ISG: Information security governance


Rules that run the organisation = Governance. ISG comprises the elements required to give senior management assurance that its direction and intent are reflected in the organisation's security posture.

Policies + Standards + Procedures = Governance

The objective of information security governance is to `establish and/or maintain an information security strategy in alignment with organisational goals and objectives to guide the establishment and/or ongoing management of the information security program`.

The outcomes that senior management wants from the information security program define the building blocks of security governance, and they are usually expressed in terms of risk management and acceptable levels of risk.

ISG is a subset of corporate governance and must be consistent with the enterprise's overall governance. It provides strategic direction for security activities and ensures that security objectives are achieved. Its six outcomes are:

  1. Strategic alignment: Aligning information security with business strategy to support organisational objectives.
  2. Risk management: Executing appropriate measures to mitigate risk and reduce the potential impact on information resources to an acceptable level.
  3. Value delivery: Optimising security investments in support of business objectives.
  4. Resource optimisation: Using information security knowledge and infrastructure efficiently and effectively.
  5. Performance measurement: Monitoring and reporting on security processes to ensure that objectives are achieved.
  6. Assurance process integration: Integrating all relevant assurance factors so that processes operate as intended from end to end.

A governance framework will consist of

  1. A comprehensive security strategy intrinsically linked with business objectives
  2. Governing security policies that clearly express management's intent and address each aspect of strategy, controls and regulation.
  3. A complete set of standards for each policy to ensure that people, procedures, practices and technologies comply with policy requirements and to set appropriate baselines for the enterprise.
  4. An effective organisational structure, with sufficient authority and adequate resources, free of conflicts of interest.
  5. Defined workflows and structures that assign responsibility and accountability for information security governance.
  6. Institutionalised metrics and monitoring processes to ensure compliance, provide feedback on control effectiveness and provide the basis for appropriate management decisions.

Who defines the desired outcomes?

Senior management and business unit leaders.

Who defines the strategy?

The information security manager (ISM) defines the security program. The ISM performs a gap analysis between the current state and the desired state; the path for closing that gap becomes the basis of the strategy.

Security Strategy: Desired State of the Enterprise

It is based on the outcomes set by the senior management.

What is a security strategy?

A security strategy will define the approach of achieving the security program outcomes management wants. It is a statement of how security aligns with and supports business objectives, and it provides the basis for good security governance.

Security Policy

Policies are statements of management's intent and direction at a high level.

They address viable threats to the organisation, prioritised by their likelihood of occurrence and their potential impact on the business. The strictest policies apply to the areas of greatest business value.

Standards

Standards define how things should be done. They set the boundaries for people, processes, procedures and technologies so that they remain compliant with policy and support the achievement of the organisation's goals and objectives. There can be several standards for the same policy, depending on classification level, e.g. for information: Confidential, Private, Public. Collectively, standards are combined with other controls to create a security baseline.

Guidelines

Guidelines are recommended, non-mandatory practices; they express how the organisation would prefer things to be done rather than what it requires.

Baseline

A baseline is the minimum acceptable level of security, i.e. it bounds the level of risk the organisation is willing to accept. Standards, together with the controls that implement them, form the baseline.

Procedure

A procedure describes, step by step, how a task is performed so that it works as intended. It should be unambiguous and should meet the applicable standards, and therefore comply with policy.

Business Case

A business case is used to capture the business reasoning for initiating a project or a task.

3 thoughts on “ISG: Information security governance”

  1. `Key Risk Indicators`: Defined as measures that, in some manner, indicate when an enterprise is subject to risk that exceeds the defined risk level.

  2. `Effective KRIs`: Which measures will serve as effective KPIs?
    1. Highly relevant
    2. Possess a high probability of predicting or indicating an important risk.
    Criteria to evaluate an effective KPI:
    1. Impact: Indicators for risks with high potential impact are more likely to be KRIs.
    2. Effort to measure, implement and report: For different indicators of equivalent sensitivity to changing risk, the ones that are easier to measure.
    3. Reliability: High correlation with the risk, and a good predictor or outcome measure.
    4. Sensitivity: Accurately indicating variances in the level.

  3. What is the entitlement review process?
    An `entitlement review` is part of a standard access control process and user account management. The entitlement review involves a `recurring review of access rights, or permissions` for all of an organisation’s employees and vendors.

    Typically, an `entitlement review` will include a review of user roles, access rights and privileges.
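The comment above describes the entitlement review as a recurring comparison of what users and vendors actually hold against what their roles entitle them to. The script below is an added example (not part of the original page or its comments) of the core of such a review: it checks a constructed account inventory against a constructed role-to-permission baseline and flags excess privileges, accounts whose role has no approved baseline, stale accounts and missing manager attestation. The role names, permission strings and the 90-day staleness threshold are assumptions chosen for illustration.

```python
"""Entitlement review: compare granted permissions against an approved role baseline.

Added example, not the original page's code. All data below is constructed;
ROLE_BASELINE stands in for an organisation's approved access model and
ACCOUNTS for an export from an identity provider or directory.
"""
from datetime import date

# Constructed role baseline: the permissions each role is approved to hold.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "dba": {"db:read", "db:write", "db:admin"},
    "vendor": {"repo:read"},
}

# Constructed account inventory. "manager_attested" records whether the
# account's manager confirmed the access in the current review cycle.
ACCOUNTS = [
    {"user": "alice", "role": "developer",
     "perms": {"repo:read", "repo:write", "ci:run"},
     "last_login": "2024-05-30", "manager_attested": True},
    {"user": "bob", "role": "developer",
     "perms": {"repo:read", "repo:write", "ci:run", "db:admin"},
     "last_login": "2024-05-28", "manager_attested": True},
    {"user": "carol", "role": "dba",
     "perms": {"db:read", "db:write"},
     "last_login": "2023-11-02", "manager_attested": False},
    {"user": "acme-svc", "role": "vendor",
     "perms": {"repo:read", "repo:write"},
     "last_login": "2024-05-01", "manager_attested": False},
    {"user": "dave", "role": "contractor",
     "perms": {"repo:read"},
     "last_login": "2024-05-20", "manager_attested": True},
]

# Fixed review date so the example is deterministic (assumption).
REVIEW_DATE = date(2024, 6, 1)


def review_entitlements(accounts, baseline, today, stale_days=90):
    """Return a list of (user, finding, detail) tuples.

    Findings raised:
      unknown_role        - role has no approved baseline; every permission is
                            treated as excess because nothing approves it
      excess_privilege    - permissions held beyond the role's baseline
      stale_account       - no login for more than stale_days
      attestation_missing - manager has not confirmed the access this cycle
    Missing (under-provisioned) permissions are a helpdesk matter, not a
    security finding, so they are not reported here.
    """
    findings = []
    for acct in accounts:
        approved = baseline.get(acct["role"])
        if approved is None:
            findings.append((acct["user"], "unknown_role", acct["role"]))
            approved = set()

        excess = acct["perms"] - approved
        if excess:
            findings.append((acct["user"], "excess_privilege",
                             ",".join(sorted(excess))))

        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > stale_days:
            findings.append((acct["user"], "stale_account", f"{idle_days}d"))

        if not acct["manager_attested"]:
            findings.append((acct["user"], "attestation_missing", ""))
    return findings


def run_sample_review():
    """Run the review over the constructed data with the fixed review date."""
    return review_entitlements(ACCOUNTS, ROLE_BASELINE, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding, detail in run_sample_review():
        print(f"{user:10} {finding:20} {detail}")
```

In a real review the inventory would be pulled from the directory or IdP and the baseline from the role model; the point of the comparison is that every finding is either revoked or explicitly re-approved, so that the review closes rather than merely producing a report.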

