ABSTRACT
Before describing information security governance, we
need at least an overview of corporate governance as a
context. Fundamentally, corporate governance concerns
the means by which managers are held accountable to
stakeholders (e.g., investors, employees, society) for
the use of assets and by which the firm’s directors
and managers act in the interests of the firm and
these stakeholders. Corporate governance specifies the
relationships between, and the distribution of rights and
responsibilities among, the four main groups of participants
in a corporate body:
Board of directors
Managers
Workers
Shareholders or owners
The edifice of corporate governance comprises the national
laws governing the formation of corporate bodies, the
bylaws established by the corporate body itself, and the
organizational structure of the corporate body. The objective
of corporate governance is to describe the rules and
procedures for making decisions regarding corporate
affairs, to provide the structure through which the corporate
objectives are set, to provide a means of achieving the
set objectives, and to monitor the corporate performance
against the set objectives.