ISO 38500 describes governance as being distinct from management and defines governance as the system used by the most senior governing body (e.g. board of directors) of an organisation for directing and controlling the current and future use of IT. The objective is to support the organisation in achieving its plans.
Managers looking to implement ISO 38500 will find COBIT (www.isaca.org) a good reference for the policies, processes, structures and controls needed to implement the management system that supports governance, because this standard only describes what should happen, not how, by when or by whom.
The scope of this standard is the governance of all management processes relating to IT services. The six principles address:
- Assign responsibilities to competent persons with decision-making authority, make use of appropriate governance mechanisms and make sure responsibilities are understood
- Align IT activities with business objectives, focus on organisational benefits and ensure benefits are realised
- Invest in IT so that proposals can be realised, balancing risk against the value delivered
- Provide the capability and capacity in IT to support the business: risks are to be managed, resources are to be protected (including intellectual property and the organisational memory), and how IT supports the business is to be measured
- Provide adequate internal controls to meet internal and external compliance requirements
- Identify the human behaviour required and develop work practices for the appropriate use of IT.