Define your strategy and your security politics.
Identify your important assets and the risks they run.
Implement your security measures.
Continually evaluate your results.