What is ISO/IEC 38500?
ISO/IEC 38500 is an international standard providing guiding principles for directors and those in governing roles on the effective, efficient, and acceptable use of Information Technology (IT) within their organisations.
Unlike operational IT management standards, ISO 38500 focuses on governance at the board and executive level, ensuring IT investments align with business strategy and stakeholder expectations.
The standard applies to all organisations regardless of size, purpose, or IT dependency, from small businesses to multinational corporations and public sector bodies.
The Six Principles of IT Governance
Responsibility
Individuals and groups understand and accept their responsibilities for both supply of, and demand for, IT. Those with responsibility have the authority to perform actions.
Strategy
The organisation's business strategy takes into account current and future IT capabilities. IT strategic plans satisfy current and ongoing needs of the business strategy.
Acquisition
IT acquisitions are made for valid reasons based on analysis, with clear and transparent decision-making balancing benefits, opportunities, costs, and risks.
Performance
IT is fit for purpose in supporting the organisation, providing services and service levels required to meet current and future business requirements.
Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented, and enforced throughout the organisation.
Human Behaviour
IT policies, practices, and decisions respect human behaviour including the current and evolving needs of all people involved in the process.
The Evaluate-Direct-Monitor Model
Evaluate
Examine and judge current and future use of IT. Consider external and internal pressures, business trends, and IT capabilities to inform strategic planning.
Direct
Prepare and implement plans and policies to ensure IT use meets business objectives. Assign responsibilities and direct preparation of IT investments.
Monitor
Track IT performance through appropriate measurement systems. Ensure conformance to policies and performance against plans using KPIs and dashboards.
Benefits of Implementing ISO 38500
✓ Strategic Alignment
Ensure IT investments directly support and enable business strategy, eliminating wasteful projects that don't deliver value.
✓ Risk Management
Better understand and manage IT-related risks including cyber security, project failure, and regulatory non-compliance.
✓ Value Delivery
Maximise return on IT investments through better decision-making, resource allocation, and performance monitoring.
✓ Board Confidence
Enable directors to fulfil their IT governance duties with confidence through structured frameworks and clear accountability.
✓ Regulatory Compliance
Meet UK regulatory expectations including FCA operational resilience requirements and GDPR data protection obligations.
✓ Stakeholder Trust
Demonstrate responsible IT governance to investors, customers, and partners through internationally recognised standards.
Who Needs IT Governance?
ISO 38500 is designed for those who govern, not manage, IT. It's essential for anyone with fiduciary responsibility for technology decisions.
Board Directors
NEDs and executive directors with IT oversight responsibilities
C-Suite Executives
CEOs, CFOs, and CIOs driving digital transformation
Public Sector Leaders
Government department heads and council executives
Audit Committees
Members responsible for IT risk and control oversight
IT Steering Committees
Bodies overseeing IT strategy and major investments
IT Leaders
CIOs and IT directors supporting governance implementation
Our Implementation Approach
Governance Assessment
Evaluate current IT governance maturity against ISO 38500 principles. Identify gaps in board oversight, decision rights, and accountability structures.
Framework Design
Design a governance framework tailored to your organisation including committee structures, decision matrices, and reporting mechanisms.
Board Education
Provide training for directors and executives on IT governance responsibilities, enabling informed decision-making on technology matters.
Implementation & Embedding
Roll out governance processes, establish KPIs and dashboards, and embed IT governance into board and committee cycles.
UK Regulatory Context
UK Corporate Governance Code
The FRC's Code expects boards to assess emerging risks including technology. ISO 38500 provides the framework for effective IT risk oversight.
FCA Operational Resilience
Financial services firms must ensure operational resilience including IT systems. ISO 38500 governance supports these requirements.
GDPR & Data Protection
Board-level accountability for data protection requires effective IT governance to ensure compliance with UK GDPR requirements.
Public Sector Digital
Government Digital Service standards and Cabinet Office technology controls align with ISO 38500 governance principles.
Frequently Asked Questions
Is ISO 38500 certifiable?
ISO 38500 is a guidance standard rather than a requirements standard, so it is not directly certifiable. However, organisations can demonstrate conformance through independent assessment and maturity evaluations.
How does ISO 38500 relate to COBIT and ITIL?
ISO 38500 provides high-level governance principles, while COBIT offers detailed governance and management objectives, and ITIL focuses on IT service management. They are complementary and can be used together.
Do small organisations need IT governance?
Yes, all organisations that use IT benefit from governance. The complexity of governance arrangements should be proportionate to the organisation's size and IT dependency, but the principles remain relevant.
What's the difference between IT governance and IT management?
IT governance is about direction and oversight at board level (what should be done), while IT management is about execution and operation (how to do it). ISO 38500 focuses exclusively on governance.
How Much Does ISO/IEC 38500 Cost?
The cost of ISO/IEC 38500 certification varies based on several factors. Some auditors and certifiers adopt charging models based on the project's complexity, company size, and sometimes even the company's turnover.
At Certigence, our pricing is straightforward, calculated by multiplying an agreed day rate by the number of days of work. This is based on the work to be done, reduced by any work the company has done already or will be doing internally. This ensures clarity and transparency, giving you a clear understanding of the commitment before the project commences.
We provide a free telephone or Zoom enquiry with one of our auditors to find out enough about your organisation to be able to make a formal proposal without charge or obligation. This allows you to research costs for free before making any commitments!
How Can Certigence Help?
Certigence's extensive auditor network spans the entire UK and has combined ISO systems expertise with industry know-how for over 25 years. This dual proficiency enables our auditors to comprehend your unique needs and translate them into certifier-accepted procedures that genuinely suit your organisation's operations.
Our services encompass full or partial ISO system development and implementation, including GAP analysis and customised internal training to support system functionality. We craft organisation-specific reports tailored to your activities.
Beyond initial implementation, we conduct internal audits, facilitate management review meetings, and offer ongoing maintenance for short, medium, or long terms. Our presence during certification stages, if desired, ensures assessors avoid unnecessary complexity. Furthermore, we offer pre- and post-certification review services to address certifier-raised concerns, reinforcing your ISO system's effectiveness.
Process Overview
Initiation and Assessment Discussion
We engage in a free, no-obligation discussion to understand your existing systems and operations, allowing us to generate a formal proposal.
Work Commencement and Collaborative Development
Upon acceptance, collaborative work commences to create and install systems. You and your team are involved throughout to ensure alignment with your needs, your understanding and acceptance of the results, and compliance with ISO standards.
Initial Assessment (Stage 1): Ensuring Systems Meet Standard
The certifier reviews whether the systems cover all relevant parameters correctly. You may choose to have our auditor present during the initial assessment to assist with any questions the certifier may have.
Final Evaluation (Stage 2): Achieving Certification
The auditor ensures internal audit, management review, and training aspects are covered. The certifier conducts the conclusive Stage 2 assessment, verifying operational systems' alignment with Standard requirements. Upon successful completion, you attain Certification.
Why Should You Use a Certigence Auditor?
At Certigence, we match your requirements with suitable auditors based on their industry expertise, proximity, and compatibility. In the event of an auditor's unavailability, a substitute can step in promptly, avoiding project disruptions and re-hiring expenses. Our auditors have often previously worked with certifiers, learning that side of the procedure - facilitating a seamless Certification process.
This commitment is reflected in our track record - a 100% first-time certification success rate spanning over 25 years.
Ready to Speak? What Happens Next?
After contacting Certigence, you'll receive an email or a call from the Director or an auditor. Discussions about needs, timelines, reasons, and costs then take place. An auditor will directly engage with you to understand your requirements and system alignment. A formal proposal is then presented for your consideration. Charges apply only from that point if you proceed with the proposal.
Transform Your IT Governance
Work with our governance specialists to implement ISO 38500 principles and ensure your board is equipped to oversee technology effectively.