...
The CISO should make their own plan, then implement it in the company, then check for internal (for instance, business) and external (for instance, legal) changes, and then check compliance and make a plan for the next year to implement the findings from the evaluation.
Establish an ISMS
...