ICT governance can be defined as a “framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives”.
ISO/IEC 38500 defines corporate governance of ICT as “the system by which the current and future use of ICT is directed and controlled”. This involves evaluating and directing the use of ICT to support the organization and monitoring this use to achieve plans. The standard includes the strategy and policies for using ICT within an organization.
ISO/IEC 38500 establishes six principles for good corporate governance of ICT. The principles express preferred behaviour to guide decision-making.
Principle 1: Responsibility. Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of and demand for ICT. Those with responsibility for actions also have the authority to perform those actions.
Principle 2: Strategy. The organization’s business strategy takes into account the current and future capabilities of ICT; the strategic plans for ICT satisfy the current and ongoing needs of the organization’s business strategy.
Principle 3: Acquisition. ICT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision-making. There is appropriate balance between benefits, opportunities, costs and risks, in both the short and long term.
Principle 4: Performance. ICT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
Principle 5: Conformance. ICT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
Principle 6: Human Behaviour. ICT policies, practices and decisions demonstrate respect for human behaviour, including the current and evolving needs of all the “people in the process”.