ISACA's Evolving Strategy FAQs 

 

Frequently Asked Questions

Why did ISACA feel the need to explore its strategy now?

ISACA felt the time was right because of the growth it has experienced over the past several years, coupled with the quickly changing environment in which the association functions. Both situations generate opportunities and challenges, which ISACA wanted to be ready to face appropriately, quickly and nimbly. It can be tempting for an organization to rest on its laurels when it has been successful. However, in today’s global business environment, standing still is falling behind.

The strategy talks about ISACA’s “core constituents.” Who are they?

ISACA’s core constituency remains much as it has been for the past decade: professionals in information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. The work on the strategy has made it possible to define those groups more specifically and target their needs, as well as to identify “core influencers”—the individuals who have an important role to play in supporting the activities and involvement of ISACA’s constituents.

What are ISACA’s vision and mission statements, and how do they reflect the strategy?

The vision statement—“Trust in, and value from, information systems”—represents the goal the association aspires to achieve. Because trust and value from information systems are the results of the efforts of ISACA’s constituents, the association must provide the tools to help constituents generate those results, as noted in the mission statement. The mission statement—“For professionals and organizations be the leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance”—contains in its few words a clear definition of ISACA’s target audiences, its products and services, and its areas of professional expertise.

How will the strategy affect COBIT?

One outcome of the market research that preceded the strategy development was the recognition of the widespread awareness of the COBIT brand. To capitalize on that awareness, much of ISACA’s and ITGI’s existing intellectual property (IP) will be restructured under the COBIT umbrella. This includes existing frameworks such as Risk IT, now in development; Val IT; the IT Auditing Framework (ITAF); and the Business Model for Information Security (BMIS). New COBIT-related publications will be developed as well, primarily focused on security, applications, an information reference model, and level 3 and 4 controls.

The strategy mentions several different new opportunities for credentialing. How will they tie into ISACA’s existing certifications?

Three primary areas of credentialing are noted in the strategy:

  1. Add-on certificates, which are extra credentials for specialty expertise. They will be available only as an extension to a CISA, CISM or CGEIT, not in replacement of any of them.
  2. A new certification targeted at IT professionals who deal in risk and exposure, which will overlap in some areas of knowledge with CISA, but will not replace or compete with it in its overarching focus.
  3. A COBIT enterprise certification, which will be for enterprises, not individuals, and will attest to the rigor of the enterprise’s control framework, as specified by COBIT.

How can a member be involved in executing the strategy?

There are a couple of ways a member may be involved in the new areas of activity within ISACA. First is as a member of a committee, subcommittee or task force. These volunteer groups will undertake the majority of the work to transition the strategy from planning to reality. Committees are being populated throughout May based on the applications received through the Invitation to Participate process. Another way to become involved in strategy execution is via participation in the many open source models to be made available through ISACA’s own web site and other social media networks. ISACA’s members and constituents are the subject matter experts in the information systems assurance, security and governance professional space; ISACA’s new site will include many ways individuals can share their expertise with colleagues, helping to build the continually expanding portfolio of IP.

How are chapters affected by the strategy?

Chapters will be, as they always have been, a key conduit for delivering value and benefit to members. Over the past few years, most chapters have been organizing their activities around the chapter balanced scorecard, to ensure that member service, internal learning and growth, and operations are addressed equally with financial measures. The strategy and the balanced scorecard align quite well, so chapters are not expected to be required to make any major changes in their operations—they will just keep on doing the good work they have been doing!

How does IT Governance Institute play into the new strategy?

ITGI will continue to operate under the ISACA umbrella, as it has done since its formation in 1998. Its focus will change, however. The COBIT family of products will be branded ISACA, rather than ITGI, and ITGI will instead concentrate on externally funded, academic/empirical research, alone or in partnership with other organizations.

What will happen to all the key boards and committees that exist now? Will they continue to operate?

The functions of all current volunteer groups—key boards, committees and task forces—will continue to be addressed under the new strategy. However, some of the names of the groups will change, and some will be combined. The structure will now be organized under three main volunteer boards, focusing on the three major areas of the strategy: Relations Board, which will focus on relationships with members, chapters, other organizations, commercial partners, governments and online communities; Credentialing Board, which will address the three existing certifications and any new credentialing programs developed; and Knowledge Board, which will oversee the development of COBIT and all other ISACA/ITGI frameworks, as well as standards, pragmatic knowledge (such as benchmarking), the bodies of knowledge for the certifications, and conferences/education. Reporting to each of these boards will be a number of committees, subcommittees and task forces, each focusing on a specific area of the general topic.

Does ISACA’s new strategy incorporate the focus on IT governance that has been a priority over the past decade?

Yes. It is ISACA’s clear intention to continue with, and build on, its governance activities. There are many ways the activities called for in the new strategy address IT governance:

  • The planned expansion of the COBIT framework (working title: COBIT 5.0) will provide a complete view on enterprise governance of IT.
  • COBIT 5.0 will be designed to accommodate a changing global governance environment.
  • COBIT 5.0 will integrate the existing ISACA/ITGI frameworks—COBIT, Val IT, Risk IT, Board Briefing, ITAF and BMIS—in order to establish one overarching, common framework for all ISACA/ITGI constituents to improve market acceptance and ease of the framework's adoption.
  • The COBIT 5.0 scope will cover the governance and management levels, while the supporting product set will cover all applicable levels, including practitioner guidance.
  • COBIT 5.0 will be clear on the concepts of enterprise governance and management of IT and their relative positioning, building from the Taking Governance Forward work; the Evaluate, Direct, Monitor (EDM) approach from ISO 38500; and the Plan, Build, Run, Monitor (PBRM) approach from COBIT 4.1. It will also support the balancing of the performance and conformance aspects of the enterprise governance of IT.
  • The new vision statement focuses on “trust” and “value” from information systems. These are “outcome” terms that have strong and consistently understood meaning (while the meaning and acceptance of “governance” remain murky in some places around the world). Governance is process-oriented and is a means to achieving the successful outcomes of trust and value. Therefore, ISACA seeks to position itself as a thought leader by emphasizing outcomes rather than process.

These changes, and others, are focused on transitioning "IT governance" to the "enterprise governance of IT" and will support IT professionals in their engagement with all aspects of enterprise GRC, specifically as it relates to use of information and related technology. ISACA does appreciate that a significant portion of its membership is committed to governance, and the association’s commitment to those needs is undiminished.

The strategy discusses development of COBIT level three and four controls material. What does that mean?

COBIT Level 1 controls material consists of the current COBIT 4.1 control objectives, and Level 2 refers to the current COBIT 4.1 control practices. “COBIT Levels 3 and 4 controls material” is how the strategy refers to the content to be developed by volunteers using an open collaboration approach, within the overall COBIT framework structure. This open development activity will be centered on control objectives (Level 3) and control practices (Level 4) that are specific to a particular technology platform and/or industry line and/or geographic region. ISACA believes this level of detail will be of value to practitioners and will give them a way to add to the collective body of knowledge.