Board Governance & Information Security

Using a Best Practice Framework

How to give Directors more Visibility and Control of IT

Is your board struggling with limited visibility into your organisation’s IT landscape? Computer One addresses this challenge by defining and then helping you implement an IT board governance and information security framework that gives your board clear line-of-sight into IT operations, projects and risks without creating frustration for your C-suite.

If your organisation lacks an IT governance body or regular IT briefings at board meetings, we will facilitate those – from setting up an IT Steering Committee to providing board-ready IT performance dashboards. Our approach makes what was once a clouded issue for directors far more transparent – enabling informed, strategic decision-making and effective risk governance.


Key Features of our Board Governance & Information Security Framework

  • IT Steering Committee Establishment
    If you do not yet have an IT Steering Committee, we will help you set one up (and, if you like, we can take a seat on it to guide governance). This committee creates a formal liaison between IT management and the board, so that IT strategy and major projects receive proper executive and director oversight from day one.
  • COBIT-Based Governance Framework
    We use the COBIT model – a globally recognised IT governance framework – as the foundation for our service. By leveraging COBIT (and integrating principles from standards like ISO/IEC 38500 and ITIL), we implement structured processes and controls. This ensures your IT aligns with business goals, performance is measured, and risks are managed in accordance with best practices.
  • Enhanced Risk and Security Oversight
    Our governance service puts critical IT risks (such as cyber threats, data breaches, and system outages) on the board’s radar with regular risk assessments and updates. We help implement frameworks like ISO 27001 and the ASD Essential Eight controls, translating them into executive summaries for the board. Directors get assurance that information security is being governed with the same rigour as other business risks, and that compliance requirements are continually met.
  • Increased IT Visibility for Directors
    We transform IT from a black box into a clear portfolio of activities and metrics that the board can readily monitor. Through concise board reporting and dashboards, your directors gain visibility into IT performance, project status, and cybersecurity posture. What was previously opaque becomes transparent – giving your board confidence that IT is under control and supporting the organisation effectively.
  • Executive IT Insight and Advisory
    With Computer One, you gain access to senior IT experts who can interface with your board as advisors – akin to a Virtual CIO or a Non-Executive Director for IT. We bring decades of experience in IT leadership and can attend board, steering or audit committee meetings to brief directors on technology matters. This means your board can make technology decisions with expert guidance on hand, without needing to have a full-time CIO on staff.
  • Strategic Alignment and Value Delivery
    We ensure that IT initiatives are not just technically sound, but also business-centric. Our advisory is intended to align every major IT project and expenditure with your corporate strategy. We put in place governance mechanisms to evaluate and track the business value of IT investments. Directors will see a clear line connecting IT spend to strategic outcomes – such as entering new markets, improving customer experience, or boosting operational efficiency – all governed under an agreed-upon roadmap.

Why You Should Choose Computer One

We understand both the language of business and the language of IT. Working with us means your board and executive team will have an experienced partner to help navigate the complexities of technology governance. We have a proven track record of working with company directors and CEOs to implement IT governance frameworks that fit the organisation’s size and industry, rather than a one-size-fits-all approach.

We pride ourselves on making IT understandable and manageable at the highest levels of the company. With Computer One’s governance service, you won’t get dense technical jargon or endless policy documents – you’ll get actionable insights and practical structures that improve oversight. We operate with transparency and integrity, regularly reporting on progress and adapting our approach as your business evolves.

Ultimately, our goal is to help your board drive better business performance through effective governance of IT and information security.

Contact Our Board Governance & Information Security Team Today!

Please call us on 1300 667 871 or fill in the form below and we’ll be in touch quickly.

Board Governance & Information Security FAQs

What is “board governance” of IT, exactly?

It refers to the oversight and direction that a company’s Board of Directors provides over information technology and security. In practice, board governance of IT means the board is actively evaluating IT strategy, directing how technology is used (through policies and priorities), and monitoring performance and risk. Rather than delegating all technology decisions to management, the board integrates IT governance into its overall corporate governance responsibilities – ensuring that IT investments support the business strategy and that key IT risks (like cybersecurity, outages and data loss) are adequately controlled. Good IT governance at the board level typically follows frameworks such as Evaluate, Direct, Monitor (from ISO 38500), meaning the board regularly evaluates IT’s role in the business, sets directives for IT through strategy and policy, and monitors outcomes against plans.

Why do board members need visibility into IT and cyber risks?

Because technology is a core driver of business success (and failure) today, boards need a clear window into what is happening in IT. Without visibility, directors might be unaware of major risks – for example, vulnerabilities that could lead to a cyber breach or an IT project going off the rails – until it’s too late. Having proper visibility means the board receives regular updates on IT performance, project status, and risk indicators. This enables proactive oversight: directors can ask informed questions and require corrective actions before small issues escalate into major crises. In essence, visibility into IT gives the board confidence that the company’s technology is being managed in line with the business’s risk appetite and strategic goals, and it prevents unpleasant “surprises” like sudden system failures, budget blowouts, or compliance violations.

What is COBIT?

COBIT (originally Control Objectives for Information and Related Technology, now simply the name of ISACA's framework) is a leading IT governance framework that provides a comprehensive model for governing and managing enterprise IT. Using COBIT correctly means your organisation is implementing best-practice processes across areas such as IT strategy, operations, security, and performance measurement. For the board, COBIT provides assurance that there is a structured approach in place: it defines specific governance components (processes, objectives, organisational structures, information flows and metrics) that align IT efforts with business objectives. In practice, COBIT helps the board and management ensure that IT investments are delivering value, that risks are mitigated with appropriate controls, and that progress can be measured (e.g. through KPIs and capability or maturity levels). A board that adopts COBIT will typically receive reports that map IT activities to its domains. In the current version, COBIT 2019, the governance domain is Evaluate, Direct and Monitor (EDM), and the four management domains are Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). Earlier versions summarised the same ground as five focus areas: strategic alignment, value delivery, risk management, resource management and performance measurement. Either view makes it easier for directors to judge whether IT is under good governance. In short, COBIT gives the board a well-tested blueprint for oversight, making IT governance more transparent and standardised.

Are there other frameworks or standards we should know about for IT governance?

Yes. In addition to COBIT, many boards look to ISO/IEC 38500 – which is an international standard specifically for corporate governance of IT, providing guiding principles for directors. ISO 38500 emphasises that board members should evaluate, direct, and monitor IT just as they do other facets of the business. For information security, standards like ISO/IEC 27001 are important; they provide a framework for managing security controls and risks, which boards often want assurance on. Furthermore, industry-specific guidelines (for example, APRA’s CPS 234 in the Australian financial sector for information security) might apply. Our approach is to prioritise COBIT for its broad coverage, but we integrate elements of these other frameworks as needed – ensuring your IT governance is comprehensive. Ultimately, the choice of framework will depend on your organisation’s context, regulatory environment, and what the board is most comfortable with, but it’s common to use a combination of these frameworks to cover all bases.

What is an IT Steering Committee and should we have one?

An IT Steering Committee is a governance body, usually composed of senior executives and sometimes one or two board members, that meets regularly to oversee and guide the organisation’s IT strategy and projects. The committee acts as a bridge between the board and the IT management team. Its responsibilities include reviewing major IT project proposals, prioritising IT investments, monitoring ongoing project status, and ensuring that IT initiatives are aligned with business strategy. If your company has a board of directors but no formal mechanism for IT oversight, an IT Steering Committee is a very good idea. It ensures that there is a dedicated forum to discuss IT matters at a high level, which in turn provides the board with greater confidence that IT is being managed strategically. The committee can report up to the board (or a board subcommittee) on key decisions and progress. In many cases, we help clients establish an IT Steering Committee from scratch – setting its charter, membership, and reporting cadence – so that IT governance becomes a routine, organised part of corporate governance. In summary, if technology plays an important role in your business (which it likely does), having an IT Steering Committee is an effective way to formalise oversight and involve the right leaders in guiding IT.

Our board lacks IT expertise. How can we still govern IT effectively?

It’s a common scenario that not every board has a tech-savvy director. There are a few ways to bridge the gap. Firstly, consider bringing in an external specialist as a board advisor or even appointing a board member with IT experience (such as a former CIO) when board refresh opportunities arise. We offer services akin to a Virtual CIO or an IT advisor who can attend board meetings and provide insight – this means you get expert input without permanently adding to the board. Secondly, establish a Technology or Digital subcommittee of the board (or use the Audit/Risk Committee) that can focus on IT issues in more detail. This subcommittee can invite outside experts to brief them. Thirdly, invest in director education: there are courses and workshops (for example, through AICD or other governance institutes) on IT governance and cyber risk for directors, which can quickly raise the knowledge level. Finally, ensure management presents information in a board-friendly manner: clear dashboards, risk heatmaps, trend analysis, and less technical jargon. Part of our role when we work with you is translating the IT-speak into strategic business terms. By taking these steps, even a non-technical board can exercise strong oversight – asking the right questions and making well-informed decisions about IT and information security.

What benefits can we expect if we improve IT governance at the board level?

Strengthening board-level IT governance pays off in multiple ways.

Strategic benefit: IT will more closely support your business strategy – projects and systems will be chosen and designed to enable the specific goals the board cares about (growth, efficiency, customer experience, etc.), rather than IT operating in a silo.

Risk reduction: You can expect fewer surprises, such as major outages or security breaches, because risks are identified earlier and mitigated proactively under board scrutiny. If a serious incident does occur, clear governance means there are response plans in place and the board is already aware of the risk context.

Financial performance: Effective IT governance often leads to better ROI on technology spend – resources are allocated to the highest-value initiatives, budgets are monitored, and there is accountability for delivering business results from IT investments. Over time, this can reduce wasteful spending on low-priority or misaligned projects.

Compliance and reputation: With the board paying attention to IT, compliance with laws and regulations (privacy laws, financial reporting requirements that depend on IT systems, industry-specific IT obligations) is strengthened, which protects the organisation and its directors from legal penalties and reputational damage.

Stakeholder confidence: Lastly, investors, auditors, and regulators gain confidence knowing that the company’s leadership is in control of its technology landscape.

Better IT governance at the board level helps ensure that technology truly serves the business and that pitfalls are managed – leading to a more successful organisation.

How is IT governance different from IT management?

This is an important distinction. IT management is about running the day-to-day IT operations – things like network maintenance, software development, user support, and executing projects. It’s the realm of CIOs, IT managers, and their teams who make technical and tactical decisions. IT governance, on the other hand, is about high-level direction, policy, and oversight. For example, governance involves setting an IT strategic plan, deciding how much to invest in IT this year, determining risk appetite for cybersecurity, and monitoring whether IT is delivering value. A way to put it is: IT management focuses on “doing things right” (efficient, correct operation of IT), while IT governance focuses on “doing the right things” (ensuring IT choices align with business goals and values). Our governance services help the board and leadership steer IT. We don’t replace your IT managers; rather, we work with them to establish the frameworks and reporting so that the board can guide and evaluate IT from an informed, strategic perspective. Effective organisations need both: competent IT management and strong IT governance, each reinforcing the other.

How frequently should the board or its committees review IT matters?

Boards should treat IT and security as a regular item on their agenda, not just an annual discussion. A good practice is to have quarterly updates to the full board on IT strategy execution and major risk areas. Many boards also get monthly or bi-monthly reports via an Audit & Risk Committee or a Technology Committee if one exists – these reports can be more detailed, allowing that committee to deep-dive and then brief the full board with highlights.

Key events should trigger immediate board communication as well (for instance, a serious cyber incident or a major project going off-track shouldn’t wait until the next scheduled meeting). In terms of project governance, large IT projects might warrant a dashboard update at each board meeting.

When we set up governance for clients, we often help define a calendar: e.g. Q1: review IT strategy and budget; Q2: cybersecurity drill and report; Q3: IT performance scorecard; Q4: IT risk appetite and policy review, etc., alongside ongoing project status updates. The exact frequency depends on your industry and how critical IT is to your operations – but as a rule, some aspect of IT governance should be reviewed in every board meeting (even if briefly), and a deeper dive should happen at least once or twice a year on strategic topics. We ensure that whatever schedule makes sense for you is implemented, so that the board’s oversight is continuous and up-to-date.

What role does the board play in cybersecurity and information security governance?

The board plays a critical role in cybersecurity governance – in fact, cyber risk is now considered one of the top issues for boards worldwide. Directors don’t need to understand the minutiae of firewalls or encryption, but they do need to set the tone at the top and ensure the company has a strong security strategy.

Practically, the board should approve the organisation's information security policy and risk appetite (how far are we willing to go to mitigate cyber risks, and what level of investment in security is appropriate?). It should also ensure management has implemented frameworks like ISO 27001 or the Essential Eight (and, for the Essential Eight, knows which maturity level it is targeting), and that there is regular independent testing (such as security audits or penetration tests). The board should receive summaries of cybersecurity posture at least quarterly. These might include metrics like the number and severity of incidents, mean time to detect and to contain them (MTTD and MTTR), results of any audits or tests, and the status of key security initiatives, each trended over time and compared against the agreed risk appetite rather than presented as bare numbers. In case of a major incident (like a data breach), the board must be informed promptly and be part of high-level decision-making (for example, customer notification and legal reporting obligations).

Our service helps boards by providing clear visibility into these security metrics and preparing the governance structure for incident response. We often conduct cyber risk workshops with boards to walk through potential scenarios and ensure everyone understands their role. In short, the board’s job is to ask the right questions – “Are we secure enough? What else should we do? How are we preparing for emerging threats?” – and to hold management accountable for maintaining a strong security posture.
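A worked example of the quarterly summary described above, added here for illustration and not taken from the page or from Computer One's own tooling: it aggregates an incident register into per-quarter incident counts, mean time to detect (MTTD) and mean time to respond (MTTR), and flags incidents that exceeded a containment target standing in for a board-set risk appetite. The register entries, their identifiers and the 72-hour target are all constructed assumptions.

```python
"""Quarterly cyber-posture metrics for a board pack, computed from an incident register.

Added illustration, not code from the page: the register entries are constructed
sample data and the 72-hour containment target is an assumed risk-appetite
threshold that a real board would set for itself.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    ident: str
    severity: str                  # "high", "medium" or "low"
    occurred: datetime             # when malicious activity began (usually established by forensics)
    detected: datetime             # when the organisation became aware of it
    contained: Optional[datetime]  # None while the incident is still open


def quarter_of(ts: datetime) -> str:
    """Label a timestamp with its calendar quarter, e.g. '2025-Q1'."""
    return f"{ts.year}-Q{(ts.month - 1) // 3 + 1}"


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def quarterly_metrics(register: List[Incident],
                      containment_target_hours: float = 72.0) -> Dict[str, dict]:
    """Aggregate the register into the figures a board typically asks for.

    An incident is reported in the quarter it was detected, so a long-dwelling
    intrusion found in Q2 is counted in Q2 (with a correspondingly large MTTD).
    MTTD = mean(detected - occurred) over all incidents in the quarter;
    MTTR = mean(contained - detected) over the closed ones only.
    """
    buckets: Dict[str, List[Incident]] = {}
    for inc in register:
        buckets.setdefault(quarter_of(inc.detected), []).append(inc)

    result: Dict[str, dict] = {}
    for q in sorted(buckets):
        incs = buckets[q]
        closed = [i for i in incs if i.contained is not None]
        detect_times = [hours_between(i.occurred, i.detected) for i in incs]
        respond_times = {i.ident: hours_between(i.detected, i.contained) for i in closed}
        result[q] = {
            "incidents": len(incs),
            "high_severity": sum(1 for i in incs if i.severity == "high"),
            "still_open": len(incs) - len(closed),
            "mttd_hours": round(mean(detect_times), 1),
            "mttr_hours": round(mean(respond_times.values()), 1) if respond_times else None,
            # Closed incidents whose containment took longer than the agreed target.
            "over_target": sorted(ident for ident, hrs in respond_times.items()
                                  if hrs > containment_target_hours),
        }
    return result


def board_lines(metrics: Dict[str, dict]) -> List[str]:
    """One plain-language line per quarter, suitable for a board pack."""
    lines = []
    for q, m in metrics.items():
        mttr = "n/a (none closed)" if m["mttr_hours"] is None else f"{m['mttr_hours']}h"
        flag = (f"; exceeded containment target: {', '.join(m['over_target'])}"
                if m["over_target"] else "")
        lines.append(f"{q}: {m['incidents']} incidents ({m['high_severity']} high, "
                     f"{m['still_open']} open), MTTD {m['mttd_hours']}h, MTTR {mttr}{flag}")
    return lines


# Constructed sample register; identifiers and dates are illustrative only.
SAMPLE_REGISTER: List[Incident] = [
    Incident("INC-1", "high", datetime(2025, 1, 10, 8), datetime(2025, 1, 12, 8), datetime(2025, 1, 13, 8)),
    Incident("INC-2", "medium", datetime(2025, 2, 1, 12), datetime(2025, 2, 1, 14), datetime(2025, 2, 5, 14)),
    Incident("INC-3", "low", datetime(2025, 3, 15, 9), datetime(2025, 3, 15, 10), None),
    Incident("INC-4", "high", datetime(2025, 4, 2, 0), datetime(2025, 4, 20, 0), datetime(2025, 4, 21, 12)),
]

if __name__ == "__main__":
    for line in board_lines(quarterly_metrics(SAMPLE_REGISTER)):
        print(line)
```

Two design points matter more than the arithmetic. Incidents are bucketed by detection date, so a long-dwelling intrusion discovered late inflates that quarter's MTTD instead of being hidden in an earlier period; and open incidents are excluded from MTTR but counted separately, so directors see both the trend and the backlog rather than a figure that improves simply because slow cases have not closed yet.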

© 2025 Computer One Australia.