1、Governance of information technology Guidance for principles-based standards in the governance of information technology PD ISO/IEC TR 38504:2016 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06National foreword This Published Document is the UK implementation of IS
2、O/IEC TR 38504: 2016. The UK participation in its preparation was entrusted by Technical Committee IST/60, IT Service Management and IT Governance, to Subcommittee IST/60/1, Governance of Information Technology. A list of organizations represented on this committee can be obtained on request to its
3、secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 89987 4 ICS 35.020 Compliance with a British Standard
4、cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 September 2016. Amendments/corrigenda issued since publication Date Text affected PUBLISHED DOCUMENT PD ISO/IEC TR 38504:2016Governance of inf
5、ormation technology Guidance for principles- based standards in the governance of information technology Gouvernance des technologies de linformation Lignes directrices pour des normes fondes sur des principes relatives la gouvernance des technologies de linformation TECHNICAL REPORT ISO/IEC TR 3850
6、4 First edition 2016-09-15 Reference number ISO/IEC TR 38504:2016(E) ISO/IEC 2016 PD ISO/IEC TR 38504:2016 ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be repro
7、duced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester
8、. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC TR 38504:2016(E) PD ISO/IEC TR 38504:2016 ISO/IEC TR 38504:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T
9、 erms and definitions . 1 4 Governance standards for information technology . 1 4.1 Purpose and focus of governance standards for information technology . 1 4.2 General recommendations for governance standards for information technology 2 5 Principles-based guidance for governance of information tec
10、hnology 2 5.1 Use of principles-based standards . 2 5.2 System of governance . . 2 5.3 Set of principles 2 5.4 Relationship between the adoption of principles and business outcomes. 2 6 Information required for each governance principle 4 6.1 Information elements 4 6.2 Name of the principle 4 6.3 Th
11、e statement of the principle 4 6.4 Rationale for the principle 5 6.5 Relationship with other principles 5 6.6 Implications . 5 6.7 Desired outcomes . 5 6.8 Governance behaviours . 6 Bibliography 8 ISO/IEC 2016 All rights reserved iii Contents Page PD ISO/IEC TR 38504:2016 ISO/IEC TR 38504:2016(E) Fo
12、reword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technica
13、l committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part i
14、n the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approv
15、al criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject
16、 of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any
17、 trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organi
18、zation (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 40, IT service management and IT governance.iv ISO/IEC 2016 All rights reserved PD ISO/IEC T
19、R 38504:2016 ISO/IEC TR 38504:2016(E) Introduction This document has been developed to give guidance on the information required to support principles- based standards in the area of governance and management of information technology. A principles-based approach to standardization is aimed at provi
20、ding non-prescriptive guidance that is applicable to all organizations, including public and private companies, government entities and not-for- profit organizations of all sizes from the smallest to the largest, regardless of the extent of their use of IT. The benefit of a principles-based standard
21、 is that it can identify the outcomes of applying the principles without specifying explicit methodologies, structures, processes and techniques needed to achieve the outcomes. Within the International Standards arena, the definition of guidance in the area of governance of information technology fa
22、lls within the scope of ISO/IEC JTC 1/SC 40. The existing International Standards in this area are ISO/IEC 38500, ISO/IEC TS 38501 and ISO/IEC TR 38502. Experience with principles-based standards in the area of governance of IT has indicated that there is a need to establish a common understanding o
23、f proposed principles and the expected outcomes of applying the recommended principles as a basis for consensus. This requires a clear statement of the rationale for the principles, the expected governance behaviours associated with the principle together with the expected outcomes from their adopti
24、on. In order for future standards and revisions of current standards to select the appropriate forms of principle description and apply them in a consistent fashion, it is desired to develop a common characterization of all of these forms of principle description. This document presents guidelines f
25、or the general recommendations of principles-based governance standards and the description of principles in terms of their format, content and level of prescription. The intended audience for this document are the editors, working group members, reviewers and other participants in the development o
26、f principles-based standards and technical reports as well as governance of IT practitioners. An additional audience may be experts developing organizational policies and standards. It is intended that they will select the elements suitable for their project from those described in this document. It
27、 is further intended that, having selected the appropriate elements, users of this document will apply them in a manner consistent with the guidance provided by this document. ISO/IEC 2016 All rights reserved v PD ISO/IEC TR 38504:2016 Governance of information technology Guidance for principles-bas
28、ed standards in the governance of information technology 1 Scope This document provides guidance on the information required to support principles-based standards in the area of governance and management of information technology. Guidance includes general recommendations, identification of elements
29、 and advice for their formulation. It does not describe the detail of specific principles or how they are aggregated into specific guidance to fulfil business objectives and achieve business outcomes from the use of IT. 2 Normative references There are no normative references in this document. 3 T e
30、rms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 38500 and ISO/IEC TR 38502 apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO
31、Online browsing platform: available at http:/ /www.iso.org/obp 3.1 governance behaviour actions of individuals and groups as part of an organizations governance system 4 Governance standards for information technology 4.1 Purpose and focus of governance standards for information technology A governa
32、nce standard provides guidance on the system of directing and controlling for an organization with respect to the business outcomes from the use of information technology. Governance standards for IT may provide guidance on the role of the governing body within an organization and its interactions w
33、ith managers or what is required of a governance framework for IT or all of these. Governance standards for information technology can either focus on all or part of the use of information technology within an organization. Guidance may include consideration of business strategy and IT strategy. It
34、may also explore links between governance behaviour, policy setting, management behaviour and business objectives and outcomes. The audience for such standards will include members of the governing body of organizations and the executive managers responsible for high level oversight of the organizat
35、ions. TECHNICAL REPORT ISO/IEC TR 38504:2016(E) ISO/IEC 2016 All rights reserved 1 PD ISO/IEC TR 38504:2016 ISO/IEC TR 38504:2016(E) 4.2 General recommendations for governance standards for information technology Governance standards for information technology a) should be anchored in accepted funda
36、mental concepts of governance, such as those of the Organisation for Economic Co-operation and Development (OECD), and describe governance of information technology as a subset of organizational governance; b) should be written in a way that is readable by the target audience including the governing
37、 body and executive managers; c) should clearly describe the domain that they address, particularly when they involve a subset of the domain of information technology; d) should be principles based; e) should conform to the model for governance of IT using Evaluate-Direct-Monitor as described in ISO
38、/IEC 38500; f) should distinguish between the responsibilities and accountabilities of the governing body and those of managers as outlined in ISO/IEC TR 38502; g) should be able to be applied on a consistent basis without prescribing particular organizational structures or processes; h) unless othe
39、rwise specified, should be applicable to all sizes and types of organization. 5 Principles-based guidance for governance of information technology 5.1 Use of principles-based standards The benefit of a principles-based standard is that such a standard can identify the value and outcomes of applying
40、the principles without specifying explicit methodologies, structures, processes and techniques. This enables the development of guidance that can be applied on a consistent basis and gives organizations flexibility in how they implement the guidance within their own structures and processes. 5.2 Sys
41、tem of governance A principles-based governance standard should be based on a clear established system of governance involving both the actions of the governing body (or delegates) and the actions of management operating within a governance framework. Good governance both oversees and guides the beh
42、aviour of management, and governance principles, to be effective, should become embedded in the organization. 5.3 Set of principles A principles-based standard for a governance domain should include the set of principles that describe the fundamental concepts or propositions that underpin the system
43、 of governance for the domain being addressed and include other guidance on the adoption and implementation of the principles. Each principle should be stated with sufficient detail to ensure that there is clarity about the concepts and its implication for organizations system of governance. Any rel
44、ationship between the principles and the avoidance of overlap should be stated. 5.4 Relationship between the adoption of principles and business outcomes Underpinning the guidance in a principles-based standard for governance of IT is the expectation that there is a relationship between the adoption
45、 of the governance principles and the achievement 2 ISO/IEC 2016 All rights reserved PD ISO/IEC TR 38504:2016 ISO/IEC TR 38504:2016(E) of business outcomes. The actual relationship between governance principles and business outcomes will differ between organizations and will be influenced by the gov
46、ernance framework, organizational capability and external factors. Figure 1 shows some example factors that are represented by puzzle pieces, such as governance behaviours, management behaviours, IT enablers, policies and culture, that could assist in understanding and establishing a causal link. Th
47、e figure is not intended to infer any specific relationship between the factors or puzzle pieces and leaves gaps for other factors that may be important for a specific organization. Figure 1 Relationship between governance principles and business outcomes The end objective of the adoption of governa
48、nce to IT is the fulfilment of strategic business objectives and the achievement of positive business outcomes, enabled by IT. However, adopting governance principles for IT should result in the establishment of a system of governance, involving both the action of the governing body and of managers
49、operating within a governance framework and will lead to the achievement of beneficial business outcomes as depicted in Figure 1. This document proposes that principles-based guidance clearly identifies appropriate governance behaviours and the outcomes that are the direct results of the adoption of the specified principles as a basis for assessing and improving governance of IT and the system of governance in place. A principles-based guidance document should contain all of the principles that are relevant and advice on the consisten
