Implementing an information security governance framework is more than just building the individual components. These components must be developed and implemented in a coordinated manner with buy-in from senior leadership across the organization. The enterprise-wide accepted risk posture and baseline should set and drive all other information security and risk management activities.