CISSP · Security and Risk Management · 10 min read · 14 May 2026
Security Governance: Aligning Security to Business Strategy
Security governance is the set of responsibilities and practices exercised by the board of directors and executive management to provide strategic direction, ensure objectives are achieved, manage risk appropriately, and verify that enterprise resources are used responsibly. For the CISSP exam, governance is the conceptual layer above security management — it is about accountability structures, policy frameworks, and the alignment of security objectives with business objectives.
This article covers the governance concepts that appear most frequently in CISSP Domain 1: the organisational reporting structure for security, due care versus due diligence, control frameworks, and how to handle governance in acquisition and divestiture scenarios.
Why the CISO Reports to the Board, Not IT
This question appears — directly or indirectly — in multiple CISSP exam scenarios: who should the Chief Information Security Officer report to?
The answer the exam wants is the board of directors or the Chief Executive Officer, not the Chief Information Officer. The reason is fundamental to governance thinking. If the CISO reports to the CIO, then the security function is subordinate to the IT function. This creates a conflict of interest: the CIO is responsible for delivering IT projects on time and on budget, while the CISO is responsible for managing risk — including risks created by those same IT projects.
When security reports to the board or CEO, it achieves organisational independence. The CISO can raise risk concerns without being overruled by the IT budget priorities. The board can hold leadership accountable for security posture as a strategic concern, not just a technical one.
For the exam, whenever a question describes a CISO who cannot escalate concerns effectively or whose warnings are ignored, the governance failure is the reporting structure — security has been subordinated to a function with a competing objective.
Organisational Processes: Acquisitions, Divestitures, and Governance Committees
Governance does not only apply to day-to-day operations — it applies to major corporate events that change the organisation's risk profile.
When an organisation acquires another company, the CISSP mindset is: conduct a security assessment before the deal closes if possible, and immediately after if not. The acquired organisation brings its own systems, policies, users, and vulnerabilities. Until those are understood, the acquiring organisation cannot manage risk it does not know about. The exam frequently tests this with a scenario where an organisation has just completed an acquisition and asks what the CISO should do first — the answer is always to assess the new organisation's security posture before integrating systems.
Divestitures (selling off a business unit or subsidiary) raise the reverse concern: ensuring that the sold entity no longer has access to the parent organisation's systems, data, and intellectual property. Governance requires a clean separation of access, data ownership, and contractual obligations before the divestiture is finalised.
Governance committees — such as a Security Steering Committee or Risk Committee — exist to provide oversight, approve security policies, allocate resources, and adjudicate competing priorities. The exam may test whether you understand that governance committees are a management control, not a technical one.
Due Care vs Due Diligence: The Exam's Favourite Distinction
Few distinctions appear more often in CISSP governance questions than due care versus due diligence. Getting these right is non-negotiable.
Due care means doing the right thing — taking the actions that a reasonably prudent person or organisation would take to protect assets. It is about active effort and implementation. Installing a firewall, training employees on phishing, encrypting sensitive data — these are examples of due care.
Due diligence means proving that you did it — conducting the research, assessment, and documentation to verify that your due care actions are appropriate and effective. It is about investigation and evidence. Conducting a risk assessment before selecting controls, reviewing vendor security practices before signing a contract, and maintaining audit logs are examples of due diligence.
The exam tests this distinction in both directions. A scenario describing an organisation that implements security controls without first assessing whether they are appropriate is exercising due care but failing at due diligence. A scenario describing an organisation that conducts detailed security assessments but never implements the recommended controls is exercising due diligence but failing at due care.
A common exam phrase: "A company was found liable because they knew about a vulnerability but did not patch it." This is a failure of due care — they had the knowledge (arguably due diligence was done) but did not act on it.
Control Frameworks: ISO 27001, NIST CSF, COBIT, SABSA, PCI, and FedRAMP
The CISSP exam expects you to know the major control frameworks — not as a deep technical expert, but well enough to select the appropriate framework for a given context.
ISO/IEC 27001 is an international standard for Information Security Management Systems (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. ISO 27001 certification requires a formal audit by an accredited body. It is internationally recognised and commonly required in contractual obligations, particularly in Europe and APAC regions.
The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the US National Institute of Standards and Technology. It organises security activities around five functions: Identify, Protect, Detect, Respond, and Recover. The NIST CSF is widely used in US government and critical infrastructure contexts, though it has gained global adoption. It is risk-based and highly flexible.
COBIT (Control Objectives for Information and Related Technologies) is a framework from ISACA focused on IT governance and management. Unlike the other frameworks, COBIT is primarily concerned with aligning IT with business goals and ensuring accountability. It is the framework most aligned with the governance lens that the CISSP exam takes.
SABSA (Sherwood Applied Business Security Architecture) is an enterprise security architecture framework that starts from business requirements rather than technical controls. It is most relevant in large enterprise architecture contexts.
PCI DSS (Payment Card Industry Data Security Standard) is a contractual standard required of any organisation that processes, stores, or transmits cardholder data. It specifies a detailed set of technical and operational requirements. On the exam, PCI DSS appears in scenarios involving payment card data or retail environments.
FedRAMP (Federal Risk and Authorization Management Program) is the US federal government's standardised approach to cloud service security assessment and authorisation. It is relevant for any cloud service provider seeking to serve US government agencies.
For exam scenarios: ISO 27001 when the question involves international certification or ISMS; NIST CSF when the question involves US government, critical infrastructure, or a flexible risk-based approach; COBIT when the question is about IT governance or business alignment; PCI DSS when payment cards are mentioned; FedRAMP when US federal cloud services are mentioned.
Scenario: As CISO, Your FIRST Step After an Acquisition Is…
This scenario type tests whether you default to technical actions or governance actions. The correct first step is always a risk assessment or security due diligence review — not deploying new firewalls, not merging Active Directory, and not training users on the new security policy.
Why? Because without understanding the risk landscape of the acquired organisation, any technical action could be premature, misdirected, or create new vulnerabilities through premature integration. Governance first, implementation second.
The exam answer hierarchy for post-acquisition scenarios is: assess first, plan second, implement third.
Governance vs Management vs Operations
A distinction that appears implicitly throughout Domain 1: governance, management, and operations are three separate layers.
Governance sets direction and accountability — it belongs to the board and executive leadership. Management allocates resources and oversees execution — it belongs to the CISO and security management team. Operations implements and executes — it belongs to security analysts, engineers, and administrators.
When the exam describes a governance failure, it is typically about accountability, reporting structure, or lack of senior-level support. When it describes a management failure, it is about resource allocation, risk decision-making, or policy development. When it describes an operational failure, it is about execution — misconfigurations, missed patches, or failed procedures.
Understanding which layer is being tested helps you identify the correct answer. A question about whether the security team has sufficient budget is a governance question (the board decides funding). A question about how to prioritise which systems to patch is a management question. A question about how to implement a specific patch is an operational question.
Exam Tip
Due care means doing the right thing. Due diligence means proving you did it. Know this cold — it appears in governance questions, legal liability questions, and third-party management questions throughout the exam. Whenever the question involves liability, negligence, or legal consequences, ask yourself: Did the organisation take action (due care)? Did they document and verify their actions (due diligence)? Both are required to avoid legal liability.