IT Governance (and cyber-risk) in your governance framework – Part 2

It is more evident than ever before that information technologies are essential enablers of almost all strategic and operational activities undertaken by associations and charities. Equally, we must now acknowledge that cyber-risks and cybersecurity concerns present significant risks for not-for-profit entities.

Recognising this, the importance of addressing IT governance and risk management within your organisation’s governance framework and strategy has been highlighted by peak bodies such as the Australian Institute of Company Directors (AICD) and the International Organisation for Standardisation (ISO).

AICD Directors Guide

The AICD published A Director’s Guide to Governing Information Technology and Cybersecurity (Tate and Tate) in 2016, and copies of this can be obtained from the AICD Book Store ($45 to members).

The Director’s Guide addresses its subject in three main parts:

  1. Understanding IT and Cybersecurity
  2. Implementing governance
  3. Legal Guidance

In the section related to the selection of a suitable governance framework, the Guide recommends ISO/IEC 38500:2015 Information technology — Governance of IT for the organization (which was originally developed in Australia). The ISO makes the following statements about the purpose and focus of the standard. ISO/IEC 38500:2015:

… “provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.

… “applies to the governance of the organization’s current and future use of IT including management processes and decisions related to the current and future use of IT. These processes can be controlled by IT specialists within the organization, external service providers, or business units within the organization.”

… “is applicable to all organizations, including public and private companies, government entities, and not-for-profit organizations. ISO/IEC 38500:2015 is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their use of IT.” (emphasis added)

The following chart summarises the way ISO/IEC 38500 sees the relationship between board and management roles in governing and managing the organisation, and in particular, how the board and management will liaise regarding IT-enabled business projects and operations.

Call to Action

Contact Garry Pearson at PolGovPro Pty Ltd (Mobile 0419 347 599) if you would like:

  • a Board or committee briefing on IT Governance within your governance framework, and/or measures by which to address cyber-risk in your governance framework, or
  • assistance in updating your governance framework to better address IT governance, including data protection and cyber risk management. NB PolGovPro does not offer technical IT services, and these should be sourced from reputable IT consultants and service providers.

See also

Cyber-risk in your governance framework – Part 1
