IT governance and Information Security Management (ISM) are currently topics of great interest to practitioners and researchers alike. In reaction to financial fraud at major US companies, organizations are facing legal pressures and ongoing scrutiny of their overall governance processes, with those efforts increasingly driven by the IT organization. ISM practice is also evolving to help organizations strengthen security governance and develop a security culture that can address growing internal and external threats. Organizations are showing interest in various formal methodologies as reference frameworks for their efforts, and expect the right choice to enhance both IT and security governance. The ultimate choice, however, must fit the organization's context and risk profile, and ISM frameworks are only workable if organizations derive value from them.