ISO/IEC 38500:2015 – Information Technology
Information technology — Governance of IT for the organization
What is ISO/IEC 38500:2015 Certification?
ISO/IEC 38500 is a standard that provides guidance on the corporate governance of information technology within organizations. Unlike ISO/IEC 27001, which focuses specifically on information security management systems, ISO/IEC 38500 addresses the broader governance aspects of IT.
ISO/IEC 38500 certification, however, does not exist in the same way as ISO/IEC 27001 certification. ISO/IEC 38500 is not a certifiable standard like ISO/IEC 27001, meaning organizations cannot obtain formal certification against ISO/IEC 38500. Instead, ISO/IEC 38500 provides guidelines and principles for corporate governance of IT, helping organizations ensure that their IT investments support business objectives, manage IT-related risks, and optimize IT resources effectively.
Key principles outlined in ISO/IEC 38500 include:
Responsibility: Clearly defining roles and responsibilities for IT governance within the organization, including the governing body, management, and stakeholders.
Strategy: Aligning IT strategy with the organization’s overall business strategy to ensure that IT investments contribute to achieving business objectives.
Acquisition: Ensuring that IT investments are made wisely, considering factors such as value for money, risk management, and alignment with business needs.
Performance: Monitoring and evaluating the performance of IT investments and IT service delivery to ensure they meet agreed-upon objectives and performance targets.
Conformance: Ensuring that IT activities and investments comply with relevant laws, regulations, and standards, as well as internal policies and procedures.
Human Behavior: Recognizing the importance of human behavior and organizational culture in governing IT effectively, including factors such as ethics, communication, and stakeholder engagement.
Benefits of ISO/IEC 38500:2015 Certification
Improved IT Governance
ISO/IEC 38500 provides a framework for effective IT governance, helping organizations establish clear roles, responsibilities, and processes for decision-making related to IT. By adopting its principles, organizations can enhance their governance structures, ensuring that IT investments support business objectives and are managed in a transparent and accountable manner.
Enhanced Alignment with Business Objectives
One of the key principles of ISO/IEC 38500 is the alignment of IT with business strategy. By following this principle, organizations can ensure that their IT initiatives are closely aligned with the needs and priorities of the business, leading to more effective use of IT resources and better support for business goals.
Better Risk Management
ISO/IEC 38500 emphasizes the importance of risk management in IT governance. By implementing its principles, organizations can improve their ability to identify, assess, and mitigate IT-related risks, reducing the likelihood of costly disruptions or security breaches.
Increased Stakeholder Confidence
Adhering to ISO/IEC 38500 principles can enhance stakeholder confidence in an organization's ability to manage IT effectively. This can be particularly important for investors, customers, regulators, and other stakeholders who rely on IT systems and services to support critical business functions.
Legal and Regulatory Compliance
ISO/IEC 38500 promotes compliance with relevant laws, regulations, and standards related to IT governance. By following its guidelines, organizations can reduce the risk of non-compliance and mitigate potential legal and regulatory issues related to IT management.
Enhanced Decision-Making
ISO/IEC 38500 encourages a structured approach to IT decision-making, based on a clear understanding of business objectives, risks, and opportunities. By adopting its principles, organizations can improve the quality and consistency of their IT-related decisions, leading to better outcomes and resource allocation.
Who can get ISO/IEC 38500:2015 Certification?
Since ISO/IEC 38500 is a guideline standard rather than a certifiable standard like ISO/IEC 27001, there isn’t a certification process for ISO/IEC 38500. However, organizations can use ISO/IEC 38500 to improve their IT governance practices. Here’s a list of broad product categories or entities that could benefit from adopting ISO/IEC 38500 principles:
Enterprise Software Solutions Providers
Companies that develop and provide enterprise software solutions, including governance, risk management, and compliance (GRC) software, can incorporate ISO/IEC 38500 principles into their products to help organizations better manage IT governance.
Consulting Firms
Consulting firms specializing in IT governance, risk management, and compliance can offer services to help organizations align their IT governance practices with ISO/IEC 38500 guidelines. They can provide assessments, guidance, and implementation support to facilitate compliance.
Training and Education Providers
Organizations that offer training and education programs related to IT governance, such as professional certifications or workshops, can develop curriculum and materials based on ISO/IEC 38500 principles to help professionals understand and apply effective IT governance practices.
IT Service Providers
Managed service providers, IT outsourcing firms, and other IT service providers can use ISO/IEC 38500 principles to enhance their service offerings and ensure that they align with client organizations' IT governance requirements.
Auditing and Assurance Firms
Auditing firms and assurance providers can incorporate ISO/IEC 38500 principles into their audit methodologies and assessment frameworks to evaluate the effectiveness of IT governance practices within client organizations.
Regulatory and Compliance Software Providers
Companies that develop software solutions for regulatory compliance management can integrate ISO/IEC 38500 principles into their products to help organizations address IT governance requirements more effectively.
Risk Management Software Providers
Providers of risk management software solutions can incorporate ISO/IEC 38500 principles into their products to help organizations identify, assess, and mitigate IT-related risks in alignment with best practices.
Corporate Governance Consulting Firms
Firms specializing in corporate governance consulting can offer services to help organizations integrate IT governance into their overall governance framework, leveraging ISO/IEC 38500 principles as a guiding framework.
Industry Associations
Industry associations and professional organizations in fields such as IT, governance, risk management, and compliance can promote awareness of ISO/IEC 38500 principles and provide guidance and resources to help member organizations adopt effective IT governance practices.
Government Agencies
Government agencies responsible for regulating and overseeing IT governance practices in specific industries or sectors can use ISO/IEC 38500 principles as a reference framework to inform regulatory requirements and industry standards.
Validity of ISO/IEC 38500:2015 Certification
The ISO/IEC 38500:2015 certification is typically valid for 3 years from the date of issue. During this period, the organization must demonstrate ongoing compliance with the standard’s principles and guidelines.
Documents Required for ISO/IEC 38500:2015 Certification
- System Manual
- System Procedure
- Policy
- Objectives
- Mission & Vision
- Standard Operating Procedure (SOP)
- Checklist
- Forms
- Formats
- Records
The extent of documented information varies according to:
- Organization’s size
- Activities performed by the organization
- Processes undertaken by the Organization
- Products and services offered by the organization
- The complexity of processes undertaken
- Competence of persons involved
Role of Shamkris and Process of ISO/IEC 38500:2015 Certification
Shamkris adopts a results-oriented approach to effective system implementation in the organization. A simple and practical method of system implementation helps organizations increase business efficiency and sustainability. Shamkris provides full documentation support to achieve a successful outcome with the accreditation body, in addition to enhanced performance.
The implementation process is described below:
| Time Frame | Task | Process |
| --- | --- | --- |
| Day 1 | GAP Analysis; Certification Body Selection; Cost Estimates | - Finding the gap between the existing system and the ISO requirements<br>- Selecting the appropriate certification body<br>- Cost estimate based on the scope of your business and the certification body you choose |
| Week 1 | Developing Documents | - Management System Manual, Management System Procedures, Policy, Objectives, Forms, etc.<br>- Review of Standard Operating Procedures (SOP) |
| Week 4 | Implementing Management System | - ISO awareness training for top management and staff<br>- Implementing a well-documented management system throughout the organization |
| Week 8 | Internal Audit; MRM; CAPA | - Internal audits identifying nonconformities related to ISO requirements<br>- Management Review Meetings<br>- Corrective and Preventive Action plan for nonconformities |
| Week 10 | Self Certification/NoBo Audit; N-C Closing | - Shamkris acts on your behalf and assists you in the third-party audit<br>- Closing of any nonconformities identified by the certification body |
| Week 12 | Self Certification/NoBo | - ISO certificates issued for 3 years<br>- Surveillance audits yearly |
| Year on Year | Yearly Compliance | - Support with yearly documentation for the audit |
Who can issue the ISO/IEC 38500:2015 Certification?
FAQ
No, ISO/IEC 38500 does not have a formal certification process. It provides guidance on IT governance principles but does not offer certification.
Organizations can demonstrate compliance with ISO/IEC 38500 by aligning their IT governance practices with its principles. This may involve conducting self-assessments, engaging in external audits or assessments, and integrating ISO/IEC 38500 principles into governance frameworks.
Yes, some training providers offer courses on IT governance or corporate governance that may cover ISO/IEC 38500 principles. These courses can help professionals understand and apply effective IT governance practices within their organizations.
Adopting ISO/IEC 38500 principles can help organizations improve decision-making, manage IT-related risks more effectively, and align IT investments with business objectives. It promotes transparency, accountability, and value creation through IT governance.
ISO/IEC 38500 is not mandatory, but organizations may choose to adopt its principles voluntarily to enhance their IT governance practices. Compliance with ISO/IEC 38500 can help organizations demonstrate good governance and align IT with business objectives.