Skip to content

ISO/IEC 38500

ISO/IEC 38500

International Standard for Corporate Governance of IT

1. Overview of ISO/IEC 38500, the International Standard for IT Governance

    flowchart LR
    A["Traditional IT management"] -- "Shift to business-centered governance" --> B["ISO/IEC 38500 Standard"]
  

Definition: An IT governance standard model that helps an organization’s decision-makers (the board) manage IT use effectively, efficiently, and acceptably.

Characteristics:
(Business-centered) Emphasizes a top-down governance approach from a business perspective rather than a technology perspective.
(Six principles) Sets the direction for IT governance through six principles: Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behavior.
(EDM model) Clearly separates governance and management responsibilities through three activities: Evaluate, Direct, and Monitor.


2. ISO/IEC 38500 Governance Model and Core Principles

A. IT Governance Framework (EDM Model)

    flowchart TD
    BOA["Board of Directors"]
    BUS["Business environment / requirements"]

    subgraph EDM["Governance Activities (EDM)"]
        E["Evaluate"]
        D["Direct"]
        M["Monitor"]
        
        E --> D
        D --> M
        M --> E
    end

    MGT["Management"]

    BUS --> BOA
    BOA --> E
    D -->|"Direct policy and strategy"| MGT
    MGT -->|"Report performance and compliance"| M
    M --> BOA
    
    style EDM fill:#f9f9f9,stroke:#333,stroke-width:2px
    style BOA fill:#1E3A5F,color:#fff
    style MGT fill:#16A34A,color:#fff
  
ActivityDescriptionKey Role
EvaluateContinuously evaluates current and future use of ITAssesses business value creation and risk level
DirectDirects strategy and policy to achieve business objectivesEstablishes guidelines and policy for IT asset use
MonitorMeasures policy compliance and performance (monitoring)Confirms whether directives are implemented and risk is controlled

B. Six Principles for Successful IT Governance Implementation

    flowchart TD
  ROOT["ISO/IEC 38500: Six Principles"]
  P1["Responsibility"]
  P2["Strategy"]
  P3["Acquisition"]
  P4["Performance"]
  P5["Conformance"]
  P6["Human Behavior"]

  ROOT --> P1
  ROOT --> P2
  ROOT --> P3
  ROOT --> P4
  ROOT --> P5
  ROOT --> P6

  style ROOT fill:#1E3A5F,color:#fff
  
PrincipleKey Content
ResponsibilityClarifies the authority and accountability of individuals and groups for IT supply and demand within the organization
StrategyAligns business strategy with IT capability and supports the achievement of objectives
AcquisitionRational IT asset acquisition and risk-based decision-making through investment analysis
PerformanceEnsures the performance and service level of IT systems in support of business processes
ConformanceEnsures compliance with laws, regulations, contracts, and other external and internal policies
Human BehaviorEstablishes IT policy that takes into account user behavior patterns and social needs

3. Effects and Applications of Adopting ISO/IEC 38500

CategoryKey Expected EffectApplication and Practical Use
Executive perspectiveEnsuring decision-making transparencyStrengthening accountability for IT investment and establishing a governance framework
Business perspectiveMaximizing valueImproving IT project success rates and strengthening responsiveness to business change
Risk managementRisk control and complianceCompliance response and proactive management of IT operational risk