Abstract: Legal governance of enterprise information security is an effective way to ensure national network and information security, defend personal information rights and interests, and promote the industry's "development" in "security". The enterprise information security obligations in China's law are mostly static and tactical, and cannot protect against changeable security risks. Incentive mechanisms for enterprises' compliance with laws and regulations are lacking, and the motivation to comply is insufficient. The popularization of information security culture is also lacking. To solve these problems, we should start from the thinking of legal governance and position "corporate governance" as the focus of the legal governance of enterprise information security. At the level of system design, we should draw on the beneficial experience of American enterprise information security legal governance in legislation supervision and enterprise autonomy, take the basic principles of information security legal governance as the guide, give full play to the role of legislative incentives, encourage all enterprises to establish a mandatory and voluntary information security "corporate governance" structure, attach importance to the implementation of the information security obligations of directors and senior executives, promote the construction of enterprise information security culture, and highlight the value of security culture.