CHAPTER 1: WHAT IS ISO/IEC 38500?
ISO/IEC 38500 is the international standard for the corporate governance of information and communication technology.
There are, broadly speaking, two types of standards:
• A specification that describes requirements that must be achieved (ISO 9001 and the Payment Card Industry Data Security Standard (PCI DSS), for example).
• A code of practice, which is a set of guidelines and supporting information that describe best practice and provide advice on how something might be done (such as ISO 27002 or ITIL®).
A specification sets out clear requirements against which an audit can be carried out. Third-party certification schemes – such as the ISO/IEC 27001 certification scheme – are able to exist because an accredited ...