Shall we discuss concepts of Information Governance (IG) and Information Security (IS) and their importance in information management to your organisation?


A strong governance network is an essential part of the success of any company. As information governance (IG) can have a broad definition, this literature review will narrow it down to the leadership practices that comprise integrity, efficiency, control, risk management, compliance and secure disposal of information (Nolan and McFarlan, 2005), (Benfeldt, 2017), (Laudon and Laudon, 2020). Before going any further, some aspects of this concept need clarifying: information is data in context (Boisot, 2004) and data is the “raw material”; governance requires the highest level of accountability and strategic thinking, and always finds a way of monitoring and achieving organisational goals (Weber et al., 2009).

Similarly, information security (IS) extends the IG definition and adds aspects of confidentiality, integrity and availability; it considers IG’s legal and regulatory implications. Hagen et al. (2008) defined IS as the activity in charge of ensuring that business information is protected and capable of guaranteeing its continuity while reducing its risks, maximising opportunities, and providing a higher ROI.

One may argue that both concepts (IG and IS) must also follow corporate governance (CG) principles and should be seen as coequals within the information framework. Many researchers have seen IG as part of the CG methodology, strongly driven by the compulsory force of the CG rules and emphasising its technical control (Moulton and Coles, 2003), (Posthumus and Von Solms, 2004). Therefore, from this perspective, IG and IS are the most potent elements for an organisation to take care of its security systems by ensuring that they all comply with the organisation’s priorities.

If we look at the IG framework separately, one can argue that IG can serve as a tool for risk reduction. It provides the structure to organise information and consequently allows a company to climb the information ladder described by Longworth (1996), where information (what) becomes knowledge (how), supporting productivity enrichment, the elimination of waste (wasted time, money and resources), business efficiency and development (wisdom). Wisdom then becomes the means of understanding the information and the most crucial business tool, not only to determine “what” to do but “when” to do it (Savoie, 2012). In other words, the main objective of IG is to increase efficiency speed or, what amounts to the same, to boost the effectiveness of decision-making by making better use of information to create value, reduce costs and minimise risks (Hagmann, 2013). Many researchers see IG as the art of working with major stakeholders in an honest and trustworthy manner (Laudon and Laudon, 2020), (Blair, 2011). The concept was first introduced in a book called “Information Nation” (Kahn and Blair, 2004), which drew a strong similarity between managing information and other business responsibilities such as (1) governance, (2) risk management (including risk tolerance) and (3) compliance. In their earliest description of IG, Kahn and Blair (2004) also defined information management compliance (IMC) as an oriented-approach concept responsible for handling theories such as the organisation’s information life cycle and business activities, which now all rest under the IG framework.

IG’s importance relies on the understanding that organisational sustainability cannot be achieved without harnessing organisational information. The concept pays particular attention to making managers comprehend the consequences of information mismanagement (losing business value, slowing down organisations, unnecessary risks) and the importance of building the necessary cross-functional IG business efforts for information management to be reliable. IG’s value rests on the concept’s ability to make leaders recognise that, when it comes to productivity, risks and costs, in the words of Newton, “every action has an equal reaction”; therefore, carefully considering every piece of information that can pose risks, create costs, or decrease value is the only answer to gain competitive advantage (Blair, 2011).

Information security, on the other hand, does not rely only upon the technological context. Thus, many researchers have paid particular attention to its technical side and how it is managed. Soomoro et al. (2016) found that numerous managerial activities related to development, execution, awareness and compliance (IT infrastructure management/alignment, well-created information security policies), among others, have a powerful impact on how managers manage the quality of information security. Datskovsky (2009) also argued that a proper information security governance process allows employees to receive reliable information at all levels. Some other researchers have stated the importance of linking information security to organisational security culture and have argued for the significance of developing more empirical research on the power of information sharing, security knowledge, and security policies within IS studies (Hafizah et al., 2015).

IS and the system that supports it are significant business assets. Managers need to understand that looking into the quality of the information is of pivotal importance when assessing the requirements of IS. This quality needs to be protected and maintained to ensure security. Vermeulen and Rossouw (2002) provided three essential requirements of IS as the central aspect of preserving its security: (1) confidentiality and data protection, (2) information accuracy and trustworthiness, and (3) availability. They discussed the importance of not confusing an organisation’s IT security infrastructure with the assessment of the organisation’s information protection. They also extended their argument by stating the necessity of being ethical when dealing with IS, touching on basic ethics concepts such as responsibility, accountability and liability. One may argue that ethics is not the only issue when managing IS. Laudon and Laudon (2020) have raised awareness of the political and legal matters that mismanagement of IS can give rise to and the moral dimensions to bear in mind when dealing with its protocols.

The question here is: how are your IG and IS working together to achieve your organisational success?

© We Dance Agency