ISO/IEC 38500

ISO/IEC 38500: The IT Governance Standard

ALAN CALDER
Copyright Date: 2008
Published by: IT Governance Publishing
Pages: 49
https://www.jstor.org/stable/j.ctt5hh518
    Book Description:

    ISO/IEC38500 is the international standard for the corporate governance of information and communication technology. The purpose of the standard is to create a framework to ensure that the Board is appropriately involved in the governance of the organisation's IT. The standard sets out guiding principles for directors on how to ensure the effective, efficient and acceptable use of IT within their company. This useful pocket guide provides an account of the scope and objectives of the standard. It outlines the standard's six core principles, sets out the three major tasks that the standard assigns to directors regarding IT, and explains the interrelationship between the two. The guide also offers advice on how to set up and implement the IT governance framework.

    eISBN: 978-1-905356-58-4
    Subjects: Technology, Business

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. ABOUT THE AUTHOR
    (pp. 5-6)
  3. ACKNOWLEDGEMENTS
    (pp. 6-6)
  4. Table of Contents
    (pp. 7-7)
  5. INTRODUCTION
    (pp. 8-9)

    In the twenty-first century, IT governance has become a much-discussed topic among IT professionals. It is not well understood by senior managers, company directors, board members and chairmen – which is a pity, because IT governance is a key topic for exactly these people,

    In IT Governance: Guidelines for Directors, I wrote:

    In today’s corporate governance environment, where the value and importance of intellectual assets are significant, boards must be seen to extend the core governance principles – setting strategic aims, providing strategic leadership, overseeing and monitoring the performance of executive management and reporting to shareholders on their stewardship of...

  6. CHAPTER 1: WHAT IS ISO/IEC 38500?
    (pp. 10-11)

    ISO/IEC 38500 is an international standard for the corporate governance of information and communication technology.

    There are, broadly speaking, two types of standards:

    • a specification, which describes exactly how something must be done (ISO 9001 is an example of this);

    • a Code of Practice, which is a set of guidelines that describe best practice and provide advice on how something might be done (ITIL™ is an example of this).

    A specification sets out clear requirements against which an audit can be carried out and third-party certification schemes – such as the ISO/IEC 27001 certification scheme, for instance – are able to exist...

  7. CHAPTER 2: THE CORPORATE GOVERNANCE CONTEXT
    (pp. 12-14)

    ISO/IEC 38500 is clear that governance is distinct from management. It identifies the role of an organisation’s governing body, and aligns that with the governing body’s role as described in the OECD Principles of Corporate Governance, as revised in 2004, and in the Cadbury Report on Corporate Governance of 1992.

    ‘Corporate governance could be thought of as the combined statutory and non-statutory framework within which boards of directors exercise their fiduciary duties to the organisations that appoint them.’³

    The term ‘corporate governance’ first gained prominence⁴ when used by Robert Tricker in The Independent Director. In Corporate Governance (1984) he described...

  8. CHAPTER 3: SCOPE, APPLICATION AND OBJECTIVES
    (pp. 15-18)

    This chapter deals with the scope, application and objectives of ISO/IEC 38500. It also sets out some of the benefits of using the standard in terms of the conformance and performance of the organisation. It further provides a set of definitions, some of which are drawn from ISO Guide 73:2002 (Risk Management – Vocabulary – Guidelines for Use in Standards).

    As might be expected, the scope of the standard is ‘the governance of management processes (and decisions) relating to the information and communications processes used by an organisation’.⁶ The standard recognises that these processes could be controlled by one of...

  9. CHAPTER 4: FRAMEWORK FOR GOOD IT GOVERNANCE
    (pp. 19-23)

    This, the second chapter of ISO/IEC 38500, contains the meat of the matter, the most important part of the standard, and the core of the standard’s concept of IT governance. It identifies six principles of good IT governance, and three main tasks for which directors are responsible.

    The six principles – which are intended to guide decision making – of good IT governance are:

    1. Responsibility
    2. Strategy
    3. Acquisition
    4. Performance
    5. Conformance
    6. Human behaviour.

    The principle of Responsibility recognises that those responsible for IT within organisations must have the authority to perform the actions for which they...

  10. CHAPTER 5: IMPLEMENTING THE SIX IT GOVERNANCE PRINCIPLES
    (pp. 24-29)

    The third chapter of ISO/IEC 38500 describes how the three actions intersect with the six principles; it provides, if you will, guidance on how the six principles are to be implemented, by applying the three actions in each case. Of course, none of this is intended to be exhaustive, and each organisation is encouraged to give ‘due consideration’ to its own nature and make an ‘appropriate analysis of the risk and opportunities for the use of IT’....

  11. CHAPTER 6: ISO/IEC 38500 AND THE IT STEERING COMMITTEE
    (pp. 30-33)

    ISO/IEC 38500 is a principles-based standard. It describes what directors should do, but does not provide guidance on how they should go about implementing an IT governance framework.

    The board, in effect, needs to create a mechanism through which it can exercise its IT governance responsibilities and provide the business with technology leadership. The most effective way of doing this is through the creation of a standing board IT committee. Technology or IT leadership requires a specific mechanism of this sort, in a way that, for instance, neither HR (Human Resources) nor Sales do, for two reasons.

    HR, sales, marketing,...

  12. CHAPTER 7: PROJECT GOVERNANCE
    (pp. 34-37)

    It may seem unusual, in a pocket guide on the international IT governance standard, to have a chapter on project governance. Effective project governance, though, is one of the areas in which ISO/IEC 38500 can have the most immediately beneficial impact.

    Organisations continuously upgrade their IT systems or deploy new systems to improve customer service, reduce cost, improve product or service quality, and to deliver new products, services and business models. These deployments often involve strategic risk for the organisation; they always involve operational risk.

    Risk management is a board responsibility and, therefore, project governance – from inception through to...

  13. CHAPTER 8: OTHER IT GOVERNANCE STANDARDS AND FRAMEWORKS
    (pp. 38-41)

    ISO/IEC 38500 is an overarching framework of principles and guidance for the directors of an organisation. It deals with the governance of IT, not its management.

    A number of frameworks and standards have evolved over the last 20 years that do provide detailed guidance and support for specific areas of IT activity for which the board is responsible. Each of these frameworks has its own strengths and weaknesses and each is capable of being used on its own, or in conjunction with one or more of the other frameworks; all can be used within an ISO/IEC 38500 IT governance framework....

  14. CHAPTER 9: THE CALDER–MOIR FRAMEWORK
    (pp. 42-47)

    The Calder–Moir IT Governance Framework²⁷ (see Figure 2) is a straightforward framework that helps identify how each of the available standards can be co-ordinated within an organisation’s IT governance framework.

    Most of the IT-related disciplines offer solutions and tools that can help with IT governance, but most of them are very detailed, and have narrow scopes. No single tool provides a full picture of IT governance, and collectively they can provide a confusing picture that hinders the purpose of IT governance, which is to equip boards with information and levers for directing, evaluating and monitoring how well IT supports...

  15. ITG RESOURCES
    (pp. 48-49)