This document outlines a framework for ICT governance based on the ISO/IEC 38500 standard, modified for non-profit organizations. It describes six key dimensions that board members should monitor, evaluate, and direct: responsibility, strategy, acquisition, performance, conformance, and human behavior. For each dimension, it lists requirements from the standard and provides a column to note implications for developing an ICT governance policy, including questions, strengths/weaknesses, and anything already in place. The framework is intended to guide a board workshop discussion on defining the policy.

1. Commercial in Confidence
The ICT Governance Standard
This diagram encapsulates ICT governance as defined by the ISO/IEC 38500 standard
modified for a non-profit organisation.
The core duties are the monitor, evaluate and direct ICT. The standard suggests six
dimensions in which directors should carry out these duties.
Responsibility
Strategy
Acquisition
Performance
Conformance
Human Behaviour
Page 1 of 9

2. Commercial in Confidence
The following tables lists the tasks required to monitor evaluate and direct each
dimension. Our board workshop will include a discussion about this framework and
will start defining the implications in terms of policy, reporting and KPIs.
You’ll note that some of the requirements are that we’ve defined our requirements.
And in many cases the monitoring, evaluating and directing are all encompassed by
having a policy in place. So this list isn’t a daunting as it appears from the number of
pages involved.
Please start by making notes in the Implications column ready for a group discussion.
In that discussion we will effectively make a first outline draft of your governance
framework for later revision and refinement. In the first instance make a note of
Any questions arising
Strengths and opportunities
Weaknesses and threats
Anything already in place
Anything from another source you think could be helpful
Page 2 of 9

3. Commercial in Confidence
Direct
Evaluate
Monitor
DIMENSION: RESPONSIBILITY
REQUIREMENT (from ISO 38500)
IMPLICATIONS
Directors should monitor that appropriate ICT governance
mechanisms are established and maintained.
Directors should monitor that those given responsibility
acknowledge and understand their responsibilities.
Directors should monitor the performance of those given
responsibility in the governance of ICT (for example, those people
serving on steering committees or presenting proposals to
director(s)
Directors should evaluate the options for assigning
responsibilities in respect of the organization’s current and future
use of ICT. In evaluating options, directors should seek to ensure
effective, efficient, and acceptable use and delivery of ICT in
support of current and future business objectives.
Directors should evaluate the competence of those given
responsibility to make decisions regarding ICT.
Directors should direct that plans be carried out according to the
assigned ICT responsibilities.
Directors should direct that they receive the information that
they need to meet their responsibilities and accountability.
Page 3 of 9

4. Commercial in Confidence
Direct
Evaluate
Monitor
DIMENSION: STRATEGY
REQUIREMENT
Directors should monitor the progress of approved ICT proposals
to ensure that they are achieving objectives in required
timeframes using allocated resources.
Directors should monitor the use of ICT to ensure that it is
achieving its intended benefits
IMPLICATIONS
Directors should evaluate developments in ICT and business
processes to ensure that ICT will provide support for future
business needs.
In considering plans and policies, directors should evaluate ICT
activities to ensure they align with the organization’s objectives
for changing circumstances, take consideration of better
practices and satisfy other key stakeholder requirements.
Directors should ensure that ICT is subject to appropriate risk
assessment and evaluation, as described in relevant
international and national standards.
Directors should direct the preparation and use of plans and
policies that ensure the organization does benefit from
developments in ICT.
Directors should encourage the submission of proposals for
innovative ICTuse that enables the organization to respond to
new opportunities or challenges, undertake new businesses or
improve processes.
Page 4 of 9

5. Commercial in Confidence
Direct
Evaluate
Monitor
DIMENSION: AQUISITION
REQUIREMENT
Directors should monitor ICT investments to ensure that they
provide the required capabilities.
Directors should monitor the extent to which their organization
and suppliers maintain the shared understanding of the
organization's intent in making any ICT acquisition
Directors should evaluate options for providing ICT to realize
approved proposals, balancing risks and value for money of
proposed investments.
IMPLICATIONS
Directors should direct that ICT assets (systems and
infrastructure) be acquired in an appropriate manner, including
the preparation of suitable documentation, while ensuring that
required capabilities are provided.
Directors should direct that supply arrangements (including both
internal and external supply arrangements) support the business
needs of the organization.
Page 5 of 9

6. Commercial in Confidence
Evaluate
Monitor
DIMENSION: PERFORMANCE
REQUIREMENT
Directors should monitor the extent to which ICT does support
the business.
Directors should monitor the extent to which allocated resources
and budgets are prioritised according to business objectives.
Directors should monitor the extent to which the policies, such
as for data accuracy and the efficient use of ICT, are followed
properly
Directors should evaluate the means proposed by the managers
to ensure that ICT will support business processes with the
required capability and capacity. These proposals should address
the continuing normal operation of the business and the
treatment of risk associated with the use of ICT.
Directors should evaluate the risks to continued operation of the
business arising from ICT activities.
Directors should evaluate the risks to the integrity of information
and the protection of ICT assets, including associated intellectual
property and organizational memory.
Directors should evaluate options for assuring effective, timely
decisions about use of ICT in support of business goals.
Directors should regularly evaluate the effectiveness and
performance of the organization’s system for Governance of ICT.
Directors should ensure allocation of sufficient resources so that
ICT meets the needs of the organization, according to the agreed
priorities and budgetary constraints.
IMPLICATIONS
Page 6 of 9

7. Commercial in Confidence
IMPLICATIONS
Direct
DIMENSION: PERFORMANCE continued
REQUIREMENT
Directors should ensure allocation of sufficient resources so that
ICT meets the needs of the organization, according to the agreed
priorities and budgetary constraints.
Directors should direct those responsible to ensure that ICT
supports the business, when required for business reasons, with
correct and up-to-date data that is protected from loss or
misuse.
Page 7 of 9

8. Commercial in Confidence
Direct
Evaluate
Monitor
DIMENSION: CONFORMANCE
REQUIREMENT
Directors should monitor ICT compliance and conformance
through appropriate reporting and audit practices, ensuring that
reviews are timely, comprehensive, and suitable for the
evaluation of the extent of satisfaction of the business.
Directors should monitor ICT activities, including disposal of
assets and data, to ensure that environmental, privacy, strategic
knowledge management,
preservation of organizational memory and other relevant
obligations are met
Directors should regularly evaluate the extent to which ICT
satisfies obligations (regulatory, legislation, common law,
contractual), internal policies, standards and professional
guidelines.
Directors should regularly evaluate the organization’s internal
conformance to its system for Governance of ICT.
Directors should direct those responsible to establish regular and
routine mechanisms for ensuring that the use of ICT complies
with relevant obligations (regulatory, legislation, common law,
contractual), standards and guidelines.
Directors should direct that policies are established and enforced
to enable the organization to meet its internal obligations in its
use of ICT.
Directors should direct that ICT staff follow relevant guidelines
for professional behaviour and development.
Directors should direct that all actions relating to ICT be ethical
IMPLICATIONS
Page 8 of 9

9. Commercial in Confidence
IMPLICATIONS
Direct
Evaluate
Monitor
DIMENSION: HUMAN BEHAVIOUR
REQUIREMENT
Directors should monitor ICT activities to ensure that identified
human behaviours remain relevant and that proper attention is
given to them.
Directors should monitor work practices to ensure that they are
consistent with the appropriate use of ICT
Directors should evaluate ICT activities to ensure that human
behaviours are identified and appropriately considered.
Directors should direct that ICT activities are consistent with
identified human behaviour.
Directors should direct that risks, opportunities, issues and
concerns may be identified and reported by anyone at any time.
These risks should be managed in accordance with published
policies and procedures and escalated to the relevant decision
makers
Page 9 of 9