ISO/IEC 38500 - IT Governance

Governance, Risk & Compliance

ISO/IEC 38500:2015 - IT Governance provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations. It also provides guidance to those advising, informing, or assisting governing bodies. They include the following:

• executive managers;
• members of groups monitoring the resources within the organization;
• external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
• internal and external service providers (including consultants);
• auditors.

ISO/IEC 38500:2015 applies to the governance of the organization's current and future use of IT including management processes and decisions related to the current and future use of IT. These processes can be controlled by IT specialists within the organization, external service providers, or business units within the organization.

ISO/IEC 38500:2015 defines the governance of IT as a subset or domain of organizational governance, or in the case of a corporation, corporate governance.

Principles of ISO/IEC 38500:2015 IT Governance

• Establish responsibilities
• Plan to best support the organisation
• Make acquisitions for valid reasons
• Ensure necessary levels of performance
• Ensure conformance with rules
• Ensure respect for human factors

This Standard originated from an existing Australian standard, AS8015. ISO/IEC 29382, Corporate Governance of Information and Communication Technology, was first published early in 2007 and was officially re-named ISO/IEC 38500 in 2008.