PDIS0/IEC TR38502:2017 TECHNICAL ISO/IEC TR REPORT 38502 Second edition 2017-12-15 Information technology Governance of IT Framework and model Technologies de I'information - Gouvernance des TI - Cadre général et modele Reference number IS0/IEC TR 38502:2017(E) TEC @IS0/IEC2017 PDIS0/IECTR38502:2017 IS0/IECTR38502:2017(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISO copyrightoffice Ch. de Blandonnet 8 . CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 [email protected] www.iso.org ii @ IS0/IEC 2017 - All rights reserved PD IS0/IEC TR 38502:2017 IS0/IEC TR 38502:2017(E) Contents Page Foreword ..iv Introduction. 1 Scope. 2 Normative references ..1 3 Terms and definitions ..1 4 Model and framework. .2 4.1 Model for governance of IT .2 4.1.1 Governing body responsibilities and accountabilities .2 4.1.2 Governance tasks. .3 4.1.3 Managers' responsibilities and accountabilities .3 4.1.4 Applicability of the model. .3 4.2 Relationship between governance and management of IT .3 4.3 Key elements of a governance framework for IT. 4 5 Guidance on the application of the model .5 5.1 Responsibilities of thegoverning body .5 5.1.1 General. .5 5.1.2 Governing body and oversight mechanisms .6 5.2 Strategy formulation and oversight .6 5.2.1 General. .6 5.2.2 The governing body's role in strategy formulation ..6 5.3 Delegation .7 5.3.1 General .7 5.3.2 Delegation by the governing body 7 5.4 Responsibilities of managers. .8 5.4.1 General .8 5.4.2 The role of managers. .8 5.5 Governance and internal control .9 5.5.1 General .9 5.5.2 Establishing internal control .9 Annex A (informative) Principles of good governance of IT ..10 Bibliography .11 @ IS0/IEC 2017 - All rights reserved iii