The primary function of an information security governance committee is to ensure that security strategies are aligned with business objectives and that risk is managed across the entire enterprise. To achieve this holistic, enterprise-wide perspective, the committee's composition is paramount. Including members who represent various functions (e.g., IT, legal, human resources, finance, operations) ensures that diverse business needs, priorities, and impacts are considered when making governance decisions. This cross-functional structure facilitates organizational buy-in, promotes the integration of security into business processes, and ensures that policies are both comprehensive and practical for the whole organization.

A. Members have knowledge of information security controls.

This is beneficial but not primary; the committee's role is strategic governance, and it can consult with technical experts as needed.

B. Members are business risk owners.

This is very important, but cross-functional representation is a more foundational requirement to ensure the committee has the necessary enterprise-wide viewpoint to govern effectively.

C. Members are rotated periodically.

This is a good operational practice for maintaining committee vitality but is not a foundational consideration for its initial establishment and structure.

1. ISACA

CISM Review Manual

15th Edition. Domain 1: Information Security Governance

Section 1.5.2

"Organizational Structures

Roles

and Responsibilities." The manual emphasizes that an information security steering committee should be composed of senior representatives from various functional areas across the organization to ensure decisions reflect the needs of the entire enterprise and are aligned with strategic objectives.

2. ISACA

COBIT 2019 Framework: Introduction and Methodology. The core principles of the COBIT framework

which underpins CISM concepts

stress a holistic approach to governance. Principle 1

"Provide Stakeholder Value

" and Principle 2

"Holistic Approach

" necessitate a governance structure (like a committee) that integrates representatives from across the enterprise to balance stakeholder needs and achieve enterprise goals.

3. Tassabehji

R. (2005). Information Security Governance: The role of the board and senior management. Proceedings of the 1st International Conference on E-government. This academic publication discusses governance structures

noting that effective information security steering committees require cross-functional membership from senior management to ensure that security policy is driven by business needs and integrated throughout the organization

rather than being isolated within the IT department. (Available via academic databases like IEEE Xplore or ACM Digital Library).