ISO/IEC 38500:2008, or ISO 38500, is the international standard for the corporate governance of information technology.
ISO 38500 provides guidance to those advising, informing or assisting directors on the effective and acceptable use of Information Technology (IT) within the organization. The key advantage of the ISO 38500 IT governance framework is that it ensures accountability is clearly assigned for all IT risks and activities. This specifically includes assigning and monitoring IT security responsibilities, strategies and behaviours, so that appropriate measures and mechanisms are established for reporting on and responding to the current and planned use of IT. One example is meeting the latest data protection requirements for encryption of all portable devices, such as laptops and memory sticks, used to store and transmit personal data.
ISO 38500 provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
ISO 38500 applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
It also provides guidance to those advising, informing, or assisting directors, such as:
- senior managers;
- members of groups monitoring the resources within the organization;
- external business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies;
- vendors of hardware, software, communications and other IT products;
- internal and external service providers (including consultants);
- IT auditors.
All security and IT audit assurance professionals should encourage the development and use of embedded security management processes. ISO 38500 helps to achieve this by establishing appropriate matrices that go beyond compliance with minimum standards and beyond isolated pockets of best practice, embracing continuous improvement of security governance and management.