Getting Started With Governance of Enterprise IT (GEIT) : An Isaca White Paper
Implementing a governance of enterprise IT (GEIT) system successfully will bring myriad benefits, including lower costs, greater control,
and overall increased efficiency and effectiveness. The primary purpose of using a GEIT system is to deliver value to stakeholders. If that
value cannot be delivered, or if its delivery is not well understood, the resources consumed to implement GEIT are wasted.
A proven GEIT framework identifies the steps that are needed to perform this value delivery and how to measure its impact and ongoing
effectiveness. Given the uniqueness of enterprises around the world, a framework is the appropriate tool to use. A framework allows, even
requires, customization to fit the enterprise it serves, as opposed to standards, which command compliance.
Enterprises with strong governance operate with lower costs and make more efficient and effective use of their resources. External parties
assess enterprises with strong governance as having greater internal control and lower general levels of risk. This last fact has been
documented in studies that look at the cost of capital. Enterprises with strong governance actually pay lower interest in the capital markets
when accessing funds.
This paper will describe the use of a framework to implement GEIT, the resources needed to do so and the benefits that can be expected.
ISACA®
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: www.isaca.org/Getting-Started-With-GEIT
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
ACKNOWLEDGMENTS

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Framework Committee
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore, Chairman
David Cau, GRCP, ITIL V3, MSP, Deloitte, France
Joanne De Vito De Palma, CISM, BCMM Assessor, PFI, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, Red Bull, Austria
Katherine McIntosh, CISA, CIA, Central Hudson Gas & Electric Corp., USA
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
Sylvia Tosar, CGEIT, PMP, Uruguay
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance of IT (PTY) LTD., South Africa
INTRODUCTION

WHAT IS THE PURPOSE OF THIS PUBLICATION AND HOW IS IT ORGANIZED?
Practitioners need a practical guide to using GEIT frameworks without the need to become framework experts themselves. This guide will provide that pathway and lead users through the available GEIT material to quickly gain the value of using GEIT.

As outlined in appendix E of the framework, COBIT 5 is aligned with the six principles of ISO/IEC 38500. The ISO/IEC 3850X approach is to provide principles-based guidance on the governance of IT for the organization, a subset of enterprise governance.
1. ISACA, COBIT 5, USA, 2012, www.isaca.org/COBIT
2. ISACA, COBIT 5 Implementation, USA, 2012
3. ISACA, Relating the COSO Internal Control—Integrated Framework and COBIT, USA, 2014, www.isaca.org/COSO-and-COBIT
© 2015 ISACA. All rights reserved.
The Open Group publishes The Open Group Architecture Framework (TOGAF®), which is currently at version 9.1. TOGAF focuses on determining what the enterprise architecture should look like and then maintaining that architecture in a flexible enough manner such that the enterprise can adapt to change readily.

WHAT ARE THE BENEFITS OF USING GEIT?
GEIT ensures greater alignment of IT functionality with business needs. The most commonly experienced outcomes of implementing GEIT are improvements in management of IT-related risk and communication and relationships between business and IT. GEIT can also help to transition IT's role to a more proactive one. This can be done through the use of mechanisms such as GEIT boards, an appropriate organization structure encompassing roles for managing business relationships and standardized processes to effectively bridge the business demand with the IT supply. IT innovation offers ample opportunities for IT to play a more proactive role. For example, GEIT enablers, such as optimal investment management processes, can help ensure a balance between IT innovation and "run-the-business" initiatives.

GEIT initiatives must take a balanced and holistic view of the five GEIT focus areas: strategic alignment, risk management, value delivery, resource management and performance measurement. During an economic crisis, when there is a strong focus on managing cost, effective GEIT can ensure that this focus is balanced with a view on investments that can generate cost savings and are ultimately self-funding.

Successfully implementing GEIT depends on several factors: change management, communication, proper scoping and identification of achievable objectives. The outcomes of a successful GEIT implementation produce both shorter-term, tangible benefits, such as reduced cost, and longer-term benefits, such as enhanced management of IT-related risk, improved relationships between business and IT, and increased business competitiveness.

A strong presence of GEIT can also contribute to lowered financial costs because lenders assess the risk level of the enterprise due to increased control.

IMPLEMENTING A GEIT FRAMEWORK
Commitment from the enterprise leadership at the highest level (C-suite, board of directors, etc.) is necessary to ensure a successful implementation. After that commitment is secured, a comprehensive GEIT implementation may proceed. In the sections below, a step-by-step approach for implementing GEIT is presented.

UNDERSTANDING WHEN TO IMPLEMENT A FRAMEWORK
Securing commitment to implement GEIT requires a clear discussion of pain points that an enterprise is experiencing. From the pain points identified, a business case for the implementation of GEIT can be built. This business case will be used to identify the scope of the GEIT implementation project and to help understand the resources that it will require.

The implementation is a simple matter of confirming that the reasons prompting the desire to adopt or upgrade the framework are worthwhile. If not, the resources expended are likely to be for naught. Pain points and their related trigger points are discussed further in the COBIT 5 Implementation guide.
[Figure: the implementation life cycle, shown as three concentric rings. The outer ring is programme management, the middle ring is change enablement, and the inner ring is the continual improvement life cycle. The cycle passes through seven phases: 1 What are the drivers? 2 Where are we now? 3 Where do we want to be? 4 What needs to be done? 5 How do we get there? 6 Did we get there? 7 How do we keep the momentum going?]
[Figure: the goals cascade. Stakeholder needs influence benefits realisation, risk optimisation and resource optimisation, which cascade to enterprise goals, then to IT-related goals, then to enabler goals.]

EXECUTING THE PLAN
Follow the implementation plan, delivering on milestones as planned and creating project continuation or departure points. Use appropriate tools (goals cascade and Responsible, Accountable, Consulted, Informed [RACI] chart) in determining how strategic goals and stakeholder objectives will be satisfied (value delivery). Apply the framework as broadly as the enterprise needs.

ACTION ITEMS:
1. Implement the GEIT plan.
2. Report on milestone accomplishments.
INTEGRATING MULTIPLE FRAMEWORKS, STANDARDS AND GOOD PRACTICES
Consider whether there are multiple frameworks or sets of standards in place in the enterprise. If there are, plan for their integration into the overarching framework. Consider which framework is the most appropriate for GEIT over IT resources.

MANAGING CHANGE
Be careful to provide only the level of GEIT detail that the enterprise needs. In particular, define domains, processes and practices only to the extent that users in the enterprise need these terms. Be mindful that a common language is an important aspect to a successful framework implementation.
UNDERSTANDING AVAILABLE AND NECESSARY RESOURCES (PROCESSES, ETC.)
Enterprise resources need to tie processes into the
internal control environment, which likely will have risk
and controls detailed against a control matrix of control
designs and control objectives. Plan to provide detail on
how control objectives can be derived from governance and
management practices.