The aim of this paper is to report on how information security governance (ISG) arrangements are framed and shaped in practice. Our objective is to examine the extent to which the similarities and differences in institutional environments can subject organizations to multiple, competing and even contradictory arrangements for ISG. Using an interpretive case based research strategy we investigate how ISG arrangements are framed and shaped in fourteen critical infrastructure organizations in Australia. We explicitly recognize the socio-technical nature of ISG and draw insights from institutional theory. Our findings illustrate the heterogeneity and malleability of ISG across different organizations and highlight the need for an information centric view.