8/16/2019 ISO IEC 29382 -The New Standard for ICT Governance
1/38
itSMF-NL Spring 2008 Conference
"Best Practices in IT Management:
BEYOND ITIL, BEYOND CONTROL"
April 22, 2008, Hotel & Congrescentrum De Reehorst, Ede, Nederland
July 21, 2010 1
Christophe Feltus
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg
ISO/IEC 29382 - the new standard for ICT Governance
Outline
ICT Governance definitions
SG on ICT Governance
itSMF involvement
Interim Report
Beyond ISO 29382
Scope
Application
Objectives
6 principles
Model for Corporate Governance of ICT
Conclusions
Some definitions
AS 8015 – Australian National Standards
Corporate Governance of ICT is the system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organization. (Corporate Governance of Information and Communication Technology; January 2005).
OECD Corporate Governance
Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring. (OECD Code on Corporate Governance)
Some definitions
ITGI (IT Governance Institute)
IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives. (Board Briefing, 2nd edition; 2003).
World Bank Definition of Corporate Governance
Corporate governance refers to the structures and processes for the direction and control of companies. Corporate governance concerns the relationships among the management, the Board of Directors, the controlling shareholders and other stakeholders. Good corporate governance contributes to sustainable economic development by enhancing the performance of companies and increasing their access to outside capital.
Some definitions
MIT Sloan Center for Information Systems Research:
IT Governance is specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT. (MIT CISR Working Paper No. 326; April 2002).
University of Tasmania
The survey of the literature by academics from the University of Tasmania (Webb, Phyl, Pollard, Carol, and Ridley, Gail (2006), Attempting to Define IT Governance: Wisdom or Folly?, Proceedings of the 39th Hawaii International Conference on Systems Sciences) brings out the 'elements' that are common to a range of suggested definitions. The elements are: strategic alignment, delivery of business values, performance management, risk management, policies and procedures, and control and accountability. Their resultant definition is: IT Governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management.
Study Group in ISO
JTC1: Information Technology Standards
JTC1/SC7: Software and System Engineering
JTC1/SC7/WG25: IT Operations (service management)
Basically: Study Group in WG25
Study Group Chair: Alison Holt (New Zealand); Co-Chair: Ed Lewis (Australia)
Members:
Alwyn Smit, South Africa
Melanie Cheong, South Africa
Jyrki Lahnalahti, Finland
Craig Pattison, itSMFI/New Zealand
Darcie Destito, United States
Gargi Keeni, India
Sushil Chatterji, ISACA/ITGI
Brian Cusack, New Zealand
Christophe Feltus, Luxembourg
Yoshiyuki Hirano, Japan
K.T. Hwang, Korea
Bill Powell, United States
Dennis Ravenelle, itSMFI
Hella Shrader, United Kingdom
Mark Toomey, Australia
Mikhail Pototsky, Russian Federation/itSMFI
Max Shanahan, ISACA/ITGI
Luis Rosa, Spain
Jenny Dugmore, UK.
Study Group in ISO
In Seoul (2006):
Reduce – if not remove – the confusion in the professional and the academic literature about the topic
Resolutions:
- New SG
- 1st report
- Fast Track
In Moscow (May 2007):
Preparation of 1st report
Definition of ICT Governance
What is ICT Governance?
Study Group in ISO
Montreal (November 2007)
Fast Track on Australian Standard on ICT Governance
Accepted in July
Resolution of comments on Fast Track: 149
Canada: 2
Spain: 1
France: 5
Italy: 10
Japan: 10
Korea: 1
Luxembourg: 46
New Zealand: 6
UK: 4
Sweden: 9
USA: 15
South Africa: 40
1st report
NWI
ISO – itSMF liaison (by WG)
Link with ISO 20000
ISO 20000 - The standard describes the controls needed to effectively deliver services that meet the needs of the customer and business requirements.
The processes described in ISO 20000 underpin an effective governance framework and therefore need to be closely aligned to any proposed ICT Governance standard.
All reviewed standards have a relationship with ICT Governance and many sections overlap not only in comparison to ISO/IEC 38500 standard but also amongst the individual reviewed standards. Any drafting of a new international ICT Governance standard needs to take the above existing standards into account and ensure that a) there are no conflicts and b) all governance related sections are covered.
A weakness of all reviewed standards is around the need for strategic direction and the implementation of controls to support and manage this area.
Advisory Board Paper
The formal description it offers is:
"Governance is the collective set of procedures, policies, roles and responsibilities, and organizational structures required to support an effective decision-making process".
Advisory Board Paper
Benefits of Governance (key words):
Achieving business objectives by ensuring that each element of the mission and strategy is assigned and managed with a clearly understood and transparent decision rights and accountability framework.
Defining and encouraging desirable behavior in the use of IT and in the execution of IT outsourcing arrangements.
Implementing and integrating the desired business processes into the organization.
Providing stability and overcoming the limitations of organizational structure.
Improving customer, business and internal relationships and satisfaction, and reducing internal territorial strife by formally integrating the customers, business units, and external IT providers into a holistic IT governance framework.
Enabling effective and strategically aligned decision making for the IT Principles that define the role of IT, IT Architecture, IT Infrastructure, Application Portfolio and Frameworks, Service Portfolio, Information and Competency Portfolios and IT Investment & Prioritization.
Interim Report
A review of national governance activities
The identification of a set of guiding principles for the development of an ICT Governance standard to meet market requirements
The identification of the ICT governance needs to be addressed in the standard
An assessment of where ICT governance sits within JTC1
A review of elements of ICT governance in existing SC7 standards
Analysis to determine the level of standard required to sit above existing frameworks and methodologies without replacing or displacing existing material. Identification of the sort of "standard" required - TR, code of practice or guidelines
Analysis of what would need to be added to AS 8015 to meet these needs
Analysis of whether a maturity framework could be included from the outset
Liaison Relationships: Contributions requested from existing bodies of knowledge
Call to action dependent on AS 8015 fast track result (which is now known)
Review of the status of ICT Governance across different nations
Written and oral reports were presented to the ICT Study Group reviewing the state of different ICT Standards environments within the different jurisdictions.
A general movement towards compliance frameworks was reported in terms of legislation, Standards adoption and control framework adoption (e.g. CobiT, ITIL, and so on).
Several reports noted that regulatory requirements were pending and that there is considerable momentum gathering for comprehensive directives (both explicit and implicit). The importance of ICT Governance and the current opportune moment in time for ICT Governance advancement was reported in each case.
What is ICT Governance?
The Working Group should establish a Glossary of governance terms. The Glossary especially should include definitions that help to establish the difference between Governance and Management. The definitions must be compatible with those in existing ISO Standards.
Director
Member of the most senior governing body of an organization. Includes owners, board members, partners, senior executives or similar, and officers authorized by legislation or regulation.
Management
Management is the process of controlling the activities required to achieve the strategic objectives set by the organisation's governing body. Management is subject to the policy guidance and monitoring set through corporate governance.
What is ICT Governance?
The objective of governance is to determine and cause the desired behavior and results to achieve the strategic impact of IT.
The system in which directors monitor, evaluate and direct IT management to ensure effectiveness, accountability and compliance of IT.
The active distribution of decision-making rights and accountabilities among different stakeholders in an organization and the rules and procedures for making and monitoring those decisions to determine and achieve desired behaviors and results:
who makes directing, controlling and executing decisions
how the decisions will be made
what information is required to make the decisions
what decision-making mechanisms should be required
how exceptions will be handled
how the governance results should be reviewed and improved
Beyond ISO 29382: scope
The objective of this Standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations.
Governance is distinct from management, and for the avoidance of confusion, the two concepts are clearly defined in the standard.
…the members of the governing body may also occupy the key roles in management.
It provides guidance to those advising, informing, or assisting directors. They include:
• Senior managers.
• Members of groups monitoring the resources within the organization.
• External business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies.
• Vendors of hardware, software, communications and other IT products.
• Internal and external service providers (including consultants).
• IT auditors.
The standard is applicable for all organizations, from the smallest, to the largest, regardless of purpose, design and ownership structure.
Beyond ISO 29382: application
This standard is applicable to all organizations, including public and private companies, government entities, and not-for-profit organizations.
The standard is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their use of IT.
Beyond ISO 29382: objectives
The purpose of this Standard is to promote effective, efficient, and acceptable use of IT in all organizations by:
assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization's corporate governance of IT;
informing and guiding directors in governing the use of IT in their organization; and
providing a basis for objective evaluation of the corporate governance of IT.
Beyond ISO 29382: 6 principles
Principle 1: Establish clearly understood responsibilities for IT
Principle 2: Plan IT to best support the organization
Principle 3: Acquire IT validly
Principle 4: Ensure that IT performs well, whenever required
Principle 5: Ensure IT conforms with formal rules
Principle 6: Ensure IT use respects human factors
Beyond ISO 29382 : Model for
Corporate Governance of ICT
Directors should govern ICT through three main tasks:
(a) Evaluate the use of ICT.
(b) Direct preparation and implementation of plans and policies.
(c) Monitor conformance to policies, and performance against the plans.
Evaluate
Directors should examine and make judgement on the current and future use of IT, including strategies, proposals and supply arrangements (whether internal, external, or both).
In evaluating the use of IT, directors should consider the pressures acting upon the business, such as technological change, economic and social trends, and political influences.
Directors should also take account of both current and future business needs — the current and future organizational objectives that they must achieve, such as maintaining competitive advantage, as well as the specific objectives of the strategies and proposals they are evaluating.
Direct
Directors should assign responsibility for, and direct preparation and implementation of plans and policies. Plans should set the direction for investments in IT projects and IT operations. Policies should establish sound behaviour in the use of IT.
Directors should ensure that the transition of projects to operational status is properly planned and managed, taking into account impacts on business and operational practices and existing IT systems and infrastructure.
Directors should encourage a culture of good governance of IT in their organization by requiring managers to provide timely information, to comply with direction and to conform with the six principles of good governance.
Monitor
To complete the cycle, directors should monitor, through appropriate measurement systems, the performance of IT use. They should reassure themselves that performance is in accordance with plans, particularly with regard to business objectives.
They should also make sure that the use of IT conforms with external obligations (regulatory, legislation, common law, contractual) and internal work practices. If necessary, directors should direct the submission of proposals for approval to address identified needs.
Conclusions and Future Works
Review the use of the Plan, Do, Check, Act (PDCA) lifecycle versus Evaluate, Direct, Monitor (EDM). Show mapping of EDM versus PDCA.
Incorporate human behavioural aspects to the chosen lifecycle.
Produce a diagram demonstrating the inter-relation of principles.
Develop derivative material to cover:
· Clarification on the risks of poor governance and decision making;
· Analysis on the benefits of Governance across the IT lifecycle; and
· The explanation of each principle.
Determine market requirements and then determine the coverage of future standards, for example IT Projects, IT Operations, IT Use or some other frameworks.
Development of a TR2 for CIOs and executives to assist them in explaining the rationale and implications (risks and benefits) of the principles.
Development of a TR2 for guidelines for the use of the standard by Public Sector organizations.