IT auditors
International Copyright GRC Group, 1360 Clifton Avenue, Mail Stop 163, Clifton, New Jersey 07012. email@grcg.com.
GRC Institute
ISO/IEC 38500 Workbook
Principle 1: Example
Model Domains: Evaluate the current and future use of IT; Direct preparation and implementation; Monitor conformance and performance
Columns under each domain: Task within Model Area | Date Start | Frequency | Responsibility and Sign-off

Action Area: Current IT Environment
Specific Items: Infrastructure; Business Objectives; Projects; Staff

Evaluate the current and future use of IT
Item | Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Infrastructure | Review infrastructure | 1/09 | Yearly | IT Committee
Business Objectives | Evaluate current business needs/objectives | 1/09 | Qtrly | IT Committee
Projects | Map all IT projects to objectives | 1/09 | Qtrly | IT Committee
Staff | Evaluate staff roles/capabilities for each project | 1/09 | As needed | IT Committee

Direct preparation and implementation
Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Provide business objectives to identified managers for project selection and implementation | 2/09 | Qtrly | IT Committee / Assigned Managers / Steering Committee
Provide reporting expectations for project updates | 2/09 | Qtrly | IT Committee / Assigned Managers / Steering Committee

Monitor conformance and performance
Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Review Steering Committee minutes | 4/09 | Qtrly | IT Committee / Steering Committee
Review project budgets and timelines | 4/09 | Qtrly | IT Committee / Steering Committee / Assigned Managers
Review outcomes versus expectations (meet business objectives) | 4/09 | Qtrly | IT Committee / Steering Committee / Assigned Managers
Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect to the supply of, and demand for, IT. Those with
responsibility for actions also have the authority to perform those actions.
Model Domains: Evaluate the current and future use of IT; Direct preparation and implementation; Monitor conformance and performance
Columns under each domain: Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Action Area / Specific Items:
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Principle 2: Strategy
The organization's business strategy takes into account the current and future capabilities of IT. In addition, the strategic plans for IT satisfy the current and
ongoing needs of the organization's business strategy.
Model Domains: Evaluate the current and future use of IT; Direct preparation and implementation; Monitor conformance and performance
Columns under each domain: Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Action Area / Specific Items:
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision-making. There is an appropriate
balance among benefits, opportunities, costs, and risks, in both the short term and the long term.
Model Domains: Evaluate the current and future use of IT; Direct preparation and implementation; Monitor conformance and performance
Columns under each domain: Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Action Area / Specific Items:
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Principle 4: Performance
IT is fit for purpose in supporting the organization, and providing the services, levels of service, and service quality required to meet current and future business
requirements.
Model Domains: Evaluate the current and future use of IT; Direct preparation and implementation; Monitor conformance and performance
Columns under each domain: Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Action Area / Specific Items:
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Principle 5: Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented, and enforced.
Model Domains: Evaluate the current and future use of IT; Direct preparation and implementation; Monitor conformance and performance
Columns under each domain: Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Action Area / Specific Items:
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Principle 6: Human Behavior
IT policies, practices, and decisions demonstrate respect for human behavior, including the current and evolving needs of all the people in the process.
Model Domains: Evaluate the current and future use of IT; Direct preparation and implementation; Monitor conformance and performance
Columns under each domain: Task within Model Area | Date Start | Frequency | Responsibility and Sign-off
Action Area / Specific Items:
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Area: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
Item: ___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________
___________ ____________ _____ _____ _____________ _____________ _____ _____ _____________ _____________ _____ _____ ____________