ISO/IEC 38500
ISO/IEC 38500
International Standard for Corporate Governance of IT
1. Overview of ISO/IEC 38500, the International Standard for IT Governance
flowchart LR
A["Traditional IT management"] -- "Shift to business-centered governance" --> B["ISO/IEC 38500 Standard"]
Definition: An IT governance standard model that helps an organization’s decision-makers (the board) manage IT use effectively, efficiently, and acceptably.
Characteristics:
(Business-centered) Emphasizes a top-down governance approach from a business perspective rather than a technology perspective.
(Six principles) Sets the direction for IT governance through six principles: Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behavior.
(EDM model) Clearly separates governance and management responsibilities through three activities: Evaluate, Direct, and Monitor.
2. ISO/IEC 38500 Governance Model and Core Principles
A. IT Governance Framework (EDM Model)
flowchart TD
BOA["Board of Directors"]
BUS["Business environment / requirements"]
subgraph EDM["Governance Activities (EDM)"]
E["Evaluate"]
D["Direct"]
M["Monitor"]
E --> D
D --> M
M --> E
end
MGT["Management"]
BUS --> BOA
BOA --> E
D -->|"Direct policy and strategy"| MGT
MGT -->|"Report performance and compliance"| M
M --> BOA
style EDM fill:#f9f9f9,stroke:#333,stroke-width:2px
style BOA fill:#1E3A5F,color:#fff
style MGT fill:#16A34A,color:#fff
| Activity | Description | Key Role |
|---|---|---|
| Evaluate | Continuously evaluates current and future use of IT | Assesses business value creation and risk level |
| Direct | Directs strategy and policy to achieve business objectives | Establishes guidelines and policy for IT asset use |
| Monitor | Measures policy compliance and performance (monitoring) | Confirms whether directives are implemented and risk is controlled |
B. Six Principles for Successful IT Governance Implementation
flowchart TD
ROOT["ISO/IEC 38500: Six Principles"]
P1["Responsibility"]
P2["Strategy"]
P3["Acquisition"]
P4["Performance"]
P5["Conformance"]
P6["Human Behavior"]
ROOT --> P1
ROOT --> P2
ROOT --> P3
ROOT --> P4
ROOT --> P5
ROOT --> P6
style ROOT fill:#1E3A5F,color:#fff
| Principle | Key Content |
|---|---|
| Responsibility | Clarifies the authority and accountability of individuals and groups for IT supply and demand within the organization |
| Strategy | Aligns business strategy with IT capability and supports the achievement of objectives |
| Acquisition | Rational IT asset acquisition and risk-based decision-making through investment analysis |
| Performance | Ensures the performance and service level of IT systems in support of business processes |
| Conformance | Ensures compliance with laws, regulations, contracts, and other external and internal policies |
| Human Behavior | Establishes IT policy that takes into account user behavior patterns and social needs |
3. Effects and Applications of Adopting ISO/IEC 38500
| Category | Key Expected Effect | Application and Practical Use |
|---|---|---|
| Executive perspective | Ensuring decision-making transparency | Strengthening accountability for IT investment and establishing a governance framework |
| Business perspective | Maximizing value | Improving IT project success rates and strengthening responsiveness to business change |
| Risk management | Risk control and compliance | Compliance response and proactive management of IT operational risk |