Write Information Security Management Policy

Write Information Security Management Program document
- Establish any frameworks
- Establish scope of program (organizational, business unit, information system)
- Establish product and boundaries
- Establish required control domains, which determine policy and procedure requirements, does not include writing policies and procedures

Program management controls
- Write controls
- Tailor to customer organization/BU/system
- Provide implementation guidance

Program management control monitoring
- Establish frequencies
- Establish audit trail for activities
- Create alerting for upcoming activities