In this blog, we are going to look at governance. We are regularly asked, ‘what do you mean by governance?’ or, ‘is information governance the same as IT governance?’ There seems to be a lot of confusion and mispositioning of governance, its role and the different forms; so let us provide some clarity.
Traditionally, the response from board-level executives in relation to information security issues was to defer all decisions to the company’s CIO. In small to medium size businesses, where executive directors and senior management cover multiple roles, a CIO may not exist. The information governance responsibility often then falls to the IT department, on the premise that information = data = IT’s problem. As obligations for demonstrating good corporate governance intensify, driven by multi-faceted and ever-changing compliance initiatives, the IT Manager is likely to be overwhelmed with this perceived ownership and facing many challenges. Not least of which is the need to keep up to date with relevant legislation, codes of best practice and industry sector regulations, let alone understanding the impact these will have on the organisation’s information processing and already stretched IT resources. This leaves little time for the IT Manager to devote time and effort to what is typically their real passion – delivering excellent technology performance and efficiency.
URM’s consultants are often called upon to assist with unravelling the growing demands compliance places upon the IT department and frequently asked how effective security risk management underpins corporate governance requirements.
So, what is corporate governance? At a high level, corporate governance is the whole management system of internal controls, i.e., processes, customs, policies, laws and regulations, which affect the way a company is directed, administered or controlled. It also includes the goals which drive the company and its relationships with stakeholders, e.g., shareholders, the board of directors, employees, customers, creditors and the public. The board and officers of the company must diligently perform their duties in the best interests of their stakeholders and in the manner that ‘an ordinary prudent person would do’. Failure to do so could result in the executive being held liable, both personally and as officers of the company.
In a nutshell, IT governance is a subset of this management system that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals. Essentially, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, organisations can produce measurable results toward achieving their strategies and goals. Like corporate governance, a formal programme also takes stakeholders’ interests into account, as well as the needs of staff and the processes they follow. In the big picture, IT governance is an integral part of overall corporate governance, in which all stakeholders must have the necessary input into the IT decision making process. URM often finds this alignment between IT and corporate governance is missing or challenged, and this is particularly prevalent in relation to unauthorised and uninformed acceptance of security risks without understanding the true potential impact.
So, what is information governance and where does it fit? Information governance is the wider set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information in all its forms (electronic, paper etc) in such a way that it supports the organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements. This requires a much deeper understanding, competence and regular review, and can only be achieved with the involvement of multiple internal departments/roles e.g., IT, HR, the data protection officer, Legal, Facilities, Internal Audit etc. Ignorance is no defence in this area. For example, directors and management can still be held personally liable under data protection laws if they ‘knew, or ought to have known’ that a breach was likely and failed to prevent it.
Therefore, effectively, IT and information governance should be a subset of corporate governance. Appropriate stakeholder involvement, risk management and clear roles and responsibilities are vital.
URM can help you achieve ISO 27001 certification
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
If you want to learn more about ISO 27002:2022 and how to implement the new controls and the new attributes, you can attend URM’s ISO 27001:2022 Control Migration Course.
URM’s blog outlines the 6 of the key steps you can take to successfully implement an ISO 27001 conformant information security management system.
URM’s blog discusses the changes to the requirements around threat intelligence in ISO 27001:2022 and what certified organisations will need to do differently.
URM’s blog discusses everything you need to know about the CISMP, including its benefits, who it’s suited to, the topics the CISMP covers, and more.