Usually, a formal ISG program is required to promote information assets safeguarding. ISG programs should ensure the Control Objectives for Information and related Technology (COBIT) framework confidentiality, integrity, availability, compliance, and reliability information criteria compromise does not occur through gaps in controls. Therefore, the information security program and associated systems, processes, and activities need regular quality and compliance assessments. Monitoring and evaluating information security drives assurances provided or obtained through due care and due diligence as well as enables managerial fiduciary oversight expectations fulfilment. Planning and organizing are essential to organizational cohesiveness.

ISG usually occurs at different organizational strata, with team leaders reporting to and receiving direction from their managers, with managers reporting up to an executive, and the highest-level executive conferring with and receiving instruction from the entity's oversight committee. Information that indicates deviation from targets will usually include recommendations for action requiring endorsement by the entity's oversight layer. Transparently, this approach is ineffective unless strategies, objectives, and goals development and deployment occur first within the entity's organizational structure.

Within an enterprise's organizational structure, providing acceptable service delivery necessitates the installation of an effective support system. Information security service delivery and support may range from operational protection deployment to crisis response training. However, assessing changes in, and maintenance of, existing systems are critical security service components contributing to delivering value. Required information protection changes and maintenance inducement can occur through various problems encountered by users or deliberate attacks on the established information security architecture.

Instituting and sustaining information security governance (ISG) requires comprehensive planning and organizing; robust acquisitions and implementations; effective delivery and support; as well as continuous monitoring and evaluation to address the myriad of managerial, operational, and technical issues that can thwart satisfying an enterprise’s declared mission. Consequently, information security requires an adaptive balance between sound management and applied technology. Sound management enables assuring adequate asset safeguarding while applied technology can introduce efficiencies for addressing potential external or internal threats. Information security design, deployment, and assurance require dedication to continuous improvement to ensure optimum effectiveness and efficiency. Whereby, confirmation of compliance with legislation, regulations, policies, directives, procedures, standards, and rules enable asserting superior ISG. Nonetheless, monitoring and evaluating the current state of implemented controls may take a variety of forms; including control self-assessments and information technology (IT) audits. Furthermore, an IT auditor may not be the individual who executes an organization’s information security internal control review (ICR). However, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding, coupled with prompt corrective actions can mitigate civilly and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.