Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Iso iec 38500 ict governance workbook

1,752 views

Published on

A basic workbook based on ISO/IEC 38500 which organisations can use to re-view their own status.

Delegate materials used in our work with charity boards in NZ

Published in: Business, Technology
  • Be the first to comment

Iso iec 38500 ict governance workbook

  1. 1. Commercial in Confidence The ICT Governance Standard This diagram encapsulates ICT governance as defined by the ISO/IEC 38500 standard modified for a non-profit organisation. The core duties are the monitor, evaluate and direct ICT. The standard suggests six dimensions in which directors should carry out these duties. Responsibility Strategy Acquisition Performance Conformance Human Behaviour Page 1 of 9
  2. 2. Commercial in Confidence The following tables lists the tasks required to monitor evaluate and direct each dimension. Our board workshop will include a discussion about this framework and will start defining the implications in terms of policy, reporting and KPIs. You’ll note that some of the requirements are that we’ve defined our requirements. And in many cases the monitoring, evaluating and directing are all encompassed by having a policy in place. So this list isn’t a daunting as it appears from the number of pages involved. Please start by making notes in the Implications column ready for a group discussion. In that discussion we will effectively make a first outline draft of your governance framework for later revision and refinement. In the first instance make a note of Any questions arising Strengths and opportunities Weaknesses and threats Anything already in place Anything from another source you think could be helpful Page 2 of 9
  3. 3. Commercial in Confidence Direct Evaluate Monitor DIMENSION: RESPONSIBILITY REQUIREMENT (from ISO 38500) IMPLICATIONS Directors should monitor that appropriate ICT governance mechanisms are established and maintained. Directors should monitor that those given responsibility acknowledge and understand their responsibilities. Directors should monitor the performance of those given responsibility in the governance of ICT (for example, those people serving on steering committees or presenting proposals to director(s) Directors should evaluate the options for assigning responsibilities in respect of the organization’s current and future use of ICT. In evaluating options, directors should seek to ensure effective, efficient, and acceptable use and delivery of ICT in support of current and future business objectives. Directors should evaluate the competence of those given responsibility to make decisions regarding ICT. Directors should direct that plans be carried out according to the assigned ICT responsibilities. Directors should direct that they receive the information that they need to meet their responsibilities and accountability. Page 3 of 9
  4. 4. Commercial in Confidence Direct Evaluate Monitor DIMENSION: STRATEGY REQUIREMENT Directors should monitor the progress of approved ICT proposals to ensure that they are achieving objectives in required timeframes using allocated resources. Directors should monitor the use of ICT to ensure that it is achieving its intended benefits IMPLICATIONS Directors should evaluate developments in ICT and business processes to ensure that ICT will provide support for future business needs. In considering plans and policies, directors should evaluate ICT activities to ensure they align with the organization’s objectives for changing circumstances, take consideration of better practices and satisfy other key stakeholder requirements. Directors should ensure that ICT is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards. Directors should direct the preparation and use of plans and policies that ensure the organization does benefit from developments in ICT. Directors should encourage the submission of proposals for innovative ICTuse that enables the organization to respond to new opportunities or challenges, undertake new businesses or improve processes. Page 4 of 9
  5. 5. Commercial in Confidence Direct Evaluate Monitor DIMENSION: AQUISITION REQUIREMENT Directors should monitor ICT investments to ensure that they provide the required capabilities. Directors should monitor the extent to which their organization and suppliers maintain the shared understanding of the organization's intent in making any ICT acquisition Directors should evaluate options for providing ICT to realize approved proposals, balancing risks and value for money of proposed investments. IMPLICATIONS Directors should direct that ICT assets (systems and infrastructure) be acquired in an appropriate manner, including the preparation of suitable documentation, while ensuring that required capabilities are provided. Directors should direct that supply arrangements (including both internal and external supply arrangements) support the business needs of the organization. Page 5 of 9
  6. 6. Commercial in Confidence Evaluate Monitor DIMENSION: PERFORMANCE REQUIREMENT Directors should monitor the extent to which ICT does support the business. Directors should monitor the extent to which allocated resources and budgets are prioritised according to business objectives. Directors should monitor the extent to which the policies, such as for data accuracy and the efficient use of ICT, are followed properly Directors should evaluate the means proposed by the managers to ensure that ICT will support business processes with the required capability and capacity. These proposals should address the continuing normal operation of the business and the treatment of risk associated with the use of ICT. Directors should evaluate the risks to continued operation of the business arising from ICT activities. Directors should evaluate the risks to the integrity of information and the protection of ICT assets, including associated intellectual property and organizational memory. Directors should evaluate options for assuring effective, timely decisions about use of ICT in support of business goals. Directors should regularly evaluate the effectiveness and performance of the organization’s system for Governance of ICT. Directors should ensure allocation of sufficient resources so that ICT meets the needs of the organization, according to the agreed priorities and budgetary constraints. IMPLICATIONS Page 6 of 9
  7. 7. Commercial in Confidence IMPLICATIONS Direct DIMENSION: PERFORMANCE continued REQUIREMENT Directors should ensure allocation of sufficient resources so that ICT meets the needs of the organization, according to the agreed priorities and budgetary constraints. Directors should direct those responsible to ensure that ICT supports the business, when required for business reasons, with correct and up-to-date data that is protected from loss or misuse. Page 7 of 9
  8. 8. Commercial in Confidence Direct Evaluate Monitor DIMENSION: CONFORMANCE REQUIREMENT Directors should monitor ICT compliance and conformance through appropriate reporting and audit practices, ensuring that reviews are timely, comprehensive, and suitable for the evaluation of the extent of satisfaction of the business. Directors should monitor ICT activities, including disposal of assets and data, to ensure that environmental, privacy, strategic knowledge management, preservation of organizational memory and other relevant obligations are met Directors should regularly evaluate the extent to which ICT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines. Directors should regularly evaluate the organization’s internal conformance to its system for Governance of ICT. Directors should direct those responsible to establish regular and routine mechanisms for ensuring that the use of ICT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines. Directors should direct that policies are established and enforced to enable the organization to meet its internal obligations in its use of ICT. Directors should direct that ICT staff follow relevant guidelines for professional behaviour and development. Directors should direct that all actions relating to ICT be ethical IMPLICATIONS Page 8 of 9
  9. 9. Commercial in Confidence IMPLICATIONS Direct Evaluate Monitor DIMENSION: HUMAN BEHAVIOUR REQUIREMENT Directors should monitor ICT activities to ensure that identified human behaviours remain relevant and that proper attention is given to them. Directors should monitor work practices to ensure that they are consistent with the appropriate use of ICT Directors should evaluate ICT activities to ensure that human behaviours are identified and appropriately considered. Directors should direct that ICT activities are consistent with identified human behaviour. Directors should direct that risks, opportunities, issues and concerns may be identified and reported by anyone at any time. These risks should be managed in accordance with published policies and procedures and escalated to the relevant decision makers Page 9 of 9

×