
2

January 1999

MANAGING INFORMATION TECHNOLOGY

PLANNING FOR BUSINESS IMPACT

CONTENTS

Paragraphs
Preface
Executive Summary: 1-5
Key definitions: 6
Why is Information Technology Planning Important?: 7-10
What is Information Technology Planning?: 11-14
What are the Key Principles in Developing an Information Technology Plan?: 15-25
What is the Best Approach for Information Technology Planning?: 26-44

Appendix:
Key Control Objectives and Assessment Issues for Information Technology
Planning
PREFACE

In a digital world, the management and use of information, information systems and
communications is of critical importance to the success of an organization. The
criticality arises from:
• the increasing dependence on information and the systems and communications that deliver the
information;
• the scale and cost of the current and future investments in information; and
• the potential of technologies to dramatically change organizations and business practices,
create new opportunities and reduce costs.
Many organizations recognize the potential benefits that technology can yield.
Successful organizations, however, understand and manage the risks associated with
implementing new technologies. Executive management needs to have an appreciation
of the benefits, risks and constraints of information technology in order to provide
effective direction and adequate control.
In this guideline series, the International Federation of Accountants, through its
Information Technology Committee, seeks to promote executive understanding of key
issues affecting the management of information and communications. This series of
guidelines is written for management.
This guideline is the second of the series and covers managing information technology
planning. In addition to emphasizing the nature and need for information technology
planning and its impact on business strategy, these guidelines provide an understanding
of the main principles on which plans should be formulated, and a generic approach for
implementing effective planning.
Executives in various capacities — for example, accountants, financial controllers,
auditors, or business managers — are frequently called upon to manage, participate in,
assess, or comment on the information technology planning process. It is, therefore,
essential for executives to have a sound knowledge of the principles and practices of
managing information technology planning.
IFAC’s Information Technology Committee would like to acknowledge the support from
the Information Systems Audit and Control Association and to thank its various
contributors who provided valuable input for this document:
Susan M. Caldwell, ISACA
Michael Donahue, PricewaterhouseCoopers
John W. Lainhart IV, PricewaterhouseCoopers
Akira Matsuo, Chuo Audit Corporation
Robert G. Parker, Deloitte & Touche LLP
Deepak Sarup, ALLTEL International Resource
Patrick Stachtchenko, Deloitte Touche Tohmatsu
Paul A. Williams, Arthur Andersen
EXECUTIVE SUMMARY

WHY?
1. For most organizations, the rapid developments in information technology provide management
with an opportunity to develop and implement new or improved products and services. To take
advantage of this opportunity, management must first recognize the potential represented by
information technologies, and, next, identify and implement information systems which assist in
better meeting the organization’s business objectives. Information technology planning, as
described in these guidelines, is an effective approach to assist management in this process since it
provides:
• a structured basis for evaluating the impact of technologies in the broader context of business
objectives and comparative assessment with similar organizations;
• a framework for scheduling necessary information system projects in an integrated manner
while recognizing available resources and constraints; and
• assurance that investments in the information system projects are justified in terms of
realizable benefits and represent the most appropriate option to the organization.

WHAT?
2. An information technology plan supports the business goals and strategies within the business plan.
The objective of the information technology plan is to provide a road-map of the information
technology required to support the business direction of an organization, outlining the resources that
are required and the benefits that will be realized on implementation of the plan. While each
information technology plan is unique to the needs and circumstances of an organization, it is
generally formulated using the following ten principles:

CORE PRINCIPLES
• ALIGNMENT — The plan should support and complement the business direction of an
organization.
• RELEVANT SCOPE — The scope of the plan should be established to facilitate formulation
of effective strategies.
• RELEVANT TIMEFRAME — A planning horizon should be formulated that provides long-
term direction and short-to-medium term deliverables in a manner consistent with the business
strategy.
• BENEFITS REALIZATION — Costs of implementation should be justified through tangible
and intangible benefits that can be realized.
• ACHIEVABILITY — The planning process should recognize the capability and capacity of
the organization to deliver solutions within the stated planning timeframe.
• MEASURABLE PERFORMANCE — The plan should provide a basis for measuring and
monitoring performance.
• REASSESSMENT — The plan should be reassessed periodically.
• AWARENESS — The plan should be disseminated widely.
• ACCOUNTABILITY — Responsibility for implementing the plan should be explicit.
• COMMITMENT — Management commitment in implementing the plan should be exhibited.
HOW?
3. Although information technology plans are unique, the planning process and the underlying
activities are similar. Usually, the plan will be developed in four phases:

APPROACH — Phase I: Orientation


This start-up phase is required to establish the scope of the plan and the methodology and
techniques to be applied. In this phase the resources that are required for developing the plan are
mobilized.

APPROACH — Phase II: Assessment


The focus of this phase is to establish the broad information technology requirements of the
organization and compare these with the current information technology usage. Also, this phase
provides an opportunity to identify other potential uses of technologies which may assist in meeting
business objectives. Major steps in this phase are: confirm business direction and drivers; review
technology trends; outline future requirements; inventory existing information systems; and develop
an assessment of what is needed. In the concluding step of this phase there should be a well-
developed assessment of the current and future business needs, the benefits available from
implementing technologies, the gap between what is desired and what is required by the
organization, and a list of the key issues to be considered in the formulation of the information
technology strategies.

APPROACH — Phase III: Strategic Plan


This phase commences with developing the vision and desired future positioning of information
technology within the organization. This is followed by an analysis of the options that are available
with respect to information, applications, technology infrastructure, communications, business
process re-engineering, and organizational resources. The option analysis culminates in the
selection of appropriate, justified and compatible strategies which, collectively, form the strategic
plan.

APPROACH — Phase IV: Tactical Plan


In this phase, the selected strategies are divided into a series of projects which are
scheduled for implementation depending upon relative priorities and resource
availability. The planning process is concluded by recommending a monitoring
and control mechanism that will ensure that the plan is implemented in a timely,
efficient and effective manner.
WHEN?
4. The information technology plan necessarily complements the business plan of an organization. A
new information technology plan is necessary when there is a fundamental change in the business
strategies; or when most of the projects comprising the existing plan have been implemented; or
when the business and technology assumptions of the existing plan have changed to the extent that
the plan is no longer viable. Even if a new plan is not necessary, the existing plan must be
reassessed on a periodic basis.

WHO?
5. The information technology plan is usually prepared under the direction of a steering committee that
is headed by the Chief Executive Officer, Chief Information Officer, or another senior business
executive. The steering committee may comprise senior business executives, key business unit
managers, the information technology manager and the information systems audit manager. The
steering committee is supported by a specifically formed project team — which may include
external consultants with expertise in developing information technology plans.
KEY DEFINITIONS
6. Applications means the computer programs, specifications, and procedures for their operation, use
and maintenance that are required to input, store, process, share, transmit, or retrieve data and
information relating to one or more groups of business processes.
Communications is the transmission and reception of messages and includes both
voice and data communications.
Data means a representation of facts, concepts, or instructions in a formalized
manner suitable for communication, interpretation or processing by human beings
or by automatic means.
Information is the meaning assigned to data by means of conventions applied to
that data.
Information Systems means the technology infrastructure and applications
together with the data and information that may be recorded, stored, processed,
shared, retrieved, or transmitted by them.
Information Technology refers to information systems and the organizational
resources required to plan, acquire, implement, deliver and monitor them.
Technology Infrastructure refers to the hardware and software components and
their interconnections required to support the applications.
WHY IS INFORMATION TECHNOLOGY PLANNING IMPORTANT?
7. Effective management of information technology is a business imperative and increasingly a source
of competitive advantage. The rapid pace of technological change, together with declining unit
costs, is providing organizations with increasing potential for:
• enhancing the value of existing products or services;
• providing new products and services; and
• introducing alternative delivery mechanisms.
Benefiting from information technology requires foresight to prepare for the changes, planning to provide
an economical and effective approach, and effort and commitment in making it happen.
8. Information technology planning provides a structured means of addressing the impact of
technologies, including emerging technologies, on an organization. Through the planning process,
relevant technologies are identified and evaluated in the context of broader business goals and
targets. Based on a comparative assessment of relevant technologies, the direction for the
organization can be established.
9. The implementation of information technologies may be a complex, time-consuming and expensive
process for organizations. Information technology planning provides a framework to approach and
schedule, wherever possible, necessary information technology projects in an integrated manner.
Through this process, performance milestones can be agreed upon, scope of specific projects
established, resources mobilized and constraints or limitations identified. Without effective
planning, the implementation of information technologies may be misguided, haphazard, delayed
and more expensive than justified.
10. Good governance requires that all investments be justified — including any information technology
investments. Information technology planning provides a process for not only evaluating alternative
approaches, but also for justifying the selected approach in terms of benefits, both tangible and
intangible, that will be realized by an organization. This is an important dimension when many of
the underlying projects may be difficult to support on an individual basis.
WHAT IS INFORMATION TECHNOLOGY PLANNING?
11. Business planning is an accepted responsibility of management. Plans provide a direction and
framework for action. Plans enunciate business goals and the actions that need to be initiated to
achieve those goals including related benefits, resources and timeframes.
12. Increasingly, information technologies not only support but may also drive or enable business
strategies. In this context information technologies are an integral part of the business planning
process itself. If such potential is evident after the completion of the business plan, then the
business plan must be revisited and, if appropriate, revised.
13. An information technology plan is supportive of the business plan. It is based on the business goals
and strategies. It provides a framework for information technology investments so that the desired
outcome, in terms of benefits, can be obtained with the most effective and efficient use of available
resources.
14. The objective of information technology planning is to “provide a road-map of the information
technology required to support and enhance the business direction of an organization, outlining the
resources that are required and benefits that will be realized on implementation of the plan.”
In this context:
• road-map defines the desired position for the organization’s use of information technology at a
future point in time (strategies) and the manner in which the position will be attained over the
intervening period (tactics);
• resources encompass existing information technology, and on-going expenditures on
information systems, related facilities and personnel, as well as any additional investments
proposed within the plan; and
• benefits to be realized may include incremental revenue or reduced costs of operations or
improved service quality that will arise from the implementation of the plan.

WHAT ARE THE KEY PRINCIPLES IN DEVELOPING AN INFORMATION TECHNOLOGY PLAN?
15. Each organization should develop information technology plans which reflect its business strategy
and match its information technology needs for a given future period. Notwithstanding the
uniqueness of a business perspective, an information technology plan must be based on the
following ten principles. Each of these is briefly discussed below.

ALIGNMENT — The plan should support and complement the business direction of an
organization.
16. An information technology plan must be integrated with the needs and direction of the organization.
To achieve this alignment, the key drivers of the information technology plan are the desired short-
and long-term business targets as contained in the current business plan. Throughout the planning
process, the focus must remain on the information and services/processes to be provided and the
technology infrastructure required to provide effective and efficient services which meet business
and organizational requirements. A successful information technology plan must be prioritized and
executed within the framework of these business strategies.
Issues to consider include:
• business direction and any changes that are anticipated — for example, new product launches,
emerging delivery channels, or alternate business scenarios;
• legal and regulatory framework and changes thereto — the impact of likely changes must be
factored into the planning process;
• competitive environment and the corresponding challenges and opportunities such as an
alliance with third-parties through inter-organizational systems;
• key business strategies and the related information technology support requirements;
• risks and costs of adopting more flexible information technology plans that are adaptable to
evolving business strategies; and
• service-level requirements of the business in terms of, for example, security (availability,
integrity, and confidentiality), information system response times — particularly during peak
periods — and data storage and archiving requirements.

RELEVANT SCOPE — The scope of the plan should be established to facilitate formulation of
effective strategies.
17. The scope of the information technology plan has a major impact on the effort required to prepare it,
as well as the plan's acceptance and ultimate success. An inadequate scope would inhibit the
formulation of effective strategies and an excessively wide scope will militate against
implementation of the plan.
Issues to consider include:
• extent to which the plan should address the business needs of geographically dispersed units or
autonomous business units;
• linkages with other business or functional strategies — for example, a business process re-
engineering program may require extensive dovetailing with human resource and workplace
redesign strategies; and
• requirements to incorporate linkages to third parties (customers, suppliers, partners, etc.) and
the manner in which joint plans should be established.

RELEVANT TIMEFRAME — A planning horizon should be formulated that provides long-term
direction and short-to-medium term deliverables in a manner consistent with the business strategy.
18. Information technology initiatives can take a long period, even years, to implement. The duration of
the plan depends upon the complexity of the projects required to support business strategies and the
certainty of the business direction itself. The more complex the projects, and the more certainty in
direction, the further the planning horizon can be. Typically, plans have a three-to-five year
strategic horizon and a two-to-three year tactical horizon. This timeframe may vary according to the
type of industry or an organization's circumstances.
Issues to consider include:
• recognition of the planning horizon of the business plan and business cycle;
• anticipated life cycle of the technology infrastructure — for example, an existing industry
standard may become obsolete in the foreseeable future;
• impact of business objectives on the timeframe for an information technology initiative — for
example, a product launch date will require that the corresponding information systems are
operational prior to that date; and
• requirement to adopt a building block approach, where a consecutive series of projects is
required to achieve the end result, may necessitate a longer planning timeframe.

BENEFITS REALIZATION — Costs of implementation should be justified through tangible and
intangible benefits that can be realized.
19. The implementation of information technologies can lead to considerable cost savings or other
strategic benefits, for example, increased market share through better service delivery. These
benefits, both tangible and intangible, must be realized to ensure that an organization receives value-
for-money from its information technology investments. Occasionally, the plan or specific
strategies within it may be justified as being necessary for the survival of the business — for
example, the cost of implementing an information system required to support a product or service or
meet a new legal or regulatory requirement.
Issues to consider include:
• manner in which the benefits enumerated in the plan will be realized. For instance, if the
expenditure in a particular area is justified on efficiency grounds, then the plan must specify
the amount, nature, and timing of cost savings that arise with the implementation of the
strategy;
• extent to which the proposed expenditures within the plan are necessary to support the
business. This needs to be differentiated from other incremental expenditures. For example,
essential but obsolete information systems and equipment may need to be systematically
replaced as part of the cost of staying in business;
• degree of uncertainty, if any, that applies to the benefits. For example, if the primary benefit
from the strategy is to provide information for improved decision-making, then this intangible
benefit may be both difficult to assess and realize; and
• return on capital provided by the investment and the impact of not pursuing or delaying the
implementation of specific strategies.

ACHIEVABILITY — The planning process should recognize the capability and capacity of the
organization to deliver solutions within the stated planning timeframe.
20. Information technology related initiatives can require major investments in terms of capital and
people. It is essential that the strategies and tactics in the information technology plan not only offer
a high payback but are also within the means of an organization. At times, this limitation may
necessitate adoption of a less than ideal solution, or a delayed or phased implementation of the ideal
solution.
Issues to consider include:
• availability of additional resources (capital, technology infrastructure, people) required to
implement the plan — for example, if the plan is based on a significant increase in capital
expenditure on information technology, then the source of such capital must be considered
before the plan is fully developed; and
• compatibility of proposed information technology-related initiatives with the organizational
culture — for example, if a given initiative requires a high level of user experience in
information technology, then this requirement must be compared to the user skill level within
the organization.

MEASURABLE PERFORMANCE — The plan should provide a basis for measuring and
monitoring performance.
21. A successful plan must provide a yardstick for measuring progress and serve as a benchmark for
modifying objectives to improve and provide input for corrective action — either to improve
performance or revise the plan. Typically, an information technology plan will provide performance
milestones against which performance can be measured.
Issues to consider include:
• setting realistic and specific performance milestones that facilitate periodic review of
performance against the plan;
• formalizing a process for the periodic review of progress against established milestones;
• assessing benefits realized against benefits anticipated on completion of the projects;
• providing for progress reporting against plans on an on-going basis, including early warning of
any problem areas; and
• linking information technology plan deliverables to business targets and budgets so that the
impact of any delay is apparent and leads to a corresponding revision of the business plan.
REASSESSMENT — The plan should be reassessed periodically.
22. Plans are based on business and information technology assumptions. If these assumptions change,
the existing initiatives and projects may be inappropriate or more effective alternatives may have
emerged. An effective plan must be flexible and provide for periodic reassessment of the validity
and effectiveness of both strategies and tactics.
Issues to consider include:
• establish a check list of business and information technology assumptions on which the plan is
formulated;
• incorporate a mechanism to periodically confirm validity of planning assumptions (against the
above check list) and critical success factors — for example, if a selected information
technology becomes obsolete, then the plan should be immediately evaluated and appropriate
revisions made; and
• volatility of the business environment and its impact on project priorities — for example, if a
new business line is to be launched, then the information technology plan may need to be
changed to reflect this business imperative.

AWARENESS — The plan should be disseminated widely.


23. Once the information technology plan has been approved, it should be disseminated to all concerned
parties to ensure there is broad understanding of the direction and strategy. This may be assisted
through the use of an easy-to-read summary of the plan.
Issues to consider include:
• elements of the plan which contain sensitive information — for example, competitive strategy
should not be disclosed beyond those who need to know; and
• providing relevant information to third-parties with an interest in the information technology
strategies — without compromising the competitive needs or other sensitivities of the
organization.

ACCOUNTABILITY — Responsibility for implementing the plan should be explicit.


24. All plans require translation into action. Therefore, it is imperative to establish roles and
responsibilities with respect to the execution and monitoring of the plans.
Issues to consider include:
• identifying sponsors for each planned project — usually a senior executive for the business
area most affected by the project; and
• specifying the technical and business team leaders together with other appropriately skilled
team members for each project and establishing clear areas of responsibility of key team
members with agreed dates for delivery.

COMMITMENT — Management commitment in implementing the plan should be exhibited.


25. The implementation of the projects contained in the plan usually requires significant resources.
These resources are only likely to be available on a timely basis if there is strong support for the
plan and its objectives from executive management. Further, implementation of the plan may be
hindered by unforeseen impediments. Management intervention may be necessary to circumvent
these difficulties.
Issues to consider include:
• active executive management participation in the formulation of key strategies is imperative —
for example, management participation is needed through interviews and workshops, in order
to both contribute to the planning process and develop a progressive buy-in to the plan; and
• progressive executive management approvals and endorsements are needed at the end of each
phase of the planning process.
WHAT IS THE BEST APPROACH FOR INFORMATION TECHNOLOGY PLANNING?
26. While organizations develop information technology plans that are matched to their needs, the
planning process and the activities undertaken are similar. The sequence and importance of the
planning activity may vary, but the conceptual information technology planning process is generic.
This process entails that organizations will develop information technology plans in four phases —
an orientation phase, an assessment phase, a strategy phase and a tactical phase.

PHASE I: ORIENTATION
27. The first phase is required to establish or confirm the scope of the information technology for the
planning process, the methodology and techniques to be applied, mobilization of the planning team,
and the reporting lines for the planning process. The planning process may have been initiated in
response to a major change in the business strategies, or the implementation of most of the projects
in the tactical plan, or where the business or information technology assumptions of the existing
plan have changed significantly. Major steps in this phase and the key activities are described
below.
28. Establish scope: The scope of the information technology plan normally follows the business plan
of the organization and represents an essential starting point to the planning process. Key activities
include:
• determining if the plan incorporates all business units or that separate plans will be developed
for selected business units;
• assessing the impact, if any, of organizational structure and policies on the scope — for
example, for autonomous business units the practicality of formulating centralized strategies;
• evaluating the extent of third-party involvement in the planning process — for example, to
support inter-organizational systems; and
• establishing an overall timeframe for the strategic and tactical plans.
At the end of this step, the scope and timeframe for the information technology plan will have been
established.
29. Establish methodology/techniques and mobilize resources: Information technology planning can
be a time-consuming process depending on the size of the organization, and the scale of its current
or desired information technology usage. Once the scope has been established, the methodology
and techniques need to be established and the background information and resources necessary for
the planning effort need to be mobilized, including a clear delineation of reporting lines. Key
activities include:
• gathering necessary background information on the organization, its information technology
profile and capabilities and any impending changes that may impact the planning process;
• selecting a proven methodology to support the planning activities. This may be provided by
external consultants, internally developed, or acquired from a third party;
• determining techniques that will be used for collecting and analyzing information, including
questionnaires, interviews, workshops, etc.;
• developing a specific timetable for the completion of the plan, particularly the key phases;
• establishing an information technology project team. Typically, this will be a multidisciplinary
team, comprised of persons with both information technology and business skills. Frequently,
the team is supplemented by external consultants with expertise in information technology
planning; and
• formalizing the reporting mechanism for the project team. Generally, the team reports to a
steering committee which is headed by the Chief Executive Officer, Chief Information Officer,
or another senior business executive and comprises key business unit managers, the
information technology manager, and an information systems audit manager.
At the end of this step, a methodology, approach and timetable will have been established,
background information gathered and an information technology planning team will be in place for
the planning activities remaining.

PHASE II: ASSESSMENT


30. In the second phase of the information technology planning process the focus is on establishing a
base line. During this phase, data is collected and analyzed to describe the existing usage and
management of information technology and the extent to which they are unable, or may be unable,
to support business objectives. Also, this phase provides an opportunity to identify other potential
uses of information technologies which may assist in meeting business objectives. Major steps in
this phase and key activities are briefly described below.
31. Confirm business direction and drivers: This step is necessary to ensure that the key driver for
the information technology plan is the business direction of the organization. Typically, this
information will be extracted from the business plan of the organization. Key activities include:
• identifying core business goals, strategies and priorities, critical success factors, business and
information technology assumptions, external relationships, trading partners or information
technology providers, conceptual business models, launch of new or improved lines of
products, current or changing regulatory requirements, major business opportunities and
threats;
• developing a competitive profile of the business, through a business planning methodology,
with respect to strengths, weaknesses, opportunities, and threats;
• developing a competitive profile of the business in the use of information technology,
preferably by reference to available benchmarks, such as expenditure on information
technology as a percentage of total expenditure or total assets, service delivery times or
customer satisfaction levels; and
• analyzing the current and future organizational structures of the business and determining the
impact of these structures and their distribution on the information and information system
needs and related assumptions.
At the end of this step, a perspective will have been developed of the direction of
the business and its impact on information technology usage, given competitive
pressures.
32. Review technology trends: In this step, a view is formulated of the technologies from, for
instance, discussions with vendors and other third parties. Key activities include:
• establishing the cost, complexity, applicability and practicality of each major technology; and
• assessing, at a high level, the benefits, costs and risks from leading the technology direction for
the industry compared to established practice within the industry.
At the end of this step a view will have been developed on the impact of
information technologies and the potential they represent.
33. Outline future requirements: Based on the business direction and the technology trends, the high-
level existing and future requirements of the organization should be established. Key activities
include:
• identifying the information and related data needs of an organization through high-level data
modeling and business process analysis;
• determining the broad applications areas that are required to support the information needs;
and
• determining current and future service-level requirements, such as security, response times,
and problem resolution procedures.
At the end of this step there should be a clear understanding of the business
requirements that will need to be met over the planning horizon.
34. Inventory existing information systems: In this step, information technology usage is described.
Key activities include:
• documenting existing information flows to support operations and decision making;
• describing current applications — nature, scope, source, language and hardware requirements,
functionality, interfaces, dependencies, age, operating cost, complexity and known limitations;
• documenting linkages and interfaces between internal information systems and to external
information systems;
• listing technology infrastructure — processors, peripheral and storage devices,
communications and network equipment, terminals and personal computers — and associated
operating system software, protocols and communications software. The nature, use, age, cost,
residual life and limitation of each group should also be identified; and
• identifying organizational resources, including skills, experiences, methodologies and tools.
At the end of this step there should be a factual description of information
technology usage within the organization.
35. Develop an assessment: In this step, the information gathered in the preceding steps is analyzed so
that a baseline is established. Key activities include:
• comparing what information technology is required by the business against what exists so that
an understanding of the major gaps is formulated;
• evaluating each major area of the existing information systems to identify areas where there
are significant deficiencies or apparent user dissatisfaction with function, availability and
service delivery;
• identifying business areas or practices where significant new or improved information systems
are required; and
• preparing a list of major issues that need to be addressed in the formulation of the strategies —
for example, capital constraints; infrastructure development; change management; exploitation
of new technologies; business and information technology assumptions; improved service
levels; risks and other obstacles to successful completion.
In the concluding step of this phase there should be a well developed assessment of
the current and future business needs, the benefits available from implementing
technologies, the gap between what is desired and what is required by the
organization, and a list of the key issues to be considered in the formulation of the
information technology strategies. (To assist in this assessment effort, the appendix
includes key control objectives and assessment issues that should be considered.)

PHASE III: STRATEGIC PLAN

36. In the third phase of the information technology planning process appropriate strategies are
formulated. These strategies are founded on the assessment of the business needs and priorities,
information technology direction and other related issues considered in the assessment phase.
Major steps in the phase and the corresponding activities are described below.
37. Develop a vision: Before any strategies are formulated it is useful to establish the desired position
in terms of information technology at the end of the planning horizon — namely, where do we want
to be? Usually, this is accomplished by developing a vision for the future which encompasses the
desired information technology-related position in alignment with the business strategies. Key
activities include:
• determining the information technology critical success factors and related business and
information technology assumptions;
• identifying areas of emphasis in developing the strategies — for example, to outperform the
competition in the use of technology may be an important objective, or to meet agreed service-
levels may be more critical; and
• developing a realistic vision and supporting goals for the plan which recognize both the critical
success factors and areas of emphasis.
At the end of this step a vision, in terms of information technology matching
organizational objectives, will have been established.
38. Conduct option analysis: This step is critical to the formulation of an effective plan. Alternatives
must be analyzed for meeting the information needs of the organization. The alternatives must
cover information, applications, technology infrastructure, communications and organizational
resources that are required. Also, the alternatives must recognize mutual dependencies. For
example, if the decision is to acquire package solutions, then the information and technology
infrastructure needs are, to a large extent, driven by the package selected. Alternatively, if the
decision is to adopt a particular technology infrastructure standard, then the information,
application, and the business process needs are driven by the most appropriate solution available for
the standard selected. Key activities include:
• developing alternate models for assessing and delivering the data and information
requirements of the organization — what, why, when, and where information is required;
• identifying alternative application approaches for meeting the information needs of the
organization for each business segment — for example, custom develop, retain existing
information system, acquire a package, or a hybrid solution;
• assessing alternate approaches and associated risks for meeting the technology infrastructure
needs which are compatible with the chosen application and satisfy the service level
requirements of the organization, including technology infrastructure standards;
• evaluating alternate approaches for meeting the communication needs — for example, a
centralized communications network management model against a distributed network model;
and
• identifying organizational processes and policies needed to support the acquisition,
development, implementation, operation and maintenance of the information systems and the
various ways that these needs may be met — for example, defining new policies, re-engineering
business processes, recruitment of additional personnel, and outsourcing of
implementation and/or delivery of new functionality.
At the end of this step, there should be a clear understanding of the alternatives that
are available to the organization and the relative merits, including risks, costs and
benefits, represented by each alternative.
39. Develop a strategic plan: Once all the alternative options are identified, the most effective
strategic options should be selected, providing they are within the resource capacity and capability
of the organization and all the selected options are compatible with each other to the extent
necessary. Key activities include:
• justifying selection of the strategy — degree of fit to the business needs, compatibility with
other strategies selected, flexibility to adapt to changing circumstances, adherence to industry
standards, speed of implementation, organizational capability and learning curve required, and
relative costs and benefits;
• developing an integrated planning framework to bring together the individual strategies
culminating in a cohesive overall strategy covering information, applications, technology
infrastructure, and organization perspectives in a manner that meets business objectives; and
• developing a broad implementation plan as a prelude to more detailed planning in the next
phase.
At the conclusion of this phase, there should be a well-developed strategic plan.
There should also be an overall justification for pursuing the plan and a broad
implementation timetable.

PHASE IV: TACTICAL PLAN

40. In the last phase of the planning process, the tactical (or implementation) plan is developed. In the
tactical plan, the focus is on the projects that need to be undertaken to implement each of the
strategies. Major steps in this phase and corresponding activities are described below.
41. Identify and specify projects: In this step, each strategy is broken into specific projects — to
facilitate control, implementation and matching to the resource capability of the organization. Also,
the projects may need to be integrated with business-related projects such as business re-engineering.
These projects include any transitional projects that are required as a bridge between the new and
existing information systems. Key activities include:
• specifying the nature, functionality, and scope of each project;
• establishing interdependencies between projects;
• identifying the costs and benefits of individual projects; and
• estimating the implementation timeframe for each project.
At the end of this step, all the projects required to support the implementation of
the strategic plan will have been specified.
42. Prioritize projects: The strategic plan provides only broad guidance on the priorities of the
projects. Now that the projects are specified, their priorities must be confirmed. Criteria to consider
include:
• strategic impact of the project in supporting the business strategy;
• dependencies on other projects — for example, a communication network may be the
foundation project for a new service delivery offering and would need to be scheduled and
completed prior to the new service delivery offering;
• business imperatives — for example, the launch date of a new product or changes to regulatory
requirements or meeting competitive or customer needs;
• benefits that can be realized — projects with high benefits or quick results should be fast-
tracked; and
• resource requirements — for example, funding may constrain the concurrent implementation
of major projects.
At the end of this step all the projects in the tactical plan will have been prioritized.
43. Develop the tactical plan: In this step, each project is scheduled for implementation based on its
priority, the resources required, the resources available and the implementation timeframe. The
implementation plan should:
• schedule all projects, specifying who does what and when;
• identify the critical path and performance milestones for key deliverables;
• provide the underlying assumptions and constraints; and
• develop financial, resource allocation, and benefit realization plans to support the
implementation of the projects.
At the end of this activity, the organization will have formulated a plan for translating the strategy
into actions.
44. Recommend monitoring and control process: In this concluding step, the monitoring and control
mechanisms need to be established to ensure that the plan is implemented in a timely, efficient, and
effective manner. Typically, the overall responsibility for the continuing approval and oversight of
the plan rests with an executive level committee — the Information Technology Steering
Committee. Key activities include:
• developing a monitoring and control mechanism that will ensure that the plan implementation
as well as business and information technology assumptions are periodically reviewed and,
where appropriate, corrective action is taken;
• assigning accountabilities for the implementation of specific projects within the plan — for
example, a project sponsor and project manager; and
• assigning responsibilities for delivering estimated benefits from those parts of the information
technology plan that have been implemented — for example, the senior business executives
responsible for areas where the new or enhanced system is being used.
This step marks the conclusion of the information technology planning process.

Appendix *

KEY CONTROL OBJECTIVES AND ASSESSMENT ISSUES FOR INFORMATION TECHNOLOGY PLANNING

(For use by the Information Technology control professional as an assessment guide)

Key Control Objectives

Define a Strategic Information Technology Plan


1. Information Technology as Part of the Organization's Long- and Short-Range Plan **
2. Information Technology Long-Range Plan
3. Information Technology Long-Range Planning -- Approach and Structure
4. Information Technology Long-Range Plan Changes
5. Short-Range Planning for the Information Services Function
6. Assessment of Existing Systems

1. Information Technology as Part of the Organization's Long- and Short-Range Plan
Senior management is responsible for developing and implementing long- and short-range plans that
fulfill the organization's mission and goals. In this respect, senior management should ensure that
information technology issues as well as opportunities are adequately assessed and reflected in the
organization's long- and short-range plans.
2. Information Technology Long-Range Plan
Management of the information services function is responsible for regularly developing
information technology long-range plans supporting the achievement of the organization's overall
missions and goals. Accordingly, management should implement a long-range planning process,
adopt a structured approach and set up a standard plan structure.
3. Information Technology Long-Range Planning -- Approach and Structure
Management of the information services function should establish and apply a structured approach
regarding the long-range planning process. This should result in a high-quality plan which covers
the basic questions of what, who, how, when and why. Aspects which need to be taken into account
and adequately addressed during the planning process are the organizational model and changes to
it, geographical distribution, technological evolution, costs, legal and regulatory requirements,
requirements of third-parties or the market, planning horizon, business process re-engineering,
staffing, in- or out-sourcing, etc. Benefits of the choices made should be clearly identified. The plan
itself should also refer to other plans such as the organization quality plan and the information risk
management plan.
4. Information Technology Long-Range Plan Changes
Management of the information services function should ensure a process is in place to modify the
information technology long-range plan in a timely and accurate manner to accommodate changes to
the organization's long-range plan and changes in information technology conditions.
5. Short-Range Planning for the Information Services Function
Management of the information services function should ensure that the information technology
long-range plan is regularly translated into information technology short-range plans. Such short-
range plans should ensure that appropriate information services function resources are allocated on a
basis consistent with the information technology long-range plan. The short-range plans should be
reassessed periodically and amended as necessary in response to changing business and information
technology conditions. The timely performance of feasibility studies should ensure that the
execution of the short-range plans is adequately initiated.
6. Assessment of Existing Systems
Prior to developing or changing the strategic information technology plan, management of the
information services function should assess the existing information systems in terms of degree of
business automation, functionality, stability, complexity, costs, strengths and weaknesses, in order
to determine the degree to which the existing systems support the organization's business
requirements.

Key Assessment Issues


Consider whether:
• Information services function or business enterprise policies and procedures address a structured
planning approach;
• A methodology is in place to formulate and modify the plans and, at a minimum, they cover:
– organization mission and goals
– information technology initiatives to support the organization mission and goals
– opportunities for information technology initiatives
– feasibility studies of information technology initiatives
– risk assessments of information technology initiatives
– optimal investment of current and future information technology investments
– re-engineering of information technology initiatives to reflect changes in the organization's mission
and goals
– evaluation of the alternative strategies for data applications, technology and organization;
• Organizational changes, technology evolution, regulatory requirements, business process re-
engineering, staffing, in- and out-sourcing, etc. are taken into account and adequately addressed
in the planning process;
• Long- and short-range information technology plans exist, are current, and adequately address the
overall enterprise, its mission and key business functions;
• Information technology projects are supported by the appropriate documentation as identified in
the information technology planning methodology;
• Checkpoints exist to ensure that information technology objectives and long- and short-range
plans continue to meet organizational objectives and long- and short-range plans;
• Review and sign-off of information technology plans by process owners and senior management
occurs; and
• The information technology plan assesses the existing information systems in terms of degree of
business automation, functionality, stability, complexity, costs, strengths and weaknesses.
Test whether:
• Minutes from information services function planning/steering committee meetings reflect the
planning process;
• Planning methodology deliverables exist and are as prescribed;
• Relevant information technology initiatives are included in the information services function
long- and short-range plans (i.e., hardware changes, capacity planning, information architecture,
new system development or procurement, disaster recovery planning, installation of new
processing platforms, etc.);
• Information technology initiatives support the long- and short-range plans and consider
requirements for research, training, staffing, facilities, hardware and software;
• Technical implications of information technology initiatives have been identified;
• Consideration has been given to optimizing current and future information technology
investments;
• Information technology long- and short-range plans are consistent with the organization's long-
and short-range plans and organization requirements;
• Plans have been changed to reflect changing conditions;
• Information technology long-range plans are periodically translated into short-range plans; and
• Tasks exist to implement the plans.
Substantiate the risk of control objectives not being met by:
• Benchmarking of strategic information technology plans against similar organizations or
appropriate international standards/recognized industry best practices;
• A detailed review of the IT plans to ensure that IT initiatives reflect the organization's mission
and goals; and
• A detailed review of the IT plans to determine if known areas of weakness within the
organization are being identified for improvement as part of the IT solutions contained in the
plans.

* abstracted from “Control Objectives for Information and related Technology (COBIT)
2nd Edition” published by the Information Systems Audit and Control Foundation
(ISACF), 1996, 1998
** the term “long-range” is comparable to “strategic” and the term “short-range” is
comparable to “tactical”
