ISO/IEC 38500 is an

international standard international standard is a technical standard developed by one or more international standards organization, standards organizations. International standards are available for consideration and use worldwide. The most prominent such organization ...

for

Corporate governance of information technology Information technology (IT) governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizati ...

published jointly by the

International Organization for Standardization The International Organization for Standardization (ISO ) is an international standard development organization composed of representatives from the national standards organizations of member countries. Membership requirements are given in A ...

(ISO) and the

International Electrotechnical Commission The International Electrotechnical Commission (IEC; in French: ''Commission électrotechnique internationale'') is an international standards organization that prepares and publishes international standards for all electrical, electronic and ...

(IEC). It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. The standard is heavily based on the AS 8015-2005 ''Australian Standard for Corporate Governance of Information and Communication Technology'', originally published in January 2005.

History

The introduction of AS 8015 in 2005 brought about the first standard "to describe governance of IT without resorting to descriptions of management systems and processes." The 12-page document stood out and attracted the attention of the international community. The ISO/IEC technical committee JTC 1 reached out to

Standards Australia Standards Australia is a standards organisation established in 1922 and is recognised through a Memorandum of Understanding (MoU) with the Australian government as the primary non-government standards development body in Australia. It is a com ...

, the group that pushed AS 8015 forward, and asked them to participate in the international adaptation process. On 1 February 2007 the ISO/IEC published the first draft international standard (DIS) of the revised AS 8015 as ISO/IEC DIS 29382. The DIS then received "fast-track" status in July 2007 (meaning the draft standard could then be submitted for approval as an ISO standard), revisions of the document were made in September 2007, and the final disposition of comments was completed in January 2008, resulting in the standard being sent to the ISO/IEC Information Technology Task Force for international standards processing. Depending on the source, shortly before final approval of the standard in either April or May 2008, the ISO/IEC chose to rename the document ISO/IEC 38500, before finally publishing the finalized version on 1 June as ISO/IEC 38500:2008.

Updates to the standard

On 12 February 2015 the ISO/IEC updated the standard to 38500:2015. Standards Australia described the changes as such:

With the evolution of thinking in the field of IT governance, ISO/IEC 38500 was revised in 2015. The main changes include the title of the standard, from ''Corporate Governance of IT'' to ''Governance of IT for the Organization'', which reflects the wider applicability of the standard. Terminology and definitions have also been updated and refined throughout the document to reflect the widened scope and to make the standard more applicable across different international jurisdictions, cultures and languages.

In a February 2015 article submitted to ''Communications of the ACM'', Juiz and Toomey (involved in the development process) highlighted this "wider applicability":

In the ISO/IEC 38500 model, the governing body is a generic entity (the individual or group of individuals) responsible and accountable for performance and conformance (through control) of the organization. While ISO/IEC 38500 makes clear the role of the governing body, it also allows that such delegation could result in a subsidiary entity giving more focused attention to the tasks in governance of IT (such as creation of a board committee). It also includes delegation of detail to management, as in finance and human resources. There is an implicit expectation that the governing body will require management establish systems to plan, build, and run the IT-enabled organization.

The standard

ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of

Information Technology Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of data . and information. IT forms part of information and communications technology (ICT). An information technology syste ...

(IT) within their organizations. It is organized into three prime sections: Scope, Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT: * Responsibility * Strategy * Acquisition * Performance * Conformance * Human behavior It also provides guidance to those advising, informing, or assisting directors.

References

{{DEFAULTSORT:ISO IEC 38500 Corporate governance in Australia Information technology governance #38500

History

Updates to the standard

The standard

See also

References