ControlOrigins

Managing Framework Change

From business frameworks including COSO, CobiT, ISO17799 and ITIL, to regulatory requirements including HIPAA, SOX and GLBA, change management or versioning has always been a significant challenge for control practitioners. It seems as if the regulatory and framework standards bodies are simply changing for the sake of change; however, there are usually very good reasons for updating the content and structure of these components.

Change management is a well-known challenge for business leaders who manage enterprise software, especially when new versions are released. Similar challenges arise when new versions of frameworks are released (e.g. CobiT 4 or ISO17799:2005). Most corporate governance leaders are familiar with mapping business processes, procedures and corporate risk and control matrices (RACM) to framework versions and regulatory requirements. The original mapping process is manually intensive, and the secondary mapping process can sometimes be more manually intensive, depending on the breadth and structure of the change to the framework.

CobiT 4 now includes a significantly reduced number of control objectives when compared to CobiT 3. Not only has the mapping changed, but the control objectives are no longer at the same level as in the previous version. Versioning or change management for frameworks and regulations is one of the most significant challenges to keeping mapping relationships highly current.



© 2006-2012 Control Origins. All Rights Reserved