INTERNATIONAL ISO/IEC

STANDARD 38500
First edition
2008-06-01
Corporate governance of information
technology
Gouvernance des technologies de l'information par l'entreprise
Reference number
ISOIE! "8#00$2008%E&
' ISOIE! 2008
ISO/IEC 38500:2008(E)

ii ' ISOIE! 2008 - A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
Content !age
1 S!O,E- A,,LI!ATION AND O./E!TI0ES 1111111111111111111111111111111111111111111111111111111111112 1
111 Sco3e 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1
112 A33(ic4tion 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1
11" Ob5ecti+es 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1
116 .enefits of 7sin) T*is St4nd4rd 1111111111111111111111111111111111111111111111111111111111111111111111111 1
11# Referenced Documents 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111 "
116 Definitions 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 "
2 FRA8E9OR: FOR ;OOD !OR,ORATE ;O0ERNAN!E OF IT 111111111111111111111111112 6
211 ,rinci3(es 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 6
212 8ode( 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 <
" ;7IDAN!E FOR T=E !OR,ORATE ;O0ERNAN!E of IT 111111111111111111111111111111111111121>
"11 ;ener4( 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 >
"12 ,rinci3(e 1$ Res3onsibi(it? 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 >
"1" ,rinci3(e 2$ Str4te)? 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
"16 ,rinci3(e "$ Ac@uisition 111111111111111111111111111111111111111111111111111111111111111111111111111111111111112
"1# ,rinci3(e 6$ ,erform4nce 11111111111111111111111111111111111111111111111111111111111111111111111111111111111"
"16 ,rinci3(e #$ !onform4nce 11111111111111111111111111111111111111111111111111111111111111111111111111111111116
"1< ,rinci3(e 6$ =um4n .e*4+iour 111111111111111111111111111111111111111111111111111111111111111111111111111#




' ISOIE! 2008 A A(( ri)*ts reser+ed
iii
ISO/IEC 38500:2008(E)
"ore#or$
ISO %t*e Intern4tion4( Or)4niB4tion for St4nd4rdiB4tion& 4nd IE! %t*e Intern4tion4(
E(ectrotec*nic4( !ommission& form t*e s3eci4(iBed s?stem for Cor(dCide st4nd4rdiB4tion1
N4tion4( bodies t*4t 4re members of ISO or IE! 34rtici34te in t*e de+e(o3ment of
Intern4tion4( St4nd4rds t*rou)* tec*nic4( committees est4b(is*ed b? t*e res3ecti+e
or)4niB4tion to de4( Cit* 34rticu(4r fie(ds of tec*nic4( 4cti+it?1 ISO 4nd IE! tec*nic4(
committees co((4bor4te in fie(ds of mutu4( interest1 Ot*er intern4tion4( or)4niB4tions-
)o+ernment4( 4nd non-)o+ernment4(- in (i4ison Cit* ISO 4nd IE!- 4(so t4De 34rt in t*e
CorD1 In t*e fie(d of inform4tion tec*no(o)?- ISO 4nd IE! *4+e est4b(is*ed 4 5oint tec*nic4(
committee- ISOIE! /T! 11
Intern4tion4( St4nd4rds 4re dr4fted in 4ccord4nce Cit* t*e ru(es )i+en in t*e ISOIE!
Directi+es- ,4rt 21 T*e m4in t4sD of t*e 5oint tec*nic4( committee is to 3re34re
Intern4tion4( St4nd4rds1 Dr4ft Intern4tion4( St4nd4rds 4do3ted b? t*e 5oint tec*nic4(
committee 4re circu(4ted to n4tion4( bodies for +otin)1 ,ub(ic4tion 4s 4n Intern4tion4(
St4nd4rd re@uires 433ro+4( b? 4t (e4st <# E of t*e n4tion4( bodies c4stin) 4 +ote1
Attention is dr4Cn to t*e 3ossibi(it? t*4t some of t*e e(ements of t*is document m4? be
t*e sub5ect of 34tent ri)*ts1 ISO 4nd IE! s*4(( not be *e(d res3onsib(e for identif?in) 4n?
or 4(( suc* 34tent ri)*ts1
ISOIE! "8#00 C4s 3re34red b? St4nd4rds Austr4(i4 %4s AS801#$200#& 4nd C4s
4do3ted- under 4 Ff4st-tr4cD 3rocedureG- b? /oint Tec*nic4( !ommittee ISOIE! /T! 1-
Information technology- in 34r4((e( Cit* its 433ro+4( b? n4tion4( bodies of ISO 4nd IE!1
ISOIE! "8#00 is 4 *i)* (e+e(- 3rinci3(es b4sed 4d+isor? st4nd4rd1 In 4ddition to
3ro+idin) bro4d )uid4nce on t*e ro(e of 4 )o+ernin) bod?- it encour4)es
or)4niB4tions to use 433ro3ri4te st4nd4rds to under3in t*eir )o+ern4nce of IT1
At t*e time of 3ub(ic4tion of t*is st4nd4rd- /T!1 is continuin) efforts to de+e(o3 furt*er
documents re(4tin) to )o+ern4nce of Inform4tion Tec*no(o)?1 T*ese documents- C*ic*
4re (iDe(? to be re(e4sed in t*e future 4s ISOIE! Tec*nic4( Re3orts 4nd- 3ossib(?- 4s
St4nd4rds- 4re eH3ected to 4ddress 4 r4n)e of to3ics inc(udin)$
I ;o+ern4nce of ,ro5ects in+o(+in) IT In+estment
I ;o+ern4nce of IT used in on)oin) .usiness O3er4tions




i+ ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
Intro$%ction
T*e ob5ecti+e of t*is st4nd4rd is to 3ro+ide 4 fr4meCorD of 3rinci3(es for Directors to
use C*en e+4(u4tin)- directin) 4nd monitorin) t*e use of inform4tion tec*no(o)? %IT&
in t*eir or)4niB4tions1
8ost or)4niB4tions use IT 4s 4 fund4ment4( business too( 4nd feC c4n function
effecti+e(? Cit*out it1 IT is 4(so 4 si)nific4nt f4ctor in t*e future business 3(4ns of
m4n? or)4niB4tions1
EH3enditure on IT c4n re3resent 4 si)nific4nt 3ro3ortion of 4n or)4niB4tionJs eH3enditure
of fin4nci4( 4nd *um4n resources1 =oCe+er- 4 return on t*is in+estment is often not
re4(iBed fu((? 4nd t*e 4d+erse effects on or)4niB4tions c4n be si)nific4nt1
T*e m4in re4sons for t*ese ne)4ti+e outcomes 4re t*e em3*4sis on t*e tec*nic4(-
fin4nci4( 4nd sc*edu(in) 4s3ects of IT 4cti+ities r4t*er t*4n em3*4sis on t*e C*o(e
business conteHt of IT use1
T*is st4nd4rd 3ro+ides 4 fr4meCorD for effecti+e )o+ern4nce of IT- to 4ssist t*ose 4t t*e
*i)*est (e+e( of or)4niB4tions to underst4nd 4nd fu(fi( t*eir (e)4(- re)u(4tor?- 4nd et*ic4(
ob(i)4tions in res3ect of t*eir or)4niB4tionsJ use of IT1 T*e fr4meCorD com3rises
definitions- 3rinci3(es 4nd 4 mode(1
T*is st4nd4rd is 4(i)ned Cit* t*e definition of !or3or4te ;o+ern4nce t*4t C4s 3ub(is*ed
4s 4 Re3ort of t*e !ommittee on t*e Fin4nci4( As3ects of !or3or4te ;o+ern4nce %t*e
!4dbur? Re3ort& in 1>>21 T*e !4dbur? Re3ort 4(so 3ro+ided t*e found4tion definition of
!or3or4te ;o+ern4nce in t*e OE!D ,rinci3(es of !or3or4te ;o+ern4nce in 1>>> %re+ised
in 2006&1 7sers of t*is st4nd4rd 4re encour4)ed to f4mi(i4rise t*emse(+es Cit* t*e
!4dbur? Re3ort 4nd t*e OE!D ,rinci3(es of !or3or4te ;o+ern4nce1
;o+ern4nce is distinct from m4n4)ement- 4nd for t*e 4+oid4nce of confusion- t*e tCo
conce3ts 4re c(e4r(? defined in t*e st4nd4rd1
9*i(e t*is st4nd4rd is 4ddressed 3rim4ri(? to t*e )o+ernin) bod?- C*ic* m4? in turn direct
t*4t cert4in 4ctions be t4Den b? t*e m4n4)ement of t*e or)4niB4tion- it 4(so 4((oCs t*4t- in
some %t?3ic4((? sm4((er& or)4niB4tions- t*e members of t*e )o+ernin) bod? m4? 4(so
occu3? t*e De? ro(es in m4n4)ement1 In t*is C4?- it ensures t*4t t*e st4nd4rd is
433(ic4b(e for 4(( or)4niB4tions- from t*e sm4((est- to t*e (4r)est- re)4rd(ess of 3ur3ose-
desi)n 4nd oCners*i3 structure1
T*e st4nd4rd is 4(so intended to inform 4nd )uide t*ose in+o(+ed in desi)nin) 4nd
im3(ementin) t*e m4n4)ement s?stem of 3o(icies- 3rocesses- 4nd structures t*4t su33ort
)o+ern4nce1




' ISOIE! 2008 A A(( ri)*ts reser+ed +



I&'E(&)'IO&)* S')&+)(+ ISO/IEC 38500:2008(E)
Corporate governance of information technology
, SCO!E- )!!*IC)'IO& )&+ O./EC'I0ES
,1, Scope
T*is st4nd4rd 3ro+ides )uidin) 3rinci3(es for directors of or)4niB4tions %inc(udin) oCners- bo4rd
members- directors- 34rtners- senior eHecuti+es- or simi(4r& on t*e effecti+e- efficient- 4nd
4cce3t4b(e use of Inform4tion Tec*no(o)? %IT& Cit*in t*eir or)4niB4tions1
T*is st4nd4rd 433(ies to t*e )o+ern4nce of m4n4)ement 3rocesses %4nd decisions& re(4tin) to
t*e inform4tion 4nd communic4tion ser+ices used b? 4n or)4niB4tion1 T*ese 3rocesses cou(d
be contro((ed b? IT s3eci4(ists Cit*in t*e or)4niB4tion or eHtern4( ser+ice 3ro+iders- or b?
business units Cit*in t*e or)4niB4tion1
It 4(so 3ro+ides )uid4nce to t*ose 4d+isin)- informin)- or 4ssistin) directors1 T*e? inc(ude$
I senior m4n4)ersK
I members of )rou3s monitorin) t*e resources Cit*in t*e or)4niB4tionK
I eHtern4( business or tec*nic4( s3eci4(ists- suc* 4s (e)4( or 4ccountin)K s3eci4(ists- ret4i(
4ssoci4tions- or 3rofession4( bodiesK
I +endors of *4rdC4re- softC4re- communic4tions 4nd ot*er IT 3roductsK
I intern4( 4nd eHtern4( ser+ice 3ro+iders %inc(udin) consu(t4nts&K
I IT 4uditors1
,12 )pplication
T*is st4nd4rd is 433(ic4b(e to 4(( or)4niB4tions- inc(udin) 3ub(ic 4nd 3ri+4te com34nies- )o+ernment
entities- 4nd not-for-3rofit or)4niB4tions1 T*e st4nd4rd is 433(ic4b(e to or)4niB4tions of 4(( siBes from
t*e sm4((est to t*e (4r)est- re)4rd(ess of t*e eHtent of t*eir use of IT1
,13 O23ective
T*e 3ur3ose of t*is st4nd4rd is to 3romote effecti+e- efficient- 4nd 4cce3t4b(e use of IT in 4((
or)4niB4tions b?$
I 4ssurin) st4De*o(ders %inc(udin) consumers- s*4re*o(ders- 4nd em3(o?ees& t*4t- if t*e
st4nd4rd is fo((oCed- t*e? c4n *4+e confidence in t*e or)4niB4tionJs cor3or4te
)o+ern4nce of ITK
I informin) 4nd )uidin) directors in )o+ernin) t*e use of IT in t*eir or)4niB4tionK
4nd
I 3ro+idin) 4 b4sis for ob5ecti+e e+4(u4tion of t*e cor3or4te )o+ern4nce of IT1
,14 .enefit of 5ing 'hi Stan$ar$
,141, 6eneral
T*is st4nd4rd est4b(is*es 3rinci3(es for t*e effecti+e- efficient 4nd 4cce3t4b(e use of IT1
Ensurin) t*4t t*eir or)4nis4tions fo((oC t*ese 3rinci3(es Ci(( 4ssist




' ISOIE! 2008 A A(( ri)*ts reser+ed ,
ISO/IEC 38500:2008(E)
directors in b4(4ncin) risDs 4nd encour4)in) o33ortunities 4risin) from t*e use of IT1
T*is st4nd4rd est4b(is*es 4 mode( for t*e )o+ern4nce of IT1 T*e risD of directors not fu(fi((in)
t*eir ob(i)4tions is miti)4ted b? )i+in) due 4ttention to t*e mode( in 3ro3er(? 433(?in) t*e
3rinci3(es1
T*e st4nd4rd est4b(is*es 4 +oc4bu(4r? for t*e ;o+ern4nce of IT1
,1412 Conformance of the organi7ation
,ro3er cor3or4te )o+ern4nce of IT m4? 4ssist directors in 4ssurin) conform4nce Cit* ob(i)4tions
%re)u(4tor?- (e)is(4tion- common (4C- contr4ctu4(& concernin) t*e 4cce3t4b(e use of IT1
In4de@u4te IT s?stems c4n eH3ose t*e directors to t*e risD of not com3(?in) Cit* (e)is(4tion1
For eH4m3(e- in some 5urisdictions- directors cou(d be *e(d 3erson4((? 4ccount4b(e if 4n
in4de@u4te 4ccountin) s?stem resu(ts in t4H not bein) 34id1
,rocesses de4(in) Cit* IT incor3or4te s3ecific risDs t*4t must be 4ddressed 433ro3ri4te(?1 For
eH4m3(e- directors cou(d be *e(d 4ccount4b(e for bre4c*es of$
I securit? st4nd4rdsK
I 3ri+4c? (e)is(4tionK
I s34m (e)is(4tionK
I tr4de 3r4ctices (e)is(4tionK
I inte((ectu4( 3ro3ert? ri)*ts- inc(udin) softC4re (icensin) 4)reementsK
I record Dee3in) re@uirementsK
I en+ironment4( (e)is(4tion 4nd re)u(4tionsK
I *e4(t* 4nd s4fet? (e)is(4tionK
I 4ccessibi(it? (e)is(4tionK
I soci4( res3onsibi(it? st4nd4rds1
Directors usin) t*e )uide(ines in t*is st4nd4rd 4re more (iDe(? to meet t*eir ob(i)4tions1
,1413 !erformance of the organi7ation
,ro3er cor3or4te )o+ern4nce of IT 4ssists directors to ensure t*4t IT use contributes
3ositi+e(? to t*e 3erform4nce of t*e or)4niB4tion- t*rou)*$
I 433ro3ri4te im3(ement4tion 4nd o3er4tion of IT 4ssetsK
I c(4rit? of res3onsibi(it? 4nd 4ccount4bi(it? for bot* t*e use 4nd 3ro+ision of IT in
4c*ie+in) t*e )o4(s of t*e or)4niB4tionK
I business continuit? 4nd sust4in4bi(it?K
I 4(i)nment of IT Cit* business needsK
I efficient 4((oc4tion of resourcesK
I inno+4tion in ser+ices- m4rDets- 4nd businessK
I )ood 3r4ctice in re(4tions*i3s Cit* st4De*o(dersK
I reduction in t*e costs for 4n or)4niB4tionK 4nd
I 4ctu4( re4(iB4tion of t*e 433ro+ed benefits from e4c* IT in+estment1




2 ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
,15 (eference$ +oc%ment
T*e fo((oCin) documents 4re referred to in t*is St4nd4rd$
Re3ort of t*e !ommittee on t*e Fin4nci4( As3ects of !or3or4te ;o+ern4nce- Sir Adri4n !4dbur?-
London- 1>>2 IS.N 0 8#2#8 >1" 1
OE!D ,rinci3(es of !or3or4te ;o+ern4nce- OE!D- 1>>> 4nd 2006
ISO ;uide <" 2002 - RisD m4n4)ement L 0oc4bu(4r? L ;uide(ines for use in st4nd4rds1
,18 +efinition
For t*e 3ur3ose of t*is St4nd4rd- t*e definitions be(oC 433(?1
It is eH3ected t*4t 4n or)4niB4tion Ci(( 4d43t t*e termino(o)? used Cit*in t*is st4nd4rd to
suit t*eir circumst4nces or structure1
,181, )ccepta2le
8eetin) st4De*o(der eH3ect4tions t*4t 4re c434b(e of bein) s*oCn 4s re4son4b(e or merited1
,1812 Corporate governance
T*e s?stem b? C*ic* or)4niB4tions 4re directed 4nd contro((ed1 %4d43ted from !4dbur? 1>>2
4nd OE!D 1>>>&
,1813 Corporate governance of I'
T*e s?stem b? C*ic* t*e current 4nd future use of IT is directed 4nd contro((ed1
!or3or4te )o+ern4nce of IT in+o(+es e+4(u4tin) 4nd directin) t*e use of IT to su33ort
t*e or)4niB4tion 4nd monitorin) t*is use to 4c*ie+e 3(4ns1 It inc(udes t*e str4te)? 4nd
3o(icies for usin) IT Cit*in 4n or)4niB4tion1
,1814 Competent
=4+in) t*e combin4tion of DnoC(ed)e- form4( 4nd inform4( sDi((s- tr4inin)- eH3erience
4nd be*4+iour4( 4ttributes re@uired to 3erform 4 t4sD or ro(e1
,1815 +irector
8ember of t*e most senior )o+ernin) bod? of 4n or)4niB4tion1 Inc(udes oCners- bo4rd
members- 34rtners- senior eHecuti+es or simi(4r- 4nd officers 4ut*oriBed b? (e)is(4tion or
re)u(4tion1
,1818 9%man 2ehavio%r
T*e underst4ndin) of inter4ctions 4mon) *um4ns 4nd ot*er e(ements of 4 s?stem Cit* t*e
intent to ensure Ce(( bein) 4nd s?stems 3erform4nce1 =um4n


' ISOIE! 2008 A A(( ri)*ts reser+ed 3
ISO/IEC 38500:2008(E)
be*4+iour inc(udes cu(ture- needs 4nd 4s3ir4tions of 3eo3(e 4s indi+idu4(s 4nd 4s )rou3s1
Note$ In res3ect of IT- t*ere 4re numerous )rou3s or communities of *um4ns- e4c* Cit* t*eir
oCn needs- 4s3ir4tions 4nd be*4+iours1 For eH4m3(e- 3eo3(e C*o use inform4tion s?stems
mi)*t eH*ibit needs re(4tin) to 4ccessibi(it? 4nd er)onomics- 4s Ce(( 4s 4+4i(4bi(it? 4nd
3erform4nce1 ,eo3(e C*ose 5ob ro(es 4re c*4n)in) bec4use of t*e use of IT mi)*t eH*ibit
needs re(4tin) to communic4tion- tr4inin)- 4nd re4ssur4nce1 ,eo3(e in+o(+ed in bui(din) 4nd
o3er4tin) IT c434bi(ities mi)*t eH*ibit needs re(4tin) to CorDin) conditions 4nd de+e(o3ment of
sDi((s1
,181: Information technology (I')
Resources re@uired to 4c@uire- 3rocess- store 4nd dissemin4te inform4tion1 T*is term 4(so
inc(udes F!ommunic4tion Tec*no(o)? %!T&G 4nd t*e com3osite term FInform4tion 4nd
!ommunic4tion Tec*no(o)? %I!T&G1
,1818 Invetment
A((oc4tion of *um4n- c43it4( 4nd ot*er resources to 4c*ie+e defined ob5ecti+es 4nd ot*er
benefits1
,181; <anagement
T*e s?stem of contro(s 4nd 3rocesses re@uired to 4c*ie+e t*e str4te)ic ob5ecti+es set b? t*e
or)4nis4tionMs )o+ernin) bod?1 84n4)ement is sub5ect to t*e 3o(ic? )uid4nce 4nd monitorin)
set t*rou)* cor3or4te )o+ern4nce1
,181,0 Organi7ation
An? com34n?- cor3or4tion- )o+ernment- not-for-3rofit or ot*er (e)4((? constituted bod? inc(udin)
4ssoci4tions- c(ubs- 34rtners*i3s- )o+ernment 4)encies- 3ub(ic(? (isted com34nies- 3ri+4te
com34nies 4nd so(e tr4ders t*4t *4s its oCn function%s& 4nd 4dministr4tion1
,181,, !olicy
!(e4r 4nd me4sur4b(e st4tements of 3referred direction 4nd be*4+iour to condition
t*e decisions m4de Cit*in 4n or)4niB4tion1
,181,2 !ropoal
!om3i(4tion of benefits- costs- risDs- o33ortunities- 4nd ot*er f4ctors 433(ic4b(e to decisions to
be m4de1 Inc(udes business c4ses1
,181,3 (eo%rce
,eo3(e- 3rocedures- softC4re- inform4tion- e@ui3ment- consum4b(es-
infr4structure- c43it4( 4nd o3er4tin) funds- 4nd time1



4 ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
,181,4 (i=
!ombin4tion of t*e 3rob4bi(it? of 4n e+ent 4nd its conse@uence %ISOIE! ;uide <"&1
Note$ T*e conse@uences 4re im34cts u3on t*e or)4niB4tion1 T*e? c4n be ne)4ti+e- 4s
in common us4)e- or No33ortunitiesJ in common us4)e1
,181,5 (i= management
!oordin4ted 4cti+ities to direct 4nd contro( 4n or)4niB4tion Cit* re)4rd to risD %ISOIE!
;uide <"&1
,181,8 Sta=ehol$er
An? indi+idu4(- )rou3 or or)4niB4tion C*o m4? 4ffect- be 4ffected b?- or 3ercei+e
t*emse(+es to be 4ffected b?- 4 decision or 4cti+it? %4d43ted from ISOIE! ;uide <"&1
,181,: Strategy
An or)4niB4tionJs o+er4(( 3(4n of de+e(o3ment- describin) t*e effecti+e use of resources in
su33ort of t*e or)4niB4tion in its future 4cti+ities1 It in+o(+es settin) ob5ecti+es 4nd
3ro3osin) initi4ti+es for 4ction1
,181,8 5e of I'
T*e 3(4nnin)- desi)n- de+e(o3ment- de3(o?ment- o3er4tion- m4n4)ement- 4nd 433(ic4tion
of IT to meet t*e needs of t*e business1 It inc(udes bot* t*e dem4nd for- 4nd t*e su33(? of-
IT ser+ices b? intern4( business units- s3eci4(ist IT units- or eHtern4( su33(iers 4nd uti(it?
ser+ices %suc* 4s t*ose 3ro+idin) softC4re 4s ser+ices&1



' ISOIE! 2008 A A(( ri)*ts reser+ed
5
ISO/IEC 38500:2008(E)
2 "()<E>O(? "O( 6OO+ CO(!O()'E 6O0E(&)&CE O" I'
21, !rinciple
T*is section sets out siH 3rinci3(es for )ood cor3or4te )o+ern4nce of IT1 T*e 3rinci3(es
4re 433(ic4b(e to most or)4niB4tions1
T*e 3rinci3(es eH3ress 3referred be*4+iour to )uide decision m4Din)1 T*e st4tement of e4c*
3rinci3(e refers to C*4t s*ou(d *433en- but does not 3rescribe *oC- C*en or b? C*om t*e
3rinci3(es Cou(d be im3(emented A 4s t*ese 4s3ects 4re de3endent on t*e n4ture of t*e
or)4niB4tion im3(ementin) t*e 3rinci3(es1 Directors s*ou(d re@uire t*4t t*ese 3rinci3(es 4re
433(ied1
21,1, !rinciple ,: (eponi2ility
Indi+idu4(s 4nd )rou3s Cit*in t*e or)4niB4tion underst4nd 4nd 4cce3t t*eir res3onsibi(ities
in res3ect of bot* su33(? of- 4nd dem4nd for IT1 T*ose Cit* res3onsibi(it? for 4ctions 4(so
*4+e t*e 4ut*orit? to 3erform t*ose 4ctions1
21,12 !rinciple 2: Strategy
T*e or)4niB4tionJs business str4te)? t4Des into 4ccount t*e current 4nd future c434bi(ities of
ITK t*e str4te)ic 3(4ns for IT s4tisf? t*e current 4nd on)oin) needs of t*e or)4niB4tionJs
business str4te)?1
21,13 !rinciple 3: )c@%iition
IT 4c@uisitions 4re m4de for +4(id re4sons- on t*e b4sis of 433ro3ri4te 4nd on)oin) 4n4(?sis-
Cit* c(e4r 4nd tr4ns34rent decision m4Din)1 T*ere is 433ro3ri4te b4(4nce betCeen benefits-
o33ortunities- costs- 4nd risDs- in bot* t*e s*ort term 4nd t*e (on) term1
21,14 !rinciple 4: !erformance
IT is fit for 3ur3ose in su33ortin) t*e or)4niB4tion- 3ro+idin) t*e ser+ices- (e+e(s of ser+ice 4nd
ser+ice @u4(it? re@uired to meet current 4nd future business re@uirements1
21,15 !rinciple 5: Conformance
IT com3(ies Cit* 4(( m4nd4tor? (e)is(4tion 4nd re)u(4tions1 ,o(icies 4nd 3r4ctices 4re
c(e4r(? defined- im3(emented 4nd enforced1
21,18 !rinciple 8: 9%man .ehavio%r
IT 3o(icies- 3r4ctices 4nd decisions demonstr4te res3ect for =um4n .e*4+iour- inc(udin) t*e
current 4nd e+o(+in) needs of 4(( t*e N3eo3(e in t*e 3rocessJ1



8 ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
212 <o$el
Directors s*ou(d )o+ern IT t*rou)* t*ree m4in t4sDs$
4& E+4(u4te t*e current 4nd future use of IT1
b& Direct 3re34r4tion 4nd im3(ement4tion of 3(4ns 4nd 3o(icies to ensure t*4t use of
IT meets business ob5ecti+es1
c& 8onitor conform4nce to 3o(icies- 4nd 3erform4nce 4)4inst t*e 3(4ns1
Fi)ure 1 s*oCs t*e IT ;o+ern4nce mode( of t*e c?c(e of E+4(u4te-Direct-8onitor1 T*e teHt
fo((oCin) Fi)ure 1 eH3(4ins t*e e(ements 4nd re(4tions*i3s de3icted1
Fi)ure 1 8ode( for !or3or4te ;o+ern4nce of IT
Eval%ate
Directors s*ou(d eH4mine 4nd m4De 5ud)ement on t*e current 4nd future use of IT- inc(udin)
str4te)ies- 3ro3os4(s 4nd su33(? 4rr4n)ements %C*et*er intern4(- eHtern4(- or bot*&1
In e+4(u4tin) t*e use of IT- directors s*ou(d consider t*e eHtern4( or intern4( 3ressures 4ctin)
u3on t*e business- suc* 4s tec*no(o)ic4( c*4n)e- economic 4nd soci4( trends- 4nd 3o(itic4(
inf(uences1
Directors s*ou(d undert4De e+4(u4tion continu4((?- 4s 3ressures c*4n)e1
Directors s*ou(d 4(so t4De 4ccount of bot* current 4nd future business needs L t*e current 4nd
future or)4niB4tion4( ob5ecti+es t*4t t*e? must 4c*ie+e- suc* 4s m4int4inin) com3etiti+e
4d+4nt4)e- 4s Ce(( 4s t*e s3ecific ob5ecti+es of t*e str4te)ies 4nd 3ro3os4(s t*e? 4re e+4(u4tin)1
+irect
Directors s*ou(d 4ssi)n res3onsibi(it? for- 4nd direct 3re34r4tion 4nd im3(ement4tion of 3(4ns
4nd 3o(icies1 ,(4ns s*ou(d set t*e direction for in+estments in IT 3ro5ects 4nd IT o3er4tions1
,o(icies s*ou(d est4b(is* sound be*4+iour in t*e use of IT1



' ISOIE! 2008 A A(( ri)*ts reser+ed :
ISO/IEC 38500:2008(E)
Directors s*ou(d ensure t*4t t*e tr4nsition of 3ro5ects to o3er4tion4( st4tus is 3ro3er(?
3(4nned 4nd m4n4)ed- t4Din) into 4ccount im34cts on business 4nd o3er4tion4(
3r4ctices 4s Ce(( 4s eHistin) IT s?stems 4nd infr4structure1
Directors s*ou(d encour4)e 4 cu(ture of )ood )o+ern4nce of IT in t*eir or)4niB4tion b?
re@uirin) m4n4)ers to 3ro+ide time(? inform4tion- to com3(? Cit* direction 4nd to conform Cit*
t*e siH 3rinci3(es of )ood )o+ern4nce1
If necess4r?- directors s*ou(d direct t*e submission of 3ro3os4(s for 433ro+4( to 4ddress
identified needs1
<onitor
Directors s*ou(d monitor- t*rou)* 433ro3ri4te me4surement s?stems- t*e 3erform4nce of IT1
T*e? s*ou(d re4ssure t*emse(+es t*4t 3erform4nce is in 4ccord4nce Cit* 3(4ns- 34rticu(4r(?
Cit* re)4rd to business ob5ecti+es1
Directors s*ou(d 4(so m4De sure t*4t IT conforms Cit* eHtern4( ob(i)4tions %re)u(4tor?-
(e)is(4tion- common (4C- contr4ctu4(& 4nd intern4( CorD 3r4ctices1
Note$ Res3onsibi(it? for s3ecific 4s3ects of IT m4? be de(e)4ted to m4n4)ers
Cit*in t*e or)4niB4tion1 =oCe+er- 4ccount4bi(it? for t*e effecti+e- efficient 4nd
4cce3t4b(e use 4nd de(i+er? of IT b? 4n or)4niB4tion rem4ins Cit* t*e
directors 4nd c4nnot be de(e)4ted1



8 ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
3 65I+)&CE "O( '9E CO(!O()'E 6O0E(&)&CE of I'
31, 6eneral
T*e fo((oCin) sections 3ro+ide )uid4nce for t*e )ener4( 3rinci3(es of )ood IT )o+ern4nce
4nd t*e 3r4ctices re@uired to im3(ement t*e 3rinci3(es1
T*e 3r4ctices described 4re not eH*4usti+e but 3ro+ide 4 st4rtin) 3oint for discussion of t*e
res3onsibi(ities of Directors for t*e )o+ern4nce of IT1 T*4t is- t*e 3r4ctices described 4re
su))ested )uid4nce for IT ;o+ern4nce1
It is t*e res3onsibi(it? of e4c* or)4niB4tion- indi+idu4((?- to identif? t*e s3ecific 4ctions
re@uired to im3(ement t*e 3rinci3(es- )i+in) due consider4tion to t*e n4ture of t*e
or)4niB4tion- 4nd 433ro3ri4te 4n4(?sis of t*e risDs 4nd o33ortunities of t*e use of IT1
As 4 b4sis for i((ustr4tion- t*e 3r4ctices described 4re 433(ic4b(e to most or)4niB4tions
%(4r)e or sm4((&- most of t*e time1 An? +4ri4tion s*ou(d be Ce(( considered1
312 !rinciple ,: (eponi2ility
Eval%ate
Directors s*ou(d e+4(u4te t*e o3tions for 4ssi)nin) res3onsibi(ities in res3ect of t*e
or)4niB4tionJs current 4nd future use of IT1 In e+4(u4tin) o3tions- directors s*ou(d seeD to
ensure effecti+e- efficient- 4nd 4cce3t4b(e use 4nd de(i+er? of IT in su33ort of current 4nd
future business ob5ecti+es1
Directors s*ou(d e+4(u4te t*e com3etence of t*ose )i+en res3onsibi(it? to m4De decisions
re)4rdin) IT1 ;ener4((?- t*ese 3eo3(e s*ou(d be business m4n4)ers C*o 4re 4(so
res3onsib(e for t*e or)4niB4tionJs business ob5ecti+es 4nd 3erform4nce- 4ssisted b? IT
s3eci4(ists C*o underst4nd business +4(ues 4nd 3rocesses1
+irect
Directors s*ou(d direct t*4t 3(4ns be c4rried out 4ccordin) to t*e 4ssi)ned IT
res3onsibi(ities1
Directors s*ou(d direct t*4t t*e? recei+e t*e inform4tion t*4t t*e? need to meet t*eir
res3onsibi(ities 4nd 4ccount4bi(it?1




' ISOIE! 2008 A A(( ri)*ts reser+ed
;
ISO/IEC 38500:2008(E)
<onitor
Directors s*ou(d monitor t*4t 433ro3ri4te IT )o+ern4nce mec*4nisms 4re
est4b(is*ed1
Directors s*ou(d monitor t*4t t*ose )i+en res3onsibi(it? 4cDnoC(ed)e 4nd underst4nd
t*eir res3onsibi(ities1
Directors s*ou(d monitor t*e 3erform4nce of t*ose )i+en res3onsibi(it? in t*e )o+ern4nce of IT
%for eH4m3(e- t*ose 3eo3(e ser+in) on steerin) committees or in 3resentin) 3ro3os4(s to
directors&1



,0 ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
313 !rinciple 2: Strategy
Eval%ate
Directors s*ou(d e+4(u4te de+e(o3ments in IT 4nd business 3rocesses to ensure t*4t IT Ci((
3ro+ide su33ort for future business needs1
In considerin) 3(4ns 4nd 3o(icies- directors s*ou(d e+4(u4te IT 4cti+ities to ensure t*e? 4(i)n
Cit* t*e or)4niB4tionJs ob5ecti+es for c*4n)in) circumst4nces- t4De consider4tion of better
3r4ctices 4nd s4tisf? ot*er De? st4De*o(der re@uirements1
Directors s*ou(d ensure t*4t IT use 4re sub5ect to 433ro3ri4te risD 4ssessment 4nd e+4(u4tion-
4s described in re(e+4nt intern4tion4( 4nd n4tion4( st4nd4rds1
+irect
Directors s*ou(d direct t*e 3re34r4tion 4nd use of 3(4ns 4nd 3o(icies t*4t ensure t*e
or)4niB4tion does benefit from de+e(o3ments in IT1
Directors s*ou(d 4(so encour4)e t*e submission of 3ro3os4(s for inno+4ti+e uses of IT t*4t
en4b(e t*e or)4niB4tion to res3ond to neC o33ortunities or c*4((en)es- undert4De neC
businesses or im3ro+e 3rocesses1
<onitor
Directors s*ou(d monitor t*e 3ro)ress of 433ro+ed IT 3ro3os4(s to ensure t*4t t*e? 4re
4c*ie+in) ob5ecti+es in re@uired timefr4mes usin) 4((oc4ted resources1
Directors s*ou(d monitor t*e use of IT to ensure t*4t it is 4c*ie+in) its intended benefits1




' ISOIE! 2008 A A(( ri)*ts reser+ed ,,
ISO/IEC 38500:2008(E)
314 !rinciple 3: )c@%iition
Eval%ate
Directors s*ou(d e+4(u4te o3tions for 3ro+idin) IT to re4(iBe 433ro+ed 3ro3os4(s- b4(4ncin)
risDs 4nd +4(ue for mone? of 3ro3osed in+estments1
+irect
Directors s*ou(d direct t*4t IT 4ssets %s?stems 4nd infr4structure& be 4c@uired in 4n
433ro3ri4te m4nner- inc(udin) t*e 3re34r4tion of suit4b(e document4tion- C*i(e ensurin) t*4t
re@uired c434bi(ities 4re 3ro+ided1
Directors s*ou(d direct t*4t su33(? 4rr4n)ements %inc(udin) bot* intern4( 4nd eHtern4( su33(?
4rr4n)ements& su33ort t*e business needs of t*e or)4niB4tion1
<onitor
Directors s*ou(d monitor IT in+estments to ensure t*4t t*e? 3ro+ide t*e re@uired
c434bi(ities1
Directors s*ou(d monitor t*e eHtent to C*ic* t*eir or)4niB4tion 4nd su33(iers m4int4in t*e
s*4red underst4ndin) of t*e or)4niB4tionMs intent in m4Din) 4n? IT 4c@uisition1




,2 ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
315 !rinciple 4: !erformance
Eval%ate
Directors s*ou(d e+4(u4te t*e me4ns 3ro3osed b? t*e m4n4)ers to ensure t*4t IT Ci(( su33ort
business 3rocesses Cit* t*e re@uired c434bi(it? 4nd c434cit?1 T*ese 3ro3os4(s s*ou(d 4ddress
t*e continuin) norm4( o3er4tion of t*e business 4nd t*e tre4tment of risD 4ssoci4ted Cit* t*e
use of IT1
Directors s*ou(d e+4(u4te t*e risDs to continued o3er4tion of t*e business 4risin)
from IT 4cti+ities1
Directors s*ou(d e+4(u4te t*e risDs to t*e inte)rit? of inform4tion 4nd t*e 3rotection of
IT 4ssets- inc(udin) 4ssoci4ted inte((ectu4( 3ro3ert? 4nd or)4niB4tion4( memor?1
Directors s*ou(d e+4(u4te o3tions for 4ssurin) effecti+e- time(? decisions 4bout use of IT in
su33ort of business )o4(s1
Directors s*ou(d re)u(4r(? e+4(u4te t*e effecti+eness 4nd 3erform4nce of t*e or)4niB4tionJs
s?stem for ;o+ern4nce of IT1
+irect
Directors s*ou(d ensure 4((oc4tion of sufficient resources so t*4t IT meets t*e needs of t*e
or)4niB4tion- 4ccordin) to t*e 4)reed 3riorities 4nd bud)et4r? constr4ints1
Directors s*ou(d direct t*ose res3onsib(e to ensure t*4t IT su33orts t*e business- C*en
re@uired for business re4sons- Cit* correct 4nd u3-to-d4te d4t4 t*4t is 3rotected from (oss or
misuse1
<onitor
Directors s*ou(d monitor t*e eHtent to C*ic* IT does su33ort t*e business1
Directors s*ou(d monitor t*e eHtent to C*ic* 4((oc4ted resources 4nd bud)ets 4re 3rioritised
4ccordin) to business ob5ecti+es1
Directors s*ou(d monitor t*e eHtent to C*ic* t*e 3o(icies- suc* 4s for d4t4 4ccur4c?
4nd t*e efficient use of IT- 4re fo((oCed 3ro3er(?1




' ISOIE! 2008 A A(( ri)*ts reser+ed ,3
ISO/IEC 38500:2008(E)
318 !rinciple 5: Conformance
Eval%ate
Directors s*ou(d re)u(4r(? e+4(u4te t*e eHtent to C*ic* IT s4tisfies ob(i)4tions
%re)u(4tor?- (e)is(4tion- common (4C- contr4ctu4(&- intern4( 3o(icies- st4nd4rds 4nd
3rofession4( )uide(ines1
Directors s*ou(d re)u(4r(? e+4(u4te t*e or)4niB4tionJs intern4( conform4nce to its s?stem
for ;o+ern4nce of IT1
+irect
Directors s*ou(d direct t*ose res3onsib(e to est4b(is* re)u(4r 4nd routine mec*4nisms for
ensurin) t*4t t*e use of IT com3(ies Cit* re(e+4nt ob(i)4tions %re)u(4tor?- (e)is(4tion- common
(4C- contr4ctu4(&- st4nd4rds 4nd )uide(ines1
Directors s*ou(d direct t*4t 3o(icies 4re est4b(is*ed 4nd enforced to en4b(e t*e
or)4niB4tion to meet its intern4( ob(i)4tions in its use of IT1
Directors s*ou(d direct t*4t IT st4ff fo((oC re(e+4nt )uide(ines for 3rofession4( be*4+iour
4nd de+e(o3ment1
Directors s*ou(d direct t*4t 4(( 4ctions re(4tin) to IT be et*ic4(1
<onitor
Directors s*ou(d monitor IT com3(i4nce 4nd conform4nce t*rou)* 433ro3ri4te re3ortin) 4nd
4udit 3r4ctices- ensurin) t*4t re+ieCs 4re time(?- com3re*ensi+e- 4nd suit4b(e for t*e
e+4(u4tion of t*e eHtent of s4tisf4ction of t*e business1
Directors s*ou(d monitor IT 4cti+ities- inc(udin) dis3os4( of 4ssets 4nd d4t4- to ensure t*4t
en+ironment4(- 3ri+4c?- str4te)ic DnoC(ed)e m4n4)ement- 3reser+4tion of or)4niB4tion4(
memor? 4nd ot*er re(e+4nt ob(i)4tions 4re met1




,4 ' ISOIE! 2008 A A(( ri)*ts reser+ed
ISO/IEC 38500:2008(E)
31: !rinciple 8: 9%man .ehavio%r
Eval%ate
Directors s*ou(d e+4(u4te IT 4cti+ities to ensure t*4t *um4n be*4+iours 4re identified 4nd
433ro3ri4te(? considered1
+irect
Directors s*ou(d direct t*4t IT 4cti+ities 4re consistent Cit* identified *um4n be*4+iour1
Directors s*ou(d direct t*4t risDs- o33ortunities- issues 4nd concerns m4? be identified
4nd re3orted b? 4n?one 4t 4n? time1 T*ese risDs s*ou(d be m4n4)ed in 4ccord4nce Cit*
3ub(is*ed 3o(icies 4nd 3rocedures 4nd esc4(4ted to t*e re(e+4nt decision m4Ders1
<onitor
Directors s*ou(d monitor IT 4cti+ities to ensure t*4t identified *um4n be*4+iours
rem4in re(e+4nt 4nd t*4t 3ro3er 4ttention is )i+en to t*em1
Directors s*ou(d monitor CorD 3r4ctices to ensure t*4t t*e? 4re consistent Cit* t*e
433ro3ri4te use of IT1

' ISOIE! 2008 A A(( ri)*ts reser+ed ,5