# Security Governance

Backlink: [[Domain 1 - Index]]

**Definition:** The system by which executive leadership directs and controls security to align with business objectives, risk appetite, and legal obligations.

## Key Facts

- Board and senior management own risk; security leaders enable and report.
- Aligns security strategy with corporate strategy and enterprise architecture.
- Policies/standards define expectations; oversight via audits and metrics.
- **Frameworks:** ISO/IEC 27001, NIST CSF, COBIT guide governance practices.
- Tone at the top: culture, ethics, and accountability start with leadership.
- Governance → management: “what and why” vs. “how and when.”
- **Verify:** check official (ISC)² CBK and current exam outline.

>[!tip] **Exam Relevance**
> - Questions on accountability (board), alignment, and policy hierarchy
> - Distinguish governance (direction) from management (execution)

>[!note] **Mnemonic**
> - “Guide, Align, Oversight (GAO)”

### Example

Q: Who is ultimately accountable for risk?
A: Senior management/board.

## Revision Checklist

- [ ] Contrast governance vs. management
- [ ] Name 2–3 governance frameworks
- [ ] State who owns risk and policy approval
- [ ] Explain tone-at-the-top significance

## Related

[[Control Frameworks (ISO/IEC 27001, NIST, COBIT)]] · [[Security Program Management (PDCA)]] · [[Security Policy Types]] · [[Security Metrics, KPIs, and KRIs]] · [[Risk Appetite and Tolerance]]

#cisSP #domain-1 #concept