ISO/IEC 38500

ISO/IEC 38500 is the international standard that specifies guiding principles for directors of organizations on the:

  • acceptable,
  • effective, and
  • efficient

use of Information Technology (IT) within their organizations. It applies to the governance of the management processes (and decisions) relating to the information and communication services used by an organization.

These processes may be controlled by IT specialists within the organization, by external service providers, or by business units within the organization.

It also provides guidance to those advising, informing, or assisting directors. They include:

  • external business or technical specialists, such as legal or accounting specialists;
  • internal and external service providers (including consultants);
  • IT auditors;
  • members of groups monitoring the resources within the organization;
  • professional bodies;
  • retail associations;
  • senior managers;
  • vendors of hardware, software, communications and other IT products.

ISO/IEC 38500 draws upon a number of sources, the main one being the Australian standard AS 8015:2005, which defines six principles of IT governance:

  • acquire IT validly;
  • ensure conformance with formally documented organisational rules;
  • ensure IT performs well whenever required;
  • ensure IT use respects human factors;
  • establish clearly understood responsibilities for IT;
  • plan IT to best support the organization.

ISO/IEC 38500 superseded the earlier draft numbered ISO/IEC 29382; it was officially renamed ISO/IEC 38500 in April 2008.

International Standards can be purchased from the British Standards Institution (BSI) shop.