Overview & Preparation
What IT governance actually is, the international standards that anchor it (ISO/IEC 38500, COBIT, NIST CSF 2.0), and the 7-phase / 5-domain / 12-G-step roadmap.
Most IT-governance books are theory. This one is the playbook — ten chapters, three sections, twelve concrete G-steps, and four real-world voyages: Chernobyl's three failures, Singapore's Smart Nation, Estonia's portfolio of investments, NASA's fifteen-year mission. Built on the nautical-navigation analogy: where you are, where you're going, and what it takes to sail between them — for IT.
The voyage
The book follows a single nautical voyage from one shore (the as-is organisation) to another (governed IT). The visual below is a panoramic chart — every icon corresponds to a chapter or G-step in the book. Three legs: Overview & Preparation (chapters 1–3), Implementation (4–8), Measurement & Next Steps (9–10).
What IT governance actually is, the international standards that anchor it (ISO/IEC 38500, COBIT, NIST CSF 2.0), and the 7-phase / 5-domain / 12-G-step roadmap.
Phase 1 → 5. Lay the groundwork, assess current state, design strategy and architecture, set the budget, execute. Nine G-steps live in this section.
Phase 6–7. Performance monitoring, BCP, audit, continuous evolution. Plus the future-proofing chapter on AI, cyber, and CSF 2.0.
10 chapters
Every chapter has a panorama on the right. The badges show which G-steps that chapter covers. The Japanese subtitle shows the original 章扉 reading.
Why IT Governance is a board-level concern, not a help-desk one. ISO/IEC 38500, COBIT, NIST CSF 2.0, and the Weill & Ross definition compared. Cloud / AI / DX as governance challenges.
A tour of the international standards and core frameworks. The six principles of ISO/IEC 38500, the governance scope defined by COBIT (ISACA), and ITIL — broken down for practitioners. What to place under governance, and who is accountable for how much.
The book's central diagram. 7 phases (vertical) × 5 domains (horizontal) × 12 G-steps (the practical work). How to keep an organisational change moving when conflict is the norm, not the exception.
G1: governance framework. G2: stakeholder management and benefit realisation. The first concrete deliverables of the engagement — and the moment most failures begin.
G3: risk · quality · data management as one integrated discipline. Featured case study: Chernobyl — the three failures of risk, quality, and data, and their corporate-IT analogues.
G4: IT strategy + enterprise architecture. G5: organisation, talent, vendor management. Featured case study: Singapore's Smart Nation — what nation-scale strategy design looks like.
G6: investment, budget, portfolio management. G7: project and programme management. Featured case study: Estonia's e-government — three explicit investment categories instead of "we'll figure it out."
G8: system build / acquisition / implementation. G9: operations and incident management. Featured case study: NASA Opportunity — fifteen years of unbroken operations from 225 million km away.
G10: performance monitoring & evaluation. G11: business continuity & availability. G12: audit & assurance. ISO/IEC 38500's "performance" principle, applied. The PDCA Check + Act of IT governance.
The "Responsibility" principle of ISO/IEC 38500 extended into the future — the four responsibilities an AI era demands: to create, to continue, to bring to an end, and to judge. Plus cybersecurity escalation, NIST CSF 2.0's GOVERN function, and the regulatory wave still building.
12 G-steps
The 7 phases tell you when. The 5 domains tell you where. The 12 G-steps tell you what — concrete deliverables an engagement can plan against, audit against, and finish.
Phase 1 · Ch.4
Phase 1 · Ch.4
Phase 2 · Ch.5
Phase 3 · Ch.6
Phase 3 · Ch.6
Phase 4 · Ch.7
Phase 4 · Ch.7
Phase 5 · Ch.8
Phase 5 · Ch.8
Phase 6 · Ch.9
Phase 7 · Ch.9
Phase 7 · Ch.9
Real voyages
The book leans on real, named cases — not anonymised composites. Each is examined in the chapter that maps to its lesson.
Three failures, one explosion. Risk: the RBMK reactor's low-output instability was known and not communicated to the operators. Quality: an emergency-power test that had failed before was rerun with the ECCS disabled. Data: contamination maps were classified for three years; high contamination 300 km from the plant was only confirmed in 1989.
Smart Nation 1.0 set goals first (digital government / digital economy / digital society / digital security). Those goals were then shaped into strategy. The Smart Nation and Digital Government Group (SNDGG) under the Prime Minister's Office gave them an organisation, and the Singapore Government Tech Stack (SGTS) gave them a shared architecture. Goals → strategy → org → architecture, in that order.
In a nation of roughly 1.3 million people, government-issued ID cards reach almost every citizen and a wide range of public services run entirely online — funded out of a small national budget. Three explicit investment categories: Mandatory (compliance / security, judged by what's lost if not done), Strategic (e-Residency, internet voting — long-term value, not short-term ROI), Optimisation (efficiency, with measurable cost reduction).
A 90-day mission that ran 15 years. ~$1 B lifecycle cost for the MER programme — with cost overruns the norm in space programmes (NASA's major projects average ~28% overrun), a comparatively well-managed budget. 800+ recovery attempts after the 2018 dust storm. Standardised incident response, strict change management, 24/7 monitoring, clear inter-team roles — operating an instrument on a planet 225 million km away.
Definitions compared
Each institution emphasises a different facet — system, leadership, cyber risk, decision rights — and the book uses all four. Sources cited verbatim.
| Institution / Standard | Emphasis | Definition (verbatim where cited) |
|---|---|---|
| ISO/IEC 385002024 · §3.4 / §3.3 | System | "System by which the current and future use of IT is governed." Governance itself is "a human-based system comprising directing, overseeing and accountability." Treats governance of IT as a component or domain of organisational governance. |
| COBIT 2019ISACA | Leadership & structure | "IT governance is the responsibility of the board of directors and executive management… consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives." Operationalised through the EDM domain (Evaluate · Direct · Monitor). |
| NIST CSF 2.02024 | Cyber risk integration | Added GOVERN (GV) as a sixth core function "because organisations need to incorporate cyber risk management throughout their corporate governance structure." Covers leadership/accountability, policy, strategic alignment, continuous monitoring/improvement. |
| Weill & RossMIT CISR · 2004 | Decision rights | "Specifying the decision rights and accountability framework to encourage desirable behaviour in using IT." Key distinction: "IT Governance is not about making specific decisions — management does that — but rather determines who systematically makes and contributes to those decisions." |
Publication status
Sample figures
A subset shown below. Each chapter (and each G-step in a multi-G chapter) gets its own panoramic ship-journey illustration. Twelve panoramas in total.









Drop your email for a notification when the Japanese edition ships in August 2026.
Plain-language summary drawn from the book manuscript.