ISO/IEC TS 38508:2024

Technical
Specification
ISO/IEC TS 38508
First edition
Information technology —
2024-02
Governance of IT — Governance
implications of the use of a shared
digital service platform among
ecosystem organizations
Technologies de l'information — Gouvernance des technologies
de l'information — Implications de gouvernance de l'utilisation
d'une plateforme mutualisée de services numériques dans les
organisations d'un écosystème
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview of shared digital service platform among ecosystem organizations . 2
4.1 The purpose of a shared digital service platform among ecosystem organizations .2
4.2 Governance arrangement of shared digital service platform among ecosystem
organizations .3
4.2.1 General .3
4.2.2 Centralized model .3
4.2.3 Consortium model .3
4.2.4 Open platform model .3
4.3 Consortium model — exemplar of an alliance .4
5 Benefits of good governance of a shared digital service platform . 5
6 Governance framework for a shared digital service platform . 5
7 Governance model for organizations participating in shared digital service platform . 6
8 Guidance for the governance of a shared digital service platform . 8
8.1 General .8
8.2 Strategy .8
8.3 Acquisition .8
8.4 Compliance .9
8.5 Performance .9
8.6 Human behaviour and culture .9
8.7 Data quality .10
8.8 Risk governance .10
8.9 Organizational governance oversight .11
9 Guidance for the management of shared digital service platform .12
9.1 Roles of management . 12
9.2 Considerations for management systems . 12
Annex A (informative) Plug and play architecture of a platform and its ecosystem . 14
Annex B (informative) Use case of shared digital service platform .15
Bibliography .16

© ISO/IEC 2024 – All rights reserved
iii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 40, IT service management and IT governance.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2024 – All rights reserved
iv
Introduction
Organizations are increasingly using plug and play architecture on shared digital service platforms to
develop new digital services that can be adapted to meet future needs. This architecture allows organizations
to add new applications and features to the platform without disrupting the overall system. Using a shared
digital service platform also enables organizations to enhance the value they offer to customers by bundling
existing capabilities with new digital capabilities and forming flexible value networks with business
partners and suppliers.
The plug and play architecture of a shared digital service platform can easily add the applications of
suppliers or other ecosystem organizations. For example, a product manufacturer could monitor product
performance data for preventive maintenance by adding applications from their part suppliers and other
ecosystem organizations.
The plug and play architecture of a shared digital service platform also enables independently developed
applications to be combined and integrated into the platform through a standardized interface, thereby
reducing overall adjustment costs incurred in the platform ecosystem. The plug and play architecture of the
platform enables ecosystem organizations to focus on their work relatively autonomously, which ultimately
helps to lower both application innovation costs and system integration costs borne by the ecosystem
organizations.
The plug and play architecture of a shared digital service platform lays the foundation for platform
participants to innovate the platform through application development instead of the platform owner being
fully responsible for application development and thus platform innovation. The plug and play architecture
of the platform and its underlying scalable technologies, with the option of adding additional elements
[technology for Internet of Things (IoT), data storage, application development, analytics and security],
makes it possible for organizations to dramatically enhance value offered to customers by easily expanding
the organizations’ existing capabilities with new digital capabilities in cooperation with the ecosystem
organizations.
The use of a shared digital service platform creates governance and control issues that the governing
body and management have to ensure are addressed. These include ensuring that there is a clear basis
for governance and a governance framework that provides policies and accountabilities that meet the
organization’s requirements.
This document aims to provide guidance to the governing body of organizations that are accountable for
their organization’s adoption of a digital service platform among an ecosystem organization. Thus, this
document focuses on governance and not on the technologies themselves. The technological and managerial
aspects of a "digital service platform" are only covered to the extent that is necessary to understand the
governance implications of their use.
For information on the technological aspects of digital service platforms and cloud computing, please see
ISO/IEC TS 5928 and ISO/IEC 22123-2.
This document is applicable to all organizations, including public and private companies, government
entities, and not-for-profit organizations. This document is applicable to organizations of all sizes from the
smallest to the largest, regardless of the extent of their dependence on data or information technologies.

© ISO/IEC 2024 – All rights reserved
v
Technical Specification ISO/IEC TS 38508:2024(en)
Information technology — Governance of IT — Governance
implications of the use of a shared digital service platform
among ecosystem organizations
1 Scope
This document provides guidance for members of governing bodies of organizations on the effective,
efficient and acceptable use of a shared digital service platform among ecosystem organizations by:
— establishing a vocabulary for the governance of a shared digital service platform among ecosystem
organizations;
— providing a framework for understanding the implications of the use of a shared digital service platform
among ecosystem organizations;
— guiding governing bodies to evaluate, direct and monitor the introduction and use of a digital service
platform, applying the governance principles of ISO/IEC 38500;
— assuring stakeholders that, if the guidance proposed by this document is followed, they can have
confidence in the organization’s use of shared digital service platform among ecosystem organizations.
This document also provides guidance to those advising, informing or assisting governing bodies, including:
— executive managers;
— members of groups monitoring the resources within the organization;
— external businesses or technical specialists, such as legal or accounting specialists, retail or industrial
associations, or professional bodies;
— public authorities and policy makers;
— internal and external service providers (including consultants);
— auditors.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 38500, Information technology — Governance of IT for the organization
ISO/IEC 38505-1, Information technology — Governance of IT — Governance of data — Part 1: Application of
ISO/IEC 38500 to the governance of data
ISO 37000, Governance of organizations — Guidance
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 38500, ISO/IEC 38505-1,
ISO 37000 and the following apply.

© ISO/IEC 2024 – All rights reserved
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
alliance
collaborative relationship formed between two or more organizations to pursue common interests or
objectives
Note 1 to entry: Alliance can be formally contracted agreements or be entirely informal.
3.2
consortium
cooperative arrangement where several organizations or entities join together to achieve a common goal
Note 1 to entry: A consortium typically involves multiple independent entities, such as companies, pooling their
resources, expertise, and interests to work on a specific project or pursue shared objectives.
Note 2 to entry: Consortium members typically retain their individual identities and operate independently outside of
the consortium.
Note 3 to entry: Consortium members contribute resources, contribute to decision-making, and share the risks and
benefits associated with the project or initiative.
Note 4 to entry: Consortia are often governed by a set of agreements or contracts that outline the terms of collaboration,
resource allocation, intellectual property rights, and other relevant aspects.
3.3
core partner
organization that has a significant role in shaping a shared digital service platform's direction and core
functionality
3.4
ecosystem organization
community of business partners, suppliers and customers that share a digital service platform for mutual
benefits
3.5
plug and play architecture
architecture of a digital service platform which ensures that the dependencies between the platform core
and applications are kept to a minimum and that changes in a platform core or an application do not require
corresponding adjustments to ensure continued interoperability
Note 1 to entry: Through the plug and play architecture, resilience and capacity to accommodate changes in the future
that were not originally planned can be ensured.
3.6
shared digital service platform
platform that enables partners, suppliers and customers to share resources, processes and capabilities to
deliver unique digital services for the ecosystem organizations
4 Overview of shared digital service platform among ecosystem organizations
4.1 The purpose of a shared digital service platform among ecosystem organizations
The purpose of a shared digital service platform is to enable organizations to collaborate with partners
and suppliers to create unique digital services for their organizations. Such a platform provides a software
tool that allows businesses to rapidly deliver these services by combining products with sensors, data
and advanced analytics, thereby creating new value models with significantly improved or unique value

© ISO/IEC 2024 – All rights reserved
[6]
propositions for their organizations. Through effective ecosystem strategies, third-party software and
data integration, the shared digital service platform can provide a powerful tool for businesses to create
differentiated and more effective digital services that meet the evolving needs of their organizations.
Ultimately, the purpose of a shared digital service platform is to facilitate collaboration and innovation
among organizations and their partners, leading to the creation of more valuable digital services for
organizations.
The shared digital service platform involves an extensible codebase of a software-based system that
provides core functionality shared by applications that interoperate with it and the interfaces through
[7]
which they interoperate. In the shared digital service platform, an application is defined as an add-on
software subsystem that is connected to the platform core to add functionality. This allows applications
to add functionality to the shared digital service platform and deliver rapid and continuous innovation to
organizations that adopt the shared digital service platform.
For more information on the difference between the technical, economic and general uses of the word
"platform" in the context of digital services, see ISO/IEC TS 5928.
4.2 Governance arrangement of shared digital service platform among ecosystem
organizations
4.2.1 General
Shared digital service platforms among ecosystem organizations involve an alliance between different
organizations using the platform to generate value for their organizations. The shared digital service
platform among ecosystem organizations can have different governance arrangements based on the specific
industry, organization size and goals.
4.2.2 Centralized model
Under this model, one entity is responsible for providing shared services. This central entity has the
authority to set policies, define service standards and ensure compliance across different departments or
business units involved.
A centralized governing body, consisting of representatives from various departments or business units,
makes decisions regarding service offerings, resource allocation and overall strategy for shared services.
The centralized governing body establishes service level agreements (SLAs) with internal stakeholders (e.g.
production departments) and external stakeholders (e.g. partners, suppliers and customers), specifying
service levels, performance metrics and expectations for shared services.
4.2.3 Consortium model
Under this model, multiple entities, for example manufacturing organizations in the car industry, come
together to form a consortium and jointly govern a shared digital service platform (see Annex A for details
about roles and responsibilities of the consortium model and Annex B for related use cases). The consortium
establishes a governance structure with representatives from participating organizations.
The governing body, consisting of representatives from participating entities, collectively makes decisions
regarding service offerings, investment priorities, resource allocation and governance policies for the
shared digital service platform.
The consortium establishes SLAs with participating organizations, outlining service levels, responsibilities
and financial arrangements for utilizing the shared digital service platform.
4.2.4 Open platform model
Striving to be open, the open platform model encourages collaboration and participation from external
stakeholders, such as partners, suppliers or customers. The platform provides a common infrastructure and
set of services that can be extended and customized by external parties, fostering innovation and ecosystem

© ISO/IEC 2024 – All rights reserved
growth. For example, in the financial sector, the platform connects financial institutions and other service
providers, enabling seamless integration and interoperability between different financial systems.
In the open platform model, the governance structure includes representatives from the organization
operating the platform and external stakeholders, such as partners or developers. The governing body sets
rules, standards and policies for platform usage.
The governing body makes decisions related to platform features, integration protocols, data sharing
policies, and participation guidelines. It ensures that the platform remains open, secure and aligned with
the interests of all stakeholders.
Depending on the nature of the platform, SLAs can be established with external stakeholders, defining
service levels, data usage rights and responsibilities.
4.3 Consortium model — exemplar of an alliance
This subclause presents a consortium model as an exemplar of an alliance. Under this model, a shared digital
service platform typically involves a consortium of organizations that play different roles (see Annex A for a
more detailed description).
The owner of the shared digital service platform is the entity that controls the platform's intellectual
[1]
property and decides who can participate and in what capacity.
The core partners are the organizations involved in developing the shared digital service platform's core
functionality.
Peripheral partners are third-party developers who want to offer their resources, such as applications,
sensors, and devices on the shared digital service platform to gain market access.
Organizations can participate in the shared digital service platform ecosystem as either core partners or
peripheral partners. Core partners typically have a more significant role in shaping the platform's direction
and functionality, while peripheral partners contribute to the platform by adding new applications or
devices that can interoperate with the platform's core functionality.
The owner of the shared digital service platform is typically a well-established organization with a large
installed base. The owner of the shared digital service platform develops the platform with core partners.
The organizations entering the platform ecosystem are attracted to the platform to gain access to the
platform owner’s installed base, that is, a large customer base. The organizations joining in the ecosystem
expect to increase their returns through successful exploitation of the installed base of the platform owner.
Expanding the size of the platform ecosystem is key to the success of the shared digital service platform.
In order to do that, the platform owner should incentivize the ecosystem organizations with data, the
application programming interface (API) and developer tools to create and monetize services in the
platform. To get started, the platform owner needs to actively look for the organizations for collaboration
and incentivize them for value cocreation. The platform owner can make a selective decision on integration
of the organizations into the ecosystem.
While there are advantages that customers receive through data-based digital services, various problems
can occur. Since a large amount of personal data is created, it can be possible to infer the identity of an
individual. This in turn can lead to privacy infringement.
Therefore, the governing body of the shared digital service platform needs to establish policies for privacy,
security, risk governance and other areas of its digital services.
The governing body ensures that personal data and the fundamental rights of individuals are protected in
the case of personal data transfer to third-party processors, especially in third countries. If the platform
owner needs to share the sensor data with third-party service providers or make a profit by selling the
sensor data, the requirements for the relevant regulations need to be addressed. Guidance should be given
on conformance to regulatory requirements for personal data processing.

© ISO/IEC 2024 – All rights reserved
The governing body should also ensure that its organization implements and maintains appropriate
technologies and measures to protect customer and personal data against destruction, loss and unauthorized
access or modification. Guidance should be given on conformance with the security and privacy requirements
defined in ISO/IEC 27001 and ISO/IEC 27701.
The shared digital service platform may enable organizations to combine devices with sensors, data and
advanced analytics to deliver unique digital services to their customers and to shift their existing business
model to selling digital services. Since such a shared digital service platform enabled digital transformation
requires dramatic changes in strategy, structure, operation and culture, the role of the governing body
[5]
becomes more important than ever. The following clauses provide governance guidelines on how existing
companies can adopt and build the shared digital service platform to spearhead their digital transformations.
5 Benefits of good governance of a shared digital service platform
Good governance of a shared digital service platform assists the governing body in ensuring that the use of a
shared digital service platform contributes positively to the performance of the organization by:
— accelerating the flow of innovation into an ecosystem in order to sustain its competitive advantage;
— clarifying role, responsibility and accountability for both the supply of and demand for a shared digital
service platform;
— the actual realization of the expected benefits from each IT investment;
— minimizing the risk of negative impact to stakeholders, such as customers, partners and employees, due
to security and privacy breaches;
— maximizing the value creation potential of the shared digital service platform by fostering collaboration
among ecosystem partners and facilitating the creation of new services and business models;
— building trust among stakeholders through transparent decision-making processes and effective
communication.
Overall, good governance of a shared digital service platform can lead to more effective use of digital
technologies, improved organizational performance, and enhanced customer experiences.
6 Governance framework for a shared digital service platform
The establishment of a shared digital service ecosystem should involve a governance framework that defines
the ecosystem’s purpose, guiding principles, decision-making arrangements, participant obligations, and
regulatory compliance obligations. This can include memorandums of understanding, SLAs and contracts.
The ecosystem’s governing body composition, authority and accountability will depend on the structure
of the ecosystem and the basis under which it is organized. Those responsible for the governance of the
platform ecosystem should establish a governance framework appropriate for the ecosystem’s legal
arrangements, complexity and purpose.
Governing bodies of organizations seeking to engage with the shared digital service ecosystem should be
aware of the platform alliance’s governance arrangements.
The specific issues that need to be dealt with in a governance framework for a shared digital service
platform will depend on the purpose and design of the shared digital service platform, but could address the
following.
— Basis: Whether the ecosystem platform is owned by a single organization or shared by multiple owners.
— Accountability: Who is responsible and accountable for budgeting, developing commercial models,
marketing, profit sharing, expanding new business lines and criteria for selecting new consortium
[8]
members?
© ISO/IEC 2024 – All rights reserved
— Decision-making structures: The processes and framework by which decisions are made regarding
service offerings, investment priorities, resource allocation and governing policies for the shared digital
service platform.
— Technical strategies: The mechanism and responsibility for setting information security and other
standards for accessing the ecosystem solution, permitting new platform participants when they satisfy
applicable criteria and standards, determining the timing of upgrade to a new version of the software,
[8]
and resolving disputes. Once established, technical architecture is not easy to change, and on a shared
digital service platform, such architecture presents a challenge in determining the future evolutionary
trajectory of the shared digital service platform. I
...