ISO/IEC 38500 is an updated version of the Australian Standard AS8015, which was published in 2005. The updates arose from critical review by the many national standards bodies that participated in the formal ballot for adoption of the standard.

In its revised form, the standard expresses six principles for good governance of IT use:
Responsibility;
Strategy;
Acquisition;
Performance;
Conformance; and
Human Behaviour.

It is intended to guide the behaviour of the organisation, and thus provides a lens or framework through which that behaviour can be evaluated.

Leading academic and researcher Peter Weill suggested that behaviour is a significant problem when he reported that, although formal systems of governance may be defined, many managers do not follow the prescribed system. ISO/IEC 38500 makes it clear that this is not acceptable – the Responsibility, Conformance and Human Behaviour principles being the relevant ones.

Because ISO/IEC 38500 establishes principles to guide the behaviour of organisations, it complements frameworks that focus on process, such as ITIL and COBIT. Thus, with the right frameworks or processes, complemented by the right behaviours, organisations are more likely to establish highly effective systems of governance.

The standard does describe three fundamental tasks that must be implemented in the governance system – but it does so at a much higher level than one finds in the available frameworks. The key tasks are simply to evaluate, direct and monitor the current and future use of IT in achieving the organisation’s goals. Describing the tasks in this way provides a way of engaging the governing body – the board of directors – when many of the classical IT processes are too detailed to suit the role of the directors.

The ISO/IEC 38500 standard makes no reference to frameworks such as ITIL and COBIT. This ensures that it is not seen as prescribing any specific model – recognising that many can work well if the governance system is well designed. But it also does not prevent the use of any framework – indeed, it specifically acknowledges that organisations should select appropriate frameworks.