ISO/IEC TS 38501:2015

TECHNICAL ISO/IEC TS
SPECIFICATION 38501
First edition
2015-04-01
Information technology — Governance
of IT — Implementation guide
Technologies de l’information — Gouvernance des technologies de
l’information — Guide d’implémentation
Reference number
ISO/IEC TS 38501:2015(E)
©
ISO/IEC 2015

---------------------- Page: 1 ----------------------
ISO/IEC TS 38501:2015(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2015 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TS 38501:2015(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
1.1 Overview . 1
1.2 Purpose . 1
1.3 Audience . 1
2 Normative references . 1
3 Implementation approach . 1
4 Establish and sustain enabling environment . 2
4.1 Overview . 2
4.2 Ensure internal stakeholder engagement . 2
4.3 Clarify sponsorship and responsibilities . 3
5 Govern IT . 3
5.1 Overview . 3
5.2 Evaluate . 4
5.2.1 Overview . 4
5.2.2 Understand internal environment . . 4
5.2.3 Understand external environment . 4
5.2.4 Identify current state of the use of IT . 5
5.3 Direct . 5
5.3.1 Overview . 5
5.3.2 Define desired state for the use of IT . 5
5.3.3 Initiate change program . 6
5.3.4 Identify governance enabling mechanisms . 6
5.4 Monitor . 7
5.4.1 Overview . 7
5.4.2 Define evidence of success . 8
5.4.3 Establish monitoring system . 8
6 Continual Review . 8
Annex A (informative) Assessment Scheme .10
Annex B (informative) ISO/IEC 38500 principles and assessment criteria .12
Bibliography .15
© ISO/IEC 2015 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TS 38501:2015(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT), see the following URL: Foreword — Supplementary information.
This committee responsible for this document is ISO/IEC JTC 1, Information Technology, Subcommittee
SC 40, IT Service Maintenance and IT Governance.
iv © ISO/IEC 2015 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TS 38501:2015(E)

Introduction
Information technology (IT) has become pervasive in supporting and enabling the strategy of
organizations and this prevalence mandates the governance of IT as an organizational imperative.
Organizations have made significant investments in IT to automate business processes and to
communicate and transact electronically with their customers and suppliers. The benefits from
these investments have unfortunately not always materialised and in some instances, organizations
have incurred significant financial and reputational damage as a result of IT failures. This has further
heightened governing body awareness of the need for the governance of IT and of their responsibilities
in this regard.
It might be, however, that some governing bodies are uncertain of what arrangements they need to have
in place for the governance of IT.
This Technical Specification has therefore been developed to provide guidance on the implementation
of governance of IT within organizations. It considers governance, both from the perspective of gaining
assurance that the risks associated with the use of IT are appropriately managed, as well as ensuring
that the organization maximizes the value from its investments in IT.
It expands on the model and principles for good governance of IT, as described in ISO/IEC 38500
and ISO/IEC/TR 38502, and provides guidance on a methodology for implementing principles-based
governance of IT.
© ISO/IEC 2015 – All rights reserved v

---------------------- Page: 5 ----------------------
TECHNICAL SPECIFICATION ISO/IEC TS 38501:2015(E)
Information technology — Governance of IT —
Implementation guide
1 Scope
1.1 Overview
This Technical Specification provides guidance on how to implement arrangements for effective
governance of IT within an organization.
1.2 Purpose
This Technical Specification identifies the key activities that an organization has to undertake to
implement governance of IT, in accordance with ISO/IEC 38500.
It provides guidance on the design and establishment of the arrangements for the governance of IT,
clarifying roles and responsibilities of key stakeholders within the organization, as well as providing
examples of matters to consider in the design of the governance of IT.
1.3 Audience
This Technical Specification can be used by individuals responsible for governance of IT within an
organization and individuals supporting in the governance of organizations. This Technical Specification
is applicable to organizations of all sizes and types.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 38500, Corporate governance of information technology
ISO/IEC/TR 38502, Information technology — Governance of IT — Framework and model
3 Implementation approach
The implementation of the governance of IT should be based on a cyclic approach considering the model
presented in ISO/IEC 38500, Figure 1. The first cycle of activities involves the establishment of the initial
“implementation” or baseline, with subsequent cycles of the activities being used to support and enhance
the governance of IT implementation by means of continual improvement. The duration of cycles will be
different for each organization, depending on a number of factors including the organization’s size, its
industry, as well as the maturity of the governance of IT in the organization.
The implementation cycle comprises the following main activities which are expanded in the clauses below.
— Establish and sustain enabling environment: Commence by establishing an enabling environment
which ensures that all stakeholders are appropriately identified and made aware of their roles and
responsibilities. Subsequent cycles will ensure that the enabling environment is sustained.
— Govern IT: Progress to the evaluate, direct, and monitor activities to perform the governance of IT.
© ISO/IEC 2015 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC TS 38501:2015(E)

— Continual review: Review the governance of IT arrangements to determine whether desired
outcomes are being achieved. If not, recommence the implementation cycle to effect the necessary
changes, thereby ensuring continual improvement of the governance of IT implementation.
Continual Review
Establish and Sustain Enabling
Environment
Source of
Govern IT
Authority
Stakeholder
Engagement
Sponsorship
Stakeholder
&
Regulatory
Expectations
The
Responsibilities Obligations
Governing
Body
Business
Business
Evaluate
Needs
Pressures
Direct Monitor
Managers
Management systems for the use of IT
Figure 1 — Implementation approach (incorporates ISO/IEC 38500)
4 Establish and sustain enabling environment
4.1 Overview
The execution and improvement of the governance of IT implementation activities will generally
require clear leadership and commitment from the governing body and the executive managers of the
organization.
The level of engagement of these stakeholders should be proportionate to the importance of the role of IT to
the organization — both currently and in the future, as required by the organization’s goals and strategy.
This may lead to change in terms of organizational culture and behaviours in respect of IT, in addition
to requiring new or improved processes in the governance of IT.
This is achieved through the identification and engagement of appropriate stakeholder groups, as
well as the clarification of roles and responsibilities for the various stakeholders. This is an on-going
activity and therefore needs to be revisited through each pass of the implementation cycle, as individual
stakeholders can change and the stakeholder group responsibilities can mature over time. These
activities are discussed below.
4.2 Ensure internal stakeholder engagement
Two key stakeholder groups should be considered when commencing with a governance of IT
implementation, namely the governing body and executive managers. Awareness should be developed
in these stakeholder groups of the purpose and objectives of governing IT and their various roles
and responsibilities in this regard (see ISO/IEC/TR 38502 for further detail on the relationships and
boundaries between these key stakeholder groups).
2 © ISO/IEC 2015 – All rights reserved
Strategy & Policies
Proposals & Plans
Performance &
Conformance

---------------------- Page: 7 ----------------------
ISO/IEC TS 38501:2015(E)

Developing and maintaining awareness is an on-going process that is enhanced through the successive
iterations of the activities described in this Technical Specification. The awareness should be initiated
by holding briefing sessions and or workshops covering, inter alia:
— how business value is realised from the use of IT;
— the risks associated with maintaining current and implementing new IT capability;
— the need for the governance of IT and how it fits with corporate governance;
— the model and principles that are described in ISO/IEC 38500;
— the framework, roles and responsibilities of stakeholders as described in ISO/IEC/TR 38502;
— facilitating stakeholder assessments of the effectiveness of current governance of IT arrangements
(see Annex A and Annex B).
The first cycle of the implementation provides the opportunity to explain and bed down these concepts
in the context of the organization. This will lead to greater stakeholder understanding and ownership
of their respective roles and responsibilities, as well as the identification of areas for improvement.
Subsequent cycles will provide for the on-boarding of new stakeholders, as well as the refinement and
updating of knowledge and responsibilities for existing stakeholders.
4.3 Clarify sponsorship and responsibilities
There are many activities associated with improving and maintaining effective governance of IT that
need to be actively managed within the organization. These include awareness and education about
the governance of IT, as well as on-going coordination and administration activities. It is therefore
important to determine and appoint a sponsor and a small group of individuals on the first cycle of
the implementation. This group is referred to as the Governance Steering Group in this Technical
Specification but in smaller organizations it may simply be an individual. The Governance Steering
Group has the responsibility to drive the adoption and or transformation of the governance of IT in the
organization. These activities are discussed in further detail in 5.3.4.
The sponsor should be a key influential business/marketing/operations executive manager and should
not be a risk or governance expert or department.
5 Govern IT
5.1 Overview
The three activities of the governance model in ISO/IEC 38500, namely evaluate, direct and monitor,
take place in the Govern IT phase. These are framed and guided by the six principles of the standard
(responsibility, strategy, acquisition, performance, conformance, human behaviour) within the context
of the internal and external environments, as well as organization’s culture for the governance of IT.
It is important to focus and describe what the result of the governance of IT should be when applying
the ISO/IEC 38500 framework, rather than being process or control oriented. This will ensure that the
governing body determines what needs to be achieved, rather than prescribing how it should be done,
thereby appropriately guiding or steering the organization in its use of IT.
In addition, an appropriate mechanism of assessment is required, which must take into account the
principles-based nature of ISO/IEC 38500.
© ISO/IEC 2015 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC TS 38501:2015(E)

5.2 Evaluate
5.2.1 Overview
The evaluate activity is used to establish the internal and external environment and to determine how
the organization is currently supported and enabled through the use of IT (the current state).
The first cycle of the implementation approach also provides an opportunity to introduce, explain and
reinforce the concepts of ISO/IEC 38500 and to highlight the value of the standard to key stakeholders.
Subsequent cycles should also form a key part of the on-going awareness and education program for the
governing body and executive managers.
5.2.2 Understand internal environment
The governing body should maintain an understanding of key aspects of the organization so that IT related
assessments and decisions can be made that are relevant to the organization. Key considerations include:
— business goals;
— business strategy;
— risk appetite and performance;
— culture of the organization and tone at the top;
— organizational maturity and levels of skill, training and competence in the use of IT;
— strategic change initiatives;
— the need for innovative use of IT to obtain competitive advantage;
— assurance reporting including audit and risk;
— how key business processes use and are supported by IT;
— key IT services and how they are provided;
— how the organization engages with partner organizations.
Much of this information will be provided to the governing body for validation or review (e.g. business
strategy, organizational performance, strategic change initiatives, risk appetite, etc.), however, some of
the “softer”, more human aspects might not be formally quantified. In these instances, the governing
body should request executive managers to perform organizational assessments so that this feedback
can be presented to the governing body and taken into consideration.
5.2.3 Understand external environment
The governing body should ensure that they are kept appraised of external factors that might drive
business opportunities and risks, thereby mandating IT related business change responses. These
factors should form part of the environmental reviews that are presented by executive managers when
preparing strategic plans for approval by the governing body. Key considerations include:
Regulatory The impacts that local and global regulations might have on how the organiza-
environment tion treats its IT
Technological How advances in IT can be used to redefine business models and change the
advances ways in which individuals engage
Generational trends The social and cultural expectations of younger generations and the risks and
opportunities that these present for IT – both for members of the organizatio
...