ISO/IEC 38500 is a principles-based standard. It
describes what directors should do, but does not
provide guidance on how they should go about
implementing an IT governance framework.
The board, in effect, needs to create a mechanism
through which it can exercise its IT governance
responsibilities and provide the business with
technology leadership. The most effective way of
doing this is through the creation of a standing
board IT committee. Technology or IT leadership
requires a specific mechanism of this sort, in a
way that, for instance, neither HR (Human
Resources) nor Sales does, for two reasons.
HR, sales, marketing, and so on, are usually
already dealt with effectively as part of the
existing board agenda; most board members
already understand the issues around sales and
marketing, and the people involved in making
sales happen already get a great deal of
informed attention. The organisation almost
certainly already has well-developed
governance frameworks for these key
activities. No additional benefits would accrue
to the organisation through the creation of
additional leadership mechanisms for
these activities.
6: ISO/IEC 38500 & the IT steering committee
IT, in contrast, is not as well understood at
board level and there are usually no
established IT governance frameworks inside
organisations. It is not well understood, but it
is critical: on average, investment in IT
represents more than 50% of every
organisation's annual capital investment and,
typically, more than 30% of its cost base is in
IT; for most businesses, the direct cost of IT
operations is now second only to staffing as an
expense item. There is, in other words, a gap
between the importance of IT and the
understanding of IT: an IT governance
framework closes that gap, providing all those
with a limited understanding of IT in the
enterprise with a framework within which they
can improve their understanding to a level
appropriate for this critical contributor to their
competitive position.
The board-level IT steering or strategy committee
has a number of functions, some of
which (depending on the size, structure and
complexity of the organisation) may be dealt with
through subcommittees.
This committee takes the lead, on behalf of the
board, in dealing with IT governance principles
(including the decision-making hierarchy),
strategy and risk treatment criteria. ISO/IEC 38500
is very clear in its statement that the board cannot
escape its overall responsibility for IT and,
therefore, the board continues to have a key role in
monitoring and oversight across the whole of IT,
and particularly in respect of project governance.
This monitoring component means that the board
IT committee has similarities to the audit
committee and, given the extent to which IT
governance issues impinge on audit issues
(particularly around internal control), there is some
sense in having a number of members of each
committee in common.
They are not necessarily the same committees,
however. Many boards expect their audit
committees to carry out, on their behalf, the
crucial monitoring activities of their overall
governance framework. In many such
organisations, the monitoring component of the IT
governance framework will be included in the
agenda of the audit committee, in order to ensure a
clear segregation between those responsible for
determining (the Direct and Evaluate actions) the
ICT strategy of the organisation and approving
investment, and those responsible for monitoring
and overseeing the appropriateness and
effectiveness of those decisions.
Composition of the IT steering committee
The composition of the IT steering committee
should be straightforward. The chair should be
selected on exactly the same basis, following the
same rules, as the chair of the audit committee.
There should be a majority of independent
directors on the committee, and key executives
should be invited to attend: the CEO, the CFO and
the CIO (or equivalent) would be included as a
minimum. In some organisations, it would be
appropriate to include the CCO (Chief Compliance
Officer) as well.
The other key business heads in the organisation
(whether they are from production, procurement,
retail, sales, marketing, and so on, depends on the
sector, the organisation and the existing
management structure) the ones who would be