ABSTRACT

Before describing information security governance, we need at least an overview of corporate governance as a context. Fundamentally, corporate governance concerns the means by which managers are held accountable to stakeholders (e.g., investors, employees, society) for the use of assets and by which the firm's directors and managers act in the interests of the firm and these stakeholders. Corporate governance specifies the relationships between, and the distribution of rights and responsibilities among, the four main groups of participants in a corporate body:

• Board of directors
• Managers
• Workers
• Shareholders or owners

The edifice of corporate governance comprises the national laws governing the formation of corporate bodies, the bylaws established by the corporate body itself, and the organizational structure of the corporate body. The objective of corporate governance is to describe the rules and procedures for making decisions regarding corporate affairs, to provide the structure through which the corporate objectives are set, to provide a means of achieving the set objectives, and to monitor the corporate performance against the set objectives.