Five Questions With...
Francisco Garcia Moran
Francisco Garcia Moran started his career as a teacher and
IT engineer at the University of Seville (Spain) and worked for
several years in the IT departments of the Ministry of Education
and Science at the national level and at the Regional Government
of Andalusia, where he worked as the head of several IT services.
Q How do you see the role of governance of enterprise IT (GEIT) changing in the next
A I see IT governance being more and more aligned with enterprise governance.
Actually, the ultimate goal is that IT governance
is completely integrated into enterprise
governance since an organization does not have
separate IT and business goals, but has business
goals with, most of the time, IT components.
In the European Commission (EC), the
business has started fully understanding the
importance of this alignment, given the fact
that the organization relies more and more on
IT tools and systems to improve performance,
efficiency, effectiveness and compliance and
to support European Union (EU) policies.
Today, nearly every EU directive or regulation
contains provision for the development and
implementation of an information system and the
associated infrastructure to support the policies.
Furthermore, there is some legislation that would
be impossible to implement without the support
of IT tools.
IT tools are integrated into the business,
and given the complexity of interaction among
stakeholder organizations, IT governance—and,
more globally, governance at all levels—will need
to improve a great deal in the coming years.
appointed Director General in November 2005. DIGIT defines the
IT strategy of the EC, provides information and communication
technology (ICT) corporate services, and is also responsible
for the European program Interoperable Solutions for Public
Garcia Moran is a member of the Management Board of the
European Network and Information Security Agency (ENISA) and
the World Bank’s High Level E Transformation Group (HLEG).
Garcia Moran is an avid sports enthusiast. When not in the
office, he can be found cycling, playing tennis or basketball, or
jogging. He also enjoys reading and classical music.
Q How did major frameworks (e.g., COBIT®, ITIL, ISO 27001) change the landscape of IT
management, and what impact did they have
A The EC uses these frameworks intensively in its IT management and, particularly, in DIGIT
in which ITIL, or standard project management
methodologies, are systematically deployed.
Furthermore, when carrying out IT audits,
these frameworks are used as references. The
standard wording at an audit kick-off meeting is,
The scope of the audit includes the following
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• ME1 Monitor and evaluate IT performance.
• ME3 Ensure compliance with external
• Regulatory framework at EC
• 16 internal control standards (baseline requirements as of 1 January 2008),
• Legislation (e.g., Regulation 45 (2001) on personal data protection), internal regulation framework (e.g., CEAF, C(2006)3602, SEC(2006)898 & 899).