IT Governance Standard Final


GOVERNMENT ICT STANDARDS

IT Governance Standard
ICTA. 5.002: 2019

Second Edition

The ICT Authority is a State Corporation under the State Corporations Act 446
www.icta.go.ke

© ICTA 2019 - All Rights Reserved


GOVERNMENT ICT STANDARD ICTA. 5.002: 2019

REVISION OF ICT STANDARDS

In order to keep abreast of progress in industry, ICTA Standards shall be regularly reviewed.
Suggestions for improvements to published standards, addressed to the Chief Executive Officer,
ICT Authority, are welcome.

©ICT Authority 2019

Copyright. Users are reminded that by virtue of Section 25 of the Copyright Act, Cap. 12 of 2001 of
the Laws of Kenya, copyright subsists in all ICTA Standards and except as provided under Section
26 of this Act, no standard produced by ICTA may be reproduced, stored in a retrieval system in
any form or transmitted by any means without prior permission in writing from the Chief Executive
Officer.

ICT AUTHORITY (ICTA)

Head Office: P.O. Box 27150, Nairobi-00100, Tel.: (+254 202) 211 960/61
E-Mail: [email protected], Web: http://standards.icta.go.ke


DOCUMENT CONTROL

Document Name: Government IT Governance Standard

Prepared by: Government IT Governance Technical Committee

Edition: Second Edition

Approved by: Board of Directors

Date Approved: 13th January 2020

Effective Date: 1st February 2020

Next Review Date: After 3 years


CONTENT

1. INTRODUCTION
1.1 DESCRIPTION OF STANDARD
2. SCOPE
APPLICATION
3.0 NORMATIVE REFERENCES
4.0 TERMS AND DEFINITIONS
5.0 ENTERPRISE ARCHITECTURE
5.1. BUSINESS ARCHITECTURE
5.2. APPLICATION ARCHITECTURE
5.3 INFORMATION ARCHITECTURE
5.4 INFRASTRUCTURE ARCHITECTURE
6.0 ICT GOVERNANCE
6.1 INDEPENDENT ICT FUNCTION
6.2 ICT GOVERNANCE COMMITTEES
6.3 ICT ORGANIZATION
6.4 IT STRATEGY
6.5 IT PROJECT GOVERNANCE
7.0 IT SERVICE MANAGEMENT
7.1 IT SERVICE STRATEGY
7.1.2 IT SERVICE MANAGEMENT
7.2 SERVICE LEVEL MANAGEMENT
7.2.1 SERVICE DESK
7.2.2 IT OPERATIONS CONTROL
7.2.3 BUSINESS RELATIONSHIP MANAGEMENT
7.3 IT SERVICE DESIGN
7.3.1 AVAILABILITY MANAGEMENT
7.3.2 IT INFRASTRUCTURE CAPACITY MANAGEMENT
7.3.3 INFORMATION SECURITY MANAGEMENT
7.3.4 SUPPLIER MANAGEMENT
7.4 IT SERVICE TRANSITION
7.4.1 IT SERVICE CHANGE MANAGEMENT
7.4.2 KNOWLEDGE MANAGEMENT
7.5 IT CONTINUOUS SERVICE IMPROVEMENT
7.5.1 SERVICE AND PROCESS PERFORMANCE REVIEW
8.0 LEGAL AND REGULATORY
8.1 KENYA LAWS ON ICT
8.2 ROLES AND RESPONSIBILITIES
9.0 ICT RISK MANAGEMENT
9.1 GENERAL
9.2 ICT RISK FRAMEWORK
10.0 SOURCING, RESOURCING AND FINANCING OF IT FUNCTIONS
10.1 GENERAL
10.2 SOURCING OF ICT EQUIPMENT, PRODUCTS AND SERVICES
10.3 RESOURCING
10.4 FINANCING
10.5 ASSET MANAGEMENT
10.6 CAPACITY BUILDING
10.7 TOOLS
10.8 INNOVATION


APPENDIX 1: COMPLIANCE CHECKLIST FOR ENTERPRISE ARCHITECTURE
APPENDIX 2: COMPLIANCE CHECKLIST FOR ICT GOVERNANCE
6.2 ICT GOVERNANCE COMMITTEES
6.3 ICT ORGANIZATION
6.4 IT STRATEGY
6.5 IT PROJECT GOVERNANCE
APPENDIX 3: COMPLIANCE CHECKLIST FOR IT LEGAL AND REGULATORY
8.1 KENYA LAWS ON ICT
8.2 ROLES AND RESPONSIBILITIES
APPENDIX 4 COMPLIANCE CHECKLIST FOR IT SERVICE MANAGEMENT
APPENDIX 5 COMPLIANCE CHECKLIST FOR ICT AND RISK MANAGEMENT
APPENDIX 6 IT PROJECT MANAGEMENT
APPENDIX 7 PERFORMANCE MANAGEMENT
APPENDIX 8 RISK MANAGEMENT
APPENDIX 9 IT GOVERNING COMMITTEES
APPENDIX 10 GUIDELINES FOR SOURCING
APPENDIX 11 GOK PROJECT MANAGEMENT GOVERNANCE STRUCTURE
APPENDIX 12: ICT ORGANIZATION STRUCTURES
APPENDIX 13: PROJECT GOVERNANCE ROLES
APPENDIX 14: PROJECT MANAGEMENT DOCUMENTATION
APPENDIX 15: PROJECT MANAGEMENT STAGES
APPENDIX 16: PROJECT DOCUMENTATION DEVELOPMENT
APPENDIX 17: A GENERIC PROJECT GOVERNANCE MODEL FOR LARGER, MORE COMPLEX PROJECTS
APPENDIX 18: SAMPLE OUTCOME REALIZATION DATA FOR THE PROJECT BUSINESS PLAN
APPENDIX 19: STAKEHOLDER ENGAGEMENT PROCESS
APPENDIX 20: STAKEHOLDER ENGAGEMENT PROCESS
APPENDIX 21: ELEMENTS OF THE RISK MANAGEMENT PROCESS
APPENDIX 22: RISK MATRIX FOR GRADING RISKS
APPENDIX 23: RECOMMENDED ACTIONS FOR GRADES OF RISK
APPENDIX 24: ISSUE MANAGEMENT FLOWCHART
APPENDIX 25 SAMPLE PROJECT ISSUES REGISTER
APPENDIX 26: PROJECT CLOSURE
APPENDIX 27: SAMPLE SERVICE MANAGEMENT STRUCTURE (ITIL) FOR SMALL ORGANIZATIONS
APPENDIX 28: SAMPLE SERVICE MANAGEMENT STRUCTURE (ITIL) FOR LARGE ORGANIZATIONS
APPENDIX 29: SERVICE DESK 1ST LEVEL, 2ND LEVEL AND 3RD LEVEL SUPPORT DEFINITIONS
APPENDIX 30: SAMPLE ICT STRATEGY FORMAT
APPENDIX 31: WHO NEEDS TO BE INVOLVED IN LEGAL CONTRACTS
APPENDIX 32: RISK MANAGEMENT PROCESS
APPENDIX 33: ACCREDITATION OF ICT SERVICE PROVIDERS
APPENDIX 34: ACCREDITATION OF ICT PROFESSIONALS
APPENDIX 35: GOVERNMENT ICT PROJECT GOVERNANCE STRUCTURES
APPENDIX 36: AUDIT FOR OUTSOURCED APPLICATIONS


FOREWORD
The ICT Authority has the mandate to set and enforce ICT standards and guidelines across all aspects
of information and communication technology including Systems, Infrastructure, Processes,
Human Resources and Technology for the public service. The overall purpose of this mandate is
to ensure coherent and unified approach to acquisition, deployment, management and operation
of ICTs across the public service in order to achieve secure, efficient, flexible, integrated and cost
effective deployment and use of ICTs.

To achieve this mandate, the Authority established a standards committee to identify the relevant
standard domains and oversee the standards development process. The committee consulted and
researched broadly among subject matter experts to ensure conformity to acceptable international
and national industry best practices as well as relevance to the Kenyan public service. The
committee eventually adopted the Kenya Bureau of Standards (KEBS) format and procedure for
standards development. In an engagement founded on a memorandum of understanding, KEBS
participated in the development of these Standards and gave invaluable advice and guidance.
For example, the IT Governance Standard, which falls under the overall Government Enterprise
Architecture (GEA), has therefore been prepared in accordance with KEBS standards development
guidelines which are, in turn, based on the international best practices by standards development
organizations including ISO.
The Authority’s Directorate of Programmes and Standards has the oversight role and responsibility
for management, enforcement and review of this standard. The Directorate shall carry out quarterly
audits in all the Ministries, Counties, and Agencies (MCA) to determine compliance to this Standard.
The Authority shall issue a certificate for compliance to agencies upon inspection and assessment
of the level of compliance to the standard. For non-compliant agencies, a report detailing the extent
of the deviation and the prevailing circumstances shall be tabled before the Standards Review Board
who shall advise and make recommendations to remedy the shortfall.
The ICT Authority management, conscious of the central and core role that standards play in
public service integration, fostering shared services and increasing value in ICT investments,
shall prioritize the adoption of this standard by all Government agencies. The Authority therefore
encourages agencies to adhere to this standard in order to obtain value from their ICT investments.

Dr. Katherine W. Getao, EBS


Chief Executive Officer
ICT Authority


1.0 INTRODUCTION
IT Governance is part of the wider Corporate Governance activity but with a specific focus on IT.
IT Governance covers the culture, organization, policies, and practices that provide oversight
and transparency of IT. For organizational investment in IT to deliver full value, IT has to be
fully aligned to organizational strategies. Good IT risk management, oversight, and clear
communication not only reduce the cost and damage caused by IT failures but also
engender greater trust, teamwork, and confidence in the use of IT itself and the people trusted
with IT services.
The biggest risk and concern to the government today is failing to align IT to real business needs,
and a failure to deliver, or be seen to be delivering, value to the business. Since IT can have such a
dramatic effect on MCDA performance and competitiveness, a failure to manage IT effectively can
have a very serious impact on the organization as a whole.
The current climate of cost reduction and budget restriction has resulted in new norms – there
is an expectation that IT resources should always be used as efficiently as possible and that
steps are taken to organize these IT resources ready for the next cycle of growth and new IT
developments. A key aspect of these factors is the increasing use of third-party service providers
and the need to manage these suppliers properly to avoid costly and damaging service failures.
In addition, IT governance recognizes the critical role IT functions play in an organization and the
need to place it at par with other core functions in terms of reporting lines.

IT governance shall assist MCAs to:

• Create deeper understanding and awareness of all IT related risks likely to have an impact
on their organization;
• Know how to improve the management processes within IT to manage these risks;
• Ensure there are manageable relationships with suppliers, service providers and with the
business (customers);
• Contract and manage IT suppliers with the expected level of performance;
• Ensure there is a transparent and understandable communication of these IT activities and
management processes to satisfy interested stakeholders;
• Recruit and maintain IT Professionals who are competent and regulated.

IT Governance is not a one-time exercise or something achieved by a mandate or set of rules. It
requires a commitment from top management of the organization to instill a better way of dealing
with the management and control of IT. IT Governance is an ongoing activity that requires a
continuous improvement mentality and responsiveness to the fast-changing IT environment.
IT governance shall result in:
a. Transparency and accountability
- Improved transparency of IT costs, IT process, IT portfolio (projects and services).
- Clarified decision-making accountabilities and definition of user and provider
relationships.
b. Return on investment
- Improved understanding of overall IT costs and their input to ROI cases.
- Combining focused cost-cutting with an ability to reason for investment.
- Stakeholders are able to see IT risk/returns.
c. Opportunities and Partnerships
- Provide a route to realize opportunities that might not receive attention or sponsorship.
- Positioning of IT as a business partner (and clarifying what sort of business partner IT is).

- Facilitate joint ventures with other organizations.
- Facilitate more business-like relationships with key IT partners (vendors and suppliers).
- Achieve a consistent approach to taking risks.
- Enables IT participation in business strategy (which is then reflected in IT strategy) and
vice versa.
- Improve responsiveness to challenges and opportunities.
d. External Compliance
- Enables an integrated approach to meeting government legal and regulatory
requirements.

1.1 DESCRIPTION OF STANDARD

IT governance is defined as the processes that ensure effective and efficient use of IT in enabling
an organization to achieve its goals.

2.0 SCOPE
IT governance consists of the leadership and organizational structures and processes that ensure
the enterprise sustains and extends strategies and objectives. It spans the culture, organization,
policy, and practices that provide for IT management and control across five key areas:

• Alignment – Provide for strategic direction of IT and the alignment of IT and the business with
respect to services and projects.
• Value delivery – Confirm that the IT/Business organization is designed to drive maximum
business value from IT. Oversee the delivery of value by IT to the business, and assessment of
ROI.
• Risk management – Ascertain that processes are in place to ensure that risks have been
adequately managed. This includes the assessment of the risk aspects of IT investments.
• Resource management – Provide high-level direction for sourcing and use of IT
resources. Oversee the aggregate funding of IT at the enterprise level. Ensure there is
adequate IT capability and infrastructure to support current and expected future business
requirements. Ensure competent human resource with desired ethical behaviors and norms.
• Performance – Verify strategic compliance, i.e. achievement of strategic IT objectives. Review
the measurement of IT performance and the contribution of IT to the business (i.e. delivery of
promised business value). Ensure that IT service providers are regulated and managed so as
to maintain the expected level of performance in delivery of their services to government.


APPLICATION
This standard applies to:
• Central Government of Kenya
• County Governments
• Constitutional Commissions
• State Corporations
• Government Institutions

3.0 NORMATIVE REFERENCES

The following standards contain provisions which, through reference in this text, constitute
provisions of this standard. All standards are subject to revision and, since any reference to a standard
is deemed to be a reference to the latest edition of that standard, parties to agreements based on
this standard are encouraged to take steps to ensure the use of the most recent editions of the
standards indicated below. Information on currently valid national and international standards can
be obtained from the Kenya Bureau of Standards.

• PRINCE2
• COBIT 5
• ITIL V4
• CISA Review Manual 27th edition
• Government Enterprise Architecture

Managers of projects dealing with software products or software-intensive systems may find
the contents of the PMBOK®6 Guide and ISO 10006:2018 helpful in managing their projects to a
successful conclusion.

4.0 TERMS AND DEFINITIONS


4.1 Enterprise Architecture

Enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of
ICT in an organization. EA involves documenting an organization’s IT assets in a structured manner
to facilitate understanding, management, and planning for IT investments. An EA often involves
both a current state and an optimized future-state representation (e.g., a road map).

4.2 Enterprise IT Governance

EGIT is about the stewardship of IT resources on behalf of all stakeholders (internal and external)
who expect their interests to be met. It covers the management, processes and operational
governance structure of the enterprise ICT.

4.3 Service desk

A Service Desk is a primary IT function within the discipline of IT service management. It is
intended to provide a Single Point of Contact to meet the communication needs of both users and IT
staff.


4.4 ABBREVIATIONS
EA – Enterprise Architecture
WAN – Wide Area Network
LAN – Local Area Network
SLA – Service Level Agreement
MCDA – Ministry, County, and Agency
ICTA – ICT Authority
ROI – Return on Investment
NEMA – National Environment Management Authority
CIO – Chief Information Officer
QOS – Quality of Service
COBIT – Control Objectives for IT
PMBOK – Project Management Book
SWOT – Strength Weakness Opportunity and Threat
CMMI – Capability Maturity Model Integration
COSO – Committee of Sponsoring Organizations
PPP – Public-Private Partnership
GEA – Government Enterprise Architecture
CISO – Chief Information Security Officer
IT – Information Technology


5.0 ENTERPRISE ARCHITECTURE


a) MCDAs shall develop an Enterprise architecture as a conceptual blueprint that defines the
structure and operation of ICT in an organization
b) MCDAs shall be guided by the approved Government Enterprise Architecture when developing their
enterprise Architecture based on appropriate business, application, information, and infrastructure,
security, performance, and project governance architecture to support the entire ecosystem

5.1. Business Architecture

5.1.1 Business plans and objectives

a) MCDAs shall adopt principles of their specific business architecture in line with the Government
Enterprise Architecture.
b) MCDAs shall have clearly defined ICT plans, objectives and metrics that support business
goals
c) MCDAs shall have mechanisms for monitoring the performance of ICT investments.

5.1.2 Business Process

a) MCDAs shall have business processes designed and applied to focus on service to Citizens
provided as a single interface through multiple access platforms
b) MCDAs will seek to optimize business processes and then use performance standards to define
automation requirements

5.2 Application Architecture

a. MCDAs shall ensure the design, implementation and delivery of the application architecture shall
adhere to the application architecture principles as guided by GEA.

5.3 Information/data Architecture

a) MCDAs shall adopt appropriate analytical services for the discovery and interpretation of meaningful
data patterns
b) MCDAs shall implement master data management to define and manage their critical data with
integration and a single point of reference.

5.4 Infrastructure Architecture

a. MCDAs shall ensure the design, implementation, and delivery of the infrastructure architecture
shall adhere to the infrastructure architecture principles as guided by GEA.
The principles are:-
i) Ensuring technology diversity is contained
ii) Technology components are able to interoperate and exchange information

b. The MCDAs shall implement LAN/WAN, internet, computing, enterprise networks, storage, and
data center to support business operations in line with the GEA and Infrastructure Standard

5.5 Security and Compliance


a) MCDAs shall ensure the design, implementation, and delivery of information security shall adhere
to the information security architecture principles as guided in the GEA
b) MCDAs shall establish information security governance structure as guided by appendix 9 b


5.6 Project Management and Governance Architecture

a) MCDAs shall ensure the design, implementation, and delivery of ICT projects shall adhere
to the project management and governance architecture principles as defined in the GEA

5.7 Performance Architecture

5.7.1 Capability Maturity Model Integration (CMMI)

a) MCDAs shall improve business goals or develop process guidance models that provide
a clear definition to promote improved performance.

5.7.2 Balanced Scorecard

b) MCDAs shall have an ICT Balanced Scorecard to measure performance consisting of four
perspectives: IT Value, User, Operational Excellence, and Future Orientation

6.0 ICT GOVERNANCE


6.1 Independent ICT Function

a) MCDAs shall have a defined structure for the ICT function in the organization reporting to
the Accounting Officer or the Chief Executive Officer (CEO).

6.2 ICT Governance Committees

MCDAs shall establish two ICT governance committees:

a) An IT Strategy committee to provide strategic advice on ICT initiatives and investments to
the board as defined in Appendix 9.

b) An IT Steering Committee to define the IT mission and goals aligned with the strategic
direction of the organization; authorize and direct the development of the services and
operation plans as defined in Appendix 9

6.3 ICT Organization

a) MCDAs shall establish an ICT organization structure that adequately responds to the
business goals, mandate, and vision of the organization.

b) The head of the ICT function shall report to the accounting officer and shall hold one of
the following titles:
i. Chief Information Officer (CIO)
ii. Chief Information Technology Officer (CITO)
iii. Chief Technology Officer (CTO)
iv. Director ICT (DICT) or Head of IT (HIT)


6.4 IT strategy

a) IT shall be a strategic objective in the overall strategic plan of the MCDAs.
b) The MCDAs shall prepare and maintain an ICT strategic plan with a clear IT vision and
mission that defines how the MCDAs plan to improve internal services and services to
businesses and citizens.
c) The strategy shall be developed with input from internal and external stakeholders.
d) The strategy shall be informed by a situational analysis of the internal and external
business environment
e) The strategy shall define specific tasks and responsibilities for achieving value delivery
from ICT investment
f) The strategy shall be implemented to achieve ICT optimized investment

6.5 IT Project governance

a) MCDAs shall establish a Project Management Office.
b) Projects shall be based on a clear and compelling concept and business case.
c) A project charter shall be prepared for all projects.
d) A project implementation committee shall be created to report to the IT steering committee and
shall be led by a project manager.
e) MCDAs shall adopt and approve a project’s implementation methodology based on globally
accepted approaches such as PMBOK or Prince 2.
f) MCDAs shall adopt software development methodologies that include waterfall, agile, SDLC and
SCRUM, as guided by the Systems and Applications standard.
g) MCDAs shall carry out their project management as guided in Appendix 11-19.

7.0 IT SERVICE MANAGEMENT


7.1 IT Service Strategy

a) MCDAs shall develop an IT service strategy to create new and improved services.

7.1.2 IT Service management

a) MCDAs shall have a service charter for IT enabled services.
b) The charter shall define the desired outcomes of the services.
c) The charter shall define the assets required to offer the services.
d) MCDAs shall annually evaluate usage of the IT enabled services and customer satisfaction.

7.2 Service level management

a) MCDAs shall develop and sign a service level agreement (SLA) with service providers (internet,
systems support, maintenance, etc.) to ensure the availability and reliability of IT enabled
services.
b) The SLA shall define performance metrics for the service providers.
c) MCDAs shall monitor achievement of service levels and compare them with agreed service
targets in the SLA
d) SLAs shall have penalties for failure to meet agreed service levels


7.2.1 Service desk

a) MCDAs shall establish an IT service desk management system to handle all requests
from end-users
b) The service desk shall have 1st level, 2nd level, and 3rd level support
c) The service desk shall develop and document standard operating procedures for IT services
d) MCDAs shall have a system to track customer complaints, compliments, and resolution

7.2.2 IT Operations Control

a) MCDAs shall designate staff to manage the day to day operational activities in IT e.g. back
up, routine maintenance, print and output management, installations to ensure they are
done in a reliable and timely manner
b) MCDAs should manage fraud using the COSO framework
c) MCDAs should adopt IT service and governance framework such as COBIT for internal
controls and management of IT

7.2.3 Business Relationship Management

a) MCDA shall conduct and document customer satisfaction surveys on IT enabled services
annually for internal and external customers
b) MCDA shall conduct training and awareness programs annually to sensitize internal and
external customers on IT enabled services

7.3 IT Service Design

7.3.1 Availability Management

a) MCDAs shall develop and implement quarterly preventive maintenance plans for IT
equipment
b) MCDAs shall develop and maintain manuals on how to operate and maintain systems and
equipment
c) MCDAs shall develop a disaster recovery plan for all services

7.3.2 IT Infrastructure Capacity Management

a) MCDAs shall annually evaluate the capacity of IT infrastructure to understand the current
environment and plan for future needs. The ICT Authority shall validate such evaluation
b) MCDAs shall establish a framework for IT infrastructure improvement
c) MCDAs shall set realistic targets for IT infrastructure improvement, prioritize gaps and
propose achievable solutions

7.3.3 Information Security Management

a) MCDAs shall establish an information security management framework as guided by the
information security standard

b) The Information Security function shall be separate from the IT department. The head
of the Information Security function may report to the CIO or have a dotted-line (indirect)
reporting relationship to the CIO. The implementation of this requirement shall be guided
by appendix 12 depending on the risk levels of the organization.

7.3.4 Supplier management

a) All ICT suppliers and contractors to Government shall be registered by the ICT Authority in
accordance with the requirements stipulated in Appendix 33

7.4 IT Service transition

7.4.1 IT Service change management

a) MCDAs shall develop a policy to ensure that any changes to IT enabled services are
conducted with minimal disruption to services

7.4.2 Knowledge management

a) MCDAs shall implement an ICT knowledge base which shall contain a database of common
IT service problems and how to solve them

7.5 IT Continuous service improvement

7.5.1 Service and process performance review

a) MCDAs shall conduct annual performance reviews of IT processes and IT enabled services.
The review shall include suggestions for improvement. MCDAs shall seek guidance from
ICT Authority
b) MCDAs shall conduct benchmarking with the aim of identifying shortcomings and developing
plans for improvement
c) MCDAs shall, in collaboration with ICT Authority, conduct regular system audits for all
systems to ensure compliance and conformity to the ICT standards.

8.0 LEGAL AND REGULATORY


8.1 Kenya laws on ICT

a) MCDAs shall identify the specific laws and regulations affecting IT in their organizations and
respond accordingly. The Kenya laws on ICT include:
i. Computer Misuse and Cybercrime Act 2018 - Information Security, Systems and Applications
ii. Access to Information Act 2016 - E-records, Systems, and Applications
iii. Kenya Information and Communications Act 2013 - E-records and Data Management, Systems
and applications
iv. Evidence Act 2014 - E-records and Data Management

v. Legal Notice 183, 2013 (The Information and Communication Technology Authority Order
2013) - IT Governance, Information Security, Systems and Applications, E-records and Data
Management
vi. Public Archives and Documentation Service Act 2012 - E-records and Data Management
vii. Industrial Property Act 2001 and Copyright Act - End User Devices, Systems and
applications, cloud computing, Information Security
viii. Public Officers Ethics Act 2003 - End-user devices, IT Governance, Systems, and
Applications
ix. NEMA guidelines on E-waste - End-User Devices
x. Private-Public Partnership Act 2013 - IT Governance

8.2 Roles and Responsibilities

a) IT functions in MCDAs shall seek legal advice as necessary internally or externally to
better manage contracts
b) MCDAs shall seek technical advice or service from a competent third party as may be
required from the ICT Authority.

9.0 ICT RISK MANAGEMENT

9.1 General

a) ICT risk management will be undertaken as guided in Appendix 21, 22 and 23

9.2 ICT Risk Framework

a) MCDAs shall develop a risk strategy
b) MCDAs shall set acceptable levels of risk.
c) MCDAs shall undertake a regular risk assessment for identification, recording, analysis,
and mitigation.
d) Responsibility for risk mitigation shall be assigned to the relevant function for managing
key risks. Depending on the type of risk and its possible impact, the MCDAs shall adopt any
of the following mitigation measures: Reduce, Transfer, Accept and Mitigate risks.

10.0 SOURCING, RESOURCING, AND FINANCING OF IT FUNCTIONS

10.1 General

a) To support IT Governance, MCDAs shall establish structures to manage IT resources as per
Appendix 11.

10.2 Sourcing of ICT equipment, products, and services

a) MCDAs shall source ICT resources while adhering to the GoK ICT standards, as per the
guidelines in Appendix 10


10.3 Resourcing

a) MCDAs should develop a guideline for the engagement of consultants, contractors and
external service providers. The guidelines should document the decision to acquire
external support. The guidelines should provide a framework for the accounting of the
consultancy, contracting and external service providers.
b) The MCDA should develop a risk assessment and management framework for the
consultants, contractors and external suppliers.
c) MCDAs while resourcing the ICT functions should ensure there is clear segregation of roles in the
assigned functions as per the GoK ICT Human Capacity and Workforce Development standard.
d) MCDAs must use a consistent and evidence-based ICT resources strategic planning
process.
e) MCDAs can use the public-private partnership to resource their ICT functions while guided
by the GoK PPP Legal and regulatory framework that includes Private Public Partnership
Policy, Private Public Partnership Act and Private Public Partnership regulations.
f) All ICT professionals shall be registered as guided in Appendix 34 and the ICT human
capacity standard

10.4 Financing

a) MCDAs shall allocate funds for ICT activities through the annual budget. The ratio of ICT
to the institutional budget shall be at least 5%
b) The budget shall be aligned to the ICT strategy
c) The budget shall be allocated for development and recurrent purposes
d) The development budget shall cover ICT Infrastructure enhancement and improvement
e) The recurrent budget shall cover ICT infrastructure maintenance and servicing
f) Donor funded government ICT initiatives shall be subject to the requirements of government
ICT standards.

10.5 Asset management

a) MCDAs shall maintain and update an inventory of all ICT assets. The inventory system
shall be automated and shall show relationships between these assets
b) MCDAs should ensure that their ICT equipment is physically standard-tagged for
identification and tracking.

10.6 Capacity building

a) The IT establishment shall cover all the relevant IT technical cadres, including basic
support; network, systems and database administration; IT service management; IT project
management; web administrators; information security officers; and other contextual IT roles.
b) MCDAs shall develop and implement an ICT training policy in line with the ICT human resource
development standard.
c) The policy shall define required ICT qualifications for different cadres of staff as per the
ICT human capacity standard. IT education, training, and development needs shall be fully
identified and addressed for all staff regularly.
d) IT staff shall be trained on professional courses, ethics, and code of conduct outlined in
the ICT Human Capacity Development Standard.


10.7 Tools

a) ICT personnel shall be issued the relevant software and hardware tools to manage IT
resources (e.g. for user support, hardware maintenance, IT service and project management,
application development)

10.8 Innovation

a) MCDAs shall establish a resource centre for IT research and innovation
b) The resource centre shall manage knowledge through databases and online resources to
spur innovation

Appendix 1: Compliance Checklist for Enterprise Architecture

Enterprise Architecture YES/NO Comment

- MCDA has developed an Enterprise architecture as a conceptual blueprint that defines the structure and operation of ICT in an organization
- MCDA has been guided by the approved Government Enterprise Architecture when developing their enterprise Architecture based on appropriate business, application, information, and infrastructure, security, performance and project governance architecture to support the entire ecosystem

Business Architecture

Business plans and objectives
- MCDA has adapted principles of their specific business architecture in line with the Government Enterprise Architecture.
- MCDA has clearly defined its ICT plans, objectives and metrics that support business goals
- MCDA has mechanisms for monitoring the performance of ICT investments.

Business Process
- MCDA has business processes designed and applied to focus on service to Citizens provided as a single interface through multiple access platforms
- MCDA will seek to optimize business processes and then use performance standards to define automation requirements

Application Architecture



- MCDA has ensured the design, implementation, and delivery of the application architecture has adhered to the application architecture principles as guided by GEA.

Information Architecture
- MCDA has adopted appropriate analytical services for discovery and interpretation of meaningful data patterns
- MCDA has implemented master data management to define and manage their critical data with integration and a single point of reference.

Infrastructure Architecture
- MCDA has ensured the design, implementation, and delivery of the infrastructure architecture has adhered to the infrastructure architecture principles as guided by GEA.
- MCDA has implemented LAN/WAN, internet, computing, enterprise networks, storage, and data center to support business operations in line with the GEA and Infrastructure Standard

Security and Compliance
- MCDA has ensured the design, implementation, and delivery of information security has adhered to the information security architecture principles as guided in the GEA
- MCDA has established an information security governance structure as guided by Appendix 9 b

Project Management and Governance Architecture
- MCDA has ensured the design, implementation, and delivery of ICT projects has adhered to the project management and governance architecture principles as defined in the GEA

Performance Architecture

Capability Maturity Model Integration (CMMI)
- MCDAs have improved business goals or developed process guidance models that provide a clear definition to promote improved performance.

Balanced Scorecard



- MCDA has an ICT Balanced Scorecard to measure performance consisting of four perspectives: IT Value, User, Operational Excellence, and Future Orientation

Appendix 2: Compliance Checklist for ICT Governance

Checklist for ICT Governance YES/NO Comment

Independent ICT Function
- MCDA has a defined structure for the ICT function in the organization reporting to the Accounting Officer or the Chief Executive Officer (CEO).

ICT Governance Committees
- MCDA has established two ICT governance committees:
  i) An IT Strategy committee to provide strategic advice on ICT initiatives and investments to the board as defined in Appendix 9.
  ii) An IT Steering Committee to define the IT mission and goals aligned with the strategic direction of the organization; authorize and direct the development of the services and operation plans as defined in Appendix 9

ICT Organization
- MCDA has established an ICT organization structure that adequately responds to the business goals, mandate, and vision of the organization.
- The head of the ICT function reports to the accounting officer and shall hold one of the following titles:
  i. Chief Information Officer (CIO)
  ii. Chief Information Technology Officer (CITO)
  iii. Chief Technology Officer (CTO)
  iv. Director ICT (DICT) or Head of IT (HIT)

IT strategy
- IT is a strategic objective in the overall strategic plan of the MCDA.


- MCDA has prepared and maintained an ICT strategic plan with a clear IT vision and mission that defines how the MCDA plans to improve internal services and services to businesses and citizens.
- The strategy has been developed with input from internal and external stakeholders.
- The strategy has been informed by a situational analysis of the internal and external business environment
- The strategy has defined specific tasks and responsibilities for achieving value delivery from ICT investment
- The strategy has been implemented to achieve ICT optimized investment

IT Project governance
- MCDA has established a Project Management Office.
- Projects are based on a clear and compelling concept and business case.
- A project charter has been prepared for all projects.
- A project implementation committee has been created to report to the IT steering committee and is led by a project manager.
- MCDA has adopted and approved a project implementation methodology based on a globally accepted approach such as PMBOK or Prince 2.
- MCDA has adopted software development methodologies that include waterfall, agile, SDLC and SCRUM, as guided by the Systems and Applications standard
- MCDA has carried out their project management as guided in Appendix 11-19.


Appendix 3: Compliance Checklist for IT Legal and regulatory

Legal and Regulatory YES/NO Comment

Kenya laws on ICT
- MCDA has identified the specific laws and regulations affecting IT in their organizations and responded accordingly. The Kenya laws on ICT include:
- Computer Misuse and Cybercrime Act 2018 - Information Security, Systems and Applications
- Access to Information Act 2016 - E-records, Systems, and Applications
- Kenya Information and Communications Act 2013 - E-Records and Data Management, Systems and applications
- Evidence Act 2014 - E-records and Data Management


- Legal Notice 183, 2013 (The Information and Communication Technology Authority Order 2013) - IT Governance, Information Security, Systems and Applications, E-records and Data Management
- Public Archives and Documentation Service Act 2012 - E-records and Data Management
- Industrial Property Act 2001 and Copyright Act - End User Devices, Systems and applications, cloud computing, Information Security
- Public Officers Ethics Act 2003 - End-user devices, IT Governance, Systems, and Applications
- NEMA guidelines on E-waste - End-User Devices
- Private Public Partnership Act 2013 – IT Governance

Roles and responsibilities
- IT functions in MCDA has sought legal advice as necessary internally or externally to better manage contracts


- MCDA has sought technical advice or service from a competent third party as may be required from the ICT Authority.

Appendix 4: Compliance Checklist for IT Service Management

Service Management YES/NO Comment

IT Service Strategy
- MCDA has developed an IT service strategy to create new and improved services.

IT Service management
- MCDA has a service charter for IT enabled services.
- The charter defines the desired outcomes of the services.
- The charter defines the assets required to offer the services.
- MCDA annually evaluates usage of the IT enabled services and customer satisfaction.

Service level management
- MCDA has developed and signed service level agreement(s) (SLA) with service providers (internet, systems support, maintenance, etc.) to ensure the availability and reliability of IT enabled services.



- The SLA shall define performance metrics for the service providers.
- MCDA monitors achievement of service levels and compares them with agreed service targets in the SLA
- SLAs have penalties for failure to meet agreed service levels

Service desk
- MCDA has established an IT service desk management system to handle all requests from end-users
- The service desk has 1st level, 2nd level, and 3rd level support
- The service desk has developed and documented standard operating procedures for IT services
- MCDA has a system to track customer complaints, compliments, and resolution

IT Operations Control
- MCDA has designated staff to manage the day to day operational activities in IT e.g. back up, routine maintenance, print and output management, installations to ensure they are done in a reliable and timely manner



- MCDA has managed fraud using the COSO framework
- MCDA has adopted an IT service and governance framework such as COBIT for internal controls and management of IT

Business Relationship Management
- MCDA has conducted and documented customer satisfaction surveys on IT enabled services annually for internal and external customers
- MCDA conducts training and awareness programs annually to sensitize internal and external customers on IT enabled services

IT Service Design

Availability Management
- MCDA has developed and implemented quarterly preventive maintenance plans for IT equipment
- MCDA has developed and maintained manuals on how to operate and maintain systems and equipment
- MCDA has developed a disaster recovery plan for all services

IT Infrastructure Capacity Management



- MCDA annually evaluates the capacity of IT infrastructure to understand the current environment and plan for future needs. The ICT Authority has validated such evaluation
- MCDA has established a framework for IT infrastructure improvement
- MCDA has set realistic targets for IT infrastructure improvement, prioritized gaps and proposed achievable solutions

Information Security Management
- MCDA has established an information security management framework as guided by the information security standard
- The Information Security function is separate from the IT department. The head of the Information Security function may report to the CIO or have a dotted-line (indirect reporting) relationship to the CIO. The implementation of this requirement shall be guided by Appendix 12 depending on the risk levels of the organization.



Supplier management
- All ICT suppliers and contractors to Government have been registered by ICT Authority in accordance with the requirements stipulated in Appendix 33

IT Service transition

IT Service change management
- MCDA has developed a policy to ensure that any changes to IT enabled services are conducted with minimal disruption to services

Knowledge management
- MCDA has implemented an ICT knowledge base which contains a database of common IT service problems and how to solve them

IT Continuous service improvement

Service and process performance review
- MCDA conducts annual performance reviews of IT processes and IT enabled services. The review includes suggestions for improvement.
- MCDA has sought from the ICT Authority



- MCDA has conducted benchmarking with the aim of identifying shortcomings and developing plans for improvement
- MCDA has, in collaboration with the ICT Authority, conducted regular system audits for all systems to ensure compliance and conformity to the ICT standards.

Appendix 5: Compliance Checklist for ICT and Risk Management

ICT Risk management S/No YES/NO Comment

General
- MCDA has undertaken ICT risk management as guided in Appendix 20, 21 and 22

ICT Risk framework
- MCDA has developed a risk strategy
- MCDA has set acceptable levels of risk.
- MCDA has undertaken a regular risk assessment for identification, recording, analysis and mitigation.

- Responsibility for risk mitigation has been assigned to the relevant function for managing key risks depending on the type of risk and its possible impact, MCDA has adopted any of the following mitigation measures: Reduce, Transfer, Accept and Mitigate risks.


Appendix 6: IT Project Management

1.1 Project Governance

a) MCDAs shall ensure that governance of all ICT projects comply with the governance
structures as per Appendix 7 and Appendix 30

1 Project initiation

a) The project shall have an objective and documented business case/ project
proposal
b) The proposal shall define the expected benefits/outputs and outcomes
c) The project shall have appropriate approval

1.2 Project planning

a) The project shall have a project management plan with activity schedules
b) The project shall have risk management and communication plan
c) The project shall have an implementation, testing and training strategy
d) The Project shall have a stakeholder management plan

1.3 Analysis and design

a) The project shall have user requirements
b) The project shall have user systems and technical specifications
c) The project shall have a system acceptance test plan

1.4 Project Building and testing

a) There shall be a development and test environment
b) There shall be operational and training procedures
c) There shall be detailed test plans

1.5 Project Implementation

a) There shall be a system installation and migration plan
b) There shall be a data conversion plan
c) There shall be a training and contingency plan

1.6 Project Completion

a) There shall be a post-implementation review report
b) There shall be a documented system support group
c) There shall be project closure sign off


Appendix 7: Performance management

1.1 IT service management

a) Overall financial performance (costs v. budgets)
b) Performance with respect to reliability and availability of critical services
c) Complaints (QOS) and customer perception
d) Number of significant reactive fixes to errors
e) SLA performance by third parties
f) Relationships with suppliers (quality & value)
g) Capability e.g. process maturity
h) Internal and external benchmarks
i) Business continuity status

1.2 Project management

a) Major project delivery performance (objectives, time and budget)
b) ROI for IT investments (business benefit)

1.3 Risk management

a) Status of critical risks
b) Audit weaknesses
c) Human Resource measures for people involved in IT activities

Appendix 8: Risk management

Subject Requirement

Define a framework
- MCDA has ensured the following staff are trained in risk management in their specific areas (e.g. CobiT, ISO17799, ITIL, ISO9000, PMBOK and Prince2):
  • IT Auditors
  • IT Project Managers
  • IT Risk Managers
  • Business Analysts
  • Infrastructure Management
  • Procurement/Contract Management
  • IS Strategy – alignment with the business
  • Quality Management
  • Business Relationship Management
  • Programme Managers
- MCDAs shall conduct benchmarking to compare how risk management is being addressed within the organization in relation to best practice, industry peer groups and other organizations.

Identify risks
- MCDA has ensured that new risks are identified in a timely manner?
- The following risks are identified:
  • Business-specific risk (e.g. Operational risk of mandate not being delivered)
  • Generic common IT risk (e.g. IT availability risk)
  • Specific IT risk (e.g. Denial of service attack on Internet customer request system)

Identify probable risk owners
- Auditors provide initial momentum by highlighting to senior management inadequate risk management practices of specific risks that are not being adequately addressed?
- Responsibility is allocated at a senior level for managing key risks?
- Every risk has an owner?
- MCDA has adopted a mechanism for reporting issues – ultimately to the individual who has to retain overall responsibility?

Evaluate the risks
- MCDA has set acceptable levels of risk
- MCDA has developed a risk register.
- The risk register has a prioritized list of risks which must be subsequently addressed

Identify suitable response to risk
- MCDA has implemented suitable response to risks


Appendix 9: IT GOVERNING COMMITTEES

a) Committees

Responsibility

IT Strategy Committee
- Provides insight and advice to the board on topics such as:
- The relevance of the development in IT from a business perspective
- The alignment of IT with the business direction
- The achievement of strategic IT objectives
- The availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
- Optimization of IT costs, including the role of and value delivery of external IT sourcing
- Risk, return and competitive aspects of IT investments
- The contribution of IT to the business.
- Exposure to IT Risks, including compliance risks
- Direction to management relative to IT strategy
- Drivers and catalysts for the board's IT

IT Steering Committee
- Decides the overall level of IT spending and how costs will be allocated
- Aligns and approves the enterprise’s IT architecture
- Approves project plans and budgets, setting priorities and milestones
- Acquires and assigns appropriate resources
- Ensures that projects continuously meet business requirements including a reevaluation of the business case
- Monitors project plans for delivery of expected value and desired outcomes, on time and within budget
- Monitors resource and priority conflict between enterprise divisions and the IT functions as well as between projects.
- Makes recommendations and requests for changes to strategic plans (Priorities, funding, technology approaches and resources)
- Communicates strategic goals to project teams
- Is a major contributor to management’s IT governance responsibilities and practices

Authority

IT Strategy Committee
- Advises the board and management on IT strategy
- Is delegated by the board to provide input to the strategy and prepare its approval
- Focuses on the current and future strategic IT issues

IT Steering Committee
- Assists the executive in the delivery of the IT strategy
- Oversees the day to day management of the IT service delivery and IT projects
- Focuses on implementation



Membership

IT Strategy Committee
- Board members and specialist non-board members

IT Steering Committee
- Sponsoring executive
- Business executive
- Chief information officer
- Key advisors as required (IT, audit, legal, finance)

b) Sub-Committees

Information Security Sub-Committee

Responsibilities:
• Facilitates achieving consensus on priorities and trade-offs.
• Serves as an effective communications channel and provides an ongoing basis for ensuring the alignment of the security program with business objectives.
• The committee will deliberate on the suitability of recommended controls and good practices in the context of the organization, including the secure configuration of operating systems (OSs) and databases.

Membership:
• C-level executive management and senior managers from IT,
• Application owners,
• Business process owners,
• Operations,
• HR, audit and
• Legal

Project steering committee

Responsibilities:
– Reviews project progress regularly (e.g., semimonthly or monthly) and holds emergency meetings when required.
– Serves as coordinator and advisor. Members of the committee should be available to answer questions and make user-related decisions about system and program design.
– Takes corrective action if necessary due to project progress and issues escalated to the committee.

Membership:
• A senior representative from each business area
• The project manager
• The project sponsor who assumes the overall ownership and accountability of the project and chairs the steering committee

Appendix 10: Guidelines for Sourcing



a) MCDAs should evaluate their ICT function and determine the most appropriate method of
delivering the ICT function based on the following:

1. Is this a core function of the organization?
2. Does this function have specific knowledge, processes, and staff critical to meeting its
goals and objectives and that cannot be replicated externally or in another location?
3. Can this function be performed by another party or in another location for the same or
lower price, with the same or higher quality and without increasing risk?
4. Does the organization have experience managing third parties or using remote/offshore
locations to execute IS or business functions?
5. Are there any contractual or regulatory restrictions preventing offshore locations or use
of foreign materials?

b) On completion of the sourcing strategy, the IT steering committee should review and
approve the strategy. At this point, if the committee has chosen to use outsourcing, a
rigorous process should be followed, including the following steps:

1. Define the IT function to be outsourced
2. Describe the service levels required and minimum metrics to be met
3. Know the desired level of knowledge, skills, and quality of the expected service provider
4. Know the current in-house cost information to compare with third party bids
5. Conduct due diligence reviews of potential service providers
6. Confirm any considerations to meeting contractual or regulatory requirements.


Appendix 11: GoK Project Management Governance Structure


Appendix 12: ICT Organization Structures

i. Large MCDAs

ii. Medium MCDAs


iii. Small MCDAs


Appendix 13: Project governance roles

Project Role Accountabilities, responsibilities and tasks

Corporate Client
- Has ultimate authority in large, complex
or politically driven projects.
- Is the champion of the project, promotes
the benefits of the project to the
community and may be viewed as the
‘public face’ of the project. For example,
the Corporate Client may be the Premier,
Minister of the State or Head of Agency.
- May also be the Project Funder.

In a small, less complex project, there
would be no Corporate Client, but the
Project Sponsor would act as the
champion of the project, and fulfil the role
of the Project Champion.



Project Sponsor
- Ultimately accountable and responsible for
the project, and is sometimes referred to as the
Project Owner.
- Responsible for the attainment of the agreed
Project Target Outcomes. The Target Outcomes
should be secured before the project is closed
formally.
- Member of the Steering Committee, and
is usually the Committee Chair. For projects
where there is no Steering Committee, the
Sponsor assumes responsibility for approving
the project scope and all subsequent decision-
making.
- Oversight of the business management and
project management issues that arise outside
the formal business of the Steering Committee.
- Provides support by advocacy at senior levels,
and ensures that the necessary resources
(both financial and human) are available to the
project.
- May also be the Business Owner for the
project and can also be the Funder, but it varies
within government, depending on the budgetary
arrangements and decisions about who will be
managing the Outputs after the project closes.
In the case of large whole-of-government
projects, the project funds may be managed by
one Agency on behalf of the government, but
there may be several Business Owners.

The Corporate Client and Project Sponsor may
be the same person for some projects.
The Project Sponsor must be identified for all
projects, no matter what the size or complexity.
Accountable to: Corporate Client (where
applicable)



Steering Committee
- Responsible and accountable for policy and
resourcing decisions essential to the delivery
of project Output and the attainment of
project’s Target Outcomes.
- Accountable to the Corporate Client and/or
Sponsor for providing the Project Manager and
Team with effective management and
guidance in the development of the project
Outputs and implementation of required
organisational change, in order to attain the
project’s Outcomes.
- Responsible for ensuring appropriate
management of the project components
outlined in the endorsed Project Business
Plan, which usually includes approving the
initial Project Proposal or Business Case and
then the Project Business Plan.
- Responsible for assessing, approving or
rejecting changes to the scope as documented
in the Project Business Plan as the project
progresses.
- Responsible for monitoring progress (not just
activity) and scrutinising the project’s budget.
- Ultimately accountable for ensuring
appropriate risk management processes
are applied, which may include responsibility
for undertaking specific risk management
activities.
- Must also consider how (or if) the project’s
objective(s), Outcomes, Target Outcomes, and
longer-term business benefits align with the
organisational strategic agenda and direction,
and make the hard decisions to re-scope
or terminate the project if there is little or no
alignment.
- Should develop an agreed Terms of Reference
for how the Steering Committee will operate.


Business Owner(s)
- Responsible for managing the project Outputs
for utilisation by Project Customers.
- Responsible for ongoing maintenance
(including costs) of the project Outputs after
the project closes.
- Accountable to the Project Sponsor and/or
Corporate Client (or their delegate(s))
following formal project closure for the
achievement of and reporting against the
project’s Target Outcomes and realisation of
the longer-term business benefits.
- Must be satisfied that the project’s Outcomes
(including Target Outcomes) and longer term
business benefits are meaningful in the
context of the Business Unit’s operational
environment and forward strategic agenda.
- Contracted by the Project Sponsor and/or
Steering Committee to implement the
change management described in the
Outcome Realisation Plan, and thereby
achieve the project’s Outcomes, Target
Outcomes and realise the business benefits.
- May be required to contribute resources to
the project to ensure the change management
described in the Outcome Realisation Plan is
implemented effectively.
- ‘Owns’ the Project Outcome Realisation Plan,
although the Project Manager may assist in
its development.
- Must be satisfied that the project scope
includes all of the Outputs necessary for the
realisation of the project’s Target Outcomes
and agreed business benefits.
- May be required to contribute resources
to the project to ensure that the Outputs are
developed satisfactorily and ‘fit for purpose’.

- Responsible after project closure for ongoing
ownership and maintenance of the project
Outputs, which may require revised budget
forecasts to accommodate maintenance costs
and staffing implications.


- Responsible after project closure for
ensuring the project’s Target Outcomes and
agreed longer-term business benefits are
used to revise the Business Unit’s relevant
performance measures. Agency or Divisional
Corporate or Annual Business Plans should
be updated appropriately. Reporting lines
and requirements may also need to be
updated post-project.

Project Customers
The person or entities that will utilise the
project Outputs to undertake their own activity,
and therefore unconsciously generate the
project Outcomes and business benefits as a
by-product of this utilisation. For example, the
Tasmanian public, who transacts business with
Service Tasmania, would have been classed as
Project Customers when the entity was set up.
Project Customers are sometimes described as
Beneficiaries


Project Observer
- May be a role in a large, complex or politically
driven project, possibly involving whole-of-government
or more than one Agency where
potential learnings through observation of
project processes are possible.
- Usually present at Steering Committee
meetings or Project Team meetings to act
as an information channel to the Agency/
organisation they are representing.
- The Observer’s Agency may not necessarily be
represented on the Steering Committee if
they are not Business Owners.
- Cannot participate in decision-making while
attending meetings.
- May raise issues for discussion on the
understanding that those issues may or
may not be addressed or resolved as part of
the meetings. The issues may be considered
outside of the formal meeting structure.
- Accountable to the Agency they are
representing. If issues arise that may have
implications for the Agency/organisation, they
have a responsibility to report these issues
back to their Agency/organisation. The
Agency/organisation may then wish to raise
these issues formally with the Project
Sponsor.

Please note: The Project Sponsor and/or
Steering Committee Chair should agree to the
role of the Project Observer before that role is
implemented.

Quality Consultants
- Work independently of the Project Team.
- Often contracted from outside the Agency/
organisation.
- May be contracted to undertake formal Quality
Review of the project as a whole in terms of
structure, processes, and progress toward
Outputs.
- May be contracted to undertake formal Quality
Review of the quality of products or services
(Outputs) being produced within a project in a
technical field (eg law, IT, construction).

(Refer to Appendix 4 A Charter for Project
Management Quality Advisory Consultants and
Appendix 5 A Charter for Project Management
Quality Review Consultants.)
Accountable to: Project Sponsor and/or
Steering Committee


Project Director
- Usually created to manage a large, complex
or politically sensitive project or program
of projects in partnership with one or several
Project Manager(s).
- Responsible for the implementation of the
Project/Program Business Plan following its
approval by the Steering Committee.
- Directs and monitors project/program activity
through quality management, detailed plans
and schedules, and reports progress to the
Steering Committee.
- Provides expert and authoritative advice to
various Ministers, Heads of Agency and
senior representatives of the public
and private sectors and key community
stakeholders on a wide range of sensitive
issues associated with the project/program.
- Provides highest-level leadership by
articulating the project/program vision,
and negotiating and defining objectives
and developing and nurturing highest-level
relationships with stakeholders and end
users, to facilitate the effective delivery of a
major government initiative.


Accountable to: Project Sponsor and/or
Steering Committee

Project Manager
- Contracted by the Project Sponsor and/or
Steering Committee to deliver the defined
project Outputs as articulated in the approved
Project Business Plan.
- Works in partnership with and reports to
the Project Director to implement the Project
Business Plan.
- Responsible for engaging the Project
Sponsor, Business Owner(s) and/or Steering
Committee in order to clarify the project
Objectives, Outcomes, Target Outcomes,
required Outputs and stakeholders within
agreed time, cost and quality parameters.
- Develops and maintains the Project
Business Plan, Project Work/Execution and
Implementation Plan(s) and related
schedules.
- Responsible for organising the project into
one or more sub-projects, managing the
day-to-day aspects of the project, resolving
planning and implementation issues, and
monitoring progress and budget.
- Reports to the Project Sponsor and/or
Steering Committee at regular intervals.
- Manages (client/provider/stakeholder)
expectations through formal specification
and agreement of the project objective(s),
Outcomes, Target Outcomes, Outputs,
quality requirements, resources required,
budget, schedule, project structure, roles,
and responsibilities described in the Outcome
Realisation Plan.


The Project Manager must be identified for all
projects, no matter what the size or complexity.
Accountable to: Project Director (where
applicable), Project Sponsor and/or Steering
Committee

Project Team
- Led by the Project Manager or Project Team
Leader.
- Responsible for completing tasks and
activities required for delivery of the project
Outputs, as outlined in the Project Business
Plan and elaborated in the Project Execution
and/or Implementation Plan(s).
- Usually includes representatives from the
Business Unit(s) impacted by the project.
- Must include the requisite skills for each
phase of a project to ensure success. The
skills should be explicitly identified as a part
of the project planning process.

The composition of the Team may change as
the project moves through its various phases.
Accountable to: Project Manager and/or Project
Team Leader.

Project Team Leader
- Usually appointed in large and/or complex
projects to work under the direction of the
Project Manager.
- May be a representative of a Business Unit
impacted by the project.
- Responsible for completing the required
tasks and activities as defined in the Project
Execution and/or Implementation Plan(s) for
delivering the project Output(s).

Accountable to: Project Manager


Project Officer
- Responsible for completing tasks and
activities required for delivering project
Output, as determined by the Project
Manager or Project Team Leader.
- Most common responsibilities are related
to project coordination (eg administration,
including development and/or
maintenance of project documentation,
assisting with status reporting and
follow-up), stakeholder liaison
(eg secretarial support to the project
reference group or project
communications) and general
administrative support activities (eg
scheduling and meeting preparations).
- May also be directly involved in the
development and quality assurance of
specific Outputs.

Accountable to: Project Manager or Project
Team Leader

Reference Groups
- Provide forums to achieve consensus among
groups of stakeholders.
- Do not do the work of Output production, but
may ratify/endorse Output quality on behalf of
the stakeholders they represent.
- The group may already exist, have an
indefinite life span or may continue for the life
of the project.
- May be a general reference group delegated
by the Steering Committee to monitor or
modify the Project Business Plan for approval
by the Steering Committee.
- May consist of a collection of people with like
skills to address a particular set of issues.
- May report to the Steering Committee or
Project Manager, depending on who has
appointed them and what they are requested
to achieve.


- Members provide an excellent channel to
assist the project to communicate information to
and from their stakeholder group(s) who may
be impacted by, or impact on, the project.

Accountable to: Project Sponsor and/or
Steering Committee via the Project Manager or
Project Director (where applicable)

Advisory Groups
- Forums of stakeholders, usually experts, to
provide specific advice or technical expertise
to the project.
- Do not do the work of Output production, but
may advise the Project Manager on Output
quality (‘fitness-for-purpose’) on behalf of the
stakeholders they represent.
- Members provide an excellent channel to
assist the project to communicate information to
and from their stakeholder group(s) who may
be impacted by, or impact on, the project.
- Able to advise the project of any emerging
issues from a stakeholder perspective.
- Members may also be willing to play an
ongoing role in Output maintenance after
the project has closed, to ensure the Outputs
remain relevant and retain their practical
utility.
- May report to the Steering Committee or
Project Manager, depending on who has
appointed them and what they are requested
to achieve.
- The group may already exist, have an
indefinite life span or may continue for the
life of the project. An information technology
advisory group is an example.


Accountable to: Project Sponsor and/or
Steering Committee via the Project Manager or
Project Director (where applicable)

Working Groups
- Small specialist work groups, each dedicated
to producing a well-defined Output within a
specific timeframe, appointed by the Project
Manager.
- Report directly to the Project Manager. May
also report to the Reference/Advisory Group
on Output development progress.
- Membership may be drawn from Reference
or Advisory Groups, or the Business Unit(s)
where Output implementation will occur.
- May have no life beyond the delivery of that
Output.
- Probably involve one or more members of a
Project Team to support activity.
- Members provide an excellent channel to
assist the project to communicate information
to and from their stakeholder group(s) who
may be impacted by, or impact on, the
project.
- Members may also be willing to play an
ongoing role in Output maintenance after
the project has closed, to ensure the Outputs
remain relevant and retain their practical
utility.

Accountable to: Project Manager or Project
Director (where applicable)

Consultants
- Are employed from outside the organisation
to provide independent, high-level specialist
expertise or professional advice unavailable
from internal resources, to assist project
decision-making.
- Typically Project Consultants may include:
• Information technology specialists who
define and manage the technological
aspects of the project
• Representatives employed by stakeholders
to ensure their interests are represented
and managed
• Legal advisers who assist in the
development and review of the contractual
documentation
• Auditors who ensure compliance with
internal and external audit requirements

May report directly to the Chair of the Steering
Committee (or perhaps the Chair of a general
Reference Group).
Please note: The Head of Agency or Deputy
Secretary (or equivalent) must approve
any decision to engage a consultant prior
to the Agency undertaking the appropriate
procurement process.

Accountable to: Project Sponsor and/or
Steering Committee via the Project Manager or
Project Director (where applicable)

Contractors
Are employed, external to the business area,
to provide a specified service in relation to the
development of project Outputs. Examples
include developing guides and/or manuals or
business application software, developing and
delivering marketing programs, and preparing and
delivering training to staff in the business area.
May be engaged to undertake work as part of
the Project Team.


Appendix 14: Project management documentation

PHASE: INITIATE
Key documents: Project Proposal; Feasibility Study Report; Project Business Case
Other documents: Business Needs Analysis; Project Brief

PHASE: MANAGE
Key documents: Project Business Plan; Project Execution Plan; Project Review and Evaluation Report; Project Phase Review Report
Other documents: Risk Management Plan; Stakeholder Engagement Plan; Organizational Change Management (or Transition) Plan; Implementation Plan; Project Communication Strategy and Action Plan; Marketing Strategy; Training Strategy
Proformas: Project Status Report; Project Risk Register; Project Issues Register

PHASE: FINALISE
Key documents: Outcome Realization Plan; Project Closure Report; Project Review and Closure Report
Other documents: Handover Plan; Project Output Management Plan


Appendix 15: Project management stages and activities

Stages: INITIATE, SET UP, MANAGE, FINALISE

Key Elements:
1. Planning and scoping
2. Governance
3. Outcome Realization
4. Stakeholder engagement
5. Risk management
6. Issues management
7. Resource management
8. Quality management
9. Status reporting
10. Project review and evaluation
11. Project closure


Appendix 16: Project documentation development


Appendix 17: A generic project governance model for larger, more complex projects


Appendix 18: Sample Outcome Realization data for the Project Business Plan

Target Outcome: The measurable benefits that are sought from undertaking a project (i.e what we want to achieve)
Performance Indicator: A description of the type of change that will indicate performance towards the achievement of the Target Outcomes
Measure: The actual mechanism for measuring the level of the performance indicator
Baseline: The current level of the performance indicator as at [date]
Target Level: The targeted level of performance (i.e how success is defined)
Target Date: The date by when the target levels are to be
Accountability: Who is accountable for the achievement of the targeted outcomes and reports on the progress towards the target?


Appendix 19: Stakeholder engagement process


Appendix 20: Stakeholder engagement process


[NB appendix 19 expounds on appendix 18]

Verbal
• Presentations/briefing sessions (one-to-one, one-to-many)
• Telephone (one-to-one)/Teleconferences (one-to-many)
• Forums
• Networking facilitation
• Staff meetings
• Seminars/workshops
• Community meetings
• Launches
• Specific events
• Social gatherings
• Visitation programs
• Radio/television

Electronic
• Personal email to identified stakeholders (one to one, one to many)
• Broadcast email (one to many)
• Internet/intranet including online forums, fact sheets, newsletter, SharePoint – web sharing of ongoing project planning with internal and/or external stakeholders
• SMS messaging
• Weblog
• Facebook, Myspace, YouTube
• Twitter
• RSS Feed
• CD-ROM/DVDs
• Fax stream, faxback

Written
• Mailouts of important documentation (letter, memorandum, factsheet, FAQs)
• Newsletter
• Advertising – newspaper, magazine, web
• Pamphlets and brochures (consider shelf life issues)
• Information in agency newsletters etc
• Media release
• Ministerial
• Request for Tender (RFT)
• Contract
• Project planning documentation

Visual
• Display – workplace, conference
• Transport advertising
• ‘Roadshow’
• ‘Parody’ presentation – play, puppet show
• 3D presentation


Appendix 21: Elements of the risk management process


Appendix 22: Risk matrix for grading risks

Seriousness levels:
Low (Insignificant adverse impact, note only)
Medium (Reasonable adverse impact, needs monitoring)
High (Will have significant adverse impact)
Extreme

Likelihood levels:
Low (Unlikely to occur during project)
Medium (May occur at some stage in project)
High (Probably will occur during project)

Likelihood \ Seriousness    Low    Medium    High    Extreme
Low                         N      D         C       Extreme
Medium                      D      C         B       Extreme
High                        C      B         A       Extreme

Appendix 23: Recommended actions for grades of risk

Grade: A & Extreme
Risk Mitigation Actions: Mitigation actions to reduce the likelihood and seriousness to be identified, costed and prioritized for implementation before the project commences or immediately as they arise during project execution.
Who: Project Steering Committee and/or Project Sponsor

Grade: B
Risk Mitigation Actions: Mitigation actions to reduce the likelihood and seriousness to be identified, costed and prioritized. Appropriate actions implemented during project execution.
Who: Project Steering Committee and/or Project Manager

Grade: C
Risk Mitigation Actions: Mitigation actions to reduce the likelihood and seriousness to be identified and costed for possible action if funds permit.
Who: Project Manager

Grade: D & N
Risk Mitigation Actions: To be noted; no action is needed unless grading increases over time.
Who: Project Manager

Appendix 24: Issue management flowchart


Appendix 25: Sample Project Issues Register

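Columns: Issue Number; Description; Raised By; Date; Priority; Responsible Officer; Actions & Progress Notes; Status; Date Resolved

Issue Number: 1.1
Description: Lack of agency
Raised By: Working Group
Date: 1/09/22
Priority: High
Responsible Officer: Jane
Actions & Progress Notes: Letter of invitation from Project Sponsor (i.e Director) to agencies which are not
Status: Open

Issue Number: 2.1
Description: Lack of registrants for next forum
Raised By: Project Manager
Date: 1/11/22
Priority: High
Responsible Officer: Senior Project Officer
Actions & Progress Notes: Send out
Status: Open

Issue Number: 1.3
Description: How to show links between PM
Raised By: Project Team member
Date: 10/09/22
Priority: Medium
Responsible Officer: Senior Project Officer
Actions & Progress Notes: Matrix to be
Status: Closed
Date Resolved: 30/11/22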


Appendix 26: Project closure


Appendix 27: Sample Service Management structure (ITIL) for Small organizations

Head of IT

Service Management
Service Desk
• Incident Mgmt
• Problem Mgmt
• Service Requests
• Change Co-ordination
• SLA Reporting
• Vendor Mgmt

Business Teams
Infrastructure; Systems; Application Support
• 2nd/3rd Level Support
• Problem Resolution
• Design & Planning
• Maintenance
• Projects
• Change ‘Building’

Programme Management
Business Analysis
• Business Analysis
• Project Management
• Change Management
• Commercial Mgmt
• Account Management
• Contracts/Procurement


Appendix 28: Sample Service Management structure (ITIL) for large organizations


Appendix 29: Service desk 1st level, 2nd level and 3rd level support definitions

GENERAL DEFINITIONS
First Level Support
• Dedicated and managed Support area/telephone access
• Routine call and incident taking, logging and classification
• Initial fast resolutions to Routine Incidents – e.g. password resets
• Short term support to keep lines open and provide access to IT
• Calls within target guidelines before escalation – e.g. 5 - 10 minutes
• Generally at least 40% - 50% of calls resolved

Second Level Support
• Dedicated and managed Support area
• Longer resolution Incidents – e.g. more than 5-10 minutes
• Incidents that require greater technical knowledge or system access
• Fast Response and Target resolution times – support is highest priority
• Task to build Knowledgebase to ensure future response in Incident Management/1st
Level
• Involvement in the technical analysis and resolution of underlying Problems
• Generally 40% - 50% of calls resolved

Third Level Support
• Long Term Problem resolution
• Incidents/Problems that require high level of technical knowledge or system access
• Task to build Knowledgebase to ensure future response in Incident Management/1st
or 2nd Level
• Generally less than 10% of calls handled


APPENDIX 30: SAMPLE ICT STRATEGY FORMAT

ICT STRATEGY FORMAT & TEMPLATE

STRATEGIC PLAN FORMAT and TEMPLATE

Strategy Development Process


Note: All Strategic plan proposals should be accompanied by a ‘Table of Contents’ and should be in the
order depicted below.

Executive Summary

Give brief outline of the (Org/Dept).

Environmental Analysis

Internal Environment
[Internal Assessment: Organizational assets, resources, people, culture, systems, partnerships,
suppliers, etc]

External Environment
[External Assessment: Marketplace, competitors, social trends, technology, regulatory
environment, economic cycles, etc]


Tools for comparison analysis

[It involves specifying the objective of the institution or project and identifying the internal and
external factors that are favorable and unfavorable to achieving that objective.]

Examples:
SWOT Analysis; Six Forces Model; VRIO; PEST analysis; Porter’s Four Corners Model

Benchmarking

[Benchmarking is the process of comparing one’s business processes and performance metrics
to industry bests and/or best practices from other industries. Dimensions typically measured are quality, time,
and cost. Improvements from learning mean doing things better, faster, and cheaper.
Benchmarking involves management identifying the best institutions in their industry, or any
other industry where similar processes exist, and comparing the results and processes of those
studied (the “targets”) to one’s own results and processes to learn how well the targets perform
and, more importantly, how they do it.]

Best practices

[A best practice is a technique, method, process, activity, incentive, or reward that is believed to be
more effective at delivering a particular outcome than any other technique, method, process, etc.
when applied to a particular condition or circumstance. The idea is that with proper processes,
checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen
complications. Best practices can also be defined as the most efficient (least amount of effort)
and effective (best results) way of accomplishing a task, based on repeatable procedures that
have proven themselves over time for large numbers of people.]


Gap Analysis

[Identify the gap between the optimized allocation and integration of the inputs, and the current
level of allocation. This helps provide the institution with insight into areas which could be
improved. The gap analysis process involves determining, ‘where you are now’ and ‘where you
want to be’.]

Strategic Plan

The strategic plan should be communicated to all relevant individuals, including stakeholders and
sponsors. It should include the following:

Vision

[What the org/dept wants to be; it should be compelling, vivid and concise, challenges everyone to
reach for something significant – inspires a compelling future; it is time bound. An organization’s
Vision sets out its aspirations for the future. The Vision is the ‘dream’ of the future, a picture
painted in words, which is intended to inspire people by appealing to the heart as well as the
head.]

Mission

[Our purpose of existence; should be brief and to the point; it provides context for major decisions
and capable of infinite fulfillment; it is not time bound].


MISSION Formulation

Answer each of these questions.

What services and/ or products will the organization/department offer?

Who are the people who may use or benefit from these services or products?

What are the reasons for the organization/ department?

Why will the organization/ department exist?

Now combine all the answers into one statement of purpose.

Values

[Values guide every major decision; they embody the spirit of the org/dept; revisit the
Vision and Mission statements.]


Strategic Objectives

List specific actionable results needed to support the vision and the mission. Use the mnemonic
SMART/ER

S Specific
M Measurable
A Attainable
R Relevant
T Time bound
And
E Evaluate
R Reevaluate

Initiatives

[These are actions that will lead to achievement of your objectives, often taking the form of
projects or programs]

Measures (KPIs), Timeline and Deliverables

[These are objective, quantifiable methods for measuring success: indicators and monitors of
success. They include performance measurement, initiatives and projects, and action plans.]

[Each Initiative has a supporting Action Plan(s) attached to it. Action Plans are geared toward
operations, procedures, and processes. They describe who does what, when it will be completed,
and how the organization knows when steps are completed. Like Initiatives, Action Plans require
the monitoring of progress on Objectives, for which measures are needed.]


Quick wins

[These are improvements which are expected to provide a Return on Investment in a short period of
time with relatively small cost and effort.]

Organization Structure

[Organizational structure allows the expressed allocation of responsibilities for different functions
and processes to different entities such as the department, workgroup and individual. Please
provide a diagram]

Resource

Personnel

Finance/ Budget

Facilities/ equipment

Summary (include a 5 by 5 year timeline towards 2030)


APPENDIX 31: Who needs to be involved in Legal contracts

Investors
• The Board
• IT Council/Management Team
• Senior business unit managers e.g. key customers of IT services
• Business Partners
• External investors/shareholders – as part of corporate governance

Providers
• Project and change managers (IT and Business)
• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players e.g. Business sponsors, Project champions
• Relationship managers and internal communications teams
• Suppliers (especially outsourced service providers)
• Contract and procurement management
• Peripheral players/influencers/Policy owners e.g. HR, Facilities Management, Legal

Controllers
• Internal audit and external audit (due diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance – regulatory and internal
• Finance/Project Managers/IT and business managers – reviewers of benefits/ROI
• Post investment appraisal/Post project review teams

Legal and regulatory Responsibilities

Investors
• Understand requirements (what regulations are to be complied with)
• Set the mandate
• Set priorities and expectations
• Establish and ensure the expected degree of compliance
• Based on advice concerning risk and cost:
• Assess impact on business
• Provide resource and funding to ensure issues are addressed
• Define who is accountable
• Obtain internal or external assurance as required that issues have been addressed and controls established
• Monitor and evaluate compliance programmes and significant commercial contracts
• Sign off specific compliance programmes
• Provide approvals when required for significant legal or regulatory decisions

Providers
• Advise on IT related technical and commercial risks that could impact legal and regulatory requirements
• Provide proposals and business cases for legal and regulatory programmes, projects or action plans
• Formulate solutions for compliance or commercial contracts
• Identify best practices for ongoing good control of legal and regulatory requirements
• Exploit technology and tools where appropriate for ensuring compliance (e.g. asset registers)
• Execution of compliance and contractual processes, and operation of related controls
• Provide compliance framework to ensure a sustainable “business as usual” approach to compliance
• Provide evidence of compliance
• Provide information relating to the cost of compliance and also cost of any incidents
• Evaluate impact on business environment together with business units
• Ensure vendors, service providers, and subcontractors are involved properly and integrated within the overall compliance approach

Controllers
• Maintain awareness of current and emerging laws, and regulations affecting IT to assess their impact on the organization’s business
• Develop an understanding of their impact on the organization and advise accordingly on “what is needed” - not necessarily “how”
• Monitor adequacy of controls and compliance processes
• Monitor the business and IT functions for performance in meeting legal and regulatory requirements and report back to management with advice regarding any shortcomings
• Provide independent assurance to management that adequate controls are in place to deal with legal and regulatory requirements


Appendix 32: Risk management process


Appendix 33: Accreditation of ICT Service Providers

A. REGISTRATION

i. An application for registration as a contractor/supplier shall be made in the prescribed form and
shall be accompanied by-

a. Duly signed Code of Conduct for ICT service providers (ICTA/STD/006)

b. Certified copies of statutory documents and other relevant documents as are necessary
to prove qualification for registration:

c. The ICT service providers shall adhere to the following code of conduct
Code of Conduct for ICT service providers:

i. Ensure government receives competent professional services.

ii. Enhance the professional development of its staff.

iii. Respect the confidentiality of any information given by government institutions

iv. Enhance integrity in the delivery of products and services to government institutions

v. Comply with all government of Kenya laws and regulations.

vi. Protect and respect third-party intellectual property and utilize it only after having
properly secured rights to its use.

d. Certified copies of the shareholders’ certificates of the company;

e. In the case of a trust, a copy of trust deed

f. Audited financial statements of the person or firm for the period immediately
preceding the application and/or recent certified bank statements.

g. Certified copies of the identity documents of the principal or principals of the firm;

h. In the case of a foreign contractor, proof of current registration status from their
country of domicile or origin certified by a local commissioner for oaths. The registration of
a foreign contractor shall be guided by the relevant government policies.

i. Sufficient proof of financial capability of the contractor; (f). proof of registration
with an association of contractors;

j. Suppliers / Contractors shall provide tax compliance certificates


ii. Proof of employment of qualified persons by the contractor and, in the case of an application
relating to specialized software, a certified copy of the current license issued by the relevant
statutory or regulatory Authority or organization.

iii. Proof of competent directors and technical staff as evidenced by IT related certificates, project
management certificates, professional certificates, national IDs and KRA PIN certificates.

iv. If an application in relation to this standard is made electronically, all supporting documents
shall be attached.

v. Local purchase orders shall be provided as proof of projects undertaken in the area of
specialization applied for.

vi. An application shall not be considered duly completed for purposes of this regulation, unless
all documents are received by the Authority.

vii. The Authority shall make a decision on an application by a person or firm within thirty days
of receiving such application including rejection if such person does not fully comply
with requirements set by the Authority, and shall inform the applicant accordingly giving
reasons for such rejection.

viii. An application form for registration may be made in English or Kiswahili.

ix. A register of registered contractors shall be kept.

x. A person who qualifies for registration in a specialized area shall be issued with a Certificate of
Registration in the specialized area of ICT by the Authority.

xi. A person or firm shall submit an annual application for renewal of the certificate of
registration to the Authority in the prescribed form accompanied by the prescribed fee (See
schedule B) and the Authority shall process the application in accordance with the provisions of
the standard.

xii. A person who is aggrieved by the decision of the Authority in relation to the category of
registration may submit a written petition indicating the reasons of such grievance, sufficient to
justify review or the assessment by Authority.

xiii. The Authority shall within thirty days of receiving a petition under notify the person of the
Authority’s decision on both applications.


xiv. Registration of contractors under ICTA -1 (See schedule B) category shall be open to both local
and foreign contractors.

xv. Any registrations that fall between ICTA -2 to ICTA -8 as set out in the standard shall be
restricted to local contractors only.

xvi. A contractor may make an application for upgrading to the Authority in a form to be prescribed
by the Authority accompanied by the prescribed fee, and the Authority shall process the application
in accordance with the provisions of the standard.

xvii. Application for renewal of the license shall be submitted to the Authority in writing at least
thirty days before the expiry of such license.

xviii. In each year during which a contractor holds a license, the contractor or, in the case of a
firm or company; the partner who possesses technical qualifications, skills or experience shall
attend at least one Continuous Professional Development event recognized by the Authority
and the Authority shall consider the attendances while determining an application to renew or
upgrade the Contractor.

xix. During the vetting and verification of contractor’s documents, the Authority/
representative may visit contractor’s premise to ascertain the information provided.

xx. The Authority shall publish a list of contractors with valid licenses on their websites.


SCHEDULE B. CLASSIFICATION OF WORKS

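| | Points | Registration Fee (Ksh.) | Annual Renewal Fee (Ksh.) |
|---|---|---|---|
| Local Contractor | | | |
| ICTA 1 | 85 – 100 | 30,000 | 10,000 |
| ICTA 2 | 75 – 84 | 25,000 | 8,300 |
| ICTA 3 | 65 – 74 | 20,000 | 6,600 |
| ICTA 4 | 55 – 64 | 15,000 | 5,000 |
| ICTA 5 | 45 – 54 | 12,000 | 4,000 |
| ICTA 6 | 35 – 44 | 10,000 | 3,300 |
| ICTA 7 | 25 – 34 | 5,000 | 1,600 |
| ICTA 8 | 10 – 24 | 2,500 | 830 |
| Re-apply | Below 10 | | |
| Foreign Contractor | | | |
| ICTA 1 | | 75,000 | 50,000 |
| ICTA 2 | | | |
| ICTA 3 | | | |
| ICTA 4 | | | |
| ICTA 5 | | | |
| ICTA 6 | | | |
| ICTA 7 | | | |
| ICTA 8 | | | |
| TOTAL | | | |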

SCHEDULE B. CLASSIFICATION OF WORKS

i. There shall be payable to the Authority such fees for its services as the Authority may
determine from time to time.

ii. The Authority may remove the name of a contractor from the register of contractors if the
contractor has been debarred from participating in a procurement process under any legislation
or if the Authority has received written complaints from any government agency with regard to the
contractor’s performance;

iii. The registration of a contractor shall be suspended after investigations into his conduct have
been concluded and it is established that the contractor has engaged in misconduct.

iv. Fails to comply with the provisions in regard to the payment of the fees;

v. The Authority shall conduct an inquiry into the conduct of the contractor before removing the
name of the contractor from the register


SCHEDULE D. Mandatory Requirements for the various Sections

| REFERENCE | PARTICULARS | SPECIFIC ITEMS | SCORE MATRIX | MAXIMUM SCORE | AWARDED SCORE |
|---|---|---|---|---|---|
| A | Directors’ qualification and work experience. | Technical Director [7 marks] Name: | Degree (at least BSc in Computer Science, IT or related) | 2 marks | |
| | | | Certification in Project Management | 2 marks | |
| | | | Work experience in (3) similar assignments as team leader, 1 mark per assignment | 3 marks | |
| | | Other directors 5 marks Name: | Work experience in (3) similar assignments as team leader, 1 mark per assignment | 3 marks | |
| | | | Certification in Project Management | 2 marks | |


| REFERENCE | PARTICULARS | SPECIFIC ITEMS | SCORE MATRIX | MAXIMUM SCORE | AWARDED SCORE |
|---|---|---|---|---|---|
| B | Staff qualification | Technical staff in specialized area [25 marks] | ii) Project team – at least 5 persons. (5 marks for each person) Scoring is based on the following. | | |
| | | | Degree (at least BSc Computer Science/IT or related) (2 marks per person) | 10 marks | |
| | | | Professional certification (1 mark per person) | 5 marks | |
| | | | Work experience in 3 similar assignments (1 mark per person) | 5 marks | |
| | | | Certification in project management (1 mark per person) | 5 marks | |


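| REFERENCE | PARTICULARS | SPECIFIC ITEMS | SCORE MATRIX | MAXIMUM SCORE | AWARDED SCORE |
|---|---|---|---|---|---|
| C | Financial status | Turnover [14 marks] | i) Turnover (KES) | 14 marks | |
| | | | High turnover (over 100m) (14 marks) | | |
| | | | Average turnover (5-100m) (7 marks) | | |
| | | | Low turnover (below 5m) (3.5 marks) | | |
| | | Largest projects in area of Specialization for the last 5 years [14 marks] | i) Project cost value (KES) | 14 marks | |
| | | | Over 100m (14 marks) | | |
| | | | 75 – 100m (10.5) | | |
| | | | 25 – 75m (7 marks) | | |
| | | | 5 – 25m (5 marks) | | |
| | | | Below 5m (3 marks) | | |
| | | Cash flow [10 marks] | i) Cash flow (KES) | 10 marks | |
| | | | Over 100m (10 marks) | | |
| | | | 75 – 100m (7.5 marks) | | |
| | | | 25 – 75 (5 marks) | | |
| | | | 5 – 25 (3 marks) | | |
| | | | Below 5 (1 mark) | | |
| D | Office and service facilities | Adequate office space [5 marks] | Business permit | 5 marks | |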


| REFERENCE | PARTICULARS | SPECIFIC ITEMS | SCORE MATRIX | MAXIMUM SCORE | AWARDED SCORE |
|---|---|---|---|---|---|
| E | Company experience | Details of development projects undertaken in area of specialization (max 4 projects) | Demonstrable capacity at company level by providing evidence of 4 relevant works carried out for the last 5 years, evidenced by copy of purchase order or contract and contact details, job completion certificates/ Client testimonials/ contracts. (16 marks) – 4 marks for each job carried out in Kenyan government institutions and – 2 marks for each job carried out in private organizations | 16 Marks | |
| | | | Relevant compliance certificates (Government, Manufacturer) as per category | 4 Marks | |
| TOTAL | | | | 100 Marks | |

Appendix 34: Accreditation of ICT Professionals

1. REGISTRATION OF ICT PROFESSIONALS

Applicant should be compliant with the standard on ICT Human Capital and workforce development,
both ethically and in terms of professional qualifications in the area of expertise. ICT Authority shall
issue a certificate of accreditation on compliance with the standard.

To commence the registration process, ICT Authority will register ICT Professionals according to four
categories of registration. The professional registrations category includes the following:

a. ICT Professional
b. ICT Practitioner
c. ICT Graduate
d. ICT Technician

2. CODE OF PROFESSIONAL CONDUCT

Registered professionals and ICTA accreditation/certification holders shall:

1. Perform their duties with objectivity, due diligence and care, in accordance with professional
IT standards and procedures for effective governance and management of Information and
Communications Technologies.


2. Serve for public good in a lawful manner, while maintaining high standards of conduct and
character.

3. Maintain the privacy and confidentiality of information obtained in the course of their activities.

4. Perform services only in areas of their competence

5. Inform appropriate parties of the results of work performed including the full disclosure of all
significant facts

6. Support the professional education of stakeholders in enhancing their understanding of the
governance and effective management of information and communications technology.

Failure to comply with this Code of Professional Ethics can result in an investigation into a
registered professional or accredited holder’s conduct and, ultimately, in disciplinary measures
including exclusion from the roll of IT professionals.

3. APPLICATION PROCESS

Step 1: Registration

Please visit the ICT Authority website www.icta.go.ke/standards/resources/ and check if you
meet the criteria for the registration category you wish to apply for, fill in details on the form then
submit to the ICT authority offices. Pay the registration fee as tabulated below;

| | REGISTRATION FEES | ANNUAL FEES |
|---|---|---|
| ICT TECHNICIAN | 600 | 500 |
| ICT GRADUATE | 1000 | 1000 |
| ICT PRACTITIONER | 2000 | 1000 |
| ICT PROFESSIONAL | 5000 | 3000 |

Table 1:- Registration of ICT professionals

In case of any difficulties, or if you need more details, please contact us via email at
standards@ict.go.ke

Step 2: Assessment Evaluation

ICT Authority will conduct an evaluation of your application to decide whether your application
is successful or not. You will be notified of the evaluation decision within 60 days of
application. The ICT Authority may contact an individual’s referees to ascertain the information
filled in the applicant’s application form.


REGISTRATION FORM

PERSONAL INFORMATION

Personal Details: Surname, Other Names, ID Number, Date of birth, Gender, Telephone, Email
Home Address: Town/City, Address, Postal code, Country, Residence
Details of Employer: Employer Name, Telephone, E-mail
Details of Contact Person: Name, Telephone, E-mail

MEMBERSHIP CATEGORY | Requirements | Select Category

ICT Technician
Form: (ICTA/STD/TECH/F001)
Application fee: Ksh. 600
Annual subscription: Kshs. 500
Submit


ICT Graduate
Form: ICTA/STD/GRAD/F002
• A duly filled Registration Application form for ICT Technician (ICTA/STD/TECH/F001) and signed
Code of Conduct (ICTA/STD/PROF/F005)
• Diploma certificate in ICT/Engineering related field from accredited institution of learning; or
Diploma certificate in any field from accredited institution of learning with proof of two years’
experience practicing ICT;
• Copy of National ID/Passport.
• Fees as above.

ICT Practitioner
Form: (ICTA/STD/PRACT/F003)
Application fee: Ksh. 1000
Annual subscription: Kshs. 1000
Submit
• A duly filled Registration Application form for ICT Technician (ICTA/STD/TECH/F002) and signed
Code of Conduct (ICTA/STD/PROF/F005)
• Graduate certificate in ICT/Engineering related field from accredited institution of higher
learning
• Copy of National ID/Passport.
• Fees as above.


ICT Professional
Form: (ICTA/STD/PROF/F004)
Application fee: Ksh. 5000
Annual subscription: Kshs. 3000
Submit
• A duly filled Registration Application form for ICT Professional (ICTA/STD/PROF/F004) and signed
Code of Conduct (ICTA/STD/PROF/F005)
• Graduate certificate in ICT/Engineering related field from accredited institution of Higher
learning or A Copy of the Registration Certificate for either ICT Graduate/Practitioner from ICTA.
• Professional Certificate in the specific area from recognized institution by ICTA/government body
• Letters of reference from employer(s) covering the previous two years confirming professional
integrity
• Statements of two referees detailing their knowledge of the applicant.
• Fees as above.

4. Continuous Professional Development (CPD)

CPD is defined as the undertaking of development activities that lead to the systematic maintenance,
improvement and broadening of knowledge and skills, and the development of personal qualities
necessary for the execution of professional and technical duties throughout a person’s ICT
professional career.

CPD Requirements

a) Certified Professionals (CP) must complete 90 CPD hours over a period of three years.
b) Members shall demonstrate commitment to professional development via written evidence of
CPD activities.
c) Sources of CPD

• Attend conferences, seminars, training courses, presentations.
• Present papers at conferences and seminars, write articles for journals (Contributions to
knowledge)


Appendix 35: Government ICT Project Governance Structures

A. National ICT Project Governance Structures

1. Name of Committee: The ICT Oversight Committee

Membership:
• His Excellency the President – Chair
• Members: Cabinet Secretary-;
  - Ministry of Land Housing & Urban Development
  - Ministry of interior and Coordination
  - Ministry of Education Science and Technology
  - Ministry of ICT
  - Ministry of Devolution and Planning
  - Ministry of National Treasury
• Chief Executive Officer, ICT Authority – Secretary

Terms of Reference:
• Review and approve projects for initiation
• To provide oversight of flagship ICT Projects
• To receive and consider reports from inter-ministerial Steering Project Committee
• To resolve inter-ministerial Project challenges.

Appointing Authority: H.E. The President
Meeting: Bi-annual

2. Name of Committee: Inter-Ministerial Project Steering Committee

Membership:
• Principal Secretary Ministry of ICT – Chair
• Members: Permanent Secretary -;
  - Ministry of Lands, Housing and Urban development
  - The National Treasury
  - Ministry of interior and Coordination
  - Ministry of Education Science & Technology
  - Ministry of Devolution and Planning
• Chief Executive officer, ICTA – Secretary

Terms of Reference:
1. Champion Implementation of Key Projects
2. Monitor and evaluate Projects and take necessary action for the success of the project.
3. Prepare and report Projects status to oversight Committee
4. Resolve inter-ministerial Project challenges.
5. Receive and review quarterly reports from Project Implementation and Monitoring Committee.
6. Co-opt the ministry that own the key project(s)

Appointing Authority: H.E. The President
Meetings: Quarterly


1.0 Project Implementation and Monitoring/Steering Committee


| Role | Person |
|---|---|
| Project champion (Chair) | A top-ranking officer from the organ. PS for Ministry and CEO for Agencies |
| Project owner | The user of the system |
| Chair of Technical committee | This is the person who is responsible for the implementation of the system. [Head of ICT] |
| Project Management Office | Project Manager ICT Authority |

Terms of Reference:
• Initiate projects within Ministries, Agencies & Counties
• Review and approve project concepts and implementation plans
• Resolve project challenges to ensure smooth implementation
• Review and approve project budget
• Monitor and evaluate projects at implementation stage
• Prepare and present quarterly progress report to inter-ministerial project Steering committee
• Appoints Project implementing team[s]
• Co-opt stakeholder’s representatives or other members

Meetings: Regularly

Appointing Authority: Cabinet Secretary/Governor/CEO appropriately


2.0 Project Technical Committee

| Role | Person |
|---|---|
| Project owner and Chair | The user of the system |
| Project manager (Secretary) | The person who is responsible for the execution of the project |
| Beneficiaries representative | Stakeholder’s representative(s) |
| PMO Liaison officer | An officer from the ICTA PMO |
| Consultant / Systems integrator | Representative(s) of any third party who is involved in the development of the project |
| Standard Liaison officer | A Standard officer from ICTA |
| Technical liaison | Selected technical expert(s) in line with the technical requirements of the project |

Appendix 36 Audit for outsourced applications

MCDA has;
a) Defined a strategy on how acquisition will be conducted.
b) Prepared a request for the supply of a product or service that includes the
requirements.
c) Communicated the request for the supply of a product or service to potential
suppliers
d) Selected one or more suppliers.
e) Developed an agreement with the supplier that includes acceptance criteria.
f) Identified necessary changes to the agreement.
g) Evaluated the impact of changes on the agreement.
h) Negotiated the agreement with the supplier.
i) Updated the agreement with the supplier, as necessary.
j) Assessed the execution of the agreement.
k) Provided data needed by the supplier and resolved issues in a timely manner.
l) Confirmed that the delivered product or service complies with the agreement.
m) Provided payment or other agreed consideration.
n) Accepted the product or service from the supplier, or other party, as directed by
the agreement.


IT GOVERNANCE STANDARD WORKING GROUP

FRANCIS MWAURA- ICTA

JOSEPH KURIA- COMMISSION FOR REVENUE ALLOCATION

THOMAS ODHIAMBO- ICTA

MATHEW CHEMON- ICTA


ICT Authority
Telposta Towers, 12th Floor, Kenyatta Ave
P.O. Box 27150 - 00100 Nairobi, Kenya
t: + 254-020-2211960/62
Email: [email protected] or [email protected] or [email protected]
Visit: www.icta.go.ke
