At the strategic level, the question is whether sufficient leadership, structures and processes are in place to achieve the objectives and support the business strategy. With regard to IT, this concerns the following:
- Alignment of the ICT strategy with the strategies and objectives of the organization;
- The support of the organization's strategies and objectives through the ICT governance structure.
With regard to the IT governance structure, the following topics are important:
- Organization structure: Do the IT organizational structure and human resources management (personnel management) support the organization's strategies and objectives?
- Policy: Do the IT policies (and the associated standards and procedures, and the processes for their development, approval, release/publication, implementation and maintenance) support the IT strategy and compliance with regulatory and legal requirements?
- Accountability mechanisms: Does the monitoring and reporting of IT key performance indicators (KPIs) provide management with sufficient and timely information?
- Monitoring practices: Does IT management's monitoring of control measures (e.g. continuous monitoring and quality assurance) provide sufficient insight into compliance with the policies, standards and procedures?
We can support you in answering these questions.
At the tactical level, the central question is whether the methods, techniques and tools for purchasing, developing, testing and implementing information systems support the strategies and objectives of the organization. The following topics are important here:
- The business case for the intended investments in information systems;
- The internal and/or external IT vendors and the processes that ensure that the organization's service levels and management objectives are met;
- The project management and controls that ensure that business requirements are met in an effective and efficient manner while adequately managing risks to the organization;
- The qualitative and quantitative progress of a project in accordance with the project plans;
- The operation of control measures within the information systems during the development and testing phases;
- The "readiness" of information systems for implementation and migration to production;
- The functioning of systems after commissioning.
We can support you in obtaining assurance about these subjects.
At the operational level, it is important to ensure that IT service level expectations are derived from the company's business objectives and that these expectations are met by the IT organization. The following topics are important here:
- The IT service management framework and practices (internally or by third parties) to determine whether the service levels expected by the organization are being met and whether the strategic objectives are being met;
- The continued compliance of information systems with the objectives of the organization;
- IT management activities (operations, configuration management, capacity and performance management);
- IT maintenance (patches, upgrades);
- Database management;
- Data management;
- Problem and incident management;
- Change and release management;
- End-user computing;
- IT continuity (backups / recovery, disaster recovery).
We can support you in obtaining assurance about these subjects.
Information security ensures the confidentiality, integrity and availability (CIA) of data through the design, implementation and monitoring of controls. The following topics are important in this regard:
- The information security and privacy policy;
- Physical security;
- Logical access security;
- Data classification;
- Personnel security;
- Encryption;
- Network security;
- Security incidents;
- Compliance with Laws and Regulations.
We can support you in obtaining assurance on these and other information security topics.