Information technology — Governance of IT — Application of ISO/IEC 38500 to the governance of IT enabled investments

This document provides guidance on governance of IT enabled investments to the governing body of all forms of organizations, whether private, public or government entities, and will equally apply regardless of the size of the organization or its industry or sector. The terms business and business outcome throughout this document include all forms of organization covered by this document. The document also provides guidance to other parties interacting with governing bodies such as project personnel, accountants, management consultants, investment portfolio managers and governance support staff. IT enabled investments within the scope of this document could be investments of any scale from acquiring businesses to any business change incorporating IT, building new business services or addressing effectiveness and efficiency gains in IT operational services to gain competitive edge, whether those services are internal or provided by external parties. Resource allocation for strategic innovation is addressed by providing guidance to the governing body's decision for investment resource allocation between short-, medium- and long-term innovation projects. This document also provides guidance that can be applied in the due diligence process related to business acquisitions. This document may provide guidance on the application of the principles documented in ISO/IEC 38500 for ranking IT enabled investments including assessing the value and risks of IT elements in the context of investment banking or as performed by investment companies. This document does not prescribe or define specific management practices required for IT enabled investments. ISO/IEC TS 38501 contains guidance on the implementation arrangement for the effective governance of IT in general. The constructs in ISO/IEC TS 38501 can help to identify internal and external factors relating to the governance of IT and to define beneficial outcomes and identify evidence of success. ISO/IEC TR 38502 contains guidance on the integration between the governing body and management of an organization in general. This document is written in accordance with the principles of ISO/IEC TR 38504:2016.

Technologies de l'information — Gouvernance des technologies de l'information — Application de l'ISO/IEC 38500 à la gouvernance des investissements reposant sur les technologies de l’information

General Information

Status
Published
Publication Date
18-Feb-2020
Current Stage
6060 - International Standard published
Start Date
19-Feb-2020
Completion Date
19-Feb-2020
Ref Project

Buy Standard

Standard
ISO/IEC 38506:2020 - Information technology -- Governance of IT -- Application of ISO/IEC 38500 to the governance of IT enabled investments
English language
14 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 38506
First edition
2020-02
Information technology —
Governance of IT — Application of
ISO/IEC 38500 to the governance of IT
enabled investments
Technologies de l'information — Gouvernance des technologies de
l'information — Application de l'ISO/IEC 38500 à la gouvernance des
investissements reposant sur les technologies de l’information
Reference number
ISO/IEC 38506:2020(E)
ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC 38506:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 38506:2020(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Good governance of IT enabled investments .......................................................................................................................... 2

4.1 Benefits of good governance of IT enabled investments .................................................................................... 2

4.2 Focus on value ......................................................................................................................................................................................... 2

4.3 Accountability of the governing body ................................................................................................................................. 3

5 The model for good governance of IT enabled investments ................................................................................... 4

5.1 The model for good governance applied to the governance of IT enabled investments......... 4

5.1.1 Evaluate ................................................................................................................................................................................... 5

5.1.2 Direct .......................................................................................................................................................................................... 5

5.1.3 Monitor ...................................................................... ............................................................................................................... 6

6 Principles for governance of IT enabled investments ................................................................................................... 6

6.1 General ........................................................................................................................................................................................................... 6

6.2 Principle 1 — Responsibility ...................................................................................................................................................... 7

6.2.1 Applying the principle ................................................................................................................................................. 7

6.2.2 Implications for the governing body .............................................................................................................. 7

6.2.3 Desired outcomes ...................................................................... ...................................................................................... 7

6.2.4 Governance behaviours ............................................................................................................................................. 7

6.3 Principle 2 — Strategy ..................................................................................................................................................................... 8

6.3.1 Applying the principle ................................................................................................................................................. 8

6.3.2 Implications for the governing body .............................................................................................................. 8

6.3.3 Desired outcomes ...................................................................... ...................................................................................... 8

6.3.4 Governance behaviours ............................................................................................................................................. 9

6.4 Principle 3 — Acquisition .............................................................................................................................................................. 9

6.4.1 Applying the principle ................................................................................................................................................. 9

6.4.2 Implications for the governing body .............................................................................................................. 9

6.4.3 Desired outcomes ...................................................................... ...................................................................................10

6.4.4 Governance behaviours ..........................................................................................................................................10

6.5 Principle 4 — Performance .......................................................................................................................................................10

6.5.1 Applying the principle ..............................................................................................................................................10

6.5.2 Implications for the governing body ...........................................................................................................10

6.5.3 Desired outcomes ...................................................................... ...................................................................................11

6.5.4 Governance behaviours ..........................................................................................................................................11

6.6 Principle 5 — Conformance ......................................................................................................................................................11

6.6.1 Applying the principle ..............................................................................................................................................11

6.6.2 Implications for the governing body ...........................................................................................................11

6.6.3 Desired outcomes ...................................................................... ...................................................................................12

6.6.4 Governance behaviours ..........................................................................................................................................12

6.7 Principle 6 — Human behaviour ..........................................................................................................................................12

6.7.1 Applying the principle ..............................................................................................................................................12

6.7.2 Implications for the governing body ...........................................................................................................12

6.7.3 Desired outcomes ...................................................................... ...................................................................................13

6.7.4 Governance behaviours ..........................................................................................................................................13

Bibliography .............................................................................................................................................................................................................................14

© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 38506:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/

iso/ foreword .html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 40, IT Service Management and IT Governance.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 38506:2020(E)
Introduction

In today’s rapidly evolving digital age, the world is experiencing unpredictable changes through shifts

in political and economic power combined with disruptive business models, seemingly constant

technology breakthroughs and innovative approaches to conducting business.

How can governing bodies prepare their organizations to address constant and new challenges while

being ready for an increasing information and technology driven future?

Information Technology (IT) supports the core functions of all organizations, underpins the basis of

almost all business activities and interfaces with customers and other stakeholders. Investments in IT

enablement and the contribution of IT to the business capability and performance of the organization

play a significant role in the achievement of strategic plans and the delivery of business value.

Effective governance of IT enabled investments will provide governing bodies with a better

understanding of their obligations and how value is derived to support the organization’s business

opportunities and to appropriately mitigate the organisation's risk.

Risks comprise such things as the failure to deliver required capabilities, failure of the business to

achieve the required benefits, with the impact on the organization leading to e.g. business disruption,

breach of obligations, regulatory non-compliance, failures of security, loss of data, down time. Effective

governance will proactively prevent or mitigate the IT aspects of the risk of such events occurring, for

example, by addressing prolonged underinvestment.

Governance of IT, including investments in IT, is part of sound corporate governance. Governance of IT

is not IT management but should be supported by a governance framework and the organization’s IT

management system.

This document provides guidelines to members of the governing bodies to apply the principles and

model documented in ISO/IEC 38500 to IT enabled investments. Throughout this document the word

"investments" is synonymous with IT enabled investments.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 38506:2020(E)
Information technology — Governance of IT — Application
of ISO/IEC 38500 to the governance of IT enabled
investments
1 Scope

This document provides guidance on governance of IT enabled investments to the governing body

of all forms of organizations, whether private, public or government entities, and will equally apply

regardless of the size of the organization or its industry or sector. The terms business and business

outcome throughout this document include all forms of organization covered by this document.

The document also provides guidance to other parties interacting with governing bodies such as project

personnel, accountants, management consultants, investment portfolio managers and governance

support staff.

IT enabled investments within the scope of this document could be investments of any scale from

acquiring businesses to any business change incorporating IT, building new business services or

addressing effectiveness and efficiency gains in IT operational services to gain competitive edge,

whether those services are internal or provided by external parties.

Resource allocation for strategic innovation is addressed by providing guidance to the governing

body’s decision for investment resource allocation between short-, medium- and long-term innovation

projects.

This document also provides guidance that can be applied in the due diligence process related to

business acquisitions. This document may provide guidance on the application of the principles

documented in ISO/IEC 38500 for ranking IT enabled investments including assessing the value and

risks of IT elements in the context of investment banking or as performed by investment companies.

This document does not prescribe or define specific management practices required for IT enabled

investments.

ISO/IEC TS 38501 contains guidance on the implementation arrangement for the effective governance

of IT in general. The constructs in ISO/IEC TS 38501 can help to identify internal and external factors

relating to the governance of IT and to define beneficial outcomes and identify evidence of success.

ISO/IEC TR 38502 contains guidance on the integration between the governing body and management

of an organization in general.

This document is written in accordance with the principles of ISO/IEC TR 38504:2016.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 38500:2015, Information technology — Governance of IT for the organization

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 38500 and the

following apply.
© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 38506:2020(E)

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
benefit
created advantage, value or other positive effect
[SOURCE: ISO 21505:2017, 3.4]
3.2
governance framework

strategies, policies, decision-making structures and accountabilities through which the organization’s

governance arrangements operate
[SOURCE: ISO/IEC TR 38502:2017, 3.1]
3.3
IT enabled investments

investments that are dependent on the use of information technology for the achievement of business

outcomes
3.4
value
quantifiable financial or non-financial gain
[SOURCE: ISO 37500:2014, 3.25]
4 Good governance of IT enabled investments
4.1 Benefits of good governance of IT enabled investments

When technology investment outcomes are established as assets rather than cost elements, they

become a strategic enabler of growth and sustainability of organizations in an increasingly competitive

environment.

Good governance of IT enabled investments helps the organization to ensure that those investments

contribute positively to the performance and conformance of the organization through:

— giving priority to investments that align with the organization’s strategy and business objectives

and have the potential to return the greatest value to the organization;
— optimising the value from investments;
— providing a mechanism for appropriate risk mitigation of the investments;

— balancing investments between short and longer term outcomes to ensure continued business

sustainability;

— ensuring conformance with obligations (regulatory, legislation, common law and contractual).

Inadequate governance of IT enabled investments can expose an organization to loss of confidence

by clients and consumers in the brand or product/services being provided, unsuccessful or delayed

innovation and penalties of not being conformant with obligations.
4.2 Focus on value

The value to the organization of any and all investments should be the first and main focus when

evaluating and prioritizing investments.
2 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 38506:2020(E)

Value from IT enabled investments is not realized by the implementation of IT alone. The achievement

of value requires complementary planned business changes, including but not limited to, purpose,

organizational values, culture, organization structure, business processes, roles and responsibilities,

people skills and reward systems. For successful implementation of IT enabled investment, significant

business resources are required and the impact to the business should always be considered foremost.

The interdependencies between the business strategy and the underlying technology is inseparable.

The achievement of such changes can be difficult to sustain over time, and the governing body should

continue to monitor the organization’s ability to maintain the required commitment to business

changes over time.

Value may relate to increased market share, new opportunities developed, increased customer

satisfaction or improved customer access. In addition, direct cost reduction on process outsourcing

cost and conformance to rules and regulations can also provide value to an organization. Furthermore,

value may be due to societal or environmental objectives. However, the expected value should be clearly

defined and be measurable by an accepted mechanism to ensure realization of that value.

The value of business change may be enabled directly by adoption of innovative IT assets and IT

capabilities in new business services or products. However, the indirect value of investments in

underlying and supportive IT assets, for example infrastructure components or security capabilities,

should be carefully evaluated and continued maintenance should be appropriately prioritized within

the portfolio of investments.

When considering a business acquisition, value assessment could be obtained by ensuring that a

structured due diligence process includes evaluation of performed IT governance principles and

practices, IT assets and IT capabilities.

The value forecast from IT enabled investments, as with all investments, should also be evaluated

against time and resource diversion from other business activities. Risk based prioritization should be

made between current product/services and future product/service development.
Specific guidance relating to focus on value are made in Clauses 5 and 6.
4.3 Accountability of the governing body

The governing body is ultimately accountable for the success of all investments an organization

undertakes. This accountability derives from the governing body’s accountability for governance of the

organization and consequently the governance of the IT within the organization.

The governing body should exhibit the same behaviours with all investments whether IT enabled or not.

The governing body should take and retain accountability of business change, to take visible and active

leadership and champion the investments rather than delegate all responsibility, as a result, creating an

environment for successful strategic innovation. With clear visibility of outcomes, value creation and

mitigation of risks will increase the likelihood of successful investment.

The governing body should establish, promote and support an environment to enable the success of the

organization’s investments, and provide the leadership to support the people involved.

An environment without surprises for the governing body and a supportive response to messages about

potential problems builds on two-way trust and transparency and ensures alignment of objectives.

Accountability for the effective, efficient and acceptable use of IT and the success of the organization’s

investments in IT remain with the governing body and cannot be delegated. Retaining a level of

engagement by the governing body significantly increases the organizational focus on successful

outcomes and value realization of all investments.

The governing body can delegate the decision-making authority and hold the management accountable

for aspects of investments, ensuring that management have the requisite competence to satisfy such

responsibilities associated with the delegation, and that the governing body itself retains appropriate

© ISO/IEC 2020 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 38506:2020(E)

visibility of key decisions. The governing body should clearly communicate the management’s

accountability for outcomes.
The governing body should retain visibility of investments that involve:

— a focus on strategic innovation, with potential to provide continued long-term competitive

advantage;

— investments evaluated to have high risk to the organization’s sustainability of existence;

— investments evaluated to require a commitment of significant financial magnitude;

— high levels of integration with other investments and/or business activity.
5 The model for good governance of IT enabled investments
5.1 The model for good governance applied to the governance of IT enabled
investments

ISO/IEC 38500 introduces a model for the governance of IT that establishes a cycle of Evaluate – Direct-

Monitor. This “EDM” model describes the three main tasks for governing IT and has been applied to the

governance of IT enabled investments in the following clauses.

Figure 1 shows the model as it applies to IT enabled investments. This figure is based on the model in

ISO/IEC 38500:2015, Figure 1.
Figure 1 — Model for governance of IT
4 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 38506:2020(E)
5.1.1 Evaluate

In applying the ISO/IEC 38500 model the key questions asked by the governing body, when evaluating

IT enabled investments, should include the following:

— To what extent is value being created or eroded by the investments over the full lifecycle of the

investment decision?

— In what way does the portfolio of investments deliver to the business strategy plan, the development

of existing and new (business and IT) capabilities and is the timing right for the business?

— Is the resource allocation between short- and long-term investments right for ensuring relevant

business capabilities?

— What steps are being taken to enhance and protect the reputation and brand of the business, is the

trustworthiness of the organization being considered?

— How are security, privacy, data governance, legal, societal and business requirements being

enforced?

— Does the risk profile of the overall portfolio of IT enabled investment sufficiently business

sustainability and match the organization’s risk appetite?

— Is the balance between growth, innovation and cost reduction consistent with the organization’s

strategic objectives for IT effectiveness and efficiency?

— What use is being made of evolving technologies to optimise the future growth of the organization?

— Is the overall level of business change right for the capability of the organization, customers and

external stakeholders?

— What are the organizational barriers where the governing body’s assistance is required to ensure

an environment for success?

— Is the proposed approach to deliver the investment appropriate and consistent with future strategic

direction on development versus acquisition, internal versus outsourcing, service versus product?

5.1.2 Direct

The governing body should direct the establishment of a framework for control and visibility of

investments that is appropriate to the size, number and type being undertaken. The governance

framework and management system may:

— direct that the focus of all investments is to create and sustain short- and long-term business value

where value is a function of strategic alignment, benefits, costs and risks over the full life cycle of an

investment;

— direct that the investments include all the necessary business changes for the expected value to be

realized;

— direct that the investments must have an accountable business owner/sponsor and that relevant

metrics and feedback mechanisms are in place to ensure and assure the value is delivered;

— direct that business strategic plans include identified success criteria to drive the investments;

— direct clearly defined policies, processes, responsibilities and accountabilities for transparency in

delegated decision-making authority;

— direct the required speed, timeliness and resource allocation with respect to the innovation

investment or application of current and future technologies;

— direct the application of appropriate due diligence for all types of investments;

© ISO/IEC 2020 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 38506:2020(E)

— direct the organization to the level of expected capacity, capability and maturity to deal with the

risk and complexity required and to realize the value and benefits desired;

— establish an organizational environment and culture which considers how the use of IT impacts

people and is addressed to optimise business value;

— require independent and accountable risk management assessment with separation of duties

utilizing appropriate business and IT capabilities.
5.1.3 Monitor

The governing body should monitor the performance and conformance of investments to ensure they

are driving the most effective and efficient behaviours and value delivery.

The key considerations of the monitoring task for the governing body may include the following:

— ensuring that the investments continue to be aligned with the strategy and are continuing to create

and sustain value to the organization;

— monitoring an environment of trust and transparency continually exists highlighting early

indicators of barriers and solutions for governing body action;

— ensuring a level of technology in the organization is aligned with strategic propositions and the

governing body’s risk appetite;

— challenging interdependencies between investments that could result in non-delivery of value to

the business;

— monitoring whether the organization has the capacity (or ability) and culture to sustain the required

level of organizational change;
— monitoring stakeholder engagement t
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.