ISO 38500

ISO/IEC 38500 is the international standard for the corporate governance of information technology. The current edition is ISO/IEC 38500:2015; it is available for purchase from ISO and national standards bodies.

The standard applies to the governance of the management processes and the information and communication services used by an organisation: it is aimed at the governing body (directors and equivalent), not at the people who run IT day to day. ISO/IEC 38500 - The IT governance standard Pocket Guide will help you to understand the standard and the wider topic of IT governance.

The standard has its origins in the 2005 Australian standard AS 8015, Corporate Governance of Information and Communication Technology. AS 8015 was fast-tracked through ISO and published as ISO/IEC 29382 in 2007; it was renumbered and republished as ISO/IEC 38500 in 2008, and revised in 2015.

ISO/IEC 38500 defines the following six principles of IT governance (the standard's own short names are given in brackets):

  • Establish responsibilities for IT and ensure that those responsible have the authority to act (Responsibility)
  • Plan to best support the organisation's current and future needs (Strategy)
  • Acquire validly, on the basis of appropriate and ongoing analysis (Acquisition)
  • Ensure performance when required, so that IT supports the organisation (Performance)
  • Ensure conformance with mandatory legislation, regulation and internal policy (Conformance)
  • Ensure respect for human factors in IT policies, practices and decisions (Human Behaviour).

Implementing ISO 38500

The Calder-Moir IT Governance Framework offers structured guidance on how to approach this complex subject, and provides a useful tool for benchmarking the balance and effectiveness of IT governance practices within an organisation. The IT Governance Toolkit also provides practical assistance and guidance for practitioners and board members who are tackling the subject.

The overarching scope of the Calder-Moir IT Governance Framework is depicted in a diagram on the original page (not reproduced here).

We have developed the IT Governance Framework Toolkit as a documentation tool to help you implement the Calder-Moir framework cost-effectively and align your management systems to ISO/IEC 38500.

Containing pre-written documents, this toolkit provides a single framework within which to integrate and manage all of your management systems, e.g. COBIT®, ITIL®, ISO/IEC 27001 and ISO/IEC 27002, ISO/IEC 20000, PRINCE2®, PMBOK®, King III, TOGAF® and many more.

Sub-domains of IT Governance

Broadly speaking, the frameworks most often used to implement IT governance are ITIL, COBIT, ISO/IEC 27002 and King III.

These are four widely recognised, vendor-neutral, third-party frameworks that are often described as 'IT governance frameworks'. None of them is completely adequate to that task on its own, but each has significant IT governance strengths.

  • ITIL, or IT Infrastructure Library®, was developed by the UK government (originally by the CCTA, later the Office of Government Commerce; it is now owned by AXELOS) as a library of best-practice processes for IT service management. Widely adopted around the world, ITIL is supported by ISO/IEC 20000, the service management standard against which an organisation's service management system can be independently certified.
  • COBIT, or Control Objectives for Information and related Technology, was developed by ISACA and its research affiliate, the IT Governance Institute (ITGI). At the time of writing it is in version 5 (COBIT 5 has since been superseded by COBIT 2019). COBIT is increasingly accepted as good practice for control over information, IT and related risks. COBIT's Management Guidelines component provides a framework for the control and measurability of IT, with tools to assess and measure the enterprise's IT capability across the 37 processes identified in COBIT 5. Governance of the Extended Enterprise, published by the IT Governance Institute, explores how some of the world's most successful enterprises have integrated information technology with business strategies, culture and ethics to optimise information value, attain business objectives and capitalise on technologies in highly competitive environments.
  • ISO/IEC 27002 is the code of practice for information security controls that supports ISO/IEC 27001, the global best-practice standard for information security management systems; ISO/IEC 27001 is the standard against which an organisation can be certified.
  • King III is a set of corporate governance principles intended to improve the effectiveness of a company's performance. It was compiled by the King Committee in response to the South African Companies Act 71 of 2008. King III is not itself legislation: it operates on an 'apply or explain' basis, although compliance is required of companies listed on the Johannesburg Stock Exchange through its listing requirements. It represents a significant milestone in the evolution of corporate governance, and is notable for treating IT governance as a board responsibility.

The four frameworks above are best-practice approaches to regulatory and corporate governance compliance. Many organisations have trouble implementing a single framework that integrates all four. The IT Governance Institute (ITGI), the owner of COBIT, has, with AXELOS, the owner of ITIL, put together a recently released Joint Framework, which is a good step in the right direction. The Joint Framework simplifies the planning process for implementing more than one of these frameworks, and provides a detailed mapping between the clauses of each.

Some of the key sub-domains of IT governance are:

  • Business continuity and disaster recovery
  • Enterprise Architecture
  • Regulatory compliance
  • Information governance and information security
  • IT Service Management, including ITIL® and Service Level Management
  • Knowledge Management, including Intellectual Capital
  • Leadership skills
  • Project governance
  • Risk management
