Three lines of defence

Definition

A governance model that separates security responsibility into three distinct layers: operational management that owns controls (first line), risk and compliance functions that monitor and challenge (second line), and internal audit that provides independent assurance (third line).

Related terms

CISO (Chief Information Security Officer)
The senior executive responsible for developing and maintaining the information security programme. The CISO reports to the board or a board committee...
Audit committee
A sub-committee of the board of directors composed principally of independent non-executive directors, responsible for overseeing financial reporting, internal controls, and the...
First-line controls
Controls owned and operated by the business units and IT functions that process or store information. The first line is accountable for...
Governance, Risk, and Compliance (GRC)
An integrated discipline that combines governance structures, risk management processes, and compliance monitoring into a unified programme. GRC platforms and frameworks allow...
Policy hierarchy
The layered document set that translates governance intent into operational requirements. Tiers typically run: information security policy, topic-specific policies, standards, procedures, and...
Risk appetite
The amount and type of risk an organisation is willing to accept in pursuit of its objectives, as defined by its governing...
Second-line oversight
The risk management and compliance functions, including the CISO office and the risk function, that set policy, monitor control effectiveness across the...
Security governance
The set of structures, roles, policies, and accountability mechanisms by which an organisation directs, controls, and monitors its information security activities. Governance...
Security steering committee
A cross-functional management body, typically chaired by the CISO or Chief Risk Officer, that coordinates security priorities across business units, approves major...

Explained in these topics

  • Security Governance Frameworks Overview: A governance model that allocates accountability across: first line (operational teams that own and manage risk), second line (risk and compliance functions th...
  • Security Governance Structures and Roles: A governance model that separates security responsibility into three distinct layers: operational management that owns controls (first line), risk and complian...
