29 April, 2008

IT Governance, finally a worldwide recognition: ISO 38500

Finally, IT Governance will be recognised as a standard. We already had a series of ISO standards for various IT Governance domains, such as IT Service Management (ISO 20000), Security Management (ISO 27001) and Quality (ISO 9000), but recently the international organization recognized that a new standard would be well accepted. It will be named ISO 38500 and will cover corporate governance of information technology. This standard was originally defined as an Australian standard, AS8015, which by the way was the only alternative available.

AS8015 is (was?) intended to provide guiding principles to any organisation, from the smallest to the largest, including private and public (listed and unlisted) companies, not-for-profit organisations, associations, clubs and government agencies. This standard applies to just about any organisation, either because you are a supplier of ICT-related goods and services or, more simply, because you implement and use ICT in your business.

AS8015 provides six guiding principles for good corporate governance and the effective, efficient and acceptable use of ICT. The six principles (and examples of each) are:

1 Establish clearly understood responsibilities for ICT (eg, ensure individuals understand and accept their responsibilities)
2 Plan ICT to best support the organisation (eg, ensure ICT plans fit current and future needs and the organisation’s corporate plans)
3 Acquire ICT validly (eg, ICT acquisitions should be made for approved reasons and in the approved way; on the basis of ongoing analysis)
4 Ensure ICT performs well, whenever required (eg, ensure ICT is fit for its purpose and is responsive to changing requirements)
5 Ensure ICT conforms with formal rules (eg, ensure compliance with external regulations and internal policies and practices)
6 Ensure ICT use respects human factors (eg, ensure ICT meets the evolving needs of the ‘people in the process’)

The following ISO website used to be where the draft was located (different number) but if you want more information you may refer to


On the 26th of May, the standard will be launched in the Netherlands. As with any ISO standard, this will impact how IT departments are organized!


Anonymous said...

You're absolutely right: "finally".... For the last decade, the number of definitions and interpretations of IT Governance has been endless. This new ISO standard hopefully will provide an authoritative definition on what we will see as IT Governance.
One comment on your opening statement: a crucial design criterion of ISO38500 is the separation between governance and management - in that respect the standards you mention are NOT governance frameworks but management frameworks.
At the launch seminar, on 26 May at Amsterdam Airport, we'll elaborate on that difference in a practical way. More information on the standard and the launch: http://www.bita-center.com/ITgovernance_seminar

Jan van Bon

Anonymous said...

Hm... what about COBIT!?

Anonymous said...

Nice write up, will definitely be interesting to see the impact this has on IT departments. As someone else mentioned, "finally" is right!

MVeeraragaloo said...

Hi, I am excited about this new standard. I just need to know, in your opinion: how is this going to affect Enterprise Architecture moving forward?

MVeeraragaloo said...

Hi, I am excited about the launch of the ISO 38500 standard - it is long overdue.

In your opinion: How is this going to affect or change the face of Enterprise Architecture moving forward?

SP said...

Here in Britain I have attended an ISACA event where the standard was presented, and to be honest the presenter was not very enthusiastic about the standard itself. It was perceived that CobiT is covering a lot more ground and would therefore be more beneficial to aim at. However I still think it is good to have a standard, as it just elevates the whole topic to a different level - and I assume (not having compared the two, just basing it on the framework attitude of CobiT) that you can satisfy the requirements of ISO 38500 with implementing CobiT, just like you can satisfy the requirements of ISO 20000 with implementing ITIL.

Anonymous said...

Anonymous asks "what about COBIT"?

There is in my mind a place for both. ISO 38500 is a standard which specifies the minimum required for an organisation to do. COBIT provides a complete description of HOW IT governance can be done.

As an analogy, there are standards for sunglasses (in Oz AS/NZS 1337) but that doesn't specify style, colour, durability etc. It is great that there is a standard because it means that all sunglasses sold here are "safe", but it still doesn't specify everything that is desirable about a pair I might buy.

As an analogy closer to home, we have a standard for ITSM (ISO/IEC 20000) as well as a framework of good practice (ITIL V3). As an industry we should hope to comply with the standard by drawing on the body of good practice.

So we can expect that organisations seeking to comply with ISO 38500 will draw on COBIT, COSO, SOX, ITIL etc. to help with the practices that will achieve compliance.

Evita said...

Hello, thanks for this information. My blog doesn't speak about what I do, but I'm actually in Quality Assurance. But I am far left behind with ISO certifications.

Anyway, can I add your link in my blog?


A reflective voyageur on the Anisotropic Road said...

It would be interesting to see a stronger interface among the ISO Standards. Do you have views on how ISO 38500 and ISO 15489 interrelate? To me, it seems that the consciousness that derives from addressing 15489 is critical to effective adoption of 38500. Thoughts?

Peter said...

I mean, standards in IT organisation and process are OK.
But is this right (from my point of view): I didn't need a new ISO standard? Why? We have ISO 20000, 27001, ITIL, CMMI, CoBIT, PMI and so on...
I mean, corporate governance is enough to manage IT? IT follows the corporate, in strategy and in governance understanding - or not?

Regards from Munich,
Peter Bergmann

Anonymous said...

Your blog keeps getting better and better! Your older articles are not as good as newer ones; you have a lot more creativity and originality now. Keep it up!