ISO/IEC 38500:2015 pdf download – Information technology — Governance of IT for the organization.
This International Standard establishes principles for the effective, efficient and acceptable use of IT. Governing bodies, by ensuring that their organizations follow these principles, will be assisted in managing risks and encouraging the exploitation of opportunities arising from the use of IT. Good governance of IT also assists governing bodies in assuring conformance with obligations (regulatory, legislation, contractual) concerning the acceptable use of IT. This International Standard establishes a model for the governance of IT. The risk of governing bodies not fulfilling their obligations is mitigated by giving due attention to the model in appropriately applying the principles. Inadequate IT systems and improper or inappropriate use of IT can expose an organization to the risk of not complying with legislation. For example, in some jurisdictions, members of governing bodies could be held personally accountable if an inadequate accounting system results in tax not being paid. Processes dealing with IT incorporate specific risks that should be addressed appropriately. For example governing bodies and members of governing bodies can be held accountable for: — breaches of privacy, spam, health and safety, record keeping legislation and regulations; — non-compliance with standards relating to security, social responsibility; — matters relating to intellectual property rights including licensing agreements. Governing bodies using the guidance in this standard are more likely to meet their obligations.
Principle 5: Conformance The use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced. Principle 6: Human Behaviour IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the ‘people in the process’. 4.2 Model Governing bodies should govern IT through three main tasks: a) Evaluate the current and future use of IT. b) Direct preparation and implementation of strategies and policies to ensure that use of IT meets business objectives. c) Monitor conformance to policies, and performance against the strategies. Authority for specific aspects of IT may be delegated to managers within the organization. However, accountability for the effective, efficient and acceptable use of IT by an organization remains with the governing body and cannot be delegated. Figure 1 shows the model for governance of IT using Evaluate-Direct- Monitor. The text following Figure 1 explains the elements and relationships depicted.