
ISO 38500: A new corporate governance standard for IT

By Yuga Chaudhari, Principal Correspondent
08 Oct 2009 | SearchCIO.in


The ISO/IEC 38500 standard, issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is an attempt to establish a framework that makes IT governance a critical component of corporate governance. With this standard's implementation, IT governance can demand more accountability from corporate boards.

ISO/IEC 38500 was prepared by Standards Australia (as AS8015:2005). Published in 2008, this standard is a high-level, principles-based advisory standard. In addition to providing broad guidance on the role of a governing body, it encourages organizations to use appropriate standards to underpin their governance of IT.

The ISO 38500 standard defines six principles, which are an attempt to establish responsibilities and plans to best support the organization's IT services. According to www.iso.org, ISO/IEC 38500:2008 provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or others) on the effective, efficient, and acceptable use of IT within their organizations. This standard is applicable to all organizations, including public and private companies, government entities and not-for-profit organizations. It applies to organizations of all sizes, from the smallest to the largest, regardless of the extent of their IT usage.

According to Nishant Singh, the IT markets analyst of IT research firm Ovum India, ISO 38500 is more elaborate than other standards of the past, and will find a greater acceptance as an adoptable standard. "ISO 38500 has achieved overwhelming approval and unanimous support from ISO -- being passed with not a single country disapproving of the standard. This suggests that there is a greater acceptance of the fact that organizations need to maintain a consistent approach to their IT governance. It also means that people at the highest level of organizations need to appreciate and execute their legal, regulatory, and ethical obligations towards their organizations' use of IT," says Singh.

ISO 38500 and the CIO

The ISO 38500 standard seeks to establish that IT is the entire executive management team's responsibility, and not just dependent on the CIO. In essence, the governing body of any organization that plans to adopt this standard will have to shoulder the responsibility of appraising IT proposals, scrutinizing current projects and providing guidelines for improved IT policies. "For CIOs, this means that IT adoption will follow more defined frameworks. Conversely, this translates to lesser resistances and ambiguities from within the organization," says Singh.

ISO 38500's objective is to provide a framework of principles that directors can use when evaluating, directing and monitoring the use of IT in their organizations. "This means that the board will be responsible for setting strategic directions, managing risks, allocating resources and monitoring performance in all business areas (including IT). This helps bring enhanced IT governance within the organization to the forefront," says Captain Felix Mohan, the senior vice president and chief information security officer of Bharti Airtel Ltd.

The ISO 38500 standard has yet to gain popularity among Indian CIOs due to the lack of awareness. Most Indian CIOs that SearchCIO.in spoke to were not aware of the standard. One of the major analyst firms refused to comment on ISO 38500 due to limited knowledge on the subject. This is why Mohan states that the momentum is yet to pick up for ISO 38500. Due to the current pressure on companies to show a good corporate governance model to the world and stakeholders, increasing adoption rates can be expected in the near future.

According to Ovum, ISO 38500 should see a slow adoption rate globally, and the situation is not expected to be different in India. "Traditional" Indian organizations are not expected to be enthusiastic about adoption of the standard, especially since it also requires a cultural shift. However, the situation is expected to be different among Indian IT service providers. "Indian IT service providers are quick to adapt, and the standard's adoption also provides a way to differentiate themselves from their competitors. Therefore, we should expect an early adoption of ISO 38500 from these organizations," says Singh.

Challenges to ISO 38500 adoption

ISO 38500 places a strong emphasis on corporate governance, which may not work in the favor of the standard. Even though the standard has been received with enthusiasm, the process of awarding formal certification will take a while, as the authorities and the associated processes for providing this certification are yet to be established in India.

The ISO 38500 standard expects directors to provide a set of IT principles and oversee the implementation (which includes approvals). This may create resistance to the new work arrangements. Hence, organizations need to evolve in order to implement this standard. "It is likely that the governing body of organizations feel that it brings too much responsibility upon them -- something that they would generally expect managers to look into. It will take some time for organizations to work out their new responsibilities around this standard's adoption," Singh points out.

According to Mohan, the challenge of ISO 38500 is all about translating it to on-ground implementation. This is a complicated task since the ISO 38500 standard requires directors to put into practice a six-principle-based governance system, and to evaluate the IT implementation process.

Experts believe that Control Objectives for Information and Related Technology (CobiT) will be a useful tool to help implement the new ISO 38500. CobiT straddles the corporate governance and process control dimensions, and focuses on aligning IT strategy with business goals, meeting regulatory compliance and managing risk. However, only time will tell the impact that ISO 38500 has on Indian businesses.


