INTERNATIONAL ISO/IEC STANDARD 38505-1 First edition 2017-04 Information technology Governance of IT Governance of data - Part 1: Application of IS0/IEC 38500 to the governance of data Technologies de I'information - Gouvernance des technologies de I'information Gouvernance des données Partie 1: Application de I'IS0/IEC 38500 a la gouvernance des données Reference number IEC IS0/IEC 38505-1:2017(E) os1 @IS0/IEC2017 IS0/IEC 38505-1:2017(E) COPYRIGHT PROTECTED DOCUMENT IS0/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form writtenpermission.Permission canberequestedfromeitherIsOattheaddressbelow orIso'smemberbodyinthecountryof the requester. ISO copyright office Ch. de Blandonnet 8 . CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 [email protected] www.iso.org ii @ IS0/IEC 2017 - All rights reserved IS0/IEC 38505-1:2017(E) Contents Page Foreword ..V Introduction. ...vi 1 Scope. 2 Normative references 3 Terms and definitions 4 Good governance of data 4.1 Benefits of good governance of data .4 4.2 Responsibilities of the governing body 4.3 Governing body and oversight mechanisms. ..5 5 Principles, model and aspects for good governance of data ..5 6 Data accountability .6 6.1 General. ..6 6.2 Collect. .7 6.3 Store. ..8 6.4 Report. ..8 6.5 Decide ..9 6.6 Distribute ..9 6.7 Dispose. ..10 Guidance for the governance of data Principles ..10 7.1 General. ..10 7.2 Principle 1 Responsibility .10 7.3 Principle 2 Strategy .11 7.4 Principle 3 -Acquisition .11 7.5 Principle 4 — Performance. .11 7.6 Principle 5 — ( Conformance.. .11 7.7 Principle 6 - Human behaviour ..12 8 Guidance for the governance of data Model ..12 8.1 Applying the model. ..12 8.2 Internal requirements ..13 8.3 External pressures. .13 8.4 Evaluate. .13 8.5 Direct. ..14 8.6 Monitor ..14 9 Guidance for the governance of data Data-specific aspects ..15 9.1 General. .15 9.2 Value ..15 9.2.1 General. .15 9.2.2 Quality. .15 9.2.3 Timeliness. ..16 9.2.4 Context. ..16 9.2.5 Volume ..16 9.3 Risk. .16 9.3.1 General. .16 9.3.2 Management ..16 9.3.3 Data classification schemes .17 9.3.4 Security ..17 9.4 Constraints ..17 9.4.1 General. ..17 9.4.2 Regulation and legislation ..17 9.4.3 Societal ..17 9.4.4 Organizational policy .18 IS0/IEC 2017 - All rights reserved iii