No longer call it GAGSI—use MAGNum instead.
This change marks the shift from a systems-centric view to a comprehensive, organization-wide digital approach, according to Cigref.
The association launched this document, developed with two peers: the AFAI-ISACA (Association française de l’audit et du conseil informatique; now ISACA France) and IFACI (Institut français de l’audit et du contrôle internes).
The integration of a maturity model
The initial version was published in 2011. The first update followed in 2019, still under the name GAGSI (guide for IT governance audit). It had notably added innovation culture and data management as vectors of analysis.
Cigref and its peers are releasing a new revision. It also adds an axis of analysis: CSR. More importantly, it focuses on the notion of “digital.” And it positions governance best practices at the level of the entire organization — not just the IT department. Hence the acronym MAGNum, standing for “maturity model and audit of digital governance.”
Earlier work had paved the way for this approach. It had enabled the classification of “best practices” for each vector by maturity levels. MAGNum adopts this system, but in a finer way, applying it to all the criteria that compose each best practice. The levels depend on the effort required to implement them. Cigref and its partners attach a measurement tool to it, with the consolidated score intended to yield a “maturity radar.”
Alongside the addition of CSR, the “risks” axis is enriched with compliance best practices and places greater emphasis on cybersecurity. AI is now spreading across all vectors, starting with the data-related one.
Movements in the lines, and their content too
From GAGSI to MAGNum, structural evolutions are numerous. The first axis (“Strategy”) provides a good illustration, with refinement, merging, division and the addition of criteria.
The first best practice — the CIO’s involvement in shaping the company’s strategy — remains. But the criterion for communicating the results of technology watch is split into two, corresponding to the implementation of the watch mechanism and the sharing of results.
In the MAGNum version, this same best practice gains additional criteria. On the one hand, translate the organization’s strategic plan into a digital roadmap. On the other, ensure that digital transformation topics enjoy sponsorship at the highest levels of the organization.
There are also additions to the best practice of integrating, in the digital portion of the strategic plan, the business and technological targets as well as the planning of the resources needed to achieve them. Notably, a criterion appears asking to describe the milestones on the path to the objectives. In parallel, MAGNum merges the criterion related to sourcing strategy into the one that calls for specifying the necessary resources.
To find criteria that MAGNum specifies, you can look at the communication section of the digital component. The novelty: a requirement to adapt this communication to target audiences. Another example of precision: the strategic IT governance body set up to validate this same component and monitor it. It will typically operate at the level of the executive management, but, if necessary, may be run by the management of the affected business unit.
Innovation: thinking about reprioritization mechanisms
The same kinds of structural changes show up on the second axis (“Innovation”). A case in point is the best practice regarding guiding efforts through an appropriate policy and governance. There is no longer talk of a single body responsible for the innovation effort, but of a structured set of activities, adaptable in various ways, more or less formal. MAGNum notes, in this regard, the closer alignment between IT and strategic marketing. This was not absent from GAGSI, but it appeared in another best practice.
With the disappearance of the criterion for the existence of said body, the associated responsibility suggestions shift to another criterion (clear definition of roles and responsibilities in the innovation policy).
From GAGSI to MAGNum, the notion of PMO (Product Management Office, meant to facilitate innovation through emerging technologies) also disappears (though it persists on the “Project Portfolio” axis). Meanwhile, the best practice related to communication and performance is split into two, to cover separately each aspect.
The best practice on agile handling of innovation initiatives hardly changes, except that it now includes the notion of reprioritization mechanisms, in a logic of budgetary flexibility.
A broader surface for cyber protection and compliance
GAGSI dedicated a best practice to identifying and documenting controls in applications. With MAGNum, it disappears… only to be integrated into another, new, one related to data protection.
Compliance now has its own specific best practice. This includes, among other things, drafting a charter, compliance by design, documenting gaps and reporting.
The same goes for protection against cyberattacks (identifying a CISO function, defining a PSSI, i.e. an information systems security policy, training and awareness, third-party tests and certifications, etc.). And for the protection of digital infrastructures (redundancy, backup policy, obsolescence and vulnerability management processes…).
In the section on “identification and assessment of risks,” GAGSI had a SOC sub-criterion. MAGNum does not, even though it includes the identification of sufficiently significant threats. Instead, it asks organizations to consider risks that impact their ecosystem, as well as the influence of their own internal evolutions.
As for the risk management framework, MAGNum, unlike GAGSI, mentions the aspect of professional certifications. It also specifies the need to integrate third-party risks into the risk map. And it cites more risk-referencing standards (ISO 31000, EBIOS RM, COSO ERM, NIST CSF, OCTAVE and MEHARI join Risk IT Framework, COBIT and ISO 27005).
IT for green and digital accessibility, new features in the 2026 version
The CSR axis is more concise than the previous ones. It includes 5 best practices:
- Governance
Sponsorship by the executive leadership for responsible digital, integration of the organization’s CSR policy into the digital strategy, a governance body for responsible digital initiatives…
- Awareness and training program
Responsible digital referees within business units, integrating this dimension into the skills sought in IT job candidates…
- Digital eco-design
Dedicated governance of the IT system’s ecological performance, actions dedicated to digital accessibility, support for business units in developing IT-for-green solutions…
- Policy of responsible digital procurement
Explicit CSR criteria in specs, preference for CSR-labeled or CSR-certified equipment, challenging suppliers on the end-of-life of equipment…
- The digital sector leads its contribution to the organization’s CSR
Data for AI… and AI for data
In the data component, GAGSI was organized around five best practices. Broadly, governance, valorization, security, regulation and ethics.
MAGNum splits the governance aspect into two best practices. In the first, it combines mapping and analysis of the value chain. In the second, it merges criteria for maintaining a repository and a data dictionary, as well as control of data quality. It adds a mention of AI, as it can be used to “make the governance process more efficient.”
A best practice remains dedicated to value creation, with two clarifications. First, initiatives may concern both structured and unstructured data. Second, measuring their effectiveness must include the use of AI engines (e.g., RAG).
The best practice on “securing” remains, but without the criterion of integrating the data dimension into the business continuity and disaster recovery (PCA/DR) plans.
Reflecting the new CSR axis and the compliance complement, regulation and ethics no longer have dedicated best practices. AI, on the other hand, now has its own, covering usage policy, specific criteria in investment decision processes, promotional actions, skills development and a roadmap for scaling up.