In the past few years, many frameworks and standards have been developed to cover different aspects of IT to provide best practices, such as COBIT, ITIL, CMMI, ISO/IEC 20000, ISO/IEC 38500 and ISO/IEC 27000, and improve IT governance and IT service management in organizations. This research presents how self-assessments for IT standards improve significantly the strategic and tactical evaluation of IT requirements. Self-assessments measure the state of an organization in relation to experts’ recommendations of a specific framework. As a result of the number and excellence of the current standards, the authors propose a Compliance Model (MOPLACO) that uses, as a starting point, a combination of self-assessments and standards to plan the early strategic and tactical stages of the IT departments.
TopIntroduction
Information Systems is a field that is in continuous evolution and transformation. The development of infrastructure and processing capacities, with constant adjustments in applications and standards, makes possible an endless change that allows ambitious business objectives. In the last few years, many frameworks and standards have emerged. These aim to give guidelines or best practices on how IT governance, IT management and IT operation are carried out. These frameworks are focused on different IT features such as IT Governance (ITGI, 2007), IT Services Management, (Tailor & Nieves, 2007), Software Development (CMMI, 2006); or more specific and detailed features (tactical level) such as security management, continuity management and capacity management.
The present research work can be expressed as follows: if different standards, methods, regulations and best practices are the result of many years of work done by experts in the IT field, these should be employed as a primary resource to determine the needs in our IT organization. This research concentrates on IT compliance in the IT planning process because governance, risk and corporate management are interdependent (Bhimani, 2009) and together can lead the strategy. The proposed model is called MOPLACO (MOdel of IT Strategic and Tactical PLAnning based on COmpliance with IT Standards). IT compliance is a new tendency to know the state of the organization in relation to the different IT standards, policies and regulations. From the beginning, this concept was closely related to complying with the laws and regulations within the intricate business world. However, the authors prefer to conceive IT compliance as something wider that can formulate the compliance of every type of IT external regulation and standard as internal policies and procedures. Some important norms that MOPLACO recommends as basic to planning are the service management standard ISO/IEC 20000, business continuity management standard BS25999, information security standard ISO/IEC 27001 or the IT governance standard ISO/IEC 38500.
Nowadays, much attention is being paid to regulations, mainly in banking, telecommunications or insurance (Grubb & Burke, 2008). An organization is conditioned by different types of legislative or commercial regulations, or its own policies (Tarantino, 2006). Compliance with these regulations is important to the organization because it reduces risk and avoids penalties from government agencies, improving corporate governance (Ingley & van der Walt, 2008; Rasmussen, 2008). In recent years, due to their importance, governance, risk management and compliance, or GRC, have became very popular in organizations (Tarantino, 2008).
- 1.
Governance: governance is a task for directors of organizations. It formulates policies and procedures that guide an organization to work according to their goals.
- 2.
Risk management: risk management determines the level of tolerance by taking into account possible threats. It identifies the threats and establishes priorities.
- 3.
Compliance: this area ascertains compliance with legislative or commercial regulations or the organization’s policies.