ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations
(which can comprise owners, directors, partners, executive managers, or similar) on the effective,
efficient, and acceptable use of information technology (IT) within their organizations.
It also provides guidance to those advising, informing, or assisting governing bodies. They include
Members of groups monitoring the resources within the organization
External business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies
Internal and external service providers (including consultants)
ISO/IEC 38500:2015 applies to the governance of the organization's current and future use of IT including management processes and decisions related to the current and future use of IT. These processes can be controlled by IT specialists within the organization, external service providers, or business units within the organization.
ISO/IEC 38500:2015 defines the governance of IT as a subset or domain of organizational governance, or in the case of a corporation, corporate governance.
ISO/IEC 38500:2015 is applicable to all organizations, including public and private companies, government entities, and not-for-profit organizations. ISO/IEC 38500:2015 is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their use of IT.
The purpose of ISO/IEC 38500:20015 is to promote effective, efficient, and acceptable use of IT in all organizations by
Assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization's governance of IT,
Informing and guiding governing bodies in governing the use of IT in their organization, and
Establishing a vocabulary for the governance of IT
ISO 38500 —Why Another Standard?
IT is not getting sufficient coverage in the boardroom or at executive meetings. Discussions on IT are viewed as complex and are at the wrong level. There is a need to talk about the use of technology, not the technology itself, e.g., improved productivity as opposed to the latest version of technology. IT governance is also given lip service at higher levels in the organization. Even though the board and executives outwardly support IT governance initiatives, when it comes to funding, the answer is usually along the line of “Yes, we know we should do this; we just do not have the budget.”
Additionally, failures in projects and operational disruptions continue even though processes (developed using COBIT) or management tools are in place. Often, these failures can be directly attributed to poorly informed decisions made at the board or executive level. Business sees information technology as an IT department responsibility instead of as a corporate asset. ISO 38500 positions IT at a strategic level and looks at it from a demand standpoint (“how can we use IT?” rather than “how do we deliver IT?”). It also places emphasis on the board’s behavior around the use of IT.
ISO 38500 Vs. COBIT Vs. ITIL
ISO 385001 looks down from the top, much like a roof on a house. COBIT (the what) is the walls, and process frameworks such as ITIL and Projects in Controlled Environments 2 (PRINCE2) (the how) are the foundation. Using the house analogy, if the board tried to implement the roof, ISO 38500, without the foundation or walls, it would collapse. Furthermore, without the roof, enterprises would be exposed to the elements. ISO 38500 is not one size fits all. It does not replace COBIT, ITIL, or other standards or frameworks, but, rather, it complements them by providing a demand-side-of-IT-use focus.
Directors should govern IT through three main tasks:
1. Evaluate the current and future use of IT.
2. Direct preparation and implementation of plans and policies to ensure that the use of IT meets business objectives.
3. Monitor conformance to policies and performance against the plans.
The standard sets out six principles for good corporate governance of IT. The principles express preferred behavior to guide decision making. The statement of each principle refers to what should happen, but does not prescribe how, when or by whom the principles would be implemented; these aspects are dependent on the nature of the organization implementing the principles. It is similar to a capability maturity model description of an ideal state.
Each of the principles is then tied into the model to provide a best practice for each principle
As ISO 38500 is driven from the top down, IT departments need to make sure that they are ready for the new demands the board will pose (e.g., performance measurements, clear governance mechanisms). Initially, an assessment of readiness from an IT point of view would be a good idea so that the department is not found wanting, should the board adopt the standard. In principle, if COBIT maturity is high for governance processes, e.g., PO1, PO4, ME1, ME4, the department should be in a good position. These processes were chosen because they deal mostly with governance and provide a link to ISO 38500. It would be a good idea to develop a checklist using COBIT to address the six principles of ISO 38500. The IT director should understand the requirements of ISO 38500 and begin driving the readiness.
ISO/IEC 38500 for Governance of IT for the organization
ISO/IEC 38500 Available Course