The Action Plan


CISM: Domain 1 - Module 2

In this course, we start off by looking at constraints that may prevent us from reaching our security objectives before moving on to how to form an action plan. This involves carrying out a gap analysis to see where you are and where you want to be (with regards to information security, of course) and then putting a plan into place to close the gap.

We then need to implement ways to measure progress towards closing the gap and we will look at that in the metrics and monitoring lecture. Finally, we look at the six strategic outcomes which help us to define what success looks like.

Learning Objectives

  • Understand the potential constraints that may impede our security measures
  • Learn how to create an action plan to reach our security goals
  • Learn how to measure progress through metrics and monitoring
  • Understand how we define success

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Manager (CISM) exam or anyone who is simply interested in improving their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


So we come to section 31, Information Security Governance, still Domain 1, and the Action Plan. Part of every program development or strategy conception will be to perform a gap analysis. This is the delta between where you are and where you want to be, or, if the question is compliance, where you must be. This needs to be performed to a reasonable level of detail on each control goal, risk, and impact goal. It should be repeated once a year to capture all the changes or any changes that occur during that period.

One consideration might be to work backwards, starting with the desired state and working your way back to where you are today, the current state. You need to determine the steps required to reach each goal so that you can lay out a program pathway to achieve it. Other methods include CMMI, which can help you assess the gaps and lay out the plan for making it from where you are to where you must be.

Once you've performed your gap analysis, the next step will probably be to develop an action plan to execute a strategy. This will involve developing policies to describe how the gaps, the risks, the threats, the vulnerabilities will all be dealt with.

In developing policies, we will need to conceive what standards will be helpful in ensuring that the policies are properly implemented and that the various standards and metrics are upheld. One of the things that standards help us do is interpret policies and how to apply them.

Standards can also help us measure how we're doing compared to the policy standards that are set and the metrics that are contained therein. These provide a great benefit and a great basis for auditors to come in and check how the program is proceeding and whether or not it's meeting its objectives. These can set boundaries for how procedures and practices will be implemented, how they will be performed, and how they'll be measured. They govern the creation of procedures and guidelines to ensure that the standards are met.

We use these standards also to set security baselines. They reflect what is acceptable, in terms of risk and control goals, and what is not. In the end, these standards that are developed along with the policies must be accepted by the information security management and subsequently by the area or system owner.

There will, of course, be the need to create an exception process so that instead of a standard or a policy, a guideline can be developed that will facilitate meeting the goal, even if an alternate route has to be taken to do so. So as we discussed before, using a governance framework can help answer many of these questions and help us arrive at appropriate conclusions.

The governance framework is oftentimes linked directly with the strategic goals assigned to the enterprise and subsequently to the security framework program itself. Policies that cover strategy, controls, and regulations are included in the framework as well as the specifications for how they should be described and implemented.

The security organization should, of course, have the authority and the resources to take the governance framework, implement it, and operate it properly. Part of this will be to develop workflow structures, processes, the metrics, how to determine whether compliance has been met, and how to maintain effectiveness both operationally and in terms of cost. It helps define the cost-effective security program in terms of what will actually be performed and how it will be measured. This ensures an alignment with business goals and protects the information that these business processes prize as high priorities.

One of the things we have to examine is the relationship between each of the components of the governance framework we've chosen. IT security, of course, is a subset of the overall program known as information security.

IT security, of course, is concerned primarily with the information contained within the information systems themselves. Information security is broader in that it governs the information whether it's in a system, or in paper form, or in some other form, in direct use, in motion, or in storage. And in this diagram, you see how it flows from senior management down through physical and electronic security measures.

Now, governance of each, whether it be data in computer form or data in physical form, needs to be separate and yet needs to be aligned to the same set of processes and goals to ensure uniform alignment with the business goals themselves.

So let's look at the interaction of the various governance elements. Senior management, of course, sets the goals for IT and information security, usually separately. The IT goals center on performance and are typically handed off to the CIO and his staff. Goals on risk tolerance and mitigation of information plans oftentimes go to the information security manager.

Now, both tracks need to follow the same steps, ensuring operational alignment and compatibility between IT itself and the information security manager. So these are the typical steps you see in this eight-step process.

Lower management defines outcomes to meet the direction given from the top. They have to therefore define the plan to take the requirements to meet and achieve the outcomes. The objectives are defined based on these requirements. The strategy is then developed to encompass the goals.

A road map is created as to how these goals are going to be met. And then, we develop the structures that underlie it, the policies, the standards, and develop the procedures for the actual performance and achievement of the individual tasks and objectives.

Now, the components, like road maps, are to lead us into their IT counterparts from any other form of information security management. For example, the road map for security is used as an input to the IT road map, something that's separate, a superset of IT security, and then making sure that any impacts of one strategy upon another are worked out and harmonized.

The output of policies and standards feeds into the control selection that will be implemented to ensure the operation meets all of the objectives. These in turn feed into a physical architecture, and the physical architecture in its turn feeds into operational architecture.

Now, the six outcomes that we need are here. Strategic alignment, effective risk management, value delivery, resource optimization, performance measurement, and convergence. And all of these are conceptually the guidelines and framework of any architecture that we employ.

So we have, of course, near-term and long-term goals. The near-term goals for the action plan are gonna be prioritized based on certain things, like the business impact analysis. We have to look at critical resources, and we have to look at the current state of security according to a CMMI gap analysis, as one example. This, of course, has to fit into our strategy in the long-term plan: we need to engage and integrate our near-term activities with the longer-term goals and objectives.

One of the things that we must overcome is these unintegrated solutions. These, which are sometimes called point solutions, can become costly and very difficult to manage, especially if they don't align with the overall strategy. And so these will require analysis and perhaps adaptation or elimination and change in the event that they don't correspond to proper outcomes and operations within the strategy itself.
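The gap analysis and prioritization the lecture describes (current state versus desired or mandated state per control goal, near-term steps ranked by compliance shortfall and business impact, and a metric for progress toward closing the gap) can be made concrete in a small script. The following is an added example written for this page; it is not course material from the lecture, CMMI or ISACA. The control names, maturity ratings, compliance minimums and impact scores are constructed, hypothetical values, and the CMMI-style level names are used only as labels.

```python
"""Gap analysis and action-plan prioritization over a constructed control assessment."""
from dataclasses import dataclass

# CMMI-style maturity labels used to rate each control goal (0 = nonexistent, 5 = optimizing).
MATURITY_LEVELS = {
    0: "nonexistent", 1: "initial", 2: "repeatable",
    3: "defined", 4: "managed", 5: "optimizing",
}


@dataclass
class ControlGoal:
    name: str
    current: int    # maturity level found by the current-state assessment
    desired: int    # maturity level the strategy wants ("where you want to be")
    required: int   # minimum level mandated by compliance ("where you must be"), 0 if none
    impact: int     # business impact analysis rating, 1 (low) .. 5 (critical)

    def target(self) -> int:
        # The compliance floor overrides a lower strategic target.
        return max(self.desired, self.required)

    def gap(self) -> int:
        # Delta between current state and target state; never negative.
        return max(0, self.target() - self.current)

    def compliance_gap(self) -> bool:
        # True when the control sits below its mandated minimum.
        return self.current < self.required


def prioritize(goals):
    """Return goals that still have a gap: compliance shortfalls first,
    then by impact-weighted gap (largest first), then by name for a stable order."""
    open_goals = [g for g in goals if g.gap() > 0]
    return sorted(open_goals,
                  key=lambda g: (not g.compliance_gap(), -(g.gap() * g.impact), g.name))


def action_plan(goals):
    """Near-term plan: one step per maturity level to climb, in priority order."""
    steps = []
    for g in prioritize(goals):
        for level in range(g.current + 1, g.target() + 1):
            steps.append(f"{g.name}: raise from {MATURITY_LEVELS[level - 1]} "
                         f"to {MATURITY_LEVELS[level]}")
    return steps


def gap_closure(baseline, reassessment):
    """Progress metric for the yearly repeat: share of the baseline gap closed (0.0 .. 1.0)."""
    before = sum(g.gap() for g in baseline)
    after = sum(g.gap() for g in reassessment)
    return 1.0 if before == 0 else (before - after) / before


# Constructed sample assessment (hypothetical values, not from any real program).
SAMPLE_GOALS = [
    ControlGoal("access control", current=2, desired=4, required=3, impact=5),
    ControlGoal("incident response", current=1, desired=3, required=0, impact=4),
    ControlGoal("security awareness", current=3, desired=3, required=0, impact=2),
    ControlGoal("backup and recovery", current=3, desired=4, required=3, impact=5),
]

if __name__ == "__main__":
    for g in prioritize(SAMPLE_GOALS):
        flag = " (below compliance minimum)" if g.compliance_gap() else ""
        print(f"{g.name}: gap {g.gap()}, impact {g.impact}{flag}")
    for step in action_plan(SAMPLE_GOALS):
        print("  -", step)
```

Because the compliance floor is folded into the target, a control that is below "where you must be" is always ranked ahead of one that merely falls short of "where you want to be", regardless of impact score; the impact weighting only orders the remaining, discretionary gaps. Re-running `gap_closure` against a fresh assessment gives the single number the metrics and monitoring lecture asks for.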

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.