Domain Owner: Enterprise Architecture & CISO
Frameworks: ITIL v4 · COBIT 2019 · ISO 27001:2022
The Governance domain provides the policy, process, and accountability structures that ensure IT operates in alignment with business objectives, regulatory obligations, and risk appetite. It connects the technical domains (Compute, Network, Desktop, Cyber) to organisational strategy, risk management, and compliance.
| Page | Description |
|---|---|
| Architecture Decision Records | How to raise, approve, and record architecture decisions |
| Technology Standards Register | Approved, emerging, and deprecated technologies |
```text
Board / Audit Committee
        │
        ▼
IT Steering Committee (monthly)
├── CIO
├── CISO
├── Head of Infrastructure
├── Head of Software Engineering
└── Business Representatives
        │
        ▼
Architecture Review Board (ARB) — fortnightly
├── Enterprise Architect (chair)
├── Domain Architects (Compute, Network, Desktop, Cyber)
└── Engineering Leads
        │
        ▼
Change Advisory Board (CAB) — weekly
├── Change Manager (chair)
├── Domain Engineering Leads
└── Operations Representatives
```
| Process | Owner | Cadence | Tool |
|---|---|---|---|
| Architecture Review Board | Enterprise Architect | Fortnightly | ADR log (this wiki) |
| Change Advisory Board | Change Manager | Weekly | ServiceNow ITSM |
| Risk Register Review | CISO | Monthly | ServiceNow GRC |
| Technology Roadmap Review | IT Steering Committee | Quarterly | Roadmap tool |
| IT Budget Review | CIO | Quarterly + Annual | Finance systems |
| Compliance Audit (ISO 27001) | CISO | Annual + surveillance | External auditor |
| Business Continuity Test | IT + Business | Annual | BCP documents |
All information assets must be classified according to the following scheme:
| Classification | Description | Examples | Controls |
|---|---|---|---|
| Public | Approved for external disclosure | Press releases, public website | None specific |
| Internal | General business use, not for external sharing | Internal policies, org charts | Standard access controls |
| Confidential | Sensitive business data, restricted distribution | Financial data, contracts, HR data | Encryption, need-to-know access |
| Restricted | Highly sensitive, very limited access | PCI data, M&A plans, security reports | Strong encryption, DLP, audit log |
Data handling requirements for each classification are defined in the Data Classification Policy (SharePoint).
All technologies are assigned a lifecycle stage in the Standards Register:
| Stage | Definition | Procurement Action |
|---|---|---|
| Strategic | Preferred platform — invest and grow | Approved for new projects |
| Tactical | Acceptable — maintain, no growth | Approved for like-for-like only |
| Containment | Phase-out planned — do not expand | No new deployments |
| Sunset | End-of-life — active decommission required | Decommission project mandatory |
| Emerging | Under evaluation — proof of concept stage | POC only, not production |
New technology procurement above £10,000 requires:
Recurring vendor reviews are conducted annually for all Tier 1 technology suppliers.