It all starts with a plan. If a Security Program Plan is not developed, documented, and effectively communicated to all stakeholders, an organization risks losing sight of the key components that make up a complete, comprehensive Security Program. An effective Plan should describe the controls the organization has adopted, should serve as the basis for how the Security Program is implemented, and must be maintained on an ongoing basis with management support for continuous improvement. Organizations should avoid making the Plan too complex. An overly complex Plan takes unnecessary time to complete, and it will likely be ineffective if people do not understand it.
Many organizations have found success with a Security Program Planning Policy that also serves as the Security Program Plan. This makes sense, since the policy itself is intended to identify the requirements for implementing and maintaining an effective Plan. Why maintain two documents with the same details? As long as the policy includes every detail the Security Program Plan requires, this is an effective way to achieve two goals with one well-written document.