# Governance vs Management

One-sentence definition: Governance sets direction, policy, and oversight; management plans, builds, runs, and monitors to achieve objectives.

## Key Facts

- Governance: define risk appetite, approve policies, ensure accountability.
- Management: implement controls, allocate resources, meet SLAs.
- Metrics roll up from management to governance dashboards.
- Escalation: out-of-tolerance issues go to governance for decisions.
- Framework examples: COBIT distinguishes Govern vs Manage domains.
- **Roles:** board/executives vs managers/teams.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose whether a decision is governance or management in scenario items.

**Mnemonic:** “Govern = Decide; Manage = Do.”

## Mini Scenario

Q: Who approves the enterprise encryption standard?

A: Governance body/executive sponsor (with management drafting).

## Revision Checklist

- Provide 2 actions per side (govern vs manage).
- Identify who sets risk appetite.
- Map a KPI to a governance question.

## Related

[[Security Governance]] · [[Security Policy Hierarchy]] · [[Risk Management Lifecycle]] · [[Security Metrics, KPIs, KRIs]] · [[Compliance and Regulatory Concepts]] · [[Domain 1 - Index]]