Purpose: This study aims to determine the capability level of information system security in PT. CPPI. In addition, it provides recommendations for enhancing IS security. Methodology: This study used a qualitative approach. The objective of this study was PT. The CPPI, a company in Batam, operates in the fields of Forwarding, Transportation, and warehousing. The interviews were directed to personnel in the IT department. Framework for evaluation using the COBIT 2019 framework. Results: The study results show that the capability level value in the APO12 process reaches level 2 with an average value of 67%, which is the fully achieved level. In addition, in the APO13 process, the capability level reached level 2, with a value of 64%. In the DSS05 process, the capability level is at level 2, with a value of 71%. Finally, in the DSS06 process, the capability level was level 3, with a value of 86%. Limitations: Some management practices and activities from each process domain were not used as questionnaire material. For example, in the APO12 process, only one management practice is revealed, namely APO12.01, Collect Data. Meanwhile, other practices were not disclosed, such as APO12.02 - Analyze Risk, APO12.03 - Maintain a Risk Profile, etc. The author suggests that other research reveals these management practices. Contribution: This study can help companies increase their level of capability in IT governance, especially in the area of information technology security. Achievement targets for capability levels can be realized according to COBIT 2019 standards.