A College needs a good governance in implementation of information technology, especially which related with information security because information is an important asset. Framework which can be used for the preparation of information security governance is COBIT 5 from ISACA. The first step to start the preparation of the governance using COBIT is mapping between the goal of college with enterprise goals (EG), IT Related Goals and domain process COBIT 5. From 15 colleges that have been accredited in West Java (15 Januari 2015), produced 13 EG related for college accreditation A, B and 10 for college accreditation EG C. For a sample in process capability assessment of information security governance, we used Universitas Muhammadiyah Sukabumi (UMMI) as the research object, which is an accredited college C, and EG focused on optimization of business process functionality associated with the alignment of IT goals of IT and business strategy, and 10 processes, i.e EDM01, EDM01, APO01, APO02, APO03, APO05, APO07, APO08, BAI01, BAI02. From the results obtained capability assessment process UMMI value of 7 is on level 0, ie the value of the attribute <15-50% and 3 process closer to fulfillment level 1, ie the interval> 50-85%. Gap analysis results, it turns out that making such UMMI lack of work products (evidence / result) of activities of governance processes deemed to have been executed. To meet the achievement level, it is recommended to perform compliance on each best practice and work products, and can be initiated by creating a guide to information security.