Board’s Roles and Responsibilities in Information Security

A majority of board members believe that IT and security executives need to improve the way they report to the Board[1]. What questions should the Board ask when it comes to Information Security? What information should Management provide?

“Oversight” and “monitoring” are terms that are often used to explain Board’s role and responsibilities in corporate governance codes, but these terms might be interpreted differently for each organization, and it might be up to the organization’s management how and what information related to information security they give to the Board. Understanding Board’s role and responsibility will help management, including CISOs, communicate information security in a manner that the Board will find helpful.

Information security governance, including Board’s role and responsibility, is described in standards and frameworks such as Information Technology Governance Institute (ITGI), NCSP Industry Framework for Information Security Governance, CERT Governing for Enterprise Security Implementation, and ISO/IEC 27000 series. The frameworks have in common that information security must be addressed on the highest level in the organization and not only in the IT department[2].

The ISO 27000 series is the main standard used in organizations and the standard ISO/IEC 27014:2020 addresses the governance of information security and sets out the responsibilities of the Board in four governance processes; Evaluate, direct, monitor, and communicate. However, it does not advise on more specific actions on how the Board should operationalize their responsibility and what capability is needed at the board level to maintain that responsibility[3].

To better understand how the Board should operationalize the governance processes, including what resources and competency the Board need, more research and good practice can be found in the following articles and good practice advice:

  • A study based on interviews with over 100 directors who collectively represent more than 200 public companies found key actions the boards can take as they oversee security risks[4]
  • World Economic Forum has developed a set of principles for Boards to exercise the oversight role[5]
  • In the United Kingdom, the National Cyber Security Center government’s technical authority provides guidance and advice on cybersecurity for UK organizations. They have made a “Cyber Security toolkit for Boards”[6]

Based on the framework and good practice for processes and key actions the Board establishes, a set of expectations on reports and information should be agreed upon.

The possible gains of agreeing on these expectations:

  • The Board knows what to expect and which questions to raise
  • Information security risks are “translated” to how they might affect the whole organization and strategic objectives
  • More effective reporting and improved actions
  • Improved tone at the top when it comes to information security
  • Raised awareness throughout the organization
  • Effective reporting lines and improved understanding of roles and responsibilities

The table below suggests what the Board should expect from the administration and what management should expect from the Board.

Process Key action What should the Board expect from management What should management expect from the Board
Evaluate The Board should discuss information security regularly and not be restricted to yearly or semi-annual reports Status on information security KPIs, including resources and competencies in the security organization

Information security concerns in new initiatives and projects
Questions on prioritization of resources

Approval of KPIs

Questions related to information security concern in initiatives before approval
Monitor The Board should have periodic reviews from a third party (internal Audit) to assess the ISMS

Reports from management on information security implications of their activities
Audits on the efficiency of the ISMS

Results of security tests
How management will handle audit recommendations

Plan for improvements
Direct The Board should instruct the organization to implement an ISMS

The Board should require that there is a responsible person for information security such as a CISO and that sufficient funding is given to information security measures

Ensure that the information security risk management process is established and set the organization’s risk appetite
Strategy for information security

Plan for the implementation of an ISMS

Clear roles and responsibilities in security organization

Risk plan for top information security risks
Strategic direction for information security

Follow up on the implementation of ISMS

Question on who is responsible for information security initiatives

Decisions on how top risks should be handled, e.g., cyber risk insurance
Communicate Share best governance practices across institutional boundaries

Collaborating with suppliers, partners, and other organizations on improving cyber resilience

Develop a positive information security culture
Plans for collaborations with suppliers and sector organization

Plan for information security awareness
Questions on how the organization best share knowledge and collaborate with suppliers and partners

Leading with a good example and raise awareness on information security


Corporater Information Security Management software is an enterprise-grade digital tool that enables organizations to establish a centrally managed framework for the governance of information security policies and procedures, enhance defense against cyber-attacks, and safeguard confidentiality, integrity, and availability of data. The solution supports a comprehensive set of tools needed for an efficient information security management, including dashboards, templates, policy and procedures management, controls mapping, workflow automation, risk register, impact analysis, alerts, notifications, and automated reporting.


1 Marks, N. (2019). Making business sense of technology risk. Norman Marks

2 Whitman, M., & Mattord, H. (2018). Management of information security. CENGAGE

3 Leblanc, R., & Fraser, J. (2016). The Handbook of Board Governance: A Comprehensive Guide for Public, Private, and Not-For-Profit Board Members. John Wiley & Sons, Incorporated.

4 Klemash, S., Cordero, P., & Sees, C. (2021). Cyber risk Board oversight. Harvard Law School Forum on Corporate Governance.

5 Clinton, L., Dobrygowski, D., Joyce, S., & Van der Oord, F. (2021). Principle for Board Governance of Cyber risk. World Economic Forum.

6 CSC (2019). Cyber Security Toolkit for Boards. National Cyber Security Center UK