IT Governance ISO standard in publication for end of May release

IT Governance standard PRF 29382 "Corporate governance of information technology" has been renumbered as ISO/IEC 38500 (memorise that number) and is currently being published for end of May release, which is excellent news. Perhaps now we can get people to use the word "governance" properly.

Comments

ISO/IEC 38500

Having been involved in the development of AS8015 I can say it was not our intention that this was to be a prescriptive 'tick the box' style compliance standard, or a do-it-yourself recipe for implementing ICT governance, but rather an educational/informational standard. AS8015 simply lays out a set of principles for governors (company directors, or their equivalents) to follow - in basic terms 'governance is about what governors do, and management is what managers do'. It provides guidance on what to do, not how to do it. It is a reasonable assumption that people at this level are very capable of deciding this in a way that best suits their organisation. CobiT, ITIL, etc. provide guidance to CIOs, IT managers and specialists on 'how to' exercise their governance responsibilities within their specific context. The Evaluate, Direct, Monitor model was designed to place the focus of ICT governance at the director level and clearly differentiate it from the Plan-Do-Check-Act model that managers typically execute. I believe that we now need directors to get engaged in driving ICT governance and get this top-down involvement. Driving it from the bottom up will not address the persistent failure of ICT to deliver the benefits that the investments are intended to achieve.

ISO 38500 Review/Comments

So I just purchased the standard, and am reading through it. At first glance, it seems as though it's just a re-statement of IT Strategy best (or should I say "good") practices. Good information to have, as sometimes it is sadly necessary to reiterate common sense under the banner of "standards", but there it is.

My only complaint is the cost... which is a bit much for 22 pages of what can be found in most every IT Strategy book I've ever read.

Liz

what all standards are?

Isn't that what all standards are? "re-statement of ...best (or should I say "good") practices"

21 pages more than needed?

Liz,

I've found it very useful when talking to senior management, but I think you could actually condense the important bits down to a page ;-)

the PDCA cycle is sacred

Hi Terry

thanks for joining in.

Something that concerns me is that certain people believe the PDCA cycle is sacred and ISO38500 must comply with it. They can't handle the idea that governance should have a different model. As you say, there is value in clearly delineating between the behaviours of governors and managers - and distinct models help do that. So we'll watch with interest to see how the politics play out around 38500.

The PDCA cycle

I learned from a colleague who attended many of the ISO discussions that there was considerable angst about a standard not based upon PDCA, principally because that is the model that has always been used. There was discomfort that the main audience of AS 8015 was not managers, specialists and practitioners, but members of the Board (and their equivalents). The fact that ISO 38500 has been released is a recognition by the ISO participants of the fact that directors and managers have different roles and accountabilities. It does not mean that either model is wrong, but simply that they operate at different levels (and must also work with each other). The most rewarding feedback I have had was from the owner of a small retail outlet with 3 employees. She applied the AS 8015 principles to her small business and as a result has saved money, improved data management and recovered from a storeroom fire with no adverse impact on her business. She told me that if it had happened three months earlier she may well have gone out of business. So the principles of good ICT governance work not just for the big business end of town. If directors apply the standard then the politics probably won't matter. Cheers TerryR

AS 8015

Do you know if this has drawn on the Australian standard AS 8015 "Corporate Governance of ICT"? I don't have a copy of it but the summary I've read looks promising.

AS8015 / ISO

Yes, it is indeed based on AS8015. Next Monday, there will be a workshop / seminar on the new ISO standard at Schiphol/Amsterdam airport, organised by BITA center. As people who were directly involved in the new ISO standard will be there to present it, I will definitely attend.

Thanks Michiel. Do you know

Thanks Michiel. Do you know if there is or will be any publicly available summary of AS8015 or ISO 38500?

Seminar

Joe,

I'll do my best to give some feedback from the seminar through this thread.

Regards,

Michiel

ISO 38500

Joe and others,

We had a meeting at Schiphol airport yesterday with approx. 70 people from (if I am not mistaken) 7 countries involved. There were several presentations on governance, ISO38.5K and AS8015. These were delivered by Professor Chris Verhoef (Free University, Amsterdam), Alison Holt and Mark Toomey. The latter two were directly involved with AS8015 and ISO38500.

The new standard is supposed to be published early June. We did not have an opportunity to get a preview; we only had a small glance at the AS8015 standard.

ISO38500 is based on 6 principles:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human Behaviour

As with many definitions of governance, ISO38500 activities are Direct, Evaluate and Monitor. Results of governance are performance and conformance.

My personal feeling based upon what I heard is that ISO38.5K needs more 'flesh' before it can prove its added value: reference stories, implementation guidance etc. And above all, more info about certification etc.

I am sure that Jan will add a more thorough view ;-)

more flesh to ISO38500

You touch on an interesting point: ISO38500 only defines what IT governance is (or more precisely: what governance is generally but supposedly in an IT context - I don't see what is IT-specific about ISO38500). It is not a guidance standard: it defines nothing about how governance should be performed. As you say, it is only the first step.

more flesh indeed

One of the targets for the launch event in the Netherlands was indeed to get some opinion about the practical value of the new standard.
We discussed this after the presentations, using 4 discussion statements:

Statement 1 - ISO 38500 is still all about management.
(Note: the term "management" is defined in ISO 9000 in the same terms as IT governance is defined in 38500: "The coordinated activities to direct and control an organization, a system, or a process.")

Statement 2 - ISO 38500 is theory and does not help us in practice.

Statement 3 - ISO 38500 represents global best practice for IT Governance.

Statement 4 - The ISO 38500 standard is sufficient for the execution of IT Governance.

You can imagine that there were quite a few comments from an actively engaged international audience.... We've taped the entire seminar and hope to be able to share some of the results.

On the "guidance" comment: the chair of the ISO committee made very clear that this ISO publication is not a standard in terms of a certifiable set of metrics, but more a guidance document. So it indeed seems that we *can* call it "guidance".

On the flesh issue: as you may expect from me, I'm working on some publications to get that done.

ISO38500 is only guidance

Thanks for all the great info Jan and Michiel!

So I meant the opposite of what I said :-D

Try again:
ISO38500 is only guidance: what governance looks like, what the word means. It does not define the specifics of exactly what needs to be done (...in order to be measured or certified) let alone how (most standards don't define how, but some provide guidance on how or others do e.g. ITIL, which was what I meant by guidance)

Still not getting much sleep thanks to this wee guy...

videotape

The seminar is organized by bITa Center and Inform-IT. I'll chair the meeting. We'll make sure the entire session is videotaped. Don't exactly know how we're making that available, but we intend to use it to inform people on the real value of this standard, through the bITa center (www.bita-center.com) and ITSM PORTAL (http://en.itsmportal.net) websites.
Visitors from at least 7 European countries are participating in the seminar.
Jan van Bon

we'll have to buy it

There will be lots of them, but the standard is copyright, like all ISO standards and like ITIL, so we'll have to buy it.

Incidentally, from what I've seen it is similar but not the same. The basic three-way model of Direct-Evaluate-Monitor isn't in the Aussie standard - it seems to be simpler.

Direct Evaluate Monitor

Knowing it was coming I've already used the Direct Evaluate Monitor approach with a client and it worked really well. I think it helped the board distinguish governance activity from other activity, and gave them an idea of where their intervention was needed.
