The recent release of the new International Standard for IT governance has caught the attention of many organization owners and directors in the United States and abroad. ISO 38500 provides a framework of principles that directors can use to evaluate, direct and monitor the use of Information and Communication Technology (ICT) within an organization, so that ICT is used efficiently, effectively and acceptably in support of good corporate governance.
Being the first international IT governance standard of its kind, ISO 38500 is expected to have a significant impact on the management of information and its associated functions, because it directly addresses the governance of management decisions and processes relating to an organization’s information and communication services. The standard applies regardless of whether those processes are carried out by internal IT professionals, by external vendors, or by organizational units within the business itself.
ISO 38500 was developed using a number of different sources, the main source being AS 8015:2005, which describes six major principles that comprise the framework:
Principle 1: Responsibility: Establish clear and concise responsibilities for ICT
These responsibilities should be easy to understand and accepted by those who are in the position to implement effective decisions and appropriately use governance mechanisms.
Principle 2: Strategy: Create ICT plans that best support the organization
ICT plans should be written to conform to current and future needs of the organization. Examples of ICT plans include policies and procedures that ensure ICT facilities, programs, services, and data are protected from all forms of threats, whether external or internal, accidental or deliberate.
Principle 3: Acquisition: Acquire ICT for valid reasons
ICT-based solutions should be acquired for valid reasons, on the basis of appropriate and ongoing analysis, and should target specific business needs. Because business needs are ever-changing, ICT plans should be revalidated periodically to measure and ensure that IT has the capability, reliability and integrity to continue meeting the needs of the company.
Principle 4: Performance: Ensure ICT is suitable and functions as needed
ICT should conform to its specific purposes and be responsive to changes in the business environment. IT should be provided the capacity and the capability to support the business.
Principle 5: Conformance: Ensure ICT compliance
ICT should conform to internal policies and procedures as well as comply with external rules and regulations.
Principle 6: Human Behavior: ICT should account for human behavior
IT practices, policies and decisions should demonstrate respect for human behavior, including the current and ever-changing needs of all the “people in the process.”
The IT Governance Global Status Report – 2008, published by the IT Governance Institute, found that problems in IT persist and identified people as the most critical problem. The ISO 38500 framework addresses this human behavior factor directly through its sixth principle.
The release of ISO 38500 will certainly have a major impact on the IT governance front, much as Control Objectives for Information and Related Technology (COBIT) and the Information Technology Infrastructure Library (ITIL) have.