Tuesday, January 27, 2009

ISO 38500 - An Opportunity for Directors
by Gerald Trites, FCA, CA*CISA/IT

The publication in 2008 of ISO 38500, an International Standard on Corporate Governance of IT (Information Technology), will fill a void that has existed for many years. In most organizations, IT has grown from an isolated glass-house unit to a spread-out function, distributed like the networks that came to form the central point of its work. At first, IT managers were isolated from the Board and top management and therefore from the area of corporate governance, which in fact scarcely existed in the early days of IT implementation. In more recent years, however, IT has moved into the C-Suite and has even begun to penetrate the activities of Boards of Directors. Nevertheless, there has been a lot of uncertainty as to how this should be carried out.

ISO 38500 provides a means whereby companies can implement governance over IT, mobilize the Board's oversight of this very important strategic element of their organization, and do so in accordance with International Standards.

The standard is framed according to six principles for good corporate governance of IT:
  • Responsibility;
  • Strategy;
  • Acquisition;
  • Performance;
  • Conformance;
  • Human behaviour.

ISO 38500 provides useful guidance for directors in oversight of IT and will be of considerable assistance to those who advise directors. There will be a move to become ISO 38500 certified and indeed, with the pressure these days to show a good governance model to the world, companies would be ill-advised to ignore it. The standard is available from the ISO website. There is also a website devoted to it and various commentaries on it on the web, including a particularly good one on Serge Thorn's Blog.
