ISO 38500: A new corporate governance standard for IT

ISO 38500 is the new standard to guide a company's board about the use of organizational IT. We take a look at the ISO 38500 standard and its mindshare among Indian CIOs.

The ISO/IEC 38500 standard, which was issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is an attempt to establish a framework that makes IT governance a critical component of corporate governance. With this standard's implementation, IT governance can demand more accountability from corporate boards.

ISO/IEC 38500 was prepared by Standards Australia (as AS8015:2005). Published in 2008, this standard is a high-level, principles-based advisory standard. In addition to providing broad guidance on the role of a governing body, it encourages organizations to use appropriate standards to underpin their governance of IT.

The ISO 38500 standard basically defines six principles, which are an attempt to establish responsibilities and plans to best support the organization's IT services. According to, ISO/IEC 38500:2008 provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or others) on the effective, efficient, and acceptable use of IT within their organizations. This standard is applicable to all organizations, which include public and private companies, government entities and not-for-profit organizations. The standard is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their IT usage.

According to Nishant Singh, an IT markets analyst at the IT research firm Ovum India, ISO 38500 is more elaborate than earlier standards and will find greater acceptance as an adoptable standard. "ISO 38500 has achieved overwhelming approval and unanimous support from ISO -- being passed with not a single country disapproving of the standard. This suggests that there is a greater acceptance of the fact that organizations need to maintain a consistent approach to their IT governance. It also means that people at the highest level of organizations need to appreciate and execute their legal, regulatory, and ethical obligations towards their organizations' use of IT," says Singh.

Most Indian CIOs that spoke to were not aware of ISO 38500. One of the major analyst firms refused to comment on ISO 38500 due to limited knowledge on the subject.

ISO 38500 and the CIO

The ISO 38500 standard seeks to establish that IT is the responsibility of the entire executive management team, and not just dependent on the CIO. In essence, the governing body of any organization that plans to adopt this standard will have to shoulder the responsibility of appraising IT proposals, scrutinizing current projects and providing guidelines for improved IT policies. "For CIOs, this means that IT adoption will follow more defined frameworks. Conversely, this translates to lesser resistances and ambiguities from within the organization," says Singh.

ISO 38500's objective is to provide a framework of principles that directors can use when evaluating, directing and monitoring the use of IT in their organizations. "This means that the board will be responsible for setting strategic directions, managing risks, allocating resources and monitoring performance in all business areas (including IT). This helps bring enhanced IT governance within the organization to the forefront," says Captain Felix Mohan, the senior vice president and chief information security officer of Bharti Airtel Ltd.

The ISO 38500 standard has yet to gain popularity among Indian CIOs due to a lack of awareness. This is why Mohan states that the momentum for ISO 38500 is yet to pick up. Given the current pressure on companies to show a good corporate governance model to the world and to stakeholders, increasing adoption rates can be expected in the near future.

According to Ovum, ISO 38500 should see a slow adoption rate globally, and the situation is not expected to be different in India. "Traditional" Indian organizations are not expected to be enthusiastic about adoption of the standard, especially since it also requires a cultural shift. However, the situation is expected to be different among Indian IT service providers. "Indian IT service providers are quick to adapt, and the standard's adoption also provides a way to differentiate themselves from their competitors. Therefore, we should expect an early adoption of ISO 38500 from these organizations," says Singh.

Challenges to ISO 38500 adoption

ISO 38500 places a strong emphasis on corporate governance, which may not work in the standard's favor. Even though the standard has been received with enthusiasm, it will take a while before formal certification can be awarded, as the certifying authorities and the associated processes are yet to be established in India.

The ISO 38500 standard expects directors to provide a set of IT principles and oversee the implementation (which includes approvals). This may create resistance to the new work arrangements. Hence organizations need to evolve in order to implement this standard. "It is likely that the governing body of organizations feel that it brings too much of responsibility upon them -- something that they would generally expect managers to look into. It will take some time for organizations to work out their new responsibilities around this standard's adoption," Singh points out.

According to Mohan, the challenge of ISO 38500 is all about translating it into on-the-ground implementation. This is a complicated task, since the ISO 38500 standard requires directors to put into practice a governance system based on its six principles, and to evaluate the IT implementation process.

Experts believe that Control Objectives for Information and Related Technology (CobiT) will be a useful tool to help implement the new ISO 38500. CobiT straddles the corporate governance and process control dimensions, and focuses on aligning IT strategy with business goals, meeting regulatory compliance and managing risk. However, only time will tell what impact ISO 38500 has on Indian businesses.
