IVI Framework Viewer

Governance Structures

A3

Establish governance structures for information security management. Define the scope of information security management governance bodies, and outline decision rights and authorizations. Establish reporting arrangements, audit log designs, issue escalation protocols, and rules to govern and control the application of information security management authority within the organization.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Governance Structures at each level of maturity.

2 Basic
  Practice
    Establish an informal governance body/working group for information security management with participants mostly from senior management.
  Outcome
    A basic governance model for information security management can emerge, and awareness of the need for appropriate governance of information security management is highlighted.
  Metrics
    • % of IT managers participating in governance body.
    • % of business unit managers participating in governance body.

3 Intermediate
  Practice
    Establish a formal governance board for information security management as part of overall governance, with participants from senior management and the most information-intensive business units.
  Outcome
    A formal governance model for information security management can be agreed by relevant stakeholders, and structures put in place to assist with oversight and control.
  Metrics
    • % of IT managers participating in governance body.
    • % of business unit managers participating in governance body.

4 Advanced
  Practice
    Share responsibility for governance of information security management across a cross-functional governance board, with relevant participants from across the organization.
  Outcomes
    • The governance model for information security management seamlessly fits with the organization's culture.
    • All decisions and issue escalations can be promptly addressed and appropriately delegated.
  Metrics
    • % of IT managers participating in governance body.
    • % of business unit managers participating in governance body.

5 Optimized
  Practice
    Continually refine the governance model for information security management to reflect the latest recommendations from industry, security agencies, and research.
  Outcomes
    • Governance structures are always kept effective and relevant.
    • The governance model for information security management seamlessly fits with the organization's culture, management structure, and legally mandated criteria, and facilitates both the agility needed for the business and the controls necessary for the safe use of data and information.
  Metrics
    • Frequency of review cycle.
    • # of revisions to the governance model per time period.
    • % of IT managers participating in governance body.
    • % of business unit managers participating in governance body.