ISO/IEC 38500: The IT Governance Standard for the Board, Not for the IT Team

Standarity Editorial Team · IT Governance Practitioners & Board Advisors

ISO/IEC 38500 — Corporate Governance of Information Technology — is among the shortest and most frequently overlooked of the international standards. It is written explicitly for boards and executive teams, not for IT departments, and its purpose is to provide directors with a structured way to govern IT without requiring them to become IT specialists. Where COBIT covers governance and management of IT in detail, ISO 38500 sits one level higher — the principles, model, and director responsibilities a board uses to set direction and assure outcomes.

The Six Principles

The standard rests on six principles that directors are expected to apply:

  • Responsibility — IT roles have clear authority and accountability.
  • Strategy — IT plans support business strategy.
  • Acquisition — IT acquisitions are made for valid reasons with appropriate analysis.
  • Performance — IT supports the organisation's service quality and capacity needs.
  • Conformance — IT complies with applicable legislation and policy.
  • Human behaviour — IT respects the current and evolving needs of stakeholders.

The Evaluate-Direct-Monitor Model

The standard's governance model has directors performing three activities: Evaluate (assess current and future use of IT), Direct (assign responsibility, prepare and implement plans and policies, set direction), and Monitor (against plans, policy decisions, and external compliance). This is deliberately the same shape as the broader corporate governance disciplines directors already practice. IT is treated as one capability area to which the same governance process applies — not as a domain that requires specialist directorial expertise.

How It Differs from COBIT

COBIT 2019 covers both governance and management of enterprise IT in considerable detail. ISO 38500 covers governance only — the part the board owns — and covers it briefly. The two are complementary rather than competing. A board familiar with ISO 38500 can use COBIT as the implementation detail for the management activities they direct. An IT executive familiar with COBIT can use ISO 38500 as the framework that organises the governance conversations with the board. Many organisations adopt elements of both.

A useful framing for executive teams: ISO 38500 gives the board the language to ask the right questions about IT. Without that structure, IT governance conversations at board level either drift into operational detail the directors cannot meaningfully assess or stay so high-level that nothing actionable emerges. The principles provide enough structure that directors can govern IT competently without becoming experts in it.

Where the Standard Adds the Most Value

For boards new to deliberate IT governance, ISO 38500 provides an entry point that COBIT does not. For organisations subject to regulators that expect demonstrable IT governance — financial services, healthcare, critical infrastructure — the standard provides a recognised framework that auditors can map to their expectations. For mature IT governance functions, the standard is useful as a periodic check that the board-level discipline has not eroded into operational reporting.

How to Use It in Practice

  • Use the six principles as the agenda template for the board IT governance discussion
  • Frame the board's role explicitly as Evaluate-Direct-Monitor; resist drift into operational decisions
  • Map regulatory IT governance expectations against the principles to demonstrate coverage
  • Pair with COBIT or NIST CSF as the management-level implementation detail
  • Review director understanding and capability against the principles annually

Why the Brevity Matters

ISO 38500 is not the standard you reach for when implementing detailed control frameworks. It is the standard that organises board-level governance of IT into something concrete enough to act on but small enough to fit into the time directors actually spend on IT topics. The brevity is not an oversight; it is the design. Standards that demand more director attention than directors can realistically give end up unused. ISO 38500 is sized for actual board practice.