ISO/IEC 38500—the international standard for IT Governance

ISO 38500 (also known by its official title of ISO/IEC 38500:2008) is the international standard for the corporate governance of IT, providing guidance on the effective and acceptable use of information and communication technologies in an organization.

ISO 38500 is derived from an earlier international standard, ISO 29382, which itself evolved from the Australian Standard AS8015. The first, and current, version of ISO 38500 was officially published in 2008. This page introduces ISO 38500 and provides useful links to related resources.

On this page:

Contents of ISO 38500
Who is ISO 38500 for?
ISO 38500 implementation
Further ISO 38500 resources

Contents of ISO 38500

ISO 38500 sets out guiding principles for directors on ensuring effective, efficient and acceptable use of IT within their organizations so that they can understand and fulfil their legal, ethical, and regulatory requirements.

It applies to the governance of management processes and decisions relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization, by external service providers, or by business units within the organization.

ISO/IEC 38500 defines six principles:

  • Establish responsibilities
  • Plan to best support the organization
  • Acquire validly
  • Ensure performance when required
  • Ensure conformance with rules
  • Ensure respect for human factors

Who is ISO 38500 for?

ISO 38500 is suitable for any organization, whatever its size, sector, or location. It is primarily targeted at directors of all kinds (including owners, board members, directors, partners, and senior executives) and those who advise, inform, or assist directors. It is also relevant beyond those directly responsible for IT, to other members of staff and outside parties such as IT managers; IT staff and business unit managers; members of groups monitoring resources within the organization; external business or technical specialists (such as legal or accounting specialists, retail associations, or professional bodies); vendors of hardware, software, communications and other IT products; internal and external service providers (including consultants); and IT auditors.

ISO 38500 implementation

Although ISO 38500 is a relatively straightforward international standard, actual implementation of an IT governance framework can be challenging. The Calder–Moir IT Governance Framework evolved alongside ISO 38500 as a conceptual approach to help organizations visualize effective IT governance, drawing on and integrating the wide range of IT management tools and systems that exist in the world today.

The effectiveness of the Calder–Moir Framework as a unifying approach to IT governance and management is exemplified by the IT Governance Framework Toolkit, which provides practical, detailed tools and guidance for implementing IT governance in your organization, based on ISO 38500.

IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT provides practical guidance on how to implement an IT Governance framework based on ISO 38500 in your own organization.

Further ISO 38500 resources

The IT Governance ISO 38500 Web Store carries a wide range of helpful resources, including standards, books, and toolkits. We recommend the following: