How does IT survive with no policy framework?
As far as I can tell there is no such thing as a policy framework for IT. ISO38500 bangs on about the need for policies. ITIL and COBIT mention legions of policies. But I can find nothing that gives us a comprehensive list of necessary policies, let alone describes what a policy structure looks like and what the priorities are.
There seems to be no systematic authoritative way to answer the following questions:
- What policy applies to this situation? What policy applies to my role?
- Are our IT policies complete? Sufficient?
- What is the maturity of our organisation's set of policies?
- Does each audience (users, operators, customers, managers...) have a complete set of policies? Which audiences are not covered?
- What is the hierarchy/structure of policies? How do they inter-relate?
- If we have gaps, how do I prioritise addressing those gaps? What is most important?
It seems to me organisations fire off policies in an ad-hoc manner, usually to lock some stable door in sight of the receding rear of the horse. Most organisations are drowning in policy: staff aren't aware of all of them and certainly don't know the contents. The policy situation is like the proliferation of laws and regulations: you need a professional expert lawyer just to know what applies to you in a certain situation.
Frameworks are no help. Aale identified an extraordinary list of 44 ITIL policies and strategies, which ITIL mentions in passing scattered throughout the five books. COBIT is much the same.
An authoritative, systematic approach to policy is essential to get some control, management and usability. Who is going to help us out here? OGC won't get it. TSO will lock it up in ITIL Live. ISACA, how about this for COBIT 5 then?