ISO/IEC 38500: Governance of IT for the Organization
ISO/IEC 38500 “Information technology — Governance of IT for the organization” provides guiding principles for governing bodies on the effective, efficient, and acceptable use of information technology. Currently in its third edition (2024), it is published jointly by ISO and IEC and aligned with ISO 37000 (Governance of organizations).
The standard applies to all organizations regardless of size, sector, or extent of IT use — from small enterprises to multinational corporations, public agencies, and not-for-profit organizations. It addresses the governance of current and future IT use, helping ensure that IT decisions serve the organization’s strategic objectives while managing risk and meeting stakeholder expectations.
Evolution
- AS 8015:2005: Australian predecessor standard
- ISO/IEC 38500:2008: First international edition, adopted from AS 8015
- ISO/IEC 38500:2015: Second edition, minor updates
- ISO/IEC 38500:2024: Third edition, adds sustainability, cybersecurity governance, AI and cloud considerations, and alignment with ISO 37000
Governance Model: Evaluate — Direct — Monitor
ISO/IEC 38500 structures IT governance around three recurring tasks:
| Task | Purpose |
|---|---|
| Evaluate | Assess the current and future use of IT, considering stakeholder needs, organizational objectives, and external factors (technology trends, regulatory changes, risks). |
| Direct | Set direction through policies and plans that ensure IT supports organizational goals. Assign responsibilities and authorize resources. |
| Monitor | Measure IT performance against plans and objectives. Ensure conformance with policies, regulations, and ethical standards. |
This Evaluate–Direct–Monitor cycle is applied to each of the six governance principles below.
Six Governance Principles
| Principle | Governance Concern |
|---|---|
| Responsibility | Roles, accountability, and decision-making authority for IT are clearly defined and assigned throughout the organization. |
| Strategy | IT plans and investments are aligned with the organization’s current and future strategic objectives. |
| Acquisition | IT acquisitions are made for valid reasons, based on appropriate and ongoing analysis, with clear and transparent decision-making. |
| Performance | IT supports the organization by delivering services and meeting quality levels required by current and future business needs. |
| Conformance | IT complies with all mandatory legislation and regulations as well as internal policies and commitments. |
| Human Behaviour | IT governance respects human factors including the needs, expectations, and ethical considerations of all people affected by IT decisions. |
Scope and Structure
ISO/IEC 38500:2024 comprises seven clauses:
| Clause | Content |
|---|---|
| 1 — Scope | Applicability to all organizations and IT governance contexts |
| 2 — Normative References | References to ISO 37000 (Governance of organizations) |
| 3 — Terms and Definitions | Consistent terminology for governance, IT, and stakeholders |
| 4 — Good Governance of IT | Desired outcomes: performance, stewardship, ethics |
| 5 — Principles | The six governance principles (see above) |
| 6 — Model | The Evaluate–Direct–Monitor framework |
| 7 — Framework | Implementation approach for applying principles in practice |
Key Characteristics of the 2024 Edition
- Sustainability: Encourages governing bodies to consider the environmental impact of IT operations and promote eco-friendly technologies.
- Cybersecurity governance: Strengthened guidance for resilience against cyber threats, data breaches, and privacy risks.
- AI and emerging technology: Recognizes governance challenges arising from artificial intelligence, cloud computing, and remote working.
- ISO 37000 alignment: Integrates IT governance within broader organizational governance, treating IT as a critical business function rather than a siloed operation.
Quality Attributes Required or Emphasized
ISO/IEC 38500 is a governance standard, not a technical quality model — it does not prescribe specific system properties. However, its principles create governance conditions that directly influence several quality attributes:
| Quality Attribute | Relevance in ISO/IEC 38500 |
|---|---|
| Governability | Core focus: establishing policies, roles, and oversight structures for IT decision-making. The Evaluate–Direct–Monitor model is a governance framework in itself. |
| Compliance | Conformance principle: IT must comply with legislation, regulations, internal policies, and contractual commitments. |
| Accountability | Responsibility principle: clear assignment of roles, decision authority, and accountability for IT outcomes. |
| Auditability | Monitor task: governance requires measurable, auditable evidence of IT performance and conformance. |
| Transparency | Acquisition and Strategy principles: decisions must be made transparently and based on appropriate analysis. |
| Security | 2024 edition strengthens cybersecurity governance; Conformance principle requires adherence to security policies and regulations. |
| Sustainability | 2024 edition explicitly addresses environmental impact of IT operations and promotes eco-friendly technology choices. |
| Risk Identification | Evaluate task: governing bodies must assess risks to the organization arising from IT use. |
| Traceability | Monitor task: tracking IT decisions, investments, and outcomes back to organizational objectives and policies. |
| Performance | Performance principle: IT must deliver services that meet quality levels required by business needs. |
References and Resources
Official ISO Sources
- ISO/IEC 38500:2024 — Official page — Scope, preview, and ordering information
- ISO/IEC 38500:2024 — Online browsing — Terms and definitions (freely accessible sections)
Related Standards
- ISO 37000:2021 — Governance of organizations — Parent governance framework aligned with ISO/IEC 38500:2024
- ISO/IEC 38505-1:2017 — Governance of data — Data governance extension within the 38500 family
- ISO/IEC 27001 — Information security management — Complementary standard for security governance