The use of technology has applied in all areas of Polri's duties. However, the use of this technology does not yet have a level of capability in information security management. For this reason, it is necessary to design recommendations and an ideal information governance roadmap based on COBIT 2019 and ISO/IEC 27001: 2013 concerning Information Security Management Systems (ISMS). The design is carried out based on six stages in the Design Science Research Methodology (DSRM) in the form of identify problems and motivate, define objects of a solution, design and development, demonstration, evaluation, and communication. By mapping ISO/IEC 27001: 2013 into COBIT 2019, 29 domains of the 2019 COBIT core model selected which became the basis for designing and assessing the level of information security management capability at Ditreskrimsus Polda XYZ. The formulation of recommendations considered the assessment results. It produced the model of organizational structure, human resources, and policies and procedures that must be applied to Ditreskrimsus Polda XYZ in the form of a roadmap starting in 2021-2025 in managing information security. This research contributes to producing an information security governance design.