ISO/IEC 38500:2024 Information technology — Governance of IT for the organization applies to the governance of the organization’s current and future use of IT, including the management processes and decisions related to its use. Such processes can be controlled by IT specialists or business units within the organization, or by external service providers.
What is its purpose?
The standard utilizes three tools for the governing body and associated governance and management practices to achieve good governance of IT:
- principles for the governance of IT — applying these principles to the responsible and strategic use of IT can lead to an organization that is more agile and adaptive;
- model for the governance of IT — the model shows the main governance tasks and interactions throughout the organization, leading to a clarity of decision-making and responsibilities for all aspects of the use of IT;
- framework for the governance of IT — the framework describes the elements through which the organization’s governance of IT arrangements operate, which helps to ensure the critical actions of governance are considered and applied to the use of IT by the organization.
Who should use the standard?
ISO/IEC 38500 provides guiding principles for members of governing bodies of organizations on the effective, efficient, and acceptable use of information technology (IT) in their organizations. It also provides guidance to those advising, informing, or assisting governing bodies including:
- executive managers;
- members of groups monitoring the resources within the organization;
- external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
- internal and external service providers (including consultants);
- auditors.
What does it cover?
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Good governance of IT
4.1 Outcomes of good governance of IT
4.2 Principles, model and framework
5 Principles for the governance of IT
5.1 Overview
5.2 Purpose
5.3 Value generation
5.4 Strategy
5.5 Oversight
5.6 Accountability
5.7 Stakeholder engagement
5.8 Leadership
5.9 Data and decisions
5.10 Risk governance
5.11 Social responsibility
5.12 Viability and performance over time
6 Model for the governance of IT
6.1 Introduction
6.2 Governance of IT practice
6.3 Management of IT practice
6.4 Framework for the governance of IT
7 Framework for the governance of IT
7.1 General
7.2 Elements of the framework
What are the steps in applying ISO/IEC 38500?
Applying governance of IT in accordance with ISO/IEC 38500 involves several key steps.
1. Establish the Governance Framework
Begin by establishing a governance framework that aligns with the principles outlined in ISO/IEC 38500. This involves defining roles, responsibilities, and decision-making processes related to IT governance.
2. Define Objectives and Strategy
Clearly define the objectives and strategy for IT governance, ensuring alignment with the overall objectives and strategy of the organization. This involves identifying the IT-related goals, risks, and opportunities that need to be addressed.
3. Assign Accountability
Assign clear accountability for IT governance at all levels of the organization, including the governing body, executive management, and IT management. Ensure that roles and responsibilities are well-defined and understood.
4. Establish Policies and Procedures
Develop and implement policies and procedures that support the governance of IT, covering areas such as risk management, compliance, security, and decision-making processes. These policies should be in line with the principles and guidelines of ISO/IEC 38500.
5. Implement Controls and Measures
Implement controls and measures to monitor and evaluate the effectiveness of IT governance processes. This may include performance indicators, audits, and reviews to ensure compliance with policies and objectives.
6. Provide Resources and Support
Allocate the necessary resources and support for the implementation of IT governance initiatives. This includes providing training and development opportunities for staff involved in IT governance roles.
7. Communicate and Educate
Communicate the importance of IT governance throughout the organization and provide education and awareness programs to ensure that stakeholders understand their roles and responsibilities.
8. Monitor and Review
Continuously monitor and review the effectiveness of IT governance practices, making adjustments as necessary to ensure ongoing improvement. This includes regular reviews of policies, procedures, and performance indicators.
9. Manage Stakeholder Relationships
Foster positive relationships with stakeholders, including senior management, board members, employees, customers, and suppliers, to ensure alignment and support for IT governance initiatives.
10. Continual Improvement
Ensure there is a culture of continual improvement within the organization, where lessons learned are used to enhance IT governance practices over time. This aligns with the principle of continual improvement outlined in ISO/IEC 38500.
Some further words of advice…
By following these steps, organizations can effectively implement governance of IT in conformity with ISO/IEC 38500, leading to improved decision-making, risk management, and overall performance of IT within the organization.
ISO/IEC 38500 can be purchased through the ISO.org website.