Governance Program Guideline for SMEs

A new guide from global technology association ISACA provides guidance for small and medium sized enterprises (SMEs) on developing an enterprise governance system for information technology.

The benefits of good governance systems are widely acknowledged, but often governance programs in smaller organisations are non-existent or immature. Small and medium sized enterprises (SMEs) often deal with constraints such as limited IT resources and smaller budgets.

COBIT for Small and Medium Enterprises explains the core model and components of the globally recognised COBIT framework, illuminates the key governance and management objectives that are most relevant to SMEs, and walks SMEs through the fundamentals of starting and implementing an IT governance program.

It also provides detailed COBIT guidance specific to SMEs by domain, objective, component, activities, capability levels and metrics. In addition, the guide features mechanisms to help an SME, including a governance system design workflow, a suitability assessment, COBIT goals cascade mapping tables, a practical example with detailed steps, and descriptions of SME roles and organisational structures.

“There is no magic formula for all small and medium enterprises to follow when it comes to developing an IT governance system,” says Lisa Villanueva, ISACA IT Governance Professional Practices Lead.

“However, by using tailored resources and a governance system design workflow, SMEs can thoughtfully develop an actionable road map for developing a governance system that can help guide them through the process and ultimately help them design and implement a system tailored especially to their needs.”

Some of the activities outlined in the detailed guidance include:

  • Evaluate the governance system - Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise I&T.
  • Understand enterprise context and direction - Develop and maintain an understanding of the current way of working: the operational environment, the enterprise architecture (processes, data, applications and technology domains), organisational culture, and current challenges.
  • Initiate a program - Appoint a dedicated manager for the program, with the commensurate competencies and skills to manage the program effectively and efficiently.
  • Monitor, control, and report on the program outcomes - Manage program performance against key criteria (e.g., scope, schedule, quality, benefits realisation, costs, risk, velocity), identify deviations from the plan and take timely remedial action when required.


COBIT for Small and Medium Enterprises is geared toward organisations with up to 250 full-time employees, in which 30 to 70 employees work with IT systems and services, including business managers, professional staff, IT managers, quality or security professionals, and internal auditors.

The guidance reflects that enterprises of this size may have limited in-house IT skills and/or capacity, lack complex IT infrastructure, tend to be cost conscious, have a short span of control, and may need to outsource more complex tasks.

COBIT for Small and Medium Enterprises can be downloaded at Additional COBIT resources and publications can be found at