Sixty years of IRMA
This year is the 60th anniversary of the Information Risk Management and Assurance (IRMA) Specialist Group

John Mitchell FBCS, IRMA Chair, reflects on the foundation and development of IRMA.
The Information Risk Management and Assurance (IRMA) specialist group has a remarkable history, which highlights its significance in the domain of risk management & assurance within IT in general and the BCS in particular. As a cornerstone in the broader framework of the Institute, IRMA has played a significant role in shaping best practices, fostering professional development, and driving forward the agenda of information assurance in an increasingly digital world. It is the second-oldest SG in the BCS and currently has over a thousand members, many of whom reside overseas.
The origins of IRMA can be traced back to a few far-sighted accountants (yes, accountants!), who in the early 1960s, realised that many of the financial systems they then audited, such as Payroll and Accounting, would be replaced with computerised versions, and auditors would need new skills to provide assurance on their accuracy and reliability. During the 1960s, computerised systems ran on large single-thread, mainframe computers, so these visionary people decided that any group they created would ideally be associated with the BCS, which had been created around 1957 (it would not receive its Royal Charter until 1964). They adopted the name “Auditing by Computer” (ABC) and became the second specialist group affiliated to the BCS (they would not become incorporated until 2004). The adopted name was not their first choice, but at that time, and for many years afterwards, the BCS was focused on the use of computers in business and academia, rather than managing them, so Auditing by Computer implied the use of computers for the actual audit activity, rather than auditing the systems which ran on those computers. It would take 25 years before they were able to adopt a name which reflected their initial intentions, which were to cover such areas as:
- information governance
- information systems risk management and audit
- awareness and use of computer auditing
- control and risk management techniques.
Not many will remember that up until 2004, all SGs associated with the BCS ran their own affairs with responsibility for their own membership, financial affairs, and education programme. From the start, the ABC group had a two-tier subscription model with BCS members receiving a discount. It became a recruiting ground for the BCS in that people who would never have joined the BCS in the first instance joined the ABC group and subsequently signed up to the BCS.
The group quickly recognised the need to address the growing governance complexities associated with information technology. The technology refused to stand still! By the late 1980s, the proliferation of computers of all sizes, coupled with the advent of interconnected networks, necessitated an expansion in the scope of the group’s coverage, and the group became the “Computer Audit Specialist Group” (CASG) in 1990. It is interesting to note that even at this time, the BCS’ Industry Structure Model (the precursor to SFIA - Skills Framework for the Information Age), still showed “governance” as being non-core to IT activities! This led to a period of tension with the BCS, which at that time saw itself as an association to promote the use of IT, and not to constrain it, which was then the view of many IT professionals towards the CASG group. CASG believed that with the proliferation of computing in the business world, it was becoming difficult to separate computing from business. Indeed, many businesses were so reliant on computing that management of the technology was becoming core to the business. Many IT professionals took exception to this, arguing that technology was for IT to manage (not that they knew how to do it) and certainly not for those with (then) a predominantly financial background. Indeed, this ultimately led to a new group being formed, the ISSG (Information Security Specialist Group), with which IRMA retains very cordial relations and with which we often share joint events, due to the overlap between IT security and IT governance.
CASG attracted many people who were joining the new computer audit profession, and at its zenith, it had more than 2,500 members, many of whom subsequently joined the BCS, which was slowly beginning to recognise that there was more to the IT profession than just the development and delivery of applications. Being, at that time, the only group in the UK dedicated to computer auditing, control, and compliance, the CASG Group was able to run conferences that attracted up to 500 paying attendees. CASG was financially independent at a time when many other groups were reliant on contributions from the BCS. Indeed, there were very few groups that were revenue-positive. The significance of this will be explained later.
Ultimately, a number of significant IT and company failures, coupled with a recognition of the need for a focused approach towards information risk management, led to a more pragmatic understanding of the requirement for good IT governance, so in 2001 CASG adopted the name it has today, the Information Risk Management and Assurance (IRMA) group, with the objective of providing a dedicated platform for professionals to discuss, develop, and disseminate knowledge on managing information systems. The group could now meet the intentions of the founders, which were to bring together practitioners from various fields, including IT security, auditing, risk management, and compliance, to collaboratively enhance the understanding and mitigation of IT risks.
Advances in technology raised new risks to the management and control of IT, and IRMA was pressed to tackle these to keep the control lid on an increasingly volatile kettle. The technological advances were often outstripping our ability to manage them, but we were becoming more agile in identifying the problems, even if it took us a bit longer to identify the solutions. We named this the ‘control lag.’ Examples of significant changes that required a change in our approach were:
- the move from batch processing to remote access
- the ability of the user to make direct changes to the data in real time
- the introduction of Local Area Networks
- the connection of the LANs to Wide Area Networks
- outsourcing
- the Internet and IoT
- the Cloud
- quantum computing
- Artificial Intelligence.
These advances in technology led both to the globalisation of business and the increasing regulatory requirements across different jurisdictions, which added layers of complexity to information risk management. IRMA acted to provide guidance that was both globally relevant and locally applicable. At the same time, research into control theory was beginning to yield dividends as to how to approach the control implications in a robust way.
The changes in the focus of the group, due to advances in technology, are reflected in its three names: ABC, then CASG, then IRMA. This reflects the need for all specialist groups to regularly examine their relevance in the digital world and to review their mission and objectives.
As mentioned earlier, the journey of IRMA has not been without challenges. The rapid evolution of technology has continually reshaped the landscape of information risk management, necessitating constant adaptation. If one reviews the changes in technology over the last thirty years, it becomes clear why IRMA has needed to adapt. In the early days of large single-thread mainframes, operated by professionals in a secure location and running batch processes, it was easy to identify the major risks: failure of physical security; weaknesses in the operating system; flawed program logic; poor data quality. However, with the advent of real-time and networked systems, it became necessary to manage logical access to the system, and the arrival of direct user data input required a different approach to ensuring data quality, but all of this was still predominantly under the internal control of the organisation. IRMA adapted its risk management and assurance strategies accordingly. However, with the increased use of outsourcing, the advent of the internet and subsequently the cloud, plus an increasingly severe regulatory framework (SOX in the USA and GDPR in Europe), it became much more difficult to ensure that the company’s integrated systems were both secure and compliant. The advent of AI poses both a threat and an opportunity to IRMA, which we will be exploring at this, our 60th anniversary conference.
These advances in IT have required changes in the way it should be controlled. We have moved from a preventative culture of trying to stop bad things from happening to a detective culture of identifying the bad things sufficiently quickly to put them right. This has required a change in our control methodology, which accepts that no matter how hard we try to prevent a bad thing, such as an unauthorised sign-on, it will happen. What we then need is to detect it quickly and to have mechanisms in place which enable speedy recovery to the situation as it was before the bad thing occurred. Think of ransomware attacks as an example. They are difficult to prevent, as their success is usually due to human failure. Recovery is inhibited because of too much focus on prevention and insufficient attention to resilience.
The primary mission of IRMA has always been to promote best practices in information risk management and assurance. This encompasses a wide array of activities:
- encouraging research into the risk management of information systems and promoting the development of information risk management, control, and assurance.
- providing a forum for the development of awareness and competence in information systems risk management.
- promoting the efficient, effective, and economical use of risk management within information systems.
- representing the interests of the Information Risk Management and Assurance specialist group to other bodies.
- being the primary focus for information risk management and assurance within the BCS.
We have achieved this through:
Education and Awareness: IRMA has been pivotal in raising awareness about the importance of information risk management. Through seminars, workshops, and conferences, the group has consistently offered educational opportunities for BCS members, the broader professional community, and the public. During the years 1990 to 2008, IRMA published a quarterly Journal to inform its members of advances in information risk management and assurance. To my knowledge, no other specialist group attempted anything on this scale. The Journal was allocated an ISBN, and a copy of every edition was required to be sent to the British Library. In addition, the City of London’s Guildhall Library has an archive of all IRMA publications, including the early “How To” series, which provided guidance on the auditing of computerised systems. Several editors of the Journal were academics from the Business School of London’s City University, and a close collaboration has existed between the two institutions since the 1980s. A full set of Journals is available on the IRMA website.
The Journal ceased publication in 2008 when it became apparent that members could conduct their own research using search engines, rather than wait for a quarterly publication which might not have addressed their immediate concerns. We have been in the vanguard of student development and promote BCS membership via our association with student chapters at universities. We also help students in their research by distributing their surveys to our members and providing a forum for the dissemination of their research results.
Professional Development: Recognising the dynamic nature of the IT landscape, IRMA has focused on continuous professional development. It has facilitated the sharing of the latest methodologies, tools, and frameworks that practitioners can utilise to stay ahead in their field. Over the years, IRMA created time-limited special interest groups to deal with specific changes in technology, such as the introduction of the IBM AS400 and the control implications associated with the increased use of Unix in business. We strive to hold eleven members’ meetings each year to inform our members of advances in information risk and control.
Standards and Best Practices: One of IRMA’s significant contributions has been in the development and promotion of standards and best practices in information risk management. By collaborating with other BCS groups and external organisations, such as the ISO, IRMA has helped in the formulation of guidelines and standards that ensure robust information risk management and assurance protocols.
Networking and Collaboration: IRMA has served as a critical networking hub, bringing together professionals from diverse backgrounds to collaborate on shared challenges and share insights. We have close internal working relations with the Information Security SG (ISSG) and externally with the Information Systems Audit & Control Association (ISACA) and the Institute of Chartered Accountants (ICAEW).
IRMA has shown adaptability, which is reflected in its three name changes. The group has evolved by integrating new perspectives, embracing interdisciplinary approaches, and fostering a culture of continuous learning and innovation. In the current digital age, the role of IRMA is more critical than ever. The exponential growth of data, the widespread adoption of digital technologies, and the increasing interconnectedness of systems have amplified the importance of robust information risk management.
The history of IRMA is a testament to the enduring importance of IT governance in the profession. From its start in the mid-1960s to its current role in the digital age, IRMA has consistently championed the cause of protecting information assets and managing risks. Through education, professional development, standards-setting, and advocacy, IRMA has made significant contributions to the field and continues to be a vital resource for professionals navigating the complexities of information risk management and assurance. As the digital landscape continues to evolve, IRMA’s role will undoubtedly remain crucial in ensuring that organisations can manage IT risks effectively and safeguard their information assets in an ever-changing environment. Such is today’s focus on IT governance (note the public enquiry into the Post Office Horizon scandal), it is incumbent on IT professionals to adhere not only to the BCS’ Code of Conduct, but also to the myriad of standards and legislation which now surround IT. No matter what area of IT you represent or what job you have, you will find that being a member of IRMA will be of immense value to your career.
Conclusion
As IRMA celebrates its 60th anniversary, it is worth reflecting on the contributions of those who have shaped the group and the field it represents. The journey from mainframes to microcomputers, from COBOL to AI, underscores the importance of adaptability and continuous learning. IRMA’s history is not just a testament to technological progress but a reminder of the enduring need for thoughtful oversight in an ever-evolving digital world.