A global blueprint for strengthening IT governance in African businesses 


By Chinenye Marylyn AKINOLA

Effective IT governance is no longer optional; it is essential. As organizations in Africa and across the globe strive to modernize operations, enhance security, and maintain regulatory compliance, a strong IT governance framework forms the backbone of sustainable success.

Understanding IT governance frameworks: COBIT & ISO 27001

Two of the most widely adopted frameworks for IT governance are COBIT (Control Objectives for Information and Related Technologies) and ISO/IEC 27001. COBIT, developed by ISACA, provides a comprehensive framework for managing and governing enterprise IT.

It helps organizations align IT strategy with business goals, manage performance, mitigate risks, and optimize resources (ISACA, 2019). Furthermore, COBIT is effective in helping organizations define clear responsibilities and accountability for IT processes.

ISO 27001, on the other hand, is an internationally recognized standard for managing information security. It provides a systematic approach to identifying, managing, and reducing information security risks through the implementation of an Information Security Management System (ISMS) (ISO, 2022).

This is especially relevant for African businesses operating in sectors such as finance, health, and telecommunications, where data security and privacy are mission-critical.

Together, COBIT and ISO 27001 offer complementary approaches. COBIT focuses on overall IT governance, while ISO 27001 homes in on data protection and information security.

Building robust IT risk management practices

For organizations to fully realize the benefits of IT governance, it is vital to establish robust IT risk management practices. This involves:

  • Conducting regular risk assessments: Identifying and prioritizing IT risks based on business impact.
  • Developing a risk register: Maintaining a comprehensive record of identified risks, mitigation strategies, and responsible parties.
  • Implementing control measures: Applying technical, administrative, and physical controls to mitigate risks in alignment with frameworks like COBIT and ISO 27001.
  • Continuous monitoring: Leveraging automation and analytics to monitor key risk indicators and maintain an up-to-date risk profile.

In Africa, where digital infrastructure is gradually evolving, businesses must tailor these practices to local realities, such as inconsistent internet access, shortage of power supply, regulatory ambiguity, and cybersecurity skill gaps.

However, with strategic investments and training, organizations can turn these challenges into opportunities for innovation.

Case studies: Organizations leading in IT governance

An evaluation of IT governance frameworks in use across Africa highlights the following organizations:

  1. Ghana – Ghana Interbank Payment and Settlement Systems (GhIPSS), the national payment switch for Ghana, obtained ISO/IEC 27001 certification to secure its IT infrastructure and improve information security governance. This certification has been crucial in establishing risk-based security policies, structured audit trails, and system resilience protocols (GhIPSS Official Report & ISO.org News).
  2. South Africa – MTN Group, one of Africa’s largest telecommunications companies headquartered in South Africa, has implemented ISO 27001 across its data centers to ensure the secure handling of customer and business data. Their structured IT governance approach, anchored in COBIT principles, has enabled them to achieve greater operational resilience and compliance across multiple jurisdictions (MTN Annual Report, 2023).
  3. Kenya – Safaricom, a Kenyan organization known for its leadership in digital risk management, leverages IT governance frameworks to manage risks associated with M-Pesa, its mobile money platform. By integrating COBIT practices and aligning with ISO 27001 standards, Safaricom ensures data privacy and regulatory compliance while supporting millions of financial transactions daily (Safaricom Sustainability Report, 2022).
  4. Nigeria – The Central Bank of Nigeria (CBN) recognized the need to address IT governance challenges and adopted the COBIT framework to enhance its IT processes. The initiative began with a comprehensive assessment involving multiple departments to identify pain points including role clarity, performance measurement, and stakeholder engagement, and align IT strategies with business objectives. By integrating COBIT, CBN improved its IT strategy alignment, risk management capabilities, and operational efficiency.

This case underscores the importance of aligning IT initiatives with organizational goals and securing stakeholder buy-in for successful framework implementation (ISACA Journal, Volume 6, 2022).

In addition, a case study from the Nigerian pharmaceutical sector demonstrated how COBIT 5 was used to improve Strategic Information Systems Planning (SISP). The company aimed to ensure that IT initiatives were aligned with broader business objectives.

COBIT helped the organization adopt a more structured, measurable approach to IT governance, enabling better control, strategic planning, and risk oversight (IJSER, 2021).

  1. Global – Globally, governments and organizations continue to manage IT governance by adopting established frameworks like COBIT, ITIL, and ISO/IEC 38500 to align IT strategy with business goals, manage risks, and ensure regulatory compliance. Many are also integrating cybersecurity standards and data privacy regulations to enhance accountability and decision-making across IT operations. For instance, the U.S. employs frameworks such as COBIT and the NIST Cybersecurity Framework to ensure accountability, risk management, and alignment with organizational objectives.

Similarly, global organizations like PwC use COBIT to guide their internal IT audit functions and advise clients worldwide. Their adoption of IT governance standards helps clients align IT objectives with business strategy while navigating global compliance landscapes, such as GDPR and SOX (PwC, 2023).

Conclusion

Strengthening IT governance is critical for businesses in Africa and globally. By adopting proven frameworks like COBIT and ISO 27001, organizations can align their IT strategies with business objectives, enhance risk management, and build trust with stakeholders.

As digital transformation accelerates, those who prioritize IT governance will be best positioned to lead in a complex, tech-driven future.

>>>The writer is an international risk and audit professional with over 17 years of experience spanning finance, information technology systems, and auditing across both global and domestic organizations. She is a Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and a Certified Fraud Examiner (CFE), bringing deep expertise in forensic audits, IT control assessments, and regulatory compliance.

Currently serving as the Assistant Director at the Bureau of Information Technology Audits within the Pennsylvania Auditor General’s Office, United States, she oversees IT audit initiatives, ensuring adherence to federal and state standards. Her global work involves reviewing complex regulatory frameworks, including Government Auditing Standards, GAAS, ISACA Standards, and federal internal control guidelines, to evaluate their impact on audit testing and conclusions. Her expertise includes IT general controls testing, business process assessments, and compliance reviews aligned with SOX, ISO, and GAAP standards. She leverages advanced data analytics to enhance audit efficiency and ensure the reliability of information systems.

Prior to her current role, she held key positions such as Senior IT Auditor at Penske and Senior Auditor at NCR Corporation in Nigeria, where she led critical audit engagements and risk assessments within complex IT environments. She can be reached via [email protected].