ISO/IEC 38500

ISO/IEC 38500 is an international standard for corporate governance of information technology published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is heavily based on the AS 8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology, originally published in January 2005.[1][2]

History

The introduction of AS 8015 in 2005 brought about the first standard "to describe governance of IT without resorting to descriptions of management systems and processes."[3] The 12-page document stood out and attracted the attention of the international community. The ISO/IEC technical committee JTC 1 reached out to Standards Australia, the group that pushed AS 8015 forward, and asked them to participate in the international adaptation process.[4] On 1 February 2007 the ISO/IEC published the first draft international standard (DIS) of the revised AS 8015 as ISO/IEC DIS 29382.[5] The DIS then received "fast-track" status in July 2007 (meaning the draft standard could then be submitted for approval as an ISO standard[6]), revisions of the document were made in September 2007, and the final disposition of comments was completed in January 2008, resulting in the standard being sent to the ISO/IEC Information Technology Task Force for international standards processing.[7]

Depending on the source, shortly before final approval of the standard in either April[8][9] or May 2008,[10] the ISO/IEC chose to rename the document ISO/IEC 38500, before finally publishing the finalized version on 1 June as ISO/IEC 38500:2008.[10][11]

Updates to the standard

On 12 February 2015 the ISO/IEC updated the standard to 38500:2015. Standards Australia described the changes as follows:[12]

With the evolution of thinking in the field of IT governance, ISO/IEC 38500 was revised in 2015. The main changes include the title of the standard, from Corporate Governance of IT to Governance of IT for the Organization, which reflects the wider applicability of the standard. Terminology and definitions have also been updated and refined throughout the document to reflect the widened scope and to make the standard more applicable across different international jurisdictions, cultures and languages.

In a February 2015 article submitted to Communications of the ACM, Juiz and Toomey (involved in the development process) highlighted this "wider applicability":[3]

In the ISO/IEC 38500 model, the governing body is a generic entity (the individual or group of individuals) responsible and accountable for performance and conformance (through control) of the organization. While ISO/IEC 38500 makes clear the role of the governing body, it also allows that such delegation could result in a subsidiary entity giving more focused attention to the tasks in governance of IT (such as creation of a board committee). It also includes delegation of detail to management, as in finance and human resources. There is an implicit expectation that the governing body will require management establish systems to plan, build, and run the IT-enabled organization.

References

  1. Smallwood, R.F. (2014). "Chapter 10: Information Governance and Information Technology Functions". Information Governance: Concepts, Strategies, and Best Practices. John Wiley & Sons, Inc. pp. 189–206. ISBN 9781118421017. Retrieved 23 June 2016.
  2. Toomey, M. (20 November 2008). "A Significant Achievement" (PDF). The Informatics Letter. Infonomics Pty Ltd. Archived from the original (PDF) on 27 February 2016. Retrieved 23 June 2016.
  3. Juiz, C.; Toomey, M. (2015). "To Govern IT, or Not to Govern IT?". Communications of the ACM. 58 (2): 58–64. doi:10.1145/2656385. S2CID 34086325.
  4. McKay, A. (2007). "Australia leads the world on ICT governance". Up. 8 (Summer 2007): 3. Archived from the original (PDF) on 11 September 2009. Retrieved 23 June 2016.
  5. "ISO/IEC DIS 29382: 2007 Edition, February 1, 2007". IHS Standards Store. IHS, Inc. Archived from the original on 23 June 2016. Retrieved 23 June 2016.
  6. Jones, B. (29 January 2007). "Explanation of the ISO "Fast-Track" process". Microsoft Developer Network Blog. Microsoft. Retrieved 23 June 2016.
  7. "JTC1/SC7 List of Documents: N3851 - N3900". ISO/IEC. 18 January 2008. Archived from the original on 23 June 2016. Retrieved 23 June 2016.
  8. "IT Governance and The International Standard, ISO/IEC 38500". IT Governance. IT Governance Ltd. Archived from the original on 17 March 2016. Retrieved 23 June 2016.
  9. "ISO 38500 IT Governance Standard". 38500.org. 2008. Archived from the original on 5 June 2016. Retrieved 23 June 2016.
  10. Garcia-Menendez, M. (1 June 2009). "ISO/IEC 38500:2008. Un año difundiendo el concepto de 'Buen Gobierno Corporativo de las TIC'". Gobernanza de TI (in Spanish). Retrieved 23 June 2016.
  11. "ISO/IEC 38500:2008". ISO. Retrieved 23 June 2016.
  12. "2015 Edition of ISO/IEC 38500 Published" (PDF). Standards Australia. 23 March 2015. Archived from the original (PDF) on 30 March 2016. Retrieved 23 June 2016.