Security governance is considered as the most appropriate method not only to gain control of security processes but also to guarantee alignment with business strategies (Rebollo, Mellado, Fernández-Medina, & Mouratidis, 2015). With increased cyber-attacks, and compliance failures, organizations are moving towards implementing security governance frameworks and standards. Hence, the problem of appropriate selection of adequate security controls and optimal risk treatment relies on international assurance standards (Rebollo et al., 2015). The current information security landscape is moving towards a more strategic approach, commonly referred to as information security governance (Dlamini, Eloff, & Eloff, 2007). Despite this approach, information security governance (ISG) is poorly understood, ill defined, and means multiple things to different people (Moulton & Coles, 2003). Considering the lack of empirical studies related to ISG methodology, the present study aims at complementing the body of literature on information security governance by developing, and empirically testing a theoretical model outlining the methodological process of ISG in an organization. IT governance and IS security is a tightly knit concept. ISG is directly related to three research subjects namely IT governance, corporate governance and information security (Rebollo, Mellado, & Fernández-Medina, 2012). Both security and governance have in common the concepts of trust in an organization and its practices, data safeguards, and operations that rely not only on sound governance practices but also on good security (Wilson, 2007). IT management teams (representing the governance perspective) and IS security management teams are expected to implement the elements of good governance in conjunction (Whitman & Mattord, 2014). Thus, it has been argued that the protection of information as a valuable asset should not be left solely to the chief information officer of an organization, but should be treated as a governance issue (Abu-Musa, 2010). Since information security within an organization encompasses technical, as well as strategic and legal, concerns, information security needs to be addressed as a corporate governance responsibility involving risk management, reporting and accountability on the part of executive leadership and boards of directors (Posthumus & Solms, 2004). In light of this concept, our research will explore the methodological process of integrating and implementing IS security and IT governance into a process model within an organization.