Capability is the ability and capacity that enables an enterprise to achieve a business goal in a certain context. Capability-driven development (CDD) is an approach to capability management that maps a company's capabilities onto information technology (IT) solutions and captures both the context influencing capability delivery and the corresponding capability delivery adjustments, which ensure that goals and previously defined KPIs are achieved in variable contextual situations. CDD allows data integration and interpretation to be separated from the actions that are necessary for reacting to the current contextual situation. This separation of concerns facilitates the creation of more maintainable Information Systems (IS). This paper presents a use case from Riga Technical University that exemplifies the use of CDD in the area of IS governance. The designed capability model includes such elements as data providers and associated measurable properties, context elements, a context set, goals, and adjustments that are performed to ensure that IS security governance goals are reached. The overall objective of the IS security governance capability is to reduce IS security incidents that affect information confidentiality, integrity and availability, while CDD makes it possible to achieve greater maintainability and traceability of the IS governance solution.