2.4 Information Technology Governance Maturity Model

No: 43028139 Date(g): 4/11/2021 | Date(h): 29/3/1443

Effective from 2021-11-04 - Nov 03 2021

The Information Technology Governance maturity level will be measured with the help of a predefined maturity model. The information technology governance maturity model distinguishes 6 maturity levels (0, 1, 2, 3, 4 and 5), which are summarized in the table below. In order to achieve levels 3, 4 or 5, Member Organizations should first meet all criteria of the preceding maturity levels.

Maturity level 0 - Non-existent

Definition and criteria:

•    No documentation.
•    There is no awareness of or attention to a certain information technology control.

Explanation:

•    IT controls are not in place. There may be no awareness of the particular risk area or no current plans to implement such IT controls.

Maturity level 1 - Ad-hoc

Definition and criteria:

•    IT controls are not defined, or are only partially defined.
•    IT controls are performed in an inconsistent way.
•    IT controls are not fully defined.

Explanation:

•    IT control design and execution vary by department or owner.
•    IT control design may only partially mitigate the identified risk, and execution may be inconsistent.

Maturity level 2 - Repeatable but informal

Definition and criteria:

•    The execution of the IT control is based on an informal and unwritten, though standardized, practice.

Explanation:

•    Repeatable IT controls are in place. However, the control objectives and design are not formally defined or approved.
•    There is limited consideration for a structured review or testing of a control.

Maturity level 3 - Structured and formalized

Definition and criteria:

•    IT controls are defined, approved and implemented in a structured and formalized way.
•    The implementation of IT controls can be demonstrated.

Explanation:

•    IT policies, standards and procedures are established.
•    Compliance with IT documentation (i.e., policies, standards and procedures) is monitored, preferably using a governance, risk and compliance (GRC) tool.
•    Key performance indicators are defined, monitored and reported to evaluate the implementation.

Maturity level 4 - Managed and measurable

Definition and criteria:

•    The effectiveness of the IT controls is periodically assessed and improved when necessary.
•    This periodic measurement, the evaluations and the opportunities for improvement are documented.

Explanation:

•    The effectiveness of IT controls is measured and periodically evaluated.
•    Key risk indicators and trend reporting are used to determine the effectiveness of the IT controls.
•    Results of measurement and evaluation are used to identify opportunities for improvement of the IT controls.

Maturity level 5 - Adaptive

Definition and criteria:

•    IT controls are subject to a continuous improvement plan.

Explanation:

•    The enterprise-wide IT governance program focuses on continuous compliance, effectiveness and improvement of the IT controls.
•    IT controls are integrated with the enterprise risk management framework and practices.
•    The performance of IT controls is evaluated using peer and sector data.

Table 1 - Information technology governance Maturity Model