International Standards: ISACA Update on ISO Governance and Management Standards Initiatives

Author: Max Shanahan, ISACA Hall of Fame Inductee and Veteran Auditor
Date Published: 24 August 2022

I, along with Lisa Villanueva from ISACA Global, recently had the pleasure of attending the ISO/IEC JTC 1 Subcommittee meetings for ISO SC 40. This subcommittee and its workgroups met virtually in June, and the following is a brief summary of the current activities of the group:

ISACA’s Engagement in Standards Development
ISACA’s involvement with international standards is through a formal liaison arrangement with three subcommittees of ISO/IEC JTC 1. These are ISO/IEC JTC 1/SC 7—Software Development, ISO/IEC JTC 1/SC 27—Information Security and ISO/IEC JTC 1/SC 40—Governance and Management of IT.

The development of an international standard involves a number of stages, with contributions and votes at each stage.


Under the liaison arrangements, ISACA can nominate experts to participate in the working group developing a standard, vote on new item proposals (NPs) and working drafts (WDs), and make suggestions for improvement as the standard goes through the steps for approval.

ISO/IEC JTC 1 Subcommittee SC 40—IT Service Management and IT Governance Standards  
SC 40 was established to develop standards, tools, frameworks, best practices and related documents for IT service management and IT governance, including areas of IT activity such as audit, governance, risk management, outsourcing, service operations and service maintenance. SC 40 has three workgroups. The current activities of each are described below:

WG 1 Governance of Information Technology: 

  • ISO/IEC 38507:2022 Governance implications of the use of artificial intelligence by organizations. This is the most recent international standard in the governance of IT family. It addresses the governance implications of the use of artificial intelligence by organizations. This standard was developed with ISO/IEC JTC 1/SC 42, Artificial intelligence.
  • ISO/IEC 38500:2015 Governance of IT. ISO/IEC 38500, the core standard for IT governance, is being revised to take into account the significant changes in the environment in which organizations manage and use technology. A Draft International Standard (DIS) is also planned in the near future. The standard will align with ISO/IEC 37000, Governance of Organizations.
  • AWI TS 38508 Information technology—Governance implications of using shared digital service platform ecosystem organizations. This is in a working draft stage.
  • WG 1 is also preparing a strategy for further development of the core governance standards. This will be considered at a meeting in November 2022.

WG 2 Service Management—Information Technology

  • ISO/IEC PWI TS 20000-14: Guidance on the application of service integration and management to ISO/IEC 20000. This standard will address the application of 20000-1 to SIAM (Service Integration and Management). It will address SIAM’s approach to managing multiple suppliers of services and integrating them to provide a single business-facing IT organization.
  • ISO/IEC PWI TS 20000-15: Guidance on the agile, dev-ops and service management. This is a new project proposal to produce guidance on how to adopt Agile and DevOps principles within a service management system (SMS).

WG 3 IT-Enabled Services/Business Process Outsourcing

  • ISO/IEC AWI 30105-1:2016 IT Enabled Services-Business Process—Part 1: Process reference model (PRM). The standard is under review with a working draft study initiated.
  • ISO/IEC AWI 30105-2:2016 IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes—Part 2: Process assessment model (PAM). The standard is under review with a revised committee draft (CD).
  • ISO/IEC AWI 30105-3:2016 IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes—Part 3: Measurement framework (MF) and organization maturity model (OMM). The standard is under review with a working draft study initiated.
  • ISO/IEC 30105-4:2016 IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes—Part 4: Terms and concepts. This standard is under revision with final text received or FDIS registered for formal approval.
  • ISO/IEC AWI 30105-5:2016 IT Enabled Services-Business Process Outsourcing (ITES). New project approved to revise the standard.
  • ISO/IEC AWI 30105-5:2016 IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes—Part 5: Guidelines. There will be a new project to revise the TC/SC work program.
  • ISO/IEC 30105-8 IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes—Part 8: Continual Performance Improvement (CPI) of ITES-BPO. Not yet published; under ballot for approval of the DIS.
  • TS 30105-9 IT Enabled Services-Business Process Outsourcing (ITES-BPO) lifecycle processes—Part 9: Guidelines on maturity assessment to support digital transformation. Not yet published; CD study/ballot initiated.

For more information about ISACA’s involvement in SC 40, contact Lisa Villanueva (lvillanueva@cp55586.com) or Max Shanahan (shanahan@ozemail.com.au).

About the author: Max Shanahan is a veteran auditor with a passion for good IT governance and audit. He was the editor of AS/NZ 8016 on the governance of IT-enabled projects and ISO/IEC 38502 Governance of IT, model and framework. Max was the foundation president of ISACA’s Canberra Chapter. He has been involved in CISA and CGEIT certification, COBIT 4 and 5 development, and ISACA’s engagement in standardization of IT governance. He chaired four ISACA Oceania Conferences. Max holds ISACA’s CISA and CGEIT certifications (retired status). He is a proud recipient of the 2002 John Lainhart Common Body of Knowledge Award and three ISACA president’s awards (from John Kuyers in 1990, Deepak Sarup in 1991 and Rob Stroud in 2015), and was nominated to ISACA’s Hall of Fame in 2021.