To understand information security governance, it’s important to know the difference between governance and management. 

Management involves decision making regarding day-to-day business operations. Governance provides the framework—the vision, mission, values, strategies, core policies, and other factors—used to guide these decisions.

If business were a journey, management might involve deciding how to get from point A to point B—the best route to take, which mode of transportation to use, when to embark, how fast to travel, and so on.

Governance would provide an overview of the journey—the reason for going, available transportation options, the final destination, and a map showing all the possible ways to get there.

In IT security, information security management includes risk management—which steps should be used to avoid, mitigate, or otherwise handle information security risks.

Information security governance, on the other hand, is the system that guides how those decisions get made and by whom, with the goal of achieving overall organizational goals.

The security policies, information security program, information security strategy, and other documents and measures guiding enterprise security are all a part of cybersecurity governance, which is, in turn, a part of IT governance overall. Information security governance ensures that those strategies and programs conform to the business strategy, advance business objectives, and comply with regulations and industry standards.

How information security governance works

Governance is the purview of an organization’s board of directors and executive management, especially the chief information security officer (CISO).

Working together, board members and executives consult with senior management and security professionals on staff to identify information assets and information technology security risks, set the strategic direction for ensuring the security of information systems and the data those systems contain, and create an information security policy that may address cybersecurity measures from information systems access control to organizational security awareness.

Using a governance framework is crucial to ensuring that the organization’s policies, procedures, and practices conform to regulations and standards. Commonly used information security governance frameworks include:

  • National Institute of Standards and Technology (NIST) Special Publication 800-53
  • International Organization for Standardization (ISO) 27001
  • Control Objectives for Information and Related Technologies (COBIT)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Payment Card Industry Data Security Standard (PCI DSS)