JOnline: Beyond Compliance—10 Practical Actions on Regulation, Risk and IT Management 


Beyond Compliance—10 Practical Actions on Regulation, Risk and IT Management covers the US Sarbanes-Oxley Act, COSO, COBIT and IT Infrastructure Library (ITIL) and brings out the relationship among risk management, IT and regulatory compliance. The target audience is senior management, especially IT management, risk managers, IT service providers and internal auditors. The book covers four major action areas of managing IT complexity, managing IT risks, managing IT service support and managing IT service delivery.

IT governance, risk management and compliance are the triumvirate that supports business processes and enables effective management and control, aligning business with IT and thereby realizing the expression “IT is business and business is IT.”

Evolving legislation concerning corporate governance and reporting, as well as increasing regulations and accords such as Basel II, have placed considerable responsibility on corporate management and boards regarding compliance with emerging legislation, regulations and standards. The need for IT service management arises not only to protect against and avert IT risks, but also to minimize the possible damage in case of adverse fallout. Managing IT risks and processes needs to go beyond compliance, as ultimately regulation, standards, best practices and procedures have evolved to provide a minimum common denominator or benchmark. The realization of business objectives and goals requires moving beyond compliance into the zone of optimization through IT efficiency and effectiveness.

The book begins with managing the complexity of IT. The three action areas covered are:
  • Know, transform and rationalize infrastructure.
  • Manage third parties.
  • Implement and put in place a governance framework.

The next area covered is risk management. The action points covered are:
  • Implement risk management.
  • Ensure continuous testing of controls.

The next area covered is managing service support. The action areas covered are:
  • Implement change management.
  • Implement release management.
  • Implement incident management.

The last area covered is managing service delivery. The action areas covered are:
  • Ensure secure handling of data.
  • Plan IT continuity.

The book has figures depicting various aspects, including a risk matrix and risk management process charts. The “To Dos” given at the end of each chapter are very useful, and the details of the supporting documentation required are provided, making this a very useful, practical guide.

The major strength of the book is that it attempts to go beyond the mere technological view of IT and looks at the organizational and process perspectives.

Thus, the thread of business case, business objective and relevance is maintained throughout the book. The book helps in identifying and dealing with the areas that need to be concentrated on, starting from infrastructure and applications and moving through streamlining IT management, risk, service support and service delivery.

Coming from authors who have been providing consulting on IT governance issues to clients across Europe, the book is useful and has an estimated shelf life of three to five years.

Editor’s Note

Beyond Compliance—10 Practical Actions on Regulation, Risk and IT Management is available from the ISACA Bookstore. For information, see the ISACA Bookstore supplement in the latest Journal, visit, e-mail or telephone +1.847.660.5650.

Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA, an expert in software valuation, IS security and IS audit. A renowned faculty member at several management institutes, government academies and corporate training programs, Kanhere is a member of the Sectional Committee LITD 17 on Information Security and Biometrics of the Bureau of Indian Standards. He is currently newsletter editor and academic relations, standards and research coordinator of the ISACA Mumbai (India) Chapter; member of the ISACA Publications Committee; honorary secretary of the Computer Society of India, Mumbai Chapter; convener of a special interest group on security; chairman of WIRC of eISA; and convener of the security committee of the IT cell of Indian Merchants’ Chamber. He can be contacted at or

ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

Subscription Rates:
US: one year (6 issues) $75.00
All international orders: one year (6 issues) $90.00
Remittance must be made in US funds.