During my continued exploration of IT Control Frameworks, I have been examining elements of enterprise operation at the Strategic (IT Governance), Operational (Project Management) and Tactical (IT Service Management) levels. All of these areas are covered by my professional certifications, which include the ITIL, PMP, and CGEIT as well as many others like CISSP, CISA, CISM, and CRISC in addition to less-than-Enterprise scale achievements on Cisco Networking, Microsoft and Linux operating systems and the like.
This post addresses IT Governance/COBIT and CGEIT.
WHY will we do it?
Moving up the pyramid from the Tactics of ITSM through the Operations of PPP Management, we arrive at the Strategic level addressing IT Governance (ITG). This practice is often confused with IT Management functions, but is distinct as a subset discipline of Corporate Governance, ensuring that IT Management functions operate so as to create value for the stakeholders based on the direction given – in fact principle 5 of the COBIT (version5) IT Governance methodology is “Separating Governance from Management” so that both can focus on their specific roles and duties. Governance helps to guide WHAT we will do and HOW we will do it with Strategic details on WHY we will do (or cease to do) the practices our Tactical and Operational controls afford.
Created originally by the Information Systems Audit and Control Association (ISACA), the Control Objectives for IT (COBIT) is now on version 5 and has been transferred to the IT Governance Institute (ITGI) for a more global reach beyond individual governmental IT Governance frameworks such as the Australian AS 8015-2005 or general corporate governance practices such as the Balanced Scorecard (BSC) approach. IT Governance is often blended in with IT Management because it is commonly merged with Risk and Compliance, and because enterprise roles tend to be defined around Governance, Risk and Compliance (GRC) together, where Compliance Audit and Risk Management are the more visible parts.
The progress of COBIT has shown this ongoing transition with each new version: the original COBIT framework was focused on Audit practices, COBIT 2 added Control, later versions extended through Management and IT Governance with the addition of the Val IT and Risk IT sub-framework components, and these were finally rolled into COBIT 5 for Enterprise Governance as a whole. My own certifications illustrate this progression around Governance with the CISA (System Audit) and CISM (Security Manager), then the CRISC (Risk Management) and finally the CGEIT (Governance of Enterprise IT). Each of these credentials requires validated experience and a multi-hour proctored exam, and each represents knowledge and experience in aspects of the COBIT methodology and in guiding the IT elements of an enterprise setting. The CGEIT in particular requires 5 or more years of experience in the practice of IT Governance, covering two or more of the following Domains:
- Strategic Management
- Benefits Realization
- Risk Optimization
- Resource Optimization
Two years as a full-time University instructor teaching IT Governance can replace one year of this requirement, but there are no “entry level” options for the CGEIT for developing IT Governance professionals. The CGEIT designation is simply not awarded until all requirements are met, and then yearly renewals and ongoing Continuing Professional Education (CPE) requirements ensure that practitioners must continue to develop their skills to meet emerging needs in the Enterprise setting. Mentoring and participation in professional activities are also included in the requirement for maintaining the CGEIT designation.
The COBIT Framework is now up to its 5th version, with tools and design strategies comprising 34 Processes aligned with other standards such as COSO, ITIL, TOGAF, and PMBOK as well as EU-specific practices like Prince2. Continually evolving needs are met by add-on documents like “COBIT 5 for Information Security (2012)” and “COBIT 5 for Assurance (2013)” as well as focused guides for integration with ITSM, Basel II, ISO/IEC 27002, CMMI, or Sarbanes-Oxley requirements.
“By properly guiding IT operations through IT Governance (ITG) practices, we identify WHY we will do (or cease to do) what is needed to provide value within our enterprise.”