2. Security Governance

An organization uses an IT governance framework to set direction and policies for monitoring compliance and for how risk decisions will be made.

Risk management follows governance and determines which risks are acceptable to the organization.

Compliance follows from this. It is where security is monitored and where the organization ensures that governance is being followed.

Security governance is built by aligning it with the organization's policy, which includes its mission, values, strategies, and objectives.

Information security governance focuses on integrating information security with processes and organizational resources. Developing this governance is the responsibility of the board of directors and executive management.
