Information Systems Strategy

Every organization that wants to manage its information systems efficiently should develop and periodically update an "Information Systems Strategy" document. Changes in the ICT market bring chaos to information systems, mostly due to emerging technologies, regulatory compliance initiatives, and changes in business processes. Without a clear strategy, information systems can suffer from inconsistent ICT equipment, software platforms, and management procedures, which lead to major information (and operational) losses and risks.

The Information Systems Strategy should derive from the organizational business strategy, facilitating current and future organizational goals and creating competitive advantages through the use of modern information and communication technology. This strategy should be formalized as a document that is maintained and updated. Responsibility for this process rests with the head of the Information Systems organizational unit (e.g. the CIO), in close cooperation with the Information Systems Board.

The main goal of the Information Systems Strategy is to ensure that technological plans are implemented consistently and comply with organizational business goals, and that information systems support the organizational services and products designed in response to market demand.

Here are some of the chapters that the Information Systems Strategy should contain:

1. Introduction

  • CIO foreword
  • General purpose of strategy
  • References, Definitions, Roles and Responsibilities

2. Business goals and environment

  • Business strategy summary (e.g. market expansion, new business office openings)
  • Regulatory obligations, current state of the economy, current state of the market
  • ICT trends and good practices

3. Current state of information systems

  • Organizational structure
  • Information systems architecture
  • IT services catalogue
  • Communication infrastructure
  • ICT equipment
  • Staffing and education
  • Information system security

4. Future needs analysis

  • Same sections as in the previous chapter on the current state of information systems

5. Risk assessment and feasibility

  • Rough risk assessment
  • SWOT analysis
  • Cost-benefit analysis

6. Action plans and costs

  • Global strategic plan with projects, costs, and resource engagements

7. Monitoring strategy execution

  • Methodology used (e.g. IT Balanced Scorecard)
  • Reporting
  • Metrics

The main difficulty lies in the future needs analysis and in working out how to carry it out. As with any analysis, the CIO's ability to think clearly and synthesize information is crucial. The CIO should use as many input variables and as much information as is required to build a complete, global picture of each of the points listed under chapter 3 above. Some of these variables and this information can be found in documents and reports already produced within the Information Systems groups, such as risk assessment reports, business impact analyses, current capacity and performance reports, and help desk requests.

Last but not least, the strategy must be approved by the Information Systems Board and its execution constantly monitored; otherwise it could end up as yet another piece of wasted paper.





Dalibor Uremovic is the founder of Alterinfo d.o.o., a freelance consultant, and a graduate of the Faculty of Organization and Informatics in Croatia. He has worked in several companies on the development and programming of information systems, database administration, and IS operations. He has been working as a consultant for information security since 2007. His focus has been on the implementation of Information Security Management Systems (ISMS), implementation of Business Continuity Management Systems (BCMS), governance of IT processes, and auditing of information systems. Projects that he has been working on include all business sectors: industry, finance, telecommunication, and civil service in companies of various sizes.

He is an active member of the ISACA organization and holds some well-known ICT certificates such as CISA, CRISC, and MCSD.NET. Occasionally he writes for a leading ICT magazine in Croatia – Mrez@.

