IT Governance

IT governance is the structure through which an organisation ensures its use of IT supports its objectives, manages risk appropriately, and remains accountable at the right levels. Done well, it connects IT decision-making to corporate strategy. Done poorly, or not maintained after initial implementation, it becomes documentation that nobody reads and a process that nobody owns.

I have implemented governance frameworks across a range of organisations over more than twenty years, and I have seen both outcomes. The engagements that work are rarely the ones with the most comprehensive frameworks. They are the ones where governance is sized to what the organisation can actually sustain, owned by someone with the authority to act on what it reveals, and connected clearly to the risk decisions that matter.

My approach to IT governance is grounded in COBIT 2019 and informed by CRISC and CISSP knowledge. It is also informed by a practitioner’s understanding of why governance frameworks so frequently fail in practice — which shapes how I design and implement them.

If you want to understand my thinking on why IT governance fails and what a more honest approach looks like, the blog post ‘Why IT Security Governance Keeps Failing, and What Actually Needs to Change’ sets out the argument in full.

What IT Governance Is, and What It Is Not

IT governance is often confused with IT management. Management is about running IT systems effectively day to day: maintaining infrastructure, delivering projects, resolving incidents. Governance is about ensuring that IT as a whole is directed, controlled, and accountable in ways that serve the organisation’s objectives and manage its risk exposure.

COBIT 2019, the leading governance framework from ISACA, provides a structured model for this. It defines governance and management objectives across five domains: Evaluate, Direct and Monitor (the governance layer); Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; and Monitor, Evaluate and Assess (the management layers). It also provides a capability maturity model that allows organisations to assess where they are and define where they need to be, without prescribing a single universal standard.

What COBIT is not is a compliance check-list. An organisation can implement every COBIT control and still have governance that does not work, if the controls are not owned, not understood, and not connected to actual risk. The framework provides the structure; effective governance requires the human and organisational conditions to operate within that structure.

Governance as the Foundation for DR and ISMS Work

IT governance frequently comes up in the context of disaster recovery and information security management engagements, because both disciplines require governance to function properly.

A disaster recovery plan without governance is a document. Governance is what determines who owns DR planning, who has authority to invoke plans, how decisions are made during an incident, how plans are tested and updated, and how recovery performance is measured and reported. Without that governance layer, even a well-designed DR plan will degrade over time as organisational changes go untracked and ownership becomes unclear.

Similarly, an information security management system without governance is a set of controls. Governance connects those controls to risk appetite, ensures accountability for their operation, and provides the structure through which the ISMS is reviewed and improved. ISO 27001’s management system requirements are, at their core, governance requirements: they specify how security decisions are made, reviewed, and owned, not just what security controls are implemented.

In practice, this means that when a DR or ISM engagement reveals significant gaps in how the organisation makes and owns IT decisions, governance work is a natural and necessary part of addressing those gaps.

What I Provide

IT Governance Assessment

An evaluation of your existing governance structure against COBIT 2019 objectives and your organisation’s specific context. This identifies where governance is functioning, where it exists on paper but not in practice, and where it is absent entirely. The output is an honest assessment of current capability and a prioritised view of what needs to change: not a gap report measured against every COBIT objective, but a practical view of what matters most for your organisation.

Governance Framework Design and Implementation

Design of a governance framework right-sized to your organisation, drawing on COBIT 2019 structure but scoped to what can realistically be owned, operated, and maintained. This includes defining governance roles and responsibilities, establishing decision-making structures for key IT domains, and ensuring the framework connects to the risk and compliance requirements that actually apply to the organisation.

Where a full COBIT implementation is appropriate, typically in larger or more regulated organisations, I can support that. For most organisations, a focused implementation that applies COBIT 2019 governance objectives selectively, prioritising those most relevant to the organisation’s size, sector, and risk profile, is more effective than attempting to operationalise the full framework at once. The selection is grounded in COBIT’s own design principles and capability maturity model, not in substituting personal judgement for the framework.

Governance for DR and ISMS Programmes

Governance design specifically scoped to support a disaster recovery or information security management programme. This includes accountability structures, escalation frameworks, decision rights for risk acceptance, review and reporting mechanisms, and the connection between operational IT decisions and senior leadership oversight.

Governance Maturity Improvement

For organisations that have existing governance frameworks, including those implemented for ISO 27001 certification or regulatory compliance, an assessment of current maturity and a structured improvement programme. This typically involves identifying where governance has drifted from the documented framework, re-establishing ownership, and simplifying or restructuring where the framework has become too complex to maintain effectively.

Leadership and Management Briefings

One of the most consistent governance failures I encounter is the gap between IT’s understanding of governance requirements and senior management’s understanding of why those requirements exist and what they are being asked to own. I provide structured briefings that translate IT governance into the language of corporate risk, helping senior leaders understand what they are accountable for and why it matters, and helping IT managers make the case for governance in terms that resonate at board level.

Working Together

IT governance engagements vary considerably in scope. Some begin with a client who wants a governance structure built from scratch. Others begin with a DR or ISM engagement where governance gaps emerge as a significant underlying issue. Others begin with a senior leader who has read an audit report, experienced an incident, or simply started to question whether the organisation’s IT decision-making is as structured as it should be.

Whatever the starting point, the approach is the same: understand what the organisation actually needs, design something it can own and sustain, and be honest about the gap between what the documentation says and what the organisation can realistically operate. Governance that exists on paper and governance that works are not the same thing. The goal is the latter.

Contact me to discuss your requirements.