Place Information Technology operations in a position to support the business model.

Business Processes


This Control directly supports the implied Control(s):
  • Establish and maintain the staff structure in line with the strategic plan., CC ID: 00764

There are no implementation support Controls.


  • Senior management should establish an effective organisation of IT functions to deliver technology services and to provide day-to-day technology support to business units. A clear IT organisation structure and related job descriptions of individual IT functions should be documented and approved by s… (2.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The information system department should consider changing its organizational structure to include separation of duty, specialization, authorization, and outsourcing, based on the organization's size and characteristics, to implement the overall optimization plan effectively and efficiently. This is… (App 2-1 Item Number I.2.2(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Management should ensure company-wide policies and procedures are implemented, such as an appropriate organizational structure. (Practice Standard § I.5(1), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • (§, OGC ITIL: Security Management)
  • Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives. (PO4.12 IT Staffing, CobiT, Version 4.1)
  • Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organisational placement and the responsibilities and size of the QA group satisfy the requirements of the org… (PO4.7 Responsibility for IT Quality Assurance, CobiT, Version 4.1)
  • Transfer knowledge to business management to allow those individuals to take ownership of the system and data, and exercise responsibility for service delivery and quality, internal control, and application administration. (AI4.2 Knowledge Transfer to Business Management, CobiT, Version 4.1)
  • Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the… (PO4.4 Organisational Placement of the IT Function, CobiT, Version 4.1)
  • Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requir… (AI3.3 Infrastructure Maintenance, CobiT, Version 4.1)
  • The senior security or assets protection manager should be as high as possible in the organizational structure and should report directly to senior management. (Revised Volume 1 Pg 2-I-26, Protection of Assets Manual, ASIS International)
  • A medical device manufacturer shall establish and maintain an organizational structure that ensures devices are designed and produced in accordance with the requirements. (§ 820.20(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Review of the centralization processes for the IT functions and understanding of interrelationships between the entity's IT and business functions. (App A Objective 2:9a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organizational structure provides for effective IT support throughout the institution, from IT management up through senior management and the board. (App A Objective 2:11 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Coordinates priorities between the IT department and lines of business. (App A Objective 2:8 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • IT has the ability to meet business needs. (App A Objective 4:2 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the institution's ability to attract and retain a competent workforce and the ability of HR management to effectively meet the requirements for IT and the lines of business that IT supports. (App A Objective 5:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The plan incorporates the entire IT environment. (App A Objective 4:2 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the corporate and Information Technology (IT) departmental organization charts to determine if: ▪ The organizational structure provides for effective IT support throughout the organization, ▪ IT management reports directly to senior level management, ▪ The IT department's responsibiliti… (Exam Obj 2.1, FFIEC IT Examination Handbook - Management)
  • The organizational structure should support the business objectives and functional operations of the organization. (Pg 4, FFIEC IT Examination Handbook - Operations, July 2004)