Move Fast and Don’t Break Things: Help Evaluate the Agile Control Map

By Gerhard Schreihans posted 5 hours ago

  

Agile delivery and strong IT governance are often treated as opposing forces. On one side, agile frameworks such as SAFe emphasize speed, customer value, and rapid iteration. On the other, established governance and security frameworks - COBIT, ITIL, ISO/IEC 27001/27002, and the CIS Critical Security Controls - focus on risk reduction, resilience, and control.

In practice, this tension frequently leads to a familiar outcome: solutions that deliver business value quickly, but address security, compliance, or control requirements too late.

Bridging Agile Delivery and Control Frameworks

As part of a Design Science research project, I developed an artifact called the Agile Control Map. Its purpose is simple and practical: to show when governance, security, and service management controls should be considered within agile solution development - without introducing yet another framework.

The Agile Control Map links:

  • Artifacts (Epic, Capability, Feature) of agile solution development projects to

  • Relevant practices and controls from COBIT, ITIL 4, ISO/IEC 27001/27002, and the CIS Controls.

The result is a pragmatic mapping that helps teams address non-functional requirements early, reduce friction between agile delivery and control functions, and avoid late-stage findings or rework.

Why This Matters for ISACA Professionals

If you work in IT governance, security, risk, audit, or compliance and your organization is managing projects in an agile way, the Agile Control Map may be directly relevant to your daily practice - especially where speed and assurance must coexist.

Call for Expert Participation: Ex Post Evaluation Survey

The artifact has now reached its ex post evaluation phase, and expert input is essential.

I invite ISACA members to participate in a short survey (20-30 minutes).

Please find the survey link here: https://forms.office.com/Pages/ResponsePage.aspx?id=lYNC_ZopUUmjJC_5Y8QNubx_I_CIAe1MuI0wjYdGmEZUQ1ZPVktIVzlaVzBVUkRGQ1ZPQzYxMjczMy4u


TL;DR

  • Agile teams often overlook governance and security controls until it’s too late

  • The Agile Control Map links artifacts of agile solution development with COBIT, ITIL, ISO 27001/27002, and CIS Controls

  • ISACA experts are invited to evaluate the artifact via a short survey

Thank you for helping bridge agility and control in practice.
