IT Governance & ISO 38500

ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Ramiro Cid | @ramirocid
IT Governance & ISO 38500

2
Index
1. First approach to IT Governance Slide 3
2. Problems with IT Governance Slide 4
3. IT Governance: Frameworks Slide 5
4. IT Governance: Lifecycle Slide 7
5. ISO/IEC 38500:2008 - Main topics Slide 8
6. ISO/IEC 38500:2008 - Main purposes Slide 9
7. ISO/IEC 38500:2008 - 6 Basic principles Slide 10
8. ISO/IEC 38500:2008 - Remarking 2 Basic principles Slide 11
9. Sources used to expand knowledge Slide 12

IT Governance or Corporate governance of information technology is a subset discipline of corporate
governance, focused on information and technology (IT) and its performance and risk management.
The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts
on an organization's strategic objectives and to better manage the performance of those responsible for
creating this value in the best interest of all stakeholders.
It is also very important to have an alignment of IT strategy with the business strategy. It has evolved from
The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management
system.
An IT Governance framework is used to identify, establish and link the mechanisms to oversee the use of
information and related technology to create value and manage the risks associated with using information
and technology.
1. First approach to IT Governance

IT governance is often confused with IT management, compliance and IT controls. The problem is increased by
terms such as "governance, risk and compliance (GRC)" that establish a link between governance and
compliance. The primary focus of IT governance is the stewardship of IT resources on behalf of various
stakeholders whose ranking is established by the organization's governing body. A simple way to explain IT
governance is: what is to be achieved from the leveraging of IT resources. While IT management is about
"planning, organizing, directing and controlling the use of IT resources" (that is, the how), IT governance is
about creating value for the stakeholders based on the direction given by those who govern. ISO 38500 has
helped clarify IT governance by describing a model to be used by company directors.
While directors are responsible for this stewardship it is not unusual that will delegate this responsibility to
management (business and IT) who are expected to develop the necessary capability to deliver the
performance expected. Whilst managing risk and ensuring compliance are essential components of good
governance, the primary focus is on delivering value and managing performance (i.e. "Governance, Value
delivery and Performance management" (GVP)).
2. Problems with IT Governance

 AS8015-2005: Australian Standard for Corporate Governance of Information and Communication
Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.
 ISO/IEC 38500:2008: Corporate governance of information technology (very closely based on AS8015-
2005) provides a framework for effective governance of IT to assist those at the highest level of
organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their
organizations’ use of IT. ISO/IEC 38500 is applicable to organizations from all sizes, including public and
private companies, government entities, and not-for-profit organizations.
3. IT Governance: Frameworks

 COBIT: Is regarded as the world's leading IT governance and control framework. COBIT provides a
reference model of 37 IT processes typically found in an organization. Each process is defined together
with process inputs and outputs, key process activities, process objectives, performance measures and an
elementary maturity model. ISACA published COBIT 5 in April 2012 as a "business framework for the
governance and management of enterprise IT". COBIT 5 consolidates COBIT4.1, Val IT and Risk IT into a
single framework acting as an enterprise framework aligned and interoperable with TOGAF and ITIL. Last
version is COBIT 5.
3. IT Governance: Frameworks

4. IT Governance: Lifecycle

IT Governance has an ISO, it is the ISO/IEC 38500:2008 called “Corporate governance of information
technology”. This presentation will focus in this IT Governance framework.
This standard was published in June 2008 and complements the set of ISO standards that affect the
systems and information technologies (such as ISO/IEC 27001, ISO/IEC 20000, etc.).
This rule sets standards for good management of business processes and decisions related to information
and communication services that are usually managed by specialists in IS / internal or within other business
units of the IT organization, such as suppliers external service.
5. ISO/IEC 38500:2008 - Main topics

In essence, all that this proposed rule can be summarized into three main purposes:
a) Ensure that, if the rule is followed properly, the stakeholders (managers, consultants, engineers, hardware
vendors, auditors, etc.), can rely on the corporate governance of IT.
b) Provide information and guidance to managers that control the use of IS/IT in your organization/company.
c) Provide a basis for objective evaluation by top management of IT management. IT governance framework
Likewise, the rule encourages adopt a minimum set of measures for the organization to get your IT goals.
6. ISO/IEC 38500:2008 - Main purposes

1. The establishment of responsibilities to competent people for decision making
2. Alignment of IT with the strategic objectives of the organization (a good planning support to the
improvement of the organization)
3. The investment in IT goods suitable
4. Quality in the operation of IT systems
5. Ensuring legal compliance or regulatory IT systems
6. The involvement of the human factor and respect at the same
7. ISO/IEC 38500:2008 - 6 Basic principles

 Compliance with the legal environment is a growing need in the context of IS/IT organizations of any size,
as there is a lot of legislation regulating the use of information, communications, etc. forming a binding
legal framework that can not be ignored.
 The human factor is often treated very tangentially in many business strategies and, above all, IS/IT.
Fortunately, this standard (as ISO 27001 for example in his domain “8. Security linked to Human
Resources”), incorporated as a fundamental pillar more.
8. ISO/IEC 38500:2008 - Remarking 2 Basic principles

 IT Governance Definition and Solutions | cio.com
URL: http://www.cio.com/article/2438931/governance/it-governance-definition-and-solutions.html
 “Corporate governance of information technology” definition | Wikipedia
URL: https://en.wikipedia.org/wiki/Corporate_governance_of_information_technology
 IT Governance Defined | ITGovernance
URL: http://www.itgovernance.co.uk/it_governance.aspx
 “IT Governance Developing a successful governance strategy” | National Computing Centre (published on Isaca.org
website)
URL: https://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-
Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf
9. Sources used to expand knowledge

Questions?
Many thanks !
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro

IT Governance & ISO 38500

More Related Content

What's hot

Similar to IT Governance & ISO 38500

More from Ramiro Cid

Recently uploaded

IT Governance & ISO 38500