ISO IEC 38503-2022 PDF
Name in English: St ISO IEC 38503-2022
Name in Russian: Ст ISO IEC 38503-2022
Original standard ISO IEC 38503-2022, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 38503:2022 — Information technology — Governance of IT — Assessment of the governance of IT. The standard provides guidance and practical approaches for assessing an organization’s IT governance, including assessment criteria, evidence sources and a method to determine governance maturity.
Abstract
This international standard describes approaches for conducting assessments of the governance of information technology (IT), the criteria against which assessments can be made, guidance on the evidence that can be used, and a method for determining the maturity of an organization’s governance of IT. It is applicable to organizations of all sizes and sectors.
General information
- Status: Published / Current
- Publication date: 17 January 2022
- Publisher: Joint publication by ISO and IEC (ISO/IEC)
- ICS / categories: 35.020 (Information technology)
- Edition / version: Edition 1.0 (2022)
- Number of pages: 24
Core bibliographic details as published by ISO and IEC.
Scope
The standard provides guidance on assessing the governance of IT based on the principles, definitions and governance model established in the ISO/IEC 38500 family (including ISO/IEC TR 38502) and implementation considerations in ISO/IEC TS 38501. The document covers assessment approaches, criteria, evidence and a maturity-determination method; it is intended for organizations of all sizes regardless of the extent of their IT usage.
Key topics and requirements
- Assessment approaches and practical methods for evaluating IT governance arrangements.
- Defined assessment criteria mapped to governance principles and model elements.
- Guidance on acceptable types of evidence and documentation to support assessment findings.
- A maturity assessment method to rate governance effectiveness and identify improvement opportunities.
- Applicability notes for organizations of varying size and IT dependency.
These topics align the assessment content to the ISO/IEC 38500 governance principles and supporting guidance.
Typical use and users
The standard is used by governing bodies, senior management, internal and external auditors, governance and risk teams, IT leadership, consultants and assessors who need a structured, standards-based way to evaluate the effectiveness, completeness and maturity of IT governance arrangements within an organization. It is suitable for public and private organizations, large and small.
Related standards
Key related documents in the ISO/IEC 38500 family and governance guidance include ISO/IEC 38500 (governance principles for IT), ISO/IEC TR 38502 (framework and model) and ISO/IEC TS 38501 (implementation guidance). These documents provide the principles, model and implementation context that ISO/IEC 38503 uses for assessment criteria and maturity considerations.
Keywords
IT governance, governance assessment, maturity assessment, ISO/IEC 38500 family, evidence, assessment criteria, governance model, IT management, governance of IT
FAQ
Q: What is this standard?
A: ISO/IEC 38503:2022 is an international standard that provides guidance and methods for assessing the governance of information technology within an organization.
Q: What does it cover?
A: It covers assessment approaches, the criteria to be applied, the types of evidence that can support assessments, and a method to determine governance maturity, all aligned to the ISO/IEC 38500 governance principles and model.
Q: Who typically uses it?
A: Governing bodies, senior management, auditors, governance or risk teams, IT leaders, assessors and consultants use it to evaluate and improve IT governance arrangements across organizations of any size.
Q: Is it current or superseded?
A: ISO/IEC 38503:2022 was published in January 2022 and is a current published standard (not superseded). Users should check the issuing bodies for any subsequent amendments or revisions.
Q: Is it part of a series?
A: Yes — it is part of the ISO/IEC 38500 family of documents (principles, framework/model, implementation guidance and assessment guidance), intended to be used together for governance design, implementation and assessment.
Q: What are the key keywords?
A: IT governance, governance assessment, maturity model, assessment criteria, evidence, ISO/IEC 38500.