ISO/IEC 38500 — Framework Crosswalk
Document ID: ISO-XW-38500-001
Date: June 2026
Maps: ISO/IEC 38500 principles and EDM cycle → ICT Governance Framework sections and ADPA artefacts
Six principles crosswalk
| ISO 38500 principle |
Framework section |
Policies / docs |
ADPA artefact |
Code / service evidence |
| Responsibility |
Governance Structure, RACI Matrix |
Roles & Responsibilities |
raci-authority |
RBAC, service responsibility boundary service |
| Strategy |
Purpose, Target alignment |
Strategic-Tactical Overview |
framework-charter, target-state |
Executive metrics API |
| Acquisition |
Technology lifecycle, procurement |
Technology selection policy |
policy-alignment |
vendor-registry-service.js, marketplace |
| Performance |
Success Metrics, FAIR, KPIs |
Governance Metrics |
kpi-catalog |
governance-executive-metrics.js, FAIR engine |
| Conformance |
Compliance and Regulatory Alignment |
ISO library, A033/A034 |
compliance-as-code-map |
Compliance lineage, escalations, contract tests |
| Human behaviour |
Employee lifecycle, training |
docs/training/ |
operating-model |
Onboarding services, timebound onboarding |
Evaluate – Direct – Monitor crosswalk
| EDM phase |
ISO 38500 intent |
Framework activities |
Evidence type |
| Evaluate |
Assess current and future IT use; external factors |
Gap analysis (A023), maturity assessment, benchmarking, FAIR evaluation |
Assessment reports, risk telemetry |
| Direct |
Policies, plans, programmes, performance targets |
Council decisions, policy approval, ADPA generation, procurement governance |
Signed policies, ADPA deployed artefacts |
| Monitor |
Performance vs policies and plans; compliance |
Dashboards, SLA monitoring, compliance escalations, regression registry |
API metrics, escalation JSON, test results |
ADPA template placeholder
The tenant crosswalk template (adpa/templates/ict-governance/iso38500-crosswalk.template.md) includes `` for per-tenant EDM evidence injection at generation time.
Governance roles crosswalk
| 38500 accountability |
Framework role |
ISO 27001 parallel |
| Governing body |
ICT Governance Council |
A.5.1 policies (approval) |
| Executive management |
Strategic Governance Council / SGC |
A.5.4 management responsibilities |
| IT leadership |
CISO, Domain Owners |
A.5.2 information security roles |
| Business ownership |
Tenant Domain Owners |
A.5.3 segregation of duties |
| 38500 performance question |
Framework KPI area |
Metric examples |
| Is IT fit for purpose? |
Service tiers, SLA compliance |
Obligation-SLA binding status |
| Is IT delivering value? |
Business value quantification |
FAIR ALE, cost optimisation |
| Is IT reliable? |
Resilience, uptime |
DR posture, incident MTTR |
| Is IT sustainable? |
Sustainability scope |
ESG metrics (emerging) |
Gaps
| Gap |
Remediation |
38500 not in compliance-lineage-bridge.json |
Add principle-level or EDM-phase control IDs |
| EDM evidence not auto-collected |
Wire executive metrics + test results to ADPA crosswalk generation |
| Board-level attestation manual |
Quarterly governance pack via ADPA |