I’ve been reading recently about governance models, particularly the ISACA governance model. Indeed, ISACA has lately revised its governance and management of enterprise IT (GEIT) framework from COBIT 4.1 to COBIT 5, incorporating several operational governance aspects, in particular a new way of defining governance goals and performance metrics, as well as new process capability maturity models.
The International Standard Organization (ISO) is also in the process of developing its own governance standard (ISO 38501: ISO/IEC JTC 1/WG6 N 261) to assist enterprises in initiating and implementing governance on an accurate and complete basis.
Two separate models to assist in implementing governance exist: COBIT 5 and the ISO governance model. The ISACA model, COBIT 5, has the merit of providing an implementation approach based on quality improvement life cycles. COBIT 5 provides enterprises with a model to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The COBIT 5 framework addresses both business and IT functional areas across an organization. Organizations of all sizes, whether private or in the public sector, can benefit from COBIT 5.
COBIT 5 is based on five key principles for GEIT:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management
The ISO governance model is more focused on IT aspects. Indeed, the ISO/IEC 38500 framework tends to be more specific to the operational aspects of IT. According to the ISO governance working group, this will ensure that organizations are appropriately guided in their use of IT, rather than operationally managed, which is the approach of the more detailed process- and controls-oriented frameworks, the outputs of which generally provide the inputs in support of GEIT.
With these two major governance models, one should ask: is one better than the other? Should each one be used in different situations?
For sure, the ISACA governance model has the advantage in terms of maturity, but the ISO standard benefits from its standard implementation maturity and its IT- and security-related legacy standards. ISO 38501 is still in draft and the approach may change, but the fact is that there is a need for a unified approach to implementing a GEIT model that bridges the ISACA and ISO approaches.
IT SECURITY CONSULTANT, NCI