ISO/IEC 38500

ISO/IEC 38500 is an international standard providing a framework for effective corporate governance of information technology (IT). It aims to assist organizations in understanding and fulfilling their legal, regulatory, and ethical obligations concerning their IT use.

Definition and purpose

The purpose of ISO/IEC 38500 is to provide principles, definitions, and a model for governing bodies to use when evaluating, directing, and monitoring the use of IT in their organizations. It is designed to help organizations ensure that their IT resources are used responsibly, efficiently, effectively, and aligned with business objectives.

Governing Body

The standard is developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Last updated

Initially published as ISO/IEC 38500:2008, the standard was withdrawn and replaced by ISO/IEC 38500:2015. A revised edition of ISO/IEC 38500 is currently under development and will supersede the 2015 edition once published.

Applies to

ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. It is relevant to all industries that use IT as part of their operations.

Controls and requirements

ISO/IEC 38500 outlines six principles for good corporate governance of IT:

  • Responsibility: Individuals and groups within the organization understand and accept their responsibilities in respect of both supply and demand for IT.
  • Strategy: The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization.
  • Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision-making.
  • Performance: IT is fit for purpose; ongoing monitoring and evaluation of IT performance is conducted.
  • Conformance: IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented, and enforced.
  • Human Behavior: IT policies, practices, and decisions demonstrate respect for human behavior, including the current and evolving needs of all the people in the process.

Please refer to the official ISO/IEC 38500:2015 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits typically assess the organization's IT governance practices against the ISO/IEC 38500 standard. They can be conducted internally or by external auditors. The frequency of audits varies with the organization's size, complexity, and the nature of its IT operations; regular reviews are recommended to ensure ongoing conformance and effectiveness.

The duration of the audit depends on the scope of the audit and the size and complexity of the organization's IT governance practices.
