Press Release


ISACA Shares Eight Controls to Help Manage Shadow IT and Optimize Its Benefits

New Guidance Dispels Misconceptions About Shadow IT

Rolling Meadows, IL, USA (11 December 2017) – While shadow IT is often stigmatized as initiated by rogue employees, that is typically far from the case. Most employees who look to use shadow IT have no ill will to harm the enterprise but instead are driven by the functionality of a tool and its ability to provide a competitive advantage. ISACA’s white paper, Shadow IT Primer, highlights controls and good practices for handling shadow IT. Insight from the latest guidance will also be helpful in conjunction with ISACA’s recent Shadow IT Audit/Assurance program.

“While there are certainly risks to shadow IT, it also drives innovation,” said Zach Loeber, senior manager of infrastructure and operations at ISACA, and a contributor to the guidance. “Employees using shadow IT typically have the best intentions in mind—they want to fill a need, add value and seize opportunity. ISACA’s guidance helps organizations leverage those intentions in a more controlled and secure manner.”

The guidance outlines common examples of shadow IT—from brand-monitoring software to task management tools—and outlines eight controls and practices for managing shadow IT, including:

  • A shadow IT policy
  • IT department as a service-delivery organization
  • IT budgeting and procurement
  • IT system consolidation
  • User education

These controls help mitigate the most concerning shadow IT-related threats. A recent poll of ISACA members indicated that loss of regulated personal or financial data is the biggest concern (58 percent), followed by exposure of valuable and commercially sensitive information (20 percent) and loss of brand credibility (16 percent).

Once a decision has been made to introduce shadow IT into the workplace, auditors play a role in informing management of the effectiveness of the shadow IT governance, monitoring and management. For guidance on the issue, ISACA developed a shadow IT audit/assurance program, which seeks to:

  • Provide management with an assessment of shadow IT policies, procedures and operating effectiveness
  • Identify control weaknesses that could result in the proliferation of shadow IT solutions and a greater likelihood that shadow IT is not detected
  • Evaluate the effectiveness of the enterprise’s response to, and ongoing management of, shadow IT

Built on the premises of “prevent, discover and manage,” the Shadow IT Audit Program allows auditors to identify the scope of organizational functions, systems and assets to be reviewed. The audit program is available free to ISACA members or US $50 for nonmembers here. To access the complimentary white paper, visit


Nearing its 50th year, ISACA is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 215 chapters and offices in both the United States and China.



Michelle Micor, +1.847.385.7217,
Kristen Kessinger, +1.847.660.5512,