ISO 38500

ISO 38500

About ISO 38500:2015-IT governance

ISO/IEC 38500:2015 was previously 38500:2008 ,It is been revised on 12th Febuary 2015 .This standard is applicable to all organizations like public and private companies, government entities, and non profit organizations. its  applicable to organizations irrespective of size and regardless of IT usage.


  • The ISO/IEC 38500:2015 will enable efficient and acceptable IT usage in an Organization by providing,

  • It will setup a vocabulary for IT governance

  • Increase confidence of customers in IT governance of organization by following the proposed practices and principles of ISO 38500

  • Give guidance and information to governing bodies regarding IT governance


The main changes made are :

  • The title of the standard has been changed, from Corporate Governance of IT to Governance of IT for the Organization, which reflects the wider applicability of the standard.

  • Updated the terms and definitions

  • Scope and application is wider  -This is been reflected in all documents

  • Terminology and definitions have also been updated



When it comes to ISO 38500:2008,


ISO/IEC 38500:2008 provides guiding principles and standards for the directors, executives of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within the organization in all levels. ISO/IEC 38500:2008 applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.


The ISO/IEC 38500:2008 helps the organization to streamline the IT governance from top down approach by describing and demonstrating the importance and the effective compliance to the stakeholders for dedicating an appropriate governance and security framework.


The key advantage for the ISO/IEC 38500:2008 IT Governance framework was focused mainly on the accountability, ensuring and assigning all the IT risks and activities within your organization. The standards includes IT security responsibilities, strategies and behaviors to be completely assigned and monitored individually. The standards will help the organization to apply appropriate measures and mechanisms which were already established within the organization including the reporting and the response on the current and planned use of IT – In today’s technology, any organization must comply and meet the latest data protection requirements for all the externally used devices that should support the data encryption this is to avoid transmitting personal data and misusing the company information. 


Main Highlights


ISO 38500:2015 is an International Standard which is applicable for all organizations regardless of size, purpose, design, and ownership structure.

  • The objective of ISO 38500 to help an organization by providing principles ,definitions and model of governing bodies and to enable monitoring and evaluation of IT usage 

  • This is a high level International standard, principles-based consultative standard.

  • More than implementing broad guidance on the role of a governing body, it also encourages organizations to use appropriate standards for IT governance 

  • By the proper implementation we can avoid  negative outcomes that are affecting the technical, financial, and scheduling aspects of IT activities

  • To fulfil their legal, regulatory, and ethical obligations of their organizations' use of IT.Proper maintenance of ISO 38500 is required

  • This International Standard is addressed primarily to the governing body. In some (typically smaller) organizations

  • The members of the governing body can also be executive managers.

In ISO 38500 :2008

The management processes and decisions are involved in the ISO/IEC 38500:2008 this is in relation with the current practices and the future use of the IT governance within the organization. The processes involved can be controlled mainly by the ICT specialists/authorities, business units or external service providers.


The above standards also defines the governance of IT as a separate section or domain of the organizational or corporate governance.


ISO/IEC 38500:2008 is applicable to any sizes of organizations from the smallest to the largest regardless of the sector, industries, coverage of their use of IT and is applicable including the public, private and government entities and non-profit organizations.


The standard will help the organization to promote and achieve the acceptable use of IT throughout the organizations in the most effective and efficient implementation which includes the following:


  • Providing assurance for the Top-Level Management and stakeholders that the principles and practices are being implemented within the organization. It will allow the organization to gain higher confidence on the governance of IT.

  • The standard will help the organization to create a vocabulary on the governance of IT.

  • The organizations governing bodies will be well-informed and guided with the use of every IT members throughout the organization.





Brief about the ISO standard


The three main tasks that shall be governed with the involvement of the directors are as follows:

  1. Continuously evaluate the current and future use of IT which will benefit the organization;

  2. Direct preparation, evaluation and implementation of plans and policies to ensure that the use of IT is aligned within the organizations business objectives.

  3. Monitoring the conformances to the current implemented policies, performances which is aligned within the plans of the organization.

ISO 38500 Standard

Adapted from the ISO standard: ISO 38500



Need help or have a question?