According to ISO/IEC 38500, management relates to “the system of controls and processes required to achieve the strategic objectives set by the organization’s governing body. Management is subject to the policy guidance and monitoring set through corporate governance”. For COBIT®, ICT management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

This section of the guidelines provides a starting point for the application of ICT management processes overall and the ICT-based implementation of social security functions, and addresses the definition of ICT strategy and business continuity management.

The definition of an ICT strategy (Guideline 3) is especially relevant for social security institutions. On the one hand, the size and complexity of projects in social security necessitates a medium- and long-term perspective on technologies and products. First, fostering compatibility (interoperability) among ICT systems requires a prudent, forward-looking outlook and a definition of institutional standards to be followed in the long term. In addition, given the rapid obsolescence of ICT products, choosing those to be used in long-term projects requires a prospective analysis to identify those with as long a life as possible and which will enable easier evolution. On the other hand, the financial and technological dependency implications related to the selection of technologies and products necessitates medium- and long-term strategies for ICT portfolio management.

The ICT strategy aims at aligning ICT plans with the institution’s strategic objectives and plans. It also builds on enterprise architecture building blocks and components, including external services and related capabilities, to enable nimble, reliable and efficient responses to strategic objectives. To achieve this, the strategy links into information technology and related service trends, ensures the identification of innovation opportunities and enables planning so that business needs benefit from innovation.

A key activity in social security institutions is operationalizing social security functions through ICT-based approaches (Guideline 5). This mainly consists of defining and implementing ICT-related plans and projects, based on the institution’s goals and strategic plans and frameworks. The nature of implementation will ultimately depend on contextual factors, but some pointers are given here relevant to different types of social security functions. In this line, the implementation of e-services delivering a number of such functions constitutes nowadays a main activity of social security institutions (Guideline 6).