Updated edition of ISO/IEC 38500:2015

Updated edition of ISO/IEC 38500:2015 published with new title: ”Governance of IT for the organisation”

Published in February 2015 and barely changed from “ISO/IEC 38500:2008, Corporate governance of IT”. Good to see it has been revised in the 5+ year timescale generally expected for international standards. Additionally two associated standards are now available, too, ISO/IEC TR 38501:2015 – Governance of IT – Implementation Guide and ISO/IEC 38502:2014 – Governance of IT – Framework and model. Interestingly, Standards Australia reported that Australia and 27 other countries participated in the update. I have spent several hours analysing the differences and I trust this will save time for IT governance managers and consultants.

Key points

  • Essentially the same key concepts as in the ISO/IEC 38500:2008 edition.
  • Formally, governance of IT, part of the standard’s title, is “the system by which the current and future use of IT is directed and controlled”, but “Notes” given in the standard (not formally part of an ISO/IEC standard) make it clear that the term is equivalent to:
    • corporate governance of IT,
    • enterprise governance of IT
    • organizational governance of IT
      Unfortunately, governance of enterprise IT as used by COBIT 5 is not mentioned!
  • It is now indicated that ISO/IEC 38500:2015 is aligned with the definition of corporate governance from the “Cadbury Report” that was written in London in 1992 by a committee representing the London Stock Exchange and the accountancy profession. This will assist IT Governance staff to explain to the governing body that the governance of IT is aligned with corporate governance.
  • Model - virtually word for word the same explanation for each:
    • Evaluate
    • Direct
    • Monitor
  • Principles - virtually word for word the same explanation for each:
  1. Responsibility
  2. Strategy
  3. Acquisition
  4. Performance
  5. Conformance
  6. Human Behaviour
  • Wording is virtually identical except Governing bodies is used to replace Directors. A Governing Body is defined as “person or group of people who are accountable for the performance and conformance of the organisation”.
  • The only figure in the standard, Figure 1, is essentially the same but has added clarity. It shows The Governing Body and Managers rather than calling them Corporate governance of ICT and Business processes. Expanded explanation of pressures on the governing body has been added: regulatory obligations and stakeholder expectations. Activities conducted by managers are now simply stated as “Management systems for the use of IT” rather than ICT Projects feeding ICT Operations.
  • Minor clarification such as a set of 25 terms and definitions, increased from 18.
Added definitions Removed definitions
accountable competent
accountability strategy
  risk management
executive manager  
governing body director 
governance of IT corporate governance of IT
organizational governance  


  • A bibliography has been added that refers to the other ISO/IEC 38500 series standards:
  • ISO/IEC TR 38501:2015 - Governance of IT - Implementation guide (just published 2nd April 2015 – only 15 pages and the link shows a free preview).
  • ISO/IEC 38502:2014 – Governance of IT – Framework and model – very readable and only 14 pages with the link showing a free preview.

© 2015 Geoff Harmer

Your rating: None Average: 4.7 (3 votes)
Roman Jouravlev (05/05/2015)

Dear Geoff, thanks for the review!
I dared to reproduce it in Russian on realitsm.ru - with link to this column and you as the author: http://www.realitsm.ru/2015/05/isoiec-385002015-perfect-from-the-beginning
Hope you don't mind.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <br><p>
  • Lines and paragraphs break automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.