ISO/IEC 38500 vs. ISO/IEC 27000

Christophe Feltus

Member of the ISO Working Group on Identity Management
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg

christophe.feltus@tudor.lu
Outline

Beyond ISO 38500
   Scope
   Objectives
   6 principles
   Model for Corporate Governance of ICT


Review of elements of ICT governance in ISO/IEC 27000 standards

Conclusions
Beyond ISO 38500: scope

The objective of this Standard is to provide a framework of principles for Directors to
use when evaluating, directing and monitoring the use of information technology
(IT) in their organizations.

This standard provides a framework for effective governance of IT, to assist those at
the highest level of organizations to understand and fulfil their legal, ethical and
moral obligations in respect of their organizations' use of IT. The framework
comprises definitions, principles and a model.
Beyond ISO 38500: scope

Governance is distinct from management, and for the avoidance of confusion, the two
concepts are clearly defined in the standard.

…the members of the governing body may also occupy the key roles in management.

It provides guidance to those advising, informing, or assisting directors. They include:
    • Senior managers.
    • Members of groups monitoring the resources within the organization.
    • External business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies.
    • Vendors of hardware, software, communications and other IT products.
    • Internal and external service providers (including consultants).
    • IT auditors.


The standard is applicable to all organizations, from the smallest
to the largest, regardless of purpose, design and ownership structure.

Beyond ISO 38500: objectives

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT
   in all organizations by:

   assuring stakeholders (including consumers, shareholders, and employees) that, if
   the standard is followed, they can have confidence in the organization’s corporate
   governance of IT;

   informing and guiding directors in governing the use of IT in their organization; and

   providing a basis for objective evaluation of the corporate governance of IT.
Beyond ISO 38500: 6 principles

Principle 1: Establish clearly understood responsibilities for IT

Principle 2: Plan IT to best support the organization

Principle 3: Acquire IT validly

Principle 4: Ensure that IT performs well, whenever required

Principle 5: Ensure IT conforms with formal rules

Principle 6: Ensure IT use respects human factors
Beyond ISO 38500: Model for Corporate Governance of ICT

Directors should govern ICT through three main tasks:
    (a) Evaluate the use of ICT.
    (b) Direct preparation and implementation of plans and policies.
    (c) Monitor conformance to policies, and performance against the plans.
Elements of ICT governance in existing ISO/IEC 27000 standards

ISO/IEC 27000 family of standards

Elements of ICT governance in existing ISO/IEC 27000 standards

The ISO/IEC 27000 standards overlap with ICT governance in many areas.
The most significant of these are:

   Risk management
            4.2 Establishing and managing the ISMS
   Connections with legislation
            4.2.1 ISMS policy
            7.3 Management review output
            A.15.1 Compliance with legal requirements
   Performance
            A.10.3.1 Capacity management
   Tight relationship with management is required
            Clause 5 Management responsibility
   Internal auditing
            Clause 6 Internal ISMS audits
   Ensuring business continuity
            A.14 Business continuity management
Conclusions

This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 have many
relationships with ICT governance.

The new ICT governance standard should take these similarities into account
thoroughly so that inconsistent overlap can be prevented.

This is especially important if it becomes possible to certify against this new
standard, so that combined audits against both ISO/IEC 27001 and the ICT governance
standard can be conducted in a logical and cost-effective way.


Sources:
ISO/IEC 38500: Corporate governance of information technology
ISO/IEC 27000 family
Inspecta Certification report for ISO/IEC 38500

Eurosec'2008, Christophe Feltus
