ISO 38500 for IT Corporate Governance

An inadequate information technology (IT) system can hinder the performance and competitiveness of your organization or expose it to the risk of non-compliance with legislation. The ISO 38500 standard provides broad guidance on the role of top management with regard to the corporate governance of IT.

Most organizations use IT as a fundamental business tool and few can function without it. IT is also a significant enabler in the future business plans of many organizations. ISO 38500 will help the governing body to evaluate, direct, and monitor the use of IT.

ISO/IEC 38500:2008, Corporate Governance of Information Technology, is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in their use of IT.

The framework comprises definitions, principles, and a model. It sets out six principles for good corporate governance of IT that express preferred behavior to guide decision making:

  • responsibility
  • strategy
  • acquisition
  • performance
  • conformance
  • human behavior

The purpose of the standard is to promote effective, efficient, and acceptable use of IT in all organizations by:

  • assuring stakeholders that, if the standard is followed, they can have confidence in the corporate governance of IT
  • informing and guiding directors in governing the use of IT in their organization
  • providing a basis for objective evaluation of the corporate governance of IT

This standard is targeted at the Board of an organization, to assist the Board in delivering the maximum value from IT and information assets across the organization.