IEC 38500-2015 pdf free download – Information technology — Governance of IT for the organization.
Good governance of IT also assists governing bodies in assuring_conformance with obligations(regulatory, legislation, contractual) concerning the acceptable use of TT.
This International Standard establishes a model for the governance of lT.The risk of governing bodiesnot fulfilling their obligations is mitigated by giving due attention to the model in appropriately applyingthe principles.
Inadequate IT systems and improper or inappropriate use of IT can expose an organization to the risk ofnot complying with legislation.For example, in some jurisdictions, members of governing bodies couldbe held personally accountable if an inadequate accounting system results in tax not being paid.
Processes dealing with ITincorporate specific risks that should be addressed appropriately.For examplegoverning bodies and members of governing bodies can be held accountable for:
– breaches of privacy, spam, health and safety,record keeping legislation and regulations;-non-compliance with standards relating to security, social responsibility;
– matters relating to intellectual property rights including licensing agreements.
Governing bodies using the guidance in this standard are more likely to meet their obligations.
4Principles and Model for Good Governance of IT
4.1 Principles
This clause sets out six principles for good governance of lT.The principles express preferred behaviourto guide decision making.The statement of each principle refers to what should happen, but does notprescribe how, when or by whom the principles would be implemented – as these aspects are dependenton the nature of the organization implementing the principles.Governing bodies should require thatthese principles are applied.
Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respectof both supply of, and demand for IT.Those with responsibility for actions also have the authority toperform those actions.
Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT; theplans for the use of IT satisfy the current and on-going needs of the organization’s business strategy.
Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and on-going analysis, with clearand transparent decision making.There is appropriate balance between benefits, opportunities, costs,and risks,in both the short term and the long term.
Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and servicequality required to meet current and future business requirements.
Principle 5: Conformance
The use of IT complies with all mandatory legislation and regulations.Policies and practices are clearlydefined, implemented and enforced.
Principle 6: Human Behaviour
rT policies, practices and decisions demonstrate respect for Human Behaviour, including the currentand evolving needs of all the “people in the process’.
4.2 Model
Governing bodies should govern lT through three main tasks:a)Evaluate the current and future use of IT.
b) Direct preparation and implementation of strategies and policies to ensure that use of lT meets
business objectives.
c)Monitor conformance to policies, and performance against the strategies.
Authority for specific aspects of lT may be delegated to managers within the organization. However,accountability for the effective, efficient and acceptable use of iT by an organization remains with thegoverning body and cannot be delegated.
Figure 1 shows the model for governance of IT using Evaluate-Direct- Monitor. The text followingFigure 1 explains the elements and relationships depicted.BS ISO-IEC 38500 pdf download.