Quiz Entry - updated: 2026.07.05
What are the key steps to getting started with information security in an organization?
Start by getting management on board, then establish processes, define responsibilities, take a holistic view, and implement incrementally.
The five steps:
- Get management on board — Without executive sponsorship, nothing else works (resources, authority, priority)
- Establish an information security process — Make security an ongoing, managed activity rather than a one-time project
- Define responsibilities — Clearly assign who is accountable for what (CISO, data owners, system admins, etc.)
- Take a holistic view of security — Cover people, processes, AND technology — not just firewalls
- Implement step by step, continuously — Don't try to do everything at once; iterate and improve over time
Tip: This maps directly to establishing an ISMS (Information Security Management System) as described in ISO 27001. The iterative approach aligns with the PDCA (Plan-Do-Check-Act) cycle.