You are on page 1of 10

ISO/IEC 38500 vs.

ISO/IEC 27000
Christophe Feltus

Member of the ISO Working Group on Identity Management
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg

Beyond ISO 38500
6 principles
Model for Corporate Governance of ICT

Review of elements of ICT governance in ISO/IEC 27000 standards


The objective of this Standard is to provide a framework of principles for Directors to
use when evaluating, directing and monitoring the use of information technology
(IT) in their organizations.

This standard provides a framework for effective governance of IT, to assist those at
the highest level of organizations to understand and fulfil their legal, ethical and
moral obligations in respect of their organizations use of IT. The framework
comprises definitions, principles and a model.
Beyond ISO 38500 : scope

Governance is distinct from management, and for the avoidance of confusion, the two
concepts are clearly defined in the standard.

the members of the governing body may also occupy the key roles in management.

It provides guidance to those advising, informing, or assisting directors. They include:
Senior managers.
Members of groups monitoring the resources within the organization.
External business or technical specialists, such as legal or accounting
specialists, retail associations, or professional bodies.
Vendors of hardware, software, communications and other IT products.
Internal and external service providers (including consultants).
IT auditors.

The standard is applicable for all organizations, from the smallest,
to the largest, regardless of purpose, design and ownership structure.
Beyond ISO 38500 : scope

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT
in all organizations by:

assuring stakeholders (including consumers, shareholders, and employees) that, if
the standard is followed, they can have confidence in the organizations corporate
governance of IT;

informing and guiding directors in governing the use of IT in their organization; and

providing a basis for objective evaluation of the corporate governance of IT.
Beyond ISO 38500 : objectives

Principle 1: Establish clearly understood responsibilities for IT

Principle 2: Plan IT to best support the organization

Principle 3: Acquire IT validly

Principle 4: Ensure that IT performs well, whenever required

Principle 5: Ensure IT conforms with formal rules

Principle 6: Ensure IT use respects human factors

Beyond ISO 38500 : 6 principles
Beyond ISO 38500 : Model for Corporate
Governance of ICT
Directors should govern ICT through
three main tasks:
(a) Evaluate the use of ICT.
(b) Direct preparation and implementation of plans and policies.
(c) Monitor conformance to policies, and performance against the plans.
Elements of ICT governance in existing
ISO/IEC 27000 standards
ISO/IEC 27000 family of standards
Elements of ICT governance in existing
ISO/IEC 27000 standards
The standard ISO/IEC 27000 overlaps with ICT governance in many areas.
Most significant of these are :

Risk Management
4.2 Establishing and managing the ISMS.
Connections with legislation
4.2.1/ISMS policy,
7.3 Management review output,
A.15.1 Compliance with legal requirements.
A.10.3.1 Capacity management
Tight relationship with management is required
Clause 5 Management responsibility
Internal auditing
Clause 6 Internal ISMS audits
Ensuring business continuity
A.14 Business continuity management

This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 have many
relationships with ICT governance.

New ICT governance standard should be taken into account these similarities
thoroughly so that inconsistent overlapping can be prevented.

This is very important especially if it will be possible to certify against this new
standard so that combined audits with both ISO/IEC 27001 and ICT governance
standard can be conducted in a logical and cost-effective way.

Source :
ISO/IEC 38500 : Corporate governance of information technology
ISO/IEC 27000 family
Inspecta Certification report for ISO/IEC 38500