About ISO 38500-IT Governance

ISO/IEC 38500:2008 provides guiding principles and standards for the directors and executives of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) at all levels of the organization. ISO/IEC 38500:2008 applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization, by external service providers, or by business units within the organization.

 

ISO/IEC 38500:2008 helps the organization streamline IT governance through a top-down approach, describing and demonstrating to stakeholders the importance of effective compliance and of dedicating an appropriate governance and security framework.

 

The key advantage of the ISO/IEC 38500:2008 IT governance framework is its focus on accountability: ensuring that all IT risks and activities within your organization are assigned. The standard covers IT security responsibilities, strategies and behaviors, which are to be fully assigned and individually monitored. The standard helps the organization apply appropriate measures and mechanisms that are already established within the organization, including reporting and response on the current and planned use of IT. Today, any organization must meet the latest data protection requirements for all externally used devices, which should support data encryption, in order to avoid transmitting personal data and misuse of company information.

Main Highlights

ISO/IEC 38500:2008 covers management processes and decisions relating to the current practices and future use of IT governance within the organization. These processes can be controlled mainly by ICT specialists/authorities, business units or external service providers.

 

The standard also defines the governance of IT as a separate section or domain of organizational or corporate governance.

 

ISO/IEC 38500:2008 is applicable to organizations of any size, from the smallest to the largest, regardless of sector, industry or extent of their use of IT, including public, private and government entities and non-profit organizations.

 

The standard helps the organization promote and achieve the acceptable use of IT throughout the organization in the most effective and efficient way, which includes the following:

 

  • Providing assurance to Top-Level Management and stakeholders that the principles and practices are being implemented within the organization. It will allow the organization to gain higher confidence in the governance of IT.
  • The standard will help the organization to create a vocabulary for the governance of IT.
  • The organization's governing bodies will be well informed and guided on the use of IT by members throughout the organization.

 

 

 

Brief about the ISO standard

The three main tasks that shall be governed with the involvement of the directors are as follows:

  1. Continuously evaluate the current and future use of IT which will benefit the organization.
  2. Direct the preparation, evaluation and implementation of plans and policies to ensure that the use of IT is aligned with the organization's business objectives.
  3. Monitor conformance to the currently implemented policies, and performance against the organization's plans.

ISO 38500 Standard


Adapted from the ISO standard: ISO 38500

 

 

  • Articulate the drive within the organization and demonstrate to the key stakeholders (Customers, Suppliers and Partners) the key benefits of the effective corporate governance of IT.
  • Increases the organization's competitive advantage and boosts the image and reputation of the company.
  • It helps the organization to achieve an internationally recognized certification which can increase customer loyalty and trust in the company.
  • It will help the organization to comply with all the mandatory legal and regulatory requirements.
  • The standard can be aligned and integrated with the ISO 9001, ISO 27001, ISO 14001, ISO 20000 and ISO 28000 management standards in order to deliver significant benefits to the organization.
  • Establishes appropriate metrics that clearly demonstrate the organization's success.


The BAS 4P methodology is a way of standardizing the client's processes and procedures systematically. The 4P enables BAS and the client to go through a series of activities that lead to certification. The 4P methodology deeply analyzes and reviews the processes and procedures within the organization and improves the organization's overall performance, after which the organization is certified.
BAS implements the following activities.

 


 

PREPARE

Understand the context

  • Capture and review business goals to understand the context and client.
  • Determine goals of the assessment of the client by questionnaire, interviews etc.
  • Identify key stakeholders.
  • Determine the scope (functional areas, geographical coverage etc) and timeline.
  • Finalize scope, timeline and resource needs.
  • Confirm approach and seek client commitment.
  • Mobilize the Assessment project team.
  • Schedule interviews.
  • Hold a kick-off meeting.

PERFORM

Gather Data

  • Gather and analyze/review existing documentation, portals, past audit reports, forms, metrics, data etc. and understand how the operations comply with standards.
  • Conduct interviews and workshops.
  • Document survey results and preliminary ratings if any.
  • Document preliminary findings.
  • Assess the environment, gaining evidentiary support from interviews and documents.
  • Identify key issues and challenges and seek agreement from stakeholders.
  • Implement and improve processes and procedures.

 

PRESENT

Develop Recommendations

  • Identify opportunities to overcome identified issues and/or reach maturity levels.
  • Prioritize alternatives.
  • Develop recommendations and near-term timeline.
  • Prepare final report.
  • Preview final report with stakeholders and update as required.
  • Present final report.

 

PURSUE

Continual Improvement 

  • Follow up with the organization and analyze how the organization complies with the standards.
  • Check with the organization that the standards are being implemented and maintained.
  • Evaluate the continual fulfillment and improvement of all the required and relevant documents.

 

Certification Details

 

BAS is a versatile ISO certification body, with varied industrial expertise and strong exposure in the fields of Quality, Health, Safety and Environmental, Service Management and Information Security Management. We provide reliable services in the UK, Middle East, India and other countries.

 

We at BAS with our veteran assessors provide you with certification which provides value for your management system. Many clients around the world have greatly benefited through our exemplary service. 

 

The following are the steps we carry out in this phase as part of certification:

 

Contract signature

A BAS representative sends out an application, which is a questionnaire, to the organization applying for certification.

Once BAS receives the filled-in application, the BAS representative sends an official quote to the applicant for approval.

 

Pre-audit (optional):

Gap analysis and diagnosis of your system's current position against the requirements of the standard. A pre-certification audit is a high-level evaluation indicating where your company currently stands in compliance with specific standards before the main certification audit.

 

Audit Stage 1 - Initial Visit: to verify the establishment and implementation of the basic structure of your Management System

 

BAS will carry out a document review assessment of the client's Management System according to the requirements of the Standard in order to establish to what extent the System addresses the requirements of the standard, and whether a subsequent Initial Assessment for Accredited Certificate is likely to result in successful certification at an early stage; companies usually take the necessary corrective/preventive actions as appropriate prior to the Initial Assessment. The Pre-audit should not be considered a Consultancy Service.

 

Audit Stage 2 - Certification audit (certificate issued after successful certification audit)

 

The principal purpose of the Initial Assessment is to audit the Company's Management Systems for compliance with the standard. Please note that the Initial Assessment is an obligatory service. In this phase, if any opportunities for improvement are identified, BAS auditors will report them in the interest of the organization.

 

Surveillance audits to follow the continual improvement

 

It is also an obligatory service; BAS will perform a Surveillance Visit approximately after every year, i.e. a total of 3 Surveillance Visits will be performed every year during the 3 years validation period of the Certificate. Such routine Surveillance Visits are performed to ensure the continuous compliance of your Management System with the requirements of the Standards.

 

Re-certification after 3 years through full audit or continual assessment.

What we do?

  • BAS can assist your organization in acquiring any relevant, internationally well-known ISO certification in the UAE. It will generate additional business opportunities and exhibit the organization's compliance with and commitment to best practices in any industry, in order to be more competitive in today's market.
  • We at BAS with our veteran assessors provide you with certification which provides value for your management system. Many clients around the world have greatly benefited through our exemplary service.
  • When you choose BAS as your certification partner you stand to gain monetarily in your business by our straightforward assessment. The overall aim of certification is to give confidence to all parties that a management system fulfills specified requirements. The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment by a third party.
  • With BAS, you will have the capability to deliver on the promises you make. This helps you to enhance your reputation, creates confidence in your capabilities, substantiates claims and differentiates your organization.
  • With BAS, you obtain the full tangible benefits and value of your management systems. This helps you to link assessment system benefits to financial performance or improvements in effectiveness and efficiency that help drive your business forward in measurable and verifiable ways, and develops your capability to better manage a range of non-financial risks.
  • As an integral part of this process, BAS will evaluate the relevance of the quality objectives against the analysis of stakeholder expectations and strategic goals of the company. We will assess the capability of the management system in controlling the defined processes. We will assess the effectiveness of the management decision making in respect to this data and, on the basis of this assessment, we will help senior management identify any changes required to support continual improvement. 
  • Providing more opportunities for improvement than just performing a compliance audit against the standard's requirements.
  • Understanding the local culture and working patterns of the clients facilitates better communication and understanding between BAS and the clients.
  • BAS possesses resources who have knowledge and skills in multiple standards such as ISO 20000, ISO 27001 and, for example, SKEA in Abu Dhabi for Business Excellence programs. This greatly helps the clients to have better inputs, as the standards can be applied in an integrated way and the auditors can provide holistic feedback.
  • BAS has offices around the world, and the auditors have access to knowledge from all around the globe, which is helpful to clients as they can gain a better understanding and more practical suggestions from BAS auditors.
  • BAS has a location advantage within the Emirates in the following: Abu Dhabi, Dubai, Al Ain, Sharjah, Ajman, Ras Al Khaimah and Fujairah (we have successfully completed many different projects locally and also internationally).
  • BAS strongly promotes and facilitates the implementation of the relevant Management System, not only for the sake of certification but to really make a difference in the processes and procedures implemented throughout any organization.
  • BAS has some project members who are also EFQM International Assessors; this can add value to the assignment, as the Abu Dhabi government highly recommends the Organizational Excellence program across Abu Dhabi Emirate (and the UAE).
