ISO/IEC 38500 is an international standard for Corporate governance of information technology published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. The standard is heavily based on the AS 8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology, originally published in January 2005.
The introduction of AS 8015 in 2005 brought about the first standard "to describe governance of IT without resorting to descriptions of management systems and processes." The 12-page document stood out and attracted the attention of the international community. The ISO/IEC technical committee JTC 1 reached out to Standards Australia, the group that pushed AS 8015 forward, and asked them to participate in the international adaptation process. A study group (WG25) was set up with individuals from all around the world participating, including co-chair Ed Lewis from Standards Australia. On February 1, 2007, the ISO/IEC published the first draft international standard (DIS) of the revised AS 8015 as ISO/IEC DIS 29382. The DIS then received "fast-track" status in July 2007 (meaning the draft standard could then be submitted for approval as an ISO standard), revisions of the document were made in September 2007, and the final disposition of comments was completed in January 2008, resulting in the standard being sent to the ISO/IEC Information Technology Task Force for international standards processing.
Depending on the source, shortly before final approval of the standard in either April or May 2008, the ISO/IEC chose to rename the document ISO/IEC 38500, before finally publishing the finalized version on June 1 as ISO/IEC 38500:2008.
On February 12, 2015, the ISO/IEC updated the standard to 38500:2015. Standards Australia described the changes as such:
With the evolution of thinking in the field of IT governance, ISO/IEC 38500 was revised in 2015. The main changes include the title of the standard, from Corporate Governance of IT to Governance of IT for the Organization, which reflects the wider applicability of the standard. Terminology and definitions have also been updated and refined throughout the document to reflect the widened scope and to make the standard more applicable across different international jurisdictions, cultures and languages.
In a February 2015 article submitted to Communications of the ACM, Juiz and Toomey (involved in the development process) highlighted this "wider applicability":
In the ISO/IEC 38500 model, the governing body is a generic entity (the individual or group of individuals) responsible and accountable for performance and conformance (through control) of the organization. While ISO/IEC 38500 makes clear the role of the governing body, it also allows that such delegation could result in a subsidiary entity giving more focused attention to the tasks in governance of IT (such as creation of a board committee). It also includes delegation of detail to management, as in finance and human resources. There is an implicit expectation that the governing body will require management establish systems to plan, build, and run the IT-enabled organization.
ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. It is organized into three prime sections: Scope, Framework and Guidance.
It also provides guidance to those advising, informing, or assisting directors.
AS 8015-2005: Australian Standard for Corporate Governance of Information and Communication Technology is a technical standard developed by Standards Australia Committee IT-030 and published in January 2005. The standard provides principles, a model and vocabulary as a basic framework for implementing effective corporate governance of information and communication technology (ICT) within any organization. The standard was the first "to describe governance of IT without resorting to descriptions of management systems and processes." AS 8105 later became the catalyst and main infrastructure for the creation of the international ISO/IEC 38500:2008 Information technology — Governance of IT for the organization standard.COBIT
COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework created by international professional association ISACA for information technology (IT) management and IT governance. COBIT provides an implementable "set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers."Corporate Governance of ICT
ICT governance is a term that has evolved out of use within the Australian government and formalised within the Australian standards community. The Australian Standard for Corporate Governance of Information and Communication Technology (ICT), AS8015, defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
AS8015 was fast tracked for International adoption and published as the International Standard ISO/IEC 38500 Corporate Governance of Information Technology May 2008.
ICT is an umbrella term that includes any communication device or application, encompassing: radio, television, cellular phones, computer and network hardware and software, satellite systems and so on, as well as the various services and applications associated with them, such as videoconferencing and distance learning.Corporate governance of information technology
Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system.
Historically, board-level executives deferred key IT decisions to the company's IT management and business leaders. Short-term goals of those responsible for managing IT can be in conflict with the best interests of other stakeholders unless proper oversight is established. IT governance systematically involves everyone: board members, executive management, staff, customers, communities, investors and regulators. An IT Governance framework is used to identify, establish and link the mechanisms to oversee the use of information and related technology to create value and manage the risks associated with using information and technology.
Various definitions of IT governance exist. While in the business world the focus has been on managing performance and creating value, in the academic world the focus has been on "specifying the decision rights and an accountability framework to encourage desirable behavior in the use of IT."The IT Governance Institute's definition is: "... leadership, organizational structures and processes to ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."AS8015, the Australian Standard for Corporate Governance of Information and Communication Technology (ICT), defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."Data governance
Data governance is a data management concept concerning the capability that enables an organization to ensure that high data quality exists throughout the complete lifecycle of the data. The key focus areas of data governance include availability, usability, consistency, data integrity and data security and includes establishing processes to ensure effective data management throughout the enterprise such as accountability for the adverse effects of poor data quality and ensuring that the data which an enterprise has can be used by the entire organization.
A data steward is a role that ensures that data governance processes are followed, guidelines enforced, and recommends improvements to data governance processes.ISO/IEC JTC 1/SC 40
ISO/IEC JTC 1/SC 40 IT Service Management and IT Governance is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 40 develops and facilitates the development of international standards, technical reports, and technical specifications within the fields of IT service management and IT governance, with a focus in IT activity such as audit, digital forensics, governance, risk management, outsourcing, service operations and service maintenance. The international secretariat of ISO/IEC JTC 1/SC 40 is Standards Australia (SA), located in Australia.List of International Organization for Standardization standards
This is a list of published International Organization for Standardization (ISO) standards and other deliverables. For a complete and up-to-date list of all the ISO standards, see the ISO catalogue.The standards are protected by copyright and most of them must be purchased. However, about 300 of the standards produced by ISO and IEC's Joint Technical Committee 1 (JTC1) have been made freely and publicly available.Service integration and management
Service Integration and Management (SIAM) is an approach to managing multiple suppliers of services (business services as well as information technology services) and integrating them to provide a single business-facing IT organisation. It aims at seamlessly integrating interdependent services from various internal and external service providers into end-to-end services in order to meet business requirements.
ISO standards by standard number