Shamkris Global Group

ISO/IEC 38500:2015 – Information Technology

Information technology — Governance of IT for the organization

What is ISO/IEC 38500:2015 Certification?

ISO/IEC 38500 is a standard that provides guidance on the corporate governance of information technology within organizations. Unlike ISO/IEC 27001, which focuses specifically on information security management systems, ISO/IEC 38500 addresses the broader governance aspects of IT.

ISO/IEC 38500 certification, however, does not exist in the same way as ISO/IEC 27001 certification. ISO/IEC 38500 is not a certifiable standard like ISO/IEC 27001, meaning organizations cannot obtain formal certification against ISO/IEC 38500. Instead, ISO/IEC 38500 provides guidelines and principles for corporate governance of IT, helping organizations ensure that their IT investments support business objectives, manage IT-related risks, and optimize IT resources effectively.


Key principles outlined in ISO/IEC 38500 include:

Responsibility: Clearly defining roles and responsibilities for IT governance within the organization, including the governing body, management, and stakeholders.

Strategy: Aligning IT strategy with the organization’s overall business strategy to ensure that IT investments contribute to achieving business objectives.

Acquisition: Ensuring that IT investments are made wisely, considering factors such as value for money, risk management, and alignment with business needs.

Performance: Monitoring and evaluating the performance of IT investments and IT service delivery to ensure they meet agreed-upon objectives and performance targets.

Conformance: Ensuring that IT activities and investments comply with relevant laws, regulations, and standards, as well as internal policies and procedures.

Human Behavior: Recognizing the importance of human behavior and organizational culture in governing IT effectively, including factors such as ethics, communication, and stakeholder engagement.

Benefits of ISO/IEC 38500:2015 Certification

Improved IT Governance

ISO/IEC 38500 provides a framework for effective IT governance, helping organizations establish clear roles, responsibilities, and processes for decision-making related to IT. By adopting its principles, organizations can enhance their governance structures, ensuring that IT investments support business objectives and are managed in a transparent and accountable manner.

Enhanced Alignment with Business Objectives

One of the key principles of ISO/IEC 38500 is the alignment of IT with business strategy. By following this principle, organizations can ensure that their IT initiatives are closely aligned with the needs and priorities of the business, leading to more effective use of IT resources and better support for business goals.

Better Risk Management

ISO/IEC 38500 emphasizes the importance of risk management in IT governance. By implementing its principles, organizations can improve their ability to identify, assess, and mitigate IT-related risks, reducing the likelihood of costly disruptions or security breaches.

Increased Stakeholder Confidence

Adhering to ISO/IEC 38500 principles can enhance stakeholder confidence in an organization's ability to manage IT effectively. This can be particularly important for investors, customers, regulators, and other stakeholders who rely on IT systems and services to support critical business functions.

Legal and Regulatory Compliance

ISO/IEC 38500 promotes compliance with relevant laws, regulations, and standards related to IT governance. By following its guidelines, organizations can reduce the risk of non-compliance and mitigate potential legal and regulatory issues related to IT management.

Enhanced Decision-Making

ISO/IEC 38500 encourages a structured approach to IT decision-making, based on a clear understanding of business objectives, risks, and opportunities. By adopting its principles, organizations can improve the quality and consistency of their IT-related decisions, leading to better outcomes and resource allocation.

Who can get ISO/IEC 38500:2015 Certification?

Since ISO/IEC 38500 is a guideline standard rather than a certifiable standard like ISO/IEC 27001, there isn’t a certification process for ISO/IEC 38500. However, organizations can use ISO/IEC 38500 to improve their IT governance practices. Here’s a list of broad product categories or entities that could benefit from adopting ISO/IEC 38500 principles:

Enterprise Software Solutions Providers

Companies that develop and provide enterprise software solutions, including governance, risk management, and compliance (GRC) software, can incorporate ISO/IEC 38500 principles into their products to help organizations better manage IT governance.

Consulting Firms

Consulting firms specializing in IT governance, risk management, and compliance can offer services to help organizations align their IT governance practices with ISO/IEC 38500 guidelines. They can provide assessments, guidance, and implementation support to facilitate compliance.

Training and Education Providers

Organizations that offer training and education programs related to IT governance, such as professional certifications or workshops, can develop curriculum and materials based on ISO/IEC 38500 principles to help professionals understand and apply effective IT governance practices.

IT Service Providers

Managed service providers, IT outsourcing firms, and other IT service providers can use ISO/IEC 38500 principles to enhance their service offerings and ensure that they align with client organizations' IT governance requirements.

Auditing and Assurance Firms

Auditing firms and assurance providers can incorporate ISO/IEC 38500 principles into their audit methodologies and assessment frameworks to evaluate the effectiveness of IT governance practices within client organizations.

Regulatory and Compliance Software Providers

Companies that develop software solutions for regulatory compliance management can integrate ISO/IEC 38500 principles into their products to help organizations address IT governance requirements more effectively.

Risk Management Software Providers

Providers of risk management software solutions can incorporate ISO/IEC 38500 principles into their products to help organizations identify, assess, and mitigate IT-related risks in alignment with best practices.

Corporate Governance Consulting Firms

Firms specializing in corporate governance consulting can offer services to help organizations integrate IT governance into their overall governance framework, leveraging ISO/IEC 38500 principles as a guiding framework.

Industry Associations

Industry associations and professional organizations in fields such as IT, governance, risk management, and compliance can promote awareness of ISO/IEC 38500 principles and provide guidance and resources to help member organizations adopt effective IT governance practices.

Government Agencies

Government agencies responsible for regulating and overseeing IT governance practices in specific industries or sectors can use ISO/IEC 38500 principles as a reference framework to inform regulatory requirements and industry standards.

Validity of ISO/IEC 38500:2015 Certification

The ISO/IEC 38500:2015 certification is typically valid for 3 years from the date of issue. During this period, the organization must demonstrate ongoing compliance with the standard’s principles and guidelines.

Documents Required for ISO/IEC 38500:2015 Certification

The extent of Documented Information differs as per:

Role of Shamkris and Process of ISO/IEC 38500:2015 Certification

Shamkris adopts a results-oriented approach to effective system implementation in the organization. A simple and practical method of system implementation helps organizations increase business efficiency and sustainability. Shamkris supports 100% of the documentation needed to succeed with the accreditation body, in addition to enhanced performance.

The implementation process is described below:

Time Frame      Task / Process

Day 1           GAP Analysis; Certification Body Selection; Cost Estimates

Week 1          Developing Documents

Week 4          Implementing Management System

Week 8          Internal Audit; MRM; CAPA

Week 10         Self Certification/NoBo Audit; N-C Closing

Week 12         Self Certification/NoBo

Year on Year    Yearly Compliance

Who can issue the ISO/IEC 38500:2015 Certification?

Approved Agency
Approved CB

FAQ

No, ISO/IEC 38500 does not have a formal certification process. It provides guidance on IT governance principles but does not offer certification.

Organizations can demonstrate compliance with ISO/IEC 38500 by aligning their IT governance practices with its principles. This may involve conducting self-assessments, engaging in external audits or assessments, and integrating ISO/IEC 38500 principles into governance frameworks.

Yes, some training providers offer courses on IT governance or corporate governance that may cover ISO/IEC 38500 principles. These courses can help professionals understand and apply effective IT governance practices within their organizations.

Adopting ISO/IEC 38500 principles can help organizations improve decision-making, manage IT-related risks more effectively, and align IT investments with business objectives. It promotes transparency, accountability, and value creation through IT governance.

ISO/IEC 38500 is not mandatory, but organizations may choose to adopt its principles voluntarily to enhance their IT governance practices. Compliance with ISO/IEC 38500 can help organizations demonstrate good governance and align IT with business objectives.