iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 38500:2008

(Main)

Corporate governance of information technology

Corporate governance of information technology

ISO/IEC 38500:2008 provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. ISO/IEC 38500:2008 applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization. It also provides guidance to those advising, informing, or assisting directors. They include: senior managers; members of groups monitoring the resources within the organization; external business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies; vendors of hardware, software, communications and other IT products; internal and external service providers (including consultants); IT auditors.

Gouvernance des technologies de l'information par l'entreprise

General Information

Status
Withdrawn
Publication Date
02-Jun-2008
Withdrawal Date
02-Jun-2008
ICS
35.080 - Software
Technical Committee
ISO/IEC JTC 1 - Information technology
Drafting Committee
ISO/IEC JTC 1 - Information technology
Current Stage
9599 - Withdrawal of International Standard
Completion Date
11-Feb-2015
Ref Project

Relations

Revised
ISO/IEC 38500:2015 - Information technology — Governance of IT for the organization
Effective Date
29-Sep-2012
Revises
ISO/IEC PRF 29382 - Corporate governance of information technology
Effective Date
12-May-2008

Buy Standard

ISO/IEC 38500:2008 - Corporate governance of information technologyISO/IEC 38500:2008 - Corporate governance of information technology
PreviousNext
Standard
ISO/IEC 38500:2008 - Corporate governance of information technology
English language
15 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 38500
First edition
2008-06-01

Corporate governance of information
technology
Gouvernance des technologies de l'information par l'entreprise



Reference number
ISO/IEC 38500:2008(E)
©
ISO/IEC 2008

---------------------- Page: 1 ----------------------
ISO/IEC 38500:2008(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2008 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 38500:2008(E)
Contents Page

1 SCOPE, APPLICATION AND OBJECTIVES.1
1.1 Scope .1
1.2 Application .1
1.3 Objectives.1
1.4 Benefits of Using This Standard .1
1.5 Referenced Documents .3
1.6 Definitions.3
2 FRAMEWORK FOR GOOD CORPORATE GOVERNANCE OF IT.6
2.1 Principles .6
2.2 Model .7
3 GUIDANCE FOR THE CORPORATE GOVERNANCE of IT .9
3.1 General.9
3.2 Principle 1: Responsibility.9
3.3 Principle 2: Strategy .11
3.4 Principle 3: Acquisition.12
3.5 Principle 4: Performance .13
3.6 Principle 5: Conformance.14
3.7 Principle 6: Human Behaviour.15

© ISO/IEC 2008 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 38500:2008(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the
International Electrotechnical Commission) form the specialized system for
worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical
committees established by the respective organization to deal with particular
fields of technical activity. ISO and IEC technical committees collaborate in
fields of mutual interest. Other international organizations, governmental and
non-governmental, in liaison with ISO and IEC, also take part in the work. In
the field of information technology, ISO and IEC have established a joint
technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the
ISO/IEC Directives, Part 2. The main task of the joint technical committee is
to prepare International Standards. Draft International Standards adopted by
the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of
the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this
document may be the subject of patent rights. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
ISO/IEC 38500 was prepared by Standards Australia (as AS8015:2005) and
was adopted, under a “fast-track procedure”, by Joint Technical Committee
ISO/IEC JTC 1, Information technology, in parallel with its approval by
national bodies of ISO and IEC.
ISO/IEC 38500 is a high level, principles based advisory standard. In
addition to providing broad guidance on the role of a governing body, it
encourages organizations to use appropriate standards to underpin their
governance of IT.
At the time of publication of this standard, JTC1 is continuing efforts to
develop further documents relating to governance of Information Technology.
These documents, which are likely to be released in the future as ISO/IEC
Technical Reports and, possibly, as Standards, are expected to address a
range of topics including:
• Governance of Projects involving IT Investment
• Governance of IT used in ongoing Business Operations
iv © ISO/IEC 2008 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 38500:2008(E)
Introduction
The objective of this standard is to provide a framework of principles for
Directors to use when evaluating, directing and monitoring the use of
information technology (IT) in their organizations.
Most organizations use IT as a fundamental business tool and few can
function effectively without it. IT is also a significant factor in the future
business plans of many organizations.
Expenditure on IT can represent a significant proportion of an organization’s
expenditure of financial and human resources. However, a return on this
investment is often not realized fully and the adverse effects on organizations
can be significant.
The main reasons for these negative outcomes are the emphasis on the
technical, financial and scheduling aspects of IT activities rather than
emphasis on the whole business context of IT use.
This standard provides a framework for effective governance of IT, to assist
those at the highest level of organizations to understand and fulfil their legal,
regulatory, and ethical obligations in respect of their organizations’ use of IT.
The framework comprises definitions, principles and a model.
This standard is aligned with the definition of Corporate Governance that was
published as a Report of the Committee on the Financial Aspects of Corporate
Governance (the Cadbury Report) in 1992. The Cadbury Report also
provided the foundation definition of Corporate Governance in the OECD
Principles of Corporate Governance in 1999 (revised in 2004). Users of this
standard are encouraged to familiarise themselves with the Cadbury Report
and the OECD Principles of Corporate Governance.
Governance is distinct from management, and for the avoidance of confusion,
the two concepts are clearly defined in the standard.
While this standard is addressed primarily to the governing body, which may
in turn direct that certain actions be taken by the management of the
organization, it also allows that, in some (typically smaller) organizations, the
members of the governing body may also occupy the key roles in
management. In this way, it ensures that the standard is applicable for all
organizations, from the smallest, to the largest, regardless of purpose, design
and ownership structure.
The standard is also intended to inform and guide those involved in designing
and implementing the management system of policies, processes, and
structures that support governance.
© ISO/IEC 2008 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 38500:2008(E)

Corporate governance of information technology
1 SCOPE, APPLICATION AND OBJECTIVES
1.1 Scope
This standard provides guiding principles for directors of organizations
(including owners, board members, directors, partners, senior executives, or
similar) on the effective, efficient, and acceptable use of Information Technology
(IT) within their organizations.
This standard applies to the governance of management processes (and
decisions) relating to the information and communication services used by an
organization. These processes could be controlled by IT specialists within the
organization or external service providers, or by business units within the
organization.
It also provides guidance to those advising, informing, or assisting directors.
They include:
senior managers;

members of groups monitoring the resources within the organization;

• external business or technical specialists, such as legal or accounting;
specialists, retail associations, or professional bodies;
• vendors of hardware, software, communications and other IT products;
internal and external service providers (including consultants);

• IT auditors.
1.2 Application
This standard is applicable to all organizations, including public and private
companies, government entities, and not-for-profit organizations. The standard
is applicable to organizations of all sizes from the smallest to the largest,
regardless of the extent of their use of IT.
1.3 Objectives
The purpose of this standard is to promote effective, efficient, and acceptable
use of IT in all organizations by:
• assuring stakeholders (including consumers, shareholders, and
employees) that, if the standard is followed, they can have confidence in
the organization’s corporate governance of IT;
• informing and guiding directors in governing the use of IT in their
organization; and
• providing a basis for objective evaluation of the corporate governance of
IT.
1.4 Benefits of Using This Standard
1.4.1 General
This standard establishes principles for the effective, efficient and acceptable
use of IT. Ensuring that their organisations follow these principles will assist
© ISO/IEC 2008 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 38500:2008(E)
directors in balancing risks and encouraging opportunities arising from the use
of IT.
This standard establishes a model for the governance of IT. The risk of
directors not fulfilling their obligations is mitigated by giving due attention to
the model in properly applying the principles.
The standard establishes a vocabulary for the Governance of IT.
1.4.2 Conformance of the organization
Proper corporate governance of IT may assist directors in assuring conformance
with obligations (regulatory, legislation, common law, contractual) concerning
the acceptable use of IT.
Inadequate IT systems can expose the directors to the risk of not complying
with legislation. For example, in some jurisdictions, directors could be held
personally accountable if an inadequate accounting system results in tax not
being paid.
Processes dealing with IT incorporate specific risks that must be addressed
appropriately. For example, directors could be held accountable for breaches of:
• security standards;
• privacy legislation;

spam legislation;
• trade practices legislation;
• intellectual property rights, including software licensing agreements;
• record keeping requirements;
• environmental legislation and regulations;
• health and safety legislation;
• accessibility legislation;
• social responsibility standards.
Directors using the guidelines in this standard are more likely to meet their
obligations.
1.4.3 Performance of the organization
Proper corporate governance of IT assists directors to ensure that IT use
contributes positively to the performance of the organization, through:
• appropriate implementation and operation of IT assets;
• clarity of responsibility and accountability for both the use and provision
of IT in achieving the goals of the organization;
• business continuity and sustainability;
• alignment of IT with business needs;
• efficient allocation of resources;
• innovation in services, markets, and business;
• good practice in relationships with stakeholders;
• reduction in the costs for an organization; and
• actual realization of the approved benefits from each IT investment.
2 © ISO/IEC 2008 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 38500:2008(E)

1.5 Referenced Documents
The following documents are referred to in this Standard:

Report of the Committee on the Financial Aspects of Corporate
Governance, Sir Adrian Cadbury, London, 1992 ISBN 0 85258 913 1
OECD Principles of Corporate Governance, OECD, 1999 and 2004
ISO Guide 73 2002 - Risk management — Vocabulary — Guidelines for
use in standards.

1.6 Definitions
For the purpose of this Standard, the definitions below apply.
It is expected that an organization will adapt the terminology used within this
standard to suit their circumstances or structure.
1.6.1 Acceptable
Meeting stakeholder expectations that are capable of being shown as reasonable
or merited.
1.6.2 Corporate governance
The system by which organizations are directed and controlled. (adapted from
Cadbury 1992 and OECD 1999)
1.6.3 Corporate governance of IT
The system by which the current and future use of IT is directed and controlled.
Corporate governance of IT involves evaluating and directing the use of IT to
support the organization and monitoring this use to achieve plans. It includes
the strategy and policies for using IT within an organization.
1.6.4 Competent
Having the combination of knowledge, formal and informal skills, training,
experience and behavioural attributes required to perform a task or role.
1.6.5 Director
Member of the most senior governing body of an organization. Includes owners,
board members, partners, senior executives or similar, and officers authorized
by legislation or regulation.
1.6.6 Human behaviour
The understanding of interactions among humans and other elements of a
system with the intent to ensure well being and systems performance. Human

© ISO/IEC 2008 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 38500:2008(E)
behaviour includes culture, needs and aspirations of people as individuals and
as groups.
Note: In respect of IT, there are numerous groups or communities of humans,
each with their own needs, aspirations and behaviours. For example, people
who use information systems might exhibit needs relating to accessibility and
ergonomics, as well as availability and performance. People whose job roles are
changing because of the use of IT might exhibit needs relating to
communication, training, and reassurance. People involved in building and
operating IT capabilities might exhibit needs relating to working conditions and
development of skills.
1.6.7 Information technology (IT)
Resources required to acquire, process, store and disseminate information. This
term also includes “Communication Technology (CT)” and the composite term
“Information and Communication Technology (ICT)”.
1.6.8 Investment
Allocation of human, capital and other resources to achieve defined objectives
and other benefits.
1.6.9 Management
The system of controls and processes required to achieve the strategic
objectives set by t
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 5962:2021(Main)
Information technology — SPDX® Specification V2.2.1

This Software Package Data Exchange® (SPDX®) specification defines a standard data format for communicating the component and metadata information associated with software packages. An SPDX document can be associated with a set of software packages, files or snippets and contains information about the software in the SPDX format described in this specification.

  • Standard
    145 pages
    English language
    sale 15% off
  • Draft
    145 pages
    English language
    sale 15% off
ISO
ISO/IEC 5055:2021(Main)
Information technology — Software measurement — Software quality measurement — Automated source code quality measures

The measures in this standard were calculated from detecting and counting violations of good architectural and coding practices in the source code that could result in unacceptable operational risks or excessive costs. Establishing standards for these measures at the source code level is important because they have been used in outsourcing and system development contracts without having international standards to reference. For instance, the ISO/IEC 25000 series of standards that govern software product quality provide only a small set of measures at the source code level. A primary objective of updating these measures was to extend their applicability to embedded software, which is especially important for the growing implementation of embedded devices and the Internet of Things. Functionality that has traditionally been implemented in IT applications is now being moved to embedded chips. Since the weaknesses included in the measures specified in this document have been found to be applicable to all forms of software, embedded software is not treated separately in this specification.

  • Standard
    235 pages
    English language
    sale 15% off
  • Draft
    235 pages
    English language
    sale 15% off
ISO
ISO/IEC 19515:2019(Main)
Information technology — Object Management Group Automated Function Points (AFP), 1.0

1.1 Purpose This International Standard defines a method for automating the counting of Function Points that is generally consistent with the Function Point Counting Practices Manual, Release 4.3.1 (IFPUG CPM) produced by the International Function Point Users Group (IFPUG). Guidelines in this International Standard may differ from those in the IFPUG CPM at points where subjective judgments have to be replaced by the rules needed for automation. The IFPUG CPM was selected as the anchor for this International Standard because it is the most widely used functional measurement specification with a large supporting infrastructure maintained by a professional organization. 1.2 Applicability This International Standard is applicable to the functional sizing of transaction-oriented software applications, and in particular those with data persistency. To be consistent with the IFPUG CPM, the International Standard provides details on the support of applications using relational databases. However, the International Standard can be used and extended for any type of transactional application with data persistency. 1.3 Limitations This International Standard does not address the sizing of enhancements to an application or maintained functionality (often called Enhancement Function Points). Extensions of the automated counting methods described in this International Standard such as Automated Enhancement Function Points will be addressed in future addendums to this International Standard. This International Standard does not address sizing for the non-functional components of a software application. Non-functional components (as defined by IFPUG) include: — Structural Quality Constraints Reliability, Security, Performance Efficiency, Maintainability, etc. — Organizational Constraints locations for operations, target hardware, compliance to standards, etc. — Environmental Constraints interoperability, security, privacy, safety, etc. — Implementation Constraints development language, delivery schedule, etc.

  • Standard
    28 pages
    English language
    sale 15% off
ISO
ISO/IEC 24570:2018(Main)
Software engineering — NESMA functional size measurement method — Definitions and counting guidelines for the application of function point analysis

ISO/IEC 24570:2018 specifies the set of definitions, rules and guidelines for applying the Nesma Function Point Analysis (FPA) method.

  • Standard
    70 pages
    English language
    sale 15% off
ISO
ISO/IEC 19513:2017(Main)
Information technology — Object Management Group Unified Profile for DoDAF and MODAF (UPDM), 2.1.1

This International Standard provides a specification language, UPDM, that is readily understandable not only by the community of architects of information technology systems but also by a wide range of end users including executives and enterprise management that sponsor such systems, program managers that oversee their development, developers of supporting hardware and software (design, implementation, and testing), subject matter experts, and end users. UPDM bridges the gap from setting of requirements to high level system design and to visualization for practitioners. While designed in the context of military organizations and their procurement processes, UPDM can also be applied in entirely civilian industrial and service organization contexts. UPDM 2.1.1 supports the capability to: ? model architectures for a broad range of complex systems, which may include hardware, software, data, personnel, and facility elements; ? model consistent architectures for system-of-systems down to lower levels of design and implementation; ? model service oriented architectures; ? support the analysis, specification, design, and verification of complex systems; and ? improve the ability to exchange architecture information among related tools that are UML based and tools that are based on other standards. The profile provides the modeling of operational capabilities, services, system activities, nodes, system functions, ports, protocols, interfaces, performance, and physical properties and units of measure. In addition, the profile enables the modeling of related architecture concepts such as DoD's doctrine, organization, training material, leadership & education, personnel, and facilities (DOTMLPF) and the equivalent UK Ministry of Defence Lines of Development (DLOD) elements. UPDM 2.1.1, as illustrated in Figure 1.1, addresses DoDAF and MODAF Viewpoints as well as enabling extensions to new architecture perspectives (e.g., Services views, Custom views, Logistics views cost views, etc.). MODAF terminology has been used for simplicity.

  • Standard
    415 pages
    English language
    sale 15% off
ISO
ISO/IEC 19678:2015(Main)
Information Technology — BIOS Protection Guidelines

ISO 19678:2015 provides requirements and guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS) firmware on PC client systems. Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS's unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization ?either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). As used in this publication, the term BIOS refers to conventional BIOS, Extensible Firmware Interface (EFI) BIOS, and Unified Extensible Firmware Interface (UEFI) BIOS. This International Standard applies to system BIOS firmware (e.g., conventional BIOS or UEFI BIOS) stored in the system flash memory of computer systems, including portions that may be formatted as Option ROMs. However, it does not apply to Option ROMs, UEFI drivers, and firmware stored elsewhere in a computer system. Subclause 7.2 provides platform vendors with requirements for a secure BIOS update process. Additionally, subclause 7.3 provides guidelines for managing the BIOS in an operational environment. While this International Standard focuses on current and future x86 and x64 client platforms, the controls and procedures are independent of any particular system design.

  • Standard
    15 pages
    English language
    sale 15% off
ISO
ISO/IEC 40500:2012(Main)
Information technology — W3C Web Content Accessibility Guidelines (WCAG) 2.0

ISO/IEC 40500:2012 [Web Content Accessibility Guidelines (WCAG) 2.0] covers a wide range of recommendations for making Web content more accessible. Following these guidelines will make content accessible to a wider range of people with disabilities, including blindness and low vision, deafness and hearing loss, learning disabilities, cognitive limitations, limited movement, speech disabilities, photo-sensitivity and combinations of these. Following these guidelines will also often make your Web content more usable to users in general. WCAG 2.0 success criteria are written as testable statements that are not technology-specific. Guidance about satisfying the success criteria in specific technologies, as well as general information about interpreting the success criteria, is provided in separate documents. An overview of WCAG 2.0, the WCAG 2.0 standard, technical and education material supporting implementation of WCAG 2.0, and information on translating WCAG 2.0, are freely available from Web Content Accessibility Guidelines (WCAG) Overview.

  • Standard
    2 pages
    English language
    sale 15% off
ISO
ISO/IEC 17998:2012(Main)
Information technology — SOA Governance Framework

ISO/IEC 17998:2012 describes a framework that provides context and definitions to enable organizations to understand and deploy service-oriented architecture (SOA) governance. ISO/IEC 17998:2012 defines: SOA Governance, including its relationship between Business, IT, and EA governance; this assists organizations in understanding the impact that the introduction of SOA into an organization has on governance; an SOA Governance Reference Model (SGRM) and its constituent parts, which assists organizations in specifying their appropriate governance regimes; and capturing best practice as a basis for a common approach; the SOA Governance Vitality Method (SGVM) which assists organizations in customizing the SGRM and realizing their SOA Governance Regimen. ISO/IEC 17998:2012 is not intended to be used as provided; it is intended to be customized to create appropriate SOA governance for the organization. Many of the lists are non-normative and exemplary and intended to be filtered and as input to the customization process. ISO/IEC 17998:2012 does not include an explanation of the fundamentals and value of SOA, which is important for being able to understand and apply SOA governance. It lists some of the many other specifications and books that are available on SOA basics.

  • Standard
    87 pages
    English language
    sale 15% off
ISO
ISO/IEC 19500-1:2012(Main)
Information technology — Object Management Group — Common Object Request Broker Architecture (CORBA) — Part 1: Interfaces

ISO/IEC 19500-1:2012 specifies the CORBA Object Model and uses concepts from that model to define the operation of the Object Request Broker (ORB). The ORB is the basic mechanism by which objects transparently make requests to, and receive responses from, each other on the same machine or across a network. A client need not be aware of the mechanisms used to communicate with or activate an object, how the object is implemented, or where the object is located.

  • Standard
    509 pages
    English language
    sale 15% off
  • Standard
    509 pages
    English language
    sale 15% off
ISO
ISO/IEC 19500-2:2012(Main)
Information technology — Object Management Group — Common Object Request Broker Architecture (CORBA) — Part 2: Interoperability

ISO/IEC 19500-2:2012 specifies a comprehensive, flexible approach to supporting networks of objects that are distributed across and managed by multiple, heterogeneous CORBA-compliant Object Request Brokers (ORBs). The approach to inter-ORB operation is universal, because elements can be combined in many ways to satisfy a very broad range of needs. ISO/IEC 19500-2:2012 specifies ORB interoperability architecture Inter-ORB bridge support General Inter-ORB Protocol (GIOP) for object request broker (ORB) interoperability. GIOP can be mapped onto any connection-oriented transport protocol that meets a minimal set of assumptions defined by this International Standard Internet Inter-ORB Protocol (IIOP), a specific mapping of the GIOP which runs directly over connections that use the Internet Protocol and the Transmission Control Protocol (TCP/IP connections) CORBA Security Attribute Service (SAS) protocol and its use within the CSIv2 architecture to address the requirements of CORBA security for interoperable authentication, delegation, and privileges ISO/IEC 19500-2:2012 provides a widely implemented and used particularization of ITU-T Rec. X.931 | ISO/IEC 14752. It supports interoperability and location transparency in ODP systems.

  • Standard
    226 pages
    English language
    sale 15% off