1. Establish
Identify business objectives
Obtain management support
Select proper implementation scope
Define risk assessment methodology
2. Implement and Operate
Manage risks through Risk Treatment Plan
Design policies and procedures as appropriate to manage risks
Allocate resources and train staff
3. Monitor and Review
Monitor Information Security Framework implementation
Prepare for audit review
4. Maintain and Improve
Conduct periodic reassessment audits for continual improvement
Take corrective actions
Take preventative actions