ABSTRACT
Before describing information security governance, we need at least an overview of corporate governance
as a context. Fundamentally, corporate governance concerns the means by which managers are held
accountable to stakeholders (e.g., investors, employees, society) for the use of assets and by which the
firm’s directors and managers act in the interests of the firm and these stakeholders. Corporate
governance specifies the relationships between, and the distribution of rights and responsibilities
among, the four main groups of participants in a corporate body:
- Board of directors
- Managers
- Workers
- Shareholders or owners
The edifice of corporate governance comprises the national laws governing the formation of corporate
bodies, the bylaws established by the corporate body itself, and the organizational structure of the
corporate body. The objective of corporate governance is to describe the rules and procedures for making
decisions regarding corporate affairs, to provide the structure through which the corporate objectives are
set, to provide a means of achieving the set objectives, and to monitor the corporate performance against
the set objectives.