
Getting Started With

Governance of Enterprise IT (GEIT)


AN ISACA WHITE PAPER

Implementing a governance of enterprise IT (GEIT) system successfully will bring myriad benefits, including lower costs, greater control,
and overall increased efficiency and effectiveness. The primary purpose of using a GEIT system is to deliver value to stakeholders. If that
value cannot be delivered, or if its delivery is not well understood, the resources consumed to implement GEIT are wasted.

A proven GEIT framework identifies the steps that are needed to perform this value delivery and how to measure its impact and ongoing
effectiveness. Given the uniqueness of enterprises around the world, a framework is the appropriate tool to use. A framework allows, even
requires, customization to fit the enterprise it serves, as opposed to standards, which command compliance.

Enterprises with strong governance operate with lower costs and make more efficient and effective use of their resources. External parties
assess enterprises with strong governance as having greater internal control and lower general levels of risk. This last fact has been
documented in studies that look at the cost of capital. Enterprises with strong governance actually pay lower interest in the capital markets
when accessing funds.

This paper will describe the use of a framework to implement GEIT, the resources needed to do so and the benefits that can be expected.

ISACA®
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/Getting-Started-With-GEIT
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

DISCLAIMER
ISACA has designed and created the Getting Started With Governance of Enterprise IT (GEIT) white paper (the “Work”) primarily as an educational resource for governance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, governance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

© 2015 ISACA. All rights reserved.



ACKNOWLEDGMENTS

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, GRCP, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Framework Committee
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore, Chairman
David Cau, ITIL V3, MSP, Deloitte, France
Joanne De Vito De Palma, CISM, BCMM Assessor, PFI, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, Red Bull, Austria
Katherine McIntosh, CISA, CIA, Central Hudson Gas & Electric Corp., USA
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Paras Kesharichand Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
Sylvia Tosar, CGEIT, PMP, Uruguay
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance of IT (PTY) LTD., South Africa


INTRODUCTION

WHAT IS THE PURPOSE OF THIS PUBLICATION AND HOW IS IT ORGANIZED?
Practitioners need a practical guide to using GEIT frameworks without the need to become framework experts themselves. This guide will provide that pathway and lead users through the available GEIT material to quickly gain the value of using GEIT.

This guide is organized around the steps that a project team follows in implementing a GEIT system. As such, it can be used as a field guide to executing GEIT.

WHAT IS GEIT AND WHAT FRAMEWORKS ARE AVAILABLE?
Governance of enterprise information technology (GEIT) is a discipline concerned primarily with organizing the resources of an enterprise for the purpose of satisfying stakeholders. GEIT is meant to bring alignment between high-level strategic objectives and operational-level activities and work outcomes. The formal definition of GEIT in COBIT 5¹ mentions three key elements: evaluate, direct and monitor. These key elements make up the activities of GEIT and are what enterprise leaders focus on. COBIT 5 Implementation² has a much more detailed discussion of GEIT.

ISACA’s COBIT 5 is a comprehensive governance and management framework that allows the user to structure and align the enterprise resources with the requirements of their stakeholders. The International Organization for Standardization (ISO) published a standard titled ISO/International Electrotechnical Commission (IEC) 38500:2015, Information technology - Governance of IT for the organization, and ISO/IEC TR 38502:2014, Information technology - Governance of IT - Framework and model. ISO is also developing a standard titled ISO/IEC TS 38501, Information technology - Governance of IT - Implementation guide, which is planned for publication in early 2016.

As outlined in appendix E of the framework, COBIT 5 is aligned with the six principles of ISO/IEC 38500. The ISO/IEC 3850X approach is to provide principles-based guidance on the governance of IT for the organization, a subset of enterprise governance.

AXELOS owns the Information Technology Infrastructure Library (ITIL®). AXELOS is a joint venture between the British Cabinet Office and Capita plc. AXELOS also owns PRINCE2®, a project management methodology. ITIL is quite popular for determining what specific tasks can be used to accomplish specific service delivery objectives.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes a controls framework. Its most recent version was published in 2013. ISACA recently published a white paper, Relating the COSO Internal Control—Integrated Framework and COBIT³, which explains the relationship between COSO and COBIT 5 and how they can effectively be used with each other. The frameworks are complementary and compatible as guidance to support the assessment and improvement of internal control practices and activities within the governance and management arrangements of an enterprise. However, the use of both frameworks continues to require professional judgment and work by enterprise management and its auditors/advisors to comprehend, adapt and apply the principles and guidance to specific enterprise goals and enterprise capabilities. Relating the COSO Internal Control—Integrated Framework and COBIT provides support for such professional judgment.

¹ ISACA, COBIT 5, USA, 2012, www.isaca.org/COBIT
² ISACA, COBIT 5 Implementation, USA, 2012
³ ISACA, Relating the COSO Internal Control—Integrated Framework and COBIT, USA, 2014, www.isaca.org/COSO-and-COBIT

The Open Group publishes The Open Group Architecture Framework (TOGAF®), which is currently at version 9.1. TOGAF focuses on determining what the enterprise architecture should look like and then maintaining that architecture in a flexible enough manner that the enterprise can adapt to change readily.

WHAT ARE THE BENEFITS OF USING GEIT?
GEIT ensures greater alignment of IT functionality with business needs. The most commonly experienced outcomes of implementing GEIT are improvements in the management of IT-related risk and in communication and relationships between business and IT. GEIT can also help to transition IT’s role to a more proactive one. This can be done through the use of mechanisms such as GEIT boards, an appropriate organization structure encompassing roles for managing business relationships, and standardized processes to effectively bridge business demand with IT supply. IT innovation offers ample opportunities for IT to play a more proactive role. For example, GEIT enablers, such as optimal investment management processes, can help ensure a balance between IT innovation and “run-the-business” initiatives.

GEIT initiatives must take a balanced and holistic view of the five GEIT focus areas: strategic alignment, risk management, value delivery, resource management and performance measurement. During an economic crisis, when there is a strong focus on managing cost, effective GEIT can ensure that this focus is balanced with a view on investments that can generate cost savings and are ultimately self-funding.

Successfully implementing GEIT depends on several factors: change management, communication, proper scoping and identification of achievable objectives. The outcomes of a successful GEIT implementation include both shorter-term, tangible benefits, such as reduced cost, and longer-term benefits, such as enhanced management of IT-related risk, improved relationships between business and IT, and increased business competitiveness.

A strong presence of GEIT can also contribute to lower financing costs, because lenders assess the risk level of the enterprise as lower when its internal control is stronger.

IMPLEMENTING A GEIT FRAMEWORK
Commitment from the enterprise leadership at the highest level (C-suite, board of directors, etc.) is necessary to ensure a successful implementation. After that commitment is secured, a comprehensive GEIT implementation may proceed. In the sections below, a step-by-step approach for implementing GEIT is presented.

UNDERSTANDING WHEN TO IMPLEMENT A FRAMEWORK
Securing commitment to implement GEIT requires a clear discussion of the pain points that an enterprise is experiencing. From the pain points identified, a business case for the implementation of GEIT can be built. This business case will be used to identify the scope of the GEIT implementation project and to help understand the resources that it will require.

The decision to implement is then a matter of confirming that the reasons prompting the desire to adopt or upgrade the framework are worthwhile. If they are not, the resources expended are likely to be for naught. Pain points and their related trigger points are discussed further in the COBIT 5 Implementation guide.


ACTION ITEMS:
1. Write business case for implementing GEIT.

STEPS TO IMPLEMENT GEIT
Follow an established project methodology to ensure reasonable use of resources and control of implementation project deliverables, budget and timing.

Initially, for an enterprise to implement a new GEIT system, commitment must be secured from the highest levels. GEIT implementation can only succeed when the C-suite, board of directors and others of the highest authority drive the need for it.

After commitment to implementing GEIT is in place, the real work begins. A project team must be assembled, and it should temporarily take ownership of getting the appropriate GEIT elements in place. This implementation team should then develop a project plan based on the seven implementation phases from the COBIT 5 Implementation guide. Figure 1 is taken from COBIT 5 and shows the seven phases.

Getting the Environment and Resources in Place
The enterprise must be ready for a significant GEIT implementation. Getting resources in place is necessary, but more important is making certain that staff understand the urgency of the project and what is needed. This is getting change enablement in place.

Figure 1—Implementation Phases

The seven phases of the implementation life cycle, each with its programme management (outer ring), change enablement (middle ring) and continual improvement life cycle (inner ring) activities:

1 What are the drivers? Initiate programme / Establish desire to change / Recognise need to act
2 Where are we now? Define problems and opportunities / Form implementation team / Assess current state
3 Where do we want to be? Define road map / Communicate outcome / Define target state
4 What needs to be done? Plan programme / Identify role players / Build improvements
5 How do we get there? Execute plan / Operate and use / Implement improvements
6 Did we get there? Realise benefits / Embed new approaches / Operate and measure
7 How do we keep the momentum going? Review effectiveness / Sustain / Monitor and evaluate

Source: ISACA, COBIT 5, USA, 2012, figure 17


ACTION ITEMS:
1. Establish the project team’s authority.
2. Communicate vision.
3. Empower all team members to carry out their charge.

One of the earliest actions the project team will undertake is selecting a framework. Assuming COBIT 5 will be used, the framework must be carefully understood and then modified as needed to fit the enterprise. All of the materials presented in COBIT 5 are examples and are not meant to be a prescriptive approach or the complete solution. Carefully determine which elements are needed, and communicate those to the project sponsor(s).

Determining what the enterprise needs is done through a complete examination of stakeholder requirements. These requirements determine all enterprise goals that follow. These enterprise goals will make clear what other goals, IT and other resources (enablers), will be required. The COBIT 5 framework contains a deeper discussion of the goals cascade. It is shown in figure 2.

Figure 2—Goals Cascade

Stakeholder Drivers (Environment, Technology Evolution, …)
  Influence
Stakeholder Needs: Benefits Realisation, Risk Optimisation, Resource Optimisation
  Cascade to
Enterprise Goals
  Cascade to
IT-related Goals
  Cascade to
Enabler Goals

Source: ISACA, COBIT 5, USA, 2012, figure 4

ACTION ITEMS:
1. Assemble project team.
2. Assess current drivers and pain and trigger points for implementing GEIT.
3. Consider all seven enablers when considering resources to support.

Creating a Plan
Establish an implementation plan, and secure approval from the highest level of authority to implement it. This acts as a project charter and provides authority to the project team members in conducting the implementation. This authority is necessary because resources will be needed from various areas in the enterprise, and their superiors must be committed to their availability.

ACTION ITEMS:
1. Project team should create project plan, showing all sub-plans (communication, procurement, etc.) that will be needed to implement GEIT.
2. Identify specific milestones to demonstrate accomplishment of each implementation phase.
3. Deliver project plan to project sponsor, and ask for approval to move forward with the overall plan.

Executing the Plan
Follow the implementation plan, delivering on milestones as planned and creating project continuation or departure points. Use appropriate tools (the goals cascade and a Responsible, Accountable, Consulted, Informed [RACI] chart) in determining how strategic goals and stakeholder objectives will be satisfied (value delivery). Apply the framework as broadly as the enterprise needs.

ACTION ITEMS:
1. Implement the GEIT plan.
2. Report on milestone accomplishments.


INTEGRATING MULTIPLE FRAMEWORKS, STANDARDS AND GOOD PRACTICES
Consider whether there are multiple frameworks or sets of standards in place in the enterprise. If there are, plan for their integration into the overarching framework. Consider which framework is the most appropriate for GEIT over IT resources.

UNDERSTANDING AVAILABLE AND NECESSARY RESOURCES (PROCESSES, ETC.)
Enterprise resources need to tie processes into the internal control environment, which likely will have risk and controls detailed against a control matrix of control designs and control objectives. Plan to provide detail on how control objectives can be derived from governance and management practices.

MANAGING CHANGE
Be careful to provide only the level of GEIT detail that the enterprise needs. In particular, define domains, processes and practices only to the extent that users in the enterprise need these terms. Be mindful that a common language is an important aspect of a successful framework implementation.
