By Jason Wilk, Peakstone Practice Director, Governance of Information & Technology
There aren’t many of us who get excited about a new ISO standard, so you can be forgiven for not being across the latest one, ISO 38500:2024.
While I would recommend the whole ISO 38500:2024 as mandatory bedtime reading, I completely understand you tuning into your favourite podcast instead. That’s why I’ve written the below update to keep you informed of the essentials. We are always here at Peakstone Global to give you the extra support you need on IT governance and all things related to being a Board Director.
I must say that I lament the lost opportunity for this review to highlight the difference between Information Governance (i.e. the data that is the lifeblood of an organisation) and Information Technology (IT) Governance (i.e. all the technology doo-dads we need to create and use that data). I believe the distinction between the two is still not well understood in the Directors’ world. However, there is a range of changes in this revised standard that can help Directors better deliver their governance duties in this highly technical but increasingly important aspect of every organisation. It also has some brilliant guidance on board-level IT governance metrics.
As with all principles-based ISO Standards, the guidance is of a general nature and must be interpreted for each organisation, so this document is not a silver bullet. However, when used in conjunction with ISO 37001:2021 – Governance of organizations, ISO 31000:2018 – Risk Management Guideline and ISO 24142:2022 – Information Governance, there is a wealth of guidance on how Directors can appropriately govern both information and technology.
The first big change to note is the increase from six to 11 Principles. The five new ones are:
- Stakeholder engagement
- Data and decisions
- Risk governance
- Social responsibility
- Viability and performance over time
The governance guidance in these Principles links directly to some very common IT governance failings. This is important because, by and large, in the boardroom we’re still not getting the governance of IT right. This is completely understandable, as we’re still not seeing a lot of people with IT backgrounds in boardrooms.
Some of the new Principles (e.g. Value Generation, Oversight, Accountability, Leadership) both build on the 2015 Principles and collate important governance distinctions into relevant sections. However, the Stakeholder engagement, Data and decisions, Risk governance, Social responsibility and Viability and performance over time Principles bring a wealth of much-needed new content that reinforces the broader governance and risk principles laid out in ISO 37001:2021 and ISO 31000:2018.
Reading these Principles brought me an embarrassing amount of joy and optimism. The synergy between these Principles and a Director’s fundamental role is truly insightful. If you don’t read the rest of the Standard, these five should be your quick read.
Stakeholder engagement was touched on in the prior versions but has been lifted into clearer focus and better reflects the way Directors think about stakeholders. This also helps simplify and focus the Governance Model on the role of governance.
Consideration of social and environmental issues and responsibility was raised in the 2015 version, but the scale at which IT does and can impact our society and our environment has not always received the attention from Directors that it deserves. For Directors grappling with ethical decisions in AI, cyber or IT as a whole, the stated desired outcome of “Ethical checks and balances” reinforces current thinking on good governance.
Viability and performance over time is about the whole-lifecycle challenge. How many times have we seen IT Strategies or Digital Transformation Roadmaps that focus on the new ‘bright shiny object’? (Yes, I know I am so guilty of this personally!) ‘Keeping the lights on’ or keeping those 15-year-old systems working may not be the innovation we want to focus on, but our businesses are dependent on those boring old systems. Ensuring governance is in place for the whole lifecycle of Information and Technology assets is crucial, as it is too often a blind spot of management.
Finally, there are six elements to the Standard’s guidance, and they align nicely with contemporary governance thinking. I especially like the work that has been done on the Accountability element. All too often I see great governance activity that is not seen or understood by stakeholders.
I could go on, but I would be diving into the weeds. What I’ve covered here are what I feel are the high-level improvements Directors should be aware of and getting their collective heads around, to guide them in ensuring that IT is governed appropriately in their organisation.
The Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 40, IT service management and IT governance and everyone involved with this edition are to be commended for the work they have put into this update with its clear improvements and simplification that will assist Directors to better govern IT.
Through short and targeted face-to-face discussions on each side of the Board / Management interface and a review of relevant documentation, we form and share an independent and balanced view on the “as is” and “to be” status of your cyber governance framework. For each key principle, and overall, we will assess current alignment as “well aligned,” “generally aligned” or “misaligned.”
Taking account of your evolving approach to cyber security and cyber resilience, we will work with you to identify and action prioritised opportunities for improvement. These will be informed by our broader cyber governance experience from other companies.
Our deliverable will be discussed and agreed with board members and management and will provide a valuable assessment of the current state of cyber governance practices and a clear and aligned roadmap for further improvement.