What is InfoSec Governance?

Information Security Governance, or InfoSec Governance for short, is a defined system based upon the ISO standard ISO 38500. This standard, or framework, was built to allow businesses to control and direct their operations when it comes to the management and security of their IT.

When it comes to the management of IT security, the process involves not only the identification and mitigation of risks, but also applying security patches, incident response, the protection of assets and so forth. As part of this management process, businesses also need to decide who is authorised to make decisions when needed, and this forms part of the Governance process.

Implementing Governance within the business allows it to establish a workflow and procedures, so that there is a process in place to maintain assurance and to ensure that any security-related strategies are implemented correctly and on time. The Governance process also ensures that the business complies with any regulations and laws that apply to it, such as the GDPR and the Data Protection Act 2018.

The people responsible for the Governance of the IT framework will also need close working relationships with the other departments of the business, and the backing of the leadership team.

How do you ensure that Governance is implemented correctly?

If your business is new to InfoSec Governance, you may have nothing in place yet. To ensure that the Governance of your information security is implemented correctly, you should look at the following:

  1. Ensure you have the backing and support of the leadership team. Without the weight of leadership behind it, resolving any issues identified may not go as expected or may suffer unneeded delays.
  2. Start with the basics, especially if this is new. You should look at identifying your key stakeholders and who will be responsible for the governance of IT security within the business.
  3. Prioritise your goals by identifying what the problems are and what needs resolving in what order.
  4. Implement processes. If you have no formally documented processes in place, now is the time to design and implement them. If you have some, are they up to date, and are people aware of them?
  5. Communicate. Once you have laid the foundations, ensure that you communicate with the wider business so that everyone knows what is happening, and keep them up to date throughout the year.

With the above implemented, you can start to look at improving the security of the business, but be aware that the 5 stages above won't be the last: you may go on to create steering committees, add more people, define other areas, and so forth.

What’s the difference between Governance and management?

A lot of people may think that Governance and management within a business context are the same. However, you should look at Governance as the role that leads the business with regard to its security. The Governance function identifies objectives and aims to complete them in order to ensure that security. The Governance team provides the direction and control to ensure that processes are completed on time and on budget, whereas management is more in line with the day-to-day running of the business or its operations.