Eurosec'2008, Christophe Feltus


Page 1

ISO/IEC 38500 vs. ISO/IEC 27000

Christophe Feltus

Member of the ISO Working Group on Identity Management

Member of the ISO Study Group on ICT Governance

Public Research Centre Henri Tudor,

29, Rue John F. Kennedy

L-1855 Luxembourg

[email protected]

Page 2

Outline

Beyond ISO 38500

Scope

Objectives

6 principles

Model for Corporate Governance of ICT

Review of elements of ICT governance in ISO/IEC 27000 standards

Conclusions

Page 3

Beyond ISO 38500: scope

The objective of this Standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations.

This standard provides a framework for effective governance of IT, to assist those at the highest level of organizations to understand and fulfil their legal, ethical and moral obligations in respect of their organizations' use of IT. The framework comprises definitions, principles and a model.

Page 4

Beyond ISO 38500: scope

Governance is distinct from management, and for the avoidance of confusion, the two concepts are clearly defined in the standard.

…the members of the governing body may also occupy the key roles in management.

It provides guidance to those advising, informing, or assisting directors. They include:

• Senior managers.

• Members of groups monitoring the resources within the organization.

• External business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies.

• Vendors of hardware, software, communications and other IT products.

• Internal and external service providers (including consultants).

• IT auditors.

The standard is applicable for all organizations, from the smallest to the largest, regardless of purpose, design and ownership structure.

Page 5

Beyond ISO 38500: objectives

The purpose of this Standard is to promote effective, efficient, and acceptable use of IT in all organizations by:

• assuring stakeholders (including consumers, shareholders, and employees) that, if the standard is followed, they can have confidence in the organization's corporate governance of IT;

• informing and guiding directors in governing the use of IT in their organization; and

• providing a basis for objective evaluation of the corporate governance of IT.

Page 6

Beyond ISO 38500: 6 principles

Principle 1: Establish clearly understood responsibilities for IT

Principle 2: Plan IT to best support the organization

Principle 3: Acquire IT validly

Principle 4: Ensure that IT performs well, whenever required

Principle 5: Ensure IT conforms with formal rules

Principle 6: Ensure IT use respects human factors


Page 7

Beyond ISO 38500: Model for Corporate Governance of ICT

Directors should govern ICT through three main tasks:

(a) Evaluate the use of ICT.

(b) Direct preparation and implementation of plans and policies.

(c) Monitor conformance to policies, and performance against the plans.

Page 8

Elements of ICT governance in existing ISO/IEC 27000 standards

[Figure: the ISO/IEC 27000 family of standards]

Page 9

Elements of ICT governance in existing ISO/IEC 27000 standards

The standard ISO/IEC 27000 overlaps with ICT governance in many areas. The most significant of these are:

ICT governance element: Corresponding ISO/IEC 27001 clause or control

Risk management: 4.2 Establishing and managing the ISMS.

Connections with legislation: 4.2.1 ISMS policy; 7.3 Management review output; A.15.1 Compliance with legal requirements.

Performance: A.10.3.1 Capacity management.

Tight relationship with management is required: Clause 5 Management responsibility.

Internal auditing: Clause 6 Internal ISMS audits.

Ensuring business continuity: A.14 Business continuity management.

Page 10

Conclusions

This rough analysis shows that ISO/IEC 27001 and ISO/IEC 17799 have many relationships with ICT governance.

A new ICT governance standard should take these similarities thoroughly into account so that inconsistent overlapping can be prevented.

This is very important, especially if it becomes possible to certify against this new standard, so that combined audits against both ISO/IEC 27001 and the ICT governance standard can be conducted in a logical and cost-effective way.

Sources:

ISO/IEC 38500: Corporate governance of information technology

ISO/IEC 27000 family

Inspecta Certification report for ISO/IEC 38500