IT Compliance and Controls

Converging Business, Information, and Controls


Greater Guidance and IT Governance with ISO 38500

June 24th, 2008 · 1 Comment

Lack of alignment between business and technology services is a proven epidemic. It shows up in obvious security and fraud incidents, and it does even greater damage to the competitiveness of every business that leverages technology. An interesting napkin fact: nearly a third of IPOs over the past 12 months were for businesses that are solely technology companies (i.e., they are not making a widget in a factory but have digital assets and services). Businesses that have the right technology, deployed in a manner that is optimal for operations and delivers the necessary value, are more competitive, and as a byproduct they are less susceptible to fraud and security incidents.

According to Francois Coallier of the ISO subcommittee, “ISO/IEC 38500 will help the governing body to evaluate, direct and monitor the use of IT. It will assist directors in assuming conformance with obligations – regulatory, legislation, common law, contractual – concerning the acceptable use of IT and to have a proper corporate governance of IT.”

The framework (yes, another one) is broken out into principles (so don’t expect specific tactical guidance or how-tos) that establish decision-making flows: Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behavior.

It is a total of 16 pages, so an astonishingly short read for such an important subject. Similar to how BS 7799 became ISO 17799, AS8015-2005, the Australian Standard for Corporate Governance of Information and Communication Technology (ICT), is the origin of ISO 38500 (a nice write-up here; thanks for the link, Serge). Calvin Powers wrote a nice article describing the standard and provided a useful cross-analysis against the ITGI’s recent release of their own Val IT. Also check out Serge Thorn’s take on this standard release.

Call to Action: Purchase the standard and commit to having your organization’s governance process baselined against this latest release. For each variance, determine whether the concerns raised by this standard and others are addressed.

There are numerous other references, so what are your favorites?


James DeLuccia


1 response so far

John James O'Brien // Oct 25, 2008 at 8:32 pm

    Governance, transparency, consistency–principles–all good. I’d like to see ICT management informed with the thinking that derives from wrapping one’s head around ISO 15489 (better yet, our own pending publication model for knowledge resource management).

    It’s about really thinking these issues through–kudos to you for the Call to Action. So many think one simply buys the standard and requires compliance. Variance is a norm, to be justified in context.

    Glad to have found your blog.
