Home > Articles > Software Development & Management

This chapter is from the book

This chapter is from the book

Applying the CPR Framework to IT Governance

As stated in the introduction to the chapter, IT governance, properly construed, is a discipline within corporate governance; as such, the board’s perspective should be primary, and the board should be the ultimate driver of IT governance. As a discipline within corporate governance, IT governance activity should be directed in the dimensions important to corporate governance: CPR. This section provides guidance on how to implement the CPR framework for IT governance.

Applying the CPR framework to IT governance has a number of important implications, many of which flow down from the overarching discipline of corporate governance:

  1. The board, not the IT function, must be the prime driver for IT governance and must provide a framework for governance to provide a standardized communication interface and channel for governance along with simple rules to align and inform everyday decisions and actions toward sustainable financial results.

  2. As with the corporation as a whole, sustained financial results must be the objective and prime driver for IT decisions and actions.

  3. Govern four assets with the purview of IT governance (infrastructure, clients and external stakeholders, internal people and process (including suppliers and partners), and value creation) in the three dimensions of CPR, and governance must include managing the current and propelling toward the future state of the enterprise.

  4. Since governance is behavior, emphasis in implementing this framework must be on changing behavior rather than introducing or changing work artifacts; roles must be set out, including expected behavior changes, not just for the board and top management, but for auditors (IT, security, financial), internal staff, and external entities (such as suppliers).

  5. Other IT governance activities (such as IT service continuity management) and frameworks (such as the IT Infrastructure Library) must be aligned within the CPR framework, including program office, project, financial/investment processes, service-level management, business/IT alignment, security and IT audit/conformance, and IT service management processes.

These implications lead to a set of five imperatives for governance, shown in Table 19.3.

Table 19.3 Five Imperatives for Implementing IT Governance

Ensure the board drives governance and provides the governance framework.

Focus on sustained financial results.

Govern four assets—infrastructure, clients and external stakeholders, internal people and process, value creation—in three dimensions—conformance, performance, and relating responsibly—and include within governance managing the current and directing toward the future state of the firm.

Organize around governance as behavior involving key stakeholders.

Align sources of guidance for all IT governance within the CPR framework.

The sections that follow highlight how to go about applying the CPR framework to the IT function by suggesting how to implement governance measures to meet each of the five imperatives. The five imperatives are addressed in turn.

Ensure the Board Drives Governance and Provides the Governance Framework

Governance is an activity performed jointly by the board and corporate departments. The board sets direction and policy, and departments execute and contribute their best advice and judgment. The IT function cannot be an exception. Where IT really matters to the corporation’s future, it makes sense to involve corporate directors in infrastructure concerns. The following statements, from a recent article by Thomas Hoffman (2004) attest to this fact.

A small number of companies, including Novell, Inc., and FedEx Corp., have elevated responsibility for IT governance to their boards of directors in an attempt to ensure that they have high-level oversight of technology investments.

Novell’s oversight committee, which also includes four other directors from outside the company, monitors major projects and decisions about Novell’s technology architecture.

FedEx created an IT oversight committee four years ago that includes board members. Like Novell’s committee, the one at FedEx oversees major IT-related projects and architecture decisions and advises both the senior IT management team and other board members on technology issues, according to a spokeswoman for the Memphis-based company.

While the board should rightly drive IT governance, this does not mean that you, the CIO, cannot or should not work to influence how they go about it. In fact, you must ensure that you have what you need to be successful in your role. This starts with understanding your board’s current posture, that is, the role they play in the corporation. Typical board postures include

  • Window dressing (provide image enhancement)

  • Strategic (address long-term and policy issues)

  • Operational (direct day-to-day activities)

  • Networking (create and enhance relationships)

  • All-purpose (work at all levels to some extent)

Understanding your board’s current posture is essential because you may need to take steps to make the integration of corporate and IT governance a "real and present" concern for your board.

Reckoning your board’s current posture or raison d’ être is a vital first step to understanding what you can do to influence their perception. This is essential to getting the m to drive IT governance, as they must see it as a real and present concern in order to do so.

Once you have taken into account the current posture of the board, you must decide where responsibility for IT governance should reside. You will need to define the roles and relationships relative to IT governance of key stakeholders, including owners/shareholders, the board, and top management. The following is intended as a helpful guideline for dividing these responsibilities in a large enterprise:

  • Performance aspect: the board

  • Conformance aspect: corporate governance committee, compliance committee, audit committee

  • Relate responsibly: the board and committees

It is important to map these roles specifically to the IT function to ensure clarity of purpose and completeness of coverage.

You may also have to adjust the board’s tasks, roles, and education to ensure that the integration of corporate and IT governance "takes." Ask, Do you have someone on board who has

  • primary responsibility for IT governance, including in their role and responsibilities?

  • the requisite specialized knowledge and expertise to do the job?

  • the interest to invest the appropriate time and energy required to make a difference?

If not, consider including an outside director for this role.

Also, ask yourself the following questions:

  • Do you have an independent audit, corporate governance, or compliance committee?

  • Are members clear on their role in crisis management for major IT incidents, including how they should liaison with operational IT crisis teams? Have they been trained to do so?

  • Is the intersection of IT and corporate governance part of your ongoing education program plan for your directors and part of your orientation program for new directors

  • Is IT governance information part of the package prepared for new board members?

So far, the tactics mentioned for getting the board to drive IT governance have been largely influence, education, and role specification. Another key tactic is to leverage Service Level Management as the "communications interface" between corporate and IT governance. This tactic is outlined in the paragraphs that follow.

Leverage Service-Level Management as Nexus between IT and Corporate Governance

Properly construed, IT organizations are service providers within the corporation. Ideally, they provide a defined set of IT-based services to business customers (those who shape and fund the services) and users (those who rely on the services to perform their work). The notion of IT as a service provider is the essence of the concept of IT service management (ITSM). ITSM is a model for managing IT as a business, where the quality of service, as perceived by the customer, is the number one driving and aligning force in the organization.

ITSM guidance includes the Service Level Management (SLM) process, which consists of the following activities:

  • Defining and agreeing to the services provided (quality, service levels, cost)

  • Aligning IT infrastructure provider activities to deliver on commitments

  • Managing the service experience

  • Managing customer–provider (and provider–provider) relationships

  • Improving service levels and value within cost constraints

  • Delivering as agreed, consistently maintaining commitments

The benefits of SLM include:

  • Enhanced understanding by the business and IT of each others’ requirements and constraints

  • Better information for IT and business decision making

  • Better alignment between the business and IT

  • More focused and accountable providers and suppliers

  • Clearly defined services, cost, and value

  • Continuous improvement of services and lower costs

  • Enhanced customer and provider satisfaction

  • More effective business use of IT

Service-level management is the primary mechanism for managing the IT function as a services business. As shown in Figure 19.4, a good deal of effort goes into ensuring that the services IT provides meet business needs, are delivered in a way that creates and maintains customers’ satisfaction, and ultimately help the corporation create value and drive profit.

Figure 19.4

Figure 19.4 The service-level management pyramid.
Source: Pultorak, David. Exploring the Intersection of Service Level Management and Corporate Governance. BetterManagement.com Web Seminar, Thursday, December 4, 2003.

As you can see, in managing IT as a services business, services are at the center of all activity. To ensure services are delivered and supported according to commitments, the underlying technical infrastructure and systems must be up to the task. The boxes on the left-hand side of the diagram depict services as part of a larger catalog of services and may depend on other services as well as on service support and delivery processes for proper functioning. The boxes on the right-hand side illustrate that services need tending—a service manager of some sort—and rely on internal agreements between organizational units (operational level agreements) as well as contractual agreements with suppliers (underpinning contracts) to function properly. The relationship with providers needs tending, including both internal and external service providers.

The right-hand upper boxes show that a service-level management process—a process that ensures services are designed, developed, delivered, and supported as they should be through agreeing, measuring, monitoring, reviewing, auditing, reporting, managing, and improving—must be in place to ensure consistent results and value. Lastly, the boxes at the top of the diagram show that the service-level agreement (SLA) is the primary interface to the customer, existing only to meet business needs that drive value and financial results.

Service-level management provides an ideal basis for the interface between IT and corporate governance because it and corporate governance have much in common; both service-level management and corporate governance

  • Are governance mechanisms.

  • Have the aspect of agency/representation; that is, a small group of individuals represents the interests of a larger group.

  • Have a "down and in" management aspect and an "up and out" leadership aspect—in other words, both SLM and corporate governance require managing infrastructure and internal people and process as well as managing clients and external stakeholders.

  • Focus on performance, conformance, and relating responsibly to stakeholders.

  • Focus on maximizing value and minimizing risk.

  • Have stakeholders in common.

  • Are evolving areas after many years without change.

  • Feature widespread agreement on "why" and "what" and just as widespread lack of agreement on the "how" of implementation.

How to Integrate Service-Level Management and Corporate Governance

To leverage SLM as the nexus for IT and corporate governance, it helps to start by adopting and adapting internationally recognized standards that are understood by IT. The de facto international standard for IT service management is the IT Infrastructure Library (ITIL), an open standard developed by a consortium of industry experts. ITIL includes the service-level management process and is an excellent place to start. While ITIL guidance is strong in the areas of performance and relating responsibly, it is weak in conformance aspects. To cover these, one should look to the internationally recognized guidance contained in CobiT, which is also internationally recognized guidance, in this case focusing on control and compliance. A standards-based approach leveraging ITIL and CobiT helps ensure a defensible compliance position and accelerates compliance. A word of warning: while CobiT and ITIL can and should be used in conjunction, one should not expect them to fit together like so many jigsaw puzzle pieces; for example, a key difference is that CobiT tends to focus on describing where you should be, whereas ITIL has more coverage of how you might get there.

Focus on Sustained Financial Results

To drive governance down into the IT organization, all day-to-day decisions and actions must include a focus on and consideration of sustained financial results as a goal. For example, a "go/no-go" decision on an IT change should not be made just on technical merits; the business impact of the change must be considered as well.

Maintaining focus on financial results is another area where utilizing industry-standard ITIL guidance is extremely useful. ITIL includes process guidance for Service Level Management, as previously mentioned, which ensures a focus on the business value of services, as well as guidance for Financial Management for IT Services, which covers aspects of investment appraisal, budgeting and accounting, and charging.

Govern four assets—infrastructure, clients & external stakeholders, internal people & process, value creation—in three dimensions—conformance, performance, and relating responsibly, and include within governance managing the current and directing toward the future state of the firm

Table 19.4 outlines the dashboard of metrics required to manage the current state of the IT function and its future state along the dimensions of CPR and in the four key areas all businesses must pay attention to: infrastructure, clients and external stakeholders, internal people and process, and value creation. The idea is that a short list of the most relevant metrics for the organization be represented in each of the boxes and measured and managed to, ensuring that the IT function is driving toward sustainable financial results.

Table 19.4

Table 19.4 CPR Key Performance Indicator Dashboard

Organize Around Governance as Behavior Involving Key Stakeholders

Each internal key stakeholder must have his or her activities relative to IT governance stated as a set of job parts and standards (completing the statement "performance is effective when..."). Figure 19.5 is adapted from the author’s chapters in IT People: Doing More with Less (2005), which you can refer to for a worksheet and more information about how to go about it.

Figure 19.5

Figure 19.5 4-S job planning.
Source: Kern, Pultorak et al., IT People: Doing More with Less, 2005.

A similar exercise is recommended to describe the roles of clients and external stakeholders in order to capture their roles and responsibilities, although of course such documentation would not constitute job parts and standards.

Align Sources of Guidance for IT Governance with the CPR Framework

In this section, a number of common IT governance frameworks are mentioned in turn, with guidance on how each can be aligned within the CPR framework.

ISO/IEC 17799 and BS7799-2

ISO/IEC 17799 is an international standard code of practice that constitutes best practices in information security. Security guidelines are provided in the ten areas shown in Table 19.5.

Table 19.5 The Ten Guidelines Areas of ISO/IEC 17799

Business continuity planning

Personnel security

System access control

Security organization

System development and maintenance

Computer and network management

Physical and environmental security

Asset classification and control


Security policy

BS7799-2 is a complementary standard to ISO/IEC 17799, providing a model for managing and improving compliance with BS7799-2 standards. BS7799-2 is the standard that one can be certified against, while ISO/IEC 17799 is a code of practice providing guidance on the identification and implementation of controls to meet the standard.

ISO/IEC 17799 and BS7799-2 can be integrated into the CPR governance framework primarily within the conformance dimension. Tracking of improvements falls under the performance dimension, and managing perceptions around security issues falls under the relating responsibly dimension. Infrastructure and internal people and process are the two primary asset areas within which ISO/IEC 17799 and BS7799-2 fit.


The original Capability Maturity Model (CMM), and subsequent integrated versions (CMMI), were created by the Software Engineering Institute (SEI) to optimize software development through a framework of continuous process improvement. CMM defines five levels of maturity of software processes: initial, repeatable, defined, managed, and optimizing. ISO/IEC 15504 (also known as SPICE) is a framework for assessment methods compatible with CMMI, the first elements of which were published in 1995.

CMM/CMMI and ISO/IEC 15504 can be integrated into the CPR governance framework primarily within the Performance dimension. Tracking of compliance to specified policies and procedures falls under the Conformance dimension. Managing perceptions around capability achievement falls under the "Relating Responsibly" dimension. The primary asset area that these maturity models fall under is Internal People and Process.

Deming, EFQM, BNQP, ISO/IEC 9000, TQM, Six Sigma

Deming, EFQM, BNQP, ISO/IEC 9000, TQM, and Six Sigma are quality management systems and methods. The management aspects of these frameworks fall primarily under the Conformance dimension. The improvement aspects fall largely under the Performance dimension. The primary asset area governed by these frameworks is Internal People & Process, although Infrastructure is also important here.

IT Governance: Weill and Ross

Weill and Ross’s recent book (2004) is widely quoted as a reliable source of research on IT governance. It is research-based, describing how real practitioners view IT governance. In it, Weill and Ross conceptualize IT governance as decision making within a decision-making framework; their consequent focus is on decision rights and accountability. The book comes from an IT perspective: your perspective, that of CIO.

Weill and Ross’s work spans all asset areas to be governed, and the authors provide their own take on what those assets should be: human, financial, physical, IP, information and IT, and relationship. While the book spans all dimensions of governance as well, the focus is on a subset of governance behavior—decision making. Weill and Ross’s contribution is an excellent source of guidance for realizing many, but not all, aspects of the CPR framework.


The Control Objectives for Information and Related Technology (CobiT) framework focuses on compliance and control. The guidance comes from an IT perspective, this time from the perspective of IT auditors. CobiT (ISACA 2000) substantially strengthens the EDP audit function. It is detailed, prescriptive, and complete, and provides a standardized approach to IT accountability.

As Table 19.6 shows, CobiT provides guidance in four key areas: Planning & Organization, Acquisition & Implementation, Delivery & Support, and Monitoring.

Table 19.6 CobiT Provides Guidance on 34 Processes in Four Key Groups



Define a strategic IT plan

Identify automated solutions

Define the information architecture

Acquire and maintain application software

Determine the technology direction

Acquire and maintain technology infrastructure

Define the IT organization and relationships

Develop and maintain IT procedures

Manage the investment in IT

Install and accredit systems

Communicate management aims and direction

Managing changes

Manage human resources


Ensure compliance with external requirements


Assess and manage risks


Manage projects


Manage quality




Define and manage service levels

Monitor the processes

Manage third-party services

Assess internal control adequacy

Manage performance and capacity

Obtain independent assurance

Ensure continuous service

Provide for independent audit

Ensure systems security


Identify and allocate costs


Educate and train users


Assist and advise IT customers


Manage the configuration


Manage problems and incidents


Manage data


Manage facilities


Manage operations


Because CobiT focuses on control and comes from the perspective of IT audit professionals, CobiT is ideal for approaching the Conformance dimension of IT governance. While the focus is on control, CobiT is applicable beyond the Conformance dimension, with guidance in seven criteria areas:

  • Effectiveness

  • Efficiency

  • Availability

  • Integrity

  • Confidentiality

  • Reliability

  • Compliance

The primary asset area aligning with CobiT is Internal People & Process, with emphasis also in the Infrastructure asset area.


ITIL (the Information Technology Infrastructure Library) is a collection of best practices for IT service management. ITIL’s guidance is written from the perspective of the IT professional and is aimed at alignment with the business and focused on efficient and effective IT services. ITIL has been developed and widely implemented globally over the last 20 years. ITIL is appropriate for all corporations because it is vendor-neutral, nonpropriety, and scalable. That is, no matter how large or small your corporation, national or international in scope, ITIL "fits" with whatever technology you have put in place. Over 10,000 companies are using ITIL, and over 100,000 IT professionals worldwide are certified in ITIL practices.

The focus in ITIL is on effective and efficient IT processes (such as Change Management and Capacity Management) in support of the delivery of IT services. The objective is to position IT as a service provider, a partner with the business, and an enabler of business goals rather than as a mere operator of increasingly complex technology.

ITIL provides guidance and mechanisms that are ideal for realizing the performance and relating responsibly dimensions of IT governance. While the primary asset area that aligns with ITIL is internal people and process, ITIL guidance spans all four asset areas. In addition, while ITIL guidance is not focused on conformance, it enables conformance by specifying the process domains required to carry out the business of IT, which is a necessary basis for ensuring compliance with codes produced by relevant authorities (for example, a particular conformance area such as Sarbanes-Oxley compliance may require that change management processes be in place; ITIL provides the general outlines of such processes, into which controls can be inserted to ensure compliance). As such, it provides an ideal complement to CobiT as the basis for realizing full coverage in all three dimensions of governance: conformance, performance, and relating responsibly.

As such, IT must broadcast its contribution to the corporation in service terms. Who, what, where, why, and when has IT applied the resources at its command to support the business? Running an infrastructure, no matter how complex, does not add value to customers and profit to the corporation. Aligning that infrastructure engine so that it drives toward understandable business results is the goal, and this alignment can only come about through ongoing, specific dialogue between IT and the business on the subject of service.

The focus in ITIL is on effective and efficient IT processes (change management and capacity management, etc.) and tools (service-level agreements and configuration management databases) in support of the delivery of IT services.

ITIL is very clear on what needs to be done for IT to support a business service. In focusing on business and IT alignment, it drives home the performance and relating responsibly tenets of governance through close definition of a set of processes. These processes are directed at IT customers (i.e., corporate departments that define and commission IT services) as well as users (i.e., employees that use IT day-in and day-out). The ITIL service management processes and their aims are listed and described in Table 19.7.

Table 19.7

Table 19.7 Information Technology Infrastructure Library

These ten disciplines work in concert to present the power of the underlying IT infrastructure in ways understandable to the business. Principal among its tools are the service catalog and corresponding service-level agreements (SLA) that document the mutual expectations of IT and the business. According to Weill and Ross (2004), the service catalog and SLAs...

list available services, alternative quality levels, and related costs. Through negotiations between the IT services unit and the business units, an SLA leads to articulation of the services IT offers and the costs of the services. These negotiations clarify the requirements of the business units, thereby informing governance decisions on infrastructure, architecture, and business application needs. (p. 101)

The service catalog and SLAs drive all of the other ITIL processes. The service catalog acts a menu, and the SLA as an agreed "order" from that menu, forming the basis for common ground between corporate departments and IT. It establishes the boundaries of conformance because it has the business and IT work together to plan what to do, to do it, and to accumulate evidence that it has been done. It records the mutual understanding of quality whose measurement brings performance characteristics to the fore. Lastly, it sets the cost parameters—what the business can afford and what IT can spend—reflecting the balance of supply and demand that underscores relating responsibly.

IT service management is not a one-step approach for infusing IT with the three-part framework of governance, but it takes the first step by elevating the dialogue where business goals and objectives are the nouns, service is the verb, and the innumerable details that constitute the technical infrastructure are secondary.

In short, the service focus proposed here allows the board to expect more, to demand more, and to require greater transparency in reporting on the business value of IT services. Microsoft adopted and adapted ITIL, transforming it into the Microsoft Operations Framework (MOF) to secure even stronger benefits for the corporation and its goals. As Ron Markezich, CIO for Microsoft Corporation says, "Our goal in IT at Microsoft is to use technology as a competitive advantage for Microsoft. Our focus on Microsoft Operations Framework and service management helps us ensure a foundation of reliable, effective and trustworthy IT services that are required for our users to get the most out of the services IT provides."

Other Mechanisms Associated with IT Governance

Some professionals equate IT governance in whole or in part with a variety of management mechanisms in use in organizations. Chief among them are program, project, and portfolio management, enterprise architecture, business and IT alignment, and the strategy, policysetting, and planning functions performed by the board, executive management, and specialized staff. A variety of guidance exists for these mechanisms, such as the PMBOK for project management. While it is beyond the scope of this chapter to review all such guidance, it is important to note that many consider such mechanisms an important part, and in some cases, the primary part of IT governance, sometimes going so far as equating these mechanisms with governance. While each has a role in governance, the general guidance given here is to apply such mechanisms within an overarching framework that aligns them.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020