A new guide from global technology association ISACA, COBIT® for Small and Medium Enterprises, provides guidance for SMEs on developing an enterprise governance system for information and technology (I&T) tailored especially to their unique needs.
COBIT for Small and Medium Enterprises explains the core model and components of the globally recognised COBIT framework, illuminates the key governance and management objectives that are most relevant to SMEs, and walks SMEs through the fundamentals of starting and implementing an I&T governance program. It also provides detailed COBIT guidance specific to SMEs by domain, objective, component, activities, capability levels and metrics. In addition, the guide features mechanisms to help an SME, including a governance system design workflow, a suitability assessment, COBIT goals cascade mapping tables, a practical example with detailed steps, and descriptions of SME roles and organisational structures.
“There is no magic formula for all small and medium enterprises to follow when it comes to developing an I&T governance system,” says ISACA IT Governance Professional Practices Lead, Lisa Villanueva. “However, by using tailored resources and a governance system design workflow, SMEs can thoughtfully develop an actionable road map for developing a governance system that can help guide them through the process and ultimately help them design and implement a system tailored especially to their needs.”
Some of the activities outlined in the detailed guidance include:
- Evaluate the governance system—Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise I&T.
- Understand enterprise context and direction—Develop and maintain an understanding of the current way of working: the operational environment, the enterprise architecture (processes, data, applications and technology domains), organisational culture, and current challenges.
- Initiate a program—Appoint a dedicated manager for the program, with the commensurate competencies and skills to manage the program effectively and efficiently.
- Monitor, control, and report on the program outcomes—Manage program performance against key criteria (e.g., scope, schedule, quality, benefits realisation, costs, risk, velocity), identify deviations from the plan and take timely remedial action when required.
COBIT for Small and Medium Enterprises is geared toward organisations with up to 250 full-time employees, in which 30 to 70 employees work with IT systems and services, including business managers, professional staff, IT managers, quality or security professionals, and internal auditors. The guidance reflects that enterprises of this size may have limited in-house IT skills and/or capacity, lack complex IT infrastructure, tend to be cost-conscious, have a short span of control, and may need to outsource more complex tasks.
COBIT for Small and Medium Enterprises can be downloaded at https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004L2noEAC. Additional COBIT resources and publications can be found at www.isaca.org/resources/cobit.