Define the principles that underpin the organization's approach to information security management. Define the information security policies and controls to be put in place, taking into account relevant information security standards, legislative and regulatory compliance requirements, contractual obligations, information security objectives, and incident reports.
Develop an information security strategic plan to define how the organization's information security objectives can be achieved, and put the plan into operation.
Establish governance structures for information security management. Define the scope of information security management governance bodies, and outline decision rights and authorizations. Establish reporting arrangements, audit log designs, issue escalation protocols, and rules to govern and control the application of information security management authority within the organization.
Identify the roles required for information security management tasks, and assign employees with the requisite knowledge and experience to those roles. Define the associated responsibilities and assign these to employees who will be accountable for ensuring that information security management objectives are met.
Put in place an information security management training curriculum and other employee developmental mechanisms to enhance the skills and competences of employees in this area.
Establish an information security management-aware culture. Motivate stakeholders, secure their support for key information security management initiatives, and create a shared understanding of how they can help ensure that information security management objectives are met.
Define security requirements for the procurement and supply of hardware, software, data, and cloud and other IT services to satisfy the information security strategy and objectives of the organization.