top of page

A Practical Approach to Setting a Security Governance Structure

Updated: Jun 22, 2022

Secure Forte: A Practical Approach to Setting a Security Governance Structure

According to Forbes, Information Security risks are within the top three risks of every business, therefore they are required to be governed and managed by the executive team.

Straightforward, right? Then why do

most companies fail to achieve a meaningful and practical governance structure when it comes to Information Security?

How can you play your role in securing data across the supply chain if you deal with ambiguity in your organisation's roles and responsibilities?

The purpose of this article is to provide you with basic knowledge and a simplified approach to setting up an Information Security governance structure that is both compliant and value-driven.

Who do we need to get the ball rolling? An easy answer is the whole Executive team. But we don't want an unnecessarily crowd in our board room. We want the most relevant and influential members, including our usual fellows from the C-suite (CEO, CFO, COO, CIO, CRO) and elite members of the shadow government. In the end, it is not about your title but your influence to stop something or make it works. Do not underestimate the power of shadow government.

Once you form a decision team, you should collaboratively identify an Information Security

organisation that, as a foundation, includes the following pillars. You can also use the three lines of defense if your audience is more from risk and audit background but do not allow the meeting to go too far with unnecessary jargon.

Accountable Body

The highest level of the chain of command within the organisation (e.g., Board or Executive Team) must be ultimately accountable for Information Security risks by setting the tone at the top. They need to the stakeholders why Information Security matters to the company and identify a SMART set of Information Security objectives. They should also delegate the responsibilities of Information Security to a competent team(s) or individuals but stay informed on priority risks and mitigation strategies. In the end, accountable means delegate but stay informed, right?

Oversight Body

The Information Security Steering Committee, an oversight body, is a group of senior representatives of the organisation (e.g., IT, Risk, Compliance, Operations, HR, etc.) who are appointed by the Accountable Body to direct, oversee, approve and communicate policies, and make decisions on critical Information Security risks.

Information Security Management (ISM)

The ISM represents competent individuals (e.g., Information Security Manager, Security Administrator, etc.) or teams across the organisation reporting to the Oversight body. The ISM is responsible for implementing, operationalising, monitoring, and improving Information Security controls based on Information Security policies, risk and audit findings, and security best practices.


The Audit function, whether internal or external, assures the Accountable body that

adequate controls are implemented over business processes in compliance with the

Information Security Policy and security best practices. Audit reviews should be conducted

frequently and independently. The audit report on the highlighted issues, recommended

solutions, and the level of compliance is to be submitted to the Accountable body.

At the end of the day, your ability to respond on-the-fly to security threats will largely depend upon the preparedness of your security governance structure. So getting this right is really the first order of business for any growth-minded company.


For press comment or additional information please contact

Mani Amini at Secure Forte 1300 272 182

86 views0 comments


bottom of page