IT Governance Concepts


by Brady Hicks

Docid: 00021382

Publication Date: 2204

Report Type: TUTORIAL


The term “IT governance,” at its core, represents a system for optimally
using information technology to best achieve an organization’s goals. The
practice came about after groups in a variety of industries began to feel
increased pressure to more formally control IT practices, leading to
technology being viewed as something for top executives to govern. As a
result, IT departments are provided with an overall direction based on the
same strategic thinking that guides other core business activities. Such a
large-scale philosophical shift has changed the role of IT within
organizations. Understanding this change and adapting to it are critical
for today’s enterprises, which have complex technology environments and
must comply with a range of legal and regulatory demands. This
tutorial examines these considerations.

Executive Summary

The concept of “IT governance” refers to a system that is designed to
better promote the use of information technology to achieve one’s goals.
This subset of the term “corporate governance” focuses in particular on
performance and risk management, and is not to be confused with IT
management, which relates more to the IT resources that are employed to
better meet an organization’s priorities.

Related Faulkner Reports:

  • Enterprise Governance, Risk, and Compliance Software Tutorial
  • ITIL for Enterprise IT Management
  • IT Project Risk Management Tutorial
  • The ISO 9001 Quality Management Standard

A combination of trends, however, now seems to be forcing organizations to
approach IT differently than they did just a few years ago. Among the more
prominent concerns are:

  • Regulations – Elevate IT concerns to corporate
  • Security Breaches and Web Site Outages – Make IT shortcomings more visible to the public
  • Hacker Sophistication – Compounds the process of coping with threats

As a result of these and other threats, executives are often left
accountable when issues arise. IT governance – unlike IT management – is
both strategic and business oriented, and focuses on long-term
planning. This shift – from IT management to governance – leads to the
need for many potential changes, including:

  • Chains of Authority
  • Decision-Making Policies
  • Skill Demands for Technical Personnel
  • Options for Measuring Performance

It should also be noted that the process for making this transition can
be assisted through published frameworks such as ITIL (IT Infrastructure
Library) and COBIT (Control Objectives for Information and Related
Technologies), although these frameworks only provide the skeleton for a
governance program. As a result, any organization that looks to implement
a comprehensive IT governance program needs to:

  • Flesh out details, based on circumstances and goals
  • Reconsider past IT philosophies
  • Carefully benchmark performance
  • Actively monitor the new system and direct changes as necessary



The practice of governance treats IT much like functions such as
financial and operational planning. Governance uses the vocabulary and
methodologies of business to guide IT strategy and measure results. The
practice starts from the top down, specifying broad strategic aims and
measurable goals rather than tactics or technical details.

IT Management Differences

Table 1 identifies the differences between IT management and IT

Table 1. IT Management vs. IT Governance

  IT Management                                   | IT Governance
  ------------------------------------------------|------------------------------------------------------------------
  Overseen by an IT director or                   | Overseen by executives, possibly a dedicated Chief Information Officer
  Technology focused                              | Business focused
  Focused on everyday oversight and near-term     | Focused on long-term planning
  planning                                        |
  Tactical thinking                               | Strategic thinking
  Charged with determining how to execute plans   | Charged with answering the following planning questions:
                                                  | Why? What? When?

Similarities to IT Management

The transition from “IT management” to “IT governance” is a gradual
process. An organization may choose to structure its transition by using a
“levels of maturity” approach that is defined by milestones along the path
from simple management to full governance. Each milestone represents a
more stable way of operating. In an organization with good governance, IT
managers will more than likely develop a more business-centered mindset,
and executives will learn some technical vocabulary. As organizations begin to
put IT governance practices into place, however, new developments tend to
occur, such as:

  • New chains of authority
  • Longer-term thinking
  • New decision-making policies (e.g., ROI analysis for IT decisions)
  • New relationships (cloud and mobile providers)
  • New vocabularies
  • Added requirements for personnel skills
  • Revised hiring standards
  • Different performance metrics
  • Close collaboration
  • Broad information sharing

Current View


IT governance is growing more formal and more widespread in part because
technology environments are growing more complex and diverse, encompassing
cloud-based and mobile communications. At the same time, IT departments
have experienced somewhat of a fundamental shift from being a specialized
business unit to being a core part of enterprise strategies. The increased
formality can be seen in the rise of standards and published practices
relating to governance. Among the more noteworthy frameworks are:

  • ITIL – IT Infrastructure Library is a framework that
    defines core best practices for IT governance and management.
  • COBIT – Control Objectives for Information and
    Related Technology is an IT governance control framework for meeting
    regulatory compliance, risk management, and aligning IT strategy with
    organizational goals.
  • ISO 38500 – ISO 38500 is a global standard for IT

ITIL

ITIL (originally, the IT Infrastructure Library) is a framework that
defines core best practices for IT governance and management. It has grown
and evolved since its first incarnation in the early 1990s. Version 4
of the standard was officially released in February 2019, 12 years after
Version 3, which is now being retired.1


V3 is structured around the service lifecycle. It consists of five books
plus the Official Introduction, which summarizes the service lifecycle for

The current set of core books is:

  1. Service Strategy – Covers financial management,
    service portfolio management, and demand management. Service strategy is
    the center of the current ITIL lifecycle approach.
  2. Service Design – Covers service catalog management,
    service level management, capacity management, availability management,
    IT service continuity management, information security management, and
    supplier management.
  3. Service Transition – Covers the movement of services
    from design and development to production. It includes transition
    planning and support, change management, service asset and configuration
    management, release and deployment management, service validation and
    testing, evaluation, and knowledge management.
  4. Service Operation – This is the most visible
    component, encompassing event management, incident management, request
    fulfillment, problem management, access management, monitor and control,
    IT operations, and service desk.
  5. Continual Service Improvement – An ongoing process
    to examine and improve components of the other four areas.


Many aspects of the design of ITIL 3 carry over to version 4, but there are
differences. Overall, the new version aims to be “more agile” and more
“value-driven.”2 The focus on agility is in step with the trend
in software development toward approaches that are more flexible and that
encourage closer collaboration with IT operations as well as non-technical

The focus on “value” is made explicit by Axelos, which contends that
because of the evolution of technology, it has become “crucial” for
organizations to “understand the value of IT, and to know how to
articulate that value.”4 In this conception of IT, value is a
key metric for making investment decisions. The focus on value is also
connected to the new version’s tilt toward the IT-as-a-service approach,
which, also in step with industry trends, encourages IT to be viewed as a
service delivered to customers, even if they are internal employees.5

With version 4, Axelos has also sought to argue for ITIL’s applicability
to particular new technologies, including cloud computing, artificial
intelligence, Big Data, the Internet of Things, and blockchain.6

COBIT

According to ISACA, COBIT is a framework for the governance and
management of enterprise IT, defining the:

  • Components to build and sustain a governance system
  • Design factors that should be considered by the enterprise to build a
    best fit governance system

Importantly, COBIT is not:

  • A full description of the whole IT environment of an enterprise
  • An IT technical framework to manage all technology7

The current COBIT version is COBIT 2019.

ISO 38500

According to the International Organization for Standardization (ISO), ISO/IEC
38500:2015: Information technology – Governance of IT for the
provides guiding principles for members of governing
bodies of organizations (which can comprise owners, directors, partners,
executive managers, or similar) on the effective, efficient, and
acceptable use of information technology (IT) within their organizations.

It also provides guidance to those advising, informing, or assisting
governing bodies. They include the following:

  • Executive managers
  • Members of groups monitoring the resources within the organization
  • External business or technical specialists, such as legal or
    accounting specialists, retail or industrial associations, or
    professional bodies
  • Internal and external service providers (including consultants)
  • Auditors

ISO/IEC 38500:2015 is applicable to all organizations, including public
and private companies, government entities, and not-for-profit
organizations. ISO/IEC 38500:2015 is applicable to organizations of all
sizes from the smallest to the largest, regardless of the extent of their
use of IT. 

Note: The ISO is presently preparing a new, replacement
standard: ISO/IEC CD 38500.



There is a broad push, in both the public and private sector, for
organizations to implement better IT governance. The factors driving
increased adoption are tied to the long-term development of information
technology and how it is employed by enterprises. Therefore, governance is
almost certain to continue becoming more formal, more standardized, and
more widespread.

Still, the practice’s application to IT is maturing. Areas in which
governance will likely continue to develop include cloud-based computing
oversight, social media management, and other areas governing the flexible
maintenance of IT deployments. As the leading governance frameworks
continue to change over time – and other drafts gain more influence – the
shape that IT governance practices take will likely only continue to
change. While best practices are often dictated from the top down, as they
are by these frameworks, they also tend to emerge naturally as certain
organizations develop effective approaches that other organizations



As the landscape for IT governance continues to mature, most
organizations would do well to follow a number of recommendations.

Change Philosophies, Not Just Processes

Implementing effective governance requires a broad philosophical shift.

Focus On More Widely-Held Frameworks

Governance strategy does not need to conform to a standard approach;
however, an organization should consider whether its approaches are widely
followed. Using governance practices that are well established will keep
an organization in step with the rest of its industry, thus satisfying
many of the needs of regulators, partners, and customers. Doing so will
also help an organization take advantage of the collective wisdom of
the many contributors to the creation of a best practice. The benefits of
using a widely accepted approach can be weighed against the advantages of
using a purely customized approach, which include being more flexible and
more responsive to the demands of everyday business and to industry

Actively Monitor Results

IT governance aims to ensure that information technology supports an
organization’s business goals. Thus, as plans and business climates
change, governance practices must keep pace. The more that executives and
other company leaders engage in monitoring a governance program, the more
likely that organization will be able to effectively make such

Combine IT and Security Governance

With security management – and security governance – claiming a larger
share of enterprise attention, especially as the number and severity of
cyber attacks (particularly ransomware attacks) increase, enterprise CEOs and
other stakeholders should insist on integrating IT and security governance
standards and on rationalizing any differences between the two.


1 “ITIL 4: The Framework for the Management of IT-Enabled
Services.” Axelos.

2 Sarah K. White. “ITIL 4: ITSM Gets Agile.” CIO. January
10, 2019.

3 Ibid.

4 Mark Smalley. “ITIL 4 and Fast Value Co-Creation.” Axelos.
February 2019.

5 Sarah K. White. “ITIL 4: ITSM Gets Agile.” CIO. January
10, 2019.

6 Mark O’Loughlin. “ITIL 4 and the Cloud.” Axelos. February

7 “Introducing COBIT 2019.” ISACA. 2018.


About the Author


Brady Hicks is an editor with Faulkner Information
Services. He writes about computer and networking hardware, software,
communications networks and equipment, and the Internet.
