When is industry self-regulation (ISR) a legitimate form of governance? In principle, ISR can serve the interests of participating companies, regulators and other stakeholders. However, in practice, empirical evidence shows that ISR schemes often under-perform, leading to criticism that such schemes are tantamount to firms marking their own homework. In response, this paper explains how current management theory on ISR has failed to separate the pragmatic legitimacy of ISR based on selfinterested calculations, from moral legitimacy based on normative approval. The paper traces three families of management theory on ISR and uses these to map the pragmatic and moral legitimacy of ISR schemes. It identifies tensions between the pragmatic and moral legitimacy of ISR schemes, which the current ISR literature does not address, and draws implications for the future theory and practice of ISR.