What is the Difference Between IT and Information Governance?

Published on 27 Jul 2022

In this blog, we are going to look at governance.  We are regularly asked, ‘what do you mean by governance?’ or, ‘is information governance the same as IT governance?’ There seems to be a lot of confusion and mispositioning of governance, its role and the different forms; so let us provide some clarity.

Traditionally, the response from board-level executives in relation to information security issues was to defer all decisions to the company’s CIO.  In small to medium size businesses, where executive directors and senior management cover multiple roles, a CIO may not exist.  The information governance responsibility often then falls to the IT department, on the premise that information = data = IT’s problem.  As obligations for demonstrating good corporate governance intensify, driven by multi-faceted and ever-changing compliance initiatives, the IT Manager is likely to be overwhelmed by this perceived ownership and to face many challenges, not least the need to keep up to date with relevant legislation, codes of best practice and industry sector regulations, let alone understanding the impact these will have on the organisation’s information processing and already stretched IT resources.  This leaves the IT Manager little time to devote to what is typically their real passion – delivering excellent technology performance and efficiency.

URM’s consultants are often called upon to assist with unravelling the growing demands that compliance places upon the IT department, and are frequently asked how effective security risk management underpins corporate governance requirements.

So, what is corporate governance?  At a high level, corporate governance is the whole management system of internal controls, i.e., processes, customs, policies, laws and regulations, which affect the way a company is directed, administered or controlled.  It also includes the goals which drive the company and its relationships with stakeholders, e.g., shareholders, the board of directors, employees, customers, creditors and the public.  The board and officers of the company must diligently perform their duties in the best interests of their stakeholders and in the manner that ‘an ordinary prudent person would do’.  Failure to do so could result in the executive being held liable, both personally and as officers of the company.

In a nutshell, IT governance is a subset of this management system that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals. Essentially, IT governance provides a structure for aligning IT strategy with business strategy.  By following a formal framework, organisations can produce measurable results toward achieving their strategies and goals.  Like corporate governance, a formal programme also takes stakeholders’ interests into account, as well as the needs of staff and the processes they follow.  In the big picture, IT governance is an integral part of overall corporate governance, in which all stakeholders must have the necessary input into the IT decision making process.  URM often finds this alignment between IT and corporate governance is missing or challenged, and this is particularly prevalent in relation to unauthorised and uninformed acceptance of security risks without understanding the true potential impact.

So, what is information governance and where does it fit?  Information governance is the wider set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information in all its forms (electronic, paper, etc.) in such a way that it supports the organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.  This requires a much deeper understanding, competence and regular review, and can only be achieved with the involvement of multiple internal departments/roles, e.g., IT, HR, the data protection officer, Legal, Facilities, Internal Audit, etc.  Ignorance is no defence in this area.  For example, directors and management can still be held personally liable under data protection laws if they ‘knew, or ought to have known’ that a breach was likely and failed to prevent it.

Therefore, effectively, IT and information governance should be a subset of corporate governance.  Appropriate stakeholder involvement, risk management and clear roles and responsibilities are vital.
