...
To make a yearly plan:
The CISO should make his own plan, implement it in the company, check internal (f.i. business) external (f.i. law) changes, check compliancy and make a plan for the next year to implement findings out of the evaluation. Part of the yearly plan will be quarterly or monthly plansactivities.
1.1 Security Improvement Activities
...
| Department | Area | Recurrence | Next Date | Status* |
|---|---|---|---|---|
| Accounting | Logical Access | quarterly | 11 November 2017 | Planned |
| HR system | Logical Access | quarterly | ||
| Datacenter | Physical Access | 2/year | ||
| Quality Management | Risk register | quarterly | ||
| Quality managament | Risk acceptance (system owner/senior management) | 2/year | ||
| Quality management | ASecurity Security management system | annual |
1.3 Awareness and Security training
| Department/role | Training/Awareness | Date | Status |
|---|---|---|---|
| All | How to detect phishing | 4 October 2017 | Completed |
| All | Newsletter/blog on actual events | Monthly | |
| All or targeted groups | Phishing test | bi-monthly | |
| New employees | Initial security training/onboarding | monthly |
1.4 Internal Audit
| Department | Type of Audit | Due date | Status |
|---|---|---|---|
| H.R. | Questionaire | 18 april 2018 | Planned |
...