It all starts with a plan. If a Security Program Plan is not developed, documented, and effectively communicated to all stakeholders, organizations run the risk of losing focus on the necessary key components that make up a complete, comprehensive Security Program. An effective Plan should contain information about the controls adopted by the organization, should be the basis for how the Security Program is implemented, and must have ongoing maintenance as well as management support for continuous improvement. Organizations should avoid making the Plan too complex. An overly complex Plan will take unnecessary time to complete. It will also likely be ineffective if people do not understand it.

Your documented Security Program Plan should be appropriate for the size and complexity of your organization. It should be defined based on the mission, objectives, stakeholders, and activities of your organization. Ensure your Plan is disseminated to all affected personnel to provide insight into the requirements for the Security Program. Be sure to assign someone the responsibility of ensuring the Security Program Plan is reviewed and appropriate updates are made at least annually. Stale documentation is the worst enemy of an audit, exam, or assessment. You need to ensure all Security Program documentation is kept current.

Many organizations have found success with implementing a Security Program Planning Policy that also serves as the Security Program Plan. This makes sense as the policy itself is intended to identify the requirements needed to implement and maintain an effective Plan. Why maintain two documents with the same details? As long as the policy includes all appropriate details needed for the Security Program Plan, this is an effective way to achieve two goals with one well-written document.