The complex world of IT – Is there an easy way out?

Last Updated Saturday, October 30, 2010 09:46:41 PM


Being a CIO these days is not for everyone. The daunting task of deciding and prioritising between the abundance of standards, regulations and best practices that are available means that surviving requires clear thinking and a defined end goal.

When looking at the complex world of Program Management, a number of issues immediately spring to mind: Enterprise Risk Management, Vulnerability Management, Business Continuity Management, Metrics and Measurement, Corporate Governance, Management buy-in, Audit findings and Budget approval, to name but a few. The picture looks overwhelming, to say the least.

Add to this mix some current laws and legislation, such as the Promotion of Access to Information Act, the ECT Act, the Regulation of Interception of Communications Act, the Companies Act, the Protection of Personal Information Bill and the Protection of Information Bill (not even mentioning the confusion between the latter two), and the plot thickens.

And we haven’t even started talking about standards and best practices. Let’s add to the mix: ISO 20000, ISO 27001/2, ISO 38500 and BS 25999. What about best practices, frameworks and methodologies such as King III, ITIL, CobiT, Val IT, SOA, SAS 70, CMMI, Togaf, Zachman, Six Sigma, COSO, Etom, MOF, Prince2 and PMBok?

So what is the answer? Where does one begin?  
The truth is there is no easy answer, but one should start by:

  • Understanding the strategic needs of the organisation
  • Balancing these needs against applying the relevant standards, frameworks and best practices

By using a framework to evaluate the role of standards, regulations and best practices, 4 questions can be asked:

  • What will be the role of the standard, regulation or best practice in my organisation? Options are:
    • Prescriptive
    • Guideline
    • Assessment
  • What is the scope to apply the standard, regulation or best practice? Options are:
    • Enterprise wide
    • IT specific
  • If it is enterprise wide, what should be the focus area? Options are:
    • Quality improvement
    • Corporate Governance
  • If it is IT specific, what should be the focus area? Options are:
    • IT Governance
    • IT Service Management
    • IT functions
    • IT assets

Standards, regulations and best practices must be implemented to enable IT to be more effective, efficient and compliant. Otherwise the joke may be on you: paying R1000.00 to fix a fault in the factory, of which R10.00 is for tapping with a hammer and R990.00 is for knowing where to tap.

Author: Peet Smith, CISA, CGEIT, CISSP, ISO 27000 LA
Peet is a Principal Consultant in the GRC Division of Aptronics. He is also the Managing Director of Information Security Group Africa (ISG Africa).
