1、BSI Standards Publication Information technology Governance of IT Implementation guide PD ISO/IEC TS 38501:2015National foreword This Published Document is the UK implementation of ISO/IEC TS 38501:2015. The UK participation in its preparation was entrusted by Technical Committee IST/60, IT Service
2、Management and IT Governance, to Subcommittee IST/60/1, Governance of Information Technology. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsi
3、ble for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 72038 3 ICS 35.080 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standa
4、rds Policy and Strategy Committee on 30 April 2015. Amendments/corrigenda issued since publication Date Text affected PUBLISHED DOCUMENT PD ISO/IEC TS 38501:2015Information technology Governance of IT Implementation guide Technologies de linformation Gouvernance des technologies de linformation Guid
5、e dimplmentation ISO/IEC TS 38501 First edition 2015-04-01 Reference number ISO/IEC TS 38501:2015(E) TECHNICAL SPECIFICATION ISO/IEC 2015 ii ISO/IEC 2015 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015 All rights reserved. Unless otherwise specified, no part of this publication may be
6、reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requ
7、ester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ISO/IEC TS 38501:2015(E) PD ISO/IEC TS 38501:2015 ISO/IEC TS 38501:2015(E)Foreword iv Introduction v 1 Scope . 1 1.1 Overview 1
8、1.2 Purpose 1 1.3 Audience . 1 2 Normative references 1 3 Implementation approach . 1 4 Establish and sustain enabling environment . 2 4.1 Overview 2 4.2 Ensure internal stakeholder engagement . 2 4.3 Clarify sponsorship and responsibilities 3 5 Govern IT 3 5.1 Overview 3 5.2 Evaluate . 4 5.2.1 Over
9、view . 4 5.2.2 Understand internal environment 4 5.2.3 Understand external environment . 4 5.2.4 Identify current state of the use of IT 5 5.3 Direct . 5 5.3.1 Overview . 5 5.3.2 Define desired state for the use of IT . 5 5.3.3 Initiate change program 6 5.3.4 Identify governance enabling mechanisms
10、6 5.4 Monitor 7 5.4.1 Overview . 7 5.4.2 Define evidence of success 8 5.4.3 Establish monitoring system . 8 6 Continual Review . 8 Annex A (informative) Assessment Scheme .10 Annex B (informative) ISO/IEC 38500 principles and assessment criteria 12 Bibliography .15 ISO/IEC 2015 All rights reserved i
11、ii Contents Page PD ISO/IEC TS 38501:2015 ISO/IEC TS 38501:2015(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC parti
12、cipate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmenta
13、l and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described
14、in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the poss
15、ibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the IS
16、O list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, a
17、s well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword Supplementary information. This committee responsible for this document is ISO/IEC JTC 1, Information Technology, Subcommittee SC 40, IT Service Maintenance and
18、IT Governance.iv ISO/IEC 2015 All rights reserved PD ISO/IEC TS 38501:2015 ISO/IEC TS 38501:2015(E) Introduction Information technology (IT) has become pervasive in supporting and enabling the strategy of organizations and this prevalence mandates the governance of IT as an organizational imperative
19、. Organizations have made significant investments in IT to automate business processes and to communicate and transact electronically with their customers and suppliers. The benefits from these investments have unfortunately not always materialised and in some instances, organizations have incurred
20、significant financial and reputational damage as a result of IT failures. This has further heightened governing body awareness of the need for the governance of IT and of their responsibilities in this regard. It might be, however, that some governing bodies are uncertain of what arrangements they n
21、eed to have in place for the governance of IT. This Technical Specification has therefore been developed to provide guidance on the implementation of governance of IT within organizations. It considers governance, both from the perspective of gaining assurance that the risks associated with the use
22、of IT are appropriately managed, as well as ensuring that the organization maximizes the value from its investments in IT. It expands on the model and principles for good governance of IT, as described in ISO/IEC 38500 and ISO/IEC/TR 38502, and provides guidance on a methodology for implementing pri
23、nciples-based governance of IT. ISO/IEC 2015 All rights reserved v PD ISO/IEC TS 38501:2015 Information technology Governance of IT Implementation guide 1 Scope 1.1 Overview This Technical Specification provides guidance on how to implement arrangements for effective governance of IT within an organ
24、ization. 1.2 Purpose This Technical Specification identifies the key activities that an organization has to undertake to implement governance of IT, in accordance with ISO/IEC 38500. It provides guidance on the design and establishment of the arrangements for the governance of IT, clarifying roles a
25、nd responsibilities of key stakeholders within the organization, as well as providing examples of matters to consider in the design of the governance of IT. 1.3 Audience This Technical Specification can be used by individuals responsible for governance of IT within an organization and individuals su
26、pporting in the governance of organizations. This Technical Specification is applicable to organizations of all sizes and types. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated refer
27、ences, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 38500, Corporate governance of information technology ISO/IEC/TR 38502, Information technology Governance of IT Framework and model 3 Implementatio
28、n approach The implementation of the governance of IT should be based on a cyclic approach considering the model presented in ISO/IEC 38500, Figure 1. The first cycle of activities involves the establishment of the initial “implementation” or baseline, with subsequent cycles of the activities being
29、used to support and enhance the governance of IT implementation by means of continual improvement. The duration of cycles will be different for each organization, depending on a number of factors including the organizations size, its industry, as well as the maturity of the governance of IT in the o
30、rganization. The implementation cycle comprises the following main activities which are expanded in the clauses below. Establish and sustain enabling environment: Commence by es t ablishing a n enabling env ironment which ensures that all stakeholders are appropriately identified and made aware of t
31、heir roles and responsibilities. Subsequent cycles will ensure that the enabling environment is sustained. Govern IT: Progress to the evaluate, direct, and monitor activities to perform the governance of IT. TECHNICAL SPECIFICATION ISO/IEC TS 38501:2015(E) ISO/IEC 2015 All rights reserved 1 PD ISO/I
32、EC TS 38501:2015 ISO/IEC TS 38501:2015(E) Continual review: Review the governance of IT arrangements to determine whether desired outcomes are being achieved. If not, recommence the implementation cycle to effect the necessary changes, thereby ensuring continual improvement of the governance of IT i
33、mplementation. Continual Review Stakeholder Engagement Establish and Sustain Enabling Environment Sponsorship the risks associated with maintaining current and implementing new IT capability; the need for the governance of IT and how it fits with corporate governance; the model and principles that a
34、re described in ISO/IEC 38500; the framework, roles and responsibilities of stakeholders as described in ISO/IEC/TR 38502; facilitating stakeholder assessments of the effectiveness of current governance of IT arrangements (see Annex A and Annex B). The first cycle of the implementation provides the
35、opportunity to explain and bed down these concepts in the context of the organization. This will lead to greater stakeholder understanding and ownership of their respective roles and responsibilities, as well as the identification of areas for improvement. Subsequent cycles will provide for the on-b
36、oarding of new stakeholders, as well as the refinement and updating of knowledge and responsibilities for existing stakeholders. 4.3 Clarify sponsorship and responsibilities There are many activities associated with improving and maintaining effective governance of IT that need to be actively manage
37、d within the organization. These include awareness and education about the governance of IT, as well as on-going coordination and administration activities. It is therefore important to determine and appoint a sponsor and a small group of individuals on the first cycle of the implementation. This gr
38、oup is referred to as the Governance Steering Group in this Technical Specification but in smaller organizations it may simply be an individual. The Governance Steering Group has the responsibility to drive the adoption and or transformation of the governance of IT in the organization. These activit
39、ies are discussed in further detail in 5.3.4. The sponsor should be a key influential business/marketing/operations executive manager and should not be a risk or governance expert or department. 5 Govern IT 5.1 Overview The three activities of the governance model in ISO/IEC 38500, namely evaluate,
40、direct and monitor, take place in the Govern IT phase. These are framed and guided by the six principles of the standard (responsibility, strategy, acquisition, performance, conformance, human behaviour) within the context of the internal and external environments, as well as organizations culture f
41、or the governance of IT. It is important to focus and describe what the result of the governance of IT should be when applying the ISO/IEC 38500 framework, rather than being process or control oriented. This will ensure that the governing body determines what needs to be achieved, rather than prescr
42、ibing how it should be done, thereby appropriately guiding or steering the organization in its use of IT. In addition, an appropriate mechanism of assessment is required, which must take into account the principles-based nature of ISO/IEC 38500. ISO/IEC 2015 All rights reserved 3 PD ISO/IEC TS 38501:2015