ISO/IEC 38500 is the international standard for the corporate governance of information and communication technology.

There are, broadly speaking, two types of standards:

• A specification that describes requirements that must be achieved (ISO 9001 and the Payment Card Industry Data Security Standard (PCI DSS), for example).

• A code of practice, which is a set of guidelines and supporting information that describe best practice and provide advice on how something might be done (such as ISO 27002 or ITIL®).

A specification sets out clear requirements against which an audit can be carried out. Third-party certification schemes – such as the ISO/IEC 27001 certification scheme – are able to exist because an accredited ...

Get ISO/IEC 38500: A pocket guide, second edition now with the O’Reilly learning platform.
