Plan as a verb according to http://www.merriam-webster.com/dictionary/plan
Inflected Form(s): planned; plan·ning
transitive verb: 1. to arrange the parts of : design <plan a new layout>; 2. to devise or project the realization or achievement of <planned their escape>; 3. to have in mind : intend <plans to leave soon>. intransitive verb: 1. to make plans <plan ahead>; 2. to have a specified intention, used with on <plans on going>.
This definition is important to keep in mind when creating the organization's Information Security Plans. A plan is a design made up of other parts, i.e., security policies that follow an organized process of thought and action. Information Security is not a singular entity. It encompasses a myriad of elements that deal with organizational risk, corporate and customer data, access controls, monitoring, and the all-important security of each of these. Information Security Plans, therefore, are the essential backbone of effective security management.
Information Security Plans are usually the foundation by which governing boards and executives are given the opportunity to either address or accept known risk. Without an Information Security Plan, known risks may inadvertently become accepted within the organization.
Using known standards, such as ISO/IEC 27001:2005, as a template for creating the plans can be a beneficial start. Taking a lead from the standard, establishing your Information Security Plans should take into account:
- A framework for setting objectives and establishing an overall sense of direction and principles for action with regard to information security;
- Business and legal or regulatory requirements and contractual security obligations;
- Alignment with the organization's strategic risk management context in which the establishment and maintenance of the plans will take place;
- Criteria against which risk will be evaluated;
- Approval by management; and
- Ongoing continuous review and improvement of the plans.