The vast majority of organizations, and probably every SMB, will find they need to draw the line somewhere in between. This paper has been written for that majority. It describes three stages of development along the security risk management path, starting at the beginning.
Stage 1 – Do the security essentials. Every organization should implement at least this minimum set of security controls to give themselves a baseline level of protection. This paper will say what these basic security controls are. Every organization, no matter how small, should at least make sure it gets through to the end of Stage 1.
Stage 2 – Customize the essentials. Before trying to take on a wider range of security controls, customize those basic security controls to maximise the return they provide. This paper will describe how to do that. Every organization should make a start on this second stage, even if it decides not to make it through to the end.
Stage 3 – For those who still have some fuel in the tank, identify where there is a mismatch between security need and security provision and start to fill in the gaps. This paper will show how to go about that.