International standard for IT Governance

The International standards organisation (ISO) has recently published an International Standard for the corporate governance of information technology.  This standard is the result of several months of work by the ICT Governance Study Group, within the bit of ISO known as ISO/IEC JTC1/SC7.  Although I was nominally a member of this working group (which meant that I got included in all the communications, drafts, meeting minutes, etc.), I have to admit that I was something of a “lurker”, mainly because this was my first involvement with ISO and I wanted to see how things worked before chipping in with my opinions.  I also couldn’t quite justify the time and expense of attending the occasional meetings, as they were held in Seoul, Moscow, Montreal, Berlin,…

Anyway, the group finally achieved a consensus from the representatives of the many national bodies involved, and the result is ISO/IEC 38500:2008.  The standard can be purchased in paper form or as a PDF download from the ISO web site; the price is 84 Swiss francs (about £42).  I’m not going to go into any great detail of the content of the standard here – you’ll have to invest your 84 Swiss francs to get the full thing, but I’ll give a very brief overview.

The document has 3 main sections.  The first explains the scope, application and objectives of the standard – what it is trying to achieve; the second describes a framework for good corporate governance of IT; and the third provides guidance on how the framework should be used for the corporate governance of IT.

The framework consists of a set of principles for good corporate governance of IT, and a model that indicates how the principles should be applied.  The six principles are:

  1. Responsibility.  To ensure that individuals and groups within an organisation understand and accept their responsibilities
  2. Strategy.  To ensure that the business strategy takes into account the current and future capabilities of IT
  3. Acquisition.  To ensure that IT acquisitions are made for valid reasons
  4. Performance.  To ensure that the IT services delivered are fit for purpose in supporting the organisation
  5. Conformance.  To ensure IT complies with all mandatory legislation and regulations
  6. Human Behaviour.  To ensure that policies, practices and decisions demonstrate respect for human behaviour

The model describes the 3 main tasks that directors should perform to govern IT:

  1. Evaluate the current and future use of IT
  2. Direct preparation and implementation of plans and policies
  3. Monitor conformance to policies and performance against the plan

The Guidance section of the standard describes how each of the 3 tasks is applied to each of the 6 principles in order to achieve good governance of IT.  This is the part that sets out in detail what should happen within an organisation in order to reach an acceptable level of governance of IT.  Although called a “standard”, the guidance is presented in terms of what “should” happen, and is therefore more a “code of practice” – a standard that could be certified against would use the term “shall” to indicate the activities that are mandatory.  Whether there will ever be a certification scheme for this standard is open to speculation – of course, I’ll keep my eyes and ears open on that subject.

My opinion of the standard is that it does what it claims to set out to do – to provide a framework of principles to assist directors of organisations in the achievement of good corporate governance of IT.  How useful it will be remains to be seen; I think the value of the standard will be in shaping the development of lower level standards and guidance, and it will only really come into its own when it can be mapped to practical “best practice” guidelines such as COBIT and ITIL.