Information technology. Governance of IT. Assessment of the governance of IT
Last updated: 7 Jan 2025
Scope
What is ISO/IEC 38503 – Assessment of governance of information technology about?
ISO/IEC 38503 is a series on information technology. Information technology is the use of computers to create, process, store, retrieve, and exchange all kinds of electronic data and information. ISO/IEC 38503 provides guidance on the assessment of governance of information technology (IT) based on the principles, definitions, and model for the governance of IT outlined in ISO/IEC 38500 and ISO/IEC TR 38502 and the implementation considerations outlined in ISO/IEC TS 38501.
ISO/IEC 38503 includes approaches for conducting the assessment, the criteria against which the assessment can be made, guidance on the evidence that can be used for the assessment, as well as a method for determining the maturity of the organization’s governance of information technology. ISO/IEC 38503 is applicable to organizations of all sizes, regardless of the extent of their use of information technology.
Who is ISO/IEC 38503 – Assessment of governance of information technology for?
ISO/IEC 38503 on assessment of governance of information technology is useful for:
- IT sector
- Design engineers
- Software engineers
- Telecommunication sector
Why should you use ISO/IEC 38503 – Assessment of governance of information technology?
As part of their accountability for an organization, governing bodies are responsible and accountable for the current and future use of information technology (IT) within an organization. To meet this obligation, it is recommended that members of the governing body ensure that there is effective governance of information technology within the organization, involving both their own activities in setting the direction for the organizational use of information technology, as well as their oversight and evaluation of the management of information technology within the organization. ISO/IEC 38503 provides principles, definitions, and a model for governing bodies to use when evaluating, directing, and monitoring the use of information technology in their organizations. ISO/IEC 38503 provides guidance on how to assess an organization’s governance of information technology arrangements based on ISO/IEC 38500, ISO/IEC TS 38501, and ISO/IEC TR 38502. The specific arrangements for the governance of information technology vary from organization to organization. The variation depends on various factors including the organization’s level of reliance on information technology, both strategically and operationally, as well as the size and nature of the organization.
The purpose of ISO/IEC 38503 is to assist governing bodies, authorized subcommittees, and other key stakeholders in assessing the capability and maturity of the arrangements for the governance of information technology in the organization. ISO/IEC 38503 provides an objective approach for determining whether the governing body is appropriately governing information technology, as well as examples of the practices and outcomes (referred to as ‘characteristics’ in ISO/IEC 38503) of the good governance of information technology (see Tables A.1 to A.7 in Annex A). The outcomes of the assessment can be used to assist the governing body to determine where and how the governance of information technology can be improved in the organization. The primary audiences for ISO/IEC 38503 are the governing body and its subcommittees, executive managers, and assessors, who will also derive benefit from ISO/IEC 38503 when planning and assessing the organization’s governance of information technology. Using ISO/IEC 38503 you can provide guidance on the assessment of governance of information technology based on the principles, definitions, and models for the governance of information technology.
© British Standards Institution 2022