IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500). IT security governance should not be confused with IT security management. IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations. To learn more about Information Security Governance, see the Information Security Guide's Toolkit on this topic.