ISO38505 Data Governance Security Management System

With the advent of the era of big data, digital technology has changed from a tool that supports economic development into the core force leading it. According to IDC (International Data Corporation), China's data scale will reach 48.6ZB in 2025, ranking first in the world in total volume. With such a huge amount of data, the prospect of data empowering enterprise value is promising. To ensure high-quality, efficient and secure digital construction, data governance is indispensable. From the perspective of data governance, this paper introduces the latest international standard in this field, ISO 38505-1, and discusses the certification practice of this standard.

1) Background

Data governance refers to the collection of activities (planning, monitoring and execution) that exercise authority and control over the management of data assets. It aims to lay the foundation for and enable the digital transformation of an organization, help maximize the value of data assets, and expand the space for digital applications.

ISO (International Organization for Standardization) launched the first international standard for IT governance in 2008: ISO 38500. Subsequently, a resolution was adopted at the 2015 Brazil conference to divide the international standard for data governance into two parts: ISO/IEC 38505-1 "Data Governance Based on ISO/IEC 38500" (hereinafter referred to as ISO 38505-1) and ISO/IEC TR 38505-2 "The Impact of Data Governance on Data Management". At present, ISO/IEC 38505-1 has been officially released, and it adopts the principles and models of the ISO 38500 IT governance framework.

2) ISO 38505-1 standard content

ISO 38505-1 expounds the meaning of data governance, clarifies the responsibilities of governance bodies and the requirements for data governance supervision mechanisms, and proposes a data governance framework (including goals, principles and models) to help governance bodies evaluate, direct and monitor the process of data utilization.

In terms of objectives, ISO 38505-1 holds that data governance should ensure compliance constraints and risk management while enhancing the value of data utilization; in terms of principles, ISO 38505-1 follows the six basic principles of IT governance: Responsibility, Strategy, Acquisition, Performance, Compliance, and Human behavior, with specifics on how these principles guide decision-making in data governance; in terms of models, ISO 38505-1 holds that the governance body should use the Evaluate-Direct-Monitor (EDM) model to carry out data governance work, as shown in the following figure:

ISO 38505-1 EDM Model

EDM Models for Evaluation, Guidance and Supervision

  • Assessment (Evaluate): Current and future data usage. For example, assessing the data aspects of the company strategy and business model, the application of technology tools, etc.

  • Guidance (Direct): Develop and implement strategies and policies to ensure that data usage is aligned with business objectives. Develop a data strategy and corresponding governance system policies around the assessment.

  • Supervision (Monitor): The implementation of policies and strategies. Establish a corresponding monitoring mechanism to ensure that relevant measures are implemented within the organization, such as incorporating relevant governance indicators into the KPI assessment system.

The scope of data governance needs to cover the data governance responsibility map: collection, storage, reporting, decision-making, publishing and disposal.

ISO 38505-1 Data Governance Responsibility Map

In actual data applications, enterprises collect and store data through creation, collection, procurement, etc., use data for report analysis and to assist decision-making so as to realize its value, and in some cases publish it to external parties or delete and dispose of it. Therefore, the data responsibility map covers the full scope of data application, prompting enterprises to improve the management of each data responsibility point and ensure that data, a key asset, meets the needs of different business scenarios and regulatory compliance requirements.

The data responsibility map can be evaluated by combining the three characteristics of data governance: value (Value), risk (Risk) and constraints (Constraints). Among them, data value includes data quality, timeliness, volume and context; data risk includes risk management, data classification and security; constraints include laws and regulations, organizational policies, etc.

3) Key Interpretation of ISO 38505-1 Standard

The main responsibility for data governance lies with the governance layer. In the process of data governance, the governance layer mainly guides data management activities by formulating a data strategy, and management needs to achieve the strategic goals through management activities. At the same time, the governing body needs to establish a data policy to ensure that data management activities meet the needs of the data strategy and, in turn, the strategic goals of the enterprise. A data governance system document consists of a data strategy and a data policy.

Main content of ISO 38505-1 standard

4) ISO 38505-1 Certification Practice

4.1 Compilation of Data Governance System Documentation

The documents of the data governance system need to reflect the guiding ideology and content of the ISO 38505-1 standard, but they should not simply copy the standard's text; rather, they should take the standard as the basis and, according to the actual situation, improve the design of the existing governance system to form a complete, standard-compliant data governance system document.

According to the requirements of the standard, the data strategy needs to be adapted to the company's business strategy. Therefore, it is necessary to have an in-depth understanding of the company's strategic situation when formulating it, so that it is targeted and truly plays the role of data governance in enabling the enterprise's development goals.

Data policies can usually be divided into three levels of documents: the first-level document serves as the general outline, which guides the governance system and defines the governance domain framework, mainly covering the policy objectives, organizational structure and governance domain scope of the governance system; the second-level documents serve as the management specifications, covering the core requirements of the ISO 38505-1 standard and establishing management policies for each governance domain; the third-level documents serve as management procedures, specifically constructing the operational process of each management specification in the enterprise and attaching corresponding templates, forms, etc.

In the actual compilation process, it is worth noting that:

a. A detailed assessment of the status quo of data governance is a major reference element before compiling system documents, and it is also an important starting point for ensuring normalized control of data governance. The basic requirement for constructing the data governance system document is that its content meets the requirements of the ISO 38505-1 standard; the real difficulty lies in achieving a high degree of fit with the existing business processes of the enterprise. This is the core of implementing the governance system standard; otherwise it will be difficult to implement and sustain.

b. The data governance of ISO 38505-1 is a broad concept, and enterprises need to frame the specific scope of data governance certification before certification: the data scope and the data governance domains (such as data security and data quality). Therefore, the data governance system documents should cover the specific certification scope when they are planned, and the number of system documents and the main points of each governance domain should be planned from a global perspective. On the one hand, this avoids unnecessary duplication within the system; on the other hand, it avoids conflicts or redundancy with other documents of the enterprise that would increase the difficulty of subsequent implementation.

c. To comply with the requirements of the ISO 38505-1 standard, the data governance system documents should not only cover the main points in the standard, but also consider, from the perspective of the governance body, how to incorporate the system documents into the EDM model, so as to reflect the governance layer's use of the EDM model in data governance work.

4.2 System publicity and trial operation

"Practice is the sole criterion for testing truth"

The trial operation stage is a test of the completed data governance system, and it is also an excellent opportunity for the system builders to find problems, correct them and adjust the system. The "Check" and "Act" steps pave the way for the system to enter the next cycle after actual operation.

PDCA cycle management mode diagram

The trial operation of the data governance system is ultimately in the hands of the persons in charge (including the implementers) involved in the governance and control measures. If the "front-line" personnel involved in these systems lack awareness training and system guidance, the hard-built data governance system will become a dead letter.

Of course, the training and publicity of the governance system also needs to pay attention to methods and approach. This process usually faces two challenges: first, for most people involved in the system it is their first contact with the field of data governance, and directly instilling knowledge of the governance system is ineffective; second, different departments focus on different control domains. The business department may pay more attention to the efficiency of data utilization, while the security department may pay more attention to the confidentiality of sensitive data. Therefore, the training and publicity of the governance system should be carried out step by step. At the same time, to improve efficiency, departments or roles involved in the same governance area can be trained together.

Value-oriented continuous optimization

The construction of and investment in the data governance system should always be guided by the enhancement of business value. At the same time, during the construction and maintenance of the data governance system, care should be taken to avoid a dogmatic understanding of the ISO 38505-1 standard that is not combined with the actual business scenarios of the enterprise. Finally, it should be emphasized that the implementation of data governance is a long-term project. Enterprises need to continuously practice the PDCA cycle, so that they keep their vitality in data governance, so that data and business reach a more stable and balanced state, and so that they can meet the opportunities and challenges of the information age with greater confidence.

5) Practical guiding significance

ISO 38505-1 has formed a certification system in China, and an applicant organization can obtain a certificate issued by a nationally recognized certification body. However, because ISO 38505-1 certification is relatively new and has a wide coverage, not many institutions in China have obtained certification at present. Nevertheless, with the advent of the digital age, data has become an important asset of an organization and a booster of emerging business models, while also creating security risks. In this context, more and more enterprises have recognized the value and necessity of data governance at the long-term strategic level. Therefore, it is recommended that relevant enterprises also keep pace with the times, grasp the tide of transformation, and consider applying for certification. In this way, they can raise their own data governance capabilities to international standards, gain a first-mover advantage in the market, provide a strong impetus for digital transformation, and lay the foundation for their future data business layout.

This article has been written for general informational purposes and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please seek specific advice from your advisor.


Shanghai Digital Shell information technology co., ltd
Floor 8, No.690 Bibo Road, Pudong New Area, Shanghai

Email
mkt@dpoit.com

Copyright © 2025 Shanghai Digital Shell Information Technology Co., Ltd All Rights Reserved.