This, the second chapter of ISO/IEC 38500,
contains the meat of the matter, the most important
part of the standard, and the core of the standard’s
concept of IT governance. It identifies six
principles of good IT governance, and three main
tasks for which directors are responsible.
Six principles
The six principles of good IT governance, which are
intended to guide decision making, are:
1 Responsibility
2 Strategy
3 Acquisition
4 Performance
5 Conformance
6 Human behaviour.
The principle of Responsibility recognises that
those responsible for IT within organisations must
have the authority to perform the actions for which
they are responsible. The notion of
‘accountability’ is contained in this principle.
Strategy recognises that an organisation’s
business strategy should take into account the
current and future IT capabilities; conversely, the
IT strategy should reflect the requirements of the
business strategy. This notion is often described as
business–IT alignment, as though the requirement
is a surprising one!
Acquisition is the principle that stakeholders
should applaud: it argues that IT investment
decision making should be clear and transparent,
with an appropriate balance between cost and
opportunity, with a clear understanding of risk and
both a long and a short term view.
IT should be ‘fit for purpose’, and Performance is
the fourth principle; IT service management is one
way of expressing this principle in action.
IT underpins financial accounting and houses,
supports and manipulates data on which the
organisation’s survival depends; the principle of
Conformance requires the organisation to ensure
that IT complies with all regulatory and
contractual requirements; standards such as
ISO/IEC 27001 have a key role to play here.
IT, of course, is part of an organisation that
depends primarily on its humans; the sixth
principle, Human behaviour, requires IT policies,
practices and decisions to respect human
behaviour (which is one of the defined terms in the
The IT governance model
ISO/IEC 38500 says that directors have three main
tasks in respect of IT.
Evaluate – the current and future use of IT.
Direct – plans and policies to ensure IT use
meets business requirements.
Monitor – to ensure that IT conforms to
policies and performs against plans.
The standard proposes a model for IT governance,
which is set out in Figure 1. This model, which
was first published in AS 8015:2005, is a clear and
simple one that contextualises the board’s
role in respect of IT governance.
Figure 1: ICT corporate governance
The standard says directors should evaluate the
current and future use of IT (including strategies,
implementation plans, supply arrangements and so
on, whether this is internal, external or some
combination of both). Directors should take
account of pressures acting on the business,
including technological change, economic and
other trends, and politics; evaluations should be
regular, and be informed by and consider current
and future business needs and objectives.
The board must assign responsibility for
implementation of IT plans and policies. The
board, therefore, must hold management to
account for delivery of those plans. Plans set the
direction for IT investment, operation and projects,
while policies are directional and should help
establish sound behaviour.
This action encompasses the requirement for good,
transparent and timely information from
management to the board about the progress of IT
operations and projects, thus putting the board in a
position to ensure that IT projects move smoothly
into the operational phase without more disruption
than planned for. As most IT projects fail, this
aspect of just this one IT governance action could
have a significant effect on improving rates of IT
project success.
Those directors who want timely information that
will enable them to act must first implement
monitoring systems that will tell them what
is going on and which will alert them to
any failures to comply with regulation, statute
or contract. Internal audit is as much a part
of effective monitoring as is clear
management accountability and meaningful
performance reporting.
ISO/IEC 38500 makes a very clear statement at
the end of this chapter: ‘Accountability for the
effective, efficient and acceptable use and delivery
of IT by an organisation remains with the directors
and cannot be delegated.’