Article for SanDisk Newsletter
September 2008
ISO/IEC 38500, the global best practice standard for IT governance
IT governance is not that well understood by Board directors, executives and business owners – yet strict governance of the organisation’s IT practices is an increasingly important area of concern for exactly these people. The emergence of ISO/IEC 38500 – the international standard for the corporate governance of information and communication technology (‘ICT’) – puts Boards around the world in a position to deploy best practice in this area.
ISO/IEC 38500 (http://www.itgovernance.co.uk/products/1863) does not replace any existing standards or frameworks (such as CobiT, ITIL, ISO27001, etc) that an organisation may already have implemented; what it does provide is a coherent framework for the Board’s oversight of ICT strategy and projects.
ISO/IEC 38500 is clear that governance is distinct from management and, in this respect, is aligned with OECD Principles (2004) and the Combined Code. The standard is explicitly addressed to the governing body of an organisation. In smaller organisations, of course, the members of the governing body may also have management responsibility. In this way, the standard is applicable to all sizes of organisation, regardless of purpose, design or ownership structure.
The standard aims to ‘promote effective, efficient, and acceptable use of IT’ through assuring consumers and shareholders, as well as employees and suppliers, that they can have confidence in the organisation’s ICT. It also informs and guides directors in their ICT governance activities; and finally it provides a basis for objective evaluation of best practice.
Directors are not simply responsible for complying with legislation; they also have to take risks and deliver a financial return for their shareholders. In the public and not-for-profit sectors, they have to manage the costs of the organisation efficiently. Directors who apply the guidance of ISO/IEC 38500 are more likely to succeed at this than those who don’t. The standard identifies a number of ways in which ICT can contribute positively to performance.
The standard identifies six principles of good IT governance, and three main tasks for which directors are responsible. The principle of ‘Responsibility’ recognises that those responsible for IT must have the authority to perform the actions for which they are tasked. ‘Strategy’ recognises that an organisation’s business strategy should take into account current and future IT capabilities and, equally, that IT plans should reflect the requirements of the business strategy.
‘Acquisition’ is the principle that stakeholders should applaud, since it recommends that all IT investment decisions are clear and transparent.
Thirdly, ICT should be ‘fit for purpose’. ‘Performance’ is the fourth principle, and IT service management is one way of expressing this principle in action. ICT underpins financial accounting and the data on which the organisation’s survival depends; the principle of ‘Conformance’ requires the organisation to ensure compliance with all regulatory and contractual requirements. The sixth principle, ‘Human behaviour’, requires IT policies, practices and decisions to respect human behaviour, one of the defined terms in the standard.
The three core tasks of directors in respect of each of these principles are to evaluate the current and future use of ICT; to direct plans and policies so that ICT meets business requirements; and to monitor ICT to ensure conformance to policies and performance against plans.
A short article like this cannot give more than an introduction to the new standard; every Board director needs to be able to understand and demonstrate that ICT risks are managed and corporate objectives are supported and achieved. Becoming familiar with this standard is an important part of that process.
Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk), the one-stop-shop for IT governance information, books, tools, training and consultancy.