Are the Organization’s Policies Sufficient, Complete and Beneficial?
Jorge Carrillo, Ph.D., CISA, CISM, CISSP

I have had many long discussions with colleagues about whether policies are predetermined courses of actions established as guides toward accepted business strategies and objectives. After sharing some initial ideas, usually everybody agrees that such guidance is required and useful. However, after the discussion is over, we read a real policy and we immediately realize that, in many cases, it is not clear how the concrete policy is helping or impacting our behaviors in our daily activities.

Indeed, if we keep reading more policies, we will be able to distinguish good policies from bad ones; however, it will be very difficult to confirm whether a given set of policies and other documentation is complete and sufficient to meet business needs. In some cases, we might decide that the policies are not adding any value to the business and that they are just additional documents that are required to make auditors or regulators happy.

In summary, the question—“Are these policies and supporting procedures/standards sufficient, complete and beneficial for the organization?”—is very difficult to answer. IT technology is moving so fast that it can be hard to keep up with new trends and identify the advantages, limitations and risk factors impacting the business. Furthermore, there is no clear approach for writing good IT policies and defining a proper policy framework.

As a consequence, it is common to see policies and other documents that are not properly structured or related. In such cases, we are trapped in the loop of creating policies just for the sake of creating policies or because someone is telling us to write them.

Read my recent Journal article to see how I’ve addressed this problem. In short, I have applied the COBIT 5 principles, enablers and their dimensions to provide a guide and illustrate the steps, processes and considerations required to design and implement an effective IT policy framework, which can help to answer the question: “Are these policies and supporting procedures/standards sufficient, complete and beneficial for the organization?”

I look forward to reading your comments!

Read Jorge Carrillo’s recent Journal article:
“IT Policy Framework Based on COBIT 5,” ISACA Journal, volume 1, 2013
