Before I started working in IT audit I worked for several years in different areas of IT. Thinking back on those years, I often think that I would have loved to know about the tools I later learned about as an IT auditor, for example when I was writing a requirements specification for a server room, buying new systems or setting up roles and responsibilities in the organization.
The primary organization behind the tools I find most valuable is ISACA, a non-profit organization. This was also one of the reasons I served on the board of the local ISACA chapter for several years, where I met a lot of interesting people and learned a lot. One of the issues with ISACA, at least here in Norway, is that it is not well known outside of the audit, security and regulatory communities. But I truly believe that some of the tools ISACA provides would be very useful for board members, management and technical IT staff alike.
The main collection of useful tools from ISACA is COBIT®. At first glance it can seem massive, and yes, it is if you think you need to implement everything written in all of these documents. But it is a framework, meant as guidance to consider when implementing good governance and management of enterprise IT in your organization. You can also find a lot of useful tips and hints if you are working on one specific area and need guidance on what you should consider there.
One basic area, as an example, is the implementation and management of a server room or datacenter. There is a document called COBIT 5: Enabling Processes, which is available free to members and at a small cost to non-members. Take a look at page 175, which covers the management practices DSS01.04 Manage the Environment and DSS01.05 Manage Facilities; the security management practice DSS05.05 Manage Physical Access to IT Assets on page 194 is also important to review. These are just examples that are directly relevant; other process areas are relevant as well. The point of this example is that a quick 10-minute review of the pages I mentioned can give huge value, whether you are responsible for a small server room or a larger datacenter. If just one of the suggested activities is relevant for your organization, and you implement it because you spent some time looking at the COBIT framework, then I think the business case is quite good.
I will write about other COBIT documents later; there is a lot of value to find there.
(COBIT is a trademark of ISACA).