ISO/IEC 38500 provides guiding principles for governance specifically directed at Information Technology. It can be used to help integrate business strategy, information technology, and information security initiatives.
Would we want to add this after our ISO/IEC 27001 that we are working on?
ISO 27001 does not require the implementation of any other standard, so the decision about the application of ISO/IEC 38500 would depend on the evaluation of potential benefits that can be achieved and the costs of implementing an additional standard.
Also, in regard to ISO 22301, does this complement the GDPR that we are working on?
ISO 22301 is about business continuity and resilience of systems. It can help you to demonstrate compliance with security measures under Article 32 GDPR (which requires technical and organizational security measures) but it does not cover all GDPR requirements (i.e. the information to be provided to data subjects, or the respect of data subject rights are outside the purposes of ISO 22301 and they are the core of GDPR). GDPR refers to all data processing regardless of the form and it is not only about data security (yet it is crucial), it is also about information, transparency, and lawful processing.