IT Governance
Study plans 2016-2017 - IMT4571 - 5 ECTS

Expected learning outcomes

Calder and Watkins define IT Governance as “the framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization’s information systems support and enable the achievement of its strategies and objectives”. IT Governance is of crucial importance for any organization's ability to safeguard critical information in the context of growing threats, as well as increasing requirements from national and international regulations.

However, IT Governance does not exist "per se", but is based on IT and operational risk management methods, appropriate business continuity / IT disaster recovery management, and the subsequent design, implementation and operation of an appropriate level of organizational and technical information security.

This course provides an overview of IT Governance, IT Risk Management, Business Continuity Management and Information Security and their dependencies in general, and the information security standards ISO 27001 / ISO 27002 in particular.

After attending the course, candidates should possess the following knowledge:

  • security management as an important input to IT and corporate risk management and as a continuous improvement process
  • the basic concepts of the ISO 27001 / ISO 27002 standard

After attending the course, candidates should possess the following skills:

  • master the principles for designing, implementing and auditing an ISO 27001-based information security management system (ISMS), using both organizational and technical building blocks
  • be able to design an appropriate level of IT Risk Management and Information Security for a given organisational context

After attending the course, candidates should possess the following general competence:

  • main principles, functions and dependencies of IT Governance, IT Risk Management, Business Continuity Management/IT Disaster Recovery and Information Security


  • Introduction to Corporate Governance and subsequent IT Governance
  • The Internal Control System (ICS)
  • Introduction to Compliance Management
  • Introduction to Risk Management and Operational Risk
  • IT-specific Risks and Threats
  • Risk Awareness and Sustainability of Countermeasures
  • The role of IT Audit
  • Introduction to Information Security
  • Introduction to Business Continuity Management/IT Disaster Recovery
  • The Role of IT in Event and Crisis Management
  • Information Security standards and Best Practices (ISO 2700x, CoBIT, Baselining)

Teaching Methods


Teaching Methods (additional text)

Lectures, exercises and homework in between lecture blocks.

The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement that best fits her/his own requirements. The lectures in the course will be given on campus and are open to both categories of students. All the lectures will also be available on the Internet through GUC’s learning management system (Fronter).

Form(s) of Assessment


Form(s) of Assessment (additional text)

Final Written Exam, 3 hours

No support material allowed during the exam, except an English / mother language dictionary

Grading Scale

Alphabetical Scale, A (best) – F (fail)

External/internal examiner

Evaluated by the lecturer. An external examiner will be used every 4th year. Next time in the school-year 2018/2019.

Re-sit examination

Ordinary re-sit examination in August.

Coursework Requirements


Teaching Materials

PDF Version of slides and exercises as published on-line


Alan Calder & Steve Watkins. IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Fourth Edition. Kogan Page. 2008.

Peter L. Bernstein, "Against the Gods - the Remarkable Story of Risk", John Wiley & Sons, ISBN 0-471-29563-9, Paperback, 1998