing personal data.
  • IT users are frustrated by not being able to carry out their work responsibilities efficiently on account of a perceived lack of resources. Sometimes this is just because of poor documentation and users are asking for services that are already available.
  • Responsibility for the disaster recovery of a system falls between the cracks where the business owner thought the CIO had plans in place that were under regular review and test, and vice versa.

Unfortunately, serious problems, with consequences ranging in severity from financial loss to imprisonment, can develop in a way that is invisible to the senior leaders of an organisation. Rigorous disaster recovery is often neglected because of a lack of funds. Living as I do in an earthquake zone, I observe a flurry of activity after each minor shake. However, even here in Wellington, the probability of an earthquake destroying the computer systems of an organisation is less than that of flood or fire. Human error is a significant contributory factor in most disasters that I have witnessed – labourers cutting through Internet cables, somebody powering down an entire server room thinking they were flicking the light switch. The problem is that it is only when some form of disaster strikes that it becomes obvious that the IT department have been operating on a wing and a prayer. Of course, there are ways to ensure that this could not possibly happen in your organisation – and that is what this book is all about.

THE VALUE OF STANDARDS

Standards organisations around the world are, in general, tasked to serve the public good. Suppose I buy a new electric kettle, or jug as we call it here in NZ. I would like to think that I could plug it into a socket – that it would have sufficient pins, presented in an idiot-proof format so as to determine that the right pin fits in the right slot. I would like to know that the kettle is safe to use – I do not want to risk electrocution when I plug it in, and I do not want it to catch fire or melt in use. I also want to know that it meets quality criteria – that it is ‘fit for purpose’. I want it to heat up water in a reasonable amount of time (seconds not minutes), and I want the device to have a long life (years not months). In general, standards covering everyday things protect us and ensure that we have a quality experience.

IT standards have traditionally had a different focus. They have been concerned with defining and describing consistent processes, common terms, language definitions and so on. The more recently developed security and governance standards, though, are more closely aligned to the standards covering things – they have been developed to provide a safe and quality experience for the users. And thus it is with the IT governance standard ISO 38500 – it is a standard designed to drive safe practices and to create a quality experience for users of organisational IT systems and information.

HOW DID ISO 38500 COME ABOUT?

As a working group convenor of an international standards group, my job was to research international market requirements and to see where my group could add value or provide useful guidance. The ISO process for developing new standards has many endearing qualities, and a number of fail-safe measures that protect us from wasting too much time on something that is not worthwhile. Most of the new ideas and projects that came from my group started off in a study group. To set up a study group in a new area, you need at least five nations to agree that the new area is of interest to them. We agree a scope – and that is generally along the lines of ‘let’s see if there’s any need for standardisation in this area’ – and we agree an approach – and that is generally along the lines of ‘let’s talk to anyone and any organisation that has ever done anything in this area’. We agree a timeline and an output – and that is normally one year to put together a report that can be presented to our formal standards meeting, and circulated round the 35+ nations who are involved in our wider work programme. So, we are expecting a formal report and something of substance, backed up by international research.

New ideas come to us from all nations and all directions. We started work on IT governance in 2006, having discovered a need for guidance in the area whilst running a study group on IT service management. We had plotted a chart of IT standards, frameworks and other guidance against a timeline of how long the average IT process described took to complete, and we made the discovery that there was very little guidance available for IT strategic planning/long-term decision making. So we kicked off a study group to see if there was sufficient international interest to develop a standard. I had our room set up with two sets of white boards and a projector, and I invited all the participants to bring along any relevant articles and presentations. One set of white boards was to catch a set of principles for good IT governance, and the second set of white boards was to collect a set of ideas around what we thought would make a good standard. By the end of the week, we had immersed ourselves in international research, national standards and position papers. We had developed a plan to invite Australia (a nation which ironically had not been represented at the meeting) to present their IT governance standard for ‘fast track’ (see next section for details), we had started to analyse the gap between the Australian standard and our requirements for an international IT governance standard, and we had started putting together our study group report.

The fast track process

In the ‘old days’ an international IT standard would have been built from nothing but a vague thought that standardisation was required in a particular area – and some IT standards are still successfully built this way. A draft standard would be created by a group of standards subject matter experts, starting with an idea and a blank sheet of paper. The ensuing rounds of voting, refinement, refinement and voting would take place over approximately five to seven years. Alas, it was too often the case that by the time the final standard was published the original market need had gone away or had been superseded by a new, more pressing need. The idea of the fast track process was to enable a national standard (or similarly validated document) that had been adopted, or had the potential to be adopted by other nations, to be turned into a full international standard by following a shorter form of the refinement and voting process.

Although AS 8015 (the Australian standard for the Corporate Governance of ICT) had not been formally adopted by any other nation at the time of my fast track request, it aligned closely to the guidance provided in Japanese national standards and it was rooted in internationally acknowledged principles of good corporate governance. It also appeared to fit quite neatly with academic research we saw coming from European universities in Luxembourg, Belgium and Spain. The standard was criticised for being very short but I saw this as advantageous – it would act as a basis on which we could deliver a body of knowledge in the area.

I was also very keen that, in introducing an international IT governance standard, we would not displace or replace existing material in the area. In particular, I saw an opportunity to work closely with groups such as ISACA and itSMF to ensure that our standard would work as an umbrella standard over their guidance frameworks and documents. I envisaged our standard being accepted by the board of an organisation who would pass it to their management team to ‘make it so’. I expected the management team to then use a combination of ISACA and itSMF frameworks to introduce operational governance processes and controls that would enable easy monitoring and would guarantee the roll-up of reporting from the operational team through the management team to the board, with each level of the organisation seeing the exact breadth and detail to enable them to do their job/carry out their governance role.

It was in this context that we invited Australia to submit AS 8015 for fast track. We were delighted that the standard passed ballot and that, once we had addressed the comments associated with our ‘no’ votes, we were able to publish the first international IT governance standard in June 2008.

ISO VOTING PROCESS

The ISO ballot resolution process is a fine mechanism for weeding out standards that do not have an international future. Once a standard is deemed to be ready, it is sent around for ballot to the group of nations registered as involved in the development of such standards. Participating nations are invited to express an interest in getting involved with the work and to cast a vote with the understanding that a ‘no’ vote must be accompanied by comments as to why the no vote has been given. To pass ballot, a standard must exceed the number of yes votes required, must have fewer than the number of no votes stipulated and must have expressions of interest to participate from more than the minimum number of nations.

Once a ballot has been passed, it is the job of the issuing working group to address the no comments through a formal ballot resolution meeting. The aim of the meeting is to discuss the negative comments with authorised representatives from each nation that submitted a no vote and to re-take the ballot to see if some of the no voting nations are then willing to change their vote.

There is much tweaking of definitions and terms to provide a ‘one-size-fits-all’ solution, but the effort is generally worthwhile. An international IT standard that only worked in a small set of nations would be next to useless, given the ubiquitous nature of IT. Standards need to open up opportunities for international trade, and for that to happen they need to be adopted by as many nations as possible. An example of an internationally adopted standard that many of us benefit from is the ASD-Simplified Technical English standard (ASD-STE100) used by Boeing and other internationally dispersed aerospace and defence companies to ensure that there is a common approach to technical documentation and common naming conventions. It is comforting to think that wherever the 747 lands in the world, there is a commonly understood terminology for the parts used to maintain it.
