ISO/IEC 38500 vs.

ISO/IEC 27000
Christophe Feltus
Member of the ISO Working Group on Identity Management
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg
christophe.feltus@tudor.lu

Outline
Beyond ISO 38500
Scope
Objectives
6 principles
Model for Corporate Governance of ICT

Review of elements of ICT governance in ISO/IEC 27000 standards

Conclusions

Beyond ISO 38500 : scope

The objective of this Standard is to provide a framework of principles for Directors to
use when evaluating, directing and monitoring the use of information technology
(IT) in their organizations.

This standard provides a framework for effective governance of IT, to assist those at
the highest level of organizations to understand and fulfil their legal, ethical and
moral obligations in respect of their organizations use of IT. The framework
comprises definitions, principles and a model.

Beyond ISO 38500 : scope

Governance is distinct from management, and for the avoidance of confusion, the two
concepts are clearly defined in the standard.
the members of the governing body may also occupy the key roles in management.
It provides guidance to those advising, informing, or assisting directors. They include:
Senior managers.
Members of groups monitoring the resources within the organization.
External business or technical specialists, such as legal or accounting
specialists, retail associations, or professional bodies.
Vendors of hardware, software, communications and other IT products.
Internal and external service providers (including consultants).
IT auditors.

The standard is applicable for all organizations, from the smallest,

to the largest, regardless of purpose, design and ownership structure.

Beyond ISO 38500 : objectives

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT
in all organizations by:
assuring stakeholders (including consumers, shareholders, and employees) that, if
the standard is followed, they can have confidence in the organizations corporate
governance of IT;
informing and guiding directors in governing the use of IT in their organization; and
providing a basis for objective evaluation of the corporate governance of IT.

Beyond ISO 38500 : 6 principles

Principle 1: Establish clearly understood responsibilities for IT
Principle 2: Plan IT to best support the organization
Principle 3: Acquire IT validly
Principle 4: Ensure that IT performs well, whenever required
Principle 5: Ensure IT conforms with formal rules
Principle 6: Ensure IT use respects human factors

Beyond ISO 38500 : Model for Corporate

Governance of ICT

Directors should govern ICT through

three main tasks:
(a) Evaluate the use of ICT.
(b) Direct preparation and implementation of plans and policies.
(c) Monitor conformance to policies, and performance against the plans.

Elements of ICT governance in existing

ISO/IEC 27000 standards
ISO/IEC 27000 family of standards

Elements of ICT governance in existing

ISO/IEC 27000 standards
The standard ISO/IEC 27000 overlaps with ICT governance in many areas.
Most significant of these are :
Risk Management
4.2 Establishing and managing the ISMS.

Connections with legislation

4.2.1/ISMS policy,
7.3 Management review output,
A.15.1 Compliance with legal requirements.

Performance
A.10.3.1 Capacity management

Tight relationship with management is required

Clause 5 Management responsibility

Internal auditing
Clause 6 Internal ISMS audits

Ensuring business continuity

A.14 Business continuity management

Conclusions
This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 have many
relationships with ICT governance.
New ICT governance standard should be taken into account these similarities
thoroughly so that inconsistent overlapping can be prevented.
This is very important especially if it will be possible to certify against this new
standard so that combined audits with both ISO/IEC 27001 and ICT governance
standard can be conducted in a logical and cost-effective way.

Source :
ISO/IEC 38500 : Corporate governance of information technology
ISO/IEC 27000 family
Inspecta Certification report for ISO/IEC 38500