The release of ISO 38500 brings greater clarity to the topic of IT governance. Described as a standard for "corporate governance of IT" this standard is aligned with the 1992 definition of Corporate Governance published in the Cadbury Report in the United Kingdom. This standard provides a framework with six guiding principles for good corporate governance of IT and a model for directors to govern IT with three main tasks: evaluate, direct and control.

ISO 38500 decribes governance as being distinct from management and defines governance as the system used by the most senior governing body (e.g. board of directors) of an organisation for directing and controlling the current and future use of IT. The objective is to support the organisation achieve its plans.

Managers looking to implement ISO 38500 will find CobiT (www.isaca.org) a good reference for the policies, processes, structures and controls needed to implement the management system that supports governance as this standard only describes what should happen, but not how, by when or by whom.

The scope of this standard is the governance of all management processes relating to IT services. The six principles address:

  • Assigning reponsibilities to competent persons with decision-making authority, making use of appropriate governance mechanisms and make sure responsibilities are understood
  • Align IT activities with business objectives, focus on organisational benefits and ensure benefits are realised
  • Invest in IT so that propsals can be realised, balncing risk and value delivered
  • Provide the capability and capacity in IT to support the business, risks are to be managed, resources are to be protected (including intellectual property and the organisational memory), measure how IT supports the business
  • Provide adequate internal controls to meet internal and external compliance requirements
  • Identify the human behaviour require and develop work practices for the appropriateuse of IT.