Corporate governance is under pressure after world-wide large-scale scandals, which were caused by inadequate internal control and supervision. Reforms, such as the Sarbanes-Oxley Act, brought changes to the internal control processes and the frameworks that organizations had in place. As a supreme governing body, the board of directors is responsible for internal control and corporate governance. And since the scandals, there is a lot of focus on the boards and how they do their work. Typically, organizations have separate sub-committees within the boards: audit committee, compensation committee, and lastly risk management committee. The boards with risk management committees show due diligence and have stronger risk management expertise, and thus, could show sound and transparent corporate governance to the shareholders.In this project, six board members were interviewed, and financial reports of 16 Norwegian organizations were analyzed. The main focus of the survey was on the perceived expertise in information security, cyber security related challenges, and board sub-committees association. Hilb’s New governance model is used as a theoretical framework to structure the results and understand how Norwegian organizations compare to that framework.In the era of information technology, organizations have to decide how to gain competitive advantage by employing new technology, but at the same time, they should not forget the importance of assessing the risks they are exposing themselves while proceeding with digitalizationThe IT expertise within the board is vital for the correct strategical decisions on new technology, and information security expertise is necessary for the governance of IT risks matching the risk appetite of the shareholders and stakeholders.In Norway, most larger organizations have audit and compensation committees. Additionally, forward-looking firms have included risk management committees as a separate committee, or combined it with the audit committee. Just two organization had board structure close to the New governance model. These organizations also disclosed extensive information on information security incidents and risks. Other reviewed organizations had no risk committees and had no connection to information security strategy. The strategy and security programmes existed within organizations but disconnected from the enterprise strategy.It is beneficial for those organizations to move in the same direction as the two leaders. Particularly important is getting information security expertise into the board of directors. The next step after that is the disclosure of information security report as part of the annual report. Disclosure should include the information security framework and top-level performance indicators. Simply stating that cyber security is a critical risk is not sufficient.An information security model is developed based on the findings from the interviews, reports, and literature. This model is useful to the boards of directors – it shows how information security governance process flows from the board to the organization and back to the board with reporting and relevant metrics.The primary limitation of this project is the number of respondents. Future research should expand the number of respondents and perform sampling in a balanced way representing all sectors and directors with various backgrounds. This data can be used to improve the model and to draw further conclusions.