- The well-known "Plan, Do, Check, Act" cycle is followed to achieve a sufficient level of information security, in line with the risk attitude.
- PLAN: Drafting the ICT and information security policy and the associated planning and governance. Training the organization can be part of this.
- DO: Conducting risk assessments and business impact analyses (BIA scores) and initiating improvements.
- CHECK: Assessing your own IT systems and those of outsourcing partners and suppliers.
- ACT: Setting up monitoring and reporting that give insight into the management of ICT risk, so that adjustments can be made where needed.
Substantive Key Points
- The needs of the organization are leading
- Providing insight into ICT risk and its control
- Formulating and implementing policy
- Assessing suppliers
- Enabling monitoring and adjustment