Governance

Governance is the framework of policies, procedures, and organizational structures that direct and control security activities. It ensures security aligns with business objectives, resources are allocated appropriately, risks are managed consistently, and accountability is clear. Governance comes from the board and executive leadership, not the IT department.

Security governance includes defining security strategy, establishing policies and standards, creating organizational structures with clear roles, and implementing oversight mechanisms. Effective governance treats security as a business issue, not just a technical problem.

CISSP Relevance

Domain 1 (Security and Risk Management) heavily emphasizes governance concepts. Understand governance frameworks, the role of senior management and the board, policy hierarchy (policies, standards, procedures, guidelines), and how governance enables consistent security across the organization. The CISSP perspective is managerial, not just technical.

NIST's governance guidance is provided in the NIST Cybersecurity Framework.

Related terms: Security Policy, Compliance