While I was in the process of implementing the ISO 27001 standard for a mission-critical healthcare system for one of the major health care organizations in India, I became COBIT-certified, and I took the opportunity to use COBIT to ensure compliance not only in an ISO 27001 audit but also in the privacy assessment that the organization was undergoing at the same time, which was conducted by a government agency.
Senior management was skeptical initially, but I convinced them that the preparations for both governance programs have lots of overlap and the structure of COBIT is such that it can be easily used to ensure success in other Governance, Risk and Compliance (GRC) programs.
I started with the five principles and seven enablers of COBIT, preparing the literature in organization-specific language that could be quickly grasped by the senior management, and we were able to identify the strengths and weaknesses to achieve compliance success. Senior management was able to zero in on the “disablers” that were dispersed across the seven points, but mostly on “Culture, ethics and behavior.” It became so catchy with the senior management that the chairman started asking in every meeting the status of the “disablers” and the timelines for them becoming rectified.
As a next step, I enlisted the best practices of COBIT and prepared a management report on the following:
- Defining clearly what GRC requirements are applicable (our enablers report and its running status)
- Identifying the regulatory and compliance landscape (ISO 27001 Audit, IT Act 2000 and privacy requirements)
- Reviewing the current GRC status (weekly management meetings on status with RACI chart)
- Determining the most optimal approach (resourcing, cost and budget review)
- Setting out key parameters on which success will be measured (number of non-compliance, issues resolved, etc.)
- Using a process-oriented approach (procedures and guidelines with associated policies duly updated)
- Adapting global best practices as applicable (ISO 27001, ISO 9000 and ITIL framework)
- Using a uniform and structured approach that is auditable (ISO 19000 and an organization’s internal audit policies and procedures)
After six months, we completed the ISO 27001 certification audit successfully and I also prepared a list of parameters to evaluate COBIT success in a GRC program, along the following lines:
- The reduction of redundant controls and related time to execute (audit, test and remediate) Some internal audits have been dispensed with and cost-effective controls have taken the place of less effective and costlier controls.
- The reduction in control failures in all key areas (by ensuring back-up options and disaster recovery procedures)
- The reduction of expenditures related to legal, regulatory and compliance issues (we were able to calibrate the reduction in cost due to compliance issues and had a reduction in insurance premiums paid toward IT risk management)
- Reduction in the overall time required to audit key business areas (due to the presence of detailed audit reports with NCs and its status of resolution)
- Improvement in timely reporting of regular compliance issues and remediation measures (because the reports are now customized per compliance requirements)
- Creation of a dashboard of overall compliance status and key issues for senior management on a real-time basis
The following points need to be kept in mind for the successful implementation of COBIT or any other framework:
- One should have a thorough knowledge of business and compliance requirements, and business-related technology risk.
- Frameworks should be customized to suit the organization and business requirements. In other words, the language used should be management friendly.
- Only those requirements of the framework that need to be implemented should be considered.
- A cost-benefit analysis report or ROI on framework implementation should be presented to management, which should, include among other things, loss-avoidance in monetary terms and reputation risk factors.
- One should not try to boil the ocean, but instead be specific and show tangible results and benefits to management to earn ongoing buy-in and sponsorship.
Author’s note: The views expressed in this article are the author’s views and do not represent that of the organization or of the professional bodies to which he is associated.