InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
1. The New Era of AI Governance
AI is now part of everyday life—from facial recognition and recommendation engines to complex decision-making systems. As AI capabilities multiply, businesses urgently need standardized frameworks to manage the associated risks responsibly. ISO 42001:2023, released at the end of 2023, is the first global management system standard dedicated entirely to AI systems.
2. What ISO 42001 Offers
The standard sets out requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). It covers everything from ethical use and bias mitigation to transparency, accountability, and data governance across the AI lifecycle.
3. Structure and Risk-Based Approach
Built around the Plan-Do-Check-Act (PDCA) methodology, ISO 42001 guides organizations through formal policies, impact assessments, and continuous improvement cycles—mirroring the structure used by established ISO standards such as ISO 27001. However, it is tailored specifically to AI management needs.
4. Core Benefits of Adoption
Implementing ISO 42001 helps organizations manage AI risks effectively while demonstrating responsible and transparent AI governance. Benefits include reduced bias, improved user trust, operational efficiency, and regulatory readiness—particularly relevant as AI legislation spreads globally.
5. Complementing Existing Standards
ISO 42001 can integrate with other management systems such as ISO 27001 (information security) or ISO 27701 (privacy). Organizations already certified to those standards can adapt existing controls and processes to meet the new AI-specific requirements, reducing implementation effort.
6. Governance Across the AI Lifecycle
The standard covers every stage of AI—from development and deployment to decommissioning. Key controls include leadership and policy setting, risk and impact assessments, transparency, human oversight, and ongoing monitoring of performance and fairness.
7. Certification Process Overview
Certification follows the familiar ISO 17021 process: a readiness assessment, then stage 1 and stage 2 audits. A certificate remains valid for three years, with annual surveillance audits to confirm ongoing adherence to ISO 42001 clauses and controls.
8. Market Trends and Regulatory Context
Interest in ISO 42001 is rising quickly in 2025, driven by global AI regulation such as the EU AI Act. While certification remains voluntary, organizations adopting it gain competitive advantage and pre-empt regulatory obligations.
9. Controls Aligned to Ethical AI
ISO 42001 includes 38 distinct controls grouped into control objectives addressing bias mitigation, data quality, explainability, security, and accountability. These support ethical AI while aligning with both organizational and global regulatory expectations.
10. Forward-Looking Compliance Strategy
Though certification may become more common in 2026 and beyond, organizations should begin early. Even without formal certification, adopting ISO 42001 practices enables stronger AI oversight, builds stakeholder trust, and aligns the organization with emerging laws such as the EU AI Act and evolving global norms.
Opinion: ISO 42001 establishes a much-needed framework for responsible AI management. It balances innovation with ethics, governance, and regulatory alignment—something no other AI-focused standard has fully delivered. Organizations that get ahead by building their AI governance around ISO 42001 will not only manage risk better but also earn stakeholder trust and future-proof against incoming regulations. With AI accelerating, ISO 42001 is becoming a strategic imperative—not just a nice-to-have.
The global data governance market is on a strong upward trajectory and is expected to reach $9.62 billion by 2030. This growth is fueled by an evolving business landscape where data is at the heart of decision-making and operations. As organizations recognize the strategic value of data, governance has shifted from a technical afterthought to a business-critical priority.
The demand surge is largely attributed to increased regulatory pressure, including global mandates like ISO 27001, ISO 42001, ISO 27701, GDPR and CCPA, which require organizations to manage personal data responsibly. Simultaneously, companies face mounting obligations to demonstrate compliance and accountability in their data handling practices.
The exponential growth in data volumes, driven by digital transformation, IoT, and cloud adoption, has added complexity to data environments. Enterprises now require sophisticated frameworks to ensure data accuracy, accessibility, and security throughout its lifecycle.
Highly regulated sectors such as finance, insurance, and healthcare are leading the charge in governance investments. For these industries, maintaining data integrity is not just about compliance—it’s also about building trust with customers and avoiding operational and reputational risks.
Looking back, the data governance market was valued at just $1.3 billion in 2015. Over the past decade, cyber threats, cloud adoption, and the evolving regulatory climate have dramatically reshaped how organizations view data control, privacy, and stewardship.
Governance is no longer a luxury—it’s an operational necessity. Businesses striving to scale and innovate recognize that a lack of governance leads to data silos, inconsistent reporting, and increased exposure to risk. As a result, many are embedding governance policies into their digital strategy and enterprise architecture.
The focus on data governance is expected to intensify over the next five years. Emerging trends such as AI governance, real-time data lineage, and automation in compliance management will shape the next generation of tools and frameworks. As organizations increasingly adopt data mesh and decentralized architectures, governance solutions will need to be more agile, scalable, and intelligent to meet modern demands.
Data Governance Market Progression (Next 5 Years):
The next five years will see data governance evolve into a more intelligent, automated, and embedded function within digital enterprises. Expect the market to expand across small and mid-sized businesses, not just large enterprises, driven by affordable SaaS solutions and frameworks tailored to industry-specific needs. Additionally, AI and machine learning will become central to governance platforms, enabling predictive policy enforcement, automated classification, and real-time anomaly detection. With the increasing use of generative AI, data lineage and auditability will gain prominence. Overall, governance will move from being reactive to proactive, adaptive, and risk-focused, aligning closely with broader ESG (Environmental, Social, and Governance factors) and data ethics initiatives.
📘 Data Governance Guidelines Outline
1. Define Objectives and Scope
Align governance with business goals (e.g., compliance, quality, security).
Identify which data domains and systems are in scope.
The SEC has charged a major tech company for deceiving investors by exaggerating its use of AI—highlighting that the falsehood was about AI itself, not just product features. This signals a shift: AI governance has now become a boardroom-level issue, and many organizations are unprepared.
Advice for CISOs and execs:
Be audit-ready—any AI claims must be verifiable.
Involve GRC early—AI governance is about managing risk, enforcing controls, and ensuring transparency.
Educate your board—they don’t need to understand algorithms, but they must grasp the associated risks and mitigation plans.
If your current AI strategy is nothing more than a slide deck and hope, it’s time to build something real.
AI Washing
The Securities and Exchange Commission (SEC) has been actively pursuing actions against companies for misleading statements about their use of Artificial Intelligence (AI), a practice often referred to as “AI washing”.
Here are some examples of recent SEC actions in this area:
Presto Automation: The SEC charged Presto Automation for making misleading statements about its AI-powered voice technology used for drive-thru order taking. Presto allegedly failed to disclose that it was using a third party’s AI technology, not its own, and also misrepresented the extent of human involvement required for the product to function.
Delphia and Global Predictions: These two investment advisers were charged with making false and misleading statements about their use of AI in their investment processes. The SEC found that they either didn’t have the AI capabilities they claimed or didn’t use them to the extent they advertised.
Nate, Inc.: The founder of Nate, Inc. was charged by both the SEC and the DOJ for allegedly misleading investors about the company’s AI-powered app, claiming it automated online purchases when they were primarily processed manually by human contractors.
Key takeaways from these cases and SEC guidance:
Transparency and Accuracy: Companies need to ensure their AI-related disclosures are accurate and avoid making vague or exaggerated claims.
Distinguish Capabilities: It’s important to clearly distinguish between current AI capabilities and future aspirations.
Substantiation: Companies should have a reasonable basis and supporting evidence for their AI-related claims.
Disclosure Controls: Companies should establish and maintain disclosure controls to ensure the accuracy of their AI-related statements in SEC filings and other communications.
The SEC has made it clear that “AI washing” is a top enforcement priority, and companies should be prepared for heightened scrutiny of their AI-related disclosures.
In the rapidly evolving landscape of artificial intelligence (AI), Chief Information Security Officers (CISOs) are grappling with the challenges of governance and data provenance. As AI tools become increasingly integrated into various business functions, often without centralized oversight, the traditional methods of data governance are proving inadequate. The core concern lies in the assumption that popular or “enterprise-ready” AI models are inherently secure and compliant, leading to a dangerous oversight of data provenance—the ability to trace the origin, transformation, and handling of data.
Data provenance is crucial in AI governance, especially with large language models (LLMs) that process and generate data in ways that are often opaque. Unlike traditional systems where data lineage can be reconstructed, LLMs can introduce complexities where prompts aren’t logged, outputs are copied across systems, and models may retain information without clear consent. This lack of transparency poses significant risks in regulated domains like legal, finance, or privacy, where accountability and traceability are paramount.
The decentralized adoption of AI tools across enterprises exacerbates these challenges. Various departments may independently implement AI solutions, leading to a sprawl of tools powered by different LLMs, each with its own data handling policies and compliance considerations. This fragmentation means that security organizations often lose visibility and control over how sensitive information is processed, increasing the risk of data breaches and compliance violations.
Contrary to the belief that regulations are lagging behind AI advancements, many existing data protection laws like GDPR, CPRA, and others already encompass principles applicable to AI usage. The issue lies in the systems’ inability to respond to these regulations effectively. LLMs blur the lines between data processors and controllers, making it challenging to determine liability and ownership of AI-generated outputs. In audit scenarios, organizations must be able to demonstrate the actions and decisions made by AI tools, a capability many currently lack.
To address these challenges, modern AI governance must prioritize infrastructure over policy. This includes implementing continuous, automated data mapping to track data flows across various interfaces and systems. Records of Processing Activities (RoPA) should be updated to include model logic, AI tool behavior, and jurisdictional exposure. Additionally, organizations need to establish clear guidelines for AI usage, ensuring that data handling practices are transparent, compliant, and secure.
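The provenance gap described above (prompts not logged, outputs copied between systems, processing jurisdiction unknown) is what an audit trail for AI tool usage has to close. The following is an added example, not code from the DISC post or from any product: a hash-chained ledger of LLM interactions that stores prompt and output digests rather than content, with a check for chain integrity and a check for classified data reaching a jurisdiction outside policy. All actors, models, vendors and records are constructed sample data.

```python
"""Hash-chained provenance ledger for LLM interactions (added example).

Each prompt/response pair is recorded with the fields an audit or a RoPA
update needs (actor, model, vendor, processing jurisdiction, data
classification) and linked to the previous record by hash, so that any
later edit or deletion is detectable. Only digests of prompt and output are
stored, not the text. All actors, models, vendors and records below are
constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

GENESIS = "0" * 64  # prev_hash of the first record


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ProvenanceRecord:
    seq: int
    actor: str           # user or service account that submitted the prompt
    model: str           # model identifier reported by the tool
    vendor: str          # legal entity operating the model
    jurisdiction: str    # where the vendor processes the data
    classification: str  # classification of the data in the prompt
    prompt_hash: str     # digest of the prompt, not the prompt itself
    output_hash: str     # digest of the model output
    prev_hash: str       # record_hash of the previous record (chain link)
    record_hash: str = ""

    def payload(self) -> str:
        """Canonical JSON of every field except record_hash."""
        fields = asdict(self)
        fields.pop("record_hash")
        return json.dumps(fields, sort_keys=True)


class ProvenanceLedger:
    def __init__(self) -> None:
        self.records: List[ProvenanceRecord] = []

    def append(self, actor: str, model: str, vendor: str, jurisdiction: str,
               classification: str, prompt: str, output: str) -> ProvenanceRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = ProvenanceRecord(len(self.records), actor, model, vendor,
                               jurisdiction, classification,
                               sha256_hex(prompt), sha256_hex(output), prev)
        rec.record_hash = sha256_hex(rec.payload())
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first broken record, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec.seq != i or rec.prev_hash != prev
                    or rec.record_hash != sha256_hex(rec.payload())):
                return i
            prev = rec.record_hash
        return None

    def exposure(self) -> Dict[str, List[str]]:
        """Jurisdictions each data classification has been sent to."""
        seen: Dict[str, Set[str]] = {}
        for rec in self.records:
            seen.setdefault(rec.classification, set()).add(rec.jurisdiction)
        return {cls: sorted(j) for cls, j in seen.items()}


def out_of_policy(ledger: ProvenanceLedger,
                  allowed: Dict[str, Set[str]]) -> List[int]:
    """Sequence numbers of records whose classification was processed in a
    jurisdiction outside the allowed set; classifications not listed in the
    policy are treated as unrestricted."""
    return [rec.seq for rec in ledger.records
            if rec.classification in allowed
            and rec.jurisdiction not in allowed[rec.classification]]


def build_sample_ledger() -> ProvenanceLedger:
    """Three constructed interactions from two departments using two vendors."""
    led = ProvenanceLedger()
    led.append("analyst-17", "model-a", "VendorA", "EU", "public",
               "Summarise this press release", "Summary text")
    led.append("legal-03", "model-b", "VendorB", "US", "confidential",
               "Redline this NDA draft", "Redlined draft")
    led.append("analyst-17", "model-a", "VendorA", "EU", "confidential",
               "Draft a reply to client X about the outage", "Draft reply")
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify() is None)
    print("exposure:", ledger.exposure())
    print("out of policy:", out_of_policy(ledger, {"confidential": {"EU"}}))
    ledger.records[1].jurisdiction = "EU"   # simulate a record being altered
    print("first broken record:", ledger.verify())
```

The exposure summary is the kind of per-classification, per-jurisdiction view a RoPA update needs, and the chain check is what lets an auditor trust that the ledger was not edited after the fact.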
Moreover, fostering a culture of accountability and awareness around AI usage is essential. This involves training employees on the implications of using AI tools, encouraging responsible behavior, and establishing protocols for monitoring and auditing AI interactions. By doing so, organizations can mitigate risks associated with AI adoption and ensure that data governance keeps pace with technological advancements.
CISOs play a pivotal role in steering their organizations toward robust AI governance. They must advocate for infrastructure that supports data provenance, collaborate with various departments to ensure cohesive AI strategies, and stay informed about evolving regulations. By taking a proactive approach, CISOs can help their organizations harness the benefits of AI while safeguarding against potential pitfalls.
In conclusion, as AI continues to permeate various aspects of business operations, the importance of data provenance in AI governance cannot be overstated. Organizations must move beyond assumptions of safety and implement comprehensive strategies that prioritize transparency, accountability, and compliance. By doing so, they can navigate the complexities of AI adoption and build a foundation of trust and security in the digital age.
For further details, see the full article on data provenance.
The article from IBM emphasizes the critical role of data governance in ensuring high-quality, secure, and accessible data, which is vital for organizations aiming to leverage emerging technologies like AI, ML, and automation.
Effective data governance acts like air traffic control, managing the flow of data to ensure integrity and prevent misuse. Without proper governance, organizations risk basing decisions on inaccurate data or suffering breaches that can lead to financial losses and erode trust. Data governance also ensures organizations have access to real-time, high-quality data, enabling them to make better business decisions, optimize operations, and maintain compliance with regulations.
Establishing an effective data governance framework requires a long-term commitment, collaboration across departments, and thoughtful implementation. Organizations should start small, define roles and responsibilities, secure stakeholder buy-in, and select the right tools to manage data. Continuous monitoring, improvement, and alignment with broader business strategies are essential for sustained success. Strong data security practices, adherence to privacy regulations, and the use of maturity models help organizations build a dynamic governance ecosystem that evolves alongside the business, fostering a culture that views data as a strategic asset.
With the rise of modern trends such as cloud computing and remote work, healthcare institutions strive to balance accessibility, convenience, and robust security.
In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Understanding the upcoming technological shifts and trends is crucial for preemptive preparation as we look toward the future.
The healthcare industry faces unique security challenges, especially with the increasing interconnectivity of systems. How important is it for organizations to obtain vendors who understand healthcare-specific security requirements?
Monitoring healthcare-specific security requirements is a full-time job. The amount of data processed at healthcare institutions grows exponentially, but it remains some of the most valuable information to the patients and—unfortunately—bad actors. These factors require a vendor’s mastery of healthcare-specific security requirements if technology is utilized by healthcare companies in any manner.
If a vendor does not appropriately respect the complex and evolving web of security obligations that healthcare institutions operate within, the vendor may not be able to build technology that is suitable for use by sophisticated healthcare enterprises.
Organizations should not shy away from holding vendors to a very high expectation of familiarity with security requirements within the healthcare industry. These organizations should look to healthcare-specific vendors who have a deep understanding of the standards, complexity, and sensitivity of these payments over non-healthcare-specific vendors.
How would you approach implementing a security program within a healthcare organization that meets the legal requirements and industry standards and goes beyond them to ensure maximum protection? What key elements or components should be included in such a program?
A well-tailored security program must be just that: tailored. Many security legal frameworks are moving from specificity in controls towards a discretionary-based approach. This “discretionary” standard is interpreted by governing bodies that interpret the leading-edge developments in the industry.
An organization must trace what data is stored or processed and ensure security controls are mapped internally to an organization and externally across vendors. Healthcare organizations must dedicate time to ensure appropriate administrative, technical, and physical controls are in place at the organization and its vendors to protect data stored and processed.
The saying “one size fits all” is never true for how a security program is administered and applied in the healthcare technology industry, or any other industry. However, the fundamental principles are the same: understanding what data is processed by an organization, identifying true risks (internal and external) to the data, evaluating the impacts of those risks, and whether existing controls are adequate to reduce those risks to an acceptable standard.
Considering the recent trends in cybersecurity, such as the rise of cloud computing and remote work, what considerations should healthcare organizations keep in mind to maintain a strong security posture? How can they balance convenience and accessibility with the need for robust security measures?
Cloud computing and remote work are certainly unique trends, but there are always trends in one way or another whether occurring within the organization, the market, or geographically.
Sophisticated security organizations work hard to build flexible security programs, but it’s important to revisit the program on a fluid cadence to ensure that external or internal changes—small or big—are encompassed within the security controls. For example, in response to COVID-19 many healthcare billing and revenue cycle teams transitioned to remote work. How does that impact payment acceptance security? Is it more important to adopt remote devices to accept secure, P2PE payments, or transition to a deviceless approach that prioritizes security and online patient engagement? These are all questions that providers have needed to answer in the last three years, and they highlight the importance of an approach to security measures that welcomes rather than avoids adaptation.
The evaluation of the suitability of a security control should not be performed in a silo, as it must consider business objectives so as not to weigh down the business unnecessarily. This evaluation may even warrant a reduced burden by offloading obligations to a qualified vendor or utilizing additional services from an existing vendor. For example, in payments, the move to Point-to-Point Encryption in payment systems can offload very complicated security burdens to a vendor while reducing administrative barriers. Companies may be surprised at how well new technologies being adopted within healthcare organizations can protect data with more transparency, all while promoting consumer-friendly accessibility and convenience (which are tenets of a good data governance program).
How can healthcare organizations foster a culture of security awareness among their employees?
It all starts with leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. There are three ways a company’s leadership can fast-track a security-minded culture:
Establish a consistent awareness communication program, with friendly trainings and succinct reminders about security controls.
Ensure that security is considered at the first stages of any material initiative having to do with data or technology (this is the “security-by-design” operational principle). Your security team needs to be a partner in business enablement.
Ensure the security team is proactive and available to other departments to ensure a clear line of sight where questions may arise. Expect your security department to be available and responsive.
How do you see the future of cybersecurity in the healthcare industry? What emerging technologies or trends do you believe will shape the landscape, and what steps should organizations take to prepare themselves for these changes?
Cybersecurity in the healthcare industry will be pushed to higher levels in at least two ways. First, legal frameworks that permit a discretionary application of security controls will reference security standards published by non-governmental security organizations as “industry standard.” These organizations have the resources and expertise to help set the standards of the industry. While this may mean more transparency about what are deemed acceptable standards, healthcare organizations may need to be subject to external third-party audits. Second, cybersecurity controls will continue to be bound together with privacy standards.
Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other. Sophisticated healthcare organizations are already managing to these predictions by eliminating silos between privacy and security operations, and ensuring a well-documented security program from policies to actions.
Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:
A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
Direction and guidance from expert GDPR practitioners.
Includes two licenses for the GDPR Staff Awareness E-learning Course.
Organizations across the United States have a number of cybersecurity regulations to comply with, and need to show that they take protection of sensitive data seriously.
Consumer data in the US is currently protected by a patchwork of industry-specific, federal, and state laws, the scope and jurisdiction of which vary. The challenge of compliance for organizations that conduct business across all 50 states is considerable.
“Increased regulatory fragmentation unduly diverts focus and resources, and ultimately threatens to make us more vulnerable to cyber attacks. Instead of a fractured approach by state, we need a coordinated national strategy for regulating cybersecurity.”
For example, NY financial institutions will be required to implement security measures in order to protect themselves against cyber attacks from March 1, 2017. They will need to not only maintain a cybersecurity policy and program, appoint a CISO, and implement risk assessment controls and an incident response plan, they will also have to provide regular cybersecurity awareness training, conduct penetration testing, and identify vulnerabilities.
Fulfil multiple cybersecurity obligations and benefit from international information security best practice to produce a solid framework with the ISO 27001 Cybersecurity Documentation Toolkit.
Covering state, national, and international cybersecurity frameworks, this toolkit will enable you to produce a robust management system that complies with:
NIST SP 800-53
New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
ISO 27001, the internationally-recognized cybersecurity framework
Implement IT service management (ITSM) best practice the easy way with expert guidance and fully customizable pre-written documents created by ITIL® and ISO 20000 service management experts.
Guidance and documentation templates from service management experts to help all organizations improve their ITSM, adopt ITIL best practices, and/or achieve ISO 20000 registration
• Developed by service management gurus Shirley Lacy and Jenny Dugmore, the ITSM, ITIL & ISO/IEC 20000 Implementation Toolkit contains a complete set of tools and documentation templates, policies, and procedures that will enable organizations of all types and sizes to assess their current levels of service management and implement processes to deliver better services.
• Completely up to date with the latest editions of ITIL and ISO 20000, this toolkit makes administration and branding simple.
• The Office 2010 version features an integrated dashboard, allowing easy customization of templates, and one-click formatting.
• The ITSM, ITIL & ISO20000 Implementation Toolkit is the perfect investment for organizations that want an optimal route to implementing service management best practice, adopting ITIL, and/or achieving ISO/IEC 20000 registration.
Use SAVE15 at the checkout to save 15% on the toolkit, which contains all of the pre-written documents you need to accelerate your management system projects. Offer expires Monday August 31 2015.
ITGP: Thanks for speaking to us Andy. Let’s begin with your book. Most books on ISO9000 only cover the rules and requirements of ISO9000 and how you might implement it. Your book seems more ambitious. What was your thinking behind Exploding the Myths?
AN: I decided to write Exploding the Myths Surrounding ISO9000 as people are often confused about the purpose of implementing a quality management system to meet ISO9000, and what third-party certification involves. Some common myths have endured for more than 20 years – one of them being that ISO9000 is: “say what you do, do what you say”. I felt it was a good time to expose these myths and provide practical guidance on what an organization should consider, instead, when implementing ISO9000 and preparing for external certification.
ITGP: You felt there was confusion regarding the purpose of ISO9000 and certification?
AN: When I look at various online forums, people are posting questions about the basics of quality management and are clearly confused. Although, as you say, there are many books describing how to implement a quality management system, the background to ISO standards etc., these are mainly written from the theoretical point of view. Little has been written to address the “hearsay” which has accompanied the development of ISO9000 over the past 25 years.
ITGP: It sounds like this advice is long overdue and based on plenty of experience. How did you get started in quality management?
AN: I began my career in Quality back in the late 1970s. We relied very heavily on inspection and QC in those days. Luckily, in the mid-to-late 1980s, I was responsible for developing a quality management system to meet a NATO contract requirement using AQAP-1, which is the “great-granddaddy” of what we know as ISO9001 today. We did what the AQAP-1 quality requirements told us, and delivered fault-free equipment and installed it without a hitch. This allowed me to pursue roles as implementer, supplier, quality and certification body auditor, as well as consultant and trainer.
ITGP: So, you’ve been meeting customers’ quality requirements right from the beginning of your career?
AN: Yes. The experience of implementing a quality management system to meet a customer’s contract provided an excellent foundation for understanding the basics of implementing quality management systems, without the confusion of third-party certification.
ITGP: Based on all your experience, can I ask what advice you have for those just beginning to use and implement ISO9000?
AN: For those starting out in quality management, and evaluating implementation of ISO 9000 it’s important to remember that much of what is required is already being done, if you are satisfying your customers. What’s needed is some formality to those processes and activities which are working well and then to work on improving them. ISO 9000 brings about a maturity in the way an organisation operates and then requires that management takes a long hard look at its performance and asks what needs correction and what needs improving.
If any organisation finds itself doing something “because of ISO” or “to keep an auditor happy”, then they have to question why this is happening.
ITGP: One final question before we run out of time. Are there particular parts of your work that you enjoy?
AN: In my position as certification body sales manager, I’ve found that assisting clients in understanding the certification process, what’s expected at each step and how to be successful is the most rewarding. Many organizations are new to the process of certification – even though they may have experience of customer audits, security audits etc. Being able to complete their knowledge, before they select a certification body and begin the process is enjoyable.
ITGP: I can appreciate that ensuring the client is properly informed is very important in making the right choices about ISO9000 and certification. I guess that’s also what made you write the book in the first place. We’re out of time sadly, but many thanks for speaking to us.
Enhanced IT Service Management through integrated management frameworks
Learn how to integrate COBIT®, ITIL® and ISO/IEC 20000 for better IT Service Management
With the increasing popularity of ITIL® as a framework for IT Service Management (ITSM), a number of organizations have realized that this approach is sometimes not enough on its own. As a result, service managers are looking for ways to enhance their ITIL-based ITSM without having to throw it away and start again. Many are already working towards compliance with ISO/IEC 20000 — the International Standard for IT Service Management. With the recent release of COBIT®5, service management practitioners have even more options. However, until now, there has been little guidance on how to merge these frameworks, standards and methodologies to develop best practice across the ITSM function and produce a robust enterprise philosophy for service delivery.
Guidance on creating an integrated system
Written by service management gurus Suzanne D. Van Hove and Mark Thomas, Pragmatic Application of Service Management is the first book to provide guidance on creating an integrated system based on the three leading service management approaches, COBIT®5, ISO/IEC 20000 and ITIL, and to provide a unique mapping to assist service management practitioners in their information gathering. This practical book presents a holistic view of the three and enables service managers to immediately adapt and deploy the guidance, quickly improving their ITSM function.
Create a stronger, more robust Service Management System
Packed with instructive illustrations and helpful tables, this book is ideal for service managers, consultants, auditors and anyone who is considering adopting, adapting or merging COBIT®5, ISO/IEC 20000 and ITIL. Through mini case studies, the authors apply their unique Five Anchor Approach to demonstrate how the improvement aspects of COBIT®5, ISO/IEC 20000 and ITIL can help identify and deal with common problems faced by today’s organizations. Read this book to learn how to merge COBIT®5, ISO/IEC 20000 and ITIL for better service management.
About the Authors
Dr Suzanne D. Van Hove is the founder and CEO of SED-IT. A prior Board member of itSMF USA and recipient of the Industry Knowledge Award as well as Lifetime Achievement, she is an advocate for professionalism within Service Management.
Mark Thomas is the founder and President of Escoute, LLC, an IT Governance consultant as well as the previous President of the itSMF USA Kansas City LIG and COBIT® SIG. As a well-known ITIL and COBIT® expert with over 20 years of professional experience, Mark’s background spans leadership roles from datacenter CIO to Management and IT Consulting. Mark has led large teams in outsourced IT arrangements, conducted PMO, Service Management and governance activities for major project teams and managed enterprise applications implementations across multiple industries.
New IT-GRC Glossary from IT Governance designed to simplify industry terms
IT Governance Ltd, the single source provider of IT governance, risk management and compliance (IT-GRC), has just published a glossary on their website.
The IT-GRC glossary is designed to help IT professionals recognize the wide range of acronyms used within the industry to further their understanding and avoid confusion.
Currently there are 70 terms in the glossary and IT Governance is looking to grow this significantly. IT Governance is encouraging readers to contribute to the glossary with new terms or refined definitions so that the glossary continues to develop and become a resource for IT professionals to use worldwide.
The glossary contains a wide range of IT governance terms, including information security, business continuity, quality management, IT service management and IT governance topics. The glossary is arranged alphabetically and provides easy-to-use definitions that drop down when clicked. The definitions have been written and edited by industry experts and link to information pages for further guidance. View the glossary:
Founder and Executive Chairman of IT Governance Ltd, Alan Calder, explains the reasons behind developing the glossary: “The industry within which we operate contains a huge number of shortened phrases and acronyms which can be somewhat confusing for those starting out in their career. With different associations, institutions, standards, frameworks and certificates to remember, we decided it was important to start documenting these terms so that beginners would have a useful source to refer to.”
This new resource further strengthens the IT Governance mission statement of “approaching IT from a non-technology background and talking to management in their own language”. The glossary reduces industry jargon and simplifies terms for IT professionals.
The glossary has been added to the growing number of resources offered by IT Governance, which includes a wide range of green papers, product demos and case studies – all of which are freely available to download.
Are you implementing, or thinking about implementing, the COBIT 5 framework?
ITG COBIT bookstore includes all the titles you’ll need to help support your implementation of COBIT 5 and get the most out of this IT governance control framework.
A guide to optimising resources and minimising risk, using the COBIT 5 framework to establish appropriate standards of security for the introduction of new technology.
In this manual you will be shown how the relevant frameworks, best practices and standards for information security can be adapted to form a cohesive framework using COBIT 5.
The Governance & Control Toolkit has been designed to help simplify the complex implementation of COBIT 5. Containing all the documents and policy templates you’ll need to cover the 37 COBIT processes, this toolkit will dramatically speed up your implementation project.
Download one of IT Governance’s industry-leading ebooks. IT Governance sources and publishes titles on cyber security, compliance, project management, risk and IT service management.
Fantastic Reads… All Better Priced Than Amazon
Learn and stay ahead on your topic of choice. Download an ebook today!
ISO22301: A Pocket Guide is designed to help you do what is necessary to satisfy the requirements of ISO22301. With the expert advice contained in this guide, you can ensure your organisation develops a business continuity plan that is fit for purpose.
30 Key Questions that Unlock Management is a book that provides direct responses to real questions posed by real people in management. Each section contains practical advice and immediate steps you can take to deal with the issue at hand.
Brush up on your soft skills and see the working relationships with your IT Audit clients flourish. Exploring how and why an auditor can remain trapped in an ascribed role, this book fills a gap in the market by helping the reader to avoid the traditional finger-pointing stance and instead become a convincing partner with business and technology counterparts.
Running IT like a Business will show you how your IT function can add real value to your business, taking guidance from Accenture who doubled its revenue in ten years. With clear strategies, helpful diagrams and real-life examples, this book will give you the keys to unlocking your IT function’s hidden potential.
Understand how to bring your SAP projects in on time and within budget with the help of this guide, written by Project Management Professional and Certified ScrumMaster, Sean Robson.
This pocket guide describes the crucial issues of corporate IT governance and explains how to align IT governance with the organization’s business objectives.
This book is easy to read and understand for both technical and non-technical readers and very useful for IT governance, IT audit and information security professionals. It includes the Calder-Moir IT Governance Framework, which guides the professional on how to align IT governance with the business goals of an organization.
This pocket guide describes the drivers for IT governance – why it matters; the relationship between IT governance, risk management, information risk, project governance and compliance risk; lists the symptoms of inadequate IT governance and the benefits that can be won by implementing an IT governance framework; and describes – in principle – how to go about doing this.
This pocket guide covers:
Why IT Governance Matters
Drivers for IT Governance
Strategic and Operational Risk Management
Symptoms of Inadequate IT Governance
What is an IT Governance Framework?
Benefits of an IT Governance Framework
The Calder-Moir IT Governance Framework
This is a good overview of this important subject from the author of IT Governance: Guidelines for Directors.
Wouldn’t it be nice to have someone doing all the dull stuff for you?
1. The IT Governance documentation toolkit contains 1591 pages of pre-written policies, procedures, checklists, guidance, presentations, planning tools and diagrams.
2. The IT Governance documentation toolkit can save you thousands of pounds, countless hours of time and an awful lot of stress.
3. The IT Governance framework integrates CobiT, ITIL, ISO27001/2, ISO20000, Prince2, PMBOK, TOGAF and many other concepts.
4. The IT Governance documentation toolkit is cheaper than one day of consultancy.