ISO/IEC DTS 38501-2
Information technology — Governance of IT implementation guidance — Part 2: Assessment scheme and examples
Technologies de l'information — Gouvernance des technologies de l'information — Partie 2: Schéma d'évaluation et exemples
General Information
- Status: Not Published
- Technical Committee: ISO/IEC JTC 1/SC 40 - IT service management and IT governance
- Drafting Committee: ISO/IEC JTC 1/SC 40/WG 1 - Governance of Information Technology
- Current Stage: 5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
- Start Date: 27-Mar-2026
- Completion Date: 27-Mar-2026
Overview
ISO/IEC DTS 38501-2: Information technology - Governance of IT implementation guidance - Part 2: Assessment scheme and examples is an internationally developed standard issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This document provides comprehensive guidance for organizations seeking to assess and improve their governance of IT (Information Technology) using a structured framework and examples aligned with the ISO/IEC 38500 principles. The standard is applicable to all types and sizes of organizations and is intended for individuals responsible for or supporting governance of IT practices.
Key Topics
Assessment Framework: ISO/IEC DTS 38501-2 introduces a structured assessment framework that applies to each of the governance of IT principles defined in ISO/IEC 38500. The framework focuses on:
- The existence and maturity of governance tasks and practices.
- Documentary and practical evidence of success.
- Achievement of desired governance outcomes.
Qualitative Rating Scale: The standard establishes a qualitative rating scale, enabling organizations to measure their progress in IT governance. The scale includes:
- Unknown
- Not Applied
- Somewhat Applied
- Largely Applied
- Fully Applied
Assessment Scheme: By integrating the framework and rating scale, organizations can assess their current and target states for each principle, identifying strengths and areas for improvement in their governance of IT.
Sample Characteristics and Examples: Annex A provides practical examples and sample characteristics for each of the 11 governance of IT principles, such as purpose, value generation, strategy, oversight, and accountability. These examples support organizations in tailoring assessment criteria to their unique context.
Applications
ISO/IEC DTS 38501-2 is designed for practical use by a broad range of organizations and professionals, including:
- IT Governance Leaders and Teams: Facilitates structured self-assessment or auditing of IT governance effectiveness, ensuring alignment with international best practices.
- Consultants and Auditors: Offers a recognized, principles-based assessment approach for evaluating client organizations or supporting IT governance improvement projects.
- Organizational Leadership: Supports informed decision-making and strategic alignment of IT investments with organizational goals and compliance requirements.
- Continuous Improvement: Guides organizations in benchmarking and improving their governance of IT maturity over time, using the assessment scheme as a repeatable evaluation method.
Example Use Cases
- Organizations performing gap analyses between current governance practices and desired outcomes.
- Ongoing performance measurement of IT governance effectiveness.
- Demonstrating compliance and due diligence for regulatory bodies or stakeholders.
- Enhancing governance alignment post-merger, acquisition, or during digital transformation projects.
Related Standards
- ISO/IEC 38500: The foundational standard for governance of IT for organizations, specifying principles, model, and glossary.
- ISO/IEC 38501-1: Provides implementation guidance for governance of IT, focusing on the overall approach.
- ISO/IEC 38503: Addresses auditing and assessment methods for governance of IT.
- Other ISO/IEC 38500 Series Standards: Explore governance roles, auditing, and specialized guidance for IT-enabled investments and service management.
For comprehensive IT governance, organizations can integrate ISO/IEC DTS 38501-2 with these related standards to reinforce robust, outcome-based IT governance practices.
Keywords: ISO/IEC DTS 38501-2, IT governance assessment, governance of IT, assessment scheme, IT governance framework, IT principles, IT compliance, ISO/IEC 38500, IT risk management, IT value generation, continuous improvement in IT, IT audit standards.
Frequently Asked Questions
ISO/IEC DTS 38501-2 is a draft published by the International Organization for Standardization (ISO). Its full title is "Information technology — Governance of IT implementation guidance — Part 2: Assessment scheme and examples". This standard covers: Information technology — Governance of IT implementation guidance — Part 2: Assessment scheme and examples
ISO/IEC DTS 38501-2 is classified under the following ICS (International Classification for Standards) categories: 03.100.02 - Governance and ethics; 35.020 - Information technology (IT) in general. The ICS classification helps identify the subject area and facilitates finding related standards.
Standards Content (Sample)
FINAL DRAFT Technical Specification ISO/IEC DTS 38501-2
ISO/IEC JTC 1/SC 40
Secretariat: SA
Voting begins on: 2026-03-27
Voting terminates on: 2026-05-22
Information technology — Governance of IT implementation guidance — Part 2: Assessment scheme and examples
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
© ISO/IEC 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment scheme for the governance of IT
4.1 General
4.2 Assessment framework
4.3 Rating scale
4.4 Assessment scheme
Annex A (informative) Sample governance of IT characteristics, by principle
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 40, IT service management and IT governance.
This first edition of ISO/IEC TS 38501-2, together with the first edition of ISO/IEC 38501-1, cancels and
replaces the first edition of ISO/IEC TS 38501:2015, which has been technically revised.
The main changes are as follows:
— the content has been aligned to take updates to ISO/IEC 38500:2024 into account;
— Annex A (assessment scheme) and Annex B (sample characteristics by principle) have been moved to
ISO/IEC TS 38501-2 (this document) to facilitate alignment and use with ISO/IEC 38503.
A list of all parts in the ISO/IEC 38501 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
The measurement of performance is an essential aspect when implementing the governance of IT in the
organization. It helps the governing body understand how well the organization is achieving its governance
of IT objectives and provides critical insights into the areas for improvement, thereby helping the governing
body to make informed decisions and allocate resources effectively.
ISO/IEC 38500 is a principles-based standard for the governance of IT. It is therefore crucial that an
appropriate assessment scheme, which enables the organization to define the practices, evidence of success
and outcomes that are appropriate for the organization, be used. Once this is in place, the organization will
be able to effectively measure its performance towards the achievement of its governance of IT objectives.
FINAL DRAFT Technical Specification ISO/IEC DTS 38501-2:2026(en)
Information technology — Governance of IT implementation
guidance —
Part 2:
Assessment scheme and examples
1 Scope
This document provides guidance on the assessment scheme to be used when implementing the governance
of IT in organizations in accordance with ISO/IEC 38500 and ISO/IEC 38501-1.
It establishes the assessment framework and rating scale appropriate for principles-based governance of IT,
and provides sample governance of IT characteristics for each of the 11 principles listed in ISO/IEC 38500
(see Annex A).
This document can be used by individuals responsible for governance of IT in an organization, as well as
individuals supporting the governance of IT in organizations, and is applicable to organizations of all sizes
and types.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
No terms and definitions are listed in this document.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
4 Assessment scheme for the governance of IT
4.1 General
The assessment scheme for implementing principles-based governance of IT, based on ISO/IEC 38500,
comprises an assessment framework and rating scale in support of outcomes-based governance of IT.
These components provide structure and guidance to the assessment process, which can assist organizations
in creating more comprehensive assessments.
4.2 Assessment framework
The framework comprises the following three characteristics, which are applied to each of the principles in
ISO/IEC 38500 (see Figure 1).
— The extent to which governance tasks and practices are in place.
— The evidence demonstrating the successful performance of these tasks and practices.
— The extent to which outcomes are being achieved.
Figure 1 — Assessment framework for the governance of IT
4.3 Rating scale
The rating scale used to assess the status of implementation is qualitative rather than quantitative in nature,
since principles-based standards focus on the achievement of outcomes, rather than the means of achieving
outcomes. This is shown in Table 1.
Table 1 — Rating scale and description
Rating / Description
Unknown
— No knowledge of the governance tasks, practices, evidence of success or whether outcomes are being achieved.
Not applied
— The majority of governance tasks and practices are not being performed and there is little evidence of success.
— Outcomes are not being achieved.
Somewhat applied
— Certain governance tasks and practices are being performed and there is some evidence of success, although one or more aspects are not in place at all.
— Some outcomes are being achieved to a certain degree, but one or more outcomes are not being achieved at all.
Largely applied
— Majority of governance tasks and practices are being performed and evidence of success is visible to a large extent. Certain aspects are fully in place.
— Majority of outcomes are being achieved to a large degree with certain outcomes being fully achieved.
Fully applied
— All governance tasks and practices are being fully performed and evidence of success is fully visible.
— All outcomes are being fully achieved.
4.4 Assessment scheme
The assessment scheme for the governance of IT can be obtained by combining the assessment framework
and the rating scale defined in Figure 1 and Table 1 with the current and desired future state of achievement
for the organization. Figure 2 provides an example. Examples of how this can be populated are provided in
Annex A.
Figure 2 — Assessment scheme for the governance of IT
Annex A
(informative)
Sample governance of IT characteristics, by principle
A.1 Purpose
Table A.1 provides an example assessment scheme for the principle "purpose".
Table A.1 — Example assessment scheme: Purpose
Governance tasks and practices
— The governing body assesses the engagement with internal and external stakeholders to ensure that their use of the organization’s IT and data is aligned to the purpose and values of the organization.
— The governing body evaluates how new and emerging technologies can enable or enhance the organization’s purpose and values.
Evidence of success
— Appropriate governing mechanisms for the use of IT and data between ecosystem organizations.
— Relevant clauses for the use of IT and data in contracts with customers and suppliers.
— Policies and procedures enforcing appropriate use of IT and data within the organization.
— Governing body assessment of emerging technology projects to ensure alignment to the purpose and values of the organization.
Outcomes
— Confidentiality and integrity of organizational data maintained by external and internal stakeholders.
— Organizational compliance to legislation and regulations.
— Stakeholders embrace the organization’s purpose and values by using its digital capabilities.
Assessment
— Governance tasks and practices: Are the governance tasks and practices being applied?
— Evidence of success: Is there evidence of success?
— Outcomes: Are outcomes being achieved?
Rows for each assessment: Current state, Future state. Rating columns: Unknown, Not, Somewhat, Largely, Fully.
A.2 Value generation
Table A.2 provides an example assessment scheme for the principle "value generation".
Table A.2 — Example assessment scheme: Value generation
Governance tasks and practices
— The governing body evaluates whether IT is embedded into the organization’s products and services to support new value generation models.
— The governing body directs that the periodical assessment of the impact of market changes to the value generation models is performed.
— The governing body directs that the digital capabilities to support new value generation models exist within the organization’s ecosystem.
— The governing body directs that appropriate policies are in place to support the organization’s value generation models.
— The governing body monitors that appropriate delegation of authority is in place to support the organization’s value generation models and ensures that these are not exceeded.
— The governing body directs that appropriate performance measurement is in place to determine the effectiveness of digitally enabled value creation models.
— The governing body monitors that the organization complies with its policies pertaining to new value generation models.
Evidence of success
— Products transformed into services through the inclusion of digital capabilities.
— Key digital roles identified and filled in organogram.
— Service contracts entered into with partners to provide required digital services.
— Organizational policies contain statements relating to digital technologies supporting new value generation models, e.g.:
  — the ethical use of IT;
  — ecosystem partner roles, responsibilities and behaviours.
— Decisions regarding the use of AI in the organization’s value generation are approved by the governing body.
— Relevant metrics defined, measured and reported to ensure successful digital support for value generation models, e.g.:
  — network effects;
  — service levels across organizational ecosystems;
  — user experience.
— Relevant metrics defined, measured and reported to ensure regulatory compliance for value generation models, e.g.:
  — personal data protection
  — data provenance / use in AI.
Outcomes
— New models of business value enabled through the adoption of digital capabilities.
— New value generation projects successfully delivered, achieving projected benefits.
— Compliance to legislation and regulation relating to new value generation models by:
  — the organization’s digital products and services;
  — the organization’s partners in the value generation ecosystem.
— Governing body fully endorses the risks and opportunities of digital technologies supporting the organization’s value generation models.
— Business value generated for:
  — the organization;
  — the organization’s ecosystem.
— High level of trust in the organization’s digital products and services.
— Organization’s good reputation maintained.
Assessment
— Governance tasks and practices: Are the governance tasks and practices being applied?
— Evidence of success: Is there evidence of success?
— Outcomes: Are outcomes being achieved?
Rows for each assessment: Current state, Future state. Rating columns: Unknown, Not, Somewhat, Largely, Fully.
A.3 Strategy
Table A.3 provides an example assessment scheme for the principle "strategy".
Table A.3 — Example assessment scheme: Strategy
Governance tasks and practices
— The governing body evaluates whether the IT strategy aligns to the organizational strategy.
— The governing body directs that the organizational strategy considers the impact of new and emerging technologies.
— The governing body ev
Evidence of success
— IT strategy clearly articulates how it supports the business strategy and goals.
— Business strategy incorporates new technologies to achieve competitive advantage.
— Key internal factors covered
Outcomes
— The organization's IT, data and digital capabilities successfully support and enable the achievement of business goals and objectives.
— The organization invests appropriately in digital technologies, innovation and
...
ISO/IEC DTS 38501-2
ISO/IEC JTC 1/SC 40/WG 1
Secretariat: SA
Date: 2026-03-12
Information technology — Governance of IT implementation guidance — Part 2: Assessment scheme and examples
FDIS stage
Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment scheme for the governance of IT
4.1 General
4.2 Assessment framework
4.3 Rating scale
4.4 Assessment scheme
Annex A (informative) Sample governance of IT characteristics, by principle
A.1 Purpose
A.2 Value generation
A.3 Strategy
A.4 Oversight
A.5 Accountability
A.6 Stakeholder engagement
A.7 Leadership
A.8 Data and decisions
A.9 Risk governance
A.10 Social responsibility
A.11 Viability and performance over time
Foreword
ISO (the International Organization for Standardization) is a and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide federation of national
standardsstandardization. National bodies (that are members of ISO member bodies). The workor IEC
participate in the development of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has
been established has the right to be represented on that committee. Internationalby the respective
organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-
governmental, in liaison with ISO and IEC, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documentsdocument should be noted. This document was drafted in accordance
with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives 2 (see
www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO drawsand IEC draw attention to the possibility that the implementation of this document may
Formatted: English (United Kingdom)
involve the use of (a) patent(s). ISO takesand IEC take no position concerning the evidence, validity or
Formatted: English (United Kingdom)
applicability of any claimed patent rights in respect thereof. As of the date of publication of this
Formatted: English (United Kingdom)
document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this
document. However, implementers are cautioned that this may not represent the latest information,
Formatted: Font color: Auto, English (United Kingdom)
which may be obtained from the patent database available at www.iso.org/patents.
Formatted: Font: Not Italic, Font color: Auto, English
ISOwww.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for
(United Kingdom)
identifying any or all such patent rights.
Formatted: Font color: Auto, English (United Kingdom)
Any trade name used in this document is information given for the convenience of users and does not
Formatted: English (United Kingdom)
constitute an endorsement.
Formatted: English (United Kingdom)
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
Formatted: Font color: Auto
www.iso.org/iso/foreword.html) see www.iso.org/iso/foreword.html. In the IEC, see
www.iec.ch/understanding-standards. Formatted: Font color: Auto
Formatted: Font color: Auto
This document was prepared by Joint Technical Committee ISO/JTC1IEC JTC 1, Information
Formatted: Font color: Auto
Technologytechnology, Subcommittee SC 40, IT service Managementmanagement and IT
Governancegovernance. Formatted: Font color: Auto
Formatted: Font color: Auto
It comprises This first edition of ISO/IEC TS 38501-2, together with the first edition of ISO/IEC 38501-
Formatted: Font color: Auto
1, cancels and replaces the first edition of ISO/IEC TS 38501:2015, which has been technically revised.
Formatted: Font color: Auto
The main changes are as follows:
Formatted: Font color: Auto
— the content has been aligned to take updates to ISO/IEC 38500:2024 into account; Formatted: Font color: Auto
Formatted: Font color: Auto
— Annex A (assessment scheme) and Annex B (sample characteristics by principle) have been moved
Formatted: Font color: Auto
to be usedISO/IEC TS 38501-2 (this document) to facilitate alignment and use with ISO/IEC 38501-
138503.
Formatted: List Continue 1
Formatted: Font color: Auto
A list of all parts in the ISO/IEC 3850038501 series can be found on the ISO websiteand IEC websites.
Formatted: Font color: Auto
Formatted: Font: Cambria
vi © ISO #### – All rights reserved
ISO/IEC DTS38501 – 2:2025
Any feedback or questions on this document should be directed to the user’s national standards body.
A complete listing of these bodies can be found at
www.iso.org/members.htmlwww.iso.org/members.html and www.iec.ch/national-committees.
© ISO/IEC 2024 – All rights reserved
vii
ISO #####-#:####(X)
Introduction
The measurement of performance is an essential aspect when implementing the governance of IT in the organization. It helps the governing body understand how well the organization is achieving its governance of IT objectives and provides critical insights into the areas for improvement, thereby helping the governing body to make informed decisions and allocate resources effectively.
ISO/IEC 38500 is a principles-based standard for the governance of IT. It is therefore crucial that an appropriate assessment scheme, which enables the organization to define the practices, evidence of success and outcomes that are appropriate for the organization, be used. Once this is in place, the organization will be able to effectively measure its performance towards the achievement of its governance of IT objectives.
Information technology — Governance of IT implementation guidance — Part 2: Assessment scheme and examples
1 Scope
This document provides guidance on the assessment scheme to be used when implementing the governance of IT in organizations, in accordance with ISO/IEC 38500 and ISO/IEC 38501-1.
It establishes the assessment framework and rating scale, appropriate for principles-based governance of IT, and provides sample governance of IT characteristics for each of the 11 principles listed in ISO/IEC 38500 (see Annex A).
This document can be used by individuals responsible for governance of IT in an organization, as well as individuals supporting the governance of IT in organizations, and is applicable to organizations of all sizes and types.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
No terms and definitions are listed in this document.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
4 Assessment scheme for the governance of IT
4.1 General
The assessment scheme for implementing principles-based governance of IT, based on ISO/IEC 38500, comprises an assessment framework and rating scale in support of outcomes-based governance of IT.
These components provide structure and guidance to the assessment process, which can assist organizations in creating more comprehensive assessments.
4.2 Assessment framework
The framework comprises the following three characteristics, which are applied to each of the principles in ISO/IEC 38500 (see Figure 1).
— The extent to which governance tasks and practices are in place.
— The evidence demonstrating the successful performance of these tasks and practices.
— The extent to which outcomes are being achieved.
Figure 1 — Assessment framework for the governance of IT
4.3 Rating scale
The rating scale used to assess the status of implementation is qualitative rather than quantitative in nature, since principles-based standards focus on the achievement of outcomes, rather than the means of achieving outcomes. This is shown in Table 1.
Table 1 — Rating scale and description
Rating: Unknown
— No knowledge of the governance tasks, practices, evidence of success or whether outcomes are being achieved.
Rating: Not applied
— The majority of governance tasks and practices are not being performed and there is little evidence of success.
— Outcomes are not being achieved.
Rating: Somewhat applied
— Certain governance tasks and practices are being performed and there is some evidence of success, although one or more aspects are not in place at all.
— Some outcomes are being achieved to a certain degree, but one or more outcomes are not being achieved at all.
Rating: Largely applied
— Majority of governance tasks and practices are being performed and evidence of success is visible to a large extent. Certain aspects are fully in place.
— Majority of outcomes are being achieved to a large degree with certain outcomes being fully achieved.
Rating: Fully applied
— All governance tasks and practices are being fully performed and evidence of success is fully visible.
— All outcomes are being fully achieved.
4.4 Assessment scheme
The assessment scheme for the governance of IT can be obtained by combining the assessment framework and the rating scale defined in Figure 1 and Table 1 with the current and desired future state of achievement for the organization. Figure 2 provides an example. Examples of how this can be populated are provided in Annex A.
Figure 2 — Assessment scheme for the governance of IT
Annex A
(informative)
Sample governance of IT characteristics, by principle
A.1 Purpose
Table A.1 provides an example assessment scheme for the principle "purpose".
Table A.1 — Example assessment scheme: Purpose
Governance tasks and practices:
— The governing body assesses the engagement with internal and external stakeholders to ensure that their use of the organization’s IT and data is aligned to the purpose and values of the organization.
— The governing body evaluates how new and emerging technologies can enable or enhance the organization’s purpose and values.
Evidence of success:
— Appropriate governing mechanisms for the use of IT and data between ecosystem organizations.
— Relevant clauses for the use of IT and data in contracts with customers and suppliers.
— Policies and procedures enforcing appropriate use of IT and data within the organization.
— Governing body assessment of emerging technology projects to ensure alignment to the purpose and values of the organization.
Outcomes:
— Confidentiality and integrity of organizational data maintained by external and internal stakeholders.
— Organizational compliance to legislation and regulations.
— Stakeholders embrace the organization’s purpose and values by using its digital capabilities.
Assessment (current state and future state, each rated Unknown / Not / Somewhat / Largely / Fully):
— Are the governance tasks and practices being applied?
— Is there evidence of success?
— Are outcomes being achieved?
A.2 Value generation
Table A.2 provides an example assessment scheme for the principle "value generation".
Table A.2 — Example assessment scheme: Value generation
Governance tasks and practices:
— The governing body evaluates whether IT is embedded into the organization’s products and services to support new value generation models.
— The governing body directs that the periodical assessment of the impact of market changes to the value generation models is performed.
— The governing body directs that the digital capabilities to support new value generation models exist within the organization’s ecosystem.
— The governing body directs that appropriate policies are in place to support the organization’s value generation models.
— The governing body monitors that appropriate delegation of authority is in place to support the organization’s value generation models and ensures that these are not exceeded.
— The governing body directs that appropriate performance measurement is in place to determine the effectiveness of digitally enabled value creation models.
— The governing body monitors that the organization complies with its policies pertaining to new value generation models.
Evidence of success:
— Products transformed into services through the inclusion of digital capabilities.
— Key digital roles identified and filled in organogram.
— Service contracts entered into with partners to provide required digital services.
— Organizational policies contain statements relating to digital technologies supporting new value generation models, e.g.:
  o The ethical use of IT
  o Ecosystem partner roles, responsibilities and behaviours
— Decisions regarding the use of AI in the organization’s value generation are approved by the governing body.
— Relevant metrics defined, measured and reported to ensure successful digital support for value generation models, e.g.:
  o Network effects
  o Service levels across organizational ecosystems
  o User experience
— Relevant metrics defined, measured and reported to ensure regulatory compliance for value generation models, e.g.:
  o Personal data protection
  o Data provenance / use in AI
Outcomes:
— New models of business value enabled through the adoption of digital capabilities.
— New value generation projects successfully delivered, achieving projected benefits.
— Compliance to legislation and regulation relating to new value generation models by:
  o The organization’s digital products and services
  o The organization’s partners in the value generation ecosystem
— Governing body fully endorses the risks and opportunities of digital technologies supporting the organization’s value generation models.
— Business value generated for:
  o The organization
  o The organization’s ecosystem
— High level of trust in the organization’s digital products and services.
— Organization’s good reputation maintained.
Assessment (current state and future state, each rated Unknown / Not / Somewhat / Largely / Fully):
— Are the governance tasks and practices being applied?
— Is there evidence of success?
— Are outcomes being achieved?
A.3 Strategy
Governance tasks and practices:
— The governing body evaluates whether the IT strategy aligns to the organizational strategy.
— The governing body directs that the organizational strategy considers the impact of new and emerging technologies.
— The governing body evaluates whether internal factors relevant to the organization are adequately addressed in the IT strategy.
— The governing body evaluates whether external factors relevant to the organization are adequately addressed in the IT strategy.
— The governing body monitors progress towards the achievement of the IT strategy, including whether:
  o The implementation is on track
  o Changes are required to designs, plans, budgets, or scope
  o Progress information is accurate, up to date, and useful
Evidence of success:
— IT strategy clearly articulates how it supports the business strategy and goals.
— Business strategy incorporates new technologies to achieve competitive advantage.
— Key internal factors covered in reports to governing body / addressed in the IT strategy, including:
  o Strategic business and technology change initiatives
  o The digital ecosystem in which the organization operates
  o Cybersecurity, resilience, total cost of ownership, flexibility, and resources
  o Autonomy of essential services (e.g. online identity management, data storage, communications etc.)
  o Skills, training and resources
— Key external factors covered in reports to governing body / addressed in the IT strategy, including:
  o Legal & regulatory factors
  o New technologies & solutions
  o Consumer & market forces
  o Cybersecurity / threats
  o Sustainability & climate change
Outcomes:
— The organization’s IT, data and digital capabilities successfully support and enable the achievement of business goals and objectives.
— The organization invests appropriately in digital technologies, innovation and personnel, to ensure its IT remains current and does not degrade and become obsolete over time.
— The organization is not compromised by cyber security breaches.
— The organization complies with relevant legislation and regulation, e.g.
  o Cybersecurity
  o Data protection
Assessment (current state and future state, each rated Unknown / Not / Somewhat / Largely / Fully):
— Are the governance tasks and practices being applied?
— Is there evidence of success?
— Are outcomes being achieved?
A.4 Oversight
Governance tasks and practices:
— The governing body directs those responsible to establish regular mechanisms for ensuring that the use of IT conforms with relevant obligations, internal policies, standards and guidelines.
— The governing body directs that a policy framework is in place to cover applicable legislative, regulatory and internal requirements.
— The governing body monitors the extent to which policies are properly followed by the organization.
— The governing body directs that a performance measurement framework is in place.
— The governing body monitors IT compliance and conformance through appropriate reporting and audit practices, ensuring that reviews are timely, comprehensive, and suitable for the organization.
— The governing body directs those responsible to establish internal policies, standards and guidelines, as well as regular mechanisms for ensuring that the use of IT conforms with relevant obligations,
Evidence of success:
— Mature IT management systems, processes and controls in place, ensuring conformance to organizational policies, service requirements and risk appetite.
— Tracking systems in place to ensure that appropriate education and training is provided to all staff on organizational policies and procedures.
— Policies approved by the governing body addressing all aspects of the policy framework.
— Relevant policies in place that are reviewed on a regular basis to ensure appropriate organizational behaviour with respect to the supply and use of IT.
— Reporting of key performance indicators to the governing body, relating to conformance to key organizational controls.
— The governing body is informed in a timely manner of any material breaches, particularly in regulatory or contractual compliance, and any risks to the organization that relate to the use of IT in the organization.
Outcomes:
— The organization abides by its policies, rules and mandates that are appropriately implemented by IT.
— Organizational behaviour aligned to purpose and values.
— Organizational compliance to relevant legislation and regulations.
— The organization properly manages its information and transactions so that there are no breaches of legal and/or regulatory requirements.
Assessment (current state and future state, each rated Unknown / Not / Somewhat / Largely / Fully):
— Are the governance tasks and practices being applied?
— Is there evidence of success?
— Are outcomes being achieved?
A.5 Accountability
Governance tasks and practices:
— The governing body evaluates the responsibilities for the supply and use of IT and digital capabilities within the organization and among its ecosystem partners.
— The governing body directs that the parties responsible for the supply of IT and digital services be held to account for the proper delivery and performance of the respective services.
— The governing body directs that the parties using the organization’s IT and digital services be held to account for the proper use of the respective technologies and services.
Evidence of success:
— Senior decision-making and oversight structures in place that review:
  o The effectiveness and quality of the IT and digital services supplied to the organization
  o The extent of adoption and use of IT and digital services by the organization
— Appropriate controls regarding the use of IT, data and digital services in the organization and by ecosystem partners, e.g.
  o Acceptable use policies
  o Confidentiality and non-disclosure agreements
— Independent assessment and assurance on the effectiveness and appropriateness of oversight and controls of IT, data and digital capabilities in the organization and its ecosystem partners.
Outcomes:
— The governing body takes accountability for proper and effective governance of IT:
  o Within the organization
  o Among organizational ecosystem partners
— Management takes responsibility for the identification, deployment and adoption of relevant digital capabilities to support the organization’s strategic and operational requirements.
— Users held to account for the appropriate use of the organization’s digital systems and data.
Assessment (current state and future state, each rated Unknown / Not / Somewhat / Largely / Fully):
— Are the governance tasks and practices being applied?
— Is there evidence of success?
— Are outcomes being achieved?
A.6 Stakeholder engagement
Governance tasks and practices:
— The governing body directs that a stakeholder management strategy is ...
— The governing body directs that appropriate policies are in place for key stakeholders in the organization’s digital value network.
— The governing body monitors stakeholder engagement ...
Evidence of success:
— Key stakeholders identified e.g.:
  o Customers
  o Suppliers
  o Ecosystem partners
  o Employees
  o Regulators
— Stakeholder engagement ...
Outcomes:
— Satisfied customers, including
  o High customer retention rates
  o Positive customer feedback on ...
— Enhanced supplier / partner relationships, including
  o High service levels
  o Cost optimization
  o Scalability and flexibility
  o Enhanced innovation
  o Good governance and compliance
— Management and staff positively engaged on digital change initiatives, leading to successful ...







