Abstract This study aims to analyze the fundamental governance practices of Yemeni banks' information security management systems (ISMS). Therefore, an empirical investigation was performed to define the information security governance (ISG) maturity of banks and make recommendations that allow their administrations to improve security and reduce risks to their businesses. This study uses a mixed qualitative and quantitative approach, convenience sampling, and data collection from 26 experts and specialists in banking information security, in a total of 13 government and commercial banks through a survey. This study adopted Ngwum's maturity framework to develop the study's instrument. It provides empirical insights and identifies the strengths and weaknesses of Yemeni banks' information security management systems' ISG practices. The general level at which bank systems implement ISG requirements was found to be the average basic security maturity level. The results demonstrate that practices at the level of information security management, training, and awareness are the strengths of banks' ISMSs, whereas those of the role and responsibility factors constitute a significant weakness. This study meets the needs identified to assess ISG maturity, includes a detailed discussion on banks' and ISG indicators' strengths and weaknesses, and their implications, and provides the required recommendations. Moreover, these recommendations may help stakeholders in banks formulate more appropriate policies or provide a more effective focus on ISG controversies that are needed to improve the information security situation and reduce the estimated gap in their practices.