New ISO standard kind-of explains how to ignore standards

The International Organization for Standardization this week signed off ISO 38504, new “Guidance for principles-based standards in the governance of information technology.” And ironically it is almost an anti-standard. To understand why, know that the opposite of principles-based governance is rules-based governance. In the …

  1. Anonymous Coward
    Anonymous Coward

    standard terminology

    I'm the manager for an operational unit that operates to (and is accredited to) an ISO/IEC standard.

    Its name begins "General requirements...." but once you're beyond the general quality organization and record keeping rules, it's really quite generalist. I would expect this one to have requirements that anything you come up with is justifiable.

    1. Anonymous Coward
      Anonymous Coward

      Re: standard terminology

      "I would expect this one to have requirements that anything you come up with is justifiable."

      I meant to type "I would expect this one to have requirements that anything you come up with HAS TO BE justifiable."

      Bloody mobile phone screens...

  2. Anonymous Coward
    Anonymous Coward

    "...principles-based standards in the governance of IT.”

    Crikey. My company will have to hire all new IT folks.

    The existing IT dronediots have been programmed around fixed God-given rules. Expecting them to switch from rules-based to principles-based standards is expecting far too much from their pea-sized brain stems.

    This transition is going to take 40 years...

  3. Doctor Syntax Silver badge

    Translation: sometimes you have to think about what you're doing.

  4. timhowarduk

    This is a beautiful moment for me because last year I worked with a team to turn an international IT policy document that was 80 pages long and no one ever read into a 10 page long principles-based policy document of which 3 pages were the contents. We basically cut out implementation details that were generally already out of date by the time the document made it through the organisations approval process.

    As someone commented above, training some people that they are allowed to actually think and identify the best solution for their situation has been interesting. Otherwise I love this new world and it's been a success. People actually read it now.

    I think it's the first time I've implemented an ISO standard even before it was written too!!

  5. Version 1.0 Silver badge

    Standards

    "A few years ago, Friday, October 14 was World Standards Day. Or, at least, it was World Standards Day in *some* countries. However, in America, the celebrations were held on October 11th. In Finland, World Standards Day was marked on October 13th. Italy planned a separate conference on standards for October 18th." - from my sigmonster file.

  6. s. pam
    Flame

    Are the T'wonks in Brussels involved?

    This reeks of Brussels mucking about in stuff that Brussels should never be mucking about in!

    1. Doctor Syntax Silver badge

      Re: Are the T'wonks in Brussels involved?

      No, it's ISO. Brussels are mere amateurs.

      1. a_yank_lurker

        Re: Are the T'wonks in Brussels involved?

        Do not insult amateurs

  7. a_yank_lurker

    ISO

    ISO rules were not very strict about how one fulfilled them but generally described what was required from my time running an ISO QA program. The problem was how many chose to implement them with long tedious wordy manuals. I remember the auditor suggesting that our top level document often could be a few pages long - he was pushing for a one page document if possible. The rest of the program would have enough detail to make sure one produced the quality products you intended, etc.

  8. markjtoomey

    Don't act: Think!

    Is this article praising rules based standards and lamenting the advent of principles based standards?

    Rules based standards encourage organisations and the teams implementing the standards to act without thinking. The expectation is that if you simply do what the standard prescribes, all will be well. OK, that works for screw threads, but it's never worked for technology, because rules based standards never exactly match the circumstances of individual organisations. Rigorously following a prescription in a standard often means missing a nuance through which anomalies grow, and can actually require deliberately implementing something that will not work, even when the problem is obvious.

    On the other hand, a principles based standard focuses on the outcome and demands that the implementers think about the context in which the guidance is being implemented, to find the most appropriate and effective way of implementing. It's harder to do, but vastly more effective and efficient in the long run. In other words, especially for smaller organisations, implementing principles based standards involves more thinking up front, but less long term overhead and better results.

  9. Maxs

    The accountancy profession has been working to move to principles rather than rules based for some time. The aim was to avoid complexity in interpretation so the concept is not new.

    In this case this standard is within the ISO/IEC 38500 family of standards, which are around governance of IT. It was thought a principles-based approach was more appropriate given its subject matter and audiences (Board and senior management). One of the problems in my view with this set of standards has been lack of detailed justification for the principles as well as guidance on application. 38504 is an attempt to define what information should be in place to support the standard. I confess to a vested interest here in that I prepared the initial draft (a bit out of frustration) when involved in standard setting, although the project editor who took it through to publication was someone else. I would note that rules-based standards are appropriate in many cases, although such standards should also have clear statements as to the principles that underpin them. Most are written to help people avoid problems of the past but sometimes a lack of understanding of what the intent was causes problems in themselves, both in application and assessment in a changing environment.

    However, I will say that my biggest criticism of standards is the costs and the fact that many people don't read them and there are too many, with standard setting becoming an industry in itself. However, looking at it from the perspective of someone who commenced in IT 50 years ago, albeit the last 30 years as an auditor, I would suggest that the development of "standards" has worked to improve the industry.

    1. Anonymous Coward
      Anonymous Coward

      @Maxs - principles based standards

      Having regularly encountered “compliance on paper” that does not reflect real fulfilment of the intent of rules based standards, I wholeheartedly agree as to the potential benefit of principles based standards, provided that the principles included therein are real ones.

      Particularly in the area of information/IT risk management, existing rules based standards still perpetuate flawed guidance (most particularly relating to risk assessment) derived from failure of those contributing to the content to recognise some real underlying principles.

      Consequently, unless this changes, the move to principles based standards may make no difference, or even make the situation worse by reinforcing a misconceived 'understanding' of fallacies.

  10. JD-OZ

    So what is a standard?

    38504 is not a Standard, it is a Technical Report. Yes - it has been written for standards developers. It did not come out of Brussels.

    Having said this, it is important to understand that standards do not have to be a set of rules. Standards can and should provide guidance. See the ISO definition in ISO Guide 2.

    Perhaps we already have too many sets of rules?

  11. Wings2i

    ISO/IEC TR 38504

    A very helpful and insightful read on ISO/IEC TR 38504
