Governance, management, standards, and control frameworks


This is an important lesson and is relevant for many roles in the field of cybersecurity. The concepts and the standards briefly illustrated here will help you to understand:

  1. “How can I manage the conflicting demands of effective risk management, cost and regulatory scrutiny?”

  2. “How do I gain comfort that I am made aware of all key risks and issues?”

  3. “How do I effectively oversee the constantly changing regulatory environment, regionally and globally, divisionally and functionally impacting my business?”

  4. “How do I gain reliable assurance that risks are being managed to an acceptable level?”

  5. “How do I make sure everyone understands their roles and does what is needed to maximise the opportunities for the business?”

Learning objectives

The answers to all these questions fall under the umbrella of governance standards and control frameworks. All the items covered are listed below.

Governance standards and control frameworks

A large number of Business Governance Frameworks exist in a national and international context. They affect various geographical regions and apply to different industry sectors. There are guidelines for business governance in every country – however, not all are formulated as regulations of the governing law, some are only generally accepted norms of conduct.

Presented here is a set of principles for corporate governance. Note that the list below contains only a selection of well-known frameworks and standards, not all of them. This list is relevant for the Certified Information Security Manager (CISM) certification examination.


The Payment Card Industry Data Security Standard (PCI-DSS) is for organizations that handle branded credit cards from the major card schemes.

The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.


The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, meaning that people from within the organization assume responsibility for setting the organization’s security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small organizations (fewer than 100 people).


The Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology management and governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Business and IT goals are linked and measured to create clear responsibilities for business and IT teams.


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private-sector organizations. COSO is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO goals apply to the entire organization.


The Information Technology Infrastructure Library (ITIL) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.


The Facilitated Risk Analysis Process (FRAP) analyses one business unit, application or system at a time in a roundtable brainstorm with internal employees. The outcome of the process is an analysis of the impact, with all applicable threats and risks prioritized.

ISO 27001

The ISO/IEC 27001 is an international standard on how to manage information security.

The standard is widely known and provides the requirements to establish, implement, control and improve an information security management system (ISMS). ISO 27001 uses the PDCA model (Plan, Do, Check, Act).

ISO 27002 (From BS 7799, 1/2, ISO 17799)

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization and by the International Electrotechnical Commission, titled Information technology – Security techniques – Code of practice for information security controls.

The standard provides practical advice on how to implement security controls. It defines 10 domains for an ISMS (Information Security Management System).

ISO 27004

ISO/IEC 27004, Information Technology – Security techniques – Information Security Management – Measurement, is part of the ISO/IEC family of information security management system standards, a systematic approach to securing sensitive information. It provides metrics for measuring the success of your ISMS.

ISO 27005

The standard ISO 27005 provides guidelines and techniques for managing information security risks.

ISO 27799

Directives on how to protect PHI (Personal Health Information). It gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).

Defence in Depth

Last but not least we have Defence in Depth, also called Layered Defence or Onion Defence.

The concept of Defence in Depth implements multiple overlapping security controls (defences) to protect an asset (e.g. an information technology system). This applies to both physical and logical controls.

It is intended to provide redundancy in the event that a security control fails or a vulnerability is exploited. Security controls can cover personnel, procedural, technical and physical security for the duration of the system's life cycle.

For example: to get hands-on access to a server console, you may have to go through multiple locked doors, security guards and man-traps.

Another example: to get at data and process it at your own pace, you may need to get past firewalls, routers, switches, the server itself, and the application's security.

By implementing Defence in Depth, you improve your organization’s Confidentiality, Integrity and Availability, because an asset is secured by multiple security controls.


As companies grow, expand their services and evolve over time, they must establish sound governance practices in the management of risk, and ensure the effectiveness and efficiency of their control environment, in order to:

  • facilitate informed decision making;

  • achieve strategic goals; and

  • meet the expectations of both internal and external stakeholders.

Implementing effective governance facilitates information flows so that threats are communicated through the correct forum, defines roles and responsibilities with clear ownership, and, through a common approach, ensures that risk reporting and assurance are provided in a timely way.

Lesson Learned

What we have done here is plant a robust understanding of governance, management, standards, and control frameworks, which will help you to build a solid and relevant set of competencies:

  • Recognises that the organisation has environmental, social and governance responsibilities.

  • Uses reporting frameworks to produce integrated reports.

  • Considers existing laws, regulations and best practice to assess whether the organisation’s governance structure is fit for purpose.

  • Recommends appropriate corporate governance objectives, structures and processes.

  • Understands the purpose, role and responsibilities of the board, its committees and the directors.

Please refer to the resource section for relevant material about this lesson. You will have the opportunity to further expand your knowledge and skills.
