ISO/IEC 38500 for IT Governance – in 3 minutes


The basics

ISO/IEC 38500:2008 provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of IT within their organizations.

Target audience

Senior managers;  members of groups monitoring the resources within the organization; external  business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies; vendors of hardware, software,  communications and other IT products; internal  and external  service providers (including consultants); IT auditors.


ISO/IEC 38500:2008 is owned by the International Standards Organization (ISO) and the International Electro technical Commission (IEC). The standard helps to clarify IT governance from the top down by describing  it as the means of directors demonstrating to all stakeholders and compliance bodies their effective stewardship over IT resources by ensuring that an appropriate  governance and security framework exists for all IT activities by covering the following principles

The principles are:

  • Responsibility  – Employees  know their responsibilities  both in terms of demand and supply of IT and have the authority  to meet them.
  • Strategy – Business strategies should be aligned with IT possibilities, and all IT within an organization should support the business strategies.
  • Acquisition – all IT investments must be made on the basis of a business case with regular monitoring in place to assess whether  the assumptions still hold.
  • Performance – the performance of IT systems should lead to business benefits and therefore it is necessary that IT supports the business properly.
  • Conformance – IT systems should help to ensure that business processes  comply with legislation and regulations;  IT itself must also comply with legal requirements and agreed internal  rules.
  • Human  behavior – IT policies, practices  and decisions respects human behavior and acknowledges the needs of all the people in the process.

The standard consists of three parts: Scope, Framework and Guidance.

Scope and constraints

ISO/IEC 38500:2008 applies to the governance of management processes  (and decisions) relating to the information and communication services used by an organization. These processes  could be controlled by IT specialists within the organization or external service providers, or by business units within the organization. The standard is applicable  in all types of private and public and not-for-profit organizations independent of their size and form and regardless of the extent  of their use of IT.


The primary  advantage of the ISO/IEC 38500:2008 IT governance framework is to ensure that accountability is clearly assigned for all IT risks and activities. This specifically includes assigning and monitoring IT security responsibilities,  strategies and behaviors  so that appropriate measures and mechanisms are established  for reporting  and responding on the current  and planned use of IT – for example, meeting the latest data protection requirements for encryption  of all portable devices such as laptops and memory sticks used to store and transmit personal data.


  • Outsourcing: some requirements are so specific to the managers  of IT that they cannot be imposed on the managers  of the company if their IT is outsourced. In cases such as these, requirements will need to be secured in the contract  with the supplier of IT services.
  • Applying the standard in isolation: ISO 38500 is not ‘one size fits all’. It does not replace COBIT, ITIL, or other standards  or frameworks, but, rather,  it complements them by providing a demand-side-of-IT-use focus.

Leave a Reply

Your email address will not be published.