The governance of data according to the ISO/IEC 38505-1 standard

Reading time: ~ 2 min.

The ISO/IEC 38505-1 standard on «Information technology — Governance of IT — Governance of data» provides effective guidelines to apply the ICT governance principles set by the ISO 38500 and ISO 38501 standards to the data governance.

We should keep in mind that the ISO/IEC 38505-1:2017 standard is applicable to every kind of organizations, such as companies (private or public ownership), government (agencies, departments, bureaus and other public bodies) and nonprofit organizations.

Both small and large organizations can take advantage of the application of ISO/IEC 38505-1 standard, no matters how big can be the dependence on data of their activities. The guidance provided by this standard can be useful to professionals as:

• executive managements
• external specialists (business or technical): legal, accounting, retail, industrial,...
• external and internal service providers (consultants too)
• auditors

The ISO/IEC 38505-1 standard has 11 main chapters. This is an overview on the structure:

• Chapter 1: scope
• Chapter 2: normative reference
• Chapter 3: terms and definitions

• Chapter 4: good governance of data
• 4.1 benefits of good governance of data
• 4.2 responsibilities of the governing body
• 4.3 governing body and oversight mechanisms
• Chapter 5: principles, model and aspects for good governance of data
• Chapter 6: data accountability
• 6.1 General
• 6.2 Collect
• 6.3 Store
• 6.4 Report
• 6.5 Decide
• 6.6 Distribute
• 6.7 Dispose
• Chapter 7: guidance for the governance of data – principles
• 7.1 General
• 7.2 Principle 1 – responsibility
• 7.3 Principle 2 – strategy
• 7.4 Principle 3 – acquisition
• 7.5 Principle 4 – performance
• 7.6 Principle 5 – conformance
• 7.7 Principle 6 – human behaviour
• Chapter 8: guidance for the governance of data – model
• 8.1 Applying the model
• 8.2 Internal requirements
• 8.3 External requirements
• 8.4 Evaluate
• 8.5 Direct
• 8.6 Monitor
• Chapter 9: guidance for the governance of data – data-specific aspects
• 9.1 General
• 9.2 Value
• 9.3 Risk
• 9.4 Contraints
• Chapter 10: application of the data accountability map

To better figure out  the «big picture» about the ISO 38505-1 standard, take a look at our infographic:

If we consider the ISO/IEC 38505-1:2017 standard, we find direct and natural correlations with the following standards:

• ISO 20000-1 on «Information technology – service management»
• ISO 27001 on «Information security, cybersecurity and privacy protection — Information security management systems — Requirements»

Among the references with the regulations or laws, we find several them in particular on protection of personal data, such as: European GDPR, Swiss FAPD (known also as LPD and DSG).