ISO IEC 38505-1-2017 PDF

St ISO IEC 38505-1-2017

Name in English:
St ISO IEC 38505-1-2017

Name in Russian:
St ISO IEC 38505-1-2017

Description in English:

Original standard ISO IEC 38505-1-2017 in PDF, full version. Additional information and a preview are available on request.

Description in Russian:
Original standard ISO IEC 38505-1-2017 in PDF, full version. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso26423

Price:
€25

Full title and description

ISO/IEC 38505-1:2017 — Information technology — Governance of IT — Governance of data — Part 1: Application of ISO/IEC 38500 to the governance of data. This international standard provides high-level, principles-based guidance for members of governing bodies and senior management on the effective, efficient and acceptable use of data within organizations, by applying the governance principles and model of ISO/IEC 38500 to data governance and by establishing a common vocabulary for governance of data.

Abstract

ISO/IEC 38505-1:2017 offers guiding principles and a governance model to help governing bodies evaluate, direct and monitor data-related decisions and outcomes. It aims to assure stakeholders that, when its principles are followed, the organization’s governance of data is reliable. The document is advisory (principles-based) rather than prescriptive and is intended to be usable by organizations of any size and type.

General information

  • Status: Published (confirmed following 2022 review; listed for revision in ISO lifecycle).
  • Publication date: 2017 (edition 1 — published April 2017).
  • Publisher: Joint ISO/IEC standard (published under ISO/IEC JTC 1/SC 40).
  • ICS / categories: 35.020 (Information technology — IT governance / IT service management).
  • Edition / version: Edition 1 (2017).
  • Number of pages: 20 pages.

Scope

Applies to the governance of the current and future use of data that is created, collected, stored or controlled by IT systems and to the management decisions and processes that relate to data. The standard defines the governance of data as a domain or subset of the governance of IT (which itself is within organizational/corporate governance) and is intended for all organization types and sizes (public, private, government and not-for-profit).

Key topics and requirements

  • Application of ISO/IEC 38500 governance principles (Responsibility, Strategy, Acquisition, Performance, Conformance and Human behaviour) specifically to data governance.
  • Governance model roles (Evaluate, Direct, Monitor) adapted for data-related decisions and oversight.
  • Data accountability and lifecycle considerations (collect, store, report, decide, distribute, dispose) to assign oversight and accountability.
  • Guidance on data value, data quality, timeliness, context, volume, and risk classification relevant to governance decisions.
  • Emphasis on stakeholder assurance — providing confidence that data use is governed appropriately — and a common vocabulary/definitions for consistent governance language.
  • Advises governance and oversight but does not prescribe operational implementation; implementation arrangements and operational guidance are referenced in related guidance documents (e.g., ISO/IEC/TS 38501 and ISO/IEC TR 38505-2).

Typical use and users

Primary users are members of governing bodies (owners, directors, partners, executive managers) and senior management who need to assure appropriate governance of data. Secondary users include CIOs, data governance teams, data protection officers, auditors, compliance and legal teams, external consultants, and service providers who advise or implement data-related activities. The standard supports boards and executives in aligning data strategy, risk and compliance with organizational objectives.

Related standards

ISO/IEC 38505-1:2017 is linked to ISO/IEC 38500 (Governance of IT) as the source of governance principles and model. ISO/IEC TR 38505-2:2018 provides further guidance on the implications of 38505-1 for data management. Implementation guidance for IT governance arrangements is provided in ISO/IEC/TS 38501. The series and related documents together cover governance principles, implications for management, and implementation considerations.

Keywords

data governance, governance of IT, ISO/IEC 38500, governance principles, data accountability, data lifecycle, data quality, stakeholder assurance, IT governance, JTC 1/SC 40.

FAQ

Q: What is this standard?

A: ISO/IEC 38505-1:2017 is an international, principles-based standard that applies the ISO/IEC 38500 governance principles and model specifically to the governance of data within organizations.

Q: What does it cover?

A: It covers high-level governance guidance — principles, a governance model (Evaluate/Direct/Monitor), vocabulary, and accountability concepts — for oversight of the use of data (created, collected, stored or controlled by IT systems). It is advisory rather than a prescriptive implementation standard.

Q: Who typically uses it?

A: Members of governing bodies and senior management, CIOs and data governance teams, compliance/legal and audit professionals, data protection officers, and consultants or service providers involved in advising on data governance.

Q: Is it current or superseded?

A: The standard was published in 2017 and was reviewed/confirmed in 2022; ISO lists it in a lifecycle state indicating it is to be revised (a DIS version has been under development). Users should check the standards body for the most recent revision status before procurement.

Q: Is it part of a series?

A: Yes, it is Part 1 (application of ISO/IEC 38500 to data governance). Related publications include ISO/IEC TR 38505-2:2018 (implications for data management), ISO/IEC 38500 (the parent governance of IT standard) and ISO/IEC/TS 38501 for implementation arrangements.

Q: What are the key keywords?

A: Data governance, governance of IT, governance principles, data accountability, lifecycle, data quality, stakeholder assurance, ISO/IEC 38500.