ISO/IEC TR 38505-2:2018

TECHNICAL ISO/IEC TR
REPORT 38505-2
First edition
2018-06
Information technology — Governance
of IT — Governance of data —
Part 2:
Implications of ISO/IEC 38505-1 for
data management
Technologies de l'information — Gouvernance des technologies de
l'information —
Partie 2: Implications de l'ISO/IEC 38505-1 pour la gestion des données
Reference number
ISO/IEC TR 38505-2:2018(E)
©
ISO/IEC 2018

---------------------- Page: 1 ----------------------
ISO/IEC TR 38505-2:2018(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 38505-2:2018(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Governance and management roles . 2
4.1 General . 2
4.2 The governance role . 2
4.3 The management role . 4
5 Connecting business strategy to data management . 5
6 Establishing policies through the checklist of considerations . 7
Annex A (informative) Example worksheets .10
Annex B (informative) Applying the guidance — example coffee shop .18
Annex C (informative) Case study example — travel service company .22
Annex D (informative) Case study example — China financial industry .25
Annex E (informative) Case study example — air transport ICT company .30
Bibliography .36
© ISO/IEC 2018 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 38505-2:2018(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/iso/foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 40, IT Service Management and IT Governance.
A list of all parts in the ISO 38505 series can be found on the ISO website.
iv © ISO/IEC 2018 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 38505-2:2018(E)

Introduction
This document describes what the governing body of an organization expects and requires from the
data management team in order to be assured that the governing principles of IT can be implemented
and are being upheld for data and its use by the organization.
As the core business processes of nearly all organizations become much more reliant on data, the
strategic use of that data makes its governance a priority for the governing bodies of organizations.
This governance of data, as part of the overall governance of IT, aims to help the organization extract
business value from the data, while operating at an acceptable level of risk and with an appropriate
level of accountability of the data and its use.
The governing body is responsible for the strategy of the organization and as ISO/IEC TR 38502 states:
“Managers are responsible for achieving organizational strategic objectives within the strategies and
policies for use of IT set by the governing body”.
However, management not only accepts the strategy as set by the governing body, it should also provide
proposals and plans to assist with the creation of that strategy.
The impact of data to the organization can be highlighted through its many potential uses - including
improving operations, altering the nature of products and services, informing and enabling employees,
customers and suppliers.
Management can inform the governing body of the existing and required data management capabilities
to support such data uses as well as inform them of technologies that enable new data scenarios that
can impact strategic plans.
The governing body evaluates such data use options and forms a strategy regarding the use of data
and the associated value, risk and constraints so it aligns to and supports the overall organizational
purpose.
Utilizing the framework outlined in ISO/IEC 38505-1, this document examines the data management
implications of such strategy, showing how the strategy can inform data policy, processes and controls.
Those same controls and processes should also be designed to monitor the implementation of the
strategy such that the governing body can be assured of the performance and conformance to the
strategy.
© ISO/IEC 2018 – All rights reserved v

---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/IEC TR 38505-2:2018(E)
Information technology — Governance of IT — Governance
of data —
Part 2:
Implications of ISO/IEC 38505-1 for data management
1 Scope
This document provides guidance to the members of governing bodies of organizations and their
executive managers on the implications of ISO/IEC 38505-1 for data management. It assumes
understanding of the principles of ISO/IEC 38500 and familiarization with the data accountability map
and associated matrix of considerations, as presented in ISO/IEC 38505-1.
This document enables an informed dialogue between the governing body and the senior/executive
management team of an organization to ensure that the data use throughout the organization aligns
with the strategic direction set by the governing body.
This document covers the following:
— identifying the information that a governing body requires in order to evaluate and direct the
strategies and policies relating to a data-driven business;
— identifying the capabilities and potential of measurement systems that can be used to monitor the
performance of data and its uses.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 38500:2015, Information technology — Governance of IT for the organization
ISO/IEC 38505-1, Information technology — Governance of IT — Governance of data — Part 1: Application
of ISO/IEC 38500 to the governance of data
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 38500 and ISO/IEC 38505-
1 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https: //www .electropedia .org/
— ISO Online browsing platform: available at https: //www .iso .org/obp
© ISO/IEC 2018 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC TR 38505-2:2018(E)

4 Governance and management roles
4.1 General
This clause covers the linkage between ISO/IEC 38505-1 and this document, by explaining how those
responsible for governance and management within an organization should develop policies for data
use (including collection, reporting, distributing and so on) that align with the organizational culture,
vision, mission and associated goals.
4.2 The governance role
ISO/IEC 38505-1 gives an overall view of key focus areas for data and its use in the organization, through
the application of a data accountability map. Assessing the value, risk and constraints related to the
elements in the data accountability map (Figure 1), will assist in identifying issues and concerns that
can require policies to be defined in order to implement the overall data strategy of the organization.
Figure 1 — ISO/IEC 38505-1 data accountability map
As data management technology advances, the ability to process large volumes of data from many
sources and then extract value from that data becomes economically viable for an increasing number of
organizations. Along with this increased value comes increased risk.
The governing body sets the overall data strategy for the organization which outlines how much the
organization is expected to leverage data to extract value for its stakeholders. Closely linked to this
strategy, the governing body sets the data risk appetite which describes the level of risk relating to data
that the organization is willing to pursue or retain.
No matter what strategy or data risk appetite the governing body establishes, the governing body
remains accountable for data and its use by the organization, including all data-related and data-
enabled decisions that are made in the organization. The governing body should take into account the
constraints of regulation and legislation, societal needs and cultural norms and existing organizational
policies that can limit or constrain how data can be collected and used.
2 © ISO/IEC 2018 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC TR 38505-2:2018(E)

ISO/IEC 38505-1 combines these accountability concepts into a checklist of considerations for data
strategy and policies. An example checklist is summarized in Table 1 below.
Table 1 — Data areas and data-specific aspects of governance (from ISO/IEC 38505-1)
Value Risk Constraints
Collect [V1] The governing body should [R1] The governing body should [C1] The governing body
decide the degree to which the recognize the risks associated should approve the policies
organization will leverage or with the collection and use of for data collection, taking
monetize data to achieve its data and agree to an acceptable into account constraints such
strategic objectives. level of their data risk within as quality, privacy, consent
the overall risk appetite for requirements and transpar-
the organization. This should ency of use.
include an examination of the
risks of not collecting and using
the data.
Store [V2] The governing body should [R2] The governing body should [C2] The governing body
approve policies that allocate direct managers to ensure that should direct managers to
the appropriate resources for an ISMS (Information Security ensure data storage prac-
data storage and data subscrip- Management System) is in place tices (including third-party
tion such that the potential extending to data and technolo- data subscriptions) support
value of data can be extracted. gy suppliers, with adequate re- the data collection con-
sources, controls and trust such straints.
that the level of risk appetite is
not exceeded.
Report [V3] The governing body should [R3] The governing body should [C3] The governing body
direct managers to use the nec- establish the significance of should establish the im-
essary tools and technologies to the context of data, including portance of the relation-
ensure that the full value of data cultural norms and its potential ship between data and its
can be extracted. misinterpretation in aggregate. constraints – particularly if
the data is aggregated from
different datasets.
Decide [V4] The governing body should [R4] The appropriate data and [C4] The output of the deci-
ensure that the data culture format should be delivered sion-making process, as new
for the organization aligns in a report for automated or data, will have its own value,
with its data strategy including human decision-making. While risk and constraints – and
behaviours such as data access remaining accountable for these the governing body should
practices, data-enabled decision decisions, the governing body set the expectations for the
making and the organization- should delegate decision-mak- decision process and associ-
al learning from the decision ing responsibilities appropriate- ated responsibilities.
process. ly for the organization and for
the acceptable level of data risk.
Distribute [V5] The governing body should [R5] The governing body [C5] The governing body
establish a policy for data dis- should ensure that managers should ensure that the ap-
tribution such that it allows the have implemented adequate propriate distribution rights
organization to satisfy the stra- controls to prevent inappropri- are implemented and that
tegic plan of the organization. ate distribution. they are respected by third
parties.
Dispose [V6] The governing body should [R6] The governing body should [C6] The governing body
approve policies that allow for direct managers to implement should monitor data
the disposal of data when the an appropriate data disposal retention and disposal
data is no longer valuable or can process that includes such con- obligations and ensure that
no longer be held. trols as the secure and perma- adequate processes have
nent destruction of the data. been implemented.
As noted in ISO/IEC 38505-1, “the checklist is not exhaustive and governing bodies should evaluate
their organizational situation and add additional actions as required”.
There are many data management implications behind each of the considerations in this table. In
evaluating any of these, the governing body should be aware of the possible or potential options, and
© ISO/IEC 2018 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC TR 38505-2:2018(E)

the current and future capabilities of the organization. The governing body will want to evaluate these
options and their implications for data use in the context of the overall strategy of the organization.
The concepts in Table 1 can be used to describe the resulting strategies and policies to be implemented.
In many cases, metrics should also be associated with each element — and monitoring processes should
be established to measure progress.
For these reasons, Table 1 is used as a checklist for this document.
4.3 The management role
Once the governing body has set the direction for data strategy in alignment with the overall
organizational strategy, data policies or data components of existing organizational policies should be
established. In the case of data, where the governing body can be unaware of the capabilities of those
responsible for data management, neither the governing body nor the management team should create
policy in isolation of the other party.
The management team and the governing body should agree on the current capability and desired
future capability of the organization for data management. It can be advantageous to take advantage of
new markets or products that can be made possible through diligent data collection and use.
Figure 2 — Data strategy and data policies
Figure 2 shows that the governing body is responsible for the data strategy and data policies for
the organization and for ensuring that these align with the overall organizational strategy. It is the
management team that is responsible, within their delegated authority, for the implementation of these
policies.
Please note that Figure 2 does not show other nuances of the relationship between the governing body
and the management team, such as how they can work together to establish the organizational strategy
through considerations of stakeholders, risk analysis, market pressures, compliance and other factors.
Another important element not shown here is the impact of the culture of the organization and how
that would permeate all aspects of the accountability and implementation of the strategy.
As outlined in ISO/IEC TR 38502, “Managers are responsible for ensuring the achievement of the
objectives of the organization within the strategies and policies established by the governing body”.
4 © ISO/IEC 2018 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC TR 38505-2:2018(E)

ISO/IEC 38505-1 describes a “checklist of considerations for a governing body to take into account when
developing a governance framework for data” as shown in Table 1. This document demonstrates how
this checklist can be used to establish data policies.
5 Connecting business strategy to data management
This clause describes the implementation of business strategy through the development of policy,
processes and controls. The focus of this document is on the development of policy as an activity
carried out by members of the governing body in discussion with the members of the management
team responsible for implementing the strategy.
Figure 3 — Cascade mechanism
Figure 3 shows a possible cascade mechanism with data strategy developed by the governing body
informing policy, policy developed by the governing body with the management team, guiding and
influencing the development of suitable processes, and then controls that enable the processes to match
the strategy. Unless these four activities are aligned, the data strategy, a subset of the organizational
strategy, developed by the governing body cannot be delivered.
Note the cascade is bi-directional and is important to ensure there is a feedback mechanism from
controls up to strategy. The governing body can monitor the performance and conformance according
to the reports and alerts produced by controls and be assured that there is alignment from strategy to
implementation.
© ISO/IEC 2018 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC TR 38505-2:2018(E)

Figure 4 — Connecting the governance of data to data management (adapted from ISO/
IEC 38500:2015)
Figure 4 shows how the governing body and management teams work together to implement policy to
support the organizational strategy, and specifically, the strategy for data. As shown in Figure 3, the
governing and management bodies are connected through the cascade mechanism which includes —
amongst other mechanisms — elements of strategy, policy, processes and controls. These connections
are developed and maintained through the EDM (Evaluate, Direct, Monitor) model, as follows:
— Evaluate. It is the responsibility of the management body to design proposals and plans for the
implementation and evaluation of activities to fulfil the organizational strategy developed by
the governing body. The plans and proposals should take into account the introduction of new
technology which can improve the utility of data such as big data technology. It should also take
into consideration the current and future capabilities of infrastructure critical for performing data
management activities. The technology and capabilities should be described in the management
processes, which is the expression of management activities. Using the management proposals and
plans, along with other sources of information, the governing body will be able to evaluate a suitable
data strategy.
— Direct. The governing body formulates data strategies and policies for the governance of data and
assigns responsibilities and accountabilities to build the governance structure. The governing
body directs the development of data strategy and policies according to the aspect-accountability
mapping introduced in ISO/IEC 38505-1. Activities to be considered include data classification and
the organization’s risk appetite with respect to data. The mapping assists with the development of
policy for managers to implement, taking into account aspects of value, risk and constraints.
— Monitor. The governing body should monitor the performance and conformance of management
activities against the set directions. The reports and alerts provided by the management body will
assist in this task. These reports should include status reports on alignment with legislation and
regulation and notification of the occurrence of specific identified high-risk events. Alerts should
be activated on the occurrence of key risk, security and privacy events identified in the mapping
process.
A data strategy deals primarily with environmental constraints and opportunities to reach the
organizational goals and objectives, but data policy refers to a set of rules made by the organization
6 © ISO/IEC 2018 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC TR 38505-2:2018(E)

for rational decision-making. Strategy and policy are both set at the governing level of an organization,
with the governing body establishing policies, in conjunction with the management team, that help
the management team to operate in alignment with the strategy, serve as a guideline for operational
decision-making and drive expected behaviours within the organization.
Governance of data policy produced by a governing body should
— align with strategy and the organizational goals and objectives,
— be consistent with other organizational policy, and
— include mechanisms for policy implementation and revision.
Policy development within a data governance framework is likely to be an ongoing process, so the
governing body should ensure that the following tasks are addressed by management:
— Identify and define:
— Identify new regulatory requirements, technology developments, operational needs and current
issues or gaps;
— Identify sponsors, stakeholders and determine their relevant roles;
— Identify different business activities;
— Formulate a method to define the policies;
— Obtain approval to proceed with draft policy.
— Develop:
— Develop and draft initial set of policies;
— Distribute draft policy to stakeholders for review and input;
— Review and, where appropriate, incorporate feedback;
— Obtain approval.
— Implement and maintain:
— Post and announce policy;
— Conduct educational and communication activities;
— Coordinate and support the operation of policy.
— Monitor and improve:
— Document the effect and result of the operation;
— Monitor compliance and effectiveness of implemented policy;
— Review modifications on an annual review cycle;
— Design a continual improvement process for the set of policies.
6 Establishing policies through the checklist of considerations
This clause demonstrates how the data accountability map and associated considerations matrix from
ISO/IEC 38505-1, as shown in Table 1, can be applied to assist with the development of organizational
policy that aligns with and informs the data strategy of the organization. The data accountability
map provides six areas of focus for governance activities across an organization, and therefore six
© ISO/IEC 2018 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/IEC TR 38505-2:2018(E)

distinct areas where policy should applied. The associated considerations of value, risk and constraints
prompt discussion and decisions around the appetite of an organization to deliver business value and
opportunities through data, and also to inform how this value and these opportunities can be delivered
in a way that meets the compliance needs of the organization.
Figure 5 — Data management schema for deriving policy
As shown in Figure 5, by taking each area from the ISO/IEC 38505-1 data accountability map, as
represented in Figure 1, (i.e. collect, store, report, decide, distribute and dispose), and considering the
aspects of value, risk and constraints for each accountability area, the governing body will be prompted
to consider data activities across the organization.
The Annexes provide examples of how the matrix of map areas and considerations can be applied and
demonstrate the type and range of policy statements that can result from asking questions around each
cell of the matrix. The examples demonstrate how these resulting policy statements can be added to
existing organizational policies or set aside in a separate data policy.
Annex A provides a set of worksheets that can be used as the basis for developing policy statements to
help implement a data strategy and associated governance framework.
Annex B demonstrates how applying the matrix can assist with the development of sound governance
practices and good policy to underpin the development of new data-driven services and products
within an organization. The example organization introduced in Annex B is a fictional organization, but
the resulting questions and example policy statements are generic.
Annex C provides a mapping of the guidance provided in this document to an exemplar Chinese travel
service company, to demonstrate the relationship between developing good governance practices and
completing the matrix of map areas and considerations.
Annex D gives an overview of data governance policy development for a large and complex industry.
Annex E describes data governance at an air transport IT and communications specialist.
8 © ISO/IEC 2018 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/IEC TR 38505-2:2018(E)

Table 2 below shows an example approach to the collect activity on the data accountability map.
It is envisaged that representatives of the governing body and the management team would work
through each cell and consider the data collection activities required to support the delivery of the
organizational data strategy and over-arching organizational strategy. These considerations should
result in the development of policy to direct management activities and performance and conformance
measures along with a reporting structure to enable the governing body to monitor the delivery of the
strategy.
Table 2 — Collect a
...