Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accountability and responsibility. The control environment should be based on a culture that supports value delivery whilemanaging significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.

There are no PSGs published for this topic; however, the topic is under review for future PSGs.

Develop and maintain a framework that defines the enterprise’s overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework.

Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.

Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.

There are no PSGs published for this topic; however, the topic is under review for future PSGs.

Communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise.

There are no PSGs published for this topic; however, the topic is under review for future PSGs.