IT Governance
2013-2014 - IMT4571 - 5sp

Forventet læringsutbytte


  • The candidate possesses detailed knowledge of IT Governance principles and procedures, and the basic concepts of the ISO 27001 / ISO 27002 standard.
  • The candidate possesses thorough knowledge about the overall process for establishment and maintenance of an Information Security Management Systems (ISMS).
  • The candidate possesses detailed knowledge about the role of policies, standards and guidelines for controls and is capable of applying his/her knowledge in case studies.


  • The candidate is capable of applying IT Governance principles on practical case-studies, including proposal and evaluation of technical security architectures and solutions.
  • The candidate is capable of performing stakeholder analysis, risk assessment and recommending risk treatment plans on limited case-studies.
  • The candidate is capable of evaluating the applicability of common security mechanism for various controls given a certain scope and policy for the control.

General competence

  • The candidate is capable of analyzing business and organizational needs for an ISMS and has a thorough understanding of security management as a continuous improvement process.
  • The candidate can work independently and is familiar with IT Governance terminology.
  • The candidate is capable of discussing professional problems such as documentation, decision making processes, implementation plans, operations, reviews and corrective actions, with both IT specialists and general managers.

Emnets temaer

  •  Reasons for IT Governance: Compliance, liability, stability
  •  Organizing information security
  •  Information security policy and scope
  •  The risk assessment and statement of applicability
  •  Identification of risks related to external parties
  •  Asset management
  •  Human resources security
  •  Physical and environmental security
  •  Equipment security
  •  Communications and operations management
  •  Controls against malicious software (malware) and back-ups
  •  Network security management and media handling
  •  Exchanges of information
  •  Electronic commerce services
  •  E-mail and internet use
  •  Access control
  •  Network access control
  •  Operating system access control
  •  Application access control and teleworking
  •  Systems acquisition, development and maintenance
  •  Cryptographic controls
  •  Security in development and support processes
  •  Monitoring and information security incident management
  •  Business continuity management
  •  Compliance
  •  Principles of auditing

Pedagogiske metoder


Pedagogiske metoder (fritekst)

Lectures, exercises and projects.

The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement form that is best fitted for her/his own requirement. The lectures in the course will be given on campus and are open for both categories of students. All the lectures will also be available on Internet through GUC’s learning management system (ClassFronter).




  •  1-2 Multiple Choice Tests (weight: 20%)
  •  1-2 group Assignments (weight: 30%)
  • Digital Final exam, 2 hours (weight: 50%)

The final digital exam is conducted in Fronter with students present in the computer lab at HiG
All three parts are mandatory and must be passed!


Bokstavkarakterer, A (best) - F (ikke bestått)


Evaluated by the lecturer. An external examiner will be used every 4th year. Next time in the school-year 2014/2015.

Utsatt eksamen (tidl. kontinuasjon)

For the final exam: Ordinary re-sit examnination.

Obligatoriske arbeidskrav




Alan Calder & Steve Watkins. IT Governance : IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Fifth Edition. Kogan Page. 2008.

Anderson, Ross (1999) Why cryptosystems fail, University Computer Laboratory,University of Cambridge, Cambridge, UK,