Hand pointing towards cybery things Defense

Security Planning 101

I have been thinking about how organisations manage (or do not manage) their security postures from both a governance and management point of view. To help organisations that are just starting on their security improvement journey I thought I have put together a list of activities they may want to have in a forward schedule document (you could even call it a roadmap). It is not going to be all things to all people and different organisations and markets will have different requirements.


  • Review information security management policies
  • Risk Review
  • General Policy Review
  • General Governance Structure Review
  • Roles and Responsibilities
  • Capability Maturity Assessment
  • External Security Audit
  • Physical Security Audit
  • Review Disaster Recovery Plan
  • Review Business Continuity Plan
  • Security Awareness Training Plan
  • PCI Self-Assessment/Audit
  • Incident Response Plan Review (thnx Darren Chapman)

Security Management & Operations

  • Backup and Recovery Testing (sample)
  • Disaster Recover Testing (at least once a year)
  • Incident Response Simulations
    • Simulation
    • Tabletop Exercises
  • Vulnerability Assessments (at least quarterly)
  • Penetration Tests (minimum of once a year but also after any major change to security controls, service architecture or risk landscape)
  • Security Awareness Training (at least once a year)
  • Password audit (at least yearly)

Now there’s loads more I personally would do (see the post Things to try & keep an environment safe) and I would consider this post a MINUMUM list not a recmoended list. In the end business risk managment can pay dividends if you build it into your organisation DNA rather than trying to tack it on (same goes for secops).


I have only really touched the tip of the iceberg with regard to security governance, management, and operations and in my mind the frequencies of some of these activities are too low (hence the minimum rather than recommended statement). Hopefully, this gives people in smaller organisations food for thought. Remember security needs to be relevant and appropriate to your business, how you determine that is important but that is in the hands of the business leadership.

Good luck and may the force be with you!

Leave a Reply