What is Planning in Information Security?
In information security, planning is the foundational process of defining an organization's security
vision, establishing a strategic roadmap, and outlining the specific steps, policies, and procedures
needed to protect its information assets. It is a proactive, systematic, and continuous effort to align
security with business objectives, manage risk, and ensure resilience against threats.
Far from being a one-time event, security planning is a cyclical process that involves strategy,
implementation, operation, and continuous improvement.
The Core Purpose of Security Planning
Effective security planning serves several critical purposes:
1. Align Security with Business Goals: Security should not be a barrier to business but an
enabler. Planning ensures that security investments and controls directly support the
organization's mission, risk appetite, and legal/regulatory obligations.
2. Proactive Risk Management: It shifts the organization from a reactive "firefighting" mode to
a proactive stance, anticipating threats and vulnerabilities before they can be exploited.
3. Resource Optimization: Security budgets, personnel, and technology are often limited.
Planning helps prioritize initiatives based on risk, ensuring resources are allocated to the most
critical areas first.
4. Establishing Accountability and Structure: A clear plan defines roles, responsibilities, and
reporting structures, ensuring everyone knows their part in maintaining security.
5. Ensuring Business Continuity: A key component of planning is preparing for the inevitable
incidents, disasters, and disruptions, so that the organization can continue to operate or
recover quickly.
Key Levels of Security Planning
Security planning typically operates on three interconnected levels, often following a strategic,
tactical, and operational hierarchy.
| Level | Focus | Time Horizon | Key Artifacts | Audience |
|---|---|---|---|---|
| Strategic | The "Why" | Long-term (1-5 years) | Strategic Security Plan, Security Charter, Risk Appetite Statement | Board of Directors |
| Tactical | The "What" & "How" | Mid-term (6-18 months) | Security Policies, Standards, Baselines, Major project plans (e.g., migration to Zero Trust) | Security Managers, IT Managers, Business Unit Heads |
| Operational | The "When" & "Who" | Short-term (daily, weekly) | Procedures, Workflows, Runbooks, Playbooks, Shift schedules | System Administrators, Analysts, Technicians, End-Users |
The Security Planning Process: A Continuous Cycle
Security planning is not a linear project but a continuous cycle that integrates with organizational
change.
1. Initiation & Scoping
a. Define the "why": Secure executive sponsorship. Align security objectives with business
drivers (e.g., entering a new market, complying with a regulation like GDPR (General Data
Protection Regulation) or HIPAA (Health Insurance Portability and Accountability Act)).
b. Set scope: Determine what is in scope (e.g., a new cloud environment, the entire
enterprise, a specific product line).
2. Risk Assessment
This is the analytical heart of planning. You cannot protect what you don't understand.
a. Asset Identification: What are the critical systems, data, and people?
b. Threat Identification: Who or what wants to harm these assets? (e.g., nation-states,
criminals, insider threats, natural disasters).
c. Vulnerability Analysis: What weaknesses could be exploited? (e.g., unpatched software,
weak passwords, lack of access controls).
d. Impact Analysis: What is the business impact if an asset is compromised? (e.g., financial
loss, reputational damage, legal penalties).
e. Likelihood Determination: How likely is a given threat to exploit a vulnerability?
The output is a risk register, a prioritized list of risks that need to be addressed.
3. Strategy & Control Selection
Based on the risk assessment, the organization decides how to handle each risk:
a. Accept: Acknowledge the risk but choose not to act (usually for low-impact, low-likelihood
risks).
b. Mitigate: Implement controls to reduce the risk to an acceptable level (the most common
approach).
c. Transfer: Shift the risk to a third party (e.g., purchasing cyber insurance, using a managed
security service provider).
d. Avoid: Eliminate the risk entirely by discontinuing the activity that creates it (e.g., not
storing certain types of customer data).
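As an added worked example (not part of the original notes), the following Python builds the risk register that step 2 produces and applies the four step-3 strategies to each entry. The 1-5 qualitative scales, the risk-appetite threshold, the order of the decision rules and the sample findings are all constructed assumptions, not a standard.

```python
from dataclasses import dataclass

# Constructed qualitative scales (1 = lowest, 5 = highest); an organization defines its own.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

@dataclass
class Risk:
    asset: str                  # step 2a: asset identification
    threat: str                 # step 2b: threat identification
    vulnerability: str          # step 2c: vulnerability analysis
    impact: str                 # step 2d: impact analysis (qualitative label)
    likelihood: str             # step 2e: likelihood determination (qualitative label)
    can_avoid: bool = False     # the activity creating the risk could be discontinued
    can_transfer: bool = False  # a third party (insurer, MSSP) could take the risk on

    def score(self) -> int:
        """Risk score = impact x likelihood on the 1..5 scales (range 1..25)."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

def treatment(risk: Risk, appetite: int) -> str:
    """Choose one of the four step-3 strategies. `appetite` is the highest score the
    organization tolerates without action; the rule order is a constructed policy."""
    if risk.score() <= appetite:
        return "accept"      # low impact, low likelihood: acknowledge, take no action
    if risk.can_avoid and IMPACT[risk.impact] >= 4:
        return "avoid"       # eliminate the activity rather than secure it
    if risk.can_transfer:
        return "transfer"    # cyber insurance or a managed security service provider
    return "mitigate"        # the common case: implement controls

def build_register(risks, appetite=4):
    """Return the risk register as (risk, score, treatment) tuples, highest score first."""
    rows = [(r, r.score(), treatment(r, appetite)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample findings from a fictional assessment.
SAMPLE_RISKS = [
    Risk("customer database", "ransomware crew", "unpatched DB server", "major", "likely"),
    Risk("office laptops", "device theft", "no full-disk encryption", "moderate", "possible"),
    Risk("internal wiki", "flooding of the server room", "single site", "minor", "rare"),
    Risk("card-data archive", "data breach", "unencrypted backups", "severe", "possible", can_avoid=True),
    Risk("online payments", "payment fraud", "weak monitoring", "severe", "unlikely", can_transfer=True),
]

if __name__ == "__main__":
    for risk, score, action in build_register(SAMPLE_RISKS):
        print(f"{score:>2}  {action:<9} {risk.asset}: {risk.threat} via {risk.vulnerability}")
```

The sorted output is the prioritized list the notes call the risk register; changing `appetite` shows how a different risk-appetite statement moves entries between "accept" and the other three strategies.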
4. Policy & Procedure Development
This step translates strategy into formal, enforceable rules.
a. Policies: High-level, mandatory statements of intent (e.g., "All data must be classified").
b. Standards: Specific, mandatory rules that support policies (e.g., "The encryption standard
for data at rest is AES-256").
c. Procedures: Step-by-step instructions on how to perform a task (e.g., "How to onboard a
new employee").
d. Guidelines: Best-practice recommendations that are not mandatory (e.g., "Recommended
strong password examples").
5. Implementation & Integration
This is where plans become reality. It includes:
a. Deploying technologies (firewalls, endpoint protection, SIEM (Security Information and
Event Management)).
b. Hiring and training security personnel.
c. Developing a Security Awareness Training Program for all employees.
d. Integrating security into existing business processes like software development
(DevSecOps) and procurement.
6. Monitoring, Review, & Audit
Planning is incomplete without continuous improvement. This phase involves:
a. Measuring the effectiveness of controls (KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators)).
b. Conducting internal and external audits to verify compliance.
c. Performing regular tabletop exercises and penetration tests.
d. Using the findings to feed back into a new risk assessment, restarting the cycle.
Common Security Planning Frameworks
To streamline the process, organizations often adopt established frameworks:
a. NIST Cybersecurity Framework (CSF): A widely used, risk-based framework built on
five core functions: Identify, Protect, Detect, Respond, Recover. It's excellent for building
a comprehensive program.
b. ISO/IEC 27001: An international standard that specifies requirements for an Information
Security Management System (ISMS). It provides a formal, certifiable structure for
managing security.
c. CIS Controls: A prioritized set of 18 critical security actions (formerly 20) that are highly
effective against common attacks. It's very practical for tactical and operational planning.
d. COBIT (Control Objectives for Information and Related Technologies): A framework
focused on IT governance and management, linking security planning to broader business
and regulatory requirements.
Common Pitfalls in Security Planning
a. Lack of Executive Support: Without a mandate from the top, plans lack the authority and
budget to succeed.
b. Treating it as a One-Time Project: Security is not a destination. Plans that are not reviewed
and updated become obsolete.
c. Focusing Only on Technology: Ignoring the people (training, culture) and process elements
leads to failure.
d. Misalignment with Business Goals: A security plan created in a silo that hinders
productivity will be bypassed or ignored.
e. Over-Planning or Analysis Paralysis: Spending so much time planning that no action is
taken.
Individual Assignment: Conduct a real survey on your organization’s IS/ICT/IT security policies
and submit a formal report.