The final step of the exercise is "draft the improvement roadmap." What makes a good security roadmap in this approach, and why is it the last step?
A good roadmap is risk-based and prioritized — it sequences the control gaps (step 6) by the impact and likelihood of the threats they address, so the most important protections come first.
It is last because every earlier step feeds it: the industry and high-value asset (steps 1–2) set context, the threat actor and scenario (steps 3–4) define what you are defending against, the impact estimate (step 5) ranks severity, and the current-vs-desired gaps (step 6) list the work. WHY end here: a roadmap built this way protects "what matters most" with limited budget, and you can show executives a clear, evidence-backed line from each investment to the specific risk it reduces.