Security Zone: The ISO/IEC 38500 IT Governance Standard

IT governance means different things to different folks, yet it is generally understood to require alignment with best practice standards and methodologies. However, it can be really hard to see the wood for the trees due to the multiple frameworks, all of which can be applicable for organisations to demonstrate good governance.

For example, Isaca's Val IT framework helps quantify return on investment (RoI), and Prince2 is used for project implementation and acquisition activities, just as ISO/IEC 27001 is the go-to governance framework for security.

Yet despite the blurred lines between management and governance frameworks, a single IT governance standard (ISO/IEC 38500:2008) is now in place. It provides excellent overall simple guidance on IT governance for owners, board members, partners, directors, senior executives or similar on the effective, efficient, acceptable and secure use of IT in their organisations.

ISO/IEC 38500:2008 helps to clarify IT governance from the top down. It describes governance as the means by which directors demonstrate to all stakeholders and compliance bodies their effective stewardship of IT resources, by ensuring that an appropriate governance and security framework exists for all IT activities. That framework covers the following six principles:

• responsibility

• strategy

• acquisition (and implementation)

• performance

• conformance

• human behaviour

The primary advantage of the ISO/IEC 38500:2008 IT governance framework is that it ensures accountability is clearly assigned for all IT risks and activities. This specifically includes assigning and monitoring IT security responsibilities, strategies and behaviours, so that appropriate measures and mechanisms are established for reporting on, and responding to, the current and planned use of IT - for example, meeting the latest data protection requirements for encryption of all portable devices, such as laptops and memory sticks, used to store and transmit personal data.

As ever, all security and IT audit assurance professionals should encourage the development and use of embedded security management processes. The ISO/IEC 38500:2008 framework helps to achieve this by establishing appropriate matrices that go beyond compliance with the minimum standards of individual pockets of best practice, embracing continuous improvement in both security governance and security management.

The www.itgovernance.co.uk site has established a toolkit for the integrated ISO/IEC 38500:2008 framework to help users to get the best out of the plethora of best practice standards and methodologies, including CobiT, ITIL, ISO 27001/27002, ISO 20000, Prince2, PMBOK, TOGAF, IT balanced scorecards, the Zachman Enterprise Architecture, IT portfolio management, IT dashboards and so much more.

Many ISC2 and Isaca members are signing up to the LinkedIn IT governance group and the http://itgovernance.collectivex.com/ website, which give an opportunity to share and exchange information, methodologies, articles, books, references, tools, case study experiences and other matters of interest to IT governance and security professionals. Of particular interest are the two ISO/IEC 38500 JTC 1 WG6 corporate governance of IT documents that are currently out for comment:

• ISO/IEC WD1 38500 is a first working draft of proposed changes to ISO/IEC 38500.

• ISO/IEC TR29184WD is a first working draft of a proposed implementation guide.

I would strongly recommend that anyone interested in IT governance evaluate the current version of ISO/IEC 38500 and comment on the new working drafts, to ensure that IT security and audit assurance professionals appropriately influence the security aspects of the ISO IT governance working group's output.

Chris Power, CISSP, is senior IT audit manager in the internal audit practice of the enterprise risk services group, Deloitte & Touche.