ISO 38500 for IT Governance
ISO 38500 for the Design and Implementation of IT Governance
If you think about IT governance you are usually confronted with COBIT 5 and other already established frameworks. Alongside these, ISO has tried to establish general IT governance principles that best support the business and its governance infrastructure. This post is a brief summary of the main concepts and principles of ISO 38500.
ISO 38500 – IT Management Principles
ISO 38500 emerged from the publication “AS 8015-2005 Governance of Information and Communication Technology” by the Australian standards body Standards Australia. In a so-called fast-track procedure this document was adopted as ISO 38500 with only minor changes in May 2008.
What is the intention of this IT governance standard? Today, in many companies IT plays a fundamental role in reaching overall business objectives. Accordingly, IT expenditure often makes up a considerable portion of an organization's total resources. However, the impact of IT performance on overall performance is often completely ignored or only partially understood. One reason for this is that the place IT occupies in the big business picture is nebulous to many. This is where ISO 38500 comes in: a framework of guidelines and principles that puts the emphasis on the business context of IT. The standard is directed at executives who are responsible for managing IT processes as well as their advisors (e.g. IT auditors, controllers, specialists, vendors etc.); it is applicable to all kinds of private and public organizations, independent of their size and form.
Goals and guiding principles of ISO 38500
The overall objective of ISO 38500 is to provide top managers with a framework of principles for evaluating, directing and monitoring the use of information technology in their organizations, thereby promoting IT performance and acceptance. Moreover, ISO 38500 aims to foster the confidence of all stakeholders in their IT processes and to provide an objective basis for the evaluation of IT governance measures. The standard delivers a model that helps executives structure the task of managing IT and equips them with a standardized IT terminology. This increased order in turn helps managers meet their IT-related obligations (e.g. legal compliance, record keeping, IT security etc.). Finally, a major benefit of ISO 38500 lies in its ability to integrate IT goals with overall business goals, thereby ensuring that IT works towards the right end.
Essentially, ISO 38500 consists of six guiding principles for good corporate governance of IT:
- Responsibility – Employees know their responsibilities both in terms of demand and supply of IT and have the authority to meet them.
- Strategy – Business strategies take into account IT resources & capabilities and IT strategies are aligned with business strategies.
- Acquisition – IT acquisition decisions are taken in a reasoned and transparent way; short-term and long-term costs, risks and benefits are weighed against each other.
- Performance – The purpose of IT is to serve the business. It is fit to meet current and future needs.
- Conformance – IT complies with legislation and regulations. Policies and practices are clearly defined and implemented.
- Human behavior – IT policies, practices and decisions show respect for human behavior and the needs of all the ‘people in the process’.
The Model of ISO 38500
According to ISO 38500, IT governance comprises three essential tasks: to evaluate, to direct and to monitor. In working out each of the six principles listed above, executives have to perform all three of these tasks, so that implementing the human behavior principle, for example, would require evaluating, directing and monitoring:
Evaluate
Generally, managers should continually examine and assess the current and future use of IT as well as strategies, proposals and sourcing issues. In doing so, external factors such as economic or social trends and the development of business needs must be considered. In relation to the human behavior principle this means that managers evaluate IT activities with respect to desired human behaviors, e.g. an open approach to communication between IT specialists and the users of IT in organizations.
Direct
In general, managers should assign responsibilities for, and direct, the preparation and implementation of plans and policies. While plans set the direction for IT investments, policies define the way employees should behave in their use of IT. In directing, managers must ensure that when projects are implemented their impact on the business and on common practice is taken into account. With regard to the human behavior principle, managers would, for example, direct that IT activities are consistent with the desired behaviors.
Monitor
In order to measure actual IT performance against planned performance, especially with regard to business objectives, appropriate measurement systems must be in place. Additionally, managers must make sure that IT conforms to external regulations and internal policies. For example, managers could ensure that attention stays focused on the desired human behaviors.

The combination of the six guiding principles listed above with these three simple activities constitutes the ISO 38500 framework. This simple, straightforward approach makes ISO 38500 a powerful and widely applicable framework for governing IT in organizations. Its focus on linking IT performance to overall business performance makes ISO 38500 an effective instrument for IT top management. A great benefit of ISO 38500 is that it directs your attention to a very wide range of topics and helps structure reflection on IT management in the organization, rather than providing a ready-to-use framework. This gives the ISO 38500 principles an advantage over other already established and well-known frameworks and their respective procedures and principles. We would strongly recommend using this standard as a basis and pool of knowledge if you are thinking about introducing or changing your IT governance framework.