It is key to note that the core concept of IT governance mandates that strategic decisions related to IT should not only be made at the CIO level, but also at the level of directors, commissioners and even the shareholders of a company. Basically, the concept of IT governance is inseparable from the concept of corporate governance: IT governance is an integral part of corporate governance.

In the past, people might not have been aware that they were using the terminology of IT governance inappropriately; they thought IT governance was just another term for IT management, as reflected in the use of terms such as information security governance, data governance, project governance and even storage governance and bandwidth allocation governance. Perhaps the use of the terms information security governance and data governance is not entirely wrong, but what about the use of the terms project governance, storage governance and bandwidth allocation governance?

In the past, the implementation of the IT governance concept could be misleading because of the tendency in the IT industry to use the terms "management" and "governance" interchangeably. Almost everything that was touted as IT governance in the IT industry was actually just plain old IT management, whereas governance and management are two fundamentally different things.

Nowadays people are starting to become aware of the proper meaning of IT governance, especially after ISO published the ISO 38500 Corporate Governance of IT standard in 2008.

Before ISO 38500 was published, there was no single, complete IT governance framework that could be used; however, there were a number of frameworks available that could serve as a useful starting point for developing an IT governance model.

At that time, the majority of IT organizations were developing their IT governance models by borrowing heavily from existing standards or best practices such as COBIT and ITIL, or even ISO 27002. Most of the existing standards are complementary, each with strengths in a different area, so a mix-and-match approach is often used.

Before ISO 38500 was published, many experts agreed that either COBIT or ITIL was a suitable standard to use as an IT governance framework. The question is: are they really suitable as an IT governance framework, or are they actually more suitable as an IT management framework? And what is actually the difference between IT management and IT governance?

As mentioned above, IT governance is an integral part of corporate governance, so if we want to understand the difference between management and governance we can look at the difference between corporate management and corporate governance. Briefly, the difference between management and governance in the corporate context is as follows:

Management focuses on strategic decisions, management decisions and control, and operational management, while governance focuses on oversight, accountability and strategic decisions.

Based on the above brief description, and looking at the content of each standard, it can be concluded that COBIT and ITIL are standards more suitable for IT management, while ISO 38500 is a standard suitable for IT governance.

Some people may strongly disagree that COBIT is not suitable as a reference for IT governance. Yes, COBIT is a very good, detailed and comprehensive reference, but it is simply too complicated for the directors or commissioners who are in charge of IT governance in a company; if someone in the company can summarize it for them, then it is just fine.

The following statement, quoted from the ISACA website, gives us a better picture of the position of each standard: "ISO 38500 looks down from the top, much like a roof on a house. COBIT (the what) is the walls, and process frameworks such as ITIL and Projects in Controlled Environments 2 (PRINCE2) (the how) are the foundation. Using the house analogy, if the board tried to implement the roof, ISO 38500, without the foundation or walls, it would collapse. Furthermore, without the roof, enterprises would be exposed to the elements. ISO 38500 is not one size fits all. It does not replace COBIT, ITIL, or other standards or frameworks, but, rather, it complements them by providing a demand-side-of-IT-use focus."

The above statement has at least given us a clearer picture of the position of each standard, even though it raises a new question: "Does it mean that before ISO 38500 was published, we lived in a house that was not covered by a roof?" Either way – that time has passed! The REAL question is – how does your organization stack up?

