ISO/IEC 38500 – the new international standard for IT governance

Published: 6th July 2008

In the 21st century, IT governance has become a much-discussed topic amongst IT professionals. It is not that well understood by senior managers, company directors, board members and chairmen - which is a pity, because IT governance is a key topic for exactly these people.

The emergence of ISO/IEC 38500 - the international standard for the corporate governance of information and communication technology - puts boards around the world in a position from which they can take effective action to apply core governance principles to their information and communication technology.

ISO/IEC 38500 is an international standard that defines IT governance in an agreed, standardised way.

It is a 'high level, principles based advisory standard'. It provides 'broad guidance on the role of governing body, [and] it encourages organisations to use appropriate standards to underpin their governance of IT.' ISO/IEC 38500 does not, in other words, replace those standards and frameworks (such as CobiT, ITIL, ISO27001, etc) that an organisation may already have deployed for the better governance of its IT; what it does do is provide a coherent framework for ensuring that the board is appropriately involved in the effective governance of IT.

ISO/IEC 38500 is clear that governance is distinct from management. It identifies the role of an organisation's governing body, and aligns that with the governing body's role as described in the OECD Principles of Corporate Governance, as revised in 2004, and in the Cadbury Report on Corporate Governance of 1992.

The standard makes itself applicable to organisations of all sizes, regardless of purpose, design or ownership structure.


The standard aims to 'promote effective, efficient, and acceptable use of IT' in three ways:

1. Assuring stakeholders (which includes consumers and shareholders as well as employees and providers/vendors) that they can have confidence in the organisation's IT governance if the standard is followed;

2. Informing and guiding the directors in their IT governance activities; and

3. Providing a basis for objective evaluation of IT governance (and it is this clause that is particularly interesting to IT auditors).


ISO/IEC 38500 'establishes a model for the governance of IT' and helps directors find an appropriate balance between risk and reward in their stewardship of the organisation's IT investment - exactly the requirement of today's corporate governance regime.

The standard identifies two principal benefits that organisations can derive from following its guidance:

1. Conformance - directors who exercise proper IT governance are more likely to address specific IT-related risks and compliance requirements (and the standard provides a series of examples of these) in a way that enables them to demonstrate that their obligations have been met.

2. Directors, though, are not simply responsible for complying with legislation; they also have to take risks and deliver a financial return for their shareholders. Directors who apply the guidance of ISO/IEC 38500 are more likely to succeed at this than those who don't. Again, the standard identifies a number of ways in which IT can contribute positively to the performance of the organisation.

The three main tasks of directors in respect of IT are to:

1. Evaluate - the current and future use of IT;

2. Direct - plans and policies to ensure IT use meets business requirements; and

3. Monitor - to ensure that IT conforms to policies and performs against plans.

Each of these actions should be exercised across each of the six principles of good IT governance: responsibility, strategy, acquisition, performance, conformance and human behaviour.

A short article like this cannot give more than an introduction to the new standard; every IT professional should become familiar with the standard, which is available from national standards bodies and from
