What the framework should cover
- Management of all cyber and information security activities.
- Making sure activities are relevant to prevailing and potential risk and timetabled effectively.
- Decisions on the investments most relevant to the organisation.
- Compliance with relevant prevailing legislation and best practice.
- Establishing and cascading a culture of security and safety.
- Measurement against objectives.
It is vital that the framework and strategy are reviewed and, where necessary, updated either periodically (at intervals to be determined in the framework) or as needs arise. This allows for changes in business model, company growth, working practices, mergers and acquisitions, technology updates/upgrades, globalisation and, of course, the evolving threat landscape.