Governance Frameworks, Compliance, and the Regulatory Environment

This chapter explains the governance and compliance frameworks that shape how organizations manage technology risk. ISC questions in this area usually turn on knowing which framework or regulatory lens best fits the situation.

In This Chapter

• COSO Internal Control – Integrated Framework: Relevance to Information Systems shows how a familiar control model applies to technology environments.
• COSO ERM for IT: Risk Management Across Digital Environments extends control thinking into broader enterprise-risk management.
• COBIT 2019 Overview: Governance System Principles and Components introduces a governance model built specifically for information and technology.
• Other Influential Standards and Regulations (e.g., PCI DSS, HIPAA, GDPR) surveys major external rules that affect system design and compliance.
• ITIL and IT Service Management Overviews explains the service-management perspective that supports controlled operations.

How to Use This Chapter

• Read this chapter when frameworks and regulations are blending together.
• Focus on the purpose of each framework and what kind of control problem it helps solve.
• Revisit it whenever a question asks which governance or compliance structure is most relevant.

In this section

• Applying COSO Internal Control to Information Systems
  How COSO internal control principles apply to information systems.
• COSO ERM for Technology Risk and Digital Environments
  COSO ERM applied to technology risk, resilience, and digital operations.
• COBIT 2019 Governance Principles and System Components
  COBIT 2019 governance principles and components relevant to ISC.
• PCI DSS, HIPAA, GDPR, and Other Influential Compliance Rules
  Major compliance rules that affect information systems and controls.
• ITIL and IT Service Management for Controlled Operations
  ITIL and service-management concepts that support controlled operations.