Involve top management
The organization's management is responsible for information security and must set the organization's objectives and ambitions in this area.
The management's strategy and support can be broken down as follows:
- Involvement of management
- Develop an information security strategy aligned with the organization's overall strategy, so that it supports the organization's objectives while fully complying with legal and regulatory requirements
- Identify the assets
- Manage risks in order to define priorities and put appropriate measures in place
- Manage the resources allocated to information security and to infrastructure efficiently and effectively, including the assignment of information security responsibilities
- Put in place technical and organisational measures
- Define a long-term plan for regular training and awareness-raising covering the organization and all of its internal and external stakeholders
- Build a culture of security and risk analysis into every project (for example, application development or a new infrastructure or architecture) from the very start ("security by design")
- Have a plan to manage major/serious security incidents and crises
- Have a business continuity plan
- At regular intervals, measure the performance of the actions implemented (the previous points) as well as the evolution of threats and vulnerabilities, to ensure that the objectives are being achieved