“Corporate Governance of Information and Communication Technology is the System by which the Current and Future Use of ICT is Directed and Controlled.”
This formal definition was developed for the Australian Standard for Corporate Governance of Information and Communication Technology, AS8015, and carried over unchanged to ISO/IEC 38500.
It provides clarity in the face of numerous industry and vendor-created definitions, many of which focus on subsets of the overall systems of control.
ISO/IEC 38500 is designed to help organisations reduce risk and improve success with IT investments and IT enabled business operations. It does this by guiding leaders of organisations including senior executives and board directors in oversight of IT use.
ISO/IEC encourages adoption of behaviours throughout the organisation, to ensure that IT use is efficient, effective and acceptable, in pursuit of the organisation’s objectives, with appropriate levels of risk and reward.
Good governance of IT, from the top, has direct benefits to corporate performance overall, as well as reducing the risk of IT failures for that current and future business operations. Researchers such as Peter Weill at MIT’s Sloan Management School have demonstrated that, in addition to direct cost savings, good governance of IT drives higher return on investment in IT and, most importantly, higher return on assets for the organisation overall.
An effective system for Governance of IT should be designed around three fundamental processes, overseen by and operating under the delegated authority of the organisation’s governing body.
These processes should Evaluate the potential use of IT, Direct its use in current and future business and Monitor the performance and conformance of IT as a business tool.
The Governance System should ensure that decisions regarding the use and delivery of ICT to the organisation are rational and appropriate. ISO/IEC 38500 provides guidance for decision making in the form of six Principles of Good ICT Governance:
Infonomics recommends that organisational behaviour in planning and using IT should be guided by clear top level policies that correspond to the six principles and embed the organisation’s attitudes in the decision-making processes.