Generated by GPT-5-mini

| ISO/IEC 38500 | |
|---|---|
| Title | ISO/IEC 38500 |
| Status | Published |
| Year | 2008 |
| Organization | ISO, IEC |
| Domain | Information Technology, Corporate Governance |
ISO/IEC 38500 is an international standard providing high-level principles and a model for the corporate governance of information technology, intended to guide boards of directors and senior executives in strategic oversight. It aligns with governance frameworks used by organizations such as OECD, World Economic Forum, United Nations, European Commission, and professional bodies like the Institute of Directors and ISACA, while drawing on management influences from ITIL, COBIT, COSO, BSI, and IEEE.
The standard presents a concise set of principles designed to assist non-executive and executive leadership across institutions including the International Monetary Fund, World Bank, Asian Development Bank, African Union, and private sector entities such as Microsoft Corporation, IBM, Google LLC, and Apple Inc. It was developed through collaboration among national members of ISO and IEC and reflects input from experts at organizations like the British Standards Institution, Standards Australia, Standards Council of Canada, Deutsches Institut für Normung, and Association Française de Normalisation. ISO/IEC 38500 positions IT oversight alongside fiduciary responsibilities familiar to boards involved with entities including Goldman Sachs, JP Morgan Chase, HSBC, and Deutsche Bank.
The model articulates six principles—responsibility, strategy, acquisition, performance, conformance, and human behaviour—intended to be applied by governing bodies akin to the charters used by Securities and Exchange Commission, Financial Conduct Authority, European Central Bank, and Bank for International Settlements. The principle set is often compared and contrasted with governance guidance from COSO ERM, COBIT 5, ITIL 4, and NIST Cybersecurity Framework, and has been cited in corporate policies from firms such as Accenture, Deloitte, PricewaterhouseCoopers, and KPMG. The model emphasizes roles similar to those delineated in instruments like the Sarbanes–Oxley Act and the UK Corporate Governance Code.
ISO/IEC 38500 is applicable to governing bodies across a diverse range of organizations including United Nations Development Programme, Red Cross, Toyota Motor Corporation, Siemens, Boeing, Airbus SE, Shell plc, and ExxonMobil. It is designed to be technology-agnostic so it can complement sector-specific regulation such as HIPAA, GDPR, Basel III, and procurement frameworks used by NATO and World Health Organization. The standard addresses strategic decision-making pertaining to systems comparable to enterprise platforms from SAP SE, Oracle Corporation, cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform, and service integrations managed by consultancy firms such as Capgemini and Infosys.
Practices recommended by the standard encompass board-level accountability, risk oversight, resource stewardship, and performance monitoring paralleling committee structures at International Olympic Committee, FIFA, United Nations Security Council, and corporate boards of conglomerates like General Electric and Samsung Electronics. It advises alignment between policies used in frameworks like COBIT, audit functions seen in Institute of Internal Auditors, and risk committees modeled after Committee of Sponsoring Organizations of the Treadway Commission work. Implementation often involves coordination with legal counsel familiar with statutes including Companies Act 2006, regulatory filings to Securities and Exchange Commission, and compliance programs referenced by Financial Action Task Force.
Adoption has been documented across public, private, and non-profit sectors with endorsements or references by entities such as Australian Government, New Zealand Government, Singapore Government, Canadian Centre for Cyber Security, and multinational corporations including Siemens, Vodafone Group, HSBC Holdings, and Shell. The standard influenced national guidelines issued by bodies like Office of Government Commerce and spurred integration into curricula of professional associations including Chartered Institute of Management Accountants, Association of Chartered Certified Accountants, and university programs at institutions such as Harvard University, University of Oxford, Stanford University, and Massachusetts Institute of Technology.
Work on the standard was undertaken in ISO/IEC joint working groups with participants from national standards bodies including Standards Australia, BSI, DIN, AFNOR, and ANSI. The original version released in 2008 followed consultations involving stakeholders such as ISACA, IEEE Computer Society, IFAC, and corporate representatives from HP Inc. and Cisco Systems. Subsequent revisions and maintenance activities have been coordinated through ISO/IEC technical committees and mirror processes similar to updates seen in ISO 9001, ISO/IEC 27001, and ISO 14001, with public comment periods engaging regulators like European Banking Authority and industry consortia such as Cloud Security Alliance.