CHAPTER 3: SCOPE, APPLICATION AND OBJECTIVES

This chapter deals with the scope, application and objectives of ISO/IEC 38500. It also sets out some of the benefits of using the Standard in terms of the organisation’s conformance and performance.

Scope

As might be expected, the scope of the Standard is “guiding principles for members of governing bodies of organizations […] on the effective, efficient, and acceptable use of information technology (IT) within their organizations”.[8] ISO/IEC 38500 recognises that these processes could be controlled by one of the following:

IT specialists within the organisation.

External service providers.

Business units within the organisation.

The Standard is directed at providing ‘guiding principles’ for members of governing bodies of organisations on how to ensure that the use of information technology within their organisations is effective, efficient and acceptable. It also recognises that it has a role in providing guidance to the wide range of people whose role might be to advise, assist or inform governing bodies – including external specialists and IT auditors.

Application

As is usually the case with standards published by ISO/IEC, ISO/IEC 38500 is written to be sector-agnostic. It is designed so that it can be applied by companies of all sizes and from all sectors: public, private and not-for-profit.

Objectives

The Standard aims to “promote effective, efficient, and acceptable use of IT” in three ways:[9]

1. Assuring stakeholders (which includes consumers and shareholders, as well as employees and providers/vendors) that they can have confidence in the organisation’s IT governance if the Standard is followed.

2. Informing and guiding governing bodies in their IT governance activities.

3. Establishing a vocabulary for the governance of IT.

Benefits

ISO/IEC 38500 “establishes a model for the governance of IT”[10] and helps governing bodies find an appropriate balance between risk and reward in their stewardship of the organisation’s IT investment – exactly the requirement of today’s corporate governance regime.

The Standard identifies two principal benefits that organisations can derive from following its guidance.

1. Conformance – directors who exercise proper IT governance are more likely to address specific IT-related risks and compliance requirements (and the Standard provides examples of these) in a way that enables them to demonstrate that their obligations have been met.

2. Directors, though, are not simply responsible for complying with legislation; they also have to take risks and deliver a financial return for their shareholders. In the public and not-for-profit sectors, they must manage the costs of the organisation efficiently to deliver against the expectations of their stakeholders. Directors who apply the guidance of ISO/IEC 38500 are more likely to succeed at this than those who do not. Again, the Standard identifies a number of ways IT can contribute positively to the performance of the organisation.

Definitions

ISO/IEC 38500 contains a number of definitions of terms used within the Standard. Those dealing with risk are taken from ISO Guide 73:2009. The most important of these definitions provide for the corporate governance of IT, or what most people simply call IT governance:

The system by which the current and future use of IT is directed and controlled.

The definitions are all good, sensible, practical ones that will make sense to any director or manager and which, on their own, almost justify purchasing a copy of the Standard!

[8] ISO/IEC 38500:2015, Clause 1.

[9] ISO/IEC 38500:2015, Scope.

[10] ISO/IEC 38500:2015, Clause 3.
