CHAPTER 1: WHAT IS ISO/IEC 38500?

ISO/IEC 38500 is the international standard for the corporate governance of information and communication technology.

There are, broadly speaking, two types of standards[2]:

1. A specification that describes requirements that must be achieved (ISO 9001 and the Payment Card Industry Data Security Standard (PCI DSS), for example).

2. A code of practice, which is a set of guidelines and supporting information that describe best practice and provide advice on how something might be done (such as ISO 27002 or ITIL®).

A specification sets out clear requirements against which an audit can be carried out. Third-party certification schemes – such as the ISO/IEC 27001 certification scheme – are able to exist because an accredited certification body can carry out an audit against the requirements of the standard to establish whether or not the requirements are being met.

A code of practice, on the other hand, provides guidelines and advice on a given subject, and does not provide a framework against which an audit can be carried out. Organisations that use the standard can deploy any bit (or bits) of it they think appropriate, and in a way that they consider appropriate.

ISO/IEC 38500 is a code of practice that was jointly published by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) which, between them, form the system for worldwide standardisation. ISO/IEC 38500 was originally prepared by Standards Australia, the Australian national member of ISO, and had the number AS 8015:2005. It was adopted by ISO and IEC under a ‘fast track procedure’ in 2008 and published to the international community. The Standard was revised and updated in 2015.

ISO/IEC 38500 is a “high level, principles-based advisory standard”.[3] It provides “broad guidance on the role of a governing body, [and] it encourages organisations to use appropriate standards to underpin their governance of IT.”[4] ISO/IEC 38500 does not, in other words, replace those standards and frameworks (such as COBIT®, ITIL, ISO 27001, etc.) that an organisation may already have deployed for the better governance of its IT; what it does do is provide a coherent framework for ensuring that the board is appropriately involved.

ISO/IEC 38500 is divided into five chapters:

1. Scope

2. Terms and definitions

3. Benefits of Good Governance of IT

4. Principles and Model for Good Governance of IT

5. Guidance for the Governance of IT

It also has a foreword and an introduction, in which the process by which the Standard was created is outlined and the corporate governance context is described.

[2] ISO refers to Type A and Type B management system standards. Type A standards contain specifications and requirements (such as ISO 9001), and Type B standards provide guidelines and supporting advice (such as ISO 27002). The absence of ‘code of practice’ in the title of a given ISO standard (as with ISO 38500) does not imply a different classification.

[3] ISO/IEC 38500:2015, Introduction.

[4] Ibid.
